[linstor] Add linstor-affinity-controller

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
[backups] Stub the Job backup strategy controller (#1720 )
2026-03-03 21:48:57 +00:00 · 2025-12-16 02:43:06 +01:00 · 2025-12-15 10:53:47 +04:00 · 2025-12-14 04:04:20 +04:00 · 2025-12-12 18:02:30 +04:00 · 2025-12-12 16:07:48 +03:00
255 changed files with 27918 additions and 1656 deletions
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -2,7 +2,7 @@ name: Automatic Backport

 on:
  pull_request_target:
-    types: [closed]   # fires when PR is closed (merged)
+    types: [closed, labeled]   # fires when PR is closed (merged) or labeled

 concurrency:
  group: backport-${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -13,22 +13,46 @@ permissions:
  pull-requests: write

 jobs:
-  backport:
+  # Determine which backports are needed
+  prepare:
    if: |
      github.event.pull_request.merged == true &&
-      contains(github.event.pull_request.labels.*.name, 'backport')
+      (
+        contains(github.event.pull_request.labels.*.name, 'backport') ||
+        contains(github.event.pull_request.labels.*.name, 'backport-previous') ||
+        (github.event.action == 'labeled' && (github.event.label.name == 'backport' || github.event.label.name == 'backport-previous'))
+      )
    runs-on: [self-hosted]
-
+    outputs:
+      backport_current: ${{ steps.labels.outputs.backport }}
+      backport_previous: ${{ steps.labels.outputs.backport_previous }}
+      current_branch: ${{ steps.branches.outputs.current_branch }}
+      previous_branch: ${{ steps.branches.outputs.previous_branch }}
    steps:
-      # 1. Decide which maintenance branch should receive the back‑port
-      - name: Determine target maintenance branch
-        id: target
+      - name: Check which labels are present
+        id: labels
        uses: actions/github-script@v7
        with:
          script: |
-            let rel;
+            const pr = context.payload.pull_request;
+            const labels = pr.labels.map(l => l.name);
+            const isBackport = labels.includes('backport');
+            const isBackportPrevious = labels.includes('backport-previous');
+            
+            core.setOutput('backport', isBackport ? 'true' : 'false');
+            core.setOutput('backport_previous', isBackportPrevious ? 'true' : 'false');
+            
+            console.log(`backport label: ${isBackport}, backport-previous label: ${isBackportPrevious}`);
+      
+      - name: Determine target branches
+        id: branches
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Get latest release
+            let latestRelease;
            try {
-              rel = await github.rest.repos.getLatestRelease({
+              latestRelease = await github.rest.repos.getLatestRelease({
                owner: context.repo.owner,
                repo: context.repo.repo
              });
@@ -36,18 +60,70 @@ jobs:
              core.setFailed('No existing releases found; cannot determine backport target.');
              return;
            }
-            const [maj, min] = rel.data.tag_name.replace(/^v/, '').split('.');
-            const branch = `release-${maj}.${min}`;
-            core.setOutput('branch', branch);
-            console.log(`Latest release ${rel.data.tag_name}; backporting to ${branch}`);
+            
+            const [maj, min] = latestRelease.data.tag_name.replace(/^v/, '').split('.');
+            const currentBranch = `release-${maj}.${min}`;
+            const prevMin = parseInt(min) - 1;
+            const previousBranch = prevMin >= 0 ? `release-${maj}.${prevMin}` : '';
+            
+            core.setOutput('current_branch', currentBranch);
+            core.setOutput('previous_branch', previousBranch);
+            
+            console.log(`Current branch: ${currentBranch}, Previous branch: ${previousBranch || 'N/A'}`);
+            
+            // Verify previous branch exists if we need it
+            if (previousBranch && '${{ steps.labels.outputs.backport_previous }}' === 'true') {
+              try {
+                await github.rest.repos.getBranch({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  branch: previousBranch
+                });
+                console.log(`Previous branch ${previousBranch} exists`);
+              } catch (e) {
+                core.setFailed(`Previous branch ${previousBranch} does not exist.`);
+                return;
+              }
+            }
+
+  backport:
+    needs: prepare
+    if: |
+      github.event.pull_request.merged == true &&
+      (needs.prepare.outputs.backport_current == 'true' || needs.prepare.outputs.backport_previous == 'true')
+    runs-on: [self-hosted]
+    strategy:
+      matrix:
+        backport_type: [current, previous]
+    steps:
+      # 1. Determine target branch based on matrix
+      - name: Set target branch
+        id: target
+        if: |
+          (matrix.backport_type == 'current' && needs.prepare.outputs.backport_current == 'true') ||
+          (matrix.backport_type == 'previous' && needs.prepare.outputs.backport_previous == 'true')
+        run: |
+          if [ "${{ matrix.backport_type }}" == "current" ]; then
+            echo "branch=${{ needs.prepare.outputs.current_branch }}" >> $GITHUB_OUTPUT
+            echo "Target branch: ${{ needs.prepare.outputs.current_branch }}"
+          else
+            echo "branch=${{ needs.prepare.outputs.previous_branch }}" >> $GITHUB_OUTPUT
+            echo "Target branch: ${{ needs.prepare.outputs.previous_branch }}"
+          fi
+      
      # 2. Checkout (required by backport‑action)
      - name: Checkout repository
+        if: steps.target.outcome == 'success'
        uses: actions/checkout@v4

      # 3. Create the back‑port pull request
      - name: Create back‑port PR
-        uses: korthout/backport-action@v3
+        id: backport
+        if: steps.target.outcome == 'success'
+        uses: korthout/backport-action@v3.2.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          label_pattern: '' # don't read labels for targets
          target_branches: ${{ steps.target.outputs.branch }}
+          merge_commits: skip
+          conflict_resolution: draft_commit_conflicts
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -28,7 +28,7 @@ jobs:

      - name: Install generate
        run: |
-          curl -sSL https://github.com/cozystack/cozyvalues-gen/releases/download/v1.0.5/cozyvalues-gen-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ cozyvalues-gen
+          curl -sSL https://github.com/cozystack/cozyvalues-gen/releases/download/v1.0.6/cozyvalues-gen-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ cozyvalues-gen

      - name: Run pre-commit hooks
        run: |
--- a/3
+++ b/3
@@ -15,9 +15,9 @@ build: build-deps
 	make -C packages/extra/monitoring image
 	make -C packages/system/cozystack-api image
 	make -C packages/system/cozystack-controller image
+	make -C packages/system/backup-controller image
 	make -C packages/system/lineage-controller-webhook image
 	make -C packages/system/cilium image
-	make -C packages/system/kubeovn image
 	make -C packages/system/kubeovn-webhook image
 	make -C packages/system/kubeovn-plunger image
 	make -C packages/system/dashboard image
@@ -26,6 +26,7 @@ build: build-deps
 	make -C packages/system/bucket image
 	make -C packages/system/objectstorage-controller image
 	make -C packages/core/testing image
+	make -C packages/core/platform image
 	make -C packages/core/installer image
 	make manifests

--- a/api/.gitattributes
+++ b/api/.gitattributes
@@ -0,0 +1 @@
+zz_generated_deepcopy.go linguist-generated
--- a/api/backups/strategy/v1alpha1/groupversion_info.go
+++ b/api/backups/strategy/v1alpha1/groupversion_info.go
@@ -0,0 +1,37 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=strategy.backups.cozystack.io
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupVersion  = schema.GroupVersion{Group: "strategy.backups.cozystack.io", Version: "v1alpha1"}
+	SchemeBuilder = runtime.NewSchemeBuilder(addGroupVersion)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addGroupVersion(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+	return nil
+}
--- a/api/backups/strategy/v1alpha1/job_types.go
+++ b/api/backups/strategy/v1alpha1/job_types.go
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines strategy.backups.cozystack.io API types.
+//
+// Group: strategy.backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Job{},
+			&JobList{},
+		)
+		return nil
+	})
+}
+
+const (
+	JobStrategyKind = "Job"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+
+// Job defines a backup strategy using a one-shot Job
+type Job struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   JobSpec   `json:"spec,omitempty"`
+	Status JobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// JobList contains a list of backup Jobs.
+type JobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Job `json:"items"`
+}
+
+// JobSpec specifies the desired behavior of a backup job.
+type JobSpec struct {
+	// Template holds a PodTemplateSpec with the right shape to
+	// run a single pod to completion and create a tarball with
+	// a given apps data. Helm-like Go templates are supported.
+	// The values of the source application are available under
+	// `.Values`. `.Release.Name` and `.Release.Namespace` are
+	// also exported.
+	Template corev1.PodTemplateSpec `json:"template"`
+}
+
+type JobStatus struct {
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
--- a/api/backups/strategy/v1alpha1/zz_generated.deepcopy.go
+++ b/api/backups/strategy/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,123 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Job) DeepCopyInto(out *Job) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Job.
+func (in *Job) DeepCopy() *Job {
+	if in == nil {
+		return nil
+	}
+	out := new(Job)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Job) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobList) DeepCopyInto(out *JobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Job, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobList.
+func (in *JobList) DeepCopy() *JobList {
+	if in == nil {
+		return nil
+	}
+	out := new(JobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobSpec) DeepCopyInto(out *JobSpec) {
+	*out = *in
+	in.Template.DeepCopyInto(&out.Template)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobSpec.
+func (in *JobSpec) DeepCopy() *JobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(JobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobStatus) DeepCopyInto(out *JobStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobStatus.
+func (in *JobStatus) DeepCopy() *JobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(JobStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/api/backups/v1alpha1/DESIGN.md
+++ b/api/backups/v1alpha1/DESIGN.md
@@ -0,0 +1,421 @@
+# Cozystack Backups – Core API & Contracts (Draft)
+
+## 1. Overview
+
+Cozystack’s backup subsystem provides a generic, composable way to back up and restore managed applications:
+
+* Every **application instance** can have one or more **backup plans**.
+* Backups are stored in configurable **storage locations**.
+* The mechanics of *how* a backup/restore is performed are delegated to **strategy drivers**, each implementing driver-specific **BackupStrategy** CRDs.
+
+The core API:
+
+* Orchestrates **when** backups happen and **where** they’re stored.
+* Tracks **what** backups exist and their status.
+* Defines contracts with drivers via shared resources (`BackupJob`, `Backup`, `RestoreJob`).
+
+It does **not** implement the backup logic itself.
+
+This document covers only the **core** API and its contracts with drivers, not driver implementations.
+
+---
+
+## 2. Goals and non-goals
+
+### Goals
+
+* Provide a **stable core API** for:
+
+  * Declaring **backup plans** per application.
+  * Configuring **storage targets** (S3, in-cluster bucket, etc.).
+  * Tracking **backup artifacts**.
+  * Initiating and tracking **restores**.
+* Allow multiple **strategy drivers** to plug in, each supporting specific kinds of applications and strategies.
+* Let application/product authors implement backup for their kinds by:
+
+  * Creating **Plan** objects referencing a **driver-specific strategy**.
+  * Not having to write a backup engine themselves.
+
+### Non-goals
+
+* Implement backup logic for any specific application or storage backend.
+* Define the internal structure of driver-specific strategy CRDs.
+* Handle tenant-facing UI/UX (that’s built on top of these APIs).
+
+---
+
+## 3. Architecture
+
+High-level components:
+
+* **Core backups controller(s)** (Cozystack-owned):
+
+  * Group: `backups.cozystack.io`
+  * Own:
+
+    * `Plan`
+    * `BackupJob`
+    * `Backup`
+    * `RestoreJob`
+  * Responsibilities:
+
+    * Schedule backups based on `Plan`.
+    * Create `BackupJob` objects when due.
+    * Provide stable contracts for drivers to:
+
+      * Perform backups and create `Backup`s.
+      * Perform restores based on `Backup`s.
+
+* **Strategy drivers** (pluggable, possibly third-party):
+
+  * Their own API groups, e.g. `jobdriver.backups.cozystack.io`.
+  * Own **strategy CRDs** (e.g. `JobBackupStrategy`).
+  * Implement controllers that:
+
+    * Watch `BackupJob` / `RestoreJob`.
+    * Match runs whose `strategyRef` GVK they support.
+    * Execute backup/restore logic.
+    * Create and update `Backup` and run statuses.
+
+Strategy drivers and core communicate entirely via Kubernetes objects; there are no webhook/HTTP calls between them.
+
+* **Storage drivers** (pluggable, possibly third-party):
+
+  * **TBD**
+
+---
+
+## 4. Core API resources
+
+### 4.1 Plan
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=Plan`
+
+**Purpose**
+Describe **when**, **how**, and **where** to back up a specific managed application.
+
+**Key fields (spec)**
+
+```go
+type PlanSpec struct {
+    // Application to back up.
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+    // Where backups should be stored.
+    StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+    // Driver-specific BackupStrategy to use.
+    StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+    // When backups should run.
+    Schedule PlanSchedule `json:"schedule"`
+}
+```
+
+`PlanSchedule` (initially) supports only cron:
+
+```go
+type PlanScheduleType string
+
+const (
+    PlanScheduleTypeEmpty PlanScheduleType = ""
+    PlanScheduleTypeCron  PlanScheduleType = "cron"
+)
+```
+
+```go
+type PlanSchedule struct {
+    // Type is the schedule type. Currently only "cron" is supported.
+    // Defaults to "cron".
+    Type PlanScheduleType `json:"type,omitempty"`
+
+    // Cron expression (required for cron type).
+    Cron string `json:"cron,omitempty"`
+}
+```
+
+**Plan reconciliation contract**
+
+Core Plan controller:
+
+1. **Read schedule** from `spec.schedule` and compute the next fire time.
+2. When due:
+
+   * Create a `BackupJob` in the same namespace:
+
+     * `spec.planRef.name = plan.Name`
+     * `spec.applicationRef = plan.spec.applicationRef`
+     * `spec.storageRef = plan.spec.storageRef`
+     * `spec.strategyRef = plan.spec.strategyRef`
+     * `spec.triggeredBy = "Plan"`
+   * Set `ownerReferences` so the `BackupJob` is owned by the `Plan`.
+
+The Plan controller does **not**:
+
+* Execute backups itself.
+* Modify driver resources or `Backup` objects.
+* Touch `BackupJob.spec` after creation.
+
+---
+
+### 4.2 Storage
+
+**API Shape**
+
+TBD
+
+**Storage usage**
+
+* `Plan` and `BackupJob` reference `Storage` via `TypedLocalObjectReference`.
+* Drivers read `Storage` to know how/where to store or read artifacts.
+* Core treats `Storage` spec as opaque; it does not directly talk to S3 or buckets.
+
+---
+
+### 4.3 BackupJob
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=BackupJob`
+
+**Purpose**
+Represent a single **execution** of a backup operation, typically created when a `Plan` fires or when a user triggers an ad-hoc backup.
+
+**Key fields (spec)**
+
+```go
+type BackupJobSpec struct {
+    // Plan that triggered this run, if any.
+    PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+    // Application to back up.
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+    // Storage to use.
+    StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+    // Driver-specific BackupStrategy to use.
+    StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+    // Informational: what triggered this run ("Plan", "Manual", etc.).
+    TriggeredBy string `json:"triggeredBy,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type BackupJobStatus struct {
+    Phase       BackupJobPhase         `json:"phase,omitempty"`
+    BackupRef   *corev1.LocalObjectReference `json:"backupRef,omitempty"`
+    StartedAt   *metav1.Time           `json:"startedAt,omitempty"`
+    CompletedAt *metav1.Time           `json:"completedAt,omitempty"`
+    Message     string                 `json:"message,omitempty"`
+    Conditions  []metav1.Condition     `json:"conditions,omitempty"`
+}
+```
+
+`BackupJobPhase` is one of: `Pending`, `Running`, `Succeeded`, `Failed`.
+
+**BackupJob contract with drivers**
+
+* Core **creates** `BackupJob` and must treat `spec` as immutable afterwards.
+* Each driver controller:
+
+  * Watches `BackupJob`.
+  * Reconciles runs where `spec.strategyRef.apiGroup/kind` matches its **strategy type(s)**.
+* Driver responsibilities:
+
+  1. On first reconcile:
+
+     * Set `status.startedAt` if unset.
+     * Set `status.phase = Running`.
+  2. Resolve inputs:
+
+     * Read `Strategy` (driver-owned CRD), `Storage`, `Application`, optionally `Plan`.
+  3. Execute backup logic (implementation-specific).
+  4. On success:
+
+     * Create a `Backup` resource (see below).
+     * Set `status.backupRef` to the created `Backup`.
+     * Set `status.completedAt`.
+     * Set `status.phase = Succeeded`.
+  5. On failure:
+
+     * Set `status.completedAt`.
+     * Set `status.phase = Failed`.
+     * Set `status.message` and conditions.
+
+Drivers must **not** modify `BackupJob.spec` or delete `BackupJob` themselves.
+
+---
+
+### 4.4 Backup
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=Backup`
+
+**Purpose**
+Represent a single **backup artifact** for a given application, decoupled from a particular run. usable as a stable, listable “thing you can restore from”.
+
+**Key fields (spec)**
+
+```go
+type BackupSpec struct {
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+    PlanRef        *corev1.LocalObjectReference     `json:"planRef,omitempty"`
+    StorageRef     corev1.TypedLocalObjectReference `json:"storageRef"`
+    StrategyRef    corev1.TypedLocalObjectReference `json:"strategyRef"`
+    TakenAt        metav1.Time                      `json:"takenAt"`
+    DriverMetadata map[string]string                `json:"driverMetadata,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type BackupStatus struct {
+    Phase      BackupPhase       `json:"phase,omitempty"` // Pending, Ready, Failed, etc.
+    Artifact   *BackupArtifact   `json:"artifact,omitempty"`
+    Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+```
+
+`BackupArtifact` describes the artifact (URI, size, checksum).
+
+**Backup contract with drivers**
+
+* On successful completion of a `BackupJob`, the **driver**:
+
+  * Creates a `Backup` in the same namespace (typically owned by the `BackupJob`).
+  * Populates `spec` fields with:
+
+    * The application, storage, strategy references.
+    * `takenAt`.
+    * Optional `driverMetadata`.
+  * Sets `status` with:
+
+    * `phase = Ready` (or equivalent when fully usable).
+    * `artifact` describing the stored object.
+* Core:
+
+  * Treats `Backup` spec as mostly immutable and opaque.
+  * Uses it to:
+
+    * List backups for a given application/plan.
+    * Anchor `RestoreJob` operations.
+    * Implement higher-level policies (retention) if needed.
+
+---
+
+### 4.5 RestoreJob
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=RestoreJob`
+
+**Purpose**
+Represent a single **restore operation** from a `Backup`, either back into the same application or into a new target application.
+
+**Key fields (spec)**
+
+```go
+type RestoreJobSpec struct {
+    // Backup to restore from.
+    BackupRef corev1.LocalObjectReference `json:"backupRef"`
+
+    // Target application; if omitted, drivers SHOULD restore into
+    // backup.spec.applicationRef.
+    TargetApplicationRef *corev1.TypedLocalObjectReference `json:"targetApplicationRef,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type RestoreJobStatus struct {
+    Phase       RestoreJobPhase   `json:"phase,omitempty"` // Pending, Running, Succeeded, Failed
+    StartedAt   *metav1.Time      `json:"startedAt,omitempty"`
+    CompletedAt *metav1.Time      `json:"completedAt,omitempty"`
+    Message     string            `json:"message,omitempty"`
+    Conditions  []metav1.Condition `json:"conditions,omitempty"`
+}
+```
+
+**RestoreJob contract with drivers**
+
+* RestoreJob is created either manually or by core.
+* Driver controller:
+
+  1. Watches `RestoreJob`.
+  2. On reconcile:
+
+     * Fetches the referenced `Backup`.
+     * Determines effective:
+
+       * **Strategy**: `backup.spec.strategyRef`.
+       * **Storage**: `backup.spec.storageRef`.
+       * **Target application**: `spec.targetApplicationRef` or `backup.spec.applicationRef`.
+     * If effective strategy’s GVK is one of its supported strategy types → driver is responsible.
+  3. Behaviour:
+
+     * On first reconcile, set `status.startedAt` and `phase = Running`.
+     * Resolve `Backup`, `Storage`, `Strategy`, target application.
+     * Execute restore logic (implementation-specific).
+     * On success:
+
+       * Set `status.completedAt`.
+       * Set `status.phase = Succeeded`.
+     * On failure:
+
+       * Set `status.completedAt`.
+       * Set `status.phase = Failed`.
+       * Set `status.message` and conditions.
+
+Drivers must not modify `RestoreJob.spec` or delete `RestoreJob`.
+
+---
+
+## 5. Strategy drivers (high-level)
+
+Strategy drivers are separate controllers that:
+
+* Define their own **strategy CRDs** (e.g. `JobBackupStrategy`) in their own API groups:
+
+  * e.g. `jobdriver.backups.cozystack.io/v1alpha1, Kind=JobBackupStrategy`
+* Implement the **BackupJob contract**:
+
+  * Watch `BackupJob`.
+  * Filter by `spec.strategyRef.apiGroup/kind`.
+  * Execute backup logic.
+  * Create/update `Backup`.
+* Implement the **RestoreJob contract**:
+
+  * Watch `RestoreJob`.
+  * Resolve `Backup`, then effective `strategyRef`.
+  * Filter by effective strategy GVK.
+  * Execute restore logic.
+
+The core backups API **does not** dictate:
+
+* The fields and structure of driver strategy specs.
+* How drivers implement backup/restore internally (Jobs, snapshots, native operator CRDs, etc.).
+
+Drivers are interchangeable as long as they respect:
+
+* The `BackupJob` and `RestoreJob` contracts.
+* The shapes and semantics of `Backup` objects.
+
+---
+
+## 6. Summary
+
+The Cozystack backups core API:
+
+* Uses a single group, `backups.cozystack.io`, for all core CRDs.
+* Cleanly separates:
+
+  * **When & where** (Plan + Storage) – core-owned.
+  * **What backup artifacts exist** (Backup) – driver-created but cluster-visible.
+  * **Execution lifecycle** (BackupJob, RestoreJob) – shared contract boundary.
+* Allows multiple strategy drivers to implement backup/restore logic without entangling their implementation with the core API.
+
--- a/api/backups/v1alpha1/backup_types.go
+++ b/api/backups/v1alpha1/backup_types.go
@@ -0,0 +1,118 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Backup{},
+			&BackupList{},
+		)
+		return nil
+	})
+}
+
+// BackupPhase represents the lifecycle phase of a Backup.
+type BackupPhase string
+
+const (
+	BackupPhaseEmpty   BackupPhase = ""
+	BackupPhasePending BackupPhase = "Pending"
+	BackupPhaseReady   BackupPhase = "Ready"
+	BackupPhaseFailed  BackupPhase = "Failed"
+)
+
+// BackupArtifact describes the stored backup object (tarball, snapshot, etc.).
+type BackupArtifact struct {
+	// URI is a driver-/storage-specific URI pointing to the backup artifact.
+	// For example: s3://bucket/prefix/file.tar.gz
+	URI string `json:"uri"`
+
+	// SizeBytes is the size of the artifact in bytes, if known.
+	// +optional
+	SizeBytes int64 `json:"sizeBytes,omitempty"`
+
+	// Checksum is the checksum of the artifact, if computed.
+	// For example: "sha256:<hex>".
+	// +optional
+	Checksum string `json:"checksum,omitempty"`
+}
+
+// BackupSpec describes an immutable backup artifact produced by a BackupJob.
+type BackupSpec struct {
+	// ApplicationRef refers to the application that was backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// PlanRef refers to the Plan that produced this backup, if any.
+	// For manually triggered backups, this can be omitted.
+	// +optional
+	PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+	// StorageRef refers to the Storage object that describes where the backup
+	// artifact is stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef refers to the driver-specific BackupStrategy that was used
+	// to create this backup. This allows the driver to later perform restores.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+	// TakenAt is the time at which the backup was taken (as reported by the
+	// driver). It may differ slightly from metadata.creationTimestamp.
+	TakenAt metav1.Time `json:"takenAt"`
+
+	// DriverMetadata holds driver-specific, opaque metadata associated with
+	// this backup (for example snapshot IDs, schema versions, etc.).
+	// This data is not interpreted by the core backup controllers.
+	// +optional
+	DriverMetadata map[string]string `json:"driverMetadata,omitempty"`
+}
+
+// BackupStatus represents the observed state of a Backup.
+type BackupStatus struct {
+	// Phase is a simple, high-level summary of the backup's state.
+	// Typical values are: Pending, Ready, Failed.
+	// +optional
+	Phase BackupPhase `json:"phase,omitempty"`
+
+	// Artifact describes the stored backup object, if available.
+	// +optional
+	Artifact *BackupArtifact `json:"artifact,omitempty"`
+
+	// Conditions represents the latest available observations of a Backup's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// Backup represents a single backup artifact for a given application.
+type Backup struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   BackupSpec   `json:"spec,omitempty"`
+	Status BackupStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// BackupList contains a list of Backups.
+type BackupList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Backup `json:"items"`
+}
--- a/api/backups/v1alpha1/backupjob_types.go
+++ b/api/backups/v1alpha1/backupjob_types.go
@@ -0,0 +1,109 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&BackupJob{},
+			&BackupJobList{},
+		)
+		return nil
+	})
+}
+
+// BackupJobPhase represents the lifecycle phase of a BackupJob.
+type BackupJobPhase string
+
+const (
+	BackupJobPhaseEmpty     BackupJobPhase = ""
+	BackupJobPhasePending   BackupJobPhase = "Pending"
+	BackupJobPhaseRunning   BackupJobPhase = "Running"
+	BackupJobPhaseSucceeded BackupJobPhase = "Succeeded"
+	BackupJobPhaseFailed    BackupJobPhase = "Failed"
+)
+
+// BackupJobSpec describes the execution of a single backup operation.
+type BackupJobSpec struct {
+	// PlanRef refers to the Plan that requested this backup run.
+	// For ad-hoc/manual backups, this can be omitted.
+	// +optional
+	PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+	// ApplicationRef holds a reference to the managed application whose state
+	// is being backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// StorageRef holds a reference to the Storage object that describes where
+	// the backup will be stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef holds a reference to the driver-specific BackupStrategy object
+	// that describes how the backup should be created.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+}
+
+// BackupJobStatus represents the observed state of a BackupJob.
+type BackupJobStatus struct {
+	// Phase is a high-level summary of the run's state.
+	// Typical values: Pending, Running, Succeeded, Failed.
+	// +optional
+	Phase BackupJobPhase `json:"phase,omitempty"`
+
+	// BackupRef refers to the Backup object created by this run, if any.
+	// +optional
+	BackupRef *corev1.LocalObjectReference `json:"backupRef,omitempty"`
+
+	// StartedAt is the time at which the backup run started.
+	// +optional
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+
+	// CompletedAt is the time at which the backup run completed (successfully
+	// or otherwise).
+	// +optional
+	CompletedAt *metav1.Time `json:"completedAt,omitempty"`
+
+	// Message is a human-readable message indicating details about why the
+	// backup run is in its current phase, if any.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// Conditions represents the latest available observations of a BackupJob's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// BackupJob represents a single execution of a backup.
+// It is typically created by a Plan controller when a schedule fires.
+type BackupJob struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   BackupJobSpec   `json:"spec,omitempty"`
+	Status BackupJobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// BackupJobList contains a list of BackupJobs.
+type BackupJobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []BackupJob `json:"items"`
+}
--- a/api/backups/v1alpha1/groupversion_info.go
+++ b/api/backups/v1alpha1/groupversion_info.go
@@ -0,0 +1,37 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=backups.cozystack.io
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupVersion  = schema.GroupVersion{Group: "backups.cozystack.io", Version: "v1alpha1"}
+	SchemeBuilder = runtime.NewSchemeBuilder(addGroupVersion)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addGroupVersion(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+	return nil
+}
--- a/api/backups/v1alpha1/plan_types.go
+++ b/api/backups/v1alpha1/plan_types.go
@@ -0,0 +1,98 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Plan{},
+			&PlanList{},
+		)
+		return nil
+	})
+}
+
+type PlanScheduleType string
+
+const (
+	PlanScheduleTypeEmpty PlanScheduleType = ""
+	PlanScheduleTypeCron  PlanScheduleType = "cron"
+)
+
+// Condtions
+const (
+	PlanConditionError = "Error"
+)
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// Plan describes the schedule, method and storage location for the
+// backup of a given target application.
+type Plan struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PlanSpec   `json:"spec,omitempty"`
+	Status PlanStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PlanList contains a list of backup Plans.
+type PlanList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Plan `json:"items"`
+}
+
+// PlanSpec references the storage, the strategy, the application to be
+// backed up and specifies the timetable on which the backups will run.
+type PlanSpec struct {
+	// ApplicationRef holds a reference to the managed application,
+	// whose state and configuration must be backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// StorageRef holds a reference to the Storage object that
+	// describes the location where the backup will be stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef holds a reference to the Strategy object that
+	// describes, how a backup copy is to be created.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+	// Schedule specifies when backup copies are created.
+	Schedule PlanSchedule `json:"schedule"`
+}
+
+// PlanSchedule specifies when backup copies are created.
+type PlanSchedule struct {
+	// Type is the type of schedule specification. Supported values are
+	// [`cron`]. If omitted, defaults to `cron`.
+	// +optional
+	Type PlanScheduleType `json:"type,omitempty"`
+
+	// Cron contains the cron spec for scheduling backups. Must be
+	// specified if the schedule type is `cron`. Since only `cron` is
+	// supported, omitting this field is not allowed.
+	// +optional
+	Cron string `json:"cron,omitempty"`
+}
+
+type PlanStatus struct {
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
--- a/api/backups/v1alpha1/restorejob_types.go
+++ b/api/backups/v1alpha1/restorejob_types.go
@@ -0,0 +1,91 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&RestoreJob{},
+			&RestoreJobList{},
+		)
+		return nil
+	})
+}
+
+// RestoreJobPhase represents the lifecycle phase of a RestoreJob.
+type RestoreJobPhase string
+
+const (
+	RestoreJobPhaseEmpty     RestoreJobPhase = ""
+	RestoreJobPhasePending   RestoreJobPhase = "Pending"
+	RestoreJobPhaseRunning   RestoreJobPhase = "Running"
+	RestoreJobPhaseSucceeded RestoreJobPhase = "Succeeded"
+	RestoreJobPhaseFailed    RestoreJobPhase = "Failed"
+)
+
+// RestoreJobSpec describes the execution of a single restore operation.
+type RestoreJobSpec struct {
+	// BackupRef refers to the Backup that should be restored.
+	BackupRef corev1.LocalObjectReference `json:"backupRef"`
+
+	// TargetApplicationRef refers to the application into which the backup
+	// should be restored. If omitted, the driver SHOULD restore into the same
+	// application as referenced by backup.spec.applicationRef.
+	// +optional
+	TargetApplicationRef *corev1.TypedLocalObjectReference `json:"targetApplicationRef,omitempty"`
+}
+
+// RestoreJobStatus represents the observed state of a RestoreJob.
+type RestoreJobStatus struct {
+	// Phase is a high-level summary of the run's state.
+	// Typical values: Pending, Running, Succeeded, Failed.
+	// +optional
+	Phase RestoreJobPhase `json:"phase,omitempty"`
+
+	// StartedAt is the time at which the restore run started.
+	// +optional
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+
+	// CompletedAt is the time at which the restore run completed (successfully
+	// or otherwise).
+	// +optional
+	CompletedAt *metav1.Time `json:"completedAt,omitempty"`
+
+	// Message is a human-readable message indicating details about why the
+	// restore run is in its current phase, if any.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// Conditions represents the latest available observations of a RestoreJob's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RestoreJob represents a single execution of a restore from a Backup.
+type RestoreJob struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   RestoreJobSpec   `json:"spec,omitempty"`
+	Status RestoreJobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RestoreJobList contains a list of RestoreJobs.
+type RestoreJobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []RestoreJob `json:"items"`
+}
--- a/api/backups/v1alpha1/zz_generated.deepcopy.go
+++ b/api/backups/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,501 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Backup) DeepCopyInto(out *Backup) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Backup.
+func (in *Backup) DeepCopy() *Backup {
+	if in == nil {
+		return nil
+	}
+	out := new(Backup)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Backup) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupArtifact) DeepCopyInto(out *BackupArtifact) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupArtifact.
+func (in *BackupArtifact) DeepCopy() *BackupArtifact {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupArtifact)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJob) DeepCopyInto(out *BackupJob) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJob.
+func (in *BackupJob) DeepCopy() *BackupJob {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJob)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupJob) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobList) DeepCopyInto(out *BackupJobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]BackupJob, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobList.
+func (in *BackupJobList) DeepCopy() *BackupJobList {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupJobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobSpec) DeepCopyInto(out *BackupJobSpec) {
+	*out = *in
+	if in.PlanRef != nil {
+		in, out := &in.PlanRef, &out.PlanRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobSpec.
+func (in *BackupJobSpec) DeepCopy() *BackupJobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobStatus) DeepCopyInto(out *BackupJobStatus) {
+	*out = *in
+	if in.BackupRef != nil {
+		in, out := &in.BackupRef, &out.BackupRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	if in.StartedAt != nil {
+		in, out := &in.StartedAt, &out.StartedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.CompletedAt != nil {
+		in, out := &in.CompletedAt, &out.CompletedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobStatus.
+func (in *BackupJobStatus) DeepCopy() *BackupJobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupList) DeepCopyInto(out *BackupList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Backup, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupList.
+func (in *BackupList) DeepCopy() *BackupList {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupSpec) DeepCopyInto(out *BackupSpec) {
+	*out = *in
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	if in.PlanRef != nil {
+		in, out := &in.PlanRef, &out.PlanRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+	in.TakenAt.DeepCopyInto(&out.TakenAt)
+	if in.DriverMetadata != nil {
+		in, out := &in.DriverMetadata, &out.DriverMetadata
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupSpec.
+func (in *BackupSpec) DeepCopy() *BackupSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupStatus) DeepCopyInto(out *BackupStatus) {
+	*out = *in
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(BackupArtifact)
+		**out = **in
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupStatus.
+func (in *BackupStatus) DeepCopy() *BackupStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Plan) DeepCopyInto(out *Plan) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Plan.
+func (in *Plan) DeepCopy() *Plan {
+	if in == nil {
+		return nil
+	}
+	out := new(Plan)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Plan) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanList) DeepCopyInto(out *PlanList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Plan, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanList.
+func (in *PlanList) DeepCopy() *PlanList {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PlanList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanSchedule) DeepCopyInto(out *PlanSchedule) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanSchedule.
+func (in *PlanSchedule) DeepCopy() *PlanSchedule {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanSchedule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanSpec) DeepCopyInto(out *PlanSpec) {
+	*out = *in
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+	out.Schedule = in.Schedule
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanSpec.
+func (in *PlanSpec) DeepCopy() *PlanSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanStatus) DeepCopyInto(out *PlanStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanStatus.
+func (in *PlanStatus) DeepCopy() *PlanStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJob) DeepCopyInto(out *RestoreJob) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJob.
+func (in *RestoreJob) DeepCopy() *RestoreJob {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJob)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RestoreJob) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobList) DeepCopyInto(out *RestoreJobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RestoreJob, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobList.
+func (in *RestoreJobList) DeepCopy() *RestoreJobList {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RestoreJobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobSpec) DeepCopyInto(out *RestoreJobSpec) {
+	*out = *in
+	out.BackupRef = in.BackupRef
+	if in.TargetApplicationRef != nil {
+		in, out := &in.TargetApplicationRef, &out.TargetApplicationRef
+		*out = new(v1.TypedLocalObjectReference)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobSpec.
+func (in *RestoreJobSpec) DeepCopy() *RestoreJobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobStatus) DeepCopyInto(out *RestoreJobStatus) {
+	*out = *in
+	if in.StartedAt != nil {
+		in, out := &in.StartedAt, &out.StartedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.CompletedAt != nil {
+		in, out := &in.CompletedAt, &out.CompletedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobStatus.
+func (in *RestoreJobStatus) DeepCopy() *RestoreJobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/cmd/backup-controller/main.go
+++ b/cmd/backup-controller/main.go
@@ -0,0 +1,174 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(backupsv1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	// Configure rate limiting for the Kubernetes client
+	config := ctrl.GetConfigOrDie()
+	config.QPS = 50.0  // Increased from default 5.0
+	config.Burst = 100 // Increased from default 10
+
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "core.backups.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	if err = (&backupcontroller.PlanReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Plan")
+		os.Exit(1)
+	}
+
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}
--- a/cmd/backupstrategy-controller/main.go
+++ b/cmd/backupstrategy-controller/main.go
@@ -0,0 +1,174 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(backupsv1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	// Configure rate limiting for the Kubernetes client
+	config := ctrl.GetConfigOrDie()
+	config.QPS = 50.0  // Increased from default 5.0
+	config.Burst = 100 // Increased from default 10
+
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "strategy.backups.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	if err = (&backupcontroller.BackupJobStrategyReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Job")
+		os.Exit(1)
+	}
+
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}
--- a/docs/agents/changelog.md
+++ b/docs/agents/changelog.md
@@ -139,15 +139,15 @@ This will include all commits from v0.37.1, v0.37.2, v0.37.3, etc., up to v0.38.
 Cozystack release may include changes from related repositories. Check and include commits from these repositories if tags were released during the release period:

 **Required repositories:**
- **Documentation**: https://github.com/cozystack/website
+- **Documentation**: [https://github.com/cozystack/website](https://github.com/cozystack/website)
  - **MANDATORY**: Always check this repository for documentation changes during the release period
  - **MANDATORY**: Get GitHub username for EVERY commit. Extract PR number from commit message, then use `gh pr view <PR_NUMBER> --repo cozystack/website --json author --jq .author.login` to get PR author. Only if no PR number, fall back to `gh api repos/cozystack/website/commits/<hash> --jq '.author.login'`

 **Optional repositories (MUST check ALL of them for tags during release period):**
- https://github.com/cozystack/talm
- https://github.com/cozystack/boot-to-talos
- https://github.com/cozystack/cozypkg
- https://github.com/cozystack/cozy-proxy
+- [https://github.com/cozystack/talm](https://github.com/cozystack/talm)
+- [https://github.com/cozystack/boot-to-talos](https://github.com/cozystack/boot-to-talos)
+- [https://github.com/cozystack/cozypkg](https://github.com/cozystack/cozypkg)
+- [https://github.com/cozystack/cozy-proxy](https://github.com/cozystack/cozy-proxy)

 **⚠️ IMPORTANT**: You MUST check ALL optional repositories for tags created during the release period. Do NOT skip this step even if you think there might not be any tags. Use the process below to verify.

@@ -309,21 +309,21 @@ git log <previous_version>..<new_version> --format="%s%n%b" | grep -oE '#[0-9]+'
   
   **Why this matters**: Using the wrong author in changelogs gives incorrect credit and can confuse contributors. The merge/squash commit is created by the person who clicks "Merge" in GitHub, not the PR author.
   
-   **For commits without PR numbers (rare):**
-   - Only if a commit has no PR number, fall back to commit author: `gh api repos/cozystack/cozystack/commits/<hash> --jq '.author.login'`
-   - But this should be very rare - most commits should have PR numbers
+**For commits without PR numbers (rare):**
+- Only if a commit has no PR number, fall back to commit author: `gh api repos/cozystack/cozystack/commits/<hash> --jq '.author.login'`
+- But this should be very rare - most commits should have PR numbers

 **Extract PR number from commit messages:**
-   - Check commit message subject (`%s`) and body (`%b`) for PR references: `#1234` or `(#1234)`
-   - **Primary method**: Extract from commit message format `(#PR_NUMBER)` or `in #PR_NUMBER` or `Merge pull request #1234`
-   - Use regex: `grep -oE '#[0-9]+'` to find all PR numbers
-   
-   **⚠️ CRITICAL: Verify PR numbers match commit messages!**
-   - Always verify that the PR number in the changelog matches the PR number in the commit message
-   - Common mistake: Using wrong PR number (e.g., #1614 instead of #1617) when multiple similar commits exist
-   - To verify: Check the actual commit message: `git log <commit_hash> -1 --format="%s%n%b" | grep -oE '#[0-9]+'`
-   - If multiple PR numbers appear in a commit, use the one that matches the PR title/description
-   - For merge commits, check the merged branch commits, not just the merge commit message
+- Check commit message subject (`%s`) and body (`%b`) for PR references: `#1234` or `(#1234)`
+- **Primary method**: Extract from commit message format `(#PR_NUMBER)` or `in #PR_NUMBER` or `Merge pull request #1234`
+- Use regex: `grep -oE '#[0-9]+'` to find all PR numbers
+
+**⚠️ CRITICAL: Verify PR numbers match commit messages!**
+- Always verify that the PR number in the changelog matches the PR number in the commit message
+- Common mistake: Using wrong PR number (e.g., #1614 instead of #1617) when multiple similar commits exist
+- To verify: Check the actual commit message: `git log <commit_hash> -1 --format="%s%n%b" | grep -oE '#[0-9]+'`
+- If multiple PR numbers appear in a commit, use the one that matches the PR title/description
+- For merge commits, check the merged branch commits, not just the merge commit message

 3. **Understand the change:**
   ```bash
--- a/docs/agents/contributing.md
+++ b/docs/agents/contributing.md
@@ -95,6 +95,83 @@ Clean up:
 rm /tmp/pr_body.md
 ```

+## Addressing AI Bot Reviewer Comments
+
+When the user asks to fix comments from AI bot reviewers (like Qodo, Copilot, etc.):
+
+### 1. Get PR Comments
+
+View all comments on the pull request:
+
+```bash
+gh pr view <PR-number> --comments
+```
+
+Or for the current branch:
+
+```bash
+gh pr view --comments
+```
+
+### 2. Review Each Comment Carefully
+
+**Important**: Do NOT blindly apply all suggestions. Each comment should be evaluated:
+
+- **Consider context** - Does the suggestion make sense for this specific case?
+- **Check project conventions** - Does it align with Cozystack patterns?
+- **Evaluate impact** - Will this improve code quality or introduce issues?
+- **Question validity** - AI bots can be wrong or miss context
+
+**When to apply:**
+- ✅ Legitimate bugs or security issues
+- ✅ Clear improvements to code quality
+- ✅ Better error handling or edge cases
+- ✅ Conformance to project conventions
+
+**When to skip:**
+- ❌ Stylistic preferences that don't match project style
+- ❌ Over-engineering simple code
+- ❌ Changes that break existing patterns
+- ❌ Suggestions that show misunderstanding of the code
+
+### 3. Apply Valid Fixes
+
+Make changes addressing the valid comments. Use your judgment.
+
+### 4. Leave Changes Uncommitted
+
+**Critical**: Do NOT commit or push the changes automatically.
+
+Leave the changes in the working directory so the user can:
+- Review the fixes
+- Decide whether to commit them
+- Make additional adjustments if needed
+
+```bash
+# After making changes, show status but DON'T commit
+git status
+git diff
+```
+
+The user will commit and push when ready.
+
+### Example Workflow
+
+```bash
+# Get PR comments
+gh pr view 1234 --comments
+
+# Review comments and identify valid ones
+# Make necessary changes to address valid comments
+# ... edit files ...
+
+# Show what was changed (but don't commit)
+git status
+git diff
+
+# Tell the user what was fixed and what was skipped
+```
+
 ## Git Permissions

 Request these permissions when needed:
--- a/docs/changelogs/v0.37.1.md
+++ b/docs/changelogs/v0.37.1.md
@@ -0,0 +1,31 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.37.1
+-->
+
+## Features and Improvements
+
+* **[api] Efficient listing of TenantNamespaces**: Optimized TenantNamespace listing by replacing per-namespace SubjectAccessReview calls with group-based rolebinding checks, significantly reducing API latency and improving performance ([**@lllamnyp**](https://github.com/lllamnyp) in #1507).
+
+## Fixes
+
+* **[api] Fix RBAC for listing of TenantNamespaces and handle system:masters**: Fixed regression in TenantNamespace listing RBAC and added proper handling for system:masters group to ensure correct authorization ([**@kvaps**](https://github.com/kvaps) in #1511).
+* **[dashboard] Fix logout**: Fixed dashboard logout functionality to properly clear session and redirect users ([**@kvaps**](https://github.com/kvaps) in #1510).
+* **[installer] Add additional check to wait for lineage-webhook**: Added additional readiness check to ensure lineage-webhook is fully ready before proceeding with installation, improving upgrade reliability ([**@kvaps**](https://github.com/kvaps) in #1506).
+
+## Development, Testing, and CI/CD
+
+* **[tests] Make Kubernetes tests POSIX-compatible**: Replaced bash-specific constructs with POSIX-compliant code, ensuring tests work reliably with /bin/sh and improving compatibility across different shell environments ([**@IvanHunters**](https://github.com/IvanHunters) in #1509).
+
+## Documentation
+
+* **[website] Update troubleshooting documentation**: Updated Kubernetes installation troubleshooting guide with additional information and fixes ([**@lb0o**](https://github.com/lb0o) in cozystack/website@82beddd).
+* **[website] Add LLDPD disabling documentation**: Added minimal patch documentation for disabling lldpd based on official LLDPD usage guide ([**@lb0o**](https://github.com/lb0o) in cozystack/website@7ec5d7b).
+* **[website] Fix typo in utility command**: Fixed typo in utility command documentation ([**@lb0o**](https://github.com/lb0o) in cozystack/website@6c76cb5).
+* **[website] Update backup and recovery docs**: Updated backup and recovery documentation with latest information ([**@kvaps**](https://github.com/kvaps) in cozystack/website@2781aa5).
+* **[website] Add Troubleshooting checklist**: Added troubleshooting checklist to help users diagnose and resolve common issues ([**@kvaps**](https://github.com/kvaps) in cozystack/website@59fc304).
+
+---
+
+**Full Changelog**: [v0.37.0...v0.37.1](https://github.com/cozystack/cozystack/compare/v0.37.0...v0.37.1)
+
--- a/docs/changelogs/v0.37.2.md
+++ b/docs/changelogs/v0.37.2.md
@@ -0,0 +1,21 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.37.2
+-->
+
+## Features and Improvements
+
+* **[lineage] Separate webhook from cozy controller**: Separated the lineage-controller-webhook from cozystack-controller into a separate daemonset component deployed on all control-plane nodes, reducing API server latency and improving performance by decreasing outgoing API calls. Introduced internal label to track resources already handled by the webhook ([**@lllamnyp**](https://github.com/lllamnyp) in #1515).
+
+## Fixes
+
+* **[api] Fix listing tenantnamespaces for non-oidc users**: Fixed TenantNamespace listing functionality for users not using OIDC authentication, ensuring proper namespace visibility for all authentication methods ([**@kvaps**](https://github.com/kvaps) in #1517, #1519).
+
+## Migration and Upgrades
+
+* **[platform] Better migration for 0.36.2->0.37.2+**: Improved migration script for users upgrading directly from 0.36.2 to 0.37.2+, ensuring the new lineage webhook daemonset is properly deployed and fixing a bug where webhook readiness was not appropriately verified during migration ([**@lllamnyp**](https://github.com/lllamnyp) in #1521, #1522).
+
+---
+
+**Full Changelog**: [v0.37.1...v0.37.2](https://github.com/cozystack/cozystack/compare/v0.37.1...v0.37.2)
+
--- a/docs/changelogs/v0.37.3.md
+++ b/docs/changelogs/v0.37.3.md
@@ -0,0 +1,45 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.37.3
+-->
+
+## Features and Improvements
+
+* **[apps] Make VM service user facing**: Virtual machine services are now marked as user-facing, improving service discovery and visibility in the dashboard ([**@lllamnyp**](https://github.com/lllamnyp) in #1523).
+* **[seaweedfs] Allow users to discover their buckets**: Users can now discover and list their S3 buckets in SeaweedFS, improving usability and bucket management ([**@kvaps**](https://github.com/kvaps) in #1528).
+* **[seaweedfs] Update SeaweedFS v3.99 and deploy S3 as stacked service**: Updated SeaweedFS to version 3.99 and deployed S3 gateway as a stacked service for better integration and performance ([**@kvaps**](https://github.com/kvaps) in #1562).
+* **[dashboard] Show service LB IP**: Fixed JSON path issue to correctly display Service LoadBalancer IPs in the dashboard table view, improving visibility of service endpoints ([**@lllamnyp**](https://github.com/lllamnyp) in #1524).
+* **[dashboard] Update openapi-ui v1.0.3 + fixes**: Updated OpenAPI UI to version 1.0.3 with various fixes and improvements ([**@kvaps**](https://github.com/kvaps) in #1564).
+* **[kubernetes] Use controlPlane.replicas field**: Fixed managed Kubernetes app to properly use the `controlPlane.replicas` field instead of hardcoding the value, allowing users to configure control plane replica count ([**@lllamnyp**](https://github.com/lllamnyp) in #1556).
+* **[monitoring] add settings alert for slack**: Added Slack integration configuration for Alerta alerts, enabling notifications to Slack channels ([**@scooby87**](https://github.com/scooby87) in #1545).
+
+## Fixes
+
+* **[lineage] Check for nil chart in HelmRelease**: Added nil check to prevent crashes when lineage webhook encounters HelmReleases using `chartRef` instead of `chart`, improving stability ([**@lllamnyp**](https://github.com/lllamnyp) in #1525).
+* **[kamaji] Respect 3rd party labels**: Applied patch to Kamaji controller to respect third-party labels, preventing reconciliation loops between lineage webhook and Kamaji controller ([**@lllamnyp**](https://github.com/lllamnyp) in #1531, #1534).
+* **[redis-operator] Build patched operator in-tree**: Moved Redis operator build into Cozystack organization and patched it to prevent overwriting third-party labels on owned resources ([**@lllamnyp**](https://github.com/lllamnyp) in #1547).
+* **[mariadb-operator] Add post-delete job to remove PVCs**: Added post-delete job to automatically remove PersistentVolumeClaims when MariaDB instances are deleted, preventing orphaned storage resources ([**@IvanHunters**](https://github.com/IvanHunters) in #1553).
+* **[velero] Set defaultItemOperationTimeout=24h**: Set default item operation timeout to 24 hours for Velero backups, preventing timeouts on large backup operations ([**@kvaps**](https://github.com/kvaps) in #1542).
+
+## Dependencies
+
+* **Update LINSTOR v1.32.3**: Updated LINSTOR to version 1.32.3 with latest features and bug fixes ([**@kvaps**](https://github.com/kvaps) in #1565).
+
+## System Configuration
+
+* **[system] kube-ovn: turn off enableLb**: Disabled load balancer functionality in Kube-OVN configuration ([**@nbykov0**](https://github.com/nbykov0) in #1548).
+
+## Documentation
+
+* **[website] Update LINSTOR documentation**: Updated LINSTOR guide and set failmode=continue for ZFS configurations ([**@kvaps**](https://github.com/kvaps) in cozystack/website@033804e).
+* **[website] Update managed apps reference**: Updated managed applications reference documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b886a74).
+* **[website] Update external apps documentation**: Updated documentation for external applications ([**@kvaps**](https://github.com/kvaps) in cozystack/website@565dad9).
+* **[website] Add naming conventions**: Added naming conventions documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b227abb).
+* **[website] Update golden image documentation**: Updated documentation for creating golden images for virtual machines ([**@kvaps**](https://github.com/kvaps) in cozystack/website@34c2f3a, cozystack/website@ef65593).
+* **[website] Fix documentation formatting**: Fixed alerts, infoboxes, tabs styles and main page formatting ([**@kvaps**](https://github.com/kvaps) in cozystack/website@e992e97, cozystack/website@b2c4dee).
+* **[website] Fix typo in blog article**: Fixed typo in blog article ([**@kvaps**](https://github.com/kvaps) in cozystack/website@0a4bbf3).
+
+---
+
+**Full Changelog**: [v0.37.2...v0.37.3](https://github.com/cozystack/cozystack/compare/v0.37.2...v0.37.3)
+
--- a/docs/changelogs/v0.37.4.md
+++ b/docs/changelogs/v0.37.4.md
@@ -0,0 +1,29 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.37.4
+-->
+
+## Features and Improvements
+
+* **[tenant] Allow listing workloads**: Enabled listing of workloads for tenants, improving visibility and management of tenant resources ([**@kvaps**](https://github.com/kvaps) in #1576, #1577).
+
+## Fixes
+
+* **[seaweedfs] Fix migration to v3.99**: Fixed migration issues when upgrading SeaweedFS to version 3.99, ensuring smooth upgrades ([**@kvaps**](https://github.com/kvaps) in #1572, #1575).
+* **[nats] Merge container spec, not podTemplate**: Fixed NATS configuration to properly merge container specifications instead of podTemplate, ensuring correct container configuration ([**@lllamnyp**](https://github.com/lllamnyp) in #1571, #1574).
+
+## Development, Testing, and CI/CD
+
+* **[e2e] Increase Kubernetes connection timeouts**: Increased connection and request timeouts in E2E tests when communicating with Kubernetes API, improving test stability under high load and slow cluster response conditions ([**@IvanHunters**](https://github.com/IvanHunters) in #1570, #1573).
+
+## Documentation
+
+* **[website] Optimize website for mobile devices**: Improved website layout and responsiveness for mobile devices ([**@kvaps**](https://github.com/kvaps) in cozystack/website@3ab2338).
+* **[website] Add OpenAPI UI**: Added OpenAPI UI documentation and integration ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b1c1668).
+* **[website] Update Cozystack video in hero banner**: Updated hero banner with new Cozystack video ([**@kvaps**](https://github.com/kvaps) in cozystack/website@e351137).
+* **[website] Add screenshots carousel**: Added screenshots carousel to showcase Cozystack features ([**@kvaps**](https://github.com/kvaps) in cozystack/website@8422bd0).
+
+---
+
+**Full Changelog**: [v0.37.3...v0.37.4](https://github.com/cozystack/cozystack/compare/v0.37.3...v0.37.4)
+
--- a/docs/changelogs/v0.37.5.md
+++ b/docs/changelogs/v0.37.5.md
@@ -0,0 +1,28 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.37.5
+-->
+
+## Features and Improvements
+
+* **[dashboard-controller] Move badges generation logic to internal dashboard component**: Moved badges generation logic to internal dashboard component for better code organization and maintainability ([**@kvaps**](https://github.com/kvaps) in #1567).
+
+## Security
+
+* **[redis] Bump Redis image version for security fixes**: Updated Redis image version to include latest security fixes, improving cluster security ([**@IvanHunters**](https://github.com/IvanHunters) in #1580).
+* **[flux] Close Flux Operator ports to external access**: Removed hostPort and hostNetwork from Flux Operator Deployment, ensuring ports 8080 and 8081 are only accessible within the cluster, preventing external exposure and improving security ([**@IvanHunters**](https://github.com/IvanHunters) in #1581).
+* **[ingress] Enforce HTTPS-only for API**: Added force-ssl-redirect annotation to default API Ingress, ensuring all HTTP traffic is redirected to HTTPS, preventing unencrypted external access and improving security ([**@IvanHunters**](https://github.com/IvanHunters) in #1582, #1585).
+
+## Fixes
+
+* **[nats] Fixes for NATS App Helm chart, fix template issues with config.merge**: Fixed template issues in NATS Helm chart related to config.merge value, ensuring correct configuration ([**@insignia96**](https://github.com/insignia96) in #1583, #1591).
+* **[kubevirt] Fix: kubevirt metrics rule**: Fixed KubeVirt metrics rule configuration ([**@kvaps**](https://github.com/kvaps) in #1584, #1588).
+
+## System Configuration
+
+* **[core] rm talos lldp extension**: Removed Talos LLDP extension from core configuration ([**@nbykov0**](https://github.com/nbykov0) in #1586).
+
+---
+
+**Full Changelog**: [v0.37.4...v0.37.5](https://github.com/cozystack/cozystack/compare/v0.37.4...v0.37.5)
+
--- a/docs/changelogs/v0.37.6.md
+++ b/docs/changelogs/v0.37.6.md
@@ -0,0 +1,30 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.37.6
+-->
+
+## Features and Improvements
+
+* **[api] Use shared informer cache**: Optimized API server by using shared informer cache, reducing API server load and improving performance ([**@lllamnyp**](https://github.com/lllamnyp) in #1539).
+* **[dashboard] sync with upstream & enhancements**: Synchronized dashboard with upstream and added various enhancements ([**@kvaps**](https://github.com/kvaps) in #1603).
+* **[cozystack-api][dashboard] Fix filtering for application services/ingresses/secrets**: Fixed filtering functionality for application services, ingresses, and secrets in both API and dashboard ([**@kvaps**](https://github.com/kvaps) in #1612).
+
+## Fixes
+
+* **[controller] Remove crdmem, handle DaemonSet**: Removed crdmem and improved DaemonSet handling in controller ([**@lllamnyp**](https://github.com/lllamnyp) in #1555).
+* **[dashboard] Revert reconciler removal**: Reverted reconciler removal to restore proper dashboard functionality ([**@lllamnyp**](https://github.com/lllamnyp) in #1559).
+* **[dashboard-controller] Fix static resources reconciliation and showing secrets**: Fixed static resources reconciliation and improved secret display in dashboard controller ([**@kvaps**](https://github.com/kvaps) in #1605).
+* **[api,lineage] Ensure node-local traffic**: Ensured node-local traffic handling for API and lineage components ([**@lllamnyp**](https://github.com/lllamnyp) in #1606).
+* **[virtual-machine] Revert per-vm network policies**: Reverted per-VM network policies to previous behavior ([**@lllamnyp**](https://github.com/lllamnyp) in #1611).
+* **[cozy-lib] Fix: handling resources=nil**: Fixed handling of nil resources in cozy-lib templates ([**@kvaps**](https://github.com/kvaps) in #1607).
+* **[nats] Use dig function to check for existing secret and prevent nil indexing**: Fixed NATS app chart to use dig function for checking existing secrets and prevent nil indexing errors ([**@kvaps**](https://github.com/kvaps) in #1609, #1610).
+
+## Development, Testing, and CI/CD
+
+* **[cozystack-controller] improve API tests**: Improved API tests for cozystack-controller ([**@lllamnyp**](https://github.com/lllamnyp) in #1599).
+* **[kubernetes] Helm hooks for cleanup**: Added Helm hooks for cleanup operations in Kubernetes app ([**@lllamnyp**](https://github.com/lllamnyp) in #1616).
+
+---
+
+**Full Changelog**: [v0.37.5...v0.37.6](https://github.com/cozystack/cozystack/compare/v0.37.5...v0.37.6)
+
--- a/docs/changelogs/v0.37.7.md
+++ b/docs/changelogs/v0.37.7.md
@@ -0,0 +1,18 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.37.7
+-->
+
+## Fixes
+
+* **[kubernetes] Cleanup loadbalancer services**: Added cleanup functionality for load balancer services in Kubernetes app ([**@lllamnyp**](https://github.com/lllamnyp) in #1622).
+* **[rbac] Fix permissions for high-privilege users**: Fixed RBAC permissions for high-privilege users, ensuring proper access control ([**@lllamnyp**](https://github.com/lllamnyp) in #1624).
+
+## System Configuration
+
+* **[system] kubeovn: increase limits**: Increased resource limits for Kube-OVN components to improve stability and performance ([**@nbykov0**](https://github.com/nbykov0) in #1629).
+
+---
+
+**Full Changelog**: [v0.37.6...v0.37.7](https://github.com/cozystack/cozystack/compare/v0.37.6...v0.37.7)
+
--- a/docs/changelogs/v0.37.8.md
+++ b/docs/changelogs/v0.37.8.md
@@ -0,0 +1,19 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.37.8
+-->
+
+## Fixes
+
+* **[cozy-lib] Fix malformed ResourceQuota rendering for LoadBalancer services**: Fixed malformed ResourceQuota rendering for LoadBalancer services in cozy-lib templates ([**@IvanHunters**](https://github.com/IvanHunters) in #1642).
+* **[extra] ingress: rm spaces from external ip list**: Removed spaces from external IP list in ingress configuration, fixing formatting issues ([**@nbykov0**](https://github.com/nbykov0) in #1652).
+* **scripts: fix 20 migration**: Fixed migration script #20 to ensure proper execution during upgrades ([**@nbykov0**](https://github.com/nbykov0) in #1653).
+
+## System Configuration
+
+* **Increase strimzi memory limit**: Increased memory limit for Strimzi Kafka operator to improve stability and performance ([**@nbykov0**](https://github.com/nbykov0) in #1651).
+
+---
+
+**Full Changelog**: [v0.37.7...v0.37.8](https://github.com/cozystack/cozystack/compare/v0.37.7...v0.37.8)
+
--- a/docs/changelogs/v0.37.9.md
+++ b/docs/changelogs/v0.37.9.md
@@ -0,0 +1,19 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.37.9
+-->
+
+## Improvements
+
+* **[seaweedfs] Extended CA certificate duration to reduce disruptive CA rotations**: Extended CA certificate duration to reduce disruptive CA rotations. ([**@IvanHunters**](https://github.com/IvanHunters) in #1657, #1666).
+* **[dashboard] Add config hash annotations to restart pods on config changes**: Added config hash annotations to restart pods when configuration changes, ensuring pods are automatically restarted when their configuration is updated ([**@kvaps**](https://github.com/kvaps) in #1662, #1665).
+
+## Fixes
+
+* **[tenant][kubernetes] Introduce better cleanup logic**: Improved cleanup logic for tenant Kubernetes resources, ensuring proper resource cleanup when tenants are deleted or updated ([**@kvaps**](https://github.com/kvaps) in #1661).
+* **[dashboard] Fix loading arrays in forms when editing existing objects**: Fixed issue where arrays in forms were not loading correctly when editing existing objects in the dashboard ([**@kvaps**](https://github.com/kvaps)).
+
+---
+
+**Full Changelog**: [v0.37.8...v0.37.9](https://github.com/cozystack/cozystack/compare/v0.37.8...v0.37.9)
+
--- a/docs/changelogs/v0.38.0.md
+++ b/docs/changelogs/v0.38.0.md
@@ -0,0 +1,235 @@
+# Cozystack v0.38 — "VPC & Enhanced Networking"
+
+This release introduces **Virtual Private Cloud (VPC)** support, enabling advanced networking capabilities for tenant applications. We've also added VNC console support in the dashboard, made Kubernetes worker versions configurable, and delivered numerous improvements and fixes across the platform.
+
+### Virtual Private Cloud (VPC) Networking
+
+Cozystack v0.38.0 introduces Virtual Private Cloud (VPC) support, enabling platform administrators to create isolated network segments for tenant applications. VPCs provide network isolation and allow fine-grained control over network topology, subnets, and routing. Each VPC can contain multiple subnets, and administrators can configure subnet details including IP ranges, gateway settings, and DNS configuration.
+
+The VPC feature integrates seamlessly with the Cozystack dashboard, allowing users to view and manage VPCs and their subnets through an intuitive interface. Subnet details are exposed in the dashboard as tables, making it easy to understand network configuration at a glance. VPC configuration is stored in ConfigMaps with predictable naming, ensuring reliable access to subnet information.
+
+This feature is particularly valuable for multi-tenant environments where network isolation is critical, and for applications that require specific network configurations or routing rules.
+
+### VNC Console for Virtual Machines
+
+The Cozystack dashboard now includes a built-in VNC console for virtual machines, enabling users to access VM console directly from the web interface without requiring external tools. This feature provides immediate access to virtual machine consoles for troubleshooting, configuration, and maintenance tasks. The VNC console integration streamlines VM management workflows and improves the user experience by keeping all VM operations within the Cozystack dashboard.
+
+## Highlights
+
+* **Virtual Private Cloud (VPC)**: New VPC system module enables advanced networking with Multus CNI, subnet management, and network isolation for tenant applications ([**@nbykov0**](https://github.com/nbykov0) in #1543; [**@lllamnyp**](https://github.com/lllamnyp) in #1587, #1590, #1600, #1621, #1638).
+* **VNC Console in Dashboard**: Users can now access virtual machine consoles directly from the dashboard, improving VM management experience ([**@kvaps**](https://github.com/kvaps) in #1627).
+* **Configurable Kubernetes Worker Versions**: Platform administrators can now configure Kubernetes worker node versions independently, providing more flexibility in cluster management ([**@lllamnyp**](https://github.com/lllamnyp) in #1619).
+* **Security Enhancements**: Multiple security improvements including HTTPS-only enforcement for API, closed Flux Operator ports, and Redis security updates ([**@IvanHunters**](https://github.com/IvanHunters) in #1580, #1581, #1582).
+* **Cozy-lib Improvements**: Enhanced flatten function with better ResourceQuota handling and nil resource support ([**@lllamnyp**](https://github.com/lllamnyp) in #1647; [**@IvanHunters**](https://github.com/IvanHunters) in #1642; [**@kvaps**](https://github.com/kvaps) in #1607).
+
+---
+
+## New features
+
+### VPC (Virtual Private Cloud)
+
+* **[system] Add VPC**: Introduced Virtual Private Cloud system module with Multus CNI integration, enabling advanced networking capabilities for tenant applications ([**@nbykov0**](https://github.com/nbykov0) in #1543).
+* **[vpc] Install Multus by default**: Multus CNI is now installed by default when VPC is enabled, providing multi-network interface support ([**@lllamnyp**](https://github.com/lllamnyp) in #1587).
+* **[vpc] Give predictable name to subnet configmap**: Subnet configuration maps now use predictable naming for better management and debugging ([**@lllamnyp**](https://github.com/lllamnyp) in #1590).
+* **[vpc] Entry per subnet in the subnets configmap**: Each subnet now has its own entry in the subnets configmap, improving subnet organization and management ([**@lllamnyp**](https://github.com/lllamnyp) in #1600).
+* **[vpc,dashboard] Print subnet details as table**: Subnet details are now displayed as a table in the dashboard, improving visibility and management ([**@lllamnyp**](https://github.com/lllamnyp) in #1621).
+* **[apps] Add VPC app**: Added VPC application for tenant use, enabling users to create and manage VPCs ([**@nbykov0**](https://github.com/nbykov0) in #1543).
+
+### Dashboard
+
+* **[dashboard] Introduce VNC console**: Added VNC console support in the dashboard, allowing users to access virtual machine consoles directly from the web interface ([**@kvaps**](https://github.com/kvaps) in #1627).
+* **[dashboard] sync with upstream & enhancements**: Synchronized dashboard with upstream project and added various enhancements ([**@kvaps**](https://github.com/kvaps) in #1603).
+* **[dashboard] Migrate patches to upstream project**: Migrated dashboard patches to upstream project for better maintainability ([**@kvaps**](https://github.com/kvaps) in #1569).
+
+### Kubernetes
+
+* **[kubernetes] Make worker version configurable**: Platform administrators can now configure Kubernetes worker node versions independently from control plane versions, providing more flexibility ([**@lllamnyp**](https://github.com/lllamnyp) in #1619).
+* **[kubernetes] Use controlPlane.replicas field**: Fixed managed Kubernetes app to properly use the `controlPlane.replicas` field instead of hardcoding the value ([**@lllamnyp**](https://github.com/lllamnyp) in #1556).
+* **[kubernetes] Helm hooks for cleanup**: Added Helm hooks for cleanup operations in Kubernetes app ([**@lllamnyp**](https://github.com/lllamnyp) in #1606).
+
+### API & Platform
+
+* **[api] Efficient listing of TenantNamespaces**: Optimized TenantNamespace listing by replacing per-namespace SubjectAccessReview calls with group-based rolebinding checks, significantly reducing API latency ([**@lllamnyp**](https://github.com/lllamnyp) in #1507).
+* **[api] Use shared informer cache**: Optimized API server by using shared informer cache, reducing API server load and improving performance ([**@lllamnyp**](https://github.com/lllamnyp) in #1539).
+* **[api] Fix representation of dynamic list kinds**: Fixed API representation of dynamic list kinds for better compatibility ([**@lllamnyp**](https://github.com/lllamnyp) in #1630).
+* **[api] Delete previous instance when changing type**: API now properly deletes previous instance when changing application type ([**@lllamnyp**](https://github.com/lllamnyp) in #1579).
+
+### Applications
+
+* **[tenant] Allow listing workloads**: Enabled listing of workloads for tenants, improving visibility and management of tenant resources ([**@kvaps**](https://github.com/kvaps) in #1576).
+* **[apps] Make VM service user facing**: Virtual machine services are now marked as user-facing, improving service discovery and visibility in the dashboard ([**@lllamnyp**](https://github.com/lllamnyp) in #1523).
+* **[foundationdb] Upgrade FDB app for latest Cozy**: Upgraded FoundationDB application for compatibility with latest Cozystack version ([**@lllamnyp**](https://github.com/lllamnyp) in #1505).
+
+### Storage & Backups
+
+* **[seaweedfs] Update SeaweedFS v3.99 and deploy S3 as stacked service**: Updated SeaweedFS to version 3.99 and deployed S3 gateway as a stacked service for better integration and performance ([**@kvaps**](https://github.com/kvaps) in #1562).
+* **[seaweedfs] Allow users to discover their buckets**: Users can now discover and list their S3 buckets in SeaweedFS, improving usability and bucket management ([**@kvaps**](https://github.com/kvaps) in #1528).
+* **[velero] Set defaultItemOperationTimeout=24h**: Set default item operation timeout to 24 hours for Velero backups, preventing timeouts on large backup operations ([**@kvaps**](https://github.com/kvaps) in #1542).
+
+### Monitoring & Operations
+
+* **[monitoring] add settings alert for slack**: Added Slack integration configuration for Alerta alerts, enabling notifications to Slack channels ([**@scooby87**](https://github.com/scooby87) in #1545).
+
+---
+
+## Improvements (minor)
+
+* **[lineage] Separate webhook from cozy controller**: Separated the lineage-controller-webhook from cozystack-controller into a separate daemonset component deployed on all control-plane nodes, reducing API server latency ([**@lllamnyp**](https://github.com/lllamnyp) in #1515).
+* **[dashboard] Show service LB IP**: Fixed JSON path issue to correctly display Service LoadBalancer IPs in the dashboard table view ([**@lllamnyp**](https://github.com/lllamnyp) in #1524).
+* **[dashboard] Update openapi-ui v1.0.3 + fixes**: Updated OpenAPI UI to version 1.0.3 with various fixes and improvements ([**@kvaps**](https://github.com/kvaps) in #1564).
+* **[dashboard-controller] Move badges generation logic to internal dashboard component**: Moved badges generation logic to internal dashboard component for better code organization ([**@kvaps**](https://github.com/kvaps) in #1567).
+* **[bucket] Expose bucket name in secrets**: Bucket names are now exposed in secrets for better integration with applications ([**@lllamnyp**](https://github.com/lllamnyp) in #1518).
+* **[platform] Better migration for 0.36.2->0.37.2+**: Improved migration script for users upgrading directly from 0.36.2 to 0.37.2+ ([**@lllamnyp**](https://github.com/lllamnyp) in #1521).
+* **[cozy-lib] Improve flatten function**: Improved flatten function in cozy-lib with better handling of complex resource structures ([**@lllamnyp**](https://github.com/lllamnyp) in #1647).
+* **[dx] JSDoc compatible syntax for values.yaml**: Added JSDoc compatible syntax for values.yaml documentation ([**@kvaps**](https://github.com/kvaps) in #1536).
+* **[system] Tune kubevirt rollout and eviction settings**: Tuned KubeVirt rollout and eviction settings for better stability ([**@nbykov0**](https://github.com/nbykov0) in #1544).
+* **[system] multus: update to the latest version**: Updated Multus CNI to the latest version ([**@nbykov0**](https://github.com/nbykov0) in #1628).
+* **[system] kubeovn: increase limits**: Increased resource limits for Kube-OVN components to improve stability and performance ([**@nbykov0**](https://github.com/nbykov0) in #1629).
+* **[linstor] Update Piraeus Operator to v2.10.1 to enable RWX support**: Updated Piraeus Operator to v2.10.1, enabling ReadWriteMany (RWX) volume support ([**@kvaps**](https://github.com/kvaps) in #1650).
+* **[ci,dx] Bump MariaDB operator version**: Bumped MariaDB operator version for latest features and bug fixes ([**@IvanHunters**](https://github.com/IvanHunters) in #1646).
+
+---
+
+## Bug fixes
+
+* **[api] Fix RBAC for listing of TenantNamespaces and handle system:masters**: Fixed regression in TenantNamespace listing RBAC and added proper handling for system:masters group ([**@kvaps**](https://github.com/kvaps) in #1511).
+* **[api] Fix listing tenantnamespaces for non-oidc users**: Fixed TenantNamespace listing functionality for users not using OIDC authentication ([**@kvaps**](https://github.com/kvaps) in #1517).
+* **[dashboard] Fix logout**: Fixed dashboard logout functionality to properly clear session and redirect users ([**@kvaps**](https://github.com/kvaps) in #1510).
+* **[installer] Add additional check to wait for lineage-webhook**: Added additional readiness check to ensure lineage-webhook is fully ready before proceeding with installation ([**@kvaps**](https://github.com/kvaps) in #1506).
+* **[lineage] Check for nil chart in HelmRelease**: Added nil check to prevent crashes when lineage webhook encounters HelmReleases using `chartRef` instead of `chart` ([**@lllamnyp**](https://github.com/lllamnyp) in #1525).
+* **[kamaji] Respect 3rd party labels**: Applied patch to Kamaji controller to respect third-party labels, preventing reconciliation loops ([**@lllamnyp**](https://github.com/lllamnyp) in #1531).
+* **[redis-operator] Build patched operator in-tree**: Moved Redis operator build into Cozystack organization and patched it to prevent overwriting third-party labels ([**@lllamnyp**](https://github.com/lllamnyp) in #1547).
+* **[mariadb-operator] Add post-delete job to remove PVCs**: Added post-delete job to automatically remove PersistentVolumeClaims when MariaDB instances are deleted ([**@IvanHunters**](https://github.com/IvanHunters) in #1553).
+* **[seaweedfs] Fix migration to v3.99**: Fixed migration issues when upgrading SeaweedFS to version 3.99 ([**@kvaps**](https://github.com/kvaps) in #1572).
+* **[nats] Merge container spec, not podTemplate**: Fixed NATS configuration to properly merge container specifications instead of podTemplate ([**@lllamnyp**](https://github.com/lllamnyp) in #1571).
+* **[nats] Fixes for NATS App Helm chart, fix template issues with config.merge**: Fixed template issues in NATS Helm chart related to config.merge value ([**@insignia96**](https://github.com/insignia96) in #1583).
+* **[nats] Fix NATS app chart to use existing secret credentials when present**: Fixed NATS app chart to use existing secret credentials when present, preventing credential regeneration ([**@insignia96**](https://github.com/insignia96) in #1599).
+* **[kubevirt] Fix: kubevirt metrics rule**: Fixed KubeVirt metrics rule configuration ([**@kvaps**](https://github.com/kvaps) in #1584).
+* **[controller] Remove crdmem, handle DaemonSet**: Removed crdmem and improved DaemonSet handling in controller ([**@lllamnyp**](https://github.com/lllamnyp) in #1555).
+* **[dashboard] Revert reconciler removal**: Reverted reconciler removal to restore proper dashboard functionality ([**@lllamnyp**](https://github.com/lllamnyp) in #1559).
+* **[dashboard-controller] Fix static resources reconciliation and showing secrets**: Fixed static resources reconciliation and improved secret display in dashboard controller ([**@kvaps**](https://github.com/kvaps) in #1615).
+* **[cozystack-api][dashboard] Fix filtering for application services/ingresses/secrets**: Fixed filtering functionality for application services, ingresses, and secrets in both API and dashboard ([**@kvaps**](https://github.com/kvaps) in #1612).
+* **[virtual-machine] Revert per-vm network policies**: Reverted per-VM network policies to previous behavior ([**@kvaps**](https://github.com/kvaps) in #1611).
+* **[cozy-lib] Fix: handling resources=nil**: Fixed handling of nil resources in cozy-lib templates ([**@kvaps**](https://github.com/kvaps) in #1607).
+* **[cozy-lib] Fix malformed ResourceQuota rendering for LoadBalancer services**: Fixed malformed ResourceQuota rendering for LoadBalancer services in cozy-lib templates ([**@IvanHunters**](https://github.com/IvanHunters) in #1642).
+* **[kubernetes] Cleanup loadbalancer services**: Added cleanup functionality for load balancer services in Kubernetes app ([**@lllamnyp**](https://github.com/lllamnyp) in #1631).
+* **[rbac] Fix permissions for high-privilege users**: Fixed RBAC permissions for high-privilege users, ensuring proper access control ([**@lllamnyp**](https://github.com/lllamnyp) in #1622).
+* **[vpc] Fix access to subnet details configmap**: Fixed access to subnet details configmap in VPC functionality ([**@lllamnyp**](https://github.com/lllamnyp) in #1638).
+* **[api,lineage] Ensure node-local traffic**: Ensured node-local traffic handling for API and lineage components ([**@lllamnyp**](https://github.com/lllamnyp) in #1554).
+* **[extra] ingress: rm spaces from external ip list**: Removed spaces from external IP list in ingress configuration, fixing formatting issues ([**@nbykov0**](https://github.com/nbykov0) in #1652).
+* **scripts: fix 20 migration**: Fixed migration script #20 to ensure proper execution during upgrades ([**@nbykov0**](https://github.com/nbykov0) in #1653).
+
+---
+
+## Security
+
+* **[redis] Bump Redis image version for security fixes**: Updated Redis image version to include latest security fixes, improving cluster security ([**@IvanHunters**](https://github.com/IvanHunters) in #1580).
+* **[flux] Close Flux Operator ports to external access**: Removed hostPort and hostNetwork from Flux Operator Deployment, ensuring ports 8080 and 8081 are only accessible within the cluster ([**@IvanHunters**](https://github.com/IvanHunters) in #1581).
+* **[ingress] Enforce HTTPS-only for API**: Added force-ssl-redirect annotation to default API Ingress, ensuring all HTTP traffic is redirected to HTTPS ([**@IvanHunters**](https://github.com/IvanHunters) in #1582).
+
+---
+
+## Dependencies & version updates
+
+* **Update LINSTOR v1.32.3**: Updated LINSTOR to version 1.32.3 with latest features and bug fixes ([**@kvaps**](https://github.com/kvaps) in #1565).
+* **Update Talos Linux v1.11.3**: Updated Talos Linux to version 1.11.3 ([**@kvaps**](https://github.com/kvaps) in #1527).
+* **Update Kube-OVN v1.14.11**: Updated Kube-OVN to version 1.14.11 ([**@kvaps**](https://github.com/kvaps) in #1514).
+* **[linstor] Update Piraeus Operator to v2.10.1**: Updated Piraeus Operator to v2.10.1 to enable RWX support ([**@kvaps**](https://github.com/kvaps) in #1650).
+* **[system] multus: update to the latest version**: Updated Multus CNI to the latest version ([**@nbykov0**](https://github.com/nbykov0) in #1628).
+* **[ci,dx] Bump MariaDB operator version**: Bumped MariaDB operator version ([**@IvanHunters**](https://github.com/IvanHunters) in #1646).
+* **Increase strimzi memory limit**: Increased memory limit for Strimzi Kafka operator to improve stability and performance ([**@nbykov0**](https://github.com/nbykov0) in #1651).
+
+---
+
+## System Configuration
+
+* **[system] kube-ovn: turn off enableLb**: Disabled load balancer functionality in Kube-OVN configuration ([**@nbykov0**](https://github.com/nbykov0) in #1548).
+* **[core] rm talos lldp extension**: Removed Talos LLDP extension from core configuration ([**@nbykov0**](https://github.com/nbykov0) in #1586).
+
+---
+
+## Development, Testing, and CI/CD
+
+* **[tests] Make Kubernetes tests POSIX-compatible**: Replaced bash-specific constructs with POSIX-compliant code, ensuring tests work reliably with /bin/sh ([**@IvanHunters**](https://github.com/IvanHunters) in #1509).
+* **[ferretdb] fix tests**: Fixed FerretDB tests to ensure proper execution ([**@IvanHunters**](https://github.com/IvanHunters) in #1540).
+* **[e2e] Increase Kubernetes connection timeouts**: Increased connection and request timeouts in E2E tests when communicating with Kubernetes API ([**@IvanHunters**](https://github.com/IvanHunters) in #1570).
+* **[cozystack-controller] improve API tests**: Improved API tests for cozystack-controller ([**@kvaps**](https://github.com/kvaps) in #1617).
+* **[ci] Fix build from external forks**: Fixed build process to work correctly from external forks ([**@kvaps**](https://github.com/kvaps) in #1530).
+* **[ci,dx] Add unit tests for cozy-lib**: Added unit tests for cozy-lib to improve code quality and reliability ([**@lllamnyp**](https://github.com/lllamnyp) in #1643).
+
+---
+
+## Documentation
+
+* **[website] Add VPC page**: Added VPC documentation page explaining VPC features and usage ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@9ccac78).
+* **[website] Add VPC to auto-update list**: Added VPC to auto-update list in documentation ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@ca2bce6).
+* **[website] Update dashboard part in OIDC configuration doc**: Updated OIDC configuration documentation with dashboard information ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@6c44b93).
+* **[website] Update storage requirements**: Updated storage requirements documentation ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@cac3af6).
+* **[website] Add System Resource Planning Recommendations**: Added system resource planning recommendations documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website@c877c2a).
+* **[website] Optimize website for mobile devices**: Improved website layout and responsiveness for mobile devices ([**@kvaps**](https://github.com/kvaps) in cozystack/website@3ab2338).
+* **[website] Add OpenAPI UI**: Added OpenAPI UI documentation and integration ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b1c1668).
+* **[website] Update Cozystack video in hero banner**: Updated hero banner with new Cozystack video ([**@kvaps**](https://github.com/kvaps) in cozystack/website@e351137).
+* **[website] Add screenshots carousel**: Added screenshots carousel to showcase Cozystack features ([**@kvaps**](https://github.com/kvaps) in cozystack/website@8422bd0).
+* **[website] Update LINSTOR documentation**: Updated LINSTOR guide and set failmode=continue for ZFS configurations ([**@kvaps**](https://github.com/kvaps) in cozystack/website@033804e).
+* **[website] Update managed apps reference**: Updated managed applications reference documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b886a74, cozystack/website@41c1849, cozystack/website@0ab71fd).
+* **[website] Update external apps documentation**: Updated documentation for external applications ([**@kvaps**](https://github.com/kvaps) in cozystack/website@565dad9).
+* **[website] Add naming conventions**: Added naming conventions documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b227abb).
+* **[website] Update golden image documentation**: Updated documentation for creating golden images for virtual machines ([**@kvaps**](https://github.com/kvaps) in cozystack/website@34c2f3a, cozystack/website@ef65593).
+* **[website] Fix documentation formatting**: Fixed alerts, infoboxes, tabs styles and main page formatting ([**@kvaps**](https://github.com/kvaps) in cozystack/website@e992e97, cozystack/website@b2c4dee).
+* **[website] Fix typo in blog article**: Fixed typo in blog article ([**@kvaps**](https://github.com/kvaps) in cozystack/website@0a4bbf3).
+* **[apps] vpc: more docs**: Added more VPC documentation ([**@nbykov0**](https://github.com/nbykov0) in #1594).
+* **[apps] vpc: fix typo in README**: Fixed typo in VPC README ([**@nbykov0**](https://github.com/nbykov0) in #1637).
+
+---
+
+## Additional Repositories
+
+### boot-to-talos
+
+* **[boot-to-talos] Introduce boot/install mode**: Introduced boot/install mode in boot-to-talos tool ([**@kvaps**](https://github.com/kvaps) in cozystack/boot-to-talos#5).
+
+### cozypkg
+
+* **[cozypkg] Handle valuesFiles from cozypkg.cozystack.io/values-files annotation**: Added support for handling valuesFiles from annotation in cozypkg ([**@kvaps**](https://github.com/kvaps) in cozystack/cozypkg#8).
+
+---
+
+## Refactors & chores
+
+* **[dashboard] Migrate patches to upstream project**: Migrated dashboard patches to upstream project for better maintainability ([**@kvaps**](https://github.com/kvaps) in #1569).
+* **Update CODEOWNERS**: Updated CODEOWNERS file ([**@nbykov0**](https://github.com/nbykov0) in #1537).
+* **Add QOSI to ADOPTERS.md**: Added QOSI to adopters list ([**@tabu-a**](https://github.com/tabu-a) in #1589).
+
+---
+
+## Breaking changes & upgrade notes
+
+No breaking changes in this release.
+
+---
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@insignia96**](https://github.com/insignia96)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lllamnyp**](https://github.com/lllamnyp)
+* [**@nbykov0**](https://github.com/nbykov0)
+* [**@scooby87**](https://github.com/scooby87)
+* [**@tabu-a**](https://github.com/tabu-a)
+
+### New Contributors
+
+We're excited to welcome our first-time contributors:
+
+* [**@tabu-a**](https://github.com/tabu-a) - First contribution!
+
+---
+
+**Full Changelog**: [v0.37.0...v0.38.0](https://github.com/cozystack/cozystack/compare/v0.37.0...v0.38.0)
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.38.0
+-->
--- a/docs/changelogs/v0.38.1.md
+++ b/docs/changelogs/v0.38.1.md
@@ -0,0 +1,19 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.38.1
+-->
+
+## Improvements
+
+* **[seaweedfs] Extended CA certificate duration to reduce disruptive CA rotations**: Extended CA certificate duration to reduce disruptive CA rotations. ([**@IvanHunters**](https://github.com/IvanHunters) in #1657, #1666).
+* **[dashboard] Add config hash annotations to restart pods on config changes**: Added config hash annotations to restart pods when configuration changes, ensuring pods are automatically restarted when their configuration is updated ([**@kvaps**](https://github.com/kvaps) in #1662, #1665).
+
+## Fixes
+
+* **[tenant][kubernetes] Introduce better cleanup logic**: Improved cleanup logic for tenant Kubernetes resources, ensuring proper resource cleanup when tenants are deleted or updated ([**@kvaps**](https://github.com/kvaps) in #1661).
+* **[dashboard] Fix loading arrays in forms when editing existing objects**: Fixed issue where arrays in forms were not loading correctly when editing existing objects in the dashboard ([**@kvaps**](https://github.com/kvaps)).
+
+---
+
+**Full Changelog**: [v0.38.0...v0.38.1](https://github.com/cozystack/cozystack/compare/v0.38.0...v0.38.1)
+
--- a/docs/changelogs/v0.38.2.md
+++ b/docs/changelogs/v0.38.2.md
@@ -0,0 +1,13 @@
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.38.2
+-->
+
+## Fixes
+
+* **[api] Revert dynamic list kinds representation fix (fixes namespace deletion regression)**: Reverted changes from #1630 that caused a regression affecting namespace deletion and upgrades from previous versions. The regression caused namespace deletion failures with errors like "content is not a list: []unstructured.Unstructured" during namespace finalization. This revert restores compatibility with namespace deletion controller and fixes upgrade issues from previous versions, particularly when running migration 20 ([**@kvaps**](https://github.com/kvaps) in #1677).
+
+---
+
+**Full Changelog**: [v0.38.1...v0.38.2](https://github.com/cozystack/cozystack/compare/v0.38.1...v0.38.2)
+
--- a/go.mod
+++ b/go.mod
@@ -6,11 +6,16 @@ go 1.23.0

 require (
 	github.com/fluxcd/helm-controller/api v1.1.0
+	github.com/go-logr/logr v1.4.2
+	github.com/go-logr/zapr v1.3.0
 	github.com/google/gofuzz v1.2.0
 	github.com/onsi/ginkgo/v2 v2.19.0
 	github.com/onsi/gomega v1.33.1
+	github.com/prometheus/client_golang v1.19.1
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
+	go.uber.org/zap v1.27.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.31.2
 	k8s.io/apiextensions-apiserver v0.31.2
@@ -44,9 +49,7 @@ require (
 	github.com/fluxcd/pkg/apis/meta v1.6.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
@@ -74,7 +77,6 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
@@ -94,7 +96,6 @@ require (
 	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.33.0 // indirect
@@ -119,3 +120,6 @@ require (
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+// See: issues.k8s.io/135537
+replace k8s.io/apimachinery => github.com/cozystack/apimachinery v0.0.0-20251201201312-18e522a87614
--- a/go.sum
+++ b/go.sum
@@ -18,6 +18,8 @@ github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cozystack/apimachinery v0.0.0-20251201201312-18e522a87614 h1:jH9elECUvhiIs3IMv3oS5k1JgCLVsSK6oU4dmq5gyW8=
+github.com/cozystack/apimachinery v0.0.0-20251201201312-18e522a87614/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -145,6 +147,8 @@ github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G
 github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -291,8 +295,6 @@ k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0=
 k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk=
 k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0=
 k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM=
-k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=
-k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4=
 k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE=
 k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=
--- a/hack/check-optional-repos.sh
+++ b/hack/check-optional-repos.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 ###############################################################################
 # check-optional-repos.sh - Check optional repositories for tags and commits #
 # during a release period                                                     #
--- a/hack/e2e-test-openapi.bats
+++ b/hack/e2e-test-openapi.bats
@@ -42,3 +42,12 @@
    exit 1
  fi
 }
+
+@test "Create and delete namespace" {
+  kubectl create ns cozy-test-create-and-delete-namespace --dry-run=client -o yaml | kubectl apply -f -
+  if ! kubectl delete ns cozy-test-create-and-delete-namespace; then
+    echo "Failed to delete namespace"
+    kubectl describe ns cozy-test-create-and-delete-namespace
+    exit 1
+  fi
+}
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -23,6 +23,13 @@ CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; ls -d -1 ./vendor/k8s.io/code-
 API_KNOWN_VIOLATIONS_DIR="${API_KNOWN_VIOLATIONS_DIR:-"${SCRIPT_ROOT}/api/api-rules"}"
 UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS:-true}"
 CONTROLLER_GEN="go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.4"
+TMPDIR=$(mktemp -d)
+COZY_CONTROLLER_CRDDIR=packages/system/cozystack-controller/crds
+COZY_RD_CRDDIR=packages/system/cozystack-resource-definition-crd/definition
+BACKUPS_CORE_CRDDIR=packages/system/backup-controller/definitions
+BACKUPSTRATEGY_CRDDIR=packages/system/backupstrategy-controller/definitions
+
+trap 'rm -rf ${TMPDIR}' EXIT

 source "${CODEGEN_PKG}/kube_codegen.sh"

@@ -53,6 +60,12 @@ kube::codegen::gen_openapi \
    "${SCRIPT_ROOT}/pkg/apis"

 $CONTROLLER_GEN object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
-$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=packages/system/cozystack-controller/crds
-mv packages/system/cozystack-controller/crds/cozystack.io_cozystackresourcedefinitions.yaml \
-        packages/system/cozystack-resource-definition-crd/definition/cozystack.io_cozystackresourcedefinitions.yaml
+$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=${TMPDIR} 
+
+mv ${TMPDIR}/cozystack.io_cozystackresourcedefinitions.yaml \
+        ${COZY_RD_CRDDIR}/cozystack.io_cozystackresourcedefinitions.yaml
+
+mv ${TMPDIR}/backups.cozystack.io*.yaml ${BACKUPS_CORE_CRDDIR}/
+mv ${TMPDIR}/strategy.backups.cozystack.io*.yaml ${BACKUPSTRATEGY_CRDDIR}/
+
+mv ${TMPDIR}/*.yaml ${COZY_CONTROLLER_CRDDIR}/
--- a/internal/backupcontroller/factory/backupjob.go
+++ b/internal/backupcontroller/factory/backupjob.go
@@ -0,0 +1,28 @@
+package factory
+
+import (
+	"fmt"
+	"time"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func BackupJob(p *backupsv1alpha1.Plan, scheduledFor time.Time) *backupsv1alpha1.BackupJob {
+	job := &backupsv1alpha1.BackupJob{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-%d", p.Name, scheduledFor.Unix()/60),
+			Namespace: p.Namespace,
+		},
+		Spec: backupsv1alpha1.BackupJobSpec{
+			PlanRef: &corev1.LocalObjectReference{
+				Name: p.Name,
+			},
+			ApplicationRef: *p.Spec.ApplicationRef.DeepCopy(),
+			StorageRef:     *p.Spec.StorageRef.DeepCopy(),
+			StrategyRef:    *p.Spec.StrategyRef.DeepCopy(),
+		},
+	}
+	return job
+}
--- a/internal/backupcontroller/jobstrategy_controller.go
+++ b/internal/backupcontroller/jobstrategy_controller.go
@@ -0,0 +1,31 @@
+package backupcontroller
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+)
+
+// BackupJobStrategyReconciler reconciles BackupJob with a strategy referencing
+// Job.strategy.backups.cozystack.io objects.
+type BackupJobStrategyReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *BackupJobStrategyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	_ = log.FromContext(ctx)
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager registers our controller with the Manager and sets up watches.
+func (r *BackupJobStrategyReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&backupsv1alpha1.BackupJob{}).
+		Complete(r)
+}
--- a/internal/backupcontroller/plan_controller.go
+++ b/internal/backupcontroller/plan_controller.go
@@ -0,0 +1,104 @@
+package backupcontroller
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	cron "github.com/robfig/cron/v3"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller/factory"
+)
+
+const (
+	minRequeueDelay         = 30 * time.Second
+	startingDeadlineSeconds = 300 * time.Second
+)
+
+// PlanReconciler reconciles a Plan object
+type PlanReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *PlanReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx)
+
+	log.V(2).Info("reconciling")
+
+	p := &backupsv1alpha1.Plan{}
+
+	if err := r.Get(ctx, client.ObjectKey{Namespace: req.Namespace, Name: req.Name}, p); err != nil {
+		if apierrors.IsNotFound(err) {
+			log.V(3).Info("Plan not found")
+			return ctrl.Result{}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	tCheck := time.Now().Add(-startingDeadlineSeconds)
+	sch, err := cron.ParseStandard(p.Spec.Schedule.Cron)
+	if err != nil {
+		errWrapped := fmt.Errorf("could not parse cron %s: %w", p.Spec.Schedule.Cron, err)
+		log.Error(err, "could not parse cron", "cron", p.Spec.Schedule.Cron)
+		meta.SetStatusCondition(&p.Status.Conditions, metav1.Condition{
+			Type:    backupsv1alpha1.PlanConditionError,
+			Status:  metav1.ConditionTrue,
+			Reason:  "Failed to parse cron spec",
+			Message: errWrapped.Error(),
+		})
+		if err := r.Status().Update(ctx, p); err != nil {
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{}, nil
+	}
+
+	// Clear error condition if cron parsing succeeds
+	if condition := meta.FindStatusCondition(p.Status.Conditions, backupsv1alpha1.PlanConditionError); condition != nil && condition.Status == metav1.ConditionTrue {
+		meta.SetStatusCondition(&p.Status.Conditions, metav1.Condition{
+			Type:    backupsv1alpha1.PlanConditionError,
+			Status:  metav1.ConditionFalse,
+			Reason:  "Cron spec is valid",
+			Message: "The cron schedule has been successfully parsed",
+		})
+		if err := r.Status().Update(ctx, p); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
+	tNext := sch.Next(tCheck)
+
+	if time.Now().Before(tNext) {
+		return ctrl.Result{RequeueAfter: tNext.Sub(time.Now())}, nil
+	}
+
+	job := factory.BackupJob(p, tNext)
+	if err := controllerutil.SetControllerReference(p, job, r.Scheme); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	if err := r.Create(ctx, job); err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			return ctrl.Result{RequeueAfter: startingDeadlineSeconds}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	return ctrl.Result{RequeueAfter: startingDeadlineSeconds}, nil
+}
+
+// SetupWithManager registers our controller with the Manager and sets up watches.
+func (r *PlanReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&backupsv1alpha1.Plan{}).
+		Complete(r)
+}
--- a/internal/controller/dashboard/customformsoverride.go
+++ b/internal/controller/dashboard/customformsoverride.go
@@ -105,8 +105,26 @@ func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
 		"properties": map[string]any{},
 	}

+	// Check if there's a spec property
+	specProp, ok := props["spec"].(map[string]any)
+	if !ok {
+		return map[string]any{}, nil
+	}
+
+	specProps, ok := specProp["properties"].(map[string]any)
+	if !ok {
+		return map[string]any{}, nil
+	}
+
+	// Create spec.properties structure in schema
+	schemaProps := schema["properties"].(map[string]any)
+	specSchema := map[string]any{
+		"properties": map[string]any{},
+	}
+	schemaProps["spec"] = specSchema
+
 	// Process spec properties recursively
-	processSpecProperties(props, schema["properties"].(map[string]any))
+	processSpecProperties(specProps, specSchema["properties"].(map[string]any))

 	return schema, nil
 }
--- a/internal/controller/dashboard/customformsoverride_test.go
+++ b/internal/controller/dashboard/customformsoverride_test.go
@@ -9,41 +9,46 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 	// Test OpenAPI schema with various field types
 	openAPISchema := `{
 		"properties": {
-			"simpleString": {
-				"type": "string",
-				"description": "A simple string field"
-			},
-			"stringWithEnum": {
-				"type": "string",
-				"enum": ["option1", "option2"],
-				"description": "String with enum should be skipped"
-			},
-			"numberField": {
-				"type": "number",
-				"description": "Number field should be skipped"
-			},
-			"nestedObject": {
+			"spec": {
 				"type": "object",
 				"properties": {
-					"nestedString": {
+					"simpleString": {
 						"type": "string",
-						"description": "Nested string should get multilineString"
+						"description": "A simple string field"
 					},
-					"nestedStringWithEnum": {
+					"stringWithEnum": {
 						"type": "string",
-						"enum": ["a", "b"],
-						"description": "Nested string with enum should be skipped"
-					}
-				}
-			},
-			"arrayOfObjects": {
-				"type": "array",
-				"items": {
-					"type": "object",
-					"properties": {
-						"itemString": {
-							"type": "string",
-							"description": "String in array item"
+						"enum": ["option1", "option2"],
+						"description": "String with enum should be skipped"
+					},
+					"numberField": {
+						"type": "number",
+						"description": "Number field should be skipped"
+					},
+					"nestedObject": {
+						"type": "object",
+						"properties": {
+							"nestedString": {
+								"type": "string",
+								"description": "Nested string should get multilineString"
+							},
+							"nestedStringWithEnum": {
+								"type": "string",
+								"enum": ["a", "b"],
+								"description": "Nested string with enum should be skipped"
+							}
+						}
+					},
+					"arrayOfObjects": {
+						"type": "array",
+						"items": {
+							"type": "object",
+							"properties": {
+								"itemString": {
+									"type": "string",
+									"description": "String in array item"
+								}
+							}
 						}
 					}
 				}
@@ -70,33 +75,44 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 		t.Fatal("schema.properties is not a map")
 	}

-	// Check simpleString
-	simpleString, ok := props["simpleString"].(map[string]any)
+	// Check spec property exists
+	spec, ok := props["spec"].(map[string]any)
 	if !ok {
-		t.Fatal("simpleString not found in properties")
+		t.Fatal("spec not found in properties")
+	}
+
+	specProps, ok := spec["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("spec.properties is not a map")
+	}
+
+	// Check simpleString
+	simpleString, ok := specProps["simpleString"].(map[string]any)
+	if !ok {
+		t.Fatal("simpleString not found in spec.properties")
 	}
 	if simpleString["type"] != "multilineString" {
 		t.Errorf("simpleString should have type multilineString, got %v", simpleString["type"])
 	}

 	// Check stringWithEnum should not be present (or should not have multilineString)
-	if stringWithEnum, ok := props["stringWithEnum"].(map[string]any); ok {
+	if stringWithEnum, ok := specProps["stringWithEnum"].(map[string]any); ok {
 		if stringWithEnum["type"] == "multilineString" {
 			t.Error("stringWithEnum should not have multilineString type")
 		}
 	}

 	// Check numberField should not be present
-	if numberField, ok := props["numberField"].(map[string]any); ok {
+	if numberField, ok := specProps["numberField"].(map[string]any); ok {
 		if numberField["type"] != nil {
 			t.Error("numberField should not have any type override")
 		}
 	}

 	// Check nested object
-	nestedObject, ok := props["nestedObject"].(map[string]any)
+	nestedObject, ok := specProps["nestedObject"].(map[string]any)
 	if !ok {
-		t.Fatal("nestedObject not found in properties")
+		t.Fatal("nestedObject not found in spec.properties")
 	}
 	nestedProps, ok := nestedObject["properties"].(map[string]any)
 	if !ok {
@@ -113,9 +129,9 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 	}

 	// Check array of objects
-	arrayOfObjects, ok := props["arrayOfObjects"].(map[string]any)
+	arrayOfObjects, ok := specProps["arrayOfObjects"].(map[string]any)
 	if !ok {
-		t.Fatal("arrayOfObjects not found in properties")
+		t.Fatal("arrayOfObjects not found in spec.properties")
 	}
 	items, ok := arrayOfObjects["items"].(map[string]any)
 	if !ok {
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:b7633717cd7449c0042ae92d8ca9b36e4d69566561f5c7d44e21058e7d05c6d5
+ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:e0a07082bb6fc6aeaae2315f335386f1705a646c72f9e0af512aebbca5cb2b15
--- a/packages/apps/kubernetes/.helmignore
+++ b/packages/apps/kubernetes/.helmignore
@@ -1,3 +1,4 @@
 .helmignore
 /logos
 /Makefile
+/hack
--- a/packages/apps/kubernetes/Makefile
+++ b/packages/apps/kubernetes/Makefile
@@ -6,9 +6,12 @@ include ../../../scripts/package.mk

 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
-	yq -o=json -i '.properties.version.enum = (load("files/versions.yaml") | keys)' values.schema.json
 	../../../hack/update-crd.sh

+update:
+	hack/update-versions.sh
+	make generate
+
 image: image-ubuntu-container-disk image-kubevirt-cloud-provider image-kubevirt-csi-driver image-cluster-autoscaler

 image-ubuntu-container-disk:
--- a/packages/apps/kubernetes/README.md
+++ b/packages/apps/kubernetes/README.md
@@ -104,7 +104,7 @@ See the reference for components utilized in this service:
 | `nodeGroups[name].resources.memory` | Memory (RAM) available.                                                                        | `quantity`          | `""`        |
 | `nodeGroups[name].gpus`             | List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).                            | `[]object`          | `[]`        |
 | `nodeGroups[name].gpus[i].name`     | Name of GPU, such as "nvidia.com/AD102GL_L40S".                                                | `string`            | `""`        |
-| `version`                           | Kubernetes version (vMAJOR.MINOR). Supported: 1.28–1.33.                                     | `string`            | `v1.33`     |
+| `version`                           | Kubernetes major.minor version to deploy                                                       | `string`            | `v1.33`     |
 | `host`                              | External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty. | `string`            | `""`        |


--- a/packages/apps/kubernetes/files/versions.yaml
+++ b/packages/apps/kubernetes/files/versions.yaml
@@ -1,6 +1,6 @@
-"v1.28": "v1.28.15"
-"v1.29": "v1.29.15"
-"v1.30": "v1.30.14"
-"v1.31": "v1.31.10"
-"v1.32": "v1.32.6"
 "v1.33": "v1.33.0"
+"v1.32": "v1.32.10"
+"v1.31": "v1.31.14"
+"v1.30": "v1.30.14"
+"v1.29": "v1.29.15"
+"v1.28": "v1.28.15"
--- a/packages/apps/kubernetes/hack/update-versions.sh
+++ b/packages/apps/kubernetes/hack/update-versions.sh
@@ -0,0 +1,260 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+KUBERNETES_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+VALUES_FILE="${KUBERNETES_DIR}/values.yaml"
+VERSIONS_FILE="${KUBERNETES_DIR}/files/versions.yaml"
+MAKEFILE="${KUBERNETES_DIR}/Makefile"
+KAMAJI_DOCKERFILE="${KUBERNETES_DIR}/../../system/kamaji/images/kamaji/Dockerfile"
+
+# Check if skopeo is installed
+if ! command -v skopeo &> /dev/null; then
+    echo "Error: skopeo is not installed. Please install skopeo and try again." >&2
+    exit 1
+fi
+
+# Check if jq is installed
+if ! command -v jq &> /dev/null; then
+    echo "Error: jq is not installed. Please install jq and try again." >&2
+    exit 1
+fi
+
+# Get kamaji version from Dockerfile
+echo "Reading kamaji version from Dockerfile..."
+if [ ! -f "$KAMAJI_DOCKERFILE" ]; then
+    echo "Error: Kamaji Dockerfile not found at $KAMAJI_DOCKERFILE" >&2
+    exit 1
+fi
+
+KAMAJI_VERSION=$(grep "^ARG VERSION=" "$KAMAJI_DOCKERFILE" | cut -d= -f2 | tr -d '"')
+if [ -z "$KAMAJI_VERSION" ]; then
+    echo "Error: Could not extract kamaji version from Dockerfile" >&2
+    exit 1
+fi
+
+echo "Kamaji version: $KAMAJI_VERSION"
+
+# Get Kubernetes version from kamaji repository
+echo "Fetching Kubernetes version from kamaji repository..."
+KUBERNETES_VERSION_FROM_KAMAJI=$(curl -sSL "https://raw.githubusercontent.com/clastix/kamaji/${KAMAJI_VERSION}/internal/upgrade/kubeadm_version.go" | grep "KubeadmVersion" | sed -E 's/.*KubeadmVersion = "([^"]+)".*/\1/')
+
+if [ -z "$KUBERNETES_VERSION_FROM_KAMAJI" ]; then
+    echo "Error: Could not fetch Kubernetes version from kamaji repository" >&2
+    exit 1
+fi
+
+echo "Kubernetes version from kamaji: $KUBERNETES_VERSION_FROM_KAMAJI"
+
+# Extract major.minor version (e.g., "1.33" from "v1.33.0")
+KUBERNETES_MAJOR_MINOR=$(echo "$KUBERNETES_VERSION_FROM_KAMAJI" | sed -E 's/v([0-9]+)\.([0-9]+)\.[0-9]+/\1.\2/')
+KUBERNETES_MAJOR=$(echo "$KUBERNETES_MAJOR_MINOR" | cut -d. -f1)
+KUBERNETES_MINOR=$(echo "$KUBERNETES_MAJOR_MINOR" | cut -d. -f2)
+
+echo "Kubernetes major.minor: $KUBERNETES_MAJOR_MINOR"
+
+# Get available image tags
+echo "Fetching available image tags from registry..."
+AVAILABLE_TAGS=$(skopeo list-tags docker://registry.k8s.io/kube-apiserver | jq -r '.Tags[] | select(test("^v[0-9]+\\.[0-9]+\\.[0-9]+$"))' | sort -V)
+
+if [ -z "$AVAILABLE_TAGS" ]; then
+    echo "Error: Could not fetch available image tags" >&2
+    exit 1
+fi
+
+# Filter out versions higher than KUBERNETES_VERSION_FROM_KAMAJI
+echo "Filtering versions above ${KUBERNETES_VERSION_FROM_KAMAJI}..."
+FILTERED_TAGS=$(echo "$AVAILABLE_TAGS" | while read tag; do
+    if [ -n "$tag" ]; then
+        # Compare tag with KUBERNETES_VERSION_FROM_KAMAJI using version sort
+        # Include tag if it's less than or equal to KUBERNETES_VERSION_FROM_KAMAJI
+        if [ "$(printf '%s\n%s\n' "$tag" "$KUBERNETES_VERSION_FROM_KAMAJI" | sort -V | head -1)" = "$tag" ] || [ "$tag" = "$KUBERNETES_VERSION_FROM_KAMAJI" ]; then
+            echo "$tag"
+        fi
+    fi
+done)
+
+if [ -z "$FILTERED_TAGS" ]; then
+    echo "Error: No versions found after filtering" >&2
+    exit 1
+fi
+
+AVAILABLE_TAGS="$FILTERED_TAGS"
+echo "Filtered to $(echo "$AVAILABLE_TAGS" | wc -l | tr -d ' ') versions"
+
+# Find the latest patch version for the supported major.minor version
+echo "Finding latest patch version for ${KUBERNETES_MAJOR_MINOR}..."
+SUPPORTED_PATCH_TAGS=$(echo "$AVAILABLE_TAGS" | grep "^v${KUBERNETES_MAJOR}\\.${KUBERNETES_MINOR}\\.")
+if [ -z "$SUPPORTED_PATCH_TAGS" ]; then
+    echo "Error: Could not find any patch versions for ${KUBERNETES_MAJOR_MINOR}" >&2
+    exit 1
+fi
+KUBERNETES_VERSION=$(echo "$SUPPORTED_PATCH_TAGS" | tail -n1)
+echo "Using latest patch version: $KUBERNETES_VERSION"
+
+# Build versions map: major.minor -> latest patch version
+# First, collect all unique major.minor versions from available tags
+echo "Collecting all available major.minor versions..."
+ALL_MAJOR_MINOR_VERSIONS=$(echo "$AVAILABLE_TAGS" | sed -E 's/v([0-9]+)\.([0-9]+)\.[0-9]+/v\1.\2/' | sort -V -u)
+
+# Find the position of the supported version in the sorted list
+SUPPORTED_MAJOR_MINOR="v${KUBERNETES_MAJOR}.${KUBERNETES_MINOR}"
+echo "Looking for supported version: $SUPPORTED_MAJOR_MINOR"
+
+# Get all versions that are <= supported version
+# Create a temporary file for filtering
+TEMP_VERSIONS=$(mktemp)
+
+echo "$ALL_MAJOR_MINOR_VERSIONS" | while read version; do
+    # Compare versions using sort -V (version sort)
+    # If version <= supported, include it
+    if [ "$(printf '%s\n%s\n' "$version" "$SUPPORTED_MAJOR_MINOR" | sort -V | head -1)" = "$version" ] || [ "$version" = "$SUPPORTED_MAJOR_MINOR" ]; then
+        echo "$version"
+    fi
+done > "$TEMP_VERSIONS"
+
+# Get the supported version and 5 previous versions (total 6 versions)
+# First, find the position of supported version
+SUPPORTED_POS=$(grep -n "^${SUPPORTED_MAJOR_MINOR}$" "$TEMP_VERSIONS" | cut -d: -f1)
+
+if [ -z "$SUPPORTED_POS" ]; then
+    echo "Error: Supported version $SUPPORTED_MAJOR_MINOR not found in available versions" >&2
+    exit 1
+fi
+
+# Calculate start position (5 versions before supported, or from beginning if less than 5 available)
+TOTAL_LINES=$(wc -l < "$TEMP_VERSIONS" | tr -d ' ')
+START_POS=$((SUPPORTED_POS - 5))
+if [ $START_POS -lt 1 ]; then
+    START_POS=1
+fi
+
+# Extract versions from START_POS to SUPPORTED_POS (inclusive)
+CANDIDATE_VERSIONS=$(sed -n "${START_POS},${SUPPORTED_POS}p" "$TEMP_VERSIONS")
+
+if [ -z "$CANDIDATE_VERSIONS" ]; then
+    echo "Error: Could not find supported version $SUPPORTED_MAJOR_MINOR in available versions" >&2
+    exit 1
+fi
+
+declare -A VERSION_MAP
+VERSIONS=()
+
+# Process each candidate version
+for major_minor_key in $CANDIDATE_VERSIONS; do
+    # Extract major and minor for matching
+    major=$(echo "$major_minor_key" | sed -E 's/v([0-9]+)\.([0-9]+)/\1/')
+    minor=$(echo "$major_minor_key" | sed -E 's/v([0-9]+)\.([0-9]+)/\2/')
+    
+    # Find all tags that match this major.minor version
+    matching_tags=$(echo "$AVAILABLE_TAGS" | grep "^v${major}\\.${minor}\\.")
+    
+    if [ -n "$matching_tags" ]; then
+        # Get the latest patch version for this major.minor version
+        latest_tag=$(echo "$matching_tags" | tail -n1)
+        
+        VERSION_MAP["${major_minor_key}"]="${latest_tag}"
+        VERSIONS+=("${major_minor_key}")
+        echo "Found version: ${major_minor_key} -> ${latest_tag}"
+    fi
+done
+
+if [ ${#VERSIONS[@]} -eq 0 ]; then
+    echo "Error: No matching versions found" >&2
+    exit 1
+fi
+
+# Sort versions in descending order (newest first)
+IFS=$'\n' VERSIONS=($(printf '%s\n' "${VERSIONS[@]}" | sort -V -r))
+unset IFS
+
+echo "Versions to add: ${VERSIONS[*]}"
+
+# Create/update versions.yaml file
+echo "Updating $VERSIONS_FILE..."
+{
+    for ver in "${VERSIONS[@]}"; do
+        echo "\"${ver}\": \"${VERSION_MAP[$ver]}\""
+    done
+} > "$VERSIONS_FILE"
+
+echo "Successfully updated $VERSIONS_FILE"
+
+# Update values.yaml - enum with major.minor versions only
+TEMP_FILE=$(mktemp)
+trap "rm -f $TEMP_FILE $TEMP_VERSIONS" EXIT
+
+# Build new version section
+NEW_VERSION_SECTION="## @enum {string} Version"
+for ver in "${VERSIONS[@]}"; do
+    NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+## @value $ver"
+done
+NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+
+## @param {Version} version - Kubernetes major.minor version to deploy
+version: \"${VERSIONS[0]}\""
+
+# Check if version section already exists
+if grep -q "^## @enum {string} Version" "$VALUES_FILE"; then
+    # Version section exists, update it using awk
+    echo "Updating existing version section in $VALUES_FILE..."
+    
+    # Use awk to replace the section from "## @enum {string} Version" to "version: " (inclusive)
+    # Delete the old section and insert the new one
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @enum {string} Version/ {
+            in_section = 1
+            print new_section
+            next
+        }
+        in_section && /^version: / {
+            in_section = 0
+            next
+        }
+        in_section {
+            next
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+else
+    # Version section doesn't exist, insert it before Application-specific parameters section
+    echo "Inserting new version section in $VALUES_FILE..."
+    
+    # Use awk to insert before "## @section Application-specific parameters"
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @section Application-specific parameters/ {
+            print new_section
+            print ""
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+fi
+
+echo "Successfully updated $VALUES_FILE with versions: ${VERSIONS[*]}"
+
+# Update KUBERNETES_VERSION in Makefile
+# Extract major.minor from KUBERNETES_VERSION (e.g., "v1.33" from "v1.33.4")
+KUBERNETES_MAJOR_MINOR_FOR_MAKEFILE=$(echo "$KUBERNETES_VERSION" | sed -E 's/v([0-9]+)\.([0-9]+)\.[0-9]+/v\1.\2/')
+
+if grep -q "^KUBERNETES_VERSION" "$MAKEFILE"; then
+    # Update existing KUBERNETES_VERSION line using awk
+    echo "Updating KUBERNETES_VERSION in $MAKEFILE..."
+    awk -v new_version="${KUBERNETES_MAJOR_MINOR_FOR_MAKEFILE}" '
+        /^KUBERNETES_VERSION = / {
+            print "KUBERNETES_VERSION = " new_version
+            next
+        }
+        { print }
+    ' "$MAKEFILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$MAKEFILE"
+    echo "Successfully updated KUBERNETES_VERSION in $MAKEFILE to ${KUBERNETES_MAJOR_MINOR_FOR_MAKEFILE}"
+else
+    echo "Warning: KUBERNETES_VERSION not found in $MAKEFILE" >&2
+fi
+
--- a/packages/apps/kubernetes/templates/delete.yaml
+++ b/packages/apps/kubernetes/templates/delete.yaml
@@ -3,12 +3,15 @@ apiVersion: batch/v1
 kind: Job
 metadata:
  annotations:
-    "helm.sh/hook": post-delete
+    "helm.sh/hook": pre-delete
    "helm.sh/hook-weight": "10"
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-  name: {{ .Release.Name }}-cleanup
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+  name: {{ .Release.Name }}-pre-cleanup
 spec:
  template:
+    metadata:
+      labels:
+        policy.cozystack.io/allow-to-apiserver: "true"
    spec:
      serviceAccountName: {{ .Release.Name }}-cleanup
      restartPolicy: Never
@@ -24,15 +27,43 @@ spec:
          command:
            - /bin/sh
            - -c
-            - kubectl -n {{ .Release.Namespace }} delete datavolumes
-              -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}"
-              --ignore-not-found=true
+            - |
+              set -e
+              echo "Step 1: Suspending all HelmReleases with label cozystack.io/target-cluster-name={{ .Release.Name }}"
+              for hr in $(kubectl -n {{ .Release.Namespace }} get helmreleases.helm.toolkit.fluxcd.io -l "cozystack.io/target-cluster-name={{ .Release.Name }}" -o name 2>/dev/null || true); do
+                if [ -n "$hr" ]; then           
+                  echo "  Suspending $hr"
+                  kubectl -n {{ .Release.Namespace }} patch "$hr" \
+                    -p '{"spec": {"suspend": true}}' \
+                    --type=merge --field-manager=flux-client-side-apply
+                fi
+              done

-              kubectl -n {{ .Release.Namespace }} delete services
-              -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}"
-              --field-selector spec.type=LoadBalancer
-              --ignore-not-found=true
+              echo "Step 2: Deleting HelmReleases with label cozystack.io/target-cluster-name={{ .Release.Name }}"
+              kubectl -n {{ .Release.Namespace }} delete helmreleases.helm.toolkit.fluxcd.io \
+                -l "cozystack.io/target-cluster-name={{ .Release.Name }}" \
+                --ignore-not-found=true --wait=true

+              echo "Step 3: Deleting KamajiControlPlane {{ .Release.Name }}"
+              kubectl -n {{ .Release.Namespace }} delete kamajicontrolplanes.controlplane.cluster.x-k8s.io {{ .Release.Name }} \
+                --ignore-not-found=true
+
+              echo "Step 4: Deleting TenantControlPlane {{ .Release.Name }}"
+              kubectl -n {{ .Release.Namespace }} delete tenantcontrolplanes.kamaji.clastix.io {{ .Release.Name }} \
+                --ignore-not-found=true
+
+              echo "Step 5: Cleaning up DataVolumes"
+              kubectl -n {{ .Release.Namespace }} delete datavolumes \
+                -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}" \
+                --ignore-not-found=true
+
+              echo "Step 6: Cleaning up LoadBalancer Services"
+              kubectl -n {{ .Release.Namespace }} delete services \
+                -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}" \
+                --field-selector spec.type=LoadBalancer \
+                --ignore-not-found=true
+
+              echo "Cleanup completed successfully"

 ---
 apiVersion: v1
@@ -40,19 +71,47 @@ kind: ServiceAccount
 metadata:
  name: {{ .Release.Name }}-cleanup
  annotations:
-    helm.sh/hook: post-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
    helm.sh/hook-weight: "0"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  annotations:
-    "helm.sh/hook": post-delete
+    "helm.sh/hook": pre-delete
    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
    "helm.sh/hook-weight": "5"
  name: {{ .Release.Name }}-cleanup
 rules:
+  - apiGroups:
+      - "helm.toolkit.fluxcd.io"
+    resources:
+      - helmreleases
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - delete
+  - apiGroups:
+      - "controlplane.cluster.x-k8s.io"
+    resources:
+      - kamajicontrolplanes
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+  - apiGroups:
+      - "kamaji.clastix.io"
+    resources:
+      - tenantcontrolplanes
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
  - apiGroups:
      - "cdi.kubevirt.io"
    resources:
@@ -60,6 +119,7 @@ rules:
    verbs:
      - get
      - list
+      - watch
      - delete
  - apiGroups:
      - ""
@@ -68,13 +128,14 @@ rules:
    verbs:
      - get
      - list
+      - watch
      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  annotations:
-    "helm.sh/hook": post-delete
+    "helm.sh/hook": pre-delete
    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
    "helm.sh/hook-weight": "5"
  name: {{ .Release.Name }}-cleanup
@@ -86,4 +147,3 @@ subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-cleanup
    namespace: {{ .Release.Namespace }}
-
--- a/packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml
@@ -45,8 +45,6 @@ spec:
  - name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
  {{- end }}
-  - name: {{ .Release.Name }}-cilium
-    namespace: {{ .Release.Namespace }}
 {{- if .Values.addons.certManager.valuesOverride }}
 ---
 apiVersion: v1
--- a/packages/apps/kubernetes/templates/helmreleases/csi.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/csi.yaml
@@ -37,6 +37,8 @@ spec:
  dependsOn:
  - name: {{ .Release.Name }}-vsnap-crd
    namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
  - name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
--- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml
@@ -1,104 +0,0 @@
---
-apiVersion: batch/v1
-kind: Job
-metadata:
-  annotations:
-    "helm.sh/hook": pre-delete
-    "helm.sh/hook-weight": "10"
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-  name: {{ .Release.Name }}-flux-teardown
-spec:
-  template:
-    spec:
-      serviceAccountName: {{ .Release.Name }}-flux-teardown
-      restartPolicy: Never
-      tolerations:
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: "NoSchedule"
-      containers:
-        - name: kubectl
-          image: docker.io/clastix/kubectl:v1.32
-          command:
-            - /bin/sh
-            - -c
-            - >-
-              kubectl
-              --namespace={{ .Release.Namespace }}
-              patch
-              helmrelease
-              {{ .Release.Name }}-cilium
-              {{ .Release.Name }}-gateway-api-crds
-              {{ .Release.Name }}-csi
-              {{ .Release.Name }}-cert-manager
-              {{ .Release.Name }}-cert-manager-crds
-              {{ .Release.Name }}-vertical-pod-autoscaler
-              {{ .Release.Name }}-vertical-pod-autoscaler-crds
-              {{ .Release.Name }}-ingress-nginx
-              {{ .Release.Name }}-fluxcd-operator
-              {{ .Release.Name }}-fluxcd
-              {{ .Release.Name }}-gpu-operator
-              {{ .Release.Name }}-velero
-              {{ .Release.Name }}-coredns
-              -p '{"spec": {"suspend": true}}'
-              --type=merge --field-manager=flux-client-side-apply || true
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Release.Name }}-flux-teardown
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
-    helm.sh/hook-weight: "0"
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  annotations:
-    "helm.sh/hook": pre-install,post-install,pre-delete
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-    "helm.sh/hook-weight": "5"
-  name: {{ .Release.Name }}-flux-teardown
-rules:
-  - apiGroups:
-      - "helm.toolkit.fluxcd.io"
-    resources:
-      - helmreleases
-    verbs:
-      - get
-      - patch
-    resourceNames:
-      - {{ .Release.Name }}-cilium
-      - {{ .Release.Name }}-csi
-      - {{ .Release.Name }}-cert-manager
-      - {{ .Release.Name }}-cert-manager-crds
-      - {{ .Release.Name }}-gateway-api-crds
-      - {{ .Release.Name }}-vertical-pod-autoscaler
-      - {{ .Release.Name }}-vertical-pod-autoscaler-crds
-      - {{ .Release.Name }}-ingress-nginx
-      - {{ .Release.Name }}-fluxcd-operator
-      - {{ .Release.Name }}-fluxcd
-      - {{ .Release.Name }}-gpu-operator
-      - {{ .Release.Name }}-velero
-      - {{ .Release.Name }}-coredns
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
-    helm.sh/hook-weight: "5"
-  name: {{ .Release.Name }}-flux-teardown
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .Release.Name }}-flux-teardown
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Release.Name }}-flux-teardown
-    namespace: {{ .Release.Namespace }}
--- a/packages/apps/kubernetes/templates/helmreleases/metrics-server.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/metrics-server.yaml
@@ -0,0 +1,42 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-metrics-server
+  labels:
+    cozystack.io/repository: system
+    cozystack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  releaseName: metrics-server
+  chart:
+    spec:
+      chart: cozy-metrics-server
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-admin-kubeconfig
+      key: super-admin.svc
+  targetNamespace: cozy-monitoring
+  storageNamespace: cozy-monitoring
+  interval: 5m
+  timeout: 10m
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-prometheus-operator-crds
+    namespace: {{ .Release.Namespace }}
--- a/packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml
@@ -44,6 +44,10 @@ spec:
    namespace: {{ .Release.Namespace }}
  - name: {{ .Release.Name }}-vertical-pod-autoscaler-crds
    namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-prometheus-operator-crds
+    namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-metrics-server
+    namespace: {{ .Release.Namespace }}
  values:
    vmagent:
      externalLabels:
--- a/packages/apps/kubernetes/templates/helmreleases/prometheus-operator-crds.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/prometheus-operator-crds.yaml
@@ -0,0 +1,37 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-prometheus-operator-crds
+  labels:
+    cozystack.io/repository: system
+    cozystack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  releaseName: prometheus-operator-crds
+  chart:
+    spec:
+      chart: cozy-prometheus-operator-crds
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-admin-kubeconfig
+      key: super-admin.svc
+  targetNamespace: cozy-victoria-metrics-operator
+  storageNamespace: cozy-victoria-metrics-operator
+  interval: 5m
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
--- a/packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler-crds.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler-crds.yaml
@@ -37,6 +37,4 @@ spec:
  - name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
  {{- end }}
-  - name: {{ .Release.Name }}-cilium
-    namespace: {{ .Release.Namespace }}
 {{- end }}
--- a/packages/apps/kubernetes/templates/helmreleases/volumesnapshot-crd.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/volumesnapshot-crd.yaml
@@ -37,5 +37,3 @@ spec:
  - name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
  {{- end }}
-  - name: {{ .Release.Name }}-cilium
-    namespace: {{ .Release.Namespace }}
--- a/packages/apps/kubernetes/values.schema.json
+++ b/packages/apps/kubernetes/values.schema.json
@@ -492,7 +492,7 @@
      }
    },
    "host": {
-      "description": "External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty.",
+      "description": "External hostname for Kubernetes cluster. Defaults to `\u003ccluster-name\u003e.\u003ctenant-host\u003e` if empty.",
      "type": "string",
      "default": ""
    },
@@ -615,17 +615,17 @@
      "default": "replicated"
    },
    "version": {
-      "description": "Kubernetes version (vMAJOR.MINOR). Supported: 1.28–1.33.",
+      "description": "Kubernetes major.minor version to deploy",
      "type": "string",
      "default": "v1.33",
      "enum": [
-        "v1.28",
-        "v1.29",
-        "v1.30",
-        "v1.31",
+        "v1.33",
        "v1.32",
-        "v1.33"
+        "v1.31",
+        "v1.30",
+        "v1.29",
+        "v1.28"
      ]
    }
  }
-}
+}
--- a/packages/apps/kubernetes/values.yaml
+++ b/packages/apps/kubernetes/values.yaml
@@ -46,9 +46,19 @@ nodeGroups:
    resources: {}
    gpus: []

-## @param {string} version - Kubernetes version (vMAJOR.MINOR). Supported: 1.28–1.33.
+##
+## @enum {string} Version
+## @value v1.33
+## @value v1.32
+## @value v1.31
+## @value v1.30
+## @value v1.29
+## @value v1.28
+
+## @param {Version} version - Kubernetes major.minor version to deploy
 version: "v1.33"

+
 ## @param {string} host - External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty.
 host: ""

--- a/packages/apps/mysql/.helmignore
+++ b/packages/apps/mysql/.helmignore
@@ -1,3 +1,4 @@
 .helmignore
 /logos
 /Makefile
+/hack
--- a/packages/apps/mysql/Makefile
+++ b/packages/apps/mysql/Makefile
@@ -7,6 +7,10 @@ generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
 	../../../hack/update-crd.sh

+update:
+	hack/update-versions.sh
+	make generate
+
 image:
 	docker buildx build images/mariadb-backup \
 		--tag $(REGISTRY)/mariadb-backup:$(call settag,$(MARIADB_BACKUP_TAG)) \
--- a/packages/apps/mysql/README.md
+++ b/packages/apps/mysql/README.md
@@ -79,6 +79,7 @@ more details:
 | `size`             | Persistent Volume Claim size available for application data.                                                                      | `quantity` | `10Gi`  |
 | `storageClass`     | StorageClass used to store the data.                                                                                              | `string`   | `""`    |
 | `external`         | Enable external access from outside the cluster.                                                                                  | `bool`     | `false` |
+| `version`          | MariaDB major.minor version to deploy                                                                                             | `string`   | `v11.8` |


 ### Application-specific parameters
--- a/packages/apps/mysql/files/versions.yaml
+++ b/packages/apps/mysql/files/versions.yaml
@@ -0,0 +1,4 @@
+"v11.8": "11.8.5"
+"v11.4": "11.4.9"
+"v10.11": "10.11.15"
+"v10.6": "10.6.24"
--- a/packages/apps/mysql/hack/update-versions.sh
+++ b/packages/apps/mysql/hack/update-versions.sh
@@ -0,0 +1,151 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+MYSQL_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+VALUES_FILE="${MYSQL_DIR}/values.yaml"
+VERSIONS_FILE="${MYSQL_DIR}/files/versions.yaml"
+MARIADB_API_URL="https://downloads.mariadb.org/rest-api/mariadb/"
+
+# Check if jq is installed
+if ! command -v jq &> /dev/null; then
+    echo "Error: jq is not installed. Please install jq and try again." >&2
+    exit 1
+fi
+
+# Get LTS versions from MariaDB REST API
+echo "Fetching LTS versions from MariaDB REST API..."
+LTS_VERSIONS_JSON=$(curl -sSL "${MARIADB_API_URL}")
+
+if [ -z "$LTS_VERSIONS_JSON" ]; then
+    echo "Error: Could not fetch versions from MariaDB REST API" >&2
+    exit 1
+fi
+
+# Extract LTS stable major versions
+LTS_MAJOR_VERSIONS=$(echo "$LTS_VERSIONS_JSON" | jq -r '.major_releases[] | select(.release_support_type == "Long Term Support") | select(.release_status == "Stable") | .release_id' | sort -V -r)
+
+if [ -z "$LTS_MAJOR_VERSIONS" ]; then
+    echo "Error: Could not find any LTS stable versions" >&2
+    exit 1
+fi
+
+echo "Found LTS major versions: $(echo "$LTS_MAJOR_VERSIONS" | tr '\n' ' ')"
+
+# Build versions map: major version -> latest patch version
+declare -A VERSION_MAP
+MAJOR_VERSIONS=()
+
+for major_version in $LTS_MAJOR_VERSIONS; do
+    echo "Fetching patch versions for ${major_version}..."
+    
+    # Get patch versions for this major version
+    PATCH_VERSIONS_JSON=$(curl -sSL "${MARIADB_API_URL}${major_version}")
+    
+    if [ -z "$PATCH_VERSIONS_JSON" ]; then
+        echo "Warning: Could not fetch patch versions for ${major_version}, skipping..." >&2
+        continue
+    fi
+    
+    # Extract all stable patch version IDs (format: MAJOR.MINOR.PATCH)
+    # Filter only Stable releases
+    PATCH_VERSIONS=$(echo "$PATCH_VERSIONS_JSON" | jq -r --arg major "$major_version" '.releases | to_entries[] | select(.key | startswith($major + ".")) | select(.value.release_status == "Stable") | .key' | sort -V)
+    
+    # If no stable releases found, try to get any releases (for backwards compatibility)
+    if [ -z "$PATCH_VERSIONS" ]; then
+        PATCH_VERSIONS=$(echo "$PATCH_VERSIONS_JSON" | jq -r '.releases | keys[]' | grep -E "^${major_version}\." | sort -V)
+    fi
+    
+    if [ -z "$PATCH_VERSIONS" ]; then
+        echo "Warning: Could not find any patch versions for ${major_version}, skipping..." >&2
+        continue
+    fi
+    
+    # Get the latest patch version
+    LATEST_PATCH=$(echo "$PATCH_VERSIONS" | tail -n1)
+    
+    # major_version already has format MAJOR.MINOR (e.g., "11.8")
+    VERSION_MAP["v${major_version}"]="${LATEST_PATCH}"
+    MAJOR_VERSIONS+=("v${major_version}")
+    echo "Found version: v${major_version} -> ${LATEST_PATCH}"
+done
+
+if [ ${#MAJOR_VERSIONS[@]} -eq 0 ]; then
+    echo "Error: No matching versions found" >&2
+    exit 1
+fi
+
+# Sort major versions in descending order (newest first)
+IFS=$'\n' MAJOR_VERSIONS=($(printf '%s\n' "${MAJOR_VERSIONS[@]}" | sort -V -r))
+unset IFS
+
+echo "Major versions to add: ${MAJOR_VERSIONS[*]}"
+
+# Create/update versions.yaml file
+echo "Updating $VERSIONS_FILE..."
+{
+    for major_ver in "${MAJOR_VERSIONS[@]}"; do
+        echo "\"${major_ver}\": \"${VERSION_MAP[$major_ver]}\""
+    done
+} > "$VERSIONS_FILE"
+
+echo "Successfully updated $VERSIONS_FILE"
+
+# Update values.yaml - enum with major.minor versions only
+TEMP_FILE=$(mktemp)
+trap "rm -f $TEMP_FILE" EXIT
+
+# Build new version section
+NEW_VERSION_SECTION="## @enum {string} Version"
+for major_ver in "${MAJOR_VERSIONS[@]}"; do
+    NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+## @value $major_ver"
+done
+NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+
+## @param {Version} version - MariaDB major.minor version to deploy
+version: ${MAJOR_VERSIONS[0]}"
+
+# Check if version section already exists
+if grep -q "^## @enum {string} Version" "$VALUES_FILE"; then
+    # Version section exists, update it using awk
+    echo "Updating existing version section in $VALUES_FILE..."
+    
+    # Use awk to replace the section from "## @enum {string} Version" to "version: " (inclusive)
+    # Delete the old section and insert the new one
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @enum {string} Version/ {
+            in_section = 1
+            print new_section
+            next
+        }
+        in_section && /^version: / {
+            in_section = 0
+            next
+        }
+        in_section {
+            next
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+else
+    # Version section doesn't exist, insert it before Application-specific parameters section
+    echo "Inserting new version section in $VALUES_FILE..."
+    
+    # Use awk to insert before "## @section Application-specific parameters"
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @section Application-specific parameters/ {
+            print new_section
+            print ""
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+fi
+
+echo "Successfully updated $VALUES_FILE with major.minor versions: ${MAJOR_VERSIONS[*]}"
+
--- a/packages/apps/mysql/templates/_versions.tpl
+++ b/packages/apps/mysql/templates/_versions.tpl
@@ -0,0 +1,8 @@
+{{- define "mysql.versionMap" }}
+{{- $versionMap := .Files.Get "files/versions.yaml" | fromYaml }}
+{{- if not (hasKey $versionMap .Values.version) }}
+    {{- printf `MariaDB version %s is not supported, allowed versions are %s` $.Values.version (keys $versionMap) | fail }}
+{{- end }}
+{{- index $versionMap .Values.version }}
+{{- end }}
+
--- a/packages/apps/mysql/templates/mariadb.yaml
+++ b/packages/apps/mysql/templates/mariadb.yaml
@@ -8,7 +8,7 @@ spec:
    name: {{ .Release.Name }}-credentials
    key: root

-  image: "mariadb:11.0.2"
+  image: "mariadb:{{ include "mysql.versionMap" $ }}"

  port: 3306

--- a/packages/apps/mysql/values.schema.json
+++ b/packages/apps/mysql/values.schema.json
@@ -186,6 +186,17 @@
          }
        }
      }
+    },
+    "version": {
+      "description": "MariaDB major.minor version to deploy",
+      "type": "string",
+      "default": "v11.8",
+      "enum": [
+        "v11.8",
+        "v11.4",
+        "v10.11",
+        "v10.6"
+      ]
    }
  }
 }
--- a/packages/apps/mysql/values.yaml
+++ b/packages/apps/mysql/values.yaml
@@ -33,6 +33,16 @@ storageClass: ""
 ## @param {bool} external - Enable external access from outside the cluster.
 external: false

+##
+## @enum {string} Version
+## @value v11.8
+## @value v11.4
+## @value v10.11
+## @value v10.6
+
+## @param {Version} version - MariaDB major.minor version to deploy
+version: v11.8
+
 ##
 ## @section Application-specific parameters
 ##
--- a/packages/apps/postgres/.helmignore
+++ b/packages/apps/postgres/.helmignore
@@ -1,3 +1,4 @@
 .helmignore
 /logos
 /Makefile
+/hack
--- a/packages/apps/postgres/Makefile
+++ b/packages/apps/postgres/Makefile
@@ -3,3 +3,7 @@ include ../../../scripts/package.mk
 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
 	../../../hack/update-crd.sh
+
+update:
+	hack/update-versions.sh
+	make generate
--- a/packages/apps/postgres/README.md
+++ b/packages/apps/postgres/README.md
@@ -76,6 +76,7 @@ See:
 | `size`             | Persistent Volume Claim size available for application data.                                                                         | `quantity` | `10Gi`  |
 | `storageClass`     | StorageClass used to store the data.                                                                                                 | `string`   | `""`    |
 | `external`         | Enable external access from outside the cluster.                                                                                     | `bool`     | `false` |
+| `version`          | PostgreSQL major version to deploy                                                                                                   | `string`   | `v18`   |


 ### Application-specific parameters
--- a/packages/apps/postgres/files/versions.yaml
+++ b/packages/apps/postgres/files/versions.yaml
@@ -0,0 +1,6 @@
+"v18": "v18.1"
+"v17": "v17.7"
+"v16": "v16.11"
+"v15": "v15.15"
+"v14": "v14.20"
+"v13": "v13.22"
--- a/packages/apps/postgres/hack/update-versions.sh
+++ b/packages/apps/postgres/hack/update-versions.sh
@@ -0,0 +1,138 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+POSTGRES_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+VALUES_FILE="${POSTGRES_DIR}/values.yaml"
+VERSIONS_FILE="${POSTGRES_DIR}/files/versions.yaml"
+
+# Get supported major versions from GitHub README
+echo "Fetching supported major versions from GitHub..."
+SUPPORTED_MAJOR_VERSIONS=$(curl -sSL 'https://raw.githubusercontent.com/cloudnative-pg/postgres-containers/refs/heads/main/README.md' | sed -n '/# CNPG PostgreSQL Container Images/,/#/p' | awk -F' +| +' '$4 ~ /[0-9]+\-[0-9]+\-[0-9]+/ && $6 ~ /[0-9]+\-[0-9]+\-[0-9]+/ {print $2}' | sort -u | xargs)
+
+if [ -z "$SUPPORTED_MAJOR_VERSIONS" ]; then
+    echo "Error: Could not fetch supported major versions" >&2
+    exit 1
+fi
+
+echo "Supported major versions: $SUPPORTED_MAJOR_VERSIONS"
+
+# Check if skopeo is installed
+if ! command -v skopeo &> /dev/null; then
+    echo "Error: skopeo is not installed. Please install skopeo and try again." >&2
+    exit 1
+fi
+
+# Check if jq is installed
+if ! command -v jq &> /dev/null; then
+    echo "Error: jq is not installed. Please install jq and try again." >&2
+    exit 1
+fi
+
+# Get available image tags
+echo "Fetching available image tags from registry..."
+AVAILABLE_TAGS=$(skopeo list-tags docker://ghcr.io/cloudnative-pg/postgresql | jq -r '.Tags[] | select(test("^[0-9]+\\.[0-9]+$"))' | sort -V)
+
+if [ -z "$AVAILABLE_TAGS" ]; then
+    echo "Error: Could not fetch available image tags" >&2
+    exit 1
+fi
+
+# Build versions map: major version -> latest minor version
+declare -A VERSION_MAP
+MAJOR_VERSIONS=()
+
+for major_version in $SUPPORTED_MAJOR_VERSIONS; do
+    # Extract major version number (e.g., "18" from "18.1")
+    major_num=$(echo "$major_version" | cut -d. -f1)
+    
+    # Find all tags that match this major version
+    matching_tags=$(echo "$AVAILABLE_TAGS" | grep "^${major_num}\\.")
+    
+    if [ -n "$matching_tags" ]; then
+        # Get the latest minor version for this major version
+        latest_tag=$(echo "$matching_tags" | tail -n1)
+        VERSION_MAP["v${major_num}"]="v${latest_tag}"
+        MAJOR_VERSIONS+=("v${major_num}")
+        echo "Found version: v${major_num} -> v${latest_tag}"
+    fi
+done
+
+if [ ${#MAJOR_VERSIONS[@]} -eq 0 ]; then
+    echo "Error: No matching versions found" >&2
+    exit 1
+fi
+
+# Sort major versions in descending order (newest first)
+IFS=$'\n' MAJOR_VERSIONS=($(printf '%s\n' "${MAJOR_VERSIONS[@]}" | sort -V -r))
+unset IFS
+
+echo "Major versions to add: ${MAJOR_VERSIONS[*]}"
+
+# Create/update versions.yaml file
+echo "Updating $VERSIONS_FILE..."
+{
+    for major_ver in "${MAJOR_VERSIONS[@]}"; do
+        echo "\"${major_ver}\": \"${VERSION_MAP[$major_ver]}\""
+    done
+} > "$VERSIONS_FILE"
+
+echo "Successfully updated $VERSIONS_FILE"
+
+# Update values.yaml - enum with major versions only
+TEMP_FILE=$(mktemp)
+trap "rm -f $TEMP_FILE" EXIT
+
+# Build new version section
+NEW_VERSION_SECTION="## @enum {string} Version"
+for major_ver in "${MAJOR_VERSIONS[@]}"; do
+    NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+## @value $major_ver"
+done
+NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+
+## @param {Version} version - PostgreSQL major version to deploy
+version: ${MAJOR_VERSIONS[0]}"
+
+# Check if version section already exists
+if grep -q "^## @enum {string} Version" "$VALUES_FILE"; then
+    # Version section exists, update it using awk
+    echo "Updating existing version section in $VALUES_FILE..."
+    
+    # Use awk to replace the section from "## @enum {string} Version" to "version: " (inclusive)
+    # Delete the old section and insert the new one
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @enum {string} Version/ {
+            in_section = 1
+            print new_section
+            next
+        }
+        in_section && /^version: / {
+            in_section = 0
+            next
+        }
+        in_section {
+            next
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+else
+    # Version section doesn't exist, insert it before Application-specific parameters section
+    echo "Inserting new version section in $VALUES_FILE..."
+    
+    # Use awk to insert before "## @section Application-specific parameters"
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @section Application-specific parameters/ {
+            print new_section
+            print ""
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+fi
+
+echo "Successfully updated $VALUES_FILE with major versions: ${MAJOR_VERSIONS[*]}"
--- a/packages/apps/postgres/templates/_versions.tpl
+++ b/packages/apps/postgres/templates/_versions.tpl
@@ -0,0 +1,8 @@
+{{- define "postgres.versionMap" }}
+{{- $versionMap := .Files.Get "files/versions.yaml" | fromYaml }}
+{{- if not (hasKey $versionMap .Values.version) }}
+    {{- printf `PostgreSQL version %s is not supported, allowed versions are %s` $.Values.version (keys $versionMap) | fail }}
+{{- end }}
+{{- index $versionMap .Values.version }}
+{{- end }}
+
--- a/packages/apps/postgres/templates/db.yaml
+++ b/packages/apps/postgres/templates/db.yaml
@@ -44,6 +44,7 @@ spec:

  resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 4 }}

+  imageName: ghcr.io/cloudnative-pg/postgresql:{{ include "postgres.versionMap" $ | trimPrefix "v" }}
  enableSuperuserAccess: true
  {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
  {{- if $configMap }}
--- a/packages/apps/postgres/templates/init-job.yaml
+++ b/packages/apps/postgres/templates/init-job.yaml
@@ -16,7 +16,7 @@ spec:
      restartPolicy: Never
      containers:
      - name: postgres
-        image: ghcr.io/cloudnative-pg/postgresql:15.3
+        image: ghcr.io/cloudnative-pg/postgresql:{{ include "postgres.versionMap" $ | trimPrefix "v" }}
        command:
        - bash
        - /scripts/init.sh
--- a/packages/apps/postgres/values.schema.json
+++ b/packages/apps/postgres/values.schema.json
@@ -243,6 +243,19 @@
          }
        }
      }
+    },
+    "version": {
+      "description": "PostgreSQL major version to deploy",
+      "type": "string",
+      "default": "v18",
+      "enum": [
+        "v18",
+        "v17",
+        "v16",
+        "v15",
+        "v14",
+        "v13"
+      ]
    }
  }
 }
--- a/packages/apps/postgres/values.yaml
+++ b/packages/apps/postgres/values.yaml
@@ -34,6 +34,17 @@ storageClass: ""
 external: false

 ##
+## @enum {string} Version
+## @value v18
+## @value v17
+## @value v16
+## @value v15
+## @value v14
+## @value v13
+
+## @param {Version} version - PostgreSQL major version to deploy
+version: v18
+
 ## @section Application-specific parameters
 ##

--- a/packages/apps/redis/.helmignore
+++ b/packages/apps/redis/.helmignore
@@ -1,3 +1,4 @@
 .helmignore
 /logos
 /Makefile
+/hack
--- a/packages/apps/redis/Makefile
+++ b/packages/apps/redis/Makefile
@@ -3,3 +3,7 @@ include ../../../scripts/package.mk
 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
 	../../../hack/update-crd.sh
+
+update:
+	hack/update-versions.sh
+	make generate
--- a/packages/apps/redis/README.md
+++ b/packages/apps/redis/README.md
@@ -23,6 +23,7 @@ Service utilizes the Spotahome Redis Operator for efficient management and orche
 | `size`             | Persistent Volume Claim size available for application data.                                                                    | `quantity` | `1Gi`   |
 | `storageClass`     | StorageClass used to store the data.                                                                                            | `string`   | `""`    |
 | `external`         | Enable external access from outside the cluster.                                                                                | `bool`     | `false` |
+| `version`          | Redis major version to deploy                                                                                                   | `string`   | `v8`    |


 ### Application-specific parameters
--- a/packages/apps/redis/files/versions.yaml
+++ b/packages/apps/redis/files/versions.yaml
@@ -0,0 +1,2 @@
+"v8": "8.4.0"
+"v7": "7.4.7"
--- a/packages/apps/redis/hack/update-versions.sh
+++ b/packages/apps/redis/hack/update-versions.sh
@@ -0,0 +1,161 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REDIS_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+VALUES_FILE="${REDIS_DIR}/values.yaml"
+VERSIONS_FILE="${REDIS_DIR}/files/versions.yaml"
+REDIS_IMAGE="docker://docker.io/redis"
+
+# Check if skopeo is installed
+if ! command -v skopeo &> /dev/null; then
+    echo "Error: skopeo is not installed. Please install skopeo and try again." >&2
+    exit 1
+fi
+
+# Check if jq is installed
+if ! command -v jq &> /dev/null; then
+    echo "Error: jq is not installed. Please install jq and try again." >&2
+    exit 1
+fi
+
+# Get available image tags
+echo "Fetching available image tags from registry..."
+AVAILABLE_TAGS=$(skopeo list-tags "${REDIS_IMAGE}" | jq -r '.Tags[] | select(test("^[0-9]+\\.[0-9]+\\.[0-9]+$"))' | sort -V)
+
+if [ -z "$AVAILABLE_TAGS" ]; then
+    echo "Error: Could not fetch available image tags" >&2
+    exit 1
+fi
+
+# Get all unique major versions and find Latest and Previous
+echo "Finding Latest and Previous major versions..."
+ALL_MAJOR_VERSIONS=$(echo "$AVAILABLE_TAGS" | cut -d. -f1 | sort -u -n -r)
+MAJOR_VERSIONS_ARRAY=($ALL_MAJOR_VERSIONS)
+
+if [ ${#MAJOR_VERSIONS_ARRAY[@]} -lt 1 ]; then
+    echo "Error: Could not find any major versions" >&2
+    exit 1
+fi
+
+# Get Latest and Previous major versions
+LATEST_MAJOR=${MAJOR_VERSIONS_ARRAY[0]}
+PREVIOUS_MAJOR=""
+
+if [ ${#MAJOR_VERSIONS_ARRAY[@]} -ge 2 ]; then
+    PREVIOUS_MAJOR=${MAJOR_VERSIONS_ARRAY[1]}
+fi
+
+if [ -z "$PREVIOUS_MAJOR" ]; then
+    echo "Warning: Only one major version found (${LATEST_MAJOR}), using it as both Latest and Previous"
+    PREVIOUS_MAJOR=$LATEST_MAJOR
+fi
+
+echo "Latest major version: ${LATEST_MAJOR}"
+echo "Previous major version: ${PREVIOUS_MAJOR}"
+
+# Build versions map: major version -> latest patch version
+declare -A VERSION_MAP
+MAJOR_VERSIONS=()
+PROCESSED_MAJORS=()
+
+for major_version in "$LATEST_MAJOR" "$PREVIOUS_MAJOR"; do
+    # Skip if we already processed this major version
+    if [[ " ${PROCESSED_MAJORS[@]} " =~ " ${major_version} " ]]; then
+        continue
+    fi
+    PROCESSED_MAJORS+=("${major_version}")
+    
+    # Find all tags that match this major version
+    matching_tags=$(echo "$AVAILABLE_TAGS" | grep "^${major_version}\\.")
+    
+    if [ -n "$matching_tags" ]; then
+        # Get the latest patch version for this major version
+        latest_tag=$(echo "$matching_tags" | tail -n1)
+        VERSION_MAP["v${major_version}"]="${latest_tag}"
+        MAJOR_VERSIONS+=("v${major_version}")
+        echo "Found version: v${major_version} -> ${latest_tag}"
+    else
+        echo "Warning: Could not find any patch versions for ${major_version}, skipping..." >&2
+    fi
+done
+
+if [ ${#MAJOR_VERSIONS[@]} -eq 0 ]; then
+    echo "Error: No matching versions found" >&2
+    exit 1
+fi
+
+# Sort major versions in descending order (newest first)
+IFS=$'\n' MAJOR_VERSIONS=($(printf '%s\n' "${MAJOR_VERSIONS[@]}" | sort -V -r))
+unset IFS
+
+echo "Major versions to add: ${MAJOR_VERSIONS[*]}"
+
+# Create/update versions.yaml file
+echo "Updating $VERSIONS_FILE..."
+{
+    for major_ver in "${MAJOR_VERSIONS[@]}"; do
+        echo "\"${major_ver}\": \"${VERSION_MAP[$major_ver]}\""
+    done
+} > "$VERSIONS_FILE"
+
+echo "Successfully updated $VERSIONS_FILE"
+
+# Update values.yaml - enum with major versions only
+TEMP_FILE=$(mktemp)
+trap "rm -f $TEMP_FILE" EXIT
+
+# Build new version section
+NEW_VERSION_SECTION="## @enum {string} Version"
+for major_ver in "${MAJOR_VERSIONS[@]}"; do
+    NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+## @value $major_ver"
+done
+NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+
+## @param {Version} version - Redis major version to deploy
+version: ${MAJOR_VERSIONS[0]}"
+
+# Check if version section already exists
+if grep -q "^## @enum {string} Version" "$VALUES_FILE"; then
+    # Version section exists, update it using awk
+    echo "Updating existing version section in $VALUES_FILE..."
+    
+    # Use awk to replace the section from "## @enum {string} Version" to "version: " (inclusive)
+    # Delete the old section and insert the new one
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @enum {string} Version/ {
+            in_section = 1
+            print new_section
+            next
+        }
+        in_section && /^version: / {
+            in_section = 0
+            next
+        }
+        in_section {
+            next
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+else
+    # Version section doesn't exist, insert it before Application-specific parameters section
+    echo "Inserting new version section in $VALUES_FILE..."
+    
+    # Use awk to insert before "## @section Application-specific parameters"
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @section Application-specific parameters/ {
+            print new_section
+            print ""
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+fi
+
+echo "Successfully updated $VALUES_FILE with major versions: ${MAJOR_VERSIONS[*]}"
+
--- a/packages/apps/redis/templates/_versions.tpl
+++ b/packages/apps/redis/templates/_versions.tpl
@@ -0,0 +1,8 @@
+{{- define "redis.versionMap" }}
+{{- $versionMap := .Files.Get "files/versions.yaml" | fromYaml }}
+{{- if not (hasKey $versionMap .Values.version) }}
+    {{- printf `Redis version %s is not supported, allowed versions are %s` $.Values.version (keys $versionMap) | fail }}
+{{- end }}
+{{- index $versionMap .Values.version }}
+{{- end }}
+
--- a/packages/apps/redis/templates/redisfailover.yaml
+++ b/packages/apps/redis/templates/redisfailover.yaml
@@ -27,7 +27,7 @@ spec:
    replicas: 3
    resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 6 }}
  redis:
-    image: "redis:8.2.0"
+    image: "redis:{{ include "redis.versionMap" $ }}"
    resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 6 }}
    replicas: {{ .Values.replicas }}
    {{- with .Values.size }}
--- a/packages/apps/redis/values.schema.json
+++ b/packages/apps/redis/values.schema.json
@@ -82,6 +82,15 @@
      "description": "StorageClass used to store the data.",
      "type": "string",
      "default": ""
+    },
+    "version": {
+      "description": "Redis major version to deploy",
+      "type": "string",
+      "default": "v8",
+      "enum": [
+        "v8",
+        "v7"
+      ]
    }
  }
 }
--- a/packages/apps/redis/values.yaml
+++ b/packages/apps/redis/values.yaml
@@ -33,6 +33,13 @@ storageClass: ""
 ## @param {bool} external - Enable external access from outside the cluster.
 external: false

+## @enum {string} Version
+## @value v8
+## @value v7
+
+## @param {Version} version - Redis major version to deploy
+version: v8
+
 ##
 ## @section Application-specific parameters
 ##
--- a/packages/apps/tenant/templates/cleanup-job.yaml
+++ b/packages/apps/tenant/templates/cleanup-job.yaml
@@ -0,0 +1,85 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "-5"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "-5"
+rules:
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+  resources: ["helmreleases"]
+  verbs: ["get", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "-5"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "tenant.name" . }}-cleanup
+subjects:
+- kind: ServiceAccount
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "0"
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      name: {{ include "tenant.name" . }}-cleanup
+      labels:
+        policy.cozystack.io/allow-to-apiserver: "true"
+    spec:
+      serviceAccountName: {{ include "tenant.name" . }}-cleanup
+      restartPolicy: OnFailure
+      containers:
+      - name: cleanup
+        image: bitnami/kubectl:latest
+        command:
+        - /bin/bash
+        - -c
+        - |
+          set -e
+          NAMESPACE="{{ include "tenant.name" . }}"
+          
+          echo "Cleaning up HelmReleases in namespace: $NAMESPACE"
+          
+          echo "Deleting Applications"
+          kubectl delete helmreleases.helm.toolkit.fluxcd.io -n "$NAMESPACE" \
+            -l 'cozystack.io/ui=true,internal.cozystack.io/tenantmodule!=true' \
+            --ignore-not-found=true --wait=true
+          
+          echo "Deleting Tenant Modules"
+          kubectl delete helmreleases.helm.toolkit.fluxcd.io -n "$NAMESPACE" \
+            -l 'cozystack.io/ui=true,internal.cozystack.io/tenantmodule=true' \
+            --ignore-not-found=true --wait=true
+          
+          echo "Cleanup completed successfully"
--- a/packages/apps/virtual-machine/templates/vm-update-hook.yaml
+++ b/packages/apps/virtual-machine/templates/vm-update-hook.yaml
@@ -27,7 +27,11 @@
 {{- if and $existingPVC $desiredStorage -}}
  {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
  {{- if not (eq $currentStorage $desiredStorage) -}}
-    {{- $needResizePVC = true -}}
+    {{- $oldSize := (include "cozy-lib.resources.toFloat" $currentStorage) | float64 -}}
+    {{- $newSize := (include "cozy-lib.resources.toFloat" $desiredStorage) | float64 -}}
+    {{- if gt $newSize $oldSize -}}
+      {{- $needResizePVC = true -}}
+    {{- end -}}
  {{- end -}}
 {{- end -}}

--- a/packages/apps/vm-disk/templates/pvc-resize-hook.yaml
+++ b/packages/apps/vm-disk/templates/pvc-resize-hook.yaml
@@ -1,5 +1,17 @@
 {{- $existingPVC := lookup "v1" "PersistentVolumeClaim" .Release.Namespace .Release.Name }}
-{{- if and $existingPVC (ne ($existingPVC.spec.resources.requests.storage | toString) .Values.storage) -}}
+{{- $shouldResize := false -}}
+{{- if and $existingPVC .Values.storage -}}
+  {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
+  {{- if ne $currentStorage .Values.storage -}}
+    {{- $oldSize := (include "cozy-lib.resources.toFloat" $currentStorage) | float64 -}}
+    {{- $newSize := (include "cozy-lib.resources.toFloat" .Values.storage) | float64 -}}
+    {{- if gt $newSize $oldSize -}}
+      {{- $shouldResize = true -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if $shouldResize -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -23,6 +35,7 @@ spec:
          command: ["sh", "-xec"]
          args:
            - |
+              echo "Resizing PVC to {{ .Values.storage }}..."
              kubectl patch pvc {{ .Release.Name }} -p '{"spec":{"resources":{"requests":{"storage":"{{ .Values.storage }}"}}}}'
 ---
 apiVersion: v1
--- a/packages/core/flux-aio/Chart.yaml
+++ b/packages/core/flux-aio/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-fluxcd
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
--- a/packages/core/flux-aio/Makefile
+++ b/packages/core/flux-aio/Makefile
@@ -0,0 +1,22 @@
+NAME=flux-aio
+NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/common-envs.mk
+
+show:
+	cozypkg show -n $(NAMESPACE) $(NAME) --plain
+
+apply:
+	cozypkg show -n $(NAMESPACE) $(NAME) --plain | kubectl apply -f- --server-side --force-conflicts
+
+diff:
+	cozypkg show -n $(NAMESPACE) $(NAME) --plain | kubectl diff -f-
+
+update:
+	timoni bundle build -f flux-aio.cue > templates/fluxcd.yaml
+	yq eval '(select(.kind == "Namespace") | .metadata.labels."pod-security.kubernetes.io/enforce") = "privileged"' -i templates/fluxcd.yaml
+	sed -i templates/fluxcd.yaml \
+		-e '/timoni/d' \
+		-e 's|\.cluster\.local\.,||g' -e 's|\.cluster\.local\,||g' -e 's|\.cluster\.local\.||g' \
+		-e '/value: .svc/a \            {{- include "cozy.kubernetes_envs" . | nindent 12 }}' \
+		-e '/hostNetwork: true/i \      dnsPolicy: ClusterFirstWithHostNet'
--- a/packages/core/flux-aio/flux-aio.cue
+++ b/packages/core/flux-aio/flux-aio.cue
@@ -0,0 +1,16 @@
+bundle: {
+	apiVersion: "v1alpha1"
+	name:       "flux-aio"
+	instances: {
+		"flux": {
+			module: {
+				url:     "oci://ghcr.io/stefanprodan/modules/flux-aio"
+				version: "latest"
+			}
+			namespace: "cozy-fluxcd"
+			values: {
+				securityProfile: "privileged"
+			}
+		}
+	}
+}
--- a/packages/core/flux-aio/templates/_helpers.tpl
+++ b/packages/core/flux-aio/templates/_helpers.tpl
@@ -0,0 +1,13 @@
+{{- define "cozy.kubernetes_envs" }}
+{{- $cozyDeployment := lookup "apps/v1" "Deployment" "cozy-system" "cozystack" }}
+{{- $cozyContainers := dig "spec" "template" "spec" "containers" dict $cozyDeployment }}
+{{- range $cozyContainers }}
+{{- if eq .name "cozystack" }}
+{{- range .env }}
+{{- if has .name (list "KUBERNETES_SERVICE_HOST" "KUBERNETES_SERVICE_PORT") }}
+- {{ toJson . }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/packages/core/flux-aio/templates/fluxcd.yaml
+++ b/packages/core/flux-aio/templates/fluxcd.yaml
--- a/packages/core/installer/images/cozystack/Dockerfile
+++ b/packages/core/installer/images/cozystack/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.24-alpine as k8s-await-election-builder
+FROM golang:1.24-alpine AS k8s-await-election-builder

 ARG K8S_AWAIT_ELECTION_GITREPO=https://github.com/LINBIT/k8s-await-election
 ARG K8S_AWAIT_ELECTION_VERSION=0.4.1
@@ -13,7 +13,7 @@ RUN git clone ${K8S_AWAIT_ELECTION_GITREPO} /usr/local/go/k8s-await-election/ \
 && make \
 && mv ./out/k8s-await-election-${TARGETARCH} /k8s-await-election

-FROM golang:1.24-alpine as builder
+FROM golang:1.24-alpine AS builder

 ARG TARGETOS
 ARG TARGETARCH
@@ -26,23 +26,16 @@ WORKDIR /src

 RUN go mod download

-RUN go build -o /cozystack-assets-server -ldflags '-extldflags "-static" -w -s' ./cmd/cozystack-assets-server
-
-RUN make repos
-
 FROM alpine:3.22

 RUN wget -O- https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh | sh -s -- -v 1.2.0

-RUN apk add --no-cache make kubectl helm coreutils git jq
+RUN apk add --no-cache make kubectl helm coreutils git jq openssl

 COPY --from=builder /src/scripts /cozystack/scripts
 COPY --from=builder /src/packages/core /cozystack/packages/core
 COPY --from=builder /src/packages/system /cozystack/packages/system
-COPY --from=builder /src/_out/repos /cozystack/assets/repos
-COPY --from=builder /cozystack-assets-server /usr/bin/cozystack-assets-server
 COPY --from=k8s-await-election-builder /k8s-await-election /usr/bin/k8s-await-election
-COPY --from=builder /src/dashboards /cozystack/assets/dashboards

 WORKDIR /cozystack
 ENTRYPOINT ["/usr/bin/k8s-await-election", "/cozystack/scripts/installer.sh" ]
--- a/packages/core/installer/templates/cozystack.yaml
+++ b/packages/core/installer/templates/cozystack.yaml
@@ -54,6 +54,8 @@ spec:
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: localhost
+        - name: INSTALL_FLUX
+          value: "true"
        - name: KUBERNETES_SERVICE_PORT
          value: "7445"
        - name: K8S_AWAIT_ELECTION_ENABLED
@@ -68,15 +70,6 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
-      - name: assets
-        image: "{{ .Values.cozystack.image }}"
-        command:
-        - /usr/bin/cozystack-assets-server
-        - "-dir=/cozystack/assets"
-        - "-address=:8123"
-        ports:
-        - name: http
-          containerPort: 8123
      tolerations:
      - key: "node.kubernetes.io/not-ready"
        operator: "Exists"
@@ -84,17 +77,3 @@ spec:
      - key: "node.cilium.io/agent-not-ready"
        operator: "Exists"
        effect: "NoSchedule"
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: cozystack
-  namespace: cozy-system
-spec:
-  ports:
-  - name: http
-    port: 80
-    targetPort: 8123
-  selector:
-    app: cozystack
-  type: ClusterIP
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.38.0@sha256:1a902ebd15fe375079098c088dd5b40475926c8d9576faf6348433f0fd86a963
+  image: ghcr.io/cozystack/cozystack/installer:v0.38.2@sha256:9ff92b655de6f9bea3cba4cd42dcffabd9aace6966dcfb1cc02dda2420ea4a15
--- a/packages/core/platform/Makefile
+++ b/packages/core/platform/Makefile
@@ -1,6 +1,8 @@
 NAME=platform
 NAMESPACE=cozy-system

+include ../../../scripts/common-envs.mk
+
 show:
 	cozypkg show -n $(NAMESPACE) $(NAME) --plain

@@ -18,3 +20,15 @@ namespaces-apply:

 diff:
 	cozypkg show -n $(NAMESPACE) $(NAME) --plain | kubectl diff -f-
+
+image: image-assets
+image-assets:
+	docker buildx build -f images/cozystack-assets/Dockerfile ../../.. \
+		--tag $(REGISTRY)/cozystack-assets:$(call settag,$(TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/cozystack-assets:latest \
+		--cache-to type=inline \
+		--metadata-file images/cozystack-assets.json \
+		$(BUILDX_ARGS)
+	IMAGE="$(REGISTRY)/cozystack-assets:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/cozystack-assets.json -o json -r)" \
+		yq -i '.assets.image = strenv(IMAGE)' values.yaml
+	rm -f images/cozystack-assets.json
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -2,24 +2,6 @@
 {{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}

 releases:
- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator,cilium]
-  values:
-    flux-instance:
-      instance:
-        cluster:
-          domain: {{ $clusterDomain }}
-
 - name: cilium
  releaseName: cilium
  chart: cozy-cilium
@@ -74,6 +56,18 @@ releases:
  namespace: cozy-system
  dependsOn: [cozystack-controller,cilium,cert-manager]

+- name: cozystack-resource-definition-crd
+  releaseName: cozystack-resource-definition-crd
+  chart: cozystack-resource-definition-crd
+  namespace: cozy-system
+  dependsOn: [cilium]
+
+- name: cozystack-resource-definitions
+  releaseName: cozystack-resource-definitions
+  chart: cozystack-resource-definitions
+  namespace: cozy-system
+  dependsOn: [cilium,cozystack-controller,cozystack-resource-definition-crd]
+
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
@@ -84,15 +78,26 @@ releases:
  releaseName: cert-manager-issuers
  chart: cozy-cert-manager-issuers
  namespace: cozy-cert-manager
-  optional: true
  dependsOn: [cilium,cert-manager]

+- name: prometheus-operator-crds
+  releaseName: prometheus-operator-crds
+  chart: cozy-prometheus-operator-crds
+  namespace: cozy-victoria-metrics-operator
+  dependsOn: []
+
+- name: metrics-server
+  releaseName: metrics-server
+  chart: cozy-metrics-server
+  namespace: cozy-monitoring
+  dependsOn: [cilium,prometheus-operator-crds]
+
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  optional: true
-  dependsOn: [cilium,cert-manager]
+  dependsOn: [cilium,cert-manager,prometheus-operator-crds]

 - name: monitoring-agents
  releaseName: monitoring-agents
@@ -100,7 +105,7 @@ releases:
  namespace: cozy-monitoring
  privileged: true
  optional: true
-  dependsOn: [cilium,victoria-metrics-operator]
+  dependsOn: [cilium,victoria-metrics-operator,metrics-server]
  values:
    scrapeRules:
      etcd:
@@ -192,7 +197,7 @@ releases:
  releaseName: snapshot-controller
  chart: cozy-snapshot-controller
  namespace: cozy-snapshot-controller
-  dependsOn: [cilium]
+  dependsOn: [cilium,cert-manager-issuers]

 - name: objectstorage-controller
  releaseName: objectstorage-controller
--- a/packages/core/platform/bundles/distro-hosted.yaml
+++ b/packages/core/platform/bundles/distro-hosted.yaml
@@ -2,24 +2,6 @@
 {{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}

 releases:
- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator]
-  values:
-    flux-instance:
-      instance:
-        cluster:
-          domain: {{ $clusterDomain }}
-
 - name: cert-manager-crds
  releaseName: cert-manager-crds
  chart: cozy-cert-manager-crds
@@ -55,12 +37,24 @@ releases:
  optional: true
  dependsOn: [cert-manager]

+- name: prometheus-operator-crds
+  releaseName: prometheus-operator-crds
+  chart: cozy-prometheus-operator-crds
+  namespace: cozy-victoria-metrics-operator
+  dependsOn: []
+
+- name: metrics-server
+  releaseName: metrics-server
+  chart: cozy-metrics-server
+  namespace: cozy-monitoring
+  dependsOn: [prometheus-operator-crds]
+
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  optional: true
-  dependsOn: [cert-manager]
+  dependsOn: [prometheus-operator-crds,cert-manager]

 - name: monitoring-agents
  releaseName: monitoring-agents
@@ -68,7 +62,7 @@ releases:
  namespace: cozy-monitoring
  privileged: true
  optional: true
-  dependsOn: [victoria-metrics-operator]
+  dependsOn: [victoria-metrics-operator, metrics-server]
  values:
    scrapeRules:
      etcd:
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -11,24 +11,6 @@
 {{- end }}

 releases:
- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator,cilium,kubeovn]
-  values:
-    flux-instance:
-      instance:
-        cluster:
-          domain: {{ $clusterDomain }}
-
 - name: cilium
  releaseName: cilium
  chart: cozy-cilium
@@ -112,6 +94,12 @@ releases:
      disableTelemetry: true
  {{- end }}

+- name: backup-controller
+  releaseName: backup-controller
+  chart: cozy-backup-controller
+  namespace: cozy-backup-controller
+  dependsOn: [cilium,kubeovn]
+
 - name: lineage-controller-webhook
  releaseName: lineage-controller-webhook
  chart: cozy-lineage-controller-webhook
@@ -142,18 +130,30 @@ releases:
  namespace: cozy-cert-manager
  dependsOn: [cilium,kubeovn,cert-manager]

+- name: prometheus-operator-crds
+  releaseName: prometheus-operator-crds
+  chart: cozy-prometheus-operator-crds
+  namespace: cozy-victoria-metrics-operator
+  dependsOn: []
+
+- name: metrics-server
+  releaseName: metrics-server
+  chart: cozy-metrics-server
+  namespace: cozy-monitoring
+  dependsOn: [cilium,kubeovn,prometheus-operator-crds]
+
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
-  dependsOn: [cilium,kubeovn,cert-manager]
+  dependsOn: [cilium,kubeovn,cert-manager,prometheus-operator-crds]

 - name: monitoring-agents
  releaseName: monitoring-agents
  chart: cozy-monitoring-agents
  namespace: cozy-monitoring
  privileged: true
-  dependsOn: [victoria-metrics-operator, vertical-pod-autoscaler-crds]
+  dependsOn: [victoria-metrics-operator, vertical-pod-autoscaler-crds, metrics-server]
  values:
    scrapeRules:
      etcd:
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`zz_generated_deepcopy.go linguist-generated`