Release v0.32.0-beta.1 (#1044)

This PR prepares the release `v0.32.0-beta.1`.

.github/workflows/pull-requests-release.yaml

@@ -16,7 +16,6 @@ jobs:
       contents: read
       packages: write
 
-    # Run only when the PR carries the "release" label and not closed.
     if: |
       contains(github.event.pull_request.labels.*.name, 'release') &&
       github.event.action != 'closed'
@@ -35,6 +34,64 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io
 
+      - name: Extract tag from PR branch
+        id: get_tag
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const branch = context.payload.pull_request.head.ref;
+            const m = branch.match(/^release-(\d+\.\d+\.\d+(?:[-\w\.]+)?)$/);
+            if (!m) {
+              core.setFailed(`❌ Branch '${branch}' does not match 'release-X.Y.Z[-suffix]'`);
+              return;
+            }
+            const tag = `v${m[1]}`;
+            core.setOutput('tag', tag);
+
+      - name: Find draft release and get asset IDs
+        id: fetch_assets
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GH_PAT }}
+          script: |
+            const tag = '${{ steps.get_tag.outputs.tag }}';
+            const releases = await github.rest.repos.listReleases({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              per_page: 100
+            });
+            const draft = releases.data.find(r => r.tag_name === tag && r.draft);
+            if (!draft) {
+              core.setFailed(`Draft release '${tag}' not found`);
+              return;
+            }
+            const findAssetId = (name) =>
+              draft.assets.find(a => a.name === name)?.id;
+            const installerId = findAssetId("cozystack-installer.yaml");
+            const diskId = findAssetId("nocloud-amd64.raw.xz");
+            if (!installerId || !diskId) {
+              core.setFailed("Missing required assets");
+              return;
+            }
+            core.setOutput("installer_id", installerId);
+            core.setOutput("disk_id", diskId);
+      
+      - name: Download assets from GitHub API
+        run: |
+          mkdir -p _out/assets
+          curl -sSL \
+            -H "Authorization: token ${GH_PAT}" \
+            -H "Accept: application/octet-stream" \
+            -o _out/assets/cozystack-installer.yaml \
+            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ steps.fetch_assets.outputs.installer_id }}"
+          curl -sSL \
+            -H "Authorization: token ${GH_PAT}" \
+            -H "Accept: application/octet-stream" \
+            -o _out/assets/nocloud-amd64.raw.xz \
+            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ steps.fetch_assets.outputs.disk_id }}"
+        env:
+          GH_PAT: ${{ secrets.GH_PAT }}
+
       - name: Run tests
         run: make test
 

.github/workflows/pull-requests.yaml

@@ -9,8 +9,8 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  e2e:
-    name: Build and Test
+  build:
+    name: Build
     runs-on: [self-hosted]
     permissions:
       contents: read
@@ -33,9 +33,50 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io
+        env:
+          DOCKER_CONFIG: ${{ runner.temp }}/.docker
 
       - name: Build
         run: make build
+        env:
+          DOCKER_CONFIG: ${{ runner.temp }}/.docker
+
+      - name: Build Talos image
+        run: make -C packages/core/installer talos-nocloud
+     
+      - name: Upload installer
+        uses: actions/upload-artifact@v4
+        with:
+          name: cozystack-installer
+          path: _out/assets/cozystack-installer.yaml
+
+      - name: Upload Talos image
+        uses: actions/upload-artifact@v4
+        with:
+          name: talos-image
+          path: _out/assets/nocloud-amd64.raw.xz
+ 
+  test:
+    name: Test
+    runs-on: [self-hosted]
+    needs: build
+
+    # Never run when the PR carries the "release" label.
+    if: |
+      !contains(github.event.pull_request.labels.*.name, 'release')
+
+    steps:
+      - name: Download installer
+        uses: actions/download-artifact@v4
+        with:
+          name: cozystack-installer
+          path: _out/assets/
+
+      - name: Download Talos image
+        uses: actions/download-artifact@v4
+        with:
+          name: talos-image
+          path: _out/assets/
 
       - name: Test
         run: make test

.github/workflows/tags.yaml

@@ -99,11 +99,15 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io
+        env:
+          DOCKER_CONFIG: ${{ runner.temp }}/.docker
 
       # Build project artifacts
       - name: Build
         if: steps.check_release.outputs.skip == 'false'
         run: make build
+        env:
+          DOCKER_CONFIG: ${{ runner.temp }}/.docker
 
       # Commit built artifacts
       - name: Commit release artifacts

Makefile

@@ -43,7 +43,7 @@ manifests:
 	(cd packages/core/installer/; helm template -n cozy-installer installer .) > _out/assets/cozystack-installer.yaml
 
 assets:
-	make -C packages/core/installer/ assets
+	make -C packages/core/installer assets
 
 test:
 	make -C packages/core/testing apply

cmd/cozystack-controller/main.go

@@ -194,7 +194,15 @@ func main() {
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "Workload")
+		setupLog.Error(err, "unable to create controller", "controller", "TenantHelmReconciler")
+		os.Exit(1)
+	}
+
+	if err = (&controller.CozystackConfigReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "CozystackConfigReconciler")
 		os.Exit(1)
 	}
 

docs/changelogs/v0.31.0.md

@@ -1,39 +1,129 @@
-This is the third release candidate for the upcoming Cozystack v0.31.0 release.
-The release notes show changes accumulated since the release of previous version, Cozystack v0.30.0.
+Cozystack v0.31.0 is a significant release that brings new features, key fixes, and updates to underlying components.
+This version enhances GPU support, improves many components of Cozystack, and introduces a more robust release process to improve stability.
+Below, we'll go over the highlights in each area for current users, developers, and our community.
 
-Cozystack 0.31.0 further advances GPU support, monitoring, and all-around convenience features.
+## Major Features and Improvements
 
-## New Features and Changes
+### GPU support for tenant Kubernetes clusters
 
+Cozystack now integrates NVIDIA GPU Operator support for tenant Kubernetes clusters.
+This enables platform users to run GPU-powered AI/ML applications in their own clusters.
+To enable GPU Operator, set `addons.gpuOperator.enabled: true` in the cluster configuration.
+(@kvaps in https://github.com/cozystack/cozystack/pull/834)
+
+Check out Andrei Kvapil's CNCF webinar [showcasing the GPU support by running Stable Diffusion in Cozystack](https://www.youtube.com/watch?v=S__h_QaoYEk).
+
+<!--
 * [kubernetes] Introduce GPU support for tenant Kubernetes clusters. (@kvaps in https://github.com/cozystack/cozystack/pull/834)
+-->
+
+### Cilium Improvements
+
+Cozystack’s Cilium integration received two significant enhancements.
+First, Gateway API support in Cilium is now enabled, allowing advanced L4/L7 routing features via Kubernetes Gateway API.
+We thank Zdenek Janda @zdenekjanda for contributing this feature in https://github.com/cozystack/cozystack/pull/924.
+
+Second, Cozystack now permits custom user-provided parameters in the tenant cluster’s Cilium configuration.
+(@lllamnyp in https://github.com/cozystack/cozystack/pull/917)
+
+<!--
+* [cilium] Enable Cilium Gateway API. (@zdenekjanda in https://github.com/cozystack/cozystack/pull/924)
+* [cilium] Enable user-added parameters in a tenant cluster Cilium. (@lllamnyp in https://github.com/cozystack/cozystack/pull/917)
+-->
+
+### Cross-Architecture Builds (ARM Support Beta)
+
+Cozystack's build system was refactored to support multi-architecture binaries and container images.
+This paves the road to running Cozystack on ARM64 servers.
+Changes include Makefile improvements (https://github.com/cozystack/cozystack/pull/907)
+and multi-arch Docker image builds (https://github.com/cozystack/cozystack/pull/932 and https://github.com/cozystack/cozystack/pull/970).
+
+We thank Nikita Bykov @nbykov0 for his ongoing work on ARM support!
+
+<!--
+* Introduce support for cross-architecture builds and Cozystack on ARM:
+    * [build] Refactor Makefiles introducing build variables. (@nbykov0 in https://github.com/cozystack/cozystack/pull/907)
+    * [build] Add support for multi-architecture and cross-platform image builds. (@nbykov0 in https://github.com/cozystack/cozystack/pull/932 and https://github.com/cozystack/cozystack/pull/970)
+-->
+
+### VerticalPodAutoscaler (VPA) Expansion
+
+The VerticalPodAutoscaler is now enabled for more Cozystack components to automate resource tuning.
+Specifically, VPA was added for tenant Kubernetes control planes (@klinch0 in https://github.com/cozystack/cozystack/pull/806),
+the Cozystack Dashboard (https://github.com/cozystack/cozystack/pull/828),
+and the Cozystack etcd-operator (https://github.com/cozystack/cozystack/pull/850).
+All Cozystack components that have VPA enabled can automatically adjust their CPU and memory requests based on usage, improving platform and application stability.
+
+<!--
 * Add VerticalPodAutoscaler to a few more components:
     * [kubernetes] Kubernetes clusters in user tenants. (@klinch0 in https://github.com/cozystack/cozystack/pull/806)
     * [platform] Cozystack dashboard. (@klinch0 in https://github.com/cozystack/cozystack/pull/828)
     * [platform] Cozystack etcd-operator (@klinch0 in https://github.com/cozystack/cozystack/pull/850)
-* Introduce support for cross-architecture builds and Cozystack on ARM:
-    * [build] Refactor Makefiles introducing build variables. (@nbykov0 in https://github.com/cozystack/cozystack/pull/907)
-    * [build] Add support for multi-architecture and cross-platform image builds. (@nbykov0 in https://github.com/cozystack/cozystack/pull/932 and https://github.com/cozystack/cozystack/pull/970)
+-->
+
+### Tenant HelmRelease Reconcile Controller
+
+A new controller was introduced to monitor and synchronize HelmRelease resources across tenants.
+This controller propagates configuration changes to tenant workloads and ensures that any HelmRelease defined in a tenant
+stays in sync with platform updates.
+It improves the reliability of deploying managed applications in Cozystack.
+(@klinch0 in https://github.com/cozystack/cozystack/pull/870)
+
+<!--
 * [platform] Introduce a new controller to synchronize tenant HelmReleases and propagate configuration changes. (@klinch0 in https://github.com/cozystack/cozystack/pull/870)
-* [platform] Introduce options `expose-services`, `expose-ingress` and `expose-external-ips` to the ingress service. (@kvaps in https://github.com/cozystack/cozystack/pull/929)
+-->
+
+### Virtual Machine Improvements
+
+**Configurable KubeVirt CPU Overcommit**: The CPU allocation ratio in KubeVirt (how virtual CPUs are overcommitted relative to physical) is now configurable
+via the `cpu-allocation-ratio` value in the Cozystack configmap.
+This means Cozystack administrators can now tune CPU overcommitment for VMs to balance performance vs. density.
+(@lllamnyp in https://github.com/cozystack/cozystack/pull/905)
+
+**KubeVirt VM Export**: Cozystack now allows exporting KubeVirt virtual machines.
+This feature, enabled via KubeVirt's `VirtualMachineExport` capability, lets users snapshot or back up VM images.
+(@kvaps in https://github.com/cozystack/cozystack/pull/808)
+
+**Support for various storage classes in Virtual Machines**: The `virtual-machine` application (since version 0.9.2) lets you pick any StorageClass for a VM's 
+system disk instead of relying on a hard-coded PVC.
+Refer to values `systemDisk.storage` and `systemDisk.storageClass` in the [application's configs](https://cozystack.io/docs/reference/applications/virtual-machine/#common-parameters).
+(@kvaps in https://github.com/cozystack/cozystack/pull/974)
+
+<!--
 * [kubevirt] Enable exporting VMs. (@kvaps in https://github.com/cozystack/cozystack/pull/808)
 * [kubevirt] Make KubeVirt's CPU allocation ratio configurable. (@lllamnyp in https://github.com/cozystack/cozystack/pull/905)
 * [virtual-machine] Add support for various storages. (@kvaps in https://github.com/cozystack/cozystack/pull/974)
+-->
+
+### Other Features and Improvements
+
+* [platform] Introduce options `expose-services`, `expose-ingress`, and `expose-external-ips` to the ingress service. (@kvaps in https://github.com/cozystack/cozystack/pull/929)
 * [cozystack-controller] Record the IP address pool and storage class in Workload objects. (@lllamnyp in https://github.com/cozystack/cozystack/pull/831)
-* [cilium] Enable Cilium Gateway API. (@zdenekjanda in https://github.com/cozystack/cozystack/pull/924)
-* [cilium] Enable user-added parameters in a tenant cluster Cilium. (@lllamnyp in https://github.com/cozystack/cozystack/pull/917)
 * [apps] Remove user-facing config of limits and requests. (@lllamnyp in https://github.com/cozystack/cozystack/pull/935)
-* Update the Cozystack release policy to include long-lived release branches and start with release candidates. Update CI workflows and docs accordingly.
-    * Use release branches `release-X.Y` for gathering and releasing fixes after initial `vX.Y.0` release. (@kvaps in https://github.com/cozystack/cozystack/pull/816)
-    * Automatically create release branches after initial `vX.Y.0` release is published. (@kvaps in https://github.com/cozystack/cozystack/pull/886)
-    * Introduce Release Candidate versions. Automate patch backporting by applying patches from pull requests labeled `[backport]` to the current release branch. (@kvaps in https://github.com/cozystack/cozystack/pull/841 and https://github.com/cozystack/cozystack/pull/901, @nickvolynkin in https://github.com/cozystack/cozystack/pull/890)
-    * Support alpha and beta pre-releases. (@kvaps in https://github.com/cozystack/cozystack/pull/978)
-    * Commit changes in release pipelines under `github-actions <github-actions@github.com>`. (@kvaps in https://github.com/cozystack/cozystack/pull/823)
-    * Describe the Cozystack release workflow. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/817 and https://github.com/cozystack/cozystack/pull/897)
+
+## New Release Lifecycle
+
+Cozystack release lifecycle is changing to provide a more stable and predictable lifecycle to customers running Cozystack in mission-critical environments.
+
+* **Gradual Release with Alpha, Beta, and Release Candidates**: Cozystack will now publish pre-release versions (alpha, beta, release candidates) before a stable release.
+  Starting with v0.31.0, the team made three release candidates before releasing version v0.31.0.
+  This allows more testing and feedback before marking a release as stable.
+
+* **Prolonged Release Support with Patch Versions**: After the initial `vX.Y.0` release, a long-lived branch `release-X.Y` will be created to backport fixes.
+  For example, with 0.31.0’s release, a `release-0.31` branch will track patch fixes (`0.31.x`).
+  This strategy lets Cozystack users receive timely patch releases and updates with minimal risks.
+
+To implement these new changes, we have rebuilt our CI/CD workflows and introduced automation, enabling automatic backports.
+You can read more about how it's implemented in the Development section below.
+
+For more information, read the [Cozystack Release Workflow](https://github.com/cozystack/cozystack/blob/main/docs/release.md) documentation.
 
 ## Fixes
 
 * [virtual-machine] Add GPU names to the virtual machine specifications. (@kvaps in https://github.com/cozystack/cozystack/pull/862)
 * [virtual-machine] Count Workload resources for pods by requests, not limits. Other improvements to VM resource tracking. (@lllamnyp in https://github.com/cozystack/cozystack/pull/904)
+* [virtual-machine] Set PortList method by default. (@kvaps in https://github.com/cozystack/cozystack/pull/996)
+* [virtual-machine] Specify ports even for wholeIP mode. (@kvaps in https://github.com/cozystack/cozystack/pull/1000)
 * [platform] Fix installing HelmReleases on initial setup. (@kvaps in https://github.com/cozystack/cozystack/pull/833)
 * [platform] Migration scripts update Kubernetes ConfigMap with the current stack version for improved version tracking. (@klinch0 in https://github.com/cozystack/cozystack/pull/840)
 * [platform] Reduce requested CPU and RAM for the `kamaji` provider. (@klinch0 in https://github.com/cozystack/cozystack/pull/825)
@@ -45,7 +135,8 @@ Cozystack 0.31.0 further advances GPU support, monitoring, and all-around conven
 * [kubernetes] Fix merging `valuesOverride` for tenant clusters. (@kvaps in https://github.com/cozystack/cozystack/pull/879)
 * [kubernetes] Fix `ubuntu-container-disk` tag. (@kvaps in https://github.com/cozystack/cozystack/pull/887)
 * [kubernetes] Refactor Helm manifests for tenant Kubernetes clusters. (@kvaps in https://github.com/cozystack/cozystack/pull/866)
-* [kubernetes] Fix Ingress-NGINX depends on Cert-Manager . (@kvaps in https://github.com/cozystack/cozystack/pull/976)
+* [kubernetes] Fix Ingress-NGINX depends on Cert-Manager. (@kvaps in https://github.com/cozystack/cozystack/pull/976)
+* [kubernetes, apps] Enable `topologySpreadConstraints` for tenant Kubernetes clusters and fix it for managed PostgreSQL. (@klinch0 in https://github.com/cozystack/cozystack/pull/995)
 * [tenant] Fix an issue with accessing external IPs of a cluster from the cluster itself. (@kvaps in https://github.com/cozystack/cozystack/pull/854)
 * [cluster-api] Remove the no longer necessary workaround for Kamaji. (@kvaps in https://github.com/cozystack/cozystack/pull/867, patched in https://github.com/cozystack/cozystack/pull/956) 
 * [monitoring] Remove legacy label "POD" from the exclude filter in metrics. (@xy2 in https://github.com/cozystack/cozystack/pull/826)
@@ -54,24 +145,13 @@ Cozystack 0.31.0 further advances GPU support, monitoring, and all-around conven
 * [postgres] Remove duplicated `template` entry from backup manifest. (@etoshutka in https://github.com/cozystack/cozystack/pull/872)
 * [kube-ovn] Fix versions mapping in Makefile. (@kvaps in https://github.com/cozystack/cozystack/pull/883)
 * [dx] Automatically detect version for migrations in the installer.sh. (@kvaps in https://github.com/cozystack/cozystack/pull/837)
-* [e2e] Increase timeout durations for `capi` and `keycloak` to improve reliability during environment setup. (@kvaps in https://github.com/cozystack/cozystack/pull/858)
-* [e2e] Fix `device_ownership_from_security_context` CRI. (@dtrdnk in https://github.com/cozystack/cozystack/pull/896)
-* [e2e] Return `genisoimage` to the e2e-test Dockerfile (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/962)
-* [ci] Improve the check for `versions_map` running on pull requests. (@kvaps and @klinch0 in https://github.com/cozystack/cozystack/pull/836, https://github.com/cozystack/cozystack/pull/842, and https://github.com/cozystack/cozystack/pull/845)
-* [ci] If the release step was skipped on a tag, skip tests as well. (@kvaps in https://github.com/cozystack/cozystack/pull/822)
-* [ci] Allow CI to cancel the previous job if a new one is scheduled. (@kvaps in https://github.com/cozystack/cozystack/pull/873)
-* [ci] Use the correct version name when uploading build assets to the release page. (@kvaps in https://github.com/cozystack/cozystack/pull/876)
-* [ci] Stop using `ok-to-test` label to trigger CI in pull requests. (@kvaps in https://github.com/cozystack/cozystack/pull/875)
-* [ci] Do not run tests in the release building pipeline. (@kvaps in https://github.com/cozystack/cozystack/pull/882)
-* [ci] Fix release branch creation. (@kvaps in https://github.com/cozystack/cozystack/pull/884)
-* [ci, dx] Reduce noise in the test logs by suppressing the `wget` progress bar. (@lllamnyp in https://github.com/cozystack/cozystack/pull/865)
-* [ci] Revert "automatically trigger tests in releasing PR". (@kvaps in https://github.com/cozystack/cozystack/pull/900)
-* [ci] Force-update release branch on tagged main commits . (@kvaps in https://github.com/cozystack/cozystack/pull/977)
-* [docs] Explain that tenants cannot have dashes in the names. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/980)
+* [dx] remove version_map and building for library charts. (@kvaps in https://github.com/cozystack/cozystack/pull/998)
+* [docs] Review the tenant Kubernetes cluster docs. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/969)
+* [docs] Explain that tenants cannot have dashes in their names. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/980)
 
 ## Dependencies
 
-* MetalLB s now included directly as a patched image based on version 0.14.9. (@lllamnyp in https://github.com/cozystack/cozystack/pull/945)
+* MetalLB images are now built in-tree based on version 0.14.9 with additional critical patches. (@lllamnyp in https://github.com/cozystack/cozystack/pull/945)
 * Update Kubernetes to v1.32.4. (@kvaps in https://github.com/cozystack/cozystack/pull/949)
 * Update Talos Linux to v1.10.1. (@kvaps in https://github.com/cozystack/cozystack/pull/931)
 * Update Cilium to v1.17.3. (@kvaps in https://github.com/cozystack/cozystack/pull/848)
@@ -83,15 +163,81 @@ Cozystack 0.31.0 further advances GPU support, monitoring, and all-around conven
 * Update KamajiControlPlane to edge-25.4.1. (@kvaps in https://github.com/cozystack/cozystack/pull/953, fixed by @nbykov0 in https://github.com/cozystack/cozystack/pull/983)
 * Update cert-manager to v1.17.2. (@kvaps in https://github.com/cozystack/cozystack/pull/975)
 
-## Maintenance
+## Documentation
 
-* Add @klinch0 to CODEOWNERS. (@kvaps in https://github.com/cozystack/cozystack/pull/838)
+* [Installing Talos in Air-Gapped Environment](https://cozystack.io/docs/operations/talos/configuration/air-gapped/):
+  new guide for configuring and bootstrapping Talos Linux clusters in air-gapped environments.
+  (@klinch0 in https://github.com/cozystack/website/pull/203)
 
-## New Contributors
+* [Cozystack Bundles](https://cozystack.io/docs/guides/bundles/): new page in the learning section explaining how Cozystack bundles work and how to choose a bundle.
+  (@NickVolynkin in https://github.com/cozystack/website/pull/188, https://github.com/cozystack/website/pull/189, and others;
+  updated by @kvaps in https://github.com/cozystack/website/pull/192 and https://github.com/cozystack/website/pull/193)
+
+* [Managed Application Reference](https://cozystack.io/docs/reference/applications/): A set of new pages in the docs, mirroring application docs from the Cozystack dashboard.
+  (@NickVolynkin in https://github.com/cozystack/website/pull/198, https://github.com/cozystack/website/pull/202, and https://github.com/cozystack/website/pull/204)
+
+* **LINSTOR Networking**: Guides on [configuring dedicated network for LINSTOR](https://cozystack.io/docs/operations/storage/dedicated-network/)
+and [configuring network for distributed storage in multi-datacenter setup](https://cozystack.io/docs/operations/stretched/linstor-dedicated-network/).
+(@xy2, edited by @NickVolynkin in https://github.com/cozystack/website/pull/171, https://github.com/cozystack/website/pull/182, and https://github.com/cozystack/website/pull/184)
+
+### Fixes
+
+* Correct error in the doc for the command to edit the configmap. (@lb0o in https://github.com/cozystack/website/pull/207)
+* Fix group name in OIDC docs (@kingdonb in https://github.com/cozystack/website/pull/179)
+* A bit more explanation of Docker buildx builders. (@nbykov0 in https://github.com/cozystack/website/pull/187)
+
+## Development, Testing, and CI/CD
+
+### Testing
+
+Improvements:
+
+* Introduce `cozytest` — a new [BATS-based](https://github.com/bats-core/bats-core) testing framework. (@kvaps in https://github.com/cozystack/cozystack/pull/982)
+
+Fixes:
+
+* Fix `device_ownership_from_security_context` CRI. (@dtrdnk in https://github.com/cozystack/cozystack/pull/896)
+* Increase timeout durations for `capi` and `keycloak` to improve reliability during e2e-tests. (@kvaps in https://github.com/cozystack/cozystack/pull/858)
+* Return `genisoimage` to the e2e-test Dockerfile (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/962)
+
+### CI/CD Changes
+                          
+Improvements:
+
+* Use release branches `release-X.Y` for gathering and releasing fixes after initial `vX.Y.0` release. (@kvaps in https://github.com/cozystack/cozystack/pull/816)
+* Automatically create release branches after initial `vX.Y.0` release is published. (@kvaps in https://github.com/cozystack/cozystack/pull/886)
+* Introduce Release Candidate versions. Automate patch backporting by applying patches from pull requests labeled `[backport]` to the current release branch. (@kvaps in https://github.com/cozystack/cozystack/pull/841 and https://github.com/cozystack/cozystack/pull/901, @nickvolynkin in https://github.com/cozystack/cozystack/pull/890)
+* Support alpha and beta pre-releases. (@kvaps in https://github.com/cozystack/cozystack/pull/978)
+* Commit changes in release pipelines under `github-actions <github-actions@github.com>`. (@kvaps in https://github.com/cozystack/cozystack/pull/823)
+* Describe the Cozystack release workflow. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/817 and https://github.com/cozystack/cozystack/pull/897)
+
+Fixes:
+
+* Improve the check for `versions_map` running on pull requests. (@kvaps and @klinch0 in https://github.com/cozystack/cozystack/pull/836, https://github.com/cozystack/cozystack/pull/842, and https://github.com/cozystack/cozystack/pull/845)
+* If the release step was skipped on a tag, skip tests as well. (@kvaps in https://github.com/cozystack/cozystack/pull/822)
+* Allow CI to cancel the previous job if a new one is scheduled. (@kvaps in https://github.com/cozystack/cozystack/pull/873)
+* Use the correct version name when uploading build assets to the release page. (@kvaps in https://github.com/cozystack/cozystack/pull/876)
+* Stop using `ok-to-test` label to trigger CI in pull requests. (@kvaps in https://github.com/cozystack/cozystack/pull/875)
+* Do not run tests in the release building pipeline. (@kvaps in https://github.com/cozystack/cozystack/pull/882)
+* Fix release branch creation. (@kvaps in https://github.com/cozystack/cozystack/pull/884)
+* Reduce noise in the test logs by suppressing the `wget` progress bar. (@lllamnyp in https://github.com/cozystack/cozystack/pull/865)
+* Revert "automatically trigger tests in releasing PR". (@kvaps in https://github.com/cozystack/cozystack/pull/900)
+* Force-update release branch on tagged main commits. (@kvaps in https://github.com/cozystack/cozystack/pull/977)
+* Show detailed errors in the `pull-request-release` workflow. (@lllamnyp in https://github.com/cozystack/cozystack/pull/992)
+
+## Community and Maintenance
+
+### Repository Maintenance
+
+Added @klinch0 to CODEOWNERS. (@kvaps in https://github.com/cozystack/cozystack/pull/838)
+
+### New Contributors
 
 * @etoshutka made their first contribution in https://github.com/cozystack/cozystack/pull/872
 * @dtrdnk made their first contribution in https://github.com/cozystack/cozystack/pull/896
 * @zdenekjanda made their first contribution in https://github.com/cozystack/cozystack/pull/924
 * @gwynbleidd2106 made their first contribution in https://github.com/cozystack/cozystack/pull/962
 
-**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.30.0...v0.31.0-rc.3
+## Full Changelog
+
+See https://github.com/cozystack/cozystack/compare/v0.30.0...v0.31.0

hack/e2e-apps.bats

@@ -90,5 +90,5 @@ EOF
   kubectl wait tcp -n tenant-test kubernetes-test --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
   kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-test kubernetes-test-cluster-autoscaler kubernetes-test-kccm kubernetes-test-kcsi-controller
   kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
-  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=5m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
+  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
 }

hack/e2e-cluster.bats

@@ -3,12 +3,14 @@
 # Cozystack end‑to‑end provisioning test (Bats)
 # -----------------------------------------------------------------------------
 
-@test "Environment variable COZYSTACK_INSTALLER_YAML is defined" {
-  if [ -z "${COZYSTACK_INSTALLER_YAML:-}" ]; then
-    echo 'COZYSTACK_INSTALLER_YAML environment variable is not set!' >&2
-    echo >&2
-    echo 'Please export it with the following command:' >&2
-    echo '  export COZYSTACK_INSTALLER_YAML=$(helm template -n cozy-system installer packages/core/installer)' >&2
+@test "Required installer assets exist" {
+  if [ ! -f _out/assets/cozystack-installer.yaml ]; then
+    echo "Missing: _out/assets/cozystack-installer.yaml" >&2
+    exit 1
+  fi
+
+  if [ ! -f _out/assets/nocloud-amd64.raw.xz ]; then
+    echo "Missing: _out/assets/nocloud-amd64.raw.xz" >&2
     exit 1
   fi
 }
@@ -70,19 +72,21 @@ EOF
   done
 }
 
-@test "Download Talos NoCloud image" {
-  if [ ! -f nocloud-amd64.raw ]; then
-    wget https://github.com/cozystack/cozystack/releases/latest/download/nocloud-amd64.raw.xz \
-      -O nocloud-amd64.raw.xz --show-progress --output-file /dev/stdout --progress=dot:giga 2>/dev/null
-    rm -f nocloud-amd64.raw
-    xz --decompress nocloud-amd64.raw.xz
+@test "Use Talos NoCloud image from assets" {
+  if [ ! -f _out/assets/nocloud-amd64.raw.xz ]; then
+    echo "Missing _out/assets/nocloud-amd64.raw.xz" 2>&1
+    exit 1
   fi
+
+  rm -f nocloud-amd64.raw
+  cp _out/assets/nocloud-amd64.raw.xz .
+  xz --decompress nocloud-amd64.raw.xz
 }
 
 @test "Prepare VM disks" {
   for i in 1 2 3; do
     cp nocloud-amd64.raw srv${i}/system.img
-    qemu-img resize srv${i}/system.img 20G
+    qemu-img resize srv${i}/system.img 50G
     qemu-img create srv${i}/data.img 100G
   done
 }
@@ -243,8 +247,8 @@ EOF
           --from-literal=api-server-endpoint=https://192.168.123.10:6443 \
           --dry-run=client -o yaml | kubectl apply -f -
 
-  # Apply installer manifests from env variable
-  echo "$COZYSTACK_INSTALLER_YAML" | kubectl apply -f -
+  # Apply installer manifests from file
+  kubectl apply -f _out/assets/cozystack-installer.yaml
 
   # Wait for the installer deployment to become available
   kubectl wait deployment/cozystack -n cozy-system --timeout=1m --for=condition=Available

internal/controller/system_helm_reconciler.go

@@ -0,0 +1,139 @@
+package controller
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"sort"
+	"time"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	corev1 "k8s.io/api/core/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+)
+
+type CozystackConfigReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+var configMapNames = []string{"cozystack", "cozystack-branding", "cozystack-scheduling"}
+
+const configMapNamespace = "cozy-system"
+const digestAnnotation = "cozystack.io/cozy-config-digest"
+const forceReconcileKey = "reconcile.fluxcd.io/forceAt"
+const requestedAt = "reconcile.fluxcd.io/requestedAt"
+
+func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx)
+
+	digest, err := r.computeDigest(ctx)
+	if err != nil {
+		log.Error(err, "failed to compute config digest")
+		return ctrl.Result{}, nil
+	}
+
+	var helmList helmv2.HelmReleaseList
+	if err := r.List(ctx, &helmList); err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to list HelmReleases: %w", err)
+	}
+
+	now := time.Now().Format(time.RFC3339Nano)
+	updated := 0
+
+	for _, hr := range helmList.Items {
+		isSystemApp := hr.Labels["cozystack.io/system-app"] == "true"
+		isTenantRoot := hr.Namespace == "tenant-root" && hr.Name == "tenant-root"
+		if !isSystemApp && !isTenantRoot {
+			continue
+		}
+
+		if hr.Annotations == nil {
+			hr.Annotations = map[string]string{}
+		}
+
+		if hr.Annotations[digestAnnotation] == digest {
+			continue
+		}
+
+		patch := client.MergeFrom(hr.DeepCopy())
+		hr.Annotations[digestAnnotation] = digest
+		hr.Annotations[forceReconcileKey] = now
+		hr.Annotations[requestedAt] = now
+
+		if err := r.Patch(ctx, &hr, patch); err != nil {
+			log.Error(err, "failed to patch HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
+			continue
+		}
+		updated++
+		log.Info("patched HelmRelease with new config digest", "name", hr.Name, "namespace", hr.Namespace)
+	}
+
+	log.Info("finished reconciliation", "updatedHelmReleases", updated)
+	return ctrl.Result{}, nil
+}
+
+func (r *CozystackConfigReconciler) computeDigest(ctx context.Context) (string, error) {
+	hash := sha256.New()
+
+	for _, name := range configMapNames {
+		var cm corev1.ConfigMap
+		err := r.Get(ctx, client.ObjectKey{Namespace: configMapNamespace, Name: name}, &cm)
+		if err != nil {
+			if kerrors.IsNotFound(err) {
+				continue // ignore missing
+			}
+			return "", err
+		}
+
+		// Sort keys for consistent hashing
+		var keys []string
+		for k := range cm.Data {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+
+		for _, k := range keys {
+			v := cm.Data[k]
+			fmt.Fprintf(hash, "%s:%s=%s\n", name, k, v)
+		}
+	}
+
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
+
+func (r *CozystackConfigReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		WithEventFilter(predicate.Funcs{
+			UpdateFunc: func(e event.UpdateEvent) bool {
+				cm, ok := e.ObjectNew.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+			CreateFunc: func(e event.CreateEvent) bool {
+				cm, ok := e.Object.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+			DeleteFunc: func(e event.DeleteEvent) bool {
+				cm, ok := e.Object.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+		}).
+		For(&corev1.ConfigMap{}).
+		Complete(r)
+}
+
+func contains(slice []string, val string) bool {
+	for _, s := range slice {
+		if s == val {
+			return true
+		}
+	}
+	return false
+}

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.9.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/Makefile

@@ -1,4 +1,4 @@
-CLICKHOUSE_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+CLICKHOUSE_BACKUP_TAG = $(shell awk '$$0 ~ /^version:/ {print $$2}' Chart.yaml)
 
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/clickhouse-backup:0.9.0@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
+ghcr.io/cozystack/cozystack/clickhouse-backup:0.9.2@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -1,3 +1,5 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
 {{- $passwords := dict }}
 {{- $users := .Values.users }}
@@ -32,7 +34,7 @@ kind: "ClickHouseInstallation"
 metadata:
   name: "{{ .Release.Name }}"
 spec:
-  namespaceDomainPattern:  "%s.svc.cozy.local"
+  namespaceDomainPattern:  "%s.svc.{{ $clusterDomain }}"
   defaults:
     templates:
       dataVolumeClaimTemplate: data-volume-template
@@ -92,6 +94,9 @@ spec:
   templates:
     volumeClaimTemplates:
       - name: data-volume-template
+        metadata:
+          labels:
+            app.kubernetes.io/instance: {{ .Release.Name }}
         spec:
           accessModes:
             - ReadWriteOnce
@@ -99,6 +104,9 @@ spec:
             requests:
               storage: {{ .Values.size }}
       - name: log-volume-template
+        metadata:
+          labels:
+            app.kubernetes.io/instance: {{ .Release.Name }}
         spec:
           accessModes:
             - ReadWriteOnce
@@ -107,6 +115,9 @@ spec:
               storage: {{ .Values.logStorageSize }}
     podTemplates:
       - name: clickhouse-per-host
+        metadata:
+          labels:
+            app.kubernetes.io/instance: {{ .Release.Name }}
         spec:
           affinity:
             podAntiAffinity:
@@ -122,9 +133,9 @@ spec:
             - name: clickhouse
               image: clickhouse/clickhouse-server:24.9.2.42
               {{- if .Values.resources }}
-              resources: {{- include "cozy-lib.resources.sanitize" .Values.resources | nindent 16 }}
+              resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 16 }}
               {{- else if ne .Values.resourcesPreset "none" }}
-              resources: {{- include "cozy-lib.resources.preset" .Values.resourcesPreset | nindent 16 }}
+              resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 16 }}
               {{- end }}
               volumeMounts:
                 - name: data-volume-template
@@ -133,6 +144,9 @@ spec:
                   mountPath: /var/log/clickhouse-server
     serviceTemplates:
       - name: svc-template
+        metadata:
+          labels:
+            app.kubernetes.io/instance: {{ .Release.Name }}
         generateName: chendpoint-{chi}
         spec:
           ports:

packages/apps/clickhouse/templates/workloadmonitor.yaml

@@ -9,5 +9,5 @@ spec:
   kind: clickhouse
   type: clickhouse
   selector:
-    clickhouse.altinity.com/chi: {{ $.Release.Name }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
   version: {{ $.Chart.Version }}

packages/apps/ferretdb/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.6.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/ferretdb/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.11.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f
+ghcr.io/cozystack/cozystack/postgres-backup:0.12.1@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f

packages/apps/ferretdb/templates/external-svc.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ .Release.Name }}
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   {{- if .Values.external }}

packages/apps/ferretdb/templates/ferretdb.yaml

@@ -12,6 +12,7 @@ spec:
     metadata:
       labels:
         app: {{ .Release.Name }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
     spec:
       containers:
       - name: ferretdb

packages/apps/ferretdb/templates/postgres.yaml

@@ -19,9 +19,9 @@ spec:
   minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
   maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}
   {{- if .Values.resources }}
-  resources: {{- toYaml .Values.resources | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
   {{- else if ne .Values.resourcesPreset "none" }}
-  resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 4 }}
   {{- end }}
   monitoring:
     enablePodMonitor: true
@@ -35,6 +35,7 @@ spec:
   inheritedMetadata:
     labels:
       policy.cozystack.io/allow-to-apiserver: "true"
+      app.kubernetes.io/instance: {{ .Release.Name }}
 
   {{- if .Values.users }}
   managed:

packages/apps/ferretdb/templates/workloadmonitor.yaml

@@ -9,5 +9,5 @@ spec:
   kind: ferretdb
   type: ferretdb
   selector:
-    app: {{ $.Release.Name }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
   version: {{ $.Chart.Version }}

packages/apps/http-cache/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/http-cache/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.5.0@sha256:158c35dd6a512bd14e86a423be5c8c7ca91ac71999c73cce2714e4db60a2db43
+ghcr.io/cozystack/cozystack/nginx-cache:0.5.1@sha256:50ac1581e3100bd6c477a71161cb455a341ffaf9e5e2f6086802e4e25271e8af

packages/apps/http-cache/templates/haproxy/deployment.yaml

@@ -34,9 +34,9 @@ spec:
       - image: haproxy:latest
         name: haproxy
         {{- if .Values.haproxy.resources }}
-        resources: {{- toYaml .Values.haproxy.resources | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.sanitize" (list .Values.haproxy.resources $) | nindent 10 }}
         {{- else if ne .Values.haproxy.resourcesPreset "none" }}
-        resources: {{- include "resources.preset" (dict "type" .Values.haproxy.resourcesPreset "Release" .Release) | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.preset" (list .Values.haproxy.resourcesPreset $) | nindent 10 }}
         {{- end }}
         ports:
         - containerPort: 8080

packages/apps/http-cache/templates/nginx/deployment.yaml

@@ -53,9 +53,9 @@ spec:
       containers:
       - name: nginx
         {{- if $.Values.nginx.resources }}
-        resources: {{- toYaml $.Values.nginx.resources | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.sanitize" (list $.Values.nginx.resources $) | nindent 10 }}
         {{- else if ne $.Values.nginx.resourcesPreset "none" }}
-        resources: {{- include "resources.preset" (dict "type" $.Values.nginx.resourcesPreset "Release" $.Release) | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.preset" (list $.Values.nginx.resourcesPreset $) | nindent 10 }}
         {{- end }}
         image: "{{ $.Files.Get "images/nginx-cache.tag" | trim }}"
         readinessProbe:

packages/apps/http-cache/templates/workloadmonitor.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-haproxy
+spec:
+  replicas: {{ .Values.haproxy.replicas }}
+  minReplicas: 1
+  kind: http-cache
+  type: http-cache
+  selector:
+    app: {{ $.Release.Name }}-haproxy
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-nginx
+spec:
+  replicas: {{ .Values.nginx.replicas }}
+  minReplicas: 1
+  kind: http-cache
+  type: http-cache
+  selector:
+    app: {{ $.Release.Name }}-nginx-cache
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: http-cache
+  type: http-cache
+  selector:
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.6.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/README.md

@@ -14,9 +14,9 @@
 | `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                                                                                                      | `3`     |
 | `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                                                                                                     | `""`    |
 | `kafka.resources`           | Resources                                                                                                                                                                                                         | `{}`    |
-| `kafka.resourcesPreset`     | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
+| `kafka.resourcesPreset`     | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
 | `zookeeper.resources`       | Resources                                                                                                                                                                                                         | `{}`    |
-| `zookeeper.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
+| `zookeeper.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
 
 ### Configuration parameters
 

packages/apps/kafka/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/kafka/templates/kafka.yaml

@@ -9,9 +9,9 @@ spec:
   kafka:
     replicas: {{ .Values.kafka.replicas }}
     {{- if .Values.kafka.resources }}
-    resources: {{- toYaml .Values.kafka.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.kafka.resources $) | nindent 6 }}
     {{- else if ne .Values.kafka.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.kafka.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.kafka.resourcesPreset $) | nindent 6 }}
     {{- end }}
     listeners:
       - name: plain
@@ -71,9 +71,9 @@ spec:
   zookeeper:
     replicas: {{ .Values.zookeeper.replicas }}
     {{- if .Values.zookeeper.resources }}
-    resources: {{- toYaml .Values.zookeeper.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.zookeeper.resources $) | nindent 6 }}
     {{- else if ne .Values.zookeeper.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.zookeeper.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.zookeeper.resourcesPreset $) | nindent 6 }}
     {{- end }}
     storage:
       type: persistent-claim

packages/apps/kafka/values.schema.json

@@ -33,7 +33,7 @@
                 "resourcesPreset": {
                     "type": "string",
                     "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "nano"
+                    "default": "small"
                 }
             }
         },
@@ -63,7 +63,7 @@
                 "resourcesPreset": {
                     "type": "string",
                     "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "nano"
+                    "default": "micro"
                 }
             }
         },

packages/apps/kafka/values.yaml

@@ -25,7 +25,7 @@ kafka:
   #     memory: 512Mi
   
   ## @param kafka.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
-  resourcesPreset: "nano"
+  resourcesPreset: "small"
 
 zookeeper:
   size: 5Gi
@@ -42,7 +42,7 @@ zookeeper:
   #     memory: 512Mi
   
   ## @param zookeeper.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
-  resourcesPreset: "nano"
+  resourcesPreset: "micro"
 
 ## @section Configuration parameters
 

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.21.0
+version: 0.23.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/README.md

@@ -81,12 +81,13 @@ See the reference for components utilized in this service:
 
 ### Common Parameters
 
-| Name                    | Description                                                                                                       | Value        |
-| ----------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
-| `host`                  | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
-| `controlPlane.replicas` | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
-| `storageClass`          | StorageClass used to store user data.                                                                             | `replicated` |
-| `nodeGroups`            | nodeGroups configuration                                                                                          | `{}`         |
+| Name                                | Description                                                                                                       | Value        |
+| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
+| `host`                              | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
+| `controlPlane.replicas`             | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
+| `storageClass`                      | StorageClass used to store user data.                                                                             | `replicated` |
+| `useCustomSecretForPatchContainerd` | if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd                           | `false`      |
+| `nodeGroups`                        | nodeGroups configuration                                                                                          | `{}`         |
 
 ### Cluster Addons
 

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.20.1@sha256:720148128917fa10f860a8b7e74f9428de72481c466c880c5ad894e1f0026d43
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.23.1@sha256:7315850634728a5864a3de3150c12f0e1454f3f1ce33cdf21a278f57611dd5e9

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.20.1@sha256:1b48a4725a33ccb48604bb2e1be3171271e7daac2726d3119228212d8a9da5bb
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.23.1@sha256:6962bdf51ab2ff40b420b9cff7c850aeea02187da2a65a67f10e0471744649d7

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.20.1@sha256:fb6d3ce9d6d948285a6d399c852e15259d6922162ec7c44177d2274243f59d1f
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.23.1@sha256:b1525163cd21938ac934bb1b860f2f3151464fa463b82880ab058167aeaf3e29

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.32@sha256:184b81529ae72684279799b12f436cc7a511d8ff5bd1e9a30478799c7707c625
+ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.32@sha256:290264eba144c5c58f68009b17f59a5990f6fafbf768f9cbefd7050c34733930

packages/apps/kubernetes/templates/cluster.yaml

@@ -211,12 +211,25 @@ spec:
       - ["LABEL=ephemeral", "/ephemeral"]
       - ["/ephemeral/kubelet", "/var/lib/kubelet", "none", "bind,nofail"]
       - ["/ephemeral/containerd", "/var/lib/containerd", "none", "bind,nofail"]
+      {{- $sec := lookup "v1" "Secret" $.Release.Namespace (printf "%s-patch-containerd" $.Release.Name) }}
+      {{- if $sec }}
+      files:
+        {{- range $key, $_ := $sec.data }}
+        - path: /etc/containerd/certs.d/{{ trimSuffix ".toml" $key }}/hosts.toml
+          contentFrom:
+            secret:
+              name: {{ $.Release.Name }}-patch-containerd
+              key: {{ $key }}
+          permissions: "0400"
+        {{- end }}
+      {{- end }}
       preKubeadmCommands:
       - sed -i 's|root:x:|root::|' /etc/passwd
       - systemctl stop containerd.service
       - mkdir -p /ephemeral/kubelet /ephemeral/containerd
       - mount -o bind /ephemeral/kubelet /var/lib/kubelet
       - mount -o bind /ephemeral/containerd /var/lib/containerd
+      - sudo sed -i '/\[plugins."io.containerd.grpc.v1.cri".registry\]/,/^\[/ s|^\(\s*config_path\s*=\s*\).*|\1"/etc/containerd/certs.d"|' /etc/containerd/config.toml
       - systemctl start containerd.service
       joinConfiguration:
         nodeRegistration:

packages/apps/kubernetes/templates/copy-patch-containerd.yaml

@@ -0,0 +1,15 @@
+{{- if not .Values.useCustomSecretForPatchContainerd }}
+{{- $sourceSecret := lookup "v1" "Secret" "cozy-system" "patch-containerd" }}
+{{- if $sourceSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-patch-containerd
+  namespace: {{ .Release.Namespace }}
+type: {{ $sourceSecret.type }}
+data:
+{{- range $key, $value := $sourceSecret.data }}
+  {{ printf "%s: %s" $key ($value | quote) | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}

packages/apps/kubernetes/templates/helmreleases/gateway-api-crds.yaml

@@ -17,6 +17,7 @@ spec:
         kind: HelmRepository
         name: cozystack-system
         namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler.yaml

@@ -1,4 +1,6 @@
 {{- define "cozystack.defaultVPAValues" -}}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $targetTenant := index $myNS.metadata.annotations "namespace.cozystack.io/monitoring" }}
 vertical-pod-autoscaler:
@@ -13,7 +15,7 @@ vertical-pod-autoscaler:
       metric-for-pod-labels: kube_pod_labels{job="kube-state-metrics", tenant="{{ .Release.Namespace }}", cluster="{{ .Release.Name }}"}[8d]
       pod-name-label: pod
       pod-namespace-label: namespace
-      prometheus-address: http://vmselect-shortterm.{{ $targetTenant }}.svc.cozy.local:8481/select/0/prometheus/
+      prometheus-address: http://vmselect-shortterm.{{ $targetTenant }}.svc.{{ $clusterDomain }}:8481/select/0/prometheus/
       prometheus-cadvisor-job-name: cadvisor
     resources:
       limits:

packages/apps/kubernetes/values.schema.json

@@ -127,6 +127,11 @@
       "description": "StorageClass used to store user data.",
       "default": "replicated"
     },
+    "useCustomSecretForPatchContainerd": {
+      "type": "boolean",
+      "description": "if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd",
+      "default": false
+    },
     "addons": {
       "type": "object",
       "properties": {

packages/apps/kubernetes/values.yaml

@@ -3,9 +3,11 @@
 ## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
 ## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
 ## @param storageClass StorageClass used to store user data.
+## @param useCustomSecretForPatchContainerd if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd
 ##
 host: ""
 storageClass: replicated
+useCustomSecretForPatchContainerd: false
 
 ## @param nodeGroups [object] nodeGroups configuration
 ##

packages/apps/mysql/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.7.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/mysql/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/mariadb-backup:0.7.0@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4
+ghcr.io/cozystack/cozystack/mariadb-backup:0.7.1@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4

packages/apps/mysql/templates/mariadb.yaml

@@ -57,6 +57,11 @@ spec:
     name: {{ .Release.Name }}-my-cnf
     key: config
 
+  service:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: {{ $.Release.Name }}
+
   storage:
     size: {{ .Values.size }}
     resizeInUseVolumes: true
@@ -74,7 +79,7 @@ spec:
   #  type: LoadBalancer
 
   {{- if .Values.resources }}
-  resources: {{- toYaml .Values.resources | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
   {{- else if ne .Values.resourcesPreset "none" }}
-  resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 4 }}
   {{- end }}

packages/apps/nats/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.6.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/nats/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/nats/templates/nats.yaml

@@ -1,3 +1,5 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 {{- $passwords := dict }}
 {{- range $user, $u := .Values.users }}
   {{- if $u.password }}
@@ -45,12 +47,15 @@ spec:
               - name: nats
                 image: nats:2.10.17-alpine
                 {{- if .Values.resources }}
-                resources: {{- toYaml .Values.resources | nindent 22 }}
+                resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 22 }}
                 {{- else if ne .Values.resourcesPreset "none" }}
-                resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 22 }}
+                resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 22 }}
                 {{- end }}
       fullnameOverride: {{ .Release.Name }}
       config:
+        cluster:
+          routeURLs:
+            k8sClusterDomain: {{ $clusterDomain }}
         {{- if or (gt (len $passwords) 0) (gt (len .Values.config.merge) 0) }}
         merge:
           {{- if gt (len $passwords) 0 }}

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.12.0
+version: 0.12.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.11.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f
+ghcr.io/cozystack/cozystack/postgres-backup:0.12.1@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f

packages/apps/postgres/templates/db.yaml

@@ -6,9 +6,9 @@ metadata:
 spec:
   instances: {{ .Values.replicas }}
   {{- if .Values.resources }}
-  resources: {{- toYaml .Values.resources | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
   {{- else if ne .Values.resourcesPreset "none" }}
-  resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 4 }}
   {{- end }}
 
   enableSuperuserAccess: true
@@ -44,6 +44,8 @@ spec:
   inheritedMetadata:
     labels:
       policy.cozystack.io/allow-to-apiserver: "true"
+      app.kubernetes.io/name: postgres.apps.cozystack.io
+      app.kubernets.io/instance: {{ $.Release.Name }}
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: WorkloadMonitor
@@ -55,6 +57,6 @@ spec:
   kind: postgres
   type: postgres
   selector:
-    cnpg.io/cluster: {{ .Release.Name }}
-    cnpg.io/podRole: instance
+    app.kubernetes.io/name: postgres.apps.cozystack.io
+    app.kubernets.io/instance: {{ $.Release.Name }}
   version: {{ $.Chart.Version }}

packages/apps/rabbitmq/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -12,9 +12,9 @@ spec:
     type: LoadBalancer
   {{- end }}
   {{- if .Values.resources }}
-  resources: {{- toYaml .Values.resources | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
   {{- else if ne .Values.resourcesPreset "none" }}
-  resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 4 }}
   {{- end }}
   override:
     statefulSet:

packages/apps/redis/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.7.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/redis/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/redis/templates/redisfailover.yaml

@@ -26,22 +26,25 @@ spec:
   sentinel:
     replicas: 3
     {{- if .Values.resources }}
-    resources: {{- toYaml .Values.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 6 }}
     {{- else if ne .Values.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 6 }}
     {{- end }}
   redis:
     replicas: {{ .Values.replicas }}
     {{- if .Values.resources }}
-    resources: {{- toYaml .Values.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 6 }}
     {{- else if ne .Values.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 6 }}
     {{- end }}
     {{- with .Values.size }}
     storage:
       persistentVolumeClaim:
         metadata:
           name: redisfailover-persistent-data
+          labels:
+            app.kubernetes.io/component: redis
+            app.kubernetes.io/instance: {{ $.Release.Name }}
         spec:
           accessModes:
             - ReadWriteOnce

packages/apps/tcp-balancer/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.4.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/tcp-balancer/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/tcp-balancer/templates/deployment.yaml

@@ -15,6 +15,7 @@ spec:
     metadata:
       labels:
         app: {{ .Release.Name }}-haproxy
+        app.kubernetes.io/instance: {{ .Release.Name }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
     spec:
@@ -34,9 +35,9 @@ spec:
       - image: haproxy:latest
         name: haproxy
         {{- if .Values.resources }}
-        resources: {{- toYaml .Values.resources | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 10 }}
         {{- else if ne .Values.resourcesPreset "none" }}
-        resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 10 }}
         {{- end }}
         ports:
         {{- with .Values.httpAndHttps }}

packages/apps/tcp-balancer/templates/workloadmonitor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: tcp-balancer
+  type: haproxy
+  selector:
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.9.2
+version: 1.9.3

packages/apps/tenant/templates/tenant.yaml

@@ -184,6 +184,12 @@ rules:
     verbs:
     - get
     - list
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+      - virtualmachineinstances/portforward
+    verbs:
+      - get
+      - update
   - apiGroups:
     - cozystack.io
     resources:
@@ -253,6 +259,12 @@ rules:
     verbs:
     - get
     - list
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+      - virtualmachineinstances/portforward
+    verbs:
+      - get
+      - update
   - apiGroups: ["apps.cozystack.io"]
     resources:
     - buckets
@@ -349,6 +361,12 @@ rules:
     verbs:
     - get
     - list
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+      - virtualmachineinstances/portforward
+    verbs:
+      - get
+      - update
   - apiGroups: ["apps.cozystack.io"]
     resources:
     - '*'

packages/apps/versions_map

@@ -9,7 +9,8 @@ clickhouse 0.6.0 1ec10165
 clickhouse 0.6.1 c62a83a7
 clickhouse 0.6.2 8267072d
 clickhouse 0.7.0 93bdf411
-clickhouse 0.9.0 HEAD
+clickhouse 0.9.0 6130f43d
+clickhouse 0.9.2 HEAD
 ferretdb 0.1.0 e9716091
 ferretdb 0.1.1 91b0499a
 ferretdb 0.2.0 6c5cf5bf
@@ -18,13 +19,15 @@ ferretdb 0.4.0 b40e1b09
 ferretdb 0.4.1 1ec10165
 ferretdb 0.4.2 8267072d
 ferretdb 0.5.0 93bdf411
-ferretdb 0.6.0 HEAD
+ferretdb 0.6.0 6130f43d
+ferretdb 0.6.1 HEAD
 http-cache 0.1.0 263e47be
 http-cache 0.2.0 53f2365e
 http-cache 0.3.0 6c5cf5bf
 http-cache 0.3.1 0f312d5c
 http-cache 0.4.0 93bdf411
-http-cache 0.5.0 HEAD
+http-cache 0.5.0 6130f43d
+http-cache 0.5.1 HEAD
 kafka 0.1.0 f7eaab0a
 kafka 0.2.0 c0685f43
 kafka 0.2.1 dfbc210b
@@ -36,7 +39,8 @@ kafka 0.3.2 93c46161
 kafka 0.3.3 8267072d
 kafka 0.4.0 85ec09b8
 kafka 0.5.0 93bdf411
-kafka 0.6.0 HEAD
+kafka 0.6.0 6130f43d
+kafka 0.6.1 HEAD
 kubernetes 0.1.0 263e47be
 kubernetes 0.2.0 53f2365e
 kubernetes 0.3.0 007d414f
@@ -66,7 +70,8 @@ kubernetes 0.18.0 721c12a7
 kubernetes 0.19.0 93bdf411
 kubernetes 0.20.0 609e7ede
 kubernetes 0.20.1 f9f8bb2f
-kubernetes 0.21.0 HEAD
+kubernetes 0.21.0 6130f43d
+kubernetes 0.23.1 HEAD
 mysql 0.1.0 263e47be
 mysql 0.2.0 c24a103f
 mysql 0.3.0 53f2365e
@@ -76,7 +81,8 @@ mysql 0.5.1 0f312d5c
 mysql 0.5.2 1ec10165
 mysql 0.5.3 8267072d
 mysql 0.6.0 93bdf411
-mysql 0.7.0 HEAD
+mysql 0.7.0 6130f43d
+mysql 0.7.1 HEAD
 nats 0.1.0 e9716091
 nats 0.2.0 6c5cf5bf
 nats 0.3.0 78366f19
@@ -84,7 +90,8 @@ nats 0.3.1 c62a83a7
 nats 0.4.0 898374b5
 nats 0.4.1 8267072d
 nats 0.5.0 93bdf411
-nats 0.6.0 HEAD
+nats 0.6.0 6130f43d
+nats 0.6.1 HEAD
 postgres 0.1.0 263e47be
 postgres 0.2.0 53f2365e
 postgres 0.2.1 d7cfa53c
@@ -101,7 +108,8 @@ postgres 0.9.0 8267072d
 postgres 0.10.0 721c12a7
 postgres 0.10.1 93bdf411
 postgres 0.11.0 f9f8bb2f
-postgres 0.12.0 HEAD
+postgres 0.12.0 6130f43d
+postgres 0.12.1 HEAD
 rabbitmq 0.1.0 263e47be
 rabbitmq 0.2.0 53f2365e
 rabbitmq 0.3.0 6c5cf5bf
@@ -119,11 +127,13 @@ redis 0.3.1 c62a83a7
 redis 0.4.0 84f3ccc0
 redis 0.5.0 4e68e65c
 redis 0.6.0 93bdf411
-redis 0.7.0 HEAD
+redis 0.7.0 6130f43d
+redis 0.7.1 HEAD
 tcp-balancer 0.1.0 263e47be
 tcp-balancer 0.2.0 53f2365e
 tcp-balancer 0.3.0 93bdf411
-tcp-balancer 0.4.0 HEAD
+tcp-balancer 0.4.0 6130f43d
+tcp-balancer 0.4.1 HEAD
 tenant 0.1.4 afc997ef
 tenant 0.1.5 e3ab858a
 tenant 1.0.0 263e47be
@@ -146,7 +156,8 @@ tenant 1.7.0 24fa7222
 tenant 1.8.0 160e4e2a
 tenant 1.9.0 728743db
 tenant 1.9.1 721c12a7
-tenant 1.9.2 HEAD
+tenant 1.9.2 6130f43d
+tenant 1.9.3 HEAD
 virtual-machine 0.1.4 f2015d65
 virtual-machine 0.1.5 263e47be
 virtual-machine 0.2.0 c0685f43
@@ -161,9 +172,11 @@ virtual-machine 0.8.1 93c46161
 virtual-machine 0.8.2 de19450f
 virtual-machine 0.9.0 721c12a7
 virtual-machine 0.9.1 93bdf411
-virtual-machine 0.10.0 HEAD
+virtual-machine 0.10.0 6130f43d
+virtual-machine 0.10.2 HEAD
 vm-disk 0.1.0 d971f2ff
-vm-disk 0.1.1 HEAD
+vm-disk 0.1.1 6130f43d
+vm-disk 0.1.2 HEAD
 vm-instance 0.1.0 1ec10165
 vm-instance 0.2.0 84f3ccc0
 vm-instance 0.3.0 4e68e65c
@@ -172,10 +185,12 @@ vm-instance 0.4.1 0ab39f20
 vm-instance 0.5.0 3fa4dd3a
 vm-instance 0.5.1 de19450f
 vm-instance 0.6.0 721c12a7
-vm-instance 0.7.0 HEAD
+vm-instance 0.7.0 6130f43d
+vm-instance 0.7.2 HEAD
 vpn 0.1.0 263e47be
 vpn 0.2.0 53f2365e
 vpn 0.3.0 6c5cf5bf
 vpn 0.3.1 1ec10165
 vpn 0.4.0 93bdf411
-vpn 0.5.0 HEAD
+vpn 0.5.0 6130f43d
+vpn 0.5.1 HEAD

packages/apps/virtual-machine/Chart.yaml

@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.0
+version: 0.10.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml

@@ -21,5 +21,5 @@ spec:
   kind: virtual-machine
   type: virtual-machine
   selector:
-    vm.kubevirt.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
   version: {{ $.Chart.Version }}

packages/apps/virtual-machine/templates/vm.yaml

@@ -13,6 +13,7 @@ metadata:
     {{- include "virtual-machine.labels" . | nindent 4 }}
 spec:
   running: {{ .Values.running | default "true" }}
+
   {{- with .Values.instanceType }}
   instancetype:
     kind: VirtualMachineClusterInstancetype
@@ -23,9 +24,12 @@ spec:
     kind: VirtualMachineClusterPreference
     name: {{ . }}
   {{- end }}
+
   dataVolumeTemplates:
   - metadata:
       name: {{ include "virtual-machine.fullname" . }}
+      labels:
+        app.kubernetes.io/instance: {{ .Release.Name }}
     spec:
       storage:
         resources:
@@ -75,21 +79,25 @@ spec:
             deviceName: {{ $gpu.name }}
           {{- end }}
           {{- end }}
+
           disks:
           - disk:
               bus: scsi
             name: systemdisk
-          {{- if or .Values.sshKeys .Values.cloudInit }}
+          {{- if .Values.sshKeys }}
           - disk:
               bus: virtio
             name: cloudinitdisk
           {{- end }}
+
           interfaces:
           - name: default
             bridge: {}
+
         machine:
           type: ""
-      {{- with .Values.sshKeys }}
+
+      {{- if .Values.sshKeys }}
       accessCredentials:
       - sshPublicKey:
           source:
@@ -99,23 +107,37 @@ spec:
             # keys will be injected into metadata part of cloud-init disk
             noCloud: {}
       {{- end }}
+
       terminationGracePeriodSeconds: 30
+
       volumes:
-      - name: systemdisk
-        dataVolume:
-          name: {{ include "virtual-machine.fullname" . }}
-      {{- if or .Values.sshKeys .Values.cloudInit }}
-      - name: cloudinitdisk
-        cloudInitNoCloud:
-        {{- if .Values.cloudInit }}
-          secretRef:
-            name: {{ include "virtual-machine.fullname" . }}-cloud-init
+        - name: systemdisk
+          dataVolume:
+            name: {{ include "virtual-machine.fullname" . }}
+
+        {{- if and .Values.sshKeys .Values.cloudInit }}
+        - name: cloudinitdisk
+          cloudInitNoCloud:
+            secretRef:
+              name: {{ include "virtual-machine.fullname" . }}-cloud-init
+        {{- else if .Values.sshKeys }}
+        - name: cloudinitdisk
+          cloudInitNoCloud:
+            userData: |
+              {{ printf "%s" "#cloud-config" }}
+              ssh_authorized_keys:
+                {{- range .Values.sshKeys }}
+                - {{ . }}
+                {{- end }}
+              chpasswd:
+                expire: false
         {{- else }}
-          userData: |
-            #cloud-config
-            final_message: Cloud-init user-data was left blank intentionally.
+        - name: cloudinitdisk
+          cloudInitNoCloud:
+            userData: |
+              {{ printf "%s" "#cloud-config" }}
         {{- end }}
-      {{- end }}
+
       networks:
       - name: default
         pod: {}

packages/apps/vm-disk/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.1.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/vm-disk/templates/dv.yaml

@@ -7,6 +7,8 @@ metadata:
     cdi.kubevirt.io/storage.bind.immediate.requested: ""
     {{- end }}
     vm-disk.cozystack.io/optical: "{{ .Values.optical }}"
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
   name: {{ .Release.Name }}
 spec:
   {{- if $existingDV }}

packages/apps/vm-disk/templates/workloadmonitor.yaml

@@ -0,0 +1,12 @@
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: 0
+  minReplicas: 0
+  kind: vm-disk
+  type: vm-disk
+  selector:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/vm-instance/Chart.yaml

@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.7.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/vm-instance/templates/dashboard-resourcemap.yaml

@@ -22,5 +22,5 @@ spec:
   kind: virtual-machine
   type: virtual-machine
   selector:
-    {{- include "virtual-machine.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
   version: {{ $.Chart.Version }}

packages/apps/vm-instance/templates/vm.yaml

@@ -94,17 +94,27 @@ spec:
         dataVolume:
           name: vm-disk-{{ .name }}
       {{- end }}
-      {{- if or .Values.sshKeys .Values.cloudInit }}
+      {{- if and .Values.sshKeys .Values.cloudInit }}
       - name: cloudinitdisk
         cloudInitNoCloud:
-        {{- if .Values.cloudInit }}
           secretRef:
             name: {{ include "virtual-machine.fullname" . }}-cloud-init
-        {{- else }}
+      {{- else if .Values.sshKeys }}
+      - name: cloudinitdisk
+        cloudInitNoCloud:
           userData: |
-            #cloud-config
-            final_message: Cloud-init user-data was left blank intentionally.
-        {{- end }}
+            {{ printf "%s" "#cloud-config" }}
+            ssh_authorized_keys:
+              {{- range .Values.sshKeys }}
+              - {{ . }}
+              {{- end }}
+            chpasswd:
+              expire: false
+      {{- else }}
+      - name: cloudinitdisk
+        cloudInitNoCloud:
+          userData: |
+            {{ printf "%s" "#cloud-config" }}
       {{- end }}
       networks:
       - name: default

packages/apps/vpn/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/vpn/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/vpn/templates/deployment.yaml

@@ -14,6 +14,7 @@ spec:
       labels:
         app: {{ .Release.Name }}-vpn
         name: {{ .Release.Name }}-vpn
+        app.kubernetes.io/instance: {{ .Release.Name }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
     spec:
@@ -43,9 +44,9 @@ spec:
         - name: outline-vpn
           image: quay.io/outline/shadowbox:stable
           {{- if .Values.resources }}
-          resources: {{- toYaml .Values.resources | nindent 10 }}
+          resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 12 }}
           {{- else if ne .Values.resourcesPreset "none" }}
-          resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 10 }}
+          resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 12 }}
           {{- end }}
           ports:
             - containerPort: 40000

packages/apps/vpn/templates/service.yaml

@@ -5,6 +5,7 @@ metadata:
   name: {{ .Release.Name }}-vpn
   labels:
     app: {{ .Release.Name }}-vpn
+    app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
   {{- if .Values.externalIPs }}
   externalIPs:

packages/apps/vpn/templates/workloadmonitor.yaml

@@ -0,0 +1,12 @@
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: vpn
+  type: vpn
+  selector:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  version: {{ $.Chart.Version }}

packages/core/installer/hack/gen-profiles.sh

@@ -32,17 +32,36 @@ done
 
 for profile in $PROFILES; do
   echo "writing profile images/talos/profiles/$profile.yaml"
-  if [ "$profile" = "nocloud" ] || [ "$profile" = "metal" ]; then
-    image_options="{ diskSize: 1306525696, diskFormat: raw }"
-    out_format=".xz"
-    platform="$profile"
-    kind="image"
-  else
-    image_options="{}"
-    out_format="raw"
-    platform="metal"
-    kind="$profile"
-  fi
+  case "$profile" in
+    initramfs|kernel|iso)
+      image_options="{}"
+      out_format="raw"
+      platform="metal"
+      kind="$profile"
+      ;;
+    installer)
+      image_options="{}"
+      out_format="raw"
+      platform="metal"
+      kind="installer"
+      ;;
+    metal)
+      image_options="{ diskSize: 1306525696, diskFormat: raw }"
+      out_format=".xz"
+      platform="metal"
+      kind="image"
+      ;;
+    nocloud)
+      image_options="{ diskSize: 1306525696, diskFormat: raw }"
+      out_format=".xz"
+      platform="nocloud"
+      kind="image"
+      ;;
+    *)
+      echo "Unknown profile: $profile" >&2
+      exit 1
+      ;;
+  esac
 
   cat > images/talos/profiles/$profile.yaml <<EOT
 # this file generated by hack/gen-profiles.sh
@@ -57,12 +76,10 @@ input:
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:${TALOS_VERSION}
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:${AMD_UCODE_VERSION}
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:${AMDGPU_FIRMWARE_VERSION}
     - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:${BNX2_BNX2X_VERSION}
-    - imageRef: ghcr.io/siderolabs/i915-ucode:${I915_UCODE_VERSION}
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:${INTEL_ICE_FIRMWARE_VERSION}
     - imageRef: ghcr.io/siderolabs/intel-ucode:${INTEL_UCODE_VERSION}
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:${QLOGIC_FIRMWARE_VERSION}

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,22 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.10.1
+version: v1.10.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.10.1
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,22 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.10.1
+version: v1.10.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.10.1
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,22 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.10.1
+version: v1.10.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.10.1
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,22 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.10.1
+version: v1.10.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.10.1
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,24 +3,22 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.10.1
+version: v1.10.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.10.1
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,24 +3,22 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.10.1
+version: v1.10.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.10.1
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.31.0-rc.3@sha256:5fc6b88de670878b66f2b5bf381b89b68253ab3e69ff1cb7359470bc65beb3fa
+  image: ghcr.io/cozystack/cozystack/installer:v0.32.0-beta.1@sha256:57e449187e4f76c3346de7646b4fe11c7136e63216b05ebd7171f8fd5cb077d2

packages/core/platform/bundles/distro-full.yaml

@@ -1,4 +1,5 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 
 releases:
 - name: fluxcd-operator
@@ -13,6 +14,11 @@ releases:
   chart: cozy-fluxcd
   namespace: cozy-fluxcd
   dependsOn: [fluxcd-operator,cilium]
+  values:
+    flux-instance:
+      instance:
+        cluster:
+          domain: {{ $clusterDomain }}
 
 - name: cilium
   releaseName: cilium
@@ -121,6 +127,9 @@ releases:
   namespace: cozy-mariadb-operator
   optional: true
   dependsOn: [cilium,cert-manager,victoria-metrics-operator]
+  values:
+    mariadb-operator:
+      clusterName: {{ $clusterDomain }}
 
 - name: postgres-operator
   releaseName: postgres-operator
@@ -135,6 +144,9 @@ releases:
   namespace: cozy-kafka-operator
   optional: true
   dependsOn: [cilium,victoria-metrics-operator]
+  values:
+    strimzi-kafka-operator:
+      kubernetesServiceDnsDomain: {{ $clusterDomain }}
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator

packages/core/platform/bundles/distro-hosted.yaml

@@ -1,4 +1,5 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 
 releases:
 - name: fluxcd-operator
@@ -13,6 +14,11 @@ releases:
   chart: cozy-fluxcd
   namespace: cozy-fluxcd
   dependsOn: [fluxcd-operator]
+  values:
+    flux-instance:
+      instance:
+        cluster:
+          domain: {{ $clusterDomain }}
 
 - name: cert-manager-crds
   releaseName: cert-manager-crds
@@ -83,6 +89,9 @@ releases:
   namespace: cozy-mariadb-operator
   optional: true
   dependsOn: [victoria-metrics-operator]
+  values:
+    mariadb-operator:
+      clusterName: {{ $clusterDomain }}
 
 - name: postgres-operator
   releaseName: postgres-operator
@@ -97,6 +106,9 @@ releases:
   namespace: cozy-kafka-operator
   optional: true
   dependsOn: [victoria-metrics-operator]
+  values:
+    strimzi-kafka-operator:
+      kubernetesServiceDnsDomain: {{ $clusterDomain }}
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator

packages/core/platform/bundles/paas-full.yaml

@@ -1,4 +1,5 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 {{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
 {{- $host := index $cozyConfig.data "root-host" }}
 {{- if not $host }}
@@ -22,6 +23,11 @@ releases:
   chart: cozy-fluxcd
   namespace: cozy-fluxcd
   dependsOn: [fluxcd-operator,cilium,kubeovn]
+  values:
+    flux-instance:
+      instance:
+        cluster:
+          domain: {{ $clusterDomain }}
 
 - name: cilium
   releaseName: cilium
@@ -193,6 +199,9 @@ releases:
   chart: cozy-mariadb-operator
   namespace: cozy-mariadb-operator
   dependsOn: [cilium,kubeovn,cert-manager,victoria-metrics-operator]
+  values:
+    mariadb-operator:
+      clusterName: {{ $clusterDomain }}
 
 - name: postgres-operator
   releaseName: postgres-operator
@@ -205,6 +214,9 @@ releases:
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
   dependsOn: [cilium,kubeovn,victoria-metrics-operator]
+  values:
+    strimzi-kafka-operator:
+      kubernetesServiceDnsDomain: {{ $clusterDomain }}
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
@@ -284,9 +296,30 @@ releases:
   privileged: true
   dependsOn: [cilium,kubeovn,cert-manager]
 
-- name: capi-providers
-  releaseName: capi-providers
-  chart: cozy-capi-providers
+- name: capi-providers-bootstrap
+  releaseName: capi-providers-bootstrap
+  chart: cozy-capi-providers-bootstrap
+  namespace: cozy-cluster-api
+  privileged: true
+  dependsOn: [cilium,kubeovn,capi-operator]
+
+- name: capi-providers-core
+  releaseName: capi-providers-core
+  chart: cozy-capi-providers-core
+  namespace: cozy-cluster-api
+  privileged: true
+  dependsOn: [cilium,kubeovn,capi-operator]
+
+- name: capi-providers-cpprovider
+  releaseName: capi-providers-cpprovider
+  chart: cozy-capi-providers-cpprovider
+  namespace: cozy-cluster-api
+  privileged: true
+  dependsOn: [cilium,kubeovn,capi-operator]
+
+- name: capi-providers-infraprovider
+  releaseName: capi-providers-infraprovider
+  chart: cozy-capi-providers-infraprovider
   namespace: cozy-cluster-api
   privileged: true
   dependsOn: [cilium,kubeovn,capi-operator]
@@ -349,6 +382,11 @@ releases:
   namespace: cozy-vertical-pod-autoscaler
   privileged: true
   dependsOn: [monitoring-agents]
+  values:
+    vertical-pod-autoscaler:
+      recommender:
+        extraArgs:
+          prometheus-address: http://vmselect-shortterm.tenant-root.svc.{{ $clusterDomain }}:8481/select/0/prometheus/
 
 - name: vertical-pod-autoscaler-crds
   releaseName: vertical-pod-autoscaler-crds

packages/core/platform/bundles/paas-hosted.yaml

@@ -1,4 +1,5 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 {{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
 {{- $host := index $cozyConfig.data "root-host" }}
 {{- if not $host }}
@@ -22,6 +23,11 @@ releases:
   chart: cozy-fluxcd
   namespace: cozy-fluxcd
   dependsOn: [fluxcd-operator]
+  values:
+    flux-instance:
+      instance:
+        cluster:
+          domain: {{ $clusterDomain }}
 
 - name: cert-manager-crds
   releaseName: cert-manager-crds
@@ -92,6 +98,9 @@ releases:
   chart: cozy-mariadb-operator
   namespace: cozy-mariadb-operator
   dependsOn: [cert-manager,victoria-metrics-operator]
+  values:
+    mariadb-operator:
+      clusterName: {{ $clusterDomain }}
 
 - name: postgres-operator
   releaseName: postgres-operator
@@ -104,6 +113,9 @@ releases:
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
   dependsOn: [victoria-metrics-operator]
+  values:
+    strimzi-kafka-operator:
+      kubernetesServiceDnsDomain: {{ $clusterDomain }}
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
@@ -129,6 +141,12 @@ releases:
   namespace: cozy-linstor
   dependsOn: [cert-manager]
 
+- name: objectstorage-controller
+  releaseName: objectstorage-controller
+  chart: cozy-objectstorage-controller
+  namespace: cozy-objectstorage-controller
+  dependsOn: []
+
 - name: telepresence
   releaseName: traffic-manager
   chart: cozy-telepresence
@@ -141,7 +159,7 @@ releases:
   chart: cozy-external-dns
   namespace: cozy-external-dns
   optional: true
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: external-secrets-operator
   releaseName: external-secrets-operator
@@ -200,10 +218,15 @@ releases:
   namespace: cozy-vertical-pod-autoscaler
   privileged: true
   dependsOn: [monitoring-agents]
+  values:
+    vertical-pod-autoscaler:
+      recommender:
+        extraArgs:
+          prometheus-address: http://vmselect-shortterm.tenant-root.svc.{{ $clusterDomain }}:8481/select/0/prometheus/
 
 - name: vertical-pod-autoscaler-crds
   releaseName: vertical-pod-autoscaler-crds
   chart: cozy-vertical-pod-autoscaler-crds
   namespace: cozy-vertical-pod-autoscaler
   privileged: true
-  dependsOn: [cilium, kubeovn]
+  dependsOn: []

packages/core/platform/templates/_helpers.tpl

@@ -69,4 +69,10 @@ kubeapps:
       .appview-first-row section[aria-labelledby="access-urls-title"] {
         width: 100%;
       }
+      .header-version {
+        display: none;
+      }
+      .label.label-info-secondary {
+        display: none;
+      }
 {{- end }}

packages/core/testing/Makefile

@@ -33,7 +33,9 @@ image-e2e-sandbox:
 test: test-cluster test-apps ## Run the end-to-end tests in existing sandbox
 
 test-cluster: ## Run the end-to-end for creating a cluster
-	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && export COZYSTACK_INSTALLER_YAML=$$(helm template -n cozy-system installer ./packages/core/installer) && hack/cozytest.sh hack/e2e-cluster.bats'
+	docker cp ../../../_out/assets/cozystack-installer.yaml "${SANDBOX_NAME}":/workspace/_out/assets/cozystack-installer.yaml
+	docker cp ../../../_out/assets/nocloud-amd64.raw.xz "${SANDBOX_NAME}":/workspace/_out/assets/nocloud-amd64.raw.xz
+	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-cluster.bats'
 
 test-apps: ## Run the end-to-end tests for apps
 	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-apps.bats'

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.31.0-rc.3@sha256:8de0a8900994cb55f74ba25d265eeecac9958b07cdb8f86b9284b9f23668d2bb
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.32.0-beta.1@sha256:bf067b3bb24b918d9840cadae26c112ee5d16a93d5f9b2e47af758a49d432040

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.31.0-rc.3@sha256:8b65a160333830bf4711246ae78f26095e3b33667440bf1bbdd36db60a7f92e2
+ghcr.io/cozystack/cozystack/matchbox:v0.32.0-beta.1@sha256:5a447d0533e2191b02c8f1cb8726641f291cabc8bf4d0ea90694fb6f594e0800

packages/extra/monitoring/images/grafana.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/grafana:1.9.2@sha256:24382d445bf7a39ed988ef4dc7a0d9f084db891fcb5f42fd2e64622710b9457e
+ghcr.io/cozystack/cozystack/grafana:1.10.0@sha256:c63978e1ed0304e8518b31ddee56c4e8115541b997d8efbe1c0a74da57140399

packages/library/cozy-lib/Chart.yaml

@@ -15,4 +15,4 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0