[bugfix] up pgdump version

Signed-off-by: kklinch0 <kklinch0@gmail.com>
2026-02-05 00:15:51 +00:00 · 2025-06-19 10:59:46 +03:00
116 changed files with 1512 additions and 1279 deletions
--- a/.github/workflows/pull-requests-release.yaml
+++ b/.github/workflows/pull-requests-release.yaml
@@ -1,15 +1,100 @@
-name: "Releasing PR"
+name: Releasing PR
 on:
  pull_request:
-    types: [closed]
+    types: [labeled, opened, synchronize, reopened, closed]
 # Cancel in‑flight runs for the same PR when a new push arrives.
 concurrency:
-  group: pr-${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: pull-requests-release-${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true
 jobs:
  verify:
    name: Test Release
    runs-on: [self-hosted]
    permissions:
      contents: read
      packages: write
    if: |
      contains(github.event.pull_request.labels.*.name, 'release') &&
      github.event.action != 'closed'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          fetch-tags: true
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: ghcr.io
      - name: Extract tag from PR branch
        id: get_tag
        uses: actions/github-script@v7
        with:
          script: |
            const branch = context.payload.pull_request.head.ref;
            const m = branch.match(/^release-(\d+\.\d+\.\d+(?:[-\w\.]+)?)$/);
            if (!m) {
              core.setFailed(`❌ Branch '${branch}' does not match 'release-X.Y.Z[-suffix]'`);
              return;
            }
            const tag = `v${m[1]}`;
            core.setOutput('tag', tag);
      - name: Find draft release and get asset IDs
        id: fetch_assets
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GH_PAT }}
          script: |
            const tag = '${{ steps.get_tag.outputs.tag }}';
            const releases = await github.rest.repos.listReleases({
              owner: context.repo.owner,
              repo: context.repo.repo,
              per_page: 100
            });
            const draft = releases.data.find(r => r.tag_name === tag && r.draft);
            if (!draft) {
              core.setFailed(`Draft release '${tag}' not found`);
              return;
            }
            const findAssetId = (name) =>
              draft.assets.find(a => a.name === name)?.id;
            const installerId = findAssetId("cozystack-installer.yaml");
            const diskId = findAssetId("nocloud-amd64.raw.xz");
            if (!installerId || !diskId) {
              core.setFailed("Missing required assets");
              return;
            }
            core.setOutput("installer_id", installerId);
            core.setOutput("disk_id", diskId);
      - name: Download assets from GitHub API
        run: |
          mkdir -p _out/assets
          curl -sSL \
            -H "Authorization: token ${GH_PAT}" \
            -H "Accept: application/octet-stream" \
            -o _out/assets/cozystack-installer.yaml \
            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ steps.fetch_assets.outputs.installer_id }}"
          curl -sSL \
            -H "Authorization: token ${GH_PAT}" \
            -H "Accept: application/octet-stream" \
            -o _out/assets/nocloud-amd64.raw.xz \
            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ steps.fetch_assets.outputs.disk_id }}"
        env:
          GH_PAT: ${{ secrets.GH_PAT }}
      - name: Run tests
        run: make test
  finalize:
    name: Finalize Release
    runs-on: [self-hosted]
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -4,9 +4,8 @@ on:
  pull_request:
    types: [labeled, opened, synchronize, reopened]
 # Cancel in‑flight runs for the same PR when a new push arrives.
 concurrency:
-  group: pr-${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: pull-requests-${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true
 jobs:
@@ -56,193 +55,93 @@ jobs:
        with:
          name: talos-image
          path: _out/assets/nocloud-amd64.raw.xz
  prepare_env:
    name: Prepare environment
    runs-on: [self-hosted]
    needs: build
-  resolve_assets:
+    # Never run when the PR carries the "release" label.
-    name: "Resolve assets"
+    if: |
-    runs-on: ubuntu-latest
+      !contains(github.event.pull_request.labels.*.name, 'release')
    if: contains(github.event.pull_request.labels.*.name, 'release')
    outputs:
     installer_id: ${{ steps.fetch_assets.outputs.installer_id }}
     disk_id:      ${{ steps.fetch_assets.outputs.disk_id }}
    steps:
      - name: Checkout code
        if: contains(github.event.pull_request.labels.*.name, 'release')
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          fetch-tags: true
-      - name: Extract tag from PR branch (release PR)
+      - name: Download installer
        if: contains(github.event.pull_request.labels.*.name, 'release')
        id: get_tag
        uses: actions/github-script@v7
        with:
          script: |
            const branch = context.payload.pull_request.head.ref;
            const m = branch.match(/^release-(\d+\.\d+\.\d+(?:[-\w\.]+)?)$/);
            if (!m) {
              core.setFailed(`❌ Branch '${branch}' does not match 'release-X.Y.Z[-suffix]'`);
              return;
            }
            core.setOutput('tag', `v${m[1]}`);
      - name: Find draft release & asset IDs (release PR)
        if: contains(github.event.pull_request.labels.*.name, 'release')
        id: fetch_assets
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GH_PAT }}
          script: |
            const tag = '${{ steps.get_tag.outputs.tag }}';
            const releases = await github.rest.repos.listReleases({
              owner: context.repo.owner,
              repo:  context.repo.repo,
              per_page: 100
            });
            const draft = releases.data.find(r => r.tag_name === tag && r.draft);
            if (!draft) {
              core.setFailed(`Draft release '${tag}' not found`);
              return;
            }
            const find = (n) => draft.assets.find(a => a.name === n)?.id;
            const installerId = find('cozystack-installer.yaml');
            const diskId      = find('nocloud-amd64.raw.xz');
            if (!installerId || !diskId) {
              core.setFailed('Required assets missing in draft release');
              return;
            }
            core.setOutput('installer_id', installerId);
            core.setOutput('disk_id',      diskId);
  prepare_env:
    name: "Prepare environment"
    runs-on: [self-hosted]
    permissions:
      contents: read
      packages: read
    needs: ["build", "resolve_assets"]
    if: ${{ always() && (needs.build.result == 'success' || needs.resolve_assets.result == 'success') }}
    steps:
      # ▸ Regular PR path – download artefacts produced by the *build* job
      - name: "Download Talos image (regular PR)"
        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
        uses: actions/download-artifact@v4
        with:
          name: talos-image
          path: _out/assets
      # ▸ Release PR path – fetch artefacts from the corresponding draft release
      - name: Download assets from draft release (release PR)
        if: contains(github.event.pull_request.labels.*.name, 'release')
        run: |
          curl -sSL -H "Authorization: token ${GH_PAT}" -H "Accept: application/octet-stream" \
            -o _out/assets/nocloud-amd64.raw.xz \
            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ needs.resolve_assets.outputs.disk_id }}"
        env:
          GH_PAT: ${{ secrets.GH_PAT }}
      # ▸ Start actual job steps
      - name: Set sandbox ID
        run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
      - name: Prepare workspace
        run: |
          cd ..
          rm -rf /tmp/$SANDBOX_NAME
          cp -r cozystack /tmp/$SANDBOX_NAME
          sudo systemctl stop "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
          sudo systemctl reset-failed "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
          sudo systemctl daemon-reexec
          sudo systemd-run \
            --on-calendar="$(date -d 'now + 24 hours' '+%Y-%m-%d %H:%M:%S')" \
            --unit=rm-workspace-$SANDBOX_NAME \
            rm -rf /tmp/$SANDBOX_NAME
      - name: Prepare environment
        run: |
          cd /tmp/$SANDBOX_NAME
          make SANDBOX_NAME=$SANDBOX_NAME prepare-env
  install_cozystack:
    name: "Install Cozystack"
    runs-on: [self-hosted]
    permissions:
      contents: read
      packages: read
    needs: ["prepare_env", "resolve_assets"]
    if: ${{ always() && needs.prepare_env.result == 'success' }}
    steps:
      - name: Prepare _out/assets directory
        run: mkdir -p _out/assets
      # ▸ Regular PR path – download artefacts produced by the *build* job
      - name: "Download installer (regular PR)"
        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
        uses: actions/download-artifact@v4
        with:
          name: cozystack-installer
-          path: _out/assets
+          path: _out/assets/
      - name: Download Talos image
        uses: actions/download-artifact@v4
        with:
          name: talos-image
          path: _out/assets/
      # ▸ Release PR path – fetch artefacts from the corresponding draft release
      - name: Download assets from draft release (release PR)
        if: contains(github.event.pull_request.labels.*.name, 'release')
        run: |
          curl -sSL -H "Authorization: token ${GH_PAT}" -H "Accept: application/octet-stream" \
            -o _out/assets/cozystack-installer.yaml \
            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ needs.resolve_assets.outputs.installer_id }}"
        env:
          GH_PAT: ${{ secrets.GH_PAT }}
      # ▸ Start actual job steps
      - name: Set sandbox ID
        run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
-      - name: Install Cozystack into sandbox
+      - name: Prepare environment
-        run: |
+        run: make SANDBOX_NAME=$SANDBOX_NAME prepare-env
          cd /tmp/$SANDBOX_NAME
          make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME install-cozystack
-  detect_test_matrix:
+  install_cozystack:
-    name: "Detect e2e test matrix"
+    name: Install Cozystack
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted]
-    outputs:
+    needs: prepare_env
-      matrix: ${{ steps.set.outputs.matrix }}
+
    # Never run when the PR carries the "release" label.
    if: |
      !contains(github.event.pull_request.labels.*.name, 'release')
    steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
-      - id: set
+        uses: actions/checkout@v4
-        run: |
+        with:
-          apps=$(find hack/e2e-apps -maxdepth 1 -mindepth 1 -name '*.bats' | \
+          fetch-depth: 0
-            awk -F/ '{sub(/\..+/, "", $NF); print $NF}' | jq -R . | jq -cs .)
+          fetch-tags: true
-          echo "matrix={\"app\":$apps}" >> "$GITHUB_OUTPUT"
+
      - name: Set sandbox ID
        run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
      - name: Install Cozystack
        run: make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME install-cozystack
  test_apps:
-    strategy:
+    name: Test applications
      matrix: ${{ fromJson(needs.detect_test_matrix.outputs.matrix) }}
    name: Test ${{ matrix.app }}
    runs-on: [self-hosted]
-    needs: [install_cozystack,detect_test_matrix]
+    needs: install_cozystack
-    if: ${{ always() && (needs.install_cozystack.result == 'success' && needs.detect_test_matrix.result == 'success') }}
+
    # Never run when the PR carries the "release" label.
    if: |
      !contains(github.event.pull_request.labels.*.name, 'release')
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          fetch-tags: true
      - name: Set sandbox ID
        run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
      - name: E2E Apps
-        run: |
+        run: make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME test-apps
          cd /tmp/$SANDBOX_NAME
          make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME test-apps-${{ matrix.app }}
  cleanup:
    name: Tear down environment
    runs-on: [self-hosted]
    needs: test_apps
-    if: ${{ always() && needs.test_apps.result == 'success' }}
+
    # Never run when the PR carries the "release" label.
    if: |
      !contains(github.event.pull_request.labels.*.name, 'release')
    steps:
      - name: Checkout code
@@ -254,16 +153,5 @@ jobs:
      - name: Set sandbox ID
        run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
-      - name: Tear down sandbox
+      - name: E2E Apps
        run: make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME delete
      - name: Remove workspace
        run: rm -rf /tmp/$SANDBOX_NAME
      - name: Tear down timers
        run: |
          sudo systemctl stop "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
          sudo systemctl reset-failed "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
          sudo systemctl stop "teardown-$SANDBOX_NAME.timer" "teardown-$SANDBOX_NAME.service" 2>/dev/null || true
          sudo systemctl reset-failed "teardown-$SANDBOX_NAME.timer" "teardown-$SANDBOX_NAME.service" 2>/dev/null || true
          sudo systemctl daemon-reexec
--- a/1
+++ b/1
@@ -9,6 +9,7 @@ build-deps:
 build: build-deps
 	make -C packages/apps/http-cache image
 	make -C packages/apps/postgres image
 	make -C packages/apps/mysql image
 	make -C packages/apps/clickhouse image
 	make -C packages/apps/kubernetes image
--- a/docs/changelogs/v0.32.0.md
+++ b/docs/changelogs/v0.32.0.md
@@ -1,71 +0,0 @@
 Cozystack v0.32.0 is a significant release that brings new features, key fixes, and updates to underlying components.
 ## Major Features and Improvements
 * [platform] Use `cozypkg` instead of Helm (@kvaps in https://github.com/cozystack/cozystack/pull/1057)
 * [platform] Introduce the HelmRelease reconciler for system components. (@kvaps in https://github.com/cozystack/cozystack/pull/1033)
 * [kubernetes] Enable using container registry mirrors by tenant Kubernetes clusters. Configure containerd for tenant Kubernetes clusters. (@klinch0 in https://github.com/cozystack/cozystack/pull/979, patched by @lllamnyp in https://github.com/cozystack/cozystack/pull/1032)
 * [platform] Allow users to specify CPU requests in VCPUs. Use a library chart for resource management. (@lllamnyp in https://github.com/cozystack/cozystack/pull/972 and https://github.com/cozystack/cozystack/pull/1025)
 * [platform] Annotate all child objects of apps with uniform labels for tracking by WorkloadMonitors. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1018 and https://github.com/cozystack/cozystack/pull/1024)
 * [platform] Introduce `cluster-domain` option and un-hardcode `cozy.local`. (@kvaps in https://github.com/cozystack/cozystack/pull/1039)
 * [platform] Get instance type when reconciling WorkloadMonitor (https://github.com/cozystack/cozystack/pull/1030)
 * [virtual-machine] Add RBAC rules to allow port forwarding in KubeVirt for SSH via `virtctl`. (@mattia-eleuteri in https://github.com/cozystack/cozystack/pull/1027, patched by @klinch0 in https://github.com/cozystack/cozystack/pull/1028)
 * [monitoring] Add events and audit inputs (@kevin880202 in https://github.com/cozystack/cozystack/pull/948)
 ## Security
 * Resolve a security problem that allowed tenant administrator to gain enhanced privileges outside the tenant. (@kvaps in https://github.com/cozystack/cozystack/pull/1062)
 ## Fixes
 * [dashboard] Fix a number of issues in the Cozystack Dashboard (@kvaps in https://github.com/cozystack/cozystack/pull/1042)
 * [kafka] Specify minimal working resource presets. (@kvaps in https://github.com/cozystack/cozystack/pull/1040)
 * [cilium] Fixed Gateway API manifest. (@zdenekjanda in https://github.com/cozystack/cozystack/pull/1016)
 * [platform] Fix RBAC for annotating namespaces. (@kvaps in https://github.com/cozystack/cozystack/pull/1031)
 * [platform] Fix dependencies for paas-hosted bundle. (@kvaps in https://github.com/cozystack/cozystack/pull/1034)
 * [platform] Reduce system resource consumption by using lesser resource presets for VerticalPodAutoscaler, SeaweedFS, and KubeOVN. (@klinch0 in https://github.com/cozystack/cozystack/pull/1054)
 * [virtual-machine] Fix handling of cloudinit and ssh-key input for `virtual-machine` and `vm-instance` applications. (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/1019 and https://github.com/cozystack/cozystack/pull/1020)
 * [apps] Fix Clickhouse version parsing. (@kvaps in https://github.com/cozystack/cozystack/commit/28302e776e9d2bb8f424cf467619fa61d71ac49a)
 * [apps] Add resource quotas for PostgreSQL jobs and fix application readme generation check in CI. (@klinch0 in https://github.com/cozystack/cozystack/pull/1051)
 * [kube-ovn] Enable database health check. (@kvaps in https://github.com/cozystack/cozystack/pull/1047)
 * [kubernetes] Fix upstream issue by updating Kubevirt-CCM. (@kvaps in https://github.com/cozystack/cozystack/pull/1052)
 * [kubernetes] Fix resources and introduce a migration when upgrading tenant Kubernetes to v0.32.4. (@kvaps in https://github.com/cozystack/cozystack/pull/1073)
 * [cluster-api] Add a missing migration for `capi-providers`. (@kvaps in https://github.com/cozystack/cozystack/pull/1072)
 ## Dependencies
 * Introduce cozykpg, update to v1.1.0. (@kvaps in https://github.com/cozystack/cozystack/pull/1057 and https://github.com/cozystack/cozystack/pull/1063)
 * Update flux-operator to 0.22.0, Flux to 2.6.x. (@kingdonb in https://github.com/cozystack/cozystack/pull/1035)
 * Update Talos Linux to v1.10.3. (@kvaps in https://github.com/cozystack/cozystack/pull/1006)
 * Update Cilium to v1.17.4. (@kvaps in https://github.com/cozystack/cozystack/pull/1046)
 * Update MetalLB to v0.15.2. (@kvaps in https://github.com/cozystack/cozystack/pull/1045)
 * Update Kube-OVN to v1.13.13. (@kvaps in https://github.com/cozystack/cozystack/pull/1047)
 ## Documentation
 * [Oracle Cloud Infrastructure installation guide](https://cozystack.io/docs/operations/talos/installation/oracle-cloud/). (@kvaps, @lllamnyp, and @NickVolynkin in https://github.com/cozystack/website/pull/168)
 * [Cluster configuration with `talosctl`](https://cozystack.io/docs/operations/talos/configuration/talosctl/). (@NickVolynkin in https://github.com/cozystack/website/pull/211)
 * [Configuring container registry mirrors for tenant Kubernetes clusters](https://cozystack.io/docs/operations/talos/configuration/air-gapped/#5-configure-container-registry-mirrors-for-tenant-kubernetes). (@klinch0 in https://github.com/cozystack/website/pull/210)
 * [Explain application management strategies and available versions for managed applications.](https://cozystack.io/docs/guides/applications/). (@NickVolynkin in https://github.com/cozystack/website/pull/219)
 * [How to clean up etcd state](https://cozystack.io/docs/operations/faq/#how-to-clean-up-etcd-state). (@gwynbleidd2106 in https://github.com/cozystack/website/pull/214)
 * [State that Cozystack is a CNCF Sandbox project](https://github.com/cozystack/cozystack?tab=readme-ov-file#cozystack). (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1055)
 ## Development, Testing, and CI/CD
 * [tests] Add tests for applications `virtual-machine`, `vm-disk`, `vm-instance`, `postgresql`, `mysql`, and `clickhouse`. (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/1048, patched by @kvaps in https://github.com/cozystack/cozystack/pull/1074)
 * [tests] Fix concurrency for the `docker login` action. (@kvaps in https://github.com/cozystack/cozystack/pull/1014)
 * [tests] Increase QEMU system disk size in tests. (@kvaps in https://github.com/cozystack/cozystack/pull/1011)
 * [tests] Increase the waiting timeout for VMs in tests. (@kvaps in https://github.com/cozystack/cozystack/pull/1038)
 * [ci] Separate build and testing jobs in CI. (@kvaps in https://github.com/cozystack/cozystack/pull/1005 and https://github.com/cozystack/cozystack/pull/1010)
 * [ci] Fix the release assets. (@kvaps in https://github.com/cozystack/cozystack/pull/1006 and https://github.com/cozystack/cozystack/pull/1009)
 ## New Contributors
 * @kevin880202 made their first contribution in https://github.com/cozystack/cozystack/pull/948
 * @mattia-eleuteri made their first contribution in https://github.com/cozystack/cozystack/pull/1027
 **Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.31.0...v0.32.0
 <!-- 
 HEAD https://github.com/cozystack/cozystack/commit/3ce6dbe8
 -->
--- a/hack/e2e-apps.bats
+++ b/hack/e2e-apps.bats
@@ -0,0 +1,353 @@
 #!/usr/bin/env bats
 # -----------------------------------------------------------------------------
 # Cozystack end‑to‑end provisioning test (Bats)
 # -----------------------------------------------------------------------------
@test "Create tenant with isolated mode enabled" {
  kubectl -n tenant-root get tenants.apps.cozystack.io test || 
  kubectl create -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Tenant
 metadata:
  name: test
  namespace: tenant-root
 spec:
  etcd: false
  host: ""
  ingress: false
  isolated: true
  monitoring: false
  resourceQuotas: {}
  seaweedfs: false
 EOF
  kubectl wait hr/tenant-test -n tenant-root --timeout=1m --for=condition=ready
  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
 }
@test "Create a tenant Kubernetes control plane" {
  kubectl -n tenant-test get kuberneteses.apps.cozystack.io test || 
  kubectl create -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Kubernetes
 metadata:
  name: test
  namespace: tenant-test
 spec:
  addons:
    certManager:
      enabled: false
      valuesOverride: {}
    cilium:
      valuesOverride: {}
    fluxcd:
      enabled: false
      valuesOverride: {}
    gatewayAPI:
      enabled: false
    gpuOperator:
      enabled: false
      valuesOverride: {}
    ingressNginx:
      enabled: true
      hosts: []
      valuesOverride: {}
    monitoringAgents:
      enabled: false
      valuesOverride: {}
    verticalPodAutoscaler:
      valuesOverride: {}
  controlPlane:
    apiServer:
      resources: {}
      resourcesPreset: small
    controllerManager:
      resources: {}
      resourcesPreset: micro
    konnectivity:
      server:
        resources: {}
        resourcesPreset: micro
    replicas: 2
    scheduler:
      resources: {}
      resourcesPreset: micro
  host: ""
  nodeGroups:
    md0:
      ephemeralStorage: 20Gi
      gpus: []
      instanceType: u1.medium
      maxReplicas: 10
      minReplicas: 0
      resources:
        cpu: ""
        memory: ""
      roles:
      - ingress-nginx
  storageClass: replicated
 EOF
  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
  timeout 10 sh -ec 'until kubectl get kamajicontrolplane -n tenant-test kubernetes-test; do sleep 1; done'
  kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-test --timeout=4m
  kubectl wait tcp -n tenant-test kubernetes-test --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
  kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-test kubernetes-test-cluster-autoscaler kubernetes-test-kccm kubernetes-test-kcsi-controller
  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
  kubectl -n tenant-test delete kuberneteses.apps.cozystack.io test
 }
@test "Create a VM Disk" {
  name='test'
  kubectl -n tenant-test get vmdisks.apps.cozystack.io $name || 
  kubectl create -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: VMDisk
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  source:
    http:
      url: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
  optical: false
  storage: 5Gi
  storageClass: replicated
 EOF
  sleep 5
  kubectl -n tenant-test wait hr vm-disk-$name --timeout=5s --for=condition=ready
  kubectl -n tenant-test wait dv vm-disk-$name --timeout=150s --for=condition=ready
  kubectl -n tenant-test wait pvc vm-disk-$name --timeout=100s --for=jsonpath='{.status.phase}'=Bound
 }
@test "Create a VM Instance" {
  diskName='test'
  name='test'
  kubectl -n tenant-test get vminstances.apps.cozystack.io $name || 
  kubectl create -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: VMInstance
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  external: false
  externalMethod: PortList
  externalPorts:
  - 22
  running: true
  instanceType: "u1.medium"
  instanceProfile: ubuntu
  disks:
    - name: $diskName
  gpus: []
  resources:
    cpu: ""
    memory: ""
  sshKeys:
  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
    test@test
  cloudInit: |
    #cloud-config
    users:
      - name: test
        shell: /bin/bash
        sudo: ['ALL=(ALL) NOPASSWD: ALL']
        groups: sudo
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
  cloudInitSeed: ""
 EOF
  sleep 5
  timeout 20 sh -ec "until kubectl -n tenant-test get vmi vm-instance-$name -o jsonpath='{.status.interfaces[0].ipAddress}' | grep -q '[0-9]'; do sleep 5; done"
  kubectl -n tenant-test wait hr vm-instance-$name --timeout=5s --for=condition=ready
  kubectl -n tenant-test wait vm vm-instance-$name --timeout=20s --for=condition=ready
  kubectl -n tenant-test delete vminstances.apps.cozystack.io $name 
  kubectl -n tenant-test delete vmdisks.apps.cozystack.io $diskName 
 }
@test "Create a Virtual Machine" {
  name='test'
  kubectl -n tenant-test get virtualmachines.apps.cozystack.io $name || 
  kubectl create -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: VirtualMachine
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  external: false
  externalMethod: PortList
  externalPorts:
  - 22
  instanceType: "u1.medium"
  instanceProfile: ubuntu
  systemDisk:
    image: ubuntu
    storage: 5Gi
    storageClass: replicated
  gpus: []
  resources:
    cpu: ""
    memory: ""
  sshKeys:
  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
    test@test
  cloudInit: |
    #cloud-config
    users:
      - name: test
        shell: /bin/bash
        sudo: ['ALL=(ALL) NOPASSWD: ALL']
        groups: sudo
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
  cloudInitSeed: ""
 EOF
  sleep 5
  kubectl -n tenant-test wait hr virtual-machine-$name --timeout=10s --for=condition=ready
  kubectl -n tenant-test wait dv virtual-machine-$name --timeout=150s --for=condition=ready
  kubectl -n tenant-test wait pvc virtual-machine-$name --timeout=100s --for=jsonpath='{.status.phase}'=Bound
  kubectl -n tenant-test wait vm virtual-machine-$name --timeout=100s --for=condition=ready
  timeout 120 sh -ec "until kubectl -n tenant-test get vmi virtual-machine-$name -o jsonpath='{.status.interfaces[0].ipAddress}' | grep -q '[0-9]'; do sleep 10; done"
  kubectl -n tenant-test delete virtualmachines.apps.cozystack.io $name 
 }
@test "Create DB PostgreSQL" {
  name='test'
  kubectl -n tenant-test get postgreses.apps.cozystack.io $name || 
  kubectl create -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Postgres
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  external: false
  size: 10Gi
  replicas: 2
  storageClass: ""
  postgresql:
    parameters:
      max_connections: 100
  quorum:
    minSyncReplicas: 0
    maxSyncReplicas: 0
  users:
    testuser:
      password: xai7Wepo
  databases:
    testdb:
      roles:
        admin:
        - testuser
  backup:
    enabled: false
    s3Region: us-east-1
    s3Bucket: s3.example.org/postgres-backups
    schedule: "0 2 * * *"
    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
  resources: {}
  resourcesPreset: "nano"
 EOF
  sleep 5
  kubectl -n tenant-test wait hr postgres-$name --timeout=100s --for=condition=ready
  kubectl -n tenant-test wait job.batch postgres-$name-init-job --timeout=50s --for=condition=Complete
  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-r -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-ro -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-rw -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-r -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-ro -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-rw -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  kubectl -n tenant-test delete postgreses.apps.cozystack.io $name
 }
@test "Create DB MySQL" {
  name='test'
  kubectl -n tenant-test get mysqls.apps.cozystack.io $name || 
  kubectl create -f- <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: MySQL
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  external: false
  size: 10Gi
  replicas: 2
  storageClass: ""
  users:
    testuser:
      maxUserConnections: 1000
      password: xai7Wepo
  databases:
    testdb:
      roles:
        admin:
        - testuser
  backup:
    enabled: false
    s3Region: us-east-1
    s3Bucket: s3.example.org/postgres-backups
    schedule: "0 2 * * *"
    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
  resources: {}
  resourcesPreset: "nano"
 EOF
  sleep 5
  kubectl -n tenant-test wait hr mysql-$name --timeout=30s --for=condition=ready
  timeout 80 sh -ec "until kubectl -n tenant-test get svc mysql-$name -o jsonpath='{.spec.ports[0].port}' | grep -q '3306'; do sleep 10; done"
  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints mysql-$name -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  kubectl -n tenant-test wait statefulset.apps/mysql-$name --timeout=110s --for=jsonpath='{.status.replicas}'=2
  timeout 80 sh -ec "until kubectl -n tenant-test get svc mysql-$name-metrics -o jsonpath='{.spec.ports[0].port}' | grep -q '9104'; do sleep 10; done"
  timeout 40 sh -ec "until kubectl -n tenant-test get endpoints mysql-$name-metrics -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  kubectl -n tenant-test wait deployment.apps/mysql-$name-metrics --timeout=90s --for=jsonpath='{.status.replicas}'=1
  kubectl -n tenant-test delete mysqls.apps.cozystack.io $name
 }
@test "Create DB ClickHouse" {
  name='test'
  kubectl -n tenant-test get clickhouses.apps.cozystack.io $name || 
  kubectl create -f- <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: ClickHouse
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  size: 10Gi
  logStorageSize: 2Gi
  shards: 1
  replicas: 2
  storageClass: ""
  logTTL: 15
  users:
    testuser:
      password: xai7Wepo
  backup:
    enabled: false
    s3Region: us-east-1
    s3Bucket: s3.example.org/clickhouse-backups
    schedule: "0 2 * * *"
    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
  resources: {}
  resourcesPreset: "nano"
 EOF
  sleep 5
  kubectl -n tenant-test wait hr clickhouse-$name --timeout=20s --for=condition=ready
  timeout 180 sh -ec "until kubectl -n tenant-test get svc chendpoint-clickhouse-$name -o jsonpath='{.spec.ports[*].port}' | grep -q '8123 9000'; do sleep 10; done"
  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-0 --timeout=120s --for=jsonpath='{.status.replicas}'=1
  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  timeout 100 sh -ec "until kubectl -n tenant-test get svc chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.spec.ports[*].port}' | grep -q '9000 8123 9009'; do sleep 10; done"
  timeout 80 sh -ec "until kubectl -n tenant-test get sts chi-clickhouse-$name-clickhouse-0-1 ; do sleep 10; done"
  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-1 --timeout=140s --for=jsonpath='{.status.replicas}'=1
 }
--- a/hack/e2e-apps/clickhouse.bats
+++ b/hack/e2e-apps/clickhouse.bats
@@ -1,42 +0,0 @@
 #!/usr/bin/env bats
@test "Create DB ClickHouse" {
  name='test'
  kubectl -n tenant-test get clickhouses.apps.cozystack.io $name || 
  kubectl apply -f- <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: ClickHouse
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  size: 10Gi
  logStorageSize: 2Gi
  shards: 1
  replicas: 2
  storageClass: ""
  logTTL: 15
  users:
    testuser:
      password: xai7Wepo
  backup:
    enabled: false
    s3Region: us-east-1
    s3Bucket: s3.example.org/clickhouse-backups
    schedule: "0 2 * * *"
    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
  resources: {}
  resourcesPreset: "nano"
 EOF
  sleep 5
  kubectl -n tenant-test wait hr clickhouse-$name --timeout=20s --for=condition=ready
  timeout 180 sh -ec "until kubectl -n tenant-test get svc chendpoint-clickhouse-$name -o jsonpath='{.spec.ports[*].port}' | grep -q '8123 9000'; do sleep 10; done"
  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-0 --timeout=120s --for=jsonpath='{.status.replicas}'=1
  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  timeout 100 sh -ec "until kubectl -n tenant-test get svc chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.spec.ports[*].port}' | grep -q '9000 8123 9009'; do sleep 10; done"
  timeout 80 sh -ec "until kubectl -n tenant-test get sts chi-clickhouse-$name-clickhouse-0-1 ; do sleep 10; done"
  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-1 --timeout=140s --for=jsonpath='{.status.replicas}'=1
 }
--- a/hack/e2e-apps/kafka.bats
+++ b/hack/e2e-apps/kafka.bats
@@ -1,51 +0,0 @@
 #!/usr/bin/env bats
@test "Create Kafka" {
  name='test'
  kubectl apply -f- <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Kafka
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  external: false
  kafka:
    size: 10Gi
    replicas: 2
    storageClass: ""
    resources: {}
    resourcesPreset: "nano"
  zookeeper:
    size: 5Gi
    replicas: 2
    storageClass: ""
    resources:
    resourcesPreset: "nano"
  topics:
    - name: testResults
      partitions: 1
      replicas: 2
      config:
        min.insync.replicas: 2
    - name: testOrders
      config:
        cleanup.policy: compact
        segment.ms: 3600000
        max.compaction.lag.ms: 5400000
        min.insync.replicas: 2
      partitions: 1
      replicas: 2
 EOF
  sleep 5
  kubectl -n tenant-test wait hr kafka-$name --timeout=30s --for=condition=ready
  kubectl wait kafkas -n tenant-test test --timeout=60s --for=condition=ready
  timeout 60 sh -ec "until kubectl -n tenant-test get pvc data-kafka-$name-zookeeper-0; do sleep 10; done"
  kubectl -n tenant-test wait pvc data-kafka-$name-zookeeper-0 --timeout=50s --for=jsonpath='{.status.phase}'=Bound
  timeout 40 sh -ec "until kubectl -n tenant-test get svc kafka-$name-zookeeper-client -o jsonpath='{.spec.ports[0].port}' | grep -q '2181'; do sleep 10; done"
  timeout 40 sh -ec "until kubectl -n tenant-test get svc kafka-$name-zookeeper-nodes -o jsonpath='{.spec.ports[*].port}' | grep -q '2181 2888 3888'; do sleep 10; done"
  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints kafka-$name-zookeeper-nodes -o jsonpath='{.subsets[*].addresses[0].ip}' | grep -q '[0-9]'; do sleep 10; done"
  kubectl -n tenant-test delete kafka.apps.cozystack.io $name
  kubectl -n tenant-test delete pvc data-kafka-$name-zookeeper-0
  kubectl -n tenant-test delete pvc data-kafka-$name-zookeeper-1
 }
--- a/hack/e2e-apps/kubernetes.bats
+++ b/hack/e2e-apps/kubernetes.bats
@@ -1,73 +0,0 @@
 #!/usr/bin/env bats
@test "Create a tenant Kubernetes control plane" {
  kubectl -n tenant-test get kuberneteses.apps.cozystack.io test || 
  kubectl apply -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Kubernetes
 metadata:
  name: test
  namespace: tenant-test
 spec:
  addons:
    certManager:
      enabled: false
      valuesOverride: {}
    cilium:
      valuesOverride: {}
    fluxcd:
      enabled: false
      valuesOverride: {}
    gatewayAPI:
      enabled: false
    gpuOperator:
      enabled: false
      valuesOverride: {}
    ingressNginx:
      enabled: true
      hosts: []
      valuesOverride: {}
    monitoringAgents:
      enabled: false
      valuesOverride: {}
    verticalPodAutoscaler:
      valuesOverride: {}
  controlPlane:
    apiServer:
      resources: {}
      resourcesPreset: small
    controllerManager:
      resources: {}
      resourcesPreset: micro
    konnectivity:
      server:
        resources: {}
        resourcesPreset: micro
    replicas: 2
    scheduler:
      resources: {}
      resourcesPreset: micro
  host: ""
  nodeGroups:
    md0:
      ephemeralStorage: 20Gi
      gpus: []
      instanceType: u1.medium
      maxReplicas: 10
      minReplicas: 0
      resources:
        cpu: ""
        memory: ""
      roles:
      - ingress-nginx
  storageClass: replicated
 EOF
  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
  timeout 10 sh -ec 'until kubectl get kamajicontrolplane -n tenant-test kubernetes-test; do sleep 1; done'
  kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-test --timeout=4m
  kubectl wait tcp -n tenant-test kubernetes-test --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
  kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-test kubernetes-test-cluster-autoscaler kubernetes-test-kccm kubernetes-test-kcsi-controller
  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
  kubectl -n tenant-test delete kuberneteses.apps.cozystack.io test
 }
--- a/hack/e2e-apps/mysql.bats
+++ b/hack/e2e-apps/mysql.bats
@@ -1,47 +0,0 @@
 #!/usr/bin/env bats
@test "Create DB MySQL" {
  name='test'
  kubectl -n tenant-test get mysqls.apps.cozystack.io $name || 
  kubectl apply -f- <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: MySQL
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  external: false
  size: 10Gi
  replicas: 2
  storageClass: ""
  users:
    testuser:
      maxUserConnections: 1000
      password: xai7Wepo
  databases:
    testdb:
      roles:
        admin:
        - testuser
  backup:
    enabled: false
    s3Region: us-east-1
    s3Bucket: s3.example.org/postgres-backups
    schedule: "0 2 * * *"
    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
  resources: {}
  resourcesPreset: "nano"
 EOF
  sleep 5
  kubectl -n tenant-test wait hr mysql-$name --timeout=30s --for=condition=ready
  timeout 80 sh -ec "until kubectl -n tenant-test get svc mysql-$name -o jsonpath='{.spec.ports[0].port}' | grep -q '3306'; do sleep 10; done"
  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints mysql-$name -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  kubectl -n tenant-test wait statefulset.apps/mysql-$name --timeout=110s --for=jsonpath='{.status.replicas}'=2
  timeout 80 sh -ec "until kubectl -n tenant-test get svc mysql-$name-metrics -o jsonpath='{.spec.ports[0].port}' | grep -q '9104'; do sleep 10; done"
  timeout 40 sh -ec "until kubectl -n tenant-test get endpoints mysql-$name-metrics -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  kubectl -n tenant-test wait deployment.apps/mysql-$name-metrics --timeout=90s --for=jsonpath='{.status.replicas}'=1
  kubectl -n tenant-test delete mysqls.apps.cozystack.io $name
 }
--- a/hack/e2e-apps/postgres.bats
+++ b/hack/e2e-apps/postgres.bats
@@ -1,55 +0,0 @@
 #!/usr/bin/env bats
@test "Create DB PostgreSQL" {
  name='test'
  kubectl -n tenant-test get postgreses.apps.cozystack.io $name || 
  kubectl apply -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Postgres
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  external: false
  size: 10Gi
  replicas: 2
  storageClass: ""
  postgresql:
    parameters:
      max_connections: 100
  quorum:
    minSyncReplicas: 0
    maxSyncReplicas: 0
  users:
    testuser:
      password: xai7Wepo
  databases:
    testdb:
      roles:
        admin:
        - testuser
  backup:
    enabled: false
    s3Region: us-east-1
    s3Bucket: s3.example.org/postgres-backups
    schedule: "0 2 * * *"
    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
  resources: {}
  resourcesPreset: "nano"
 EOF
  sleep 5
  kubectl -n tenant-test wait hr postgres-$name --timeout=100s --for=condition=ready
  kubectl -n tenant-test wait job.batch postgres-$name-init-job --timeout=50s --for=condition=Complete
  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-r -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-ro -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-rw -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-r -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  # for some reason it takes longer for the read-only endpoint to be ready
  #timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-ro -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-rw -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
  kubectl -n tenant-test delete postgreses.apps.cozystack.io $name
  kubectl -n tenant-test delete job.batch/postgres-$name-init-job
 }
--- a/hack/e2e-apps/redis.bats
+++ b/hack/e2e-apps/redis.bats
@@ -1,26 +0,0 @@
 #!/usr/bin/env bats
@test "Create Redis" {
  name='test'
  kubectl apply -f- <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Redis
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  external: false
  size: 1Gi
  replicas: 2
  storageClass: ""
  authEnabled: true
  resources: {}
  resourcesPreset: "nano"
 EOF
  sleep 5
  kubectl -n tenant-test wait hr redis-$name --timeout=20s --for=condition=ready
  kubectl -n tenant-test wait pvc redisfailover-persistent-data-rfr-redis-$name-0 --timeout=50s --for=jsonpath='{.status.phase}'=Bound
  kubectl -n tenant-test wait deploy rfs-redis-$name --timeout=90s --for=condition=available
  kubectl -n tenant-test wait sts rfr-redis-$name --timeout=90s --for=jsonpath='{.status.replicas}'=2
  kubectl -n tenant-test delete redis.apps.cozystack.io $name
 }
--- a/hack/e2e-apps/virtualmachine.bats
+++ b/hack/e2e-apps/virtualmachine.bats
@@ -1,48 +0,0 @@
 #!/usr/bin/env bats
@test "Create a Virtual Machine" {
  name='test'
  kubectl -n tenant-test get virtualmachines.apps.cozystack.io $name || 
  kubectl apply -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: VirtualMachine
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  external: false
  externalMethod: PortList
  externalPorts:
  - 22
  instanceType: "u1.medium"
  instanceProfile: ubuntu
  systemDisk:
    image: ubuntu
    storage: 5Gi
    storageClass: replicated
  gpus: []
  resources:
    cpu: ""
    memory: ""
  sshKeys:
  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
    test@test
  cloudInit: |
    #cloud-config
    users:
      - name: test
        shell: /bin/bash
        sudo: ['ALL=(ALL) NOPASSWD: ALL']
        groups: sudo
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
  cloudInitSeed: ""
 EOF
  sleep 5
  kubectl -n tenant-test wait hr virtual-machine-$name --timeout=10s --for=condition=ready
  kubectl -n tenant-test wait dv virtual-machine-$name --timeout=150s --for=condition=ready
  kubectl -n tenant-test wait pvc virtual-machine-$name --timeout=100s --for=jsonpath='{.status.phase}'=Bound
  kubectl -n tenant-test wait vm virtual-machine-$name --timeout=100s --for=condition=ready
  timeout 120 sh -ec "until kubectl -n tenant-test get vmi virtual-machine-$name -o jsonpath='{.status.interfaces[0].ipAddress}' | grep -q '[0-9]'; do sleep 10; done"
  kubectl -n tenant-test delete virtualmachines.apps.cozystack.io $name 
 }
--- a/hack/e2e-apps/vminstance.bats
+++ b/hack/e2e-apps/vminstance.bats
@@ -1,70 +0,0 @@
 #!/usr/bin/env bats
@test "Create a VM Disk" {
  name='test'
  kubectl -n tenant-test get vmdisks.apps.cozystack.io $name || 
  kubectl apply -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: VMDisk
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  source:
    http:
      url: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
  optical: false
  storage: 5Gi
  storageClass: replicated
 EOF
  sleep 5
  kubectl -n tenant-test wait hr vm-disk-$name --timeout=5s --for=condition=ready
  kubectl -n tenant-test wait dv vm-disk-$name --timeout=150s --for=condition=ready
  kubectl -n tenant-test wait pvc vm-disk-$name --timeout=100s --for=jsonpath='{.status.phase}'=Bound
 }
@test "Create a VM Instance" {
  diskName='test'
  name='test'
  kubectl -n tenant-test get vminstances.apps.cozystack.io $name || 
  kubectl apply -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: VMInstance
 metadata:
  name: $name
  namespace: tenant-test
 spec:
  external: false
  externalMethod: PortList
  externalPorts:
  - 22
  running: true
  instanceType: "u1.medium"
  instanceProfile: ubuntu
  disks:
    - name: $diskName
  gpus: []
  resources:
    cpu: ""
    memory: ""
  sshKeys:
  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
    test@test
  cloudInit: |
    #cloud-config
    users:
      - name: test
        shell: /bin/bash
        sudo: ['ALL=(ALL) NOPASSWD: ALL']
        groups: sudo
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
  cloudInitSeed: ""
 EOF
  sleep 5
  timeout 20 sh -ec "until kubectl -n tenant-test get vmi vm-instance-$name -o jsonpath='{.status.interfaces[0].ipAddress}' | grep -q '[0-9]'; do sleep 5; done"
  kubectl -n tenant-test wait hr vm-instance-$name --timeout=5s --for=condition=ready
  kubectl -n tenant-test wait vm vm-instance-$name --timeout=20s --for=condition=ready
  kubectl -n tenant-test delete vminstances.apps.cozystack.io $name 
  kubectl -n tenant-test delete vmdisks.apps.cozystack.io $diskName 
 }
--- a/hack/e2e-cluster.bats
+++ b/hack/e2e-cluster.bats
@@ -0,0 +1,391 @@
 #!/usr/bin/env bats
 # -----------------------------------------------------------------------------
 # Cozystack end‑to‑end provisioning test (Bats)
 # -----------------------------------------------------------------------------
@test "Required installer assets exist" {
  if [ ! -f _out/assets/cozystack-installer.yaml ]; then
    echo "Missing: _out/assets/cozystack-installer.yaml" >&2
    exit 1
  fi
  if [ ! -f _out/assets/nocloud-amd64.raw.xz ]; then
    echo "Missing: _out/assets/nocloud-amd64.raw.xz" >&2
    exit 1
  fi
 }
@test "IPv4 forwarding is enabled" {
  if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
    echo "IPv4 forwarding is disabled!" >&2
    echo >&2
    echo "Enable it with:" >&2
    echo "  echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
    exit 1
  fi
 }
@test "Clean previous VMs" {
 kill $(cat srv1/qemu.pid srv2/qemu.pid srv3/qemu.pid 2>/dev/null) 2>/dev/null || true
 rm -rf srv1 srv2 srv3
 }
@test "Prepare networking and masquerading" {
  ip link del cozy-br0 2>/dev/null || true
  ip link add cozy-br0 type bridge
  ip link set cozy-br0 up
  ip address add 192.168.123.1/24 dev cozy-br0
  # Masquerading rule – idempotent (delete first, then add)
  iptables -t nat -D POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE 2>/dev/null || true
  iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
 }
@test "Prepare cloud‑init drive for VMs" {
  mkdir -p srv1 srv2 srv3
  # Generate cloud‑init ISOs
  for i in 1 2 3; do
    echo "hostname: srv${i}" > "srv${i}/meta-data"
    cat > "srv${i}/user-data" <<'EOF'
 #cloud-config
 EOF
    cat > "srv${i}/network-config" <<EOF
 version: 2
 ethernets:
  eth0:
    dhcp4: false
    addresses:
      - "192.168.123.1${i}/26"
    gateway4: "192.168.123.1"
    nameservers:
      search: [cluster.local]
      addresses: [8.8.8.8]
 EOF
    ( cd "srv${i}" && genisoimage \
        -output seed.img \
        -volid cidata -rational-rock -joliet \
        user-data meta-data network-config )
  done
 }
@test "Use Talos NoCloud image from assets" {
  if [ ! -f _out/assets/nocloud-amd64.raw.xz ]; then
    echo "Missing _out/assets/nocloud-amd64.raw.xz" 2>&1
    exit 1
  fi
  rm -f nocloud-amd64.raw
  cp _out/assets/nocloud-amd64.raw.xz .
  xz --decompress nocloud-amd64.raw.xz
 }
@test "Prepare VM disks" {
  for i in 1 2 3; do
    cp nocloud-amd64.raw srv${i}/system.img
    qemu-img resize srv${i}/system.img 50G
    qemu-img create srv${i}/data.img 100G
  done
 }
@test "Create tap devices" {
  for i in 1 2 3; do
    ip link del cozy-srv${i} 2>/dev/null || true
    ip tuntap add dev cozy-srv${i} mode tap
    ip link set cozy-srv${i} up
    ip link set cozy-srv${i} master cozy-br0
  done
 }
@test "Boot QEMU VMs" {
  for i in 1 2 3; do
    qemu-system-x86_64 -machine type=pc,accel=kvm -cpu host -smp 8 -m 24576 \
      -device virtio-net,netdev=net0,mac=52:54:00:12:34:5${i} \
      -netdev tap,id=net0,ifname=cozy-srv${i},script=no,downscript=no \
      -drive file=srv${i}/system.img,if=virtio,format=raw \
      -drive file=srv${i}/seed.img,if=virtio,format=raw \
      -drive file=srv${i}/data.img,if=virtio,format=raw \
      -display none -daemonize -pidfile srv${i}/qemu.pid
  done
  # Give qemu a few seconds to start up networking
  sleep 5
 }
@test "Wait until Talos API port 50000 is reachable on all machines" {
  timeout 60 sh -ec 'until nc -nz 192.168.123.11 50000 && nc -nz 192.168.123.12 50000 && nc -nz 192.168.123.13 50000; do sleep 1; done'
 }
@test "Generate Talos cluster configuration" {
  # Cluster‑wide patches
  cat > patch.yaml <<'EOF'
 machine:
  kubelet:
    nodeIP:
      validSubnets:
      - 192.168.123.0/24
    extraConfig:
      maxPods: 512
  kernel:
    modules:
    - name: openvswitch
    - name: drbd
      parameters:
        - usermode_helper=disabled
    - name: zfs
    - name: spl
  registries:
    mirrors:
      docker.io:
        endpoints:
        - https://mirror.gcr.io
  files:
  - content: |
      [plugins]
        [plugins."io.containerd.cri.v1.runtime"]
          device_ownership_from_security_context = true
    path: /etc/cri/conf.d/20-customization.part
    op: create
 cluster:
  apiServer:
    extraArgs:
      oidc-issuer-url: "https://keycloak.example.org/realms/cozy"
      oidc-client-id: "kubernetes"
      oidc-username-claim: "preferred_username"
      oidc-groups-claim: "groups"
  network:
    cni:
      name: none
    dnsDomain: cozy.local
    podSubnets:
    - 10.244.0.0/16
    serviceSubnets:
    - 10.96.0.0/16
 EOF
  # Control‑plane‑only patches
  cat > patch-controlplane.yaml <<'EOF'
 machine:
  nodeLabels:
    node.kubernetes.io/exclude-from-external-load-balancers:
      $patch: delete
  network:
    interfaces:
    - interface: eth0
      vip:
        ip: 192.168.123.10
 cluster:
  allowSchedulingOnControlPlanes: true
  controllerManager:
    extraArgs:
      bind-address: 0.0.0.0
  scheduler:
    extraArgs:
      bind-address: 0.0.0.0
  apiServer:
    certSANs:
    - 127.0.0.1
  proxy:
    disabled: true
  discovery:
    enabled: false
  etcd:
    advertisedSubnets:
    - 192.168.123.0/24
 EOF
  # Generate secrets once
  if [ ! -f secrets.yaml ]; then
    talosctl gen secrets
  fi
  rm -f controlplane.yaml worker.yaml talosconfig kubeconfig
  talosctl gen config --with-secrets secrets.yaml cozystack https://192.168.123.10:6443 \
           --config-patch=@patch.yaml --config-patch-control-plane @patch-controlplane.yaml
 }
@test "Apply Talos configuration to the node" {
  # Apply the configuration to all three nodes
  for node in 11 12 13; do
    talosctl apply -f controlplane.yaml -n 192.168.123.${node} -e 192.168.123.${node} -i
  done
  # Wait for Talos services to come up again
  timeout 60 sh -ec 'until nc -nz 192.168.123.11 50000 && nc -nz 192.168.123.12 50000 && nc -nz 192.168.123.13 50000; do sleep 1; done'
 }
@test "Bootstrap Talos cluster" {
  # Bootstrap etcd on the first node
  timeout 10 sh -ec 'until talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11; do sleep 1; done'
  # Wait until etcd is healthy
  timeout 180 sh -ec 'until talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 >/dev/null 2>&1; do sleep 1; done'
  timeout 60 sh -ec 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep -q "rpc error"; do sleep 1; done'
  # Retrieve kubeconfig
  rm -f kubeconfig
  talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10
  # Wait until all three nodes register in Kubernetes
  timeout 60 sh -ec 'until [ $(kubectl get node --no-headers | wc -l) -eq 3 ]; do sleep 1; done'
 }
@test "Install Cozystack" {
  # Create namespace & configmap required by installer
  kubectl create namespace cozy-system --dry-run=client -o yaml | kubectl apply -f -
  kubectl create configmap cozystack -n cozy-system \
          --from-literal=bundle-name=paas-full \
          --from-literal=ipv4-pod-cidr=10.244.0.0/16 \
          --from-literal=ipv4-pod-gateway=10.244.0.1 \
          --from-literal=ipv4-svc-cidr=10.96.0.0/16 \
          --from-literal=ipv4-join-cidr=100.64.0.0/16 \
          --from-literal=root-host=example.org \
          --from-literal=api-server-endpoint=https://192.168.123.10:6443 \
          --dry-run=client -o yaml | kubectl apply -f -
  # Apply installer manifests from file
  kubectl apply -f _out/assets/cozystack-installer.yaml
  # Wait for the installer deployment to become available
  kubectl wait deployment/cozystack -n cozy-system --timeout=1m --for=condition=Available
  # Wait until HelmReleases appear & reconcile them
  timeout 60 sh -ec 'until kubectl get hr -A | grep -q cozys; do sleep 1; done'
  sleep 5
  kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n "$1" hr/"$2" &"} END {print "wait"}' | sh -ex
  # Fail the test if any HelmRelease is not Ready
  if kubectl get hr -A | grep -v " True " | grep -v NAME; then
    kubectl get hr -A
    fail "Some HelmReleases failed to reconcile"
  fi
 }
@test "Wait for Cluster‑API provider deployments" {
  # Wait for Cluster‑API provider deployments
  timeout 60 sh -ec 'until kubectl get deploy -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager >/dev/null 2>&1; do sleep 1; done'
  kubectl wait deployment/capi-controller-manager deployment/capi-kamaji-controller-manager deployment/capi-kubeadm-bootstrap-controller-manager deployment/capi-operator-cluster-api-operator deployment/capk-controller-manager -n cozy-cluster-api --timeout=1m --for=condition=available
 }
@test "Wait for LINSTOR and configure storage" {
  # Linstor controller and nodes
  kubectl wait deployment/linstor-controller -n cozy-linstor --timeout=5m --for=condition=available
  timeout 60 sh -ec 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) -eq 3 ]; do sleep 1; done'
  for node in srv1 srv2 srv3; do
    kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs ${node} /dev/vdc --pool-name data --storage-pool data
  done
  # Storage classes
  kubectl apply -f - <<'EOF'
 ---
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  name: local
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
 provisioner: linstor.csi.linbit.com
 parameters:
  linstor.csi.linbit.com/storagePool: "data"
  linstor.csi.linbit.com/layerList: "storage"
  linstor.csi.linbit.com/allowRemoteVolumeAccess: "false"
 volumeBindingMode: WaitForFirstConsumer
 allowVolumeExpansion: true
 ---
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  name: replicated
 provisioner: linstor.csi.linbit.com
 parameters:
  linstor.csi.linbit.com/storagePool: "data"
  linstor.csi.linbit.com/autoPlace: "3"
  linstor.csi.linbit.com/layerList: "drbd storage"
  linstor.csi.linbit.com/allowRemoteVolumeAccess: "true"
  property.linstor.csi.linbit.com/DrbdOptions/auto-quorum: suspend-io
  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-no-data-accessible: suspend-io
  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-suspended-primary-outdated: force-secondary
  property.linstor.csi.linbit.com/DrbdOptions/Net/rr-conflict: retry-connect
 volumeBindingMode: WaitForFirstConsumer
 allowVolumeExpansion: true
 EOF
 }
@test "Wait for MetalLB and configure address pool" {
  # MetalLB address pool
  kubectl apply -f - <<'EOF'
 ---
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
  name: cozystack
  namespace: cozy-metallb
 spec:
  ipAddressPools: [cozystack]
 ---
 apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
  name: cozystack
  namespace: cozy-metallb
 spec:
  addresses: [192.168.123.200-192.168.123.250]
  autoAssign: true
  avoidBuggyIPs: false
 EOF
 }
@test "Check Cozystack API service" {
  kubectl wait --for=condition=Available apiservices/v1alpha1.apps.cozystack.io --timeout=2m
 }
@test "Configure Tenant and wait for applications" {
  # Patch root tenant and wait for its releases
  kubectl patch tenants/root -n tenant-root --type merge -p '{"spec":{"host":"example.org","ingress":true,"monitoring":true,"etcd":true,"isolated":true}}'
  timeout 60 sh -ec 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root >/dev/null 2>&1; do sleep 1; done'
  kubectl wait hr/etcd hr/ingress hr/tenant-root -n tenant-root --timeout=2m --for=condition=ready
  if ! kubectl wait hr/monitoring -n tenant-root --timeout=2m --for=condition=ready; then
    flux reconcile hr monitoring -n tenant-root --force
    kubectl wait hr/monitoring -n tenant-root --timeout=2m --for=condition=ready
  fi
  # Expose Cozystack services through ingress
  kubectl patch configmap/cozystack -n cozy-system --type merge -p '{"data":{"expose-services":"api,dashboard,cdi-uploadproxy,vm-exportproxy,keycloak"}}'
  # NGINX ingress controller
  timeout 60 sh -ec 'until kubectl get deploy root-ingress-controller -n tenant-root >/dev/null 2>&1; do sleep 1; done'
  kubectl wait deploy/root-ingress-controller -n tenant-root --timeout=5m --for=condition=available
  # etcd statefulset
  kubectl wait sts/etcd -n tenant-root --for=jsonpath='{.status.readyReplicas}'=3 --timeout=5m
  # VictoriaMetrics components
  kubectl wait vmalert/vmalert-shortterm vmalertmanager/alertmanager -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=5m
  kubectl wait vlogs/generic -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=5m
  kubectl wait vmcluster/shortterm vmcluster/longterm -n tenant-root --for=jsonpath='{.status.clusterStatus}'=operational --timeout=5m
  # Grafana
  kubectl wait clusters.postgresql.cnpg.io/grafana-db -n tenant-root --for=condition=ready --timeout=5m
  kubectl wait deploy/grafana-deployment -n tenant-root --for=condition=available --timeout=5m
  # Verify Grafana via ingress
  ingress_ip=$(kubectl get svc root-ingress-controller -n tenant-root -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  if ! curl -sS -k "https://${ingress_ip}" -H 'Host: grafana.example.org' --max-time 30 | grep -q Found; then
    echo "Failed to access Grafana via ingress at ${ingress_ip}" >&2
    exit 1
  fi
 }
@test "Keycloak OIDC stack is healthy" {
  kubectl patch configmap/cozystack -n cozy-system --type merge -p '{"data":{"oidc-enabled":"true"}}'
  timeout 120 sh -ec 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator >/dev/null 2>&1; do sleep 1; done'
  kubectl wait hr/keycloak hr/keycloak-configure hr/keycloak-operator -n cozy-keycloak --timeout=10m --for=condition=ready
 }
--- a/hack/e2e-install-cozystack.bats
+++ b/hack/e2e-install-cozystack.bats
@@ -20,9 +20,9 @@
  kubectl wait deployment/cozystack -n cozy-system --timeout=1m --for=condition=Available
  # Wait until HelmReleases appear & reconcile them
-  timeout 60 sh -ec 'until kubectl get hr -A -l cozystack.io/system-app=true | grep -q cozys; do sleep 1; done'
+  timeout 60 sh -ec 'until kubectl get hr -A | grep -q cozys; do sleep 1; done'
  sleep 5
-  kubectl get hr -A -l cozystack.io/system-app=true | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n "$1" hr/"$2" &"} END {print "wait"}' | sh -ex
+  kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n "$1" hr/"$2" &"} END {print "wait"}' | sh -ex
  # Fail the test if any HelmRelease is not Ready
  if kubectl get hr -A | grep -v " True " | grep -v NAME; then
@@ -42,11 +42,7 @@
  kubectl wait deployment/linstor-controller -n cozy-linstor --timeout=5m --for=condition=available
  timeout 60 sh -ec 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) -eq 3 ]; do sleep 1; done'
  created_pools=$(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor sp l -s data --pastable | awk '$2 == "data" {printf " " $4} END{printf " "}')
  for node in srv1 srv2 srv3; do
    case $created_pools in
      *" $node "*) echo "Storage pool 'data' already exists on node $node"; continue;;
    esac
    kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs ${node} /dev/vdc --pool-name data --storage-pool data
  done
@@ -159,24 +155,3 @@ EOF
  timeout 120 sh -ec 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator >/dev/null 2>&1; do sleep 1; done'
  kubectl wait hr/keycloak hr/keycloak-configure hr/keycloak-operator -n cozy-keycloak --timeout=10m --for=condition=ready
 }
@test "Create tenant with isolated mode enabled" {
  kubectl -n tenant-root get tenants.apps.cozystack.io test || 
  kubectl apply -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Tenant
 metadata:
  name: test
  namespace: tenant-root
 spec:
  etcd: false
  host: ""
  ingress: false
  isolated: true
  monitoring: false
  resourceQuotas: {}
  seaweedfs: false
 EOF
  kubectl wait hr/tenant-test -n tenant-root --timeout=1m --for=condition=ready
  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
 }
--- a/packages/apps/clickhouse/Chart.yaml
+++ b/packages/apps/clickhouse/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.1
+version: 0.10.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/clickhouse/README.md
+++ b/packages/apps/clickhouse/README.md
@@ -50,7 +50,7 @@ For more details, read [Restic: Effective Backup from Stdin](https://blog.aenix.
 | `backup.s3SecretKey`     | Secret key for S3, used for authentication                                  | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
 | `backup.resticPassword`  | Password for Restic backup encryption                                       | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
 | `resources`              | Explicit CPU/memory resource requests and limits for the Clickhouse service | `{}`                                                   |
-| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly.       | `small`                                                |
+| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly.       | `nano`                                                 |
 In production environments, it's recommended to set `resources` explicitly.
--- a/packages/apps/clickhouse/images/clickhouse-backup.tag
+++ b/packages/apps/clickhouse/images/clickhouse-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/clickhouse-backup:0.10.1@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
+ghcr.io/cozystack/cozystack/clickhouse-backup:0.10.0@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
--- a/packages/apps/clickhouse/values.schema.json
+++ b/packages/apps/clickhouse/values.schema.json
@@ -85,7 +85,7 @@
        "resourcesPreset": {
            "type": "string",
            "description": "Use a common resources preset when `resources` is not set explicitly.",
-            "default": "small"
+            "default": "nano"
        }
    }
 }
--- a/packages/apps/clickhouse/values.yaml
+++ b/packages/apps/clickhouse/values.yaml
@@ -50,8 +50,12 @@ backup:
 ## @param resources Explicit CPU/memory resource requests and limits for the Clickhouse service
 resources: {}
 # resources:
- #   cpu: 4000m
+ #   limits:
- #   memory: 4Gi
+ #     cpu: 4000m
 #     memory: 4Gi
 #   requests:
 #     cpu: 100m
 #     memory: 512Mi
 ## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly.
-resourcesPreset: "small"
+resourcesPreset: "nano"
--- a/packages/apps/ferretdb/Chart.yaml
+++ b/packages/apps/ferretdb/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.1
+version: 0.7.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/ferretdb/README.md
+++ b/packages/apps/ferretdb/README.md
@@ -21,17 +21,17 @@
 ### Backup parameters
-| Name                     | Description                                                                                                                                      | Value                                                  |
+| Name                     | Description                                                                                                                                                                                                       | Value                                                  |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable pereiodic backups                                                                                                                         | `false`                                                |
+| `backup.enabled`         | Enable pereiodic backups                                                                                                                                                                                          | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                       | `us-east-1`                                            |
+| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                                                                                        | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                           | `s3.example.org/postgres-backups`                      |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                                                                                            | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                              | `0 2 * * *`                                            |
+| `backup.schedule`        | Cron schedule for automated backups                                                                                                                                                                               | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                         | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                   | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                                                                                    | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                   | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                                                                                    | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                        | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                                                                                         | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Resources                                                                                                                                        | `{}`                                                   |
+| `resources`              | Resources                                                                                                                                                                                                         | `{}`                                                   |
-| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`                                                 |
+| `resourcesPreset`        | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`                                                 |
--- a/packages/apps/ferretdb/values.schema.json
+++ b/packages/apps/ferretdb/values.schema.json
@@ -89,7 +89,7 @@
        },
        "resourcesPreset": {
            "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
            "default": "nano"
        }
    }
--- a/packages/apps/ferretdb/values.yaml
+++ b/packages/apps/ferretdb/values.yaml
@@ -52,8 +52,12 @@ backup:
 ## @param resources Resources
 resources: {}
 # resources:
- #   cpu: 4000m
+ #   limits:
- #   memory: 4Gi
+ #     cpu: 4000m
 #     memory: 4Gi
 #   requests:
 #     cpu: 100m
 #     memory: 512Mi
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 resourcesPreset: "nano"
--- a/packages/apps/http-cache/Chart.yaml
+++ b/packages/apps/http-cache/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.2
+version: 0.5.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/http-cache/README.md
+++ b/packages/apps/http-cache/README.md
@@ -60,17 +60,17 @@ VTS module shows wrong upstream resonse time
 ### Common parameters
-| Name                      | Description                                                                                                                                      | Value   |
+| Name                      | Description                                                                                                                                                                                                       | Value   |
-| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`                | Enable external access from outside the cluster                                                                                                  | `false` |
+| `external`                | Enable external access from outside the cluster                                                                                                                                                                   | `false` |
-| `size`                    | Persistent Volume size                                                                                                                           | `10Gi`  |
+| `size`                    | Persistent Volume size                                                                                                                                                                                            | `10Gi`  |
-| `storageClass`            | StorageClass used to store the data                                                                                                              | `""`    |
+| `storageClass`            | StorageClass used to store the data                                                                                                                                                                               | `""`    |
-| `haproxy.replicas`        | Number of HAProxy replicas                                                                                                                       | `2`     |
+| `haproxy.replicas`        | Number of HAProxy replicas                                                                                                                                                                                        | `2`     |
-| `nginx.replicas`          | Number of Nginx replicas                                                                                                                         | `2`     |
+| `nginx.replicas`          | Number of Nginx replicas                                                                                                                                                                                          | `2`     |
-| `haproxy.resources`       |                                                                                                                                                  | `{}`    |
+| `haproxy.resources`       | Resources                                                                                                                                                                                                         | `{}`    |
-| `haproxy.resourcesPreset` | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`  |
+| `haproxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
-| `nginx.resources`         | Resources                                                                                                                                        | `{}`    |
+| `nginx.resources`         | Resources                                                                                                                                                                                                         | `{}`    |
-| `nginx.resourcesPreset`   | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`  |
+| `nginx.resourcesPreset`   | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
 ### Configuration parameters
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.5.2@sha256:e0a07082bb6fc6aeaae2315f335386f1705a646c72f9e0af512aebbca5cb2b15
+ghcr.io/cozystack/cozystack/nginx-cache:0.5.1@sha256:50ac1581e3100bd6c477a71161cb455a341ffaf9e5e2f6086802e4e25271e8af
--- a/packages/apps/http-cache/values.schema.json
+++ b/packages/apps/http-cache/values.schema.json
@@ -27,12 +27,12 @@
                },
                "resources": {
                    "type": "object",
-                    "description": "",
+                    "description": "Resources",
                    "default": {}
                },
                "resourcesPreset": {
                    "type": "string",
-                    "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+                    "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
                    "default": "nano"
                }
            }
@@ -52,7 +52,7 @@
                },
                "resourcesPreset": {
                    "type": "string",
-                    "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+                    "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
                    "default": "nano"
                }
            }
--- a/packages/apps/http-cache/values.yaml
+++ b/packages/apps/http-cache/values.yaml
@@ -12,23 +12,31 @@ size: 10Gi
 storageClass: ""
 haproxy:
  replicas: 2
-  ## @param haproxy.resources 
+  ## @param haproxy.resources Resources
  resources: {}
  # resources:
-  #   cpu: 4000m
+  #   limits:
-  #   memory: 4Gi
+  #     cpu: 4000m
  #     memory: 4Gi
  #   requests:
  #     cpu: 100m
  #     memory: 512Mi
-  ## @param haproxy.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+  ## @param haproxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
  resourcesPreset: "nano"
 nginx:
  replicas: 2
  ## @param nginx.resources Resources
  resources: {}
  # resources:
-  #   cpu: 4000m
+  #   limits:
-  #   memory: 4Gi
+  #     cpu: 4000m
  #     memory: 4Gi
  #   requests:
  #     cpu: 100m
  #     memory: 512Mi
-  ## @param nginx.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+  ## @param nginx.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
  resourcesPreset: "nano"
 ## @section Configuration parameters
--- a/packages/apps/kafka/Chart.yaml
+++ b/packages/apps/kafka/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.1
+version: 0.7.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kafka/README.md
+++ b/packages/apps/kafka/README.md
@@ -4,19 +4,19 @@
 ### Common parameters
-| Name                        | Description                                                                                                                                      | Value   |
+| Name                        | Description                                                                                                                                                                                                       | Value   |
-| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`                  | Enable external access from outside the cluster                                                                                                  | `false` |
+| `external`                  | Enable external access from outside the cluster                                                                                                                                                                   | `false` |
-| `kafka.size`                | Persistent Volume size for Kafka                                                                                                                 | `10Gi`  |
+| `kafka.size`                | Persistent Volume size for Kafka                                                                                                                                                                                  | `10Gi`  |
-| `kafka.replicas`            | Number of Kafka replicas                                                                                                                         | `3`     |
+| `kafka.replicas`            | Number of Kafka replicas                                                                                                                                                                                          | `3`     |
-| `kafka.storageClass`        | StorageClass used to store the Kafka data                                                                                                        | `""`    |
+| `kafka.storageClass`        | StorageClass used to store the Kafka data                                                                                                                                                                         | `""`    |
-| `zookeeper.size`            | Persistent Volume size for ZooKeeper                                                                                                             | `5Gi`   |
+| `zookeeper.size`            | Persistent Volume size for ZooKeeper                                                                                                                                                                              | `5Gi`   |
-| `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                                     | `3`     |
+| `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                                                                                                      | `3`     |
-| `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                                    | `""`    |
+| `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                                                                                                     | `""`    |
-| `kafka.resources`           | Resources                                                                                                                                        | `{}`    |
+| `kafka.resources`           | Resources                                                                                                                                                                                                         | `{}`    |
-| `kafka.resourcesPreset`     | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `small` |
+| `kafka.resourcesPreset`     | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
-| `zookeeper.resources`       | Resources                                                                                                                                        | `{}`    |
+| `zookeeper.resources`       | Resources                                                                                                                                                                                                         | `{}`    |
-| `zookeeper.resourcesPreset` | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `small` |
+| `zookeeper.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
 ### Configuration parameters
--- a/packages/apps/kafka/values.schema.json
+++ b/packages/apps/kafka/values.schema.json
@@ -32,7 +32,7 @@
                },
                "resourcesPreset": {
                    "type": "string",
-                    "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+                    "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
                    "default": "small"
                }
            }
@@ -62,8 +62,8 @@
                },
                "resourcesPreset": {
                    "type": "string",
-                    "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+                    "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "small"
+                    "default": "micro"
                }
            }
        },
--- a/packages/apps/kafka/values.yaml
+++ b/packages/apps/kafka/values.yaml
@@ -17,10 +17,14 @@ kafka:
  ## @param kafka.resources Resources
  resources: {}
  # resources:
-  #   cpu: 4000m
+  #   limits:
-  #   memory: 4Gi
+  #     cpu: 4000m
  #     memory: 4Gi
  #   requests:
  #     cpu: 100m
  #     memory: 512Mi
-  ## @param kafka.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+  ## @param kafka.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
  resourcesPreset: "small"
 zookeeper:
@@ -30,11 +34,15 @@ zookeeper:
  ## @param zookeeper.resources Resources
  resources: {}
  # resources:
-  #   cpu: 4000m
+  #   limits:
-  #   memory: 4Gi
+  #     cpu: 4000m
  #     memory: 4Gi
  #   requests:
  #     cpu: 100m
  #     memory: 512Mi
-  ## @param zookeeper.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+  ## @param zookeeper.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
-  resourcesPreset: "small"
+  resourcesPreset: "micro"
 ## @section Configuration parameters
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.24.2
+version: 0.24.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kubernetes/README.md
+++ b/packages/apps/kubernetes/README.md
@@ -81,12 +81,13 @@ See the reference for components utilized in this service:
 ### Common Parameters
-| Name                    | Description                                                                                                       | Value        |
+| Name                                | Description                                                                                                       | Value        |
-| ----------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
+| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
-| `host`                  | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
+| `host`                              | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
-| `controlPlane.replicas` | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
+| `controlPlane.replicas`             | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
-| `storageClass`          | StorageClass used to store user data.                                                                             | `replicated` |
+| `storageClass`                      | StorageClass used to store user data.                                                                             | `replicated` |
-| `nodeGroups`            | nodeGroups configuration                                                                                          | `{}`         |
+| `useCustomSecretForPatchContainerd` | if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd                           | `false`      |
 | `nodeGroups`                        | nodeGroups configuration                                                                                          | `{}`         |
 ### Cluster Addons
@@ -109,16 +110,16 @@ See the reference for components utilized in this service:
 ### Kubernetes Control Plane Configuration
-| Name                                               | Description                                                                                                                                      | Value    |
+| Name                                               | Description                                                                  | Value    |
-| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------- |
+| -------------------------------------------------- | ---------------------------------------------------------------------------- | -------- |
-| `controlPlane.apiServer.resources`                 | Explicit CPU/memory resource requests and limits for the API server.                                                                             | `{}`     |
+| `controlPlane.apiServer.resources`                 | Explicit CPU/memory resource requests and limits for the API server.         | `{}`     |
-| `controlPlane.apiServer.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `medium` |
+| `controlPlane.apiServer.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly.        | `medium` |
-| `controlPlane.controllerManager.resources`         | Explicit CPU/memory resource requests and limits for the controller manager.                                                                     | `{}`     |
+| `controlPlane.controllerManager.resources`         | Explicit CPU/memory resource requests and limits for the controller manager. | `{}`     |
-| `controlPlane.controllerManager.resourcesPreset`   | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `micro`  |
+| `controlPlane.controllerManager.resourcesPreset`   | Use a common resources preset when `resources` is not set explicitly.        | `micro`  |
-| `controlPlane.scheduler.resources`                 | Explicit CPU/memory resource requests and limits for the scheduler.                                                                              | `{}`     |
+| `controlPlane.scheduler.resources`                 | Explicit CPU/memory resource requests and limits for the scheduler.          | `{}`     |
-| `controlPlane.scheduler.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `micro`  |
+| `controlPlane.scheduler.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly.        | `micro`  |
-| `controlPlane.konnectivity.server.resources`       | Explicit CPU/memory resource requests and limits for the Konnectivity.                                                                           | `{}`     |
+| `controlPlane.konnectivity.server.resources`       | Explicit CPU/memory resource requests and limits for the Konnectivity.       | `{}`     |
-| `controlPlane.konnectivity.server.resourcesPreset` | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `micro`  |
+| `controlPlane.konnectivity.server.resourcesPreset` | Use a common resources preset when `resources` is not set explicitly.        | `micro`  |
 In production environments, it's recommended to set `resources` explicitly.
 Example of `controlPlane.*.resources`:
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.24.2@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.24.0@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.24.2@sha256:b478952fab735f85c3ba15835012b1de8af5578b33a8a2670eaf532ffc17681e
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.24.0@sha256:b478952fab735f85c3ba15835012b1de8af5578b33a8a2670eaf532ffc17681e
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.24.2@sha256:598ab20550dbf495717e8e123e6b626bb36298f88dde851664301d393ac06ca3
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.24.0@sha256:4d3728b2050d4e0adb00b9f4abbb4a020b29e1a39f24ca1447806fc81f110fa6
--- a/packages/apps/kubernetes/templates/copy-patch-containerd.yaml
+++ b/packages/apps/kubernetes/templates/copy-patch-containerd.yaml
@@ -1,3 +1,4 @@
 {{- if not .Values.useCustomSecretForPatchContainerd }}
 {{- $sourceSecret := lookup "v1" "Secret" "cozy-system" "patch-containerd" }}
 {{- if $sourceSecret }}
 apiVersion: v1
@@ -11,3 +12,4 @@ data:
  {{ printf "%s: %s" $key ($value | quote) | indent 2 }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml
@@ -1,4 +1,3 @@
 {{- if .Values.addons.certManager.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -55,4 +54,3 @@ stringData:
  values: |
    {{- toYaml .Values.addons.certManager.valuesOverride | nindent 4 }}
 {{- end }}
 {{- end }}
--- a/packages/apps/kubernetes/values.schema.json
+++ b/packages/apps/kubernetes/values.schema.json
@@ -25,7 +25,7 @@
            },
            "resourcesPreset": {
              "type": "string",
-              "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+              "description": "Use a common resources preset when `resources` is not set explicitly.",
              "default": "medium",
              "enum": [
                "none",
@@ -50,7 +50,7 @@
            },
            "resourcesPreset": {
              "type": "string",
-              "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+              "description": "Use a common resources preset when `resources` is not set explicitly.",
              "default": "micro",
              "enum": [
                "none",
@@ -75,7 +75,7 @@
            },
            "resourcesPreset": {
              "type": "string",
-              "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+              "description": "Use a common resources preset when `resources` is not set explicitly.",
              "default": "micro",
              "enum": [
                "none",
@@ -103,7 +103,7 @@
                },
                "resourcesPreset": {
                  "type": "string",
-                  "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+                  "description": "Use a common resources preset when `resources` is not set explicitly.",
                  "default": "micro",
                  "enum": [
                    "none",
@@ -127,6 +127,11 @@
      "description": "StorageClass used to store user data.",
      "default": "replicated"
    },
    "useCustomSecretForPatchContainerd": {
      "type": "boolean",
      "description": "if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd",
      "default": false
    },
    "addons": {
      "type": "object",
      "properties": {
--- a/packages/apps/kubernetes/values.yaml
+++ b/packages/apps/kubernetes/values.yaml
@@ -3,9 +3,11 @@
 ## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
 ## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
 ## @param storageClass StorageClass used to store user data.
 ## @param useCustomSecretForPatchContainerd if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd
 ##
 host: ""
 storageClass: replicated
 useCustomSecretForPatchContainerd: false
 ## @param nodeGroups [object] nodeGroups configuration
 ##
@@ -111,30 +113,34 @@ controlPlane:
  apiServer:
    ## @param controlPlane.apiServer.resources Explicit CPU/memory resource requests and limits for the API server.
-    ## @param controlPlane.apiServer.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+    ## @param controlPlane.apiServer.resourcesPreset Use a common resources preset when `resources` is not set explicitly.
    ## e.g:
    ## resources:
-    ##   cpu: 4000m
+    ##   limits:
-    ##   memory: 4Gi
+    ##     cpu: 4000m
    ##     memory: 4Gi
    ##   requests:
    ##     cpu: 100m
    ##     memory: 512Mi
    ##
    resourcesPreset: "medium"
    resources: {}
  controllerManager:
    ## @param controlPlane.controllerManager.resources Explicit CPU/memory resource requests and limits for the controller manager.
-    ## @param controlPlane.controllerManager.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+    ## @param controlPlane.controllerManager.resourcesPreset Use a common resources preset when `resources` is not set explicitly.
    resourcesPreset: "micro"
    resources: {}
  scheduler:
    ## @param controlPlane.scheduler.resources Explicit CPU/memory resource requests and limits for the scheduler.
-    ## @param controlPlane.scheduler.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+    ## @param controlPlane.scheduler.resourcesPreset Use a common resources preset when `resources` is not set explicitly.
    resourcesPreset: "micro"
    resources: {}
  konnectivity:
    server:
      ## @param controlPlane.konnectivity.server.resources Explicit CPU/memory resource requests and limits for the Konnectivity.
-      ## @param controlPlane.konnectivity.server.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+      ## @param controlPlane.konnectivity.server.resourcesPreset Use a common resources preset when `resources` is not set explicitly.
      resourcesPreset: "micro"
      resources: {}
--- a/packages/apps/mysql/Chart.yaml
+++ b/packages/apps/mysql/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.1
+version: 0.8.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/mysql/README.md
+++ b/packages/apps/mysql/README.md
@@ -83,16 +83,16 @@ more details:
 ### Backup parameters
-| Name                     | Description                                                                                                                                      | Value                                                  |
+| Name                     | Description                                                                                                                                                                                                       | Value                                                  |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable pereiodic backups                                                                                                                         | `false`                                                |
+| `backup.enabled`         | Enable pereiodic backups                                                                                                                                                                                          | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                       | `us-east-1`                                            |
+| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                                                                                        | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                           | `s3.example.org/postgres-backups`                      |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                                                                                            | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                              | `0 2 * * *`                                            |
+| `backup.schedule`        | Cron schedule for automated backups                                                                                                                                                                               | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                         | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                   | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                                                                                    | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                   | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                                                                                    | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                        | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                                                                                         | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Resources                                                                                                                                        | `{}`                                                   |
+| `resources`              | Resources                                                                                                                                                                                                         | `{}`                                                   |
-| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`                                                 |
+| `resourcesPreset`        | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`                                                 |
--- a/packages/apps/mysql/images/mariadb-backup.tag
+++ b/packages/apps/mysql/images/mariadb-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/mariadb-backup:0.8.1@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4
+ghcr.io/cozystack/cozystack/mariadb-backup:0.8.0@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4
--- a/packages/apps/mysql/values.schema.json
+++ b/packages/apps/mysql/values.schema.json
@@ -74,7 +74,7 @@
        },
        "resourcesPreset": {
            "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
            "default": "nano"
        }
    }
--- a/packages/apps/mysql/values.yaml
+++ b/packages/apps/mysql/values.yaml
@@ -58,8 +58,12 @@ backup:
 ## @param resources Resources
 resources: {}
 # resources:
- #   cpu: 4000m
+ #   limits:
- #   memory: 4Gi
+ #     cpu: 4000m
 #     memory: 4Gi
 #   requests:
 #     cpu: 100m
 #     memory: 512Mi
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 resourcesPreset: "nano"
--- a/packages/apps/nats/Chart.yaml
+++ b/packages/apps/nats/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.1
+version: 0.7.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/nats/README.md
+++ b/packages/apps/nats/README.md
@@ -4,15 +4,15 @@
 ### Common parameters
-| Name                | Description                                                                                                                                      | Value   |
+| Name                | Description                                                                                                                                                                                                       | Value   |
-| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`          | Enable external access from outside the cluster                                                                                                  | `false` |
+| `external`          | Enable external access from outside the cluster                                                                                                                                                                   | `false` |
-| `replicas`          | Persistent Volume size for NATS                                                                                                                  | `2`     |
+| `replicas`          | Persistent Volume size for NATS                                                                                                                                                                                   | `2`     |
-| `storageClass`      | StorageClass used to store the data                                                                                                              | `""`    |
+| `storageClass`      | StorageClass used to store the data                                                                                                                                                                               | `""`    |
-| `users`             | Users configuration                                                                                                                              | `{}`    |
+| `users`             | Users configuration                                                                                                                                                                                               | `{}`    |
-| `jetstream.size`    | Jetstream persistent storage size                                                                                                                | `10Gi`  |
+| `jetstream.size`    | Jetstream persistent storage size                                                                                                                                                                                 | `10Gi`  |
-| `jetstream.enabled` | Enable or disable Jetstream                                                                                                                      | `true`  |
+| `jetstream.enabled` | Enable or disable Jetstream                                                                                                                                                                                       | `true`  |
-| `config.merge`      | Additional configuration to merge into NATS config                                                                                               | `{}`    |
+| `config.merge`      | Additional configuration to merge into NATS config                                                                                                                                                                | `{}`    |
-| `config.resolver`   | Additional configuration to merge into NATS config                                                                                               | `{}`    |
+| `config.resolver`   | Additional configuration to merge into NATS config                                                                                                                                                                | `{}`    |
-| `resources`         | Resources                                                                                                                                        | `{}`    |
+| `resources`         | Resources                                                                                                                                                                                                         | `{}`    |
-| `resourcesPreset`   | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`  |
+| `resourcesPreset`   | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
--- a/packages/apps/nats/values.schema.json
+++ b/packages/apps/nats/values.schema.json
@@ -54,7 +54,7 @@
        },
        "resourcesPreset": {
            "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
            "default": "nano"
        }
    }
--- a/packages/apps/nats/values.yaml
+++ b/packages/apps/nats/values.yaml
@@ -65,8 +65,12 @@ config:
 ## @param resources Resources
 resources: {}
 # resources:
- #   cpu: 4000m
+ #   limits:
- #   memory: 4Gi
+ #     cpu: 4000m
 #     memory: 4Gi
 #   requests:
 #     cpu: 100m
 #     memory: 512Mi
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 resourcesPreset: "nano"
--- a/packages/apps/postgres/Chart.yaml
+++ b/packages/apps/postgres/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.15.1
+version: 0.14.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/postgres/Makefile
+++ b/packages/apps/postgres/Makefile
@@ -1,4 +1,24 @@
 POSTGRES_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
 image:
 	docker buildx build images/postgres-backup \
 		--provenance false \
 		--builder=$(BUILDER) \
 		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/postgres-backup:$(call settag,$(POSTGRES_BACKUP_TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/postgres-backup:latest \
 		--cache-to type=inline \
 		--metadata-file images/postgres-backup.json \
 		--push=$(PUSH) \
 		--label "org.opencontainers.image.source=https://github.com/cozystack/cozystack" \
 		--load=$(LOAD)
 	echo "$(REGISTRY)/postgres-backup:$(call settag,$(POSTGRES_BACKUP_TAG))@$$(yq e '."containerimage.digest"' images/postgres-backup.json -o json -r)" \
 		> images/postgres-backup.tag
 	cp images/postgres-backup.tag ../ferretdb/images/
 	rm -f images/postgres-backup.json
--- a/packages/apps/postgres/README.md
+++ b/packages/apps/postgres/README.md
@@ -58,22 +58,15 @@ more details:
 ### Backup parameters
-| Name                     | Description                                                          | Value                               |
+| Name                     | Description                                                                                                                                                                                                       | Value                                                  |
-| ------------------------ | -------------------------------------------------------------------- | ----------------------------------- |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable pereiodic backups                                             | `false`                             |
+| `backup.enabled`         | Enable pereiodic backups                                                                                                                                                                                          | `false`                                                |
-| `backup.schedule`        | Cron schedule for automated backups                                  | `0 2 * * * *`                       |
+| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                                                                                        | `us-east-1`                                            |
-| `backup.retentionPolicy` | The retention policy                                                 | `30d`                               |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                                                                                            | `s3.example.org/postgres-backups`                      |
-| `backup.destinationPath` | The path where to store the backup (i.e. s3://bucket/path/to/folder) | `s3://BUCKET_NAME/`                 |
+| `backup.schedule`        | Cron schedule for automated backups                                                                                                                                                                               | `0 2 * * *`                                            |
-| `backup.endpointURL`     | Endpoint to be used to upload data to the cloud                      | `http://minio-gateway-service:9000` |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                       | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                                                                                    | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                       | `ju3eum4dekeich9ahM1te8waeGai0oog`  |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                                                                                    | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-
+| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                                                                                         | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-### Bootstrap parameters
+| `resources`              | Resources                                                                                                                                                                                                         | `{}`                                                   |
-
+| `resourcesPreset`        | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`                                                 |
 | Name                     | Description                                                                                                                                      | Value   |
 | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
 | `bootstrap.enabled`      | Restore cluster from backup                                                                                                                      | `false` |
 | `bootstrap.recoveryTime` | Time stamp up to which recovery will proceed, expressed in RFC 3339 format, if empty, will restore latest                                        | `""`    |
 | `bootstrap.oldName`      | Name of cluster before deleting                                                                                                                  | `""`    |
 | `resources`              | Resources                                                                                                                                        | `{}`    |
 | `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `micro` |
--- a/packages/apps/postgres/images/postgres-backup.tag
+++ b/packages/apps/postgres/images/postgres-backup.tag
@@ -0,0 +1 @@
 ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f
--- a/packages/apps/postgres/images/postgres-backup/Dockerfile
+++ b/packages/apps/postgres/images/postgres-backup/Dockerfile
@@ -0,0 +1,2 @@
 FROM alpine:3.22
 RUN apk add --no-cache postgresql17-client uuidgen restic
--- a/packages/apps/postgres/templates/backup-cronjob.yaml
+++ b/packages/apps/postgres/templates/backup-cronjob.yaml
@@ -0,0 +1,99 @@
 {{- if .Values.backup.enabled }}
 {{ $image := .Files.Get "images/backup.json" | fromJson }}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: {{ .Release.Name }}-backup
 spec:
  schedule: "{{ .Values.backup.schedule }}"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        metadata:
          annotations:
            checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }}
            checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }}
        spec:
          imagePullSecrets:
          - name: {{ .Release.Name }}-regsecret
          restartPolicy: OnFailure
          containers:
          - name: pgdump
            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
            command:
            - /bin/sh
            - /scripts/backup.sh
            env:
            - name: REPO_PREFIX
              value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }}
            - name: CLEANUP_STRATEGY
              value: {{ required "cleanupStrategy is not specified!" .Values.backup.cleanupStrategy | quote }}
            - name: PGUSER
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-superuser
                  key: username
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-superuser
                  key: password
            - name: PGHOST
              value: {{ .Release.Name }}-rw
            - name: PGPORT
              value: "5432"
            - name: PGDATABASE
              value: postgres
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-backup
                  key: s3AccessKey
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-backup
                  key: s3SecretKey
            - name: AWS_DEFAULT_REGION
              value: {{ .Values.backup.s3Region }}
            - name: RESTIC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-backup
                  key: resticPassword
            volumeMounts:
            - mountPath: /scripts
              name: scripts
            - mountPath: /tmp
              name: tmp
            - mountPath: /.cache
              name: cache
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
              privileged: false
              readOnlyRootFilesystem: true
              runAsNonRoot: true
            {{- include "postgresjobs.resources" . | nindent 12 }}
          volumes:
          - name: scripts
            secret:
              secretName: {{ .Release.Name }}-backup-script
          - name: tmp
            emptyDir: {}
          - name: cache
            emptyDir: {}
          securityContext:
            runAsNonRoot: true
            runAsUser: 9000
            runAsGroup: 9000
            seccompProfile:
              type: RuntimeDefault
 {{- end }}
--- a/packages/apps/postgres/templates/backup-script.yaml
+++ b/packages/apps/postgres/templates/backup-script.yaml
@@ -0,0 +1,50 @@
 {{- if .Values.backup.enabled }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ .Release.Name }}-backup-script
 stringData:
  backup.sh: |
    #!/bin/sh
    set -e
    set -o pipefail
    JOB_ID="job-$(uuidgen|cut -f1 -d-)"
    DB_LIST=$(psql -Atq -c 'SELECT datname FROM pg_catalog.pg_database;' | grep -v '^\(postgres\|app\|template.*\)$')
    echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list
    echo "Job ID: $JOB_ID"
    echo "Target repo: $REPO_PREFIX"
    echo "Cleanup strategy: $CLEANUP_STRATEGY"
    echo "Start backup for:"
    echo "$DB_LIST"
    echo
    echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`"
    for db in $DB_LIST; do
      (
        set -x
        restic -r "s3:${REPO_PREFIX}/$db" cat config >/dev/null 2>&1 || \
          restic -r "s3:${REPO_PREFIX}/$db" init --repository-version 2
        restic -r "s3:${REPO_PREFIX}/$db" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it
        pg_dump -Z0 -Ft -d "$db" | \
          restic -r "s3:${REPO_PREFIX}/$db" backup --tag "$JOB_ID" --stdin --stdin-filename dump.tar
        restic -r "s3:${REPO_PREFIX}/$db" tag --tag "$JOB_ID" --set "completed"
      )
    done
    echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`"
    echo
    echo "Run cleanup:"
    echo
    echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`"
    for db in $DB_LIST; do
      (
        set -x
        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" # keep completed snapshots only
        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY
        restic prune -r "s3:${REPO_PREFIX}/$db"
      )
    done
    echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`"
 {{- end }}
--- a/packages/apps/postgres/templates/backup-secret.yaml
+++ b/packages/apps/postgres/templates/backup-secret.yaml
@@ -1,10 +1,11 @@
-{{- if or .Values.backup.enabled .Values.bootstrap.enabled }}
+{{- if .Values.backup.enabled }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-s3-creds
+  name: {{ .Release.Name }}-backup
 stringData:
-  AWS_ACCESS_KEY_ID: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey | quote }}
+  s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
-  AWS_SECRET_ACCESS_KEY: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey | quote }}
+  s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
  resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
 {{- end }}
--- a/packages/apps/postgres/templates/backup.yaml
+++ b/packages/apps/postgres/templates/backup.yaml
@@ -1,12 +0,0 @@
 {{- if .Values.backup.enabled }}
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: ScheduledBackup
 metadata:
  name: {{ .Release.Name }}
 spec:
  schedule: {{ .Values.backup.schedule | quote }}
  backupOwnerReference: self
  cluster:
    name: {{ .Release.Name }}
 {{- end }}
--- a/packages/apps/postgres/templates/db.yaml
+++ b/packages/apps/postgres/templates/db.yaml
@@ -5,43 +5,6 @@ metadata:
  name: {{ .Release.Name }}
 spec:
  instances: {{ .Values.replicas }}
  {{- if .Values.backup.enabled }}
  backup:
    barmanObjectStore:
      destinationPath: {{ .Values.backup.destinationPath }}
      endpointURL: {{ .Values.backup.endpointURL }}
      s3Credentials:
        accessKeyId:
          name: {{ .Release.Name }}-s3-creds
          key: AWS_ACCESS_KEY_ID
        secretAccessKey:
          name: {{ .Release.Name }}-s3-creds
          key: AWS_SECRET_ACCESS_KEY
    retentionPolicy: {{ .Values.backup.retentionPolicy }}
  {{- end }}
  {{- if .Values.bootstrap.enabled }}
  bootstrap:
    recovery:
      source: {{ .Values.bootstrap.oldName }}
      {{- if .Values.bootstrap.recoveryTime }}
      recoveryTarget:
        targetTime: {{ .Values.bootstrap.recoveryTime }}
      {{- end }}
  externalClusters:
    - name: {{ .Values.bootstrap.oldName }}
      barmanObjectStore:
        destinationPath: {{ .Values.backup.destinationPath }}
        endpointURL: {{ .Values.backup.endpointURL }}
        s3Credentials:
          accessKeyId:
            name: {{ .Release.Name }}-s3-creds
            key: AWS_ACCESS_KEY_ID
          secretAccessKey:
            name: {{ .Release.Name }}-s3-creds
            key: AWS_SECRET_ACCESS_KEY
  {{- end }}
  {{- if .Values.resources }}
  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
  {{- else if ne .Values.resourcesPreset "none" }}
--- a/packages/apps/postgres/templates/init-script.yaml
+++ b/packages/apps/postgres/templates/init-script.yaml
@@ -41,10 +41,10 @@ stringData:
    {{- if .Values.users }}
    psql -v ON_ERROR_STOP=1 <<\EOT
    {{- range $user, $u := .Values.users }}
-    SELECT 'CREATE ROLE "{{ $user }}" LOGIN INHERIT;'
+    SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE "{{ $user }}" WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
-    COMMENT ON ROLE "{{ $user }}" IS 'user managed by helm';
+    COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
    {{- end }}
    EOT
    {{- end }}
@@ -68,15 +68,15 @@ stringData:
    {{- if .Values.databases }}
    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
    {{- range $database, $d := .Values.databases }}
-    SELECT 'CREATE DATABASE "{{ $database }}"'
+    SELECT 'CREATE DATABASE {{ $database }}'
    WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '{{ $database }}')\gexec
-    COMMENT ON DATABASE "{{ $database }}" IS 'database managed by helm';
+    COMMENT ON DATABASE {{ $database }} IS 'database managed by helm';
-    SELECT 'CREATE ROLE "{{ $database }}_admin" NOINHERIT;'
+    SELECT 'CREATE ROLE {{ $database }}_admin NOINHERIT;'
    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $database }}_admin')\gexec
-    COMMENT ON ROLE "{{ $database }}_admin" IS 'role managed by helm';
+    COMMENT ON ROLE {{ $database }}_admin IS 'role managed by helm';
-    SELECT 'CREATE ROLE "{{ $database }}_readonly" NOINHERIT;'
+    SELECT 'CREATE ROLE {{ $database }}_readonly NOINHERIT;'
    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $database }}_readonly')\gexec
-    COMMENT ON ROLE "{{ $database }}_readonly" IS 'role managed by helm';
+    COMMENT ON ROLE {{ $database }}_readonly IS 'role managed by helm';
    {{- end }}
    EOT
    {{- end }}
@@ -84,8 +84,8 @@ stringData:
    echo "== grant privileges on databases to roles"
    {{- range $database, $d := .Values.databases }}
    psql -v ON_ERROR_STOP=1 --echo-all -d "{{ $database }}" <<\EOT
-    ALTER DATABASE "{{ $database }}" OWNER TO "{{ $database }}_admin";
+    ALTER DATABASE {{ $database }} OWNER TO {{ $database }}_admin;
-    GRANT CONNECT ON DATABASE "{{ $database }}" TO "{{ $database }}_readonly";
+    GRANT CONNECT ON DATABASE {{ $database }} TO {{ $database }}_readonly;
    DO $$
    DECLARE
@@ -165,14 +165,14 @@ stringData:
    {{- range $database, $d := .Values.databases }}
    {{- range $user, $u := $.Values.users }}
    {{- if has $user $d.roles.admin }}
-    GRANT "{{ $database }}_admin" TO "{{ $user }}";
+    GRANT {{ $database }}_admin TO {{ $user }};
    {{- else }}
-    REVOKE "{{ $database }}_admin" FROM "{{ $user }}";
+    REVOKE {{ $database }}_admin FROM {{ $user }};
    {{- end }}
    {{- if has $user $d.roles.readonly }}
-    GRANT "{{ $database }}_readonly" TO "{{ $user }}";
+    GRANT {{ $database }}_readonly TO {{ $user }};
    {{- else }}
-    REVOKE "{{ $database }}_readonly" FROM "{{ $user }}";
+    REVOKE {{ $database }}_readonly FROM {{ $user }};
    {{- end }}
    {{- end }}
    {{- end }}
--- a/packages/apps/postgres/values.schema.json
+++ b/packages/apps/postgres/values.schema.json
@@ -65,25 +65,25 @@
                    "description": "Enable pereiodic backups",
                    "default": false
                },
                "s3Region": {
                    "type": "string",
                    "description": "The AWS S3 region where backups are stored",
                    "default": "us-east-1"
                },
                "s3Bucket": {
                    "type": "string",
                    "description": "The S3 bucket used for storing backups",
                    "default": "s3.example.org/postgres-backups"
                },
                "schedule": {
                    "type": "string",
                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * * *"
+                    "default": "0 2 * * *"
                },
-                "retentionPolicy": {
+                "cleanupStrategy": {
                    "type": "string",
-                    "description": "The retention policy",
+                    "description": "The strategy for cleaning up old backups",
-                    "default": "30d"
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
                },
                "destinationPath": {
                    "type": "string",
                    "description": "The path where to store the backup (i.e. s3://bucket/path/to/folder)",
                    "default": "s3://BUCKET_NAME/"
                },
                "endpointURL": {
                    "type": "string",
                    "description": "Endpoint to be used to upload data to the cloud",
                    "default": "http://minio-gateway-service:9000"
                },
                "s3AccessKey": {
                    "type": "string",
@@ -94,26 +94,11 @@
                    "type": "string",
                    "description": "The secret key for S3, used for authentication",
                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
                }
            }
        },
        "bootstrap": {
            "type": "object",
            "properties": {
                "enabled": {
                    "type": "boolean",
                    "description": "Restore cluster from backup",
                    "default": false
                },
-                "recoveryTime": {
+                "resticPassword": {
                    "type": "string",
-                    "description": "Time stamp up to which recovery will proceed, expressed in RFC 3339 format, if empty, will restore latest",
+                    "description": "The password for Restic backup encryption",
-                    "default": ""
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
                },
                "oldName": {
                    "type": "string",
                    "description": "Name of cluster before deleting",
                    "default": ""
                }
            }
        },
@@ -124,8 +109,8 @@
        },
        "resourcesPreset": {
            "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-            "default": "micro"
+            "default": "nano"
        }
    }
 }
--- a/packages/apps/postgres/values.yaml
+++ b/packages/apps/postgres/values.yaml
@@ -60,38 +60,32 @@ databases: {}
 ## @section Backup parameters
 ## @param backup.enabled Enable pereiodic backups
 ## @param backup.s3Region The AWS S3 region where backups are stored
 ## @param backup.s3Bucket The S3 bucket used for storing backups
 ## @param backup.schedule Cron schedule for automated backups
-## @param backup.retentionPolicy The retention policy
+## @param backup.cleanupStrategy The strategy for cleaning up old backups
 ## @param backup.destinationPath The path where to store the backup (i.e. s3://bucket/path/to/folder)
 ## @param backup.endpointURL Endpoint to be used to upload data to the cloud
 ## @param backup.s3AccessKey The access key for S3, used for authentication
 ## @param backup.s3SecretKey The secret key for S3, used for authentication
 ## @param backup.resticPassword The password for Restic backup encryption
 backup:
  enabled: false
-  retentionPolicy: 30d
+  s3Region: us-east-1
-  destinationPath: s3://BUCKET_NAME/
+  s3Bucket: s3.example.org/postgres-backups
-  endpointURL: http://minio-gateway-service:9000
+  schedule: "0 2 * * *"
-  schedule: "0 2 * * * *"
+  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-
+  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
 ## @section Bootstrap parameters
 ## @param bootstrap.enabled Restore cluster from backup
 ## @param bootstrap.recoveryTime Time stamp up to which recovery will proceed, expressed in RFC 3339 format, if empty, will restore latest
 ## @param bootstrap.oldName Name of cluster before deleting
 ##
 bootstrap:
  enabled: false
  # example: 2020-11-26 15:22:00.00000+00
  recoveryTime: ""
  oldName: ""
 ## @param resources Resources
 resources: {}
 # resources:
- #   cpu: 4000m
+ #   limits:
- #   memory: 4Gi
+ #     cpu: 4000m
 #     memory: 4Gi
 #   requests:
 #     cpu: 100m
 #     memory: 512Mi
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
-resourcesPreset: "micro"
+resourcesPreset: "nano"
--- a/packages/apps/rabbitmq/Chart.yaml
+++ b/packages/apps/rabbitmq/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.1
+version: 0.7.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/rabbitmq/README.md
+++ b/packages/apps/rabbitmq/README.md
@@ -22,9 +22,9 @@ The service utilizes official RabbitMQ operator. This ensures the reliability an
 ### Configuration parameters
-| Name              | Description                                                                                                                                      | Value  |
+| Name              | Description                                                                                                                                                                                                       | Value  |
-| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------ |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| `users`           | Users configuration                                                                                                                              | `{}`   |
+| `users`           | Users configuration                                                                                                                                                                                               | `{}`   |
-| `vhosts`          | Virtual Hosts configuration                                                                                                                      | `{}`   |
+| `vhosts`          | Virtual Hosts configuration                                                                                                                                                                                       | `{}`   |
-| `resources`       | Resources                                                                                                                                        | `{}`   |
+| `resources`       | Resources                                                                                                                                                                                                         | `{}`   |
-| `resourcesPreset` | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano` |
+| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` |
--- a/packages/apps/rabbitmq/values.schema.json
+++ b/packages/apps/rabbitmq/values.schema.json
@@ -34,7 +34,7 @@
        },
        "resourcesPreset": {
            "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
            "default": "nano"
        }
    }
--- a/packages/apps/rabbitmq/values.yaml
+++ b/packages/apps/rabbitmq/values.yaml
@@ -43,8 +43,12 @@ vhosts: {}
 ## @param resources Resources
 resources: {}
 # resources:
- #   cpu: 4000m
+ #   limits:
- #   memory: 4Gi
+ #     cpu: 4000m
 #     memory: 4Gi
 #   requests:
 #     cpu: 100m
 #     memory: 512Mi
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 resourcesPreset: "nano"
--- a/packages/apps/redis/Chart.yaml
+++ b/packages/apps/redis/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.1
+version: 0.8.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/redis/README.md
+++ b/packages/apps/redis/README.md
@@ -13,14 +13,14 @@ Service utilizes the Spotahome Redis Operator for efficient management and orche
 ### Common parameters
-| Name              | Description                                                                                                                                      | Value   |
+| Name              | Description                                                                                                                                                                                                       | Value   |
-| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`        | Enable external access from outside the cluster                                                                                                  | `false` |
+| `external`        | Enable external access from outside the cluster                                                                                                                                                                   | `false` |
-| `size`            | Persistent Volume size                                                                                                                           | `1Gi`   |
+| `size`            | Persistent Volume size                                                                                                                                                                                            | `1Gi`   |
-| `replicas`        | Number of Redis replicas                                                                                                                         | `2`     |
+| `replicas`        | Number of Redis replicas                                                                                                                                                                                          | `2`     |
-| `storageClass`    | StorageClass used to store the data                                                                                                              | `""`    |
+| `storageClass`    | StorageClass used to store the data                                                                                                                                                                               | `""`    |
-| `authEnabled`     | Enable password generation                                                                                                                       | `true`  |
+| `authEnabled`     | Enable password generation                                                                                                                                                                                        | `true`  |
-| `resources`       | Resources                                                                                                                                        | `{}`    |
+| `resources`       | Resources                                                                                                                                                                                                         | `{}`    |
-| `resourcesPreset` | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`  |
+| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
--- a/packages/apps/redis/values.schema.json
+++ b/packages/apps/redis/values.schema.json
@@ -34,7 +34,7 @@
        },
        "resourcesPreset": {
            "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
            "default": "nano"
        }
    }
--- a/packages/apps/redis/values.yaml
+++ b/packages/apps/redis/values.yaml
@@ -15,8 +15,12 @@ authEnabled: true
 ## @param resources Resources
 resources: {}
 # resources:
- #   cpu: 4000m
+ #   limits:
- #   memory: 4Gi
+ #     cpu: 4000m
 #     memory: 4Gi
 #   requests:
 #     cpu: 100m
 #     memory: 512Mi
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 resourcesPreset: "nano"
--- a/packages/apps/tcp-balancer/Chart.yaml
+++ b/packages/apps/tcp-balancer/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.2
+version: 0.4.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/tcp-balancer/README.md
+++ b/packages/apps/tcp-balancer/README.md
@@ -19,13 +19,13 @@ Managed TCP Load Balancer Service efficiently utilizes HAProxy for load balancin
 ### Configuration parameters
-| Name                             | Description                                                                                                                                      | Value   |
+| Name                             | Description                                                                                                                                                                                                       | Value   |
-| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `httpAndHttps.mode`              | Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`                                                                                    | `tcp`   |
+| `httpAndHttps.mode`              | Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`                                                                                                                                                     | `tcp`   |
-| `httpAndHttps.targetPorts.http`  | HTTP port number.                                                                                                                                | `80`    |
+| `httpAndHttps.targetPorts.http`  | HTTP port number.                                                                                                                                                                                                 | `80`    |
-| `httpAndHttps.targetPorts.https` | HTTPS port number.                                                                                                                               | `443`   |
+| `httpAndHttps.targetPorts.https` | HTTPS port number.                                                                                                                                                                                                | `443`   |
-| `httpAndHttps.endpoints`         | Endpoint addresses list                                                                                                                          | `[]`    |
+| `httpAndHttps.endpoints`         | Endpoint addresses list                                                                                                                                                                                           | `[]`    |
-| `whitelistHTTP`                  | Secure HTTP by enabling  client networks whitelisting                                                                                            | `false` |
+| `whitelistHTTP`                  | Secure HTTP by enabling  client networks whitelisting                                                                                                                                                             | `false` |
-| `whitelist`                      | List of client networks                                                                                                                          | `[]`    |
+| `whitelist`                      | List of client networks                                                                                                                                                                                           | `[]`    |
-| `resources`                      | Resources                                                                                                                                        | `{}`    |
+| `resources`                      | Resources                                                                                                                                                                                                         | `{}`    |
-| `resourcesPreset`                | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`  |
+| `resourcesPreset`                | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
--- a/packages/apps/tcp-balancer/values.schema.json
+++ b/packages/apps/tcp-balancer/values.schema.json
@@ -65,7 +65,7 @@
    },
    "resourcesPreset": {
      "type": "string",
-      "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+      "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
      "default": "nano"
    }
  }
--- a/packages/apps/tcp-balancer/values.yaml
+++ b/packages/apps/tcp-balancer/values.yaml
@@ -47,8 +47,12 @@ whitelist: []
 ## @param resources Resources
 resources: {}
 # resources:
-#   cpu: 4000m
+#   limits:
-#   memory: 4Gi
+#     cpu: 4000m
 #     memory: 4Gi
 #   requests:
 #     cpu: 100m
 #     memory: 512Mi
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 resourcesPreset: "nano"
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -12,8 +12,7 @@ clickhouse 0.6.2 8267072d
 clickhouse 0.7.0 93bdf411
 clickhouse 0.9.0 6130f43d
 clickhouse 0.9.2 632224a3
-clickhouse 0.10.0 6358fd7a
+clickhouse 0.10.0 HEAD
 clickhouse 0.10.1 HEAD
 ferretdb 0.1.0 e9716091
 ferretdb 0.1.1 91b0499a
 ferretdb 0.2.0 6c5cf5bf
@@ -24,16 +23,14 @@ ferretdb 0.4.2 8267072d
 ferretdb 0.5.0 93bdf411
 ferretdb 0.6.0 6130f43d
 ferretdb 0.6.1 632224a3
-ferretdb 0.7.0 62cb694d
+ferretdb 0.7.0 HEAD
 ferretdb 0.7.1 HEAD
 http-cache 0.1.0 263e47be
 http-cache 0.2.0 53f2365e
 http-cache 0.3.0 6c5cf5bf
 http-cache 0.3.1 0f312d5c
 http-cache 0.4.0 93bdf411
 http-cache 0.5.0 6130f43d
-http-cache 0.5.1 62cb694d
+http-cache 0.5.1 HEAD
 http-cache 0.5.2 HEAD
 kafka 0.1.0 f7eaab0a
 kafka 0.2.0 c0685f43
 kafka 0.2.1 dfbc210b
@@ -47,10 +44,9 @@ kafka 0.4.0 85ec09b8
 kafka 0.5.0 93bdf411
 kafka 0.6.0 6130f43d
 kafka 0.6.1 632224a3
-kafka 0.7.0 6358fd7a
+kafka 0.7.0 HEAD
 kafka 0.7.1 HEAD
 kubernetes 0.24.0 62cb694d
-kubernetes 0.24.2 HEAD
+kubernetes 0.24.1 HEAD
 mysql 0.1.0 263e47be
 mysql 0.2.0 c24a103f
 mysql 0.3.0 53f2365e
@@ -62,8 +58,7 @@ mysql 0.5.3 8267072d
 mysql 0.6.0 93bdf411
 mysql 0.7.0 6130f43d
 mysql 0.7.1 632224a3
-mysql 0.8.0 62cb694d
+mysql 0.8.0 HEAD
 mysql 0.8.1 HEAD
 nats 0.1.0 e9716091
 nats 0.2.0 6c5cf5bf
 nats 0.3.0 78366f19
@@ -73,8 +68,7 @@ nats 0.4.1 8267072d
 nats 0.5.0 93bdf411
 nats 0.6.0 6130f43d
 nats 0.6.1 632224a3
-nats 0.7.0 62cb694d
+nats 0.7.0 HEAD
 nats 0.7.1 HEAD
 postgres 0.1.0 263e47be
 postgres 0.2.0 53f2365e
 postgres 0.2.1 d7cfa53c
@@ -94,7 +88,7 @@ postgres 0.11.0 f9f8bb2f
 postgres 0.12.0 6130f43d
 postgres 0.12.1 632224a3
 postgres 0.14.0 62cb694d
-postgres 0.15.1 HEAD
+postgres 0.14.1 HEAD
 rabbitmq 0.1.0 263e47be
 rabbitmq 0.2.0 53f2365e
 rabbitmq 0.3.0 6c5cf5bf
@@ -105,8 +99,7 @@ rabbitmq 0.4.3 1ec10165
 rabbitmq 0.4.4 8267072d
 rabbitmq 0.5.0 93bdf411
 rabbitmq 0.6.0 632224a3
-rabbitmq 0.7.0 62cb694d
+rabbitmq 0.7.0 HEAD
 rabbitmq 0.7.1 HEAD
 redis 0.1.1 263e47be
 redis 0.2.0 53f2365e
 redis 0.3.0 6c5cf5bf
@@ -116,14 +109,12 @@ redis 0.5.0 4e68e65c
 redis 0.6.0 93bdf411
 redis 0.7.0 6130f43d
 redis 0.7.1 632224a3
-redis 0.8.0 62cb694d
+redis 0.8.0 HEAD
 redis 0.8.1 HEAD
 tcp-balancer 0.1.0 263e47be
 tcp-balancer 0.2.0 53f2365e
 tcp-balancer 0.3.0 93bdf411
 tcp-balancer 0.4.0 6130f43d
-tcp-balancer 0.4.1 62cb694d
+tcp-balancer 0.4.1 HEAD
 tcp-balancer 0.4.2 HEAD
 tenant 1.10.0 HEAD
 virtual-machine 0.1.4 f2015d65
 virtual-machine 0.1.5 263e47be
@@ -164,5 +155,4 @@ vpn 0.3.1 1ec10165
 vpn 0.4.0 93bdf411
 vpn 0.5.0 6130f43d
 vpn 0.5.1 632224a3
-vpn 0.6.1 62cb694d
+vpn 0.6.1 HEAD
 vpn 0.6.2 HEAD
--- a/packages/apps/vpn/Chart.yaml
+++ b/packages/apps/vpn/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.2
+version: 0.6.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/vpn/README.md
+++ b/packages/apps/vpn/README.md
@@ -22,10 +22,10 @@ The VPN Service is powered by the Outline Server, an advanced and user-friendly
 ### Configuration parameters
-| Name              | Description                                                                                                                                      | Value  |
+| Name              | Description                                                                                                                                                                                                       | Value  |
-| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------ |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| `host`            | Host used to substitute into generated URLs                                                                                                      | `""`   |
+| `host`            | Host used to substitute into generated URLs                                                                                                                                                                       | `""`   |
-| `users`           | Users configuration                                                                                                                              | `{}`   |
+| `users`           | Users configuration                                                                                                                                                                                               | `{}`   |
-| `externalIPs`     | List of externalIPs for service.                                                                                                                 | `[]`   |
+| `externalIPs`     | List of externalIPs for service.                                                                                                                                                                                  | `[]`   |
-| `resources`       | Resources                                                                                                                                        | `{}`   |
+| `resources`       | Resources                                                                                                                                                                                                         | `{}`   |
-| `resourcesPreset` | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano` |
+| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` |
--- a/packages/apps/vpn/values.schema.json
+++ b/packages/apps/vpn/values.schema.json
@@ -32,7 +32,7 @@
        },
        "resourcesPreset": {
            "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
+            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
            "default": "nano"
        }
    }
--- a/packages/apps/vpn/values.yaml
+++ b/packages/apps/vpn/values.yaml
@@ -33,8 +33,12 @@ externalIPs: []
 ## @param resources Resources
 resources: {}
 # resources:
-#   cpu: 4000m
+#   limits:
-#   memory: 4Gi
+#     cpu: 4000m
 #     memory: 4Gi
 #   requests:
 #     cpu: 100m
 #     memory: 512Mi
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 resourcesPreset: "nano"
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.32.1@sha256:9eb11a1c396d63e4235f398f5f01ec6aedea2316d6a7a9294d88191d25af309c
+  image: ghcr.io/cozystack/cozystack/installer:v0.32.0@sha256:981f1a073fa654f878e448ea89ef324f50d2479f27d3228449e8b66fda7c567f
--- a/packages/core/testing/Makefile
+++ b/packages/core/testing/Makefile
@@ -32,23 +32,21 @@ image-e2e-sandbox:
 test: test-cluster test-apps ## Run the end-to-end tests in existing sandbox
-copy-nocloud-image:
+prepare-cluster:
 	docker cp ../../../_out/assets/nocloud-amd64.raw.xz "${SANDBOX_NAME}":/workspace/_out/assets/nocloud-amd64.raw.xz
 copy-installer-manifest:
 	docker cp ../../../_out/assets/cozystack-installer.yaml "${SANDBOX_NAME}":/workspace/_out/assets/cozystack-installer.yaml
-
+	docker cp ../../../_out/assets/nocloud-amd64.raw.xz "${SANDBOX_NAME}":/workspace/_out/assets/nocloud-amd64.raw.xz
 prepare-cluster: copy-nocloud-image
 	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-prepare-cluster.bats'
-install-cozystack: copy-installer-manifest
+install-cozystack:
 	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-install-cozystack.bats'
-test-cluster: copy-nocloud-image copy-installer-manifest ## Run the end-to-end for creating a cluster
+test-cluster: ## Run the end-to-end for creating a cluster
 	docker cp ../../../_out/assets/cozystack-installer.yaml "${SANDBOX_NAME}":/workspace/_out/assets/cozystack-installer.yaml
 	docker cp ../../../_out/assets/nocloud-amd64.raw.xz "${SANDBOX_NAME}":/workspace/_out/assets/nocloud-amd64.raw.xz
 	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-cluster.bats'
-test-apps-%:
+test-apps: ## Run the end-to-end tests for apps
-	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-apps/$*.bats'
+	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-apps.bats'
 delete: ## Remove sandbox from existing Kubernetes cluster.
 	docker rm -f "${SANDBOX_NAME}" || true
--- a/packages/core/testing/images/e2e-sandbox/Dockerfile
+++ b/packages/core/testing/images/e2e-sandbox/Dockerfile
@@ -1,9 +1,8 @@
 FROM ubuntu:22.04
-ARG KUBECTL_VERSION=1.33.2
+ARG KUBECTL_VERSION=1.32.0
-ARG TALOSCTL_VERSION=1.10.4
+ARG TALOSCTL_VERSION=1.9.5
-ARG HELM_VERSION=3.18.3
+ARG HELM_VERSION=3.16.4
 ARG COZYPKG_VERSION=1.1.0
 ARG TARGETOS
 ARG TARGETARCH
@@ -18,4 +17,5 @@ RUN curl -sSL "https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm
 RUN curl -sSL "https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_${TARGETOS}_${TARGETARCH}" -o /usr/local/bin/yq \
 && chmod +x /usr/local/bin/yq
 RUN curl -sSL "https://fluxcd.io/install.sh" | bash
-RUN curl -sSL "https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh" | sh -s -- -v "${COZYPKG_VERSION}"
+RUN curl -sSL "https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh" | sh -s
 RUN curl -sSL "https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh" | sh -s -- -v 1.1.0
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.32.1@sha256:b15f85e58be54529d74ab7056d5d47960944abde28f14611e88156989a19c789
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.32.0@sha256:454d5a01c30685ca451a6cd42bda5f4c1d80195642f9dd8ccf09369932ebb531
--- a/packages/extra/bootbox/images/matchbox.tag
+++ b/packages/extra/bootbox/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.32.1@sha256:a01a26c4fa437bb2082c9d242661cddb0a8ce98a2ee66858a971f141bbe0fd35
+ghcr.io/cozystack/cozystack/matchbox:v0.32.0@sha256:1c5173f0c368dd14e29dae95c3d576574af63c226b6f554c78d05c5f160084b5
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:b9041dd66226dbe2265be5942c4c8e356aa179de699f732042e1321c8a5b1406
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:17c867e1576da57bdee58142fa2b5d5fe5e5acb0a79322fbb0fb6e8723fad0d2
--- a/packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: cozy-proxy
 description: A simple kube-proxy addon for 1:1 NAT services in Kubernetes using an NFT backend
 type: application
-version: 0.2.0
+version: 0.1.3
-appVersion: 0.2.0
+appVersion: 0.1.3
--- a/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml
@@ -1,6 +1,6 @@
 image:
  repository: ghcr.io/cozystack/cozystack/cozy-proxy
-  tag: v0.2.0
+  tag: v0.1.4
  pullPolicy: IfNotPresent
 daemonset:
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.32.1@sha256:d9bee0e9f73a950784e43d907552c21044d01eed728e1185455308e49d00c00d
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.32.0@sha256:d9bee0e9f73a950784e43d907552c21044d01eed728e1185455308e49d00c00d
--- a/packages/system/cozystack-controller/values.yaml
+++ b/packages/system/cozystack-controller/values.yaml
@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.32.1@sha256:9913b863553f329a4a029210fa21b3ae2a4a89cc55102c2c62c0ff217a7e27a7
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.32.0@sha256:a1fceb277007846bc85ceee0afd1f5d1122496174203c718c1275a1038cb07f6
  debug: false
  disableTelemetry: false
-  cozystackVersion: "v0.32.1"
+  cozystackVersion: "v0.32.0"
--- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
@@ -76,7 +76,7 @@ data:
      "kubeappsNamespace": {{ .Release.Namespace | quote }},
      "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
      "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.32.1",
+      "appVersion": "v0.32.0",
      "authProxyEnabled": {{ .Values.authProxy.enabled }},
      "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
      "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -19,7 +19,7 @@ kubeapps:
    image:
      registry: ghcr.io/cozystack/cozystack
      repository: dashboard
-      tag: v0.32.1
+      tag: v0.32.0
      digest: "sha256:5e514516bd3dc0c693bb346ddeb9740e0439a59deb2a56b87317286e3ce79ac9"
  redis:
    master:
@@ -37,8 +37,8 @@ kubeapps:
    image:
      registry: ghcr.io/cozystack/cozystack
      repository: kubeapps-apis
-      tag: v0.32.1
+      tag: v0.32.0
-      digest: "sha256:27a82a08a522b3521036ec50d2731a8dc0199a398c62029a78eb2f8235f31c86"
+      digest: "sha256:8ab96c9cd4f0c5452565f2ca1b7e1b644b112e534dd31c0fcef623ec3054d21e"
    pluginConfig:
      flux:
        packages:
--- a/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml
+++ b/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml
@@ -8,7 +8,7 @@ annotations:
    - name: Upstream Project
      url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.23.0
+appVersion: v0.22.0
 description: 'A Helm chart for deploying the Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.23.0
+version: 0.22.0
--- a/packages/system/fluxcd-operator/charts/flux-operator/README.md
+++ b/packages/system/fluxcd-operator/charts/flux-operator/README.md
@@ -1,6 +1,6 @@
 # flux-operator
-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.23.0](https://img.shields.io/badge/AppVersion-v0.23.0-informational?style=flat-square)
+![Version: 0.22.0](https://img.shields.io/badge/Version-0.22.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.22.0](https://img.shields.io/badge/AppVersion-v0.22.0-informational?style=flat-square)
 The [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator) provides a
 declarative API for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the
--- a/packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml
+++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.1
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/instance: '{{ .Release.Name }}'
@@ -69,9 +69,7 @@ spec:
                      Defaults to 'cluster.local'.
                    type: string
                  multitenant:
-                    default: false
+                    description: Multitenant enables the multitenancy lockdown.
                    description: Multitenant enables the multitenancy lockdown. Defaults
                      to false.
                    type: boolean
                  networkPolicy:
                    default: true
@@ -79,12 +77,6 @@ spec:
                      NetworkPolicy restricts network access to the current namespace.
                      Defaults to true.
                    type: boolean
                  objectLevelWorkloadIdentity:
                    description: |-
                      ObjectLevelWorkloadIdentity enables the feature gate
                      required for object-level workload identity.
                      This feature is only available in Flux v2.6.0 and later.
                    type: boolean
                  tenantDefaultServiceAccount:
                    description: |-
                      TenantDefaultServiceAccount is the name of the service account
@@ -103,6 +95,9 @@ spec:
                    - azure
                    - gcp
                    type: string
                required:
                - domain
                - networkPolicy
                type: object
              commonMetadata:
                description: |-
@@ -124,7 +119,7 @@ spec:
              components:
                description: |-
                  Components is the list of controllers to install.
-                  Defaults to a commonly used subset.
+                  Defaults to all controllers.
                items:
                  description: Component is the name of a controller to install.
                  enum:
@@ -255,16 +250,6 @@ spec:
                      type: string
                    minItems: 1
                    type: array
                  storage:
                    description: |-
                      Storage defines if the source-controller shards
                      should use an emptyDir or a persistent volume claim for storage.
                      Accepted values are 'ephemeral' or 'persistent', defaults to 'ephemeral'.
                      For 'persistent' to take effect, the '.spec.storage' field must be set.
                    enum:
                    - ephemeral
                    - persistent
                    type: string
                required:
                - shards
                type: object
@@ -511,7 +496,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.1
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/instance: '{{ .Release.Name }}'
@@ -794,7 +779,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.1
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/instance: '{{ .Release.Name }}'
@@ -900,36 +885,7 @@ spec:
                      Limit specifies the maximum number of input sets to return.
                      When not set, the default limit is 100.
                    type: integer
                  semver:
                    description: Semver specifies the semantic version range to filter
                      and order the tags.
                    type: string
                type: object
              schedule:
                description: Schedule defines the schedules for the input provider
                  to run.
                items:
                  description: Schedule defines a schedule for something to run.
                  properties:
                    cron:
                      description: Cron specifies the cron expression for the schedule.
                      type: string
                    timeZone:
                      default: UTC
                      description: TimeZone specifies the time zone for the cron schedule.
                        Defaults to UTC.
                      type: string
                    window:
                      default: 0s
                      description: |-
                        Window defines the time window during which the execution is allowed.
                        Defaults to 0s, meaning no window is applied.
                      pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
                      type: string
                  required:
                  - cron
                  type: object
                type: array
              secretRef:
                description: |-
                  SecretRef specifies the Kubernetes Secret containing the basic-auth credentials
@@ -961,10 +917,8 @@ spec:
                enum:
                - Static
                - GitHubBranch
                - GitHubTag
                - GitHubPullRequest
                - GitLabBranch
                - GitLabTag
                - GitLabMergeRequest
                type: string
              url:
@@ -1057,45 +1011,12 @@ spec:
                  LastExportedRevision is the digest of the
                  inputs that were last reconcile.
                type: string
              lastHandledForceAt:
                description: |-
                  LastHandledForceAt holds the value of the most recent
                  force request value, so a change of the annotation value
                  can be detected.
                type: string
              lastHandledReconcileAt:
                description: |-
                  LastHandledReconcileAt holds the value of the most recent
                  reconcile request value, so a change of the annotation value
                  can be detected.
                type: string
              nextSchedule:
                description: NextSchedule is the next schedule when the input provider
                  will run.
                properties:
                  cron:
                    description: Cron specifies the cron expression for the schedule.
                    type: string
                  timeZone:
                    default: UTC
                    description: TimeZone specifies the time zone for the cron schedule.
                      Defaults to UTC.
                    type: string
                  when:
                    description: When is the next time the schedule will run.
                    format: date-time
                    type: string
                  window:
                    default: 0s
                    description: |-
                      Window defines the time window during which the execution is allowed.
                      Defaults to 0s, meaning no window is applied.
                    pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
                    type: string
                required:
                - cron
                - when
                type: object
            type: object
        type: object
    served: true
@@ -1107,7 +1028,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.16.1
    helm.sh/resource-policy: keep
  labels:
    app.kubernetes.io/instance: '{{ .Release.Name }}'
@@ -1230,9 +1151,6 @@ spec:
                  When set, the inputs are fetched from the providers and concatenated
                  with the in-line inputs defined in the ResourceSet.
                items:
                  description: |-
                    InputProviderReference defines a reference to an input provider resource
                    in the same namespace as the ResourceSet.
                  properties:
                    apiVersion:
                      description: |-
--- a/packages/system/fluxcd/charts/flux-instance/Chart.yaml
+++ b/packages/system/fluxcd/charts/flux-instance/Chart.yaml
@@ -8,7 +8,7 @@ annotations:
    - name: Upstream Project
      url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.23.0
+appVersion: v0.22.0
 description: 'A Helm chart for deploying a Flux instance managed by Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.23.0
+version: 0.22.0
--- a/packages/system/fluxcd/charts/flux-instance/README.md
+++ b/packages/system/fluxcd/charts/flux-instance/README.md
@@ -1,6 +1,6 @@
 # flux-instance
-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.23.0](https://img.shields.io/badge/AppVersion-v0.23.0-informational?style=flat-square)
+![Version: 0.22.0](https://img.shields.io/badge/Version-0.22.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.22.0](https://img.shields.io/badge/AppVersion-v0.22.0-informational?style=flat-square)
 This chart is a thin wrapper around the `FluxInstance` custom resource, which is
 used by the [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator)
--- a/packages/system/kafka-operator/Makefile
+++ b/packages/system/kafka-operator/Makefile
@@ -5,4 +5,4 @@ include ../../../scripts/package.mk
 update:
 	rm -rf charts
-	helm pull oci://quay.io/strimzi-helm/strimzi-kafka-operator --untar --untardir charts --version 0.45.1-rc1
+	helm pull oci://quay.io/strimzi-helm/strimzi-kafka-operator --untar --untardir charts
--- a/packages/system/kafka-operator/charts/strimzi-kafka-operator/Chart.yaml
+++ b/packages/system/kafka-operator/charts/strimzi-kafka-operator/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.45.1-rc1
+appVersion: 0.45.0
 description: 'Strimzi: Apache Kafka running on Kubernetes'
 home: https://strimzi.io/
 icon: https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/documentation/logo/strimzi_logo.png
@@ -24,4 +24,4 @@ maintainers:
 name: strimzi-kafka-operator
 sources:
 - https://github.com/strimzi/strimzi-kafka-operator
-version: 0.45.1-rc1
+version: 0.45.0
--- a/Show More
+++ b/Show More
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/clickhouse-backup:0.10.1@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205`	`ghcr.io/cozystack/cozystack/clickhouse-backup:0.10.0@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/nginx-cache:0.5.2@sha256:e0a07082bb6fc6aeaae2315f335386f1705a646c72f9e0af512aebbca5cb2b15`	`ghcr.io/cozystack/cozystack/nginx-cache:0.5.1@sha256:50ac1581e3100bd6c477a71161cb455a341ffaf9e5e2f6086802e4e25271e8af`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/cluster-autoscaler:0.24.2@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e`	`ghcr.io/cozystack/cozystack/cluster-autoscaler:0.24.0@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.24.2@sha256:b478952fab735f85c3ba15835012b1de8af5578b33a8a2670eaf532ffc17681e`	`ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.24.0@sha256:b478952fab735f85c3ba15835012b1de8af5578b33a8a2670eaf532ffc17681e`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.24.2@sha256:598ab20550dbf495717e8e123e6b626bb36298f88dde851664301d393ac06ca3`	`ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.24.0@sha256:4d3728b2050d4e0adb00b9f4abbb4a020b29e1a39f24ca1447806fc81f110fa6`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/mariadb-backup:0.8.1@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4`	`ghcr.io/cozystack/cozystack/mariadb-backup:0.8.0@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4`
		`@@ -0,0 +1 @@`
							`ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f`
		`@@ -0,0 +1,2 @@`
							`FROM alpine:3.22`
							`RUN apk add --no-cache postgresql17-client uuidgen restic`
`@@ -1,2 +1,2 @@`
	`cozystack:`	`cozystack:`
	`image: ghcr.io/cozystack/cozystack/installer:v0.32.1@sha256:9eb11a1c396d63e4235f398f5f01ec6aedea2316d6a7a9294d88191d25af309c`	`image: ghcr.io/cozystack/cozystack/installer:v0.32.0@sha256:981f1a073fa654f878e448ea89ef324f50d2479f27d3228449e8b66fda7c567f`
`@@ -1,2 +1,2 @@`
	`e2e:`	`e2e:`
	`image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.32.1@sha256:b15f85e58be54529d74ab7056d5d47960944abde28f14611e88156989a19c789`	`image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.32.0@sha256:454d5a01c30685ca451a6cd42bda5f4c1d80195642f9dd8ccf09369932ebb531`