Introduce new OpenAPI schema generator

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.github/workflows/pre-commit.yml

@@ -2,7 +2,7 @@ name: Pre-Commit Checks
 
 on:
   pull_request:
-    types: [labeled, opened, synchronize, reopened]
+    types: [opened, synchronize, reopened]
 
 concurrency:
   group: pre-commit-${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -28,16 +28,8 @@ jobs:
 
       - name: Install generate
         run: |
-          sudo apt update
+          curl -sSL https://github.com/cozystack/readme-generator-for-helm/releases/download/v1.0.0/readme-generator-for-helm-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ readme-generator-for-helm
-          sudo apt install curl -y
+          curl -sSL https://github.com/cozystack/cozyvalues-gen/releases/download/v0.5.0/cozyvalues-gen-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ cozyvalues-gen
-          sudo apt install nodejs -y
-          sudo apt install npm -y
-
-          git clone --branch 2.7.0 --depth 1 https://github.com/bitnami/readme-generator-for-helm.git
-          cd ./readme-generator-for-helm
-          npm install
-          npm install -g @yao-pkg/pkg
-          pkg . -o /usr/local/bin/readme-generator
 
       - name: Run pre-commit hooks
         run: |

.github/workflows/pull-requests-release.yaml

@@ -3,6 +3,8 @@ name: "Releasing PR"
 on:
   pull_request:
     types: [closed]
+    paths-ignore:
+      - 'docs/**/*'
 
 # Cancel in‑flight runs for the same PR when a new push arrives.
 concurrency:

.github/workflows/pull-requests.yaml

@@ -2,7 +2,9 @@ name: Pull Request
 
 on:
   pull_request:
-    types: [labeled, opened, synchronize, reopened]
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+      - 'docs/**/*'
 
 # Cancel in‑flight runs for the same PR when a new push arrives.
 concurrency:
@@ -44,6 +46,17 @@ jobs:
 
       - name: Build Talos image
         run: make -C packages/core/installer talos-nocloud
+
+      - name: Save git diff as patch
+        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
+        run: git diff HEAD > _out/assets/pr.patch
+
+      - name: Upload git diff patch
+        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr-patch
+          path: _out/assets/pr.patch
      
       - name: Upload installer
         uses: actions/upload-artifact@v4
@@ -126,6 +139,10 @@ jobs:
     if: ${{ always() && (needs.build.result == 'success' || needs.resolve_assets.result == 'success') }}
 
     steps:
+      # ▸ Checkout and prepare the codebase
+      - name: Checkout code
+        uses: actions/checkout@v4
+
       # ▸ Regular PR path – download artefacts produced by the *build* job
       - name: "Download Talos image (regular PR)"
         if: "!contains(github.event.pull_request.labels.*.name, 'release')"
@@ -134,38 +151,51 @@ jobs:
           name: talos-image
           path: _out/assets
 
+      - name: Download PR patch
+        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
+        uses: actions/download-artifact@v4
+        with:
+          name: pr-patch
+          path: _out/assets
+
+      - name: Apply patch
+        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
+        run: |
+          git apply _out/assets/pr.patch
 
       # ▸ Release PR path – fetch artefacts from the corresponding draft release
       - name: Download assets from draft release (release PR)
         if: contains(github.event.pull_request.labels.*.name, 'release')
         run: |
+          mkdir -p _out/assets
           curl -sSL -H "Authorization: token ${GH_PAT}" -H "Accept: application/octet-stream" \
             -o _out/assets/nocloud-amd64.raw.xz \
             "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ needs.resolve_assets.outputs.disk_id }}"
         env:
           GH_PAT: ${{ secrets.GH_PAT }}
 
-      # ▸ Start actual job steps
       - name: Set sandbox ID
         run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
 
+      # ▸ Start actual job steps
       - name: Prepare workspace
         run: |
-          cd ..
           rm -rf /tmp/$SANDBOX_NAME
-          cp -r cozystack /tmp/$SANDBOX_NAME
+          cp -r ${{ github.workspace }} /tmp/$SANDBOX_NAME
-          sudo systemctl stop "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
+
-          sudo systemctl reset-failed "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
-          sudo systemctl daemon-reexec
-          sudo systemd-run \
-            --on-calendar="$(date -d 'now + 24 hours' '+%Y-%m-%d %H:%M:%S')" \
-            --unit=rm-workspace-$SANDBOX_NAME \
-            rm -rf /tmp/$SANDBOX_NAME
-            
       - name: Prepare environment
         run: |
           cd /tmp/$SANDBOX_NAME
-          make SANDBOX_NAME=$SANDBOX_NAME prepare-env
+          attempt=0
+          until make SANDBOX_NAME=$SANDBOX_NAME prepare-env; do
+            attempt=$((attempt + 1))
+            if [ $attempt -ge 3 ]; then
+              echo "❌ Attempt $attempt failed, exiting..."
+              exit 1
+            fi
+            echo "❌ Attempt $attempt failed, retrying..."
+          done
+          echo "✅ The task completed successfully after $attempt attempts"
 
   install_cozystack:
     name: "Install Cozystack"
@@ -192,6 +222,7 @@ jobs:
       - name: Download assets from draft release (release PR)
         if: contains(github.event.pull_request.labels.*.name, 'release')
         run: |
+          mkdir -p _out/assets
           curl -sSL -H "Authorization: token ${GH_PAT}" -H "Accept: application/octet-stream" \
             -o _out/assets/cozystack-installer.yaml \
             "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ needs.resolve_assets.outputs.installer_id }}"
@@ -202,10 +233,24 @@ jobs:
       - name: Set sandbox ID
         run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
 
+      - name: Sync _out/assets directory
+        run: |
+          mkdir -p /tmp/$SANDBOX_NAME/_out/assets
+          mv _out/assets/* /tmp/$SANDBOX_NAME/_out/assets/
+
       - name: Install Cozystack into sandbox
         run: |
           cd /tmp/$SANDBOX_NAME
-          make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME install-cozystack
+          attempt=0
+          until make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME install-cozystack; do
+            attempt=$((attempt + 1))
+            if [ $attempt -ge 3 ]; then
+              echo "❌ Attempt $attempt failed, exiting..."
+              exit 1
+            fi
+            echo "❌ Attempt $attempt failed, retrying..."
+          done
+          echo "✅ The task completed successfully after $attempt attempts."
 
   detect_test_matrix:
     name: "Detect e2e test matrix"
@@ -236,12 +281,55 @@ jobs:
       - name: E2E Apps
         run: |
           cd /tmp/$SANDBOX_NAME
-          make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME test-apps-${{ matrix.app }}
+          attempt=0
+          until make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME test-apps-${{ matrix.app }}; do
+            attempt=$((attempt + 1))
+            if [ $attempt -ge 3 ]; then
+              echo "❌ Attempt $attempt failed, exiting..."
+              exit 1
+            fi
+            echo "❌ Attempt $attempt failed, retrying..."
+          done
+          echo "✅ The task completed successfully after $attempt attempts"
+
+  collect_debug_information:
+    name: Collect debug information
+    runs-on: [self-hosted]
+    needs: [test_apps]
+    if: ${{ always() }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set sandbox ID
+        run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
+
+      - name: Collect report
+        run: |
+          cd /tmp/$SANDBOX_NAME
+          make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME collect-report
+
+      - name: Upload cozyreport.tgz
+        uses: actions/upload-artifact@v4
+        with:
+          name: cozyreport
+          path: /tmp/${{ env.SANDBOX_NAME }}/_out/cozyreport.tgz
+
+      - name: Collect images list
+        run: |
+          cd /tmp/$SANDBOX_NAME
+          make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME collect-images
+
+      - name: Upload image list
+        uses: actions/upload-artifact@v4
+        with:
+          name: image-list
+          path: /tmp/${{ env.SANDBOX_NAME }}/_out/images.txt
 
   cleanup:
     name: Tear down environment
     runs-on: [self-hosted]
-    needs: test_apps
+    needs: [collect_debug_information]
     if: ${{ always() && needs.test_apps.result == 'success' }}
 
     steps:
@@ -260,10 +348,4 @@ jobs:
       - name: Remove workspace
         run: rm -rf /tmp/$SANDBOX_NAME
 
-      - name: Tear down timers
+
-        run: |
-          sudo systemctl stop "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
-          sudo systemctl reset-failed "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
-          sudo systemctl stop "teardown-$SANDBOX_NAME.timer" "teardown-$SANDBOX_NAME.service" 2>/dev/null || true
-          sudo systemctl reset-failed "teardown-$SANDBOX_NAME.timer" "teardown-$SANDBOX_NAME.service" 2>/dev/null || true
-          sudo systemctl daemon-reexec

.github/workflows/tags.yaml

@@ -112,9 +112,13 @@ jobs:
       # Commit built artifacts
       - name: Commit release artifacts
         if: steps.check_release.outputs.skip == 'false'
+        env:
+          GH_PAT: ${{ secrets.GH_PAT }}
         run: |
-          git config user.name  "github-actions"
+          git config user.name  "cozystack-bot"
-          git config user.email "github-actions@github.com"
+          git config user.email "217169706+cozystack-bot@users.noreply.github.com"
+          git remote set-url origin https://cozystack-bot:${GH_PAT}@github.com/${GITHUB_REPOSITORY}
+          git config --unset-all http.https://github.com/.extraheader || true
           git add .
           git commit -m "Prepare release ${GITHUB_REF#refs/tags/}" -s || echo "No changes to commit"
           git push origin HEAD || true
@@ -189,7 +193,12 @@ jobs:
       # Create release-X.Y.Z branch and push (force-update)
       - name: Create release branch
         if: steps.check_release.outputs.skip == 'false'
+        env:
+          GH_PAT: ${{ secrets.GH_PAT }}
         run: |
+          git config user.name  "cozystack-bot"
+          git config user.email "217169706+cozystack-bot@users.noreply.github.com"
+          git remote set-url origin https://cozystack-bot:${GH_PAT}@github.com/${GITHUB_REPOSITORY}
           BRANCH="release-${GITHUB_REF#refs/tags/v}"
           git branch -f "$BRANCH"
           git push -f origin "$BRANCH"
@@ -199,6 +208,7 @@ jobs:
         if: steps.check_release.outputs.skip == 'false'
         uses: actions/github-script@v7
         with:
+          github-token: ${{ secrets.GH_PAT }}
           script: |
             const version = context.ref.replace('refs/tags/v', '');
             const base    = '${{ steps.get_base.outputs.branch }}';

.pre-commit-config.yaml

@@ -11,14 +11,14 @@ repos:
     - id: run-make-generate
       name: Run 'make generate' in all app directories
       entry: |
-        /bin/bash -c '
+        flock -x .git/pre-commit.lock sh -c '
-          for dir in ./packages/apps/*/; do
+          for dir in ./packages/apps/*/ ./packages/extra/*/ ./packages/system/cozystack-api/; do
             if [ -d "$dir" ]; then
               echo "Running make generate in $dir"
-              (cd "$dir" && make generate)
+              make generate -C "$dir" || exit $?
             fi
           done
           git diff --color=always | cat
         '
-      language: script
+      language: system
       files: ^.*$

docs/changelogs/template.md

@@ -0,0 +1,11 @@
+## Major Features and Improvements
+
+## Security
+
+## Fixes
+
+## Dependencies
+
+## Documentation
+
+## Development, Testing, and CI/CD

docs/changelogs/v0.31.1.md

@@ -0,0 +1,8 @@
+## Fixes
+
+* [build] Update Talos Linux v1.10.3 and fix assets. (@kvaps in https://github.com/cozystack/cozystack/pull/1006)
+* [ci] Fix uploading released artifacts to GitHub. (@kvaps in https://github.com/cozystack/cozystack/pull/1009)
+* [ci] Separate build and testing jobs. (@kvaps in https://github.com/cozystack/cozystack/pull/1005)
+* [docs] Write a full release post for v0.31.1. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/999)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.31.0...v0.31.1

docs/changelogs/v0.31.2.md

@@ -0,0 +1,12 @@
+## Security
+
+* Resolve a security problem that allowed a tenant administrator to gain enhanced privileges outside the tenant. (@kvaps in https://github.com/cozystack/cozystack/pull/1062, backported in https://github.com/cozystack/cozystack/pull/1066)
+
+## Fixes
+
+* [platform] Fix dependencies in `distro-full` bundle. (@klinch0 in  https://github.com/cozystack/cozystack/pull/1056, backported in https://github.com/cozystack/cozystack/pull/1064)
+* [platform] Fix RBAC for annotating namespaces. (@kvaps in https://github.com/cozystack/cozystack/pull/1031, backported in https://github.com/cozystack/cozystack/pull/1037)
+* [platform] Reduce system resource consumption by using smaller resource presets for VerticalPodAutoscaler, SeaweedFS, and KubeOVN. (@klinch0 in https://github.com/cozystack/cozystack/pull/1054, backported in https://github.com/cozystack/cozystack/pull/1058)
+* [dashboard] Fix a number of issues in the Cozystack Dashboard (@kvaps in https://github.com/cozystack/cozystack/pull/1042, backported in https://github.com/cozystack/cozystack/pull/1066)
+* [apps] Specify minimal working resource presets. (@kvaps in https://github.com/cozystack/cozystack/pull/1040, backported in https://github.com/cozystack/cozystack/pull/1041)
+* [apps] Update built-in documentation and configuration reference for managed Clickhouse application. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1059, backported in https://github.com/cozystack/cozystack/pull/1065)

docs/changelogs/v0.32.1.md

@@ -0,0 +1,38 @@
+## Major Features and Improvements
+
+* [postgres] Introduce new functionality for backup and restore in PostgreSQL. (@klinch0 in https://github.com/cozystack/cozystack/pull/1086)
+* [apps] Refactor resources in managed applications. (@kvaps in https://github.com/cozystack/cozystack/pull/1106)
+* [system] Make VMAgent's `extraArgs` tunable. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1091)
+
+## Fixes
+
+* [postgres] Escape users and database names. (@kvaps in https://github.com/cozystack/cozystack/pull/1087)
+* [tenant] Fix monitoring agents HelmReleases for tenant clusters. (@klinch0 in https://github.com/cozystack/cozystack/pull/1079)
+* [kubernetes] Wrap cert-manager CRDs in a conditional. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1076)
+* [kubernetes] Remove `useCustomSecretForPatchContainerd` option and enable it by default. (@kvaps in https://github.com/cozystack/cozystack/pull/1104)
+* [apps] Increase default resource presets for Clickhouse and Kafka from `nano` to `small`. Update OpenAPI specs and readme's. (@kvaps in https://github.com/cozystack/cozystack/pull/1103 and https://github.com/cozystack/cozystack/pull/1105)
+* [linstor] Add configurable DRBD network options for connection and timeout settings, replacing scripted logic for detecting devices that lost connection. (@kvaps in https://github.com/cozystack/cozystack/pull/1094)
+
+## Dependencies
+
+* Update cozy-proxy to v0.2.0 (@kvaps in https://github.com/cozystack/cozystack/pull/1081)
+* Update Kafka Operator to 0.45.1-rc1 (@kvaps in https://github.com/cozystack/cozystack/pull/1082 and https://github.com/cozystack/cozystack/pull/1102)
+* Update Flux Operator to 0.23.0 (@kingdonb in https://github.com/cozystack/cozystack/pull/1078)
+
+## Documentation
+
+* [docs] Release notes for v0.32.0 and two beta-versions. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1043)
+
+## Development, Testing, and CI/CD
+
+* [tests] Add Kafka, Redis. (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/1077)
+* [tests] Increase disk space for VMs in tests. (@kvaps in https://github.com/cozystack/cozystack/pull/1097)
+* [tests] Upd Kubernetes v1.33. (@kvaps in https://github.com/cozystack/cozystack/pull/1083)
+* [tests] increase postgres timeouts. (@kvaps in https://github.com/cozystack/cozystack/pull/1108)
+* [tests] don't wait for postgres ro service. (@kvaps in https://github.com/cozystack/cozystack/pull/1109)
+* [ci] Setup systemd timer to tear down sandbox. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1092)
+* [ci] Split testing job into several. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1075)
+* [ci] Run E2E tests as separate parallel jobs. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1093)
+* [ci] Refactor GitHub workflows. (@kvaps in https://github.com/cozystack/cozystack/pull/1107)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.32.0...v0.32.1

docs/changelogs/v0.33.0.md

@@ -0,0 +1,91 @@
+> [!WARNING]
+> A patch release [0.33.2](github.com/cozystack/cozystack/releases/tag/v0.33.2) fixing a regression in 0.33.0 has been released. 
+> It is recommended to skip this version and upgrade to [0.33.2](github.com/cozystack/cozystack/releases/tag/v0.33.2) instead.
+
+## Feature Highlights
+
+### Unified CPU and Memory Allocation Management
+
+Since version 0.31.0, Cozystack introduced a single-point-of-truth configuration variable `cpu-allocation-ratio`,
+making CPU resource requests and limits uniform in Virtual Machines managed by KubeVirt.
+The new release 0.33.0 introduces `memory-allocation-ratio` and expands both variables to all managed applications and tenant resource quotas.
+
+Resource presets also respect the allocation ratios and behave in the same way as explicit resource definitions.
+The new resource definition format is concise and simple for platform users.
+
+```yaml
+# resource definition in the configuration
+resources:
+  cpu: <defined cpu value>
+  memory: <defined memory value>
+```
+
+It results in Kubernetes resource requests and limits, based on defined values and the universal allocation ratios:
+
+```yaml
+# actual requests and limits, provided to the application
+resources:
+  limits:
+    cpu: <defined cpu value>
+    memory: <defined memory value>
+  requests:
+    cpu: <defined cpu value / cpu-allocation-ratio>
+    memory: <defined memory value / memory-allocation-ratio>
+```
+
+When updating from earlier Cozystack versions, resource configuration in managed applications will be automatically migrated to the new format.
+
+### Backing up and Restoring Data in Tenant Kubernetes
+
+One of the main features of the release is backup capability for PVCs in tenant Kubernetes clusters.
+It enables platform and tenant administrators to back up and restore data used by services in the tenant clusters.
+
+This new functionality in Cozystack is powered by [Velero](https://velero.io/) and needs an external S3-compatible storage.
+
+## Support for NFS Storage
+
+Cozystack now supports using NFS shared storage with a new optional system module.
+See the documentation: https://cozystack.io/docs/operations/storage/nfs/.
+
+## Features and Improvements
+
+* [kubernetes] Enable PVC backups in tenant Kubernetes clusters, powered by [Velero](https://velero.io/). (@klinch0 in https://github.com/cozystack/cozystack/pull/1132)
+* [nfs-driver] Enable NFS support by introducing a new optional system module `nfs-driver`.  (@kvaps in https://github.com/cozystack/cozystack/pull/1133)
+* [virtual-machine] Configure CPU sockets available to VMs with the `resources.cpu.sockets` configuration value. (@klinch0 in https://github.com/cozystack/cozystack/pull/1131)
+* [virtual-machine] Add support for using pre-imported "golden image" disks for virtual machines, enabling faster provisioning by referencing existing images instead of downloading via HTTP. (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/1112)
+* [kubernetes] Add an option to expose the Ingress-NGINX controller in tenant Kubernetes cluster via LoadBalancer. New configuration value `exposeMethod` offers a choice of `Proxied` and `LoadBalancer`. (@kvaps in https://github.com/cozystack/cozystack/pull/1114)
+* [apps] When updating from earlier Cozystack versions, automatically migrate to the new resource definition format: from `resources.requests.[cpu,memory]` and `resources.limits.[cpu,memory]` to `resources.[cpu,memory]`. (@kvaps in https://github.com/cozystack/cozystack/pull/1127)
+* [apps] Give examples of new resource definitions in the managed app README's. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1120)
+* [tenant] Respect `cpu-allocation-ratio` in tenant's `resourceQuotas`.(@kvaps in https://github.com/cozystack/cozystack/pull/1119)
+* [cozy-lib] Introduce helper function to calculate Java heap params based on memory requests and limits. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1157)
+
+## Security
+
+* [monitoring] Disable sign up in Alerta. (@klinch0 in https://github.com/cozystack/cozystack/pull/1129)
+
+## Fixes
+
+* [platform] Always set resources for managed apps . (@lllamnyp in https://github.com/cozystack/cozystack/pull/1156)
+* [platform] Remove the memory limit for Keycloak deployment. (@klinch0 in https://github.com/cozystack/cozystack/pull/1122)
+* [kubernetes] Fix a condition in the ingress template for tenant Kubernetes. (@kvaps in https://github.com/cozystack/cozystack/pull/1143)
+* [kubernetes] Fix a deadlock on reattaching a KubeVirt-CSI volume. (@kvaps in https://github.com/cozystack/cozystack/pull/1135)
+* [mysql] MySQL applications with a single replica now correctly create a `LoadBalancer` service. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1113)
+* [etcd] Fix resources and headless services in the etcd application. (@kvaps in https://github.com/cozystack/cozystack/pull/1128)
+* [apps] Enable selecting `resourcePreset` from a drop-down list for all applications by adding enum of allowed values in the config scheme. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1117)
+* [apps] Refactor resource presets provided to managed apps by `cozy-lib`. (@kvaps in https://github.com/cozystack/cozystack/pull/1155)
+* [keycloak] Calculate and pass Java heap parameters explicitly to prevent OOM errors. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1157)
+
+
+## Development, Testing, and CI/CD
+
+* [dx] Introduce cozyreport tool and gather reports in CI. (@kvaps in https://github.com/cozystack/cozystack/pull/1139)
+* [ci] Use Nexus as a pull-through cache for CI. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1124)
+* [ci] Save a list of observed images after each workflow run. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1089)
+* [ci] Skip Cozystack tests on PRs that only change the docs. Don't restart CI when a PR is labeled. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1136)
+* [dx] Fix Makefile variables for `capi-providers`. (@kvaps in https://github.com/cozystack/cozystack/pull/1115)
+* [tests] Introduce self-destructing testing environments. (@kvaps in https://github.com/cozystack/cozystack/pull/1138, https://github.com/cozystack/cozystack/pull/1140, https://github.com/cozystack/cozystack/pull/1141, https://github.com/cozystack/cozystack/pull/1142)
+* [e2e] Retry flaky application tests to improve total test time. (@kvaps in https://github.com/cozystack/cozystack/pull/1123)
+* [maintenance] Add a PR template. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1121)
+
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.32.1...v0.33.0

docs/changelogs/v0.33.1.md

@@ -0,0 +1,3 @@
+## Fixes
+
+* [kubevirt-csi] Fix a regression by updating the role of the CSI controller. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1165)

docs/changelogs/v0.33.2.md

@@ -0,0 +1,19 @@
+## Features and Improvements
+
+* [vm-instance] Enable running [Windows](https://cozystack.io/docs/operations/virtualization/windows/) and [MikroTik RouterOS](https://cozystack.io/docs/operations/virtualization/mikrotik/) in Cozystack. Add `bus` option and always specify `bootOrder` for all disks. (@kvaps in https://github.com/cozystack/cozystack/pull/1168)
+* [cozystack-api] Refactor OpenAPI Schema and support reading it from config. (@kvaps in https://github.com/cozystack/cozystack/pull/1173)
+* [cozystack-api] Enable using singular resource names in Cozystack API. For example, `kubectl get tenant` is now a valid command, in addition to `kubectl get tenants`. (@kvaps in https://github.com/cozystack/cozystack/pull/1169)
+* [postgres] Explain how to back up and restore PostgreSQL using Velero backups. (@klinch0 and @NickVolynkin in https://github.com/cozystack/cozystack/pull/1141)
+
+## Fixes
+
+* [virtual-machine,vm-instance] Adjusted RBAC role to let users read the service associated with the VMs they create. Consequently, users can now see details of the service in the dashboard and therefore read the IP address of the VM. (@klinch0 in https://github.com/cozystack/cozystack/pull/1161)
+* [cozystack-api] Fix an error with `resourceVersion` which resulted in message 'failed to update HelmRelease: helmreleases.helm.toolkit.fluxcd.io "xxx" is invalid...'. (@kvaps in https://github.com/cozystack/cozystack/pull/1170)
+* [cozystack-api] Fix an error in updating lists in Cozystack objects, which resulted in message "Warning: resource ... is missing the kubectl.kubernetes.io/last-applied-configuration annotation". (@kvaps in https://github.com/cozystack/cozystack/pull/1171)
+* [cozystack-api] Disable `startegic-json-patch` support. (@kvaps in https://github.com/cozystack/cozystack/pull/1179)
+* [dashboard] Fix the code for removing dashboard comments which used to mistakenly remove shebang from cloudInit scripts. (@kvaps in https://github.com/cozystack/cozystack/pull/1175).
+* [virtual-machine] Fix cloudInit and sshKeys processing. (@kvaps in https://github.com/cozystack/cozystack/pull/1175 and https://github.com/cozystack/cozystack/commit/da3ee5d0ea9e87529c8adc4fcccffabe8782292e)
+* [applications] Fix a typo in preset resource tables in the built-in documentation of managed applications. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1172)
+* [kubernetes] Enable deleting Velero component from a tenant Kubernetes cluster. (@klinch0 in https://github.com/cozystack/cozystack/pull/1176)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.33.1...v0.33.2

hack/cdi_golden_image_create.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+name="$1"
+url="$2"
+
+if [ -z "$name" ] || [ -z "$url" ]; then
+  echo "Usage: <name> <url>"
+  echo "Example: 'ubuntu' 'https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img'"
+  exit 1
+fi
+
+#### create DV ubuntu source for CDI image cloning
+kubectl create -f - <<EOF
+apiVersion: cdi.kubevirt.io/v1beta1
+kind: DataVolume
+metadata:
+  name: "vm-image-$name"
+  namespace: cozy-public
+  annotations:
+    cdi.kubevirt.io/storage.bind.immediate.requested: "true"
+spec:
+  source:
+    http:
+      url: "$url"
+  storage:
+    resources:
+      requests:
+        storage: 5Gi
+    storageClassName: replicated
+EOF

hack/collect-images.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+for node in 11 12 13; do
+  talosctl -n 192.168.123.${node} -e 192.168.123.${node} images ls >> images.tmp
+  talosctl -n 192.168.123.${node} -e 192.168.123.${node} images --namespace system ls >> images.tmp
+done
+
+while read _ name sha _ ; do echo $sha $name ; done < images.tmp | sort -u > images.txt

hack/cozyreport.sh

@@ -0,0 +1,147 @@
+#!/bin/sh
+REPORT_DATE=$(date +%Y-%m-%d_%H-%M-%S)
+REPORT_NAME=${1:-cozyreport-$REPORT_DATE}
+REPORT_PDIR=$(mktemp -d)
+REPORT_DIR=$REPORT_PDIR/$REPORT_NAME
+
+# -- check dependencies
+command -V kubectl >/dev/null || exit $?
+command -V tar >/dev/null || exit $?
+
+# -- cozystack module
+
+echo "Collecting Cozystack information..."
+mkdir -p $REPORT_DIR/cozystack
+kubectl get deploy -n cozy-system cozystack -o jsonpath='{.spec.template.spec.containers[0].image}' > $REPORT_DIR/cozystack/image.txt 2>&1
+kubectl get cm -n cozy-system --no-headers | awk '$1 ~ /^cozystack/' |
+  while read NAME _; do
+    DIR=$REPORT_DIR/cozystack/configs
+    mkdir -p $DIR
+    kubectl get cm -n cozy-system $NAME -o yaml > $DIR/$NAME.yaml 2>&1
+  done
+
+# -- kubernetes module
+
+echo "Collecting Kubernetes information..."
+mkdir -p $REPORT_DIR/kubernetes
+kubectl version > $REPORT_DIR/kubernetes/version.txt 2>&1
+
+echo "Collecting nodes..."
+kubectl get nodes -o wide > $REPORT_DIR/kubernetes/nodes.txt 2>&1
+kubectl get nodes --no-headers | awk '$2 != "Ready"' |
+  while read NAME _; do
+    DIR=$REPORT_DIR/kubernetes/nodes/$NAME
+    mkdir -p $DIR
+    kubectl get node $NAME -o yaml > $DIR/node.yaml 2>&1
+    kubectl describe node $NAME > $DIR/describe.txt 2>&1
+  done
+
+echo "Collecting namespaces..."
+kubectl get ns -o wide > $REPORT_DIR/kubernetes/namespaces.txt 2>&1
+kubectl get ns --no-headers | awk '$2 != "Active"' |
+  while read NAME _; do
+    DIR=$REPORT_DIR/kubernetes/namespaces/$NAME
+    mkdir -p $DIR
+    kubectl get ns $NAME -o yaml > $DIR/namespace.yaml 2>&1
+    kubectl describe ns $NAME > $DIR/describe.txt 2>&1
+  done
+
+echo "Collecting helmreleases..."
+kubectl get hr -A > $REPORT_DIR/kubernetes/helmreleases.txt 2>&1
+kubectl get hr -A | awk '$4 != "True"' | \
+  while read NAMESPACE NAME _; do
+    DIR=$REPORT_DIR/kubernetes/helmreleases/$NAMESPACE/$NAME
+    mkdir -p $DIR
+    kubectl get hr -n $NAMESPACE $NAME -o yaml > $DIR/hr.yaml 2>&1
+    kubectl describe hr -n $NAMESPACE $NAME > $DIR/describe.txt 2>&1
+  done
+
+echo "Collecting pods..."
+kubectl get pod -A -o wide > $REPORT_DIR/kubernetes/pods.txt 2>&1
+kubectl get pod -A --no-headers | awk '$4 !~ /Running|Succeeded|Completed/' |
+  while read NAMESPACE NAME _ STATE _; do
+    DIR=$REPORT_DIR/kubernetes/pods/$NAMESPACE/$NAME
+    mkdir -p $DIR
+    CONTAINERS=$(kubectl get pod -o jsonpath='{.spec.containers[*].name}' -n $NAMESPACE $NAME)
+    kubectl get pod -n $NAMESPACE $NAME -o yaml > $DIR/pod.yaml 2>&1
+    kubectl describe pod -n $NAMESPACE $NAME > $DIR/describe.txt 2>&1
+    if [ "$STATE" != "Pending" ]; then
+      for CONTAINER in $CONTAINERS; do
+        kubectl logs -n $NAMESPACE $NAME $CONTAINER > $DIR/logs-$CONTAINER.txt 2>&1
+        kubectl logs -n $NAMESPACE $NAME $CONTAINER --previous > $DIR/logs-$CONTAINER-previous.txt 2>&1
+      done
+    fi
+  done
+
+echo "Collecting virtualmachines..."
+kubectl get vm -A > $REPORT_DIR/kubernetes/vms.txt 2>&1
+kubectl get vm -A --no-headers | awk '$5 != "True"' |
+  while read NAMESPACE NAME _; do
+    DIR=$REPORT_DIR/kubernetes/vm/$NAMESPACE/$NAME
+    mkdir -p $DIR
+    kubectl get vm -n $NAMESPACE $NAME -o yaml > $DIR/vm.yaml 2>&1
+    kubectl describe vm -n $NAMESPACE $NAME > $DIR/describe.txt 2>&1
+  done
+
+echo "Collecting virtualmachine instances..."
+kubectl get vmi -A > $REPORT_DIR/kubernetes/vmis.txt 2>&1
+kubectl get vmi -A --no-headers | awk '$4 != "Running"' |
+  while read NAMESPACE NAME _; do
+    DIR=$REPORT_DIR/kubernetes/vmi/$NAMESPACE/$NAME
+    mkdir -p $DIR
+    kubectl get vmi -n $NAMESPACE $NAME -o yaml > $DIR/vmi.yaml 2>&1
+    kubectl describe vmi -n $NAMESPACE $NAME > $DIR/describe.txt 2>&1
+  done
+
+echo "Collecting services..."
+kubectl get svc -A > $REPORT_DIR/kubernetes/services.txt 2>&1
+kubectl get svc -A --no-headers | awk '$4 == "<pending>"' |
+  while read NAMESPACE NAME _; do
+    DIR=$REPORT_DIR/kubernetes/services/$NAMESPACE/$NAME
+    mkdir -p $DIR
+    kubectl get svc -n $NAMESPACE $NAME -o yaml > $DIR/service.yaml 2>&1
+    kubectl describe svc -n $NAMESPACE $NAME > $DIR/describe.txt 2>&1
+  done
+
+echo "Collecting pvcs..."
+kubectl get pvc -A > $REPORT_DIR/kubernetes/pvcs.txt 2>&1
+kubectl get pvc -A | awk '$3 != "Bound"'  |
+  while read NAMESPACE NAME _; do
+    DIR=$REPORT_DIR/kubernetes/pvc/$NAMESPACE/$NAME
+    mkdir -p $DIR
+    kubectl get pvc -n $NAMESPACE $NAME -o yaml > $DIR/pvc.yaml 2>&1
+    kubectl describe pvc -n $NAMESPACE $NAME > $DIR/describe.txt 2>&1
+  done
+
+# -- kamaji module
+
+if kubectl get deploy -n cozy-linstor linstor-controller >/dev/null 2>&1; then
+  echo "Collecting kamaji resources..."
+  DIR=$REPORT_DIR/kamaji
+  mkdir -p $DIR
+  kubectl logs -n cozy-kamaji deployment/kamaji > $DIR/kamaji-controller.log 2>&1
+  kubectl get kamajicontrolplanes.controlplane.cluster.x-k8s.io -A > $DIR/kamajicontrolplanes.txt 2>&1
+  kubectl get kamajicontrolplanes.controlplane.cluster.x-k8s.io -A -o yaml > $DIR/kamajicontrolplanes.yaml 2>&1
+  kubectl get tenantcontrolplanes.kamaji.clastix.io -A > $DIR/tenantcontrolplanes.txt 2>&1
+  kubectl get tenantcontrolplanes.kamaji.clastix.io -A -o yaml > $DIR/tenantcontrolplanes.yaml 2>&1
+fi
+
+# -- linstor module
+
+if kubectl get deploy -n cozy-linstor linstor-controller >/dev/null 2>&1; then
+  echo "Collecting linstor resources..."
+  DIR=$REPORT_DIR/linstor
+  mkdir -p $DIR
+  kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor --no-color n l > $DIR/nodes.txt 2>&1
+  kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor --no-color sp l > $DIR/storage-pools.txt 2>&1
+  kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor --no-color r l > $DIR/resources.txt 2>&1
+fi
+
+# -- finalization
+
+echo "Creating archive..."
+tar -czf $REPORT_NAME.tgz -C $REPORT_PDIR .
+echo "Report created: $REPORT_NAME.tgz"
+
+echo "Cleaning up..."
+rm -rf $REPORT_PDIR

hack/e2e-apps/clickhouse.bats

@@ -2,8 +2,7 @@
 
 @test "Create DB ClickHouse" {
   name='test'
-  kubectl -n tenant-test get clickhouses.apps.cozystack.io $name || 
+  kubectl apply -f- <<EOF
-  kubectl create -f- <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: ClickHouse
 metadata:

hack/e2e-apps/kafka.bats

@@ -2,7 +2,7 @@
 
 @test "Create Kafka" {
   name='test'
-  kubectl create -f- <<EOF
+  kubectl apply -f- <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Kafka
 metadata:

hack/e2e-apps/kubernetes.bats

@@ -1,12 +1,16 @@
 #!/usr/bin/env bats
 
-@test "Create a tenant Kubernetes control plane" {
+run_kubernetes_test() {
-  kubectl -n tenant-test get kuberneteses.apps.cozystack.io test || 
+    local version_expr="$1"
-  kubectl create -f - <<EOF
+    local test_name="$2"
+    local port="$3"
+    local k8s_version=$(yq "$version_expr" packages/apps/kubernetes/files/versions.yaml)
+
+  kubectl apply -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Kubernetes
 metadata:
-  name: test
+  name: "${test_name}"
   namespace: tenant-test
 spec:
   addons:
@@ -61,13 +65,49 @@ spec:
       roles:
       - ingress-nginx
   storageClass: replicated
+  version: "${k8s_version}"
 EOF
+  # Wait for the tenant-test namespace to be active
   kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
-  timeout 10 sh -ec 'until kubectl get kamajicontrolplane -n tenant-test kubernetes-test; do sleep 1; done'
+  
-  kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-test --timeout=4m
+  # Wait for the Kamaji control plane to be created (retry for up to 10 seconds)
-  kubectl wait tcp -n tenant-test kubernetes-test --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
+  timeout 10 sh -ec 'until kubectl get kamajicontrolplane -n tenant-test kubernetes-'"${test_name}"'; do sleep 1; done'
-  kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-test kubernetes-test-cluster-autoscaler kubernetes-test-kccm kubernetes-test-kcsi-controller
+
-  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
+  # Wait for the tenant control plane to be fully created (timeout after 4 minutes)
-  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
+  kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-${test_name} --timeout=4m
-  kubectl -n tenant-test delete kuberneteses.apps.cozystack.io test
+  
+  # Wait for Kubernetes resources to be ready (timeout after 2 minutes)
+  kubectl wait tcp -n tenant-test kubernetes-${test_name} --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
+  
+  # Wait for all required deployments to be available (timeout after 4 minutes)
+  kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-${test_name} kubernetes-${test_name}-cluster-autoscaler kubernetes-${test_name}-kccm kubernetes-${test_name}-kcsi-controller
+  
+  # Wait for the machine deployment to scale to 2 replicas (timeout after 1 minute)
+  kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
+
+  # Get the admin kubeconfig and save it to a file
+  kubectl get secret kubernetes-${test_name}-admin-kubeconfig -ojsonpath='{.data.super-admin\.conf}' -n tenant-test | base64 -d > tenantkubeconfig
+
+  # Update the kubeconfig to use localhost for the API server
+  yq -i ".clusters[0].cluster.server = \"https://localhost:${port}\"" tenantkubeconfig
+
+  # Set up port forwarding to the Kubernetes API server for a 40 second timeout
+  bash -c 'timeout 40s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
+
+  # Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
+  timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
+
+  # Wait for all machine deployment replicas to be ready (timeout after 10 minutes)
+  kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
+
+  # Clean up by deleting the Kubernetes resource
+  kubectl -n tenant-test delete kuberneteses.apps.cozystack.io $test_name
+
+}
+
+@test "Create a tenant Kubernetes control plane with latest version" {
+  run_kubernetes_test 'keys | sort_by(.) | .[-1]' 'test-latest-version' '59991'
+}
+@test "Create a tenant Kubernetes control plane with previous version" {
+  run_kubernetes_test 'keys | sort_by(.) | .[-2]' 'test-previous-version' '59992'
 }

hack/e2e-apps/mysql.bats

@@ -2,8 +2,7 @@
 
 @test "Create DB MySQL" {
   name='test'
-  kubectl -n tenant-test get mysqls.apps.cozystack.io $name || 
+  kubectl apply -f- <<EOF
-  kubectl create -f- <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: MySQL
 metadata:

hack/e2e-apps/postgres.bats

@@ -2,8 +2,7 @@
 
 @test "Create DB PostgreSQL" {
   name='test'
-  kubectl -n tenant-test get postgreses.apps.cozystack.io $name || 
+  kubectl apply -f - <<EOF
-  kubectl create -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Postgres
 metadata:

hack/e2e-apps/redis.bats

@@ -2,7 +2,7 @@
 
 @test "Create Redis" {
   name='test'
-  kubectl create -f- <<EOF
+  kubectl apply -f- <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: Redis
 metadata:

hack/e2e-apps/virtualmachine.bats

@@ -2,8 +2,7 @@
 
 @test "Create a Virtual Machine" {
   name='test'
-  kubectl -n tenant-test get virtualmachines.apps.cozystack.io $name || 
+  kubectl apply -f - <<EOF
-  kubectl create -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: VirtualMachine
 metadata:

hack/e2e-apps/vminstance.bats

@@ -2,8 +2,7 @@
 
 @test "Create a VM Disk" {
   name='test'
-  kubectl -n tenant-test get vmdisks.apps.cozystack.io $name || 
+  kubectl apply -f - <<EOF
-  kubectl create -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: VMDisk
 metadata:
@@ -26,8 +25,7 @@ EOF
 @test "Create a VM Instance" {
   diskName='test'
   name='test'
-  kubectl -n tenant-test get vminstances.apps.cozystack.io $name || 
+  kubectl apply -f - <<EOF
-  kubectl create -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
 kind: VMInstance
 metadata:

hack/e2e-install-cozystack.bats

@@ -1,5 +1,12 @@
 #!/usr/bin/env bats
 
+@test "Required installer assets exist" {
+  if [ ! -f _out/assets/cozystack-installer.yaml ]; then
+    echo "Missing: _out/assets/cozystack-installer.yaml" >&2
+    exit 1
+  fi
+}
+
 @test "Install Cozystack" {
   # Create namespace & configmap required by installer
   kubectl create namespace cozy-system --dry-run=client -o yaml | kubectl apply -f -
@@ -27,7 +34,7 @@
   # Fail the test if any HelmRelease is not Ready
   if kubectl get hr -A | grep -v " True " | grep -v NAME; then
     kubectl get hr -A
-    fail "Some HelmReleases failed to reconcile"
+    echo "Some HelmReleases failed to reconcile" >&2
   fi
 }
 

hack/e2e-prepare-cluster.bats

@@ -4,11 +4,6 @@
 # -----------------------------------------------------------------------------
 
 @test "Required installer assets exist" {
-  if [ ! -f _out/assets/cozystack-installer.yaml ]; then
-    echo "Missing: _out/assets/cozystack-installer.yaml" >&2
-    exit 1
-  fi
-
   if [ ! -f _out/assets/nocloud-amd64.raw.xz ]; then
     echo "Missing: _out/assets/nocloud-amd64.raw.xz" >&2
     exit 1

internal/controller/system_helm_reconciler.go

@@ -54,6 +54,7 @@ func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Reques
 		if !isSystemApp && !isTenantRoot {
 			continue
 		}
+		patchTarget := hr.DeepCopy()
 
 		if hr.Annotations == nil {
 			hr.Annotations = map[string]string{}
@@ -62,13 +63,12 @@ func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Reques
 		if hr.Annotations[digestAnnotation] == digest {
 			continue
 		}
+		patchTarget.Annotations[digestAnnotation] = digest
+		patchTarget.Annotations[forceReconcileKey] = now
+		patchTarget.Annotations[requestedAt] = now
 
 		patch := client.MergeFrom(hr.DeepCopy())
-		hr.Annotations[digestAnnotation] = digest
+		if err := r.Patch(ctx, patchTarget, patch); err != nil {
-		hr.Annotations[forceReconcileKey] = now
-		hr.Annotations[requestedAt] = now
-
-		if err := r.Patch(ctx, &hr, patch); err != nil {
 			log.Error(err, "failed to patch HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
 			continue
 		}

internal/controller/workload_controller.go

@@ -3,6 +3,7 @@ package controller
 import (
 	"context"
 	"strings"
+	"time"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -15,6 +16,10 @@ import (
 	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
 )
 
+const (
+	deletionRequeueDelay = 30 * time.Second
+)
+
 // WorkloadMonitorReconciler reconciles a WorkloadMonitor object
 type WorkloadReconciler struct {
 	client.Client
@@ -52,6 +57,9 @@ func (r *WorkloadReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 
 	// found object, nothing to do
 	if err == nil {
+		if !t.GetDeletionTimestamp().IsZero() {
+			return ctrl.Result{RequeueAfter: deletionRequeueDelay}, nil
+		}
 		return ctrl.Result{}, nil
 	}
 

packages/apps/bucket/Makefile

@@ -1,4 +1,4 @@
 include ../../../scripts/package.mk
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md

packages/apps/bucket/values.schema.json

@@ -1,5 +1,5 @@
 {
+    "properties": {},
     "title": "Chart Values",
-    "type": "object",
+    "type": "object"
-    "properties": {}
 }

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.1
+version: 0.11.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/Makefile

@@ -1,11 +1,12 @@
 CLICKHOUSE_BACKUP_TAG = $(shell awk '$$0 ~ /^version:/ {print $$2}' Chart.yaml)
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
 
 image:
 	docker buildx build images/clickhouse-backup \

packages/apps/clickhouse/README.md

@@ -1,18 +1,19 @@
-# Managed Clickhouse Service
+# Managed ClickHouse Service
 
 ClickHouse is an open source high-performance and column-oriented SQL database management system (DBMS).
 It is used for online analytical processing (OLAP).
-Cozystack platform uses Altinity operator to provide ClickHouse.
 
-### How to restore backup:
+### How to restore backup from S3
 
-1. Find a snapshot:
+1.  Find the snapshot:
-    ```
+
+    ```bash
     restic -r s3:s3.example.org/clickhouse-backups/table_name snapshots
     ```
 
 2.  Restore it:
-    ```
+
+    ```bash
     restic -r s3:s3.example.org/clickhouse-backups/table_name restore latest --target /tmp/
     ```
 
@@ -22,49 +23,58 @@ For more details, read [Restic: Effective Backup from Stdin](https://blog.aenix.
 
 ### Common parameters
 
-| Name             | Description                                              | Value  |
+| Name              | Description                                                                                                                             | Value   |
-| ---------------- | -------------------------------------------------------- | ------ |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `size`           | Size of Persistent Volume for data                       | `10Gi` |
+| `replicas`        | Number of Clickhouse replicas                                                                                                           | `2`     |
-| `logStorageSize` | Size of Persistent Volume for logs                       | `2Gi`  |
+| `shards`          | Number of Clickhouse shards                                                                                                             | `1`     |
-| `shards`         | Number of Clickhouse shards                              | `1`    |
+| `resources`       | Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `replicas`       | Number of Clickhouse replicas                            | `2`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.             | `small` |
-| `storageClass`   | StorageClass used to store the data                      | `""`   |
+| `size`            | Persistent Volume Claim size, available for application data                                                                            | `10Gi`  |
-| `logTTL`         | TTL (expiration time) for query_log and query_thread_log | `15`   |
+| `storageClass`    | StorageClass used to store the application data                                                                                         | `""`    |
 
-### Configuration parameters
+### Application-specific parameters
 
-| Name    | Description         | Value |
+| Name             | Description                                              | Value |
-| ------- | ------------------- | ----- |
+| ---------------- | -------------------------------------------------------- | ----- |
-| `users` | Users configuration | `{}`  |
+| `logStorageSize` | Size of Persistent Volume for logs                       | `2Gi` |
+| `logTTL`         | TTL (expiration time) for query_log and query_thread_log | `15`  |
+| `users`          | Users configuration                                      | `{}`  |
 
 ### Backup parameters
 
-| Name                     | Description                                                                 | Value                                                  |
+| Name                     | Description                                    | Value                                                  |
-| ------------------------ | --------------------------------------------------------------------------- | ------------------------------------------------------ |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable periodic backups                                                     | `false`                                                |
+| `backup.enabled`         | Enable periodic backups                        | `false`                                                |
-| `backup.s3Region`        | AWS S3 region where backups are stored                                      | `us-east-1`                                            |
+| `backup.s3Region`        | AWS S3 region where backups are stored         | `us-east-1`                                            |
-| `backup.s3Bucket`        | S3 bucket used for storing backups                                          | `s3.example.org/clickhouse-backups`                    |
+| `backup.s3Bucket`        | S3 bucket used for storing backups             | `s3.example.org/clickhouse-backups`                    |
-| `backup.schedule`        | Cron schedule for automated backups                                         | `0 2 * * *`                                            |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups                              | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | Access key for S3, used for authentication                                  | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication     | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | Secret key for S3, used for authentication                                  | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication     | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | Password for Restic backup encryption                                       | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+| `backup.resticPassword`  | Password for Restic backup encryption          | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Explicit CPU/memory resource requests and limits for the Clickhouse service | `{}`                                                   |
-| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly.       | `small`                                                |
 
+## Parameter examples and reference
 
-In production environments, it's recommended to set `resources` explicitly.
+### resources and resourcesPreset
-Example of `resources`:
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
 
 ```yaml
 resources:
-  limits:
+  cpu: 4000m
-    cpu: 4000m
+  memory: 4Gi
-    memory: 4Gi
-  requests:
-    cpu: 100m
-    memory: 512Mi
 ```
 
-Allowed values for `resourcesPreset` are `none`, `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
+`resourcesPreset` sets named CPU and memory configurations for each replica.
-This value is ignored if `resources` value is set. 
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `250m` | `128Mi` |
+| `micro`     | `500m` | `256Mi` |
+| `small`     | `1`    | `512Mi` |
+| `medium`    | `1`    | `1Gi`   |
+| `large`     | `2`    | `2Gi`   |
+| `xlarge`    | `4`    | `4Gi`   |
+| `2xlarge`   | `8`    | `8Gi`   |

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/clickhouse-backup:0.10.1@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
+ghcr.io/cozystack/cozystack/clickhouse-backup:0.11.1@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -132,11 +132,7 @@ spec:
           containers:
             - name: clickhouse
               image: clickhouse/clickhouse-server:24.9.2.42
-              {{- if .Values.resources }}
+              resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 16 }}
-              resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 16 }}
-              {{- else if ne .Values.resourcesPreset "none" }}
-              resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 16 }}
-              {{- end }}
               volumeMounts:
                 - name: data-volume-template
                   mountPath: /var/lib/clickhouse

packages/apps/clickhouse/values.schema.json

@@ -1,93 +1,75 @@
 {
-    "title": "Chart Values",
-    "type": "object",
     "properties": {
-        "size": {
-            "type": "string",
-            "description": "Size of Persistent Volume for data",
-            "default": "10Gi"
-        },
-        "logStorageSize": {
-            "type": "string",
-            "description": "Size of Persistent Volume for logs",
-            "default": "2Gi"
-        },
-        "shards": {
-            "type": "number",
-            "description": "Number of Clickhouse shards",
-            "default": 1
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of Clickhouse replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "logTTL": {
-            "type": "number",
-            "description": "TTL (expiration time) for query_log and query_thread_log",
-            "default": 15
-        },
         "backup": {
-            "type": "object",
             "properties": {
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable periodic backups",
-                    "default": false
-                },
-                "s3Region": {
-                    "type": "string",
-                    "description": "AWS S3 region where backups are stored",
-                    "default": "us-east-1"
-                },
-                "s3Bucket": {
-                    "type": "string",
-                    "description": "S3 bucket used for storing backups",
-                    "default": "s3.example.org/clickhouse-backups"
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
-                },
                 "cleanupStrategy": {
-                    "type": "string",
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m",
                     "description": "Retention strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                    "type": "string"
                 },
-                "s3AccessKey": {
+                "enabled": {
-                    "type": "string",
+                    "default": false,
-                    "description": "Access key for S3, used for authentication",
+                    "description": "Enable periodic backups",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                    "type": "boolean"
-                },
-                "s3SecretKey": {
-                    "type": "string",
-                    "description": "Secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
                 },
                 "resticPassword": {
-                    "type": "string",
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0",
                     "description": "Password for Restic backup encryption",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                    "type": "string"
+                },
+                "s3AccessKey": {
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
+                    "description": "Access key for S3, used for authentication",
+                    "type": "string"
+                },
+                "s3Bucket": {
+                    "default": "s3.example.org/clickhouse-backups",
+                    "description": "S3 bucket used for storing backups",
+                    "type": "string"
+                },
+                "s3Region": {
+                    "default": "us-east-1",
+                    "description": "AWS S3 region where backups are stored",
+                    "type": "string"
+                },
+                "s3SecretKey": {
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
+                    "description": "Secret key for S3, used for authentication",
+                    "type": "string"
+                },
+                "schedule": {
+                    "default": "0 2 * * *",
+                    "description": "Cron schedule for automated backups",
+                    "type": "string"
                 }
-            }
+            },
+            "type": "object"
+        },
+        "logStorageSize": {
+            "default": "2Gi",
+            "description": "Size of Persistent Volume for logs",
+            "type": "string"
+        },
+        "logTTL": {
+            "default": 15,
+            "description": "TTL (expiration time) for query_log and query_thread_log",
+            "type": "number"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of Clickhouse replicas",
+            "type": "number"
         },
         "resources": {
-            "type": "object",
+            "default": {},
-            "description": "Explicit CPU/memory resource requests and limits for the Clickhouse service",
+            "description": "Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
         },
         "resourcesPreset": {
-            "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly.",
             "default": "small",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
             "enum": [
-                "none",
                 "nano",
                 "micro",
                 "small",
@@ -96,6 +78,23 @@
                 "xlarge",
                 "2xlarge"
             ]
+        },
+        "shards": {
+            "default": 1,
+            "description": "Number of Clickhouse shards",
+            "type": "number"
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume Claim size, available for application data",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the application data",
+            "type": "string"
         }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }

packages/apps/clickhouse/values.yaml

@@ -1,21 +1,29 @@
 ## @section Common parameters
-
-## @param size Size of Persistent Volume for data
-## @param logStorageSize Size of Persistent Volume for logs
-## @param shards Number of Clickhouse shards
-## @param replicas Number of Clickhouse replicas
-## @param storageClass StorageClass used to store the data
-## @param logTTL TTL (expiration time) for query_log and query_thread_log
 ##
-size: 10Gi
+## @param replicas Number of Clickhouse replicas
-logStorageSize: 2Gi
-shards: 1
 replicas: 2
+## @param shards Number of Clickhouse shards
+shards: 1
+## @param resources Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+#  resources:
+#    cpu: 4000m
+#    memory: 4Gi
+
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "small"
+## @param size Persistent Volume Claim size, available for application data
+size: 10Gi
+## @param storageClass StorageClass used to store the application data
 storageClass: ""
+
+
+## @section Application-specific parameters
+##
+## @param logStorageSize Size of Persistent Volume for logs
+logStorageSize: 2Gi
+## @param logTTL TTL (expiration time) for query_log and query_thread_log
 logTTL: 15
-
-## @section Configuration parameters
-
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -27,6 +35,7 @@ logTTL: 15
 ##
 users: {}
 
+
 ## @section Backup parameters
 
 ## @param backup.enabled Enable periodic backups
@@ -47,11 +56,3 @@ backup:
   s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
   resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
 
-## @param resources Explicit CPU/memory resource requests and limits for the Clickhouse service
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
-
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly.
-resourcesPreset: "small"

packages/apps/ferretdb/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.1
+version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.24.0"
+appVersion: 2.4.0

packages/apps/ferretdb/Makefile

@@ -1,5 +1,13 @@
 include ../../../scripts/package.mk
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+
+update:
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/FerretDB/FerretDB | awk -F'[/^]' '{sub("^v", "", $$3)} END{print $$3}') && \
+	pgtag=$$(skopeo list-tags docker://ghcr.io/ferretdb/postgres-documentdb | jq -r --arg tag "$$tag" '.Tags[] | select(endswith("ferretdb-" + $$tag))' | sort -V | tail -n1) && \
+	sed -i "s|\(imageName: ghcr.io/ferretdb/postgres-documentdb:\).*|\1$$pgtag|" templates/postgres.yaml && \
+	sed -i "s|\(image: ghcr.io/ferretdb/ferretdb:\).*|\1$$tag|" templates/ferretdb.yaml && \
+	sed -i "s|\(appVersion: \).*|\1$$tag|" Chart.yaml

packages/apps/ferretdb/README.md

@@ -1,37 +1,72 @@
 # Managed FerretDB Service
 
+FerretDB is an open source MongoDB alternative.
+It translates MongoDB wire protocol queries to SQL and can be used as a direct replacement for MongoDB 5.0+.
+Internally, FerretDB service is backed by Postgres.
+
 ## Parameters
 
 ### Common parameters
 
-| Name                     | Description                                                                                                             | Value   |
+| Name              | Description                                                                                                                           | Value   |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`               | Enable external access from outside the cluster                                                                         | `false` |
+| `replicas`        | Number of replicas                                                                                                                    | `2`     |
-| `size`                   | Persistent Volume size                                                                                                  | `10Gi`  |
+| `resources`       | Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `replicas`               | Number of Postgres replicas                                                                                             | `2`     |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.     | `micro` |
-| `storageClass`           | StorageClass used to store the data                                                                                     | `""`    |
+| `size`            | Persistent Volume size                                                                                                                | `10Gi`  |
-| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.           | `0`     |
+| `storageClass`    | StorageClass used to store the data                                                                                                   | `""`    |
-| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0`     |
+| `external`        | Enable external access from outside the cluster                                                                                       | `false` |
 
-### Configuration parameters
+### Application-specific parameters
 
-| Name    | Description         | Value |
+| Name                     | Description                                                                                                                 | Value |
-| ------- | ------------------- | ----- |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ----- |
-| `users` | Users configuration | `{}`  |
+| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed                | `0`   |
+| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas) | `0`   |
+| `users`                  | Users configuration                                                                                                         | `{}`  |
 
 ### Backup parameters
 
-| Name                     | Description                                                                                                                                      | Value                                                  |
+| Name                     | Description                                                | Value                               |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ |
+| ------------------------ | ---------------------------------------------------------- | ----------------------------------- |
-| `backup.enabled`         | Enable pereiodic backups                                                                                                                         | `false`                                                |
+| `backup.enabled`         | Enable regular backups                                     | `false`                             |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                       | `us-east-1`                                            |
+| `backup.schedule`        | Cron schedule for automated backups                        | `0 2 * * * *`                       |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                           | `s3.example.org/postgres-backups`                      |
+| `backup.retentionPolicy` | Retention policy                                           | `30d`                               |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                              | `0 2 * * *`                                            |
+| `backup.destinationPath` | Path to store the backup (i.e. s3://bucket/path/to/folder) | `s3://bucket/path/to/folder/`       |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                         | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.endpointURL`     | S3 Endpoint used to upload data to the cloud               | `http://minio-gateway-service:9000` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                   | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                 | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                   | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                 | `ju3eum4dekeich9ahM1te8waeGai0oog`  |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                        | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Resources                                                                                                                                        | `{}`                                                   |
-| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`                                                 |
 
+### Bootstrap (recovery) parameters
 
+| Name                     | Description                                                                                                          | Value   |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------- | ------- |
+| `bootstrap.enabled`      | Restore database cluster from a backup                                                                               | `false` |
+| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest | `""`    |
+| `bootstrap.oldName`      | Name of database cluster before deleting                                                                             | `""`    |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcesPreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `250m` | `128Mi` |
+| `micro`     | `500m` | `256Mi` |
+| `small`     | `1`    | `512Mi` |
+| `medium`    | `1`    | `1Gi`   |
+| `large`     | `2`    | `2Gi`   |
+| `xlarge`    | `4`    | `4Gi`   |
+| `2xlarge`   | `8`    | `8Gi`   |

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +0,0 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f

packages/apps/ferretdb/templates/backup-cronjob.yaml

@@ -1,99 +0,0 @@
-{{- if .Values.backup.enabled }}
-{{ $image := .Files.Get "images/backup.json" | fromJson }}
-
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: {{ .Release.Name }}-backup
-spec:
-  schedule: "{{ .Values.backup.schedule }}"
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      backoffLimit: 2
-      template:
-        spec:
-          restartPolicy: OnFailure
-      template:
-        metadata:
-          annotations:
-            checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }}
-            checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }}
-        spec:
-          restartPolicy: Never
-          containers:
-          - name: pgdump
-            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
-            command:
-            - /bin/sh
-            - /scripts/backup.sh
-            env:
-            - name: REPO_PREFIX
-              value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }}
-            - name: CLEANUP_STRATEGY
-              value: {{ required "cleanupStrategy is not specified!" .Values.backup.cleanupStrategy | quote }}
-            - name: PGUSER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-postgres-superuser
-                  key: username
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-postgres-superuser
-                  key: password
-            - name: PGHOST
-              value: {{ .Release.Name }}-postgres-rw
-            - name: PGPORT
-              value: "5432"
-            - name: PGDATABASE
-              value: postgres
-            - name: AWS_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: s3AccessKey
-            - name: AWS_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: s3SecretKey
-            - name: AWS_DEFAULT_REGION
-              value: {{ .Values.backup.s3Region }}
-            - name: RESTIC_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: resticPassword
-            volumeMounts:
-            - mountPath: /scripts
-              name: scripts
-            - mountPath: /tmp
-              name: tmp
-            - mountPath: /.cache
-              name: cache
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                drop:
-                - ALL
-              privileged: false
-              readOnlyRootFilesystem: true
-              runAsNonRoot: true
-          volumes:
-          - name: scripts
-            secret:
-              secretName: {{ .Release.Name }}-backup-script
-          - name: tmp
-            emptyDir: {}
-          - name: cache
-            emptyDir: {}
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 9000
-            runAsGroup: 9000
-            seccompProfile:
-              type: RuntimeDefault
-{{- end }}

packages/apps/ferretdb/templates/backup-script.yaml

@@ -1,50 +0,0 @@
-{{- if .Values.backup.enabled }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-backup-script
-stringData:
-  backup.sh: |
-    #!/bin/sh
-    set -e
-    set -o pipefail
-
-    JOB_ID="job-$(uuidgen|cut -f1 -d-)"
-    DB_LIST=$(psql -Atq -c 'SELECT datname FROM pg_catalog.pg_database;' | grep -v '^\(postgres\|app\|template.*\)$')
-    echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list
-    echo "Job ID: $JOB_ID"
-    echo "Target repo: $REPO_PREFIX"
-    echo "Cleanup strategy: $CLEANUP_STRATEGY"
-    echo "Start backup for:"
-    echo "$DB_LIST"
-    echo
-    echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`"
-    for db in $DB_LIST; do
-      (
-        set -x
-        restic -r "s3:${REPO_PREFIX}/$db" cat config >/dev/null 2>&1 || \
-          restic -r "s3:${REPO_PREFIX}/$db" init --repository-version 2
-        restic -r "s3:${REPO_PREFIX}/$db" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it
-        pg_dump -Z0 -Ft -d "$db" | \
-          restic -r "s3:${REPO_PREFIX}/$db" backup --tag "$JOB_ID" --stdin --stdin-filename dump.tar
-        restic -r "s3:${REPO_PREFIX}/$db" tag --tag "$JOB_ID" --set "completed"
-      )
-    done
-    echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`"
-
-    echo
-    echo "Run cleanup:"
-    echo
-
-    echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`"
-    for db in $DB_LIST; do
-      (
-        set -x
-        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" # keep completed snapshots only
-        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY
-        restic prune -r "s3:${REPO_PREFIX}/$db"
-      )
-    done
-    echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`"
-{{- end }}

packages/apps/ferretdb/templates/backup-secret.yaml

@@ -1,11 +0,0 @@
-{{- if .Values.backup.enabled }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-backup
-stringData:
-  s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
-  s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
-  resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
-{{- end }}

packages/apps/ferretdb/templates/backup.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: {{ .Release.Name }}-postgres
+spec:
+  schedule: {{ .Values.backup.schedule | quote }}
+  backupOwnerReference: self
+  cluster:
+    name: {{ .Release.Name }}-postgres
+{{- end }}

packages/apps/ferretdb/templates/ferretdb.yaml

@@ -16,12 +16,14 @@ spec:
     spec:
       containers:
       - name: ferretdb
-        image: ghcr.io/ferretdb/ferretdb:1.24.0
+        image: ghcr.io/ferretdb/ferretdb:2.4.0
         ports:
         - containerPort: 27017
         env:
-          - name: FERRETDB_POSTGRESQL_URL
+          - name: POSTGRESQL_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: {{ .Release.Name }}-postgres-app
+                name: {{ .Release.Name }}-postgres-superuser
-                key: uri
+                key: password
+          - name: FERRETDB_POSTGRESQL_URL
+            value: "postgresql://postgres:$(POSTGRESQL_PASSWORD)@{{ .Release.Name }}-postgres-rw:5432/postgres"

packages/apps/ferretdb/templates/init-job.yaml

@@ -1,66 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ .Release.Name }}-init-job
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": before-hook-creation
-spec:
-  template:
-    metadata:
-      name: {{ .Release.Name }}-init-job
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/init-script.yaml") . | sha256sum }}
-    spec:
-      restartPolicy: Never
-      containers:
-      - name: postgres
-        image: ghcr.io/cloudnative-pg/postgresql:15.3
-        command:
-        - bash
-        - /scripts/init.sh
-        env:
-        - name: PGUSER
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-postgres-superuser
-              key: username
-        - name: PGPASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-postgres-superuser
-              key: password
-        - name: PGHOST
-          value: {{ .Release.Name }}-postgres-rw
-        - name: PGPORT
-          value: "5432"
-        - name: PGDATABASE
-          value: postgres
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          privileged: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-        volumeMounts:
-        - mountPath: /etc/secret
-          name: secret
-        - mountPath: /scripts
-          name: scripts
-      securityContext:
-        fsGroup: 26
-        runAsGroup: 26
-        runAsNonRoot: true
-        runAsUser: 26
-        seccompProfile:
-          type: RuntimeDefault
-      volumes:
-      - name: secret
-        secret:
-          secretName: {{ .Release.Name }}-postgres-superuser
-      - name: scripts
-        secret:
-          secretName: {{ .Release.Name }}-init-script

packages/apps/ferretdb/templates/init-script.yaml

@@ -1,131 +0,0 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
-{{- $passwords := dict }}
-
-{{- with (index $existingSecret "data") }}
-  {{- range $k, $v := . }}
-    {{- $_ := set $passwords $k (b64dec $v) }}
-  {{- end }}
-{{- end }}
-
-{{- range $user, $u := .Values.users }}
-  {{- if $u.password }}
-    {{- $_ := set $passwords $user $u.password }}
-  {{- else if not (index $passwords $user) }}
-    {{- $_ := set $passwords $user (randAlphaNum 16) }}
-  {{- end }}
-{{- end }}
-
-{{- if .Values.users }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-credentials
-stringData:
-  {{- range $user, $u := .Values.users }}
-  {{ quote $user }}: {{ quote (index $passwords $user) }}
-  {{- end }}
-{{- end }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-init-script
-stringData:
-  init.sh: |
-    #!/bin/bash
-    set -e
-
-    until pg_isready ; do sleep 5; done
-
-    echo "== create users"
-    {{- if .Values.users }}
-    psql -v ON_ERROR_STOP=1 <<\EOT
-    {{- range $user, $u := .Values.users }}
-    SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
-    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
-    COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
-    {{- end }}
-    EOT
-    {{- end }}
-
-    echo "== delete users"
-    MANAGED_USERS=$(echo '\du+' | psql | awk -F'|' '$4 == " user managed by helm" {print $1}' | awk NF=NF RS= OFS=' ')
-    DEFINED_USERS="{{ join " " (keys .Values.users) }}"
-    DELETE_USERS=$(for user in $MANAGED_USERS; do case " $DEFINED_USERS " in *" $user "*) :;; *) echo $user;; esac; done)
-
-    echo "users to delete: $DELETE_USERS"
-    for user in $DELETE_USERS; do
-    # https://stackoverflow.com/a/51257346/2931267
-    psql -v ON_ERROR_STOP=1 --echo-all <<EOT
-    REASSIGN OWNED BY $user TO postgres;
-    DROP OWNED BY $user;
-    DROP USER $user;
-    EOT
-    done
-
-    echo "== create roles"
-    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
-    SELECT 'CREATE ROLE app_admin NOINHERIT;'
-    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'app_admin')\gexec
-    COMMENT ON ROLE app_admin IS 'role managed by helm';
-    EOT
-
-    echo "== grant privileges on databases to roles"
-    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
-    ALTER DATABASE app OWNER TO app_admin;
-
-    DO $$
-    DECLARE
-        schema_record record;
-    BEGIN
-        -- Loop over all schemas
-        FOR schema_record IN SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT IN ('pg_catalog', 'information_schema') LOOP
-            -- Changing Schema Ownership
-            EXECUTE format('ALTER SCHEMA %I OWNER TO %I', schema_record.schema_name, 'app_admin');
-
-            -- Add rights for the admin role
-            EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL SEQUENCES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL FUNCTIONS IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', schema_record.schema_name, 'app_admin');
-        END LOOP;
-    END$$;
-    EOT
-
-    echo "== setup event trigger for schema creation"
-    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
-    CREATE OR REPLACE FUNCTION auto_grant_schema_privileges()
-    RETURNS event_trigger LANGUAGE plpgsql AS $$
-    DECLARE
-      obj record;
-    BEGIN
-      FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE SCHEMA' LOOP
-        -- Set owner for schema
-        EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, 'app_admin');
-
-        -- Set privileges for admin role
-        EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', obj.object_identity, 'app_admin');
-      END LOOP;
-    END;
-    $$;
-
-    DROP EVENT TRIGGER IF EXISTS trigger_auto_grant;
-    CREATE EVENT TRIGGER trigger_auto_grant ON ddl_command_end
-    WHEN TAG IN ('CREATE SCHEMA')
-    EXECUTE PROCEDURE auto_grant_schema_privileges();
-    EOT
-
-    echo "== assign roles to users"
-    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
-    GRANT app_admin TO app;
-    {{- range $user, $u := $.Values.users }}
-    GRANT app_admin TO {{ $user }};
-    {{- end }}
-    EOT

packages/apps/ferretdb/templates/postgres.yaml

@@ -5,6 +5,50 @@ metadata:
   name: {{ .Release.Name }}-postgres
 spec:
   instances: {{ .Values.replicas }}
+  {{- if .Values.backup.enabled }}
+  backup:
+    barmanObjectStore:
+      destinationPath: {{ .Values.backup.destinationPath }}
+      endpointURL: {{ .Values.backup.endpointURL }}
+      s3Credentials:
+        accessKeyId:
+          name: {{ .Release.Name }}-s3-creds
+          key: AWS_ACCESS_KEY_ID
+        secretAccessKey:
+          name: {{ .Release.Name }}-s3-creds
+          key: AWS_SECRET_ACCESS_KEY
+    retentionPolicy: {{ .Values.backup.retentionPolicy }}
+  {{- end }}
+
+  bootstrap:
+    initdb:
+      postInitSQL:
+        - 'CREATE EXTENSION IF NOT EXISTS documentdb CASCADE;'
+    {{- if .Values.bootstrap.enabled }}
+    recovery:
+      source: {{ .Values.bootstrap.oldName }}
+      {{- if .Values.bootstrap.recoveryTime }}
+      recoveryTarget:
+        targetTime: {{ .Values.bootstrap.recoveryTime }}
+      {{- end }}
+    {{- end }}
+  {{- if .Values.bootstrap.enabled }}
+  externalClusters:
+    - name: {{ .Values.bootstrap.oldName }}
+      barmanObjectStore:
+        destinationPath: {{ .Values.backup.destinationPath }}
+        endpointURL: {{ .Values.backup.endpointURL }}
+        s3Credentials:
+          accessKeyId:
+            name: {{ .Release.Name }}-s3-creds
+            key: AWS_ACCESS_KEY_ID
+          secretAccessKey:
+            name: {{ .Release.Name }}-s3-creds
+            key: AWS_SECRET_ACCESS_KEY
+  {{- end }}
+  imageName: ghcr.io/ferretdb/postgres-documentdb:17-0.105.0-ferretdb-2.4.0
+  postgresUID: 999
+  postgresGID: 999
   enableSuperuserAccess: true
   {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
   {{- if $configMap }}
@@ -18,14 +62,21 @@ spec:
   {{- end }}
   minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
   maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}
-  {{- if .Values.resources }}
+  resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 4 }}
-  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
-  {{- else if ne .Values.resourcesPreset "none" }}
-  resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 4 }}
-  {{- end }}
   monitoring:
     enablePodMonitor: true
 
+  postgresql:
+    shared_preload_libraries:
+      - pg_cron
+      - pg_documentdb_core
+      - pg_documentdb
+    parameters:
+      cron.database_name: 'postgres'
+    pg_hba:
+      - host postgres postgres 127.0.0.1/32 trust
+      - host postgres postgres ::1/128 trust
+
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
     {{- with .Values.storageClass }}
@@ -46,8 +97,6 @@ spec:
       passwordSecret:
         name: {{ printf "%s-user-%s" $.Release.Name $user }}
       login: true
-      inRoles:
-      - app
     {{- end }}
   {{- end }}
 

packages/apps/ferretdb/values.schema.json

@@ -1,98 +1,100 @@
 {
-    "title": "Chart Values",
-    "type": "object",
     "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of Postgres replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "quorum": {
-            "type": "object",
-            "properties": {
-                "minSyncReplicas": {
-                    "type": "number",
-                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
-                    "default": 0
-                },
-                "maxSyncReplicas": {
-                    "type": "number",
-                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
-                    "default": 0
-                }
-            }
-        },
         "backup": {
-            "type": "object",
             "properties": {
+                "destinationPath": {
+                    "default": "s3://bucket/path/to/folder/",
+                    "description": "Path to store the backup (i.e. s3://bucket/path/to/folder)",
+                    "type": "string"
+                },
                 "enabled": {
-                    "type": "boolean",
+                    "default": false,
-                    "description": "Enable pereiodic backups",
+                    "description": "Enable regular backups",
-                    "default": false
+                    "type": "boolean"
                 },
-                "s3Region": {
+                "endpointURL": {
-                    "type": "string",
+                    "default": "http://minio-gateway-service:9000",
-                    "description": "The AWS S3 region where backups are stored",
+                    "description": "S3 Endpoint used to upload data to the cloud",
-                    "default": "us-east-1"
+                    "type": "string"
                 },
-                "s3Bucket": {
+                "retentionPolicy": {
-                    "type": "string",
+                    "default": "30d",
-                    "description": "The S3 bucket used for storing backups",
+                    "description": "Retention policy",
-                    "default": "s3.example.org/postgres-backups"
+                    "type": "string"
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
-                },
-                "cleanupStrategy": {
-                    "type": "string",
-                    "description": "The strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
                 },
                 "s3AccessKey": {
-                    "type": "string",
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
-                    "description": "The access key for S3, used for authentication",
+                    "description": "Access key for S3, used for authentication",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                    "type": "string"
                 },
                 "s3SecretKey": {
-                    "type": "string",
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
-                    "description": "The secret key for S3, used for authentication",
+                    "description": "Secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                    "type": "string"
                 },
-                "resticPassword": {
+                "schedule": {
-                    "type": "string",
+                    "default": "0 2 * * * *",
-                    "description": "The password for Restic backup encryption",
+                    "description": "Cron schedule for automated backups",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                    "type": "string"
                 }
-            }
+            },
+            "type": "object"
+        },
+        "bootstrap": {
+            "properties": {
+                "enabled": {
+                    "default": false,
+                    "description": "Restore database cluster from a backup",
+                    "type": "boolean"
+                },
+                "oldName": {
+                    "default": "",
+                    "description": "Name of database cluster before deleting",
+                    "type": "string"
+                },
+                "recoveryTime": {
+                    "default": "",
+                    "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest",
+                    "type": "string"
+                }
+            },
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "quorum": {
+            "properties": {
+                "maxSyncReplicas": {
+                    "default": 0,
+                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)",
+                    "type": "number"
+                },
+                "minSyncReplicas": {
+                    "default": 0,
+                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed",
+                    "type": "number"
+                }
+            },
+            "type": "object"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of replicas",
+            "type": "number"
         },
         "resources": {
-            "type": "object",
+            "default": {},
-            "description": "Resources",
+            "description": "Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
         },
         "resourcesPreset": {
+            "default": "micro",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
             "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
-            "default": "nano",
             "enum": [
-                "none",
                 "nano",
                 "micro",
                 "small",
@@ -101,6 +103,18 @@
                 "xlarge",
                 "2xlarge"
             ]
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
         }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }

packages/apps/ferretdb/values.yaml

@@ -1,24 +1,30 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of Postgres replicas
-## @param storageClass StorageClass used to store the data
 ##
-external: false
+## @param replicas Number of replicas
-size: 10Gi
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+#  resources:
+#    cpu: 4000m
+#    memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "micro"
+## @param size Persistent Volume size
+size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
+## @param external Enable external access from outside the cluster
+external: false
 
+
+## @section Application-specific parameters
+##
 ## Configuration for the quorum-based synchronous replication
-## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
+## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed
-## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
+## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)
 quorum:
   minSyncReplicas: 0
   maxSyncReplicas: 0
-
-## @section Configuration parameters
-
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -29,31 +35,36 @@ quorum:
 ##
 users: {}
 
-## @section Backup parameters
 
-## @param backup.enabled Enable pereiodic backups
+## @section Backup parameters
-## @param backup.s3Region The AWS S3 region where backups are stored
+##
-## @param backup.s3Bucket The S3 bucket used for storing backups
+## @param backup.enabled Enable regular backups
 ## @param backup.schedule Cron schedule for automated backups
-## @param backup.cleanupStrategy The strategy for cleaning up old backups
+## @param backup.retentionPolicy Retention policy
-## @param backup.s3AccessKey The access key for S3, used for authentication
+## @param backup.destinationPath Path to store the backup (i.e. s3://bucket/path/to/folder)
-## @param backup.s3SecretKey The secret key for S3, used for authentication
+## @param backup.endpointURL S3 Endpoint used to upload data to the cloud
-## @param backup.resticPassword The password for Restic backup encryption
+## @param backup.s3AccessKey Access key for S3, used for authentication
+## @param backup.s3SecretKey Secret key for S3, used for authentication
 backup:
   enabled: false
-  s3Region: us-east-1
+  retentionPolicy: 30d
-  s3Bucket: s3.example.org/postgres-backups
+  destinationPath: s3://bucket/path/to/folder/
-  schedule: "0 2 * * *"
+  endpointURL: http://minio-gateway-service:9000
-  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  schedule: "0 2 * * * *"
   s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
   s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
 
-## @param resources Resources
+
-resources: {}
+## @section Bootstrap (recovery) parameters
- # resources:
+##
- #   cpu: 4000m
+## @param bootstrap.enabled Restore database cluster from a backup
- #   memory: 4Gi
+## @param bootstrap.recoveryTime Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest
- 
+## @param bootstrap.oldName Name of database cluster before deleting
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+##
-resourcesPreset: "nano"
+bootstrap:
+  enabled: false
+  # example: 2020-11-26 15:22:00.00000+00
+  recoveryTime: ""
+  oldName: ""
+
+

packages/apps/http-cache/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.2
+version: 0.6.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/http-cache/Makefile

@@ -1,4 +1,5 @@
 NGINX_CACHE_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
@@ -22,9 +23,9 @@ image-nginx:
 	rm -f images/nginx-cache.json
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.haproxy.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.haproxy.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
-	yq -i -o json --indent 4 '.properties.nginx.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.nginx.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
 
 update:
 	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/chrislim2888/IP2Location-C-Library | awk -F'[/^]' 'END{print $$3}') && \

packages/apps/http-cache/README.md

@@ -1,8 +1,9 @@
-# Managed Nginx Caching Service
+# Managed Nginx-based HTTP Cache Service
 
-The Nginx Caching Service is designed to optimize web traffic and enhance web application performance. This service combines custom-built Nginx instances with HAproxy for efficient caching and load balancing.
+The Nginx-based HTTP caching service is designed to optimize web traffic and enhance web application performance.
+This service combines custom-built Nginx instances with HAProxy for efficient caching and load balancing.
 
-## Deployment infromation
+## Deployment information
 
 The Nginx instances include the following modules and features:
 
@@ -53,27 +54,77 @@ The deployment architecture is illustrated in the diagram below:
 
 ## Known issues
 
-VTS module shows wrong upstream resonse time
+- VTS module shows wrong upstream response time, [github.com/vozlt/nginx-module-vts#198](https://github.com/vozlt/nginx-module-vts/issues/198)
-- https://github.com/vozlt/nginx-module-vts/issues/198
 
 ## Parameters
 
 ### Common parameters
 
-| Name                      | Description                                                                                                                                      | Value   |
+| Name           | Description                                     | Value   |
-| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| -------------- | ----------------------------------------------- | ------- |
-| `external`                | Enable external access from outside the cluster                                                                                                  | `false` |
+| `size`         | Persistent Volume size                          | `10Gi`  |
-| `size`                    | Persistent Volume size                                                                                                                           | `10Gi`  |
+| `storageClass` | StorageClass used to store the data             | `""`    |
-| `storageClass`            | StorageClass used to store the data                                                                                                              | `""`    |
+| `external`     | Enable external access from outside the cluster | `false` |
-| `haproxy.replicas`        | Number of HAProxy replicas                                                                                                                       | `2`     |
-| `nginx.replicas`          | Number of Nginx replicas                                                                                                                         | `2`     |
-| `haproxy.resources`       |                                                                                                                                                  | `{}`    |
-| `haproxy.resourcesPreset` | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`  |
-| `nginx.resources`         | Resources                                                                                                                                        | `{}`    |
-| `nginx.resourcesPreset`   | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`  |
 
-### Configuration parameters
+### Application-specific parameters
 
 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
 | `endpoints` | Endpoints configuration | `[]`  |
+
+### HAProxy parameters
+
+| Name                      | Description                                                                                                                          | Value  |
+| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------ |
+| `haproxy.replicas`        | Number of HAProxy replicas                                                                                                           | `2`    |
+| `haproxy.resources`       | Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`   |
+| `haproxy.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.          | `nano` |
+
+### Nginx parameters
+
+| Name                    | Description                                                                                                                        | Value  |
+| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `nginx.replicas`        | Number of Nginx replicas                                                                                                           | `2`    |
+| `nginx.resources`       | Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`   |
+| `nginx.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.        | `nano` |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcesPreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `250m` | `128Mi` |
+| `micro`     | `500m` | `256Mi` |
+| `small`     | `1`    | `512Mi` |
+| `medium`    | `1`    | `1Gi`   |
+| `large`     | `2`    | `2Gi`   |
+| `xlarge`    | `4`    | `4Gi`   |
+| `2xlarge`   | `8`    | `8Gi`   |
+
+
+### endpoints
+
+`endpoints` is a flat list of IP addresses:
+
+```yaml
+endpoints:
+  - 10.100.3.1:80
+  - 10.100.3.11:80
+  - 10.100.3.2:80
+  - 10.100.3.12:80
+  - 10.100.3.3:80
+  - 10.100.3.13:80
+```

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.5.2@sha256:e0a07082bb6fc6aeaae2315f335386f1705a646c72f9e0af512aebbca5cb2b15
+ghcr.io/cozystack/cozystack/nginx-cache:0.6.1@sha256:e0a07082bb6fc6aeaae2315f335386f1705a646c72f9e0af512aebbca5cb2b15

packages/apps/http-cache/templates/haproxy/deployment.yaml

@@ -33,11 +33,7 @@ spec:
       containers:
       - image: haproxy:latest
         name: haproxy
-        {{- if .Values.haproxy.resources }}
+        resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.haproxy.resourcesPreset .Values.haproxy.resources $) | nindent 10 }}
-        resources: {{- include "cozy-lib.resources.sanitize" (list .Values.haproxy.resources $) | nindent 10 }}
-        {{- else if ne .Values.haproxy.resourcesPreset "none" }}
-        resources: {{- include "cozy-lib.resources.preset" (list .Values.haproxy.resourcesPreset $) | nindent 10 }}
-        {{- end }}
         ports:
         - containerPort: 8080
           name: http

packages/apps/http-cache/templates/nginx/deployment.yaml

@@ -52,11 +52,7 @@ spec:
       shareProcessNamespace: true
       containers:
       - name: nginx
-        {{- if $.Values.nginx.resources }}
+        resources: {{- include "cozy-lib.resources.defaultingSanitize" (list $.Values.nginx.resourcesPreset $.Values.nginx.resources $) | nindent 10 }}
-        resources: {{- include "cozy-lib.resources.sanitize" (list $.Values.nginx.resources $) | nindent 10 }}
-        {{- else if ne $.Values.nginx.resourcesPreset "none" }}
-        resources: {{- include "cozy-lib.resources.preset" (list $.Values.nginx.resourcesPreset $) | nindent 10 }}
-        {{- end }}
         image: "{{ $.Files.Get "images/nginx-cache.tag" | trim }}"
         readinessProbe:
           httpGet:

packages/apps/http-cache/values.schema.json

@@ -1,41 +1,33 @@
 {
-    "title": "Chart Values",
-    "type": "object",
     "properties": {
+        "endpoints": {
+            "default": [],
+            "description": "Endpoints configuration",
+            "items": {},
+            "type": "array"
+        },
         "external": {
-            "type": "boolean",
+            "default": false,
             "description": "Enable external access from outside the cluster",
-            "default": false
+            "type": "boolean"
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
         },
         "haproxy": {
-            "type": "object",
             "properties": {
                 "replicas": {
-                    "type": "number",
+                    "default": 2,
                     "description": "Number of HAProxy replicas",
-                    "default": 2
+                    "type": "number"
                 },
                 "resources": {
-                    "type": "object",
+                    "default": {},
-                    "description": "",
+                    "description": "Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
+                    "type": "object"
                 },
                 "resourcesPreset": {
-                    "type": "string",
-                    "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
                     "default": "nano",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
                     "enum": [
-                        "none",
                         "nano",
                         "micro",
                         "small",
@@ -45,27 +37,26 @@
                         "2xlarge"
                     ]
                 }
-            }
+            },
+            "type": "object"
         },
         "nginx": {
-            "type": "object",
             "properties": {
                 "replicas": {
-                    "type": "number",
+                    "default": 2,
                     "description": "Number of Nginx replicas",
-                    "default": 2
+                    "type": "number"
                 },
                 "resources": {
-                    "type": "object",
+                    "default": {},
-                    "description": "Resources",
+                    "description": "Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
+                    "type": "object"
                 },
                 "resourcesPreset": {
-                    "type": "string",
-                    "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
                     "default": "nano",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
                     "enum": [
-                        "none",
                         "nano",
                         "micro",
                         "small",
@@ -75,13 +66,20 @@
                         "2xlarge"
                     ]
                 }
-            }
+            },
+            "type": "object"
         },
-        "endpoints": {
+        "size": {
-            "type": "array",
+            "default": "10Gi",
-            "description": "Endpoints configuration",
+            "description": "Persistent Volume size",
-            "default": [],
+            "type": "string"
-            "items": {}
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
         }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }

packages/apps/http-cache/values.yaml

@@ -1,37 +1,12 @@
-
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param storageClass StorageClass used to store the data
-## @param haproxy.replicas Number of HAProxy replicas
-## @param nginx.replicas Number of Nginx replicas
 ##
-external: false
+## @param size Persistent Volume size
 size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
-haproxy:
+## @param external Enable external access from outside the cluster
-  replicas: 2
+external: false
-  ## @param haproxy.resources 
+## @section Application-specific parameters
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-  
-  ## @param haproxy.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
-  resourcesPreset: "nano"
-nginx:
-  replicas: 2
-  ## @param nginx.resources Resources
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-  
-  ## @param nginx.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
-  resourcesPreset: "nano"
-
-## @section Configuration parameters
 
 ## @param endpoints Endpoints configuration
 ## Example:
@@ -44,3 +19,29 @@ nginx:
 ##   - 10.100.3.13:80
 ##
 endpoints: []
+
+## @section HAProxy parameters
+haproxy:
+  ## @param haproxy.replicas Number of HAProxy replicas
+  replicas: 2
+  ## @param haproxy.resources Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+
+  ## @param haproxy.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "nano"
+
+## @section Nginx parameters
+nginx:
+  ## @param nginx.replicas Number of Nginx replicas
+  replicas: 2
+  ## @param nginx.resources Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+
+  ## @param nginx.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "nano"

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.1
+version: 0.8.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/Makefile

@@ -1,6 +1,7 @@
 include ../../../scripts/package.mk
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.kafka.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.kafka.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
-	yq -i -o json --indent 4 '.properties.zookeeper.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.zookeeper.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json

packages/apps/kafka/README.md

@@ -4,22 +4,77 @@
 
 ### Common parameters
 
-| Name                        | Description                                                                                                                                      | Value   |
+| Name       | Description                                     | Value   |
-| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| ---------- | ----------------------------------------------- | ------- |
-| `external`                  | Enable external access from outside the cluster                                                                                                  | `false` |
+| `external` | Enable external access from outside the cluster | `false` |
-| `kafka.size`                | Persistent Volume size for Kafka                                                                                                                 | `10Gi`  |
-| `kafka.replicas`            | Number of Kafka replicas                                                                                                                         | `3`     |
-| `kafka.storageClass`        | StorageClass used to store the Kafka data                                                                                                        | `""`    |
-| `zookeeper.size`            | Persistent Volume size for ZooKeeper                                                                                                             | `5Gi`   |
-| `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                                     | `3`     |
-| `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                                    | `""`    |
-| `kafka.resources`           | Resources                                                                                                                                        | `{}`    |
-| `kafka.resourcesPreset`     | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `small` |
-| `zookeeper.resources`       | Resources                                                                                                                                        | `{}`    |
-| `zookeeper.resourcesPreset` | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `small` |
 
-### Configuration parameters
+### Application-specific parameters
 
-| Name     | Description          | Value |
+| Name     | Description                        | Value |
-| -------- | -------------------- | ----- |
+| -------- | ---------------------------------- | ----- |
-| `topics` | Topics configuration | `[]`  |
+| `topics` | Topics configuration (see example) | `[]`  |
+
+### Kafka configuration
+
+| Name                    | Description                                                                                                                        | Value   |
+| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `kafka.replicas`        | Number of Kafka replicas                                                                                                           | `3`     |
+| `kafka.resources`       | Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `kafka.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.        | `small` |
+| `kafka.size`            | Persistent Volume size for Kafka                                                                                                   | `10Gi`  |
+| `kafka.storageClass`    | StorageClass used to store the Kafka data                                                                                          | `""`    |
+
+### Zookeeper configuration
+
+| Name                        | Description                                                                                                                            | Value   |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                           | `3`     |
+| `zookeeper.resources`       | Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `zookeeper.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `small` |
+| `zookeeper.size`            | Persistent Volume size for ZooKeeper                                                                                                   | `5Gi`   |
+| `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                          | `""`    |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcesPreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `250m` | `128Mi` |
+| `micro`     | `500m` | `256Mi` |
+| `small`     | `1`    | `512Mi` |
+| `medium`    | `1`    | `1Gi`   |
+| `large`     | `2`    | `2Gi`   |
+| `xlarge`    | `4`    | `4Gi`   |
+| `2xlarge`   | `8`    | `8Gi`   |
+
+### topics
+
+```yaml
+topics:
+  - name: Results
+    partitions: 1
+    replicas: 3
+    config:
+      min.insync.replicas: 2
+  - name: Orders
+    config:
+      cleanup.policy: compact
+      segment.ms: 3600000
+      max.compaction.lag.ms: 5400000
+      min.insync.replicas: 2
+    partitions: 1
+    replicas: 3
+```

packages/apps/kafka/templates/kafka.yaml

@@ -8,11 +8,7 @@ metadata:
 spec:
   kafka:
     replicas: {{ .Values.kafka.replicas }}
-    {{- if .Values.kafka.resources }}
+    resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.kafka.resourcesPreset .Values.kafka.resources $) | nindent 6 }}
-    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.kafka.resources $) | nindent 6 }}
-    {{- else if ne .Values.kafka.resourcesPreset "none" }}
-    resources: {{- include "cozy-lib.resources.preset" (list .Values.kafka.resourcesPreset $) | nindent 6 }}
-    {{- end }}
     listeners:
       - name: plain
         port: 9092
@@ -70,11 +66,7 @@ spec:
           key: kafka-metrics-config.yml
   zookeeper:
     replicas: {{ .Values.zookeeper.replicas }}
-    {{- if .Values.zookeeper.resources }}
+    resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.zookeeper.resourcesPreset .Values.zookeeper.resources $) | nindent 6 }}
-    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.zookeeper.resources $) | nindent 6 }}
-    {{- else if ne .Values.zookeeper.resourcesPreset "none" }}
-    resources: {{- include "cozy-lib.resources.preset" (list .Values.zookeeper.resourcesPreset $) | nindent 6 }}
-    {{- end }}
     storage:
       type: persistent-claim
       {{- with .Values.zookeeper.size }}

packages/apps/kafka/values.schema.json

@@ -1,41 +1,27 @@
 {
-    "title": "Chart Values",
-    "type": "object",
     "properties": {
         "external": {
-            "type": "boolean",
+            "default": false,
             "description": "Enable external access from outside the cluster",
-            "default": false
+            "type": "boolean"
         },
         "kafka": {
-            "type": "object",
             "properties": {
-                "size": {
-                    "type": "string",
-                    "description": "Persistent Volume size for Kafka",
-                    "default": "10Gi"
-                },
                 "replicas": {
-                    "type": "number",
+                    "default": 3,
                     "description": "Number of Kafka replicas",
-                    "default": 3
+                    "type": "number"
-                },
-                "storageClass": {
-                    "type": "string",
-                    "description": "StorageClass used to store the Kafka data",
-                    "default": ""
                 },
                 "resources": {
-                    "type": "object",
+                    "default": {},
-                    "description": "Resources",
+                    "description": "Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
+                    "type": "object"
                 },
                 "resourcesPreset": {
-                    "type": "string",
-                    "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
                     "default": "small",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
                     "enum": [
-                        "none",
                         "nano",
                         "micro",
                         "small",
@@ -44,54 +30,66 @@
                         "xlarge",
                         "2xlarge"
                     ]
-                }
+                },
-            }
-        },
-        "zookeeper": {
-            "type": "object",
-            "properties": {
                 "size": {
-                    "type": "string",
+                    "default": "10Gi",
-                    "description": "Persistent Volume size for ZooKeeper",
+                    "description": "Persistent Volume size for Kafka",
-                    "default": "5Gi"
+                    "type": "string"
-                },
-                "replicas": {
-                    "type": "number",
-                    "description": "Number of ZooKeeper replicas",
-                    "default": 3
                 },
                 "storageClass": {
-                    "type": "string",
+                    "default": "",
-                    "description": "StorageClass used to store the ZooKeeper data",
+                    "description": "StorageClass used to store the Kafka data",
-                    "default": ""
+                    "type": "string"
-                },
-                "resources": {
-                    "type": "object",
-                    "description": "Resources",
-                    "default": {}
-                },
-                "resourcesPreset": {
-                    "type": "string",
-                    "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
-                    "default": "small",
-                    "enum": [
-                        "none",
-                        "nano",
-                        "micro",
-                        "small",
-                        "medium",
-                        "large",
-                        "xlarge",
-                        "2xlarge"
-                    ]
                 }
-            }
+            },
+            "type": "object"
         },
         "topics": {
-            "type": "array",
-            "description": "Topics configuration",
             "default": [],
-            "items": {}
+            "description": "Topics configuration (see example)",
+            "items": {},
+            "type": "array"
+        },
+        "zookeeper": {
+            "properties": {
+                "replicas": {
+                    "default": 3,
+                    "description": "Number of ZooKeeper replicas",
+                    "type": "number"
+                },
+                "resources": {
+                    "default": {},
+                    "description": "Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.",
+                    "type": "object"
+                },
+                "resourcesPreset": {
+                    "default": "small",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
+                    "enum": [
+                        "nano",
+                        "micro",
+                        "small",
+                        "medium",
+                        "large",
+                        "xlarge",
+                        "2xlarge"
+                    ]
+                },
+                "size": {
+                    "default": "5Gi",
+                    "description": "Persistent Volume size for ZooKeeper",
+                    "type": "string"
+                },
+                "storageClass": {
+                    "default": "",
+                    "description": "StorageClass used to store the ZooKeeper data",
+                    "type": "string"
+                }
+            },
+            "type": "object"
         }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }

packages/apps/kafka/values.yaml

@@ -1,44 +1,12 @@
-
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param kafka.size Persistent Volume size for Kafka
-## @param kafka.replicas Number of Kafka replicas
-## @param kafka.storageClass StorageClass used to store the Kafka data
-## @param zookeeper.size Persistent Volume size for ZooKeeper
-## @param zookeeper.replicas Number of ZooKeeper replicas
-## @param zookeeper.storageClass StorageClass used to store the ZooKeeper data
 ##
+## @param external Enable external access from outside the cluster
 external: false
-kafka:
-  size: 10Gi
-  replicas: 3
-  storageClass: ""
-  ## @param kafka.resources Resources
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-  
-  ## @param kafka.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
-  resourcesPreset: "small"
 
-zookeeper:
-  size: 5Gi
-  replicas: 3
-  storageClass: ""
-  ## @param zookeeper.resources Resources
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-  
-  ## @param zookeeper.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
-  resourcesPreset: "small"
 
-## @section Configuration parameters
+## @section Application-specific parameters
-
+##
-## @param topics Topics configuration
+## @param topics Topics configuration (see example)
 ## Example:
 ## topics:
 ##   - name: Results
@@ -56,3 +24,41 @@ zookeeper:
 ##     replicas: 3
 ##
 topics: []
+
+## @section Kafka configuration
+##
+kafka:
+  ## @param kafka.replicas Number of Kafka replicas
+  replicas: 3
+  ## @param kafka.resources Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+  ## @param kafka.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "small"
+  ## @param kafka.size Persistent Volume size for Kafka
+  size: 10Gi
+  ## @param kafka.storageClass StorageClass used to store the Kafka data
+  storageClass: ""
+
+
+## @section Zookeeper configuration
+##
+zookeeper:
+  ## @param zookeeper.replicas Number of ZooKeeper replicas
+  replicas: 3
+  ## @param zookeeper.resources Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+  ## @param zookeeper.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "small"
+  ## @param zookeeper.size Persistent Volume size for ZooKeeper
+  size: 5Gi
+  ## @param zookeeper.storageClass StorageClass used to store the ZooKeeper data
+  storageClass: ""
+
+
+

packages/apps/kubernetes/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.24.2
+version: 0.26.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 1.32.4
+appVersion: 1.32.6

packages/apps/kubernetes/Makefile

@@ -1,15 +1,18 @@
 KUBERNETES_VERSION = v1.32
 KUBERNETES_PKG_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
-	yq -o json -i '.properties.controlPlane.properties.apiServer.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
+	yq -o=json -i '.properties.version.enum = (load("files/versions.yaml") | keys)' values.schema.json
-	yq -o json -i '.properties.controlPlane.properties.controllerManager.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
+	yq -o json -i '.properties.addons.properties.ingressNginx.properties.exposeMethod.enum = ["Proxied","LoadBalancer"]' values.schema.json
-	yq -o json -i '.properties.controlPlane.properties.scheduler.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
+	yq -o json -i '.properties.controlPlane.properties.apiServer.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
-	yq -o json -i '.properties.controlPlane.properties.konnectivity.properties.server.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
+	yq -o json -i '.properties.controlPlane.properties.controllerManager.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+	yq -o json -i '.properties.controlPlane.properties.scheduler.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+	yq -o json -i '.properties.controlPlane.properties.konnectivity.properties.server.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
 
 image: image-ubuntu-container-disk image-kubevirt-cloud-provider image-kubevirt-csi-driver image-cluster-autoscaler
 
@@ -63,6 +66,8 @@ image-kubevirt-csi-driver:
 		--load=$(LOAD)
 	echo "$(REGISTRY)/kubevirt-csi-driver:$(call settag,$(KUBERNETES_PKG_TAG))@$$(yq e '."containerimage.digest"' images/kubevirt-csi-driver.json -o json -r)" \
 		> images/kubevirt-csi-driver.tag
+	IMAGE=$$(cat images/kubevirt-csi-driver.tag) \
+		yq -i '.csiDriver.image = strenv(IMAGE)' ../../system/kubevirt-csi-node/values.yaml
 	rm -f images/kubevirt-csi-driver.json
 
 

packages/apps/kubernetes/README.md

@@ -11,6 +11,9 @@ Tenant clusters are fully separated from the management cluster and are intended
 Within a tenant cluster, users can take advantage of LoadBalancer services and easily provision physical volumes as needed.                               
 The control-plane operates within containers, while the worker nodes are deployed as virtual machines, all seamlessly managed by the application.
 
+Kubernetes version in tenant clusters is independent of Kubernetes in the management cluster.
+Users can select the latest patch versions from 1.28 to 1.33.
+
 ## Why Use a Managed Kubernetes Cluster?
 
 Kubernetes has emerged as the industry standard, providing a unified and accessible API, primarily utilizing YAML for configuration.
@@ -81,62 +84,79 @@ See the reference for components utilized in this service:
 
 ### Common Parameters
 
-| Name                    | Description                                                                                                       | Value        |
+| Name           | Description                           | Value        |
-| ----------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
+| -------------- | ------------------------------------- | ------------ |
-| `host`                  | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
+| `storageClass` | StorageClass used to store user data. | `replicated` |
-| `controlPlane.replicas` | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
+
-| `storageClass`          | StorageClass used to store user data.                                                                             | `replicated` |
+### Application-specific parameters
-| `nodeGroups`            | nodeGroups configuration                                                                                          | `{}`         |
+
+| Name         | Description                                                                                                       | Value   |
+| ------------ | ----------------------------------------------------------------------------------------------------------------- | ------- |
+| `version`    | Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.                               | `v1.32` |
+| `host`       | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`    |
+| `nodeGroups` | Worker nodes configuration (see example)                                                                          | `{}`    |
 
 ### Cluster Addons
 
-| Name                                          | Description                                                                                                                                                                       | Value   |
+| Name                                          | Description                                                                                                                                                                       | Value     |
-| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
-| `addons.certManager.enabled`                  | Enable cert-manager, which automatically creates and manages SSL/TLS certificates.                                                                                                | `false` |
+| `addons.certManager.enabled`                  | Enable cert-manager, which automatically creates and manages SSL/TLS certificates.                                                                                                | `false`   |
-| `addons.certManager.valuesOverride`           | Custom values to override                                                                                                                                                         | `{}`    |
+| `addons.certManager.valuesOverride`           | Custom values to override                                                                                                                                                         | `{}`      |
-| `addons.cilium.valuesOverride`                | Custom values to override                                                                                                                                                         | `{}`    |
+| `addons.cilium.valuesOverride`                | Custom values to override                                                                                                                                                         | `{}`      |
-| `addons.gatewayAPI.enabled`                   | Enable the Gateway API                                                                                                                                                            | `false` |
+| `addons.gatewayAPI.enabled`                   | Enable the Gateway API                                                                                                                                                            | `false`   |
-| `addons.ingressNginx.enabled`                 | Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).                                                                                       | `false` |
+| `addons.ingressNginx.enabled`                 | Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).                                                                                       | `false`   |
-| `addons.ingressNginx.valuesOverride`          | Custom values to override                                                                                                                                                         | `{}`    |
+| `addons.ingressNginx.exposeMethod`            | Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)                                                                                            | `Proxied` |
-| `addons.ingressNginx.hosts`                   | List of domain names that the parent cluster should route to this tenant cluster.                                                                                                 | `[]`    |
+| `addons.ingressNginx.hosts`                   | List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.                                | `[]`      |
-| `addons.gpuOperator.enabled`                  | Enable the GPU-operator                                                                                                                                                           | `false` |
+| `addons.ingressNginx.valuesOverride`          | Custom values to override                                                                                                                                                         | `{}`      |
-| `addons.gpuOperator.valuesOverride`           | Custom values to override                                                                                                                                                         | `{}`    |
+| `addons.gpuOperator.enabled`                  | Enable the GPU-operator                                                                                                                                                           | `false`   |
-| `addons.fluxcd.enabled`                       | Enable FluxCD                                                                                                                                                                     | `false` |
+| `addons.gpuOperator.valuesOverride`           | Custom values to override                                                                                                                                                         | `{}`      |
-| `addons.fluxcd.valuesOverride`                | Custom values to override                                                                                                                                                         | `{}`    |
+| `addons.fluxcd.enabled`                       | Enable FluxCD                                                                                                                                                                     | `false`   |
-| `addons.monitoringAgents.enabled`             | Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage. | `false` |
+| `addons.fluxcd.valuesOverride`                | Custom values to override                                                                                                                                                         | `{}`      |
-| `addons.monitoringAgents.valuesOverride`      | Custom values to override                                                                                                                                                         | `{}`    |
+| `addons.monitoringAgents.enabled`             | Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage. | `false`   |
-| `addons.verticalPodAutoscaler.valuesOverride` | Custom values to override                                                                                                                                                         | `{}`    |
+| `addons.monitoringAgents.valuesOverride`      | Custom values to override                                                                                                                                                         | `{}`      |
+| `addons.verticalPodAutoscaler.valuesOverride` | Custom values to override                                                                                                                                                         | `{}`      |
+| `addons.velero.enabled`                       | Enable velero for backup and restore k8s cluster.                                                                                                                                 | `false`   |
+| `addons.velero.valuesOverride`                | Custom values to override                                                                                                                                                         | `{}`      |
 
 ### Kubernetes Control Plane Configuration
 
-| Name                                               | Description                                                                                                                                      | Value    |
+| Name                                               | Description                                                                                                                            | Value    |
-| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------- |
+| -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | -------- |
-| `controlPlane.apiServer.resources`                 | Explicit CPU/memory resource requests and limits for the API server.                                                                             | `{}`     |
+| `controlPlane.replicas`                            | Number of replicas for Kubernetes control-plane components.                                                                            | `2`      |
-| `controlPlane.apiServer.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `medium` |
+| `controlPlane.apiServer.resources`                 | Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.         | `{}`     |
-| `controlPlane.controllerManager.resources`         | Explicit CPU/memory resource requests and limits for the controller manager.                                                                     | `{}`     |
+| `controlPlane.apiServer.resourcesPreset`           | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `medium` |
-| `controlPlane.controllerManager.resourcesPreset`   | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `micro`  |
+| `controlPlane.controllerManager.resources`         | Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`     |
-| `controlPlane.scheduler.resources`                 | Explicit CPU/memory resource requests and limits for the scheduler.                                                                              | `{}`     |
+| `controlPlane.controllerManager.resourcesPreset`   | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `micro`  |
-| `controlPlane.scheduler.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `micro`  |
+| `controlPlane.scheduler.resources`                 | Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.          | `{}`     |
-| `controlPlane.konnectivity.server.resources`       | Explicit CPU/memory resource requests and limits for the Konnectivity.                                                                           | `{}`     |
+| `controlPlane.scheduler.resourcesPreset`           | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `micro`  |
-| `controlPlane.konnectivity.server.resourcesPreset` | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `micro`  |
+| `controlPlane.konnectivity.server.resources`       | Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.           | `{}`     |
+| `controlPlane.konnectivity.server.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `micro`  |
 
-In production environments, it's recommended to set `resources` explicitly.
+## Parameter examples and reference
-Example of `controlPlane.*.resources`:
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
 
 ```yaml
 resources:
-  limits:
+  cpu: 4000m
-    cpu: 4000m
+  memory: 4Gi
-    memory: 4Gi
-  requests:
-    cpu: 100m
-    memory: 512Mi
 ```
 
-Allowed values for `controlPlane.*.resourcesPreset` are `none`, `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
+`resourcesPreset` sets named CPU and memory configurations for each replica.
-This value is ignored if the corresponding `resources` value is set. 
+This setting is ignored if the corresponding `resources` value is set.
 
-## Resources Reference
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `250m` | `128Mi` |
+| `micro`     | `500m` | `256Mi` |
+| `small`     | `1`    | `512Mi` |
+| `medium`    | `1`    | `1Gi`   |
+| `large`     | `2`    | `2Gi`   |
+| `xlarge`    | `4`    | `4Gi`   |
+| `2xlarge`   | `8`    | `8Gi`   |
 
 ### instanceType Resources
 
@@ -300,4 +320,3 @@ Specific characteristics of this series are:
   workload.
 - *vCPU-To-Memory Ratio (1:4)* - A vCPU-to-Memory ratio of 1:4 starting from
   the medium size.
-

packages/apps/kubernetes/files/versions.yaml

@@ -0,0 +1,6 @@
+"v1.28": "v1.28.15"
+"v1.29": "v1.29.15"
+"v1.30": "v1.30.14"
+"v1.31": "v1.31.10"
+"v1.32": "v1.32.6"
+"v1.33": "v1.33.0"

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.24.2@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.26.0@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.24.2@sha256:b478952fab735f85c3ba15835012b1de8af5578b33a8a2670eaf532ffc17681e
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.26.0@sha256:71f9afa218693a890f827cb5cda98ba327302bd9f58afde767740557538e07d9

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.24.2@sha256:598ab20550dbf495717e8e123e6b626bb36298f88dde851664301d393ac06ca3
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.26.0@sha256:445c2727b04ac68595b43c988ff17b3d69a7b22b0644fde3b10c65b47a7bc036

packages/apps/kubernetes/images/kubevirt-csi-driver/Dockerfile

@@ -3,7 +3,7 @@ ARG builder_image=docker.io/library/golang:1.22.5
 FROM ${builder_image} AS builder
 RUN git clone https://github.com/kubevirt/csi-driver /src/kubevirt-csi-driver \
  && cd /src/kubevirt-csi-driver \
- && git checkout 35836e0c8b68d9916d29a838ea60cdd3fc6199cf
+ && git checkout a8d6605bc9997bcfda3fb9f1f82ba6445b4984cc
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -11,6 +11,7 @@ ENV GOOS=$TARGETOS
 ENV GOARCH=$TARGETARCH
 
 WORKDIR /src/kubevirt-csi-driver
+
 RUN make build
 
 FROM quay.io/centos/centos:stream9

packages/apps/kubernetes/templates/_versions.tpl

@@ -0,0 +1,7 @@
+{{- define "kubernetes.versionMap" }}
+{{- $versionMap := .Files.Get "files/versions.yaml" | fromYaml }}
+{{- if not (hasKey $versionMap .Values.version) }}
+    {{- printf `Kubernetes version %s is not supported, allowed versions are %s` $.Values.version (keys $versionMap) | fail }}
+{{- end }}
+{{- index $versionMap .Values.version }}
+{{- end }}

packages/apps/kubernetes/templates/cluster.yaml

@@ -120,23 +120,11 @@ metadata:
     kamaji.clastix.io/kubeconfig-secret-key: "super-admin.svc"
 spec:
   apiServer:
-    {{- if .Values.controlPlane.apiServer.resources }}
+    resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.controlPlane.apiServer.resourcesPreset .Values.controlPlane.apiServer.resources $) | nindent 6 }}
-    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.controlPlane.apiServer.resources $) | nindent 6 }}
-    {{- else if ne .Values.controlPlane.apiServer.resourcesPreset "none" }}
-    resources: {{- include "cozy-lib.resources.preset" (list .Values.controlPlane.apiServer.resourcesPreset $) | nindent 6 }}
-    {{- end }}
   controllerManager:
-    {{- if .Values.controlPlane.controllerManager.resources }}
+    resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.controlPlane.controllerManager.resourcesPreset .Values.controlPlane.controllerManager.resources $) | nindent 6 }}
-    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.controlPlane.controllerManager.resources $) | nindent 6 }}
-    {{- else if ne .Values.controlPlane.controllerManager.resourcesPreset "none" }}
-    resources: {{- include "cozy-lib.resources.preset" (list .Values.controlPlane.controllerManager.resourcesPreset $) | nindent 6 }}
-    {{- end }}
   scheduler:
-    {{- if .Values.controlPlane.scheduler.resources }}
+    resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.controlPlane.scheduler.resourcesPreset .Values.controlPlane.scheduler.resources $) | nindent 6 }}
-    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.controlPlane.scheduler.resources $) | nindent 6 }}
-    {{- else if ne .Values.controlPlane.scheduler.resourcesPreset "none" }}
-    resources: {{- include "cozy-lib.resources.preset" (list .Values.controlPlane.scheduler.resourcesPreset $) | nindent 6 }}
-    {{- end }}
   dataStoreName: "{{ $etcd }}"
   addons:
     coreDNS:
@@ -145,11 +133,7 @@ spec:
     konnectivity:
       server:
         port: 8132
-        {{- if .Values.controlPlane.konnectivity.server.resources }}
+        resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.controlPlane.konnectivity.server.resourcesPreset .Values.controlPlane.konnectivity.server.resources $) | nindent 10 }}
-        resources: {{- include "cozy-lib.resources.sanitize" (list .Values.controlPlane.konnectivity.server.resources $) | nindent 10 }}
-        {{- else if ne .Values.controlPlane.konnectivity.server.resourcesPreset "none" }}
-        resources: {{- include "cozy-lib.resources.preset" (list .Values.controlPlane.konnectivity.server.resourcesPreset $) | nindent 10 }}
-        {{- end }}
   kubelet:
     cgroupfs: systemd
     preferredAddressTypes:
@@ -167,7 +151,7 @@ spec:
       labels:
         policy.cozystack.io/allow-to-etcd: "true"
   replicas: 2
-  version: {{ $.Chart.AppVersion }}
+  version: {{ include "kubernetes.versionMap" $ }}
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: WorkloadMonitor
@@ -306,7 +290,7 @@ spec:
         kind: KubevirtMachineTemplate
         name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
         namespace: {{ $.Release.Namespace }}
-      version: v{{ $.Chart.AppVersion }}
+      version: {{ include "kubernetes.versionMap" $}}
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineHealthCheck

packages/apps/kubernetes/templates/csi/deploy.yaml

@@ -69,6 +69,11 @@ spec:
             requests:
               cpu: 125m
               memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
         - name: csi-provisioner
           image: quay.io/openshift/origin-csi-external-provisioner:latest
           resources:
@@ -78,6 +83,11 @@ spec:
             requests:
               cpu: 125m
               memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
           args:
             - "--csi-address=$(ADDRESS)"
             - "--default-fstype=ext4"
@@ -118,6 +128,11 @@ spec:
             requests:
               cpu: 125m
               memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
         - name: csi-liveness-probe
           image: quay.io/openshift/origin-csi-livenessprobe:latest
           args:
@@ -134,6 +149,62 @@ spec:
             requests:
               cpu: 125m
               memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+        - name: csi-snapshotter
+          args:
+          - --timeout=1m
+          - --csi-address=$(ADDRESS)
+          - --worker-threads=10
+          - --kubeconfig=/etc/kubernetes/kubeconfig/super-admin.svc
+          env:
+          - name: ADDRESS
+            value: /csi/csi.sock
+          image: registry.k8s.io/sig-storage/csi-snapshotter:v8.3.0
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 512m
+              memory: 512Mi
+            requests:
+              cpu: 125m
+              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+          - mountPath: /csi
+            name: socket-dir
+          - mountPath: /etc/kubernetes/kubeconfig
+            name: kubeconfig
+            readOnly: true
+        - name: snapshot-controller
+          image: registry.k8s.io/sig-storage/snapshot-controller:v8.3.0
+          args:
+            - --worker-threads=10
+            - --kubeconfig=/etc/kubernetes/kubeconfig/super-admin.svc
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 512m
+              memory: 512Mi
+            requests:
+              cpu: 125m
+              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+          - mountPath: /etc/kubernetes/kubeconfig
+            name: kubeconfig
+            readOnly: true
       volumes:
         - name: socket-dir
           emptyDir: {}

packages/apps/kubernetes/templates/csi/infra-cluster-service-account.yaml

@@ -13,11 +13,17 @@ rules:
   resources: ["datavolumes"]
   verbs: ["get", "create", "delete"]
 - apiGroups: ["kubevirt.io"]
-  resources: ["virtualmachineinstances"]
+  resources: ["virtualmachineinstances", "virtualmachines"]
   verbs: ["list", "get"]
 - apiGroups: ["subresources.kubevirt.io"]
-  resources: ["virtualmachineinstances/addvolume", "virtualmachineinstances/removevolume"]
+  resources: ["virtualmachines/addvolume", "virtualmachines/removevolume"]
   verbs: ["update"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+  resources: ["volumesnapshots"]
+  verbs: ["get", "create", "delete"]
+- apiGroups: [""]
+  resources: ["persistentvolumeclaims"]
+  verbs: ["get", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -40,6 +40,7 @@ spec:
                 {{ .Release.Name }}-fluxcd-operator
                 {{ .Release.Name }}-fluxcd
                 {{ .Release.Name }}-gpu-operator
+                {{ .Release.Name }}-velero
                 -p '{"spec": {"suspend": true}}'
                 --type=merge --field-manager=flux-client-side-apply || true
 ---
@@ -79,6 +80,8 @@ rules:
       - {{ .Release.Name }}-fluxcd-operator
       - {{ .Release.Name }}-fluxcd
       - {{ .Release.Name }}-gpu-operator
+      - {{ .Release.Name }}-velero
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml

@@ -3,9 +3,11 @@ ingress-nginx:
   fullnameOverride: ingress-nginx
   controller:
     kind: DaemonSet
+    {{- if eq .Values.addons.ingressNginx.exposeMethod "Proxied" }}
     hostNetwork: true
     service:
       enabled: false
+    {{- end }}
     {{- if not .Values.addons.certManager.enabled }}
     admissionWebhooks:
       certManager:

packages/apps/kubernetes/templates/helmreleases/velero.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.addons.velero.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-velero
+  labels:
+    cozystack.io/repository: system
+    cozystack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: velero
+  chart:
+    spec:
+      chart: cozy-velero
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-admin-kubeconfig
+      key: super-admin.svc
+  targetNamespace: cozy-velero
+  storageNamespace: cozy-velero
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  {{- with .Values.addons.velero.valuesOverride }}
+  values:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/apps/kubernetes/templates/helmreleases/volumesnapshot_crd.yaml

@@ -0,0 +1,39 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-volumesnapshot-crd-for-tenant-k8s
+  labels:
+    cozystack.io/repository: system
+    cozystack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: volumesnapshot-crd-for-tenant-k8s
+  chart:
+    spec:
+      chart: cozy-volumesnapshot-crd-for-tenant-k8s
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-admin-kubeconfig
+      key: super-admin.svc
+  targetNamespace: cozy-volumesnapshot-crd-for-tenant-k8s
+  storageNamespace: cozy-volumesnapshot-crd-for-tenant-k8s
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}

packages/apps/kubernetes/templates/ingress.yaml

@@ -1,6 +1,6 @@
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
-{{- if .Values.addons.ingressNginx.hosts }}
+{{- if and (eq .Values.addons.ingressNginx.exposeMethod "Proxied") .Values.addons.ingressNginx.hosts }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress

packages/apps/kubernetes/values.schema.json

@@ -1,34 +1,159 @@
 {
-  "title": "Chart Values",
-  "type": "object",
   "properties": {
-    "host": {
+    "addons": {
-      "type": "string",
+      "properties": {
-      "description": "Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.",
+        "certManager": {
-      "default": ""
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable cert-manager, which automatically creates and manages SSL/TLS certificates.",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "cilium": {
+          "properties": {
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "fluxcd": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable FluxCD",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "gatewayAPI": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable the Gateway API",
+              "type": "boolean"
+            }
+          },
+          "type": "object"
+        },
+        "gpuOperator": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable the GPU-operator",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "ingressNginx": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).",
+              "type": "boolean"
+            },
+            "exposeMethod": {
+              "default": "Proxied",
+              "description": "Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)",
+              "type": "string",
+              "enum": [
+                "Proxied",
+                "LoadBalancer"
+              ]
+            },
+            "hosts": {
+              "default": [],
+              "description": "List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.",
+              "items": {},
+              "type": "array"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "monitoringAgents": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage.",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "velero": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable velero for backup and restore k8s cluster.",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "verticalPodAutoscaler": {
+          "properties": {
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        }
+      },
+      "type": "object"
     },
     "controlPlane": {
-      "type": "object",
       "properties": {
-        "replicas": {
-          "type": "number",
-          "description": "Number of replicas for Kubernetes control-plane components.",
-          "default": 2
-        },
         "apiServer": {
-          "type": "object",
           "properties": {
             "resources": {
-              "type": "object",
+              "default": {},
-              "description": "Explicit CPU/memory resource requests and limits for the API server.",
+              "description": "Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.",
-              "default": {}
+              "type": "object"
             },
             "resourcesPreset": {
-              "type": "string",
-              "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
               "default": "medium",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+              "type": "string",
               "enum": [
-                "none",
                 "nano",
                 "micro",
                 "small",
@@ -38,22 +163,21 @@
                 "2xlarge"
               ]
             }
-          }
+          },
+          "type": "object"
         },
         "controllerManager": {
-          "type": "object",
           "properties": {
             "resources": {
-              "type": "object",
+              "default": {},
-              "description": "Explicit CPU/memory resource requests and limits for the controller manager.",
+              "description": "Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.",
-              "default": {}
+              "type": "object"
             },
             "resourcesPreset": {
-              "type": "string",
-              "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
               "default": "micro",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+              "type": "string",
               "enum": [
-                "none",
                 "nano",
                 "micro",
                 "small",
@@ -63,50 +187,23 @@
                 "2xlarge"
               ]
             }
-          }
+          },
-        },
+          "type": "object"
-        "scheduler": {
-          "type": "object",
-          "properties": {
-            "resources": {
-              "type": "object",
-              "description": "Explicit CPU/memory resource requests and limits for the scheduler.",
-              "default": {}
-            },
-            "resourcesPreset": {
-              "type": "string",
-              "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
-              "default": "micro",
-              "enum": [
-                "none",
-                "nano",
-                "micro",
-                "small",
-                "medium",
-                "large",
-                "xlarge",
-                "2xlarge"
-              ]
-            }
-          }
         },
         "konnectivity": {
-          "type": "object",
           "properties": {
             "server": {
-              "type": "object",
               "properties": {
                 "resources": {
-                  "type": "object",
+                  "default": {},
-                  "description": "Explicit CPU/memory resource requests and limits for the Konnectivity.",
+                  "description": "Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.",
-                  "default": {}
+                  "type": "object"
                 },
                 "resourcesPreset": {
-                  "type": "string",
-                  "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
                   "default": "micro",
+                  "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                  "type": "string",
                   "enum": [
-                    "none",
                     "nano",
                     "micro",
                     "small",
@@ -116,132 +213,68 @@
                     "2xlarge"
                   ]
                 }
-              }
+              },
+              "type": "object"
             }
-          }
+          },
+          "type": "object"
+        },
+        "replicas": {
+          "default": 2,
+          "description": "Number of replicas for Kubernetes control-plane components.",
+          "type": "number"
+        },
+        "scheduler": {
+          "properties": {
+            "resources": {
+              "default": {},
+              "description": "Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.",
+              "type": "object"
+            },
+            "resourcesPreset": {
+              "default": "micro",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+              "type": "string",
+              "enum": [
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+              ]
+            }
+          },
+          "type": "object"
         }
-      }
+      },
+      "type": "object"
+    },
+    "host": {
+      "default": "",
+      "description": "Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.",
+      "type": "string"
     },
     "storageClass": {
-      "type": "string",
+      "default": "replicated",
       "description": "StorageClass used to store user data.",
-      "default": "replicated"
+      "type": "string"
     },
-    "addons": {
+    "version": {
-      "type": "object",
+      "default": "v1.32",
-      "properties": {
+      "description": "Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.",
-        "certManager": {
+      "type": "string",
-          "type": "object",
+      "enum": [
-          "properties": {
+        "v1.28",
-            "enabled": {
+        "v1.29",
-              "type": "boolean",
+        "v1.30",
-              "description": "Enable cert-manager, which automatically creates and manages SSL/TLS certificates.",
+        "v1.31",
-              "default": false
+        "v1.32",
-            },
+        "v1.33"
-            "valuesOverride": {
+      ]
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "cilium": {
-          "type": "object",
-          "properties": {
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "gatewayAPI": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable the Gateway API",
-              "default": false
-            }
-          }
-        },
-        "ingressNginx": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            },
-            "hosts": {
-              "type": "array",
-              "description": "List of domain names that the parent cluster should route to this tenant cluster.",
-              "default": [],
-              "items": {}
-            }
-          }
-        },
-        "gpuOperator": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable the GPU-operator",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "fluxcd": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable FluxCD",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "monitoringAgents": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage.",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "verticalPodAutoscaler": {
-          "type": "object",
-          "properties": {
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        }
-      }
     }
-  }
+  },
+  "title": "Chart Values",
+  "type": "object"
 }

packages/apps/kubernetes/values.yaml

@@ -1,13 +1,14 @@
 ## @section Common Parameters
 
-## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
-## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
 ## @param storageClass StorageClass used to store user data.
-##
-host: ""
 storageClass: replicated
 
-## @param nodeGroups [object] nodeGroups configuration
+## @section Application-specific parameters
+## @param version Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.
+version: "v1.32"
+## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
+host: ""
+## @param nodeGroups [object] Worker nodes configuration (see example)
 ##
 nodeGroups:
   md0:
@@ -33,13 +34,12 @@ nodeGroups:
 ## @section Cluster Addons
 ##
 addons:
-
   ## Cert-manager: automatically creates and manages SSL/TLS certificate
   ##
   certManager:
     ## @param addons.certManager.enabled Enable cert-manager, which automatically creates and manages SSL/TLS certificates.
-    ## @param addons.certManager.valuesOverride Custom values to override
     enabled: false
+    ## @param addons.certManager.valuesOverride Custom values to override
     valuesOverride: {}
 
   ## Cilium CNI plugin
@@ -58,16 +58,17 @@ addons:
   ##
   ingressNginx:
     ## @param addons.ingressNginx.enabled Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).
-    ## @param addons.ingressNginx.valuesOverride Custom values to override
-    ##
     enabled: false
-    ## @param addons.ingressNginx.hosts List of domain names that the parent cluster should route to this tenant cluster.
+    ## @param addons.ingressNginx.exposeMethod Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)
+    exposeMethod: Proxied
+    ## @param addons.ingressNginx.hosts List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.
     ## e.g:
     ## hosts:
     ## - example.org
     ## - foo.example.net
     ##
     hosts: []
+    ## @param addons.ingressNginx.valuesOverride Custom values to override
     valuesOverride: {}
 
   ## GPU-operator: NVIDIA GPU Operator
@@ -103,38 +104,46 @@ addons:
     ##
     valuesOverride: {}
 
+  ## Velero
+  ##
+  velero:
+    ## @param addons.velero.enabled Enable velero for backup and restore k8s cluster.
+    ## @param addons.velero.valuesOverride Custom values to override
+    ##
+    enabled: false
+    valuesOverride: {}
+
 ## @section Kubernetes Control Plane Configuration
 ##
-
 controlPlane:
+  ## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
   replicas: 2
-
   apiServer:
-    ## @param controlPlane.apiServer.resources Explicit CPU/memory resource requests and limits for the API server.
+    ## @param controlPlane.apiServer.resources Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.
-    ## @param controlPlane.apiServer.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+    resources: {}
+    ## @param controlPlane.apiServer.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
     ## e.g:
     ## resources:
     ##   cpu: 4000m
     ##   memory: 4Gi
     ##
     resourcesPreset: "medium"
-    resources: {}
 
   controllerManager:
-    ## @param controlPlane.controllerManager.resources Explicit CPU/memory resource requests and limits for the controller manager.
+    ## @param controlPlane.controllerManager.resources Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.
-    ## @param controlPlane.controllerManager.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+    ## @param controlPlane.controllerManager.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
     resourcesPreset: "micro"
     resources: {}
 
   scheduler:
-    ## @param controlPlane.scheduler.resources Explicit CPU/memory resource requests and limits for the scheduler.
+    ## @param controlPlane.scheduler.resources Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.
-    ## @param controlPlane.scheduler.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+    ## @param controlPlane.scheduler.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
     resourcesPreset: "micro"
     resources: {}
 
   konnectivity:
     server:
-      ## @param controlPlane.konnectivity.server.resources Explicit CPU/memory resource requests and limits for the Konnectivity.
+      ## @param controlPlane.konnectivity.server.resources Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.
-      ## @param controlPlane.konnectivity.server.resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
+      ## @param controlPlane.konnectivity.server.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
       resourcesPreset: "micro"
       resources: {}

packages/apps/mysql/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.2
+version: 0.9.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/mysql/Makefile

@@ -1,11 +1,12 @@
 MARIADB_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
 
 image:
 	docker buildx build images/mariadb-backup \

packages/apps/mysql/README.md

@@ -1,6 +1,7 @@
 ## Managed MariaDB Service
 
-The Managed MariaDB Service offers a powerful and widely used relational database solution. This service allows you to create and manage a replicated MariaDB cluster seamlessly.
+The Managed MariaDB Service offers a powerful and widely used relational database solution.
+This service allows you to create and manage a replicated MariaDB cluster seamlessly.
 
 ## Deployment Details
 
@@ -46,7 +47,7 @@ restic -r s3:s3.example.org/mariadb-backups/database_name restore latest --targe
 ```
 
 more details:
-- https://itnext.io/restic-effective-backup-from-stdin-4bc1e8f083c1
+- https://blog.aenix.io/restic-effective-backup-from-stdin-4bc1e8f083c1
 
 ### Known issues
 
@@ -67,14 +68,16 @@ more details:
 
 ### Common parameters
 
-| Name           | Description                                     | Value   |
+| Name              | Description                                                                                                                          | Value   |
-| -------------- | ----------------------------------------------- | ------- |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------- |
-| `external`     | Enable external access from outside the cluster | `false` |
+| `replicas`        | Number of MariaDB replicas                                                                                                           | `2`     |
-| `size`         | Persistent Volume size                          | `10Gi`  |
+| `resources`       | Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `replicas`     | Number of MariaDB replicas                      | `2`     |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.          | `nano`  |
-| `storageClass` | StorageClass used to store the data             | `""`    |
+| `size`            | Persistent Volume size                                                                                                               | `10Gi`  |
+| `storageClass`    | StorageClass used to store the data                                                                                                  | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                      | `false` |
 
-### Configuration parameters
+### Application-specific parameters
 
 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
@@ -83,16 +86,64 @@ more details:
 
 ### Backup parameters
 
-| Name                     | Description                                                                                                                                      | Value                                                  |
+| Name                     | Description                                    | Value                                                  |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable pereiodic backups                                                                                                                         | `false`                                                |
+| `backup.enabled`         | Enable periodic backups                        | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                       | `us-east-1`                                            |
+| `backup.s3Region`        | The AWS S3 region where backups are stored     | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                           | `s3.example.org/postgres-backups`                      |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups         | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                              | `0 2 * * *`                                            |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                         | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups       | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                   | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                   | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                        | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption      | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Resources                                                                                                                                        | `{}`                                                   |
-| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`                                                 |
 
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcesPreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `250m` | `128Mi` |
+| `micro`     | `500m` | `256Mi` |
+| `small`     | `1`    | `512Mi` |
+| `medium`    | `1`    | `1Gi`   |
+| `large`     | `2`    | `2Gi`   |
+| `xlarge`    | `4`    | `4Gi`   |
+| `2xlarge`   | `8`    | `8Gi`   |
+
+### users
+
+```yaml
+users:
+  user1:
+    maxUserConnections: 1000
+    password: hackme
+  user2:
+    maxUserConnections: 1000
+    password: hackme
+```
+
+
+### databases
+
+```yaml
+databases:
+  myapp1:
+    roles:
+      admin:
+      - user1
+      readonly:
+      - user2
+```

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/mariadb-backup:0.8.1@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4
+ghcr.io/cozystack/cozystack/mariadb-backup:0.9.1@sha256:a3789db9e9e065ff60cbac70771b4a8aa1460db3194307cf5ca5d4fe1b412b6b

packages/apps/mysql/templates/mariadb.yaml

@@ -80,8 +80,4 @@ spec:
   #secondaryService:
   #  type: LoadBalancer
 
-  {{- if .Values.resources }}
+  resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 4 }}
-  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
-  {{- else if ne .Values.resourcesPreset "none" }}
-  resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 4 }}
-  {{- end }}

packages/apps/mysql/values.schema.json

@@ -1,83 +1,70 @@
 {
-    "title": "Chart Values",
-    "type": "object",
     "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of MariaDB replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
         "backup": {
-            "type": "object",
             "properties": {
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable pereiodic backups",
-                    "default": false
-                },
-                "s3Region": {
-                    "type": "string",
-                    "description": "The AWS S3 region where backups are stored",
-                    "default": "us-east-1"
-                },
-                "s3Bucket": {
-                    "type": "string",
-                    "description": "The S3 bucket used for storing backups",
-                    "default": "s3.example.org/postgres-backups"
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
-                },
                 "cleanupStrategy": {
-                    "type": "string",
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m",
                     "description": "The strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                    "type": "string"
                 },
-                "s3AccessKey": {
+                "enabled": {
-                    "type": "string",
+                    "default": false,
-                    "description": "The access key for S3, used for authentication",
+                    "description": "Enable periodic backups",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                    "type": "boolean"
-                },
-                "s3SecretKey": {
-                    "type": "string",
-                    "description": "The secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
                 },
                 "resticPassword": {
-                    "type": "string",
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0",
                     "description": "The password for Restic backup encryption",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                    "type": "string"
+                },
+                "s3AccessKey": {
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
+                    "description": "The access key for S3, used for authentication",
+                    "type": "string"
+                },
+                "s3Bucket": {
+                    "default": "s3.example.org/postgres-backups",
+                    "description": "The S3 bucket used for storing backups",
+                    "type": "string"
+                },
+                "s3Region": {
+                    "default": "us-east-1",
+                    "description": "The AWS S3 region where backups are stored",
+                    "type": "string"
+                },
+                "s3SecretKey": {
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
+                    "description": "The secret key for S3, used for authentication",
+                    "type": "string"
+                },
+                "schedule": {
+                    "default": "0 2 * * *",
+                    "description": "Cron schedule for automated backups",
+                    "type": "string"
                 }
-            }
+            },
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of MariaDB replicas",
+            "type": "number"
         },
         "resources": {
-            "type": "object",
+            "default": {},
-            "description": "Resources",
+            "description": "Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
         },
         "resourcesPreset": {
-            "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
             "default": "nano",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
             "enum": [
-                "none",
                 "nano",
                 "micro",
                 "small",
@@ -86,6 +73,18 @@
                 "xlarge",
                 "2xlarge"
             ]
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
         }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }

packages/apps/mysql/values.yaml

@@ -1,17 +1,23 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of MariaDB replicas
-## @param storageClass StorageClass used to store the data
 ##
-external: false
+## @param replicas Number of MariaDB replicas
-size: 10Gi
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "nano"
+## @param size Persistent Volume size
+size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
+## @param external Enable external access from outside the cluster
+external: false
 
-## @section Configuration parameters
+## @section Application-specific parameters
-
+##
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -36,8 +42,8 @@ users: {}
 databases: {}
 
 ## @section Backup parameters
-
+##
-## @param backup.enabled Enable pereiodic backups
+## @param backup.enabled Enable periodic backups
 ## @param backup.s3Region The AWS S3 region where backups are stored
 ## @param backup.s3Bucket The S3 bucket used for storing backups
 ## @param backup.schedule Cron schedule for automated backups
@@ -55,11 +61,3 @@ backup:
   s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
   resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
 
-## @param resources Resources
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
- 
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
-resourcesPreset: "nano"

packages/apps/nats/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.1
+version: 0.8.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/nats/Makefile

@@ -1,5 +1,6 @@
 include ../../../scripts/package.mk
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json

packages/apps/nats/README.md

@@ -1,18 +1,53 @@
 # Managed NATS Service
 
+NATS is an open-source, simple, secure, and high performance messaging system.
+It provides a data layer for cloud native applications, IoT messaging, and microservices architectures.
+
 ## Parameters
 
 ### Common parameters
 
-| Name                | Description                                                                                                                                      | Value   |
+| Name              | Description                                                                                                                       | Value   |
-| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`          | Enable external access from outside the cluster                                                                                                  | `false` |
+| `replicas`        | Number of replicas                                                                                                                | `2`     |
-| `replicas`          | Persistent Volume size for NATS                                                                                                                  | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `storageClass`      | StorageClass used to store the data                                                                                                              | `""`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.       | `nano`  |
-| `users`             | Users configuration                                                                                                                              | `{}`    |
+| `storageClass`    | StorageClass used to store the data                                                                                               | `""`    |
-| `jetstream.size`    | Jetstream persistent storage size                                                                                                                | `10Gi`  |
+| `external`        | Enable external access from outside the cluster                                                                                   | `false` |
-| `jetstream.enabled` | Enable or disable Jetstream                                                                                                                      | `true`  |
+
-| `config.merge`      | Additional configuration to merge into NATS config                                                                                               | `{}`    |
+### Application-specific parameters
-| `config.resolver`   | Additional configuration to merge into NATS config                                                                                               | `{}`    |
+
-| `resources`         | Resources                                                                                                                                        | `{}`    |
+| Name                | Description                                                               | Value  |
-| `resourcesPreset`   | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `nano`  |
+| ------------------- | ------------------------------------------------------------------------- | ------ |
+| `users`             | Users configuration (see example)                                         | `{}`   |
+| `jetstream.enabled` | Enable or disable Jetstream                                               | `true` |
+| `jetstream.size`    | Jetstream persistent storage size                                         | `10Gi` |
+| `config.merge`      | Additional configuration to merge into NATS config (see example)          | `{}`   |
+| `config.resolver`   | Additional resolver configuration to merge into NATS config (see example) | `{}`   |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcesPreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `250m` | `128Mi` |
+| `micro`     | `500m` | `256Mi` |
+| `small`     | `1`    | `512Mi` |
+| `medium`    | `1`    | `1Gi`   |
+| `large`     | `2`    | `2Gi`   |
+| `xlarge`    | `4`    | `4Gi`   |
+| `2xlarge`   | `8`    | `8Gi`   |
+

packages/apps/nats/templates/nats.yaml

@@ -46,16 +46,9 @@ spec:
             containers:
               - name: nats
                 image: nats:2.10.17-alpine
-                {{- if .Values.resources }}
+                resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 22 }}
-                resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 22 }}
-                {{- else if ne .Values.resourcesPreset "none" }}
-                resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 22 }}
-                {{- end }}
       fullnameOverride: {{ .Release.Name }}
       config:
-        cluster:
-          routeURLs:
-            k8sClusterDomain: {{ $clusterDomain }}
         {{- if or (gt (len $passwords) 0) (gt (len .Values.config.merge) 0) }}
         merge:
           {{- if gt (len $passwords) 0 }}
@@ -77,6 +70,8 @@ spec:
         {{- end }}
         cluster:
           enabled: true
+          routeURLs:
+            k8sClusterDomain: {{ $clusterDomain }}
           replicas: {{ .Values.replicas }}
         monitor:
           enabled: true

packages/apps/nats/values.schema.json

@@ -1,63 +1,55 @@
 {
-    "title": "Chart Values",
-    "type": "object",
     "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Persistent Volume size for NATS",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "jetstream": {
-            "type": "object",
-            "properties": {
-                "size": {
-                    "type": "string",
-                    "description": "Jetstream persistent storage size",
-                    "default": "10Gi"
-                },
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable or disable Jetstream",
-                    "default": true
-                }
-            }
-        },
         "config": {
-            "type": "object",
             "properties": {
                 "merge": {
-                    "type": "object",
+                    "default": {},
-                    "description": "Additional configuration to merge into NATS config",
+                    "description": "Additional configuration to merge into NATS config (see example)",
-                    "default": {}
+                    "type": "object"
                 },
                 "resolver": {
-                    "type": "object",
+                    "default": {},
-                    "description": "Additional configuration to merge into NATS config",
+                    "description": "Additional resolver configuration to merge into NATS config (see example)",
-                    "default": {}
+                    "type": "object"
                 }
-            }
+            },
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "jetstream": {
+            "properties": {
+                "enabled": {
+                    "default": true,
+                    "description": "Enable or disable Jetstream",
+                    "type": "boolean"
+                },
+                "size": {
+                    "default": "10Gi",
+                    "description": "Jetstream persistent storage size",
+                    "type": "string"
+                }
+            },
+            "type": "object"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of replicas",
+            "type": "number"
         },
         "resources": {
-            "type": "object",
+            "default": {},
-            "description": "Resources",
+            "description": "Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
         },
         "resourcesPreset": {
-            "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)",
             "default": "nano",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
             "enum": [
-                "none",
                 "nano",
                 "micro",
                 "small",
@@ -66,6 +58,13 @@
                 "xlarge",
                 "2xlarge"
             ]
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
         }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }

packages/apps/nats/values.yaml

@@ -1,14 +1,22 @@
-
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param replicas Persistent Volume size for NATS
-## @param storageClass StorageClass used to store the data
 ##
-external: false
+## @param replicas Number of replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "nano"
+## @param storageClass StorageClass used to store the data
 storageClass: ""
-## @param users [object] Users configuration
+## @param external Enable external access from outside the cluster
+external: false
+
+## @section Application-specific parameters
+##
+## @param users [object] Users configuration (see example)
 ## Example:
 ## users:
 ##   user1:
@@ -17,18 +25,17 @@ storageClass: ""
 users: {}
 
 jetstream:
+  ## @param jetstream.enabled Enable or disable Jetstream
+  ## Set to true to enable Jetstream for persistent messaging in NATS.
+  ## Default: true
+  enabled: true
   ## @param jetstream.size Jetstream persistent storage size
   ## Specifies the size of the persistent storage for Jetstream (message store).
   ## Default: 10Gi
   size: 10Gi
 
-  ## @param jetstream.enabled Enable or disable Jetstream
-  ## Set to true to enable Jetstream for persistent messaging in NATS.
-  ## Default: true
-  enabled: true
-
 config:
-  ## @param config.merge Additional configuration to merge into NATS config
+  ## @param config.merge Additional configuration to merge into NATS config (see example)
   ## Allows you to customize NATS server settings by merging additional configurations.
   ## For example, you can add extra parameters, configure authentication, or set custom settings.
   ## Default: {}
@@ -56,17 +63,9 @@ config:
   ##   include ./my-config-last.conf;
   ## }
   merge: {}
-  ## @param config.resolver Additional configuration to merge into NATS config
+  ## @param config.resolver Additional resolver configuration to merge into NATS config (see example)
   ## Allows you to customize NATS server settings by merging resolver configurations.
   ## Default: {}
-  ## Example see: https://github.com/nats-io/k8s/blob/main/helm/charts/nats/values.yaml#L247
+  ## Example: https://github.com/nats-io/k8s/blob/94414664c254b0bbac3a07fc9693f6c4f8f88709/helm/charts/nats/values.yaml#L248-L270
   resolver: {}
 
-## @param resources Resources
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
- 
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)
-resourcesPreset: "nano"

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.15.1
+version: 0.17.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/Makefile

@@ -1,5 +1,6 @@
 include ../../../scripts/package.mk
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json

packages/apps/postgres/README.md

@@ -1,6 +1,8 @@
 # Managed PostgreSQL Service
 
-PostgreSQL is currently the leading choice among relational databases, known for its robust features and performance. Our Managed PostgreSQL Service takes advantage of platform-side implementation to provide a self-healing replicated cluster. This cluster is efficiently managed using the highly acclaimed CloudNativePG operator, which has gained popularity within the community.
+PostgreSQL is currently the leading choice among relational databases, known for its robust features and performance.
+The Managed PostgreSQL Service takes advantage of platform-side implementation to provide a self-healing replicated cluster.
+This cluster is efficiently managed using the highly acclaimed CloudNativePG operator, which has gained popularity within the community.
 
 ## Deployment Details
 
@@ -9,71 +11,168 @@ This managed service is controlled by the CloudNativePG operator, ensuring effic
 - Docs: <https://cloudnative-pg.io/docs/>
 - Github: <https://github.com/cloudnative-pg/cloudnative-pg>
 
-## HowTos
+## Operations
 
-### How to switch master/slave replica
+### How to enable backups
+
+To back up a PostgreSQL application, an external S3-compatible storage is required.
+
+To start regular backups, update the application, setting `backup.enabled` to `true`, and fill in the path and credentials to an  `backup.*`:
+
+```yaml
+## @param backup.enabled Enable regular backups
+## @param backup.schedule Cron schedule for automated backups
+## @param backup.retentionPolicy Retention policy
+## @param backup.destinationPath Path to store the backup (i.e. s3://bucket/path/to/folder)
+## @param backup.endpointURL S3 Endpoint used to upload data to the cloud
+## @param backup.s3AccessKey Access key for S3, used for authentication
+## @param backup.s3SecretKey Secret key for S3, used for authentication
+backup:
+  enabled: false
+  retentionPolicy: 30d
+  destinationPath: s3://bucket/path/to/folder/
+  endpointURL: http://minio-gateway-service:9000
+  schedule: "0 2 * * * *"
+  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+```
+
+### How to recover a backup
+
+CloudNativePG supports point-in-time-recovery.
+Recovering a backup is done by creating a new database instance and restoring the data in it.
+
+Create a new PostgreSQL application with a different name, but identical configuration.
+Set `bootstrap.enabled` to `true` and fill in the name of the database instance to recover from and the recovery time:
+
+```yaml
+## @param bootstrap.enabled Restore database cluster from a backup
+## @param bootstrap.recoveryTime Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest
+## @param bootstrap.oldName Name of database cluster before deleting
+##
+bootstrap:
+  enabled: false
+  recoveryTime: ""  # leave empty for latest or exact timestamp; example: 2020-11-26 15:22:00.00000+00
+  oldName: "<previous-postgres-instance>"
+```
+
+### How to switch primary/secondary replica
 
 See:
 
 - <https://cloudnative-pg.io/documentation/1.15/rolling_update/#manual-updates-supervised>
 
-### How to restore backup
-
-find snapshot:
-
-```bash
-restic -r s3:s3.example.org/postgres-backups/database_name snapshots
-```
-
-restore:
-
-```bash
-restic -r s3:s3.example.org/postgres-backups/database_name restore latest --target /tmp/
-```
-
-more details:
-
-- <https://itnext.io/restic-effective-backup-from-stdin-4bc1e8f083c1>
-
 ## Parameters
 
 ### Common parameters
 
-| Name                                    | Description                                                                                                              | Value   |
+| Name                                    | Description                                                                                                              | Type     | Value   |
-| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------- |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | -------- | ------- |
-| `external`                              | Enable external access from outside the cluster                                                                          | `false` |
+| `external`                              | Enable external access from outside the cluster                                                                          | `bool`   | `false` |
-| `size`                                  | Persistent Volume size                                                                                                   | `10Gi`  |
+| `size`                                  | Persistent Volume size                                                                                                   | `string` | `10Gi`  |
-| `replicas`                              | Number of Postgres replicas                                                                                              | `2`     |
+| `replicas`                              | Number of Postgres replicas                                                                                              | `int`    | `2`     |
-| `storageClass`                          | StorageClass used to store the data                                                                                      | `""`    |
+| `storageClass`                          | StorageClass used to store the data                                                                                      | `string` | ``      |
-| `postgresql.parameters.max_connections` | Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections | `100`   |
+| `postgresql`                            | PostgreSQL server configuration                                                                                          | `object` | `null`  |
-| `quorum.minSyncReplicas`                | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.            | `0`     |
+| `postgresql.parameters`                 | PostgreSQL server parameters                                                                                             | `object` |         |
-| `quorum.maxSyncReplicas`                | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).  | `0`     |
+| `postgresql.parameters.max_connections` | Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections | `int`    |         |
+| `quorum`                                | Quorum configuration for synchronous replication                                                                         | `object` | `null`  |
+| `quorum.minSyncReplicas`                | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.            | `int`    |         |
+| `quorum.maxSyncReplicas`                | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).  | `int`    |         |
 
 ### Configuration parameters
 
-| Name        | Description             | Value |
+| Name                             | Description                                 | Type                  | Value |
-| ----------- | ----------------------- | ----- |
+| -------------------------------- | ------------------------------------------- | --------------------- | ----- |
-| `users`     | Users configuration     | `{}`  |
+| `users`                          | Users configuration                         | `map[string]user`     | `{}`  |
-| `databases` | Databases configuration | `{}`  |
+| `users[name].password`           | Password for the user                       | `*string`             |       |
+| `users[name].replication`        | Whether the user has replication privileges | `*bool`               |       |
+| `databases`                      | Databases configuration                     | `map[string]database` | `{}`  |
+| `databases[name].roles`          | Roles for the database                      | `object`              |       |
+| `databases[name].roles.admin`    | List of users with admin privileges         | `[]string`            |       |
+| `databases[name].roles.readonly` | List of users with read-only privileges     | `[]string`            |       |
+| `databases[name].extensions`     | Extensions enabled for the database         | `[]string`            |       |
 
 ### Backup parameters
 
-| Name                     | Description                                                          | Value                               |
+| Name                     | Description                                                | Type     | Value  |
-| ------------------------ | -------------------------------------------------------------------- | ----------------------------------- |
+| ------------------------ | ---------------------------------------------------------- | -------- | ------ |
-| `backup.enabled`         | Enable pereiodic backups                                             | `false`                             |
+| `backup`                 | Backup configuration                                       | `object` | `null` |
-| `backup.schedule`        | Cron schedule for automated backups                                  | `0 2 * * * *`                       |
+| `backup.enabled`         | Enable regular backups                                     | `bool`   |        |
-| `backup.retentionPolicy` | The retention policy                                                 | `30d`                               |
+| `backup.schedule`        | Cron schedule for automated backups                        | `string` |        |
-| `backup.destinationPath` | The path where to store the backup (i.e. s3://bucket/path/to/folder) | `s3://BUCKET_NAME/`                 |
+| `backup.retentionPolicy` | Retention policy                                           | `string` |        |
-| `backup.endpointURL`     | Endpoint to be used to upload data to the cloud                      | `http://minio-gateway-service:9000` |
+| `backup.destinationPath` | Path to store the backup (i.e. s3://bucket/path/to/folder) | `string` |        |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                       | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
+| `backup.endpointURL`     | S3 Endpoint used to upload data to the cloud               | `string` |        |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                       | `ju3eum4dekeich9ahM1te8waeGai0oog`  |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                 | `string` |        |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                 | `string` |        |
 
 ### Bootstrap parameters
 
-| Name                     | Description                                                                                                                                      | Value   |
+| Name                     | Description                                                                                                          | Type        | Value   |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
-| `bootstrap.enabled`      | Restore cluster from backup                                                                                                                      | `false` |
+| `bootstrap`              | Bootstrap configuration                                                                                              | `object`    | `null`  |
-| `bootstrap.recoveryTime` | Time stamp up to which recovery will proceed, expressed in RFC 3339 format, if empty, will restore latest                                        | `""`    |
+| `bootstrap.enabled`      | Restore database cluster from a backup                                                                               | `bool`      |         |
-| `bootstrap.oldName`      | Name of cluster before deleting                                                                                                                  | `""`    |
+| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest | `string`    |         |
-| `resources`              | Resources                                                                                                                                        | `{}`    |
+| `bootstrap.oldName`      | Name of database cluster before deleting                                                                             | `string`    |         |
-| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly. (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge) | `micro` |
+| `resources`              | Resources                                                                                                            | `object`    | `{}`    |
+| `resources.cpu`          | CPU                                                                                                                  | `*quantity` |         |
+| `resources.memory`       | Memory                                                                                                               | `*quantity` |         |
+| `resourcesPreset`        | Default sizing preset used when `resources` is omitted.                                                              | `string`    | `micro` |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcesPreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `250m` | `128Mi` |
+| `micro`     | `500m` | `256Mi` |
+| `small`     | `1`    | `512Mi` |
+| `medium`    | `1`    | `1Gi`   |
+| `large`     | `2`    | `2Gi`   |
+| `xlarge`    | `4`    | `4Gi`   |
+| `2xlarge`   | `8`    | `8Gi`   |
+
+### users
+
+```yaml
+users:
+  user1:
+    password: strongpassword
+  user2:
+    password: hackme
+  airflow:
+    password: qwerty123
+  debezium:
+    replication: true
+```
+
+### databases
+
+```yaml
+databases:          
+  myapp:            
+    roles:          
+      admin:        
+      - user1       
+      - debezium    
+      readonly:     
+      - user2       
+  airflow:          
+    roles:          
+      admin:        
+      - airflow     
+    extensions:     
+    - hstore        
+```

packages/apps/postgres/templates/dashboard-resourcemap.yaml

@@ -11,6 +11,7 @@ rules:
   - {{ .Release.Name }}-r
   - {{ .Release.Name }}-ro
   - {{ .Release.Name }}-rw
+  - {{ .Release.Name }}-external-write
   verbs: ["get", "list", "watch"]
 - apiGroups:
   - ""