cilium: disable hostLegacyRouting

2026-03-30 08:03:33 +00:00 · 2024-08-29 13:20:35 +02:00
94 changed files with 13224 additions and 16487 deletions
--- a/hack/e2e.sh
+++ b/hack/e2e.sh
@@ -309,9 +309,8 @@ kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-i
 kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd

 # Wait for Victoria metrics
-kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-longterm vmalert/vmalert-shortterm vmalertmanager/alertmanager
-kubectl wait --timeout=5m --for=jsonpath=.status.status=operational -n tenant-root vlogs/generic
-kubectl wait --timeout=5m --for=jsonpath=.status.clusterStatus=operational -n tenant-root vmcluster/shortterm vmcluster/longterm
+kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert-longterm vmalert-vmalert-shortterm vminsert-longterm vminsert-shortterm
+kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=2 -n tenant-root sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm

 # Wait for grafana
 kubectl wait --timeout=5m --for=condition=ready -n tenant-root clusters.postgresql.cnpg.io grafana-db
--- a/hack/gen_versions_map.sh
+++ b/hack/gen_versions_map.sh
@@ -24,36 +24,24 @@ resolved_miss_map=$(
      change_commit=$(git --no-pager blame -L"$line",+1 -- "$chart/Chart.yaml" | awk '{print $1}')
       
      if [ "$change_commit" = "00000000" ]; then
-        # Not committed yet, use previous commit
+        # Not commited yet, use previus commit
        line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
        commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
        if [ $(echo $commit | cut -c1) = "^" ]; then
-          # Previous commit not exists
+          # Previus commit not exists
          commit=$(echo $commit | cut -c2-)
        fi
      else
-        # Committed, but version_map wasn't updated
+        # Commited, but version_map wasn't updated
        line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
        change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
        if [ $(echo $change_commit | cut -c1) = "^" ]; then
-          # Previous commit not exists
+          # Previus commit not exists
          commit=$(echo $change_commit | cut -c2-)
        else
          commit=$(git describe --always "$change_commit~1")
        fi
      fi
-
-      # Check if the commit belongs to the main branch
-      if ! git merge-base --is-ancestor "$commit" main; then
-        # Find the closest parent commit that belongs to main
-        commit_in_main=$(git log --pretty=format:"%H" main -- "$chart/Chart.yaml" | head -n 1)
-        if [ -n "$commit_in_main" ]; then
-          commit="$commit_in_main"
-        else
-          # No valid commit found in main branch for $chart, skipping..."
-          continue
-        fi
-      fi
    fi
    echo "$chart $version $commit"
  done
--- a/manifests/cozystack-installer.yaml
+++ b/manifests/cozystack-installer.yaml
@@ -68,7 +68,7 @@ spec:
      serviceAccountName: cozystack
      containers:
      - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.14.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.12.0"
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: localhost
@@ -87,7 +87,7 @@ spec:
            fieldRef:
              fieldPath: metadata.name
      - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.14.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.12.0"
        command:
        - /usr/bin/darkhttpd
        - /cozystack/assets
--- a/packages/apps/clickhouse/Chart.yaml
+++ b/packages/apps/clickhouse/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.3.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/clickhouse/templates/clickhouse.yaml
+++ b/packages/apps/clickhouse/templates/clickhouse.yaml
@@ -1,32 +1,3 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
-{{- $passwords := dict }}
-
-{{- with (index $existingSecret "data") }}
-  {{- range $k, $v := . }}
-    {{- $_ := set $passwords $k (b64dec $v) }}
-  {{- end }}
-{{- end }}
-
-{{- range $user, $u := .Values.users }}
-  {{- if $u.password }}
-    {{- $_ := set $passwords $user $u.password }}
-  {{- else if not (index $passwords $user) }}
-    {{- $_ := set $passwords $user (randAlphaNum 16) }}
-  {{- end }}
-{{- end }}
-
-{{- if .Values.users }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-credentials
-stringData:
-  {{- range $user, $u := .Values.users }}
-  {{ quote $user }}: {{ quote (index $passwords $user) }}
-  {{- end }}
-{{- end }}
-
---
 apiVersion: "clickhouse.altinity.com/v1"
 kind: "ClickHouseInstallation"
 metadata:
@@ -41,7 +12,7 @@ spec:
    {{- with .Values.users }}
    users:
      {{- range $name, $u := . }}
-      {{ $name }}/password_sha256_hex: {{ sha256sum (index $passwords $name) }}
+      {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
      {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
      {{ $name }}/networks/ip: ["::/0"]
      {{- end }}
@@ -60,7 +31,7 @@ spec:
        spec:
          accessModes:
            - ReadWriteOnce
-          {{- with $.Values.storageClass }}
+          {{- with .Values.stroageClass }}
          storageClassName: {{ . }}
          {{- end }}
          resources:
--- a/packages/apps/clickhouse/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/clickhouse/templates/dashboard-resourcemap.yaml
@@ -1,19 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .Release.Name }}-dashboard-resources
-rules:
- apiGroups:
-  - ""
-  resources:
-  - services
-  resourceNames:
-  - chi-clickhouse-test-clickhouse-0-0
-  verbs: ["get", "list", "watch"]
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  resourceNames:
-  - {{ .Release.Name }}-credentials
-  verbs: ["get", "list", "watch"]
--- a/packages/apps/ferretdb/Chart.yaml
+++ b/packages/apps/ferretdb/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.3.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/ferretdb/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/ferretdb/templates/dashboard-resourcemap.yaml
@@ -1,19 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .Release.Name }}-dashboard-resources
-rules:
- apiGroups:
-  - ""
-  resources:
-  - services
-  resourceNames:
-  - {{ .Release.Name }}
-  verbs: ["get", "list", "watch"]
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  resourceNames:
-  - {{ .Release.Name }}-credentials
-  verbs: ["get", "list", "watch"]
--- a/packages/apps/ferretdb/templates/init-script.yaml
+++ b/packages/apps/ferretdb/templates/init-script.yaml
@@ -1,30 +1,3 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
-{{- $passwords := dict }}
-
-{{- with (index $existingSecret "data") }}
-  {{- range $k, $v := . }}
-    {{- $_ := set $passwords $k (b64dec $v) }}
-  {{- end }}
-{{- end }}
-
-{{- range $user, $u := .Values.users }}
-  {{- if $u.password }}
-    {{- $_ := set $passwords $user $u.password }}
-  {{- else if not (index $passwords $user) }}
-    {{- $_ := set $passwords $user (randAlphaNum 16) }}
-  {{- end }}
-{{- end }}
-
-{{- if .Values.users }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-credentials
-stringData:
-  {{- range $user, $u := .Values.users }}
-  {{ quote $user }}: {{ quote (index $passwords $user) }}
-  {{- end }}
-{{- end }}
 ---
 apiVersion: v1
 kind: Secret
@@ -40,7 +13,7 @@ stringData:
    {{- range $user, $u := .Values.users }}
    SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
    COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
    {{- end }}
    EOT
--- a/packages/apps/ferretdb/templates/postgres.yaml
+++ b/packages/apps/ferretdb/templates/postgres.yaml
@@ -15,7 +15,7 @@ spec:

  storage:
    size: {{ required ".Values.size is required" .Values.size }}
-    {{- with .Values.storageClass }}
+    {{- with .Values.stroageClass }}
    storageClass: {{ . }}
    {{- end }}

--- a/packages/apps/ferretdb/values2.yaml
+++ b/packages/apps/ferretdb/values2.yaml
@@ -0,0 +1,56 @@
+## @section Common parameters
+
+## @param external Enable external access from outside the cluster
+## @param size Persistent Volume size
+## @param replicas Number of Postgres replicas
+##
+external: false
+size: 10Gi
+replicas: 1
+
+## Configuration for the quorum-based synchronous replication
+## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
+## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
+quorum:
+  minSyncReplicas: 0
+  maxSyncReplicas: 0
+
+## @section Configuration parameters
+
+## @param users [object] Users configuration
+## Example:
+## users:
+##   user1:
+##     password: strongpassword
+##   user2:
+##     password: hackme
+##
+users:
+  foo:
+    password: asd
+  bar:
+    password: asd
+  baz:
+    password: asd
+  boo:
+    password: asd
+
+## @section Backup parameters
+
+## @param backup.enabled Enable pereiodic backups
+## @param backup.s3Region The AWS S3 region where backups are stored
+## @param backup.s3Bucket The S3 bucket used for storing backups
+## @param backup.schedule Cron schedule for automated backups
+## @param backup.cleanupStrategy The strategy for cleaning up old backups
+## @param backup.s3AccessKey The access key for S3, used for authentication
+## @param backup.s3SecretKey The secret key for S3, used for authentication
+## @param backup.resticPassword The password for Restic backup encryption
+backup:
+  enabled: false
+  s3Region: us-east-1
+  s3Bucket: s3.example.org/postgres-backups
+  schedule: "0 2 * * *"
+  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
--- a/packages/apps/http-cache/templates/nginx/deployment.yaml
+++ b/packages/apps/http-cache/templates/nginx/deployment.yaml
@@ -114,7 +114,7 @@ spec:
  resources:
    requests:
      storage: "{{ $.Values.size }}"
-  {{- with $.Values.storageClass }}
+  {{- with $.Values.stroageClass }}
  storageClassName: {{ . }}
  {{- end }}
 ---
--- a/packages/apps/kafka/templates/kafka.yaml
+++ b/packages/apps/kafka/templates/kafka.yaml
@@ -53,7 +53,7 @@ spec:
        {{- with .Values.kafka.size }}
        size: {{ . }}
        {{- end }}
-        {{- with .Values.kafka.storageClass }}
+        {{- with .Values.kafka.stroageClass }}
        class: {{ . }}
        {{- end }}
        deleteClaim: true
@@ -64,7 +64,7 @@ spec:
      {{- with .Values.zookeeper.size }}
      size: {{ . }}
      {{- end }}
-      {{- with .Values.kafka.storageClass }}
+      {{- with .Values.kafka.stroageClass }}
      class: {{ . }}
      {{- end }}
      deleteClaim: false
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.0
+version: 0.9.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -18,8 +18,6 @@ spec:
      runStrategy: Always
      template:
        metadata:
-          annotations:
-            kubevirt.io/allow-pod-bridge-network-live-migration: "true"
          labels:
            {{- range .group.roles }}
            node-role.kubernetes.io/{{ . }}: ""
@@ -40,9 +38,7 @@ spec:
                disk:
                  bus: virtio
                  pciAddress: 0000:08:00.0
-              interfaces:
-              - name: default
-                bridge: {}
+              networkInterfaceMultiqueue: true
            memory:
              guest: {{ .group.resources.memory }}
          evictionStrategy: External
@@ -53,9 +49,6 @@ spec:
          - name: ephemeral
            emptyDisk:
              capacity: {{ .group.ephemeralStorage | default "20Gi" }}
-          networks:
-          - name: default
-            pod: {}
 {{- end }}
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
--- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
@@ -31,8 +31,20 @@ spec:
  values:
    cilium:
      tunnel: disabled
+      autoDirectNodeRoutes: false
+      bpf:
+        masquerade: true
+      cgroup:
+        autoMount:
+          enabled: true
+        hostRoot: /run/cilium/cgroupv2
      k8sServiceHost: {{ .Release.Name }}.{{ .Release.Namespace }}.svc
      k8sServicePort: 6443
+    
+      cni:
+        chainingMode: ~
+        customConf: false
+        configMap: ""
      routingMode: tunnel
      enableIPv4Masquerade: true
      ipv4NativeRoutingCIDR: ""
--- a/packages/apps/kubernetes/templates/helmreleases/csi.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/csi.yaml
@@ -28,7 +28,7 @@ spec:
  upgrade:
    remediation:
      retries: -1
-  {{- with .Values.storageClass }}
+  {{- with .Values.stroageClass }}
  values:
    storageClass: "{{ . }}"
  {{- end }}
--- a/packages/apps/mysql/Chart.yaml
+++ b/packages/apps/mysql/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.4.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/mysql/README.md
+++ b/packages/apps/mysql/README.md
@@ -79,7 +79,7 @@ more details:
 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
 | `users`     | Users configuration     | `{}`  |
-| `databases` | Databases configuration | `{}`  |
+| `databases` | Databases configuration | `[]`  |

 ### Backup parameters

--- a/packages/apps/mysql/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/mysql/templates/dashboard-resourcemap.yaml
@@ -1,20 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .Release.Name }}-dashboard-resources
-rules:
- apiGroups:
-  - ""
-  resources:
-  - services
-  resourceNames:
-  - {{ .Release.Name }}-primary
-  - {{ .Release.Name }}-secondary
-  verbs: ["get", "list", "watch"]
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  resourceNames:
-  - {{ .Release.Name }}-credentials
-  verbs: ["get", "list", "watch"]
--- a/packages/apps/mysql/templates/db.yaml
+++ b/packages/apps/mysql/templates/db.yaml
@@ -1,47 +1,14 @@
-{{- range $name, $db := .Values.databases }}
-{{ $dbDNSName := replace "_" "-" $name }}
+{{- range $name := .Values.databases }}
+{{ $dnsName := replace "_" "-" $name }}
 ---
 apiVersion: k8s.mariadb.com/v1alpha1
 kind: Database
 metadata:
-  name: {{ $.Release.Name }}-{{ $dbDNSName }}
+  name: {{ $.Release.Name }}-{{ $dnsName }}
 spec:
  name: {{ $name }}
  mariaDbRef:
    name: {{ $.Release.Name }}
  characterSet: utf8
  collate: utf8_general_ci
-{{- range $user := $db.roles.admin }}
-{{ $userDNSName := replace "_" "-" $user }}
---
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Grant
-metadata:
-  name: {{ $.Release.Name }}-{{ $dbDNSName }}-{{ $userDNSName }}
-spec:
-  mariaDbRef:
-    name: {{ $.Release.Name }}
-  privileges: ['ALL']
-  database: {{ $name }}
-  table: "*"
-  username: {{ $user }}
-  grantOption: true
-{{- end }}
-{{- range $user := $db.roles.readonly }}
-{{ $userDNSName := replace "_" "-" $user }}
---
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Grant
-metadata:
-  name: {{ $.Release.Name }}-{{ $dbDNSName }}-{{ $userDNSName }}
-spec:
-  mariaDbRef:
-    name: {{ $.Release.Name }}
-  privileges: ['SELECT']
-  database: {{ $name }}
-  table: "*"
-  username: {{ $user }}
-  grantOption: true
-{{- end }}
-
 {{- end }}
--- a/packages/apps/mysql/templates/mariadb.yaml
+++ b/packages/apps/mysql/templates/mariadb.yaml
@@ -4,9 +4,11 @@ kind: MariaDB
 metadata:
  name: {{ .Release.Name }}
 spec:
+  {{- if (and .Values.users.root .Values.users.root.password) }}
  rootPasswordSecretKeyRef:
-    name: {{ .Release.Name }}-credentials
-    key: root
+    name: {{ .Release.Name }}
+    key: root-password
+  {{- end }}

  image: "mariadb:11.0.2"

@@ -60,7 +62,7 @@ spec:
    size: {{ .Values.size }}
    resizeInUseVolumes: true
    waitForVolumeResize: true
-    {{- with .Values.storageClass }}
+    {{- with .Values.stroageClass }}
    storageClassName: {{ . }}
    {{- end }}

--- a/packages/apps/mysql/templates/secret.yaml
+++ b/packages/apps/mysql/templates/secret.yaml
@@ -1,31 +1,9 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
-{{- $passwords := dict }}
-
-{{- with (index $existingSecret "data") }}
-  {{- range $k, $v := . }}
-    {{- $_ := set $passwords $k (b64dec $v) }}
-  {{- end }}
-{{- end }}
-
-{{- $usersWithRoot := .Values.users }}
-{{- if (and .Values.users.root .Values.users.root.password) }}
-  {{- $_ := set $usersWithRoot "root" dict }}
-{{- end }}
-
-{{- range $user, $u := $usersWithRoot }}
-  {{- if $u.password }}
-    {{- $_ := set $passwords $user $u.password }}
-  {{- else if not (index $passwords $user) }}
-    {{- $_ := set $passwords $user (randAlphaNum 16) }}
-  {{- end }}
-{{- end }}
-
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-credentials
+  name: {{ .Release.Name }}
 stringData:
-  {{- range $name, $u := $usersWithRoot }}
-  {{ $name }}: {{ index $passwords $name }}
+  {{- range $name, $u := .Values.users }}
+  {{ $name }}-password: {{ $u.password }}
  {{- end }}
--- a/packages/apps/mysql/templates/user.yaml
+++ b/packages/apps/mysql/templates/user.yaml
@@ -11,8 +11,21 @@ spec:
  mariaDbRef:
    name: {{ $.Release.Name }}
  passwordSecretKeyRef:
-    name: {{ $.Release.Name }}-credentials
-    key: {{ $name }}
+    name: {{ $.Release.Name }}
+    key: {{ $name }}-password
  maxUserConnections: {{ $u.maxUserConnections }}
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: {{ $.Release.Name }}-{{ $dnsName }}
+spec:
+  mariaDbRef:
+    name: {{ $.Release.Name }}
+  privileges: {{ $u.privileges | toJson }}
+  database: "*"
+  table: "*"
+  username: {{ $name }}
+  grantOption: true
 {{- end }}
 {{- end }}
--- a/packages/apps/mysql/values.schema.json
+++ b/packages/apps/mysql/values.schema.json
@@ -22,6 +22,12 @@
            "description": "StorageClass used to store the data",
            "default": ""
        },
+        "databases": {
+            "type": "array",
+            "description": "Databases configuration",
+            "default": [],
+            "items": {}
+        },
        "backup": {
            "type": "object",
            "properties": {
--- a/packages/apps/mysql/values.yaml
+++ b/packages/apps/mysql/values.yaml
@@ -15,25 +15,27 @@ storageClass: ""
 ## @param users [object] Users configuration
 ## Example:
 ## users:
+##   root:
+##     password: strongpassword
 ##   user1:
+##     privileges: ['ALL']
 ##     maxUserConnections: 1000
 ##     password: hackme
 ##   user2:
+##     privileges: ['SELECT']
 ##     maxUserConnections: 1000
 ##     password: hackme
 ##
 users: {}

-## @param databases [object] Databases configuration
+## @param databases Databases configuration
 ## Example:
 ## databases:
-##   myapp1:
-##     roles:
-##       admin:
-##       - user1
-##       readonly:
-##       - user2
-databases: {}
+## - wordpress1
+## - wordpress2
+## - wordpress3
+## - wordpress4
+databases: []

 ## @section Backup parameters

--- a/packages/apps/postgres/Chart.yaml
+++ b/packages/apps/postgres/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.5.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/postgres/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/postgres/templates/dashboard-resourcemap.yaml
@@ -8,14 +8,7 @@ rules:
  resources:
  - services
  resourceNames:
-  - {{ .Release.Name }}-r
-  - {{ .Release.Name }}-ro
-  - {{ .Release.Name }}-rw
-  verbs: ["get", "list", "watch"]
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  resourceNames:
-  - {{ .Release.Name }}-credentials
+  - postgres-service-r
+  - postgres-service-ro
+  - postgres-service-rw
  verbs: ["get", "list", "watch"]
--- a/packages/apps/postgres/templates/db.yaml
+++ b/packages/apps/postgres/templates/db.yaml
@@ -19,7 +19,7 @@ spec:

  storage:
    size: {{ required ".Values.size is required" .Values.size }}
-    {{- with .Values.storageClass }}
+    {{- with .Values.stroageClass }}
    storageClass: {{ . }}
    {{- end }}

--- a/packages/apps/postgres/templates/init-script.yaml
+++ b/packages/apps/postgres/templates/init-script.yaml
@@ -1,30 +1,3 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
-{{- $passwords := dict }}
-
-{{- with (index $existingSecret "data") }}
-  {{- range $k, $v := . }}
-    {{- $_ := set $passwords $k (b64dec $v) }}
-  {{- end }}
-{{- end }}
-
-{{- range $user, $u := .Values.users }}
-  {{- if $u.password }}
-    {{- $_ := set $passwords $user $u.password }}
-  {{- else if not (index $passwords $user) }}
-    {{- $_ := set $passwords $user (randAlphaNum 16) }}
-  {{- end }}
-{{- end }}
-
-{{- if .Values.users }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-credentials
-stringData:
-  {{- range $user, $u := .Values.users }}
-  {{ quote $user }}: {{ quote (index $passwords $user) }}
-  {{- end }}
-{{- end }}
 ---
 apiVersion: v1
 kind: Secret
@@ -40,7 +13,7 @@ stringData:
    {{- range $user, $u := .Values.users }}
    SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
    COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
    {{- end }}
    EOT
--- a/packages/apps/rabbitmq/Chart.yaml
+++ b/packages/apps/rabbitmq/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.3.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.13.2"
+appVersion: "3.12.2"
--- a/packages/apps/rabbitmq/README.md
+++ b/packages/apps/rabbitmq/README.md
@@ -19,10 +19,3 @@ The service utilizes official RabbitMQ operator. This ensures the reliability an
 | `size`         | Persistent Volume size                          | `10Gi`  |
 | `replicas`     | Number of RabbitMQ replicas                     | `3`     |
 | `storageClass` | StorageClass used to store the data             | `""`    |
-
-### Configuration parameters
-
-| Name     | Description                 | Value |
-| -------- | --------------------------- | ----- |
-| `users`  | Users configuration         | `{}`  |
-| `vhosts` | Virtual Hosts configuration | `{}`  |
--- a/packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml
@@ -1,22 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .Release.Name }}-dashboard-resources
-rules:
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  resourceNames:
-  - {{ .Release.Name }}-default-user
-  {{- range $name, $u := .Values.users }}
-  - {{ $.Release.Name }}-{{ kebabcase $name }}-credentials
-  {{- end }}
-  verbs: ["get", "list", "watch"]
- apiGroups:
-  - ""
-  resources:
-  - services
-  resourceNames:
-  - {{ .Release.Name }}
-  verbs: ["get", "list", "watch"]
--- a/packages/apps/rabbitmq/templates/rabbitmq.yaml
+++ b/packages/apps/rabbitmq/templates/rabbitmq.yaml
@@ -13,85 +13,7 @@ spec:
  {{- end }}

  persistence:
-    {{- with .Values.storageClass }}
+    {{- with .Values.stroageClass }}
    storageClassName: {{ . }}
    {{- end }}
    storage: {{ .Values.size }}
-
-{{- range $user, $u := .Values.users }}
-
-{{- $password := $u.password }}
-{{- if not $password }}
-{{- with (dig "data" "password" "" (lookup "v1" "Secret" $.Release.Namespace (printf "%s-%s-credentials" $.Release.Name (kebabcase $user)))) }}
-{{- $password = b64dec . }}
-{{- end }}
-{{- end }}
-{{- if not $password }}
-{{- $password = (randAlphaNum 16) }}
-{{- end }}
-
---
-apiVersion: rabbitmq.com/v1beta1
-kind: User
-metadata:
-  name: {{ $.Release.Name }}-{{ kebabcase $user }}
-  annotations:
-    config: '{{ printf "%s %s" $user $password | sha256sum }}'
-spec:
-  importCredentialsSecret:
-    name: {{ $.Release.Name }}-{{ $user }}-credentials
-  rabbitmqClusterReference:
-    name: {{ $.Release.Name }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ $.Release.Name }}-{{ kebabcase $user }}-credentials
-type: Opaque
-stringData:
-  username: {{ $user }}
-  password: {{ $password }}
-{{- end }}
-
-{{- range $host, $h := .Values.vhosts }}
---
-apiVersion: rabbitmq.com/v1beta1
-kind: Vhost
-metadata:
-  name: {{ $.Release.Name }}-{{ kebabcase $host }}
-spec:
-  name: {{ $host }}
-  rabbitmqClusterReference:
-    name: {{ $.Release.Name }}
-{{- range $user := $h.roles.admin }}
---
-apiVersion: rabbitmq.com/v1beta1
-kind: Permission
-metadata:
-  name: {{ $.Release.Name }}-{{ kebabcase $host }}-{{ kebabcase $user }}
-spec:
-  vhost: "{{ $host }}"
-  user: "{{ $user }}"
-  permissions:
-    write: ".*"
-    configure: ".*"
-    read: ".*"
-  rabbitmqClusterReference:
-    name: {{ $.Release.Name }}
-{{- end }}
-{{- range $user := $h.roles.readonly }}
---
-apiVersion: rabbitmq.com/v1beta1
-kind: Permission
-metadata:
-  name: {{ $.Release.Name }}-{{ kebabcase $host }}-{{ kebabcase $user }}
-spec:
-  vhost: "{{ $host }}"
-  user: "{{ $user }}"
-  permissions:
-    read: ".*"
-  rabbitmqClusterReference:
-    name: {{ $.Release.Name }}
-{{- end }}
-
-{{- end }}
--- a/packages/apps/rabbitmq/values.schema.json
+++ b/packages/apps/rabbitmq/values.schema.json
@@ -21,11 +21,6 @@
            "type": "string",
            "description": "StorageClass used to store the data",
            "default": ""
-        },
-        "vhosts": {
-            "type": "object",
-            "description": "Virtual Hosts configuration",
-            "default": {}
        }
    }
 }
--- a/packages/apps/rabbitmq/values.yaml
+++ b/packages/apps/rabbitmq/values.yaml
@@ -9,33 +9,3 @@ external: false
 size: 10Gi
 replicas: 3
 storageClass: ""
-
-## @section Configuration parameters
-
-## @param users [object] Users configuration
-## Example:
-## users:
-##   user1:
-##     password: strongpassword
-##   user2:
-##     password: hackme
-##   user3:
-##     password: testtest
-##
-users: {}
-
-## @param vhosts Virtual Hosts configuration
-## Example:
-## vhosts:
-##   myapp:
-##     roles:
-##       admin:
-##       - user1
-##       - user2
-##       readonly:
-##       - user3
-##   test:
-##     roles:
-##       admin:
-##       - user3
-vhosts: {}
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -2,13 +2,10 @@ bucket 0.1.0 HEAD
 clickhouse 0.1.0 ca79f72
 clickhouse 0.2.0 7cd7de73
 clickhouse 0.2.1 5ca8823
-clickhouse 0.3.0 b00621e
-clickhouse 0.4.0 HEAD
+clickhouse 0.3.0 HEAD
 ferretdb 0.1.0 4ffa8615
 ferretdb 0.1.1 5ca8823
-ferretdb 0.2.0 adaf603
-ferretdb 0.3.0 aa2f553
-ferretdb 0.4.0 HEAD
+ferretdb 0.2.0 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 5ca8823
 http-cache 0.3.0 HEAD
@@ -28,13 +25,11 @@ kubernetes 0.7.0 ceefae03
 kubernetes 0.8.0 ac11056e
 kubernetes 0.8.1 e54608d8
 kubernetes 0.8.2 5ca8823
-kubernetes 0.9.0 9b6dd19
-kubernetes 0.10.0 HEAD
+kubernetes 0.9.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
-mysql 0.4.0 93018c4
-mysql 0.5.0 HEAD
+mysql 0.4.0 HEAD
 nats 0.1.0 5ca8823
 nats 0.2.0 HEAD
 postgres 0.1.0 f642698
@@ -43,12 +38,10 @@ postgres 0.2.1 4a97e297
 postgres 0.3.0 995dea6f
 postgres 0.4.0 ec283c33
 postgres 0.4.1 5ca8823
-postgres 0.5.0 c07c4bbd
-postgres 0.6.0 HEAD
+postgres 0.5.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 5ca8823
-rabbitmq 0.3.0 9e33dc0
-rabbitmq 0.4.0 HEAD
+rabbitmq 0.3.0 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 HEAD
@@ -66,8 +59,7 @@ tenant 1.4.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
-virtual-machine 0.3.0 b908400
-virtual-machine 0.4.0 HEAD
+virtual-machine 0.3.0 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 HEAD
--- a/packages/apps/virtual-machine/Chart.yaml
+++ b/packages/apps/virtual-machine/Chart.yaml
@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.3.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/virtual-machine/Makefile
+++ b/packages/apps/virtual-machine/Makefile
@@ -3,8 +3,7 @@ include ../../../scripts/package.mk
 generate:
 	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
 	cat values.schema.json.tmp | \
-		jq '.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' | \
-		jq '.properties.resources.properties.memory["x-display"] = "slider"' | \
-		jq '.properties.externalPorts.items.type = "integer"' \
+		jq '.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora"]' | \
+		jq '.properties.resources.properties.memory["x-display"] = "slider"' \
 		> values.schema.json
 	rm -f values.schema.json.tmp
--- a/packages/apps/virtual-machine/README.md
+++ b/packages/apps/virtual-machine/README.md
@@ -9,67 +9,51 @@ The virtual machine is managed and hosted through KubeVirt, allowing you to harn
 - Docs: [KubeVirt User Guide](https://kubevirt.io/user-guide/)
 - GitHub: [KubeVirt Repository](https://github.com/kubevirt/kubevirt)

-## Accessing virtual machine
-
-You can access the virtual machine using the virtctl tool:
- [KubeVirt User Guide - Virtctl Client Tool](https://kubevirt.io/user-guide/user_workloads/virtctl_client_tool/)
-
-To access the serial console:
-
-```
-virtctl console <vm>
-```
-
-To access the VM using VNC:
-
-```
-virtctl vnc <vm>
-```
-
-To SSH into the VM:
-
-```
-virtctl ssh <user>@<vm>
-```
-
 ## Parameters

 ### Common parameters

-| Name               | Description                                                                                                | Value            |
-| ------------------ | ---------------------------------------------------------------------------------------------------------- | ---------------- |
-| `external`         | Enable external access from outside the cluster                                                            | `false`          |
-| `externalPorts`    | Specify ports to forward from outside the cluster                                                          | `[]`             |
-| `running`          | Determines if the virtual machine should be running                                                        | `true`           |
-| `image`            | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos` | `ubuntu`         |
-| `storageClass`     | StorageClass used to store the data                                                                        | `replicated`     |
-| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                                                   | `1`              |
-| `resources.memory` | The amount of memory allocated to the virtual machine                                                      | `1024M`          |
-| `resources.disk`   | The size of the disk allocated for the virtual machine                                                     | `5Gi`            |
-| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys.                         | `[]`             |
-| `cloudInit`        | cloud-init user data config. See cloud-init documentation for more details.                                | `#cloud-config
-` |
+| Name               | Description                                                                                       | Value                               |
+| ------------------ | ------------------------------------------------------------------------------------------------- | ----------------------------------- |
+| `external`         | Enable external access from outside the cluster                                                   | `false`                             |
+| `running`          | Determines if the virtual machine should be running                                               | `true`                              |
+| `image`            | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora` | `ubuntu`                            |
+| `storageClass`     | StorageClass used to store the data                                                               | `replicated`                        |
+| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                                          | `1`                                 |
+| `resources.memory` | The amount of memory allocated to the virtual machine                                             | `1024M`                             |
+| `resources.disk`   | The size of the disk allocated for the virtual machine                                            | `5Gi`                               |
+| `sshPwauth`        | Enable password authentication for SSH. If set to `true`, users can log in using a password       | `true`                              |
+| `disableRoot`      | Disable root login via SSH. If set to `true`, root login will be disabled                         | `true`                              |
+| `password`         | The default password for the virtual machine                                                      | `hackme`                            |
+| `chpasswdExpire`   | Set whether the password should expire                                                            | `false`                             |
+| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys                 | `["ssh-rsa ...","ssh-ed25519 ..."]` |

 You can customize the exposed ports by specifying them under `service.ports` in the `values.yaml` file.

-## Example virtual machine:
+## Example `values.yaml`

 ```yaml
+external: false
 running: true
-image: fedora
-storageClass: replicated
+image: ubuntu
 resources:
  cpu: 1
  memory: 1024M
-  disk: 10Gi
+  disk: 5Gi
+sshPwauth: true
+disableRoot: true
+password: hackme
+chpasswdExpire: false
+sshKeys: 
+  - YOUR_SSH_PUB_KEY_HERE
+  - ANOTHER_SSH_PUB_KEY_HERE

-sshKeys:
- ssh-rsa ...
-
-cloudInit: |
-  #cloud-config
-  user: fedora
-  password: fedora
-  chpasswd: { expire: False }
-  ssh_pwauth: True
+service:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    - name: https
+      port: 443
+      targetPort: 443
 ```
--- a/packages/apps/virtual-machine/templates/secret.yaml
+++ b/packages/apps/virtual-machine/templates/secret.yaml
@@ -1,21 +0,0 @@
-{{- if .Values.sshKeys }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "virtual-machine.fullname" $ }}-ssh-keys
-stringData:
-  {{- range $k, $v := .Values.sshKeys }}
-  key{{ $k }}: {{ quote $v }} 
-  {{- end }}
-{{- end }}
-{{- if .Values.cloudInit }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "virtual-machine.fullname" . }}-cloud-init
-stringData:
-  userdata: |
-    {{- .Values.cloudInit | nindent 4 }}
-{{- end }}
--- a/packages/apps/virtual-machine/templates/service.yaml
+++ b/packages/apps/virtual-machine/templates/service.yaml
@@ -8,14 +8,21 @@ metadata:
    {{- include "virtual-machine.labels" . | nindent 4 }}
 spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
+  {{- if .Values.external }}
  externalTrafficPolicy: Local
  allocateLoadBalancerNodePorts: false
+  {{- end }}
  selector:
    {{- include "virtual-machine.labels" . | nindent 4 }}
  ports:
-    {{- range .Values.externalPorts }}
-    - name: port-{{ . }}
-      port: {{ . }}
-      targetPort: {{ . }}
+    - name: ssh
+      port: 22
+      targetPort: 22
+    {{- if .Values.service.ports }}
+    {{- range .Values.service.ports }}
+    - name: {{ .name }}
+      port: {{ .port }}
+      targetPort: {{ .targetPort }}
+    {{- end }}
    {{- end }}
 {{- end }}
--- a/packages/apps/virtual-machine/templates/vm.yaml
+++ b/packages/apps/virtual-machine/templates/vm.yaml
@@ -11,9 +11,8 @@ spec:
      name: {{ include "virtual-machine.fullname" . }}
    spec:
      pvc:
-        volumeMode: Block
        accessModes:
-        - ReadWriteMany
+        - ReadWriteOnce
        resources:
          requests:
            storage: {{ .Values.resources.disk | quote }}
@@ -29,9 +28,7 @@ spec:
          {{- else if eq .Values.image "fedora" }}
          url: https://download.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/Fedora-Cloud-Base-Generic.x86_64-40-1.14.qcow2
          {{- else if eq .Values.image "alpine" }}
-          url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/cloud/nocloud_alpine-3.20.2-x86_64-bios-tiny-r0.qcow2
-          {{- else if eq .Values.image "talos" }}
-          url: https://github.com/siderolabs/talos/releases/download/v1.7.6/nocloud-amd64.raw.xz
+          url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-virt-3.20.2-x86_64.iso
          {{- end }}
  template:
    metadata:
@@ -48,39 +45,34 @@ spec:
          - disk:
              bus: scsi
            name: systemdisk
-          {{- if or .Values.sshKeys .Values.cloudInit }}
          - disk:
              bus: virtio
            name: cloudinitdisk
-          {{- end }}
-          interfaces:
-          - name: default
-            bridge: {}
        machine:
          type: ""
        resources:
          requests:
            memory: {{ .Values.resources.memory | quote }}
-      {{- with .Values.sshKeys }}
-      accessCredentials:
-      - sshPublicKey:
-          source:
-            secret:
-              secretName: {{ include "virtual-machine.fullname" $ }}-ssh-keys
-          propagationMethod:
-            noCloud: {}
-      {{- end }}
      terminationGracePeriodSeconds: 30
      volumes:
-      - name: systemdisk
-        dataVolume:
+      - dataVolume:
          name: {{ include "virtual-machine.fullname" . }}
-      {{- if or .Values.sshKeys .Values.cloudInit }}
-      - name: cloudinitdisk
-        cloudInitNoCloud:
-          secretRef:
-            name: {{ include "virtual-machine.fullname" . }}-cloud-init
-      {{- end }}
-      networks:
-      - name: default
-        pod: {}
+        name: systemdisk
+      - cloudInitNoCloud:
+          userData: |-
+            #cloud-config
+            ssh_pwauth: {{ if .Values.sshPwauth | default false }}True{{ else }}False{{ end }}
+            disable_root: {{ if .Values.disableRoot | default false }}True{{ else }}False{{ end }}
+            password: {{ .Values.password }}
+            chpasswd: { expire: {{ if .Values.chpasswdExpire | default false }}True{{ else }}False{{ end }} }
+            ssh_authorized_keys:
+            {{- if .Values.sshKeys }}
+              {{- $keys := .Values.sshKeys }}
+              {{- if not (kindIs "slice" $keys) }}
+                {{- $keys = list $keys }}
+              {{- end }}
+              {{- range $keys }}
+              - {{ . }}
+              {{- end }}
+            {{- end }}
+        name: cloudinitdisk
--- a/packages/apps/virtual-machine/values.schema.json
+++ b/packages/apps/virtual-machine/values.schema.json
@@ -7,14 +7,6 @@
      "description": "Enable external access from outside the cluster",
      "default": false
    },
-    "externalPorts": {
-      "type": "array",
-      "description": "Specify ports to forward from outside the cluster",
-      "default": "[]",
-      "items": {
-        "type": "integer"
-      }
-    },
    "running": {
      "type": "boolean",
      "description": "Determines if the virtual machine should be running",
@@ -22,14 +14,13 @@
    },
    "image": {
      "type": "string",
-      "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`",
+      "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora`",
      "default": "ubuntu",
      "enum": [
        "ubuntu",
        "cirros",
        "alpine",
-        "fedora",
-        "talos"
+        "fedora"
      ]
    },
    "storageClass": {
@@ -58,18 +49,36 @@
        }
      }
    },
+    "sshPwauth": {
+      "type": "boolean",
+      "description": "Enable password authentication for SSH. If set to `true`, users can log in using a password",
+      "default": true
+    },
+    "disableRoot": {
+      "type": "boolean",
+      "description": "Disable root login via SSH. If set to `true`, root login will be disabled",
+      "default": true
+    },
+    "password": {
+      "type": "string",
+      "description": "The default password for the virtual machine",
+      "default": "hackme"
+    },
+    "chpasswdExpire": {
+      "type": "boolean",
+      "description": "Set whether the password should expire",
+      "default": false
+    },
    "sshKeys": {
      "type": "array",
-      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys.",
-      "default": "[]",
+      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys",
+      "default": [
+        "ssh-rsa ...",
+        "ssh-ed25519 ..."
+      ],
      "items": {
        "type": "string"
      }
-    },
-    "cloudInit": {
-      "type": "string",
-      "description": "cloud-init user data config. See cloud-init documentation for more details.",
-      "default": "#cloud-config\n"
    }
  }
 }
--- a/packages/apps/virtual-machine/values.yaml
+++ b/packages/apps/virtual-machine/values.yaml
@@ -1,18 +1,19 @@
 ## @section Common parameters

 ## @param external Enable external access from outside the cluster
-## @param externalPorts [array] Specify ports to forward from outside the cluster
 ## @param running Determines if the virtual machine should be running
-## @param image The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`
+## @param image The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora`
 ## @param storageClass StorageClass used to store the data
 ## @param resources.cpu The number of CPU cores allocated to the virtual machine
 ## @param resources.memory The amount of memory allocated to the virtual machine
 ## @param resources.disk The size of the disk allocated for the virtual machine
+## @param sshPwauth Enable password authentication for SSH. If set to `true`, users can log in using a password
+## @param disableRoot Disable root login via SSH. If set to `true`, root login will be disabled
+## @param password The default password for the virtual machine
+## @param chpasswdExpire Set whether the password should expire
+## @param sshKeys List of SSH public keys for authentication. Can be a single key or a list of keys

 external: false
-externalPorts:
- 22
-
 running: true
 image: ubuntu
 storageClass: replicated
@@ -20,24 +21,10 @@ resources:
  cpu: 1
  memory: 1024M
  disk: 5Gi
-
-## @param sshKeys [array] List of SSH public keys for authentication. Can be a single key or a list of keys.
-## Example:
-## sshKeys:
-##   - ssh-rsa ...
-##   - ssh-ed25519 ...
-##
-sshKeys: []
-
-## @param cloudInit cloud-init user data config. See cloud-init documentation for more details.
-## - https://cloudinit.readthedocs.io/en/latest/explanation/format.html
-## - https://cloudinit.readthedocs.io/en/latest/reference/examples.html
-## Example:
-## cloudInit: |
-##   #cloud-config
-##   password: ubuntu
-##   chpasswd: { expire: False }
-##
-cloudInit: |
-  #cloud-config
-
+sshPwauth: true
+disableRoot: true
+password: hackme
+chpasswdExpire: false
+sshKeys:
+  - ssh-rsa ...
+  - ssh-ed25519 ...
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.14.0@sha256:5a0269683feb4fff24e9044a41453dbedbc857ad450102b275e1d05aa3aec081
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.12.0@sha256:0917812850fd0359d5ba78fd819c0e4ce6d7c12eed9cd46813e7284064b71d30
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -20,11 +20,14 @@ releases:
  namespace: cozy-cilium
  privileged: true
  dependsOn: []
-  valuesFiles:
-  - values.yaml
-  - values-talos.yaml
  values:
    cilium:
+      bpf:
+        masquerade: true
+      cni:
+        chainingMode: ~
+        customConf: false
+        configMap: ""
      enableIPv4Masquerade: true
      enableIdentityMark: true
      ipv4NativeRoutingCIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -20,10 +20,6 @@ releases:
  namespace: cozy-cilium
  privileged: true
  dependsOn: []
-  valuesFiles:
-  - values.yaml
-  - values-talos.yaml
-  - values-kubeovn.yaml

 - name: kubeovn
  releaseName: kubeovn
--- a/packages/core/platform/templates/helmreleases.yaml
+++ b/packages/core/platform/templates/helmreleases.yaml
@@ -39,10 +39,6 @@ spec:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
-      {{- with $x.valuesFiles }}
-      valuesFiles:
-      {{- toYaml $x.valuesFiles | nindent 6 }}
-      {{- end }}
  {{- $values := dict }}
  {{- with $x.values }}
  {{- $values = merge . $values }}
--- a/packages/core/testing/templates/sandbox.yaml
+++ b/packages/core/testing/templates/sandbox.yaml
@@ -10,7 +10,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: cozystack-e2e-{{ .Release.Name }}
-  namespace: cozy-e2e-tests
 spec:
  replicas: 1
  selector:
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.14.0@sha256:be1693c8ce6a9522499f79b1e42b2e08c7ca80405026a095299e5e990a3ab791
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.12.0@sha256:be1693c8ce6a9522499f79b1e42b2e08c7ca80405026a095299e5e990a3ab791
--- a/packages/extra/etcd/templates/etcd-cluster.yaml
+++ b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -25,7 +25,7 @@ spec:
        resources:
          requests:
            storage: {{ .Values.size }}
-        {{- with .Values.storageClass }}
+        {{- with .Values.stroageClass }}
        storageClassName: {{ . }}
        {{- end }}
  security:
--- a/packages/extra/monitoring/templates/vm/vmalertmanager.yaml
+++ b/packages/extra/monitoring/templates/vm/vmalertmanager.yaml
@@ -27,6 +27,3 @@ metadata:
 spec:
  replicaCount: 2
  configSecret: alertmanager
-  podMetadata:
-    labels:
-      policy.cozystack.io/allow-to-apiserver: "true"
--- a/packages/extra/seaweedfs/templates/seaweedfs.yaml
+++ b/packages/extra/seaweedfs/templates/seaweedfs.yaml
@@ -34,7 +34,7 @@ spec:
        - name: data1
          type: "persistentVolumeClaim"
          size: "{{ .Values.size }}"
-          {{- with .Values.storageClass }}
+          {{- with .Values.stroageClass }}
          storageClass: {{ . }}
          {{- end }}
          maxVolumes: 0
@@ -50,7 +50,7 @@ spec:
            cert-manager.io/cluster-issuer: letsencrypt-prod
          tls:
            - hosts:
-              - {{ .Values.host | default (printf "s3.%s" $host) }}
+              - {{ .Values.host | default (printf "seaweedfs.%s" $host) }}
              secretName: {{ .Release.Name }}-s3-ingress-tls

      cosi:
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -11,7 +11,6 @@ monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
 monitoring 1.2.0 c9e0d63b
 monitoring 1.2.1 4471b4ba
-monitoring 1.3.0 6c5cf5b
-monitoring 1.4.0 HEAD
+monitoring 1.3.0 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 HEAD
--- a/packages/system/cilium/values-kubeovn.yaml
+++ b/packages/system/cilium/values-kubeovn.yaml
@@ -1,19 +0,0 @@
-cilium:
-  sctp:
-    enabled: true
-  autoDirectNodeRoutes: false
-  kubeProxyReplacement: true
-  bpf:
-    masquerade: false
-  cni:
-    chainingMode: generic-veth
-    chainingTarget: kube-ovn
-    customConf: true
-    configMap: cni-configuration
-  routingMode: native
-  enableIPv4Masquerade: false
-  enableIPv6Masquerade: false
-  enableIdentityMark: false
-  enableRuntimeDeviceDetection: true
-  forceDeviceDetection: true
-  devices: ovn0
--- a/packages/system/cilium/values-talos.yaml
+++ b/packages/system/cilium/values-talos.yaml
@@ -1,7 +0,0 @@
-cilium:
-  cgroup:
-    autoMount:
-      enabled: false
-    hostRoot: /sys/fs/cgroup
-  k8sServiceHost: localhost
-  k8sServicePort: 7445
--- a/packages/system/cilium/values.yaml
+++ b/packages/system/cilium/values.yaml
@@ -3,12 +3,35 @@ cilium:
    enabled: false
  externalIPs:
    enabled: true
-  nodePort:
-    enabled: true
+  autoDirectNodeRoutes: false
+  kubeProxyReplacement: true
+  bpf:
+    masquerade: false
+    hostLegacyRouting: false
  loadBalancer:
    algorithm: maglev
+  cgroup:
+    autoMount:
+      enabled: false
+    hostRoot: /sys/fs/cgroup
  ipam:
    mode: "kubernetes"
+  k8sServiceHost: localhost
+  k8sServicePort: 7445
+  cni:
+    chainingMode: generic-veth
+    customConf: true
+    configMap: cni-configuration
+  routingMode: native
+  enableIPv4Masquerade: false
+  enableIPv6Masquerade: false
+  enableIdentityMark: false
+  enableRuntimeDeviceDetection: true
+  forceDeviceDetection: true
+  devices: ovn0
+  extraEnv:
+    - name: CILIUM_ENFORCE_DEVICE_DETECTION
+      value: "true"
  image:
    repository: ghcr.io/aenix-io/cozystack/cilium
    tag: 1.16.1
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -33,11 +33,11 @@ kubeapps:
    image:
      registry: ghcr.io/aenix-io/cozystack
      repository: dashboard
-      tag: v0.14.0
-      digest: "sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb"
+      tag: v0.12.0
+      digest: sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb
  kubeappsapis:
    image:
      registry: ghcr.io/aenix-io/cozystack
      repository: kubeapps-apis
-      tag: v0.14.0
-      digest: "sha256:7918268647b8f4862f312df9ba42e9edfd2f703223259e2e8b9e02da1ad71cc4"
+      tag: v0.12.0
+      digest: "sha256:5eee4c2207f23a6d5317c08bbedfd71b8b22f733b834cd370f1313fb428a22d0"
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,5 +3,5 @@ kamaji:
    deploy: false
  image:
    pullPolicy: IfNotPresent
-    tag: v0.14.0@sha256:47bf03ba0f5a4c25eb53df94a1962bbd2423b1b3d027de26945b06a363eebf2e
+    tag: v0.12.0@sha256:197d7c36f76d4d9c09cc82eb87f9e36f05799a2b9158ae27e4729f2dd636ad0d
    repository: ghcr.io/aenix-io/cozystack/kamaji
--- a/packages/system/kubeovn/values.yaml
+++ b/packages/system/kubeovn/values.yaml
@@ -22,4 +22,4 @@ global:
  images:
    kubeovn:
      repository: kubeovn
-      tag: v1.13.0@sha256:5c27a22f6b0a19c9a546e838a80ef73c32b863278cc209d7393555ad8a4f744a
+      tag: v1.13.0@sha256:55b3ed5d4b628216378040e445aadc3d1cd817ff4d17eb081d884c6e00fb51e2
--- a/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml
+++ b/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml
--- a/packages/system/kubevirt-cdi/templates/cdi-cr.yaml
+++ b/packages/system/kubevirt-cdi/templates/cdi-cr.yaml
@@ -6,7 +6,6 @@ spec:
  config:
    featureGates:
    - HonorWaitForFirstConsumer
-    - ExpandDisks
  imagePullPolicy: IfNotPresent
  infra:
    nodeSelector:
--- a/packages/system/kubevirt-operator/templates/kubevirt-operator.yaml
+++ b/packages/system/kubevirt-operator/templates/kubevirt-operator.yaml
--- a/packages/system/kubevirt/templates/kubevirt-cr.yaml
+++ b/packages/system/kubevirt/templates/kubevirt-cr.yaml
@@ -10,7 +10,6 @@ spec:
    developerConfiguration:
      featureGates:
      - HotplugVolumes
-      - ExpandDisks
  customizeComponents: {}
  imagePullPolicy: IfNotPresent
  workloadUpdateStrategy: {}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.0.30
+appVersion: v0.0.28
 description: Run and operate MariaDB in a cloud native way
 home: https://github.com/mariadb-operator/mariadb-operator
 icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
@@ -10,10 +10,10 @@ keywords:
 - mariadb-operator
 - database
 - maxscale
-kubeVersion: '>=1.26.0-0'
+kubeVersion: '>= 1.16.0-0'
 maintainers:
 - email: mariadb-operator@proton.me
  name: mmontes11
 name: mariadb-operator
 type: application
-version: 0.30.0
+version: 0.28.1
--- a/packages/system/mariadb-operator/charts/mariadb-operator/README.md
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/README.md
@@ -6,13 +6,13 @@
 <img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
 </p>

-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.30.0](https://img.shields.io/badge/Version-0.30.0-informational?style=flat-square) ![AppVersion: v0.0.30](https://img.shields.io/badge/AppVersion-v0.0.30-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.28.1](https://img.shields.io/badge/Version-0.28.1-informational?style=flat-square) ![AppVersion: v0.0.28](https://img.shields.io/badge/AppVersion-v0.0.28-informational?style=flat-square)

 Run and operate MariaDB in a cloud native way

 ## Installing
 ```bash
-helm repo add mariadb-operator https://helm.mariadb.com/mariadb-operator
+helm repo add mariadb-operator https://mariadb-operator.github.io/mariadb-operator
 helm install mariadb-operator mariadb-operator/mariadb-operator
 ```

@@ -36,7 +36,7 @@ helm uninstall mariadb-operator
 | certController.ha.enabled | bool | `false` | Enable high availability |
 | certController.ha.replicas | int | `3` | Number of replicas |
 | certController.image.pullPolicy | string | `"IfNotPresent"` |  |
-| certController.image.repository | string | `"docker-registry3.mariadb.com/mariadb-operator/mariadb-operator"` |  |
+| certController.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
 | certController.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
 | certController.imagePullSecrets | list | `[]` |  |
 | certController.lookaheadValidity | string | `"2160h"` | Duration used to verify whether a certificate is valid or not. |
@@ -59,14 +59,13 @@ helm uninstall mariadb-operator
 | clusterName | string | `"cluster.local"` | Cluster DNS name |
 | extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |
 | extraEnv | list | `[]` | Extra environment variables to be passed to the controller |
-| extraEnvFrom | list | `[]` | Extra environment variables from preexiting ConfigMap / Secret objects used by the controller using envFrom |
 | extraVolumeMounts | list | `[]` | Extra volumes to mount to the container. |
 | extraVolumes | list | `[]` | Extra volumes to pass to pod. |
 | fullnameOverride | string | `""` |  |
 | ha.enabled | bool | `false` | Enable high availability |
 | ha.replicas | int | `3` | Number of replicas |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.repository | string | `"docker-registry3.mariadb.com/mariadb-operator/mariadb-operator"` |  |
+| image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
 | image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
 | imagePullSecrets | list | `[]` |  |
 | logLevel | string | `"INFO"` | Controller log level |
@@ -79,7 +78,6 @@ helm uninstall mariadb-operator
 | nodeSelector | object | `{}` | Node selectors to add to controller Pod |
 | podAnnotations | object | `{}` | Annotations to add to controller Pod |
 | podSecurityContext | object | `{}` | Security context to add to controller Pod |
-| rbac.aggregation.enabled | bool | `true` | Specifies whether the cluster roles aggrate to view and edit predefinied roles |
 | rbac.enabled | bool | `true` | Specifies whether RBAC resources should be created |
 | resources | object | `{}` | Resources to add to controller container |
 | securityContext | object | `{}` | Security context to add to controller container |
@@ -91,14 +89,12 @@ helm uninstall mariadb-operator
 | tolerations | list | `[]` | Tolerations to add to controller Pod |
 | webhook.affinity | object | `{}` | Affinity to add to controller Pod |
 | webhook.annotations | object | `{}` | Annotations for webhook configurations. |
-| webhook.cert.ca.key | string | `""` | File under 'ca.path' that contains the full CA trust chain. |
-| webhook.cert.ca.path | string | `""` | Path that contains the full CA trust chain. |
+| webhook.cert.caPath | string | `"/tmp/k8s-webhook-server/certificate-authority"` | Path where the CA certificate will be mounted. |
 | webhook.cert.certManager.duration | string | `""` | Duration to be used in the Certificate resource, |
 | webhook.cert.certManager.enabled | bool | `false` | Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead. |
 | webhook.cert.certManager.issuerRef | object | `{}` | Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used. |
 | webhook.cert.certManager.renewBefore | string | `""` | Renew before duration to be used in the Certificate resource. |
-| webhook.cert.certManager.revisionHistoryLimit | int | `3` | The maximum number of CertificateRequest revisions that are maintained in the Certificate’s history. |
-| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. 'tls.crt' and 'tls.key' certificates files should be under this path. |
+| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
 | webhook.cert.secretAnnotations | object | `{}` | Annotatioms to be added to webhook TLS secret. |
 | webhook.cert.secretLabels | object | `{}` | Labels to be added to webhook TLS secret. |
 | webhook.extrArgs | list | `[]` | Extra arguments to be passed to the webhook entrypoint |
@@ -108,7 +104,7 @@ helm uninstall mariadb-operator
 | webhook.ha.replicas | int | `3` | Number of replicas |
 | webhook.hostNetwork | bool | `false` | Expose the webhook server in the host network |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
-| webhook.image.repository | string | `"docker-registry3.mariadb.com/mariadb-operator/mariadb-operator"` |  |
+| webhook.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
 | webhook.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
 | webhook.imagePullSecrets | list | `[]` |  |
 | webhook.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
--- a/packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl
@@ -1,4 +1,4 @@
-{{ $chartRepo := "https://helm.mariadb.com/mariadb-operator" }}
+{{ $chartRepo := "https://mariadb-operator.github.io/mariadb-operator" }}
 {{ $org := "mariadb-operator" }}
 {{ $release := "mariadb-operator" }}
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
--- a/packages/system/mariadb-operator/charts/mariadb-operator/crds/crds.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/crds/crds.yaml
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/_helpers.tpl
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/_helpers.tpl
@@ -70,34 +70,6 @@ app.kubernetes.io/name: {{ include "mariadb-operator.name" . }}-webhook
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

-{{/*
-Webhook CA path to use cert-controller issued certificates
-*/}}
-{{- define "mariadb-operator-webhook.certControllerCAPath" -}}
-{{ .Values.webhook.cert.ca.path | default "/tmp/k8s-webhook-server/certificate-authority" }}
-{{- end }}
-
-{{/*
-Webhook CA full path to use cert-controller issued certificates
-*/}}
-{{- define "mariadb-operator-webhook.certControllerFullCAPath" -}}
-{{- printf "%s/%s" (include "mariadb-operator-webhook.certControllerCAPath" .) (.Values.webhook.cert.ca.key | default "tls.crt") }}
-{{- end }}
-
-{{/*
-Webhook CA path to use cert-manager issued certificates
-*/}}
-{{- define "mariadb-operator-webhook.certManagerCAPath" -}}
-{{ .Values.webhook.cert.ca.path | default .Values.webhook.cert.path }}
-{{- end }}
-
-{{/*
-Webhook CA full path to use cert-manager issued certificates
-*/}}
-{{- define "mariadb-operator-webhook.certManagerFullCAPath" -}}
-{{- printf "%s/%s" (include "mariadb-operator-webhook.certManagerCAPath" .) (.Values.webhook.cert.ca.key | default "ca.crt") }}
-{{- end }}
-
 {{/*
 Cert-controller common labels
 */}}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml
@@ -1,12 +1,13 @@
 apiVersion: v1
 data:
-  MARIADB_ENTRYPOINT_VERSION: "11.4"
+  MARIADB_GALERA_AGENT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
+  MARIADB_GALERA_INIT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
  MARIADB_GALERA_LIB_PATH: /usr/lib/galera/libgalera_smm.so
-  MARIADB_OPERATOR_IMAGE: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator:v0.0.30
+  MARIADB_OPERATOR_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
  RELATED_IMAGE_EXPORTER: prom/mysqld-exporter:v0.15.1
-  RELATED_IMAGE_EXPORTER_MAXSCALE: docker-registry2.mariadb.com/mariadb/maxscale-prometheus-exporter-ubi:v0.0.1
-  RELATED_IMAGE_MARIADB: docker-registry1.mariadb.com/library/mariadb:11.4.3
-  RELATED_IMAGE_MAXSCALE: docker-registry2.mariadb.com/mariadb/maxscale:23.08.5
+  RELATED_IMAGE_EXPORTER_MAXSCALE: mariadb/maxscale-prometheus-exporter-ubi:latest
+  RELATED_IMAGE_MARIADB: mariadb:10.11.7
+  RELATED_IMAGE_MAXSCALE: mariadb/maxscale:23.08
 kind: ConfigMap
 metadata:
  creationTimestamp: null
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/deployment.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/deployment.yaml
@@ -63,9 +63,6 @@ spec:
          envFrom:
            - configMapRef:
                name: mariadb-operator-env
-            {{- with .Values.extraEnvFrom }}
-            {{- toYaml . | nindent 12 }}
-            {{- end }}
          env:
            - name: CLUSTER_NAME
              value: {{ .Values.clusterName }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac-user.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac-user.yaml
@@ -1,30 +0,0 @@
-{{- if .Values.rbac.enabled -}}
-{{ $fullName := include "mariadb-operator.fullname" . }}
-# the mariadb-view ClusterRole allows viewing all k8s.mariadb.com resources
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ $fullName }}-view
-  {{- if .Values.rbac.aggregation.enabled }}
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-  {{- end }}
-rules:
- apiGroups: ["k8s.mariadb.com"]
-  resources: ["*"]
-  verbs: ["get", "list", "watch"]
---
-# the mariadb-edit ClusterRole allows editing k8s.mariadb.com resources
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ $fullName }}-edit
-  {{- if .Values.rbac.aggregation.enabled }}
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-  {{- end }}
-rules:
- apiGroups: ["k8s.mariadb.com"]
-  resources: ["*"]
-  verbs: ["create", "update", "patch", "delete"]
-{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml
@@ -57,6 +57,15 @@ rules:
  - ""
  resources:
  - endpoints
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
  - endpoints/restricted
  verbs:
  - create
@@ -68,9 +77,6 @@ rules:
  - ""
  resources:
  - events
-  - secrets
-  - serviceaccounts
-  - services
  verbs:
  - create
  - list
@@ -98,9 +104,30 @@ rules:
 - apiGroups:
  - ""
  resources:
-  - pods/log
+  - secrets
  verbs:
-  - get
+  - create
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
 - apiGroups:
  - apps
  resources:
@@ -156,14 +183,6 @@ rules:
  - k8s.mariadb.com
  resources:
  - backups
-  - connections
-  - databases
-  - grants
-  - mariadbs
-  - maxscales
-  - restores
-  - sqljobs
-  - users
  verbs:
  - create
  - delete
@@ -176,28 +195,12 @@ rules:
  - k8s.mariadb.com
  resources:
  - backups/finalizers
-  - connections/finalizers
-  - databases/finalizers
-  - grants/finalizers
-  - mariadbs/finalizers
-  - maxscales/finalizers
-  - restores/finalizers
-  - sqljobs/finalizers
-  - users/finalizers
  verbs:
  - update
 - apiGroups:
  - k8s.mariadb.com
  resources:
  - backups/status
-  - connections/status
-  - databases/status
-  - grants/status
-  - mariadbs/status
-  - maxscales/status
-  - restores/status
-  - sqljobs/status
-  - users/status
  verbs:
  - get
  - patch
@@ -205,12 +208,235 @@ rules:
 - apiGroups:
  - k8s.mariadb.com
  resources:
+  - connections
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - connections
+  - grants
  - maxscale
+  - restores
+  - users
  verbs:
  - create
  - list
  - patch
  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - connections
+  - grants
+  - users
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - connections/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - connections/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - databases
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - databases/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - databases/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - grants
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - grants/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - grants/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - mariadbs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - mariadbs/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - mariadbs/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - maxscales
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - maxscales/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - maxscales/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - restores
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - restores/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - restores/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - sqljobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - sqljobs/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - sqljobs/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - users
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - users/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - users/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
  - monitoring.coreos.com
  resources:
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-certificate.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-certificate.yaml
@@ -36,11 +36,7 @@ spec:
  {{- with .Values.webhook.cert.certManager.renewBefore }}
  renewBefore: {{ . | quote }}
  {{- end }}
-  {{- with .Values.webhook.cert.certManager.revisionHistoryLimit }}
-  revisionHistoryLimit: {{ . }}
-  {{- end }}
  secretName: {{ include "mariadb-operator.fullname" . }}-webhook-cert
-  {{- if or (.Values.webhook.cert.secretLabels) (.Values.webhook.cert.secretAnnotations) }}
  secretTemplate:
    {{- with .Values.webhook.cert.secretLabels }}
    labels:
@@ -48,7 +44,6 @@ spec:
    {{- end }}
    {{- with .Values.webhook.cert.secretAnnotations }}
    annotations:
-      {{- toYaml . | nindent 6 }}
+      {{- toYaml . | nindent 4 }}
    {{- end }}
-  {{- end }}
 {{ end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-deployment.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-deployment.yaml
@@ -51,9 +51,9 @@ spec:
          args:
            - webhook
            {{- if .Values.webhook.cert.certManager.enabled }}
-            - --ca-cert-path={{ include "mariadb-operator-webhook.certManagerFullCAPath" . }}
+            - --ca-cert-path={{ .Values.webhook.cert.path }}/ca.crt
            {{- else }}
-            - --ca-cert-path={{ include "mariadb-operator-webhook.certControllerFullCAPath" . }}
+            - --ca-cert-path={{ .Values.webhook.cert.caPath }}/tls.crt
            {{- end }}
            - --cert-dir={{ .Values.webhook.cert.path }}
            - --dns-name={{ $fullName }}-webhook.{{ .Release.Namespace }}.svc
@@ -76,7 +76,7 @@ spec:
              name: health
          volumeMounts:
            {{- if not .Values.webhook.cert.certManager.enabled }}
-            - mountPath: {{ include "mariadb-operator-webhook.certControllerCAPath" . }}
+            - mountPath: {{ .Values.webhook.cert.caPath }}
              name: ca
              readOnly: true
            {{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/values.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/values.yaml
@@ -2,7 +2,7 @@ nameOverride: ""
 fullnameOverride: ""

 image:
-  repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
+  repository: ghcr.io/mariadb-operator/mariadb-operator
  pullPolicy: IfNotPresent
  # -- Image tag to use. By default the chart appVersion is used
  tag: ""
@@ -51,20 +51,12 @@ rbac:
  # -- Specifies whether RBAC resources should be created
  enabled: true

-  aggregation:
-
-    # -- Specifies whether the cluster roles aggrate to view and edit predefinied roles
-    enabled: true
-
 # -- Extra arguments to be passed to the controller entrypoint
 extrArgs: []

 # -- Extra environment variables to be passed to the controller
 extraEnv: []

-# -- Extra environment variables from preexiting ConfigMap / Secret objects used by the controller using envFrom
-extraEnvFrom: []
-
 # -- Extra volumes to pass to pod.
 extraVolumes: []

@@ -97,7 +89,7 @@ affinity: {}

 webhook:
  image:
-    repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
+    repository: ghcr.io/mariadb-operator/mariadb-operator
    pullPolicy: IfNotPresent
    # -- Image tag to use. By default the chart appVersion is used
    tag: ""
@@ -113,22 +105,17 @@ webhook:
      enabled: false
      # -- Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used.
      issuerRef: {}
-      # -- Duration to be used in the Certificate resource,
+       # -- Duration to be used in the Certificate resource,
      duration: ""
-      # -- Renew before duration to be used in the Certificate resource.
+       # -- Renew before duration to be used in the Certificate resource.
      renewBefore: ""
-      # -- The maximum number of CertificateRequest revisions that are maintained in the Certificate’s history.
-      revisionHistoryLimit: 3
    # -- Annotatioms to be added to webhook TLS secret.
    secretAnnotations: {}
    # -- Labels to be added to webhook TLS secret.
    secretLabels: {}
-    ca:
-      # -- Path that contains the full CA trust chain.
-      path: ""
-      # -- File under 'ca.path' that contains the full CA trust chain.
-      key: ""
-    # -- Path where the certificate will be mounted. 'tls.crt' and 'tls.key' certificates files should be under this path.
+    # -- Path where the CA certificate will be mounted.
+    caPath: /tmp/k8s-webhook-server/certificate-authority
+    # -- Path where the certificate will be mounted.
    path: /tmp/k8s-webhook-server/serving-certs
  # -- Port to be used by the webhook server
  port: 9443
@@ -186,7 +173,7 @@ certController:
  # -- Specifies whether the cert-controller should be created.
  enabled: true
  image:
-    repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
+    repository: ghcr.io/mariadb-operator/mariadb-operator
    pullPolicy: IfNotPresent
    # -- Image tag to use. By default the chart appVersion is used
    tag: ""
--- a/packages/system/mariadb-operator/values.yaml
+++ b/packages/system/mariadb-operator/values.yaml
@@ -1,5 +1,4 @@
 mariadb-operator:
-  clusterName: cozy.local
  metrics:
    enabled: true
  webhook:
--- a/packages/system/postgres-operator/Makefile
+++ b/packages/system/postgres-operator/Makefile
@@ -8,4 +8,3 @@ update:
 	helm repo add cnpg https://cloudnative-pg.github.io/charts
 	helm repo update cnpg
 	helm pull cnpg/cloudnative-pg --untar --untardir charts
-	rm -rf charts/cloudnative-pg/charts
--- a/packages/system/postgres-operator/charts/cloudnative-pg/Chart.lock
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/Chart.lock
@@ -1,6 +0,0 @@
-dependencies:
- name: cluster
-  repository: https://cloudnative-pg.github.io/grafana-dashboards
-  version: 0.0.2
-digest: sha256:fcf16ad357c17be3dd79c138723e78e9e101fecc5d07d9371299c32b9f85dbd9
-generated: "2024-04-25T12:32:36.61779032-04:00"
--- a/packages/system/postgres-operator/charts/cloudnative-pg/Chart.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/Chart.yaml
@@ -1,11 +1,5 @@
 apiVersion: v2
-appVersion: 1.24.0
-dependencies:
- alias: monitoring
-  condition: monitoring.grafanaDashboard.create
-  name: cluster
-  repository: https://cloudnative-pg.github.io/grafana-dashboards
-  version: "0.0"
+appVersion: 1.22.2
 description: CloudNativePG Operator Helm Chart
 home: https://cloudnative-pg.io
 icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
@@ -22,4 +16,4 @@ name: cloudnative-pg
 sources:
 - https://github.com/cloudnative-pg/charts
 type: application
-version: 0.22.0
+version: 0.20.2
--- a/packages/system/postgres-operator/charts/cloudnative-pg/README.md
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/README.md
--- a/packages/system/postgres-operator/charts/cloudnative-pg/monitoring/grafana-dashboard.json
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/monitoring/grafana-dashboard.json
--- a/packages/system/postgres-operator/charts/cloudnative-pg/templates/crds/crds.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/templates/crds/crds.yaml
--- a/packages/system/postgres-operator/charts/cloudnative-pg/templates/deployment.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/templates/deployment.yaml
@@ -46,12 +46,6 @@ spec:
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- if .Values.hostNetwork }}
-      hostNetwork: {{ .Values.hostNetwork }}
-      {{- end }}
-      {{- if .Values.dnsPolicy }}
-      dnsPolicy: {{ .Values.dnsPolicy }}
-      {{- end }}
      containers:
      - args:
        - controller
@@ -78,9 +72,6 @@ spec:
              fieldPath: metadata.namespace
        - name: MONITORING_QUERIES_CONFIGMAP
          value: "{{ .Values.monitoringQueriesConfigMap.name }}"
-        {{- if .Values.additionalEnv }}
-        {{- tpl (.Values.additionalEnv | toYaml) . | nindent 8 }}
-        {{- end }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        livenessProbe:
--- a/packages/system/postgres-operator/charts/cloudnative-pg/templates/grafana-dashboard.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/templates/grafana-dashboard.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.monitoring.grafanaDashboard.create -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.monitoring.grafanaDashboard.configMapName }}
+  namespace: {{ default .Release.Namespace .Values.monitoring.grafanaDashboard.namespace }}
+  labels:
+    {{ .Values.monitoring.grafanaDashboard.sidecarLabel }}: {{ .Values.monitoring.grafanaDashboard.sidecarLabelValue | quote }}
+data:
+    cnp.json: |-
+{{ .Files.Get "monitoring/grafana-dashboard.json" | indent 6 }}
+{{- end -}}
--- a/packages/system/postgres-operator/charts/cloudnative-pg/templates/podmonitor.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/templates/podmonitor.yaml
@@ -5,9 +5,6 @@ metadata:
  name: {{ include "cloudnative-pg.fullname" . }}
  labels:
    {{- include "cloudnative-pg.labels" . | nindent 4 }}
-    {{- with .Values.monitoring.podMonitorAdditionalLabels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end}}
  {{- with .Values.commonAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
@@ -18,12 +15,4 @@ spec:
      {{- include "cloudnative-pg.selectorLabels" . | nindent 6 }}
  podMetricsEndpoints:
    - port: metrics
-      {{- with .Values.monitoring.podMonitorMetricRelabelings }}
-      metricRelabelings:
-      {{- toYaml . | nindent 6 }}
-      {{- end }}
-      {{- with .Values.monitoring.podMonitorRelabelings }}
-      relabelings:
-      {{- toYaml . | nindent 6 }}
-      {{- end }}
-{{- end }}
+{{- end }}
--- a/packages/system/postgres-operator/charts/cloudnative-pg/templates/rbac.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/templates/rbac.yaml
@@ -67,6 +67,14 @@ rules:
  verbs:
  - create
  - patch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
  - ""
  resources:
@@ -163,14 +171,26 @@ rules:
  - mutatingwebhookconfigurations
  verbs:
  - get
+  - list
  - patch
+  - update
 - apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
+  - list
  - patch
+  - update
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - update
 - apiGroups:
  - apps
  resources:
@@ -245,14 +265,6 @@ rules:
  - get
  - patch
  - update
- apiGroups:
-  - postgresql.cnpg.io
-  resources:
-  - clusterimagecatalogs
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
  - postgresql.cnpg.io
  resources:
@@ -280,14 +292,6 @@ rules:
  - patch
  - update
  - watch
- apiGroups:
-  - postgresql.cnpg.io
-  resources:
-  - imagecatalogs
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
  - postgresql.cnpg.io
  resources:
--- a/packages/system/postgres-operator/charts/cloudnative-pg/values.schema.json
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/values.schema.json
@@ -5,9 +5,6 @@
        "additionalArgs": {
            "type": "array"
        },
-        "additionalEnv": {
-            "type": "array"
-        },
        "affinity": {
            "type": "object"
        },
@@ -75,15 +72,9 @@
                }
            }
        },
-        "dnsPolicy": {
-            "type": "string"
-        },
        "fullnameOverride": {
            "type": "string"
        },
-        "hostNetwork": {
-            "type": "boolean"
-        },
        "image": {
            "type": "object",
            "properties": {
@@ -107,18 +98,12 @@
                "grafanaDashboard": {
                    "type": "object",
                    "properties": {
-                        "annotations": {
-                            "type": "object"
-                        },
                        "configMapName": {
                            "type": "string"
                        },
                        "create": {
                            "type": "boolean"
                        },
-                        "labels": {
-                            "type": "object"
-                        },
                        "namespace": {
                            "type": "string"
                        },
@@ -130,17 +115,8 @@
                        }
                    }
                },
-                "podMonitorAdditionalLabels": {
-                    "type": "object"
-                },
                "podMonitorEnabled": {
                    "type": "boolean"
-                },
-                "podMonitorMetricRelabelings": {
-                    "type": "array"
-                },
-                "podMonitorRelabelings": {
-                    "type": "array"
                }
            }
        },
--- a/packages/system/postgres-operator/charts/cloudnative-pg/values.yaml
+++ b/packages/system/postgres-operator/charts/cloudnative-pg/values.yaml
@@ -29,9 +29,6 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""

-hostNetwork: false
-dnsPolicy: ""
-
 crds:
  # -- Specifies whether the CRDs should be created when installing the chart.
  create: true
@@ -69,14 +66,6 @@ config:
 # -- Additinal arguments to be added to the operator's args list.
 additionalArgs: []

-# -- Array containing extra environment variables which can be templated.
-# For example:
-#  - name: RELEASE_NAME
-#    value: "{{ .Release.Name }}"
-#  - name: MY_VAR
-#    value: "mySpecialKey"
-additionalEnv: []
-
 serviceAccount:
  # -- Specifies whether the service account should be created.
  create: true
@@ -148,30 +137,18 @@ tolerations: []
 affinity: {}

 monitoring:
-
  # -- Specifies whether the monitoring should be enabled. Requires Prometheus Operator CRDs.
  podMonitorEnabled: false
-  # -- Metrics relabel configurations to apply to samples before ingestion.
-  podMonitorMetricRelabelings: []
-  # -- Relabel configurations to apply to samples before scraping.
-  podMonitorRelabelings: []
-  # -- Additional labels for the podMonitor
-  podMonitorAdditionalLabels: {}
-
  grafanaDashboard:
    create: false
    # -- Allows overriding the namespace where the ConfigMap will be created, defaulting to the same one as the Release.
    namespace: ""
    # -- The name of the ConfigMap containing the dashboard.
    configMapName: "cnpg-grafana-dashboard"
-    # -- Label that ConfigMaps should have to be loaded as dashboards.  DEPRECATED: Use labels instead.
+    # -- Label that ConfigMaps should have to be loaded as dashboards.
    sidecarLabel: "grafana_dashboard"
-    # -- Label value that ConfigMaps should have to be loaded as dashboards.  DEPRECATED: Use labels instead.
+    # -- Label value that ConfigMaps should have to be loaded as dashboards.
    sidecarLabelValue: "1"
-    # -- Labels that ConfigMaps should have to get configured in Grafana.
-    labels: {}
-    # -- Annotations that ConfigMaps can have to get configured in Grafana.
-    annotations: {}

 # Default monitoring queries
 monitoringQueriesConfigMap:
@@ -255,7 +232,6 @@ monitoringQueriesConfigMap:
          , pg_catalog.age(datfrozenxid) AS xid_age
          , pg_catalog.mxid_age(datminmxid) AS mxid_age
        FROM pg_catalog.pg_database
-        WHERE datallowconn
      metrics:
        - datname:
            usage: "LABEL"
@@ -375,7 +351,6 @@ monitoringQueriesConfigMap:
            description: "Time at which these statistics were last reset"

    pg_stat_bgwriter:
-      runonserver: "<17.0.0"
      query: |
        SELECT checkpoints_timed
          , checkpoints_req
@@ -420,71 +395,6 @@ monitoringQueriesConfigMap:
            usage: "COUNTER"
            description: "Number of buffers allocated"

-    pg_stat_bgwriter_17:
-      runonserver: ">=17.0.0"
-      name: pg_stat_bgwriter
-      query: |
-        SELECT buffers_clean
-          , maxwritten_clean
-          , buffers_alloc
-          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
-        FROM pg_catalog.pg_stat_bgwriter
-      metrics:
-        - buffers_clean:
-            usage: "COUNTER"
-            description: "Number of buffers written by the background writer"
-        - maxwritten_clean:
-            usage: "COUNTER"
-            description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers"
-        - buffers_alloc:
-            usage: "COUNTER"
-            description: "Number of buffers allocated"
-        - stats_reset_time:
-            usage: "GAUGE"
-            description: "Time at which these statistics were last reset"
-
-    pg_stat_checkpointer:
-      runonserver: ">=17.0.0"
-      query: |
-        SELECT num_timed AS checkpoints_timed
-          , num_requested AS checkpoints_req
-          , restartpoints_timed
-          , restartpoints_req
-          , restartpoints_done
-          , write_time
-          , sync_time
-          , buffers_written
-          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
-        FROM pg_catalog.pg_stat_checkpointer
-      metrics:
-        - checkpoints_timed:
-            usage: "COUNTER"
-            description: "Number of scheduled checkpoints that have been performed"
-        - checkpoints_req:
-            usage: "COUNTER"
-            description: "Number of requested checkpoints that have been performed"
-        - restartpoints_timed:
-            usage: "COUNTER"
-            description: "Number of scheduled restartpoints due to timeout or after a failed attempt to perform it"
-        - restartpoints_req:
-            usage: "COUNTER"
-            description: "Number of requested restartpoints that have been performed"
-        - restartpoints_done:
-            usage: "COUNTER"
-            description: "Number of restartpoints that have been performed"
-        - write_time:
-            usage: "COUNTER"
-            description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are written to disk, in milliseconds"
-        - sync_time:
-            usage: "COUNTER"
-            description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are synchronized to disk, in milliseconds"
-        - buffers_written:
-            usage: "COUNTER"
-            description: "Number of buffers written during checkpoints and restartpoints"
-        - stats_reset_time:
-            usage: "GAUGE"
-            description: "Time at which these statistics were last reset"
-
    pg_stat_database:
      query: |
        SELECT datname
--- a/packages/system/rabbitmq-operator/Makefile
+++ b/packages/system/rabbitmq-operator/Makefile
@@ -8,6 +8,3 @@ update:
 	wget -O templates/cluster-operator.yml https://github.com/rabbitmq/cluster-operator/releases/latest/download/cluster-operator.yml
 	yq -i 'del(select(.kind=="Namespace"))' templates/cluster-operator.yml
 	sed -i 's/rabbitmq-system/$(NAMESPACE)/g' templates/cluster-operator.yml
-	wget -O templates/messaging-topology-operator.yml https://github.com/rabbitmq/messaging-topology-operator/releases/latest/download/messaging-topology-operator-with-certmanager.yaml
-	yq -i 'del(select(.kind=="Namespace"))' templates/messaging-topology-operator.yml
-	sed -i 's/rabbitmq-system/$(NAMESPACE)/g' templates/messaging-topology-operator.yml
--- a/packages/system/rabbitmq-operator/templates/cluster-operator.yml
+++ b/packages/system/rabbitmq-operator/templates/cluster-operator.yml
--- a/packages/system/rabbitmq-operator/templates/messaging-topology-operator.yml
+++ b/packages/system/rabbitmq-operator/templates/messaging-topology-operator.yml
--- a/scripts/package.mk
+++ b/scripts/package.mk
@@ -1,21 +1,20 @@
 .DEFAULT_GOAL=help
 .PHONY=help show diff apply delete update image
-.VALUES_FILES=$(shell kubectl get hr -n $(NAMESPACE) $(NAME) -o go-template='{{ range .spec.chart.spec.valuesFiles}}-f {{ . }} {{ end }}-f -')

 help: ## Show this help.
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)

 show: check ## Show output of rendered templates
 	kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | NAMESPACE=$(NAMESPACE) NAME=$(NAME) \
-		helm template --dry-run=server --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . $(.VALUES_FILES)
+		helm template --dry-run=server --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . -f -

 apply: check suspend ## Apply Helm release to a Kubernetes cluster
 	kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | NAMESPACE=$(NAMESPACE) NAME=$(NAME) \
-		helm upgrade -i --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . $(.VALUES_FILES)
+		helm upgrade -i --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . -f -

 diff: check ## Diff Helm release against objects in a Kubernetes cluster
 	kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | NAMESPACE=$(NAMESPACE) NAME=$(NAME) \
-		helm diff upgrade --show-secrets --allow-unreleased --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . $(.VALUES_FILES)
+		helm diff upgrade --show-secrets --allow-unreleased --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . -f -

 suspend: check ## Suspend reconciliation for an existing Helm release
 	kubectl patch hr -n $(NAMESPACE) $(NAME) -p '{"spec": {"suspend": true}}' --type=merge --field-manager=flux-client-side-apply