Fix kubeovn-webhook certs

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-05 08:17:59 +00:00 · 2025-03-13 13:28:45 +01:00
40 changed files with 79 additions and 111 deletions
--- a/manifests/cozystack-installer.yaml
+++ b/manifests/cozystack-installer.yaml
@@ -5,7 +5,6 @@ kind: Namespace
 metadata:
  name: cozy-system
  labels:
-    cozystack.io/system: "true"
    pod-security.kubernetes.io/enforce: privileged
 ---
 # Source: cozy-installer/templates/cozystack.yaml
@@ -69,7 +68,7 @@ spec:
      serviceAccountName: cozystack
      containers:
      - name: cozystack
-        image: "ghcr.io/cozystack/cozystack/installer:v0.28.2"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.27.0"
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: localhost
@@ -88,7 +87,7 @@ spec:
            fieldRef:
              fieldPath: metadata.name
      - name: assets
-        image: "ghcr.io/cozystack/cozystack/installer:v0.28.2"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.27.0"
        command:
        - /usr/bin/cozystack-assets-server
        - "-dir=/cozystack/assets"
--- a/packages/apps/clickhouse/images/clickhouse-backup.tag
+++ b/packages/apps/clickhouse/images/clickhouse-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/clickhouse-backup:0.6.2@sha256:67dd53efa86b704fc5cb876aca055fef294b31ab67899b683a4821ea12582ea7
+ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.2@sha256:7a99cabdfd541f863aa5d1b2f7b49afd39838fb94c8448986634a1dc9050751c
--- a/packages/apps/ferretdb/images/postgres-backup.tag
+++ b/packages/apps/ferretdb/images/postgres-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.9.0@sha256:2b6ba87f5688a439bd2ac12835a5ab9e601feb15c0c44ed0d9ca48cec7c52521
+ghcr.io/aenix-io/cozystack/postgres-backup:0.9.0@sha256:6cc07280c0e2432ed37b2646faf82efe9702c6d93504844744aa505b890cac6f
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.3.1@sha256:2b82eae28239ca0f9968602c69bbb752cd2a5818e64934ccd06cb91d95d019c7
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:72ced2b1d8da2c784d6231af6cb0752170f6ea845c73effb11adb006b7a7fbb2
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.15.2@sha256:ea5cd225dbd1233afe2bfd727b9f90847f198f5d231871141d494d491fdee795
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.2@sha256:077023fc24d466ac18f8d43fec41b9a14c0b3d32c0013e836e7448e7a1e7d661
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.15.2@sha256:de98b18691cbd1e0d7d886c57873c2ecdae7a5ab2e3c4c59f9a24bdc321622a9
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.2@sha256:5ef7198eaaa4e422caa5f3d8f906c908046f1fbaf2d7a1e72b5a98627db3bda8
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.15.2@sha256:fdfa71edcb8a9f537926963fa11ad959fa2a20c08ba757c253b9587e8625b700
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.2@sha256:f862c233399b213e376628ffbb55304f08d171e991371d5bde067b47890cc959
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.30.1@sha256:bc08ea0ced2cb7dd98b26d72a9462fc0a3863adb908a5effbfcdf7227656ea65
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:7ce5467b8f34ef7897141b0ca96c455459c2729cae5824a2c20f32b01a841f90
--- a/packages/apps/mysql/images/mariadb-backup.tag
+++ b/packages/apps/mysql/images/mariadb-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/mariadb-backup:0.5.3@sha256:8ca1fb01e880d351ee7d984a0b437c1142836963cd079986156ed28750067138
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.3@sha256:89641695e0c1f4ad7b82697c27a2245bb4a1bc403845235ed0df98e04aa9a71f
--- a/packages/apps/postgres/images/postgres-backup.tag
+++ b/packages/apps/postgres/images/postgres-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.9.0@sha256:2b6ba87f5688a439bd2ac12835a5ab9e601feb15c0c44ed0d9ca48cec7c52521
+ghcr.io/aenix-io/cozystack/postgres-backup:0.9.0@sha256:6cc07280c0e2432ed37b2646faf82efe9702c6d93504844744aa505b890cac6f
--- a/packages/apps/tenant/README.md
+++ b/packages/apps/tenant/README.md
@@ -57,5 +57,5 @@ tenant-u1
 | `monitoring`     | Deploy own Monitoring Stack                                                                                                 | `false` |
 | `ingress`        | Deploy own Ingress Controller                                                                                               | `false` |
 | `seaweedfs`      | Deploy own SeaweedFS                                                                                                        | `false` |
-| `isolated`       | Enforce tenant namespace with network policies                                                                              | `true`  |
+| `isolated`       | Enforce tenant namespace with network policies                                                                              | `false` |
 | `resourceQuotas` | Define resource quotas for the tenant                                                                                       | `{}`    |
--- a/packages/apps/tenant/values.schema.json
+++ b/packages/apps/tenant/values.schema.json
@@ -30,7 +30,7 @@
        "isolated": {
            "type": "boolean",
            "description": "Enforce tenant namespace with network policies",
-            "default": true
+            "default": false
        },
        "resourceQuotas": {
            "type": "object",
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -48,7 +48,7 @@ kubernetes 0.13.0 ced8e5b9
 kubernetes 0.14.0 bfbde07c
 kubernetes 0.14.1 fde4bcfa
 kubernetes 0.15.0 cb7b8158
-kubernetes 0.15.1 43e593c7
+kubernetes 0.15.1 77df31e1
 kubernetes 0.15.2 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
@@ -113,7 +113,7 @@ tenant 1.6.6 d4634797
 tenant 1.6.7 06afcf27
 tenant 1.6.8 4cc48e6f
 tenant 1.7.0 6c73e3f3
-tenant 1.8.0 e2369ba
+tenant 1.8.0 46f0bb20
 tenant 1.9.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
@@ -122,7 +122,6 @@ virtual-machine 0.3.0 b908400
 virtual-machine 0.4.0 4746d51
 virtual-machine 0.5.0 cad9cde
 virtual-machine 0.6.0 0e728870
-virtual-machine 0.6.1 af58018a
 virtual-machine 0.7.0 af58018a
 virtual-machine 0.7.1 05857b95
 virtual-machine 0.8.0 3fa4dd3
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -36,7 +36,7 @@ image-cozystack: run-builder
 		--push=$(PUSH) \
 		--label "org.opencontainers.image.source=https://github.com/cozystack/cozystack" \
 		--load=$(LOAD)
-	IMAGE="$(REGISTRY)/installer:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/installer.json -o json -r)" \
+	IMAGE="$(REGISTRY)/cozystack:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/installer.json -o json -r)" \
 		yq -i '.cozystack.image = strenv(IMAGE)' values.yaml
 	rm -f images/installer.json

--- a/packages/core/installer/templates/cozystack.yaml
+++ b/packages/core/installer/templates/cozystack.yaml
@@ -4,7 +4,6 @@ kind: Namespace
 metadata:
  name: cozy-system
  labels:
-    cozystack.io/system: "true"
    pod-security.kubernetes.io/enforce: privileged
 ---
 apiVersion: v1
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.28.2@sha256:f13bad3220695e206ed5142228f37bd3afa49db2913a1fd52ab91f809c3a017b
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.27.0@sha256:aac04571e99e13653f08e6ccc2b2214032455af547f9a887d01f1483e30d2915
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -205,7 +205,7 @@ releases:
  releaseName: piraeus-operator
  chart: cozy-piraeus-operator
  namespace: cozy-linstor
-  dependsOn: [cilium,kubeovn,cert-manager,victoria-metrics-operator]
+  dependsOn: [cilium,kubeovn,cert-manager]

 - name: linstor
  releaseName: linstor
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.28.2@sha256:bb5e8f5d92e2e4305ea1cc7f007b3e98769645ab845f632b4788b9373cd207eb
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.27.0@sha256:1380b550c37c7316d924c9827122eb6fbb8e7da9aad8014f90b010b40f6c744d
--- a/packages/extra/bootbox/images/matchbox.tag
+++ b/packages/extra/bootbox/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.28.2@sha256:d63d18eb6f10dc298339523f9bbf22127a874b340111df129028a83e3ea94fef
+ghcr.io/aenix-io/cozystack/matchbox:v0.27.0@sha256:ef53e59943706fd9bce33b021b11ef469b44f97a184661f7ac24eb5f1b57fe9e
--- a/packages/extra/monitoring/images/grafana.tag
+++ b/packages/extra/monitoring/images/grafana.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/grafana:1.9.0@sha256:a492931b49af55ad184b485bcd7ea06f1334722d2184702d9f6f2e4123032357
+ghcr.io/aenix-io/cozystack/grafana:1.8.1@sha256:0377abd3cb2c6e27b12ac297f1859aa4d550f1aa14989f824f2315d0dfd1a5b2
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:6965cf844afc34950bdcbd626cb8751a0556c87aa6dbaa20150ec6d5f0c428b5
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:3bf81b4cc5fdd5b99da40a663e15c649b2d992cd933bd56f8bb1bc9dd41a7b11
--- a/packages/system/cilium/values.yaml
+++ b/packages/system/cilium/values.yaml
@@ -11,8 +11,8 @@ cilium:
  ipam:
    mode: "kubernetes"
  image:
-    repository: ghcr.io/cozystack/cozystack/cilium
-    tag: 1.17.1
-    digest: "sha256:bb2ad64dfc01f774b429a96108527740c1f08230cac4b848a4939627dfce7a4a"
+    repository: ghcr.io/aenix-io/cozystack/cilium
+    tag: latest
+    digest: "sha256:a731981fef38429551dabdbc347b0f9af66a9f935bcc861117d63bc6681b3ec0"
  envoy:
    enabled: false
--- a/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml
@@ -1,6 +1,6 @@
 image:
-  repository: ghcr.io/cozystack/cozystack/cozy-proxy
-  tag: v0.1.4
+  repository: ghcr.io/aenix-io/cozystack/cozy-proxy
+  tag: v0.1.3
  pullPolicy: IfNotPresent

 daemonset:
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.28.2@sha256:69b09f1416def58d9f556d80318e35d77fad6287a75d42ad47587b6fde12e5ba
+  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.27.0@sha256:054adb2c2c3b380304e77a3f91428fc1d563d7ed2c1aab5d8ee0c5857b1dde99
--- a/packages/system/cozystack-controller/values.yaml
+++ b/packages/system/cozystack-controller/values.yaml
@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.28.2@sha256:ec3888832affb2cb657774a64a9929aa0d2b5f92b064f7a4dd55540a0d93324e
+  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.27.0@sha256:c97b2517aafdc1e906012c9604c792cb744ff1d3017d7c0c3836808dc308b835
  debug: false
  disableTelemetry: false
-  cozystackVersion: "v0.28.2"
+  cozystackVersion: "v0.27.0"
--- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
@@ -76,7 +76,7 @@ data:
      "kubeappsNamespace": {{ .Release.Namespace | quote }},
      "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
      "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.28.2",
+      "appVersion": "v0.27.0",
      "authProxyEnabled": {{ .Values.authProxy.enabled }},
      "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
      "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -16,16 +16,16 @@ kubeapps:
      enabled: true
  dashboard:
    image:
-      registry: ghcr.io/cozystack/cozystack
+      registry: ghcr.io/aenix-io/cozystack
      repository: dashboard
-      tag: v0.28.2
-      digest: "sha256:ebef6a0c4b0c9f0857fc82699abcaa7a135d18b5dafe129febc0bf90707f2f48"
+      tag: v0.27.0
+      digest: "sha256:a363361571a7740c8544ecc22745e426ad051068a6bbe62d7e7d5e91df4d988e"
  kubeappsapis:
    image:
-      registry: ghcr.io/cozystack/cozystack
+      registry: ghcr.io/aenix-io/cozystack
      repository: kubeapps-apis
-      tag: v0.28.2
-      digest: "sha256:54ca0e1381a5a42201ab7fa5c08eaa54c88491375773a3fb842bb9c09a252b97"
+      tag: v0.27.0
+      digest: "sha256:dcffdd5a02433a4caec7b5e9753847cbeb05f2004146c38ec7cee44d02179423"
    pluginConfig:
      flux:
        packages:
--- a/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml
@@ -1,9 +1,9 @@
 annotations:
  artifacthub.io/changes: |
-    - Update Ingress-Nginx version controller-v1.11.2
+    - Update Ingress-Nginx version controller-v1.11.1
  artifacthub.io/prerelease: "false"
 apiVersion: v2
-appVersion: 1.11.2
+appVersion: 1.11.1
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
  load balancer
 home: https://github.com/kubernetes/ingress-nginx
@@ -22,4 +22,4 @@ maintainers:
 name: ingress-nginx
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 4.11.2
+version: 4.11.1
--- a/packages/system/ingress-nginx/charts/ingress-nginx/README.md
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/README.md
@@ -2,7 +2,7 @@

 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

-![Version: 4.11.2](https://img.shields.io/badge/Version-4.11.2-informational?style=flat-square) ![AppVersion: 1.11.2](https://img.shields.io/badge/AppVersion-1.11.2-informational?style=flat-square)
+![Version: 4.11.1](https://img.shields.io/badge/Version-4.11.1-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square)

 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.

@@ -253,11 +253,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
-| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3"` |  |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` |  |
-| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.3"` |  |
+| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.1"` |  |
 | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
 | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
@@ -325,8 +325,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `false` |  |
 | controller.image.chroot | bool | `false` |  |
-| controller.image.digest | string | `"sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce"` |  |
-| controller.image.digestChroot | string | `"sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8"` |  |
+| controller.image.digest | string | `"sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a"` |  |
+| controller.image.digestChroot | string | `"sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.image.readOnlyRootFilesystem | bool | `false` |  |
@@ -334,7 +334,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.image.runAsNonRoot | bool | `true` |  |
 | controller.image.runAsUser | int | `101` |  |
 | controller.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| controller.image.tag | string | `"v1.11.2"` |  |
+| controller.image.tag | string | `"v1.11.1"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
@@ -400,11 +400,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
 | controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | controller.opentelemetry.enabled | bool | `false` |  |
-| controller.opentelemetry.image.digest | string | `"sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922"` |  |
+| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` |  |
 | controller.opentelemetry.image.distroless | bool | `true` |  |
-| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry-1.25.3"` |  |
+| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` |  |
 | controller.opentelemetry.image.registry | string | `"registry.k8s.io"` |  |
-| controller.opentelemetry.image.tag | string | `"v20240813-b933310d"` |  |
+| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` |  |
 | controller.opentelemetry.name | string | `"opentelemetry"` |  |
 | controller.opentelemetry.resources | object | `{}` |  |
 | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl
@@ -244,6 +244,15 @@ Return the appropriate apiGroup for PodSecurityPolicy.
 {{- end -}}
 {{- end -}}

+{{/*
+Check the ingress controller version tag is at most three versions behind the last release
+*/}}
+{{- define "isControllerTagValid" -}}
+{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}}
+{{- fail "Controller container image tag should be 0.27.0 or higher" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Extra modules.
 */}}
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -1,4 +1,5 @@
 {{- if eq .Values.controller.kind "DaemonSet" -}}
+{{- include  "isControllerTagValid" . -}}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -1,4 +1,5 @@
 {{- if eq .Values.controller.kind "Deployment" -}}
+{{- include  "isControllerTagValid" . -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
--- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml
@@ -138,13 +138,3 @@ tests:
                        values:
                          - controller
                  topologyKey: kubernetes.io/hostname
-
-  - it: should create a DaemonSet with a custom tag if `controller.image.tag` is set
-    set:
-      controller.kind: DaemonSet
-      controller.image.tag: my-little-custom-tag
-      controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: registry.k8s.io/ingress-nginx/controller:my-little-custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
--- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml
@@ -160,12 +160,3 @@ tests:
                        values:
                          - controller
                  topologyKey: kubernetes.io/hostname
-
-  - it: should create a Deployment with a custom tag if `controller.image.tag` is set
-    set:
-      controller.image.tag: my-little-custom-tag
-      controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: registry.k8s.io/ingress-nginx/controller:my-little-custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
--- a/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml
@@ -26,9 +26,9 @@ controller:
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
-    tag: "v1.11.2"
-    digest: sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
-    digestChroot: sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8
+    tag: "v1.11.1"
+    digest: sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a
+    digestChroot: sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d
    pullPolicy: IfNotPresent
    runAsNonRoot: true
    # www-data -> uid 101
@@ -706,12 +706,12 @@ controller:
    name: opentelemetry
    image:
      registry: registry.k8s.io
-      image: ingress-nginx/opentelemetry-1.25.3
+      image: ingress-nginx/opentelemetry
      ## for backwards compatibility consider setting the full image url via the repository value below
      ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
      ## repository:
-      tag: v20240813-b933310d
-      digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922
+      tag: "v20230721-3e2062ee5"
+      digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
      distroless: true
    containerSecurityContext:
      runAsNonRoot: true
@@ -804,8 +804,8 @@ controller:
        ## for backwards compatibility consider setting the full image url via the repository value below
        ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
        ## repository:
-        tag: v1.4.3
-        digest: sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3
+        tag: v1.4.1
+        digest: sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366
        pullPolicy: IfNotPresent
      # -- Provide a priority class name to the webhook patching job
      ##
--- a/packages/system/ingress-nginx/values.yaml
+++ b/packages/system/ingress-nginx/values.yaml
@@ -4,9 +4,9 @@ ingress-nginx:
      enable-ssl-passthrough: ""
    image:
      registry: ghcr.io
-      image: cozystack/ingress-nginx-with-protobuf-exporter/controller
+      image: kvaps/ingress-nginx-with-protobuf-exporter/controller
      tag: v1.11.2
-      digest: sha256:beba8869ee370599e1f26557a9669ebdc9481c07b34059f348eb3e17b647e7e0
+      digest: sha256:e80856ece4e30e9646d65c8d92c25a3446a0bba1c2468cd026f17df9e60d2c0f
    allowSnippetAnnotations: true
    replicaCount: 2
    admissionWebhooks:
@@ -16,17 +16,10 @@ ingress-nginx:
      enabled: true
    extraContainers:
    - name: protobuf-exporter
-      image: ghcr.io/kvaps/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.2@sha256:6d9235a9ee6f2be1921db4687afbdcd85d145b087dd916b5a96455bdb5cff560
+      image: ghcr.io/kvaps/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.2@sha256:25ed6a5f508bbc59134ad786f1e765d1c2187742075a4e828d68ef3f07a78e52
      args:
      - --server.telemetry-address=0.0.0.0:9090
      - --server.exporter-address=0.0.0.0:9091
-      resources:
-        limits:
-          cpu: 100m
-          memory: 90Mi
-        requests:
-          cpu: 100m
-          memory: 90Mi
    service:
      #type: NodePort # ClusterIP
      externalTrafficPolicy: "Local"
@@ -47,22 +40,8 @@ ingress-nginx:
      upstream-keepalive-timeout: "60"
      upstream-keepalive-connections: "320"
      ssl-session-tickets: "true"
-    resources:
-      limits:
-        cpu: "1"
-        memory: 2048Mi
-      requests:
-        cpu: 100m
-        memory: 90Mi
+

  defaultBackend:
    ##
    enabled: true
-    resources:
-      limits:
-        cpu: 10m
-        memory: 20Mi
-      requests:
-        cpu: 10m
-        memory: 20Mi
-
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,8 +3,8 @@ kamaji:
    deploy: false
  image:
    pullPolicy: IfNotPresent
-    tag: v0.28.2@sha256:20fda048d6097b59bdb4d2b036d2890ca85f1ba1ec7051182831e4559edfa226
-    repository: ghcr.io/cozystack/cozystack/kamaji
+    tag: v0.27.0@sha256:686348fc4a496ec76aac7d6af9e59e67d5d29af95dd73427054c0019ffc045e6
+    repository: ghcr.io/aenix-io/cozystack/kamaji
  resources:
    limits:
      cpu: 200m
--- a/packages/system/kubeovn-webhook/values.yaml
+++ b/packages/system/kubeovn-webhook/values.yaml
@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.28.2@sha256:587f25f7005d68f2e46f1fc135b35eabdb5bc43c7d60f617eb75bd608d876bab
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.28.0@sha256:113776d4ad9c5a21319f984fea4e47132dd18d49d7d5f45f0ccfcf98aa4bdca8
--- a/packages/system/kubeovn/values.yaml
+++ b/packages/system/kubeovn/values.yaml
@@ -18,8 +18,8 @@ kube-ovn:
  DISABLE_MODULES_MANAGEMENT: true
 global:
  registry:
-    address: ghcr.io/cozystack/cozystack
+    address: ghcr.io/aenix-io/cozystack
  images:
    kubeovn:
      repository: kubeovn
-      tag: v1.13.3@sha256:8c4d665b67562286ded1fa796a747c4c621bc59d77f2854615fd66fd572fffcb
+      tag: v1.13.3@sha256:8fbe1444608758f35a0332b0922b3163afa26706eb788dcca4949dad074f44ff
--- a/packages/system/vertical-pod-autoscaler/Makefile
+++ b/packages/system/vertical-pod-autoscaler/Makefile
@@ -1,11 +1,11 @@
-export NAME=vertical-pod-autoscaler
+export NAME=victoria-metrics-operator
 export NAMESPACE=cozy-$(NAME)

 include ../../../scripts/package.mk

 update:
 	rm -rf charts
-	# VirtualPodAutoscaler operator
+	# VictoriaMetrics operator
 	helm repo add cowboysysop https://cowboysysop.github.io/charts/
 	helm repo update cowboysysop
 	helm pull cowboysysop/vertical-pod-autoscaler --untar --untardir charts