[docs] Added actual go types

Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
[docs] Changed update website docs job to push model
2026-03-14 10:58:57 +00:00 · 2026-03-13 20:06:24 +05:00 · 2026-03-13 19:38:58 +05:00 · 2026-03-13 18:28:36 +05:00 · 2026-03-11 18:14:38 +01:00 · 2026-03-11 21:58:55 +05:00
708 changed files with 88984 additions and 78376 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1 @@
-* @kvaps @lllamnyp @lexfrei @androndo @IvanHunters
+* @kvaps @lllamnyp @lexfrei @androndo @IvanHunters @sircthulhu
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -6,8 +6,6 @@ env:
 on:
  pull_request:
    types: [opened, synchronize, reopened]
-    paths-ignore:
-      - 'docs/**/*'

 # Cancel in‑flight runs for the same PR when a new push arrives.
 concurrency:
@@ -15,6 +13,19 @@ concurrency:
  cancel-in-progress: true

 jobs:
+  detect-changes:
+    name: Detect changes
+    runs-on: ubuntu-latest
+    outputs:
+      code: ${{ steps.filter.outputs.code }}
+    steps:
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            code:
+              - '!docs/**'
+
  build:
    name: Build
    runs-on: [self-hosted]
@@ -22,9 +33,11 @@ jobs:
      contents: read
      packages: write

-    # Never run when the PR carries the "release" label.
+    needs: ["detect-changes"]
+    # Never run when the PR carries the "release" label or only docs changed.
    if: |
-      !contains(github.event.pull_request.labels.*.name, 'release')
+      needs.detect-changes.outputs.code == 'true'
+      && !contains(github.event.pull_request.labels.*.name, 'release')

    steps:
      - name: Checkout code
@@ -71,18 +84,6 @@ jobs:
          name: pr-patch
          path: _out/assets/pr.patch
     
-      - name: Upload CRDs
-        uses: actions/upload-artifact@v4
-        with:
-          name: cozystack-crds
-          path: _out/assets/cozystack-crds.yaml
-
-      - name: Upload operator
-        uses: actions/upload-artifact@v4
-        with:
-          name: cozystack-operator
-          path: _out/assets/cozystack-operator-talos.yaml
-
      - name: Upload Talos image
        uses: actions/upload-artifact@v4
        with:
@@ -94,8 +95,6 @@ jobs:
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'release')
    outputs:
-      crds_id:      ${{ steps.fetch_assets.outputs.crds_id }}
-      operator_id:  ${{ steps.fetch_assets.outputs.operator_id }}
      disk_id:      ${{ steps.fetch_assets.outputs.disk_id }}

    steps:
@@ -139,15 +138,11 @@ jobs:
              return;
            }
            const find = (n) => draft.assets.find(a => a.name === n)?.id;
-            const crdsId     = find('cozystack-crds.yaml');
-            const operatorId = find('cozystack-operator-talos.yaml');
            const diskId     = find('nocloud-amd64.raw.xz');
-            if (!crdsId || !operatorId || !diskId) {
+            if (!diskId) {
              core.setFailed('Required assets missing in draft release');
              return;
            }
-            core.setOutput('crds_id',     crdsId);
-            core.setOutput('operator_id', operatorId);
            core.setOutput('disk_id',     diskId);


@@ -174,20 +169,6 @@ jobs:
          name: talos-image
          path: _out/assets

-      - name: "Download CRDs (regular PR)"
-        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
-        uses: actions/download-artifact@v4
-        with:
-          name: cozystack-crds
-          path: _out/assets
-
-      - name: "Download operator (regular PR)"
-        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
-        uses: actions/download-artifact@v4
-        with:
-          name: cozystack-operator
-          path: _out/assets
-
      - name: Download PR patch
        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
        uses: actions/download-artifact@v4
@@ -208,12 +189,6 @@ jobs:
          curl -sSL -H "Authorization: token ${GH_PAT}" -H "Accept: application/octet-stream" \
            -o _out/assets/nocloud-amd64.raw.xz \
            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ needs.resolve_assets.outputs.disk_id }}"
-          curl -sSL -H "Authorization: token ${GH_PAT}" -H "Accept: application/octet-stream" \
-            -o _out/assets/cozystack-crds.yaml \
-            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ needs.resolve_assets.outputs.crds_id }}"
-          curl -sSL -H "Authorization: token ${GH_PAT}" -H "Accept: application/octet-stream" \
-            -o _out/assets/cozystack-operator-talos.yaml \
-            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ needs.resolve_assets.outputs.operator_id }}"
        env:
          GH_PAT: ${{ secrets.GH_PAT }}

--- a/.github/workflows/tags.yaml
+++ b/.github/workflows/tags.yaml
@@ -123,6 +123,20 @@ jobs:
          git commit -m "Prepare release ${GITHUB_REF#refs/tags/}" -s || echo "No changes to commit"
          git push origin HEAD || true

+      # Tag the api/apps/v1alpha1 submodule for pkg.go.dev
+      - name: Tag API submodule
+        if: steps.check_release.outputs.skip == 'false'
+        env:
+          GH_PAT: ${{ secrets.GH_PAT }}
+        run: |
+          VTAG="${{ steps.tag.outputs.tag }}"
+          SUBTAG="api/apps/v1alpha1/${VTAG}"
+          git config user.name  "cozystack-bot"
+          git config user.email "217169706+cozystack-bot@users.noreply.github.com"
+          git remote set-url origin https://cozystack-bot:${GH_PAT}@github.com/${GITHUB_REPOSITORY}
+          git tag "${SUBTAG}" "${VTAG}^{}" 2>/dev/null || git tag "${SUBTAG}" HEAD
+          git push origin "${SUBTAG}" || true
+
      # Create or reuse draft release
      - name: Create / reuse draft release
        if: steps.check_release.outputs.skip == 'false'
@@ -370,3 +384,74 @@ jobs:
              
              console.log(`Created PR #${pr.data.number} for changelog`);
            }
+
+  update-website-docs:
+    name: Update Website Docs
+    runs-on: [self-hosted]
+    needs: [generate-changelog]
+    if: needs.generate-changelog.result == 'success'
+    permissions:
+      contents: read
+    steps:
+      - name: Parse tag
+        id: tag
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const ref = context.ref.replace('refs/tags/', '');
+            const m = ref.match(/^v(\d+\.\d+\.\d+)(-(?:alpha|beta|rc)\.\d+)?$/);
+            if (!m) {
+              core.setFailed(`❌ tag '${ref}' must match 'vX.Y.Z' or 'vX.Y.Z-(alpha|beta|rc).N'`);
+              return;
+            }
+            const version = m[1] + (m[2] ?? '');
+            core.setOutput('tag',     ref);      // v0.22.0
+            core.setOutput('version', version);  // 0.22.0
+
+      - name: Checkout website repo
+        uses: actions/checkout@v4
+        with:
+          repository: cozystack/website
+          token: ${{ secrets.GH_PAT }}
+          ref: main
+
+      - name: Update docs from release branch
+        env:
+          GH_TOKEN: ${{ secrets.GH_PAT }}
+        run: make update-all BRANCH=release-${{ steps.tag.outputs.version }} RELEASE_TAG=${{ steps.tag.outputs.tag }}
+
+      - name: Commit and push
+        id: commit
+        run: |
+          git config user.name  "cozystack-bot"
+          git config user.email "217169706+cozystack-bot@users.noreply.github.com"
+          git add content
+          if git diff --cached --quiet; then
+            echo "No changes to commit"
+            echo "changed=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+          BRANCH="update-docs-v${{ steps.tag.outputs.version }}"
+          git branch -D "$BRANCH" 2>/dev/null || true
+          git checkout -b "$BRANCH"
+          git commit --signoff -m "[docs] Update managed apps reference for v${{ steps.tag.outputs.version }}"
+          git push --force --set-upstream origin "$BRANCH"
+          echo "changed=true" >> $GITHUB_OUTPUT
+
+      - name: Open pull request
+        if: steps.commit.outputs.changed == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GH_PAT }}
+        run: |
+          BRANCH="update-docs-v${{ steps.tag.outputs.version }}"
+          pr_state=$(gh pr view "$BRANCH" --repo cozystack/website --json state --jq .state 2>/dev/null || echo "")
+          if [[ "$pr_state" == "OPEN" ]]; then
+            echo "PR already open, skipping creation."
+          else
+            gh pr create \
+              --repo cozystack/website \
+              --title "[docs] Update managed apps reference for v${{ steps.tag.outputs.version }}" \
+              --body "Automated docs update for release \`v${{ steps.tag.outputs.version }}\`." \
+              --head "update-docs-v${{ steps.tag.outputs.version }}" \
+              --base main
+          fi
--- a/20
+++ b/20
@@ -38,31 +38,31 @@ build: build-deps

 manifests:
 	mkdir -p _out/assets
-	helm template installer packages/core/installer -n cozy-system \
-		-s templates/crds.yaml \
-		> _out/assets/cozystack-crds.yaml
+	cat internal/crdinstall/manifests/*.yaml > _out/assets/cozystack-crds.yaml
 	# Talos variant (default)
 	helm template installer packages/core/installer -n cozy-system \
-		-s templates/cozystack-operator.yaml \
-		-s templates/packagesource.yaml \
+		--show-only templates/cozystack-operator.yaml \
 		> _out/assets/cozystack-operator-talos.yaml
 	# Generic Kubernetes variant (k3s, kubeadm, RKE2)
 	helm template installer packages/core/installer -n cozy-system \
-		-s templates/cozystack-operator.yaml \
-		-s templates/packagesource.yaml \
 		--set cozystackOperator.variant=generic \
+		--set cozystack.apiServerHost=REPLACE_ME \
+		--show-only templates/cozystack-operator.yaml \
 		> _out/assets/cozystack-operator-generic.yaml
 	# Hosted variant (managed Kubernetes)
 	helm template installer packages/core/installer -n cozy-system \
-		-s templates/cozystack-operator.yaml \
-		-s templates/packagesource.yaml \
 		--set cozystackOperator.variant=hosted \
+		--show-only templates/cozystack-operator.yaml \
 		> _out/assets/cozystack-operator-hosted.yaml

 cozypkg:
 	go build -ldflags "-X github.com/cozystack/cozystack/cmd/cozypkg/cmd.Version=v$(COZYSTACK_VERSION)" -o _out/bin/cozypkg ./cmd/cozypkg

-assets: assets-talos assets-cozypkg
+assets: assets-talos assets-cozypkg openapi-json
+
+openapi-json:
+	mkdir -p _out/assets
+	VERSION=$(shell git describe --tags --always 2>/dev/null || echo dev) go run ./tools/openapi-gen/ > _out/assets/openapi.json

 assets-talos:
 	make -C packages/core/talos assets
--- a/api/apps/v1alpha1/bucket/types.go
+++ b/api/apps/v1alpha1/bucket/types.go
@@ -0,0 +1,35 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package bucket
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Provisions bucket from the `-lock` BucketClass (with object lock enabled).
+	// +kubebuilder:default:=false
+	Locking bool `json:"locking"`
+	// Selects a specific BucketClass by storage pool name.
+	// +kubebuilder:default:=""
+	StoragePool string `json:"storagePool,omitempty"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+}
+
+type User struct {
+	// Whether the user has read-only access.
+	Readonly bool `json:"readonly,omitempty"`
+}
--- a/api/apps/v1alpha1/clickhouse/types.go
+++ b/api/apps/v1alpha1/clickhouse/types.go
@@ -0,0 +1,114 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package clickhouse
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Backup configuration.
+	// +kubebuilder:default:={}
+	Backup Backup `json:"backup"`
+	// ClickHouse Keeper configuration.
+	// +kubebuilder:default:={}
+	ClickhouseKeeper ClickHouseKeeper `json:"clickhouseKeeper"`
+	// Size of Persistent Volume for logs.
+	// +kubebuilder:default:="2Gi"
+	LogStorageSize resource.Quantity `json:"logStorageSize"`
+	// TTL (expiration time) for `query_log` and `query_thread_log`.
+	// +kubebuilder:default:=15
+	LogTTL int `json:"logTTL"`
+	// Number of ClickHouse replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each ClickHouse replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Number of ClickHouse shards.
+	// +kubebuilder:default:=1
+	Shards int `json:"shards"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+}
+
+type ClickHouseKeeper struct {
+	// Deploy ClickHouse Keeper for cluster coordination.
+	// +kubebuilder:default:=true
+	Enabled bool `json:"enabled,omitempty"`
+	// Number of Keeper replicas.
+	// +kubebuilder:default:=3
+	Replicas int `json:"replicas,omitempty"`
+	// Default sizing preset.
+	// +kubebuilder:default:="micro"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset,omitempty"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="1Gi"
+	Size resource.Quantity `json:"size,omitempty"`
+}
+
+type User struct {
+	// Password for the user.
+	Password string `json:"password,omitempty"`
+	// User is readonly (default: false).
+	Readonly bool `json:"readonly,omitempty"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Backup struct {
+	// Retention strategy for cleaning up old backups.
+	// +kubebuilder:default:="--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+	CleanupStrategy string `json:"cleanupStrategy"`
+	// Enable regular backups (default: false).
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Password for Restic backup encryption.
+	// +kubebuilder:default:="<password>"
+	ResticPassword string `json:"resticPassword"`
+	// Access key for S3 authentication.
+	// +kubebuilder:default:="<your-access-key>"
+	S3AccessKey string `json:"s3AccessKey"`
+	// S3 bucket used for storing backups.
+	// +kubebuilder:default:="s3.example.org/clickhouse-backups"
+	S3Bucket string `json:"s3Bucket"`
+	// AWS S3 region where backups are stored.
+	// +kubebuilder:default:="us-east-1"
+	S3Region string `json:"s3Region"`
+	// Secret key for S3 authentication.
+	// +kubebuilder:default:="<your-secret-key>"
+	S3SecretKey string `json:"s3SecretKey"`
+	// Cron schedule for automated backups.
+	// +kubebuilder:default:="0 2 * * *"
+	Schedule string `json:"schedule"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
--- a/api/apps/v1alpha1/foundationdb/types.go
+++ b/api/apps/v1alpha1/foundationdb/types.go
@@ -0,0 +1,164 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package foundationdb
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable automatic pod replacements.
+	// +kubebuilder:default:=true
+	AutomaticReplacements bool `json:"automaticReplacements"`
+	// Backup configuration.
+	// +kubebuilder:default:={}
+	Backup Backup `json:"backup"`
+	// Cluster configuration.
+	// +kubebuilder:default:={}
+	Cluster Cluster `json:"cluster"`
+	// Custom parameters to pass to FoundationDB.
+	// +kubebuilder:default:={}
+	CustomParameters []string `json:"customParameters,omitempty"`
+	// Container image deployment type.
+	// +kubebuilder:default:="unified"
+	ImageType ImageType `json:"imageType"`
+	// Monitoring configuration.
+	// +kubebuilder:default:={}
+	Monitoring Monitoring `json:"monitoring"`
+	// Explicit CPU and memory configuration for each FoundationDB instance. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="medium"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Security context for containers.
+	// +kubebuilder:default:={}
+	SecurityContext SecurityContext `json:"securityContext"`
+	// Storage configuration.
+	// +kubebuilder:default:={}
+	Storage Storage `json:"storage"`
+}
+
+type Cluster struct {
+	// Fault domain configuration.
+	// +kubebuilder:default:={}
+	FaultDomain ClusterFaultDomain `json:"faultDomain"`
+	// Process counts for different roles.
+	// +kubebuilder:default:={}
+	ProcessCounts ClusterProcessCounts `json:"processCounts"`
+	// Database redundancy mode (single, double, triple, three_datacenter, three_datacenter_fallback).
+	// +kubebuilder:default:="double"
+	RedundancyMode string `json:"redundancyMode"`
+	// Storage engine (ssd-2, ssd-redwood-v1, ssd-rocksdb-v1, memory).
+	// +kubebuilder:default:="ssd-2"
+	StorageEngine string `json:"storageEngine"`
+	// Version of FoundationDB to use.
+	// +kubebuilder:default:="7.3.63"
+	Version string `json:"version"`
+}
+
+type BackupS3Credentials struct {
+	// S3 access key ID.
+	// +kubebuilder:default:=""
+	AccessKeyId string `json:"accessKeyId"`
+	// S3 secret access key.
+	// +kubebuilder:default:=""
+	SecretAccessKey string `json:"secretAccessKey"`
+}
+
+type BackupS3 struct {
+	// S3 bucket name.
+	// +kubebuilder:default:=""
+	Bucket string `json:"bucket"`
+	// S3 credentials.
+	// +kubebuilder:default:={}
+	Credentials BackupS3Credentials `json:"credentials"`
+	// S3 endpoint URL.
+	// +kubebuilder:default:=""
+	Endpoint string `json:"endpoint"`
+	// S3 region.
+	// +kubebuilder:default:="us-east-1"
+	Region string `json:"region"`
+}
+
+type SecurityContext struct {
+	// Group ID to run the container.
+	// +kubebuilder:default:=4059
+	RunAsGroup int `json:"runAsGroup"`
+	// User ID to run the container.
+	// +kubebuilder:default:=4059
+	RunAsUser int `json:"runAsUser"`
+}
+
+type ClusterFaultDomain struct {
+	// Fault domain key.
+	// +kubebuilder:default:="kubernetes.io/hostname"
+	Key string `json:"key"`
+	// Fault domain value source.
+	// +kubebuilder:default:="spec.nodeName"
+	ValueFrom string `json:"valueFrom"`
+}
+
+type Storage struct {
+	// Size of persistent volumes for each instance.
+	// +kubebuilder:default:="16Gi"
+	Size resource.Quantity `json:"size"`
+	// Storage class (if not set, uses cluster default).
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+}
+
+type Resources struct {
+	// CPU available to each instance.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each instance.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Backup struct {
+	// Enable backups.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Retention policy for backups.
+	// +kubebuilder:default:="7d"
+	RetentionPolicy string `json:"retentionPolicy"`
+	// S3 configuration for backups.
+	// +kubebuilder:default:={}
+	S3 BackupS3 `json:"s3"`
+}
+
+type ClusterProcessCounts struct {
+	// Number of cluster controller processes.
+	// +kubebuilder:default:=1
+	ClusterController int `json:"cluster_controller"`
+	// Number of stateless processes (-1 for automatic).
+	// +kubebuilder:default:=-1
+	Stateless int `json:"stateless"`
+	// Number of storage processes (determines cluster size).
+	// +kubebuilder:default:=3
+	Storage int `json:"storage"`
+}
+
+type Monitoring struct {
+	// Enable WorkloadMonitor integration.
+	// +kubebuilder:default:=true
+	Enabled bool `json:"enabled"`
+}
+
+// +kubebuilder:validation:Enum="unified";"split"
+type ImageType string
+
+// +kubebuilder:validation:Enum="small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
--- a/api/apps/v1alpha1/go.mod
+++ b/api/apps/v1alpha1/go.mod
@@ -0,0 +1,24 @@
+module github.com/cozystack/cozystack/api/apps/v1alpha1
+
+go 1.25.0
+
+require k8s.io/apimachinery v0.35.2
+
+require (
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+)
--- a/api/apps/v1alpha1/go.sum
+++ b/api/apps/v1alpha1/go.sum
@@ -0,0 +1,56 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/apimachinery v0.35.2 h1:NqsM/mmZA7sHW02JZ9RTtk3wInRgbVxL8MPfzSANAK8=
+k8s.io/apimachinery v0.35.2/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
+sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
--- a/api/apps/v1alpha1/harbor/types.go
+++ b/api/apps/v1alpha1/harbor/types.go
@@ -0,0 +1,116 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package harbor
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Core API server configuration.
+	// +kubebuilder:default:={}
+	Core Core `json:"core"`
+	// PostgreSQL database configuration.
+	// +kubebuilder:default:={}
+	Database Database `json:"database"`
+	// Hostname for external access to Harbor (defaults to 'harbor' subdomain for the tenant host).
+	// +kubebuilder:default:=""
+	Host string `json:"host,omitempty"`
+	// Background job service configuration.
+	// +kubebuilder:default:={}
+	Jobservice Jobservice `json:"jobservice"`
+	// Redis cache configuration.
+	// +kubebuilder:default:={}
+	Redis Redis `json:"redis"`
+	// Container image registry configuration.
+	// +kubebuilder:default:={}
+	Registry Registry `json:"registry"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Trivy vulnerability scanner configuration.
+	// +kubebuilder:default:={}
+	Trivy Trivy `json:"trivy"`
+}
+
+type Trivy struct {
+	// Enable or disable the vulnerability scanner.
+	// +kubebuilder:default:=true
+	Enabled bool `json:"enabled"`
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset,omitempty"`
+	// Persistent Volume size for vulnerability database cache.
+	// +kubebuilder:default:="5Gi"
+	Size resource.Quantity `json:"size"`
+}
+
+type Jobservice struct {
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset,omitempty"`
+}
+
+type Resources struct {
+	// Number of CPU cores allocated.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Amount of memory allocated.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Database struct {
+	// Number of database instances.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Persistent Volume size for database storage.
+	// +kubebuilder:default:="5Gi"
+	Size resource.Quantity `json:"size"`
+}
+
+type Redis struct {
+	// Number of Redis replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Persistent Volume size for cache storage.
+	// +kubebuilder:default:="1Gi"
+	Size resource.Quantity `json:"size"`
+}
+
+type Core struct {
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset,omitempty"`
+}
+
+type Registry struct {
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
--- a/api/apps/v1alpha1/httpcache/types.go
+++ b/api/apps/v1alpha1/httpcache/types.go
@@ -0,0 +1,74 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package httpcache
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Endpoints configuration, as a list of <ip:port>.
+	// +kubebuilder:default:={}
+	Endpoints []string `json:"endpoints,omitempty"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// HAProxy configuration.
+	// +kubebuilder:default:={}
+	Haproxy HAProxy `json:"haproxy"`
+	// Nginx configuration.
+	// +kubebuilder:default:={}
+	Nginx Nginx `json:"nginx"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type HAProxy struct {
+	// Number of HAProxy replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+type Nginx struct {
+	// Number of Nginx replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
--- a/api/apps/v1alpha1/kafka/types.go
+++ b/api/apps/v1alpha1/kafka/types.go
@@ -0,0 +1,92 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package kafka
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8sRuntime "k8s.io/apimachinery/pkg/runtime"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Kafka configuration.
+	// +kubebuilder:default:={}
+	Kafka Kafka `json:"kafka"`
+	// Topics configuration.
+	// +kubebuilder:default:={}
+	Topics []Topic `json:"topics,omitempty"`
+	// ZooKeeper configuration.
+	// +kubebuilder:default:={}
+	Zookeeper ZooKeeper `json:"zookeeper"`
+}
+
+type ZooKeeper struct {
+	// Number of ZooKeeper replicas.
+	// +kubebuilder:default:=3
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume size for ZooKeeper.
+	// +kubebuilder:default:="5Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the ZooKeeper data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+}
+
+type Topic struct {
+	// Topic configuration.
+	Config k8sRuntime.RawExtension `json:"config"`
+	// Topic name.
+	Name string `json:"name"`
+	// Number of partitions.
+	Partitions int `json:"partitions"`
+	// Number of replicas.
+	Replicas int `json:"replicas"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Kafka struct {
+	// Number of Kafka replicas.
+	// +kubebuilder:default:=3
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume size for Kafka.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the Kafka data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
--- a/api/apps/v1alpha1/kubernetes/types.go
+++ b/api/apps/v1alpha1/kubernetes/types.go
@@ -0,0 +1,260 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package kubernetes
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8sRuntime "k8s.io/apimachinery/pkg/runtime"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Cluster addons configuration.
+	// +kubebuilder:default:={}
+	Addons Addons `json:"addons"`
+	// Kubernetes control-plane configuration.
+	// +kubebuilder:default:={}
+	ControlPlane ControlPlane `json:"controlPlane"`
+	// External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty.
+	// +kubebuilder:default:=""
+	Host string `json:"host"`
+	// Worker nodes configuration map.
+	// +kubebuilder:default:={"md0":{"ephemeralStorage":"20Gi","gpus":{},"instanceType":"u1.medium","maxReplicas":10,"minReplicas":0,"resources":{},"roles":{"ingress-nginx"}}}
+	NodeGroups map[string]NodeGroup `json:"nodeGroups,omitempty"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:="replicated"
+	StorageClass string `json:"storageClass"`
+	// Kubernetes major.minor version to deploy
+	// +kubebuilder:default:="v1.35"
+	Version Version `json:"version"`
+}
+
+type VeleroAddon struct {
+	// Enable Velero.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type KonnectivityServer struct {
+	// CPU and memory resources for Konnectivity.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources"`
+	// Preset if `resources` omitted.
+	// +kubebuilder:default:="micro"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+type IngressNginxAddon struct {
+	// Enable the controller (requires nodes labeled `ingress-nginx`).
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Method to expose the controller. Allowed values: `Proxied`, `LoadBalancer`.
+	// +kubebuilder:default:="Proxied"
+	ExposeMethod IngressNginxExposeMethod `json:"exposeMethod"`
+	// Domains routed to this tenant cluster when `exposeMethod` is `Proxied`.
+	// +kubebuilder:default:={}
+	Hosts []string `json:"hosts,omitempty"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type FluxCDAddon struct {
+	// Enable FluxCD.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type APIServer struct {
+	// CPU and memory resources for API Server.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources"`
+	// Preset if `resources` omitted.
+	// +kubebuilder:default:="large"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+type Resources struct {
+	// CPU available.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type CoreDNSAddon struct {
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type Konnectivity struct {
+	// Konnectivity Server configuration.
+	// +kubebuilder:default:={}
+	Server KonnectivityServer `json:"server"`
+}
+
+type ControlPlane struct {
+	// API Server configuration.
+	// +kubebuilder:default:={}
+	ApiServer APIServer `json:"apiServer"`
+	// Controller Manager configuration.
+	// +kubebuilder:default:={}
+	ControllerManager ControllerManager `json:"controllerManager"`
+	// Konnectivity configuration.
+	// +kubebuilder:default:={}
+	Konnectivity Konnectivity `json:"konnectivity"`
+	// Number of control-plane replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Scheduler configuration.
+	// +kubebuilder:default:={}
+	Scheduler Scheduler `json:"scheduler"`
+}
+
+type GPUOperatorAddon struct {
+	// Enable GPU Operator.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type Addons struct {
+	// Cert-manager addon.
+	// +kubebuilder:default:={}
+	CertManager CertManagerAddon `json:"certManager"`
+	// Cilium CNI plugin.
+	// +kubebuilder:default:={}
+	Cilium CiliumAddon `json:"cilium"`
+	// CoreDNS addon.
+	// +kubebuilder:default:={}
+	Coredns CoreDNSAddon `json:"coredns"`
+	// FluxCD GitOps operator.
+	// +kubebuilder:default:={}
+	Fluxcd FluxCDAddon `json:"fluxcd"`
+	// Gateway API addon.
+	// +kubebuilder:default:={}
+	GatewayAPI GatewayAPIAddon `json:"gatewayAPI"`
+	// NVIDIA GPU Operator.
+	// +kubebuilder:default:={}
+	GpuOperator GPUOperatorAddon `json:"gpuOperator"`
+	// Ingress-NGINX controller.
+	// +kubebuilder:default:={}
+	IngressNginx IngressNginxAddon `json:"ingressNginx"`
+	// Monitoring agents.
+	// +kubebuilder:default:={}
+	MonitoringAgents MonitoringAgentsAddon `json:"monitoringAgents"`
+	// Velero backup/restore addon.
+	// +kubebuilder:default:={}
+	Velero VeleroAddon `json:"velero"`
+	// Vertical Pod Autoscaler.
+	// +kubebuilder:default:={}
+	VerticalPodAutoscaler VerticalPodAutoscalerAddon `json:"verticalPodAutoscaler"`
+}
+
+type Scheduler struct {
+	// CPU and memory resources for Scheduler.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources"`
+	// Preset if `resources` omitted.
+	// +kubebuilder:default:="micro"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+type CertManagerAddon struct {
+	// Enable cert-manager.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type MonitoringAgentsAddon struct {
+	// Enable monitoring agents.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type GPU struct {
+	// Name of GPU, such as "nvidia.com/AD102GL_L40S".
+	Name string `json:"name"`
+}
+
+type GatewayAPIAddon struct {
+	// Enable Gateway API.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+}
+
+type VerticalPodAutoscalerAddon struct {
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type ControllerManager struct {
+	// CPU and memory resources for Controller Manager.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources"`
+	// Preset if `resources` omitted.
+	// +kubebuilder:default:="micro"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+type NodeGroup struct {
+	// Ephemeral storage size.
+	// +kubebuilder:default:="20Gi"
+	EphemeralStorage resource.Quantity `json:"ephemeralStorage"`
+	// List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).
+	Gpus []GPU `json:"gpus,omitempty"`
+	// Virtual machine instance type.
+	// +kubebuilder:default:="u1.medium"
+	InstanceType string `json:"instanceType"`
+	// Maximum number of replicas.
+	// +kubebuilder:default:=10
+	MaxReplicas int `json:"maxReplicas"`
+	// Minimum number of replicas.
+	// +kubebuilder:default:=0
+	MinReplicas int `json:"minReplicas"`
+	// CPU and memory resources for each worker node.
+	Resources Resources `json:"resources"`
+	// List of node roles.
+	Roles []string `json:"roles,omitempty"`
+}
+
+type CiliumAddon struct {
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+// +kubebuilder:validation:Enum="v1.35";"v1.34";"v1.33";"v1.32";"v1.31";"v1.30"
+type Version string
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="Proxied";"LoadBalancer"
+type IngressNginxExposeMethod string
--- a/api/apps/v1alpha1/mariadb/types.go
+++ b/api/apps/v1alpha1/mariadb/types.go
@@ -0,0 +1,111 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package mariadb
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Backup configuration.
+	// +kubebuilder:default:={}
+	Backup Backup `json:"backup"`
+	// Databases configuration map.
+	// +kubebuilder:default:={}
+	Databases map[string]Database `json:"databases,omitempty"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of MariaDB replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each MariaDB replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+	// MariaDB major.minor version to deploy
+	// +kubebuilder:default:="v11.8"
+	Version Version `json:"version"`
+}
+
+type Backup struct {
+	// Retention strategy for cleaning up old backups.
+	// +kubebuilder:default:="--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+	CleanupStrategy string `json:"cleanupStrategy"`
+	// Enable regular backups (default: false).
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Password for Restic backup encryption.
+	// +kubebuilder:default:="<password>"
+	ResticPassword string `json:"resticPassword"`
+	// Access key for S3 authentication.
+	// +kubebuilder:default:="<your-access-key>"
+	S3AccessKey string `json:"s3AccessKey"`
+	// S3 bucket used for storing backups.
+	// +kubebuilder:default:="s3.example.org/mariadb-backups"
+	S3Bucket string `json:"s3Bucket"`
+	// AWS S3 region where backups are stored.
+	// +kubebuilder:default:="us-east-1"
+	S3Region string `json:"s3Region"`
+	// Secret key for S3 authentication.
+	// +kubebuilder:default:="<your-secret-key>"
+	S3SecretKey string `json:"s3SecretKey"`
+	// Cron schedule for automated backups.
+	// +kubebuilder:default:="0 2 * * *"
+	Schedule string `json:"schedule"`
+}
+
+type Database struct {
+	// Roles assigned to users.
+	Roles DatabaseRoles `json:"roles,omitempty"`
+}
+
+type DatabaseRoles struct {
+	// List of users with admin privileges.
+	Admin []string `json:"admin,omitempty"`
+	// List of users with read-only privileges.
+	Readonly []string `json:"readonly,omitempty"`
+}
+
+type User struct {
+	// Maximum number of connections.
+	MaxUserConnections int `json:"maxUserConnections"`
+	// Password for the user.
+	Password string `json:"password"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="v11.8";"v11.4";"v10.11";"v10.6"
+type Version string
--- a/api/apps/v1alpha1/mongodb/types.go
+++ b/api/apps/v1alpha1/mongodb/types.go
@@ -0,0 +1,151 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package mongodb
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Backup configuration.
+	// +kubebuilder:default:={}
+	Backup Backup `json:"backup"`
+	// Bootstrap configuration.
+	// +kubebuilder:default:={}
+	Bootstrap Bootstrap `json:"bootstrap"`
+	// Databases configuration map.
+	// +kubebuilder:default:={}
+	Databases map[string]Database `json:"databases,omitempty"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of MongoDB replicas in replica set.
+	// +kubebuilder:default:=3
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each MongoDB replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Enable sharded cluster mode. When disabled, deploys a replica set.
+	// +kubebuilder:default:=false
+	Sharding bool `json:"sharding"`
+	// Configuration for sharded cluster mode.
+	// +kubebuilder:default:={}
+	ShardingConfig ShardingConfig `json:"shardingConfig"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+	// MongoDB major version to deploy.
+	// +kubebuilder:default:="v8"
+	Version Version `json:"version"`
+}
+
+type Shard struct {
+	// Shard name.
+	Name string `json:"name"`
+	// Number of replicas in this shard.
+	Replicas int `json:"replicas"`
+	// PVC size for this shard.
+	Size resource.Quantity `json:"size"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type DatabaseRoles struct {
+	// List of users with admin privileges (readWrite + dbAdmin).
+	Admin []string `json:"admin,omitempty"`
+	// List of users with read-only privileges.
+	Readonly []string `json:"readonly,omitempty"`
+}
+
+type Backup struct {
+	// Destination path for backups (e.g. s3://bucket/path/).
+	// +kubebuilder:default:="s3://bucket/path/to/folder/"
+	DestinationPath string `json:"destinationPath,omitempty"`
+	// Enable regular backups.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// S3 endpoint URL for uploads.
+	// +kubebuilder:default:="http://minio-gateway-service:9000"
+	EndpointURL string `json:"endpointURL,omitempty"`
+	// Retention policy (e.g. "30d").
+	// +kubebuilder:default:="30d"
+	RetentionPolicy string `json:"retentionPolicy,omitempty"`
+	// Access key for S3 authentication.
+	// +kubebuilder:default:=""
+	S3AccessKey string `json:"s3AccessKey,omitempty"`
+	// Secret key for S3 authentication.
+	// +kubebuilder:default:=""
+	S3SecretKey string `json:"s3SecretKey,omitempty"`
+	// Cron schedule for automated backups.
+	// +kubebuilder:default:="0 2 * * *"
+	Schedule string `json:"schedule,omitempty"`
+}
+
+type ShardingConfig struct {
+	// PVC size for config servers.
+	// +kubebuilder:default:="3Gi"
+	ConfigServerSize resource.Quantity `json:"configServerSize"`
+	// Number of config server replicas.
+	// +kubebuilder:default:=3
+	ConfigServers int `json:"configServers"`
+	// Number of mongos router replicas.
+	// +kubebuilder:default:=2
+	Mongos int `json:"mongos"`
+	// List of shard configurations.
+	// +kubebuilder:default:={{"name":"rs0","replicas":3,"size":"10Gi"}}
+	Shards []Shard `json:"shards,omitempty"`
+}
+
+type Bootstrap struct {
+	// Name of backup to restore from.
+	// +kubebuilder:default:=""
+	BackupName string `json:"backupName"`
+	// Whether to restore from a backup.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Timestamp for point-in-time recovery; empty means latest.
+	// +kubebuilder:default:=""
+	RecoveryTime string `json:"recoveryTime,omitempty"`
+}
+
+type User struct {
+	// Password for the user (auto-generated if omitted).
+	Password string `json:"password,omitempty"`
+}
+
+type Database struct {
+	// Roles assigned to users.
+	Roles DatabaseRoles `json:"roles,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="v8";"v7";"v6"
+type Version string
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
--- a/api/apps/v1alpha1/nats/types.go
+++ b/api/apps/v1alpha1/nats/types.go
@@ -0,0 +1,80 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package nats
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8sRuntime "k8s.io/apimachinery/pkg/runtime"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// NATS configuration.
+	// +kubebuilder:default:={}
+	Config ValuesConfig `json:"config"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Jetstream configuration.
+	// +kubebuilder:default:={}
+	Jetstream Jetstream `json:"jetstream"`
+	// Number of replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each NATS replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+}
+
+type User struct {
+	// Password for the user.
+	Password string `json:"password,omitempty"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Jetstream struct {
+	// Enable or disable Jetstream for persistent messaging in NATS.
+	// +kubebuilder:default:=true
+	Enabled bool `json:"enabled"`
+	// Jetstream persistent storage size.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+}
+
+type ValuesConfig struct {
+	// Additional configuration to merge into NATS config.
+	// +kubebuilder:default:={}
+	Merge *k8sRuntime.RawExtension `json:"merge,omitempty"`
+	// Additional resolver configuration to merge into NATS config.
+	// +kubebuilder:default:={}
+	Resolver *k8sRuntime.RawExtension `json:"resolver,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
--- a/api/apps/v1alpha1/openbao/types.go
+++ b/api/apps/v1alpha1/openbao/types.go
@@ -0,0 +1,53 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package openbao
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of OpenBAO replicas. HA with Raft is automatically enabled when replicas > 1. Switching between standalone (file storage) and HA (Raft storage) modes requires data migration.
+	// +kubebuilder:default:=1
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each OpenBAO replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size for data storage.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Enable the OpenBAO web UI.
+	// +kubebuilder:default:=true
+	Ui bool `json:"ui"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
--- a/api/apps/v1alpha1/postgresql/types.go
+++ b/api/apps/v1alpha1/postgresql/types.go
@@ -0,0 +1,152 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package postgresql
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Backup configuration.
+	// +kubebuilder:default:={}
+	Backup Backup `json:"backup"`
+	// Bootstrap configuration.
+	// +kubebuilder:default:={}
+	Bootstrap Bootstrap `json:"bootstrap"`
+	// Databases configuration map.
+	// +kubebuilder:default:={}
+	Databases map[string]Database `json:"databases,omitempty"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// PostgreSQL server configuration.
+	// +kubebuilder:default:={}
+	Postgresql PostgreSQL `json:"postgresql"`
+	// Quorum configuration for synchronous replication.
+	// +kubebuilder:default:={}
+	Quorum Quorum `json:"quorum"`
+	// Number of Postgres replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each PostgreSQL replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="micro"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+	// PostgreSQL major version to deploy
+	// +kubebuilder:default:="v18"
+	Version Version `json:"version"`
+}
+
+type User struct {
+	// Password for the user.
+	Password string `json:"password,omitempty"`
+	// Whether the user has replication privileges.
+	Replication bool `json:"replication,omitempty"`
+}
+
+type Bootstrap struct {
+	// Whether to restore from a backup.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Previous cluster name before deletion.
+	// +kubebuilder:default:=""
+	OldName string `json:"oldName"`
+	// Timestamp (RFC3339) for point-in-time recovery; empty means latest.
+	// +kubebuilder:default:=""
+	RecoveryTime string `json:"recoveryTime,omitempty"`
+}
+
+type Quorum struct {
+	// Maximum number of synchronous replicas allowed (must be less than total replicas).
+	// +kubebuilder:default:=0
+	MaxSyncReplicas int `json:"maxSyncReplicas"`
+	// Minimum number of synchronous replicas required for commit.
+	// +kubebuilder:default:=0
+	MinSyncReplicas int `json:"minSyncReplicas"`
+}
+
+type DatabaseRoles struct {
+	// List of users with admin privileges.
+	Admin []string `json:"admin,omitempty"`
+	// List of users with read-only privileges.
+	Readonly []string `json:"readonly,omitempty"`
+}
+
+type Database struct {
+	// List of enabled PostgreSQL extensions.
+	Extensions []string `json:"extensions,omitempty"`
+	// Roles assigned to users.
+	Roles DatabaseRoles `json:"roles,omitempty"`
+}
+
+type Backup struct {
+	// Destination path for backups (e.g. s3://bucket/path/).
+	// +kubebuilder:default:="s3://bucket/path/to/folder/"
+	DestinationPath string `json:"destinationPath,omitempty"`
+	// Enable regular backups.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// S3 endpoint URL for uploads.
+	// +kubebuilder:default:="http://minio-gateway-service:9000"
+	EndpointURL string `json:"endpointURL,omitempty"`
+	// Retention policy (e.g. "30d").
+	// +kubebuilder:default:="30d"
+	RetentionPolicy string `json:"retentionPolicy,omitempty"`
+	// Access key for S3 authentication.
+	// +kubebuilder:default:="<your-access-key>"
+	S3AccessKey string `json:"s3AccessKey,omitempty"`
+	// Secret key for S3 authentication.
+	// +kubebuilder:default:="<your-secret-key>"
+	S3SecretKey string `json:"s3SecretKey,omitempty"`
+	// Cron schedule for automated backups.
+	// +kubebuilder:default:="0 2 * * * *"
+	Schedule string `json:"schedule,omitempty"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type PostgreSQLParameters struct {
+	// Maximum number of concurrent connections to the database server.
+	// +kubebuilder:default:=100
+	MaxConnections int `json:"max_connections,omitempty"`
+}
+
+type PostgreSQL struct {
+	// PostgreSQL server parameters.
+	// +kubebuilder:default:={}
+	Parameters PostgreSQLParameters `json:"parameters,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="v18";"v17";"v16";"v15";"v14";"v13"
+type Version string
--- a/api/apps/v1alpha1/qdrant/types.go
+++ b/api/apps/v1alpha1/qdrant/types.go
@@ -0,0 +1,50 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package qdrant
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of Qdrant replicas. Cluster mode is automatically enabled when replicas > 1.
+	// +kubebuilder:default:=1
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each Qdrant replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size available for vector data storage.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
--- a/api/apps/v1alpha1/rabbitmq/types.go
+++ b/api/apps/v1alpha1/rabbitmq/types.go
@@ -0,0 +1,79 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package rabbitmq
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of RabbitMQ replicas.
+	// +kubebuilder:default:=3
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each RabbitMQ replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+	// RabbitMQ major.minor version to deploy
+	// +kubebuilder:default:="v4.2"
+	Version Version `json:"version"`
+	// Virtual hosts configuration map.
+	// +kubebuilder:default:={}
+	Vhosts map[string]Vhost `json:"vhosts,omitempty"`
+}
+
+type Vhost struct {
+	// Virtual host roles list.
+	Roles Roles `json:"roles"`
+}
+
+type User struct {
+	// Password for the user.
+	Password string `json:"password,omitempty"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Roles struct {
+	// List of admin users.
+	Admin []string `json:"admin,omitempty"`
+	// List of readonly users.
+	Readonly []string `json:"readonly,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="v4.2";"v4.1";"v4.0";"v3.13"
+type Version string
--- a/api/apps/v1alpha1/redis/types.go
+++ b/api/apps/v1alpha1/redis/types.go
@@ -0,0 +1,59 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package redis
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable password generation.
+	// +kubebuilder:default:=true
+	AuthEnabled bool `json:"authEnabled"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of Redis replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each Redis replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="1Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Redis major version to deploy
+	// +kubebuilder:default:="v8"
+	Version Version `json:"version"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="v8";"v7"
+type Version string
--- a/api/apps/v1alpha1/tcpbalancer/types.go
+++ b/api/apps/v1alpha1/tcpbalancer/types.go
@@ -0,0 +1,77 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package tcpbalancer
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// HTTP and HTTPS configuration.
+	// +kubebuilder:default:={}
+	HttpAndHttps HttpAndHttps `json:"httpAndHttps"`
+	// Number of HAProxy replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each TCP Balancer replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// List of allowed client networks.
+	// +kubebuilder:default:={}
+	Whitelist []string `json:"whitelist,omitempty"`
+	// Secure HTTP by whitelisting client networks (default: false).
+	// +kubebuilder:default:=false
+	WhitelistHTTP bool `json:"whitelistHTTP"`
+}
+
+type TargetPorts struct {
+	// HTTP port number.
+	// +kubebuilder:default:=80
+	Http int `json:"http"`
+	// HTTPS port number.
+	// +kubebuilder:default:=443
+	Https int `json:"https"`
+}
+
+type HttpAndHttps struct {
+	// Endpoint addresses list.
+	// +kubebuilder:default:={}
+	Endpoints []string `json:"endpoints,omitempty"`
+	// Mode for balancer.
+	// +kubebuilder:default:="tcp"
+	Mode Mode `json:"mode"`
+	// Target ports configuration.
+	// +kubebuilder:default:={}
+	TargetPorts TargetPorts `json:"targetPorts"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="tcp";"tcp-with-proxy"
+type Mode string
--- a/api/apps/v1alpha1/tenant/types.go
+++ b/api/apps/v1alpha1/tenant/types.go
@@ -0,0 +1,40 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package tenant
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Deploy own Etcd cluster.
+	// +kubebuilder:default:=false
+	Etcd bool `json:"etcd"`
+	// The hostname used to access tenant services (defaults to using the tenant name as a subdomain for its parent tenant host).
+	// +kubebuilder:default:=""
+	Host string `json:"host,omitempty"`
+	// Deploy own Ingress Controller.
+	// +kubebuilder:default:=false
+	Ingress bool `json:"ingress"`
+	// Deploy own Monitoring Stack.
+	// +kubebuilder:default:=false
+	Monitoring bool `json:"monitoring"`
+	// Define resource quotas for the tenant.
+	// +kubebuilder:default:={}
+	ResourceQuotas map[string]resource.Quantity `json:"resourceQuotas,omitempty"`
+	// Deploy own SeaweedFS.
+	// +kubebuilder:default:=false
+	Seaweedfs bool `json:"seaweedfs"`
+}
--- a/api/apps/v1alpha1/vmdisk/types.go
+++ b/api/apps/v1alpha1/vmdisk/types.go
@@ -0,0 +1,53 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package vmdisk
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Defines if disk should be considered optical.
+	// +kubebuilder:default:=false
+	Optical bool `json:"optical"`
+	// The source image location used to create a disk.
+	// +kubebuilder:default:={}
+	Source Source `json:"source"`
+	// The size of the disk allocated for the virtual machine.
+	// +kubebuilder:default:="5Gi"
+	Storage resource.Quantity `json:"storage"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:="replicated"
+	StorageClass string `json:"storageClass"`
+}
+
+type SourceImage struct {
+	// Name of the image to use (uploaded as "golden image" or from the list: `ubuntu`, `fedora`, `cirros`, `alpine`, `talos`).
+	Name string `json:"name"`
+}
+
+type SourceHTTP struct {
+	// URL to download the image.
+	Url string `json:"url"`
+}
+
+type Source struct {
+	// Download image from an HTTP source.
+	Http *SourceHTTP `json:"http,omitempty"`
+	// Use image by name.
+	Image *SourceImage `json:"image,omitempty"`
+	// Upload local image.
+	Upload *SourceUpload `json:"upload,omitempty"`
+}
--- a/api/apps/v1alpha1/vminstance/types.go
+++ b/api/apps/v1alpha1/vminstance/types.go
@@ -0,0 +1,96 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package vminstance
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Cloud-init user data.
+	// +kubebuilder:default:=""
+	CloudInit string `json:"cloudInit"`
+	// Seed string to generate SMBIOS UUID for the VM.
+	// +kubebuilder:default:=""
+	CloudInitSeed string `json:"cloudInitSeed"`
+	// Model specifies the CPU model inside the VMI. List of available models https://github.com/libvirt/libvirt/tree/master/src/cpu_map
+	// +kubebuilder:default:=""
+	CpuModel string `json:"cpuModel"`
+	// List of disks to attach.
+	// +kubebuilder:default:={}
+	Disks []Disk `json:"disks,omitempty"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Method to pass through traffic to the VM.
+	// +kubebuilder:default:="PortList"
+	ExternalMethod ExternalMethod `json:"externalMethod"`
+	// Ports to forward from outside the cluster.
+	// +kubebuilder:default:={22}
+	ExternalPorts []int `json:"externalPorts,omitempty"`
+	// List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).
+	// +kubebuilder:default:={}
+	Gpus []GPU `json:"gpus,omitempty"`
+	// Virtual Machine preferences profile.
+	// +kubebuilder:default:="ubuntu"
+	InstanceProfile string `json:"instanceProfile"`
+	// Virtual Machine instance type.
+	// +kubebuilder:default:="u1.medium"
+	InstanceType string `json:"instanceType"`
+	// Resource configuration for the virtual machine.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Requested running state of the VirtualMachineInstance
+	// +kubebuilder:default:="Always"
+	RunStrategy RunStrategy `json:"runStrategy"`
+	// List of SSH public keys for authentication.
+	// +kubebuilder:default:={}
+	SshKeys []string `json:"sshKeys,omitempty"`
+	// Additional subnets
+	// +kubebuilder:default:={}
+	Subnets []Subnet `json:"subnets,omitempty"`
+}
+
+type Disk struct {
+	// Disk bus type (e.g. "sata").
+	Bus string `json:"bus,omitempty"`
+	// Disk name.
+	Name string `json:"name"`
+}
+
+type Subnet struct {
+	// Subnet name
+	Name string `json:"name,omitempty"`
+}
+
+type GPU struct {
+	// The name of the GPU resource to attach.
+	Name string `json:"name"`
+}
+
+type Resources struct {
+	// Number of CPU cores allocated.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Amount of memory allocated.
+	Memory resource.Quantity `json:"memory,omitempty"`
+	// Number of CPU sockets (vCPU topology).
+	Sockets resource.Quantity `json:"sockets,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="Always";"Halted";"Manual";"RerunOnFailure";"Once"
+type RunStrategy string
+
+// +kubebuilder:validation:Enum="PortList";"WholeIP"
+type ExternalMethod string
--- a/api/apps/v1alpha1/vpc/types.go
+++ b/api/apps/v1alpha1/vpc/types.go
@@ -0,0 +1,31 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package vpc
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Subnets of a VPC
+	// +kubebuilder:default:={}
+	Subnets []Subnet `json:"subnets,omitempty"`
+}
+
+type Subnet struct {
+	// IP address range
+	Cidr string `json:"cidr,omitempty"`
+	// Subnet name
+	Name string `json:"name"`
+}
--- a/api/apps/v1alpha1/vpn/types.go
+++ b/api/apps/v1alpha1/vpn/types.go
@@ -0,0 +1,58 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package vpn
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// List of externalIPs for service. Optional. If not specified, will use LoadBalancer service by default.
+	// +kubebuilder:default:={}
+	ExternalIPs []string `json:"externalIPs,omitempty"`
+	// Host used to substitute into generated URLs.
+	// +kubebuilder:default:=""
+	Host string `json:"host"`
+	// Number of VPN server replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each VPN server replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type User struct {
+	// Password for the user (autogenerated if not provided).
+	Password string `json:"password,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
--- a/api/dashboard/v1alpha1/dashboard_resources.go
+++ b/api/dashboard/v1alpha1/dashboard_resources.go
@@ -253,3 +253,25 @@ type FactoryList struct {
 	metav1.ListMeta `json:"metadata,omitempty"`
 	Items           []Factory `json:"items"`
 }
+
+// -----------------------------------------------------------------------------
+// CustomFormsOverrideMapping
+// -----------------------------------------------------------------------------
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=cfomappings,scope=Cluster
+// +kubebuilder:subresource:status
+type CFOMapping struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ArbitrarySpec `json:"spec"`
+	Status CommonStatus  `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+type CFOMappingList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []CFOMapping `json:"items"`
+}
--- a/api/dashboard/v1alpha1/groupversion_info.go
+++ b/api/dashboard/v1alpha1/groupversion_info.go
@@ -69,6 +69,9 @@ func addKnownTypes(scheme *runtime.Scheme) error {

 		&Factory{},
 		&FactoryList{},
+
+		&CFOMapping{},
+		&CFOMappingList{},
 	)
 	metav1.AddToGroupVersion(scheme, GroupVersion)
 	return nil
--- a/api/dashboard/v1alpha1/zz_generated.deepcopy.go
+++ b/api/dashboard/v1alpha1/zz_generated.deepcopy.go
@@ -159,6 +159,65 @@ func (in *BreadcrumbList) DeepCopyObject() runtime.Object {
 	return nil
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CFOMapping) DeepCopyInto(out *CFOMapping) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CFOMapping.
+func (in *CFOMapping) DeepCopy() *CFOMapping {
+	if in == nil {
+		return nil
+	}
+	out := new(CFOMapping)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CFOMapping) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CFOMappingList) DeepCopyInto(out *CFOMappingList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CFOMapping, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CFOMappingList.
+func (in *CFOMappingList) DeepCopy() *CFOMappingList {
+	if in == nil {
+		return nil
+	}
+	out := new(CFOMappingList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CFOMappingList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CommonStatus) DeepCopyInto(out *CommonStatus) {
 	*out = *in
--- a/cmd/cozystack-operator/main.go
+++ b/cmd/cozystack-operator/main.go
@@ -50,6 +50,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"

 	"github.com/cozystack/cozystack/internal/cozyvaluesreplicator"
+	"github.com/cozystack/cozystack/internal/crdinstall"
 	"github.com/cozystack/cozystack/internal/fluxinstall"
 	"github.com/cozystack/cozystack/internal/operator"
 	"github.com/cozystack/cozystack/internal/telemetry"
@@ -77,6 +78,7 @@ func main() {
 	var probeAddr string
 	var secureMetrics bool
 	var enableHTTP2 bool
+	var installCRDs bool
 	var installFlux bool
 	var disableTelemetry bool
 	var telemetryEndpoint string
@@ -97,6 +99,7 @@ func main() {
 		"If set the metrics endpoint is served securely")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	flag.BoolVar(&installCRDs, "install-crds", false, "Install Cozystack CRDs before starting reconcile loop")
 	flag.BoolVar(&installFlux, "install-flux", false, "Install Flux components before starting reconcile loop")
 	flag.BoolVar(&disableTelemetry, "disable-telemetry", false,
 		"Disable telemetry collection")
@@ -105,7 +108,7 @@ func main() {
 	flag.StringVar(&telemetryInterval, "telemetry-interval", "15m",
 		"Interval between telemetry data collection (e.g. 15m, 1h)")
 	flag.StringVar(&platformSourceURL, "platform-source-url", "", "Platform source URL (oci:// or https://). If specified, generates OCIRepository or GitRepository resource.")
-	flag.StringVar(&platformSourceName, "platform-source-name", "cozystack-packages", "Name for the generated platform source resource (default: cozystack-packages)")
+	flag.StringVar(&platformSourceName, "platform-source-name", "cozystack-platform", "Name for the generated platform source resource and PackageSource")
 	flag.StringVar(&platformSourceRef, "platform-source-ref", "", "Reference specification as key=value pairs (e.g., 'branch=main' or 'digest=sha256:...,tag=v1.0'). For OCI: digest, semver, semverFilter, tag. For Git: branch, tag, semver, name, commit.")
 	flag.StringVar(&cozyValuesSecretName, "cozy-values-secret-name", "cozystack-values", "The name of the secret containing cluster-wide configuration values.")
 	flag.StringVar(&cozyValuesSecretNamespace, "cozy-values-secret-namespace", "cozy-system", "The namespace of the secret containing cluster-wide configuration values.")
@@ -134,8 +137,7 @@ func main() {
 		os.Exit(1)
 	}

-	// Start the controller manager
-	setupLog.Info("Starting controller manager")
+	// Initialize the controller manager
 	mgr, err := ctrl.NewManager(config, ctrl.Options{
 		Scheme: scheme,
 		Cache: cache.Options{
@@ -177,10 +179,26 @@ func main() {
 		os.Exit(1)
 	}

+	// Set up signal handler early so install phases respect SIGTERM
+	mgrCtx := ctrl.SetupSignalHandler()
+
+	// Install Cozystack CRDs before starting reconcile loop
+	if installCRDs {
+		setupLog.Info("Installing Cozystack CRDs before starting reconcile loop")
+		installCtx, installCancel := context.WithTimeout(mgrCtx, 2*time.Minute)
+		defer installCancel()
+
+		if err := crdinstall.Install(installCtx, directClient, crdinstall.WriteEmbeddedManifests); err != nil {
+			setupLog.Error(err, "failed to install CRDs")
+			os.Exit(1)
+		}
+		setupLog.Info("CRD installation completed successfully")
+	}
+
 	// Install Flux before starting reconcile loop
 	if installFlux {
 		setupLog.Info("Installing Flux components before starting reconcile loop")
-		installCtx, installCancel := context.WithTimeout(context.Background(), 5*time.Minute)
+		installCtx, installCancel := context.WithTimeout(mgrCtx, 5*time.Minute)
 		defer installCancel()

 		// Use direct client for pre-start operations (cache is not ready yet)
@@ -194,7 +212,7 @@ func main() {
 	// Generate and install platform source resource if specified
 	if platformSourceURL != "" {
 		setupLog.Info("Generating platform source resource", "url", platformSourceURL, "name", platformSourceName, "ref", platformSourceRef)
-		installCtx, installCancel := context.WithTimeout(context.Background(), 2*time.Minute)
+		installCtx, installCancel := context.WithTimeout(mgrCtx, 2*time.Minute)
 		defer installCancel()

 		// Use direct client for pre-start operations (cache is not ready yet)
@@ -206,6 +224,29 @@ func main() {
 		}
 	}

+	// Create platform PackageSource when CRDs are managed by the operator and
+	// a platform source URL is configured. Without a URL there is no Flux source
+	// resource to reference, so creating a PackageSource would leave a dangling SourceRef.
+	if installCRDs && platformSourceURL != "" {
+		sourceRefKind := "OCIRepository"
+		sourceType, _, err := parsePlatformSourceURL(platformSourceURL)
+		if err != nil {
+			setupLog.Error(err, "failed to parse platform source URL for PackageSource")
+			os.Exit(1)
+		}
+		if sourceType == "git" {
+			sourceRefKind = "GitRepository"
+		}
+		setupLog.Info("Creating platform PackageSource", "platformSourceName", platformSourceName)
+		psCtx, psCancel := context.WithTimeout(mgrCtx, 2*time.Minute)
+		defer psCancel()
+		if err := installPlatformPackageSource(psCtx, directClient, platformSourceName, sourceRefKind); err != nil {
+			setupLog.Error(err, "failed to create platform PackageSource")
+			os.Exit(1)
+		}
+		setupLog.Info("Platform PackageSource creation completed successfully")
+	}
+
 	// Setup PackageSource reconciler
 	if err := (&operator.PackageSourceReconciler{
 		Client: mgr.GetClient(),
@@ -276,7 +317,6 @@ func main() {
 	}

 	setupLog.Info("Starting controller manager")
-	mgrCtx := ctrl.SetupSignalHandler()
 	if err := mgr.Start(mgrCtx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
@@ -535,3 +575,79 @@ func generateGitRepository(name, repoURL string, refMap map[string]string) (*sou

 	return obj, nil
 }
+
+// installPlatformPackageSource creates the platform PackageSource resource
+// that references the Flux source resource (OCIRepository or GitRepository).
+//
+// The variant list is intentionally hardcoded here. These are platform-defined
+// deployment profiles (not user-extensible), matching what was previously in
+// the Helm template. Changes require a new operator build and release.
+func installPlatformPackageSource(ctx context.Context, k8sClient client.Client, platformSourceName, sourceRefKind string) error {
+	logger := log.FromContext(ctx)
+
+	packageSourceName := "cozystack." + platformSourceName
+
+	ps := &cozyv1alpha1.PackageSource{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: cozyv1alpha1.GroupVersion.String(),
+			Kind:       "PackageSource",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: packageSourceName,
+			Annotations: map[string]string{
+				"operator.cozystack.io/skip-cozystack-values": "true",
+			},
+		},
+		Spec: cozyv1alpha1.PackageSourceSpec{
+			SourceRef: &cozyv1alpha1.PackageSourceRef{
+				Kind:      sourceRefKind,
+				Name:      platformSourceName,
+				Namespace: "cozy-system",
+				Path:      "/",
+			},
+		},
+	}
+
+	variantData := []struct {
+		name        string
+		valuesFiles []string
+	}{
+		{"default", []string{"values.yaml"}},
+		{"isp-full", []string{"values.yaml", "values-isp-full.yaml"}},
+		{"isp-hosted", []string{"values.yaml", "values-isp-hosted.yaml"}},
+		{"isp-full-generic", []string{"values.yaml", "values-isp-full-generic.yaml"}},
+	}
+
+	variants := make([]cozyv1alpha1.Variant, len(variantData))
+	for i, v := range variantData {
+		variants[i] = cozyv1alpha1.Variant{
+			Name: v.name,
+			Components: []cozyv1alpha1.Component{
+				{
+					Name: "platform",
+					Path: "core/platform",
+					Install: &cozyv1alpha1.ComponentInstall{
+						Namespace:   "cozy-system",
+						ReleaseName: "cozystack-platform",
+					},
+					ValuesFiles: v.valuesFiles,
+				},
+			},
+		}
+	}
+	ps.Spec.Variants = variants
+
+	logger.Info("Applying platform PackageSource", "name", packageSourceName)
+
+	patchOptions := &client.PatchOptions{
+		FieldManager: "cozystack-operator",
+		Force:        func() *bool { b := true; return &b }(),
+	}
+
+	if err := k8sClient.Patch(ctx, ps, client.Apply, patchOptions); err != nil {
+		return fmt.Errorf("failed to apply PackageSource %s: %w", packageSourceName, err)
+	}
+
+	logger.Info("Applied platform PackageSource", "name", packageSourceName)
+	return nil
+}
--- a/cmd/cozystack-operator/main_test.go
+++ b/cmd/cozystack-operator/main_test.go
@@ -0,0 +1,574 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"testing"
+
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func newTestScheme() *runtime.Scheme {
+	s := runtime.NewScheme()
+	_ = cozyv1alpha1.AddToScheme(s)
+	return s
+}
+
+func TestInstallPlatformPackageSource_Creates(t *testing.T) {
+	s := newTestScheme()
+	k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
+
+	err := installPlatformPackageSource(context.Background(), k8sClient, "cozystack-platform", "OCIRepository")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ps := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.cozystack-platform"}, ps); err != nil {
+		t.Fatalf("PackageSource not found: %v", err)
+	}
+
+	// Verify name
+	if ps.Name != "cozystack.cozystack-platform" {
+		t.Errorf("expected name %q, got %q", "cozystack.cozystack-platform", ps.Name)
+	}
+
+	// Verify annotation
+	if ps.Annotations["operator.cozystack.io/skip-cozystack-values"] != "true" {
+		t.Errorf("expected skip-cozystack-values annotation to be 'true', got %q", ps.Annotations["operator.cozystack.io/skip-cozystack-values"])
+	}
+
+	// Verify sourceRef
+	if ps.Spec.SourceRef == nil {
+		t.Fatal("expected SourceRef to be set")
+	}
+	if ps.Spec.SourceRef.Kind != "OCIRepository" {
+		t.Errorf("expected sourceRef.kind %q, got %q", "OCIRepository", ps.Spec.SourceRef.Kind)
+	}
+	if ps.Spec.SourceRef.Name != "cozystack-platform" {
+		t.Errorf("expected sourceRef.name %q, got %q", "cozystack-platform", ps.Spec.SourceRef.Name)
+	}
+	if ps.Spec.SourceRef.Namespace != "cozy-system" {
+		t.Errorf("expected sourceRef.namespace %q, got %q", "cozy-system", ps.Spec.SourceRef.Namespace)
+	}
+	if ps.Spec.SourceRef.Path != "/" {
+		t.Errorf("expected sourceRef.path %q, got %q", "/", ps.Spec.SourceRef.Path)
+	}
+
+	// Verify variants
+	expectedVariants := []string{"default", "isp-full", "isp-hosted", "isp-full-generic"}
+	if len(ps.Spec.Variants) != len(expectedVariants) {
+		t.Fatalf("expected %d variants, got %d", len(expectedVariants), len(ps.Spec.Variants))
+	}
+	for i, name := range expectedVariants {
+		if ps.Spec.Variants[i].Name != name {
+			t.Errorf("expected variant[%d].name %q, got %q", i, name, ps.Spec.Variants[i].Name)
+		}
+		if len(ps.Spec.Variants[i].Components) != 1 {
+			t.Errorf("expected variant[%d] to have 1 component, got %d", i, len(ps.Spec.Variants[i].Components))
+		}
+	}
+}
+
+func TestInstallPlatformPackageSource_Updates(t *testing.T) {
+	s := newTestScheme()
+
+	existing := &cozyv1alpha1.PackageSource{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "cozystack.cozystack-platform",
+			ResourceVersion: "1",
+			Labels: map[string]string{
+				"custom-label": "should-be-preserved",
+			},
+		},
+		Spec: cozyv1alpha1.PackageSourceSpec{
+			SourceRef: &cozyv1alpha1.PackageSourceRef{
+				Kind:      "OCIRepository",
+				Name:      "old-name",
+				Namespace: "cozy-system",
+			},
+		},
+	}
+
+	k8sClient := fake.NewClientBuilder().WithScheme(s).WithObjects(existing).Build()
+
+	err := installPlatformPackageSource(context.Background(), k8sClient, "cozystack-platform", "OCIRepository")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ps := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.cozystack-platform"}, ps); err != nil {
+		t.Fatalf("PackageSource not found: %v", err)
+	}
+
+	// Verify sourceRef was updated
+	if ps.Spec.SourceRef.Name != "cozystack-platform" {
+		t.Errorf("expected updated sourceRef.name %q, got %q", "cozystack-platform", ps.Spec.SourceRef.Name)
+	}
+
+	// Verify all 4 variants are present after update
+	if len(ps.Spec.Variants) != 4 {
+		t.Errorf("expected 4 variants after update, got %d", len(ps.Spec.Variants))
+	}
+
+	// Verify that labels set by other controllers are preserved (SSA does not overwrite unmanaged fields)
+	if ps.Labels["custom-label"] != "should-be-preserved" {
+		t.Errorf("expected custom-label to be preserved, got %q", ps.Labels["custom-label"])
+	}
+}
+
+func TestParsePlatformSourceURL(t *testing.T) {
+	tests := []struct {
+		name       string
+		url        string
+		wantType   string
+		wantURL    string
+		wantErr    bool
+	}{
+		{
+			name:     "OCI URL",
+			url:      "oci://ghcr.io/cozystack/cozystack/cozystack-packages",
+			wantType: "oci",
+			wantURL:  "oci://ghcr.io/cozystack/cozystack/cozystack-packages",
+		},
+		{
+			name:     "HTTPS URL",
+			url:      "https://github.com/cozystack/cozystack",
+			wantType: "git",
+			wantURL:  "https://github.com/cozystack/cozystack",
+		},
+		{
+			name:     "SSH URL",
+			url:      "ssh://git@github.com/cozystack/cozystack",
+			wantType: "git",
+			wantURL:  "ssh://git@github.com/cozystack/cozystack",
+		},
+		{
+			name:    "empty URL",
+			url:     "",
+			wantErr: true,
+		},
+		{
+			name:    "unsupported scheme",
+			url:     "ftp://example.com/repo",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sourceType, repoURL, err := parsePlatformSourceURL(tt.url)
+			if tt.wantErr {
+				if err == nil {
+					t.Fatalf("expected error for URL %q, got nil", tt.url)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if sourceType != tt.wantType {
+				t.Errorf("expected type %q, got %q", tt.wantType, sourceType)
+			}
+			if repoURL != tt.wantURL {
+				t.Errorf("expected URL %q, got %q", tt.wantURL, repoURL)
+			}
+		})
+	}
+}
+
+func TestInstallPlatformPackageSource_VariantValuesFiles(t *testing.T) {
+	s := newTestScheme()
+	k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
+
+	err := installPlatformPackageSource(context.Background(), k8sClient, "cozystack-platform", "OCIRepository")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ps := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.cozystack-platform"}, ps); err != nil {
+		t.Fatalf("PackageSource not found: %v", err)
+	}
+
+	expectedValuesFiles := map[string][]string{
+		"default":          {"values.yaml"},
+		"isp-full":         {"values.yaml", "values-isp-full.yaml"},
+		"isp-hosted":       {"values.yaml", "values-isp-hosted.yaml"},
+		"isp-full-generic": {"values.yaml", "values-isp-full-generic.yaml"},
+	}
+
+	for _, v := range ps.Spec.Variants {
+		expected, ok := expectedValuesFiles[v.Name]
+		if !ok {
+			t.Errorf("unexpected variant %q", v.Name)
+			continue
+		}
+
+		if len(v.Components) != 1 {
+			t.Errorf("variant %q: expected 1 component, got %d", v.Name, len(v.Components))
+			continue
+		}
+
+		comp := v.Components[0]
+		if comp.Name != "platform" {
+			t.Errorf("variant %q: expected component name %q, got %q", v.Name, "platform", comp.Name)
+		}
+		if comp.Path != "core/platform" {
+			t.Errorf("variant %q: expected component path %q, got %q", v.Name, "core/platform", comp.Path)
+		}
+		if comp.Install == nil {
+			t.Errorf("variant %q: expected Install to be set", v.Name)
+		} else {
+			if comp.Install.Namespace != "cozy-system" {
+				t.Errorf("variant %q: expected install namespace %q, got %q", v.Name, "cozy-system", comp.Install.Namespace)
+			}
+			if comp.Install.ReleaseName != "cozystack-platform" {
+				t.Errorf("variant %q: expected install releaseName %q, got %q", v.Name, "cozystack-platform", comp.Install.ReleaseName)
+			}
+		}
+
+		if len(comp.ValuesFiles) != len(expected) {
+			t.Errorf("variant %q: expected %d valuesFiles, got %d", v.Name, len(expected), len(comp.ValuesFiles))
+			continue
+		}
+		for i, f := range expected {
+			if comp.ValuesFiles[i] != f {
+				t.Errorf("variant %q: expected valuesFiles[%d] %q, got %q", v.Name, i, f, comp.ValuesFiles[i])
+			}
+		}
+	}
+}
+
+func TestInstallPlatformPackageSource_CustomName(t *testing.T) {
+	s := newTestScheme()
+	k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
+
+	err := installPlatformPackageSource(context.Background(), k8sClient, "custom-source", "OCIRepository")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ps := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.custom-source"}, ps); err != nil {
+		t.Fatalf("PackageSource not found: %v", err)
+	}
+
+	if ps.Name != "cozystack.custom-source" {
+		t.Errorf("expected name %q, got %q", "cozystack.custom-source", ps.Name)
+	}
+	if ps.Spec.SourceRef.Name != "custom-source" {
+		t.Errorf("expected sourceRef.name %q, got %q", "custom-source", ps.Spec.SourceRef.Name)
+	}
+}
+
+func TestInstallPlatformPackageSource_GitRepository(t *testing.T) {
+	s := newTestScheme()
+	k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
+
+	err := installPlatformPackageSource(context.Background(), k8sClient, "my-source", "GitRepository")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ps := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.my-source"}, ps); err != nil {
+		t.Fatalf("PackageSource not found: %v", err)
+	}
+
+	if ps.Spec.SourceRef.Kind != "GitRepository" {
+		t.Errorf("expected sourceRef.kind %q, got %q", "GitRepository", ps.Spec.SourceRef.Kind)
+	}
+	if ps.Spec.SourceRef.Name != "my-source" {
+		t.Errorf("expected sourceRef.name %q, got %q", "my-source", ps.Spec.SourceRef.Name)
+	}
+}
+
+func TestParseRefSpec(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   string
+		want    map[string]string
+		wantErr bool
+	}{
+		{
+			name:  "empty string",
+			input: "",
+			want:  map[string]string{},
+		},
+		{
+			name:  "single key-value",
+			input: "tag=v1.0",
+			want:  map[string]string{"tag": "v1.0"},
+		},
+		{
+			name:  "multiple key-values",
+			input: "digest=sha256:abc123,tag=v1.0",
+			want:  map[string]string{"digest": "sha256:abc123", "tag": "v1.0"},
+		},
+		{
+			name:  "whitespace around pairs",
+			input: " tag=v1.0 , branch=main ",
+			want:  map[string]string{"tag": "v1.0", "branch": "main"},
+		},
+		{
+			name:  "equals sign in value",
+			input: "digest=sha256:abc=123",
+			want:  map[string]string{"digest": "sha256:abc=123"},
+		},
+		{
+			name:    "missing equals sign",
+			input:   "tag",
+			wantErr: true,
+		},
+		{
+			name:    "empty key",
+			input:   "=value",
+			wantErr: true,
+		},
+		{
+			name:    "empty value",
+			input:   "tag=",
+			wantErr: true,
+		},
+		{
+			name:  "trailing comma",
+			input: "tag=v1.0,",
+			want:  map[string]string{"tag": "v1.0"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := parseRefSpec(tt.input)
+			if tt.wantErr {
+				if err == nil {
+					t.Fatalf("expected error for input %q, got nil", tt.input)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if len(got) != len(tt.want) {
+				t.Fatalf("expected %d entries, got %d: %v", len(tt.want), len(got), got)
+			}
+			for k, v := range tt.want {
+				if got[k] != v {
+					t.Errorf("expected %q=%q, got %q=%q", k, v, k, got[k])
+				}
+			}
+		})
+	}
+}
+
+func TestValidateOCIRef(t *testing.T) {
+	tests := []struct {
+		name    string
+		refMap  map[string]string
+		wantErr bool
+	}{
+		{
+			name:   "valid tag",
+			refMap: map[string]string{"tag": "v1.0"},
+		},
+		{
+			name:   "valid digest",
+			refMap: map[string]string{"digest": "sha256:abc123def456"},
+		},
+		{
+			name:   "valid semver",
+			refMap: map[string]string{"semver": ">=1.0.0"},
+		},
+		{
+			name:   "multiple valid keys",
+			refMap: map[string]string{"tag": "v1.0", "digest": "sha256:abc"},
+		},
+		{
+			name:   "empty map",
+			refMap: map[string]string{},
+		},
+		{
+			name:    "invalid key",
+			refMap:  map[string]string{"branch": "main"},
+			wantErr: true,
+		},
+		{
+			name:    "invalid digest format",
+			refMap:  map[string]string{"digest": "md5:abc"},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateOCIRef(tt.refMap)
+			if tt.wantErr && err == nil {
+				t.Fatal("expected error, got nil")
+			}
+			if !tt.wantErr && err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+		})
+	}
+}
+
+func TestValidateGitRef(t *testing.T) {
+	tests := []struct {
+		name    string
+		refMap  map[string]string
+		wantErr bool
+	}{
+		{
+			name:   "valid branch",
+			refMap: map[string]string{"branch": "main"},
+		},
+		{
+			name:   "valid commit",
+			refMap: map[string]string{"commit": "abc1234"},
+		},
+		{
+			name:   "valid tag and branch",
+			refMap: map[string]string{"tag": "v1.0", "branch": "release"},
+		},
+		{
+			name:   "empty map",
+			refMap: map[string]string{},
+		},
+		{
+			name:    "invalid key",
+			refMap:  map[string]string{"digest": "sha256:abc"},
+			wantErr: true,
+		},
+		{
+			name:    "commit too short",
+			refMap:  map[string]string{"commit": "abc"},
+			wantErr: true,
+		},
+		{
+			name:    "commit not hex",
+			refMap:  map[string]string{"commit": "zzzzzzz"},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateGitRef(tt.refMap)
+			if tt.wantErr && err == nil {
+				t.Fatal("expected error, got nil")
+			}
+			if !tt.wantErr && err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+		})
+	}
+}
+
+func TestGenerateOCIRepository(t *testing.T) {
+	refMap := map[string]string{"tag": "v1.0", "digest": "sha256:abc123"}
+	obj, err := generateOCIRepository("my-repo", "oci://registry.example.com/repo", refMap)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if obj.Name != "my-repo" {
+		t.Errorf("expected name %q, got %q", "my-repo", obj.Name)
+	}
+	if obj.Namespace != "cozy-system" {
+		t.Errorf("expected namespace %q, got %q", "cozy-system", obj.Namespace)
+	}
+	if obj.Spec.URL != "oci://registry.example.com/repo" {
+		t.Errorf("expected URL %q, got %q", "oci://registry.example.com/repo", obj.Spec.URL)
+	}
+	if obj.Spec.Reference == nil {
+		t.Fatal("expected Reference to be set")
+	}
+	if obj.Spec.Reference.Tag != "v1.0" {
+		t.Errorf("expected tag %q, got %q", "v1.0", obj.Spec.Reference.Tag)
+	}
+	if obj.Spec.Reference.Digest != "sha256:abc123" {
+		t.Errorf("expected digest %q, got %q", "sha256:abc123", obj.Spec.Reference.Digest)
+	}
+}
+
+func TestGenerateOCIRepository_NoRef(t *testing.T) {
+	obj, err := generateOCIRepository("my-repo", "oci://registry.example.com/repo", map[string]string{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if obj.Spec.Reference != nil {
+		t.Error("expected Reference to be nil for empty refMap")
+	}
+}
+
+func TestGenerateOCIRepository_InvalidRef(t *testing.T) {
+	_, err := generateOCIRepository("my-repo", "oci://registry.example.com/repo", map[string]string{"branch": "main"})
+	if err == nil {
+		t.Fatal("expected error for invalid OCI ref key, got nil")
+	}
+}
+
+func TestGenerateGitRepository(t *testing.T) {
+	refMap := map[string]string{"branch": "main", "commit": "abc1234def5678"}
+	obj, err := generateGitRepository("my-repo", "https://github.com/user/repo", refMap)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if obj.Name != "my-repo" {
+		t.Errorf("expected name %q, got %q", "my-repo", obj.Name)
+	}
+	if obj.Namespace != "cozy-system" {
+		t.Errorf("expected namespace %q, got %q", "cozy-system", obj.Namespace)
+	}
+	if obj.Spec.URL != "https://github.com/user/repo" {
+		t.Errorf("expected URL %q, got %q", "https://github.com/user/repo", obj.Spec.URL)
+	}
+	if obj.Spec.Reference == nil {
+		t.Fatal("expected Reference to be set")
+	}
+	if obj.Spec.Reference.Branch != "main" {
+		t.Errorf("expected branch %q, got %q", "main", obj.Spec.Reference.Branch)
+	}
+	if obj.Spec.Reference.Commit != "abc1234def5678" {
+		t.Errorf("expected commit %q, got %q", "abc1234def5678", obj.Spec.Reference.Commit)
+	}
+}
+
+func TestGenerateGitRepository_NoRef(t *testing.T) {
+	obj, err := generateGitRepository("my-repo", "https://github.com/user/repo", map[string]string{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if obj.Spec.Reference != nil {
+		t.Error("expected Reference to be nil for empty refMap")
+	}
+}
+
+func TestGenerateGitRepository_InvalidRef(t *testing.T) {
+	_, err := generateGitRepository("my-repo", "https://github.com/user/repo", map[string]string{"digest": "sha256:abc"})
+	if err == nil {
+		t.Fatal("expected error for invalid Git ref key, got nil")
+	}
+}
--- a/dashboards/mongodb/mongodb-inmemory.json
+++ b/dashboards/mongodb/mongodb-inmemory.json
--- a/dashboards/mongodb/mongodb-overview.json
+++ b/dashboards/mongodb/mongodb-overview.json
--- a/dashboards/nats/nats-jetstream.json
+++ b/dashboards/nats/nats-jetstream.json
--- a/dashboards/nats/nats-server.json
+++ b/dashboards/nats/nats-server.json
--- a/docs/changelogs/v0.40.5.md
+++ b/docs/changelogs/v0.40.5.md
@@ -0,0 +1,15 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.40.5
+-->
+
+## Improvements
+
+* **[dashboard] Improve dashboard session params**: Improved session parameter handling in the dashboard for better user experience and more reliable session management ([**@lllamnyp**](https://github.com/lllamnyp) in #1913, #1919).
+
+## Dependencies
+
+* **Update cozyhr to v1.6.1**: Updated cozyhr to v1.6.1, which fixes a critical bug causing helm-controller v0.37.0+ to unexpectedly uninstall HelmReleases after cozyhr apply by correcting history snapshot fields for helm-controller compatibility ([**@kvaps**](https://github.com/kvaps) in cozystack/cozyhr#10).
+
+---
+
+**Full Changelog**: [v0.40.4...v0.40.5](https://github.com/cozystack/cozystack/compare/v0.40.4...v0.40.5)
--- a/docs/changelogs/v0.40.6.md
+++ b/docs/changelogs/v0.40.6.md
@@ -0,0 +1,11 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.40.6
+-->
+
+## Fixes
+
+* **[kubernetes] Fix manifests for kubernetes deployment**: Fixed incorrect manifests that prevented proper Kubernetes deployment, restoring correct application behavior ([**@IvanHunters**](https://github.com/IvanHunters) in #1943, #1944).
+
+---
+
+**Full Changelog**: [v0.40.5...v0.40.6](https://github.com/cozystack/cozystack/compare/v0.40.5...v0.40.6)
--- a/docs/changelogs/v0.40.7.md
+++ b/docs/changelogs/v0.40.7.md
@@ -0,0 +1,11 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.40.7
+-->
+
+## Security
+
+* **[dashboard] Verify JWT token**: Added JWT token verification to the dashboard, ensuring that authentication tokens are properly validated before granting access. This prevents unauthorized access through forged or expired tokens ([**@lllamnyp**](https://github.com/lllamnyp) in #1980, #1984).
+
+---
+
+**Full Changelog**: [v0.40.6...v0.40.7](https://github.com/cozystack/cozystack/compare/v0.40.6...v0.40.7)
--- a/docs/changelogs/v0.41.4.md
+++ b/docs/changelogs/v0.41.4.md
@@ -0,0 +1,11 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.4
+-->
+
+## Dependencies
+
+* **Update cozyhr to v1.6.1**: Updated cozyhr to v1.6.1, which fixes a critical bug causing helm-controller v0.37.0+ to unexpectedly uninstall HelmReleases after cozyhr apply by correcting history snapshot fields for helm-controller compatibility ([**@kvaps**](https://github.com/kvaps) in cozystack/cozyhr#10).
+
+---
+
+**Full Changelog**: [v0.41.3...v0.41.4](https://github.com/cozystack/cozystack/compare/v0.41.3...v0.41.4)
--- a/docs/changelogs/v0.41.5.md
+++ b/docs/changelogs/v0.41.5.md
@@ -0,0 +1,21 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.5
+-->
+
+## Features and Improvements
+
+* **[dashboard] Add "Edit" button to all resources**: Added an "Edit" button across all resource views in the dashboard, allowing users to modify resource configurations directly from the UI ([**@sircthulhu**](https://github.com/sircthulhu) in #1928, #1931).
+
+* **[dashboard] Add resource quota usage to tenant details page**: Added resource quota usage display to the tenant details page, giving administrators visibility into how much of allocated resources each tenant is consuming ([**@sircthulhu**](https://github.com/sircthulhu) in #1929, #1932).
+
+* **[branding] Separate values for keycloak**: Separated Keycloak branding values into dedicated configuration, allowing more granular customization of Keycloak appearance without affecting other branding settings ([**@nbykov0**](https://github.com/nbykov0) in #1946).
+
+* **Add instance profile label to workload monitor**: Added instance profile metadata labels to the workload monitor, enabling better resource tracking and monitoring by instance profile type ([**@matthieu-robin**](https://github.com/matthieu-robin) in #1954, #1957).
+
+## Fixes
+
+* **[kubernetes] Fix manifests for kubernetes deployment**: Fixed incorrect manifests that prevented proper Kubernetes deployment, restoring correct application behavior ([**@IvanHunters**](https://github.com/IvanHunters) in #1943, #1945).
+
+---
+
+**Full Changelog**: [v0.41.4...v0.41.5](https://github.com/cozystack/cozystack/compare/v0.41.4...v0.41.5)
--- a/docs/changelogs/v0.41.6.md
+++ b/docs/changelogs/v0.41.6.md
@@ -0,0 +1,17 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.6
+-->
+
+## Improvements
+
+* **[vm] Allow changing field external after creation**: Users can now modify the external network field on virtual machines after initial creation, providing more flexibility in VM networking configuration without requiring recreation ([**@sircthulhu**](https://github.com/sircthulhu) in #1956, #1962).
+
+* **[branding] Separate values for keycloak**: Separated Keycloak branding values into dedicated configuration for more granular customization of Keycloak appearance ([**@nbykov0**](https://github.com/nbykov0) in #1947, #1963).
+
+## Fixes
+
+* **[kubernetes] Fix coredns serviceaccount to match kubernetes bootstrap RBAC**: Configured the CoreDNS chart to create a `kube-dns` ServiceAccount matching the Kubernetes bootstrap ClusterRoleBinding, fixing RBAC errors (`Failed to watch`) when CoreDNS pods restart ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1958, #1978).
+
+---
+
+**Full Changelog**: [v0.41.5...v0.41.6](https://github.com/cozystack/cozystack/compare/v0.41.5...v0.41.6)
--- a/docs/changelogs/v0.41.7.md
+++ b/docs/changelogs/v0.41.7.md
@@ -0,0 +1,15 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.7
+-->
+
+## Security
+
+* **[dashboard] Verify JWT token**: Added JWT token verification to the dashboard, ensuring that authentication tokens are properly validated before granting access. This prevents unauthorized access through forged or expired tokens ([**@lllamnyp**](https://github.com/lllamnyp) in #1980, #1983).
+
+## Fixes
+
+* **[postgres-operator] Correct PromQL syntax in CNPGClusterOffline alert**: Fixed incorrect PromQL syntax in the `CNPGClusterOffline` alert rule for CloudNativePG, ensuring the alert fires correctly when all instances of a PostgreSQL cluster are offline ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1981, #1989).
+
+---
+
+**Full Changelog**: [v0.41.6...v0.41.7](https://github.com/cozystack/cozystack/compare/v0.41.6...v0.41.7)
--- a/docs/changelogs/v0.41.8.md
+++ b/docs/changelogs/v0.41.8.md
@@ -0,0 +1,17 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.8
+-->
+
+## Features and Improvements
+
+* **[kubernetes] Auto-enable Gateway API support in cert-manager**: cert-manager now automatically enables `enableGatewayAPI` when the Gateway API addon is active in the Kubernetes application. Users no longer need to manually configure this setting, and the option can still be overridden via `valuesOverride` ([**@kvaps**](https://github.com/kvaps) in #1997, #2012).
+
+* **[vm] Allow switching between instancetype and custom resources**: Users can now switch virtual machines between instancetype-based and custom resource configurations after creation. The upgrade hook atomically patches VM resources, providing more flexibility in adjusting VM sizing without recreation ([**@sircthulhu**](https://github.com/sircthulhu) in #2008, #2013).
+
+## Fixes
+
+* **[dashboard] Add startupProbe to prevent container restarts on slow hardware**: Added `startupProbe` to both `bff` and `web` containers in the dashboard deployment. On slow hardware, kubelet was killing containers because the `livenessProbe` only allowed ~33 seconds for startup. The `startupProbe` gives containers up to 60 seconds to start before `livenessProbe` kicks in ([**@kvaps**](https://github.com/kvaps) in #1996, #2014).
+
+---
+
+**Full Changelog**: [v0.41.7...v0.41.8](https://github.com/cozystack/cozystack/compare/v0.41.7...v0.41.8)
--- a/docs/changelogs/v0.41.9.md
+++ b/docs/changelogs/v0.41.9.md
@@ -0,0 +1,15 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.9
+-->
+
+## Fixes
+
+* **[cozystack-basics] Deny resourcequotas deletion for tenant admin**: Prevented tenant administrators from deleting resource quotas, ensuring that resource limits set by platform administrators cannot be bypassed by tenant-level users ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2076).
+
+## Dependencies
+
+* **Update Kube-OVN to v1.15.3**: Updated Kube-OVN CNI to v1.15.3 with latest bug fixes and improvements ([**@kvaps**](https://github.com/kvaps)).
+
+---
+
+**Full Changelog**: [v0.41.8...v0.41.9](https://github.com/cozystack/cozystack/compare/v0.41.8...v0.41.9)
--- a/docs/changelogs/v1.0.0-beta.5.md
+++ b/docs/changelogs/v1.0.0-beta.5.md
@@ -0,0 +1,36 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.0-beta.5
+-->
+
+> **⚠️ Beta Release Warning**: This is a pre-release version intended for testing and early adoption. Breaking changes may occur before the stable v1.0.0 release.
+
+## Features and Improvements
+
+* **[installer] Add variant-aware templates for generic Kubernetes support**: Extended the installer chart to support generic and hosted Kubernetes deployments via the existing `cozystackOperator.variant` parameter. When using `variant=generic`, the installer now renders separate templates for the Cozystack operator, skipping Talos-specific components. This enables users to deploy Cozystack on standard Kubernetes distributions and hosted Kubernetes services, expanding platform compatibility beyond Talos Linux ([**@lexfrei**](https://github.com/lexfrei) in #2010).
+
+* **[kilo] Add Cilium compatibility variant**: Added a new `cilium` variant to the kilo PackageSource that deploys kilo with the `--compatibility=cilium` flag. This enables Cilium-aware IPIP encapsulation where the outer packet IP matches the inner packet source, allowing Cilium's network policies to function correctly with kilo's WireGuard mesh networking. Users can now run kilo alongside Cilium CNI while maintaining full network policy enforcement capabilities ([**@kvaps**](https://github.com/kvaps) in #2055).
+
+* **[cluster-autoscaler] Enable enforce-node-group-min-size by default**: Enabled the `enforce-node-group-min-size` option for the system cluster-autoscaler chart. This ensures node groups are always scaled up to their configured minimum size, even when current workload demands are lower, preventing unexpected scale-down below minimum thresholds and improving cluster stability for production workloads ([**@kvaps**](https://github.com/kvaps) in #2050).
+
+* **[dashboard] Upgrade dashboard to version 1.4.0**: Updated the Cozystack dashboard to version 1.4.0 with new features and improvements for better user experience and cluster management capabilities ([**@sircthulhu**](https://github.com/sircthulhu) in #2051).
+
+## Breaking Changes & Upgrade Notes
+
+* **[vpc] Migrate subnets definition from map to array format**: Migrated VPC subnets definition from map format (`map[string]Subnet`) to array format (`[]Subnet`) with an explicit `name` field. This aligns VPC subnet definitions with the vm-instance `networks` field pattern and provides more intuitive configuration. Existing VPC deployments are automatically migrated via migration 30, which converts the subnet map to an array while preserving all existing subnet configurations and network connectivity ([**@kvaps**](https://github.com/kvaps) in #2052).
+
+## Dependencies
+
+* **[kilo] Update to v0.8.0**: Updated Kilo WireGuard mesh networking to v0.8.0 with performance improvements, bug fixes, and new compatibility features ([**@kvaps**](https://github.com/kvaps) in #2053).
+
+* **[talm] Skip config loading for __complete command**: Fixed CLI completion behavior by skipping config loading for the `__complete` command, preventing errors during shell completion when configuration files are not available or misconfigured ([**@kitsunoff**](https://github.com/kitsunoff) in cozystack/talm#109).
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@kitsunoff**](https://github.com/kitsunoff)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0-beta.4...v1.0.0-beta.5
--- a/docs/changelogs/v1.0.0-beta.6.md
+++ b/docs/changelogs/v1.0.0-beta.6.md
@@ -0,0 +1,46 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.0-beta.6
+-->
+
+> **⚠️ Beta Release Warning**: This is a pre-release version intended for testing and early adoption. Breaking changes may occur before the stable v1.0.0 release.
+
+## Features and Improvements
+
+* **[platform] Add cilium-kilo networking variant**: Added a new `cilium-kilo` networking variant that combines Cilium CNI with Kilo WireGuard mesh overlay. This variant enables `enable-ipip-termination` in Cilium for proper IPIP packet handling and deploys Kilo with `--compatibility=cilium` flag. Users can now select `cilium-kilo` as their networking variant during platform setup, simplifying the multi-location WireGuard setup compared to manually combining Cilium and standalone Kilo ([**@kvaps**](https://github.com/kvaps) in #2064).
+
+* **[nats] Add monitoring**: Added Grafana dashboards for NATS JetStream and server metrics monitoring, along with Prometheus monitoring support with TLS-aware endpoint configuration. Includes updated image customization options (digest and full image name) and component version upgrades for the NATS exporter and utilities. Users now have full observability into NATS message broker performance and health ([**@klinch0**](https://github.com/klinch0) in #1381).
+
+* **[platform] Add DNS-1035 validation for Application names**: Added dynamic DNS-1035 label validation for Application names in the Cozystack API, using `IsDNS1035Label` from `k8s.io/apimachinery`. Validation is performed at creation time and accounts for the root host length to prevent names that would exceed Kubernetes resource naming limits. This prevents creation of resources with invalid names that would fail downstream Kubernetes resource creation ([**@lexfrei**](https://github.com/lexfrei) in #1771).
+
+* **[operator] Add automatic CRD installation at startup**: Added `--install-crds` flag to the Cozystack operator that installs embedded CRD manifests at startup, ensuring CRDs exist before the operator begins reconciliation. CRD manifests are now embedded in the operator binary and verified for consistency with the Helm `crds/` directory via a new CI Makefile check. This eliminates ordering issues during initial cluster setup where CRDs might not yet be present ([**@lexfrei**](https://github.com/lexfrei) in #2060).
+
+## Fixes
+
+* **[platform] Adopt tenant-root into cozystack-basics during migration**: Added migration 31 to adopt existing `tenant-root` Namespace and HelmRelease into the `cozystack-basics` Helm release when upgrading from v0.41.x to v1.0. Previously these resources were applied via `kubectl apply` with no Helm release tracking, causing Helm to treat them as foreign resources and potentially delete them during reconciliation. This migration ensures a safe upgrade path by annotating and labeling these resources for Helm adoption ([**@kvaps**](https://github.com/kvaps) in #2065).
+
+* **[platform] Preserve tenant-root HelmRelease during migration**: Fixed a data-loss risk during migration from v0.41.x to v1.0.0-beta where the `tenant-root` HelmRelease (and the namespace it manages) could be deleted, causing tenant service outages. Added safety annotation to the HelmRelease and lookup logic to preserve current parameters during migration, preventing unwanted deletion of tenant-root resources ([**@sircthulhu**](https://github.com/sircthulhu) in #2063).
+
+* **[codegen] Add gen_client to update-codegen.sh and regenerate applyconfiguration**: Fixed a build error in `pkg/generated/applyconfiguration/utils.go` caused by a reference to `testing.TypeConverter` which was removed in client-go v0.34.1. The root cause was that `hack/update-codegen.sh` never called `gen_client`, leaving the generated applyconfiguration code stale. Running the full code generation now produces a consistent and compilable codebase ([**@lexfrei**](https://github.com/lexfrei) in #2061).
+
+* **[e2e] Make kubernetes test retries effective by cleaning up stale resources**: Fixed E2E test retries for the Kubernetes tenant test by adding pre-creation cleanup of backend deployment/service and NFS pod/PVC in `run-kubernetes.sh`. Previously, retries would fail immediately because stale resources from a failed attempt blocked re-creation. Also increased the tenant deployment wait timeout from 90s to 300s to handle CI resource pressure ([**@lexfrei**](https://github.com/lexfrei) in #2062).
+
+## Development, Testing, and CI/CD
+
+* **[e2e] Use helm install instead of kubectl apply for cozystack installation**: Replaced the pre-rendered static YAML application flow (`kubectl apply`) with direct `helm upgrade --install` of the `packages/core/installer` chart in E2E tests. Removed the CRD/operator artifact upload/download steps from the CI workflow, simplifying the pipeline. The chart with correct values is already present in the sandbox via workspace copy and `pr.patch` ([**@lexfrei**](https://github.com/lexfrei) in #2060).
+
+## Documentation
+
+* **[website] Improve Azure autoscaling troubleshooting guide**: Enhanced the Azure autoscaling troubleshooting documentation with serial console instructions for debugging VMSS worker nodes, a troubleshooting section for nodes stuck in maintenance mode due to invalid or missing machine config, `az vmss update --custom-data` instructions for updating machine config, and a warning that Azure does not support reading back `customData` ([**@kvaps**](https://github.com/kvaps) in cozystack/website#424).
+
+* **[website] Update multi-location documentation for cilium-kilo variant**: Updated multi-location networking documentation to reflect the new integrated `cilium-kilo` variant selection during platform setup, replacing the previous manual Kilo installation and Cilium configuration steps. Added explanation of `enable-ipip-termination` and updated the troubleshooting section ([**@kvaps**](https://github.com/kvaps) in cozystack/website@02d63f0).
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@klinch0**](https://github.com/klinch0)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0-beta.5...v1.0.0-beta.6
--- a/docs/changelogs/v1.0.0-rc.1.md
+++ b/docs/changelogs/v1.0.0-rc.1.md
@@ -0,0 +1,65 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.0-rc.1
+-->
+
+> **⚠️ Release Candidate Warning**: This is a release candidate intended for final validation before the stable v1.0.0 release. Breaking changes are not expected at this stage, but please test thoroughly before deploying to production.
+
+## Features and Improvements
+
+* **[harbor] Add managed Harbor container registry**: Added Harbor v2.14.2 as a managed tenant-level container registry service. The application uses CloudNativePG for PostgreSQL, the Redis operator for caching, and S3 via COSI BucketClaim (from SeaweedFS) for registry image storage. Auto-generated admin credentials are persisted across upgrades, TLS is handled by cert-manager, and Trivy vulnerability scanner is included. Users can now deploy a fully managed, production-ready OCI container registry within their tenant ([**@lexfrei**](https://github.com/lexfrei) in #2058).
+
+* **[kubernetes] Update supported Kubernetes versions to v1.30–v1.35**: Updated the tenant Kubernetes version matrix to v1.30, v1.31, v1.32, v1.33, v1.34, and v1.35 (now the default). EOL versions v1.28 and v1.29 are removed. Kamaji is updated to edge-26.2.4 with full Kubernetes 1.35 support, and the CAPI Kamaji provider is updated to v0.16.0. A compatibility patch ensures kubelets older than v1.35 are not broken by Kamaji injecting 1.35-specific kubelet fields ([**@lexfrei**](https://github.com/lexfrei) in #2073).
+
+* **[platform] Make cluster issuer name and ACME solver configurable**: Added `publishing.certificates.solver` (`http01` or `dns01`) and `publishing.certificates.issuerName` (default: `letsencrypt-prod`) parameters to the platform chart. This allows operators to point all ingress TLS annotations at any ClusterIssuer — custom ACME, self-signed, or internal CA — without modifying individual package templates. See the Breaking Changes section for the rename from the previous `issuerType` field ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
+
+* **[dashboard] VMInstance dropdowns for disks and instanceType**: The VM instance creation form now renders API-backed dropdowns for the `instanceType` field (populated from `VirtualMachineClusterInstancetype` cluster resources) and for disk `name` fields (populated from `VMDisk` resources in the same namespace). Default values are read from the ApplicationDefinition's OpenAPI schema. This eliminates manual lookups and reduces misconfiguration when attaching disks or selecting VM instance types ([**@sircthulhu**](https://github.com/sircthulhu) in #2071).
+
+* **[installer] Remove CRDs from Helm chart, delegate lifecycle to operator**: The `cozy-installer` Helm chart no longer ships CRDs in its `crds/` directory. CRD lifecycle is now fully managed by the Cozystack operator via the `--install-crds` flag, which applies embedded CRD manifests on every startup using server-side apply. The platform PackageSource is also created by the operator instead of a Helm template. This ensures CRDs and the PackageSource are always up to date after each operator restart, eliminating stale CRDs from Helm's install-only behavior ([**@lexfrei**](https://github.com/lexfrei) in #2074).
+
+## Fixes
+
+* **[kubevirt] Update KubeVirt to v1.6.4 and CDI to v1.64.0, fix VM pod initialization**: Updated KubeVirt operator to v1.6.4 and CDI operator to v1.64.0, including live migration of existing VMs during the upgrade. Additionally, disabled serial console logging globally via the KubeVirt CR to prevent a known v1.6.x issue ([upstream #15989](https://github.com/kubevirt/kubevirt/issues/15989)) where the `guest-console-log` init container blocked virt-launcher pods from starting, causing all VMs to get stuck in `PodInitializing` state ([**@nbykov0**](https://github.com/nbykov0) in #1833; [**@kvaps**](https://github.com/kvaps) in 7dfb819).
+
+* **[linstor] Fix DRBD+LUKS+STORAGE resource creation failure**: All newly created encrypted volumes were failing because the DRBD `.res` file was never written due to a missing `setExists(true)` call in the `LuksLayer`. Applied the upstream `skip-adjust-when-device-inaccessible` patch ([LINBIT/linstor-server#477](https://github.com/LINBIT/linstor-server/pull/477)) which fixes the root cause and also prevents unnecessary lsblk calls when devices are not yet physically present ([**@kvaps**](https://github.com/kvaps) in #2072).
+
+* **[system] Fix monitoring-agents FQDN resolution for tenant workload clusters**: Monitoring agents (`vmagent`, `fluent-bit`) in tenant workload clusters were failing to deliver metrics and logs because service addresses used short DNS names without the cluster domain suffix. Fixed by appending the configured cluster domain from `_cluster.cluster-domain` (with fallback to `cluster.local`) to all vmagent remoteWrite URLs and fluent-bit output hosts ([**@IvanHunters**](https://github.com/IvanHunters) in #2075).
+
+* **[cozystack-basics] Preserve existing HelmRelease values during reconciliations**: Fixed a data-loss bug where changes made to the `tenant-root` HelmRelease were silently dropped on the next forced or upgrade reconciliation of the `cozystack-basics` HelmRelease. The reconciler now merges new configuration with existing values instead of overwriting them ([**@sircthulhu**](https://github.com/sircthulhu) in #2068).
+
+* **[cozystack-basics] Deny resourcequotas deletion for tenant admin**: Fixed the `cozy:tenant:admin:base` ClusterRole to explicitly deny deletion of `ResourceQuota` objects for tenant admins and superadmins, preventing accidental removal of tenant resource limits ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2076).
+
+## Breaking Changes & Upgrade Notes
+
+* **[platform] Certificate issuer configuration parameters renamed**: The `publishing.certificates.issuerType` field is renamed to `publishing.certificates.solver`, and the value `cloudflare` is renamed to `dns01` to align with standard ACME terminology. A new `publishing.certificates.issuerName` field (default: `letsencrypt-prod`) is introduced to allow pointing all ingresses at a custom ClusterIssuer. Migration 32 is included and automatically converts existing configurations during upgrade — no manual action is required ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
+
+## Documentation
+
+* **[website] Migrate ConfigMap references to Platform Package in v1 documentation**: Updated the entire v1 documentation tree to replace legacy ConfigMap-based configuration references with the new Platform Package API, ensuring guides are consistent with the v1 configuration model ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#426).
+
+* **[website] Add generic Kubernetes deployment guide for v1**: Added a new installation guide covering Cozystack deployment on any generic Kubernetes cluster, expanding the set of supported deployment targets beyond provider-specific guides ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#408).
+
+* **[website] Refactor resource planning documentation**: Improved the resource planning guide with a clearer structure and more comprehensive coverage of planning considerations for Cozystack deployments ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#423).
+
+* **[website] Add ServiceAccount API access documentation and update FAQ**: Added a new article documenting ServiceAccount API access token configuration and updated the FAQ to include related troubleshooting guidance ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#421).
+
+* **[website] Update networking-mesh allowed-location-ips example**: Replaced provider-specific CLI usage with standard `kubectl` commands in the multi-location networking guide's `allowed-location-ips` example, making the documentation more universally applicable ([**@kvaps**](https://github.com/kvaps) in cozystack/website#425).
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@IvanStukov**](https://github.com/IvanStukov)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
+* [**@nbykov0**](https://github.com/nbykov0)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+
+### New Contributors
+
+We're excited to welcome our first-time contributors:
+
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil) - First contribution!
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0-beta.6...v1.0.0-rc.1
--- a/docs/changelogs/v1.0.0-rc.2.md
+++ b/docs/changelogs/v1.0.0-rc.2.md
@@ -0,0 +1,57 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.0-rc.2
+-->
+
+> **⚠️ Release Candidate Warning**: This is a release candidate intended for final validation before the stable v1.0.0 release. Breaking changes are not expected at this stage, but please test thoroughly before deploying to production.
+
+## Features and Improvements
+
+* **[keycloak] Allow custom Ingress hostname via values**: Added an `ingress.host` field to the cozy-keycloak chart values, allowing operators to override the default `keycloak.<root-host>` Ingress hostname. The custom hostname is applied to both the Ingress resource and the `KC_HOSTNAME` environment variable in the StatefulSet. When left empty, the original behavior is preserved (fully backward compatible) ([**@sircthulhu**](https://github.com/sircthulhu) in #2101).
+
+## Fixes
+
+* **[platform] Fix upgrade issues in migrations, etcd timeout, and migration script**: Fixed multiple upgrade failures discovered during v0.41.1 → v1.0 upgrade testing. Migration 26 now uses the `cozystack.io/ui=true` label (always present on v0.41.1) instead of the new label that depends on migration 22 having run, and adds robust Helm secret deletion with fallback and verification. Migrations 28 and 29 wrap `grep` calls to prevent `pipefail` exits and fix the reconcile annotation to use RFC3339 format. Migration 27 now skips missing CRDs and adds a name-pattern fallback for Helm secret deletion. The etcd HelmRelease timeout is increased from 10m to 30m to accommodate TLS cert rotation hooks. The `migrate-to-version-1.0.sh` script gains the missing `bundle-disable`, `bundle-enable`, `expose-ingress`, and `expose-services` field mappings ([**@kvaps**](https://github.com/kvaps) in #2096).
+
+* **[platform] Fix orphaned -rd HelmReleases after application renames**: After the `ferretdb→mongodb`, `mysql→mariadb`, and `virtual-machine→vm-disk+vm-instance` renames, the system-level `-rd` HelmReleases in `cozy-system` (`ferretdb-rd`, `mysql-rd`, `virtual-machine-rd`) were left orphaned, referencing ExternalArtifacts that no longer exist and causing persistent reconciliation failures. Migrations 28 and 29 are updated to remove these resources, and migration 33 is added as a safety net for clusters that already passed those migrations ([**@kvaps**](https://github.com/kvaps) in #2102).
+
+* **[monitoring-agents] Fix FQDN resolution regression in tenant workload clusters**: The fix introduced in #2075 used `_cluster.cluster-domain` references in `values.yaml`, but `_cluster` values are not accessible from Helm subchart contexts — meaning fluent-bit received empty hostnames and failed to forward logs. This PR replaces the `_cluster` references with a new `global.clusterDomain` variable (empty by default for management clusters, set to the cluster domain for tenant clusters), which is correctly shared with all subcharts ([**@kvaps**](https://github.com/kvaps) in #2086).
+
+* **[dashboard] Fix legacy templating and cluster identifier in sidebar links**: Standardized the cluster identifier used across dashboard menu links, administration links, and API request paths, resolving incorrect or broken link targets for the Backups and External IPs sidebar sections ([**@androndo**](https://github.com/androndo) in #2093).
+
+* **[dashboard] Fix backupjobs creation form and sidebar backup category identifier**: Fixed the backup job creation form configuration, adding the required Name, Namespace, Plan Name, Application, and Backup Class fields. Fixed the sidebar backup category identifier that was causing incorrect navigation ([**@androndo**](https://github.com/androndo) in #2103).
+
+## Documentation
+
+* **[website] Add Helm chart development principles guide**: Added a new developer guide section documenting Cozystack's four core Helm chart principles: easy upstream updates, local-first artifacts, local dev/test workflow, and no external dependencies ([**@kvaps**](https://github.com/kvaps) in cozystack/website#418).
+
+* **[website] Add network architecture overview**: Added comprehensive network architecture documentation covering the multi-layered networking stack — MetalLB (L2/BGP), Cilium eBPF (kube-proxy replacement), Kube-OVN (centralized IPAM), and tenant isolation with identity-based eBPF policies — with Mermaid diagrams for all major traffic flows ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#422).
+
+* **[website] Update documentation to use jsonpatch for service exposure**: Improved `kubectl patch` commands throughout installation and configuration guides to use JSON Patch `add` operations for extending arrays instead of replacing them wholesale, making the documented commands safer and more precise ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#427).
+
+* **[website] Update certificates section in Platform Package documentation**: Updated the certificate configuration documentation to reflect the new `solver` and `issuerName` fields introduced in v1.0.0-rc.1, replacing the legacy `issuerType` references ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in cozystack/website#429).
+
+* **[website] Add tenant Kubernetes cluster log querying guide**: Added documentation for querying logs from tenant Kubernetes clusters in Grafana using VictoriaLogs labels (`tenant`, `kubernetes_namespace_name`, `kubernetes_pod_name`), including the `monitoringAgents` addon prerequisite and step-by-step filtering examples ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#430).
+
+* **[website] Replace non-idempotent commands with idempotent alternatives**: Updated `helm install` to `helm upgrade --install`, `kubectl create -f` to `kubectl apply -f`, and `kubectl create ns` to the dry-run+apply pattern across all installation and deployment guides so commands can be safely re-run ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#431).
+
+* **[website] Fix broken documentation links with `.md` suffix**: Fixed incorrect internal links with `.md` suffix across virtualization guides for both v0 and v1 documentation, standardizing link text to "Developer Guide" ([**@cheese**](https://github.com/cheese) in cozystack/website#432).
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@androndo**](https://github.com/androndo)
+* [**@cheese**](https://github.com/cheese)
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+
+### New Contributors
+
+We're excited to welcome our first-time contributors:
+
+* [**@cheese**](https://github.com/cheese) - First contribution!
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0-rc.1...v1.0.0-rc.2
--- a/docs/changelogs/v1.0.0.md
+++ b/docs/changelogs/v1.0.0.md
@@ -0,0 +1,289 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.0
+-->
+
+# Cozystack v1.0.0 — "Stable"
+
+We are thrilled to announce **Cozystack v1.0.0**, the first stable major release of the Cozystack platform. This milestone represents a fundamental architectural evolution from the v0.x series, introducing a fully operator-driven package management system, a comprehensive backup and restore framework, a redesigned virtual machine architecture, and a rich set of new managed applications — all hardened through an extensive alpha, beta, and release-candidate cycle.
+
+## Feature Highlights
+
+### Package-Based Architecture with Cozystack Operator
+
+The most significant architectural change in v1.0.0 is the replacement of HelmRelease bundle deployments with a declarative **Package** and **PackageSource** model managed by the new `cozystack-operator`. Operators now define their platform configuration in a structured `values.yaml` and the operator reconciles the desired state by managing Package and PackageSource resources across the cluster.
+
+The operator also takes ownership of CRD lifecycle — installing and updating CRDs from embedded manifests at every startup — eliminating the stale-CRD problem that affected Helm-only installations. Flux sharding has been added to distribute tenant HelmRelease reconciliation across multiple Flux controllers, providing horizontal scalability in large multi-tenant environments.
+
+A migration script (`hack/migrate-to-version-1.0.sh`) is provided for upgrading existing v0.x clusters, along with 33 incremental migration steps that automate resource renaming, secret cleanup, and configuration conversion.
+
+### Comprehensive Backup and Restore System
+
+v1.0.0 ships a fully featured, production-ready backup and restore framework built on Velero integration. Users can define **BackupClass** resources to describe backup storage targets, create **BackupPlan** schedules, and trigger **RestoreJob** resources for end-to-end application recovery.
+
+Virtual machine backups are supported natively via the Velero KubeVirt plugin, which captures consistent VM disk snapshots alongside metadata. The backup controller and the backup strategy sub-controllers (including the VM-specific strategy) are installed by default, and a full dashboard UI allows users to monitor backup status, view backup job history, and initiate restore workflows.
+
+### Redesigned Virtual Machine Architecture
+
+The legacy `virtual-machine` application has been replaced with a two-resource architecture: **`vm-disk`** for managing persistent disks and **`vm-instance`** for managing VM lifecycle. This separation provides cleaner disk/instance management, allows disks to be reused across VM instances, and aligns with modern KubeVirt patterns.
+
+New capabilities include: a `cpuModel` field for direct CPU model specification without using an instanceType; the ability to switch between `instanceType`-based and custom resource-based configurations; migration from the deprecated `running` field to `runStrategy`; and native **RWX (NFS) filesystem support** in the KubeVirt CSI driver, enabling multiple pods to mount the same persistent volume simultaneously.
+
+### New Managed Applications
+
+v1.0.0 expands the application catalog significantly:
+
+- **MongoDB**: A fully managed MongoDB replica set with persistent storage, monitoring integration, and unified user/database configuration API.
+- **Qdrant**: A high-performance vector database for AI and machine learning workloads, supporting single-replica and clustered modes with API key authentication and optional external LoadBalancer access.
+- **Harbor**: A fully managed OCI container registry backed by CloudNativePG, Redis operator, and COSI BucketClaim (SeaweedFS). Includes Trivy vulnerability scanner, auto-generated admin credentials, and TLS via cert-manager.
+- **NATS**: Enhanced with full Grafana monitoring dashboards for JetStream and server metrics, Prometheus support with TLS-aware configuration, and updated image customization options.
+- **MariaDB**: The `mysql` application is renamed to `mariadb`, accurately reflecting the underlying engine. An automatic migration (migration 27) converts all existing MySQL resources to use the `mariadb` naming.
+
+FerretDB has been removed from the catalog as it is superseded by native MongoDB support.
+
+### Multi-Location Networking with Kilo and cilium-kilo
+
+Cozystack v1.0.0 introduces first-class support for multi-location clusters via the **Kilo** WireGuard mesh networking package. Kilo automatically establishes encrypted WireGuard tunnels between nodes in different network segments, enabling seamless cross-region communication.
+
+A new integrated **`cilium-kilo`** networking variant combines Cilium eBPF CNI with Kilo's WireGuard overlay in a single platform configuration selection. This variant enables `enable-ipip-termination` in Cilium and deploys Kilo with `--compatibility=cilium`, allowing Cilium network policies to function correctly over the WireGuard mesh — without any manual configuration of the two components.
+
+### Flux Sharding for Scalable Multi-Tenancy
+
+Tenant HelmRelease reconciliation is now distributed across multiple Flux controllers via sharding labels. Each tenant workload is assigned to a shard based on a deterministic hash, preventing a single Flux controller from becoming a bottleneck in large multi-tenant environments. The platform operator manages the shard assignment automatically, and new shards can be added by scaling the Flux deployment.
+
+## Major Features and Improvements
+
+### Cozystack Operator
+
+* **[cozystack-operator] Introduce Package and PackageSource APIs**: Added new CRDs for declarative package management, defining the full API for Package and PackageSource resources ([**@kvaps**](https://github.com/kvaps) in #1740, #1741, #1755, #1756, #1760, #1761).
+* **[platform] Migrate from HelmRelease bundles to Package-based deployment**: Replaced HelmRelease bundle system with Package resources managed by cozystack-operator, including restructured values.yaml with full configuration support for networking, publishing, authentication, scheduling, branding, and resources ([**@kvaps**](https://github.com/kvaps) in #1816).
+* **[cozystack-operator] Add automatic CRD installation at startup**: Added `--install-crds` flag to install embedded CRD manifests on every startup via server-side apply, ensuring CRDs and the PackageSource are always up to date ([**@lexfrei**](https://github.com/lexfrei) in #2060).
+* **[installer] Remove CRDs from Helm chart, delegate lifecycle to operator**: The `cozy-installer` Helm chart no longer ships CRDs; CRD lifecycle is fully managed by the Cozystack operator ([**@lexfrei**](https://github.com/lexfrei) in #2074).
+* **[cozystack-operator] Preserve existing suspend field in package reconciler**: Fixed package reconciler to properly preserve the suspend field state during reconciliation ([**@sircthulhu**](https://github.com/sircthulhu) in #2043).
+* **[cozystack-operator] Fix namespace privileged flag resolution and field ownership**: Fixed operator to correctly check all Packages in a namespace when determining privileged status, and resolved SSA field ownership conflicts ([**@kvaps**](https://github.com/kvaps) in #2046).
+* **[platform] Add flux-plunger controller**: Added flux-plunger controller to automatically fix stuck HelmRelease errors by cleaning up failed resources and retrying reconciliation ([**@kvaps**](https://github.com/kvaps) in #1843).
+* **[installer] Add variant-aware templates for generic Kubernetes support**: Extended the installer to support generic and hosted Kubernetes deployments via the `cozystackOperator.variant=generic` parameter ([**@lexfrei**](https://github.com/lexfrei) in #2010).
+* **[installer] Unify operator templates**: Merged separate operator templates into a single variant-based template supporting Talos and non-Talos deployments ([**@kvaps**](https://github.com/kvaps) in #2034).
+
+### API and Platform
+
+* **[api] Rename CozystackResourceDefinition to ApplicationDefinition**: Renamed CRD and all related types for clarity and consistency, with migration 24 handling the transition automatically ([**@kvaps**](https://github.com/kvaps) in #1864).
+* **[platform] Add DNS-1035 validation for Application names**: Added dynamic DNS-1035 label validation for Application names at creation time, preventing resources with invalid names that would fail downstream ([**@lexfrei**](https://github.com/lexfrei) in #1771).
+* **[platform] Make cluster issuer name and ACME solver configurable**: Added `publishing.certificates.solver` and `publishing.certificates.issuerName` parameters to allow pointing all ingress TLS annotations at any ClusterIssuer ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
+* **[platform] Add cilium-kilo networking variant**: Added integrated `cilium-kilo` networking variant combining Cilium CNI with Kilo WireGuard mesh overlay ([**@kvaps**](https://github.com/kvaps) in #2064).
+* **[cozystack-api] Switch from DaemonSet to Deployment**: Migrated cozystack-api to a Deployment with PreferClose topology spread constraints, reducing resource consumption while maintaining high availability ([**@kvaps**](https://github.com/kvaps) in #2041, #2048).
+
+### Virtual Machines
+
+* **[vm-instance] Complete migration from virtual-machine to vm-disk and vm-instance**: Fully migrated from `virtual-machine` to the new `vm-disk` and `vm-instance` architecture, with automatic migration script (migration 28) for existing VMs ([**@kvaps**](https://github.com/kvaps) in #2040).
+* **[kubevirt-csi-driver] Add RWX Filesystem (NFS) support**: Added Read-Write-Many filesystem support to kubevirt-csi-driver via automatic NFS server deployment per PVC ([**@kvaps**](https://github.com/kvaps) in #2042).
+* **[vm] Add cpuModel field to specify CPU model without instanceType**: Added cpuModel field to VirtualMachine API for granular CPU control ([**@sircthulhu**](https://github.com/sircthulhu) in #2007).
+* **[vm] Allow switching between instancetype and custom resources**: Implemented atomic upgrade hook for switching between instanceType-based and custom resource VM configurations ([**@sircthulhu**](https://github.com/sircthulhu) in #2008).
+* **[vm] Migrate to runStrategy instead of running**: Migrated VirtualMachine API from deprecated `running` field to `runStrategy` ([**@sircthulhu**](https://github.com/sircthulhu) in #2004).
+* **[vm] Always expose VMs with a service**: Virtual machines are now always exposed with at least a ClusterIP service, ensuring in-cluster DNS names ([**@lllamnyp**](https://github.com/lllamnyp) in #1738, #1751).
+* **[dashboard] VMInstance dropdowns for disks and instanceType**: VM instance creation form now renders API-backed dropdowns for `instanceType` and disk `name` fields ([**@sircthulhu**](https://github.com/sircthulhu) in #2071).
+
+### Backup System
+
+* **[backups] Implement comprehensive backup and restore functionality**: Core backup Plan controller, Velero strategy controller, RestoreJob resource with end-to-end restore workflows, and enhanced backup plans UI ([**@lllamnyp**](https://github.com/lllamnyp) in #1640, #1685, #1687, #1719, #1720, #1737, #1967; [**@androndo**](https://github.com/androndo) in #1762, #1967, #1968, #1811).
+* **[backups] Add kubevirt plugin to velero**: Added KubeVirt plugin to Velero for consistent VM state and data snapshots ([**@lllamnyp**](https://github.com/lllamnyp) in #2017).
+* **[backups] Install backupstrategy controller by default**: Enabled backupstrategy controller by default for automatic backup scheduling ([**@lllamnyp**](https://github.com/lllamnyp) in #2020).
+* **[backups] Better selectors for VM strategy**: Improved VM backup strategy selectors for accurate and reliable backup targeting ([**@lllamnyp**](https://github.com/lllamnyp) in #2023).
+* **[backups] Create RBAC for backup resources**: Added comprehensive RBAC configuration for backup operations and restore jobs ([**@lllamnyp**](https://github.com/lllamnyp) in #2018).
+
+### Networking
+
+* **[kilo] Introduce Kilo WireGuard mesh networking**: Added Kilo as a system package providing secure WireGuard-based VPN mesh for connecting Kubernetes nodes across different networks and regions ([**@kvaps**](https://github.com/kvaps) in #1691).
+* **[kilo] Add Cilium compatibility variant**: Added `cilium` variant enabling Cilium-aware IPIP encapsulation for full network policy enforcement with Kilo mesh ([**@kvaps**](https://github.com/kvaps) in #2055).
+* **[kilo] Update to v0.8.0 with configurable MTU**: Updated Kilo to v0.8.0 with configurable MTU parameter and performance improvements ([**@kvaps**](https://github.com/kvaps) in #2003, #2049, #2053).
+* **[local-ccm] Add local-ccm package**: Added local cloud controller manager for managing load balancer services in bare-metal environments ([**@kvaps**](https://github.com/kvaps) in #1831).
+* **[local-ccm] Add node-lifecycle-controller component**: Added optional node-lifecycle-controller that automatically deletes unreachable NotReady nodes, solving the "zombie" node problem in autoscaled clusters ([**@IvanHunters**](https://github.com/IvanHunters) in #1992).
+* **[tenant] Allow egress to parent ingress pods**: Updated tenant network policies to allow egress traffic to parent cluster ingress pods ([**@lexfrei**](https://github.com/lexfrei) in #1765, #1776).
+
+### New Applications
+
+* **[mongodb] Add MongoDB managed application**: Added MongoDB as a fully managed database with replica sets, persistent storage, and unified user/database configuration ([**@lexfrei**](https://github.com/lexfrei) in #1822; [**@kvaps**](https://github.com/kvaps) in #1923).
+* **[qdrant] Add Qdrant vector database**: Added Qdrant as a high-performance vector database for AI/ML workloads with API key authentication and optional LoadBalancer access ([**@lexfrei**](https://github.com/lexfrei) in #1987).
+* **[harbor] Add managed Harbor container registry**: Added Harbor v2.14.2 as a managed tenant-level container registry with CloudNativePG, Redis operator, COSI BucketClaim storage, and Trivy scanner ([**@lexfrei**](https://github.com/lexfrei) in #2058).
+* **[nats] Add monitoring**: Added Grafana dashboards for NATS JetStream and server metrics, Prometheus monitoring with TLS support ([**@klinch0**](https://github.com/klinch0) in #1381).
+* **[mariadb] Rename mysql application to mariadb**: Renamed MySQL application to MariaDB with automatic migration (migration 27) for all existing resources ([**@kvaps**](https://github.com/kvaps) in #2026).
+* **[ferretdb] Remove FerretDB application**: Removed FerretDB, superseded by native MongoDB support ([**@kvaps**](https://github.com/kvaps) in #2028).
+
+### Kubernetes and System Components
+
+* **[kubernetes] Update supported Kubernetes versions to v1.30–v1.35**: Updated the tenant Kubernetes version matrix, with v1.35 as the new default. Kamaji updated to edge-26.2.4 and CAPI Kamaji provider to v0.16.0 ([**@lexfrei**](https://github.com/lexfrei) in #2073).
+* **[kubernetes] Auto-enable Gateway API support in cert-manager**: Added automatic Gateway API support in cert-manager for tenant clusters ([**@kvaps**](https://github.com/kvaps) in #1997).
+* **[kubernetes] Use ingress-nginx nodeport service**: Changed tenant Kubernetes clusters to use ingress-nginx NodePort service for improved compatibility ([**@sircthulhu**](https://github.com/sircthulhu) in #1948).
+* **[system] Add cluster-autoscaler for Hetzner and Azure**: Added cluster-autoscaler system package for automatically scaling management cluster nodes on Hetzner and Azure ([**@kvaps**](https://github.com/kvaps) in #1964).
+* **[cluster-autoscaler] Enable enforce-node-group-min-size by default**: Ensures node groups are always scaled up to their configured minimum size ([**@kvaps**](https://github.com/kvaps) in #2050).
+* **[system] Add clustersecret-operator package**: Added clustersecret-operator for managing secrets across multiple namespaces ([**@sircthulhu**](https://github.com/sircthulhu) in #2025).
+
+### Monitoring
+
+* **[monitoring] Enable monitoring for core components**: Enhanced monitoring capabilities with dashboards and metrics for core Cozystack components ([**@IvanHunters**](https://github.com/IvanHunters) in #1937).
+* **[monitoring] Add SLACK_SEVERITY_FILTER and VMAgent for tenant monitoring**: Added SLACK_SEVERITY_FILTER for Slack alert filtering and VMAgent for tenant namespace metrics scraping ([**@IvanHunters**](https://github.com/IvanHunters) in #1712).
+* **[monitoring-agents] Fix FQDN resolution for tenant workload clusters**: Fixed monitoring agents in tenant clusters to use full DNS names with cluster domain suffix ([**@IvanHunters**](https://github.com/IvanHunters) in #2075; [**@kvaps**](https://github.com/kvaps) in #2086).
+
+### Storage
+
+* **[linstor] Move CRDs to dedicated piraeus-operator-crds chart**: Moved LINSTOR CRDs to a dedicated chart, ensuring reliable installation of all CRDs including `linstorsatellites.io` ([**@kvaps**](https://github.com/kvaps) in #2036; [**@IvanHunters**](https://github.com/IvanHunters) in #1991).
+* **[seaweedfs] Increase certificate duration to 10 years**: Increased SeaweedFS certificate validity to 10 years to reduce rotation overhead ([**@IvanHunters**](https://github.com/IvanHunters) in #1986).
+
+## Improvements
+
+* **[dashboard] Upgrade dashboard to version 1.4.0**: Updated Cozystack dashboard to v1.4.0 with new features and improvements ([**@sircthulhu**](https://github.com/sircthulhu) in #2051).
+* **[dashboard] Hide Ingresses/Services/Secrets tabs when no selectors defined**: Tabs are now conditionally shown based on whether the ApplicationDefinition has resource selectors configured, reducing UI clutter ([**@kvaps**](https://github.com/kvaps) in #2087).
+* **[dashboard] Add startupProbe to prevent container restarts on slow hardware**: Added startup probe to dashboard pods to prevent unnecessary restarts ([**@kvaps**](https://github.com/kvaps) in #1996).
+* **[keycloak] Allow custom Ingress hostname via values**: Added `ingress.host` field to cozy-keycloak chart values for overriding the default `keycloak.<root-host>` hostname ([**@sircthulhu**](https://github.com/sircthulhu) in #2101).
+* **[branding] Separate values for Keycloak**: Separated Keycloak branding values for better customization capabilities ([**@nbykov0**](https://github.com/nbykov0) in #1947).
+* **[rbac] Use hierarchical naming scheme**: Refactored RBAC to use hierarchical naming for cluster roles and role bindings ([**@lllamnyp**](https://github.com/lllamnyp) in #2019).
+* **[tenant,rbac] Use shared clusterroles**: Refactored tenant RBAC to use shared ClusterRoles for improved consistency ([**@lllamnyp**](https://github.com/lllamnyp) in #1999).
+* **[kubernetes] Increase default apiServer resourcesPreset to large**: Increased kube-apiserver resource preset to `large` for more reliable operation under higher workloads ([**@kvaps**](https://github.com/kvaps) in #1875).
+* **[kubernetes] Increase kube-apiserver startup probe threshold**: Increased startup probe threshold to allow more time for API server readiness ([**@kvaps**](https://github.com/kvaps) in #1876).
+* **[etcd] Increase probe thresholds for better recovery**: Increased etcd probe thresholds to improve cluster resilience during temporary slowdowns ([**@kvaps**](https://github.com/kvaps) in #1874).
+* **[etcd-operator] Add vertical-pod-autoscaler dependency**: Added VPA as a dependency to etcd-operator for proper resource scaling ([**@sircthulhu**](https://github.com/sircthulhu) in #2047).
+* **[cilium] Change cilium-operator replicas to 1**: Reduced Cilium operator replicas to decrease resource consumption in smaller deployments ([**@IvanHunters**](https://github.com/IvanHunters) in #1784).
+* **[keycloak-configure,dashboard] Enable insecure TLS verification by default**: Made SSL certificate verification configurable with insecure mode enabled by default for local development ([**@IvanHunters**](https://github.com/IvanHunters) in #2005).
+* **[platform] Split telemetry between operator and controller**: Separated telemetry collection for better metrics isolation ([**@kvaps**](https://github.com/kvaps) in #1869).
+* **[system] Add resource requests and limits to etcd-defrag**: Added resource requests and limits to etcd-defrag job to prevent resource contention ([**@matthieu-robin**](https://github.com/matthieu-robin) in #1785, #1786).
+
+## Fixes
+
+* **[dashboard] Fix sidebar visibility on cluster-level pages**: Fixed broken URLs with double `//` on cluster-level pages by hiding namespace-scoped sidebar items when no tenant is selected ([**@sircthulhu**](https://github.com/sircthulhu) in #2106).
+* **[platform] Fix upgrade issues in migrations, etcd timeout, and migration script**: Fixed multiple upgrade failures discovered during v0.41.1 → v1.0 upgrade testing, including migration 26-29 fixes, RFC3339 format for annotations, and extended etcd HelmRelease timeout to 30m ([**@kvaps**](https://github.com/kvaps) in #2096).
+* **[platform] Fix orphaned -rd HelmReleases after application renames**: Migrations 28-29 updated to remove orphaned `-rd` HelmReleases in `cozy-system` after `ferretdb→mongodb`, `mysql→mariadb`, and `virtual-machine→vm-disk+vm-instance` renames, with migration 33 as a safety net ([**@kvaps**](https://github.com/kvaps) in #2102).
+* **[platform] Adopt tenant-root into cozystack-basics during migration**: Added migration 31 to adopt existing `tenant-root` Namespace and HelmRelease into `cozystack-basics` for a safe v0.41.x → v1.0 upgrade path ([**@kvaps**](https://github.com/kvaps) in #2065).
+* **[platform] Preserve tenant-root HelmRelease during migration**: Fixed data-loss risk during migration where `tenant-root` HelmRelease could be deleted ([**@sircthulhu**](https://github.com/sircthulhu) in #2063).
+* **[platform] Fix cozystack-values secret race condition**: Fixed race condition in cozystack-values secret creation that could cause initialization failures ([**@lllamnyp**](https://github.com/lllamnyp) in #2024).
+* **[cozystack-basics] Preserve existing HelmRelease values during reconciliations**: Fixed data-loss bug where changes to `tenant-root` HelmRelease were dropped on the next reconciliation ([**@sircthulhu**](https://github.com/sircthulhu) in #2068).
+* **[cozystack-basics] Deny resourcequotas deletion for tenant admin**: Fixed `cozy:tenant:admin:base` ClusterRole to explicitly deny deletion of ResourceQuota objects ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2076).
+* **[dashboard] Fix legacy templating and cluster identifier in sidebar links**: Standardized cluster identifier across dashboard menu links resolving broken link targets for Backups and External IPs ([**@androndo**](https://github.com/androndo) in #2093).
+* **[dashboard] Fix backupjobs creation form and sidebar backup category identifier**: Fixed backup job creation form fields and fixed sidebar backup category identifier ([**@androndo**](https://github.com/androndo) in #2103).
+* **[kubevirt] Update KubeVirt to v1.6.4 and CDI to v1.64.0, fix VM pod initialization**: Updated KubeVirt and CDI and disabled serial console logging globally to fix the `guest-console-log` init container blocking virt-launcher pods ([**@nbykov0**](https://github.com/nbykov0) in #1833; [**@kvaps**](https://github.com/kvaps)).
+* **[linstor] Fix DRBD+LUKS+STORAGE resource creation failure**: Applied upstream fix for all newly created encrypted volumes failing due to missing `setExists(true)` call in `LuksLayer` ([**@kvaps**](https://github.com/kvaps) in #2072).
+* **[platform] Clean up Helm secrets for removed releases**: Added cleanup logic to migration 23 to remove orphaned Helm secrets from removed `-rd` releases ([**@kvaps**](https://github.com/kvaps) in #2035).
+* **[monitoring] Fix YAML parse error in vmagent template**: Fixed YAML parsing error in monitoring-agents vmagent template ([**@kvaps**](https://github.com/kvaps) in #2037).
+* **[monitoring] Remove cozystack-controller dependency**: Fixed monitoring package to remove unnecessary cozystack-controller dependency ([**@IvanHunters**](https://github.com/IvanHunters) in #1990).
+* **[monitoring] Remove duplicate dashboards.list**: Fixed duplicate dashboards.list configuration in extra/monitoring package ([**@IvanHunters**](https://github.com/IvanHunters) in #2016).
+* **[linstor] Update piraeus-server patches with critical fixes**: Backported critical patches fixing edge cases in device management and DRBD resource handling ([**@kvaps**](https://github.com/kvaps) in #1850).
+* **[apiserver] Fix Watch resourceVersion and bookmark handling**: Fixed Watch API handling of resourceVersion and bookmarks for proper event streaming ([**@kvaps**](https://github.com/kvaps) in #1860).
+* **[bootbox] Auto-create bootbox-application as dependency**: Fixed bootbox package to automatically create required bootbox-application dependency ([**@kvaps**](https://github.com/kvaps) in #1974).
+* **[postgres-operator] Correct PromQL syntax in CNPGClusterOffline alert**: Fixed incorrect PromQL syntax in the CNPGClusterOffline Prometheus alert ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1981).
+* **[coredns] Fix serviceaccount to match kubernetes bootstrap RBAC**: Fixed CoreDNS service account to correctly match Kubernetes bootstrap RBAC requirements ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1958).
+* **[dashboard] Verify JWT token**: Added JWT token verification to dashboard for improved security ([**@lllamnyp**](https://github.com/lllamnyp) in #1980).
+* **[codegen] Fix missing gen_client in update-codegen.sh**: Fixed build error in `pkg/generated/applyconfiguration/utils.go` by including `gen_client` in the codegen script ([**@lexfrei**](https://github.com/lexfrei) in #2061).
+* **[kubevirt-operator] Fix typo in VMNotRunningFor10Minutes alert**: Fixed typo in VM alert name ensuring proper alert triggering ([**@lexfrei**](https://github.com/lexfrei) in #1770, #1775).
+
+## Security
+
+* **[dashboard] Verify JWT token**: Added JWT token verification to the dashboard for improved authentication security ([**@lllamnyp**](https://github.com/lllamnyp) in #1980).
+
+## Dependencies
+
+* **[cilium] Update to v1.18.6**: Updated Cilium CNI to v1.18.6 with security fixes and performance improvements ([**@sircthulhu**](https://github.com/sircthulhu) in #1868).
+* **[kube-ovn] Update to v1.15.3**: Updated Kube-OVN CNI to v1.15.3 with performance improvements and bug fixes ([**@kvaps**](https://github.com/kvaps) in #2022).
+* **[kilo] Update to v0.8.0**: Updated Kilo WireGuard mesh to v0.8.0 with performance improvements and new compatibility features ([**@kvaps**](https://github.com/kvaps) in #2053).
+* **Update Talos Linux to v1.12.1**: Updated Talos Linux to v1.12.1 with latest features and security patches ([**@kvaps**](https://github.com/kvaps) in #1877).
+
+## System Configuration
+
+* **[vpc] Migrate subnets definition from map to array format**: Migrated VPC subnets from `map[string]Subnet` to `[]Subnet` with explicit `name` field, with automatic migration via migration 30 ([**@kvaps**](https://github.com/kvaps) in #2052).
+* **[migrations] Add migrations 23-33 for v1.0 upgrade path**: Added 11 incremental migrations handling CRD ownership, resource renaming, secret cleanup, Helm adoption, and configuration conversion for the v0.41.x → v1.0.0 upgrade path ([**@kvaps**](https://github.com/kvaps) in #1975, #2035, #2036, #2040, #2026, #2065, #2052, #2102).
+* **[tenant] Run cleanup job from system namespace**: Moved tenant cleanup job to system namespace for improved security and resource isolation ([**@lllamnyp**](https://github.com/lllamnyp) in #1774, #1777).
+
+## Development, Testing, and CI/CD
+
+* **[ci] Use GitHub Copilot CLI for changelog generation**: Automated changelog generation using GitHub Copilot CLI ([**@androndo**](https://github.com/androndo) in #1753).
+* **[ci] Choose runner conditional on label**: Added conditional runner selection in CI based on PR labels ([**@lllamnyp**](https://github.com/lllamnyp) in #1998).
+* **[e2e] Use helm install instead of kubectl apply for cozystack installation**: Replaced static YAML apply flow with direct `helm upgrade --install` of the installer chart in E2E tests ([**@lexfrei**](https://github.com/lexfrei) in #2060).
+* **[e2e] Make kubernetes test retries effective by cleaning up stale resources**: Fixed E2E test retries by adding pre-creation cleanup and increasing deployment wait timeout to 300s ([**@lexfrei**](https://github.com/lexfrei) in #2062).
+* **[e2e] Increase HelmRelease readiness timeout for kubernetes test**: Increased HelmRelease readiness timeout to prevent false failures on slower hardware ([**@lexfrei**](https://github.com/lexfrei) in #2033).
+* **[ci] Improve cozyreport functionality**: Enhanced cozyreport tool with improved reporting for CI/CD pipelines ([**@lllamnyp**](https://github.com/lllamnyp) in #2032).
+* **feat(cozypkg): add cross-platform build targets with version injection**: Added cross-platform build targets for cozypkg/cozyhr tool for linux/amd64, linux/arm64, darwin/amd64, darwin/arm64 ([**@kvaps**](https://github.com/kvaps) in #1862).
+* **refactor: move scripts to hack directory**: Reorganized scripts to the standard `hack/` location ([**@kvaps**](https://github.com/kvaps) in #1863).
+* **Update CODEOWNERS**: Updated CODEOWNERS to include new maintainers ([**@lllamnyp**](https://github.com/lllamnyp) in #1972; [**@IvanHunters**](https://github.com/IvanHunters) in #2015).
+* **[talm] Skip config loading for completion subcommands**: Fixed talm CLI to skip config loading for shell completion commands ([**@kitsunoff**](https://github.com/kitsunoff) in cozystack/talm#109).
+* **[talm] Fix metadata.id type casting in physical_links_info**: Fixed Prometheus query to properly cast metadata.id to string for regexMatch operations ([**@kvaps**](https://github.com/kvaps) in cozystack/talm#110).
+
+## Documentation
+
+* **[website] Add documentation versioning**: Implemented comprehensive documentation versioning with separate v0 and v1 documentation trees and a version selector in the UI ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#415).
+* **[website] Describe upgrade to v1.0**: Added detailed upgrade instructions for migrating from v0.x to v1.0 ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@21bbe84).
+* **[website] Migrate ConfigMap references to Platform Package in v1 docs**: Updated entire v1 documentation to replace legacy ConfigMap-based configuration with the new Platform Package API ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#426).
+* **[website] Add generic Kubernetes deployment guide for v1**: Added installation guide for deploying Cozystack on any generic Kubernetes cluster ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#408).
+* **[website] Describe operator-based and HelmRelease-based package patterns**: Added development documentation explaining operator-based and HelmRelease-based package patterns ([**@kvaps**](https://github.com/kvaps) in cozystack/website#413).
+* **[website] Add Helm chart development principles guide**: Added developer guide documenting Cozystack's four core Helm chart principles ([**@kvaps**](https://github.com/kvaps) in cozystack/website#418).
+* **[website] Add network architecture overview**: Added comprehensive network architecture documentation covering the multi-layered networking stack with Mermaid diagrams ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#422).
+* **[website] Add LINSTOR disk preparation guide**: Added comprehensive documentation for preparing disks for LINSTOR storage ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#411).
+* **[website] Add Proxmox VM migration guide**: Added detailed guide for migrating virtual machines from Proxmox to Cozystack ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#410).
+* **[website] Add cluster autoscaler documentation**: Added documentation for Hetzner setup with Talos, vSwitch, and Kilo mesh integration ([**@kvaps**](https://github.com/kvaps) in #1964).
+* **[website] Improve Azure autoscaling troubleshooting guide**: Enhanced Azure autoscaling documentation with serial console instructions and `az vmss update --custom-data` guidance ([**@kvaps**](https://github.com/kvaps) in cozystack/website#424).
+* **[website] Update multi-location documentation for cilium-kilo variant**: Updated multi-location networking docs to reflect the integrated `cilium-kilo` variant selection ([**@kvaps**](https://github.com/kvaps) in cozystack/website@02d63f0).
+* **[website] Update documentation to use jsonpatch for service exposure**: Improved `kubectl patch` commands to use JSON Patch `add` operations ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#427).
+* **[website] Update certificates section in Platform Package documentation**: Updated certificate configuration docs to reflect new `solver` and `issuerName` fields ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in cozystack/website#429).
+* **[website] Add tenant Kubernetes cluster log querying guide**: Added documentation for querying logs from tenant clusters in Grafana using VictoriaLogs labels ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#430).
+* **[website] Replace non-idempotent commands with idempotent alternatives**: Updated `helm install` to `helm upgrade --install` and `kubectl create` to `kubectl apply` across all installation guides ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#431).
+* **[website] Fix broken documentation links with .md suffix**: Fixed incorrect internal links across virtualization guides for v0 and v1 documentation ([**@cheese**](https://github.com/cheese) in cozystack/website#432).
+* **[website] Refactor resource planning documentation**: Improved resource planning guide with clearer structure and more comprehensive coverage ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#423).
+* **[website] Add ServiceAccount API access documentation and update FAQ**: Added documentation for ServiceAccount API access token configuration and updated FAQ ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#421).
+* **[website] Update networking-mesh allowed-location-ips example**: Replaced provider-specific CLI with standard `kubectl` commands in multi-location networking guide ([**@kvaps**](https://github.com/kvaps) in cozystack/website#425).
+* **[website] docs(storage): simplify NFS driver setup instructions**: Simplified NFS driver setup documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website#399).
+* **[website] Add Hetzner RobotLB documentation**: Added documentation for configuring public IP with Hetzner RobotLB ([**@kvaps**](https://github.com/kvaps) in cozystack/website#394).
+* **[website] Add documentation for creating and managing cloned VMs**: Added comprehensive guide for VM cloning operations ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#401).
+* **[website] Update Talos installation docs for Hetzner and Servers.com**: Updated installation documentation for Hetzner and Servers.com environments ([**@kvaps**](https://github.com/kvaps) in cozystack/website#395).
+* **[website] Add Hidora organization support details**: Added Hidora to the support page ([**@matthieu-robin**](https://github.com/matthieu-robin) in cozystack/website#397, cozystack/website#398).
+* **[website] Check quotas before an upgrade**: Added troubleshooting documentation for checking resource quotas before upgrades ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website#405).
+* **[website] Update support documentation**: Updated support documentation with current contact information ([**@xrmtech-isk**](https://github.com/xrmtech-isk) in cozystack/website#420).
+* **[website] Correct typo in kubeconfig reference in Kubernetes installation guide**: Fixed documentation typo in kubeconfig reference ([**@shkarface**](https://github.com/shkarface) in cozystack/website#414).
+
+## Breaking Changes & Upgrade Notes
+
+* **[api] CozystackResourceDefinition renamed to ApplicationDefinition**: The `CozystackResourceDefinition` CRD has been renamed to `ApplicationDefinition`. Migration 24 handles the transition automatically during upgrade ([**@kvaps**](https://github.com/kvaps) in #1864).
+
+* **[platform] Certificate issuer configuration parameters renamed**: The `publishing.certificates.issuerType` field is renamed to `publishing.certificates.solver`, and the value `cloudflare` is renamed to `dns01`. A new `publishing.certificates.issuerName` field (default: `letsencrypt-prod`) is added. Migration 32 automatically converts existing configurations — no manual action required ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
+
+* **[vpc] VPC subnets definition migrated from map to array format**: VPC subnets are now defined as `[]Subnet` with an explicit `name` field instead of `map[string]Subnet`. Migration 30 handles the conversion automatically ([**@kvaps**](https://github.com/kvaps) in #2052).
+
+* **[vm] virtual-machine application replaced by vm-disk and vm-instance**: The legacy `virtual-machine` application has been fully replaced. Migration 28 automatically converts existing VMs to the new architecture ([**@kvaps**](https://github.com/kvaps) in #2040).
+
+* **[mysql] mysql application renamed to mariadb**: Existing MySQL deployments are automatically renamed to MariaDB via migration 27 ([**@kvaps**](https://github.com/kvaps) in #2026).
+
+### Upgrade Guide
+
+To upgrade from v0.41.x to v1.0.0:
+1. **Backup your cluster** before upgrading.
+2. Run the provided migration script: `hack/migrate-to-version-1.0.sh`.
+3. The 33 incremental migration steps will automatically handle all resource renaming, configuration conversion, CRD adoption, and secret cleanup.
+4. Refer to the [upgrade documentation](https://cozystack.io/docs/v1/upgrade) for detailed instructions and troubleshooting.
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@androndo**](https://github.com/androndo)
+* [**@cheese**](https://github.com/cheese)
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@IvanStukov**](https://github.com/IvanStukov)
+* [**@kitsunoff**](https://github.com/kitsunoff)
+* [**@klinch0**](https://github.com/klinch0)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@lllamnyp**](https://github.com/lllamnyp)
+* [**@matthieu-robin**](https://github.com/matthieu-robin)
+* [**@mattia-eleuteri**](https://github.com/mattia-eleuteri)
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
+* [**@nbykov0**](https://github.com/nbykov0)
+* [**@shkarface**](https://github.com/shkarface)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+* [**@xrmtech-isk**](https://github.com/xrmtech-isk)
+
+### New Contributors
+
+We're excited to welcome our first-time contributors:
+
+* [**@cheese**](https://github.com/cheese) - First contribution!
+* [**@IvanStukov**](https://github.com/IvanStukov) - First contribution!
+* [**@kitsunoff**](https://github.com/kitsunoff) - First contribution!
+* [**@shkarface**](https://github.com/shkarface) - First contribution!
+* [**@xrmtech-isk**](https://github.com/xrmtech-isk) - First contribution!
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.41.0...v1.0.0
--- a/docs/changelogs/v1.0.1.md
+++ b/docs/changelogs/v1.0.1.md
@@ -0,0 +1,21 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.1
+-->
+
+## Fixes
+
+* **[platform] Prevent cozystack-version ConfigMap from deletion**: Added resource protection to prevent the `cozystack-version` ConfigMap from being accidentally deleted, improving platform stability and reliability ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2112, #2114).
+
+* **[installer] Add keep annotation to Namespace and update migration script**: Added `helm.sh/resource-policy: keep` annotation to the `cozy-system` Namespace in the installer Helm chart to prevent Helm from deleting the namespace (and all HelmReleases within it) when the installer release is removed. The v1.0 migration script is also updated to annotate the `cozy-system` namespace and `cozystack-version` ConfigMap with this policy before migration ([**@kvaps**](https://github.com/kvaps) in #2122, #2123).
+
+* **[dashboard] Add FlowSchema to exempt BFF from API throttling**: Added a `cozy-dashboard-exempt` FlowSchema to exempt the dashboard Back-End-for-Frontend (BFF) service account from Kubernetes API Priority and Fairness throttling. Previously, the BFF fell under the `workload-low` priority level, causing 429 (Too Many Requests) errors under load, resulting in dashboard unresponsiveness ([**@kvaps**](https://github.com/kvaps) in #2121, #2124).
+
+## Documentation
+
+* **[website] Replace bundles documentation with variants**: Renamed the "Bundles" documentation section to "Variants" to match current Cozystack terminology. Removed deprecated variants (`iaas-full`, `distro-full`, `distro-hosted`) and added new variants: `default` (PackageSources only, for manual package management via cozypkg) and `isp-full-generic` (full PaaS/IaaS on k3s, kubeadm, or RKE2). Updated all cross-references throughout the documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website#433).
+
+* **[website] Add step to protect namespace before upgrading**: Updated the cluster upgrade guide and v0.41→v1.0 migration guide with a required step to annotate the `cozy-system` namespace and `cozystack-version` ConfigMap with `helm.sh/resource-policy=keep` before running `helm upgrade`, preventing accidental namespace deletion ([**@kvaps**](https://github.com/kvaps) in cozystack/website#435).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0...v1.0.1
--- a/docs/changelogs/v1.0.2.md
+++ b/docs/changelogs/v1.0.2.md
@@ -0,0 +1,19 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.2
+-->
+
+## Fixes
+
+* **[platform] Suspend cozy-proxy if it conflicts with installer release during migration**: Added a check in the v0.41→v1.0 migration script to detect and automatically suspend the `cozy-proxy` HelmRelease when its `releaseName` is set to `cozystack`, which conflicts with the installer release and would cause `cozystack-operator` deletion during the upgrade ([**@kvaps**](https://github.com/kvaps) in #2128, #2130).
+
+* **[platform] Fix off-by-one error in run-migrations script**: Fixed a bug in the migration runner where the first required migration was always skipped due to an off-by-one error in the migration range calculation, ensuring all upgrade steps execute correctly ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2126, #2132).
+
+* **[system] Fix Keycloak proxy configuration for v26.x**: Replaced the deprecated `KC_PROXY=edge` environment variable with `KC_PROXY_HEADERS=xforwarded` and `KC_HTTP_ENABLED=true` in the Keycloak StatefulSet template. `KC_PROXY` was removed in Keycloak 26.x, previously causing "Non-secure context detected" warnings and broken cookie handling when running behind a reverse proxy with TLS termination ([**@sircthulhu**](https://github.com/sircthulhu) in #2125, #2134).
+
+* **[dashboard] Allow clearing instanceType field and preserve newlines in secret copy**: Added `allowEmpty: true` to the `instanceType` field in the VMInstance form so users can explicitly clear it to use custom KubeVirt resources without a named instance type. Also fixed newline preservation when copying secrets with CMD+C ([**@sircthulhu**](https://github.com/sircthulhu) in #2135, #2137).
+
+* **[dashboard] Restore stock-instance sidebars for namespace-level pages**: Restored `stock-instance-api-form`, `stock-instance-api-table`, `stock-instance-builtin-form`, and `stock-instance-builtin-table` sidebar resources that were inadvertently removed in #2106. Without these sidebars, namespace-level pages such as Backup Plans rendered as empty pages with no interactive content ([**@sircthulhu**](https://github.com/sircthulhu) in #2136, #2138).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.1...v1.0.2
--- a/docs/changelogs/v1.0.3.md
+++ b/docs/changelogs/v1.0.3.md
@@ -0,0 +1,17 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.3
+-->
+
+## Fixes
+
+* **[platform] Fix package name conversion in migration script**: Fixed the `migrate-to-version-1.0.sh` script to correctly prepend the `cozystack.` prefix when converting `BUNDLE_DISABLE` and `BUNDLE_ENABLE` package name lists, ensuring packages are properly identified during the v0.41→v1.0 upgrade ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2144, #2148).
+
+## Documentation
+
+* **[website] Add white labeling guide**: Added a comprehensive guide for configuring white labeling (branding) in Cozystack v1, covering Dashboard fields (`titleText`, `footerText`, `tenantText`, `logoText`, `logoSvg`, `iconSvg`) and Keycloak fields (`brandName`, `brandHtmlName`). Includes SVG preparation workflow with theme-aware template variables, portable base64 encoding, and migration notes from the v0 ConfigMap approach ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#441).
+
+* **[website] Actualize backup and recovery documentation**: Reworked the backup and recovery docs to be user-focused, separating operator and tenant workflows. Added tenant-facing documentation for `BackupJob` and `Plan` resources and status inspection commands, and added a new Velero administration guide for operators covering storage credentials and backup storage configuration ([**@androndo**](https://github.com/androndo) in cozystack/website#434).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.2...v1.0.3
--- a/docs/changelogs/v1.0.4.md
+++ b/docs/changelogs/v1.0.4.md
@@ -0,0 +1,25 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.4
+-->
+
+## Fixes
+
+* **[system] Fix Keycloak probe crashloop with management port health endpoints**: Fixed a crashloop where Keycloak 26.x was endlessly restarting because liveness and readiness probes were sending HTTP requests to port 8080. Keycloak 26.x redirects all requests on port 8080 to `KC_HOSTNAME` (HTTPS), and since kubelet does not follow redirects, probes failed, eventually triggering container restarts. The fix switches probes to the dedicated management port 9000 (`/health/live`, `/health/ready`) enabled via `KC_HEALTH_ENABLED=true`, exposes management port 9000, and adds a `startupProbe` with appropriate failure thresholds for better startup tolerance ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #2162, #2178).
+
+* **[system] Fix etcd-operator deprecated kube-rbac-proxy image**: Replaced the deprecated `gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0` image with `quay.io/brancz/kube-rbac-proxy:v0.18.1` in the vendored etcd-operator chart. The GCR-hosted image became unavailable after March 18, 2025, causing etcd-operator pods to fail on image pull ([**@kvaps**](https://github.com/kvaps) in #2181, #2183).
+
+* **[platform] Fix VM MAC address not preserved during virtual-machine to vm-instance migration**: During the `virtual-machine` → `vm-instance` migration (script 29), VM MAC addresses were not preserved. Kube-OVN reads MAC addresses exclusively from the pod annotation `ovn.kubernetes.io/mac_address`, not from `spec.macAddress` of the IP resource. Without this annotation, migrated VMs received a new random MAC address, breaking OS-level network configuration that matches by MAC (e.g., netplan). The fix adds a Helm `lookup` in the vm-instance chart template to read the Kube-OVN IP resource and automatically inject the MAC and IP addresses as pod annotations ([**@sircthulhu**](https://github.com/sircthulhu) in #2169, #2191).
+
+* **[dashboard] Fix External IPs page showing empty rows**: Fixed the External IPs administration page displaying empty rows instead of service data. The `EnrichedTable` configuration in the `external-ips` factory was using incorrect property names — replaced `clusterNamePartOfUrl` with `cluster` and changed `pathToItems` from array format to dot-path string format, matching the convention used by all other `EnrichedTable` instances ([**@IvanHunters**](https://github.com/IvanHunters) in #2175, #2192).
+
+* **[dashboard] Fix disabled/hidden state reset on MarketplacePanel reconciliation**: Fixed a bug where the dashboard controller was hardcoding `disabled=false` and `hidden=false` on every reconcile loop, overwriting changes made through the dashboard UI. Services disabled or hidden via the marketplace panel now correctly retain their state after controller reconciliation ([**@IvanHunters**](https://github.com/IvanHunters) in #2176, #2202).
+
+* **[dashboard] Fix hidden MarketplacePanel resources appearing in sidebar menu**: Fixed the sidebar navigation showing all resources regardless of their MarketplacePanel `hidden` state. The controller now fetches MarketplacePanels during sidebar reconciliation and filters out resources where `hidden=true`, ensuring that hiding a resource from the marketplace also removes it from the sidebar navigation. Listing failures are non-fatal — if the configuration fetch fails, no hiding is applied and the dashboard remains functional ([**@IvanHunters**](https://github.com/IvanHunters) in #2177, #2204).
+
+## Documentation
+
+* **[website] Add OIDC self-signed certificates configuration guide**: Added a comprehensive guide for configuring OIDC authentication with Keycloak when using self-signed certificates (the default in Cozystack). Covers Talos machine configuration with certificate mounting and host entries, kubelogin setup instructions, and a troubleshooting section. The guide is available for both v0 and v1 versioned documentation paths ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#443).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.3...v1.0.4
--- a/docs/changelogs/v1.1.0.md
+++ b/docs/changelogs/v1.1.0.md
@@ -0,0 +1,126 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.1.0
+-->
+
+# Cozystack v1.1.0
+
+Cozystack v1.1.0 delivers a major expansion of the managed application catalog with **OpenBAO** (open-source HashiCorp Vault fork) for secrets management, comprehensive **tiered object storage** with SeaweedFS storage pools, a new bucket **user model** with per-user credentials and S3 login support, **RabbitMQ version selection**, and **MongoDB Grafana dashboards**. The dashboard gains storageClass dropdowns for all stateful apps. This release also incorporates all fixes from the v1.0.x patch series.
+
+## Feature Highlights
+
+### OpenBAO: Managed Secrets Management Service
+
+Cozystack now ships **OpenBAO** as a fully managed PaaS application — an open-source fork of HashiCorp Vault providing enterprise-grade secrets management. Users can deploy OpenBAO instances in standalone mode (single replica with file storage) or in high-availability Raft mode (multiple replicas with integrated Raft consensus), with the mode switching automatically based on the `replicas` field.
+
+Each OpenBAO instance gets TLS enabled by default via cert-manager self-signed certificates, with DNS SANs covering all service endpoints and pod addresses. The Vault injector and CSI provider are intentionally disabled (they are cluster-scoped components not safe for per-tenant use). OpenBAO requires manual initialization and unsealing by design — no auto-unseal is configured.
+
+A full end-to-end E2E test covers the complete lifecycle: deploy, wait for certificate and API readiness, init, unseal, verify, and cleanup. OpenBAO is available in the application catalog for tenant namespaces.
+
+### SeaweedFS Tiered Storage Pools
+
+SeaweedFS now supports **tiered storage pools** — operators can define separate storage pools per disk type (SSD, HDD, NVMe) in the `volume.pools` field (Simple topology) or `volume.zones[name].pools` (MultiZone topology). Each pool creates an additional Volume StatefulSet alongside the default one, with SeaweedFS distinguishing storage via the `-disk=<type>` flag on volume servers.
+
+Each pool automatically generates its own set of COSI resources: a standard `BucketClass`, a `-lock` BucketClass (COMPLIANCE mode, 365-day retention), a read-write `BucketAccessClass`, and a `-readonly` BucketAccessClass. This allows applications to place data on specific storage tiers and request appropriate access policies per pool.
+
+In MultiZone topology, pools are defined per zone and each zone × pool combination creates a dedicated StatefulSet (e.g., `us-east-ssd`, `us-west-hdd`), with nodes selected via `topology.kubernetes.io/zone` labels. Existing deployments with no pools defined produce output identical to previous versions — no migration is required.
+
+### Bucket User Model with S3 Login
+
+The bucket application introduces a new **user model** for access management. Instead of a single implicit BucketAccess resource, operators now define a `users` map where each entry creates a dedicated `BucketAccess` with its own credentials secret and an optional `readonly` flag. The S3 Manager UI has been updated with a login screen that uses per-session credentials from the user's own secret, replacing the previous basic-auth approach.
+
+Two new bucket parameters are available: `locking` provisions from the `-lock` BucketClass (COMPLIANCE mode, 365-day object lock retention) for write-once-read-many use cases, and `storagePool` selects a specific pool's BucketClass for tiered storage placement. The COSI driver has been updated to v0.3.0 to support the new `diskType` parameter.
+
+**⚠️ Breaking change**: The implicit default BucketAccess resource is no longer created. Existing buckets that relied on the single auto-generated BucketAccess will need to explicitly define users in the `users` map after upgrading.
+
+### RabbitMQ Version Selection
+
+RabbitMQ instances now support a configurable **version selector** (`version` field with values: `v4.2`, `v4.1`, `v4.0`, `v3.13`; default `v4.2`). The chart validates the selection at deploy time and uses it to pin the runtime image, giving operators control over the RabbitMQ release channel per instance. An automatic migration backfills the `version` field on all existing RabbitMQ resources to `v4.2`.
+
+## Major Features and Improvements
+
+* **[apps] Add OpenBAO as a managed secrets management service**: Deployed as a PaaS application with standalone (file storage) and HA Raft modes, TLS enabled by default via cert-manager, injector and CSI provider disabled for tenant safety, and a full E2E lifecycle test ([**@lexfrei**](https://github.com/lexfrei) in #2059).
+
+* **[seaweedfs] Add storage pools support for tiered storage**: Added `volume.pools` (Simple) and `volume.zones[name].pools` (MultiZone) for per-disk-type StatefulSets, zone overrides (`nodeSelector`, `storageClass`, `dataCenter`), per-pool COSI BucketClass and BucketAccessClass resources, and bumped seaweedfs-cosi-driver to v0.3.0 ([**@sircthulhu**](https://github.com/sircthulhu) in #2097).
+
+* **[apps][system] Add bucket user model with locking and storage pool selection**: Replaced implicit BucketAccess with per-user `users` map, added `locking` and `storagePool` parameters, renamed COSI BucketClass suffix from `-worm` to `-lock`, added `-readonly` BucketAccessClass for all topologies, and updated S3 Manager with login screen using per-user credentials ([**@IvanHunters**](https://github.com/IvanHunters) in #2119).
+
+* **[rabbitmq] Add version selection for RabbitMQ instances**: Added `version` field (`v4.2`, `v4.1`, `v4.0`, `v3.13`) with chart-level validation, default `v4.2`, and an automatic migration to backfill the field on existing instances ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2092).
+
+* **[system] Add MongoDB Overview and InMemory Details Grafana dashboards**: Added two comprehensive Grafana dashboards for MongoDB monitoring — Overview (command operations, connections, cursors, query efficiency, write time) and InMemory Details (WiredTiger cache, transactions, concurrency, eviction). Dashboards are registered in `dashboards.list` for automatic GrafanaDashboard CRD generation ([**@IvanHunters**](https://github.com/IvanHunters) in #2158).
+
+* **[dashboard] Add storageClass dropdown for all stateful apps**: Replaced the free-text `storageClass` input with an API-backed dropdown listing available StorageClasses from the cluster. Affects ClickHouse, Harbor, HTTPCache, Kubernetes, MariaDB, MongoDB, NATS, OpenBAO, Postgres, Qdrant, RabbitMQ, Redis, VMDisk (top-level `storageClass`), FoundationDB (`storage.storageClass`), and Kafka (`kafka.storageClass`, `zookeeper.storageClass`) ([**@sircthulhu**](https://github.com/sircthulhu) in #2131).
+
+* **[bucket] Add readonly S3 access credentials**: Added a readonly `BucketAccessClass` to the SeaweedFS COSI chart and updated the bucket application to automatically provision two sets of S3 credentials per bucket: read-write (for UI) and readonly ([**@IvanHunters**](https://github.com/IvanHunters) in #2105).
+
+* **[dashboard] Hide sidebar on cluster-level pages when no tenant selected**: Fixed broken URLs with double `//` on the main cluster page (before tenant selection) by clearing `CUSTOMIZATION_SIDEBAR_FALLBACK_ID` so no sidebar renders when no namespace is selected ([**@sircthulhu**](https://github.com/sircthulhu) in #2106).
+
+* **[cert-manager] Update cert-manager to v1.19.3**: Upgraded cert-manager with new CRDs moved into a dedicated CRD package, added global `nodeSelector` and `hostUsers` (pod user-namespace isolation), and renamed `ServiceMonitor` targetPort default to `http-metrics` ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2070).
+
+* **[dashboard] Add backupClasses dropdown to Plan/BackupJob forms**: Replaced free-text input for `backupClass` field with an API-backed dropdown populated with available BackupClass resources, making it easier to select the correct backup target ([**@androndo**](https://github.com/androndo) in #2104).
+
+## Fixes
+
+* **[platform] Fix package name conversion in migration script**: Fixed the `migrate-to-version-1.0.sh` script to correctly prepend the `cozystack.` prefix when converting `BUNDLE_DISABLE` and `BUNDLE_ENABLE` package name lists, ensuring packages are properly identified during the v0.41→v1.0 upgrade ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2144, #2148).
+
+* **[backups] Fix RBAC for backup controllers**: Updated RBAC permissions for the backup strategy controller to support enhanced backup and restore capabilities, including Velero integration and status management ([**@androndo**](https://github.com/androndo) in #2145).
+
+* **[kubernetes] Set explicit MTU for Cilium in tenant clusters**: Set explicit MTU 1350 for Cilium in KubeVirt-based tenant Kubernetes clusters to prevent packet drops caused by VXLAN encapsulation overhead. Cilium's auto-detection does not account for VXLAN overhead (50 bytes) when the VM interface inherits MTU 1400 from the parent OVN/Geneve overlay, causing intermittent connectivity issues and HTTP 499 errors under load ([**@IvanHunters**](https://github.com/IvanHunters) in #2147).
+
+* **[platform] Prevent cozystack-version ConfigMap from deletion**: Added resource protection annotations to prevent the `cozystack-version` ConfigMap from being accidentally deleted, improving platform stability ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2112, #2114).
+
+* **[installer] Add keep annotation to Namespace and update migration script**: Added `helm.sh/resource-policy: keep` annotation to the `cozy-system` Namespace in the installer Helm chart to prevent Helm from deleting the namespace and all HelmReleases within it when the installer release is removed. The v1.0 migration script is also updated to annotate the namespace and `cozystack-version` ConfigMap before migration ([**@kvaps**](https://github.com/kvaps) in #2122, #2123).
+
+* **[dashboard] Add FlowSchema to exempt BFF from API throttling**: Added a `cozy-dashboard-exempt` FlowSchema to exempt the dashboard Back-End-for-Frontend service account from Kubernetes API Priority and Fairness throttling, preventing 429 errors under load ([**@kvaps**](https://github.com/kvaps) in #2121, #2124).
+
+* **[platform] Suspend cozy-proxy if it conflicts with installer release during migration**: Added a check in the v0.41→v1.0 migration script to detect and suspend the `cozy-proxy` HelmRelease when its `releaseName` is set to `cozystack`, which conflicts with the installer release and would cause `cozystack-operator` deletion during the upgrade ([**@kvaps**](https://github.com/kvaps) in #2128, #2130).
+
+* **[platform] Fix off-by-one error in run-migrations script**: Fixed a bug in the migration runner where the first required migration was always skipped due to an off-by-one error in the migration range calculation ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2126, #2132).
+
+* **[system] Fix Keycloak proxy configuration for v26.x**: Replaced the deprecated `KC_PROXY=edge` environment variable with `KC_PROXY_HEADERS=xforwarded` and `KC_HTTP_ENABLED=true` in the Keycloak StatefulSet. `KC_PROXY` was removed in Keycloak 26.x, previously causing "Non-secure context detected" warnings and broken cookie handling behind a reverse proxy with TLS termination ([**@sircthulhu**](https://github.com/sircthulhu) in #2125, #2134).
+
+* **[dashboard] Allow clearing instanceType field and preserve newlines in secret copy**: Added `allowEmpty: true` to the `instanceType` field in the VMInstance form so users can explicitly clear it to use custom KubeVirt resources without a named instance type. Also fixed newline preservation when copying secrets with CMD+C ([**@sircthulhu**](https://github.com/sircthulhu) in #2135, #2137).
+
+* **[dashboard] Restore stock-instance sidebars for namespace-level pages**: Restored `stock-instance-api-form`, `stock-instance-api-table`, `stock-instance-builtin-form`, and `stock-instance-builtin-table` sidebar resources that were inadvertently removed in #2106. Without these sidebars, namespace-level pages such as Backup Plans rendered as empty pages ([**@sircthulhu**](https://github.com/sircthulhu) in #2136, #2138).
+
+## System Configuration
+
+* **[platform] Disable private key rotation in CA certs**: Set `rotationPolicy: Never` for all CA/root certificates used by system components (ingress-nginx, linstor, linstor-scheduler, seaweedfs, victoria-metrics-operator, kubeovn-webhook, lineage-controller-webhook, cozystack-api, etcd, linstor API/internal) to prevent trust chain problems when CA certificates are reissued ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2113).
+
+## Development, Testing, and CI/CD
+
+* **[ci] Add debug improvements for CI tests**: Added extra debug commands for Kubernetes startup diagnostics and improved error output in CI test runs ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2111).
+
+## Documentation
+
+* **[website] Add object storage guide (pools, buckets, users)**: Added a comprehensive guide covering SeaweedFS object storage configuration including storage pools for tiered storage, bucket creation with access classes, per-user credential management, and credential rotation procedures ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#438).
+
+* **[website] Add Build Your Own Platform (BYOP) guide**: Added a new "Build Your Own Platform" guide and split the installation documentation into platform installation and BYOP sub-pages, with cross-references throughout the documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website#437).
+
+* **[website] Add white labeling guide**: Added a comprehensive guide for configuring white labeling (branding) in Cozystack v1, covering Dashboard fields (`titleText`, `footerText`, `tenantText`, `logoText`, `logoSvg`, `iconSvg`) and Keycloak fields (`brandName`, `brandHtmlName`). Includes SVG preparation workflow with theme-aware template variables and portable base64 encoding ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#441).
+
+* **[website] Actualize backup and recovery documentation**: Reworked the backup and recovery docs to be user-focused, separating operator and tenant workflows. Added tenant-facing documentation for `BackupJob` and `Plan` resources and a new Velero administration guide for operators ([**@androndo**](https://github.com/androndo) in cozystack/website#434).
+
+* **[website] Add step to protect namespace before upgrading**: Updated the cluster upgrade guide and v0.41→v1.0 migration guide with a required step to annotate the `cozy-system` namespace and `cozystack-version` ConfigMap with `helm.sh/resource-policy=keep` before running `helm upgrade` ([**@kvaps**](https://github.com/kvaps) in cozystack/website#435).
+
+* **[website] Replace bundles documentation with variants**: Renamed the "Bundles" documentation section to "Variants" to match current Cozystack terminology. Removed deprecated variants and added new ones: `default` and `isp-full-generic` ([**@kvaps**](https://github.com/kvaps) in cozystack/website#433).
+
+* **[website] Fix component values override instructions**: Corrected the component values override documentation to reflect current configuration patterns ([**@kvaps**](https://github.com/kvaps) in cozystack/website#436).
+
+## Breaking Changes & Upgrade Notes
+
+* **[bucket] Bucket user model now requires explicit user definitions**: The implicit default `BucketAccess` resource is no longer created automatically. Existing buckets that relied on a single auto-generated credential secret will need to define users explicitly in the `users` map after upgrading. Each user entry creates its own `BucketAccess` resource and credential secret (optionally with `readonly: true`). The COSI BucketClass suffix has also been renamed from `-worm` to `-lock` ([**@IvanHunters**](https://github.com/IvanHunters) in #2119).
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@androndo**](https://github.com/androndo)
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0...v1.1.0
--- a/docs/changelogs/v1.1.1.md
+++ b/docs/changelogs/v1.1.1.md
@@ -0,0 +1,23 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.1.1
+-->
+
+## Fixes
+
+* **[dashboard] Fix hidden MarketplacePanel resources appearing in sidebar menu**: The sidebar was generated independently from MarketplacePanels, always showing all resources regardless of their `hidden` state. Fixed by fetching MarketplacePanels during sidebar reconciliation and skipping resources where `hidden=true`, so hiding a resource from the marketplace also removes it from the sidebar navigation ([**@IvanHunters**](https://github.com/IvanHunters) in #2177, #2203).
+
+* **[dashboard] Fix disabled/hidden state overwritten on every MarketplacePanel reconciliation**: The controller was hardcoding `disabled=false` and `hidden=false` on every reconciliation, silently overwriting any user changes made through the dashboard UI. Fixed by reading and preserving the current `disabled`/`hidden` values from the existing resource before updating ([**@IvanHunters**](https://github.com/IvanHunters) in #2176, #2201).
+
+* **[dashboard] Fix External IPs factory EnrichedTable rendering**: The external-IPs table displayed empty rows because the factory used incorrect `EnrichedTable` properties. Replaced `clusterNamePartOfUrl` with `cluster` and changed `pathToItems` from array to dot-path string format, consistent with all other working `EnrichedTable` instances ([**@IvanHunters**](https://github.com/IvanHunters) in #2175, #2193).
+
+* **[platform] Fix VM MAC address not preserved during virtual-machine to vm-instance migration**: Kube-OVN reads MAC address exclusively from the pod annotation `ovn.kubernetes.io/mac_address`, not from the IP resource `spec.macAddress`. Without the annotation, migrated VMs received a new random MAC, breaking OS-level network configurations that match by MAC (e.g. netplan). Added a Helm `lookup` for the Kube-OVN IP resource in the vm-instance chart so that MAC and IP addresses are automatically injected as pod annotations when the resource exists ([**@sircthulhu**](https://github.com/sircthulhu) in #2169, #2190).
+
+* **[etcd-operator] Replace deprecated kube-rbac-proxy image**: The `gcr.io/kubebuilder/kube-rbac-proxy` image became unavailable after Google Container Registry was deprecated. Replaced it with `quay.io/brancz/kube-rbac-proxy` from the original upstream author, restoring etcd-operator functionality ([**@kvaps**](https://github.com/kvaps) in #2181, #2182).
+
+* **[migrations] Handle missing RabbitMQ CRD in migration 34**: Migration 34 failed with an error when the `rabbitmqs.apps.cozystack.io` CRD did not exist — which occurs on clusters where RabbitMQ was never installed. Added a CRD presence check before attempting to list resources so that migration 34 completes cleanly on such clusters ([**@IvanHunters**](https://github.com/IvanHunters) in #2168, #2180).
+
+* **[keycloak] Fix Keycloak crashloop due to misconfigured health probes**: Keycloak 26.x redirects all HTTP requests on port 8080 to the configured HTTPS hostname; since kubelet does not follow redirects, liveness and readiness probes failed causing a crashloop. Fixed by enabling `KC_HEALTH_ENABLED=true`, exposing management port 9000, and switching all probes to `/health/live` and `/health/ready` on port 9000. Also added a `startupProbe` for improved startup tolerance ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #2162, #2179).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.1.0...v1.1.1
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
 	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
 	sigs.k8s.io/controller-runtime v0.22.4
-	sigs.k8s.io/structured-merge-diff/v4 v4.7.0
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
 )

 require (
@@ -125,7 +125,6 @@ require (
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )

--- a/go.sum
+++ b/go.sum
@@ -81,7 +81,6 @@ github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI=
 github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -324,13 +323,9 @@ sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327U
 sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
-sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
-sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
-sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
--- a/hack/cozytest.sh
+++ b/hack/cozytest.sh
@@ -10,7 +10,11 @@ PATTERN=${2:-*}
 LINE='----------------------------------------------------------------'

 cols() { stty size 2>/dev/null | awk '{print $2}' || echo 80; }
-MAXW=$(( $(cols) - 12 )); [ "$MAXW" -lt 40 ] && MAXW=70
+if [ -t 1 ]; then
+  MAXW=$(( $(cols) - 12 )); [ "$MAXW" -lt 40 ] && MAXW=70
+else
+  MAXW=0  # no truncation when not a tty (e.g. CI)
+fi
 BEGIN=$(date +%s)
 timestamp() { s=$(( $(date +%s) - BEGIN )); printf '[%02d:%02d]' $((s/60)) $((s%60)); }

@@ -45,7 +49,7 @@ run_one() {
          *)       out=$line ;;
        esac
        now=$(( $(date +%s) - START ))
-        [ ${#out} -gt "$MAXW" ] && out="$(printf '%.*s…' "$MAXW" "$out")"
+        [ "$MAXW" -gt 0 ] && [ ${#out} -gt "$MAXW" ] && out="$(printf '%.*s…' "$MAXW" "$out")"
        printf '┊[%02d:%02d] %s\n' $((now/60)) $((now%60)) "$out"
  done

--- a/hack/download-dashboards.sh
+++ b/hack/download-dashboards.sh
@@ -83,6 +83,8 @@ modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//flux/flux-stats
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//kafka/strimzi-kafka.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//seaweedfs/seaweedfs.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//goldpinger/goldpinger.json
+modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//nats/nats-jetstream.json
+modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//nats/nats-server.json
 EOT


--- a/hack/e2e-apps/bucket.bats
+++ b/hack/e2e-apps/bucket.bats
@@ -1,7 +1,7 @@
 #!/usr/bin/env bats

@test "Create and Verify Seeweedfs Bucket" {
-  # Create the bucket resource
+  # Create the bucket resource with readwrite and readonly users
  name='test'
  kubectl apply -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
@@ -9,21 +9,29 @@ kind: Bucket
 metadata:
  name: ${name}
  namespace: tenant-test
-spec: {}
+spec:
+  users:
+    admin: {}
+    viewer:
+      readonly: true
 EOF

  # Wait for the bucket to be ready
  kubectl -n tenant-test wait hr bucket-${name} --timeout=100s --for=condition=ready
  kubectl -n tenant-test wait bucketclaims.objectstorage.k8s.io bucket-${name} --timeout=300s --for=jsonpath='{.status.bucketReady}'
-  kubectl -n tenant-test wait bucketaccesses.objectstorage.k8s.io bucket-${name} --timeout=300s --for=jsonpath='{.status.accessGranted}'
+  kubectl -n tenant-test wait bucketaccesses.objectstorage.k8s.io bucket-${name}-admin --timeout=300s --for=jsonpath='{.status.accessGranted}'
+  kubectl -n tenant-test wait bucketaccesses.objectstorage.k8s.io bucket-${name}-viewer --timeout=300s --for=jsonpath='{.status.accessGranted}'

-  # Get and decode credentials
-  kubectl -n tenant-test get secret bucket-${name} -ojsonpath='{.data.BucketInfo}' | base64 -d > bucket-test-credentials.json
+  # Get admin (readwrite) credentials
+  kubectl -n tenant-test get secret bucket-${name}-admin -ojsonpath='{.data.BucketInfo}' | base64 -d > bucket-admin-credentials.json
+  ADMIN_ACCESS_KEY=$(jq -r '.spec.secretS3.accessKeyID' bucket-admin-credentials.json)
+  ADMIN_SECRET_KEY=$(jq -r '.spec.secretS3.accessSecretKey' bucket-admin-credentials.json)
+  BUCKET_NAME=$(jq -r '.spec.bucketName' bucket-admin-credentials.json)

-  # Get credentials from the secret
-  ACCESS_KEY=$(jq -r '.spec.secretS3.accessKeyID' bucket-test-credentials.json)
-  SECRET_KEY=$(jq -r '.spec.secretS3.accessSecretKey' bucket-test-credentials.json)
-  BUCKET_NAME=$(jq -r '.spec.bucketName' bucket-test-credentials.json)
+  # Get viewer (readonly) credentials
+  kubectl -n tenant-test get secret bucket-${name}-viewer -ojsonpath='{.data.BucketInfo}' | base64 -d > bucket-viewer-credentials.json
+  VIEWER_ACCESS_KEY=$(jq -r '.spec.secretS3.accessKeyID' bucket-viewer-credentials.json)
+  VIEWER_SECRET_KEY=$(jq -r '.spec.secretS3.accessSecretKey' bucket-viewer-credentials.json)

  # Start port-forwarding
  bash -c 'timeout 100s kubectl port-forward service/seaweedfs-s3 -n tenant-root 8333:8333 > /dev/null 2>&1 &'
@@ -31,17 +39,33 @@ EOF
  # Wait for port-forward to be ready
  timeout 30 sh -ec 'until nc -z localhost 8333; do sleep 1; done'

-  # Set up MinIO alias with error handling
-  mc alias set local https://localhost:8333 $ACCESS_KEY $SECRET_KEY --insecure
+  # --- Test readwrite user (admin) ---
+  mc alias set rw-user https://localhost:8333 $ADMIN_ACCESS_KEY $ADMIN_SECRET_KEY --insecure

-  # Upload file to bucket
-  mc cp bucket-test-credentials.json $BUCKET_NAME/bucket-test-credentials.json
+  # Admin can upload
+  echo "readwrite test" > /tmp/rw-test.txt
+  mc cp --insecure /tmp/rw-test.txt rw-user/$BUCKET_NAME/rw-test.txt

-  # Verify file was uploaded
-  mc ls $BUCKET_NAME/bucket-test-credentials.json
+  # Admin can list
+  mc ls --insecure rw-user/$BUCKET_NAME/rw-test.txt

-  # Clean up uploaded file
-  mc rm $BUCKET_NAME/bucket-test-credentials.json
+  # Admin can download
+  mc cp --insecure rw-user/$BUCKET_NAME/rw-test.txt /tmp/rw-test-download.txt

+  # --- Test readonly user (viewer) ---
+  mc alias set ro-user https://localhost:8333 $VIEWER_ACCESS_KEY $VIEWER_SECRET_KEY --insecure
+
+  # Viewer can list
+  mc ls --insecure ro-user/$BUCKET_NAME/rw-test.txt
+
+  # Viewer can download
+  mc cp --insecure ro-user/$BUCKET_NAME/rw-test.txt /tmp/ro-test-download.txt
+
+  # Viewer cannot upload (must fail with Access Denied)
+  echo "readonly test" > /tmp/ro-test.txt
+  ! mc cp --insecure /tmp/ro-test.txt ro-user/$BUCKET_NAME/ro-test.txt
+
+  # --- Cleanup ---
+  mc rm --insecure rw-user/$BUCKET_NAME/rw-test.txt
  kubectl -n tenant-test delete bucket.apps.cozystack.io ${name}
 }
--- a/hack/e2e-apps/external-dns.bats
+++ b/hack/e2e-apps/external-dns.bats
@@ -0,0 +1,50 @@
+#!/usr/bin/env bats
+
+teardown() {
+  kubectl -n tenant-test delete externaldns.apps.cozystack.io --all --ignore-not-found 2>/dev/null || true
+}
+
+@test "Create and Verify ExternalDNS with inmemory provider" {
+  name='test'
+  kubectl apply -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: ExternalDNS
+metadata:
+  name: ${name}
+  namespace: tenant-test
+spec:
+  provider: inmemory
+  domainFilters:
+    - example.com
+EOF
+
+  sleep 5
+  kubectl -n tenant-test wait hr ${name} --timeout=120s --for=condition=ready
+  kubectl -n tenant-test wait hr ${name}-system --timeout=120s --for=condition=ready
+  timeout 60 sh -ec "until kubectl -n tenant-test get deploy -l app.kubernetes.io/instance=${name}-system -o jsonpath='{.items[0].status.readyReplicas}' | grep -q '1'; do sleep 5; done"
+
+  kubectl -n tenant-test delete externaldns.apps.cozystack.io ${name}
+}
+
+@test "Create and Verify ExternalDNS with custom annotationPrefix" {
+  name='test-prefix'
+  kubectl apply -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: ExternalDNS
+metadata:
+  name: ${name}
+  namespace: tenant-test
+spec:
+  provider: inmemory
+  annotationPrefix: custom-dns/
+  domainFilters:
+    - example.org
+EOF
+
+  sleep 5
+  kubectl -n tenant-test wait hr ${name} --timeout=120s --for=condition=ready
+  kubectl -n tenant-test wait hr ${name}-system --timeout=120s --for=condition=ready
+  timeout 60 sh -ec "until kubectl -n tenant-test get deploy -l app.kubernetes.io/instance=${name}-system -o jsonpath='{.items[0].status.readyReplicas}' | grep -q '1'; do sleep 5; done"
+
+  kubectl -n tenant-test delete externaldns.apps.cozystack.io ${name}
+}
--- a/hack/e2e-apps/harbor.bats
+++ b/hack/e2e-apps/harbor.bats
@@ -0,0 +1,74 @@
+#!/usr/bin/env bats
+
+@test "Create Harbor" {
+  name='test'
+  release="harbor-$name"
+
+  # Clean up stale resources from previous failed runs
+  kubectl -n tenant-test delete harbor.apps.cozystack.io $name 2>/dev/null || true
+  kubectl -n tenant-test wait hr $release --timeout=60s --for=delete 2>/dev/null || true
+
+  kubectl apply -f- <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: Harbor
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  host: ""
+  storageClass: ""
+  core:
+    resources: {}
+    resourcesPreset: "nano"
+  registry:
+    resources: {}
+    resourcesPreset: "nano"
+  jobservice:
+    resources: {}
+    resourcesPreset: "nano"
+  trivy:
+    enabled: false
+    size: 2Gi
+    resources: {}
+    resourcesPreset: "nano"
+  database:
+    size: 2Gi
+    replicas: 1
+  redis:
+    size: 1Gi
+    replicas: 1
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr $release --timeout=60s --for=condition=ready
+
+  # Wait for COSI to provision bucket
+  kubectl -n tenant-test wait bucketclaims.objectstorage.k8s.io $release-registry \
+    --timeout=300s --for=jsonpath='{.status.bucketReady}'=true
+  kubectl -n tenant-test wait bucketaccesses.objectstorage.k8s.io $release-registry \
+    --timeout=60s --for=jsonpath='{.status.accessGranted}'=true
+
+  kubectl -n tenant-test wait hr $release-system --timeout=600s --for=condition=ready || {
+    echo "=== HelmRelease status ==="
+    kubectl -n tenant-test get hr $release-system -o yaml 2>&1 || true
+    echo "=== Pods ==="
+    kubectl -n tenant-test get pods 2>&1 || true
+    echo "=== Events ==="
+    kubectl -n tenant-test get events --sort-by='.lastTimestamp' 2>&1 | tail -30 || true
+    echo "=== ExternalArtifact ==="
+    kubectl -n cozy-system get externalartifact cozystack-harbor-application-default-harbor-system -o yaml 2>&1 || true
+    echo "=== BucketClaim status ==="
+    kubectl -n tenant-test get bucketclaims.objectstorage.k8s.io $release-registry -o yaml 2>&1 || true
+    echo "=== BucketAccess status ==="
+    kubectl -n tenant-test get bucketaccesses.objectstorage.k8s.io $release-registry -o yaml 2>&1 || true
+    echo "=== BucketAccess Secret ==="
+    kubectl -n tenant-test get secret $release-registry-bucket -o jsonpath='{.data.BucketInfo}' 2>&1 | base64 -d 2>&1 || true
+    false
+  }
+  kubectl -n tenant-test wait deploy $release-core --timeout=120s --for=condition=available
+  kubectl -n tenant-test wait deploy $release-registry --timeout=120s --for=condition=available
+  kubectl -n tenant-test wait deploy $release-portal --timeout=120s --for=condition=available
+  kubectl -n tenant-test get secret $release-credentials -o jsonpath='{.data.admin-password}' | base64 --decode | grep -q '.'
+  kubectl -n tenant-test get secret $release-credentials -o jsonpath='{.data.url}' | base64 --decode | grep -q 'https://'
+  kubectl -n tenant-test get svc $release -o jsonpath='{.spec.ports[0].port}' | grep -q '80'
+  kubectl -n tenant-test delete harbor.apps.cozystack.io $name
+}
--- a/hack/e2e-apps/openbao.bats
+++ b/hack/e2e-apps/openbao.bats
@@ -0,0 +1,59 @@
+#!/usr/bin/env bats
+
+@test "Create OpenBAO (standalone)" {
+  name='test'
+  kubectl apply -f- <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: OpenBAO
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  replicas: 1
+  size: 10Gi
+  storageClass: ""
+  resourcesPreset: "small"
+  resources: {}
+  external: false
+  ui: true
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr openbao-$name --timeout=60s --for=condition=ready
+  kubectl -n tenant-test wait hr openbao-$name-system --timeout=120s --for=condition=ready
+
+  # Wait for container to be started (pod Running does not guarantee container is ready for exec on slow CI)
+  if ! timeout 120 sh -ec "until kubectl -n tenant-test get pod openbao-$name-0 --output jsonpath='{.status.containerStatuses[0].started}' 2>/dev/null | grep -q true; do sleep 5; done"; then
+    echo "=== DEBUG: Container did not start in time ===" >&2
+    kubectl -n tenant-test describe pod openbao-$name-0 >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 --previous >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 >&2 || true
+    return 1
+  fi
+
+  # Wait for OpenBAO API to accept connections
+  # bao status exit codes: 0 = unsealed, 1 = error/not ready, 2 = sealed but responsive
+  if ! timeout 60 sh -ec "until kubectl -n tenant-test exec openbao-$name-0 -- bao status >/dev/null 2>&1; rc=\$?; test \$rc -eq 0 -o \$rc -eq 2; do sleep 3; done"; then
+    echo "=== DEBUG: OpenBAO API did not become responsive ===" >&2
+    kubectl -n tenant-test describe pod openbao-$name-0 >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 --previous >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 >&2 || true
+    return 1
+  fi
+
+  # Initialize OpenBAO (single key share for testing simplicity)
+  init_output=$(kubectl -n tenant-test exec openbao-$name-0 -- bao operator init -key-shares=1 -key-threshold=1 -format=json)
+  unseal_key=$(echo "$init_output" | jq -r '.unseal_keys_b64[0]')
+  if [ -z "$unseal_key" ] || [ "$unseal_key" = "null" ]; then
+    echo "Failed to extract unseal key. Init output: $init_output" >&2
+    return 1
+  fi
+
+  # Unseal OpenBAO
+  kubectl -n tenant-test exec openbao-$name-0 -- bao operator unseal "$unseal_key"
+
+  # Now wait for pod to become ready (readiness probe checks seal status)
+  kubectl -n tenant-test wait sts openbao-$name --timeout=90s --for=jsonpath='{.status.readyReplicas}'=1
+  kubectl -n tenant-test wait pvc data-openbao-$name-0 --timeout=50s --for=jsonpath='{.status.phase}'=Bound
+  kubectl -n tenant-test delete openbao.apps.cozystack.io $name
+  kubectl -n tenant-test delete pvc data-openbao-$name-0 --ignore-not-found
+}
--- a/hack/e2e-apps/run-kubernetes.sh
+++ b/hack/e2e-apps/run-kubernetes.sh
@@ -80,33 +80,41 @@ EOF
  # Wait for the machine deployment to scale to 2 replicas (timeout after 1 minute)
  kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
  # Get the admin kubeconfig and save it to a file
-  kubectl get secret kubernetes-${test_name}-admin-kubeconfig -ojsonpath='{.data.super-admin\.conf}' -n tenant-test | base64 -d > tenantkubeconfig-${test_name}
+  kubectl get secret kubernetes-${test_name}-admin-kubeconfig -ojsonpath='{.data.super-admin\.conf}' -n tenant-test | base64 -d > "tenantkubeconfig-${test_name}"

  # Update the kubeconfig to use localhost for the API server
-  yq -i ".clusters[0].cluster.server = \"https://localhost:${port}\"" tenantkubeconfig-${test_name}
+  yq -i ".clusters[0].cluster.server = \"https://localhost:${port}\"" "tenantkubeconfig-${test_name}"


-  # Set up port forwarding to the Kubernetes API server for a 200 second timeout
+  # Kill any stale port-forward on this port from a previous retry
+  pkill -f "port-forward.*${port}:" 2>/dev/null || true
+  sleep 1
+
+  # Set up port forwarding to the Kubernetes API server
  bash -c 'timeout 500s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
  # Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
  timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'

-  # Wait for the nodes to be ready (timeout after 2 minutes)
-  timeout 3m bash -c '
-    until [ "$(kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -eq 2 ]; do
+  # Wait for at least 2 nodes to join (timeout after 8 minutes)
+  timeout 8m bash -c '
+    until [ "$(kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -ge 2 ]; do
      sleep 2
    done
  '
  # Verify the nodes are ready
-  kubectl --kubeconfig tenantkubeconfig-${test_name} wait node --all --timeout=2m --for=condition=Ready
-  kubectl --kubeconfig tenantkubeconfig-${test_name} get nodes -o wide
+  if ! kubectl --kubeconfig "tenantkubeconfig-${test_name}" wait node --all --timeout=2m --for=condition=Ready; then
+    # Additional debug messages
+    kubectl --kubeconfig "tenantkubeconfig-${test_name}" describe nodes
+    kubectl -n tenant-test get hr
+  fi
+  kubectl --kubeconfig "tenantkubeconfig-${test_name}" get nodes -o wide

  # Verify the kubelet version matches what we expect
  versions=$(kubectl --kubeconfig "tenantkubeconfig-${test_name}" \
    get nodes -o jsonpath='{.items[*].status.nodeInfo.kubeletVersion}')
-  
+
  node_ok=true
-  
+
  for v in $versions; do
    case "$v" in
      "${k8s_version}" | "${k8s_version}".* | "${k8s_version}"-*)
@@ -125,15 +133,21 @@ EOF
  fi


-  kubectl --kubeconfig tenantkubeconfig-${test_name} apply -f - <<EOF
+  kubectl --kubeconfig "tenantkubeconfig-${test_name}" apply -f - <<EOF
 apiVersion: v1
 kind: Namespace
 metadata:
  name: tenant-test
 EOF

+  # Clean up backend resources from any previous failed attempt
+  kubectl delete deployment --kubeconfig "tenantkubeconfig-${test_name}" "${test_name}-backend" \
+    -n tenant-test --ignore-not-found --timeout=60s || true
+  kubectl delete service --kubeconfig "tenantkubeconfig-${test_name}" "${test_name}-backend" \
+    -n tenant-test --ignore-not-found --timeout=60s || true
+
  # Backend 1
-  kubectl apply --kubeconfig tenantkubeconfig-${test_name} -f- <<EOF
+  kubectl apply --kubeconfig "tenantkubeconfig-${test_name}" -f- <<EOF
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -165,7 +179,7 @@ spec:
 EOF

  # LoadBalancer Service
-  kubectl apply --kubeconfig tenantkubeconfig-${test_name} -f- <<EOF
+  kubectl apply --kubeconfig "tenantkubeconfig-${test_name}" -f- <<EOF
 apiVersion: v1
 kind: Service
 metadata:
@@ -182,8 +196,8 @@ spec:
 EOF

  # Wait for pods readiness
-  kubectl wait deployment --kubeconfig tenantkubeconfig-${test_name} ${test_name}-backend -n tenant-test --for=condition=Available --timeout=90s
-  
+  kubectl wait deployment --kubeconfig "tenantkubeconfig-${test_name}" "${test_name}-backend" -n tenant-test --for=condition=Available --timeout=300s
+
  # Wait for LoadBalancer to be provisioned (IP or hostname)
  timeout 90 sh -ec "
    until kubectl get svc ${test_name}-backend --kubeconfig tenantkubeconfig-${test_name} -n tenant-test \
@@ -193,7 +207,7 @@ EOF
  "

 LB_ADDR=$(
-  kubectl get svc --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" \
+  kubectl get svc --kubeconfig "tenantkubeconfig-${test_name}" "${test_name}-backend" \
    -n tenant-test \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}'
 )
@@ -215,11 +229,17 @@ fi
  fi

  # Cleanup
-  kubectl delete deployment --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" -n tenant-test
-  kubectl delete service --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" -n tenant-test
+  kubectl delete deployment --kubeconfig "tenantkubeconfig-${test_name}" "${test_name}-backend" -n tenant-test
+  kubectl delete service --kubeconfig "tenantkubeconfig-${test_name}" "${test_name}-backend" -n tenant-test
+
+  # Clean up NFS test resources from any previous failed attempt
+  kubectl --kubeconfig "tenantkubeconfig-${test_name}" delete pod nfs-test-pod \
+    -n tenant-test --ignore-not-found --timeout=60s || true
+  kubectl --kubeconfig "tenantkubeconfig-${test_name}" delete pvc nfs-test-pvc \
+    -n tenant-test --ignore-not-found --timeout=60s || true

  # Test RWX NFS mount in tenant cluster (uses kubevirt CSI driver with RWX support)
-  kubectl --kubeconfig tenantkubeconfig-${test_name} apply -f - <<EOF
+  kubectl --kubeconfig "tenantkubeconfig-${test_name}" apply -f - <<EOF
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -235,10 +255,10 @@ spec:
 EOF

  # Wait for PVC to be bound
-  kubectl --kubeconfig tenantkubeconfig-${test_name} wait pvc nfs-test-pvc -n tenant-test --timeout=2m --for=jsonpath='{.status.phase}'=Bound
+  kubectl --kubeconfig "tenantkubeconfig-${test_name}" wait pvc nfs-test-pvc -n tenant-test --timeout=2m --for=jsonpath='{.status.phase}'=Bound

  # Create Pod that writes and reads data from NFS volume
-  kubectl --kubeconfig tenantkubeconfig-${test_name} apply -f - <<EOF
+  kubectl --kubeconfig "tenantkubeconfig-${test_name}" apply -f - <<EOF
 apiVersion: v1
 kind: Pod
 metadata:
@@ -260,20 +280,20 @@ spec:
 EOF

  # Wait for Pod to complete successfully
-  kubectl --kubeconfig tenantkubeconfig-${test_name} wait pod nfs-test-pod -n tenant-test --timeout=5m --for=jsonpath='{.status.phase}'=Succeeded
+  kubectl --kubeconfig "tenantkubeconfig-${test_name}" wait pod nfs-test-pod -n tenant-test --timeout=5m --for=jsonpath='{.status.phase}'=Succeeded

  # Verify NFS data integrity
-  nfs_result=$(kubectl --kubeconfig tenantkubeconfig-${test_name} logs nfs-test-pod -n tenant-test)
+  nfs_result=$(kubectl --kubeconfig "tenantkubeconfig-${test_name}" logs nfs-test-pod -n tenant-test)
  if [ "$nfs_result" != "nfs-mount-ok" ]; then
    echo "NFS mount test failed: expected 'nfs-mount-ok', got '$nfs_result'" >&2
-    kubectl --kubeconfig tenantkubeconfig-${test_name} delete pod nfs-test-pod -n tenant-test --wait=false 2>/dev/null || true
-    kubectl --kubeconfig tenantkubeconfig-${test_name} delete pvc nfs-test-pvc -n tenant-test --wait=false 2>/dev/null || true
+    kubectl --kubeconfig "tenantkubeconfig-${test_name}" delete pod nfs-test-pod -n tenant-test --wait=false 2>/dev/null || true
+    kubectl --kubeconfig "tenantkubeconfig-${test_name}" delete pvc nfs-test-pvc -n tenant-test --wait=false 2>/dev/null || true
    exit 1
  fi

  # Cleanup NFS test resources in tenant cluster
-  kubectl --kubeconfig tenantkubeconfig-${test_name} delete pod nfs-test-pod -n tenant-test --wait
-  kubectl --kubeconfig tenantkubeconfig-${test_name} delete pvc nfs-test-pvc -n tenant-test
+  kubectl --kubeconfig "tenantkubeconfig-${test_name}" delete pod nfs-test-pod -n tenant-test --wait
+  kubectl --kubeconfig "tenantkubeconfig-${test_name}" delete pvc nfs-test-pvc -n tenant-test

  # Wait for all machine deployment replicas to be ready (timeout after 10 minutes)
  kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
--- a/hack/e2e-install-cozystack.bats
+++ b/hack/e2e-install-cozystack.bats
@@ -1,27 +1,32 @@
 #!/usr/bin/env bats

-@test "Required installer assets exist" {
-  if [ ! -f _out/assets/cozystack-crds.yaml ]; then
-    echo "Missing: _out/assets/cozystack-crds.yaml" >&2
-    exit 1
-  fi
-  if [ ! -f _out/assets/cozystack-operator-talos.yaml ]; then
-    echo "Missing: _out/assets/cozystack-operator-talos.yaml" >&2
+@test "Required installer chart exists" {
+  if [ ! -f packages/core/installer/Chart.yaml ]; then
+    echo "Missing: packages/core/installer/Chart.yaml" >&2
    exit 1
  fi
 }

@test "Install Cozystack" {
-  # Create namespace
-  kubectl create namespace cozy-system --dry-run=client -o yaml | kubectl apply -f -
+  # Install cozy-installer chart (operator installs CRDs on startup via --install-crds)
+  helm upgrade installer packages/core/installer \
+    --install \
+    --namespace cozy-system \
+    --create-namespace \
+    --wait \
+    --timeout 2m

-  # Apply installer manifests (CRDs + operator)
-  kubectl apply -f _out/assets/cozystack-crds.yaml
-  kubectl apply -f _out/assets/cozystack-operator-talos.yaml
-
-  # Wait for the operator deployment to become available
+  # Verify the operator deployment is available
  kubectl wait deployment/cozystack-operator -n cozy-system --timeout=1m --for=condition=Available

+  # Wait for operator to install CRDs (happens at startup before reconcile loop).
+  # kubectl wait fails immediately if the CRD does not exist yet, so poll until it appears first.
+  timeout 120 sh -ec 'until kubectl wait crd/packages.cozystack.io --for=condition=Established --timeout=10s 2>/dev/null; do sleep 2; done'
+  timeout 120 sh -ec 'until kubectl wait crd/packagesources.cozystack.io --for=condition=Established --timeout=10s 2>/dev/null; do sleep 2; done'
+
+  # Wait for operator to create the platform PackageSource
+  timeout 120 sh -ec 'until kubectl get packagesource cozystack.cozystack-platform >/dev/null 2>&1; do sleep 2; done'
+
  # Create platform Package with isp-full variant
  kubectl apply -f - <<EOF
 apiVersion: cozystack.io/v1alpha1
@@ -41,6 +46,9 @@ spec:
        publishing:
          host: "example.org"
          apiServerEndpoint: "https://192.168.123.10:6443"
+        bundles:
+          enabledPackages:
+            - cozystack.external-dns-application
 EOF

  # Wait until HelmReleases appear & reconcile them
@@ -170,8 +178,8 @@ EOF

  # VictoriaMetrics components
  kubectl wait vmalert/vmalert-shortterm vmalertmanager/alertmanager -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=15m
-  kubectl wait vlogs/generic -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=5m
-  kubectl wait vmcluster/shortterm vmcluster/longterm -n tenant-root --for=jsonpath='{.status.clusterStatus}'=operational --timeout=5m
+  kubectl wait vlclusters/generic -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=5m
+  kubectl wait vmcluster/shortterm vmcluster/longterm -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=5m

  # Grafana
  kubectl wait clusters.postgresql.cnpg.io/grafana-db -n tenant-root --for=condition=ready --timeout=5m
--- a/hack/migrate-to-version-1.0.sh
+++ b/hack/migrate-to-version-1.0.sh
@@ -32,6 +32,54 @@ if ! kubectl get namespace "$NAMESPACE" &> /dev/null; then
    exit 1
 fi

+# Step 0: Annotate critical resources to prevent Helm from deleting them
+echo "Step 0: Protect critical resources from Helm deletion"
+echo ""
+echo "The following resources will be annotated with helm.sh/resource-policy=keep"
+echo "to prevent Helm from deleting them when the installer release is removed:"
+echo "  - Namespace: $NAMESPACE"
+echo "  - ConfigMap: $NAMESPACE/cozystack-version"
+echo ""
+read -p "Do you want to annotate these resources? (y/N) " -n 1 -r
+echo ""
+
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+    echo "Annotating namespace $NAMESPACE..."
+    kubectl annotate namespace "$NAMESPACE" helm.sh/resource-policy=keep --overwrite
+    echo "Annotating ConfigMap cozystack-version..."
+    kubectl annotate configmap -n "$NAMESPACE" cozystack-version helm.sh/resource-policy=keep --overwrite 2>/dev/null || echo "  ConfigMap cozystack-version not found, skipping."
+    echo ""
+    echo "Resources annotated successfully."
+else
+    echo "WARNING: Skipping annotation. If you remove the Helm installer release,"
+    echo "the namespace and its contents may be deleted!"
+fi
+echo ""
+
+# Step 1: Check for cozy-proxy HelmRelease with conflicting releaseName
+# In v0.41.x, cozy-proxy was incorrectly configured with releaseName "cozystack",
+# which conflicts with the installer helm release name. If not suspended, cozy-proxy
+# HelmRelease will overwrite the installer release and delete cozystack-operator.
+COZY_PROXY_RELEASE_NAME=$(kubectl get hr -n "$NAMESPACE" cozy-proxy -o jsonpath='{.spec.releaseName}' 2>/dev/null || true)
+if [ "$COZY_PROXY_RELEASE_NAME" = "cozystack" ]; then
+    echo "WARNING: HelmRelease cozy-proxy has releaseName 'cozystack', which conflicts"
+    echo "with the installer release. It must be suspended before proceeding, otherwise"
+    echo "it will overwrite the installer and delete cozystack-operator."
+    echo ""
+    read -p "Suspend HelmRelease cozy-proxy? (y/N) " -n 1 -r
+    echo ""
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        kubectl -n "$NAMESPACE" patch hr cozy-proxy --type=merge --field-manager=flux-client-side-apply -p '{"spec":{"suspend":true}}'
+        echo "HelmRelease cozy-proxy suspended."
+    else
+        echo "ERROR: Cannot proceed with conflicting cozy-proxy HelmRelease active."
+        echo "Please suspend it manually:"
+        echo "  kubectl -n $NAMESPACE patch hr cozy-proxy --type=merge -p '{\"spec\":{\"suspend\":true}}'"
+        exit 1
+    fi
+    echo ""
+fi
+
 # Read ConfigMap cozystack
 echo "Reading ConfigMap cozystack..."
 COZYSTACK_CM=$(kubectl get configmap -n "$NAMESPACE" cozystack -o json 2>/dev/null || echo "{}")
@@ -52,6 +100,43 @@ OIDC_ENABLED=$(echo "$COZYSTACK_CM" | jq -r '.data["oidc-enabled"] // "false"')
 KEYCLOAK_REDIRECTS=$(echo "$COZYSTACK_CM" | jq -r '.data["extra-keycloak-redirect-uri-for-dashboard"] // ""' )
 TELEMETRY_ENABLED=$(echo "$COZYSTACK_CM" | jq -r '.data["telemetry-enabled"] // "true"')
 BUNDLE_NAME=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-name"] // "paas-full"')
+BUNDLE_DISABLE=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-disable"] // ""')
+BUNDLE_ENABLE=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-enable"] // ""')
+EXPOSE_INGRESS=$(echo "$COZYSTACK_CM" | jq -r '.data["expose-ingress"] // "tenant-root"')
+EXPOSE_SERVICES=$(echo "$COZYSTACK_CM" | jq -r '.data["expose-services"] // ""')
+
+# Certificate issuer configuration (old undocumented field: clusterissuer)
+OLD_CLUSTER_ISSUER=$(echo "$COZYSTACK_CM" | jq -r '.data["clusterissuer"] // ""')
+
+# Convert old clusterissuer value to new solver/issuerName fields
+SOLVER=""
+ISSUER_NAME=""
+case "$OLD_CLUSTER_ISSUER" in
+    cloudflare)
+        SOLVER="dns01"
+        ISSUER_NAME="letsencrypt-prod"
+        ;;
+    http01)
+        SOLVER="http01"
+        ISSUER_NAME="letsencrypt-prod"
+        ;;
+    "")
+        # Field not set; omit from Package so chart defaults apply
+        ;;
+    *)
+        # Unrecognised value — treat as custom ClusterIssuer name with no solver override
+        ISSUER_NAME="$OLD_CLUSTER_ISSUER"
+        ;;
+esac
+
+# Build certificates YAML block (empty string when no override needed)
+if [ -n "$SOLVER" ] || [ -n "$ISSUER_NAME" ]; then
+    CERTIFICATES_SECTION="          certificates:
+            solver: \"${SOLVER}\"
+            issuerName: \"${ISSUER_NAME}\""
+else
+    CERTIFICATES_SECTION=""
+fi

 # Network configuration
 POD_CIDR=$(echo "$COZYSTACK_CM" | jq -r '.data["ipv4-pod-cidr"] // "10.244.0.0/16"')
@@ -66,28 +151,31 @@ else
    EXTERNAL_IPS=$(echo "$EXTERNAL_IPS" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - "$0}')
 fi

-# Determine bundle type
-case "$BUNDLE_NAME" in
-    paas-full|distro-full)
-        SYSTEM_ENABLED="true"
-        SYSTEM_TYPE="full"
-        ;;
-    paas-hosted|distro-hosted)
-        SYSTEM_ENABLED="false"
-        SYSTEM_TYPE="hosted"
-        ;;
-    *)
-        SYSTEM_ENABLED="false"
-        SYSTEM_TYPE="hosted"
-        ;;
-esac
+# Convert comma-separated lists to YAML arrays
+if [ -z "$BUNDLE_DISABLE" ]; then
+    DISABLED_PACKAGES="[]"
+else
+    DISABLED_PACKAGES=$(echo "$BUNDLE_DISABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - cozystack."$0}')
+fi
+
+if [ -z "$BUNDLE_ENABLE" ]; then
+    ENABLED_PACKAGES="[]"
+else
+    ENABLED_PACKAGES=$(echo "$BUNDLE_ENABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - cozystack."$0}')
+fi
+
+if [ -z "$EXPOSE_SERVICES" ]; then
+    EXPOSED_SERVICES_YAML="[]"
+else
+    EXPOSED_SERVICES_YAML=$(echo "$EXPOSE_SERVICES" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "            - "$0}')
+fi

 # Update bundle naming
 BUNDLE_NAME=$(echo "$BUNDLE_NAME" | sed 's/paas/isp/')

 # Extract branding if available
 BRANDING=$(echo "$BRANDING_CM" | jq -r '.data // {} | to_entries[] | "\(.key): \"\(.value)\""')
-if [ -z "$BRANDING" ]; then 
+if [ -z "$BRANDING" ]; then
    BRANDING="{}"
 else
    BRANDING=$(echo "$BRANDING" | awk 'BEGIN{print}{print "          " $0}')
@@ -108,8 +196,8 @@ echo "  Root Host: $ROOT_HOST"
 echo "  API Server Endpoint: $API_SERVER_ENDPOINT"
 echo "  OIDC Enabled: $OIDC_ENABLED"
 echo "  Bundle Name: $BUNDLE_NAME"
-echo "  System Enabled: $SYSTEM_ENABLED"
-echo "  System Type: $SYSTEM_TYPE"
+echo "  Certificate Solver: ${SOLVER:-http01 (default)}"
+echo "  Issuer Name: ${ISSUER_NAME:-letsencrypt-prod (default)}"
 echo ""

 # Generate Package YAML
@@ -125,15 +213,8 @@ spec:
    platform:
      values:
        bundles:
-          system:
-            enabled: $SYSTEM_ENABLED
-            type: "$SYSTEM_TYPE"
-          iaas:
-            enabled: true
-          paas:
-            enabled: true
-          naas:
-            enabled: true
+          disabledPackages: $DISABLED_PACKAGES
+          enabledPackages: $ENABLED_PACKAGES
        networking:
          clusterDomain: "$CLUSTER_DOMAIN"
          podCIDR: "$POD_CIDR"
@@ -142,8 +223,11 @@ spec:
          joinCIDR: "$JOIN_CIDR"
        publishing:
          host: "$ROOT_HOST"
+          ingressName: "$EXPOSE_INGRESS"
+          exposedServices: $EXPOSED_SERVICES_YAML
          apiServerEndpoint: "$API_SERVER_ENDPOINT"
          externalIPs: $EXTERNAL_IPS
+${CERTIFICATES_SECTION}
        authentication:
          oidc:
            enabled: $OIDC_ENABLED
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -24,7 +24,7 @@ API_KNOWN_VIOLATIONS_DIR="${API_KNOWN_VIOLATIONS_DIR:-"${SCRIPT_ROOT}/api/api-ru
 UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS:-true}"
 CONTROLLER_GEN="go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.4"
 TMPDIR=$(mktemp -d)
-OPERATOR_CRDDIR=packages/core/installer/definitions
+OPERATOR_CRDDIR=internal/crdinstall/manifests
 COZY_CONTROLLER_CRDDIR=packages/system/cozystack-controller/definitions
 COZY_RD_CRDDIR=packages/system/application-definition-crd/definition
 BACKUPS_CORE_CRDDIR=packages/system/backup-controller/definitions
@@ -34,7 +34,7 @@ trap 'rm -rf ${TMPDIR}' EXIT

 source "${CODEGEN_PKG}/kube_codegen.sh"

-THIS_PKG="k8s.io/sample-apiserver"
+THIS_PKG="github.com/cozystack/cozystack"

 kube::codegen::gen_helpers \
    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
@@ -60,8 +60,15 @@ kube::codegen::gen_openapi \
    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
    "${SCRIPT_ROOT}/pkg/apis"

+kube::codegen::gen_client \
+    --with-applyconfig \
+    --output-dir "${SCRIPT_ROOT}/pkg/generated" \
+    --output-pkg "${THIS_PKG}/pkg/generated" \
+    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
+    "${SCRIPT_ROOT}/pkg/apis"
+
 $CONTROLLER_GEN object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
-$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=${TMPDIR} 
+$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=${TMPDIR}

 mv ${TMPDIR}/cozystack.io_packages.yaml ${OPERATOR_CRDDIR}/cozystack.io_packages.yaml
 mv ${TMPDIR}/cozystack.io_packagesources.yaml ${OPERATOR_CRDDIR}/cozystack.io_packagesources.yaml
@@ -73,3 +80,6 @@ mv ${TMPDIR}/backups.cozystack.io*.yaml ${BACKUPS_CORE_CRDDIR}/
 mv ${TMPDIR}/strategy.backups.cozystack.io*.yaml ${BACKUPSTRATEGY_CRDDIR}/

 mv ${TMPDIR}/*.yaml ${COZY_CONTROLLER_CRDDIR}/
+
+# Tidy dependencies for standalone api/apps/v1alpha1 submodule
+(cd "${SCRIPT_ROOT}/api/apps/v1alpha1" && go mod tidy)
--- a/hack/upload-assets.sh
+++ b/hack/upload-assets.sh
@@ -14,3 +14,4 @@ gh release upload --clobber $version _out/assets/kernel-amd64
 gh release upload --clobber $version _out/assets/initramfs-metal-amd64.xz
 gh release upload --clobber $version _out/assets/cozypkg-*.tar.gz
 gh release upload --clobber $version _out/assets/cozypkg-checksums.txt
+gh release upload --clobber $version _out/assets/openapi.json
--- a/internal/controller/dashboard/README.md
+++ b/internal/controller/dashboard/README.md
@@ -156,7 +156,7 @@ menuItems = append(menuItems, map[string]any{
        map[string]any{
            "key":   "{plural}",
            "label": "{ResourceLabel}",
-            "link":  "/openapi-ui/{clusterName}/{namespace}/api-table/{group}/{version}/{plural}",
+            "link":  "/openapi-ui/{cluster}/{namespace}/api-table/{group}/{version}/{plural}",
        },
    },
 }),
@@ -174,7 +174,7 @@ menuItems = append(menuItems, map[string]any{

 **Important Notes**:
 - The sidebar tag (`{lowercase-kind}-sidebar`) must match what the Factory uses
- The link format: `/openapi-ui/{clusterName}/{namespace}/api-table/{group}/{version}/{plural}`
+- The link format: `/openapi-ui/{cluster}/{namespace}/api-table/{group}/{version}/{plural}`
 - All sidebars share the same `keysAndTags` and `menuItems`, so changes affect all sidebar instances

 ### Step 4: Verify Integration
--- a/internal/controller/dashboard/breadcrumb.go
+++ b/internal/controller/dashboard/breadcrumb.go
@@ -33,12 +33,12 @@ func (m *Manager) ensureBreadcrumb(ctx context.Context, crd *cozyv1alpha1.Applic

 	key := plural // e.g., "virtualmachines"
 	label := labelPlural
-	link := fmt.Sprintf("/openapi-ui/{clusterName}/{namespace}/api-table/%s/%s/%s", strings.ToLower(group), strings.ToLower(version), plural)
+	link := fmt.Sprintf("/openapi-ui/{cluster}/{namespace}/api-table/%s/%s/%s", strings.ToLower(group), strings.ToLower(version), plural)
 	// If this is a module, change the first breadcrumb item to "Tenant Modules"
 	if crd.Spec.Dashboard != nil && crd.Spec.Dashboard.Module {
 		key = "tenantmodules"
 		label = "Tenant Modules"
-		link = "/openapi-ui/{clusterName}/{namespace}/api-table/core.cozystack.io/v1alpha1/tenantmodules"
+		link = "/openapi-ui/{cluster}/{namespace}/api-table/core.cozystack.io/v1alpha1/tenantmodules"
 	}

 	items := []any{
--- a/internal/controller/dashboard/customformsoverride.go
+++ b/internal/controller/dashboard/customformsoverride.go
@@ -46,8 +46,11 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 		}
 	}

-	// Build schema with multilineString for string fields without enum
+	// Parse OpenAPI schema once for reuse
 	l := log.FromContext(ctx)
+	openAPIProps := parseOpenAPIProperties(crd.Spec.Application.OpenAPISchema)
+
+	// Build schema with multilineString for string fields without enum
 	schema, err := buildMultilineStringSchema(crd.Spec.Application.OpenAPISchema)
 	if err != nil {
 		// If schema parsing fails, log the error and use an empty schema
@@ -55,6 +58,9 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 		schema = map[string]any{}
 	}

+	// Override specific fields with API-backed dropdowns (listInput type)
+	applyListInputOverrides(schema, kind, openAPIProps)
+
 	spec := map[string]any{
 		"customizationId": customizationID,
 		"hidden":          hidden,
@@ -84,6 +90,53 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 	return err
 }

+// ensureCFOMapping updates the CFOMapping resource to include a mapping for the given CRD
+func (m *Manager) ensureCFOMapping(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) error {
+	g, v, kind := pickGVK(crd)
+	plural := pickPlural(kind, crd)
+
+	resourcePath := fmt.Sprintf("/%s/%s/%s", g, v, plural)
+	customizationID := fmt.Sprintf("default-%s", resourcePath)
+
+	obj := &dashv1alpha1.CFOMapping{}
+	obj.SetName("cfomapping")
+
+	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
+		// Parse existing mappings
+		mappings := make(map[string]string)
+		if obj.Spec.JSON.Raw != nil {
+			var spec map[string]any
+			if err := json.Unmarshal(obj.Spec.JSON.Raw, &spec); err == nil {
+				if m, ok := spec["mappings"].(map[string]any); ok {
+					for k, val := range m {
+						if s, ok := val.(string); ok {
+							mappings[k] = s
+						}
+					}
+				}
+			}
+		}
+
+		// Add/update the mapping for this CRD
+		mappings[resourcePath] = customizationID
+
+		specData := map[string]any{
+			"mappings": mappings,
+		}
+		b, err := json.Marshal(specData)
+		if err != nil {
+			return err
+		}
+
+		newSpec := dashv1alpha1.ArbitrarySpec{JSON: apiextv1.JSON{Raw: b}}
+		if !compareArbitrarySpecs(obj.Spec, newSpec) {
+			obj.Spec = newSpec
+		}
+		return nil
+	})
+	return err
+}
+
 // buildMultilineStringSchema parses OpenAPI schema and creates schema with multilineString
 // for all string fields inside spec that don't have enum
 func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
@@ -129,6 +182,130 @@ func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
 	return schema, nil
 }

+// applyListInputOverrides injects listInput type overrides into the schema
+// for fields that should be rendered as API-backed dropdowns in the dashboard.
+// openAPIProps are the parsed top-level properties from the OpenAPI schema.
+func applyListInputOverrides(schema map[string]any, kind string, openAPIProps map[string]any) {
+	switch kind {
+	case "VMInstance":
+		specProps := ensureSchemaPath(schema, "spec")
+		field := map[string]any{
+			"type": "listInput",
+			"customProps": map[string]any{
+				"valueUri":    "/api/clusters/{cluster}/k8s/apis/instancetype.kubevirt.io/v1beta1/virtualmachineclusterinstancetypes",
+				"keysToValue": []any{"metadata", "name"},
+				"keysToLabel": []any{"metadata", "name"},
+				"allowEmpty":  true,
+			},
+		}
+		if prop, _ := openAPIProps["instanceType"].(map[string]any); prop != nil {
+			if def := prop["default"]; def != nil {
+				field["default"] = def
+			}
+		}
+		specProps["instanceType"] = field
+
+		// Override disks[].name to be an API-backed dropdown listing VMDisk resources
+		disksItemProps := ensureArrayItemProps(specProps, "disks")
+		disksItemProps["name"] = map[string]any{
+			"type": "listInput",
+			"customProps": map[string]any{
+				"valueUri":    "/api/clusters/{cluster}/k8s/apis/apps.cozystack.io/v1alpha1/namespaces/{namespace}/vmdisks",
+				"keysToValue": []any{"metadata", "name"},
+				"keysToLabel": []any{"metadata", "name"},
+			},
+		}
+
+	case "ClickHouse", "Harbor", "HTTPCache", "Kubernetes", "MariaDB", "MongoDB",
+		"NATS", "OpenBAO", "Postgres", "Qdrant", "RabbitMQ", "Redis", "VMDisk":
+		specProps := ensureSchemaPath(schema, "spec")
+		specProps["storageClass"] = storageClassListInput()
+
+	case "FoundationDB":
+		storageProps := ensureSchemaPath(schema, "spec", "storage")
+		storageProps["storageClass"] = storageClassListInput()
+
+	case "Kafka":
+		kafkaProps := ensureSchemaPath(schema, "spec", "kafka")
+		kafkaProps["storageClass"] = storageClassListInput()
+		zkProps := ensureSchemaPath(schema, "spec", "zookeeper")
+		zkProps["storageClass"] = storageClassListInput()
+	}
+}
+
+// storageClassListInput returns a listInput field config for a storageClass dropdown
+// backed by the cluster's available StorageClasses.
+func storageClassListInput() map[string]any {
+	return map[string]any{
+		"type": "listInput",
+		"customProps": map[string]any{
+			"valueUri":    "/api/clusters/{cluster}/k8s/apis/storage.k8s.io/v1/storageclasses",
+			"keysToValue": []any{"metadata", "name"},
+			"keysToLabel": []any{"metadata", "name"},
+		},
+	}
+}
+
+// ensureArrayItemProps ensures that parentProps[fieldName].items.properties exists
+// and returns the items properties map. Used for overriding fields inside array items.
+func ensureArrayItemProps(parentProps map[string]any, fieldName string) map[string]any {
+	field, ok := parentProps[fieldName].(map[string]any)
+	if !ok {
+		field = map[string]any{}
+		parentProps[fieldName] = field
+	}
+	items, ok := field["items"].(map[string]any)
+	if !ok {
+		items = map[string]any{}
+		field["items"] = items
+	}
+	props, ok := items["properties"].(map[string]any)
+	if !ok {
+		props = map[string]any{}
+		items["properties"] = props
+	}
+	return props
+}
+
+// parseOpenAPIProperties parses the top-level properties from an OpenAPI schema JSON string.
+func parseOpenAPIProperties(openAPISchema string) map[string]any {
+	if openAPISchema == "" {
+		return nil
+	}
+	var root map[string]any
+	if err := json.Unmarshal([]byte(openAPISchema), &root); err != nil {
+		return nil
+	}
+	props, _ := root["properties"].(map[string]any)
+	return props
+}
+
+// ensureSchemaPath ensures the nested properties structure exists in a schema
+// and returns the innermost properties map.
+// e.g. ensureSchemaPath(schema, "spec") returns schema["properties"]["spec"]["properties"]
+func ensureSchemaPath(schema map[string]any, segments ...string) map[string]any {
+	current := schema
+	for _, seg := range segments {
+		props, ok := current["properties"].(map[string]any)
+		if !ok {
+			props = map[string]any{}
+			current["properties"] = props
+		}
+		child, ok := props[seg].(map[string]any)
+		if !ok {
+			child = map[string]any{}
+			props[seg] = child
+		}
+		current = child
+	}
+	props, ok := current["properties"].(map[string]any)
+	if !ok {
+		props = map[string]any{}
+		current["properties"] = props
+	}
+	return props
+}
+
 // processSpecProperties recursively processes spec properties and adds multilineString type
 // for string fields without enum
 func processSpecProperties(props map[string]any, schemaProps map[string]any) {
--- a/internal/controller/dashboard/customformsoverride_test.go
+++ b/internal/controller/dashboard/customformsoverride_test.go
@@ -169,3 +169,301 @@ func TestBuildMultilineStringSchemaInvalidJSON(t *testing.T) {
 		t.Errorf("Expected nil schema for invalid JSON, got %v", schema)
 	}
 }
+
+func TestApplyListInputOverrides_VMInstance(t *testing.T) {
+	openAPIProps := map[string]any{
+		"instanceType": map[string]any{"type": "string", "default": "u1.medium"},
+	}
+
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "VMInstance", openAPIProps)
+
+	specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+	instanceType, ok := specProps["instanceType"].(map[string]any)
+	if !ok {
+		t.Fatal("instanceType not found in schema.properties.spec.properties")
+	}
+
+	if instanceType["type"] != "listInput" {
+		t.Errorf("expected type listInput, got %v", instanceType["type"])
+	}
+
+	if instanceType["default"] != "u1.medium" {
+		t.Errorf("expected default u1.medium, got %v", instanceType["default"])
+	}
+
+	customProps, ok := instanceType["customProps"].(map[string]any)
+	if !ok {
+		t.Fatal("customProps not found")
+	}
+
+	expectedURI := "/api/clusters/{cluster}/k8s/apis/instancetype.kubevirt.io/v1beta1/virtualmachineclusterinstancetypes"
+	if customProps["valueUri"] != expectedURI {
+		t.Errorf("expected valueUri %s, got %v", expectedURI, customProps["valueUri"])
+	}
+
+	if customProps["allowEmpty"] != true {
+		t.Errorf("expected allowEmpty true, got %v", customProps["allowEmpty"])
+	}
+
+	// Check disks[].name is a listInput
+	disks, ok := specProps["disks"].(map[string]any)
+	if !ok {
+		t.Fatal("disks not found in schema.properties.spec.properties")
+	}
+	items, ok := disks["items"].(map[string]any)
+	if !ok {
+		t.Fatal("disks.items not found")
+	}
+	itemProps, ok := items["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("disks.items.properties not found")
+	}
+	diskName, ok := itemProps["name"].(map[string]any)
+	if !ok {
+		t.Fatal("disks.items.properties.name not found")
+	}
+	if diskName["type"] != "listInput" {
+		t.Errorf("expected disks name type listInput, got %v", diskName["type"])
+	}
+	diskCustomProps, ok := diskName["customProps"].(map[string]any)
+	if !ok {
+		t.Fatal("disks name customProps not found")
+	}
+	expectedDiskURI := "/api/clusters/{cluster}/k8s/apis/apps.cozystack.io/v1alpha1/namespaces/{namespace}/vmdisks"
+	if diskCustomProps["valueUri"] != expectedDiskURI {
+		t.Errorf("expected disks valueUri %s, got %v", expectedDiskURI, diskCustomProps["valueUri"])
+	}
+}
+
+func TestApplyListInputOverrides_StorageClassSimple(t *testing.T) {
+	for _, kind := range []string{
+		"ClickHouse", "Harbor", "HTTPCache", "Kubernetes", "MariaDB", "MongoDB",
+		"NATS", "OpenBAO", "Postgres", "Qdrant", "RabbitMQ", "Redis", "VMDisk",
+	} {
+		t.Run(kind, func(t *testing.T) {
+			schema := map[string]any{}
+			applyListInputOverrides(schema, kind, map[string]any{})
+
+			specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+			sc, ok := specProps["storageClass"].(map[string]any)
+			if !ok {
+				t.Fatalf("storageClass not found in spec.properties for kind %s", kind)
+			}
+			assertStorageClassListInput(t, sc)
+		})
+	}
+}
+
+func TestApplyListInputOverrides_StorageClassFoundationDB(t *testing.T) {
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "FoundationDB", map[string]any{})
+
+	storageProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)["storage"].(map[string]any)["properties"].(map[string]any)
+	sc, ok := storageProps["storageClass"].(map[string]any)
+	if !ok {
+		t.Fatal("storageClass not found in spec.storage.properties")
+	}
+	assertStorageClassListInput(t, sc)
+}
+
+func TestApplyListInputOverrides_StorageClassKafka(t *testing.T) {
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "Kafka", map[string]any{})
+
+	specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+
+	kafkaSC, ok := specProps["kafka"].(map[string]any)["properties"].(map[string]any)["storageClass"].(map[string]any)
+	if !ok {
+		t.Fatal("storageClass not found in spec.kafka.properties")
+	}
+	assertStorageClassListInput(t, kafkaSC)
+
+	zkSC, ok := specProps["zookeeper"].(map[string]any)["properties"].(map[string]any)["storageClass"].(map[string]any)
+	if !ok {
+		t.Fatal("storageClass not found in spec.zookeeper.properties")
+	}
+	assertStorageClassListInput(t, zkSC)
+}
+
+// assertStorageClassListInput verifies that a field is a correctly configured storageClass listInput.
+func assertStorageClassListInput(t *testing.T, field map[string]any) {
+	t.Helper()
+	if field["type"] != "listInput" {
+		t.Errorf("expected type listInput, got %v", field["type"])
+	}
+	customProps, ok := field["customProps"].(map[string]any)
+	if !ok {
+		t.Fatal("customProps not found")
+	}
+	expectedURI := "/api/clusters/{cluster}/k8s/apis/storage.k8s.io/v1/storageclasses"
+	if customProps["valueUri"] != expectedURI {
+		t.Errorf("expected valueUri %s, got %v", expectedURI, customProps["valueUri"])
+	}
+}
+
+func TestApplyListInputOverrides_UnknownKind(t *testing.T) {
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "SomeOtherKind", map[string]any{})
+
+	if len(schema) != 0 {
+		t.Errorf("expected empty schema for unknown kind, got %v", schema)
+	}
+}
+
+func TestApplyListInputOverrides_NoDefault(t *testing.T) {
+	openAPIProps := map[string]any{
+		"instanceType": map[string]any{"type": "string"},
+	}
+
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "VMInstance", openAPIProps)
+
+	specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+	instanceType := specProps["instanceType"].(map[string]any)
+
+	if _, exists := instanceType["default"]; exists {
+		t.Errorf("expected no default key, got %v", instanceType["default"])
+	}
+}
+
+func TestApplyListInputOverrides_MergesWithExistingSchema(t *testing.T) {
+	openAPIProps := map[string]any{
+		"instanceType": map[string]any{"type": "string", "default": "u1.medium"},
+	}
+
+	// Simulate schema that already has spec.properties from buildMultilineStringSchema
+	schema := map[string]any{
+		"properties": map[string]any{
+			"spec": map[string]any{
+				"properties": map[string]any{
+					"otherField": map[string]any{"type": "multilineString"},
+				},
+			},
+		},
+	}
+	applyListInputOverrides(schema, "VMInstance", openAPIProps)
+
+	specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+
+	// instanceType should be added
+	if _, ok := specProps["instanceType"].(map[string]any); !ok {
+		t.Fatal("instanceType not found after override")
+	}
+
+	// otherField should be preserved
+	otherField, ok := specProps["otherField"].(map[string]any)
+	if !ok {
+		t.Fatal("otherField was lost after override")
+	}
+	if otherField["type"] != "multilineString" {
+		t.Errorf("otherField type changed, got %v", otherField["type"])
+	}
+}
+
+func TestParseOpenAPIProperties(t *testing.T) {
+	t.Run("extracts properties", func(t *testing.T) {
+		props := parseOpenAPIProperties(`{"type":"object","properties":{"instanceType":{"type":"string","default":"u1.medium"}}}`)
+		field, _ := props["instanceType"].(map[string]any)
+		if field["default"] != "u1.medium" {
+			t.Errorf("expected default u1.medium, got %v", field["default"])
+		}
+	})
+
+	t.Run("empty string", func(t *testing.T) {
+		if props := parseOpenAPIProperties(""); props != nil {
+			t.Errorf("expected nil, got %v", props)
+		}
+	})
+
+	t.Run("invalid JSON", func(t *testing.T) {
+		if props := parseOpenAPIProperties("{bad"); props != nil {
+			t.Errorf("expected nil, got %v", props)
+		}
+	})
+
+	t.Run("no properties key", func(t *testing.T) {
+		if props := parseOpenAPIProperties(`{"type":"object"}`); props != nil {
+			t.Errorf("expected nil, got %v", props)
+		}
+	})
+}
+
+func TestEnsureSchemaPath(t *testing.T) {
+	t.Run("creates path from empty schema", func(t *testing.T) {
+		schema := map[string]any{}
+		props := ensureSchemaPath(schema, "spec")
+
+		props["field"] = "value"
+
+		// Verify structure: schema.properties.spec.properties.field
+		got := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)["field"]
+		if got != "value" {
+			t.Errorf("expected value, got %v", got)
+		}
+	})
+
+	t.Run("preserves existing nested properties", func(t *testing.T) {
+		schema := map[string]any{
+			"properties": map[string]any{
+				"spec": map[string]any{
+					"properties": map[string]any{
+						"existing": "keep",
+					},
+				},
+			},
+		}
+		props := ensureSchemaPath(schema, "spec")
+
+		if props["existing"] != "keep" {
+			t.Errorf("existing property lost, got %v", props["existing"])
+		}
+	})
+
+	t.Run("multi-level path", func(t *testing.T) {
+		schema := map[string]any{}
+		props := ensureSchemaPath(schema, "spec", "nested")
+
+		props["deep"] = true
+
+		got := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)["nested"].(map[string]any)["properties"].(map[string]any)["deep"]
+		if got != true {
+			t.Errorf("expected true, got %v", got)
+		}
+	})
+}
+
+func TestEnsureArrayItemProps(t *testing.T) {
+	t.Run("creates from empty parent", func(t *testing.T) {
+		parent := map[string]any{}
+		props := ensureArrayItemProps(parent, "disks")
+
+		props["name"] = map[string]any{"type": "listInput"}
+
+		got := parent["disks"].(map[string]any)["items"].(map[string]any)["properties"].(map[string]any)["name"].(map[string]any)["type"]
+		if got != "listInput" {
+			t.Errorf("expected listInput, got %v", got)
+		}
+	})
+
+	t.Run("preserves existing item properties", func(t *testing.T) {
+		parent := map[string]any{
+			"disks": map[string]any{
+				"items": map[string]any{
+					"properties": map[string]any{
+						"bus": map[string]any{"type": "string"},
+					},
+				},
+			},
+		}
+		props := ensureArrayItemProps(parent, "disks")
+		props["name"] = map[string]any{"type": "listInput"}
+
+		if props["bus"].(map[string]any)["type"] != "string" {
+			t.Error("existing bus property was lost")
+		}
+		if props["name"].(map[string]any)["type"] != "listInput" {
+			t.Error("name property was not added")
+		}
+	})
+}
--- a/internal/controller/dashboard/factory.go
+++ b/internal/controller/dashboard/factory.go
@@ -47,7 +47,7 @@ func (m *Manager) ensureFactory(ctx context.Context, crd *cozyv1alpha1.Applicati
 	if prefix, ok := vncTabPrefix(kind); ok {
 		tabs = append(tabs, vncTab(prefix))
 	}
-	tabs = append(tabs, yamlTab(plural))
+	tabs = append(tabs, yamlTab(g, v, plural))

 	// Use unified factory creation
 	config := UnifiedResourceConfig{
@@ -160,11 +160,11 @@ func detailsTab(kind, endpoint, schemaJSON string, keysOrder [][]string) map[str
 				map[string]any{
 					"type": "EnrichedTable",
 					"data": map[string]any{
-						"id":                   "vpc-subnets-table",
-						"baseprefix":           "/openapi-ui",
-						"clusterNamePartOfUrl": "{2}",
-						"customizationId":      "virtualprivatecloud-subnets",
-						"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/configmaps",
+						"id":              "vpc-subnets-table",
+						"baseprefix":      "/openapi-ui",
+						"cluster":         "{2}",
+						"customizationId": "virtualprivatecloud-subnets",
+						"fetchUrl":        "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/configmaps",
 						"fieldSelector": map[string]any{
 							"metadata.name": "virtualprivatecloud-{6}-subnets",
 						},
@@ -188,12 +188,12 @@ func detailsTab(kind, endpoint, schemaJSON string, keysOrder [][]string) map[str
 				map[string]any{
 					"type": "EnrichedTable",
 					"data": map[string]any{
-						"id":                   "resource-quotas-table",
-						"baseprefix":           "/openapi-ui",
-						"clusterNamePartOfUrl": "{2}",
-						"customizationId":      "factory-resource-quotas",
-						"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{reqsJsonPath[0]['.status.namespace']}/resourcequotas",
-						"pathToItems":          []any{`items`},
+						"id":              "resource-quotas-table",
+						"baseprefix":      "/openapi-ui",
+						"cluster":         "{2}",
+						"customizationId": "factory-resource-quotas",
+						"fetchUrl":        "/api/clusters/{2}/k8s/api/v1/namespaces/{reqsJsonPath[0]['.status.namespace']}/resourcequotas",
+						"pathToItems":     []any{`items`},
 					},
 				},
 			}),
@@ -242,13 +242,13 @@ func detailsTab(kind, endpoint, schemaJSON string, keysOrder [][]string) map[str
 				map[string]any{
 					"type": "EnrichedTable",
 					"data": map[string]any{
-						"id":                   "conditions-table",
-						"fetchUrl":             endpoint,
-						"clusterNamePartOfUrl": "{2}",
-						"customizationId":      "factory-status-conditions",
-						"baseprefix":           "/openapi-ui",
-						"withoutControls":      true,
-						"pathToItems":          []any{"status", "conditions"},
+						"id":              "conditions-table",
+						"fetchUrl":        endpoint,
+						"cluster":         "{2}",
+						"customizationId": "factory-status-conditions",
+						"baseprefix":      "/openapi-ui",
+						"withoutControls": true,
+						"pathToItems":     []any{"status", "conditions"},
 					},
 				},
 			}),
@@ -264,12 +264,12 @@ func workloadsTab(kind string) map[string]any {
 			map[string]any{
 				"type": "EnrichedTable",
 				"data": map[string]any{
-					"id":                   "workloads-table",
-					"fetchUrl":             "/api/clusters/{2}/k8s/apis/cozystack.io/v1alpha1/namespaces/{3}/workloadmonitors",
-					"clusterNamePartOfUrl": "{2}",
-					"baseprefix":           "/openapi-ui",
-					"customizationId":      "factory-details-v1alpha1.cozystack.io.workloadmonitors",
-					"pathToItems":          []any{"items"},
+					"id":              "workloads-table",
+					"fetchUrl":        "/api/clusters/{2}/k8s/apis/cozystack.io/v1alpha1/namespaces/{3}/workloadmonitors",
+					"cluster":         "{2}",
+					"baseprefix":      "/openapi-ui",
+					"customizationId": "factory-details-v1alpha1.cozystack.io.workloadmonitors",
+					"pathToItems":     []any{"items"},
 					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group": "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":  kind,
@@ -289,12 +289,12 @@ func servicesTab(kind string) map[string]any {
 			map[string]any{
 				"type": "EnrichedTable",
 				"data": map[string]any{
-					"id":                   "services-table",
-					"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/services",
-					"clusterNamePartOfUrl": "{2}",
-					"baseprefix":           "/openapi-ui",
-					"customizationId":      "factory-details-v1.services",
-					"pathToItems":          []any{"items"},
+					"id":              "services-table",
+					"fetchUrl":        "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/services",
+					"cluster":         "{2}",
+					"baseprefix":      "/openapi-ui",
+					"customizationId": "factory-details-v1.services",
+					"pathToItems":     []any{"items"},
 					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group":  "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":   kind,
@@ -315,12 +315,12 @@ func ingressesTab(kind string) map[string]any {
 			map[string]any{
 				"type": "EnrichedTable",
 				"data": map[string]any{
-					"id":                   "ingresses-table",
-					"fetchUrl":             "/api/clusters/{2}/k8s/apis/networking.k8s.io/v1/namespaces/{3}/ingresses",
-					"clusterNamePartOfUrl": "{2}",
-					"baseprefix":           "/openapi-ui",
-					"customizationId":      "factory-details-networking.k8s.io.v1.ingresses",
-					"pathToItems":          []any{"items"},
+					"id":              "ingresses-table",
+					"fetchUrl":        "/api/clusters/{2}/k8s/apis/networking.k8s.io/v1/namespaces/{3}/ingresses",
+					"cluster":         "{2}",
+					"baseprefix":      "/openapi-ui",
+					"customizationId": "factory-details-networking.k8s.io.v1.ingresses",
+					"pathToItems":     []any{"items"},
 					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group":  "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":   kind,
@@ -341,12 +341,12 @@ func secretsTab(kind string) map[string]any {
 			map[string]any{
 				"type": "EnrichedTable",
 				"data": map[string]any{
-					"id":                   "secrets-table",
-					"fetchUrl":             "/api/clusters/{2}/k8s/apis/core.cozystack.io/v1alpha1/namespaces/{3}/tenantsecrets",
-					"clusterNamePartOfUrl": "{2}",
-					"baseprefix":           "/openapi-ui",
-					"customizationId":      "factory-details-v1alpha1.core.cozystack.io.tenantsecrets",
-					"pathToItems":          []any{"items"},
+					"id":              "secrets-table",
+					"fetchUrl":        "/api/clusters/{2}/k8s/apis/core.cozystack.io/v1alpha1/namespaces/{3}/tenantsecrets",
+					"cluster":         "{2}",
+					"baseprefix":      "/openapi-ui",
+					"customizationId": "factory-details-v1alpha1.core.cozystack.io.tenantsecrets",
+					"pathToItems":     []any{"items"},
 					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group": "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":  kind,
@@ -358,7 +358,7 @@ func secretsTab(kind string) map[string]any {
 	}
 }

-func yamlTab(plural string) map[string]any {
+func yamlTab(group, version, plural string) map[string]any {
 	return map[string]any{
 		"key":   "yaml",
 		"label": "YAML",
@@ -369,8 +369,10 @@ func yamlTab(plural string) map[string]any {
 					"id":                        "yaml-editor",
 					"cluster":                   "{2}",
 					"isNameSpaced":              true,
-					"type":                      "builtin",
-					"typeName":                  plural,
+					"type":                      "apis",
+					"apiGroup":                  group,
+					"apiVersion":                version,
+					"plural":                    plural,
 					"prefillValuesRequestIndex": float64(0),
 					"readOnly":                  true,
 					"substractHeight":           float64(400),
@@ -580,15 +582,14 @@ type factoryFlags struct {
 	Secrets   bool
 }

-// factoryFeatureFlags tries several conventional locations so you can evolve the API
-// without breaking the controller. Defaults are false (hidden).
+// factoryFeatureFlags determines which tabs to show based on whether the
+// ApplicationDefinition has non-empty Include resource selectors.
+// Workloads tab is always shown.
 func factoryFeatureFlags(crd *cozyv1alpha1.ApplicationDefinition) factoryFlags {
-	var f factoryFlags
-
-	f.Workloads = true
-	f.Ingresses = true
-	f.Services = true
-	f.Secrets = true
-
-	return f
+	return factoryFlags{
+		Workloads: true,
+		Ingresses: len(crd.Spec.Ingresses.Include) > 0,
+		Services:  len(crd.Spec.Services.Include) > 0,
+		Secrets:   len(crd.Spec.Secrets.Include) > 0,
+	}
 }
--- a/internal/controller/dashboard/manager.go
+++ b/internal/controller/dashboard/manager.go
@@ -132,6 +132,10 @@ func (m *Manager) EnsureForAppDef(ctx context.Context, crd *cozyv1alpha1.Applica
 		return reconcile.Result{}, err
 	}

+	if err := m.ensureCFOMapping(ctx, crd); err != nil {
+		return reconcile.Result{}, err
+	}
+
 	if err := m.ensureSidebar(ctx, crd); err != nil {
 		return reconcile.Result{}, err
 	}
@@ -139,6 +143,10 @@ func (m *Manager) EnsureForAppDef(ctx context.Context, crd *cozyv1alpha1.Applica
 	if err := m.ensureFactory(ctx, crd); err != nil {
 		return reconcile.Result{}, err
 	}
+
+	if err := m.ensureNavigation(ctx, crd); err != nil {
+		return reconcile.Result{}, err
+	}
 	return reconcile.Result{}, nil
 }

@@ -291,10 +299,6 @@ func (m *Manager) buildExpectedResourceSet(crds []cozyv1alpha1.ApplicationDefini

 		// Add other stock sidebars that are created for each CRD
 		stockSidebars := []string{
-			"stock-instance-api-form",
-			"stock-instance-api-table",
-			"stock-instance-builtin-form",
-			"stock-instance-builtin-table",
 			"stock-project-factory-marketplace",
 			"stock-project-factory-workloadmonitor-details",
 			"stock-project-api-form",
@@ -303,6 +307,10 @@ func (m *Manager) buildExpectedResourceSet(crds []cozyv1alpha1.ApplicationDefini
 			"stock-project-builtin-table",
 			"stock-project-crd-form",
 			"stock-project-crd-table",
+			"stock-instance-api-form",
+			"stock-instance-api-table",
+			"stock-instance-builtin-form",
+			"stock-instance-builtin-table",
 		}
 		for _, sidebarID := range stockSidebars {
 			expected["Sidebar"][sidebarID] = true
--- a/internal/controller/dashboard/marketplacepanel.go
+++ b/internal/controller/dashboard/marketplacepanel.go
@@ -68,31 +68,46 @@ func (m *Manager) ensureMarketplacePanel(ctx context.Context, crd *cozyv1alpha1.
 		tags[i] = t
 	}

-	specMap := map[string]any{
-		"description": d.Description,
-		"name":        displayName,
-		"type":        "nonCrd",
-		"apiGroup":    "apps.cozystack.io",
-		"apiVersion":  "v1alpha1",
-		"typeName":    app.Plural, // e.g., "buckets"
-		"disabled":    false,
-		"hidden":      false,
-		"tags":        tags,
-		"icon":        d.Icon,
-	}
-
-	specBytes, err := json.Marshal(specMap)
-	if err != nil {
-		return reconcile.Result{}, err
-	}
-
-	_, err = controllerutil.CreateOrUpdate(ctx, m.Client, mp, func() error {
+	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, mp, func() error {
 		if err := controllerutil.SetOwnerReference(crd, mp, m.Scheme); err != nil {
 			return err
 		}
 		// Add dashboard labels to dynamic resources
 		m.addDashboardLabels(mp, crd, ResourceTypeDynamic)

+		// Preserve user-set disabled/hidden values from existing resource
+		disabled := false
+		hidden := false
+		if mp.Spec.Raw != nil {
+			var existing map[string]any
+			if err := json.Unmarshal(mp.Spec.Raw, &existing); err == nil {
+				if v, ok := existing["disabled"].(bool); ok {
+					disabled = v
+				}
+				if v, ok := existing["hidden"].(bool); ok {
+					hidden = v
+				}
+			}
+		}
+
+		specMap := map[string]any{
+			"description": d.Description,
+			"name":        displayName,
+			"type":        "nonCrd",
+			"apiGroup":    "apps.cozystack.io",
+			"apiVersion":  "v1alpha1",
+			"plural":      app.Plural, // e.g., "buckets"
+			"disabled":    disabled,
+			"hidden":      hidden,
+			"tags":        tags,
+			"icon":        d.Icon,
+		}
+
+		specBytes, err := json.Marshal(specMap)
+		if err != nil {
+			return err
+		}
+
 		// Only update spec if it's different to avoid unnecessary updates
 		newSpec := dashv1alpha1.ArbitrarySpec{
 			JSON: apiextv1.JSON{Raw: specBytes},
--- a/internal/controller/dashboard/navigation.go
+++ b/internal/controller/dashboard/navigation.go
@@ -0,0 +1,69 @@
+package dashboard
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	dashv1alpha1 "github.com/cozystack/cozystack/api/dashboard/v1alpha1"
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+// ensureNavigation updates the Navigation resource to include a baseFactoriesMapping entry for the given CRD
+func (m *Manager) ensureNavigation(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) error {
+	g, v, kind := pickGVK(crd)
+	plural := pickPlural(kind, crd)
+
+	lowerKind := strings.ToLower(kind)
+	factoryKey := fmt.Sprintf("%s-details", lowerKind)
+
+	// All CRD resources are namespaced API resources
+	mappingKey := fmt.Sprintf("base-factory-namespaced-api-%s-%s-%s", g, v, plural)
+
+	obj := &dashv1alpha1.Navigation{}
+	obj.SetName("navigation")
+
+	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
+		// Parse existing spec
+		spec := make(map[string]any)
+		if obj.Spec.JSON.Raw != nil {
+			if err := json.Unmarshal(obj.Spec.JSON.Raw, &spec); err != nil {
+				spec = make(map[string]any)
+			}
+		}
+
+		// Get or create baseFactoriesMapping
+		var mappings map[string]string
+		if existing, ok := spec["baseFactoriesMapping"].(map[string]any); ok {
+			mappings = make(map[string]string, len(existing))
+			for k, val := range existing {
+				if s, ok := val.(string); ok {
+					mappings[k] = s
+				}
+			}
+		} else {
+			mappings = make(map[string]string)
+		}
+
+		// Add/update the mapping for this CRD
+		mappings[mappingKey] = factoryKey
+
+		spec["baseFactoriesMapping"] = mappings
+
+		b, err := json.Marshal(spec)
+		if err != nil {
+			return err
+		}
+
+		newSpec := dashv1alpha1.ArbitrarySpec{JSON: apiextv1.JSON{Raw: b}}
+		if !compareArbitrarySpecs(obj.Spec, newSpec) {
+			obj.Spec = newSpec
+		}
+		return nil
+	})
+	return err
+}
--- a/internal/controller/dashboard/sidebar.go
+++ b/internal/controller/dashboard/sidebar.go
@@ -17,13 +17,12 @@ import (

 // ensureSidebar creates/updates multiple Sidebar resources that share the same menu:
 //   - The "details" sidebar tied to the current kind (stock-project-factory-<kind>-details)
-//   - The stock-instance sidebars: api-form, api-table, builtin-form, builtin-table
-//   - The stock-project sidebars:  api-form, api-table, builtin-form, builtin-table, crd-form, crd-table
+//   - The stock-project sidebars: api-form, api-table, builtin-form, builtin-table, crd-form, crd-table
 //
 // Menu rules:
 //   - The first section is "Marketplace" with two hardcoded entries:
-//   - Marketplace  (/openapi-ui/{clusterName}/{namespace}/factory/marketplace)
-//   - Tenant Info  (/openapi-ui/{clusterName}/{namespace}/factory/info-details/info)
+//   - Marketplace  (/openapi-ui/{cluster}/{namespace}/factory/marketplace)
+//   - Tenant Info  (/openapi-ui/{cluster}/{namespace}/factory/info-details/info)
 //   - All other sections are built from CRDs where spec.dashboard != nil.
 //   - Categories are ordered strictly as:
 //     Marketplace, IaaS, PaaS, NaaS, <others A→Z>, Resources, Backups, Administration
@@ -39,6 +38,23 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 	}
 	all = crdList.Items

+	// 1b) Fetch all MarketplacePanels to determine which resources are hidden
+	hiddenResources := map[string]bool{}
+	var mpList dashv1alpha1.MarketplacePanelList
+	if err := m.List(ctx, &mpList, &client.ListOptions{}); err == nil {
+		for i := range mpList.Items {
+			mp := &mpList.Items[i]
+			if mp.Spec.Raw != nil {
+				var spec map[string]any
+				if err := json.Unmarshal(mp.Spec.Raw, &spec); err == nil {
+					if hidden, ok := spec["hidden"].(bool); ok && hidden {
+						hiddenResources[mp.Name] = true
+					}
+				}
+			}
+		}
+	}
+
 	// 2) Build category -> []item map (only for CRDs with spec.dashboard != nil)
 	type item struct {
 		Key    string
@@ -64,6 +80,11 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 		plural := pickPlural(kind, def)
 		lowerKind := strings.ToLower(kind)

+		// Skip resources hidden via MarketplacePanel
+		if hiddenResources[def.Name] {
+			continue
+		}
+
 		// Check if this resource is a module
 		if def.Spec.Dashboard.Module {
 			// Special case: info should have its own keysAndTags, not be in modules
@@ -91,7 +112,7 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 			// Weight (default 0)
 			weight := def.Spec.Dashboard.Weight

-			link := fmt.Sprintf("/openapi-ui/{clusterName}/{namespace}/api-table/%s/%s/%s", g, v, plural)
+			link := fmt.Sprintf("/openapi-ui/{cluster}/{namespace}/api-table/%s/%s/%s", g, v, plural)

 			categories[cat] = append(categories[cat], item{
 				Key:    plural,
@@ -146,7 +167,7 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 				map[string]any{
 					"key":   "marketplace",
 					"label": "Marketplace",
-					"link":  "/openapi-ui/{clusterName}/{namespace}/factory/marketplace",
+					"link":  "/openapi-ui/{cluster}/{namespace}/factory/marketplace",
 				},
 			},
 		},
@@ -176,23 +197,23 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati

 	// Add hardcoded Backups section
 	menuItems = append(menuItems, map[string]any{
-		"key":   "backups",
+		"key":   "backups-category",
 		"label": "Backups",
 		"children": []any{
 			map[string]any{
 				"key":   "plans",
 				"label": "Plans",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/plans",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/plans",
 			},
 			map[string]any{
 				"key":   "backupjobs",
 				"label": "BackupJobs",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backupjobs",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backupjobs",
 			},
 			map[string]any{
 				"key":   "backups",
 				"label": "Backups",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backups",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backups",
 			},
 		},
 	})
@@ -205,22 +226,22 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 			map[string]any{
 				"key":   "info",
 				"label": "Info",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/factory/info-details/info",
+				"link":  "/openapi-ui/{cluster}/{namespace}/factory/info-details/info",
 			},
 			map[string]any{
 				"key":   "modules",
 				"label": "Modules",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/core.cozystack.io/v1alpha1/tenantmodules",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/core.cozystack.io/v1alpha1/tenantmodules",
 			},
 			map[string]any{
 				"key":   "loadbalancer-services",
 				"label": "External IPs",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/factory/external-ips",
+				"link":  "/openapi-ui/{cluster}/{namespace}/factory/external-ips",
 			},
 			map[string]any{
 				"key":   "tenants",
 				"label": "Tenants",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/apps.cozystack.io/v1alpha1/tenants",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/apps.cozystack.io/v1alpha1/tenants",
 			},
 		},
 	})
@@ -228,13 +249,7 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 	// 6) Prepare the list of Sidebar IDs to upsert with the SAME content
 	// Create sidebars for ALL CRDs with dashboard config
 	targetIDs := []string{
-		// stock-instance sidebars
-		"stock-instance-api-form",
-		"stock-instance-api-table",
-		"stock-instance-builtin-form",
-		"stock-instance-builtin-table",
-
-		// stock-project sidebars
+		// stock-project sidebars (namespace-level, full menu)
 		"stock-project-factory-marketplace",
 		"stock-project-factory-workloadmonitor-details",
 		"stock-project-factory-kube-service-details",
@@ -250,6 +265,11 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 		"stock-project-builtin-table",
 		"stock-project-crd-form",
 		"stock-project-crd-table",
+		// stock-instance sidebars (namespace-level pages after namespace is selected)
+		"stock-instance-api-form",
+		"stock-instance-api-table",
+		"stock-instance-builtin-form",
+		"stock-instance-builtin-table",
 	}

 	// Add details sidebars for all CRDs with dashboard config
--- a/internal/controller/dashboard/static_helpers.go
+++ b/internal/controller/dashboard/static_helpers.go
@@ -1134,7 +1134,7 @@ func yamlEditor(id, cluster string, isNameSpaced bool, typeName string, prefillV
 			"cluster":                   cluster,
 			"isNameSpaced":              isNameSpaced,
 			"type":                      "builtin",
-			"typeName":                  typeName,
+			"plural":                    typeName,
 			"prefillValuesRequestIndex": prefillValuesRequestIndex,
 			"substractHeight":           float64(400),
 		},
--- a/internal/controller/dashboard/static_processor.go
+++ b/internal/controller/dashboard/static_processor.go
@@ -49,6 +49,8 @@ func (m *Manager) ensureStaticResource(ctx context.Context, obj client.Object) e
 			resource.(*dashv1alpha1.Navigation).Spec = o.Spec
 		case *dashv1alpha1.TableUriMapping:
 			resource.(*dashv1alpha1.TableUriMapping).Spec = o.Spec
+		case *dashv1alpha1.CFOMapping:
+			resource.(*dashv1alpha1.CFOMapping).Spec = o.Spec
 		}
 		// Ensure labels are always set
 		m.addDashboardLabels(resource, nil, ResourceTypeStatic)
--- a/internal/controller/dashboard/static_refactored.go
+++ b/internal/controller/dashboard/static_refactored.go
@@ -17,111 +17,111 @@ func CreateAllBreadcrumbs() []*dashboardv1alpha1.Breadcrumb {
 	return []*dashboardv1alpha1.Breadcrumb{
 		// Stock project factory configmap details
 		createBreadcrumb("stock-project-factory-configmap-details", []map[string]any{
-			createBreadcrumbItem("configmaps", "v1/configmaps", "/openapi-ui/{clusterName}/{namespace}/builtin-table/configmaps"),
+			createBreadcrumbItem("configmaps", "v1/configmaps", "/openapi-ui/{cluster}/{namespace}/builtin-table/configmaps"),
 			createBreadcrumbItem("configmap", "{6}"),
 		}),

 		// Stock cluster factory namespace details
 		createBreadcrumb("stock-cluster-factory-namespace-details", []map[string]any{
-			createBreadcrumbItem("namespaces", "v1/namespaces", "/openapi-ui/{clusterName}/builtin-table/namespaces"),
+			createBreadcrumbItem("namespaces", "v1/namespaces", "/openapi-ui/{cluster}/builtin-table/namespaces"),
 			createBreadcrumbItem("namespace", "{5}"),
 		}),

 		// Stock cluster factory node details
 		createBreadcrumb("stock-cluster-factory-node-details", []map[string]any{
-			createBreadcrumbItem("node", "v1/nodes", "/openapi-ui/{clusterName}/builtin-table/nodes"),
+			createBreadcrumbItem("node", "v1/nodes", "/openapi-ui/{cluster}/builtin-table/nodes"),
 			createBreadcrumbItem("node", "{5}"),
 		}),

 		// Stock project factory pod details
 		createBreadcrumb("stock-project-factory-pod-details", []map[string]any{
-			createBreadcrumbItem("pods", "v1/pods", "/openapi-ui/{clusterName}/{namespace}/builtin-table/pods"),
+			createBreadcrumbItem("pods", "v1/pods", "/openapi-ui/{cluster}/{namespace}/builtin-table/pods"),
 			createBreadcrumbItem("pod", "{6}"),
 		}),

 		// Stock project factory secret details
 		createBreadcrumb("stock-project-factory-kube-secret-details", []map[string]any{
-			createBreadcrumbItem("secrets", "v1/secrets", "/openapi-ui/{clusterName}/{namespace}/builtin-table/secrets"),
+			createBreadcrumbItem("secrets", "v1/secrets", "/openapi-ui/{cluster}/{namespace}/builtin-table/secrets"),
 			createBreadcrumbItem("secret", "{6}"),
 		}),

 		// Stock project factory service details
 		createBreadcrumb("stock-project-factory-kube-service-details", []map[string]any{
-			createBreadcrumbItem("services", "v1/services", "/openapi-ui/{clusterName}/{namespace}/builtin-table/services"),
+			createBreadcrumbItem("services", "v1/services", "/openapi-ui/{cluster}/{namespace}/builtin-table/services"),
 			createBreadcrumbItem("service", "{6}"),
 		}),

 		// Stock project factory ingress details
 		createBreadcrumb("stock-project-factory-kube-ingress-details", []map[string]any{
-			createBreadcrumbItem("ingresses", "networking.k8s.io/v1/ingresses", "/openapi-ui/{clusterName}/{namespace}/builtin-table/ingresses"),
+			createBreadcrumbItem("ingresses", "networking.k8s.io/v1/ingresses", "/openapi-ui/{cluster}/{namespace}/builtin-table/ingresses"),
 			createBreadcrumbItem("ingress", "{6}"),
 		}),

 		// Stock cluster api table
 		createBreadcrumb("stock-cluster-api-table", []map[string]any{
-			createBreadcrumbItem("api", "{apiGroup}/{apiVersion}/{typeName}"),
+			createBreadcrumbItem("api", "{apiGroup}/{apiVersion}/{plural}"),
 		}),

 		// Stock cluster api form
 		createBreadcrumb("stock-cluster-api-form", []map[string]any{
-			createBreadcrumbItem("create-api-res-namespaced-table", "{apiGroup}/{apiVersion}/{typeName}", "/openapi-ui/{clusterName}/api-table/{apiGroup}/{apiVersion}/{typeName}"),
+			createBreadcrumbItem("create-api-res-namespaced-table", "{apiGroup}/{apiVersion}/{plural}", "/openapi-ui/{cluster}/api-table/{apiGroup}/{apiVersion}/{plural}"),
 			createBreadcrumbItem("create-api-res-namespaced-typename", "Create"),
 		}),

 		// Stock cluster api form edit
 		createBreadcrumb("stock-cluster-api-form-edit", []map[string]any{
-			createBreadcrumbItem("create-api-res-namespaced-table", "{apiGroup}/{apiVersion}/{typeName}", "/openapi-ui/{clusterName}/api-table/{apiGroup}/{apiVersion}/{typeName}"),
+			createBreadcrumbItem("create-api-res-namespaced-table", "{apiGroup}/{apiVersion}/{plural}", "/openapi-ui/{cluster}/api-table/{apiGroup}/{apiVersion}/{plural}"),
 			createBreadcrumbItem("create-api-res-namespaced-typename", "Update"),
 		}),

 		// Stock cluster builtin table
 		createBreadcrumb("stock-cluster-builtin-table", []map[string]any{
-			createBreadcrumbItem("api", "v1/{typeName}"),
+			createBreadcrumbItem("api", "v1/{plural}"),
 		}),

 		// Stock cluster builtin form
 		createBreadcrumb("stock-cluster-builtin-form", []map[string]any{
-			createBreadcrumbItem("create-api-res-namespaced-table", "v1/{typeName}", "/openapi-ui/{clusterName}/builtin-table/{typeName}"),
+			createBreadcrumbItem("create-api-res-namespaced-table", "v1/{plural}", "/openapi-ui/{cluster}/builtin-table/{plural}"),
 			createBreadcrumbItem("create-api-res-namespaced-typename", "Create"),
 		}),

 		// Stock cluster builtin form edit
 		createBreadcrumb("stock-cluster-builtin-form-edit", []map[string]any{
-			createBreadcrumbItem("create-api-res-namespaced-table", "v1/{typeName}", "/openapi-ui/{clusterName}/builtin-table/{typeName}"),
+			createBreadcrumbItem("create-api-res-namespaced-table", "v1/{plural}", "/openapi-ui/{cluster}/builtin-table/{plural}"),
 			createBreadcrumbItem("create-api-res-namespaced-typename", "Update"),
 		}),

 		// Stock project api table
 		createBreadcrumb("stock-project-api-table", []map[string]any{
-			createBreadcrumbItem("api", "{apiGroup}/{apiVersion}/{typeName}"),
+			createBreadcrumbItem("api", "{apiGroup}/{apiVersion}/{plural}"),
 		}),

 		// Stock project api form
 		createBreadcrumb("stock-project-api-form", []map[string]any{
-			createBreadcrumbItem("create-api-res-namespaced-table", "{apiGroup}/{apiVersion}/{typeName}", "/openapi-ui/{clusterName}/{namespace}/api-table/{apiGroup}/{apiVersion}/{typeName}"),
+			createBreadcrumbItem("create-api-res-namespaced-table", "{apiGroup}/{apiVersion}/{plural}", "/openapi-ui/{cluster}/{namespace}/api-table/{apiGroup}/{apiVersion}/{plural}"),
 			createBreadcrumbItem("create-api-res-namespaced-typename", "Create"),
 		}),

 		// Stock project api form edit
 		createBreadcrumb("stock-project-api-form-edit", []map[string]any{
-			createBreadcrumbItem("create-api-res-namespaced-table", "{apiGroup}/{apiVersion}/{typeName}", "/openapi-ui/{clusterName}/{namespace}/api-table/{apiGroup}/{apiVersion}/{typeName}"),
+			createBreadcrumbItem("create-api-res-namespaced-table", "{apiGroup}/{apiVersion}/{plural}", "/openapi-ui/{cluster}/{namespace}/api-table/{apiGroup}/{apiVersion}/{plural}"),
 			createBreadcrumbItem("create-api-res-namespaced-typename", "Update"),
 		}),

 		// Stock project builtin table
 		createBreadcrumb("stock-project-builtin-table", []map[string]any{
-			createBreadcrumbItem("api", "v1/{typeName}"),
+			createBreadcrumbItem("api", "v1/{plural}"),
 		}),

 		// Stock project builtin form
 		createBreadcrumb("stock-project-builtin-form", []map[string]any{
-			createBreadcrumbItem("create-api-res-namespaced-table", "v1/{typeName}", "/openapi-ui/{clusterName}/{namespace}/builtin-table/{typeName}"),
+			createBreadcrumbItem("create-api-res-namespaced-table", "v1/{plural}", "/openapi-ui/{cluster}/{namespace}/builtin-table/{plural}"),
 			createBreadcrumbItem("create-api-res-namespaced-typename", "Create"),
 		}),

 		// Stock project builtin form edit
 		createBreadcrumb("stock-project-builtin-form-edit", []map[string]any{
-			createBreadcrumbItem("create-api-res-namespaced-table", "v1/{typeName}", "/openapi-ui/{clusterName}/{namespace}/builtin-table/{typeName}"),
+			createBreadcrumbItem("create-api-res-namespaced-table", "v1/{plural}", "/openapi-ui/{cluster}/{namespace}/builtin-table/{plural}"),
 			createBreadcrumbItem("create-api-res-namespaced-typename", "Update"),
 		}),
 	}
@@ -503,18 +503,27 @@ func CreateAllCustomFormsOverrides() []*dashboardv1alpha1.CustomFormsOverride {
 				createFormItem("metadata.namespace", "Namespace", "text"),
 				createFormItem("spec.applicationRef.kind", "Application Kind", "text"),
 				createFormItem("spec.applicationRef.name", "Application Name", "text"),
-				createFormItemWithAPI("spec.backupClassName", "Backup Class", "select", map[string]any{
-					"api": map[string]any{
-						"fetchUrl":       "/api/clusters/{clusterName}/k8s/apis/backups.cozystack.io/v1alpha1/backupclasses",
-						"pathToItems":    []any{"items"},
-						"pathToValue":    []any{"metadata", "name"},
-						"pathToLabel":    []any{"metadata", "name"},
-						"clusterNameVar": "clusterName",
-					},
-				}),
 				createFormItem("spec.schedule.type", "Schedule Type", "text"),
 				createFormItem("spec.schedule.cron", "Schedule Cron", "text"),
 			},
+			"schema": createSchema(map[string]any{
+				"backupClassName": listInputScemaItemBackupClass(),
+			}),
+		}),
+
+		// BackupJobs form override - backups.cozystack.io/v1alpha1
+		createCustomFormsOverride("default-/backups.cozystack.io/v1alpha1/backupjobs", map[string]any{
+			"formItems": []any{
+				createFormItem("metadata.name", "Name", "text"),
+				createFormItem("metadata.namespace", "Namespace", "text"),
+				createFormItem("spec.planRef.name", "Plan Name (optional)", "text"),
+				createFormItem("spec.applicationRef.apiGroup", "Application API Group", "text"),
+				createFormItem("spec.applicationRef.kind", "Application Kind", "text"),
+				createFormItem("spec.applicationRef.name", "Application Name", "text"),
+			},
+			"schema": createSchema(map[string]any{
+				"backupClassName": listInputScemaItemBackupClass(),
+			}),
 		}),
 	}
 }
@@ -535,14 +544,14 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 			}, []any{
 				map[string]any{
 					"data": map[string]any{
-						"baseApiVersion":       "v1alpha1",
-						"baseprefix":           "openapi-ui",
-						"clusterNamePartOfUrl": "{2}",
-						"id":                   311,
-						"mpResourceKind":       "MarketplacePanel",
-						"mpResourceName":       "marketplacepanels",
-						"namespacePartOfUrl":   "{3}",
-						"baseApiGroup":         "dashboard.cozystack.io",
+						"baseApiVersion":    "v1alpha1",
+						"baseprefix":        "openapi-ui",
+						"cluster":           "{2}",
+						"id":                311,
+						"marketplaceKind":   "MarketplacePanel",
+						"marketplacePlural": "marketplacepanels",
+						"namespace":         "{3}",
+						"baseApiGroup":      "dashboard.cozystack.io",
 					},
 					"type": "MarketplaceCard",
 				},
@@ -855,7 +864,7 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 						"prefillValuesRequestIndex": 0,
 						"substractHeight":           float64(400),
 						"type":                      "builtin",
-						"typeName":                  "secrets",
+						"plural":                    "secrets",
 						"readOnly":                  true,
 					},
 				},
@@ -1085,13 +1094,13 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 									map[string]any{
 										"type": "EnrichedTable",
 										"data": map[string]any{
-											"id":                   "service-port-mapping-table",
-											"baseprefix":           "/openapi-ui",
-											"clusterNamePartOfUrl": "{2}",
-											"customizationId":      "factory-kube-service-details-port-mapping",
-											"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/services/{6}",
-											"pathToItems":          ".spec.ports",
-											"withoutControls":      true,
+											"id":              "service-port-mapping-table",
+											"baseprefix":      "/openapi-ui",
+											"cluster":         "{2}",
+											"customizationId": "factory-kube-service-details-port-mapping",
+											"fetchUrl":        "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/services/{6}",
+											"pathToItems":     ".spec.ports",
+											"withoutControls": true,
 										},
 									},
 								}),
@@ -1111,11 +1120,11 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 											map[string]any{
 												"type": "EnrichedTable",
 												"data": map[string]any{
-													"id":                   "service-pod-serving-table",
-													"baseprefix":           "/openapi-ui",
-													"clusterNamePartOfUrl": "{2}",
-													"customizationId":      "factory-kube-service-details-endpointslice",
-													"fetchUrl":             "/api/clusters/{2}/k8s/apis/discovery.k8s.io/v1/namespaces/{3}/endpointslices",
+													"id":              "service-pod-serving-table",
+													"baseprefix":      "/openapi-ui",
+													"cluster":         "{2}",
+													"customizationId": "factory-kube-service-details-endpointslice",
+													"fetchUrl":        "/api/clusters/{2}/k8s/apis/discovery.k8s.io/v1/namespaces/{3}/endpointslices",
 													"labelSelector": map[string]any{
 														"kubernetes.io/service-name": "{reqsJsonPath[0]['.metadata.name']['-']}",
 													},
@@ -1145,7 +1154,7 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 						"prefillValuesRequestIndex": 0,
 						"substractHeight":           float64(400),
 						"type":                      "builtin",
-						"typeName":                  "services",
+						"plural":                    "services",
 					},
 				},
 			},
@@ -1168,11 +1177,11 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 						map[string]any{
 							"type": "EnrichedTable",
 							"data": map[string]any{
-								"id":                   "pods-table",
-								"baseprefix":           "/openapi-ui",
-								"clusterNamePartOfUrl": "{2}",
-								"customizationId":      "factory-node-details-/v1/pods",
-								"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/pods",
+								"id":              "pods-table",
+								"baseprefix":      "/openapi-ui",
+								"cluster":         "{2}",
+								"customizationId": "factory-node-details-/v1/pods",
+								"fetchUrl":        "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/pods",
 								"labelSelectorFull": map[string]any{
 									"pathToLabels": ".spec.selector",
 									"reqIndex":     0,
@@ -1300,13 +1309,13 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 					map[string]any{
 						"type": "EnrichedTable",
 						"data": map[string]any{
-							"id":                   "rules-table",
-							"fetchUrl":             "/api/clusters/{2}/k8s/apis/networking.k8s.io/v1/namespaces/{3}/ingresses/{6}",
-							"clusterNamePartOfUrl": "{2}",
-							"customizationId":      "factory-kube-ingress-details-rules",
-							"baseprefix":           "/openapi-ui",
-							"withoutControls":      true,
-							"pathToItems":          []any{"spec", "rules"},
+							"id":              "rules-table",
+							"fetchUrl":        "/api/clusters/{2}/k8s/apis/networking.k8s.io/v1/namespaces/{3}/ingresses/{6}",
+							"cluster":         "{2}",
+							"customizationId": "factory-kube-ingress-details-rules",
+							"baseprefix":      "/openapi-ui",
+							"withoutControls": true,
+							"pathToItems":     []any{"spec", "rules"},
 						},
 					},
 				}),
@@ -1322,8 +1331,10 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 						"id":                        "yaml-editor",
 						"cluster":                   "{2}",
 						"isNameSpaced":              true,
-						"type":                      "builtin",
-						"typeName":                  "ingresses",
+						"type":                      "apis",
+						"apiGroup":                  "networking.k8s.io",
+						"apiVersion":                "v1",
+						"plural":                    "ingresses",
 						"prefillValuesRequestIndex": float64(0),
 						"substractHeight":           float64(400),
 					},
@@ -1452,11 +1463,11 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 				map[string]any{
 					"type": "EnrichedTable",
 					"data": map[string]any{
-						"id":                   "workloads-table",
-						"baseprefix":           "/openapi-ui",
-						"clusterNamePartOfUrl": "{2}",
-						"customizationId":      "factory-details-v1alpha1.cozystack.io.workloads",
-						"fetchUrl":             "/api/clusters/{2}/k8s/apis/cozystack.io/v1alpha1/namespaces/{3}/workloads",
+						"id":              "workloads-table",
+						"baseprefix":      "/openapi-ui",
+						"cluster":         "{2}",
+						"customizationId": "factory-details-v1alpha1.cozystack.io.workloads",
+						"fetchUrl":        "/api/clusters/{2}/k8s/apis/cozystack.io/v1alpha1/namespaces/{3}/workloads",
 						"labelSelector": map[string]any{
 							"workloads.cozystack.io/monitor": "{reqs[0]['metadata','name']}",
 						},
@@ -1477,8 +1488,10 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 						"isNameSpaced":              true,
 						"prefillValuesRequestIndex": 0,
 						"substractHeight":           float64(400),
-						"type":                      "builtin",
-						"typeName":                  "workloadmonitors",
+						"type":                      "apis",
+						"apiGroup":                  "cozystack.io",
+						"apiVersion":                "v1alpha1",
+						"plural":                    "workloadmonitors",
 					},
 				},
 			},
@@ -1911,12 +1924,12 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 				map[string]any{
 					"type": "EnrichedTable",
 					"data": map[string]any{
-						"id":                   "external-ips-table",
-						"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/services",
-						"clusterNamePartOfUrl": "{2}",
-						"baseprefix":           "/openapi-ui",
-						"customizationId":      "factory-details-v1.services",
-						"pathToItems":          []any{"items"},
+						"id":              "external-ips-table",
+						"fetchUrl":        "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/services",
+						"cluster":         "{2}",
+						"baseprefix":      "/openapi-ui",
+						"customizationId": "factory-details-v1.services",
+						"pathToItems":     ".items",
 						"fieldSelector": map[string]any{
 							"spec.type": "LoadBalancer",
 						},
@@ -1960,12 +1973,27 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {

 // CreateAllNavigations creates all navigation resources using helper functions
 func CreateAllNavigations() []*dashboardv1alpha1.Navigation {
+	// Build baseFactoriesMapping for static (built-in) factories
+	baseFactoriesMapping := map[string]string{
+		// Cluster-scoped builtin resources
+		"base-factory-clusterscoped-builtin-v1-namespaces": "namespace-details",
+		"base-factory-clusterscoped-builtin-v1-nodes":      "node-details",
+		// Namespaced builtin resources
+		"base-factory-namespaced-builtin-v1-pods":     "pod-details",
+		"base-factory-namespaced-builtin-v1-secrets":  "kube-secret-details",
+		"base-factory-namespaced-builtin-v1-services": "kube-service-details",
+		// Namespaced API resources
+		"base-factory-namespaced-api-networking.k8s.io-v1-ingresses":         "kube-ingress-details",
+		"base-factory-namespaced-api-cozystack.io-v1alpha1-workloadmonitors": "workloadmonitor-details",
+	}
+
 	return []*dashboardv1alpha1.Navigation{
 		createNavigation("navigation", map[string]any{
 			"namespaces": map[string]any{
 				"change": "/openapi-ui/{selectedCluster}/{value}/factory/marketplace",
 				"clear":  "/openapi-ui/{selectedCluster}/api-table/core.cozystack.io/v1alpha1/tenantnamespaces",
 			},
+			"baseFactoriesMapping": baseFactoriesMapping,
 		}),
 	}
 }
@@ -2023,9 +2051,9 @@ func createCustomFormsOverride(customizationId string, spec map[string]any) *das
 		"strategy":        "merge",
 	}

-	// Merge caller-provided fields (like formItems) into newSpec
+	// Merge into newSpec caller-provided fields without: customizationId, hidden, strategy
 	for key, value := range spec {
-		if key != "customizationId" && key != "hidden" && key != "schema" && key != "strategy" {
+		if key != "customizationId" && key != "hidden" && key != "strategy" {
 			newSpec[key] = value
 		}
 	}
@@ -2070,6 +2098,28 @@ func createNavigation(name string, spec map[string]any) *dashboardv1alpha1.Navig
 	}
 }

+func listInputScemaItemBackupClass() map[string]any {
+	return map[string]any{
+		"type": "listInput",
+		"customProps": map[string]any{
+			"valueUri":    "/api/clusters/{cluster}/k8s/apis/backups.cozystack.io/v1alpha1/backupclasses",
+			"keysToValue": []any{"metadata", "name"},
+			"keysToLabel": []any{"metadata", "name"},
+		},
+	}
+}
+
+// backupClassSchema returns the schema for spec.backupClassName as listInput (BackupJob/Plan).
+func createSchema(customProps map[string]any) map[string]any {
+	return map[string]any{
+		"properties": map[string]any{
+			"spec": map[string]any{
+				"properties": customProps,
+			},
+		},
+	}
+}
+
 // createFormItem creates a form item for CustomFormsOverride
 func createFormItem(path, label, fieldType string) map[string]any {
 	return map[string]any{
@@ -2342,6 +2392,51 @@ func createWorkloadmonitorHeader() map[string]any {
 	}
 }

+// CreateStaticCFOMapping creates the CFOMapping resource with mappings from static CustomFormsOverrides
+func CreateStaticCFOMapping() *dashboardv1alpha1.CFOMapping {
+	// Build mappings from static CustomFormsOverrides
+	customFormsOverrides := CreateAllCustomFormsOverrides()
+	mappings := make(map[string]string, len(customFormsOverrides))
+	for _, cfo := range customFormsOverrides {
+		var spec map[string]any
+		if err := json.Unmarshal(cfo.Spec.JSON.Raw, &spec); err != nil {
+			continue
+		}
+		customizationID, ok := spec["customizationId"].(string)
+		if !ok {
+			continue
+		}
+		// Extract the resource path from customizationId (remove "default-" prefix)
+		resourcePath := strings.TrimPrefix(customizationID, "default-")
+		mappings[resourcePath] = customizationID
+	}
+
+	return createCFOMapping("cfomapping", mappings)
+}
+
+// createCFOMapping creates a CFOMapping resource
+func createCFOMapping(name string, mappings map[string]string) *dashboardv1alpha1.CFOMapping {
+	spec := map[string]any{
+		"mappings": mappings,
+	}
+	jsonData, _ := json.Marshal(spec)
+
+	return &dashboardv1alpha1.CFOMapping{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "dashboard.cozystack.io/v1alpha1",
+			Kind:       "CFOMapping",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: dashboardv1alpha1.ArbitrarySpec{
+			JSON: v1.JSON{
+				Raw: jsonData,
+			},
+		},
+	}
+}
+
 // ---------------- Complete resource creation function ----------------

 // CreateAllStaticResources creates all static dashboard resources using helper functions
@@ -2378,5 +2473,8 @@ func CreateAllStaticResources() []client.Object {
 		resources = append(resources, tableUriMapping)
 	}

+	// Add CFOMapping
+	resources = append(resources, CreateStaticCFOMapping())
+
 	return resources
 }
--- a/internal/controller/workload_controller_test.go
+++ b/internal/controller/workload_controller_test.go
@@ -43,7 +43,7 @@ func TestWorkloadReconciler_DeletesOnMissingMonitor(t *testing.T) {
 			Name:      "pod-foo",
 			Namespace: "default",
 			Labels: map[string]string{
-				"workloadmonitor.cozystack.io/name": "missing-monitor",
+				"workloads.cozystack.io/monitor": "missing-monitor",
 			},
 		},
 	}
@@ -89,7 +89,7 @@ func TestWorkloadReconciler_KeepsWhenAllExist(t *testing.T) {
 			Name:      "pod-foo",
 			Namespace: "default",
 			Labels: map[string]string{
-				"workloadmonitor.cozystack.io/name": "mon",
+				"workloads.cozystack.io/monitor": "mon",
 			},
 		},
 	}
--- a/internal/crdinstall/install.go
+++ b/internal/crdinstall/install.go
@@ -0,0 +1,112 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package crdinstall
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/cozystack/cozystack/internal/manifestutil"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// Install applies Cozystack CRDs using embedded manifests.
+// It extracts the manifests and applies them to the cluster using server-side apply,
+// then waits for all CRDs to have the Established condition.
+func Install(ctx context.Context, k8sClient client.Client, writeEmbeddedManifests func(string) error) error {
+	logger := log.FromContext(ctx)
+
+	tmpDir, err := os.MkdirTemp("", "crd-install-*")
+	if err != nil {
+		return fmt.Errorf("failed to create temp directory: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	manifestsDir := filepath.Join(tmpDir, "manifests")
+	if err := os.MkdirAll(manifestsDir, 0755); err != nil {
+		return fmt.Errorf("failed to create manifests directory: %w", err)
+	}
+
+	if err := writeEmbeddedManifests(manifestsDir); err != nil {
+		return fmt.Errorf("failed to extract embedded manifests: %w", err)
+	}
+
+	entries, err := os.ReadDir(manifestsDir)
+	if err != nil {
+		return fmt.Errorf("failed to read manifests directory: %w", err)
+	}
+
+	var manifestFiles []string
+	for _, entry := range entries {
+		if strings.HasSuffix(entry.Name(), ".yaml") {
+			manifestFiles = append(manifestFiles, filepath.Join(manifestsDir, entry.Name()))
+		}
+	}
+
+	if len(manifestFiles) == 0 {
+		return fmt.Errorf("no YAML manifest files found in directory")
+	}
+
+	var objects []*unstructured.Unstructured
+	for _, manifestPath := range manifestFiles {
+		objs, err := manifestutil.ParseManifestFile(manifestPath)
+		if err != nil {
+			return fmt.Errorf("failed to parse manifests from %s: %w", manifestPath, err)
+		}
+		objects = append(objects, objs...)
+	}
+
+	if len(objects) == 0 {
+		return fmt.Errorf("no objects found in manifests")
+	}
+
+	// Validate all objects are CRDs — reject anything else to prevent
+	// accidental force-apply of arbitrary resources.
+	for _, obj := range objects {
+		if obj.GetAPIVersion() != "apiextensions.k8s.io/v1" || obj.GetKind() != "CustomResourceDefinition" {
+			return fmt.Errorf("unexpected object %s %s/%s in CRD manifests, only apiextensions.k8s.io/v1 CustomResourceDefinition is allowed",
+				obj.GetAPIVersion(), obj.GetKind(), obj.GetName())
+		}
+	}
+
+	logger.Info("Applying Cozystack CRDs", "count", len(objects))
+	for _, obj := range objects {
+		patchOptions := &client.PatchOptions{
+			FieldManager: "cozystack-operator",
+			Force:        func() *bool { b := true; return &b }(),
+		}
+
+		if err := k8sClient.Patch(ctx, obj, client.Apply, patchOptions); err != nil {
+			return fmt.Errorf("failed to apply CRD %s: %w", obj.GetName(), err)
+		}
+		logger.Info("Applied CRD", "name", obj.GetName())
+	}
+
+	crdNames := manifestutil.CollectCRDNames(objects)
+	if err := manifestutil.WaitForCRDsEstablished(ctx, k8sClient, crdNames); err != nil {
+		return fmt.Errorf("CRDs not established after apply: %w", err)
+	}
+
+	logger.Info("CRD installation completed successfully")
+	return nil
+}
--- a/internal/crdinstall/install_test.go
+++ b/internal/crdinstall/install_test.go
@@ -0,0 +1,302 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package crdinstall
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/client/interceptor"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+)
+
+func TestWriteEmbeddedManifests(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	if err := WriteEmbeddedManifests(tmpDir); err != nil {
+		t.Fatalf("WriteEmbeddedManifests() error = %v", err)
+	}
+
+	entries, err := os.ReadDir(tmpDir)
+	if err != nil {
+		t.Fatalf("failed to read output dir: %v", err)
+	}
+
+	var yamlFiles []string
+	for _, e := range entries {
+		if strings.HasSuffix(e.Name(), ".yaml") {
+			yamlFiles = append(yamlFiles, e.Name())
+		}
+	}
+
+	if len(yamlFiles) == 0 {
+		t.Error("WriteEmbeddedManifests() produced no YAML files")
+	}
+
+	expectedFiles := []string{
+		"cozystack.io_packages.yaml",
+		"cozystack.io_packagesources.yaml",
+	}
+	for _, expected := range expectedFiles {
+		found := false
+		for _, actual := range yamlFiles {
+			if actual == expected {
+				found = true
+				break
+			}
+		}
+		if !found {
+			t.Errorf("expected file %q not found in output, got %v", expected, yamlFiles)
+		}
+	}
+
+	// Verify files are non-empty
+	for _, f := range yamlFiles {
+		data, err := os.ReadFile(filepath.Join(tmpDir, f))
+		if err != nil {
+			t.Errorf("failed to read %s: %v", f, err)
+			continue
+		}
+		if len(data) == 0 {
+			t.Errorf("file %s is empty", f)
+		}
+	}
+}
+
+func TestWriteEmbeddedManifests_filePermissions(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	if err := WriteEmbeddedManifests(tmpDir); err != nil {
+		t.Fatalf("WriteEmbeddedManifests() error = %v", err)
+	}
+
+	entries, err := os.ReadDir(tmpDir)
+	if err != nil {
+		t.Fatalf("failed to read output dir: %v", err)
+	}
+
+	for _, e := range entries {
+		if !strings.HasSuffix(e.Name(), ".yaml") {
+			continue
+		}
+		info, err := e.Info()
+		if err != nil {
+			t.Errorf("failed to get info for %s: %v", e.Name(), err)
+			continue
+		}
+		perm := info.Mode().Perm()
+		if perm&0o077 != 0 {
+			t.Errorf("file %s has overly permissive mode %o, expected no group/other access", e.Name(), perm)
+		}
+	}
+}
+
+// newCRDManifestWriter returns a function that writes test CRD YAML files.
+func newCRDManifestWriter(crds ...string) func(string) error {
+	return func(dir string) error {
+		for i, crd := range crds {
+			filename := filepath.Join(dir, fmt.Sprintf("crd%d.yaml", i+1))
+			if err := os.WriteFile(filename, []byte(crd), 0600); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+var testCRD1 = `apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: packages.cozystack.io
+spec:
+  group: cozystack.io
+  names:
+    kind: Package
+    plural: packages
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+`
+
+var testCRD2 = `apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: packagesources.cozystack.io
+spec:
+  group: cozystack.io
+  names:
+    kind: PackageSource
+    plural: packagesources
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+`
+
+// establishedInterceptor simulates CRDs becoming Established in the API server.
+func establishedInterceptor() interceptor.Funcs {
+	return interceptor.Funcs{
+		Get: func(ctx context.Context, c client.WithWatch, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error {
+			if err := c.Get(ctx, key, obj, opts...); err != nil {
+				return err
+			}
+			u, ok := obj.(*unstructured.Unstructured)
+			if !ok {
+				return nil
+			}
+			if u.GetKind() == "CustomResourceDefinition" {
+				_ = unstructured.SetNestedSlice(u.Object, []interface{}{
+					map[string]interface{}{
+						"type":   "Established",
+						"status": "True",
+					},
+				}, "status", "conditions")
+			}
+			return nil
+		},
+	}
+}
+
+func TestInstall_appliesAllCRDs(t *testing.T) {
+	log.SetLogger(zap.New(zap.UseDevMode(true)))
+
+	scheme := runtime.NewScheme()
+	if err := apiextensionsv1.AddToScheme(scheme); err != nil {
+		t.Fatalf("failed to add apiextensions to scheme: %v", err)
+	}
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithInterceptorFuncs(establishedInterceptor()).
+		Build()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	ctx = log.IntoContext(ctx, log.FromContext(context.Background()))
+
+	err := Install(ctx, fakeClient, newCRDManifestWriter(testCRD1, testCRD2))
+	if err != nil {
+		t.Fatalf("Install() error = %v", err)
+	}
+}
+
+func TestInstall_noManifests(t *testing.T) {
+	log.SetLogger(zap.New(zap.UseDevMode(true)))
+
+	scheme := runtime.NewScheme()
+	fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	ctx = log.IntoContext(ctx, log.FromContext(context.Background()))
+
+	err := Install(ctx, fakeClient, func(string) error { return nil })
+	if err == nil {
+		t.Error("Install() expected error for empty manifests, got nil")
+	}
+	if !strings.Contains(err.Error(), "no YAML manifest files found") {
+		t.Errorf("Install() error = %v, want error containing 'no YAML manifest files found'", err)
+	}
+}
+
+func TestInstall_writeManifestsFails(t *testing.T) {
+	log.SetLogger(zap.New(zap.UseDevMode(true)))
+
+	scheme := runtime.NewScheme()
+	fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	ctx = log.IntoContext(ctx, log.FromContext(context.Background()))
+
+	err := Install(ctx, fakeClient, func(string) error { return os.ErrPermission })
+	if err == nil {
+		t.Error("Install() expected error when writeManifests fails, got nil")
+	}
+}
+
+func TestInstall_rejectsNonCRDObjects(t *testing.T) {
+	log.SetLogger(zap.New(zap.UseDevMode(true)))
+
+	scheme := runtime.NewScheme()
+	if err := apiextensionsv1.AddToScheme(scheme); err != nil {
+		t.Fatalf("failed to add apiextensions to scheme: %v", err)
+	}
+
+	fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+	nonCRD := `apiVersion: v1
+kind: Namespace
+metadata:
+  name: should-not-be-applied
+`
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	ctx = log.IntoContext(ctx, log.FromContext(context.Background()))
+
+	err := Install(ctx, fakeClient, newCRDManifestWriter(nonCRD))
+	if err == nil {
+		t.Fatal("Install() expected error for non-CRD object, got nil")
+	}
+	if !strings.Contains(err.Error(), "unexpected object") {
+		t.Errorf("Install() error = %v, want error containing 'unexpected object'", err)
+	}
+}
+
+func TestInstall_crdNotEstablished(t *testing.T) {
+	log.SetLogger(zap.New(zap.UseDevMode(true)))
+
+	scheme := runtime.NewScheme()
+	if err := apiextensionsv1.AddToScheme(scheme); err != nil {
+		t.Fatalf("failed to add apiextensions to scheme: %v", err)
+	}
+
+	// No interceptor: CRDs will never get Established condition
+	fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+	ctx = log.IntoContext(ctx, log.FromContext(context.Background()))
+
+	err := Install(ctx, fakeClient, newCRDManifestWriter(testCRD1))
+	if err == nil {
+		t.Fatal("Install() expected error when CRDs never become established, got nil")
+	}
+	if !strings.Contains(err.Error(), "CRDs not established") {
+		t.Errorf("Install() error = %v, want error containing 'CRDs not established'", err)
+	}
+}
--- a/internal/crdinstall/manifests.embed.go
+++ b/internal/crdinstall/manifests.embed.go
@@ -0,0 +1,51 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package crdinstall
+
+import (
+	"embed"
+	"fmt"
+	"io/fs"
+	"os"
+	"path"
+	"path/filepath"
+)
+
+//go:embed manifests/*.yaml
+var embeddedCRDManifests embed.FS
+
+// WriteEmbeddedManifests extracts embedded CRD manifests to a directory.
+func WriteEmbeddedManifests(dir string) error {
+	manifests, err := fs.ReadDir(embeddedCRDManifests, "manifests")
+	if err != nil {
+		return fmt.Errorf("failed to read embedded manifests: %w", err)
+	}
+
+	for _, manifest := range manifests {
+		data, err := fs.ReadFile(embeddedCRDManifests, path.Join("manifests", manifest.Name()))
+		if err != nil {
+			return fmt.Errorf("failed to read file %s: %w", manifest.Name(), err)
+		}
+
+		outputPath := filepath.Join(dir, manifest.Name())
+		if err := os.WriteFile(outputPath, data, 0600); err != nil {
+			return fmt.Errorf("failed to write file %s: %w", outputPath, err)
+		}
+	}
+
+	return nil
+}
--- a/packages/core/installer/definitions/.gitattributes
+++ b/packages/core/installer/definitions/.gitattributes
--- a/packages/core/installer/definitions/cozystack.io_packages.yaml
+++ b/packages/core/installer/definitions/cozystack.io_packages.yaml
--- a/packages/core/installer/definitions/cozystack.io_packagesources.yaml
+++ b/packages/core/installer/definitions/cozystack.io_packagesources.yaml
--- a/internal/fluxinstall/install.go
+++ b/internal/fluxinstall/install.go
@@ -17,18 +17,15 @@ limitations under the License.
 package fluxinstall

 import (
-	"bufio"
-	"bytes"
 	"context"
 	"fmt"
-	"io"
 	"os"
 	"path/filepath"
 	"strings"
-	"time"
+
+	"github.com/cozystack/cozystack/internal/manifestutil"

 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -76,7 +73,7 @@ func Install(ctx context.Context, k8sClient client.Client, writeEmbeddedManifest
 	// Parse all manifest files
 	var objects []*unstructured.Unstructured
 	for _, manifestPath := range manifestFiles {
-		objs, err := parseManifests(manifestPath)
+		objs, err := manifestutil.ParseManifestFile(manifestPath)
 		if err != nil {
 			return fmt.Errorf("failed to parse manifests from %s: %w", manifestPath, err)
 		}
@@ -110,56 +107,6 @@ func Install(ctx context.Context, k8sClient client.Client, writeEmbeddedManifest
 	return nil
 }

-// parseManifests parses YAML manifests into unstructured objects.
-func parseManifests(manifestPath string) ([]*unstructured.Unstructured, error) {
-	data, err := os.ReadFile(manifestPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read manifest file: %w", err)
-	}
-
-	return readYAMLObjects(bytes.NewReader(data))
-}
-
-// readYAMLObjects parses multi-document YAML into unstructured objects.
-func readYAMLObjects(reader io.Reader) ([]*unstructured.Unstructured, error) {
-	var objects []*unstructured.Unstructured
-	yamlReader := k8syaml.NewYAMLReader(bufio.NewReader(reader))
-
-	for {
-		doc, err := yamlReader.Read()
-		if err != nil {
-			if err == io.EOF {
-				break
-			}
-			return nil, fmt.Errorf("failed to read YAML document: %w", err)
-		}
-
-		// Skip empty documents
-		if len(bytes.TrimSpace(doc)) == 0 {
-			continue
-		}
-
-		obj := &unstructured.Unstructured{}
-		decoder := k8syaml.NewYAMLOrJSONDecoder(bytes.NewReader(doc), len(doc))
-		if err := decoder.Decode(obj); err != nil {
-			// Skip documents that can't be decoded (might be comments or empty)
-			if err == io.EOF {
-				continue
-			}
-			return nil, fmt.Errorf("failed to decode YAML document: %w", err)
-		}
-
-		// Skip empty objects (no kind)
-		if obj.GetKind() == "" {
-			continue
-		}
-
-		objects = append(objects, obj)
-	}
-
-	return objects, nil
-}
-
 // applyManifests applies Kubernetes objects using server-side apply.
 func applyManifests(ctx context.Context, k8sClient client.Client, objects []*unstructured.Unstructured) error {
 	logger := log.FromContext(ctx)
@@ -183,8 +130,11 @@ func applyManifests(ctx context.Context, k8sClient client.Client, objects []*uns
 			return fmt.Errorf("failed to apply cluster definitions: %w", err)
 		}

-		// Wait a bit for CRDs to be registered
-		time.Sleep(2 * time.Second)
+		// Wait for CRDs to be established before applying dependent resources
+		crdNames := manifestutil.CollectCRDNames(stageOne)
+		if err := manifestutil.WaitForCRDsEstablished(ctx, k8sClient, crdNames); err != nil {
+			return fmt.Errorf("CRDs not established after apply: %w", err)
+		}
 	}

 	// Apply stage two (everything else)
@@ -215,7 +165,6 @@ func applyObjects(ctx context.Context, k8sClient client.Client, objects []*unstr
 	return nil
 }

-
 // extractNamespace extracts the namespace name from the Namespace object in the manifests.
 func extractNamespace(objects []*unstructured.Unstructured) (string, error) {
 	for _, obj := range objects {
@@ -386,4 +335,3 @@ func setEnvVar(env []interface{}, name, value string) []interface{} {

 	return env
 }
-
--- a/internal/fluxinstall/manifests.embed.go
+++ b/internal/fluxinstall/manifests.embed.go
@@ -22,6 +22,7 @@ import (
 	"io/fs"
 	"os"
 	"path"
+	"path/filepath"
 )

 //go:embed manifests/*.yaml
@@ -40,8 +41,8 @@ func WriteEmbeddedManifests(dir string) error {
 			return fmt.Errorf("failed to read file %s: %w", manifest.Name(), err)
 		}

-		outputPath := path.Join(dir, manifest.Name())
-		if err := os.WriteFile(outputPath, data, 0666); err != nil {
+		outputPath := filepath.Join(dir, manifest.Name())
+		if err := os.WriteFile(outputPath, data, 0600); err != nil {
 			return fmt.Errorf("failed to write file %s: %w", outputPath, err)
 		}
 	}
--- a/internal/manifestutil/crd.go
+++ b/internal/manifestutil/crd.go
@@ -0,0 +1,118 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package manifestutil
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+var crdGVK = schema.GroupVersionKind{
+	Group:   "apiextensions.k8s.io",
+	Version: "v1",
+	Kind:    "CustomResourceDefinition",
+}
+
+// WaitForCRDsEstablished polls the API server until all named CRDs have the
+// Established condition set to True, or the context is cancelled.
+func WaitForCRDsEstablished(ctx context.Context, k8sClient client.Client, crdNames []string) error {
+	if len(crdNames) == 0 {
+		return nil
+	}
+
+	logger := log.FromContext(ctx)
+	ticker := time.NewTicker(500 * time.Millisecond)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return fmt.Errorf("context cancelled while waiting for CRDs to be established: %w", ctx.Err())
+		default:
+		}
+
+		allEstablished := true
+		var pendingCRD string
+		for _, name := range crdNames {
+			crd := &unstructured.Unstructured{}
+			crd.SetGroupVersionKind(crdGVK)
+			if err := k8sClient.Get(ctx, types.NamespacedName{Name: name}, crd); err != nil {
+				allEstablished = false
+				pendingCRD = name
+				break
+			}
+
+			conditions, found, err := unstructured.NestedSlice(crd.Object, "status", "conditions")
+			if err != nil || !found {
+				allEstablished = false
+				pendingCRD = name
+				break
+			}
+
+			established := false
+			for _, c := range conditions {
+				cond, ok := c.(map[string]interface{})
+				if !ok {
+					continue
+				}
+				if cond["type"] == "Established" && cond["status"] == "True" {
+					established = true
+					break
+				}
+			}
+			if !established {
+				allEstablished = false
+				pendingCRD = name
+				break
+			}
+		}
+
+		if allEstablished {
+			logger.Info("All CRDs established", "count", len(crdNames))
+			return nil
+		}
+
+		logger.V(1).Info("Waiting for CRD to be established", "crd", pendingCRD)
+
+		select {
+		case <-ctx.Done():
+			return fmt.Errorf("context cancelled while waiting for CRD %q to be established: %w", pendingCRD, ctx.Err())
+		case <-ticker.C:
+		}
+	}
+}
+
+// CollectCRDNames returns the names of all CustomResourceDefinition objects
+// from the given list of unstructured objects. Only objects with
+// apiVersion "apiextensions.k8s.io/v1" and kind "CustomResourceDefinition"
+// are matched.
+func CollectCRDNames(objects []*unstructured.Unstructured) []string {
+	var names []string
+	for _, obj := range objects {
+		if obj.GetAPIVersion() == "apiextensions.k8s.io/v1" && obj.GetKind() == "CustomResourceDefinition" {
+			names = append(names, obj.GetName())
+		}
+	}
+	return names
+}
--- a/internal/manifestutil/crd_test.go
+++ b/internal/manifestutil/crd_test.go
@@ -0,0 +1,202 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package manifestutil
+
+import (
+	"context"
+	"strings"
+	"testing"
+	"time"
+
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/client/interceptor"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+)
+
+func TestCollectCRDNames(t *testing.T) {
+	objects := []*unstructured.Unstructured{
+		{Object: map[string]interface{}{
+			"apiVersion": "v1",
+			"kind":       "Namespace",
+			"metadata":   map[string]interface{}{"name": "test-ns"},
+		}},
+		{Object: map[string]interface{}{
+			"apiVersion": "apiextensions.k8s.io/v1",
+			"kind":       "CustomResourceDefinition",
+			"metadata":   map[string]interface{}{"name": "packages.cozystack.io"},
+		}},
+		{Object: map[string]interface{}{
+			"apiVersion": "apps/v1",
+			"kind":       "Deployment",
+			"metadata":   map[string]interface{}{"name": "test-deploy"},
+		}},
+		{Object: map[string]interface{}{
+			"apiVersion": "apiextensions.k8s.io/v1",
+			"kind":       "CustomResourceDefinition",
+			"metadata":   map[string]interface{}{"name": "packagesources.cozystack.io"},
+		}},
+	}
+
+	names := CollectCRDNames(objects)
+	if len(names) != 2 {
+		t.Fatalf("CollectCRDNames() returned %d names, want 2", len(names))
+	}
+	if names[0] != "packages.cozystack.io" {
+		t.Errorf("names[0] = %q, want %q", names[0], "packages.cozystack.io")
+	}
+	if names[1] != "packagesources.cozystack.io" {
+		t.Errorf("names[1] = %q, want %q", names[1], "packagesources.cozystack.io")
+	}
+}
+
+func TestCollectCRDNames_ignoresWrongAPIVersion(t *testing.T) {
+	objects := []*unstructured.Unstructured{
+		{Object: map[string]interface{}{
+			"apiVersion": "apiextensions.k8s.io/v1",
+			"kind":       "CustomResourceDefinition",
+			"metadata":   map[string]interface{}{"name": "real.crd.io"},
+		}},
+		{Object: map[string]interface{}{
+			"apiVersion": "apiextensions.k8s.io/v1beta1",
+			"kind":       "CustomResourceDefinition",
+			"metadata":   map[string]interface{}{"name": "legacy.crd.io"},
+		}},
+	}
+
+	names := CollectCRDNames(objects)
+	if len(names) != 1 {
+		t.Fatalf("CollectCRDNames() returned %d names, want 1", len(names))
+	}
+	if names[0] != "real.crd.io" {
+		t.Errorf("names[0] = %q, want %q", names[0], "real.crd.io")
+	}
+}
+
+func TestCollectCRDNames_noCRDs(t *testing.T) {
+	objects := []*unstructured.Unstructured{
+		{Object: map[string]interface{}{
+			"apiVersion": "v1",
+			"kind":       "Namespace",
+			"metadata":   map[string]interface{}{"name": "test"},
+		}},
+	}
+
+	names := CollectCRDNames(objects)
+	if len(names) != 0 {
+		t.Errorf("CollectCRDNames() returned %d names, want 0", len(names))
+	}
+}
+
+func TestWaitForCRDsEstablished_success(t *testing.T) {
+	log.SetLogger(zap.New(zap.UseDevMode(true)))
+
+	scheme := runtime.NewScheme()
+	if err := apiextensionsv1.AddToScheme(scheme); err != nil {
+		t.Fatalf("failed to add apiextensions to scheme: %v", err)
+	}
+
+	// Create a CRD object in the fake client
+	crd := &unstructured.Unstructured{Object: map[string]interface{}{
+		"apiVersion": "apiextensions.k8s.io/v1",
+		"kind":       "CustomResourceDefinition",
+		"metadata":   map[string]interface{}{"name": "packages.cozystack.io"},
+	}}
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(crd).
+		WithInterceptorFuncs(interceptor.Funcs{
+			Get: func(ctx context.Context, c client.WithWatch, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error {
+				if err := c.Get(ctx, key, obj, opts...); err != nil {
+					return err
+				}
+				u, ok := obj.(*unstructured.Unstructured)
+				if !ok {
+					return nil
+				}
+				if u.GetKind() == "CustomResourceDefinition" {
+					_ = unstructured.SetNestedSlice(u.Object, []interface{}{
+						map[string]interface{}{
+							"type":   "Established",
+							"status": "True",
+						},
+					}, "status", "conditions")
+				}
+				return nil
+			},
+		}).
+		Build()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	ctx = log.IntoContext(ctx, log.FromContext(context.Background()))
+
+	err := WaitForCRDsEstablished(ctx, fakeClient, []string{"packages.cozystack.io"})
+	if err != nil {
+		t.Fatalf("WaitForCRDsEstablished() error = %v", err)
+	}
+}
+
+func TestWaitForCRDsEstablished_timeout(t *testing.T) {
+	log.SetLogger(zap.New(zap.UseDevMode(true)))
+
+	scheme := runtime.NewScheme()
+	if err := apiextensionsv1.AddToScheme(scheme); err != nil {
+		t.Fatalf("failed to add apiextensions to scheme: %v", err)
+	}
+
+	// CRD exists but never gets Established condition
+	crd := &unstructured.Unstructured{Object: map[string]interface{}{
+		"apiVersion": "apiextensions.k8s.io/v1",
+		"kind":       "CustomResourceDefinition",
+		"metadata":   map[string]interface{}{"name": "packages.cozystack.io"},
+	}}
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(crd).
+		Build()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+	ctx = log.IntoContext(ctx, log.FromContext(context.Background()))
+
+	err := WaitForCRDsEstablished(ctx, fakeClient, []string{"packages.cozystack.io"})
+	if err == nil {
+		t.Fatal("WaitForCRDsEstablished() expected error on timeout, got nil")
+	}
+	if !strings.Contains(err.Error(), "packages.cozystack.io") {
+		t.Errorf("error should mention stuck CRD name, got: %v", err)
+	}
+}
+
+func TestWaitForCRDsEstablished_empty(t *testing.T) {
+	scheme := runtime.NewScheme()
+	fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+	ctx := context.Background()
+	err := WaitForCRDsEstablished(ctx, fakeClient, nil)
+	if err != nil {
+		t.Fatalf("WaitForCRDsEstablished() with empty names should return nil, got: %v", err)
+	}
+}
+
--- a/internal/manifestutil/parse.go
+++ b/internal/manifestutil/parse.go
@@ -0,0 +1,76 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package manifestutil
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
+)
+
+// ParseManifestFile reads a YAML file and parses it into unstructured objects.
+func ParseManifestFile(manifestPath string) ([]*unstructured.Unstructured, error) {
+	data, err := os.ReadFile(manifestPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read manifest file: %w", err)
+	}
+
+	return ReadYAMLObjects(bytes.NewReader(data))
+}
+
+// ReadYAMLObjects parses multi-document YAML from a reader into unstructured objects.
+// Empty documents and documents without a kind are skipped.
+func ReadYAMLObjects(reader io.Reader) ([]*unstructured.Unstructured, error) {
+	var objects []*unstructured.Unstructured
+	yamlReader := k8syaml.NewYAMLReader(bufio.NewReader(reader))
+
+	for {
+		doc, err := yamlReader.Read()
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return nil, fmt.Errorf("failed to read YAML document: %w", err)
+		}
+
+		if len(bytes.TrimSpace(doc)) == 0 {
+			continue
+		}
+
+		obj := &unstructured.Unstructured{}
+		decoder := k8syaml.NewYAMLOrJSONDecoder(bytes.NewReader(doc), len(doc))
+		if err := decoder.Decode(obj); err != nil {
+			if err == io.EOF {
+				continue
+			}
+			return nil, fmt.Errorf("failed to decode YAML document: %w", err)
+		}
+
+		if obj.GetKind() == "" {
+			continue
+		}
+
+		objects = append(objects, obj)
+	}
+
+	return objects, nil
+}
--- a/internal/manifestutil/parse_test.go
+++ b/internal/manifestutil/parse_test.go
@@ -0,0 +1,161 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package manifestutil
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestReadYAMLObjects(t *testing.T) {
+	tests := []struct {
+		name      string
+		input     string
+		wantCount int
+		wantErr   bool
+	}{
+		{
+			name: "single document",
+			input: `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test
+`,
+			wantCount: 1,
+		},
+		{
+			name: "multiple documents",
+			input: `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test1
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test2
+`,
+			wantCount: 2,
+		},
+		{
+			name:      "empty input",
+			input:     "",
+			wantCount: 0,
+		},
+		{
+			name: "decoder rejects document without kind",
+			input: `apiVersion: v1
+metadata:
+  name: test
+`,
+			wantErr: true,
+		},
+		{
+			name: "whitespace-only document between separators is skipped",
+			input: `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test1
+---
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test2
+`,
+			wantCount: 2,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			objects, err := ReadYAMLObjects(strings.NewReader(tt.input))
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ReadYAMLObjects() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if len(objects) != tt.wantCount {
+				t.Errorf("ReadYAMLObjects() returned %d objects, want %d", len(objects), tt.wantCount)
+			}
+		})
+	}
+}
+
+func TestReadYAMLObjects_preservesFields(t *testing.T) {
+	input := `apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: packages.cozystack.io
+spec:
+  group: cozystack.io
+`
+	objects, err := ReadYAMLObjects(strings.NewReader(input))
+	if err != nil {
+		t.Fatalf("ReadYAMLObjects() error = %v", err)
+	}
+	if len(objects) != 1 {
+		t.Fatalf("expected 1 object, got %d", len(objects))
+	}
+
+	obj := objects[0]
+	if obj.GetKind() != "CustomResourceDefinition" {
+		t.Errorf("kind = %q, want %q", obj.GetKind(), "CustomResourceDefinition")
+	}
+	if obj.GetName() != "packages.cozystack.io" {
+		t.Errorf("name = %q, want %q", obj.GetName(), "packages.cozystack.io")
+	}
+	if obj.GetAPIVersion() != "apiextensions.k8s.io/v1" {
+		t.Errorf("apiVersion = %q, want %q", obj.GetAPIVersion(), "apiextensions.k8s.io/v1")
+	}
+}
+
+func TestParseManifestFile(t *testing.T) {
+	tmpDir := t.TempDir()
+	manifestPath := filepath.Join(tmpDir, "test.yaml")
+
+	content := `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cm1
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cm2
+`
+	if err := os.WriteFile(manifestPath, []byte(content), 0600); err != nil {
+		t.Fatalf("failed to write test manifest: %v", err)
+	}
+
+	objects, err := ParseManifestFile(manifestPath)
+	if err != nil {
+		t.Fatalf("ParseManifestFile() error = %v", err)
+	}
+	if len(objects) != 2 {
+		t.Errorf("ParseManifestFile() returned %d objects, want 2", len(objects))
+	}
+}
+
+func TestParseManifestFile_notFound(t *testing.T) {
+	_, err := ParseManifestFile("/nonexistent/path/test.yaml")
+	if err == nil {
+		t.Error("ParseManifestFile() expected error for nonexistent file, got nil")
+	}
+}
--- a/packages/apps/bucket/Makefile
+++ b/packages/apps/bucket/Makefile
@@ -1,6 +1,5 @@
 include ../../../hack/package.mk

 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
-	yq -o json -i '.properties = {}' values.schema.json
+	cozyvalues-gen -m 'bucket' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/bucket/types.go
 	../../../hack/update-crd.sh
--- a/packages/apps/bucket/README.md
+++ b/packages/apps/bucket/README.md
@@ -1,3 +1,13 @@
 # S3 bucket

 ## Parameters
+
+### Parameters
+
+| Name                   | Description                                                                | Type                | Value   |
+| ---------------------- | -------------------------------------------------------------------------- | ------------------- | ------- |
+| `locking`              | Provisions bucket from the `-lock` BucketClass (with object lock enabled). | `bool`              | `false` |
+| `storagePool`          | Selects a specific BucketClass by storage pool name.                       | `string`            | `""`    |
+| `users`                | Users configuration map.                                                   | `map[string]object` | `{}`    |
+| `users[name].readonly` | Whether the user has read-only access.                                     | `bool`              | `false` |
+
--- a/packages/apps/bucket/templates/bucketclaim.yaml
+++ b/packages/apps/bucket/templates/bucketclaim.yaml
@@ -1,19 +1,22 @@
 {{- $seaweedfs := .Values._namespace.seaweedfs }}
+{{- $pool := .Values.storagePool }}
 apiVersion: objectstorage.k8s.io/v1alpha1
 kind: BucketClaim
 metadata:
  name: {{ .Release.Name }}
 spec:
-  bucketClassName: {{ $seaweedfs }}
+  bucketClassName: {{ $seaweedfs }}{{- if $pool }}-{{ $pool }}{{- end }}{{- if .Values.locking }}-lock{{- end }}
  protocols:
    - s3
+{{- range $name, $user := .Values.users }}
 ---
 apiVersion: objectstorage.k8s.io/v1alpha1
 kind: BucketAccess
 metadata:
-  name: {{ .Release.Name }}
+  name: {{ $.Release.Name }}-{{ $name }}
 spec:
-  bucketAccessClassName: {{ $seaweedfs }}
-  bucketClaimName: {{ .Release.Name }}
-  credentialsSecretName: {{ .Release.Name }}
+  bucketAccessClassName: {{ $seaweedfs }}{{- if $pool }}-{{ $pool }}{{- end }}{{- if $user.readonly }}-readonly{{- end }}
+  bucketClaimName: {{ $.Release.Name }}
+  credentialsSecretName: {{ $.Release.Name }}-{{ $name }}
  protocol: s3
+{{- end }}
--- a/packages/apps/bucket/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/bucket/templates/dashboard-resourcemap.yaml
@@ -8,8 +8,9 @@ rules:
  resources:
  - secrets
  resourceNames:
-  - {{ .Release.Name }}
-  - {{ .Release.Name }}-credentials
+  {{- range $name, $user := .Values.users }}
+  - {{ $.Release.Name }}-{{ $name }}-credentials
+  {{- end }}
  verbs: ["get", "list", "watch"]
 - apiGroups:
  - networking.k8s.io
--- a/packages/apps/bucket/templates/helmrelease.yaml
+++ b/packages/apps/bucket/templates/helmrelease.yaml
@@ -23,3 +23,4 @@ spec:
    name: cozystack-values
  values:
    bucketName: {{ .Release.Name }}
+    users: {{ .Values.users | toJson }}
--- a/packages/apps/bucket/values.schema.json
+++ b/packages/apps/bucket/values.schema.json
@@ -1,5 +1,30 @@
 {
  "title": "Chart Values",
  "type": "object",
-  "properties": {}
-}
+  "properties": {
+    "locking": {
+      "description": "Provisions bucket from the `-lock` BucketClass (with object lock enabled).",
+      "type": "boolean",
+      "default": false
+    },
+    "storagePool": {
+      "description": "Selects a specific BucketClass by storage pool name.",
+      "type": "string",
+      "default": ""
+    },
+    "users": {
+      "description": "Users configuration map.",
+      "type": "object",
+      "default": {},
+      "additionalProperties": {
+        "type": "object",
+        "properties": {
+          "readonly": {
+            "description": "Whether the user has read-only access.",
+            "type": "boolean"
+          }
+        }
+      }
+    }
+  }
+}
--- a/Show More
+++ b/Show More