Release v0.38.1 (#1668 )

This PR prepares the release `v0.38.1`.
Prepare release v0.38.1
2026-03-05 06:28:55 +00:00 · 2025-11-27 15:53:07 +01:00 · 2025-11-27 13:48:02 +00:00 · 2025-11-27 14:39:50 +01:00 · 2025-11-27 14:37:00 +01:00 · 2025-11-27 14:35:07 +01:00
84 changed files with 4331 additions and 820 deletions
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -33,6 +33,9 @@ jobs:
          fetch-depth: 0
          fetch-tags: true

+      - name: Run unit tests
+        run: make unit-tests
+
      - name: Set up Docker config
        run: |
          if [ -d ~/.docker ]; then
--- a/7
+++ b/7
@@ -1,4 +1,4 @@
-.PHONY: manifests repos assets
+.PHONY: manifests repos assets unit-tests helm-unit-tests

 build-deps:
 	@command -V find docker skopeo jq gh helm > /dev/null
@@ -46,6 +46,11 @@ test:
 	make -C packages/core/testing apply
 	make -C packages/core/testing test

+unit-tests: helm-unit-tests
+
+helm-unit-tests:
+	hack/helm-unit-tests.sh
+
 prepare-env:
 	make -C packages/core/testing apply
 	make -C packages/core/testing prepare-cluster
--- a/hack/e2e-apps/run-kubernetes.sh
+++ b/hack/e2e-apps/run-kubernetes.sh
@@ -80,58 +80,41 @@ EOF
  # Wait for the machine deployment to scale to 2 replicas (timeout after 1 minute)
  kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
  # Get the admin kubeconfig and save it to a file
-  kubectl get secret kubernetes-${test_name}-admin-kubeconfig -ojsonpath='{.data.super-admin\.conf}' -n tenant-test | base64 -d > tenantkubeconfig
+  kubectl get secret kubernetes-${test_name}-admin-kubeconfig -ojsonpath='{.data.super-admin\.conf}' -n tenant-test | base64 -d > tenantkubeconfig-${test_name}

  # Update the kubeconfig to use localhost for the API server
-  yq -i ".clusters[0].cluster.server = \"https://localhost:${port}\"" tenantkubeconfig
+  yq -i ".clusters[0].cluster.server = \"https://localhost:${port}\"" tenantkubeconfig-${test_name}


  # Set up port forwarding to the Kubernetes API server for a 200 second timeout
  bash -c 'timeout 300s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
  # Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
-  timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
+  timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'

  # Wait for the nodes to be ready (timeout after 2 minutes)
  timeout 3m bash -c '
-    until [ "$(kubectl --kubeconfig tenantkubeconfig get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -eq 2 ]; do
+    until [ "$(kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -eq 2 ]; do
      sleep 2
    done
  '
  # Verify the nodes are ready
-  kubectl --kubeconfig tenantkubeconfig wait node --all --timeout=2m --for=condition=Ready
-  kubectl --kubeconfig tenantkubeconfig get nodes -o wide
+  kubectl --kubeconfig tenantkubeconfig-${test_name} wait node --all --timeout=2m --for=condition=Ready
+  kubectl --kubeconfig tenantkubeconfig-${test_name} get nodes -o wide

  # Verify the kubelet version matches what we expect
-  versions=$(kubectl --kubeconfig tenantkubeconfig get nodes -o jsonpath='{.items[*].status.nodeInfo.kubeletVersion}')
+  versions=$(kubectl --kubeconfig "tenantkubeconfig-${test_name}" \
+    get nodes -o jsonpath='{.items[*].status.nodeInfo.kubeletVersion}')
+  
  node_ok=true
-
-  case "$k8s_version" in
-    v1.32*)
-      echo "⚠️  TODO: Temporary stub — allowing nodes with v1.33 while k8s_version is v1.32"
-      ;;
-  esac
-
+  
  for v in $versions; do
-    case "$k8s_version" in
-      v1.32|v1.32.*)
-        case "$v" in
-          v1.32 | v1.32.* | v1.32-* | v1.33 | v1.33.* | v1.33-*)
-            ;;
-          *)
-            node_ok=false
-            break
-            ;;
-        esac
+    case "$v" in
+      "${k8s_version}" | "${k8s_version}".* | "${k8s_version}"-*)
+        # acceptable
        ;;
      *)
-        case "$v" in
-          "${k8s_version}" | "${k8s_version}".* | "${k8s_version}"-*)
-            ;;
-          *)
-            node_ok=false
-            break
-            ;;
-        esac
+        node_ok=false
+        break
        ;;
    esac
  done
--- a/hack/e2e-test-openapi.bats
+++ b/hack/e2e-test-openapi.bats
@@ -19,3 +19,26 @@
    curl -sS --fail 'http://localhost:21234/openapi/v2?timeout=32s' -H 'Accept: application/com.github.proto-openapi.spec.v2@v1.0+protobuf' > /dev/null
  )
 }
+
+@test "Test kinds" {
+  val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/tenants | jq -r '.kind')
+  if [ "$val" != "TenantList" ]; then
+    echo "Expected kind to be TenantList, got $val"
+    exit 1
+  fi
+  val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/tenants | jq -r '.items[0].kind')
+  if [ "$val" != "Tenant" ]; then
+    echo "Expected kind to be Tenant, got $val"
+    exit 1
+  fi
+  val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/ingresses | jq -r '.kind')
+  if [ "$val" != "IngressList" ]; then
+    echo "Expected kind to be IngressList, got $val"
+    exit 1
+  fi
+  val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/ingresses | jq -r '.items[0].kind')
+  if [ "$val" != "Ingress" ]; then
+    echo "Expected kind to be Ingress, got $val"
+    exit 1
+  fi
+}
--- a/hack/helm-unit-tests.sh
+++ b/hack/helm-unit-tests.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+set -eu
+
+# Script to run unit tests for all Helm charts.
+# It iterates through directories in packages/apps, packages/extra,
+# packages/system, and packages/library and runs the 'test' Makefile
+# target if it exists.
+
+FAILED_DIRS_FILE="$(mktemp)"
+trap 'rm -f "$FAILED_DIRS_FILE"' EXIT
+
+tests_found=0
+
+check_and_run_test() {
+    dir="$1"
+    makefile="$dir/Makefile"
+
+    if [ ! -f "$makefile" ]; then
+        return 0
+    fi
+
+    if make -C "$dir" -n test >/dev/null 2>&1; then
+        echo "Running tests in $dir"
+        tests_found=$((tests_found + 1))
+        if ! make -C "$dir" test; then
+            printf '%s\n' "$dir" >> "$FAILED_DIRS_FILE"
+            return 1
+        fi
+    fi
+
+    return 0
+}
+
+for package_dir in packages/apps packages/extra packages/system packages/library; do
+    if [ ! -d "$package_dir" ]; then
+        echo "Warning: Directory $package_dir does not exist, skipping..." >&2
+        continue
+    fi
+
+    for dir in "$package_dir"/*; do
+        [ -d "$dir" ] || continue
+        check_and_run_test "$dir" || true
+    done
+done
+
+if [ "$tests_found" -eq 0 ]; then
+    echo "No directories with 'test' Makefile targets found."
+    exit 0
+fi
+
+if [ -s "$FAILED_DIRS_FILE" ]; then
+    echo "ERROR: Tests failed in the following directories:" >&2
+    while IFS= read -r dir; do
+        echo "  - $dir" >&2
+    done < "$FAILED_DIRS_FILE"
+    exit 1
+fi
+
+echo "All Helm unit tests passed."
--- a/internal/controller/dashboard/factory.go
+++ b/internal/controller/dashboard/factory.go
@@ -44,6 +44,9 @@ func (m *Manager) ensureFactory(ctx context.Context, crd *cozyv1alpha1.Cozystack
 	if flags.Secrets {
 		tabs = append(tabs, secretsTab(kind))
 	}
+	if prefix, ok := vncTabPrefix(kind); ok {
+		tabs = append(tabs, vncTab(prefix))
+	}
 	tabs = append(tabs, yamlTab(plural))

 	// Use unified factory creation
@@ -150,6 +153,27 @@ func detailsTab(kind, endpoint, schemaJSON string, keysOrder [][]string) map[str
 		}),
 		paramsList,
 	}
+	if kind == "VirtualPrivateCloud" {
+		rightColStack = append(rightColStack,
+			antdFlexVertical("vpc-subnets-block", 4, []any{
+				antdText("vpc-subnets-label", true, "Subnets", nil),
+				map[string]any{
+					"type": "EnrichedTable",
+					"data": map[string]any{
+						"id":                   "vpc-subnets-table",
+						"baseprefix":           "/openapi-ui",
+						"clusterNamePartOfUrl": "{2}",
+						"customizationId":      "virtualprivatecloud-subnets",
+						"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/configmaps",
+						"fieldSelector": map[string]any{
+							"metadata.name": "virtualprivatecloud-{6}-subnets",
+						},
+						"pathToItems": []any{"items"},
+					},
+				},
+			}),
+		)
+	}

 	return map[string]any{
 		"key":   "details",
@@ -331,6 +355,36 @@ func yamlTab(plural string) map[string]any {
 	}
 }

+func vncTabPrefix(kind string) (string, bool) {
+	switch kind {
+	case "VirtualMachine":
+		return "virtual-machine", true
+	case "VMInstance":
+		return "vm-instance", true
+	default:
+		return "", false
+	}
+}
+
+func vncTab(prefix string) map[string]any {
+	return map[string]any{
+		"key":   "vnc",
+		"label": "VNC",
+		"children": []any{
+			map[string]any{
+				"type": "VMVNC",
+				"data": map[string]any{
+					"id":              "vm-vnc",
+					"cluster":         "{2}",
+					"namespace":       "{reqsJsonPath[0]['.metadata.namespace']['-']}",
+					"substractHeight": float64(400),
+					"vmName":          fmt.Sprintf("%s-{reqsJsonPath[0]['.metadata.name']['-']}", prefix),
+				},
+			},
+		},
+	}
+}
+
 // ---------------- OpenAPI → Right column ----------------

 func buildOpenAPIParamsBlocks(schemaJSON string, keysOrder [][]string) []any {
--- a/internal/controller/dashboard/static_refactored.go
+++ b/internal/controller/dashboard/static_refactored.go
@@ -182,6 +182,13 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),

+		// Virtual private cloud subnets
+		createCustomColumnsOverride("virtualprivatecloud-subnets", []any{
+			createFlatMapColumn("Data", ".data"),
+			createStringColumn("Subnet Parameters", "_flatMapData_Key"),
+			createStringColumn("Values", "_flatMapData_Value"),
+		}),
+
 		// Factory ingress details rules
 		createCustomColumnsOverride("factory-kube-ingress-details-rules", []any{
 			createStringColumn("Host", ".host"),
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:50ac1581e3100bd6c477a71161cb455a341ffaf9e5e2f6086802e4e25271e8af
+ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:e0a07082bb6fc6aeaae2315f335386f1705a646c72f9e0af512aebbca5cb2b15
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:c8b08084a86251cdd18e237de89b695bca0e4f7eb1f1f6ddc2b903b4d74ea5ff
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:d5c836ba33cf5dbed7e6f866784f668f80ffe69179e7c75847b680111984eefb
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -182,6 +182,33 @@ metadata:
 spec:
  template:
    spec:
+      files:
+      - path: /usr/bin/update-k8s.sh
+        owner: root:root
+        permissions: "0755"
+        content: |
+          #!/usr/bin/env bash
+          set -euo pipefail
+
+          # Expected to be passed in via preKubeadmCommands
+          : "${KUBELET_VERSION:?KUBELET_VERSION must be set, e.g. v1.31.0}"
+
+          ARCH="$(uname -m)"
+          case "${ARCH}" in
+            x86_64) ARCH=amd64 ;;
+            aarch64) ARCH=arm64 ;;
+          esac
+
+          # Use your internal mirror here for real-world use.
+          BASE_URL="https://dl.k8s.io/release/${KUBELET_VERSION}/bin/linux/${ARCH}"
+
+          echo "Installing kubelet and kubeadm  ${KUBELET_VERSION} for ${ARCH}..."
+          curl -fsSL "${BASE_URL}/kubelet" -o /root/kubelet
+          curl -fsSL "${BASE_URL}/kubeadm" -o /root/kubeadm
+          chmod 0755 /root/kubelet
+          chmod 0755 /root/kubeadm
+          if /root/kubelet --version ; then mv /root/kubelet /usr/bin/kubelet ; fi
+          if /root/kubeadm version ; then mv /root/kubeadm /usr/bin/kubeadm ; fi
      diskSetup:
        filesystems:
        - device: /dev/vdb
@@ -205,6 +232,7 @@ spec:
        {{- end }}
      {{- end }}
      preKubeadmCommands:
+      - KUBELET_VERSION={{ include "kubernetes.versionMap" $}} /usr/bin/update-k8s.sh || true
      - sed -i 's|root:x:|root::|' /etc/passwd
      - systemctl stop containerd.service
      - mkdir -p /ephemeral/kubelet /ephemeral/containerd
--- a/packages/apps/kubernetes/templates/csi/delete.yaml
+++ b/packages/apps/kubernetes/templates/csi/delete.yaml
@@ -1,76 +0,0 @@
---
-apiVersion: batch/v1
-kind: Job
-metadata:
-  annotations:
-    "helm.sh/hook": post-delete
-    "helm.sh/hook-weight": "10"
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-  name: {{ .Release.Name }}-datavolume-cleanup
-spec:
-  template:
-    spec:
-      serviceAccountName: {{ .Release.Name }}-datavolume-cleanup
-      restartPolicy: Never
-      tolerations:
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: "NoSchedule"
-      containers:
-        - name: kubectl
-          image: docker.io/clastix/kubectl:v1.32
-          command:
-            - /bin/sh
-            - -c
-            - kubectl -n {{ .Release.Namespace }} delete datavolumes
-              -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}"
-              --ignore-not-found=true
-
-
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Release.Name }}-datavolume-cleanup
-  annotations:
-    helm.sh/hook: post-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
-    helm.sh/hook-weight: "0"
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  annotations:
-    "helm.sh/hook": post-delete
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-    "helm.sh/hook-weight": "5"
-  name: {{ .Release.Name }}-datavolume-cleanup
-rules:
-  - apiGroups:
-      - "cdi.kubevirt.io"
-    resources:
-      - datavolumes
-    verbs:
-      - get
-      - list
-      - delete
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  annotations:
-    "helm.sh/hook": post-delete
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-    "helm.sh/hook-weight": "5"
-  name: {{ .Release.Name }}-datavolume-cleanup
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .Release.Name }}-datavolume-cleanup
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Release.Name }}-datavolume-cleanup
-    namespace: {{ .Release.Namespace }}
-
--- a/packages/apps/kubernetes/templates/delete.yaml
+++ b/packages/apps/kubernetes/templates/delete.yaml
@@ -0,0 +1,150 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "10"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+  name: {{ .Release.Name }}-cleanup
+spec:
+  template:
+    metadata:
+      labels:
+        policy.cozystack.io/allow-to-apiserver: "true"
+    spec:
+      serviceAccountName: {{ .Release.Name }}-cleanup
+      restartPolicy: Never
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
+      containers:
+        - name: kubectl
+          image: docker.io/clastix/kubectl:v1.32
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -e
+              echo "Step 1: Suspending all HelmReleases with label cozystack.io/target-cluster-name={{ .Release.Name }}"
+              for hr in $(kubectl -n {{ .Release.Namespace }} get helmreleases.helm.toolkit.fluxcd.io -l "cozystack.io/target-cluster-name={{ .Release.Name }}" -o name 2>/dev/null || true); do
+                if [ -n "$hr" ]; then           
+                  echo "  Suspending $hr"
+                  kubectl -n {{ .Release.Namespace }} patch "$hr" \
+                    -p '{"spec": {"suspend": true}}' \
+                    --type=merge --field-manager=flux-client-side-apply
+                fi
+              done
+
+              echo "Step 2: Deleting HelmReleases with label cozystack.io/target-cluster-name={{ .Release.Name }}"
+              kubectl -n {{ .Release.Namespace }} delete helmreleases.helm.toolkit.fluxcd.io \
+                -l "cozystack.io/target-cluster-name={{ .Release.Name }}" \
+                --ignore-not-found=true --wait=true
+
+              echo "Step 3: Deleting KamajiControlPlane {{ .Release.Name }}"
+              kubectl -n {{ .Release.Namespace }} delete kamajicontrolplanes.controlplane.cluster.x-k8s.io {{ .Release.Name }} \
+                --ignore-not-found=true
+
+              echo "Step 4: Deleting TenantControlPlane {{ .Release.Name }}"
+              kubectl -n {{ .Release.Namespace }} delete tenantcontrolplanes.kamaji.clastix.io {{ .Release.Name }} \
+                --ignore-not-found=true
+
+              echo "Step 5: Cleaning up DataVolumes"
+              kubectl -n {{ .Release.Namespace }} delete datavolumes \
+                -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}" \
+                --ignore-not-found=true
+
+              echo "Step 6: Cleaning up LoadBalancer Services"
+              kubectl -n {{ .Release.Namespace }} delete services \
+                -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}" \
+                --field-selector spec.type=LoadBalancer \
+                --ignore-not-found=true
+
+              echo "Cleanup completed successfully"
+
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-cleanup
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
+    helm.sh/hook-weight: "0"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+    "helm.sh/hook-weight": "5"
+  name: {{ .Release.Name }}-cleanup
+rules:
+  - apiGroups:
+      - "helm.toolkit.fluxcd.io"
+    resources:
+      - helmreleases
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - delete
+  - apiGroups:
+      - "controlplane.cluster.x-k8s.io"
+    resources:
+      - kamajicontrolplanes
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+  - apiGroups:
+      - "kamaji.clastix.io"
+    resources:
+      - tenantcontrolplanes
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+  - apiGroups:
+      - "cdi.kubevirt.io"
+    resources:
+      - datavolumes
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+    "helm.sh/hook-weight": "5"
+  name: {{ .Release.Name }}-cleanup
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-cleanup
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-cleanup
+    namespace: {{ .Release.Namespace }}
--- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml
@@ -1,104 +0,0 @@
---
-apiVersion: batch/v1
-kind: Job
-metadata:
-  annotations:
-    "helm.sh/hook": pre-delete
-    "helm.sh/hook-weight": "10"
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-  name: {{ .Release.Name }}-flux-teardown
-spec:
-  template:
-    spec:
-      serviceAccountName: {{ .Release.Name }}-flux-teardown
-      restartPolicy: Never
-      tolerations:
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: "NoSchedule"
-      containers:
-        - name: kubectl
-          image: docker.io/clastix/kubectl:v1.32
-          command:
-            - /bin/sh
-            - -c
-            - >-
-              kubectl
-              --namespace={{ .Release.Namespace }}
-              patch
-              helmrelease
-              {{ .Release.Name }}-cilium
-              {{ .Release.Name }}-gateway-api-crds
-              {{ .Release.Name }}-csi
-              {{ .Release.Name }}-cert-manager
-              {{ .Release.Name }}-cert-manager-crds
-              {{ .Release.Name }}-vertical-pod-autoscaler
-              {{ .Release.Name }}-vertical-pod-autoscaler-crds
-              {{ .Release.Name }}-ingress-nginx
-              {{ .Release.Name }}-fluxcd-operator
-              {{ .Release.Name }}-fluxcd
-              {{ .Release.Name }}-gpu-operator
-              {{ .Release.Name }}-velero
-              {{ .Release.Name }}-coredns
-              -p '{"spec": {"suspend": true}}'
-              --type=merge --field-manager=flux-client-side-apply || true
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Release.Name }}-flux-teardown
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
-    helm.sh/hook-weight: "0"
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  annotations:
-    "helm.sh/hook": pre-install,post-install,pre-delete
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-    "helm.sh/hook-weight": "5"
-  name: {{ .Release.Name }}-flux-teardown
-rules:
-  - apiGroups:
-      - "helm.toolkit.fluxcd.io"
-    resources:
-      - helmreleases
-    verbs:
-      - get
-      - patch
-    resourceNames:
-      - {{ .Release.Name }}-cilium
-      - {{ .Release.Name }}-csi
-      - {{ .Release.Name }}-cert-manager
-      - {{ .Release.Name }}-cert-manager-crds
-      - {{ .Release.Name }}-gateway-api-crds
-      - {{ .Release.Name }}-vertical-pod-autoscaler
-      - {{ .Release.Name }}-vertical-pod-autoscaler-crds
-      - {{ .Release.Name }}-ingress-nginx
-      - {{ .Release.Name }}-fluxcd-operator
-      - {{ .Release.Name }}-fluxcd
-      - {{ .Release.Name }}-gpu-operator
-      - {{ .Release.Name }}-velero
-      - {{ .Release.Name }}-coredns
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
-    helm.sh/hook-weight: "5"
-  name: {{ .Release.Name }}-flux-teardown
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .Release.Name }}-flux-teardown
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Release.Name }}-flux-teardown
-    namespace: {{ .Release.Namespace }}
--- a/packages/apps/mysql/templates/mariadb.yaml
+++ b/packages/apps/mysql/templates/mariadb.yaml
@@ -37,6 +37,10 @@ spec:
    #  automaticFailover: true
  {{- end }}

+  podMetadata:
+    labels:
+      "policy.cozystack.io/allow-to-apiserver": "true"
+
  metrics:
    enabled: true
    exporter:
--- a/packages/apps/tenant/templates/cleanup-job.yaml
+++ b/packages/apps/tenant/templates/cleanup-job.yaml
@@ -0,0 +1,85 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "-5"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "-5"
+rules:
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+  resources: ["helmreleases"]
+  verbs: ["get", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "-5"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "tenant.name" . }}-cleanup
+subjects:
+- kind: ServiceAccount
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "0"
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      name: {{ include "tenant.name" . }}-cleanup
+      labels:
+        policy.cozystack.io/allow-to-apiserver: "true"
+    spec:
+      serviceAccountName: {{ include "tenant.name" . }}-cleanup
+      restartPolicy: OnFailure
+      containers:
+      - name: cleanup
+        image: bitnami/kubectl:latest
+        command:
+        - /bin/bash
+        - -c
+        - |
+          set -e
+          NAMESPACE="{{ include "tenant.name" . }}"
+          
+          echo "Cleaning up HelmReleases in namespace: $NAMESPACE"
+          
+          echo "Deleting Applications"
+          kubectl delete helmreleases.helm.toolkit.fluxcd.io -n "$NAMESPACE" \
+            -l 'cozystack.io/ui=true,internal.cozystack.io/tenantmodule!=true' \
+            --ignore-not-found=true --wait=true
+          
+          echo "Deleting Tenant Modules"
+          kubectl delete helmreleases.helm.toolkit.fluxcd.io -n "$NAMESPACE" \
+            -l 'cozystack.io/ui=true,internal.cozystack.io/tenantmodule=true' \
+            --ignore-not-found=true --wait=true
+          
+          echo "Cleanup completed successfully"
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -122,7 +122,7 @@ metadata:
  name: {{ include "tenant.name" . }}-view
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "view" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-view
@@ -200,7 +200,7 @@ metadata:
  name: {{ include "tenant.name" . }}-use
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "use" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-use
@@ -299,7 +299,7 @@ metadata:
  name: {{ include "tenant.name" . }}-admin
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "admin" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-admin
@@ -373,7 +373,7 @@ metadata:
  name: {{ include "tenant.name" . }}-super-admin
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "super-admin" (include "tenant.name" .) ) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" (include "tenant.name" .) ) | nindent 2 }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-super-admin
--- a/packages/apps/vpc/README.md
+++ b/packages/apps/vpc/README.md
@@ -19,7 +19,7 @@ Subnet name and ip address range must be unique within a VPC.
 Subnet ip address space must not overlap with the default management network ip address range, subsets of 172.16.0.0/12 are recommended.
 Currently there are no fail-safe checks, however they are planned for the future.

-Different VPCs may have subnets with ovelapping ip address ranges.
+Different VPCs may have subnets with overlapping ip address ranges.

 A VM or a pod may be connected to multiple secondary Subnets at once. Each secondary connection will be represented as an additional network interface.

--- a/packages/apps/vpc/charts/cozy-lib
+++ b/packages/apps/vpc/charts/cozy-lib
@@ -0,0 +1 @@
+../../../library/cozy-lib
--- a/packages/apps/vpc/templates/vpc.yaml
+++ b/packages/apps/vpc/templates/vpc.yaml
@@ -60,13 +60,33 @@ kind: ConfigMap
 metadata:
  name: {{ $.Release.Name }}-subnets
  labels:
+    apps.cozystack.io/application.group: apps.cozystack.io
+    apps.cozystack.io/application.kind: VirtualPrivateCloud
+    apps.cozystack.io/application.name: {{ trimPrefix "virtualprivatecloud-" .Release.Name }}
    cozystack.io/vpcId: {{ $vpcId }}
    cozystack.io/tenantName: {{ $.Release.Namespace }}
 data:
  {{- range $subnetName, $subnetConfig := .Values.subnets }}
-  {{ $subnetName }}: |-
-    subnetName: {{ $subnetName }}
-    subnetId: {{ print "subnet-" (print $.Release.Namespace "/" $vpcId "/" $subnetName | sha256sum | trunc 8) }}
-    subnetCIDR: {{ $subnetConfig.cidr }}
+  {{ $subnetName }}.ID: {{ print "subnet-" (print $.Release.Namespace "/" $vpcId "/" $subnetName | sha256sum | trunc 8) }}
+  {{ $subnetName }}.CIDR: {{ $subnetConfig.cidr }}
  {{- end }}
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "{{ .Release.Name }}-subnets"
+subjects: {{- include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" .Release.Namespace ) | nindent 2 }}
+roleRef:
+  kind: Role
+  name: "{{ .Release.Name }}-subnets"
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: "{{ .Release.Name }}-subnets"
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get","list","watch"]
+  resourceNames: ["{{ .Release.Name }}-subnets"]
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.37.0@sha256:256c5a0f0ae2fc3ad6865b9fda74c42945b38a5384240fa29554617185b60556
+  image: ghcr.io/cozystack/cozystack/installer:v0.38.1@sha256:b76b497cfb65e1f9eb40501c947dbf5c5e15578686a1047d58071d581d16984a
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.37.0@sha256:10afd0a6c39248ec41d0e59ff1bc6c29bd0075b7cc9a512b01cf603ef39c33ea
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.38.1@sha256:e8cdd1a2c24621299e2e48b87d2070e4401c6cb2ddda31b30b3bc2f3514fb78b
--- a/packages/extra/bootbox/images/matchbox.tag
+++ b/packages/extra/bootbox/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.37.0@sha256:5cca5f56b755285aefa11b1052fe55e1aa83b25bae34aef80cdb77ff63091044
+ghcr.io/cozystack/cozystack/matchbox:v0.38.1@sha256:c1122766930ba1e73fad93a0505b9542ba211d14d478e8934bbd7cd299b7439f
--- a/packages/extra/ingress/templates/nginx-ingress.yaml
+++ b/packages/extra/ingress/templates/nginx-ingress.yaml
@@ -1,6 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $exposeIngress := index $cozyConfig.data "expose-ingress" | default "tenant-root" }}
-{{- $exposeExternalIPs := (index $cozyConfig.data "expose-external-ips") | default "" }}
+{{- $exposeExternalIPs := (index $cozyConfig.data "expose-external-ips") | default "" | nospace }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
--- a/packages/extra/seaweedfs/images/objectstorage-sidecar.tag
+++ b/packages/extra/seaweedfs/images/objectstorage-sidecar.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.37.0@sha256:f166f09cdc9cdbb758209883819ab8261a3793bc1d7a6b6685efd5a2b2930847
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.38.1@sha256:7b21cea262f379db350fd30003266875241737777f43e3044e4e2c98e5cab31a
--- a/packages/library/cozy-lib/Makefile
+++ b/packages/library/cozy-lib/Makefile
@@ -4,3 +4,5 @@ include ../../../scripts/package.mk
 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md

+test:
+	$(MAKE) -C ../../tests/cozy-lib-tests/ test
--- a/packages/library/cozy-lib/templates/_resources.tpl
+++ b/packages/library/cozy-lib/templates/_resources.tpl
@@ -174,15 +174,46 @@
 {{- end }}

 {{- define "cozy-lib.resources.flatten" -}}
-{{- $out := dict -}}
-{{- $res := include "cozy-lib.resources.sanitize" . | fromYaml -}}
-{{- range $section, $values := $res }}
-  {{- range $k, $v := $values }}
-    {{- $key := printf "%s.%s" $section $k }}
-    {{- if ne $key "limits.storage" }}
-        {{- $_ := set $out $key $v }}
-    {{- end }}
-  {{- end }}
+{{-   $out := dict -}}
+{{-   $res := include "cozy-lib.resources.sanitize" . | fromYaml -}}
+{{-   range $section, $values := $res }}
+{{-     range $k, $v := $values }}
+{{-       with include "cozy-lib.resources.flattenResource" (list $section $k) }}
+{{-         $_ := set $out . $v }}
+{{-       end }}
+{{-     end }}
+{{-   end }}
+{{-   $out | toYaml }}
 {{- end }}
-{{- $out | toYaml }}
+
+{{/*
+  This is a helper function that takes an argument like `list "limits" "services.loadbalancers"`
+  or `list "limits" "storage"` or `list "requests" "cpu"` and returns "services.loadbalancers",
+  "", and "requests.cpu", respectively, thus transforming them to an acceptable format for k8s
+  ResourceQuotas objects.
+*/}}
+{{- define "cozy-lib.resources.flattenResource" }}
+{{-   $rawQuotaKeys := list
+        "pods"
+        "services"
+        "services.loadbalancers"
+        "services.nodeports"
+        "services.clusterip"
+        "configmaps"
+        "secrets"
+        "persistentvolumeclaims"
+        "replicationcontrollers"
+        "resourcequotas"
+-}}
+{{-   $section := index . 0 }}
+{{-   $type := index . 1 }}
+{{-   $out := "" }}
+{{-   if and (eq $section "limits") (eq $type "storage") }}
+{{-     $out = "" }}
+{{-   else if and (eq $section "limits") (has $type $rawQuotaKeys) }}
+{{-     $out = $type }}
+{{-   else if not (has $type $rawQuotaKeys) }}
+{{-     $out = printf "%s.%s" $section $type }}
+{{-   end }}
+{{-   $out -}}
 {{- end }}
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:7348bec610f08bd902c88c9a9f28fdd644727e2728a1e4103f88f0c99febd5e7
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:ec77d572175945f6be3e3da6f77fa8a5988cce33ae2425e71a9012ed84cf439f
--- a/packages/system/cozystack-api/.gitignore
+++ b/packages/system/cozystack-api/.gitignore
@@ -0,0 +1 @@
+apiserver.local.config/
--- a/packages/system/cozystack-api/Makefile
+++ b/packages/system/cozystack-api/Makefile
@@ -4,6 +4,18 @@ NAMESPACE=cozy-system
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk

+run-local:
+	openssl req -nodes -new -x509 -keyout /tmp/ca.key -out /tmp/ca.crt -subj "/CN=kube-ca"
+	openssl req -out /tmp/client.csr -new -newkey rsa:2048 -nodes -keyout /tmp/client.key -subj "/C=US/ST=SomeState/L=L/OU=Dev/CN=development/O=system:masters"
+	openssl x509 -req -days 365 -in /tmp/client.csr -CA /tmp/ca.crt -CAkey /tmp/ca.key -set_serial 01 -sha256 -out /tmp/client.crt
+	openssl req -out /tmp/apiserver.csr -new -newkey rsa:2048 -nodes -keyout /tmp/apiserver.key -subj "/CN=cozystack-api" -config cozystack-api-openssl.cnf
+	openssl x509 -req -days 365 -in /tmp/apiserver.csr -CA /tmp/ca.crt -CAkey /tmp/ca.key -set_serial 01 -sha256 -out /tmp/apiserver.crt -extensions v3_req -extfile cozystack-api-openssl.cnf
+	CGO_ENABLED=0 go build -o /tmp/cozystack-api ../../../cmd/cozystack-api/main.go
+	/tmp/cozystack-api --client-ca-file /tmp/ca.crt --tls-cert-file /tmp/apiserver.crt --tls-private-key-file /tmp/apiserver.key --secure-port 6443 --kubeconfig $(KUBECONFIG) --authorization-kubeconfig $(KUBECONFIG) --authentication-kubeconfig $(KUBECONFIG)
+
+debug:
+	dlv debug ../../../cmd/cozystack-api/main.go -- --client-ca-file /tmp/ca.crt --tls-cert-file /tmp/apiserver.crt --tls-private-key-file /tmp/apiserver.key --secure-port 6443 --kubeconfig $(KUBECONFIG) --authorization-kubeconfig $(KUBECONFIG) --authentication-kubeconfig $(KUBECONFIG)
+
 image: image-cozystack-api

 image-cozystack-api:
--- a/packages/system/cozystack-api/cozystack-api-openssl.cnf
+++ b/packages/system/cozystack-api/cozystack-api-openssl.cnf
@@ -0,0 +1,13 @@
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions     = v3_req
+prompt             = no
+
+[ req_distinguished_name ]
+CN = cozystack-api
+
+[ v3_req ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+IP.1 = 127.0.0.1
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,5 +1,5 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.37.0@sha256:19d89e8afb90ce38ab7e42ecedfc28402f7c0b56f30957db957c5415132ff6ca
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.38.1@sha256:33cc3dc3b38c804e607a7220cb6d5622a5b090ea22cef47789960dd24aea143a
  localK8sAPIEndpoint:
    enabled: true
  replicas: 2
--- a/packages/system/cozystack-controller/values.yaml
+++ b/packages/system/cozystack-controller/values.yaml
@@ -1,6 +1,6 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.37.0@sha256:845b8e68cbc277c2303080bcd55597e4334610d396dad258ad56fd906530acc3
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.38.1@sha256:98f220940a99e0cf102ffc413e0c150ff5067f1994ea9d771f833e291bfaed58
  debug: false
  disableTelemetry: false
-  cozystackVersion: "v0.37.0"
+  cozystackVersion: "v0.38.1"
  cozystackAPIKind: "DaemonSet"
--- a/packages/system/dashboard/images/openapi-ui-k8s-bff/Dockerfile
+++ b/packages/system/dashboard/images/openapi-ui-k8s-bff/Dockerfile
@@ -3,7 +3,7 @@ ARG NODE_VERSION=20.18.1
 FROM node:${NODE_VERSION}-alpine AS builder
 WORKDIR /src

-ARG COMMIT_REF=ba56271739505284aee569f914fc90e6a9c670da
+ARG COMMIT_REF=183dc9dcbb0f8a1833dad642c35faa385c71e58d
 RUN wget -O- https://github.com/PRO-Robotech/openapi-ui-k8s-bff/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1

 ENV PATH=/src/node_modules/.bin:$PATH
--- a/packages/system/dashboard/images/openapi-ui/Dockerfile
+++ b/packages/system/dashboard/images/openapi-ui/Dockerfile
@@ -5,7 +5,7 @@ ARG NODE_VERSION=20.18.1
 FROM node:${NODE_VERSION}-alpine AS openapi-k8s-toolkit-builder
 RUN apk add git
 WORKDIR /src
-ARG COMMIT=7bd5380c6c4606640dd3bac68bf9dce469470518
+ARG COMMIT=cb2f122caafaa2fd5455750213d9e633017ec555
 RUN wget -O- https://github.com/cozystack/openapi-k8s-toolkit/archive/${COMMIT}.tar.gz | tar -xzvf- --strip-components=1

 COPY openapi-k8s-toolkit/patches /patches
@@ -22,7 +22,7 @@ FROM node:${NODE_VERSION}-alpine AS builder
 #RUN apk add git
 WORKDIR /src

-ARG COMMIT_REF=0c3629b2ce8545e81f7ece4d65372a188c802dfc
+ARG COMMIT_REF=3cfbbf2156b6a5e4a1f283a032019530c0c2d37d
 RUN wget -O- https://github.com/PRO-Robotech/openapi-ui/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1

 #COPY openapi-ui/patches /patches
--- a/packages/system/dashboard/templates/configmap.yaml
+++ b/packages/system/dashboard/templates/configmap.yaml
@@ -1,6 +1,6 @@
 {{- $brandingConfig:= lookup "v1" "ConfigMap" "cozy-system" "cozystack-branding" }}

-{{- $tenantText := "latest" }}
+{{- $tenantText := "v0.38.1" }}
 {{- $footerText := "Cozystack" }}
 {{- $titleText := "Cozystack Dashboard" }}
 {{- $logoText := "" }}
--- a/packages/system/dashboard/templates/nginx-config.yaml
+++ b/packages/system/dashboard/templates/nginx-config.yaml
@@ -34,6 +34,14 @@ data:
      }

      location /k8s {
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $connection_upgrade;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Host $host;
+          proxy_read_timeout 86400s;
+          proxy_send_timeout 86400s;
+          
          rewrite /k8s/(.*) /$1  break;
          proxy_pass https://kubernetes.default.svc:443;
      }
--- a/packages/system/dashboard/templates/nginx.yaml
+++ b/packages/system/dashboard/templates/nginx.yaml
@@ -16,7 +16,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/configmap-configurationnginxfile: 258c66b019c8c7f4a5d0a78dfd7bf297ce486b213346fbd2879c466abfc377e0
+        checksum/config: {{ include (print $.Template.BasePath "/nginx-config.yaml") . | sha256sum }}
      labels:
        app.kubernetes.io/instance: incloud-web
        app.kubernetes.io/name: nginx
--- a/packages/system/dashboard/templates/web.yaml
+++ b/packages/system/dashboard/templates/web.yaml
@@ -15,7 +15,8 @@ spec:
    type: RollingUpdate
  template:
    metadata:
-      annotations: null
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
      labels:
        app.kubernetes.io/instance: incloud-web
        app.kubernetes.io/name: web
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -1,6 +1,6 @@
 openapiUI:
-  image: ghcr.io/cozystack/cozystack/openapi-ui:latest@sha256:77991f2482c0026d082582b22a8ffb191f3ba6fc948b2f125ef9b1081538f865
+  image: ghcr.io/cozystack/cozystack/openapi-ui:v0.38.1@sha256:e968ddf4a5cecaccb6bde2a3390184b55b7ef469172a282aa85f8e293cfc994a
 openapiUIK8sBff:
-  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:latest@sha256:8386f0747266726afb2b30db662092d66b0af0370e3becd8bee9684125fa9cc9
+  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v0.38.1@sha256:7646364cda96f3b6da421f28293db0256ae5dbce0a8912bf076eef3349968af2
 tokenProxy:
-  image: ghcr.io/cozystack/cozystack/token-proxy:latest@sha256:fad27112617bb17816702571e1f39d0ac3fe5283468d25eb12f79906cdab566b
+  image: ghcr.io/cozystack/cozystack/token-proxy:v0.38.1@sha256:fad27112617bb17816702571e1f39d0ac3fe5283468d25eb12f79906cdab566b
--- a/packages/system/kafka-operator/values.yaml
+++ b/packages/system/kafka-operator/values.yaml
@@ -1,4 +1,7 @@
 strimzi-kafka-operator:
  watchAnyNamespace: true
  generateNetworkPolicy: false
-  kubernetesServiceDnsDomain: cozy.local
+  kubernetesServiceDnsDomain: cozy.local
+  resources:
+    limits:
+      memory: 512Mi
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,7 +3,7 @@ kamaji:
    deploy: false
  image:
    pullPolicy: IfNotPresent
-    tag: v0.37.0@sha256:9f4fd5045ede2909fbaf2572e4138fcbd8921071ecf8f08446257fddd0e6f655
+    tag: v0.38.1@sha256:d8909d4ac16f6ca890304742a1c9382d09f2464330173a9d5762ca6909b1c086
    repository: ghcr.io/cozystack/cozystack/kamaji
  resources:
    limits:
@@ -13,4 +13,4 @@ kamaji:
      cpu: 100m
      memory: 100Mi
  extraArgs:
-    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v0.37.0@sha256:9f4fd5045ede2909fbaf2572e4138fcbd8921071ecf8f08446257fddd0e6f655
+    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v0.38.1@sha256:d8909d4ac16f6ca890304742a1c9382d09f2464330173a9d5762ca6909b1c086
--- a/packages/system/kubeovn-plunger/values.yaml
+++ b/packages/system/kubeovn-plunger/values.yaml
@@ -1,4 +1,4 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v0.37.0@sha256:9950614571ea77a55925eba0839b6b12c8e5a7a30b8858031a8c6050f261af1a
+image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v0.38.1@sha256:843ab1f551ca5b5197cc761b700085f0b464036b996a6aba311e1e0ae7b33faa
 ovnCentralName: ovn-central
--- a/packages/system/kubeovn-webhook/values.yaml
+++ b/packages/system/kubeovn-webhook/values.yaml
@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.37.0@sha256:7e63205708e607ce2cedfe2a2cafd323ca51e3ebc71244a21ff6f9016c6c87bc
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.38.1@sha256:5581d232c05d698c508c40c8fdc111901d24f7cff1327bb8dfa99a46acf82eb9
--- a/packages/system/kubeovn/values.yaml
+++ b/packages/system/kubeovn/values.yaml
@@ -44,7 +44,7 @@ kube-ovn:
      memory: "50Mi"
    limits:
      cpu: "1000m"
-      memory: "1Gi"
+      memory: "2Gi"
  kube-ovn-pinger:
    requests:
      cpu: "10m"
@@ -65,4 +65,4 @@ global:
  images:
    kubeovn:
      repository: kubeovn
-      tag: v1.14.5@sha256:af10da442a0c6dc7df47a0ef752e2eb5c247bb0b43069fdfcb2aa51511185ea2
+      tag: v1.14.11@sha256:35e64717c685b1b3fafa4c669ee3943595e1e02a5057a5e2c35a8043face00d3
--- a/packages/system/kubevirt-csi-node/values.yaml
+++ b/packages/system/kubevirt-csi-node/values.yaml
@@ -1,3 +1,3 @@
 storageClass: replicated
 csiDriver:
-  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:c8b08084a86251cdd18e237de89b695bca0e4f7eb1f1f6ddc2b903b4d74ea5ff
+  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:d5c836ba33cf5dbed7e6f866784f668f80ffe69179e7c75847b680111984eefb
--- a/packages/system/lineage-controller-webhook/values.yaml
+++ b/packages/system/lineage-controller-webhook/values.yaml
@@ -1,5 +1,5 @@
 lineageControllerWebhook:
-  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.37.0@sha256:845b8e68cbc277c2303080bcd55597e4334610d396dad258ad56fd906530acc3
+  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.38.1@sha256:5729934ec876bc58d9307a1ff5b5bc04ac7a29098b51d026ca00a56c109973d0
  debug: false
  localK8sAPIEndpoint:
    enabled: true
--- a/packages/system/mariadb-operator/charts/mariadb-operator/Chart.lock
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: mariadb-operator-crds
  repository: file://../mariadb-operator-crds
-  version: 0.38.1
-digest: sha256:0f2ff90b83955a060f581b7db4a0c746338ae3a50d9766877c346c7f61d74cde
-generated: "2025-04-15T16:54:07.813989419Z"
+  version: 25.10.2
+digest: sha256:01b102dbdb92970e38346df382ed3e5cd93d02a3b642029e94320256c9bfad42
+generated: "2025-10-28T11:29:04.951947063Z"
--- a/packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
@@ -1,10 +1,10 @@
 apiVersion: v2
-appVersion: 0.38.1
+appVersion: 25.10.2
 dependencies:
 - condition: crds.enabled
  name: mariadb-operator-crds
  repository: file://../mariadb-operator-crds
-  version: 0.38.1
+  version: 25.10.2
 description: Run and operate MariaDB in a cloud native way
 home: https://github.com/mariadb-operator/mariadb-operator
 icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
@@ -21,4 +21,4 @@ maintainers:
  name: mmontes11
 name: mariadb-operator
 type: application
-version: 0.38.1
+version: 25.10.2
--- a/packages/system/mariadb-operator/charts/mariadb-operator/README.md
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/README.md
@@ -2,7 +2,7 @@

 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)

-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.38.1](https://img.shields.io/badge/Version-0.38.1-informational?style=flat-square) ![AppVersion: 0.38.1](https://img.shields.io/badge/AppVersion-0.38.1-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 25.10.2](https://img.shields.io/badge/Version-25.10.2-informational?style=flat-square) ![AppVersion: 25.10.2](https://img.shields.io/badge/AppVersion-25.10.2-informational?style=flat-square)

 Run and operate MariaDB in a cloud native way

@@ -16,7 +16,7 @@ helm install mariadb-operator-crds mariadb-operator/mariadb-operator-crds
 helm install mariadb-operator mariadb-operator/mariadb-operator
 ```

-Refer to the [helm documentation](https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/HELM.md) for further detail.
+Refer to the [helm documentation](https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/helm.md) for further detail.

 ## Values

@@ -60,14 +60,15 @@ Refer to the [helm documentation](https://github.com/mariadb-operator/mariadb-op
 | certController.tolerations | list | `[]` | Tolerations to add to cert-controller container |
 | certController.topologySpreadConstraints | list | `[]` | topologySpreadConstraints to add to cert-controller container |
 | clusterName | string | `"cluster.local"` | Cluster DNS name |
-| config | object | `{"exporterImage":"prom/mysqld-exporter:v0.15.1","exporterMaxscaleImage":"docker-registry2.mariadb.com/mariadb/maxscale-prometheus-exporter-ubi:v0.0.1","galeraLibPath":"/usr/lib/galera/libgalera_smm.so","mariadbDefaultVersion":"11.4","mariadbImage":"docker-registry1.mariadb.com/library/mariadb:11.4.5","maxscaleImage":"docker-registry2.mariadb.com/mariadb/maxscale:23.08.5"}` | Operator configuration |
+| config | object | `{"exporterImage":"prom/mysqld-exporter:v0.15.1","exporterMaxscaleImage":"docker-registry2.mariadb.com/mariadb/maxscale-prometheus-exporter-ubi:v0.0.1","galeraLibPath":"/usr/lib/galera/libgalera_smm.so","mariadbDefaultVersion":"11.8","mariadbImage":"docker-registry1.mariadb.com/library/mariadb:11.8.2","mariadbImageName":"docker-registry1.mariadb.com/library/mariadb","maxscaleImage":"docker-registry2.mariadb.com/mariadb/maxscale:23.08.5"}` | Operator configuration |
 | config.exporterImage | string | `"prom/mysqld-exporter:v0.15.1"` | Default MariaDB exporter image |
 | config.exporterMaxscaleImage | string | `"docker-registry2.mariadb.com/mariadb/maxscale-prometheus-exporter-ubi:v0.0.1"` | Default MaxScale exporter image |
 | config.galeraLibPath | string | `"/usr/lib/galera/libgalera_smm.so"` | Galera library path to be used with MariaDB Galera |
-| config.mariadbDefaultVersion | string | `"11.4"` | Default MariaDB version to be used when unable to infer it via image tag |
-| config.mariadbImage | string | `"docker-registry1.mariadb.com/library/mariadb:11.4.5"` | Default MariaDB image |
+| config.mariadbDefaultVersion | string | `"11.8"` | Default MariaDB version to be used when unable to infer it via image tag |
+| config.mariadbImage | string | `"docker-registry1.mariadb.com/library/mariadb:11.8.2"` | Default MariaDB image |
+| config.mariadbImageName | string | `"docker-registry1.mariadb.com/library/mariadb"` | Default MariaDB image name |
 | config.maxscaleImage | string | `"docker-registry2.mariadb.com/mariadb/maxscale:23.08.5"` | Default MaxScale image |
-| crds | object | `{"enabled":false}` | - CRDs |
+| crds | object | `{"enabled":false}` | CRDs |
 | crds.enabled | bool | `false` | Whether the helm chart should create and update the CRDs. It is false by default, which implies that the CRDs must be managed independently with the mariadb-operator-crds helm chart. **WARNING** This should only be set to true during the initial deployment. If this chart manages the CRDs and is later uninstalled, all MariaDB instances will be DELETED. |
 | currentNamespaceOnly | bool | `false` | Whether the operator should watch CRDs only in its own namespace or not. |
 | extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |
--- a/packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl
@@ -17,6 +17,6 @@ helm install mariadb-operator-crds mariadb-operator/mariadb-operator-crds
 helm install mariadb-operator mariadb-operator/mariadb-operator
 ```

-Refer to the [helm documentation](https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/HELM.md) for further detail.
+Refer to the [helm documentation](https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/helm.md) for further detail.

 {{ template "chart.valuesSection" . }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/charts/mariadb-operator-crds/Chart.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/charts/mariadb-operator-crds/Chart.yaml
@@ -16,4 +16,4 @@ maintainers:
  name: mmontes11
 name: mariadb-operator-crds
 type: application
-version: 0.38.1
+version: 25.10.2
--- a/packages/system/mariadb-operator/charts/mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/NOTES.txt
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/NOTES.txt
@@ -1,4 +1,4 @@
 mariadb-operator has been successfully deployed! 🦭

 Not sure what to do next? 😅 Check out:
-https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/QUICKSTART.md
+https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/quickstart.md
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller/rbac.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller/rbac.yaml
@@ -51,10 +51,10 @@ rules:
  - patch
  - watch
 - apiGroups:
-  - ""
+  - discovery.k8s.io
  resources:
-  - endpoints
-  - endpoints/restricted
+  - endpointslices
+  - endpointslices/restricted
  verbs:
  - get
  - list
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/operator/configmap.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/operator/configmap.yaml
@@ -4,6 +4,7 @@ data:
  MARIADB_GALERA_LIB_PATH: "{{ .Values.config.galeraLibPath }}"
  MARIADB_DEFAULT_VERSION: "{{ .Values.config.mariadbDefaultVersion }}"
  RELATED_IMAGE_MARIADB: "{{ .Values.config.mariadbImage }}"
+  RELATED_IMAGE_MARIADB_NAME: "{{ .Values.config.mariadbImageName }}"
  RELATED_IMAGE_MAXSCALE: "{{ .Values.config.maxscaleImage }}"
  RELATED_IMAGE_EXPORTER: "{{ .Values.config.exporterImage }}"
  RELATED_IMAGE_EXPORTER_MAXSCALE: "{{ .Values.config.exporterMaxscaleImage }}"
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/operator/rbac-namespace.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/operator/rbac-namespace.yaml
@@ -36,17 +36,6 @@ rules:
  verbs:
  - create
  - patch
- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  - endpoints/restricted
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - watch
 - apiGroups:
  - ""
  resources:
@@ -65,6 +54,7 @@ rules:
  - persistentvolumeclaims
  verbs:
  - create
+  - delete
  - deletecollection
  - list
  - patch
@@ -121,6 +111,7 @@ rules:
  verbs:
  - create
  - delete
+  - get
  - list
  - patch
  - watch
@@ -133,6 +124,17 @@ rules:
  - list
  - patch
  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  - endpointslices/restricted
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
 - apiGroups:
  - k8s.mariadb.com
  resources:
@@ -141,7 +143,9 @@ rules:
  - databases
  - grants
  - mariadbs
+  - externalmariadbs
  - maxscales
+  - physicalbackups
  - restores
  - sqljobs
  - users
@@ -161,7 +165,9 @@ rules:
  - databases/finalizers
  - grants/finalizers
  - mariadbs/finalizers
+  - externalmariadbs/finalizers
  - maxscales/finalizers
+  - physicalbackups/finalizers
  - restores/finalizers
  - sqljobs/finalizers
  - users/finalizers
@@ -175,7 +181,9 @@ rules:
  - databases/status
  - grants/status
  - mariadbs/status
+  - externalmariadbs/status
  - maxscales/status
+  - physicalbackups/status
  - restores/status
  - sqljobs/status
  - users/status
@@ -220,6 +228,17 @@ rules:
  - list
  - patch
  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/operator/rbac.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/operator/rbac.yaml
@@ -53,17 +53,6 @@ rules:
  - list
  - patch
  - watch
- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  - endpoints/restricted
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - watch
 - apiGroups:
  - ""
  resources:
@@ -82,6 +71,7 @@ rules:
  - persistentvolumeclaims
  verbs:
  - create
+  - delete
  - deletecollection
  - list
  - patch
@@ -150,6 +140,7 @@ rules:
  verbs:
  - create
  - delete
+  - get
  - list
  - patch
  - watch
@@ -162,6 +153,17 @@ rules:
  - list
  - patch
  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  - endpointslices/restricted
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
 - apiGroups:
  - k8s.mariadb.com
  resources:
@@ -170,7 +172,9 @@ rules:
  - databases
  - grants
  - mariadbs
+  - externalmariadbs
  - maxscales
+  - physicalbackups
  - restores
  - sqljobs
  - users
@@ -190,7 +194,9 @@ rules:
  - databases/finalizers
  - grants/finalizers
  - mariadbs/finalizers
+  - externalmariadbs/finalizers
  - maxscales/finalizers
+  - physicalbackups/finalizers
  - restores/finalizers
  - sqljobs/finalizers
  - users/finalizers
@@ -204,7 +210,9 @@ rules:
  - databases/status
  - grants/status
  - mariadbs/status
+  - externalmariadbs/status
  - maxscales/status
+  - physicalbackups/status
  - restores/status
  - sqljobs/status
  - users/status
@@ -250,6 +258,17 @@ rules:
  - list
  - patch
  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook/config.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook/config.yaml
@@ -1,41 +1,5 @@
 {{ if and (not .Values.currentNamespaceOnly) .Values.webhook.enabled }}
 {{ $fullName := include "mariadb-operator.fullname" . }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  name: {{ $fullName }}-webhook
-  labels:
-    {{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
-  annotations:
-    {{- if .Values.webhook.cert.certManager.enabled }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
-    {{- else }}
-    k8s.mariadb.com/webhook: ""
-    {{- end }}
-    {{- with .Values.webhook.annotations }}
-    {{ toYaml . | indent 4 }}
-    {{- end }}
-webhooks:
- admissionReviewVersions:
-  - v1
-  clientConfig:
-    service:
-      name: {{ $fullName }}-webhook
-      namespace: {{ .Release.Namespace }}
-      path: /mutate-k8s-mariadb-com-v1alpha1-mariadb
-  failurePolicy: Fail
-  name: mmariadb-v1alpha1.kb.io
-  rules:
-  - apiGroups:
-    - k8s.mariadb.com
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - mariadbs
-  sideEffects: None
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -73,6 +37,26 @@ webhooks:
        resources:
          - backups
    sideEffects: None
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: {{ $fullName }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validate-k8s-mariadb-com-v1alpha1-physicalbackup
+    failurePolicy: Fail
+    name: vphysicalbackup-v1alpha1.kb.io
+    rules:
+      - apiGroups:
+          - k8s.mariadb.com
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - physicalbackups
+    sideEffects: None
  - admissionReviewVersions:
      - v1
    clientConfig:
@@ -233,4 +217,4 @@ webhooks:
        resources:
          - users
    sideEffects: None
-{{- end }}
+{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/values.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/values.yaml
@@ -1,6 +1,6 @@
 nameOverride: ""
 fullnameOverride: ""
-# --- CRDs
+# -- CRDs
 crds:
  # -- Whether the helm chart should create and update the CRDs. It is false by default, which implies that the CRDs must be
  # managed independently with the mariadb-operator-crds helm chart.
@@ -310,9 +310,11 @@ config:
  # -- Galera library path to be used with MariaDB Galera
  galeraLibPath: /usr/lib/galera/libgalera_smm.so
  # -- Default MariaDB version to be used when unable to infer it via image tag
-  mariadbDefaultVersion: "11.4"
+  mariadbDefaultVersion: "11.8"
  # -- Default MariaDB image
-  mariadbImage: docker-registry1.mariadb.com/library/mariadb:11.4.5
+  mariadbImage: docker-registry1.mariadb.com/library/mariadb:11.8.2
+  # -- Default MariaDB image name
+  mariadbImageName: docker-registry1.mariadb.com/library/mariadb
  # -- Default MaxScale image
  maxscaleImage: docker-registry2.mariadb.com/mariadb/maxscale:23.08.5
  # -- Default MariaDB exporter image
--- a/packages/system/multus/templates/multus-daemonset-thick.yml
+++ b/packages/system/multus/templates/multus-daemonset-thick.yml
@@ -154,7 +154,7 @@ spec:
      serviceAccountName: multus
      containers:
        - name: kube-multus
-          image: ghcr.io/k8snetworkplumbingwg/multus-cni:v4.2.2-thick
+          image: ghcr.io/k8snetworkplumbingwg/multus-cni:v4.2.3-thick
          command: [ "/usr/src/multus-cni/bin/multus-daemon" ]
          resources:
            requests:
@@ -162,7 +162,7 @@ spec:
              memory: "100Mi"
            limits:
              cpu: "100m"
-              memory: "100Mi"
+              memory: "300Mi"
          securityContext:
            privileged: true
          terminationMessagePolicy: FallbackToLogsOnError
@@ -201,11 +201,13 @@ spec:
                  fieldPath: spec.nodeName
      initContainers:
        - name: install-multus-binary
-          image: ghcr.io/k8snetworkplumbingwg/multus-cni:v4.2.2-thick
+          image: ghcr.io/k8snetworkplumbingwg/multus-cni:v4.2.3-thick
          command:
-            - "sh"
-            - "-c"
-            - "cp /usr/src/multus-cni/bin/multus-shim /host/opt/cni/bin/multus-shim && cp /usr/src/multus-cni/bin/passthru /host/opt/cni/bin/passthru"
+            - "/usr/src/multus-cni/bin/install_multus"
+            - "-d"
+            - "/host/opt/cni/bin"
+            - "-t"
+            - "thick"
          resources:
            requests:
              cpu: "10m"
--- a/packages/system/objectstorage-controller/values.yaml
+++ b/packages/system/objectstorage-controller/values.yaml
@@ -1,3 +1,3 @@
 objectstorage:
  controller:
-    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.37.0@sha256:5f2eed05d19ba971806374834cb16ca49282aac76130194c00b213c79ce3e10d"
+    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.38.1@sha256:7d37495cce46d30d4613ecfacaa7b7f140e7ea8f3dbcc3e8c976e271de6cc71b"
--- a/packages/system/piraeus-operator/charts/piraeus/Chart.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/Chart.yaml
@@ -3,8 +3,8 @@ name: piraeus
 description: |
  The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
 type: application
-version: 2.9.1
-appVersion: "v2.9.1"
+version: 2.10.1
+appVersion: "v2.10.1"
 maintainers:
  - name: Piraeus Datastore
    url: https://piraeus.io
--- a/packages/system/piraeus-operator/charts/piraeus/README.md
+++ b/packages/system/piraeus-operator/charts/piraeus/README.md
@@ -3,33 +3,8 @@
 Deploys the [Piraeus Operator](https://github.com/piraeusdatastore/piraeus-operator) which deploys and manages a simple
 and resilient storage solution for Kubernetes.

-The main deployment method for Piraeus Operator switched to [`kustomize`](../../docs/tutorial)
+The main deployment method for Piraeus Operator switched to [`kustomize`](https://piraeus.io/docs/stable/tutorial/get-started/)
 in release `v2.0.0`. This chart is intended for users who want to continue using Helm.

 This chart **only** configures the Operator, but does not create the `LinstorCluster` resource creating the actual
-storage system. Refer to the existing [tutorials](../../docs/tutorial)
-and [how-to guides](../../docs/how-to).
-
-## Deploying Piraeus Operator
-
-To deploy Piraeus Operator with Helm, clone this repository and deploy the chart:
-
-```
-$ git clone --branch v2 https://github.com/piraeusdatastore/piraeus-operator
-$ cd piraeus-operator
-$ helm install piraeus-operator charts/piraeus-operator --create-namespace -n piraeus-datastore
-```
-
-Follow the instructions printed by Helm to create your storage cluster:
-
-```
-$ kubectl apply -f - <<EOF
-apiVersion: piraeus.io/v1
-kind: LinstorCluster
-metadata:
-  name: linstorcluster
-spec: {}
-EOF
-```
-
-Check out our [documentation](../../docs) for more information.
+storage system. Refer to the [how-to guide](https://piraeus.io/docs/stable/how-to/helm/).
--- a/packages/system/piraeus-operator/charts/piraeus/templates/NOTES.txt
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/NOTES.txt
@@ -14,7 +14,7 @@ Piraeus Operator installed.
 ` }}
 {{- end }}

-{{- if not (.Capabilities.APIVersions.Has "piraeus.io/v1/LinstorCluster") }}
+{{- if and (not (.Capabilities.APIVersions.Has "piraeus.io/v1/LinstorCluster")) (not .Values.installCRDs) }}
 It looks like the necessary CRDs for Piraeus Operator are still missing.

 To apply them via helm now use:
@@ -23,18 +23,12 @@ To apply them via helm now use:

 Alternatively, you can manage them manually:

-  kubectl apply --server-side -k "https://github.com/piraeusdatastore/piraeus-operator//config/crd?ref=v2"
+  kubectl apply --server-side -k "https://github.com/piraeusdatastore/piraeus-operator//config/crd?ref={{ .Chart.AppVersion }}"

 {{- end }}

-To get started with Piraeus, simply run:
+To get started with Piraeus Datastore deploy the "linstor-cluster" chart:

-$ kubectl apply -f - <<EOF
-apiVersion: piraeus.io/v1
-kind: LinstorCluster
-metadata:
-  name: linstorcluster
-spec: {}
-EOF
+$ helm upgrade --install --namespace {{ .Release.Namespace }} linstor-cluster oci://ghcr.io/piraeusdatastore/helm-charts/linstor-cluster

-For next steps, check out our documentation at https://github.com/piraeusdatastore/piraeus-operator/tree/v2/docs
+For next steps, check out our documentation at https://piraeus.io/docs/{{ .Chart.AppVersion }}
--- a/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml
@@ -23,20 +23,26 @@ data:
        tag: v1.32.3
        image: piraeus-server
      linstor-csi:
-        tag: v1.9.0
+        tag: v1.10.2
        image: piraeus-csi
+      nfs-server:
+        tag: v1.10.2
+        image: piraeus-csi-nfs-server
      drbd-reactor:
-        tag: v1.9.0
+        tag: v1.10.0
        image: drbd-reactor
      ha-controller:
-        tag: v1.3.0
+        tag: v1.3.1
        image: piraeus-ha-controller
      drbd-shutdown-guard:
-        tag: v1.0.0
+        tag: v1.1.1
        image: drbd-shutdown-guard
      ktls-utils:
        tag: v1.2.1
        image: ktls-utils
+      linstor-affinity-controller:
+        tag: v1.3.0
+        image: linstor-affinity-controller
      drbd-module-loader:
        tag: v9.2.15
        # The special "match" attribute is used to select an image based on the node's reported OS.
@@ -93,13 +99,13 @@ data:
        tag: v2.17.0
        image: livenessprobe
      csi-provisioner:
-        tag: v5.3.0
+        tag: v6.0.0
        image: csi-provisioner
      csi-snapshotter:
-        tag: v8.3.0
+        tag: v8.4.0
        image: csi-snapshotter
      csi-resizer:
-        tag: v1.14.0
+        tag: v2.0.0
        image: csi-resizer
      csi-external-health-monitor-controller:
        tag: v0.16.0
--- a/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml
@@ -15,7 +15,41 @@ spec:
    singular: linstorcluster
  scope: Cluster
  versions:
-  - name: v1
+  - additionalPrinterColumns:
+    - description: If the LINSTOR Cluster is available
+      jsonPath: .status.conditions[?(@.type=='Available')].status
+      name: Available
+      type: string
+    - description: If the LINSTOR Cluster is fully configured
+      jsonPath: .status.conditions[?(@.type=='Configured')].status
+      name: Configured
+      type: string
+    - description: The version of the LINSTOR Cluster
+      jsonPath: .status.version
+      name: Version
+      priority: 10
+      type: string
+    - description: The number of running/expected Satellites
+      jsonPath: .status.satellites
+      name: Satellites
+      type: string
+    - description: The used capacity in all storage pools
+      jsonPath: .status.capacity
+      name: Used Capacity
+      type: string
+    - description: The number of volumes in the cluster
+      jsonPath: .status.numberOfVolumes
+      name: Volumes
+      type: integer
+    - description: The number of snapshots in the cluster
+      jsonPath: .status.numberOfSnapshots
+      name: Snapshots
+      priority: 10
+      type: integer
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
    schema:
      openAPIV3Schema:
        description: LinstorCluster is the Schema for the linstorclusters API
@@ -40,6 +74,30 @@ spec:
          spec:
            description: LinstorClusterSpec defines the desired state of LinstorCluster
            properties:
+              affinityController:
+                description: AffinityController controls the deployment of the Affinity
+                  Controller Deployment.
+                properties:
+                  enabled:
+                    default: true
+                    description: Enable the component.
+                    type: boolean
+                  podTemplate:
+                    description: |-
+                      Template to apply to Pods of the component.
+
+                      The template is applied as a patch to the default deployment, so it can be "sparse", not listing any
+                      containers or volumes that should remain unchanged.
+                      See https://kubernetes.io/docs/concepts/workloads/pods/#pod-templates
+                    type: object
+                    x-kubernetes-map-type: atomic
+                    x-kubernetes-preserve-unknown-fields: true
+                  replicas:
+                    description: Number of desired pods. Defaults to 1.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                type: object
              apiTLS:
                description: |-
                  ApiTLS secures the LINSTOR API.
@@ -47,6 +105,11 @@ spec:
                  This configures the TLS key and certificate used to secure the LINSTOR API.
                nullable: true
                properties:
+                  affinityControllerSecretName:
+                    description: |-
+                      AffinityControllerSecretName references a secret holding the TLS key and certificate used by the Affinity
+                      Controller to monitor volume state. Defaults to "linstor-affinity-controller-tls".
+                    type: string
                  apiSecretName:
                    description: |-
                      ApiSecretName references a secret holding the TLS key and certificate used to protect the API.
@@ -114,6 +177,11 @@ spec:
                      CsiNodeSecretName references a secret holding the TLS key and certificate used by the CSI Nodes to query
                      the volume state. Defaults to "linstor-csi-node-tls".
                    type: string
+                  nfsServerSecretName:
+                    description: |-
+                      NFSServerSecretName references a secret holding the TLS key and certificate used by the NFS Server to query
+                      the cluster state. Defaults to "linstor-csi-nfs-server-tls".
+                    type: string
                type: object
              controller:
                description: Controller controls the deployment of the LINSTOR Controller
@@ -152,6 +220,11 @@ spec:
                    type: object
                    x-kubernetes-map-type: atomic
                    x-kubernetes-preserve-unknown-fields: true
+                  replicas:
+                    description: Number of desired pods. Defaults to 1.
+                    format: int32
+                    minimum: 0
+                    type: integer
                type: object
              csiNode:
                description: CSINode controls the deployment of the CSI Node DaemonSet.
@@ -272,6 +345,25 @@ spec:
                  * Store credentials for accessing remotes for backups.
                  See https://linbit.com/drbd-user-guide/linstor-guide-1_0-en/#s-encrypt_commands for more information.
                type: string
+              nfsServer:
+                description: NFSServer controls the deployment of the LINSTOR CSI
+                  NFS Server DaemonSet.
+                properties:
+                  enabled:
+                    default: true
+                    description: Enable the component.
+                    type: boolean
+                  podTemplate:
+                    description: |-
+                      Template to apply to Pods of the component.
+
+                      The template is applied as a patch to the default deployment, so it can be "sparse", not listing any
+                      containers or volumes that should remain unchanged.
+                      See https://kubernetes.io/docs/concepts/workloads/pods/#pod-templates
+                    type: object
+                    x-kubernetes-map-type: atomic
+                    x-kubernetes-preserve-unknown-fields: true
+                type: object
              nodeAffinity:
                description: |-
                  NodeAffinity selects the nodes on which LINSTOR Satellites will be deployed.
@@ -379,9 +471,16 @@ spec:
                    JSON patch and its targets.
                  properties:
                    options:
-                      additionalProperties:
-                        type: boolean
                      description: Options is a list of options for the patch
+                      properties:
+                        allowKindChange:
+                          description: AllowKindChange allows kind changes to the
+                            resource.
+                          type: boolean
+                        allowNameChange:
+                          description: AllowNameChange allows name changes to the
+                            resource.
+                          type: boolean
                      type: object
                    patch:
                      description: Patch is the content of a patch.
@@ -493,6 +592,15 @@ spec:
          status:
            description: LinstorClusterStatus defines the observed state of LinstorCluster
            properties:
+              availableCapacityBytes:
+                description: The number of bytes in total in all storage pools in
+                  the LINSTOR Cluster.
+                format: int64
+                type: integer
+              capacity:
+                description: Capacity mirrors the information from TotalCapacityBytes
+                  and FreeCapacityBytes in a human-readable string
+                type: string
              conditions:
                description: Current LINSTOR Cluster state
                items:
@@ -553,6 +661,35 @@ spec:
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
+              freeCapacityBytes:
+                description: The number of bytes free in all storage pools in the
+                  LINSTOR Cluster.
+                format: int64
+                type: integer
+              numberOfSnapshots:
+                description: The number of snapshots in the LINSTOR Cluster.
+                format: int32
+                type: integer
+              numberOfVolumes:
+                description: The number of volumes in the LINSTOR Cluster.
+                format: int32
+                type: integer
+              runningSatellites:
+                description: The number of LINSTOR Satellites currently running.
+                format: int32
+                type: integer
+              satellites:
+                description: Satellites mirrors the information from ScheduledSatellites
+                  and RunningSatellites in a human-readable string
+                type: string
+              scheduledSatellites:
+                description: The number of LINSTOR Satellites that are expected to
+                  run.
+                format: int32
+                type: integer
+              version:
+                description: The Version of the LINSTOR Cluster.
+                type: string
            type: object
        type: object
    served: true
@@ -575,7 +712,15 @@ spec:
    singular: linstornodeconnection
  scope: Cluster
  versions:
-  - name: v1
+  - additionalPrinterColumns:
+    - description: If the LINSTOR Node Connection is fully configured
+      jsonPath: .status.conditions[?(@.type=='Configured')].status
+      name: Configured
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
    schema:
      openAPIV3Schema:
        description: LinstorNodeConnection is the Schema for the linstornodeconnections
@@ -777,7 +922,28 @@ spec:
    singular: linstorsatelliteconfiguration
  scope: Cluster
  versions:
-  - name: v1
+  - additionalPrinterColumns:
+    - description: The node selector used
+      jsonPath: .spec.nodeSelector
+      name: Selector
+      type: string
+    - description: If the Configuration was applied
+      jsonPath: .status.conditions[?(@.type=='Applied')].status
+      name: Applied
+      type: string
+    - description: Number of Satellites this Configuration has been applied to
+      jsonPath: .status.matched
+      name: Matched
+      type: integer
+    - description: Satellites this Configuration has been applied to
+      jsonPath: .status.appliedTo
+      name: Satellites
+      priority: 10
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
    schema:
      openAPIV3Schema:
        description: LinstorSatelliteConfiguration is the Schema for the linstorsatelliteconfigurations
@@ -1013,9 +1179,16 @@ spec:
                    JSON patch and its targets.
                  properties:
                    options:
-                      additionalProperties:
-                        type: boolean
                      description: Options is a list of options for the patch
+                      properties:
+                        allowKindChange:
+                          description: AllowKindChange allows kind changes to the
+                            resource.
+                          type: boolean
+                        allowNameChange:
+                          description: AllowNameChange allows name changes to the
+                            resource.
+                          type: boolean
                      type: object
                    patch:
                      description: Patch is the content of a patch.
@@ -1274,6 +1447,12 @@ spec:
            description: LinstorSatelliteConfigurationStatus defines the observed
              state of LinstorSatelliteConfiguration
            properties:
+              appliedTo:
+                description: AppliedTo lists the LinstorSatellite resource this configuration
+                  was applied to
+                items:
+                  type: string
+                type: array
              conditions:
                description: Current LINSTOR Satellite Config state
                items:
@@ -1334,6 +1513,10 @@ spec:
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
+              matched:
+                description: Number of configured LinstorSatellite resource.
+                format: int64
+                type: integer
            type: object
        type: object
    served: true
@@ -1356,7 +1539,51 @@ spec:
    singular: linstorsatellite
  scope: Cluster
  versions:
-  - name: v1
+  - additionalPrinterColumns:
+    - description: If the LINSTOR Satellite is connected
+      jsonPath: .status.conditions[?(@.type=='Available')].status
+      name: Connected
+      type: string
+    - description: If the LINSTOR Satellite is fully configured
+      jsonPath: .status.conditions[?(@.type=='Configured')].status
+      name: Configured
+      type: string
+    - description: The Satellite Configurations applied to this Satellite
+      jsonPath: .metadata.annotations.piraeus\.io/applied-configurations
+      name: Applied Configurations
+      priority: 10
+      type: string
+    - description: The deletion policy of the Satellite
+      jsonPath: .spec.deletionPolicy
+      name: Deletion Policy
+      type: string
+    - description: The used capacity on the node
+      jsonPath: .status.capacity
+      name: Used Capacity
+      type: string
+    - description: The number of volumes on the node
+      jsonPath: .status.numberOfVolumes
+      name: Volumes
+      type: integer
+    - description: The number of snapshots on the node
+      jsonPath: .status.numberOfSnapshots
+      name: Snapshots
+      priority: 10
+      type: integer
+    - description: The storage providers supported by the node
+      jsonPath: .status.storageProviders
+      name: Storage Providers
+      priority: 10
+      type: string
+    - description: The device layers supported by the node
+      jsonPath: .status.deviceLayers
+      name: Device Layers
+      priority: 10
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
    schema:
      openAPIV3Schema:
        description: LinstorSatellite is the Schema for the linstorsatellites API
@@ -1546,9 +1773,16 @@ spec:
                    JSON patch and its targets.
                  properties:
                    options:
-                      additionalProperties:
-                        type: boolean
                      description: Options is a list of options for the patch
+                      properties:
+                        allowKindChange:
+                          description: AllowKindChange allows kind changes to the
+                            resource.
+                          type: boolean
+                        allowNameChange:
+                          description: AllowNameChange allows name changes to the
+                            resource.
+                          type: boolean
                      type: object
                    patch:
                      description: Patch is the content of a patch.
@@ -1801,6 +2035,15 @@ spec:
          status:
            description: LinstorSatelliteStatus defines the observed state of LinstorSatellite
            properties:
+              availableCapacityBytes:
+                description: The number of bytes in total in all storage pools on
+                  this Satellite.
+                format: int64
+                type: integer
+              capacity:
+                description: Capacity mirrors the information from TotalCapacityBytes
+                  and FreeCapacityBytes in a human-readable string.
+                type: string
              conditions:
                description: Current LINSTOR Satellite state
                items:
@@ -1861,6 +2104,31 @@ spec:
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
+              deviceLayers:
+                description: DeviceLayers lists the device layers (LUKS, CACHE, etc...)
+                  this Satellite supports.
+                items:
+                  type: string
+                type: array
+              freeCapacityBytes:
+                description: The number of bytes free in all storage pools on this
+                  Satellite.
+                format: int64
+                type: integer
+              numberOfSnapshots:
+                description: The number of snapshots on this Satellite.
+                format: int32
+                type: integer
+              numberOfVolumes:
+                description: The number of volumes on this Satellite.
+                format: int32
+                type: integer
+              storageProviders:
+                description: StorageProviders lists the storage providers (LVM, ZFS,
+                  etc...) this Satellite supports.
+                items:
+                  type: string
+                type: array
            type: object
        type: object
    served: true
--- a/packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml
@@ -13,9 +13,15 @@ spec:
  template:
    metadata:
      labels:
-      {{- include "piraeus-operator.selectorLabels" . | nindent 8 }}
+        {{- include "piraeus-operator.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
      annotations:
        kubectl.kubernetes.io/default-container: manager
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
    spec:
      containers:
      - args:
@@ -90,6 +96,9 @@ spec:
      {{- end }}
      securityContext:
        runAsNonRoot: true
+        {{- with .Values.podSecurityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
      serviceAccountName: {{ include "piraeus-operator.serviceAccountName" . }}
      terminationGracePeriodSeconds: 10
      priorityClassName: {{ .Values.priorityClassName | default "system-cluster-critical" }}
--- a/packages/system/piraeus-operator/charts/piraeus/templates/rbac.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/rbac.yaml
@@ -30,8 +30,18 @@ rules:
    - ""
  resources:
    - nodes
+  verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - ""
+  resources:
    - persistentvolumeclaims
  verbs:
+    - delete
    - get
    - list
    - patch
@@ -92,6 +102,21 @@ rules:
    - patch
    - update
    - watch
+- apiGroups:
+    - cluster.x-k8s.io
+  resources:
+    - machines
+  verbs:
+    - get
+    - update
+- apiGroups:
+    - discovery.k8s.io
+  resources:
+    - endpointslices
+    - endpointslices/restricted
+  verbs:
+    - create
+    - delete
 - apiGroups:
    - events.k8s.io
  resources:
@@ -103,6 +128,32 @@ rules:
    - patch
    - update
    - watch
+- apiGroups:
+    - groupsnapshot.storage.k8s.io
+  resources:
+    - volumegroupsnapshotclasses
+    - volumesnapshots
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - groupsnapshot.storage.k8s.io
+  resources:
+    - volumegroupsnapshotcontents
+  verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - groupsnapshot.storage.k8s.io
+  resources:
+    - volumegroupsnapshotcontents/status
+  verbs:
+    - patch
+    - update
 - apiGroups:
    - internal.linstor.linbit.com
  resources:
@@ -194,7 +245,6 @@ rules:
  resources:
    - volumesnapshotcontents
  verbs:
-    - delete
    - get
    - list
    - patch
--- a/packages/system/piraeus-operator/charts/piraeus/values.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/values.yaml
@@ -1,3 +1,4 @@
+---
 replicaCount: 1

 installCRDs: false
@@ -18,6 +19,7 @@ operator:

  options:
    leaderElect: true
+    #clusterApiKubeconfig: "" # set to "<none>" to disable ClusterAPI integration

  resources: { }
    # limits:
@@ -80,6 +82,7 @@ rbac:
  create: true

 podAnnotations: { }
+podLabels: {}

 podSecurityContext: {}
  # fsGroup: 2000
--- a/packages/system/seaweedfs/Makefile
+++ b/packages/system/seaweedfs/Makefile
@@ -12,6 +12,7 @@ update:
 	sed -i.bak "/ARG VERSION/ s|=.*|=$${version}|g" images/seaweedfs/Dockerfile && \
 	rm -f images/seaweedfs/Dockerfile.bak
 	patch --no-backup-if-mismatch -p4 < patches/resize-api-server-annotation.diff
+	patch --no-backup-if-mismatch -p4 < patches/long-term-ca.diff
 	#patch --no-backup-if-mismatch -p4 < patches/retention-policy-delete.yaml

 image:
--- a/packages/system/seaweedfs/charts/seaweedfs/templates/cert/ca-cert.yaml
+++ b/packages/system/seaweedfs/charts/seaweedfs/templates/cert/ca-cert.yaml
@@ -13,6 +13,8 @@ spec:
  secretName: {{ template "seaweedfs.name" . }}-ca-cert
  commonName: "{{ template "seaweedfs.name" . }}-root-ca"
  isCA: true
+  duration: 87600h
+  renewBefore: 720h
  issuerRef:
    name: {{ template "seaweedfs.name" . }}-issuer
    kind: Issuer
--- a/packages/system/seaweedfs/patches/long-term-ca.diff
+++ b/packages/system/seaweedfs/patches/long-term-ca.diff
@@ -0,0 +1,13 @@
+diff --git a/packages/system/seaweedfs/charts/seaweedfs/templates/cert/ca-cert.yaml b/packages/system/seaweedfs/charts/seaweedfs/templates/cert/ca-cert.yaml
+index 0fd6615e..f2572558 100644
+--- a/packages/system/seaweedfs/charts/seaweedfs/templates/cert/ca-cert.yaml
+++ b/packages/system/seaweedfs/charts/seaweedfs/templates/cert/ca-cert.yaml
+@@ -13,6 +13,8 @@ spec:
+   secretName: {{ template "seaweedfs.name" . }}-ca-cert
+   commonName: "{{ template "seaweedfs.name" . }}-root-ca"
+   isCA: true
+  duration: 87600h
+  renewBefore: 720h
+   issuerRef:
+     name: {{ template "seaweedfs.name" . }}-issuer
+     kind: Issuer
--- a/packages/system/seaweedfs/values.yaml
+++ b/packages/system/seaweedfs/values.yaml
@@ -124,7 +124,7 @@ seaweedfs:
    bucketClassName: "seaweedfs"
    region: ""
    sidecar:
-      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:latest@sha256:f4ec2b5ec8183870e710b32fa11b3af5d97fa664572df5edcff4b593b00f9a7b"
+      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.38.1@sha256:7b21cea262f379db350fd30003266875241737777f43e3044e4e2c98e5cab31a"
  certificates:
    commonName: "SeaweedFS CA"
    ipAddresses: []
--- a/packages/tests/cozy-lib-tests/.helmignore
+++ b/packages/tests/cozy-lib-tests/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/packages/tests/cozy-lib-tests/Chart.yaml
+++ b/packages/tests/cozy-lib-tests/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: quota
+description: Testing chart for cozy-lib
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
--- a/packages/tests/cozy-lib-tests/Makefile
+++ b/packages/tests/cozy-lib-tests/Makefile
@@ -0,0 +1,2 @@
+test:
+	helm unittest .
--- a/packages/tests/cozy-lib-tests/charts/cozy-lib
+++ b/packages/tests/cozy-lib-tests/charts/cozy-lib
@@ -0,0 +1 @@
+../../../library/cozy-lib
--- a/packages/tests/cozy-lib-tests/templates/tests/quota.yaml
+++ b/packages/tests/cozy-lib-tests/templates/tests/quota.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ .Release.Name }}
+spec:
+{{- with .Values.quota }}
+  hard: {{- include "cozy-lib.resources.flatten" (list . $) | nindent 4 }}
+{{- end }}
--- a/packages/tests/cozy-lib-tests/tests/quota_test.yaml
+++ b/packages/tests/cozy-lib-tests/tests/quota_test.yaml
@@ -0,0 +1,50 @@
+# ./tests/quota_test.yaml
+suite: quota helper
+
+templates:
+  - templates/tests/quota.yaml
+
+tests:
+  - it: correctly interprets special kubernetes quota types
+    values:
+      - quota_values.yaml
+
+    release:
+      name: myrelease
+      namespace: default
+      revision: 1
+      isUpgrade: false
+
+    asserts:
+      - equal:
+          path: spec.hard["limits.cpu"]
+          value: "20"
+
+      - equal:
+          path: spec.hard["requests.cpu"]
+          value: "2"
+
+      - equal:
+          path: spec.hard["limits.foobar"]
+          value: "3"
+
+      - equal:
+          path: spec.hard["requests.foobar"]
+          value: "3"
+
+      - equal:
+          path: spec.hard["services.loadbalancers"]
+          value: "2"
+
+      - equal:
+          path: spec.hard["requests.storage"]
+          value: "5Gi"
+
+      - notExists:
+          path: spec.hard["limits.storage"]
+
+      - notExists:
+          path: spec.hard["limits.services.loadbalancers"]
+
+      - notExists:
+          path: spec.hard["requests.services.loadbalancers"]
--- a/packages/tests/cozy-lib-tests/tests/quota_values.yaml
+++ b/packages/tests/cozy-lib-tests/tests/quota_values.yaml
@@ -0,0 +1,5 @@
+quota:
+  services.loadbalancers: "2"
+  cpu: "20"
+  storage: "5Gi"
+  foobar: "3"
--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -30,14 +30,16 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"

 	"github.com/cozystack/cozystack/pkg/apis/apps"
 	appsinstall "github.com/cozystack/cozystack/pkg/apis/apps/install"
-	coreinstall "github.com/cozystack/cozystack/pkg/apis/apps/install"
 	"github.com/cozystack/cozystack/pkg/apis/core"
+	coreinstall "github.com/cozystack/cozystack/pkg/apis/core/install"
 	"github.com/cozystack/cozystack/pkg/config"
 	cozyregistry "github.com/cozystack/cozystack/pkg/registry"
 	applicationstorage "github.com/cozystack/cozystack/pkg/registry/apps/application"
@@ -48,7 +50,8 @@ import (

 var (
 	// Scheme defines methods for serializing and deserializing API objects.
-	Scheme = runtime.NewScheme()
+	Scheme    = runtime.NewScheme()
+	mgrScheme = runtime.NewScheme()
 	// Codecs provides methods for retrieving codecs and serializers for specific
 	// versions and content types.
 	Codecs            = serializer.NewCodecFactory(Scheme)
@@ -57,18 +60,23 @@ var (
 )

 func init() {
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&zap.Options{
+		Development: true,
+		// any other zap.Options tweaks
+	})))
+	klog.SetLogger(ctrl.Log.WithName("klog"))
 	appsinstall.Install(Scheme)
 	coreinstall.Install(Scheme)

 	// Register HelmRelease types.
-	if err := helmv2.AddToScheme(Scheme); err != nil {
+	if err := helmv2.AddToScheme(mgrScheme); err != nil {
 		panic(fmt.Errorf("Failed to add HelmRelease types to scheme: %w", err))
 	}

-	if err := corev1.AddToScheme(Scheme); err != nil {
+	if err := corev1.AddToScheme(mgrScheme); err != nil {
 		panic(fmt.Errorf("Failed to add core types to scheme: %w", err))
 	}
-	if err := rbacv1.AddToScheme(Scheme); err != nil {
+	if err := rbacv1.AddToScheme(mgrScheme); err != nil {
 		panic(fmt.Errorf("Failed to add RBAC types to scheme: %w", err))
 	}
 	// Add unversioned types.
@@ -134,7 +142,7 @@ func (c completedConfig) New() (*CozyServer, error) {
 	}

 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
-		Scheme: Scheme,
+		Scheme: mgrScheme,
 		Cache:  cache.Options{SyncPeriod: &syncPeriod},
 	})
 	if err != nil {
@@ -164,7 +172,7 @@ func (c completedConfig) New() (*CozyServer, error) {
 	}

 	cli := mgr.GetClient()
-	watchCli, err := client.NewWithWatch(cfg, client.Options{Scheme: Scheme})
+	watchCli, err := client.NewWithWatch(cfg, client.Options{Scheme: mgrScheme})
 	if err != nil {
 		return nil, fmt.Errorf("failed to build watch client: %w", err)
 	}
--- a/pkg/cmd/server/start.go
+++ b/pkg/cmd/server/start.go
@@ -42,11 +42,11 @@ import (
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	utilversionpkg "k8s.io/apiserver/pkg/util/version"
-	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/component-base/featuregate"
 	baseversion "k8s.io/component-base/version"
 	netutils "k8s.io/utils/net"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	k8sconfig "sigs.k8s.io/controller-runtime/pkg/client/config"
 )

 // CozyServerOptions holds the state for the Cozy API server
@@ -150,7 +150,7 @@ func (o *CozyServerOptions) Complete() error {
 		return fmt.Errorf("failed to register types: %w", err)
 	}

-	cfg, err := clientcmd.BuildConfigFromFlags("", "")
+	cfg, err := k8sconfig.GetConfig()
 	if err != nil {
 		return fmt.Errorf("failed to get kubeconfig: %w", err)
 	}
--- a/pkg/registry/apps/application/rest.go
+++ b/pkg/registry/apps/application/rest.go
@@ -142,9 +142,17 @@ func (r *REST) GetSingularName() string {
 // Create handles the creation of a new Application by converting it to a HelmRelease
 func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
 	// Assert the object is of type Application
-	app, ok := obj.(*appsv1alpha1.Application)
+	us, ok := obj.(*unstructured.Unstructured)
 	if !ok {
-		return nil, fmt.Errorf("expected Application object, got %T", obj)
+		return nil, fmt.Errorf("expected unstructured.Unstructured object, got %T", obj)
+	}
+
+	app := &appsv1alpha1.Application{}
+
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(us.Object, app); err != nil {
+		errMsg := fmt.Sprintf("returned unstructured.Unstructured object was not an Application")
+		klog.Errorf(errMsg)
+		return nil, fmt.Errorf(errMsg)
 	}

 	// Convert Application to HelmRelease
@@ -389,11 +397,9 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 	}

 	// Explicitly set apiVersion and kind in unstructured object
-	appList := &unstructured.UnstructuredList{}
-	appList.SetAPIVersion("apps.cozystack.io/v1alpha1")
-	appList.SetKind(r.kindName + "List")
+	appList := r.NewList().(*unstructured.Unstructured)
 	appList.SetResourceVersion(hrList.GetResourceVersion())
-	appList.Items = items
+	appList.Object["items"] = items

 	klog.V(6).Infof("Successfully listed %d Application resources in namespace %s", len(items), namespace)
 	return appList, nil
@@ -441,9 +447,16 @@ func (r *REST) Update(ctx context.Context, name string, objInfo rest.UpdatedObje
 	}

 	// Assert the new object is of type Application
-	app, ok := newObj.(*appsv1alpha1.Application)
+	us, ok := newObj.(*unstructured.Unstructured)
 	if !ok {
-		errMsg := fmt.Sprintf("expected Application object, got %T", newObj)
+		errMsg := fmt.Sprintf("expected unstructured.Unstructured object, got %T", newObj)
+		klog.Errorf(errMsg)
+		return nil, false, fmt.Errorf(errMsg)
+	}
+	app := &appsv1alpha1.Application{}
+
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(us.Object, app); err != nil {
+		errMsg := fmt.Sprintf("returned unstructured.Unstructured object was not an Application")
 		klog.Errorf(errMsg)
 		return nil, false, fmt.Errorf(errMsg)
 	}
@@ -516,14 +529,12 @@ func (r *REST) Update(ctx context.Context, name string, objInfo rest.UpdatedObje
 		klog.Errorf("Failed to convert Application to unstructured for resource %s: %v", convertedApp.GetName(), err)
 		return nil, false, fmt.Errorf("failed to convert Application to unstructured: %v", err)
 	}
-
-	// Explicitly set apiVersion and kind in unstructured object
-	unstructuredApp["apiVersion"] = "apps.cozystack.io/v1alpha1"
-	unstructuredApp["kind"] = r.kindName
+	obj := &unstructured.Unstructured{Object: unstructuredApp}
+	obj.SetGroupVersionKind(r.gvk)

 	klog.V(6).Infof("Returning patched Application object: %+v", unstructuredApp)

-	return &unstructured.Unstructured{Object: unstructuredApp}, false, nil
+	return obj, false, nil
 }

 // Delete removes an Application by deleting the corresponding HelmRelease
@@ -723,11 +734,13 @@ func (r *REST) Watch(ctx context.Context, options *metainternalversion.ListOptio
 					klog.Errorf("Failed to convert Application to unstructured: %v", err)
 					continue
 				}
+				obj := &unstructured.Unstructured{Object: unstructuredApp}
+				obj.SetGroupVersionKind(r.gvk)

 				// Create watch event with Application object
 				appEvent := watch.Event{
 					Type:   event.Type,
-					Object: &unstructured.Unstructured{Object: unstructuredApp},
+					Object: obj,
 				}

 				// Send event to custom watcher
@@ -1060,6 +1073,34 @@ func (r *REST) ConvertToTable(ctx context.Context, object runtime.Object, tableO
 		table = r.buildTableFromApplications(apps)
 		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
 	case *unstructured.Unstructured:
+		var apps []appsv1alpha1.Application
+		for {
+			var items interface{}
+			var ok bool
+			var objects []unstructured.Unstructured
+			if items, ok = obj.Object["items"]; !ok {
+				break
+			}
+			if objects, ok = items.([]unstructured.Unstructured); !ok {
+				break
+			}
+			apps = make([]appsv1alpha1.Application, 0, len(objects))
+			var a appsv1alpha1.Application
+			for i := range objects {
+				err := runtime.DefaultUnstructuredConverter.FromUnstructured(objects[i].Object, &a)
+				if err != nil {
+					klog.Errorf("Failed to convert Unstructured to Application: %v", err)
+					continue
+				}
+				apps = append(apps, a)
+			}
+			break
+		}
+		if apps != nil {
+			table = r.buildTableFromApplications(apps)
+			table.ListMeta.ResourceVersion = obj.GetResourceVersion()
+			break
+		}
 		var app appsv1alpha1.Application
 		err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &app)
 		if err != nil {
@@ -1196,12 +1237,17 @@ func (r *REST) Destroy() {

 // New creates a new instance of Application
 func (r *REST) New() runtime.Object {
-	return &appsv1alpha1.Application{}
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(r.gvk)
+	return obj
 }

 // NewList returns an empty list of Application objects
 func (r *REST) NewList() runtime.Object {
-	return &appsv1alpha1.ApplicationList{}
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(r.gvk.GroupVersion().WithKind(r.kindName + "List"))
+	obj.Object["items"] = make([]interface{}, 0)
+	return obj
 }

 // Kind returns the resource kind used for API discovery
--- a/scripts/migrations/20
+++ b/scripts/migrations/20
@@ -25,10 +25,24 @@ sleep 5
 cozypkg -n cozy-system -C packages/system/cozystack-resource-definition-crd apply cozystack-resource-definition-crd --plain
 cozypkg -n cozy-system -C packages/system/cozystack-resource-definitions apply cozystack-resource-definitions --plain
 cozypkg -n cozy-system -C packages/system/cozystack-api apply cozystack-api --plain
+if kubectl get ds cozystack-api -n cozy-system >/dev/null 2>&1; then
+  echo "Waiting for cozystack-api daemonset"
+  kubectl rollout status ds/cozystack-api -n cozy-system --timeout=5m || exit 1
+else
+  echo "Waiting for cozystack-api deployment"
+  kubectl rollout status deploy/cozystack-api -n cozy-system --timeout=5m || exit 1
+fi
+
 helm upgrade --install -n cozy-system cozystack-controller ./packages/system/cozystack-controller/ --take-ownership
+echo "Waiting for cozystack-controller"
+kubectl rollout status deploy/cozystack-controller -n cozy-system --timeout=5m || exit 1
+
 helm upgrade --install -n cozy-system lineage-controller-webhook ./packages/system/lineage-controller-webhook/ --take-ownership
+echo "Waiting for lineage-webhook"
+kubectl rollout status ds/lineage-controller-webhook -n cozy-system --timeout=5m || exit 1

 sleep 5
+echo "Running lineage-webhook test"
 kubectl delete ns cozy-lineage-webhook-test --ignore-not-found && kubectl create ns cozy-lineage-webhook-test
 cleanup_test_ns() {
  kubectl delete ns cozy-lineage-webhook-test --ignore-not-found
@@ -37,9 +51,6 @@ trap cleanup_test_ns ERR
 timeout 60 sh -c 'until kubectl -n cozy-lineage-webhook-test create service clusterip lineage-webhook-test --clusterip="None" --dry-run=server; do sleep 1; done'
 cleanup_test_ns

-kubectl wait deployment/cozystack-api -n cozy-system --timeout=4m --for=condition=available || exit 1
-kubectl wait deployment/cozystack-controller -n cozy-system --timeout=4m --for=condition=available || exit 1
-
 timestamp=$(date --rfc-3339=ns || date)
 kubectl get namespace -o custom-columns=NAME:.metadata.name --no-headers |
  grep '^tenant-' |
@@ -50,6 +61,7 @@ kubectl get namespace -o custom-columns=NAME:.metadata.name --no-headers |
      -n "$namespace" --all \
      migration.cozystack.io="$timestamp" --overwrite || true)
  done
+
 # Stamp version
 kubectl create configmap -n cozy-system cozystack-version \
  --from-literal=version=21 --dry-run=client -o yaml | kubectl apply -f-