Release v0.31.2 (#1071 )

This PR prepares the release `v0.31.2`.
[Backport release-0.31] Refactor roles and permissions for tenants
2026-02-06 01:06:27 +00:00 · 2025-06-17 02:27:18 +02:00 · 2025-06-16 21:31:41 +02:00 · 2025-06-16 19:26:34 +00:00 · 2025-06-16 18:21:55 +02:00 · 2025-06-16 18:21:42 +02:00
48 changed files with 386 additions and 230 deletions
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -11,7 +11,7 @@ concurrency:
 jobs:
  build:
    name: Build
-    runs-on: [oracle-4cpu-16gb-x86-64]
+    runs-on: [self-hosted]
    permissions:
      contents: read
      packages: write
@@ -34,38 +34,20 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: ghcr.io
      - name: Install dependencies
        run: |
          set -e
          sudo mkdir -p -m 755 /etc/apt/keyrings
          sudo wget -O /etc/apt/keyrings/githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg
          sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
          sudo apt update
          sudo apt install -y jq skopeo gh gawk
          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
          sudo chmod +x /usr/local/bin/yq
          curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | sudo bash
          sudo modprobe loop
      - name: Build
        run: make build
      - name: Build Talos image
        run: make -C packages/core/installer talos-nocloud
      - name: Upload installer
        uses: actions/upload-artifact@v4
        with:
          name: cozystack-installer
          path: _out/assets/cozystack-installer.yaml
-      - name: Upload Talos image
+      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
-          name: talos-image
+          name: cozystack-artefacts
-          path: _out/assets/nocloud-amd64.raw.xz
+          path: |
- 
+            _out/assets/nocloud-amd64.raw.xz
            _out/assets/cozystack-installer.yaml
  test:
    name: Test
    runs-on: [self-hosted]
@@ -76,16 +58,16 @@ jobs:
      !contains(github.event.pull_request.labels.*.name, 'release')
    steps:
-      - name: Download installer
+      - name: Checkout code
-        uses: actions/download-artifact@v4
+        uses: actions/checkout@v4
        with:
-          name: cozystack-installer
+          fetch-depth: 0
-          path: _out/assets/
+          fetch-tags: true
-      - name: Download Talos image
+      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
-          name: talos-image
+          name: cozystack-artefacts
          path: _out/assets/
      - name: Test
--- a/.github/workflows/tags.yaml
+++ b/.github/workflows/tags.yaml
@@ -15,7 +15,7 @@ concurrency:
 jobs:
  prepare-release:
    name: Prepare Release
-    runs-on: [oracle-4cpu-16gb-x86-64]
+    runs-on: [self-hosted]
    permissions:
      contents: write
      packages: write
--- a/hack/e2e-cluster.bats
+++ b/hack/e2e-cluster.bats
@@ -86,7 +86,7 @@ EOF
@test "Prepare VM disks" {
  for i in 1 2 3; do
    cp nocloud-amd64.raw srv${i}/system.img
-    qemu-img resize srv${i}/system.img 50G
+    qemu-img resize srv${i}/system.img 20G
    qemu-img create srv${i}/data.img 100G
  done
 }
--- a/packages/apps/clickhouse/Chart.yaml
+++ b/packages/apps/clickhouse/Chart.yaml
@@ -23,8 +23,3 @@ version: 0.9.0
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "24.9.2"
 dependencies:
  - name: cozy-lib
    version: 0.1.0
    repository: "http://cozystack.cozy-system.svc/repos/library"
--- a/packages/apps/clickhouse/README.md
+++ b/packages/apps/clickhouse/README.md
@@ -1,32 +1,35 @@
 # Managed Clickhouse Service
 ClickHouse is an open source high-performance and column-oriented SQL database management system (DBMS).
 It is used for online analytical processing (OLAP).
 Cozystack platform uses Altinity operator to provide ClickHouse.
 ### How to restore backup:
-find snapshot:
+1. Find a snapshot:
-```
+    ```
-restic -r s3:s3.example.org/clickhouse-backups/table_name snapshots
+    restic -r s3:s3.example.org/clickhouse-backups/table_name snapshots
-```
+    ```
-restore:
+2.  Restore it:
-```
+    ```
-restic -r s3:s3.example.org/clickhouse-backups/table_name restore latest --target /tmp/
+    restic -r s3:s3.example.org/clickhouse-backups/table_name restore latest --target /tmp/
-```
+    ```
-more details:
+For more details, read [Restic: Effective Backup from Stdin](https://blog.aenix.io/restic-effective-backup-from-stdin-4bc1e8f083c1).
 - https://itnext.io/restic-effective-backup-from-stdin-4bc1e8f083c1
 ## Parameters
 ### Common parameters
-| Name             | Description                         | Value  |
+| Name             | Description                                              | Value  |
-| ---------------- | ----------------------------------- | ------ |
+| ---------------- | -------------------------------------------------------- | ------ |
-| `size`           | Persistent Volume size              | `10Gi` |
+| `size`           | Size of Persistent Volume for data                       | `10Gi` |
-| `logStorageSize` | Persistent Volume for logs size     | `2Gi`  |
+| `logStorageSize` | Size of Persistent Volume for logs                       | `2Gi`  |
-| `shards`         | Number of Clickhouse replicas       | `1`    |
+| `shards`         | Number of Clickhouse shards                              | `1`    |
-| `replicas`       | Number of Clickhouse shards         | `2`    |
+| `replicas`       | Number of Clickhouse replicas                            | `2`    |
-| `storageClass`   | StorageClass used to store the data | `""`   |
+| `storageClass`   | StorageClass used to store the data                      | `""`   |
-| `logTTL`         | for query_log and query_thread_log  | `15`   |
+| `logTTL`         | TTL (expiration time) for query_log and query_thread_log | `15`   |
 ### Configuration parameters
@@ -36,15 +39,32 @@ more details:
 ### Backup parameters
-| Name                     | Description                                                                                                                                                                                                       | Value                                                  |
+| Name                     | Description                                                                 | Value                                                  |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
+| ------------------------ | --------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable pereiodic backups                                                                                                                                                                                          | `false`                                                |
+| `backup.enabled`         | Enable periodic backups                                                     | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                                                                                        | `us-east-1`                                            |
+| `backup.s3Region`        | AWS S3 region where backups are stored                                      | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                                                                                            | `s3.example.org/clickhouse-backups`                    |
+| `backup.s3Bucket`        | S3 bucket used for storing backups                                          | `s3.example.org/clickhouse-backups`                    |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                                                                                               | `0 2 * * *`                                            |
+| `backup.schedule`        | Cron schedule for automated backups                                         | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups                              | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                                                                                    | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                                  | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                                                                                    | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                                  | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                                                                                         | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+| `backup.resticPassword`  | Password for Restic backup encryption                                       | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Resources                                                                                                                                                                                                         | `{}`                                                   |
+| `resources`              | Explicit CPU/memory resource requests and limits for the Clickhouse service | `{}`                                                   |
-| `resourcesPreset`        | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`                                                 |
+| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly.       | `nano`                                                 |
 In production environments, it's recommended to set `resources` explicitly.
 Example of `resources`:
 ```yaml
 resources:
  limits:
    cpu: 4000m
    memory: 4Gi
  requests:
    cpu: 100m
    memory: 512Mi
 ```
 Allowed values for `resourcesPreset` are `none`, `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
 This value is ignored if `resources` value is set. 
--- a/packages/apps/clickhouse/templates/clickhouse.yaml
+++ b/packages/apps/clickhouse/templates/clickhouse.yaml
@@ -122,9 +122,9 @@ spec:
            - name: clickhouse
              image: clickhouse/clickhouse-server:24.9.2.42
              {{- if .Values.resources }}
-              resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 16 }}
+              resources: {{- include "cozy-lib.resources.sanitize" .Values.resources | nindent 16 }}
              {{- else if ne .Values.resourcesPreset "none" }}
-              resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 16 }}
+              resources: {{- include "cozy-lib.resources.preset" .Values.resourcesPreset | nindent 16 }}
              {{- end }}
              volumeMounts:
                - name: data-volume-template
--- a/packages/apps/clickhouse/values.schema.json
+++ b/packages/apps/clickhouse/values.schema.json
@@ -4,22 +4,22 @@
    "properties": {
        "size": {
            "type": "string",
-            "description": "Persistent Volume size",
+            "description": "Size of Persistent Volume for data",
            "default": "10Gi"
        },
        "logStorageSize": {
            "type": "string",
-            "description": "Persistent Volume for logs size",
+            "description": "Size of Persistent Volume for logs",
            "default": "2Gi"
        },
        "shards": {
            "type": "number",
-            "description": "Number of Clickhouse replicas",
+            "description": "Number of Clickhouse shards",
            "default": 1
        },
        "replicas": {
            "type": "number",
-            "description": "Number of Clickhouse shards",
+            "description": "Number of Clickhouse replicas",
            "default": 2
        },
        "storageClass": {
@@ -29,7 +29,7 @@
        },
        "logTTL": {
            "type": "number",
-            "description": "for query_log and query_thread_log",
+            "description": "TTL (expiration time) for query_log and query_thread_log",
            "default": 15
        },
        "backup": {
@@ -37,17 +37,17 @@
            "properties": {
                "enabled": {
                    "type": "boolean",
-                    "description": "Enable pereiodic backups",
+                    "description": "Enable periodic backups",
                    "default": false
                },
                "s3Region": {
                    "type": "string",
-                    "description": "The AWS S3 region where backups are stored",
+                    "description": "AWS S3 region where backups are stored",
                    "default": "us-east-1"
                },
                "s3Bucket": {
                    "type": "string",
-                    "description": "The S3 bucket used for storing backups",
+                    "description": "S3 bucket used for storing backups",
                    "default": "s3.example.org/clickhouse-backups"
                },
                "schedule": {
@@ -57,34 +57,34 @@
                },
                "cleanupStrategy": {
                    "type": "string",
-                    "description": "The strategy for cleaning up old backups",
+                    "description": "Retention strategy for cleaning up old backups",
                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
                },
                "s3AccessKey": {
                    "type": "string",
-                    "description": "The access key for S3, used for authentication",
+                    "description": "Access key for S3, used for authentication",
                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
                },
                "s3SecretKey": {
                    "type": "string",
-                    "description": "The secret key for S3, used for authentication",
+                    "description": "Secret key for S3, used for authentication",
                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
                },
                "resticPassword": {
                    "type": "string",
-                    "description": "The password for Restic backup encryption",
+                    "description": "Password for Restic backup encryption",
                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
                }
            }
        },
        "resources": {
            "type": "object",
-            "description": "Resources",
+            "description": "Explicit CPU/memory resource requests and limits for the Clickhouse service",
            "default": {}
        },
        "resourcesPreset": {
            "type": "string",
-            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
+            "description": "Use a common resources preset when `resources` is not set explicitly.",
            "default": "nano"
        }
    }
--- a/packages/apps/clickhouse/values.yaml
+++ b/packages/apps/clickhouse/values.yaml
@@ -1,11 +1,11 @@
 ## @section Common parameters
-## @param size Persistent Volume size
+## @param size Size of Persistent Volume for data
-## @param logStorageSize Persistent Volume for logs size
+## @param logStorageSize Size of Persistent Volume for logs
-## @param shards Number of Clickhouse replicas
+## @param shards Number of Clickhouse shards
-## @param replicas Number of Clickhouse shards
+## @param replicas Number of Clickhouse replicas
 ## @param storageClass StorageClass used to store the data
-## @param logTTL for query_log and query_thread_log
+## @param logTTL TTL (expiration time) for query_log and query_thread_log
 ##
 size: 10Gi
 logStorageSize: 2Gi
@@ -29,14 +29,14 @@ users: {}
 ## @section Backup parameters
-## @param backup.enabled Enable pereiodic backups
+## @param backup.enabled Enable periodic backups
-## @param backup.s3Region The AWS S3 region where backups are stored
+## @param backup.s3Region AWS S3 region where backups are stored
-## @param backup.s3Bucket The S3 bucket used for storing backups
+## @param backup.s3Bucket S3 bucket used for storing backups
 ## @param backup.schedule Cron schedule for automated backups
-## @param backup.cleanupStrategy The strategy for cleaning up old backups
+## @param backup.cleanupStrategy Retention strategy for cleaning up old backups
-## @param backup.s3AccessKey The access key for S3, used for authentication
+## @param backup.s3AccessKey Access key for S3, used for authentication
-## @param backup.s3SecretKey The secret key for S3, used for authentication
+## @param backup.s3SecretKey Secret key for S3, used for authentication
-## @param backup.resticPassword The password for Restic backup encryption
+## @param backup.resticPassword Password for Restic backup encryption
 backup:
  enabled: false
  s3Region: us-east-1
@@ -47,7 +47,7 @@ backup:
  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
-## @param resources Resources
+## @param resources Explicit CPU/memory resource requests and limits for the Clickhouse service
 resources: {}
 # resources:
 #   limits:
@@ -56,6 +56,6 @@ resources: {}
 #   requests:
 #     cpu: 100m
 #     memory: 512Mi
- 
+
-## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly.
 resourcesPreset: "nano"
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.5.0@sha256:99cd04f09f80eb0c60cc0b2f6bc8180ada7ada00cb594606447674953dfa1b67
+ghcr.io/cozystack/cozystack/nginx-cache:0.5.0@sha256:c1944c60a449e36e29153a38db6feee41139d38b02fe3670efb673feb3bc0ee6
--- a/packages/apps/kafka/Chart.yaml
+++ b/packages/apps/kafka/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.6.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kafka/README.md
+++ b/packages/apps/kafka/README.md
@@ -14,9 +14,9 @@
 | `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                                                                                                      | `3`     |
 | `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                                                                                                     | `""`    |
 | `kafka.resources`           | Resources                                                                                                                                                                                                         | `{}`    |
-| `kafka.resourcesPreset`     | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
+| `kafka.resourcesPreset`     | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
 | `zookeeper.resources`       | Resources                                                                                                                                                                                                         | `{}`    |
-| `zookeeper.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
+| `zookeeper.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
 ### Configuration parameters
--- a/packages/apps/kafka/values.schema.json
+++ b/packages/apps/kafka/values.schema.json
@@ -33,7 +33,7 @@
                "resourcesPreset": {
                    "type": "string",
                    "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "nano"
+                    "default": "small"
                }
            }
        },
@@ -63,7 +63,7 @@
                "resourcesPreset": {
                    "type": "string",
                    "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "nano"
+                    "default": "micro"
                }
            }
        },
--- a/packages/apps/kafka/values.yaml
+++ b/packages/apps/kafka/values.yaml
@@ -25,7 +25,7 @@ kafka:
  #     memory: 512Mi
  ## @param kafka.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
-  resourcesPreset: "nano"
+  resourcesPreset: "small"
 zookeeper:
  size: 5Gi
@@ -42,7 +42,7 @@ zookeeper:
  #     memory: 512Mi
  ## @param zookeeper.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
-  resourcesPreset: "nano"
+  resourcesPreset: "micro"
 ## @section Configuration parameters
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.21.0@sha256:7315850634728a5864a3de3150c12f0e1454f3f1ce33cdf21a278f57611dd5e9
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.21.0@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.21.0@sha256:6962bdf51ab2ff40b420b9cff7c850aeea02187da2a65a67f10e0471744649d7
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.21.0@sha256:c53cff22980c754eb45f552cb1ccd3d9ad0b4ce4c12b024012e0ae256fd114f0
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.21.0@sha256:b1525163cd21938ac934bb1b860f2f3151464fa463b82880ab058167aeaf3e29
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.21.0@sha256:510e4c8db50126391b94668fccce9f6ed82d298a02882d2585596b5c6213ddc3
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.32@sha256:bfe568db4b768a4b6c67a8d562892bbba766d0245e140d431754589b347f0b41
+ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.32@sha256:e53f2394c7aa76ad10818ffb945e40006cd77406999e47e036d41b8b0bf094cc
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 type: application
-version: 1.9.2
+version: 1.10.0
--- a/packages/apps/tenant/charts/cozy-lib
+++ b/packages/apps/tenant/charts/cozy-lib
@@ -0,0 +1 @@
 ../../../library/cozy-lib
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -23,8 +23,8 @@ metadata:
  namespace: {{ include "tenant.name" . }}
 rules:
 - apiGroups: [""]
-  resources: ["*"]
+  resources: ["pods", "services", "persistentvolumes", "endpoints", "events", "resourcequotas"]
-  verbs: ["get", "list", "watch", "create", "update", "patch"]
+  verbs: ["get", "list", "watch"]
 - apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]
@@ -94,7 +94,12 @@ rules:
  - apiGroups:
      - ""
    resources:
-      - "*"
+      - pods
      - services
      - persistentvolumes
      - endpoints
      - events
      - resourcequotas
    verbs:
      - get
      - list
@@ -119,24 +124,7 @@ metadata:
  name: {{ include "tenant.name" . }}-view
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{- if ne .Release.Namespace "tenant-root" }}
+{{ include "cozy-lib.rbac.subjectsForTenant" (list "view" (include "tenant.name" .)) | nindent 2 }}
 - kind: Group
  name: tenant-root-view
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 - kind: Group
  name: {{ include "tenant.name" . }}-view
  apiGroup: rbac.authorization.k8s.io
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
 {{- if ne $i 0 }}
 - kind: Group
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-view
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-view
@@ -165,7 +153,12 @@ rules:
    - watch
  - apiGroups: [""]
    resources:
-    - "*"
+      - pods
      - services
      - persistentvolumes
      - endpoints
      - events
      - resourcequotas
    verbs:
    - get
    - list
@@ -184,6 +177,12 @@ rules:
    verbs:
    - get
    - list
  - apiGroups: ["subresources.kubevirt.io"]
    resources:
      - virtualmachineinstances/portforward
    verbs:
      - get
      - update
  - apiGroups:
    - cozystack.io
    resources:
@@ -196,24 +195,7 @@ metadata:
  name: {{ include "tenant.name" . }}-use
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{- if ne .Release.Namespace "tenant-root" }}
+{{ include "cozy-lib.rbac.subjectsForTenant" (list "use" (include "tenant.name" .)) | nindent 2 }}
 - kind: Group
  name: tenant-root-use
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 - kind: Group
  name: {{ include "tenant.name" . }}-use
  apiGroup: rbac.authorization.k8s.io
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
 {{- if ne $i 0 }}
 - kind: Group
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-use
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-use
@@ -234,7 +216,12 @@ rules:
    - get
  - apiGroups: [""]
    resources:
-    - "*"
+      - pods
      - services
      - persistentvolumes
      - endpoints
      - events
      - resourcequotas
    verbs:
    - get
    - list
@@ -253,6 +240,12 @@ rules:
    verbs:
    - get
    - list
  - apiGroups: ["subresources.kubevirt.io"]
    resources:
      - virtualmachineinstances/portforward
    verbs:
      - get
      - update
  - apiGroups: ["apps.cozystack.io"]
    resources:
    - buckets
@@ -293,24 +286,7 @@ metadata:
  name: {{ include "tenant.name" . }}-admin
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{- if ne .Release.Namespace "tenant-root" }}
+{{ include "cozy-lib.rbac.subjectsForTenant" (list "admin" (include "tenant.name" .)) | nindent 2 }}
 - kind: Group
  name: tenant-root-admin
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 - kind: Group
  name: {{ include "tenant.name" . }}-admin
  apiGroup: rbac.authorization.k8s.io
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
 {{- if ne $i 0 }}
 - kind: Group
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-admin
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-admin
@@ -331,7 +307,12 @@ rules:
    - get
  - apiGroups: [""]
    resources:
-    - "*"
+      - pods
      - services
      - persistentvolumes
      - endpoints
      - events
      - resourcequotas
    verbs:
    - get
    - list
@@ -349,6 +330,12 @@ rules:
    verbs:
    - get
    - list
  - apiGroups: ["subresources.kubevirt.io"]
    resources:
      - virtualmachineinstances/portforward
    verbs:
      - get
      - update
  - apiGroups: ["apps.cozystack.io"]
    resources:
    - '*'
@@ -366,24 +353,7 @@ metadata:
  name: {{ include "tenant.name" . }}-super-admin
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{- if ne .Release.Namespace "tenant-root" }}
+{{ include "cozy-lib.rbac.subjectsForTenant" (list "super-admin" (include "tenant.name" .) ) | nindent 2 }}
 - kind: Group
  name: tenant-root-super-admin
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 - kind: Group
  name: {{ include "tenant.name" . }}-super-admin
  apiGroup: rbac.authorization.k8s.io
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
 {{- if ne $i 0 }}
 - kind: Group
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-super-admin
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -36,7 +36,8 @@ kafka 0.3.2 93c46161
 kafka 0.3.3 8267072d
 kafka 0.4.0 85ec09b8
 kafka 0.5.0 93bdf411
-kafka 0.6.0 HEAD
+kafka 0.6.0 6130f43d
 kafka 0.6.1 HEAD
 kubernetes 0.1.0 263e47be
 kubernetes 0.2.0 53f2365e
 kubernetes 0.3.0 007d414f
@@ -146,7 +147,8 @@ tenant 1.7.0 24fa7222
 tenant 1.8.0 160e4e2a
 tenant 1.9.0 728743db
 tenant 1.9.1 721c12a7
-tenant 1.9.2 HEAD
+tenant 1.9.2 8c86905b
 tenant 1.10.0 HEAD
 virtual-machine 0.1.4 f2015d65
 virtual-machine 0.1.5 263e47be
 virtual-machine 0.2.0 c0685f43
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.31.1@sha256:b8f418e45dcbf351b13ce743f3528b195159753430d35c619dd82a1c676ae3bb
+  image: ghcr.io/cozystack/cozystack/installer:v0.31.2@sha256:c45ab98465c0077337077f86f5e7d8ab3c051db6092854bbc9c26400c3317f9a
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -167,7 +167,7 @@ releases:
  releaseName: snapshot-controller
  chart: cozy-snapshot-controller
  namespace: cozy-snapshot-controller
-  dependsOn: [cilium,cert-manager-issuers]
+  dependsOn: [cilium]
 - name: objectstorage-controller
  releaseName: objectstorage-controller
--- a/packages/core/platform/templates/_helpers.tpl
+++ b/packages/core/platform/templates/_helpers.tpl
@@ -69,4 +69,10 @@ kubeapps:
      .appview-first-row section[aria-labelledby="access-urls-title"] {
        width: 100%;
      }
      .header-version {
        display: none;
      }
      .label.label-info-secondary {
        display: none;
      }
 {{- end }}
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.31.1@sha256:55809f10d69d32b47b9ca306482861255408516eab7775498ac71368f362ee96
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.31.2@sha256:90468a068e64d41135e94104307dfee7c34baa97d1ad3661431a54a2a5742f5f
--- a/packages/extra/bootbox/images/matchbox.tag
+++ b/packages/extra/bootbox/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.31.1@sha256:31b267a3a542e4ddabcadb85fbfe1fb0746e57cc29d941d320437cfd0abae7d9
+ghcr.io/cozystack/cozystack/matchbox:v0.31.2@sha256:b680021f59d717929fe41bc974a0e39ab9b4d361bf8f5189c7a98c2267bd039e
--- a/packages/extra/monitoring/Chart.yaml
+++ b/packages/extra/monitoring/Chart.yaml
@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.10.0
+version: 1.10.1
--- a/packages/extra/monitoring/images/grafana.tag
+++ b/packages/extra/monitoring/images/grafana.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/grafana:1.10.0@sha256:c63978e1ed0304e8518b31ddee56c4e8115541b997d8efbe1c0a74da57140399
+ghcr.io/cozystack/cozystack/grafana:1.10.1@sha256:c63978e1ed0304e8518b31ddee56c4e8115541b997d8efbe1c0a74da57140399
--- a/packages/extra/monitoring/templates/vpa.yaml
+++ b/packages/extra/monitoring/templates/vpa.yaml
@@ -18,8 +18,8 @@ spec:
          {{- if and .vminsert .vminsert.minAllowed }}
          {{- toYaml .vminsert.minAllowed | nindent 10 }}
          {{- else }}
-          cpu: 250m
+          cpu: 25m
-          memory: 256Mi
+          memory: 64Mi
          {{- end }}
        maxAllowed:
          {{- if and .vminsert .vminsert.maxAllowed }}
@@ -47,8 +47,8 @@ spec:
          {{- if and .vmselect .vmselect.minAllowed }}
          {{- toYaml .vmselect.minAllowed | nindent 10 }}
          {{- else }}
-          cpu: 250m
+          cpu: 25m
-          memory: 256Mi
+          memory: 64Mi
          {{- end }}
        maxAllowed:
          {{- if and .vmselect .vmselect.maxAllowed }}
@@ -76,8 +76,8 @@ spec:
          {{- if and .vmstorage .vmstorage.minAllowed }}
          {{- toYaml .vmstorage.minAllowed | nindent 10 }}
          {{- else }}
-          cpu: 100m
+          cpu: 25m
-          memory: 512Mi
+          memory: 64Mi
          {{- end }}
        maxAllowed:
          {{- if and .vmstorage .vmstorage.maxAllowed }}
--- a/packages/extra/seaweedfs/Chart.yaml
+++ b/packages/extra/seaweedfs/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.4.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/extra/seaweedfs/templates/vpa.yaml
+++ b/packages/extra/seaweedfs/templates/vpa.yaml
@@ -13,8 +13,8 @@ spec:
    containerPolicies:
      - containerName: seaweedfs
        minAllowed:
-          cpu: 250m
+          cpu: 25m
-          memory: 256Mi
+          memory: 64Mi
        maxAllowed:
          cpu: "1"
          memory: 2048Mi
@@ -36,8 +36,8 @@ spec:
    containerPolicies:
      - containerName: seaweedfs
        minAllowed:
-          cpu: 250m
+          cpu: 25m
-          memory: 256Mi
+          memory: 64Mi
        maxAllowed:
          cpu: "1"
          memory: 2048Mi
@@ -59,8 +59,8 @@ spec:
    containerPolicies:
      - containerName: seaweedfs
        minAllowed:
-          cpu: 250m
+          cpu: 25m
-          memory: 256Mi
+          memory: 64Mi
        maxAllowed:
          cpu: "1"
          memory: 2048Mi
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -39,9 +39,11 @@ monitoring 1.8.1 8267072d
 monitoring 1.9.0 45a7416c
 monitoring 1.9.1 fd240701
 monitoring 1.9.2 f9f8bb2f
-monitoring 1.10.0 HEAD
+monitoring 1.10.0 632224a3
 monitoring 1.10.1 HEAD
 seaweedfs 0.1.0 71514249
 seaweedfs 0.2.0 5fb9cfe3
 seaweedfs 0.2.1 fde4bcfa
 seaweedfs 0.3.0 45a7416c
-seaweedfs 0.4.0 HEAD
+seaweedfs 0.4.0 632224a3
 seaweedfs 0.4.1 HEAD
--- a/packages/library/cozy-lib/templates/_rbac.tpl
+++ b/packages/library/cozy-lib/templates/_rbac.tpl
@@ -0,0 +1,106 @@
 {{- define "cozy-lib.rbac.accessLevelMap" }}
 view: 0
 use: 1
 admin: 2
 super-admin: 3
 {{- end }}
 {{- define "cozy-lib.rbac.accessLevelToInt" }}
 {{-   $accessMap := include "cozy-lib.rbac.accessLevelMap" "" | fromYaml }}
 {{-   $accessLevel := dig . -1 $accessMap | int }}
 {{-   if eq $accessLevel -1 }}
 {{-     printf "encountered access level of %s, allowed values are %s" . ($accessMap | keys) | fail }}
 {{-   end }}
 {{-   $accessLevel }}
 {{- end }}
 {{- define "cozy-lib.rbac.accessLevelsAtOrAbove" }}
 {{-   $minLevelInt := include "cozy-lib.rbac.accessLevelToInt" . | int }}
 {{-   range $k, $v := (include "cozy-lib.rbac.accessLevelMap" "" | fromYaml) }}
 {{-     if ge (int $v) $minLevelInt }}
 - {{ $k }}
 {{-     end }}
 {{-   end }}
 {{- end }}
 {{- define "cozy-lib.rbac.allParentTenantsAndThis" }}
 {{-   if not (hasPrefix "tenant-" .) }}
 {{-     printf "'%s' is not a valid tenant identifier" . | fail }}
 {{-   end }}
 {{-   $parts := append (splitList "-" .) "" }}
 {{-   $tenants := list }}
 {{-   range untilStep 2 (len $parts) 1 }}
 {{-     $tenants = append $tenants (slice $parts 0 . | join "-") }}
 {{-   end }}
 {{-   range $tenants }}
 - {{ . }}
 {{-   end }}
 {{-   if not (eq . "tenant-root") }}
 - tenant-root
 {{-   end }}
 {{- end }}
 {{- define "cozy-lib.rbac.groupSubject" -}}
 - kind: Group
  name: {{ . }}
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- define "cozy-lib.rbac.serviceAccountSubject" -}}
 - kind: ServiceAccount
  name: {{ . }}
  namespace: {{ . }}
 {{- end }}
 {{- /* 
  A helper function to get a list of groups that should have access, given a
  minimal access level and the tenant. Invoked as:
  {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" $) }}
  For an example input of (list "use" $) and a .Release.Namespace of
  tenant-abc-def it will return:
  ---
  - kind: Group
    name: tenant-abc-admin
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: tenant-abc-def-admin
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: tenant-abc-super-admin
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: tenant-abc-def-super-admin
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: tenant-abc-use
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: tenant-abc-def-use
    apiGroup: rbac.authorization.k8s.io
  in other words, all roles including use and higher and for tenant-abc-def, as
  well as all parent, grandparent, etc. tenants.
 */}}
 {{- define "cozy-lib.rbac.subjectsForTenantAndAccessLevel" }}
 {{-   include "cozy-lib.checkInput" . }}
 {{-   $level := index . 0 }}
 {{-   $tenant := index . 1 }}
 {{-   $levels := include "cozy-lib.rbac.accessLevelsAtOrAbove" $level | fromYamlArray }}
 {{-   $tenants := include "cozy-lib.rbac.allParentTenantsAndThis" $tenant | fromYamlArray }}
 {{-   range $t := $tenants }}
 {{-     include "cozy-lib.rbac.serviceAccountSubject" $t }}{{ printf "\n" }}
 {{-     range $l := $levels }}
 {{-       include "cozy-lib.rbac.groupSubject" (printf "%s-%s" $t $l) }}{{ printf "\n" }}
 {{-     end }}
 {{-   end}}
 {{- end }}
 {{- define "cozy-lib.rbac.subjectsForTenant" }}
 {{-   include "cozy-lib.checkInput" . }}
 {{-   $level := index . 0 }}
 {{-   $tenant := index . 1 }}
 {{-   $tenants := include "cozy-lib.rbac.allParentTenantsAndThis" $tenant | fromYamlArray }}
 {{-   range $t := $tenants }}
 {{-     include "cozy-lib.rbac.groupSubject" (printf "%s-%s" $t $level) }}{{ printf "\n" }}
 {{-   end}}
 {{- end }}
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:87669221b6c51dfdf9d9b0c97b41b90cb9199de3739c1623351f604621a99ae3
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:a634d52923f2f6acc8bd9595b3fa500d1cbdc686dfbeb59e36060d805e5a2684
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.31.1@sha256:4b6fc8f5a50ad02486aca663f6d29a800dcc1eb66763ca7f0e8f176b37f97f16
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.31.2@sha256:1b545911b21026f22eba46974294b8ac223e76a1ab84b42eae7f7c952547c9ca
--- a/packages/system/cozystack-controller/templates/rbac.yaml
+++ b/packages/system/cozystack-controller/templates/rbac.yaml
@@ -12,3 +12,6 @@ rules:
 - apiGroups: ["helm.toolkit.fluxcd.io"]
  resources: ["helmreleases"]
  verbs: ["get", "list", "watch", "patch", "update"]
 - apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch", "patch", "update"]
--- a/packages/system/cozystack-controller/values.yaml
+++ b/packages/system/cozystack-controller/values.yaml
@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.31.1@sha256:7b415d9cbad18fdfbc13423a930a03164141d1972500fe3a1a45ba240da75c55
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.31.2@sha256:0f07f4f796c3ca9f34ea36876ca2e86c6b10b11dc8122433021769681b0f15bf
  debug: false
  disableTelemetry: false
-  cozystackVersion: "v0.31.1"
+  cozystackVersion: "v0.31.2"
--- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
@@ -76,7 +76,7 @@ data:
      "kubeappsNamespace": {{ .Release.Namespace | quote }},
      "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
      "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.31.1",
+      "appVersion": "v0.31.2",
      "authProxyEnabled": {{ .Values.authProxy.enabled }},
      "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
      "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},
--- a/packages/system/dashboard/images/dashboard/Dockerfile
+++ b/packages/system/dashboard/images/dashboard/Dockerfile
@@ -1,7 +1,7 @@
 FROM bitnami/node:20.15.1 AS build
 WORKDIR /app
-ARG COMMIT_REF=190ea544aeb0be74bb6d1aa4bb474910559e7ecd
+ARG COMMIT_REF=6856b66f9244ef1b2703a2f30899366e0ba040de
 RUN wget -O- https://github.com/cozystack/kubeapps/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=2 kubeapps-${COMMIT_REF}/dashboard
 RUN yarn install --frozen-lockfile
--- a/packages/system/dashboard/images/kubeapps-apis/Dockerfile
+++ b/packages/system/dashboard/images/kubeapps-apis/Dockerfile
@@ -4,7 +4,7 @@
 # syntax = docker/dockerfile:1
 FROM alpine AS source
-ARG COMMIT_REF=dd02680d796c962b8dcc4e5ea70960a846c1acdc
+ARG COMMIT_REF=6856b66f9244ef1b2703a2f30899366e0ba040de
 RUN apk add --no-cache patch
 WORKDIR /source
 RUN wget -O- https://github.com/cozystack/kubeapps/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -19,24 +19,26 @@ kubeapps:
    image:
      registry: ghcr.io/cozystack/cozystack
      repository: dashboard
-      tag: v0.31.1
+      tag: v0.31.2
-      digest: "sha256:a83fe4654f547469cfa469a02bda1273c54bca103a41eb007fdb2e18a7a91e93"
+      digest: "sha256:5e514516bd3dc0c693bb346ddeb9740e0439a59deb2a56b87317286e3ce79ac9"
  redis:
    master:
      resourcesPreset: "none"
      resources:
        requests:
-          cpu: 200m
+          cpu: 20m
-          memory: 256Mi
+          memory: 32Mi
        limits:
          memory: 256Mi
  kubeappsapis:
    resourcesPreset: "none"
    qps: "250.0"
    burst: "500"
    image:
      registry: ghcr.io/cozystack/cozystack
      repository: kubeapps-apis
-      tag: v0.31.1
+      tag: v0.31.2
-      digest: "sha256:07646be7508e443c2fe11b1f33757a716aec487c09b42343e490f9edccb1d57f"
+      digest: "sha256:930f8f4b9e69a82f3de7fee951ead272f5d3a4c5d8eddad33b068f9e9682a962"
    pluginConfig:
      flux:
        packages:
--- a/packages/system/fluxcd-operator/values.yaml
+++ b/packages/system/fluxcd-operator/values.yaml
@@ -5,3 +5,10 @@ flux-operator:
      operator: Exists
      effect: NoSchedule
  hostNetwork: true
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 10m
      memory: 64Mi
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,7 +3,7 @@ kamaji:
    deploy: false
  image:
    pullPolicy: IfNotPresent
-    tag: v0.31.1@sha256:2402c2e4592d79983e074a2de8758a72f8cf2ea653cd30e0550ff2b988eb2e00
+    tag: v0.31.2@sha256:39bd83f5e7dae9c462f25d3aaef4240749dc380469062b9184727d5b12d0d584
    repository: ghcr.io/cozystack/cozystack/kamaji
  resources:
    limits:
--- a/packages/system/kubeovn-webhook/values.yaml
+++ b/packages/system/kubeovn-webhook/values.yaml
@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.31.1@sha256:c3f68266a7a43f87a392449939c0fe990821325bcb8070efb8e50f1f886b9c2c
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.31.2@sha256:afb08b32724c573d5b6503343271ae59cae2e7b554d7d441a276615416b59e71
--- a/packages/system/kubeovn/values.yaml
+++ b/packages/system/kubeovn/values.yaml
@@ -16,6 +16,48 @@ kube-ovn:
  OPENVSWITCH_DIR: "/var/lib/openvswitch"
  OVN_DIR: "/var/lib/ovn"
  DISABLE_MODULES_MANAGEMENT: true
  ovn-central:
    requests:
      cpu: "50m"
      memory: "100Mi"
    limits:
      cpu: "3"
      memory: "4Gi"
  ovs-ovn:
    requests:
      cpu: "10m"
      memory: "50Mi"
    limits:
      cpu: "2"
      memory: "1000Mi"
  kube-ovn-controller:
    requests:
      cpu: "10m"
      memory: "100Mi"
    limits:
      cpu: "1000m"
      memory: "1Gi"
  kube-ovn-cni:
    requests:
      cpu: "50m"
      memory: "50Mi"
    limits:
      cpu: "1000m"
      memory: "1Gi"
  kube-ovn-pinger:
    requests:
      cpu: "10m"
      memory: "50Mi"
    limits:
      cpu: "200m"
      memory: "400Mi"
  kube-ovn-monitor:
    requests:
      cpu: "10m"
      memory: "50Mi"
    limits:
      cpu: "200m"
      memory: "200Mi"
 global:
  registry:
    address: ghcr.io/cozystack/cozystack
--- a/packages/system/metallb/values.yaml
+++ b/packages/system/metallb/values.yaml
@@ -4,8 +4,8 @@ metallb:
  controller:
    image:
      repository: ghcr.io/cozystack/cozystack/metallb-controller
-      tag: v0.14.9@sha256:d8fa1a8147f844fb6add20a2147e9be6d1c26424748439c2648a0f6d8e10804d
+      tag: v0.14.9@sha256:9bd71ad21152915dc1c31c79aa1b64ea248d3785b1d6c08ae8c62cc6f688e59a
  speaker:
    image:
      repository: ghcr.io/cozystack/cozystack/metallb-speaker
-      tag: v0.14.9@sha256:a65437314ef23acf030afb44c3a25c5cb6ee813041e9b36ee7e0988a1e21b762
+      tag: v0.14.9@sha256:f63fe3478101c711d84ba7423f0deb6b0c403ca278ca1b9327c693aaf51a3d1e
--- a/packages/system/snapshot-controller/template/clusterissuer.yaml
+++ b/packages/system/snapshot-controller/template/clusterissuer.yaml
@@ -0,0 +1,8 @@
 {{- if not (lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "cozy-cert-manager" "cert-manager-issuers") }}
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: selfsigned-cluster-issuer
 spec:
  selfSigned: {}
 {{- end }}
--- a/scripts/migrations/13
+++ b/scripts/migrations/13
@@ -0,0 +1,10 @@
 #!/bin/sh
 # Migration 13 --> 14
 # Upgrade tenants.apps to new chart version
 kubectl get tenants.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
  kubectl patch tenants.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.10.0"}'
 done
 # Write version to cozystack-version config
 kubectl create configmap -n cozy-system cozystack-version --from-literal=version=14 --dry-run=client -o yaml | kubectl apply -f-
Author	SHA1	Message	Date
Andrei Kvapil	e98fa9cd72	Release v0.31.2 (#1071 ) This PR prepares the release `v0.31.2`.	2025-06-17 02:27:18 +02:00
Andrei Kvapil	01d90bb736	[Backport release-0.31] Refactor roles and permissions for tenants Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2025-06-16 21:31:41 +02:00
github-actions	e04cfaaa58	Prepare release v0.31.2 Signed-off-by: github-actions <github-actions@github.com>	2025-06-16 19:26:34 +00:00
Andrei Kvapil	8c86905b22	[Backport release-0.31] [cozystack-controller] Fix RBAC for annotating namespaces (#1037 ) # Description Backport of #1031 to `release-0.31`.	2025-06-16 18:21:55 +02:00
Andrei Kvapil	84955d13ac	[Backport release-0.31] [kafka] specify mimimal working resource presets (#1041 ) # Description Backport of #1040 to `release-0.31`.	2025-06-16 18:21:42 +02:00
Andrei Kvapil	46e5044851	[Backport release-0.31] Dashboard update and fixes (#1066 ) - [dashboard] Cumulative update (#1042) - [dashboard] Remove dependency on linsting secrets (#1066)	2025-06-16 18:21:17 +02:00
Andrei Kvapil	3a3f44a427	[dashboard] Remove dependency on linsting secrets Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2025-06-16 18:20:46 +02:00
Andrei Kvapil	0cc35a212c	[dashboard] Cumulative update Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2025-06-16 18:20:39 +02:00
Andrei Kvapil	0bb79adec0	[Backport release-0.31] [docs] Review the Clickhouse app docs (#1065 ) # Description Backport of #1059 to `release-0.31`.	2025-06-16 18:19:29 +02:00
Andrei Kvapil	9e89a9d3ad	[Backport release-0.31] [bugfix] fix distro full bundle (#1064 ) # Description Backport of #1056 to `release-0.31`.	2025-06-16 18:19:19 +02:00
Andrei Kvapil	ddfb1d65e3	[Backport release-0.31] [platform] decrease resources for system applications (#1058 ) # Description Backport of #1054 to `release-0.31`.	2025-06-16 18:18:52 +02:00
Nick Volynkin	efafe16d3b	[docs] Review the Clickhouse app docs Signed-off-by: Nick Volynkin <nick.volynkin@gmail.com> (cherry picked from commit `980185ca2b`)	2025-06-16 16:14:48 +00:00
kklinch0	e1b4861c8a	[bugfix] fix distro full bundle Signed-off-by: kklinch0 <kklinch0@gmail.com> (cherry picked from commit `6a713e5eb4`)	2025-06-16 16:14:37 +00:00
kklinch0	4d0bf14fc3	[platform] cut resources Signed-off-by: kklinch0 <kklinch0@gmail.com> (cherry picked from commit `0fa70d9d38`)	2025-06-14 06:33:03 +00:00
Andrei Kvapil	35069ff3e9	[kafka] specify mimimal working resource presets Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `ba97a4593c`)	2025-06-09 22:34:37 +00:00
Andrei Kvapil	b9afd69df0	[cozystack-controller] Fix RBAC for annotating namespaces Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `ac5145be87`)	2025-06-09 08:16:37 +00:00
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/nginx-cache:0.5.0@sha256:99cd04f09f80eb0c60cc0b2f6bc8180ada7ada00cb594606447674953dfa1b67`	`ghcr.io/cozystack/cozystack/nginx-cache:0.5.0@sha256:c1944c60a449e36e29153a38db6feee41139d38b02fe3670efb673feb3bc0ee6`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/cluster-autoscaler:0.21.0@sha256:7315850634728a5864a3de3150c12f0e1454f3f1ce33cdf21a278f57611dd5e9`	`ghcr.io/cozystack/cozystack/cluster-autoscaler:0.21.0@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.21.0@sha256:6962bdf51ab2ff40b420b9cff7c850aeea02187da2a65a67f10e0471744649d7`	`ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.21.0@sha256:c53cff22980c754eb45f552cb1ccd3d9ad0b4ce4c12b024012e0ae256fd114f0`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.21.0@sha256:b1525163cd21938ac934bb1b860f2f3151464fa463b82880ab058167aeaf3e29`	`ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.21.0@sha256:510e4c8db50126391b94668fccce9f6ed82d298a02882d2585596b5c6213ddc3`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.32@sha256:bfe568db4b768a4b6c67a8d562892bbba766d0245e140d431754589b347f0b41`	`ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.32@sha256:e53f2394c7aa76ad10818ffb945e40006cd77406999e47e036d41b8b0bf094cc`
`@@ -1,2 +1,2 @@`
	`cozystack:`	`cozystack:`
	`image: ghcr.io/cozystack/cozystack/installer:v0.31.1@sha256:b8f418e45dcbf351b13ce743f3528b195159753430d35c619dd82a1c676ae3bb`	`image: ghcr.io/cozystack/cozystack/installer:v0.31.2@sha256:c45ab98465c0077337077f86f5e7d8ab3c051db6092854bbc9c26400c3317f9a`
`@@ -1,2 +1,2 @@`
	`e2e:`	`e2e:`
	`image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.31.1@sha256:55809f10d69d32b47b9ca306482861255408516eab7775498ac71368f362ee96`	`image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.31.2@sha256:90468a068e64d41135e94104307dfee7c34baa97d1ad3661431a54a2a5742f5f`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/matchbox:v0.31.1@sha256:31b267a3a542e4ddabcadb85fbfe1fb0746e57cc29d941d320437cfd0abae7d9`	`ghcr.io/cozystack/cozystack/matchbox:v0.31.2@sha256:b680021f59d717929fe41bc974a0e39ab9b4d361bf8f5189c7a98c2267bd039e`
`@@ -1 +1 @@`
	`ghcr.io/cozystack/cozystack/grafana:1.10.0@sha256:c63978e1ed0304e8518b31ddee56c4e8115541b997d8efbe1c0a74da57140399`	`ghcr.io/cozystack/cozystack/grafana:1.10.1@sha256:c63978e1ed0304e8518b31ddee56c4e8115541b997d8efbe1c0a74da57140399`