fix(migration): delete helm release secrets to protect keycloak data

Replace HelmRelease annotation approach with helm secret deletion.
Annotating HelmReleases with resource-policy=keep does not prevent
FluxCD from running helm uninstall when spec.chart changes to
spec.chartRef. Deleting helm release secrets ensures FluxCD has
nothing to uninstall and performs helm install instead, adopting
existing resources.

Update manual migration script with the same protection and fix
error handling for cozy-keycloak namespace check.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>

.github/CODEOWNERS

@@ -1 +1 @@
-* @kvaps @lllamnyp @lexfrei @androndo @IvanHunters
+* @kvaps @lllamnyp @lexfrei @androndo @IvanHunters @sircthulhu

docs/changelogs/v1.0.0-rc.2.md

@@ -0,0 +1,57 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.0-rc.2
+-->
+
+> **⚠️ Release Candidate Warning**: This is a release candidate intended for final validation before the stable v1.0.0 release. Breaking changes are not expected at this stage, but please test thoroughly before deploying to production.
+
+## Features and Improvements
+
+* **[keycloak] Allow custom Ingress hostname via values**: Added an `ingress.host` field to the cozy-keycloak chart values, allowing operators to override the default `keycloak.<root-host>` Ingress hostname. The custom hostname is applied to both the Ingress resource and the `KC_HOSTNAME` environment variable in the StatefulSet. When left empty, the original behavior is preserved (fully backward compatible) ([**@sircthulhu**](https://github.com/sircthulhu) in #2101).
+
+## Fixes
+
+* **[platform] Fix upgrade issues in migrations, etcd timeout, and migration script**: Fixed multiple upgrade failures discovered during v0.41.1 → v1.0 upgrade testing. Migration 26 now uses the `cozystack.io/ui=true` label (always present on v0.41.1) instead of the new label that depends on migration 22 having run, and adds robust Helm secret deletion with fallback and verification. Migrations 28 and 29 wrap `grep` calls to prevent `pipefail` exits and fix the reconcile annotation to use RFC3339 format. Migration 27 now skips missing CRDs and adds a name-pattern fallback for Helm secret deletion. The etcd HelmRelease timeout is increased from 10m to 30m to accommodate TLS cert rotation hooks. The `migrate-to-version-1.0.sh` script gains the missing `bundle-disable`, `bundle-enable`, `expose-ingress`, and `expose-services` field mappings ([**@kvaps**](https://github.com/kvaps) in #2096).
+
+* **[platform] Fix orphaned -rd HelmReleases after application renames**: After the `ferretdb→mongodb`, `mysql→mariadb`, and `virtual-machine→vm-disk+vm-instance` renames, the system-level `-rd` HelmReleases in `cozy-system` (`ferretdb-rd`, `mysql-rd`, `virtual-machine-rd`) were left orphaned, referencing ExternalArtifacts that no longer exist and causing persistent reconciliation failures. Migrations 28 and 29 are updated to remove these resources, and migration 33 is added as a safety net for clusters that already passed those migrations ([**@kvaps**](https://github.com/kvaps) in #2102).
+
+* **[monitoring-agents] Fix FQDN resolution regression in tenant workload clusters**: The fix introduced in #2075 used `_cluster.cluster-domain` references in `values.yaml`, but `_cluster` values are not accessible from Helm subchart contexts — meaning fluent-bit received empty hostnames and failed to forward logs. This PR replaces the `_cluster` references with a new `global.clusterDomain` variable (empty by default for management clusters, set to the cluster domain for tenant clusters), which is correctly shared with all subcharts ([**@kvaps**](https://github.com/kvaps) in #2086).
+
+* **[dashboard] Fix legacy templating and cluster identifier in sidebar links**: Standardized the cluster identifier used across dashboard menu links, administration links, and API request paths, resolving incorrect or broken link targets for the Backups and External IPs sidebar sections ([**@androndo**](https://github.com/androndo) in #2093).
+
+* **[dashboard] Fix backupjobs creation form and sidebar backup category identifier**: Fixed the backup job creation form configuration, adding the required Name, Namespace, Plan Name, Application, and Backup Class fields. Fixed the sidebar backup category identifier that was causing incorrect navigation ([**@androndo**](https://github.com/androndo) in #2103).
+
+## Documentation
+
+* **[website] Add Helm chart development principles guide**: Added a new developer guide section documenting Cozystack's four core Helm chart principles: easy upstream updates, local-first artifacts, local dev/test workflow, and no external dependencies ([**@kvaps**](https://github.com/kvaps) in cozystack/website#418).
+
+* **[website] Add network architecture overview**: Added comprehensive network architecture documentation covering the multi-layered networking stack — MetalLB (L2/BGP), Cilium eBPF (kube-proxy replacement), Kube-OVN (centralized IPAM), and tenant isolation with identity-based eBPF policies — with Mermaid diagrams for all major traffic flows ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#422).
+
+* **[website] Update documentation to use jsonpatch for service exposure**: Improved `kubectl patch` commands throughout installation and configuration guides to use JSON Patch `add` operations for extending arrays instead of replacing them wholesale, making the documented commands safer and more precise ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#427).
+
+* **[website] Update certificates section in Platform Package documentation**: Updated the certificate configuration documentation to reflect the new `solver` and `issuerName` fields introduced in v1.0.0-rc.1, replacing the legacy `issuerType` references ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in cozystack/website#429).
+
+* **[website] Add tenant Kubernetes cluster log querying guide**: Added documentation for querying logs from tenant Kubernetes clusters in Grafana using VictoriaLogs labels (`tenant`, `kubernetes_namespace_name`, `kubernetes_pod_name`), including the `monitoringAgents` addon prerequisite and step-by-step filtering examples ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#430).
+
+* **[website] Replace non-idempotent commands with idempotent alternatives**: Updated `helm install` to `helm upgrade --install`, `kubectl create -f` to `kubectl apply -f`, and `kubectl create ns` to the dry-run+apply pattern across all installation and deployment guides so commands can be safely re-run ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#431).
+
+* **[website] Fix broken documentation links with `.md` suffix**: Fixed incorrect internal links with `.md` suffix across virtualization guides for both v0 and v1 documentation, standardizing link text to "Developer Guide" ([**@cheese**](https://github.com/cheese) in cozystack/website#432).
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@androndo**](https://github.com/androndo)
+* [**@cheese**](https://github.com/cheese)
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+
+### New Contributors
+
+We're excited to welcome our first-time contributors:
+
+* [**@cheese**](https://github.com/cheese) - First contribution!
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0-rc.1...v1.0.0-rc.2

docs/changelogs/v1.0.0.md

@@ -0,0 +1,289 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.0
+-->
+
+# Cozystack v1.0.0 — "Stable"
+
+We are thrilled to announce **Cozystack v1.0.0**, the first stable major release of the Cozystack platform. This milestone represents a fundamental architectural evolution from the v0.x series, introducing a fully operator-driven package management system, a comprehensive backup and restore framework, a redesigned virtual machine architecture, and a rich set of new managed applications — all hardened through an extensive alpha, beta, and release-candidate cycle.
+
+## Feature Highlights
+
+### Package-Based Architecture with Cozystack Operator
+
+The most significant architectural change in v1.0.0 is the replacement of HelmRelease bundle deployments with a declarative **Package** and **PackageSource** model managed by the new `cozystack-operator`. Operators now define their platform configuration in a structured `values.yaml` and the operator reconciles the desired state by managing Package and PackageSource resources across the cluster.
+
+The operator also takes ownership of CRD lifecycle — installing and updating CRDs from embedded manifests at every startup — eliminating the stale-CRD problem that affected Helm-only installations. Flux sharding has been added to distribute tenant HelmRelease reconciliation across multiple Flux controllers, providing horizontal scalability in large multi-tenant environments.
+
+A migration script (`hack/migrate-to-version-1.0.sh`) is provided for upgrading existing v0.x clusters, along with 33 incremental migration steps that automate resource renaming, secret cleanup, and configuration conversion.
+
+### Comprehensive Backup and Restore System
+
+v1.0.0 ships a fully featured, production-ready backup and restore framework built on Velero integration. Users can define **BackupClass** resources to describe backup storage targets, create **BackupPlan** schedules, and trigger **RestoreJob** resources for end-to-end application recovery.
+
+Virtual machine backups are supported natively via the Velero KubeVirt plugin, which captures consistent VM disk snapshots alongside metadata. The backup controller and the backup strategy sub-controllers (including the VM-specific strategy) are installed by default, and a full dashboard UI allows users to monitor backup status, view backup job history, and initiate restore workflows.
+
+### Redesigned Virtual Machine Architecture
+
+The legacy `virtual-machine` application has been replaced with a two-resource architecture: **`vm-disk`** for managing persistent disks and **`vm-instance`** for managing VM lifecycle. This separation provides cleaner disk/instance management, allows disks to be reused across VM instances, and aligns with modern KubeVirt patterns.
+
+New capabilities include: a `cpuModel` field for direct CPU model specification without using an instanceType; the ability to switch between `instanceType`-based and custom resource-based configurations; migration from the deprecated `running` field to `runStrategy`; and native **RWX (NFS) filesystem support** in the KubeVirt CSI driver, enabling multiple pods to mount the same persistent volume simultaneously.
+
+### New Managed Applications
+
+v1.0.0 expands the application catalog significantly:
+
+- **MongoDB**: A fully managed MongoDB replica set with persistent storage, monitoring integration, and unified user/database configuration API.
+- **Qdrant**: A high-performance vector database for AI and machine learning workloads, supporting single-replica and clustered modes with API key authentication and optional external LoadBalancer access.
+- **Harbor**: A fully managed OCI container registry backed by CloudNativePG, Redis operator, and COSI BucketClaim (SeaweedFS). Includes Trivy vulnerability scanner, auto-generated admin credentials, and TLS via cert-manager.
+- **NATS**: Enhanced with full Grafana monitoring dashboards for JetStream and server metrics, Prometheus support with TLS-aware configuration, and updated image customization options.
+- **MariaDB**: The `mysql` application is renamed to `mariadb`, accurately reflecting the underlying engine. An automatic migration (migration 27) converts all existing MySQL resources to use the `mariadb` naming.
+
+FerretDB has been removed from the catalog as it is superseded by native MongoDB support.
+
+### Multi-Location Networking with Kilo and cilium-kilo
+
+Cozystack v1.0.0 introduces first-class support for multi-location clusters via the **Kilo** WireGuard mesh networking package. Kilo automatically establishes encrypted WireGuard tunnels between nodes in different network segments, enabling seamless cross-region communication.
+
+A new integrated **`cilium-kilo`** networking variant combines Cilium eBPF CNI with Kilo's WireGuard overlay in a single platform configuration selection. This variant enables `enable-ipip-termination` in Cilium and deploys Kilo with `--compatibility=cilium`, allowing Cilium network policies to function correctly over the WireGuard mesh — without any manual configuration of the two components.
+
+### Flux Sharding for Scalable Multi-Tenancy
+
+Tenant HelmRelease reconciliation is now distributed across multiple Flux controllers via sharding labels. Each tenant workload is assigned to a shard based on a deterministic hash, preventing a single Flux controller from becoming a bottleneck in large multi-tenant environments. The platform operator manages the shard assignment automatically, and new shards can be added by scaling the Flux deployment.
+
+## Major Features and Improvements
+
+### Cozystack Operator
+
+* **[cozystack-operator] Introduce Package and PackageSource APIs**: Added new CRDs for declarative package management, defining the full API for Package and PackageSource resources ([**@kvaps**](https://github.com/kvaps) in #1740, #1741, #1755, #1756, #1760, #1761).
+* **[platform] Migrate from HelmRelease bundles to Package-based deployment**: Replaced HelmRelease bundle system with Package resources managed by cozystack-operator, including restructured values.yaml with full configuration support for networking, publishing, authentication, scheduling, branding, and resources ([**@kvaps**](https://github.com/kvaps) in #1816).
+* **[cozystack-operator] Add automatic CRD installation at startup**: Added `--install-crds` flag to install embedded CRD manifests on every startup via server-side apply, ensuring CRDs and the PackageSource are always up to date ([**@lexfrei**](https://github.com/lexfrei) in #2060).
+* **[installer] Remove CRDs from Helm chart, delegate lifecycle to operator**: The `cozy-installer` Helm chart no longer ships CRDs; CRD lifecycle is fully managed by the Cozystack operator ([**@lexfrei**](https://github.com/lexfrei) in #2074).
+* **[cozystack-operator] Preserve existing suspend field in package reconciler**: Fixed package reconciler to properly preserve the suspend field state during reconciliation ([**@sircthulhu**](https://github.com/sircthulhu) in #2043).
+* **[cozystack-operator] Fix namespace privileged flag resolution and field ownership**: Fixed operator to correctly check all Packages in a namespace when determining privileged status, and resolved SSA field ownership conflicts ([**@kvaps**](https://github.com/kvaps) in #2046).
+* **[platform] Add flux-plunger controller**: Added flux-plunger controller to automatically fix stuck HelmRelease errors by cleaning up failed resources and retrying reconciliation ([**@kvaps**](https://github.com/kvaps) in #1843).
+* **[installer] Add variant-aware templates for generic Kubernetes support**: Extended the installer to support generic and hosted Kubernetes deployments via the `cozystackOperator.variant=generic` parameter ([**@lexfrei**](https://github.com/lexfrei) in #2010).
+* **[installer] Unify operator templates**: Merged separate operator templates into a single variant-based template supporting Talos and non-Talos deployments ([**@kvaps**](https://github.com/kvaps) in #2034).
+
+### API and Platform
+
+* **[api] Rename CozystackResourceDefinition to ApplicationDefinition**: Renamed CRD and all related types for clarity and consistency, with migration 24 handling the transition automatically ([**@kvaps**](https://github.com/kvaps) in #1864).
+* **[platform] Add DNS-1035 validation for Application names**: Added dynamic DNS-1035 label validation for Application names at creation time, preventing resources with invalid names that would fail downstream ([**@lexfrei**](https://github.com/lexfrei) in #1771).
+* **[platform] Make cluster issuer name and ACME solver configurable**: Added `publishing.certificates.solver` and `publishing.certificates.issuerName` parameters to allow pointing all ingress TLS annotations at any ClusterIssuer ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
+* **[platform] Add cilium-kilo networking variant**: Added integrated `cilium-kilo` networking variant combining Cilium CNI with Kilo WireGuard mesh overlay ([**@kvaps**](https://github.com/kvaps) in #2064).
+* **[cozystack-api] Switch from DaemonSet to Deployment**: Migrated cozystack-api to a Deployment with PreferClose topology spread constraints, reducing resource consumption while maintaining high availability ([**@kvaps**](https://github.com/kvaps) in #2041, #2048).
+
+### Virtual Machines
+
+* **[vm-instance] Complete migration from virtual-machine to vm-disk and vm-instance**: Fully migrated from `virtual-machine` to the new `vm-disk` and `vm-instance` architecture, with automatic migration script (migration 28) for existing VMs ([**@kvaps**](https://github.com/kvaps) in #2040).
+* **[kubevirt-csi-driver] Add RWX Filesystem (NFS) support**: Added Read-Write-Many filesystem support to kubevirt-csi-driver via automatic NFS server deployment per PVC ([**@kvaps**](https://github.com/kvaps) in #2042).
+* **[vm] Add cpuModel field to specify CPU model without instanceType**: Added cpuModel field to VirtualMachine API for granular CPU control ([**@sircthulhu**](https://github.com/sircthulhu) in #2007).
+* **[vm] Allow switching between instancetype and custom resources**: Implemented atomic upgrade hook for switching between instanceType-based and custom resource VM configurations ([**@sircthulhu**](https://github.com/sircthulhu) in #2008).
+* **[vm] Migrate to runStrategy instead of running**: Migrated VirtualMachine API from deprecated `running` field to `runStrategy` ([**@sircthulhu**](https://github.com/sircthulhu) in #2004).
+* **[vm] Always expose VMs with a service**: Virtual machines are now always exposed with at least a ClusterIP service, ensuring in-cluster DNS names ([**@lllamnyp**](https://github.com/lllamnyp) in #1738, #1751).
+* **[dashboard] VMInstance dropdowns for disks and instanceType**: VM instance creation form now renders API-backed dropdowns for `instanceType` and disk `name` fields ([**@sircthulhu**](https://github.com/sircthulhu) in #2071).
+
+### Backup System
+
+* **[backups] Implement comprehensive backup and restore functionality**: Core backup Plan controller, Velero strategy controller, RestoreJob resource with end-to-end restore workflows, and enhanced backup plans UI ([**@lllamnyp**](https://github.com/lllamnyp) in #1640, #1685, #1687, #1719, #1720, #1737, #1967; [**@androndo**](https://github.com/androndo) in #1762, #1967, #1968, #1811).
+* **[backups] Add kubevirt plugin to velero**: Added KubeVirt plugin to Velero for consistent VM state and data snapshots ([**@lllamnyp**](https://github.com/lllamnyp) in #2017).
+* **[backups] Install backupstrategy controller by default**: Enabled backupstrategy controller by default for automatic backup scheduling ([**@lllamnyp**](https://github.com/lllamnyp) in #2020).
+* **[backups] Better selectors for VM strategy**: Improved VM backup strategy selectors for accurate and reliable backup targeting ([**@lllamnyp**](https://github.com/lllamnyp) in #2023).
+* **[backups] Create RBAC for backup resources**: Added comprehensive RBAC configuration for backup operations and restore jobs ([**@lllamnyp**](https://github.com/lllamnyp) in #2018).
+
+### Networking
+
+* **[kilo] Introduce Kilo WireGuard mesh networking**: Added Kilo as a system package providing secure WireGuard-based VPN mesh for connecting Kubernetes nodes across different networks and regions ([**@kvaps**](https://github.com/kvaps) in #1691).
+* **[kilo] Add Cilium compatibility variant**: Added `cilium` variant enabling Cilium-aware IPIP encapsulation for full network policy enforcement with Kilo mesh ([**@kvaps**](https://github.com/kvaps) in #2055).
+* **[kilo] Update to v0.8.0 with configurable MTU**: Updated Kilo to v0.8.0 with configurable MTU parameter and performance improvements ([**@kvaps**](https://github.com/kvaps) in #2003, #2049, #2053).
+* **[local-ccm] Add local-ccm package**: Added local cloud controller manager for managing load balancer services in bare-metal environments ([**@kvaps**](https://github.com/kvaps) in #1831).
+* **[local-ccm] Add node-lifecycle-controller component**: Added optional node-lifecycle-controller that automatically deletes unreachable NotReady nodes, solving the "zombie" node problem in autoscaled clusters ([**@IvanHunters**](https://github.com/IvanHunters) in #1992).
+* **[tenant] Allow egress to parent ingress pods**: Updated tenant network policies to allow egress traffic to parent cluster ingress pods ([**@lexfrei**](https://github.com/lexfrei) in #1765, #1776).
+
+### New Applications
+
+* **[mongodb] Add MongoDB managed application**: Added MongoDB as a fully managed database with replica sets, persistent storage, and unified user/database configuration ([**@lexfrei**](https://github.com/lexfrei) in #1822; [**@kvaps**](https://github.com/kvaps) in #1923).
+* **[qdrant] Add Qdrant vector database**: Added Qdrant as a high-performance vector database for AI/ML workloads with API key authentication and optional LoadBalancer access ([**@lexfrei**](https://github.com/lexfrei) in #1987).
+* **[harbor] Add managed Harbor container registry**: Added Harbor v2.14.2 as a managed tenant-level container registry with CloudNativePG, Redis operator, COSI BucketClaim storage, and Trivy scanner ([**@lexfrei**](https://github.com/lexfrei) in #2058).
+* **[nats] Add monitoring**: Added Grafana dashboards for NATS JetStream and server metrics, Prometheus monitoring with TLS support ([**@klinch0**](https://github.com/klinch0) in #1381).
+* **[mariadb] Rename mysql application to mariadb**: Renamed MySQL application to MariaDB with automatic migration (migration 27) for all existing resources ([**@kvaps**](https://github.com/kvaps) in #2026).
+* **[ferretdb] Remove FerretDB application**: Removed FerretDB, superseded by native MongoDB support ([**@kvaps**](https://github.com/kvaps) in #2028).
+
+### Kubernetes and System Components
+
+* **[kubernetes] Update supported Kubernetes versions to v1.30–v1.35**: Updated the tenant Kubernetes version matrix, with v1.35 as the new default. Kamaji updated to edge-26.2.4 and CAPI Kamaji provider to v0.16.0 ([**@lexfrei**](https://github.com/lexfrei) in #2073).
+* **[kubernetes] Auto-enable Gateway API support in cert-manager**: Added automatic Gateway API support in cert-manager for tenant clusters ([**@kvaps**](https://github.com/kvaps) in #1997).
+* **[kubernetes] Use ingress-nginx nodeport service**: Changed tenant Kubernetes clusters to use ingress-nginx NodePort service for improved compatibility ([**@sircthulhu**](https://github.com/sircthulhu) in #1948).
+* **[system] Add cluster-autoscaler for Hetzner and Azure**: Added cluster-autoscaler system package for automatically scaling management cluster nodes on Hetzner and Azure ([**@kvaps**](https://github.com/kvaps) in #1964).
+* **[cluster-autoscaler] Enable enforce-node-group-min-size by default**: Ensures node groups are always scaled up to their configured minimum size ([**@kvaps**](https://github.com/kvaps) in #2050).
+* **[system] Add clustersecret-operator package**: Added clustersecret-operator for managing secrets across multiple namespaces ([**@sircthulhu**](https://github.com/sircthulhu) in #2025).
+
+### Monitoring
+
+* **[monitoring] Enable monitoring for core components**: Enhanced monitoring capabilities with dashboards and metrics for core Cozystack components ([**@IvanHunters**](https://github.com/IvanHunters) in #1937).
+* **[monitoring] Add SLACK_SEVERITY_FILTER and VMAgent for tenant monitoring**: Added SLACK_SEVERITY_FILTER for Slack alert filtering and VMAgent for tenant namespace metrics scraping ([**@IvanHunters**](https://github.com/IvanHunters) in #1712).
+* **[monitoring-agents] Fix FQDN resolution for tenant workload clusters**: Fixed monitoring agents in tenant clusters to use full DNS names with cluster domain suffix ([**@IvanHunters**](https://github.com/IvanHunters) in #2075; [**@kvaps**](https://github.com/kvaps) in #2086).
+
+### Storage
+
+* **[linstor] Move CRDs to dedicated piraeus-operator-crds chart**: Moved LINSTOR CRDs to a dedicated chart, ensuring reliable installation of all CRDs including `linstorsatellites.io` ([**@kvaps**](https://github.com/kvaps) in #2036; [**@IvanHunters**](https://github.com/IvanHunters) in #1991).
+* **[seaweedfs] Increase certificate duration to 10 years**: Increased SeaweedFS certificate validity to 10 years to reduce rotation overhead ([**@IvanHunters**](https://github.com/IvanHunters) in #1986).
+
+## Improvements
+
+* **[dashboard] Upgrade dashboard to version 1.4.0**: Updated Cozystack dashboard to v1.4.0 with new features and improvements ([**@sircthulhu**](https://github.com/sircthulhu) in #2051).
+* **[dashboard] Hide Ingresses/Services/Secrets tabs when no selectors defined**: Tabs are now conditionally shown based on whether the ApplicationDefinition has resource selectors configured, reducing UI clutter ([**@kvaps**](https://github.com/kvaps) in #2087).
+* **[dashboard] Add startupProbe to prevent container restarts on slow hardware**: Added startup probe to dashboard pods to prevent unnecessary restarts ([**@kvaps**](https://github.com/kvaps) in #1996).
+* **[keycloak] Allow custom Ingress hostname via values**: Added `ingress.host` field to cozy-keycloak chart values for overriding the default `keycloak.<root-host>` hostname ([**@sircthulhu**](https://github.com/sircthulhu) in #2101).
+* **[branding] Separate values for Keycloak**: Separated Keycloak branding values for better customization capabilities ([**@nbykov0**](https://github.com/nbykov0) in #1947).
+* **[rbac] Use hierarchical naming scheme**: Refactored RBAC to use hierarchical naming for cluster roles and role bindings ([**@lllamnyp**](https://github.com/lllamnyp) in #2019).
+* **[tenant,rbac] Use shared clusterroles**: Refactored tenant RBAC to use shared ClusterRoles for improved consistency ([**@lllamnyp**](https://github.com/lllamnyp) in #1999).
+* **[kubernetes] Increase default apiServer resourcesPreset to large**: Increased kube-apiserver resource preset to `large` for more reliable operation under higher workloads ([**@kvaps**](https://github.com/kvaps) in #1875).
+* **[kubernetes] Increase kube-apiserver startup probe threshold**: Increased startup probe threshold to allow more time for API server readiness ([**@kvaps**](https://github.com/kvaps) in #1876).
+* **[etcd] Increase probe thresholds for better recovery**: Increased etcd probe thresholds to improve cluster resilience during temporary slowdowns ([**@kvaps**](https://github.com/kvaps) in #1874).
+* **[etcd-operator] Add vertical-pod-autoscaler dependency**: Added VPA as a dependency to etcd-operator for proper resource scaling ([**@sircthulhu**](https://github.com/sircthulhu) in #2047).
+* **[cilium] Change cilium-operator replicas to 1**: Reduced Cilium operator replicas to decrease resource consumption in smaller deployments ([**@IvanHunters**](https://github.com/IvanHunters) in #1784).
+* **[keycloak-configure,dashboard] Enable insecure TLS verification by default**: Made SSL certificate verification configurable with insecure mode enabled by default for local development ([**@IvanHunters**](https://github.com/IvanHunters) in #2005).
+* **[platform] Split telemetry between operator and controller**: Separated telemetry collection for better metrics isolation ([**@kvaps**](https://github.com/kvaps) in #1869).
+* **[system] Add resource requests and limits to etcd-defrag**: Added resource requests and limits to etcd-defrag job to prevent resource contention ([**@matthieu-robin**](https://github.com/matthieu-robin) in #1785, #1786).
+
+## Fixes
+
+* **[dashboard] Fix sidebar visibility on cluster-level pages**: Fixed broken URLs with double `//` on cluster-level pages by hiding namespace-scoped sidebar items when no tenant is selected ([**@sircthulhu**](https://github.com/sircthulhu) in #2106).
+* **[platform] Fix upgrade issues in migrations, etcd timeout, and migration script**: Fixed multiple upgrade failures discovered during v0.41.1 → v1.0 upgrade testing, including migration 26-29 fixes, RFC3339 format for annotations, and extended etcd HelmRelease timeout to 30m ([**@kvaps**](https://github.com/kvaps) in #2096).
+* **[platform] Fix orphaned -rd HelmReleases after application renames**: Migrations 28-29 updated to remove orphaned `-rd` HelmReleases in `cozy-system` after `ferretdb→mongodb`, `mysql→mariadb`, and `virtual-machine→vm-disk+vm-instance` renames, with migration 33 as a safety net ([**@kvaps**](https://github.com/kvaps) in #2102).
+* **[platform] Adopt tenant-root into cozystack-basics during migration**: Added migration 31 to adopt existing `tenant-root` Namespace and HelmRelease into `cozystack-basics` for a safe v0.41.x → v1.0 upgrade path ([**@kvaps**](https://github.com/kvaps) in #2065).
+* **[platform] Preserve tenant-root HelmRelease during migration**: Fixed data-loss risk during migration where `tenant-root` HelmRelease could be deleted ([**@sircthulhu**](https://github.com/sircthulhu) in #2063).
+* **[platform] Fix cozystack-values secret race condition**: Fixed race condition in cozystack-values secret creation that could cause initialization failures ([**@lllamnyp**](https://github.com/lllamnyp) in #2024).
+* **[cozystack-basics] Preserve existing HelmRelease values during reconciliations**: Fixed data-loss bug where changes to `tenant-root` HelmRelease were dropped on the next reconciliation ([**@sircthulhu**](https://github.com/sircthulhu) in #2068).
+* **[cozystack-basics] Deny resourcequotas deletion for tenant admin**: Fixed `cozy:tenant:admin:base` ClusterRole to explicitly deny deletion of ResourceQuota objects ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2076).
+* **[dashboard] Fix legacy templating and cluster identifier in sidebar links**: Standardized cluster identifier across dashboard menu links resolving broken link targets for Backups and External IPs ([**@androndo**](https://github.com/androndo) in #2093).
+* **[dashboard] Fix backupjobs creation form and sidebar backup category identifier**: Fixed backup job creation form fields and fixed sidebar backup category identifier ([**@androndo**](https://github.com/androndo) in #2103).
+* **[kubevirt] Update KubeVirt to v1.6.4 and CDI to v1.64.0, fix VM pod initialization**: Updated KubeVirt and CDI and disabled serial console logging globally to fix the `guest-console-log` init container blocking virt-launcher pods ([**@nbykov0**](https://github.com/nbykov0) in #1833; [**@kvaps**](https://github.com/kvaps)).
+* **[linstor] Fix DRBD+LUKS+STORAGE resource creation failure**: Applied upstream fix for all newly created encrypted volumes failing due to missing `setExists(true)` call in `LuksLayer` ([**@kvaps**](https://github.com/kvaps) in #2072).
+* **[platform] Clean up Helm secrets for removed releases**: Added cleanup logic to migration 23 to remove orphaned Helm secrets from removed `-rd` releases ([**@kvaps**](https://github.com/kvaps) in #2035).
+* **[monitoring] Fix YAML parse error in vmagent template**: Fixed YAML parsing error in monitoring-agents vmagent template ([**@kvaps**](https://github.com/kvaps) in #2037).
+* **[monitoring] Remove cozystack-controller dependency**: Fixed monitoring package to remove unnecessary cozystack-controller dependency ([**@IvanHunters**](https://github.com/IvanHunters) in #1990).
+* **[monitoring] Remove duplicate dashboards.list**: Fixed duplicate dashboards.list configuration in extra/monitoring package ([**@IvanHunters**](https://github.com/IvanHunters) in #2016).
+* **[linstor] Update piraeus-server patches with critical fixes**: Backported critical patches fixing edge cases in device management and DRBD resource handling ([**@kvaps**](https://github.com/kvaps) in #1850).
+* **[apiserver] Fix Watch resourceVersion and bookmark handling**: Fixed Watch API handling of resourceVersion and bookmarks for proper event streaming ([**@kvaps**](https://github.com/kvaps) in #1860).
+* **[bootbox] Auto-create bootbox-application as dependency**: Fixed bootbox package to automatically create required bootbox-application dependency ([**@kvaps**](https://github.com/kvaps) in #1974).
+* **[postgres-operator] Correct PromQL syntax in CNPGClusterOffline alert**: Fixed incorrect PromQL syntax in the CNPGClusterOffline Prometheus alert ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1981).
+* **[coredns] Fix serviceaccount to match kubernetes bootstrap RBAC**: Fixed CoreDNS service account to correctly match Kubernetes bootstrap RBAC requirements ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1958).
+* **[dashboard] Verify JWT token**: Added JWT token verification to dashboard for improved security ([**@lllamnyp**](https://github.com/lllamnyp) in #1980).
+* **[codegen] Fix missing gen_client in update-codegen.sh**: Fixed build error in `pkg/generated/applyconfiguration/utils.go` by including `gen_client` in the codegen script ([**@lexfrei**](https://github.com/lexfrei) in #2061).
+* **[kubevirt-operator] Fix typo in VMNotRunningFor10Minutes alert**: Fixed typo in VM alert name ensuring proper alert triggering ([**@lexfrei**](https://github.com/lexfrei) in #1770, #1775).
+
+## Security
+
+* **[dashboard] Verify JWT token**: Added JWT token verification to the dashboard for improved authentication security ([**@lllamnyp**](https://github.com/lllamnyp) in #1980).
+
+## Dependencies
+
+* **[cilium] Update to v1.18.6**: Updated Cilium CNI to v1.18.6 with security fixes and performance improvements ([**@sircthulhu**](https://github.com/sircthulhu) in #1868).
+* **[kube-ovn] Update to v1.15.3**: Updated Kube-OVN CNI to v1.15.3 with performance improvements and bug fixes ([**@kvaps**](https://github.com/kvaps) in #2022).
+* **[kilo] Update to v0.8.0**: Updated Kilo WireGuard mesh to v0.8.0 with performance improvements and new compatibility features ([**@kvaps**](https://github.com/kvaps) in #2053).
+* **Update Talos Linux to v1.12.1**: Updated Talos Linux to v1.12.1 with latest features and security patches ([**@kvaps**](https://github.com/kvaps) in #1877).
+
+## System Configuration
+
+* **[vpc] Migrate subnets definition from map to array format**: Migrated VPC subnets from `map[string]Subnet` to `[]Subnet` with explicit `name` field, with automatic migration via migration 30 ([**@kvaps**](https://github.com/kvaps) in #2052).
+* **[migrations] Add migrations 23-33 for v1.0 upgrade path**: Added 11 incremental migrations handling CRD ownership, resource renaming, secret cleanup, Helm adoption, and configuration conversion for the v0.41.x → v1.0.0 upgrade path ([**@kvaps**](https://github.com/kvaps) in #1975, #2035, #2036, #2040, #2026, #2065, #2052, #2102).
+* **[tenant] Run cleanup job from system namespace**: Moved tenant cleanup job to system namespace for improved security and resource isolation ([**@lllamnyp**](https://github.com/lllamnyp) in #1774, #1777).
+
+## Development, Testing, and CI/CD
+
+* **[ci] Use GitHub Copilot CLI for changelog generation**: Automated changelog generation using GitHub Copilot CLI ([**@androndo**](https://github.com/androndo) in #1753).
+* **[ci] Choose runner conditional on label**: Added conditional runner selection in CI based on PR labels ([**@lllamnyp**](https://github.com/lllamnyp) in #1998).
+* **[e2e] Use helm install instead of kubectl apply for cozystack installation**: Replaced static YAML apply flow with direct `helm upgrade --install` of the installer chart in E2E tests ([**@lexfrei**](https://github.com/lexfrei) in #2060).
+* **[e2e] Make kubernetes test retries effective by cleaning up stale resources**: Fixed E2E test retries by adding pre-creation cleanup and increasing deployment wait timeout to 300s ([**@lexfrei**](https://github.com/lexfrei) in #2062).
+* **[e2e] Increase HelmRelease readiness timeout for kubernetes test**: Increased HelmRelease readiness timeout to prevent false failures on slower hardware ([**@lexfrei**](https://github.com/lexfrei) in #2033).
+* **[ci] Improve cozyreport functionality**: Enhanced cozyreport tool with improved reporting for CI/CD pipelines ([**@lllamnyp**](https://github.com/lllamnyp) in #2032).
+* **feat(cozypkg): add cross-platform build targets with version injection**: Added cross-platform build targets for cozypkg/cozyhr tool for linux/amd64, linux/arm64, darwin/amd64, darwin/arm64 ([**@kvaps**](https://github.com/kvaps) in #1862).
+* **refactor: move scripts to hack directory**: Reorganized scripts to the standard `hack/` location ([**@kvaps**](https://github.com/kvaps) in #1863).
+* **Update CODEOWNERS**: Updated CODEOWNERS to include new maintainers ([**@lllamnyp**](https://github.com/lllamnyp) in #1972; [**@IvanHunters**](https://github.com/IvanHunters) in #2015).
+* **[talm] Skip config loading for completion subcommands**: Fixed talm CLI to skip config loading for shell completion commands ([**@kitsunoff**](https://github.com/kitsunoff) in cozystack/talm#109).
+* **[talm] Fix metadata.id type casting in physical_links_info**: Fixed Prometheus query to properly cast metadata.id to string for regexMatch operations ([**@kvaps**](https://github.com/kvaps) in cozystack/talm#110).
+
+## Documentation
+
+* **[website] Add documentation versioning**: Implemented comprehensive documentation versioning with separate v0 and v1 documentation trees and a version selector in the UI ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#415).
+* **[website] Describe upgrade to v1.0**: Added detailed upgrade instructions for migrating from v0.x to v1.0 ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@21bbe84).
+* **[website] Migrate ConfigMap references to Platform Package in v1 docs**: Updated entire v1 documentation to replace legacy ConfigMap-based configuration with the new Platform Package API ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#426).
+* **[website] Add generic Kubernetes deployment guide for v1**: Added installation guide for deploying Cozystack on any generic Kubernetes cluster ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#408).
+* **[website] Describe operator-based and HelmRelease-based package patterns**: Added development documentation explaining operator-based and HelmRelease-based package patterns ([**@kvaps**](https://github.com/kvaps) in cozystack/website#413).
+* **[website] Add Helm chart development principles guide**: Added developer guide documenting Cozystack's four core Helm chart principles ([**@kvaps**](https://github.com/kvaps) in cozystack/website#418).
+* **[website] Add network architecture overview**: Added comprehensive network architecture documentation covering the multi-layered networking stack with Mermaid diagrams ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#422).
+* **[website] Add LINSTOR disk preparation guide**: Added comprehensive documentation for preparing disks for LINSTOR storage ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#411).
+* **[website] Add Proxmox VM migration guide**: Added detailed guide for migrating virtual machines from Proxmox to Cozystack ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#410).
+* **[website] Add cluster autoscaler documentation**: Added documentation for Hetzner setup with Talos, vSwitch, and Kilo mesh integration ([**@kvaps**](https://github.com/kvaps) in #1964).
+* **[website] Improve Azure autoscaling troubleshooting guide**: Enhanced Azure autoscaling documentation with serial console instructions and `az vmss update --custom-data` guidance ([**@kvaps**](https://github.com/kvaps) in cozystack/website#424).
+* **[website] Update multi-location documentation for cilium-kilo variant**: Updated multi-location networking docs to reflect the integrated `cilium-kilo` variant selection ([**@kvaps**](https://github.com/kvaps) in cozystack/website@02d63f0).
+* **[website] Update documentation to use jsonpatch for service exposure**: Improved `kubectl patch` commands to use JSON Patch `add` operations ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#427).
+* **[website] Update certificates section in Platform Package documentation**: Updated certificate configuration docs to reflect new `solver` and `issuerName` fields ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in cozystack/website#429).
+* **[website] Add tenant Kubernetes cluster log querying guide**: Added documentation for querying logs from tenant clusters in Grafana using VictoriaLogs labels ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#430).
+* **[website] Replace non-idempotent commands with idempotent alternatives**: Updated `helm install` to `helm upgrade --install` and `kubectl create` to `kubectl apply` across all installation guides ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#431).
+* **[website] Fix broken documentation links with .md suffix**: Fixed incorrect internal links across virtualization guides for v0 and v1 documentation ([**@cheese**](https://github.com/cheese) in cozystack/website#432).
+* **[website] Refactor resource planning documentation**: Improved resource planning guide with clearer structure and more comprehensive coverage ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#423).
+* **[website] Add ServiceAccount API access documentation and update FAQ**: Added documentation for ServiceAccount API access token configuration and updated FAQ ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#421).
+* **[website] Update networking-mesh allowed-location-ips example**: Replaced provider-specific CLI with standard `kubectl` commands in multi-location networking guide ([**@kvaps**](https://github.com/kvaps) in cozystack/website#425).
+* **[website] docs(storage): simplify NFS driver setup instructions**: Simplified NFS driver setup documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website#399).
+* **[website] Add Hetzner RobotLB documentation**: Added documentation for configuring public IP with Hetzner RobotLB ([**@kvaps**](https://github.com/kvaps) in cozystack/website#394).
+* **[website] Add documentation for creating and managing cloned VMs**: Added comprehensive guide for VM cloning operations ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#401).
+* **[website] Update Talos installation docs for Hetzner and Servers.com**: Updated installation documentation for Hetzner and Servers.com environments ([**@kvaps**](https://github.com/kvaps) in cozystack/website#395).
+* **[website] Add Hidora organization support details**: Added Hidora to the support page ([**@matthieu-robin**](https://github.com/matthieu-robin) in cozystack/website#397, cozystack/website#398).
+* **[website] Check quotas before an upgrade**: Added troubleshooting documentation for checking resource quotas before upgrades ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website#405).
+* **[website] Update support documentation**: Updated support documentation with current contact information ([**@xrmtech-isk**](https://github.com/xrmtech-isk) in cozystack/website#420).
+* **[website] Correct typo in kubeconfig reference in Kubernetes installation guide**: Fixed documentation typo in kubeconfig reference ([**@shkarface**](https://github.com/shkarface) in cozystack/website#414).
+
+## Breaking Changes & Upgrade Notes
+
+* **[api] CozystackResourceDefinition renamed to ApplicationDefinition**: The `CozystackResourceDefinition` CRD has been renamed to `ApplicationDefinition`. Migration 24 handles the transition automatically during upgrade ([**@kvaps**](https://github.com/kvaps) in #1864).
+
+* **[platform] Certificate issuer configuration parameters renamed**: The `publishing.certificates.issuerType` field is renamed to `publishing.certificates.solver`, and the value `cloudflare` is renamed to `dns01`. A new `publishing.certificates.issuerName` field (default: `letsencrypt-prod`) is added. Migration 32 automatically converts existing configurations — no manual action required ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
+
+* **[vpc] VPC subnets definition migrated from map to array format**: VPC subnets are now defined as `[]Subnet` with an explicit `name` field instead of `map[string]Subnet`. Migration 30 handles the conversion automatically ([**@kvaps**](https://github.com/kvaps) in #2052).
+
+* **[vm] virtual-machine application replaced by vm-disk and vm-instance**: The legacy `virtual-machine` application has been fully replaced. Migration 28 automatically converts existing VMs to the new architecture ([**@kvaps**](https://github.com/kvaps) in #2040).
+
+* **[mysql] mysql application renamed to mariadb**: Existing MySQL deployments are automatically renamed to MariaDB via migration 27 ([**@kvaps**](https://github.com/kvaps) in #2026).
+
+### Upgrade Guide
+
+To upgrade from v0.41.x to v1.0.0:
+1. **Backup your cluster** before upgrading.
+2. Run the provided migration script: `hack/migrate-to-version-1.0.sh`.
+3. The 33 incremental migration steps will automatically handle all resource renaming, configuration conversion, CRD adoption, and secret cleanup.
+4. Refer to the [upgrade documentation](https://cozystack.io/docs/v1/upgrade) for detailed instructions and troubleshooting.
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@androndo**](https://github.com/androndo)
+* [**@cheese**](https://github.com/cheese)
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@IvanStukov**](https://github.com/IvanStukov)
+* [**@kitsunoff**](https://github.com/kitsunoff)
+* [**@klinch0**](https://github.com/klinch0)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@lllamnyp**](https://github.com/lllamnyp)
+* [**@matthieu-robin**](https://github.com/matthieu-robin)
+* [**@mattia-eleuteri**](https://github.com/mattia-eleuteri)
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
+* [**@nbykov0**](https://github.com/nbykov0)
+* [**@shkarface**](https://github.com/shkarface)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+* [**@xrmtech-isk**](https://github.com/xrmtech-isk)
+
+### New Contributors
+
+We're excited to welcome our first-time contributors:
+
+* [**@cheese**](https://github.com/cheese) - First contribution!
+* [**@IvanStukov**](https://github.com/IvanStukov) - First contribution!
+* [**@kitsunoff**](https://github.com/kitsunoff) - First contribution!
+* [**@shkarface**](https://github.com/shkarface) - First contribution!
+* [**@xrmtech-isk**](https://github.com/xrmtech-isk) - First contribution!
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.41.0...v1.0.0

docs/changelogs/v1.0.1.md

@@ -0,0 +1,21 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.1
+-->
+
+## Fixes
+
+* **[platform] Prevent cozystack-version ConfigMap from deletion**: Added resource protection to prevent the `cozystack-version` ConfigMap from being accidentally deleted, improving platform stability and reliability ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2112, #2114).
+
+* **[installer] Add keep annotation to Namespace and update migration script**: Added `helm.sh/resource-policy: keep` annotation to the `cozy-system` Namespace in the installer Helm chart to prevent Helm from deleting the namespace (and all HelmReleases within it) when the installer release is removed. The v1.0 migration script is also updated to annotate the `cozy-system` namespace and `cozystack-version` ConfigMap with this policy before migration ([**@kvaps**](https://github.com/kvaps) in #2122, #2123).
+
+* **[dashboard] Add FlowSchema to exempt BFF from API throttling**: Added a `cozy-dashboard-exempt` FlowSchema to exempt the dashboard Back-End-for-Frontend (BFF) service account from Kubernetes API Priority and Fairness throttling. Previously, the BFF fell under the `workload-low` priority level, causing 429 (Too Many Requests) errors under load, resulting in dashboard unresponsiveness ([**@kvaps**](https://github.com/kvaps) in #2121, #2124).
+
+## Documentation
+
+* **[website] Replace bundles documentation with variants**: Renamed the "Bundles" documentation section to "Variants" to match current Cozystack terminology. Removed deprecated variants (`iaas-full`, `distro-full`, `distro-hosted`) and added new variants: `default` (PackageSources only, for manual package management via cozypkg) and `isp-full-generic` (full PaaS/IaaS on k3s, kubeadm, or RKE2). Updated all cross-references throughout the documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website#433).
+
+* **[website] Add step to protect namespace before upgrading**: Updated the cluster upgrade guide and v0.41→v1.0 migration guide with a required step to annotate the `cozy-system` namespace and `cozystack-version` ConfigMap with `helm.sh/resource-policy=keep` before running `helm upgrade`, preventing accidental namespace deletion ([**@kvaps**](https://github.com/kvaps) in cozystack/website#435).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0...v1.0.1

hack/cozytest.sh

@@ -10,7 +10,11 @@ PATTERN=${2:-*}
 LINE='----------------------------------------------------------------'
 
 cols() { stty size 2>/dev/null | awk '{print $2}' || echo 80; }
-MAXW=$(( $(cols) - 12 )); [ "$MAXW" -lt 40 ] && MAXW=70
+if [ -t 1 ]; then
+  MAXW=$(( $(cols) - 12 )); [ "$MAXW" -lt 40 ] && MAXW=70
+else
+  MAXW=0  # no truncation when not a tty (e.g. CI)
+fi
 BEGIN=$(date +%s)
 timestamp() { s=$(( $(date +%s) - BEGIN )); printf '[%02d:%02d]' $((s/60)) $((s%60)); }
 
@@ -45,7 +49,7 @@ run_one() {
           *)       out=$line ;;
         esac
         now=$(( $(date +%s) - START ))
-        [ ${#out} -gt "$MAXW" ] && out="$(printf '%.*s…' "$MAXW" "$out")"
+        [ "$MAXW" -gt 0 ] && [ ${#out} -gt "$MAXW" ] && out="$(printf '%.*s…' "$MAXW" "$out")"
         printf '┊[%02d:%02d] %s\n' $((now/60)) $((now%60)) "$out"
   done
 

hack/e2e-apps/openbao.bats

@@ -0,0 +1,59 @@
+#!/usr/bin/env bats
+
+@test "Create OpenBAO (standalone)" {
+  name='test'
+  kubectl apply -f- <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: OpenBAO
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  replicas: 1
+  size: 10Gi
+  storageClass: ""
+  resourcesPreset: "small"
+  resources: {}
+  external: false
+  ui: true
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr openbao-$name --timeout=60s --for=condition=ready
+  kubectl -n tenant-test wait hr openbao-$name-system --timeout=120s --for=condition=ready
+
+  # Wait for container to be started (pod Running does not guarantee container is ready for exec on slow CI)
+  if ! timeout 120 sh -ec "until kubectl -n tenant-test get pod openbao-$name-0 --output jsonpath='{.status.containerStatuses[0].started}' 2>/dev/null | grep -q true; do sleep 5; done"; then
+    echo "=== DEBUG: Container did not start in time ===" >&2
+    kubectl -n tenant-test describe pod openbao-$name-0 >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 --previous >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 >&2 || true
+    return 1
+  fi
+
+  # Wait for OpenBAO API to accept connections
+  # bao status exit codes: 0 = unsealed, 1 = error/not ready, 2 = sealed but responsive
+  if ! timeout 60 sh -ec "until kubectl -n tenant-test exec openbao-$name-0 -- bao status >/dev/null 2>&1; rc=\$?; test \$rc -eq 0 -o \$rc -eq 2; do sleep 3; done"; then
+    echo "=== DEBUG: OpenBAO API did not become responsive ===" >&2
+    kubectl -n tenant-test describe pod openbao-$name-0 >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 --previous >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 >&2 || true
+    return 1
+  fi
+
+  # Initialize OpenBAO (single key share for testing simplicity)
+  init_output=$(kubectl -n tenant-test exec openbao-$name-0 -- bao operator init -key-shares=1 -key-threshold=1 -format=json)
+  unseal_key=$(echo "$init_output" | jq -r '.unseal_keys_b64[0]')
+  if [ -z "$unseal_key" ] || [ "$unseal_key" = "null" ]; then
+    echo "Failed to extract unseal key. Init output: $init_output" >&2
+    return 1
+  fi
+
+  # Unseal OpenBAO
+  kubectl -n tenant-test exec openbao-$name-0 -- bao operator unseal "$unseal_key"
+
+  # Now wait for pod to become ready (readiness probe checks seal status)
+  kubectl -n tenant-test wait sts openbao-$name --timeout=90s --for=jsonpath='{.status.readyReplicas}'=1
+  kubectl -n tenant-test wait pvc data-openbao-$name-0 --timeout=50s --for=jsonpath='{.status.phase}'=Bound
+  kubectl -n tenant-test delete openbao.apps.cozystack.io $name
+  kubectl -n tenant-test delete pvc data-openbao-$name-0 --ignore-not-found
+}

hack/e2e-apps/run-kubernetes.sh

@@ -102,15 +102,19 @@ EOF
     done
   '
   # Verify the nodes are ready
-  kubectl --kubeconfig "tenantkubeconfig-${test_name}" wait node --all --timeout=2m --for=condition=Ready
+  if ! kubectl --kubeconfig "tenantkubeconfig-${test_name}" wait node --all --timeout=2m --for=condition=Ready; then
+    # Additional debug messages
+    kubectl --kubeconfig "tenantkubeconfig-${test_name}" describe nodes
+    kubectl -n tenant-test get hr
+  fi
   kubectl --kubeconfig "tenantkubeconfig-${test_name}" get nodes -o wide
 
   # Verify the kubelet version matches what we expect
   versions=$(kubectl --kubeconfig "tenantkubeconfig-${test_name}" \
     get nodes -o jsonpath='{.items[*].status.nodeInfo.kubeletVersion}')
-  
+
   node_ok=true
-  
+
   for v in $versions; do
     case "$v" in
       "${k8s_version}" | "${k8s_version}".* | "${k8s_version}"-*)
@@ -193,7 +197,7 @@ EOF
 
   # Wait for pods readiness
   kubectl wait deployment --kubeconfig "tenantkubeconfig-${test_name}" "${test_name}-backend" -n tenant-test --for=condition=Available --timeout=300s
-  
+
   # Wait for LoadBalancer to be provisioned (IP or hostname)
   timeout 90 sh -ec "
     until kubectl get svc ${test_name}-backend --kubeconfig tenantkubeconfig-${test_name} -n tenant-test \

hack/migrate-to-version-1.0.sh

@@ -32,6 +32,79 @@ if ! kubectl get namespace "$NAMESPACE" &> /dev/null; then
     exit 1
 fi
 
+# Step 0: Annotate critical resources to prevent Helm from deleting them
+echo "Step 0: Protect critical resources from Helm deletion"
+echo ""
+echo "The following resources will be annotated with helm.sh/resource-policy=keep"
+echo "to prevent Helm from deleting them when the installer release is removed:"
+echo "  - Namespace: $NAMESPACE"
+echo "  - ConfigMap: $NAMESPACE/cozystack-version"
+echo "  - Namespace: cozy-keycloak"
+echo ""
+read -p "Do you want to annotate these resources? (y/N) " -n 1 -r
+echo ""
+
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+    echo "Annotating namespace $NAMESPACE..."
+    kubectl annotate namespace "$NAMESPACE" helm.sh/resource-policy=keep --overwrite
+    echo "Annotating ConfigMap cozystack-version..."
+    kubectl annotate configmap -n "$NAMESPACE" cozystack-version helm.sh/resource-policy=keep --overwrite 2>/dev/null || echo "  ConfigMap cozystack-version not found, skipping."
+
+    echo "Annotating namespace cozy-keycloak..."
+    if kubectl get namespace cozy-keycloak >/dev/null 2>&1; then
+        kubectl annotate namespace cozy-keycloak helm.sh/resource-policy=keep --overwrite
+    else
+        echo "  Namespace cozy-keycloak not found, skipping."
+    fi
+
+    echo ""
+    echo "Resources annotated successfully."
+else
+    echo "WARNING: Skipping annotation. If you remove the Helm installer release,"
+    echo "the namespace and its contents may be deleted!"
+fi
+echo ""
+
+# Step 0.5: Delete keycloak helm release secrets to prevent FluxCD from running helm uninstall
+# When the Package operator recreates keycloak HelmReleases with spec.chartRef
+# (replacing spec.chart), FluxCD sees an incompatible change and runs helm uninstall,
+# destroying all keycloak data. Without helm secrets, FluxCD has nothing to uninstall
+# and performs helm install instead, adopting existing resources.
+echo "Step 0.5: Protect keycloak data from destruction"
+echo ""
+echo "This will delete Helm release secrets for keycloak releases in cozy-keycloak"
+echo "namespace. Without these secrets, FluxCD cannot run helm uninstall and will"
+echo "adopt existing resources instead of recreating them."
+echo ""
+
+if kubectl get namespace cozy-keycloak >/dev/null 2>&1; then
+    read -p "Do you want to delete keycloak helm release secrets? (y/N) " -n 1 -r
+    echo ""
+
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        for release in keycloak keycloak-operator keycloak-configure; do
+            echo "  Deleting helm release secrets for ${release}..."
+            kubectl delete secrets -n cozy-keycloak -l "name=${release},owner=helm" --ignore-not-found
+            # Fallback: delete by name pattern
+            remaining=$(kubectl get secrets -n cozy-keycloak -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
+            if [ -n "$remaining" ]; then
+                echo "$remaining" | while IFS= read -r secret; do
+                    echo "    Deleting $secret"
+                    kubectl delete -n cozy-keycloak "$secret" --ignore-not-found
+                done
+            fi
+        done
+        echo ""
+        echo "Keycloak helm release secrets deleted."
+    else
+        echo "WARNING: Skipping. Keycloak data may be lost during upgrade if FluxCD"
+        echo "runs helm uninstall due to chart source change."
+    fi
+else
+    echo "  Namespace cozy-keycloak does not exist, keycloak not deployed — skipping."
+fi
+echo ""
+
 # Read ConfigMap cozystack
 echo "Reading ConfigMap cozystack..."
 COZYSTACK_CM=$(kubectl get configmap -n "$NAMESPACE" cozystack -o json 2>/dev/null || echo "{}")
@@ -52,6 +125,10 @@ OIDC_ENABLED=$(echo "$COZYSTACK_CM" | jq -r '.data["oidc-enabled"] // "false"')
 KEYCLOAK_REDIRECTS=$(echo "$COZYSTACK_CM" | jq -r '.data["extra-keycloak-redirect-uri-for-dashboard"] // ""' )
 TELEMETRY_ENABLED=$(echo "$COZYSTACK_CM" | jq -r '.data["telemetry-enabled"] // "true"')
 BUNDLE_NAME=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-name"] // "paas-full"')
+BUNDLE_DISABLE=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-disable"] // ""')
+BUNDLE_ENABLE=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-enable"] // ""')
+EXPOSE_INGRESS=$(echo "$COZYSTACK_CM" | jq -r '.data["expose-ingress"] // "tenant-root"')
+EXPOSE_SERVICES=$(echo "$COZYSTACK_CM" | jq -r '.data["expose-services"] // ""')
 
 # Certificate issuer configuration (old undocumented field: clusterissuer)
 OLD_CLUSTER_ISSUER=$(echo "$COZYSTACK_CM" | jq -r '.data["clusterissuer"] // ""')
@@ -99,21 +176,24 @@ else
     EXTERNAL_IPS=$(echo "$EXTERNAL_IPS" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - "$0}')
 fi
 
-# Determine bundle type
-case "$BUNDLE_NAME" in
-    paas-full|distro-full)
-        SYSTEM_ENABLED="true"
-        SYSTEM_TYPE="full"
-        ;;
-    paas-hosted|distro-hosted)
-        SYSTEM_ENABLED="false"
-        SYSTEM_TYPE="hosted"
-        ;;
-    *)
-        SYSTEM_ENABLED="false"
-        SYSTEM_TYPE="hosted"
-        ;;
-esac
+# Convert comma-separated lists to YAML arrays
+if [ -z "$BUNDLE_DISABLE" ]; then
+    DISABLED_PACKAGES="[]"
+else
+    DISABLED_PACKAGES=$(echo "$BUNDLE_DISABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - "$0}')
+fi
+
+if [ -z "$BUNDLE_ENABLE" ]; then
+    ENABLED_PACKAGES="[]"
+else
+    ENABLED_PACKAGES=$(echo "$BUNDLE_ENABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - "$0}')
+fi
+
+if [ -z "$EXPOSE_SERVICES" ]; then
+    EXPOSED_SERVICES_YAML="[]"
+else
+    EXPOSED_SERVICES_YAML=$(echo "$EXPOSE_SERVICES" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "            - "$0}')
+fi
 
 # Update bundle naming
 BUNDLE_NAME=$(echo "$BUNDLE_NAME" | sed 's/paas/isp/')
@@ -141,8 +221,6 @@ echo "  Root Host: $ROOT_HOST"
 echo "  API Server Endpoint: $API_SERVER_ENDPOINT"
 echo "  OIDC Enabled: $OIDC_ENABLED"
 echo "  Bundle Name: $BUNDLE_NAME"
-echo "  System Enabled: $SYSTEM_ENABLED"
-echo "  System Type: $SYSTEM_TYPE"
 echo "  Certificate Solver: ${SOLVER:-http01 (default)}"
 echo "  Issuer Name: ${ISSUER_NAME:-letsencrypt-prod (default)}"
 echo ""
@@ -160,15 +238,8 @@ spec:
     platform:
       values:
         bundles:
-          system:
-            enabled: $SYSTEM_ENABLED
-            type: "$SYSTEM_TYPE"
-          iaas:
-            enabled: true
-          paas:
-            enabled: true
-          naas:
-            enabled: true
+          disabledPackages: $DISABLED_PACKAGES
+          enabledPackages: $ENABLED_PACKAGES
         networking:
           clusterDomain: "$CLUSTER_DOMAIN"
           podCIDR: "$POD_CIDR"
@@ -177,6 +248,8 @@ spec:
           joinCIDR: "$JOIN_CIDR"
         publishing:
           host: "$ROOT_HOST"
+          ingressName: "$EXPOSE_INGRESS"
+          exposedServices: $EXPOSED_SERVICES_YAML
           apiServerEndpoint: "$API_SERVER_ENDPOINT"
           externalIPs: $EXTERNAL_IPS
 ${CERTIFICATES_SECTION}

internal/controller/dashboard/README.md

@@ -156,7 +156,7 @@ menuItems = append(menuItems, map[string]any{
         map[string]any{
             "key":   "{plural}",
             "label": "{ResourceLabel}",
-            "link":  "/openapi-ui/{clusterName}/{namespace}/api-table/{group}/{version}/{plural}",
+            "link":  "/openapi-ui/{cluster}/{namespace}/api-table/{group}/{version}/{plural}",
         },
     },
 }),
@@ -174,7 +174,7 @@ menuItems = append(menuItems, map[string]any{
 
 **Important Notes**:
 - The sidebar tag (`{lowercase-kind}-sidebar`) must match what the Factory uses
-- The link format: `/openapi-ui/{clusterName}/{namespace}/api-table/{group}/{version}/{plural}`
+- The link format: `/openapi-ui/{cluster}/{namespace}/api-table/{group}/{version}/{plural}`
 - All sidebars share the same `keysAndTags` and `menuItems`, so changes affect all sidebar instances
 
 ### Step 4: Verify Integration

internal/controller/dashboard/factory.go

@@ -582,15 +582,14 @@ type factoryFlags struct {
 	Secrets   bool
 }
 
-// factoryFeatureFlags tries several conventional locations so you can evolve the API
-// without breaking the controller. Defaults are false (hidden).
+// factoryFeatureFlags determines which tabs to show based on whether the
+// ApplicationDefinition has non-empty Include resource selectors.
+// Workloads tab is always shown.
 func factoryFeatureFlags(crd *cozyv1alpha1.ApplicationDefinition) factoryFlags {
-	var f factoryFlags
-
-	f.Workloads = true
-	f.Ingresses = true
-	f.Services = true
-	f.Secrets = true
-
-	return f
+	return factoryFlags{
+		Workloads: true,
+		Ingresses: len(crd.Spec.Ingresses.Include) > 0,
+		Services:  len(crd.Spec.Services.Include) > 0,
+		Secrets:   len(crd.Spec.Secrets.Include) > 0,
+	}
 }

internal/controller/dashboard/manager.go

@@ -299,10 +299,6 @@ func (m *Manager) buildExpectedResourceSet(crds []cozyv1alpha1.ApplicationDefini
 
 		// Add other stock sidebars that are created for each CRD
 		stockSidebars := []string{
-			"stock-instance-api-form",
-			"stock-instance-api-table",
-			"stock-instance-builtin-form",
-			"stock-instance-builtin-table",
 			"stock-project-factory-marketplace",
 			"stock-project-factory-workloadmonitor-details",
 			"stock-project-api-form",

internal/controller/dashboard/sidebar.go

@@ -17,8 +17,7 @@ import (
 
 // ensureSidebar creates/updates multiple Sidebar resources that share the same menu:
 //   - The "details" sidebar tied to the current kind (stock-project-factory-<kind>-details)
-//   - The stock-instance sidebars: api-form, api-table, builtin-form, builtin-table
-//   - The stock-project sidebars:  api-form, api-table, builtin-form, builtin-table, crd-form, crd-table
+//   - The stock-project sidebars: api-form, api-table, builtin-form, builtin-table, crd-form, crd-table
 //
 // Menu rules:
 //   - The first section is "Marketplace" with two hardcoded entries:
@@ -176,23 +175,23 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 
 	// Add hardcoded Backups section
 	menuItems = append(menuItems, map[string]any{
-		"key":   "backups",
+		"key":   "backups-category",
 		"label": "Backups",
 		"children": []any{
 			map[string]any{
 				"key":   "plans",
 				"label": "Plans",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/plans",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/plans",
 			},
 			map[string]any{
 				"key":   "backupjobs",
 				"label": "BackupJobs",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backupjobs",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backupjobs",
 			},
 			map[string]any{
 				"key":   "backups",
 				"label": "Backups",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backups",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backups",
 			},
 		},
 	})
@@ -215,7 +214,7 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 			map[string]any{
 				"key":   "loadbalancer-services",
 				"label": "External IPs",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/factory/external-ips",
+				"link":  "/openapi-ui/{cluster}/{namespace}/factory/external-ips",
 			},
 			map[string]any{
 				"key":   "tenants",
@@ -228,13 +227,7 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 	// 6) Prepare the list of Sidebar IDs to upsert with the SAME content
 	// Create sidebars for ALL CRDs with dashboard config
 	targetIDs := []string{
-		// stock-instance sidebars
-		"stock-instance-api-form",
-		"stock-instance-api-table",
-		"stock-instance-builtin-form",
-		"stock-instance-builtin-table",
-
-		// stock-project sidebars
+		// stock-project sidebars (namespace-level, full menu)
 		"stock-project-factory-marketplace",
 		"stock-project-factory-workloadmonitor-details",
 		"stock-project-factory-kube-service-details",

internal/controller/dashboard/static_refactored.go

@@ -503,18 +503,27 @@ func CreateAllCustomFormsOverrides() []*dashboardv1alpha1.CustomFormsOverride {
 				createFormItem("metadata.namespace", "Namespace", "text"),
 				createFormItem("spec.applicationRef.kind", "Application Kind", "text"),
 				createFormItem("spec.applicationRef.name", "Application Name", "text"),
-				createFormItemWithAPI("spec.backupClassName", "Backup Class", "select", map[string]any{
-					"api": map[string]any{
-						"fetchUrl":       "/api/clusters/{clusterName}/k8s/apis/backups.cozystack.io/v1alpha1/backupclasses",
-						"pathToItems":    []any{"items"},
-						"pathToValue":    []any{"metadata", "name"},
-						"pathToLabel":    []any{"metadata", "name"},
-						"clusterNameVar": "clusterName",
-					},
-				}),
 				createFormItem("spec.schedule.type", "Schedule Type", "text"),
 				createFormItem("spec.schedule.cron", "Schedule Cron", "text"),
 			},
+			"schema": createSchema(map[string]any{
+				"backupClassName": listInputScemaItemBackupClass(),
+			}),
+		}),
+
+		// BackupJobs form override - backups.cozystack.io/v1alpha1
+		createCustomFormsOverride("default-/backups.cozystack.io/v1alpha1/backupjobs", map[string]any{
+			"formItems": []any{
+				createFormItem("metadata.name", "Name", "text"),
+				createFormItem("metadata.namespace", "Namespace", "text"),
+				createFormItem("spec.planRef.name", "Plan Name (optional)", "text"),
+				createFormItem("spec.applicationRef.apiGroup", "Application API Group", "text"),
+				createFormItem("spec.applicationRef.kind", "Application Kind", "text"),
+				createFormItem("spec.applicationRef.name", "Application Name", "text"),
+			},
+			"schema": createSchema(map[string]any{
+				"backupClassName": listInputScemaItemBackupClass(),
+			}),
 		}),
 	}
 }
@@ -2042,9 +2051,9 @@ func createCustomFormsOverride(customizationId string, spec map[string]any) *das
 		"strategy":        "merge",
 	}
 
-	// Merge caller-provided fields (like formItems) into newSpec
+	// Merge into newSpec caller-provided fields without: customizationId, hidden, strategy
 	for key, value := range spec {
-		if key != "customizationId" && key != "hidden" && key != "schema" && key != "strategy" {
+		if key != "customizationId" && key != "hidden" && key != "strategy" {
 			newSpec[key] = value
 		}
 	}
@@ -2089,6 +2098,28 @@ func createNavigation(name string, spec map[string]any) *dashboardv1alpha1.Navig
 	}
 }
 
+func listInputScemaItemBackupClass() map[string]any {
+	return map[string]any{
+		"type": "listInput",
+		"customProps": map[string]any{
+			"valueUri":    "/api/clusters/{cluster}/k8s/apis/backups.cozystack.io/v1alpha1/backupclasses",
+			"keysToValue": []any{"metadata", "name"},
+			"keysToLabel": []any{"metadata", "name"},
+		},
+	}
+}
+
+// backupClassSchema returns the schema for spec.backupClassName as listInput (BackupJob/Plan).
+func createSchema(customProps map[string]any) map[string]any {
+	return map[string]any{
+		"properties": map[string]any{
+			"spec": map[string]any{
+				"properties": customProps,
+			},
+		},
+	}
+}
+
 // createFormItem creates a form item for CustomFormsOverride
 func createFormItem(path, label, fieldType string) map[string]any {
 	return map[string]any{

packages/apps/bucket/templates/bucketclaim.yaml

@@ -17,3 +17,13 @@ spec:
   bucketClaimName: {{ .Release.Name }}
   credentialsSecretName: {{ .Release.Name }}
   protocol: s3
+---
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketAccess
+metadata:
+  name: {{ .Release.Name }}-readonly
+spec:
+  bucketAccessClassName: {{ $seaweedfs }}-readonly
+  bucketClaimName: {{ .Release.Name }}
+  credentialsSecretName: {{ .Release.Name }}-readonly
+  protocol: s3

packages/apps/bucket/templates/dashboard-resourcemap.yaml

@@ -10,6 +10,7 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   - {{ .Release.Name }}-credentials
+  - {{ .Release.Name }}-readonly
   verbs: ["get", "list", "watch"]
 - apiGroups:
   - networking.k8s.io

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:7deeee117e7eec599cb453836ca95eadd131dfc8c875dc457ef29dc1433395e0
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:3753b735b0315bee90de54cb25cfebc63bd2cc90ad11ca4fdc0e70439abd5096

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:604561e23df1b8eb25c24cf73fd93c7aaa6d1e7c56affbbda5c6f0f83424e4b1
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:434aa3b8e2a3cbf6681426b174e1c4fde23bafd12a6cccd046b5cb1749092ec4

packages/apps/openbao/.helmignore

@@ -0,0 +1,3 @@
+.helmignore
+/logos
+/Makefile

packages/apps/openbao/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: openbao
+description: Managed OpenBAO secrets management service
+icon: /logos/openbao.svg
+type: application
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+appVersion: "2.5.0"

packages/apps/openbao/Makefile

@@ -0,0 +1,5 @@
+include ../../../hack/package.mk
+
+generate:
+	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	../../../hack/update-crd.sh

packages/apps/openbao/README.md

@@ -0,0 +1,27 @@
+# Managed OpenBAO Service
+
+OpenBAO is an open-source secrets management solution forked from HashiCorp Vault.
+It provides identity-based secrets and encryption management for cloud infrastructure.
+
+## Parameters
+
+### Common parameters
+
+| Name               | Description                                                                                                                                                                           | Type       | Value   |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------- |
+| `replicas`         | Number of OpenBAO replicas. HA with Raft is automatically enabled when replicas > 1. Switching between standalone (file storage) and HA (Raft storage) modes requires data migration. | `int`      | `1`     |
+| `resources`        | Explicit CPU and memory configuration for each OpenBAO replica. When omitted, the preset defined in `resourcesPreset` is applied.                                                     | `object`   | `{}`    |
+| `resources.cpu`    | CPU available to each replica.                                                                                                                                                        | `quantity` | `""`    |
+| `resources.memory` | Memory (RAM) available to each replica.                                                                                                                                               | `quantity` | `""`    |
+| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                                                                               | `string`   | `small` |
+| `size`             | Persistent Volume Claim size for data storage.                                                                                                                                        | `quantity` | `10Gi`  |
+| `storageClass`     | StorageClass used to store the data.                                                                                                                                                  | `string`   | `""`    |
+| `external`         | Enable external access from outside the cluster.                                                                                                                                      | `bool`     | `false` |
+
+
+### Application-specific parameters
+
+| Name | Description                | Type   | Value  |
+| ---- | -------------------------- | ------ | ------ |
+| `ui` | Enable the OpenBAO web UI. | `bool` | `true` |
+

packages/apps/openbao/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/openbao/logos/openbao.svg

@@ -0,0 +1,11 @@
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear)"/>
+<rect width="144" height="144" rx="24" fill="black" fill-opacity="0.3"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M72 30C53.222 30 38 45.222 38 64v8c-3.314 0-6 2.686-6 6v30c0 3.314 2.686 6 6 6h68c3.314 0 6-2.686 6-6V78c0-3.314-2.686-6-6-6v-8C106 45.222 90.778 30 72 30zm-8 42v-8c0-4.418 3.582-8 8-8s8 3.582 8 8v8H64zm26 0v-8c0-8.837-7.163-16-16-16s-16 7.163-16 16v8h-2v28h60V72H90zm-22 14a4 4 0 118 0 4 4 0 01-8 0zm4-8a8 8 0 100 16 8 8 0 000-16z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear" x1="10" y1="15.5" x2="144" y2="131.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#87d6be"/>
+<stop offset="1" stop-color="#79c0ab"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/openbao/templates/_resources.tpl

@@ -0,0 +1,49 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "resources.preset" -}}
+{{- $presets := dict
+  "nano" (dict
+      "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "128Mi" "ephemeral-storage" "2Gi")
+   )
+  "micro" (dict
+      "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "256Mi" "ephemeral-storage" "2Gi")
+   )
+  "small" (dict
+      "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "512Mi" "ephemeral-storage" "2Gi")
+   )
+  "medium" (dict
+      "requests" (dict "cpu" "500m" "memory" "1Gi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "1Gi" "ephemeral-storage" "2Gi")
+   )
+  "large" (dict
+      "requests" (dict "cpu" "1" "memory" "2Gi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "2Gi" "ephemeral-storage" "2Gi")
+   )
+  "xlarge" (dict
+      "requests" (dict "cpu" "2" "memory" "4Gi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "4Gi" "ephemeral-storage" "2Gi")
+   )
+  "2xlarge" (dict
+      "requests" (dict "cpu" "4" "memory" "8Gi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "8Gi" "ephemeral-storage" "2Gi")
+   )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}

packages/apps/openbao/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  - {{ .Release.Name }}-internal
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/openbao/templates/openbao.yaml

@@ -0,0 +1,99 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-system
+  labels:
+    sharding.fluxcd.io/key: tenants
+spec:
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-openbao-application-default-openbao-system
+    namespace: cozy-system
+  interval: 5m
+  timeout: 10m
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    force: true
+    remediation:
+      retries: -1
+  valuesFrom:
+  - kind: Secret
+    name: cozystack-values
+  values:
+    openbao:
+      fullnameOverride: {{ .Release.Name }}
+      global:
+        tlsDisable: true
+      server:
+        podManagementPolicy: Parallel
+        resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 10 }}
+        dataStorage:
+          enabled: true
+          size: {{ .Values.size }}
+          {{- with .Values.storageClass }}
+          storageClass: {{ . }}
+          {{- end }}
+        {{- if gt (int .Values.replicas) 1 }}
+        standalone:
+          enabled: false
+        ha:
+          enabled: true
+          replicas: {{ .Values.replicas }}
+          raft:
+            enabled: true
+            setNodeId: true
+            config: |
+              ui = {{ .Values.ui }}
+
+              listener "tcp" {
+                address = "[::]:8200"
+                cluster_address = "[::]:8201"
+                tls_disable = true
+              }
+
+              storage "raft" {
+                path = "/openbao/data"
+              {{- range $i := until (int $.Values.replicas) }}
+                retry_join {
+                  leader_api_addr = "http://{{ $.Release.Name }}-{{ $i }}.{{ $.Release.Name }}-internal:8200"
+                }
+              {{- end }}
+              }
+
+              service_registration "kubernetes" {}
+        {{- else }}
+        standalone:
+          enabled: true
+          config: |
+            ui = {{ .Values.ui }}
+
+            listener "tcp" {
+              address = "[::]:8200"
+              cluster_address = "[::]:8201"
+              tls_disable = true
+            }
+
+            storage "file" {
+              path = "/openbao/data"
+            }
+            # Note: service_registration "kubernetes" {} is intentionally omitted
+            # in standalone mode — it requires an HA-capable storage backend and
+            # causes a fatal error with storage "file".
+        ha:
+          enabled: false
+        {{- end }}
+        {{- if .Values.external }}
+        service:
+          type: LoadBalancer
+        {{- end }}
+      ui:
+        enabled: {{ .Values.ui }}
+        {{- if .Values.external }}
+        serviceType: LoadBalancer
+        {{- end }}
+      injector:
+        enabled: false
+      csi:
+        enabled: false

packages/apps/openbao/templates/workloadmonitor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: openbao
+  type: openbao
+  selector:
+    app.kubernetes.io/instance: {{ $.Release.Name }}-system
+  version: {{ $.Chart.Version }}

packages/apps/openbao/values.schema.json

@@ -0,0 +1,87 @@
+{
+  "title": "Chart Values",
+  "type": "object",
+  "properties": {
+    "external": {
+      "description": "Enable external access from outside the cluster.",
+      "type": "boolean",
+      "default": false
+    },
+    "replicas": {
+      "description": "Number of OpenBAO replicas. HA with Raft is automatically enabled when replicas \u003e 1. Switching between standalone (file storage) and HA (Raft storage) modes requires data migration.",
+      "type": "integer",
+      "default": 1
+    },
+    "resources": {
+      "description": "Explicit CPU and memory configuration for each OpenBAO replica. When omitted, the preset defined in `resourcesPreset` is applied.",
+      "type": "object",
+      "default": {},
+      "properties": {
+        "cpu": {
+          "description": "CPU available to each replica.",
+          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+          "anyOf": [
+            {
+              "type": "integer"
+            },
+            {
+              "type": "string"
+            }
+          ],
+          "x-kubernetes-int-or-string": true
+        },
+        "memory": {
+          "description": "Memory (RAM) available to each replica.",
+          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+          "anyOf": [
+            {
+              "type": "integer"
+            },
+            {
+              "type": "string"
+            }
+          ],
+          "x-kubernetes-int-or-string": true
+        }
+      }
+    },
+    "resourcesPreset": {
+      "description": "Default sizing preset used when `resources` is omitted.",
+      "type": "string",
+      "default": "small",
+      "enum": [
+        "nano",
+        "micro",
+        "small",
+        "medium",
+        "large",
+        "xlarge",
+        "2xlarge"
+      ]
+    },
+    "size": {
+      "description": "Persistent Volume Claim size for data storage.",
+      "default": "10Gi",
+      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+      "anyOf": [
+        {
+          "type": "integer"
+        },
+        {
+          "type": "string"
+        }
+      ],
+      "x-kubernetes-int-or-string": true
+    },
+    "storageClass": {
+      "description": "StorageClass used to store the data.",
+      "type": "string",
+      "default": ""
+    },
+    "ui": {
+      "description": "Enable the OpenBAO web UI.",
+      "type": "boolean",
+      "default": true
+    }
+  }
+}

packages/apps/openbao/values.yaml

@@ -0,0 +1,41 @@
+##
+## @section Common parameters
+##
+
+## @typedef {struct} Resources - Explicit CPU and memory configuration for each OpenBAO replica.
+## @field {quantity} [cpu] - CPU available to each replica.
+## @field {quantity} [memory] - Memory (RAM) available to each replica.
+
+## @enum {string} ResourcesPreset - Default sizing preset.
+## @value nano
+## @value micro
+## @value small
+## @value medium
+## @value large
+## @value xlarge
+## @value 2xlarge
+
+## @param {int} replicas - Number of OpenBAO replicas. HA with Raft is automatically enabled when replicas > 1. Switching between standalone (file storage) and HA (Raft storage) modes requires data migration.
+replicas: 1
+
+## @param {Resources} [resources] - Explicit CPU and memory configuration for each OpenBAO replica. When omitted, the preset defined in `resourcesPreset` is applied.
+resources: {}
+
+## @param {ResourcesPreset} resourcesPreset="small" - Default sizing preset used when `resources` is omitted.
+resourcesPreset: "small"
+
+## @param {quantity} size - Persistent Volume Claim size for data storage.
+size: 10Gi
+
+## @param {string} storageClass - StorageClass used to store the data.
+storageClass: ""
+
+## @param {bool} external - Enable external access from outside the cluster.
+external: false
+
+##
+## @section Application-specific parameters
+##
+
+## @param {bool} ui - Enable the OpenBAO web UI.
+ui: true

packages/apps/tenant/templates/etcd.yaml

@@ -18,7 +18,7 @@ spec:
     name: cozystack-etcd-application-default-etcd
     namespace: cozy-system
   interval: 5m
-  timeout: 10m
+  timeout: 30m
   install:
     remediation:
       retries: -1

packages/core/installer/templates/cozystack-operator.yaml

@@ -10,6 +10,8 @@ metadata:
   labels:
     cozystack.io/system: "true"
     pod-security.kubernetes.io/enforce: privileged
+  annotations:
+    helm.sh/resource-policy: keep
 ---
 apiVersion: v1
 kind: ServiceAccount

packages/core/installer/values.yaml

@@ -1,9 +1,9 @@
 cozystackOperator:
   # Deployment variant: talos, generic, hosted
   variant: talos
-  image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.0.0-rc.1@sha256:5c0148116b2ab425106f6b86bbc1dfec593a83c993947c24eae92946d1c6116a
+  image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.0.0@sha256:9e5229764b6077809a1c16566881a524c33e8986e36597e6833f8857a7e6a335
   platformSourceUrl: 'oci://ghcr.io/cozystack/cozystack/cozystack-packages'
-  platformSourceRef: 'digest=sha256:b4ee831911b9c259a073f00390559f0bd5d8c78e22e48427a64ef05ed90ca008'
+  platformSourceRef: 'digest=sha256:ef3e4ba7d21572a61794d8be594805f063aa04f4a8c3753351fc89c7804d337e'
 # Generic variant configuration (only used when cozystackOperator.variant=generic)
 cozystack:
   # Kubernetes API server host (IP only, no protocol/port)

packages/core/platform/images/migrations/migrations/26

@@ -2,6 +2,7 @@
 # Migration 26 --> 27
 # Migrate monitoring resources from extra/monitoring to system/monitoring
 # This migration re-labels resources so they become owned by monitoring-system HelmRelease
+# and deletes old helm release secrets so that helm does not diff old vs new chart manifests.
 
 set -euo pipefail
 
@@ -35,10 +36,39 @@ relabel_resources() {
   done
 }
 
+# Delete all helm release secrets for a given release name in a namespace.
+# Uses both label selector and name-pattern matching to ensure complete cleanup.
+delete_helm_secrets() {
+  local ns="$1"
+  local release="$2"
+
+  # Primary: delete by label selector
+  kubectl delete secrets -n "$ns" -l "name=${release},owner=helm" --ignore-not-found
+
+  # Fallback: find and delete by name pattern (in case labels were modified)
+  local remaining
+  remaining=$(kubectl get secrets -n "$ns" -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
+  if [ -n "$remaining" ]; then
+    echo "  Found secrets not matched by label selector, deleting by name..."
+    echo "$remaining" | while IFS= read -r secret; do
+      echo "    Deleting $secret"
+      kubectl delete -n "$ns" "$secret" --ignore-not-found
+    done
+  fi
+
+  # Verify all secrets are gone
+  remaining=$(kubectl get secrets -n "$ns" -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
+  if [ -n "$remaining" ]; then
+    echo "  ERROR: Failed to delete helm release secrets:"
+    echo "$remaining"
+    return 1
+  fi
+}
+
 # Find all tenant namespaces with monitoring HelmRelease
 echo "Finding tenant namespaces with monitoring HelmRelease..."
-NAMESPACES=$(kubectl get hr --all-namespaces -l apps.cozystack.io/application.kind=Monitoring \
-  -o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}' 2>/dev/null | sort -u || true)
+NAMESPACES=$(kubectl get hr --all-namespaces -l cozystack.io/ui=true --field-selector=metadata.name=monitoring \
+  -o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}' | sort -u)
 
 if [ -z "$NAMESPACES" ]; then
   echo "No monitoring HelmReleases found in tenant namespaces, skipping migration"
@@ -66,7 +96,7 @@ for ns in $NAMESPACES; do
   # Step 1: Suspend the HelmRelease
   echo ""
   echo "Step 1: Suspending HelmRelease monitoring..."
-  kubectl patch hr -n "$ns" monitoring --type=merge -p '{"spec":{"suspend":true}}' 2>/dev/null || true
+  kubectl patch hr -n "$ns" monitoring --type=merge -p '{"spec":{"suspend":true}}'
 
   # Wait a moment for reconciliation to stop
   sleep 2
@@ -74,7 +104,7 @@ for ns in $NAMESPACES; do
   # Step 2: Delete helm secrets for the monitoring release
   echo ""
   echo "Step 2: Deleting helm secrets for monitoring release..."
-  kubectl delete secrets -n "$ns" -l name=monitoring,owner=helm --ignore-not-found
+  delete_helm_secrets "$ns" "monitoring"
 
   # Step 3: Relabel resources to be owned by monitoring-system
   echo ""
@@ -121,7 +151,9 @@ for ns in $NAMESPACES; do
   echo "Processing Cozystack resources..."
   relabel_resources "$ns" "workloadmonitors.cozystack.io"
 
-  # Step 4: Delete the suspended HelmRelease (Flux won't delete resources when HR is suspended)
+  # Step 4: Delete the suspended HelmRelease
+  # Helm secrets are already gone, so flux finalizer will find no release to uninstall
+  # and will simply remove the finalizer without deleting any resources.
   echo ""
   echo "Step 4: Deleting suspended HelmRelease monitoring..."
   kubectl delete hr -n "$ns" monitoring --ignore-not-found

packages/core/platform/images/migrations/migrations/27

@@ -5,10 +5,24 @@ set -euo pipefail
 
 # Migrate Piraeus CRDs to piraeus-operator-crds Helm release
 for crd in linstorclusters.piraeus.io linstornodeconnections.piraeus.io linstorsatelliteconfigurations.piraeus.io linstorsatellites.piraeus.io; do
-  kubectl annotate crd "$crd" meta.helm.sh/release-namespace=cozy-linstor meta.helm.sh/release-name=piraeus-operator-crds --overwrite
-  kubectl label crd "$crd" app.kubernetes.io/managed-by=Helm helm.toolkit.fluxcd.io/namespace=cozy-linstor helm.toolkit.fluxcd.io/name=piraeus-operator-crds --overwrite
+  if kubectl get crd "$crd" >/dev/null 2>&1; then
+    echo "  Relabeling CRD $crd"
+    kubectl annotate crd "$crd" meta.helm.sh/release-namespace=cozy-linstor meta.helm.sh/release-name=piraeus-operator-crds --overwrite
+    kubectl label crd "$crd" app.kubernetes.io/managed-by=Helm helm.toolkit.fluxcd.io/namespace=cozy-linstor helm.toolkit.fluxcd.io/name=piraeus-operator-crds --overwrite
+  else
+    echo "  CRD $crd not found, skipping"
+  fi
 done
+
+# Delete old piraeus-operator helm secrets (by label and by name pattern)
 kubectl delete secret -n cozy-linstor -l name=piraeus-operator,owner=helm --ignore-not-found
+remaining=$(kubectl get secrets -n cozy-linstor -o name 2>/dev/null | { grep "^secret/sh\.helm\.release\.v1\.piraeus-operator\." || true; })
+if [ -n "$remaining" ]; then
+  echo "  Deleting remaining piraeus-operator helm secrets by name..."
+  echo "$remaining" | while IFS= read -r secret; do
+    kubectl delete -n cozy-linstor "$secret" --ignore-not-found
+  done
+fi
 
 # Stamp version
 kubectl create configmap -n cozy-system cozystack-version \

packages/core/platform/images/migrations/migrations/28

@@ -348,7 +348,7 @@ PVCEOF
   # --- 3g: Clone Secrets ---
   echo "  --- Clone Secrets ---"
   for secret in $(kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
-    | grep "secret/${OLD_NAME}" | grep -v "sh.helm.release"); do
+    | { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; }); do
     old_secret_name="${secret#secret/}"
     new_secret_name="${NEW_NAME}${old_secret_name#${OLD_NAME}}"
     clone_resource "$NAMESPACE" "secret" "$old_secret_name" "$new_secret_name" "$OLD_NAME" "$NEW_NAME"
@@ -357,7 +357,7 @@ PVCEOF
   # --- 3h: Clone ConfigMaps ---
   echo "  --- Clone ConfigMaps ---"
   for cm in $(kubectl -n "$NAMESPACE" get configmap -o name 2>/dev/null \
-    | grep "configmap/${OLD_NAME}"); do
+    | { grep "configmap/${OLD_NAME}" || true; }); do
     old_cm_name="${cm#configmap/}"
     new_cm_name="${NEW_NAME}${old_cm_name#${OLD_NAME}}"
     clone_resource "$NAMESPACE" "configmap" "$old_cm_name" "$new_cm_name" "$OLD_NAME" "$NEW_NAME"
@@ -468,13 +468,13 @@ PVCEOF
   fi
 
   for secret in $(kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
-    | grep "secret/${OLD_NAME}" | grep -v "sh.helm.release"); do
+    | { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; }); do
     old_secret_name="${secret#secret/}"
     delete_resource "$NAMESPACE" "secret" "$old_secret_name"
   done
 
   for cm in $(kubectl -n "$NAMESPACE" get configmap -o name 2>/dev/null \
-    | grep "configmap/${OLD_NAME}"); do
+    | { grep "configmap/${OLD_NAME}" || true; }); do
     old_cm_name="${cm#configmap/}"
     delete_resource "$NAMESPACE" "configmap" "$old_cm_name"
   done
@@ -611,6 +611,19 @@ done
 echo ""
 echo "=== Migration complete (${#INSTANCES[@]} instance(s)) ==="
 
+# ============================================================
+# STEP 8: Clean up orphaned mysql-rd system HelmRelease
+# ============================================================
+echo ""
+echo "--- Step 8: Clean up orphaned mysql-rd HelmRelease ---"
+if kubectl -n cozy-system get hr mysql-rd --no-headers 2>/dev/null | grep -q .; then
+  echo "  [DELETE] hr/mysql-rd"
+  kubectl -n cozy-system delete hr mysql-rd --wait=false
+else
+  echo "  [SKIP] hr/mysql-rd already gone"
+fi
+kubectl -n cozy-system delete secret -l "owner=helm,name=mysql-rd" --ignore-not-found
+
 # Stamp version
 kubectl create configmap -n cozy-system cozystack-version \
   --from-literal=version=29 --dry-run=client -o yaml | kubectl apply -f-

packages/core/platform/images/migrations/migrations/29

@@ -9,8 +9,6 @@ set -euo pipefail
 OLD_PREFIX="virtual-machine"
 NEW_DISK_PREFIX="vm-disk"
 NEW_INSTANCE_PREFIX="vm-instance"
-PROTECTION_WEBHOOK_NAME="protection-webhook"
-PROTECTION_WEBHOOK_NS="protection-webhook"
 CDI_APISERVER_NS="cozy-kubevirt-cdi"
 CDI_APISERVER_DEPLOY="cdi-apiserver"
 CDI_VALIDATING_WEBHOOKS="cdi-api-datavolume-validate cdi-api-dataimportcron-validate cdi-api-populator-validate cdi-api-validate"
@@ -88,7 +86,6 @@ echo "  Total: ${#INSTANCES[@]} instance(s)"
 # STEP 2: Migrate each instance
 # ============================================================
 ALL_PV_NAMES=()
-ALL_PROTECTED_RESOURCES=()
 
 for entry in "${INSTANCES[@]}"; do
   NAMESPACE="${entry%%/*}"
@@ -315,7 +312,7 @@ PVCEOF
   # --- 2i: Clone Secrets ---
   echo "  --- Clone Secrets ---"
   kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
-    | grep "secret/${OLD_NAME}" | grep -v "sh.helm.release" | grep -v "values" \
+    | { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; } | { grep -v "values" || true; } \
     | while IFS= read -r secret; do
     old_secret_name="${secret#secret/}"
     suffix="${old_secret_name#${OLD_NAME}}"
@@ -542,7 +539,7 @@ SVCEOF
   # --- 2q: Delete old resources ---
   echo "  --- Delete old resources ---"
   kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
-    | grep "secret/${OLD_NAME}" | grep -v "sh.helm.release" | grep -v "values" \
+    | { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; } | { grep -v "values" || true; } \
     | while IFS= read -r secret; do
     old_secret_name="${secret#secret/}"
     delete_resource "$NAMESPACE" "secret" "$old_secret_name"
@@ -564,71 +561,17 @@ SVCEOF
     delete_resource "$NAMESPACE" "secret" "$VALUES_SECRET"
   fi
 
-  # Collect protected resources for batch deletion
+  # Delete old service (if exists)
   if resource_exists "$NAMESPACE" "svc" "$OLD_NAME"; then
-    ALL_PROTECTED_RESOURCES+=("${NAMESPACE}:svc/${OLD_NAME}")
+    delete_resource "$NAMESPACE" "svc" "$OLD_NAME"
   fi
 done
 
 # ============================================================
-# STEP 3: Delete protected resources (Services)
+# STEP 3: Restore PV reclaim policies
 # ============================================================
 echo ""
-echo "--- Step 3: Delete protected resources ---"
-
-if [ ${#ALL_PROTECTED_RESOURCES[@]} -gt 0 ]; then
-  WEBHOOK_EXISTS=false
-  if kubectl -n "$PROTECTION_WEBHOOK_NS" get deploy "$PROTECTION_WEBHOOK_NAME" --no-headers 2>/dev/null | grep -q .; then
-    WEBHOOK_EXISTS=true
-  fi
-
-  if [ "$WEBHOOK_EXISTS" = "true" ]; then
-    echo "  --- Temporarily disabling protection-webhook ---"
-
-    WEBHOOK_REPLICAS=$(kubectl -n "$PROTECTION_WEBHOOK_NS" get deploy "$PROTECTION_WEBHOOK_NAME" \
-      -o jsonpath='{.spec.replicas}' 2>/dev/null || echo "1")
-
-    echo "  [SCALE] ${PROTECTION_WEBHOOK_NAME} -> 0 (was ${WEBHOOK_REPLICAS})"
-    kubectl -n "$PROTECTION_WEBHOOK_NS" scale deploy "$PROTECTION_WEBHOOK_NAME" --replicas=0
-
-    echo "  [PATCH] Set failurePolicy=Ignore on ValidatingWebhookConfiguration/${PROTECTION_WEBHOOK_NAME}"
-    kubectl get validatingwebhookconfiguration "$PROTECTION_WEBHOOK_NAME" -o json | \
-      jq '.webhooks[].failurePolicy = "Ignore"' | \
-      kubectl apply -f - 2>/dev/null || true
-
-    echo "  Waiting for webhook pods to terminate..."
-    kubectl -n "$PROTECTION_WEBHOOK_NS" wait --for=delete pod \
-      -l app.kubernetes.io/name=protection-webhook --timeout=60s 2>/dev/null || true
-    sleep 3
-  fi
-
-  for entry in "${ALL_PROTECTED_RESOURCES[@]}"; do
-    ns="${entry%%:*}"
-    res="${entry#*:}"
-    echo "  [DELETE] ${ns}/${res}"
-    kubectl -n "$ns" delete "$res" --wait=false 2>/dev/null || true
-  done
-
-  if [ "$WEBHOOK_EXISTS" = "true" ]; then
-    echo "  [PATCH] Set failurePolicy=Fail on ValidatingWebhookConfiguration/${PROTECTION_WEBHOOK_NAME}"
-    kubectl get validatingwebhookconfiguration "$PROTECTION_WEBHOOK_NAME" -o json | \
-      jq '.webhooks[].failurePolicy = "Fail"' | \
-      kubectl apply -f - 2>/dev/null || true
-
-    echo "  [SCALE] ${PROTECTION_WEBHOOK_NAME} -> ${WEBHOOK_REPLICAS}"
-    kubectl -n "$PROTECTION_WEBHOOK_NS" scale deploy "$PROTECTION_WEBHOOK_NAME" \
-      --replicas="$WEBHOOK_REPLICAS"
-    echo "  --- protection-webhook restored ---"
-  fi
-else
-  echo "  [SKIP] No protected resources to delete"
-fi
-
-# ============================================================
-# STEP 4: Restore PV reclaim policies
-# ============================================================
-echo ""
-echo "--- Step 4: Restore PV reclaim policies ---"
+echo "--- Step 3: Restore PV reclaim policies ---"
 for pv_name in "${ALL_PV_NAMES[@]}"; do
   if [ -n "$pv_name" ]; then
     current_policy=$(kubectl get pv "$pv_name" \
@@ -643,7 +586,7 @@ for pv_name in "${ALL_PV_NAMES[@]}"; do
 done
 
 # ============================================================
-# STEP 5: Temporarily disable CDI datavolume webhooks
+# STEP 4: Temporarily disable CDI datavolume webhooks
 # ============================================================
 # CDI's datavolume-validate webhook rejects DataVolume creation when a PVC
 # with the same name already exists. We must disable it so that vm-disk
@@ -652,7 +595,7 @@ done
 # cdi-apiserver (which serves the webhooks), then delete webhook configs.
 # Both are restored after vm-disk HRs reconcile.
 echo ""
-echo "--- Step 5: Temporarily disable CDI webhooks ---"
+echo "--- Step 4: Temporarily disable CDI webhooks ---"
 
 CDI_OPERATOR_REPLICAS=$(kubectl -n "$CDI_APISERVER_NS" get deploy cdi-operator \
   -o jsonpath='{.spec.replicas}' 2>/dev/null || echo "1")
@@ -685,10 +628,10 @@ done
 sleep 2
 
 # ============================================================
-# STEP 6: Unsuspend vm-disk HelmReleases first
+# STEP 5: Unsuspend vm-disk HelmReleases first
 # ============================================================
 echo ""
-echo "--- Step 6: Unsuspend vm-disk HelmReleases ---"
+echo "--- Step 5: Unsuspend vm-disk HelmReleases ---"
 for entry in "${INSTANCES[@]}"; do
   ns="${entry%%/*}"
   instance="${entry#*/}"
@@ -705,7 +648,7 @@ for entry in "${INSTANCES[@]}"; do
     # Force immediate reconciliation
     echo "  [TRIGGER] Reconcile ${ns}/hr/${disk_name}"
     kubectl -n "$ns" annotate hr "$disk_name" --overwrite \
-      "reconcile.fluxcd.io/requestedAt=$(date +%s)" 2>/dev/null || true
+      "reconcile.fluxcd.io/requestedAt=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" 2>/dev/null || true
   fi
 done
 
@@ -729,12 +672,12 @@ for entry in "${INSTANCES[@]}"; do
 done
 
 # ============================================================
-# STEP 7: Restore CDI webhooks
+# STEP 6: Restore CDI webhooks
 # ============================================================
 # Scale cdi-operator and cdi-apiserver back up.
 # cdi-apiserver will recreate webhook configurations automatically on start.
 echo ""
-echo "--- Step 7: Restore CDI webhooks ---"
+echo "--- Step 6: Restore CDI webhooks ---"
 
 echo "  [SCALE] cdi-operator -> ${CDI_OPERATOR_REPLICAS}"
 kubectl -n "$CDI_APISERVER_NS" scale deploy cdi-operator \
@@ -749,10 +692,10 @@ kubectl -n "$CDI_APISERVER_NS" rollout status deploy "$CDI_APISERVER_DEPLOY" --t
 echo "  --- CDI webhooks restored ---"
 
 # ============================================================
-# STEP 8: Unsuspend vm-instance HelmReleases
+# STEP 7: Unsuspend vm-instance HelmReleases
 # ============================================================
 echo ""
-echo "--- Step 8: Unsuspend vm-instance HelmReleases ---"
+echo "--- Step 7: Unsuspend vm-instance HelmReleases ---"
 for entry in "${INSTANCES[@]}"; do
   ns="${entry%%/*}"
   instance="${entry#*/}"
@@ -772,6 +715,19 @@ done
 echo ""
 echo "=== Migration complete (${#INSTANCES[@]} instance(s)) ==="
 
+# ============================================================
+# STEP 8: Clean up orphaned virtual-machine-rd system HelmRelease
+# ============================================================
+echo ""
+echo "--- Step 8: Clean up orphaned virtual-machine-rd HelmRelease ---"
+if kubectl -n cozy-system get hr virtual-machine-rd --no-headers 2>/dev/null | grep -q .; then
+  echo "  [DELETE] hr/virtual-machine-rd"
+  kubectl -n cozy-system delete hr virtual-machine-rd --wait=false
+else
+  echo "  [SKIP] hr/virtual-machine-rd already gone"
+fi
+kubectl -n cozy-system delete secret -l "owner=helm,name=virtual-machine-rd" --ignore-not-found
+
 # Stamp version
 kubectl create configmap -n cozy-system cozystack-version \
   --from-literal=version=30 --dry-run=client -o yaml | kubectl apply -f-

packages/core/platform/images/migrations/migrations/33

@@ -0,0 +1,30 @@
+#!/bin/sh
+# Migration 33 --> 34
+# Clean up orphaned system -rd HelmReleases left after application renames.
+#
+# These HelmReleases reference ExternalArtifacts that no longer exist:
+#   ferretdb-rd   -> replaced by mongodb-rd
+#   mysql-rd      -> replaced by mariadb-rd (migration 28 handled user HRs only)
+#   virtual-machine-rd -> replaced by vm-disk-rd + vm-instance-rd (migration 29 handled user HRs only)
+#
+# Idempotent: safe to re-run.
+
+set -euo pipefail
+
+echo "=== Cleaning up orphaned -rd HelmReleases ==="
+
+for hr_name in ferretdb-rd mysql-rd virtual-machine-rd; do
+  if kubectl -n cozy-system get hr "$hr_name" --no-headers 2>/dev/null | grep -q .; then
+    echo "  [DELETE] hr/${hr_name}"
+    kubectl -n cozy-system delete hr "$hr_name" --wait=false
+  else
+    echo "  [SKIP] hr/${hr_name} already gone"
+  fi
+  kubectl -n cozy-system delete secret -l "owner=helm,name=${hr_name}" --ignore-not-found
+done
+
+echo "=== Cleanup complete ==="
+
+# Stamp version
+kubectl create configmap -n cozy-system cozystack-version \
+  --from-literal=version=34 --dry-run=client -o yaml | kubectl apply -f-

packages/core/platform/images/migrations/migrations/34

@@ -0,0 +1,90 @@
+#!/bin/sh
+# Migration 34 --> 35
+# Protect keycloak data from destruction during v1.0 upgrade.
+#
+# Problem:
+# In v0.41.x keycloak HelmReleases (keycloak, keycloak-operator, keycloak-configure)
+# were created via platform chart template (helmreleases.yaml) with spec.chart
+# pointing to a HelmRepository. In v1.0 the Package operator recreates these
+# HelmReleases with spec.chartRef pointing to an ExternalArtifact.
+# FluxCD sees an incompatible chart source change and runs helm uninstall,
+# destroying all keycloak resources (PVCs, PostgreSQL databases, credentials,
+# realm configuration) before doing a fresh helm install.
+#
+# Solution:
+# Delete Helm release secrets (sh.helm.release.v1.<name>.*) BEFORE the chart
+# source change happens. Without these secrets FluxCD has no release to uninstall,
+# so it performs helm install directly. Existing resources with correct
+# meta.helm.sh/release-name annotations are adopted by the new release.
+#
+# Pattern from migration 26 (monitoring migration).
+
+set -euo pipefail
+
+NAMESPACE="cozy-keycloak"
+
+# Delete all helm release secrets for a given release name in a namespace.
+# Uses both label selector and name-pattern matching to ensure complete cleanup.
+delete_helm_secrets() {
+  local ns="$1"
+  local release="$2"
+
+  # Primary: delete by label selector
+  kubectl delete secrets -n "$ns" -l "name=${release},owner=helm" --ignore-not-found
+
+  # Fallback: find and delete by name pattern (in case labels were modified)
+  local remaining
+  remaining=$(kubectl get secrets -n "$ns" -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
+  if [ -n "$remaining" ]; then
+    echo "    Found secrets not matched by label selector, deleting by name..."
+    echo "$remaining" | while IFS= read -r secret; do
+      echo "      Deleting $secret"
+      kubectl delete -n "$ns" "$secret" --ignore-not-found
+    done
+  fi
+
+  # Verify all secrets are gone
+  remaining=$(kubectl get secrets -n "$ns" -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
+  if [ -n "$remaining" ]; then
+    echo "    ERROR: Failed to delete helm release secrets:"
+    echo "$remaining"
+    return 1
+  fi
+}
+
+echo "=== Protecting keycloak data from destruction during upgrade ==="
+
+# Check if namespace exists; if not, keycloak was never deployed — skip
+if ! kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+  echo "  Namespace $NAMESPACE does not exist, keycloak not deployed — skipping"
+  kubectl create configmap -n cozy-system cozystack-version \
+    --from-literal=version=35 --dry-run=client -o yaml | kubectl apply -f-
+  exit 0
+fi
+
+for release in keycloak keycloak-operator keycloak-configure; do
+  # Check if HelmRelease exists (handle missing CRD gracefully)
+  out=$(kubectl get helmrelease "$release" -n "$NAMESPACE" -o name 2>&1) && found=true || found=false
+
+  if [ "$found" = "true" ]; then
+    echo "  [DELETE SECRETS] Removing helm release secrets for ${release} in ${NAMESPACE}"
+    delete_helm_secrets "$NAMESPACE" "$release"
+  else
+    # Distinguish "not found" from real errors
+    case "$out" in
+      *"NotFound"*|*"not found"*|*"the server doesn't have a resource type"*|*"no matches for kind"*)
+        echo "  [SKIP] hr/${release} not found in ${NAMESPACE}"
+        ;;
+      *)
+        echo "  [ERROR] Failed to query hr/${release}: $out" >&2
+        exit 1
+        ;;
+    esac
+  fi
+done
+
+echo "=== Done ==="
+
+# Stamp version
+kubectl create configmap -n cozy-system cozystack-version \
+  --from-literal=version=35 --dry-run=client -o yaml | kubectl apply -f-

packages/core/platform/sources/openbao-application.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: PackageSource
+metadata:
+  name: cozystack.openbao-application
+spec:
+  sourceRef:
+    kind: OCIRepository
+    name: cozystack-packages
+    namespace: cozy-system
+    path: /
+  variants:
+    - name: default
+      dependsOn:
+        - cozystack.networking
+      libraries:
+        - name: cozy-lib
+          path: library/cozy-lib
+      components:
+        - name: openbao-system
+          path: system/openbao
+        - name: openbao
+          path: apps/openbao
+          libraries: ["cozy-lib"]
+        - name: openbao-rd
+          path: system/openbao-rd
+          install:
+            namespace: cozy-system
+            releaseName: openbao-rd

packages/core/platform/templates/bundles/paas.yaml

@@ -16,6 +16,7 @@
 {{include "cozystack.platform.package.default" (list "cozystack.mariadb-application" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.mongodb-application" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.nats-application" $) }}
+{{include "cozystack.platform.package.default" (list "cozystack.openbao-application" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.postgres-application" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.qdrant-application" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.rabbitmq-application" $) }}

packages/core/platform/templates/cozystack-version.yaml

@@ -6,6 +6,8 @@ kind: ConfigMap
 metadata:
   name: cozystack-version
   namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/resource-policy: keep
 data:
   version: {{ .Values.migrations.targetVersion | quote }}
 {{- end }}

packages/core/platform/values.yaml

@@ -5,8 +5,8 @@ sourceRef:
   path: /
 migrations:
   enabled: false
-  image: ghcr.io/cozystack/cozystack/platform-migrations:v1.0.0-rc.1@sha256:21a09c9f8dfd0a0c9b8c14c70029a39bfce021c66f1d4cacad9764c35dce6e8f
-  targetVersion: 33
+  image: ghcr.io/cozystack/cozystack/platform-migrations:v1.0.0@sha256:68dabdebc38ac439228ae07031cc70e0fa184a24bd4e5b3b22c17466b2a55201
+  targetVersion: 35
 # Bundle deployment configuration
 bundles:
   system:

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.0.0-rc.1@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.0.0@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v1.0.0-rc.1@sha256:3306de19f1ad49a02c735d16b82d7c2ec015c8e0563f120f216274e9a3804431
+ghcr.io/cozystack/cozystack/matchbox:v1.0.0@sha256:c48eb7b23f01a8ff58d409fdb51c88e771f819cb914eee03da89471e62302f33

packages/extra/seaweedfs/README.md

@@ -1,4 +1,4 @@
-# Managed NATS Service
+# Managed SeaweedFS Service
 
 ## Parameters
 
@@ -13,46 +13,68 @@
 
 ### SeaweedFS Components Configuration
 
-| Name                          | Description                                                                                              | Type                | Value   |
-| ----------------------------- | -------------------------------------------------------------------------------------------------------- | ------------------- | ------- |
-| `db`                          | Database configuration.                                                                                  | `object`            | `{}`    |
-| `db.replicas`                 | Number of database replicas.                                                                             | `int`               | `2`     |
-| `db.size`                     | Persistent Volume size.                                                                                  | `quantity`          | `10Gi`  |
-| `db.storageClass`             | StorageClass used to store the data.                                                                     | `string`            | `""`    |
-| `db.resources`                | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`            | `{}`    |
-| `db.resources.cpu`            | Number of CPU cores allocated.                                                                           | `quantity`          | `""`    |
-| `db.resources.memory`         | Amount of memory allocated.                                                                              | `quantity`          | `""`    |
-| `db.resourcesPreset`          | Default sizing preset used when `resources` is omitted.                                                  | `string`            | `small` |
-| `master`                      | Master service configuration.                                                                            | `object`            | `{}`    |
-| `master.replicas`             | Number of master replicas.                                                                               | `int`               | `3`     |
-| `master.resources`            | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`            | `{}`    |
-| `master.resources.cpu`        | Number of CPU cores allocated.                                                                           | `quantity`          | `""`    |
-| `master.resources.memory`     | Amount of memory allocated.                                                                              | `quantity`          | `""`    |
-| `master.resourcesPreset`      | Default sizing preset used when `resources` is omitted.                                                  | `string`            | `small` |
-| `filer`                       | Filer service configuration.                                                                             | `object`            | `{}`    |
-| `filer.replicas`              | Number of filer replicas.                                                                                | `int`               | `2`     |
-| `filer.resources`             | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`            | `{}`    |
-| `filer.resources.cpu`         | Number of CPU cores allocated.                                                                           | `quantity`          | `""`    |
-| `filer.resources.memory`      | Amount of memory allocated.                                                                              | `quantity`          | `""`    |
-| `filer.resourcesPreset`       | Default sizing preset used when `resources` is omitted.                                                  | `string`            | `small` |
-| `filer.grpcHost`              | The hostname used to expose or access the filer service externally.                                      | `string`            | `""`    |
-| `filer.grpcPort`              | The port used to access the filer service externally.                                                    | `int`               | `443`   |
-| `filer.whitelist`             | A list of IP addresses or CIDR ranges that are allowed to access the filer service.                      | `[]string`          | `[]`    |
-| `volume`                      | Volume service configuration.                                                                            | `object`            | `{}`    |
-| `volume.replicas`             | Number of volume replicas.                                                                               | `int`               | `2`     |
-| `volume.size`                 | Persistent Volume size.                                                                                  | `quantity`          | `10Gi`  |
-| `volume.storageClass`         | StorageClass used to store the data.                                                                     | `string`            | `""`    |
-| `volume.resources`            | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`            | `{}`    |
-| `volume.resources.cpu`        | Number of CPU cores allocated.                                                                           | `quantity`          | `""`    |
-| `volume.resources.memory`     | Amount of memory allocated.                                                                              | `quantity`          | `""`    |
-| `volume.resourcesPreset`      | Default sizing preset used when `resources` is omitted.                                                  | `string`            | `small` |
-| `volume.zones`                | A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.           | `map[string]object` | `{}`    |
-| `volume.zones[name].replicas` | Number of replicas in the zone.                                                                          | `int`               | `0`     |
-| `volume.zones[name].size`     | Zone storage size.                                                                                       | `quantity`          | `""`    |
-| `s3`                          | S3 service configuration.                                                                                | `object`            | `{}`    |
-| `s3.replicas`                 | Number of S3 replicas.                                                                                   | `int`               | `2`     |
-| `s3.resources`                | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`            | `{}`    |
-| `s3.resources.cpu`            | Number of CPU cores allocated.                                                                           | `quantity`          | `""`    |
-| `s3.resources.memory`         | Amount of memory allocated.                                                                              | `quantity`          | `""`    |
-| `s3.resourcesPreset`          | Default sizing preset used when `resources` is omitted.                                                  | `string`            | `small` |
+| Name                                              | Description                                                                                                   | Type                | Value   |
+| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ------------------- | ------- |
+| `db`                                              | Database configuration.                                                                                       | `object`            | `{}`    |
+| `db.replicas`                                     | Number of database replicas.                                                                                  | `int`               | `2`     |
+| `db.size`                                         | Persistent Volume size.                                                                                       | `quantity`          | `10Gi`  |
+| `db.storageClass`                                 | StorageClass used to store the data.                                                                          | `string`            | `""`    |
+| `db.resources`                                    | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `db.resources.cpu`                                | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `db.resources.memory`                             | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `db.resourcesPreset`                              | Default sizing preset used when `resources` is omitted.                                                       | `string`            | `small` |
+| `master`                                          | Master service configuration.                                                                                 | `object`            | `{}`    |
+| `master.replicas`                                 | Number of master replicas.                                                                                    | `int`               | `3`     |
+| `master.resources`                                | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `master.resources.cpu`                            | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `master.resources.memory`                         | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `master.resourcesPreset`                          | Default sizing preset used when `resources` is omitted.                                                       | `string`            | `small` |
+| `filer`                                           | Filer service configuration.                                                                                  | `object`            | `{}`    |
+| `filer.replicas`                                  | Number of filer replicas.                                                                                     | `int`               | `2`     |
+| `filer.resources`                                 | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `filer.resources.cpu`                             | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `filer.resources.memory`                          | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `filer.resourcesPreset`                           | Default sizing preset used when `resources` is omitted.                                                       | `string`            | `small` |
+| `filer.grpcHost`                                  | The hostname used to expose or access the filer service externally.                                           | `string`            | `""`    |
+| `filer.grpcPort`                                  | The port used to access the filer service externally.                                                         | `int`               | `443`   |
+| `filer.whitelist`                                 | A list of IP addresses or CIDR ranges that are allowed to access the filer service.                           | `[]string`          | `[]`    |
+| `volume`                                          | Volume service configuration.                                                                                 | `object`            | `{}`    |
+| `volume.replicas`                                 | Number of volume replicas.                                                                                    | `int`               | `2`     |
+| `volume.size`                                     | Persistent Volume size.                                                                                       | `quantity`          | `10Gi`  |
+| `volume.storageClass`                             | StorageClass used to store the data.                                                                          | `string`            | `""`    |
+| `volume.diskType`                                 | SeaweedFS disk type tag for the default volume servers (e.g., "hdd", "ssd").                                  | `string`            | `""`    |
+| `volume.resources`                                | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `volume.resources.cpu`                            | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `volume.resources.memory`                         | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `volume.resourcesPreset`                          | Default sizing preset used when `resources` is omitted.                                                       | `string`            | `small` |
+| `volume.zones`                                    | A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.                | `map[string]object` | `{}`    |
+| `volume.zones[name].replicas`                     | Number of replicas in the zone.                                                                               | `int`               | `0`     |
+| `volume.zones[name].size`                         | Zone storage size.                                                                                            | `quantity`          | `""`    |
+| `volume.zones[name].dataCenter`                   | SeaweedFS data center name for this zone. Defaults to the zone name.                                          | `string`            | `""`    |
+| `volume.zones[name].nodeSelector`                 | YAML nodeSelector for this zone (default: topology.kubernetes.io/zone: <zoneName>).                           | `string`            | `""`    |
+| `volume.zones[name].storageClass`                 | StorageClass used to store zone data. Defaults to volume.storageClass.                                        | `string`            | `""`    |
+| `volume.zones[name].pools`                        | A map of storage pools for this zone. Each pool creates a separate Volume StatefulSet per zone.               | `map[string]object` | `{}`    |
+| `volume.zones[name].pools[name].diskType`         | SeaweedFS disk type tag (e.g., "ssd", "hdd", "nvme").                                                         | `string`            | `""`    |
+| `volume.zones[name].pools[name].replicas`         | Number of volume replicas. Defaults to volume.replicas (Simple) or zone.replicas/volume.replicas (MultiZone). | `int`               | `0`     |
+| `volume.zones[name].pools[name].size`             | Persistent Volume size. Defaults to volume.size (Simple) or zone.size/volume.size (MultiZone).                | `quantity`          | `""`    |
+| `volume.zones[name].pools[name].storageClass`     | Kubernetes StorageClass for the pool. Defaults to volume.storageClass.                                        | `string`            | `""`    |
+| `volume.zones[name].pools[name].resources`        | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `volume.zones[name].pools[name].resources.cpu`    | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `volume.zones[name].pools[name].resources.memory` | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `volume.zones[name].pools[name].resourcesPreset`  | Default sizing preset used when `resources` is omitted. Defaults to volume.resourcesPreset.                   | `string`            | `{}`    |
+| `volume.pools`                                    | A map of storage pools. Each pool creates a separate Volume StatefulSet with its own disk type.               | `map[string]object` | `{}`    |
+| `volume.pools[name].diskType`                     | SeaweedFS disk type tag (e.g., "ssd", "hdd", "nvme").                                                         | `string`            | `""`    |
+| `volume.pools[name].replicas`                     | Number of volume replicas. Defaults to volume.replicas (Simple) or zone.replicas/volume.replicas (MultiZone). | `int`               | `0`     |
+| `volume.pools[name].size`                         | Persistent Volume size. Defaults to volume.size (Simple) or zone.size/volume.size (MultiZone).                | `quantity`          | `""`    |
+| `volume.pools[name].storageClass`                 | Kubernetes StorageClass for the pool. Defaults to volume.storageClass.                                        | `string`            | `""`    |
+| `volume.pools[name].resources`                    | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `volume.pools[name].resources.cpu`                | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `volume.pools[name].resources.memory`             | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `volume.pools[name].resourcesPreset`              | Default sizing preset used when `resources` is omitted. Defaults to volume.resourcesPreset.                   | `string`            | `{}`    |
+| `s3`                                              | S3 service configuration.                                                                                     | `object`            | `{}`    |
+| `s3.replicas`                                     | Number of S3 replicas.                                                                                        | `int`               | `2`     |
+| `s3.resources`                                    | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `s3.resources.cpu`                                | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `s3.resources.memory`                             | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `s3.resourcesPreset`                              | Default sizing preset used when `resources` is omitted.                                                       | `string`            | `small` |
 

packages/extra/seaweedfs/images/objectstorage-sidecar.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.0.0-rc.1@sha256:235b194a531b70e266a10ef78d2955d19f5b659513f23d8b3cfbbc0dff7fc1c0
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.0.0@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f

packages/extra/seaweedfs/images/seaweedfs-cosi-driver.tag

@@ -1 +1 @@
-ghcr.io/seaweedfs/seaweedfs-cosi-driver:v0.2.0
+ghcr.io/seaweedfs/seaweedfs-cosi-driver:v0.3.0

packages/extra/seaweedfs/templates/dashboard-resourcemap.yaml

@@ -25,8 +25,21 @@ rules:
   resourceNames:
   - {{ $.Release.Name }}-master
   - {{ $.Release.Name }}-filer
-  - {{ $.Release.Name }}-volume
   - {{ $.Release.Name }}-db
+  - {{ $.Release.Name }}-s3
+  {{- if eq .Values.topology "Simple" }}
+  - {{ $.Release.Name }}-volume
+  {{- range $poolName, $pool := .Values.volume.pools }}
+  - {{ $.Release.Name }}-volume-{{ $poolName }}
+  {{- end }}
+  {{- else if eq .Values.topology "MultiZone" }}
+  {{- range $zoneName, $zone := .Values.volume.zones }}
+  - {{ $.Release.Name }}-volume-{{ $zoneName }}
+  {{- range $poolName, $pool := (dig "pools" dict $zone) }}
+  - {{ $.Release.Name }}-volume-{{ $zoneName }}-{{ $poolName }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
   verbs: ["get", "list", "watch"]
 {{- end }}
 

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -16,6 +16,65 @@
 {{-     fail "replicationFactor must be less than or equal to the number of zones defined in .Values.volume.zones." }}
 {{-   end }}
 {{- end }}
+{{- if and (eq .Values.topology "Client") (gt (len .Values.volume.pools) 0) }}
+{{-   fail "volume.pools is not supported with Client topology." }}
+{{- end }}
+{{- if and (eq .Values.topology "MultiZone") (gt (len .Values.volume.pools) 0) }}
+{{-   fail "volume.pools is not supported with MultiZone topology. Use volume.zones[name].pools instead." }}
+{{- end }}
+{{- if and .Values.volume.diskType (not (regexMatch "^[a-z0-9]+$" .Values.volume.diskType)) }}
+{{-   fail (printf "volume.diskType must be lowercase alphanumeric (got: %s)." .Values.volume.diskType) }}
+{{- end }}
+
+{{- /* Collect and validate all pools from volume.pools and zones[].pools */ -}}
+{{- $allPools := dict }}
+{{- range $poolName, $pool := .Values.volume.pools }}
+{{-   if not (regexMatch "^[a-z0-9]([a-z0-9-]*[a-z0-9])?$" $poolName) }}
+{{-     fail (printf "volume.pools key '%s' must be a valid DNS label (lowercase alphanumeric and hyphens, no dots)." $poolName) }}
+{{-   end }}
+{{-   if or (hasSuffix "-worm" $poolName) (hasSuffix "-readonly" $poolName) }}
+{{-     fail (printf "volume.pools key '%s' must not end with '-worm' or '-readonly' (reserved suffixes for COSI resources)." $poolName) }}
+{{-   end }}
+{{-   if not $pool.diskType }}
+{{-     fail (printf "volume.pools.%s.diskType is required." $poolName) }}
+{{-   end }}
+{{-   if not (regexMatch "^[a-z0-9]+$" $pool.diskType) }}
+{{-     fail (printf "volume.pools.%s.diskType must be lowercase alphanumeric (got: %s)." $poolName $pool.diskType) }}
+{{-   end }}
+{{-   if and $.Values.volume.diskType (eq $pool.diskType $.Values.volume.diskType) }}
+{{-     fail (printf "volume.pools.%s.diskType '%s' must differ from volume.diskType." $poolName $pool.diskType) }}
+{{-   end }}
+{{-   $_ := set $allPools $poolName $pool.diskType }}
+{{- end }}
+{{- if eq .Values.topology "MultiZone" }}
+{{-   range $zoneName, $zone := .Values.volume.zones }}
+{{-     range $poolName, $pool := (dig "pools" dict $zone) }}
+{{-       if not (regexMatch "^[a-z0-9]([a-z0-9-]*[a-z0-9])?$" $poolName) }}
+{{-         fail (printf "volume.zones.%s.pools key '%s' must be a valid DNS label." $zoneName $poolName) }}
+{{-       end }}
+{{-       if or (hasSuffix "-worm" $poolName) (hasSuffix "-readonly" $poolName) }}
+{{-         fail (printf "volume.zones.%s.pools key '%s' must not end with '-worm' or '-readonly' (reserved suffixes for COSI resources)." $zoneName $poolName) }}
+{{-       end }}
+{{-       if not $pool.diskType }}
+{{-         fail (printf "volume.zones.%s.pools.%s.diskType is required." $zoneName $poolName) }}
+{{-       end }}
+{{-       if not (regexMatch "^[a-z0-9]+$" $pool.diskType) }}
+{{-         fail (printf "volume.zones.%s.pools.%s.diskType must be lowercase alphanumeric (got: %s)." $zoneName $poolName $pool.diskType) }}
+{{-       end }}
+{{-       if and $.Values.volume.diskType (eq $pool.diskType $.Values.volume.diskType) }}
+{{-         fail (printf "volume.zones.%s.pools.%s.diskType '%s' must differ from volume.diskType." $zoneName $poolName $pool.diskType) }}
+{{-       end }}
+{{-       if and (hasKey $allPools $poolName) (ne (get $allPools $poolName) $pool.diskType) }}
+{{-         fail (printf "Pool '%s' has inconsistent diskType across zones (expected '%s', got '%s' in zone '%s')." $poolName (get $allPools $poolName) $pool.diskType $zoneName) }}
+{{-       end }}
+{{-       $_ := set $allPools $poolName $pool.diskType }}
+{{-       $composedName := printf "%s-%s" $zoneName $poolName }}
+{{-       if hasKey $.Values.volume.zones $composedName }}
+{{-         fail (printf "Composed volume name '%s' (from zone '%s' and pool '%s') collides with an existing zone name." $composedName $zoneName $poolName) }}
+{{-       end }}
+{{-     end }}
+{{-   end }}
+{{- end }}
 
 {{- $detectedTopology := "Unknown" }}
 {{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace (printf "%s-deployed-topology" .Release.Name) }}
@@ -94,30 +153,77 @@ spec:
           storageClass: {{ . }}
           {{- end }}
           maxVolumes: 0
-      {{ if eq .Values.topology "MultiZone" }}
+        {{- if .Values.volume.diskType }}
+        extraArgs:
+        - "-disk={{ .Values.volume.diskType }}"
+        {{- end }}
+      {{- if or (and (eq .Values.topology "Simple") (gt (len .Values.volume.pools) 0)) (eq .Values.topology "MultiZone") }}
       volumes:
-        {{- range $zoneName, $zone := .Values.volume.zones }}
-        {{ $zoneName }}:
-          {{ with $zone.replicas }}
-          replicas: {{ . }}
-          {{- end }}
+        {{- if eq .Values.topology "Simple" }}
+        {{- range $poolName, $pool := .Values.volume.pools }}
+        {{ $poolName }}:
+          replicas: {{ ternary $pool.replicas $.Values.volume.replicas (hasKey $pool "replicas") }}
+          resources: {{- include "cozy-lib.resources.defaultingSanitize" (list ($pool.resourcesPreset | default $.Values.volume.resourcesPreset) (default dict $pool.resources) $) | nindent 12 }}
           dataDirs:
           - name: data1
             type: "persistentVolumeClaim"
-            {{- if $zone.size }}
-            size: "{{ $zone.size }}"
-            {{- else }}
-            size: "{{ $.Values.volume.size }}"
+            size: "{{ $pool.size | default $.Values.volume.size }}"
+            {{- with ($pool.storageClass | default $.Values.volume.storageClass) }}
+            storageClass: "{{ . }}"
             {{- end }}
-            {{- if $zone.storageClass }}
-            storageClass: {{ $zone.storageClass }}
-            {{- else if $.Values.volume.storageClass }}
-            storageClass: {{ $.Values.volume.storageClass }}
+            maxVolumes: 0
+          extraArgs:
+          - "-disk={{ $pool.diskType }}"
+        {{- end }}
+        {{- else if eq .Values.topology "MultiZone" }}
+        {{- range $zoneName, $zone := .Values.volume.zones }}
+        {{ $zoneName }}:
+          replicas: {{ ternary $zone.replicas $.Values.volume.replicas (hasKey $zone "replicas") }}
+          resources: {{- include "cozy-lib.resources.defaultingSanitize" (list $.Values.volume.resourcesPreset $.Values.volume.resources $) | nindent 12 }}
+          dataDirs:
+          - name: data1
+            type: "persistentVolumeClaim"
+            size: "{{ $zone.size | default $.Values.volume.size }}"
+            {{- with ($zone.storageClass | default $.Values.volume.storageClass) }}
+            storageClass: "{{ . }}"
             {{- end }}
             maxVolumes: 0
           nodeSelector: |
+            {{- with $zone.nodeSelector }}
+{{ . | indent 12 }}
+            {{- else }}
             topology.kubernetes.io/zone: {{ $zoneName }}
+            {{- end }}
           dataCenter: {{ $zone.dataCenter | default $zoneName }}
+          {{- if $.Values.volume.diskType }}
+          extraArgs:
+          - "-disk={{ $.Values.volume.diskType }}"
+          {{- end }}
+        {{- end }}
+        {{- range $zoneName, $zone := .Values.volume.zones }}
+        {{- range $poolName, $pool := (dig "pools" dict $zone) }}
+        {{ $zoneName }}-{{ $poolName }}:
+          replicas: {{ ternary $pool.replicas (ternary $zone.replicas $.Values.volume.replicas (hasKey $zone "replicas")) (hasKey $pool "replicas") }}
+          resources: {{- include "cozy-lib.resources.defaultingSanitize" (list ($pool.resourcesPreset | default $.Values.volume.resourcesPreset) (default dict $pool.resources) $) | nindent 12 }}
+          dataDirs:
+          - name: data1
+            type: "persistentVolumeClaim"
+            size: "{{ $pool.size | default $zone.size | default $.Values.volume.size }}"
+            {{- with ($pool.storageClass | default $zone.storageClass | default $.Values.volume.storageClass) }}
+            storageClass: "{{ . }}"
+            {{- end }}
+            maxVolumes: 0
+          nodeSelector: |
+            {{- with $zone.nodeSelector }}
+{{ . | indent 12 }}
+            {{- else }}
+            topology.kubernetes.io/zone: {{ $zoneName }}
+            {{- end }}
+          dataCenter: {{ $zone.dataCenter | default $zoneName }}
+          extraArgs:
+          - "-disk={{ $pool.diskType }}"
+        {{- end }}
+        {{- end }}
         {{- end }}
       {{- end }}
       filer:
@@ -199,6 +305,22 @@ spec:
     app.kubernetes.io/component: volume
     app.kubernetes.io/name: seaweedfs
   version: {{ $.Chart.Version }}
+{{- range $poolName, $pool := .Values.volume.pools }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-volume-{{ $poolName }}
+spec:
+  replicas: {{ ternary $pool.replicas $.Values.volume.replicas (hasKey $pool "replicas") }}
+  minReplicas: 1
+  kind: seaweedfs
+  type: volume
+  selector:
+    app.kubernetes.io/component: volume-{{ $poolName }}
+    app.kubernetes.io/name: seaweedfs
+  version: {{ $.Chart.Version }}
+{{- end }}
 {{- else if eq .Values.topology "MultiZone" }}
 {{- range $zoneName, $zoneSpec := .Values.volume.zones }}
 ---
@@ -207,7 +329,7 @@ kind: WorkloadMonitor
 metadata:
   name: {{ $.Release.Name }}-volume-{{ $zoneName }}
 spec:
-  replicas: {{ default $.Values.volume.replicas $zoneSpec.replicas }}
+  replicas: {{ ternary $zoneSpec.replicas $.Values.volume.replicas (hasKey $zoneSpec "replicas") }}
   minReplicas: 1
   kind: seaweedfs
   type: volume
@@ -215,6 +337,22 @@ spec:
     app.kubernetes.io/component: volume-{{ $zoneName }}
     app.kubernetes.io/name: seaweedfs
   version: {{ $.Chart.Version }}
+{{- range $poolName, $pool := (dig "pools" dict $zoneSpec) }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-volume-{{ $zoneName }}-{{ $poolName }}
+spec:
+  replicas: {{ ternary $pool.replicas (ternary $zoneSpec.replicas $.Values.volume.replicas (hasKey $zoneSpec "replicas")) (hasKey $pool "replicas") }}
+  minReplicas: 1
+  kind: seaweedfs
+  type: volume
+  selector:
+    app.kubernetes.io/component: volume-{{ $zoneName }}-{{ $poolName }}
+    app.kubernetes.io/name: seaweedfs
+  version: {{ $.Chart.Version }}
+{{- end }}
 {{- end }}
 {{- end }}
 ---

packages/extra/seaweedfs/templates/storage-pool-bucket-classes.yaml

@@ -0,0 +1,55 @@
+{{- if ne .Values.topology "Client" }}
+{{- /* Collect unique pools from volume.pools and zones[].pools */ -}}
+{{- $uniquePools := dict }}
+{{- range $poolName, $pool := .Values.volume.pools }}
+{{-   $_ := set $uniquePools $poolName $pool.diskType }}
+{{- end }}
+{{- if eq .Values.topology "MultiZone" }}
+{{-   range $zoneName, $zone := .Values.volume.zones }}
+{{-     range $poolName, $pool := (dig "pools" dict $zone) }}
+{{-       $_ := set $uniquePools $poolName $pool.diskType }}
+{{-     end }}
+{{-   end }}
+{{- end }}
+{{- range $poolName, $diskType := $uniquePools }}
+---
+kind: BucketClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ $.Release.Namespace }}-{{ $poolName }}
+driverName: {{ $.Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+deletionPolicy: Delete
+parameters:
+  disk: {{ $diskType }}
+---
+kind: BucketClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ $.Release.Namespace }}-{{ $poolName }}-worm
+driverName: {{ $.Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+deletionPolicy: Retain
+parameters:
+  disk: {{ $diskType }}
+  objectLockEnabled: "true"
+  objectLockRetentionMode: COMPLIANCE
+  objectLockRetentionDays: "36500"
+---
+kind: BucketAccessClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ $.Release.Namespace }}-{{ $poolName }}
+driverName: {{ $.Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+authenticationType: KEY
+parameters:
+  accessPolicy: readwrite
+---
+kind: BucketAccessClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ $.Release.Namespace }}-{{ $poolName }}-readonly
+driverName: {{ $.Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+authenticationType: KEY
+parameters:
+  accessPolicy: readonly
+{{- end }}
+{{- end }}

packages/extra/seaweedfs/values.schema.json

@@ -300,6 +300,94 @@
       "type": "object",
       "default": {},
       "properties": {
+        "diskType": {
+          "description": "SeaweedFS disk type tag for the default volume servers (e.g., \"hdd\", \"ssd\").",
+          "type": "string",
+          "default": ""
+        },
+        "pools": {
+          "description": "A map of storage pools. Each pool creates a separate Volume StatefulSet with its own disk type.",
+          "type": "object",
+          "default": {},
+          "additionalProperties": {
+            "type": "object",
+            "required": [
+              "diskType"
+            ],
+            "properties": {
+              "diskType": {
+                "description": "SeaweedFS disk type tag (e.g., \"ssd\", \"hdd\", \"nvme\").",
+                "type": "string"
+              },
+              "replicas": {
+                "description": "Number of volume replicas. Defaults to volume.replicas (Simple) or zone.replicas/volume.replicas (MultiZone).",
+                "type": "integer"
+              },
+              "resources": {
+                "description": "Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.",
+                "type": "object",
+                "properties": {
+                  "cpu": {
+                    "description": "Number of CPU cores allocated.",
+                    "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                    "anyOf": [
+                      {
+                        "type": "integer"
+                      },
+                      {
+                        "type": "string"
+                      }
+                    ],
+                    "x-kubernetes-int-or-string": true
+                  },
+                  "memory": {
+                    "description": "Amount of memory allocated.",
+                    "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                    "anyOf": [
+                      {
+                        "type": "integer"
+                      },
+                      {
+                        "type": "string"
+                      }
+                    ],
+                    "x-kubernetes-int-or-string": true
+                  }
+                }
+              },
+              "resourcesPreset": {
+                "description": "Default sizing preset used when `resources` is omitted. Defaults to volume.resourcesPreset.",
+                "type": "string",
+                "enum": [
+                  "nano",
+                  "micro",
+                  "small",
+                  "medium",
+                  "large",
+                  "xlarge",
+                  "2xlarge"
+                ]
+              },
+              "size": {
+                "description": "Persistent Volume size. Defaults to volume.size (Simple) or zone.size/volume.size (MultiZone).",
+                "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                "anyOf": [
+                  {
+                    "type": "integer"
+                  },
+                  {
+                    "type": "string"
+                  }
+                ],
+                "x-kubernetes-int-or-string": true
+              },
+              "storageClass": {
+                "description": "Kubernetes StorageClass for the pool. Defaults to volume.storageClass.",
+                "type": "string"
+              }
+            }
+          }
+        },
         "replicas": {
           "description": "Number of volume replicas.",
           "type": "integer",
@@ -378,6 +466,96 @@
           "additionalProperties": {
             "type": "object",
             "properties": {
+              "dataCenter": {
+                "description": "SeaweedFS data center name for this zone. Defaults to the zone name.",
+                "type": "string"
+              },
+              "nodeSelector": {
+                "description": "YAML nodeSelector for this zone (default: topology.kubernetes.io/zone: \u003czoneName\u003e).",
+                "type": "string"
+              },
+              "pools": {
+                "description": "A map of storage pools for this zone. Each pool creates a separate Volume StatefulSet per zone.",
+                "type": "object",
+                "additionalProperties": {
+                  "type": "object",
+                  "required": [
+                    "diskType"
+                  ],
+                  "properties": {
+                    "diskType": {
+                      "description": "SeaweedFS disk type tag (e.g., \"ssd\", \"hdd\", \"nvme\").",
+                      "type": "string"
+                    },
+                    "replicas": {
+                      "description": "Number of volume replicas. Defaults to volume.replicas (Simple) or zone.replicas/volume.replicas (MultiZone).",
+                      "type": "integer"
+                    },
+                    "resources": {
+                      "description": "Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.",
+                      "type": "object",
+                      "properties": {
+                        "cpu": {
+                          "description": "Number of CPU cores allocated.",
+                          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                          "anyOf": [
+                            {
+                              "type": "integer"
+                            },
+                            {
+                              "type": "string"
+                            }
+                          ],
+                          "x-kubernetes-int-or-string": true
+                        },
+                        "memory": {
+                          "description": "Amount of memory allocated.",
+                          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                          "anyOf": [
+                            {
+                              "type": "integer"
+                            },
+                            {
+                              "type": "string"
+                            }
+                          ],
+                          "x-kubernetes-int-or-string": true
+                        }
+                      }
+                    },
+                    "resourcesPreset": {
+                      "description": "Default sizing preset used when `resources` is omitted. Defaults to volume.resourcesPreset.",
+                      "type": "string",
+                      "enum": [
+                        "nano",
+                        "micro",
+                        "small",
+                        "medium",
+                        "large",
+                        "xlarge",
+                        "2xlarge"
+                      ]
+                    },
+                    "size": {
+                      "description": "Persistent Volume size. Defaults to volume.size (Simple) or zone.size/volume.size (MultiZone).",
+                      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                      "anyOf": [
+                        {
+                          "type": "integer"
+                        },
+                        {
+                          "type": "string"
+                        }
+                      ],
+                      "x-kubernetes-int-or-string": true
+                    },
+                    "storageClass": {
+                      "description": "Kubernetes StorageClass for the pool. Defaults to volume.storageClass.",
+                      "type": "string"
+                    }
+                  }
+                }
+              },
               "replicas": {
                 "description": "Number of replicas in the zone.",
                 "type": "integer"
@@ -394,6 +572,10 @@
                   }
                 ],
                 "x-kubernetes-int-or-string": true
+              },
+              "storageClass": {
+                "description": "StorageClass used to store zone data. Defaults to volume.storageClass.",
+                "type": "string"
               }
             }
           }

packages/extra/seaweedfs/values.yaml

@@ -76,26 +76,49 @@ filer:
   grpcPort: 443
   whitelist: []
 
+## @typedef {struct} StoragePool - Storage pool configuration for separating buckets by disk type.
+## @field {string} diskType - SeaweedFS disk type tag (e.g., "ssd", "hdd", "nvme").
+## @field {int} [replicas] - Number of volume replicas. Defaults to volume.replicas (Simple) or zone.replicas/volume.replicas (MultiZone).
+## @field {quantity} [size] - Persistent Volume size. Defaults to volume.size (Simple) or zone.size/volume.size (MultiZone).
+## @field {string} [storageClass] - Kubernetes StorageClass for the pool. Defaults to volume.storageClass.
+## @field {Resources} [resources] - Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+## @field {ResourcesPreset} [resourcesPreset] - Default sizing preset used when `resources` is omitted. Defaults to volume.resourcesPreset.
+
 ## @typedef {struct} Zone - Zone configuration.
 ## @field {int} [replicas] - Number of replicas in the zone.
 ## @field {quantity} [size] - Zone storage size.
+## @field {string} [dataCenter] - SeaweedFS data center name for this zone. Defaults to the zone name.
+## @field {string} [nodeSelector] - YAML nodeSelector for this zone (default: topology.kubernetes.io/zone: <zoneName>).
+## @field {string} [storageClass] - StorageClass used to store zone data. Defaults to volume.storageClass.
+## @field {map[string]StoragePool} [pools] - A map of storage pools for this zone. Each pool creates a separate Volume StatefulSet per zone.
+## NOTE: Zone-level resources/resourcesPreset are inherited from volume.* settings. Pools within a zone can define their own resources.
 
 ## @typedef {struct} Volume - Volume service configuration.
 ## @field {int} [replicas] - Number of volume replicas.
 ## @field {quantity} [size] - Persistent Volume size.
 ## @field {string} [storageClass] - StorageClass used to store the data.
+## @field {string} [diskType] - SeaweedFS disk type tag for the default volume servers (e.g., "hdd", "ssd").
 ## @field {Resources} [resources] - Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
 ## @field {ResourcesPreset} [resourcesPreset] - Default sizing preset used when `resources` is omitted.
 ## @field {map[string]Zone} [zones] - A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.
+## @field {map[string]StoragePool} [pools] - A map of storage pools. Each pool creates a separate Volume StatefulSet with its own disk type.
 
 ## @param {Volume} [volume] - Volume service configuration.
 volume:
   replicas: 2
   size: 10Gi
   storageClass: ""
+  diskType: ""
   resources: {}
   resourcesPreset: "small"
   zones: {}
+  pools: {}
+  #pools:
+  #  fast:
+  #    diskType: ssd
+  #    replicas: 2
+  #    size: 50Gi
+  #    storageClass: "local-nvme"
 
 ## @typedef {struct} S3 - S3 service configuration.
 ## @field {int} [replicas] - Number of S3 replicas.

packages/system/backup-controller/values.yaml

@@ -1,5 +1,5 @@
 backupController:
-  image: "ghcr.io/cozystack/cozystack/backup-controller:v1.0.0-rc.1@sha256:0bb4173bdcd3d917a7bd358ecc2c6a053a06ab0bd1fcdb89d1016a66173e6dfb"
+  image: "ghcr.io/cozystack/cozystack/backup-controller:v1.0.0@sha256:e1a6c8ac7ba64442812464b59c53e782e373a339c18b379c2692921b44c6edb5"
   replicas: 2
   debug: false
   metrics:

packages/system/backupstrategy-controller/values.yaml

@@ -1,5 +1,5 @@
 backupStrategyController:
-  image: "ghcr.io/cozystack/cozystack/backupstrategy-controller:v1.0.0-rc.1@sha256:c2d975574ea9edcd785b533e01add37909959a64ef815529162dfe1f472ea702"
+  image: "ghcr.io/cozystack/cozystack/backupstrategy-controller:v1.0.0@sha256:29735d945c69c6bbaab21068bf4ea30f6b63f4c71a7a8d95590f370abcb4b328"
   replicas: 2
   debug: false
   metrics:

packages/system/bucket-rd/cozyrds/bucket.yaml

@@ -33,6 +33,7 @@ spec:
       - resourceNames:
           - bucket-{{ .name }}
           - bucket-{{ .name }}-credentials
+          - bucket-{{ .name }}-readonly
   ingresses:
     exclude: []
     include:

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:291427de7db54a1d19dc9c2c807bdcc664a14caa9538786f31317e8c01a4a008
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:279008f87460d709e99ed25ee8a1e4568a290bb9afa0e3dd3a06d524163a132b

packages/system/cert-manager-crds/Makefile

@@ -1,8 +1,5 @@
+export NAME=cert-manager-crds
+export NAMESPACE=cozy-cert-manager
+
 include ../../../hack/package.mk
 
-update:
-	rm -rf charts
-	helm repo add jetstack https://charts.jetstack.io
-	helm repo update jetstack
-	helm pull jetstack/cert-manager --untar --untardir charts
-	rm -f -- `find charts/cert-manager/templates -maxdepth 1 -mindepth 1 | grep -v 'crds.yaml\|_helpers.tpl'`

packages/system/cert-manager-crds/charts/cert-manager/Chart.yaml

@@ -1,26 +0,0 @@
-annotations:
-  artifacthub.io/category: security
-  artifacthub.io/license: Apache-2.0
-  artifacthub.io/prerelease: "false"
-  artifacthub.io/signKey: |
-    fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
-    url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
-apiVersion: v2
-appVersion: v1.16.3
-description: A Helm chart for cert-manager
-home: https://cert-manager.io
-icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
-keywords:
-- cert-manager
-- kube-lego
-- letsencrypt
-- tls
-kubeVersion: '>= 1.22.0-0'
-maintainers:
-- email: cert-manager-maintainers@googlegroups.com
-  name: cert-manager-maintainers
-  url: https://cert-manager.io
-name: cert-manager
-sources:
-- https://github.com/cert-manager/cert-manager
-version: v1.16.3

packages/system/cert-manager-crds/templates/_helpers.tpl

@@ -187,6 +187,17 @@ See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linke
 {{- end }}
 {{- end }}
 
+{{/*
+Labels for the CRD resources.
+*/}}
+{{- define "cert-manager.crd-labels" -}}
+app: "{{ template "cert-manager.name" . }}"
+app.kubernetes.io/name: "{{ template "cert-manager.name" . }}"
+app.kubernetes.io/instance: "{{ .Release.Name }}"
+app.kubernetes.io/component: "crds"
+{{ include "labels" . }}
+{{- end -}}
+
 {{/*
 Check that the user has not set both .installCRDs and .crds.enabled or
 set .installCRDs and disabled .crds.keep.

packages/system/cert-manager-crds/templates/crd-acme.cert-manager.io_orders.yaml

@@ -0,0 +1,274 @@
+{{- if or .Values.crds.enabled .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: "orders.acme.cert-manager.io"
+  {{- if .Values.crds.keep }}
+  annotations:
+    helm.sh/resource-policy: keep
+  {{- end }}
+  labels:
+    {{- include "cert-manager.crd-labels" . | nindent 4 }}
+spec:
+  group: acme.cert-manager.io
+  names:
+    categories:
+      - cert-manager
+      - cert-manager-acme
+    kind: Order
+    listKind: OrderList
+    plural: orders
+    singular: order
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .status.state
+          name: State
+          type: string
+        - jsonPath: .spec.issuerRef.name
+          name: Issuer
+          priority: 1
+          type: string
+        - jsonPath: .status.reason
+          name: Reason
+          priority: 1
+          type: string
+        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+          jsonPath: .metadata.creationTimestamp
+          name: Age
+          type: date
+      name: v1
+      schema:
+        openAPIV3Schema:
+          description: Order is a type to represent an Order with an ACME server
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              properties:
+                commonName:
+                  description: |-
+                    CommonName is the common name as specified on the DER encoded CSR.
+                    If specified, this value must also be present in `dnsNames` or `ipAddresses`.
+                    This field must match the corresponding field on the DER encoded CSR.
+                  type: string
+                dnsNames:
+                  description: |-
+                    DNSNames is a list of DNS names that should be included as part of the Order
+                    validation process.
+                    This field must match the corresponding field on the DER encoded CSR.
+                  items:
+                    type: string
+                  type: array
+                  x-kubernetes-list-type: atomic
+                duration:
+                  description: |-
+                    Duration is the duration for the not after date for the requested certificate.
+                    this is set on order creation as pe the ACME spec.
+                  type: string
+                ipAddresses:
+                  description: |-
+                    IPAddresses is a list of IP addresses that should be included as part of the Order
+                    validation process.
+                    This field must match the corresponding field on the DER encoded CSR.
+                  items:
+                    type: string
+                  type: array
+                  x-kubernetes-list-type: atomic
+                issuerRef:
+                  description: |-
+                    IssuerRef references a properly configured ACME-type Issuer which should
+                    be used to create this Order.
+                    If the Issuer does not exist, processing will be retried.
+                    If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+                    Order will be marked as failed.
+                  properties:
+                    group:
+                      description: |-
+                        Group of the issuer being referred to.
+                        Defaults to 'cert-manager.io'.
+                      type: string
+                    kind:
+                      description: |-
+                        Kind of the issuer being referred to.
+                        Defaults to 'Issuer'.
+                      type: string
+                    name:
+                      description: Name of the issuer being referred to.
+                      type: string
+                  required:
+                    - name
+                  type: object
+                profile:
+                  description: |-
+                    Profile allows requesting a certificate profile from the ACME server.
+                    Supported profiles are listed by the server's ACME directory URL.
+                  type: string
+                request:
+                  description: |-
+                    Certificate signing request bytes in DER encoding.
+                    This will be used when finalizing the order.
+                    This field must be set on the order.
+                  format: byte
+                  type: string
+              required:
+                - issuerRef
+                - request
+              type: object
+            status:
+              properties:
+                authorizations:
+                  description: |-
+                    Authorizations contains data returned from the ACME server on what
+                    authorizations must be completed in order to validate the DNS names
+                    specified on the Order.
+                  items:
+                    description: |-
+                      ACMEAuthorization contains data returned from the ACME server on an
+                      authorization that must be completed in order validate a DNS name on an ACME
+                      Order resource.
+                    properties:
+                      challenges:
+                        description: |-
+                          Challenges specifies the challenge types offered by the ACME server.
+                          One of these challenge types will be selected when validating the DNS
+                          name and an appropriate Challenge resource will be created to perform
+                          the ACME challenge process.
+                        items:
+                          description: |-
+                            Challenge specifies a challenge offered by the ACME server for an Order.
+                            An appropriate Challenge resource can be created to perform the ACME
+                            challenge process.
+                          properties:
+                            token:
+                              description: |-
+                                Token is the token that must be presented for this challenge.
+                                This is used to compute the 'key' that must also be presented.
+                              type: string
+                            type:
+                              description: |-
+                                Type is the type of challenge being offered, e.g., 'http-01', 'dns-01',
+                                'tls-sni-01', etc.
+                                This is the raw value retrieved from the ACME server.
+                                Only 'http-01' and 'dns-01' are supported by cert-manager, other values
+                                will be ignored.
+                              type: string
+                            url:
+                              description: |-
+                                URL is the URL of this challenge. It can be used to retrieve additional
+                                metadata about the Challenge from the ACME server.
+                              type: string
+                          required:
+                            - token
+                            - type
+                            - url
+                          type: object
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      identifier:
+                        description: Identifier is the DNS name to be validated as part of this authorization
+                        type: string
+                      initialState:
+                        description: |-
+                          InitialState is the initial state of the ACME authorization when first
+                          fetched from the ACME server.
+                          If an Authorization is already 'valid', the Order controller will not
+                          create a Challenge resource for the authorization. This will occur when
+                          working with an ACME server that enables 'authz reuse' (such as Let's
+                          Encrypt's production endpoint).
+                          If not set and 'identifier' is set, the state is assumed to be pending
+                          and a Challenge will be created.
+                        enum:
+                          - valid
+                          - ready
+                          - pending
+                          - processing
+                          - invalid
+                          - expired
+                          - errored
+                        type: string
+                      url:
+                        description: URL is the URL of the Authorization that must be completed
+                        type: string
+                      wildcard:
+                        description: |-
+                          Wildcard will be true if this authorization is for a wildcard DNS name.
+                          If this is true, the identifier will be the *non-wildcard* version of
+                          the DNS name.
+                          For example, if '*.example.com' is the DNS name being validated, this
+                          field will be 'true' and the 'identifier' field will be 'example.com'.
+                        type: boolean
+                    required:
+                      - url
+                    type: object
+                  type: array
+                  x-kubernetes-list-type: atomic
+                certificate:
+                  description: |-
+                    Certificate is a copy of the PEM encoded certificate for this Order.
+                    This field will be populated after the order has been successfully
+                    finalized with the ACME server, and the order has transitioned to the
+                    'valid' state.
+                  format: byte
+                  type: string
+                failureTime:
+                  description: |-
+                    FailureTime stores the time that this order failed.
+                    This is used to influence garbage collection and back-off.
+                  format: date-time
+                  type: string
+                finalizeURL:
+                  description: |-
+                    FinalizeURL of the Order.
+                    This is used to obtain certificates for this order once it has been completed.
+                  type: string
+                reason:
+                  description: |-
+                    Reason optionally provides more information about a why the order is in
+                    the current state.
+                  type: string
+                state:
+                  description: |-
+                    State contains the current state of this Order resource.
+                    States 'success' and 'expired' are 'final'
+                  enum:
+                    - valid
+                    - ready
+                    - pending
+                    - processing
+                    - invalid
+                    - expired
+                    - errored
+                  type: string
+                url:
+                  description: |-
+                    URL of the Order.
+                    This will initially be empty when the resource is first created.
+                    The Order controller will populate this field when the Order is first processed.
+                    This field will be immutable after it is initially set.
+                  type: string
+              type: object
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+{{- end }}

packages/system/cert-manager-crds/templates/crd-cert-manager.io_certificaterequests.yaml

@@ -0,0 +1,319 @@
+{{- if or .Values.crds.enabled .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: "certificaterequests.cert-manager.io"
+  {{- if .Values.crds.keep }}
+  annotations:
+    helm.sh/resource-policy: keep
+  {{- end }}
+  labels:
+    {{- include "cert-manager.crd-labels" . | nindent 4 }}
+spec:
+  group: cert-manager.io
+  names:
+    categories:
+      - cert-manager
+    kind: CertificateRequest
+    listKind: CertificateRequestList
+    plural: certificaterequests
+    shortNames:
+      - cr
+      - crs
+    singular: certificaterequest
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .status.conditions[?(@.type == "Approved")].status
+          name: Approved
+          type: string
+        - jsonPath: .status.conditions[?(@.type == "Denied")].status
+          name: Denied
+          type: string
+        - jsonPath: .status.conditions[?(@.type == "Ready")].status
+          name: Ready
+          type: string
+        - jsonPath: .spec.issuerRef.name
+          name: Issuer
+          type: string
+        - jsonPath: .spec.username
+          name: Requester
+          type: string
+        - jsonPath: .status.conditions[?(@.type == "Ready")].message
+          name: Status
+          priority: 1
+          type: string
+        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+          jsonPath: .metadata.creationTimestamp
+          name: Age
+          type: date
+      name: v1
+      schema:
+        openAPIV3Schema:
+          description: |-
+            A CertificateRequest is used to request a signed certificate from one of the
+            configured issuers.
+
+            All fields within the CertificateRequest's `spec` are immutable after creation.
+            A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+            condition and its `status.failureTime` field.
+
+            A CertificateRequest is a one-shot resource, meaning it represents a single
+            point in time request for a certificate and cannot be re-used.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: |-
+                Specification of the desired state of the CertificateRequest resource.
+                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+              properties:
+                duration:
+                  description: |-
+                    Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+                    issuer may choose to ignore the requested duration, just like any other
+                    requested attribute.
+                  type: string
+                extra:
+                  additionalProperties:
+                    items:
+                      type: string
+                    type: array
+                  description: |-
+                    Extra contains extra attributes of the user that created the CertificateRequest.
+                    Populated by the cert-manager webhook on creation and immutable.
+                  type: object
+                groups:
+                  description: |-
+                    Groups contains group membership of the user that created the CertificateRequest.
+                    Populated by the cert-manager webhook on creation and immutable.
+                  items:
+                    type: string
+                  type: array
+                  x-kubernetes-list-type: atomic
+                isCA:
+                  description: |-
+                    Requested basic constraints isCA value. Note that the issuer may choose
+                    to ignore the requested isCA value, just like any other requested attribute.
+
+                    NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
+                    it must have the same isCA value as specified here.
+
+                    If true, this will automatically add the `cert sign` usage to the list
+                    of requested `usages`.
+                  type: boolean
+                issuerRef:
+                  description: |-
+                    Reference to the issuer responsible for issuing the certificate.
+                    If the issuer is namespace-scoped, it must be in the same namespace
+                    as the Certificate. If the issuer is cluster-scoped, it can be used
+                    from any namespace.
+
+                    The `name` field of the reference must always be specified.
+                  properties:
+                    group:
+                      description: |-
+                        Group of the issuer being referred to.
+                        Defaults to 'cert-manager.io'.
+                      type: string
+                    kind:
+                      description: |-
+                        Kind of the issuer being referred to.
+                        Defaults to 'Issuer'.
+                      type: string
+                    name:
+                      description: Name of the issuer being referred to.
+                      type: string
+                  required:
+                    - name
+                  type: object
+                request:
+                  description: |-
+                    The PEM-encoded X.509 certificate signing request to be submitted to the
+                    issuer for signing.
+
+                    If the CSR has a BasicConstraints extension, its isCA attribute must
+                    match the `isCA` value of this CertificateRequest.
+                    If the CSR has a KeyUsage extension, its key usages must match the
+                    key usages in the `usages` field of this CertificateRequest.
+                    If the CSR has a ExtKeyUsage extension, its extended key usages
+                    must match the extended key usages in the `usages` field of this
+                    CertificateRequest.
+                  format: byte
+                  type: string
+                uid:
+                  description: |-
+                    UID contains the uid of the user that created the CertificateRequest.
+                    Populated by the cert-manager webhook on creation and immutable.
+                  type: string
+                usages:
+                  description: |-
+                    Requested key usages and extended key usages.
+
+                    NOTE: If the CSR in the `Request` field has uses the KeyUsage or
+                    ExtKeyUsage extension, these extensions must have the same values
+                    as specified here without any additional values.
+
+                    If unset, defaults to `digital signature` and `key encipherment`.
+                  items:
+                    description: |-
+                      KeyUsage specifies valid usage contexts for keys.
+                      See:
+                      https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+                      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+
+                      Valid KeyUsage values are as follows:
+                      "signing",
+                      "digital signature",
+                      "content commitment",
+                      "key encipherment",
+                      "key agreement",
+                      "data encipherment",
+                      "cert sign",
+                      "crl sign",
+                      "encipher only",
+                      "decipher only",
+                      "any",
+                      "server auth",
+                      "client auth",
+                      "code signing",
+                      "email protection",
+                      "s/mime",
+                      "ipsec end system",
+                      "ipsec tunnel",
+                      "ipsec user",
+                      "timestamping",
+                      "ocsp signing",
+                      "microsoft sgc",
+                      "netscape sgc"
+                    enum:
+                      - signing
+                      - digital signature
+                      - content commitment
+                      - key encipherment
+                      - key agreement
+                      - data encipherment
+                      - cert sign
+                      - crl sign
+                      - encipher only
+                      - decipher only
+                      - any
+                      - server auth
+                      - client auth
+                      - code signing
+                      - email protection
+                      - s/mime
+                      - ipsec end system
+                      - ipsec tunnel
+                      - ipsec user
+                      - timestamping
+                      - ocsp signing
+                      - microsoft sgc
+                      - netscape sgc
+                    type: string
+                  type: array
+                  x-kubernetes-list-type: atomic
+                username:
+                  description: |-
+                    Username contains the name of the user that created the CertificateRequest.
+                    Populated by the cert-manager webhook on creation and immutable.
+                  type: string
+              required:
+                - issuerRef
+                - request
+              type: object
+            status:
+              description: |-
+                Status of the CertificateRequest.
+                This is set and managed automatically.
+                Read-only.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+              properties:
+                ca:
+                  description: |-
+                    The PEM encoded X.509 certificate of the signer, also known as the CA
+                    (Certificate Authority).
+                    This is set on a best-effort basis by different issuers.
+                    If not set, the CA is assumed to be unknown/not available.
+                  format: byte
+                  type: string
+                certificate:
+                  description: |-
+                    The PEM encoded X.509 certificate resulting from the certificate
+                    signing request.
+                    If not set, the CertificateRequest has either not been completed or has
+                    failed. More information on failure can be found by checking the
+                    `conditions` field.
+                  format: byte
+                  type: string
+                conditions:
+                  description: |-
+                    List of status conditions to indicate the status of a CertificateRequest.
+                    Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
+                  items:
+                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
+                    properties:
+                      lastTransitionTime:
+                        description: |-
+                          LastTransitionTime is the timestamp corresponding to the last status
+                          change of this condition.
+                        format: date-time
+                        type: string
+                      message:
+                        description: |-
+                          Message is a human readable description of the details of the last
+                          transition, complementing reason.
+                        type: string
+                      reason:
+                        description: |-
+                          Reason is a brief machine readable explanation for the condition's last
+                          transition.
+                        type: string
+                      status:
+                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
+                        enum:
+                          - "True"
+                          - "False"
+                          - Unknown
+                        type: string
+                      type:
+                        description: |-
+                          Type of the condition, known values are (`Ready`, `InvalidRequest`,
+                          `Approved`, `Denied`).
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+                  x-kubernetes-list-map-keys:
+                    - type
+                  x-kubernetes-list-type: map
+                failureTime:
+                  description: |-
+                    FailureTime stores the time that this CertificateRequest failed. This is
+                    used to influence garbage collection and back-off.
+                  format: date-time
+                  type: string
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+{{- end }}

packages/system/cert-manager-crds/templates/crd-cert-manager.io_certificates.yaml

@@ -0,0 +1,816 @@
+{{- if or .Values.crds.enabled .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: "certificates.cert-manager.io"
+  {{- if .Values.crds.keep }}
+  annotations:
+    helm.sh/resource-policy: keep
+  {{- end }}
+  labels:
+    {{- include "cert-manager.crd-labels" . | nindent 4 }}
+spec:
+  group: cert-manager.io
+  names:
+    categories:
+      - cert-manager
+    kind: Certificate
+    listKind: CertificateList
+    plural: certificates
+    shortNames:
+      - cert
+      - certs
+    singular: certificate
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .status.conditions[?(@.type == "Ready")].status
+          name: Ready
+          type: string
+        - jsonPath: .spec.secretName
+          name: Secret
+          type: string
+        - jsonPath: .spec.issuerRef.name
+          name: Issuer
+          priority: 1
+          type: string
+        - jsonPath: .status.conditions[?(@.type == "Ready")].message
+          name: Status
+          priority: 1
+          type: string
+        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+          jsonPath: .metadata.creationTimestamp
+          name: Age
+          type: date
+      name: v1
+      schema:
+        openAPIV3Schema:
+          description: |-
+            A Certificate resource should be created to ensure an up to date and signed
+            X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+
+            The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: |-
+                Specification of the desired state of the Certificate resource.
+                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+              properties:
+                additionalOutputFormats:
+                  description: |-
+                    Defines extra output formats of the private key and signed certificate chain
+                    to be written to this Certificate's target Secret.
+                  items:
+                    description: |-
+                      CertificateAdditionalOutputFormat defines an additional output format of a
+                      Certificate resource. These contain supplementary data formats of the signed
+                      certificate chain and paired private key.
+                    properties:
+                      type:
+                        description: |-
+                          Type is the name of the format type that should be written to the
+                          Certificate's target Secret.
+                        enum:
+                          - DER
+                          - CombinedPEM
+                        type: string
+                    required:
+                      - type
+                    type: object
+                  type: array
+                  x-kubernetes-list-type: atomic
+                commonName:
+                  description: |-
+                    Requested common name X509 certificate subject attribute.
+                    More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+                    NOTE: TLS clients will ignore this value when any subject alternative name is
+                    set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
+
+                    Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
+                    Cannot be set if the `literalSubject` field is set.
+                  type: string
+                dnsNames:
+                  description: Requested DNS subject alternative names.
+                  items:
+                    type: string
+                  type: array
+                  x-kubernetes-list-type: atomic
+                duration:
+                  description: |-
+                    Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+                    issuer may choose to ignore the requested duration, just like any other
+                    requested attribute.
+
+                    If unset, this defaults to 90 days.
+                    Minimum accepted duration is 1 hour.
+                    Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+                  type: string
+                emailAddresses:
+                  description: Requested email subject alternative names.
+                  items:
+                    type: string
+                  type: array
+                  x-kubernetes-list-type: atomic
+                encodeUsagesInRequest:
+                  description: |-
+                    Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
+
+                    This option defaults to true, and should only be disabled if the target
+                    issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
+                  type: boolean
+                ipAddresses:
+                  description: Requested IP address subject alternative names.
+                  items:
+                    type: string
+                  type: array
+                  x-kubernetes-list-type: atomic
+                isCA:
+                  description: |-
+                    Requested basic constraints isCA value.
+                    The isCA value is used to set the `isCA` field on the created CertificateRequest
+                    resources. Note that the issuer may choose to ignore the requested isCA value, just
+                    like any other requested attribute.
+
+                    If true, this will automatically add the `cert sign` usage to the list
+                    of requested `usages`.
+                  type: boolean
+                issuerRef:
+                  description: |-
+                    Reference to the issuer responsible for issuing the certificate.
+                    If the issuer is namespace-scoped, it must be in the same namespace
+                    as the Certificate. If the issuer is cluster-scoped, it can be used
+                    from any namespace.
+
+                    The `name` field of the reference must always be specified.
+                  properties:
+                    group:
+                      description: |-
+                        Group of the issuer being referred to.
+                        Defaults to 'cert-manager.io'.
+                      type: string
+                    kind:
+                      description: |-
+                        Kind of the issuer being referred to.
+                        Defaults to 'Issuer'.
+                      type: string
+                    name:
+                      description: Name of the issuer being referred to.
+                      type: string
+                  required:
+                    - name
+                  type: object
+                keystores:
+                  description: Additional keystore output formats to be stored in the Certificate's Secret.
+                  properties:
+                    jks:
+                      description: |-
+                        JKS configures options for storing a JKS keystore in the
+                        `spec.secretName` Secret resource.
+                      properties:
+                        alias:
+                          description: |-
+                            Alias specifies the alias of the key in the keystore, required by the JKS format.
+                            If not provided, the default alias `certificate` will be used.
+                          type: string
+                        create:
+                          description: |-
+                            Create enables JKS keystore creation for the Certificate.
+                            If true, a file named `keystore.jks` will be created in the target
+                            Secret resource, encrypted using the password stored in
+                            `passwordSecretRef` or `password`.
+                            The keystore file will be updated immediately.
+                            If the issuer provided a CA certificate, a file named `truststore.jks`
+                            will also be created in the target Secret resource, encrypted using the
+                            password stored in `passwordSecretRef`
+                            containing the issuing Certificate Authority
+                          type: boolean
+                        password:
+                          description: |-
+                            Password provides a literal password used to encrypt the JKS keystore.
+                            Mutually exclusive with passwordSecretRef.
+                            One of password or passwordSecretRef must provide a password with a non-zero length.
+                          type: string
+                        passwordSecretRef:
+                          description: |-
+                            PasswordSecretRef is a reference to a non-empty key in a Secret resource
+                            containing the password used to encrypt the JKS keystore.
+                            Mutually exclusive with password.
+                            One of password or passwordSecretRef must provide a password with a non-zero length.
+                          properties:
+                            key:
+                              description: |-
+                                The key of the entry in the Secret resource's `data` field to be used.
+                                Some instances of this field may be defaulted, in others it may be
+                                required.
+                              type: string
+                            name:
+                              description: |-
+                                Name of the resource being referred to.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          required:
+                            - name
+                          type: object
+                      required:
+                        - create
+                      type: object
+                    pkcs12:
+                      description: |-
+                        PKCS12 configures options for storing a PKCS12 keystore in the
+                        `spec.secretName` Secret resource.
+                      properties:
+                        create:
+                          description: |-
+                            Create enables PKCS12 keystore creation for the Certificate.
+                            If true, a file named `keystore.p12` will be created in the target
+                            Secret resource, encrypted using the password stored in
+                            `passwordSecretRef` or in `password`.
+                            The keystore file will be updated immediately.
+                            If the issuer provided a CA certificate, a file named `truststore.p12` will
+                            also be created in the target Secret resource, encrypted using the
+                            password stored in `passwordSecretRef` containing the issuing Certificate
+                            Authority
+                          type: boolean
+                        password:
+                          description: |-
+                            Password provides a literal password used to encrypt the PKCS#12 keystore.
+                            Mutually exclusive with passwordSecretRef.
+                            One of password or passwordSecretRef must provide a password with a non-zero length.
+                          type: string
+                        passwordSecretRef:
+                          description: |-
+                            PasswordSecretRef is a reference to a non-empty key in a Secret resource
+                            containing the password used to encrypt the PKCS#12 keystore.
+                            Mutually exclusive with password.
+                            One of password or passwordSecretRef must provide a password with a non-zero length.
+                          properties:
+                            key:
+                              description: |-
+                                The key of the entry in the Secret resource's `data` field to be used.
+                                Some instances of this field may be defaulted, in others it may be
+                                required.
+                              type: string
+                            name:
+                              description: |-
+                                Name of the resource being referred to.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          required:
+                            - name
+                          type: object
+                        profile:
+                          description: |-
+                            Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
+                            used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
+
+                            If provided, allowed values are:
+                            `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+                            `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+                            `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+                            (e.g., because of company policy). Please note that the security of the algorithm is not that important
+                            in reality, because the unencrypted certificate and private key are also stored in the Secret.
+                          enum:
+                            - LegacyRC2
+                            - LegacyDES
+                            - Modern2023
+                          type: string
+                      required:
+                        - create
+                      type: object
+                  type: object
+                literalSubject:
+                  description: |-
+                    Requested X.509 certificate subject, represented using the LDAP "String
+                    Representation of a Distinguished Name" [1].
+                    Important: the LDAP string format also specifies the order of the attributes
+                    in the subject, this is important when issuing certs for LDAP authentication.
+                    Example: `CN=foo,DC=corp,DC=example,DC=com`
+                    More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
+                    More info: https://github.com/cert-manager/cert-manager/issues/3203
+                    More info: https://github.com/cert-manager/cert-manager/issues/4424
+
+                    Cannot be set if the `subject` or `commonName` field is set.
+                  type: string
+                nameConstraints:
+                  description: |-
+                    x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
+                    More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+
+                    This is an Alpha Feature and is only enabled with the
+                    `--feature-gates=NameConstraints=true` option set on both
+                    the controller and webhook components.
+                  properties:
+                    critical:
+                      description: if true then the name constraints are marked critical.
+                      type: boolean
+                    excluded:
+                      description: |-
+                        Excluded contains the constraints which must be disallowed. Any name matching a
+                        restriction in the excluded field is invalid regardless
+                        of information appearing in the permitted
+                      properties:
+                        dnsDomains:
+                          description: DNSDomains is a list of DNS domains that are permitted or excluded.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        emailAddresses:
+                          description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        ipRanges:
+                          description: |-
+                            IPRanges is a list of IP Ranges that are permitted or excluded.
+                            This should be a valid CIDR notation.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        uriDomains:
+                          description: URIDomains is a list of URI domains that are permitted or excluded.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      type: object
+                    permitted:
+                      description: Permitted contains the constraints in which the names must be located.
+                      properties:
+                        dnsDomains:
+                          description: DNSDomains is a list of DNS domains that are permitted or excluded.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        emailAddresses:
+                          description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        ipRanges:
+                          description: |-
+                            IPRanges is a list of IP Ranges that are permitted or excluded.
+                            This should be a valid CIDR notation.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        uriDomains:
+                          description: URIDomains is a list of URI domains that are permitted or excluded.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      type: object
+                  type: object
+                otherNames:
+                  description: |-
+                    `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+                    Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+                    Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+                    You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
+                  items:
+                    properties:
+                      oid:
+                        description: |-
+                          OID is the object identifier for the otherName SAN.
+                          The object identifier must be expressed as a dotted string, for
+                          example, "1.2.840.113556.1.4.221".
+                        type: string
+                      utf8Value:
+                        description: |-
+                          utf8Value is the string value of the otherName SAN.
+                          The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+                        type: string
+                    type: object
+                  type: array
+                  x-kubernetes-list-type: atomic
+                privateKey:
+                  description: |-
+                    Private key options. These include the key algorithm and size, the used
+                    encoding and the rotation policy.
+                  properties:
+                    algorithm:
+                      description: |-
+                        Algorithm is the private key algorithm of the corresponding private key
+                        for this certificate.
+
+                        If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
+                        If `algorithm` is specified and `size` is not provided,
+                        key size of 2048 will be used for `RSA` key algorithm and
+                        key size of 256 will be used for `ECDSA` key algorithm.
+                        key size is ignored when using the `Ed25519` key algorithm.
+                      enum:
+                        - RSA
+                        - ECDSA
+                        - Ed25519
+                      type: string
+                    encoding:
+                      description: |-
+                        The private key cryptography standards (PKCS) encoding for this
+                        certificate's private key to be encoded in.
+
+                        If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
+                        and PKCS#8, respectively.
+                        Defaults to `PKCS1` if not specified.
+                      enum:
+                        - PKCS1
+                        - PKCS8
+                      type: string
+                    rotationPolicy:
+                      description: |-
+                        RotationPolicy controls how private keys should be regenerated when a
+                        re-issuance is being processed.
+
+                        If set to `Never`, a private key will only be generated if one does not
+                        already exist in the target `spec.secretName`. If one does exist but it
+                        does not have the correct algorithm or size, a warning will be raised
+                        to await user intervention.
+                        If set to `Always`, a private key matching the specified requirements
+                        will be generated whenever a re-issuance occurs.
+                        Default is `Always`.
+                        The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
+                        The new default can be disabled by setting the
+                        `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
+                        the controller component.
+                      enum:
+                        - Never
+                        - Always
+                      type: string
+                    size:
+                      description: |-
+                        Size is the key bit size of the corresponding private key for this certificate.
+
+                        If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
+                        and will default to `2048` if not specified.
+                        If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
+                        and will default to `256` if not specified.
+                        If `algorithm` is set to `Ed25519`, Size is ignored.
+                        No other values are allowed.
+                      type: integer
+                  type: object
+                renewBefore:
+                  description: |-
+                    How long before the currently issued certificate's expiry cert-manager should
+                    renew the certificate. For example, if a certificate is valid for 60 minutes,
+                    and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
+                    50 minutes after it was issued (i.e. when there are 10 minutes remaining until
+                    the certificate is no longer valid).
+
+                    NOTE: The actual lifetime of the issued certificate is used to determine the
+                    renewal time. If an issuer returns a certificate with a different lifetime than
+                    the one requested, cert-manager will use the lifetime of the issued certificate.
+
+                    If unset, this defaults to 1/3 of the issued certificate's lifetime.
+                    Minimum accepted value is 5 minutes.
+                    Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+                    Cannot be set if the `renewBeforePercentage` field is set.
+                  type: string
+                renewBeforePercentage:
+                  description: |-
+                    `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
+                    rather than an absolute duration. For example, if a certificate is valid for 60
+                    minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
+                    renew the certificate 45 minutes after it was issued (i.e. when there are 15
+                    minutes (25%) remaining until the certificate is no longer valid).
+
+                    NOTE: The actual lifetime of the issued certificate is used to determine the
+                    renewal time. If an issuer returns a certificate with a different lifetime than
+                    the one requested, cert-manager will use the lifetime of the issued certificate.
+
+                    Value must be an integer in the range (0,100). The minimum effective
+                    `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
+                    minutes.
+                    Cannot be set if the `renewBefore` field is set.
+                  format: int32
+                  type: integer
+                revisionHistoryLimit:
+                  description: |-
+                    The maximum number of CertificateRequest revisions that are maintained in
+                    the Certificate's history. Each revision represents a single `CertificateRequest`
+                    created by this Certificate, either when it was created, renewed, or Spec
+                    was changed. Revisions will be removed by oldest first if the number of
+                    revisions exceeds this number.
+
+                    If set, revisionHistoryLimit must be a value of `1` or greater.
+                    Default value is `1`.
+                  format: int32
+                  type: integer
+                secretName:
+                  description: |-
+                    Name of the Secret resource that will be automatically created and
+                    managed by this Certificate resource. It will be populated with a
+                    private key and certificate, signed by the denoted issuer. The Secret
+                    resource lives in the same namespace as the Certificate resource.
+                  type: string
+                secretTemplate:
+                  description: |-
+                    Defines annotations and labels to be copied to the Certificate's Secret.
+                    Labels and annotations on the Secret will be changed as they appear on the
+                    SecretTemplate when added or removed. SecretTemplate annotations are added
+                    in conjunction with, and cannot overwrite, the base set of annotations
+                    cert-manager sets on the Certificate's Secret.
+                  properties:
+                    annotations:
+                      additionalProperties:
+                        type: string
+                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
+                      type: object
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
+                      type: object
+                  type: object
+                signatureAlgorithm:
+                  description: |-
+                    Signature algorithm to use.
+                    Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
+                    Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
+                    Allowed values for Ed25519 keys: PureEd25519.
+                  enum:
+                    - SHA256WithRSA
+                    - SHA384WithRSA
+                    - SHA512WithRSA
+                    - ECDSAWithSHA256
+                    - ECDSAWithSHA384
+                    - ECDSAWithSHA512
+                    - PureEd25519
+                  type: string
+                subject:
+                  description: |-
+                    Requested set of X509 certificate subject attributes.
+                    More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+
+                    The common name attribute is specified separately in the `commonName` field.
+                    Cannot be set if the `literalSubject` field is set.
+                  properties:
+                    countries:
+                      description: Countries to be used on the Certificate.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    localities:
+                      description: Cities to be used on the Certificate.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    organizationalUnits:
+                      description: Organizational Units to be used on the Certificate.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    organizations:
+                      description: Organizations to be used on the Certificate.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    postalCodes:
+                      description: Postal codes to be used on the Certificate.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    provinces:
+                      description: State/Provinces to be used on the Certificate.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    serialNumber:
+                      description: Serial number to be used on the Certificate.
+                      type: string
+                    streetAddresses:
+                      description: Street addresses to be used on the Certificate.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                  type: object
+                uris:
+                  description: Requested URI subject alternative names.
+                  items:
+                    type: string
+                  type: array
+                  x-kubernetes-list-type: atomic
+                usages:
+                  description: |-
+                    Requested key usages and extended key usages.
+                    These usages are used to set the `usages` field on the created CertificateRequest
+                    resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
+                    will additionally be encoded in the `request` field which contains the CSR blob.
+
+                    If unset, defaults to `digital signature` and `key encipherment`.
+                  items:
+                    description: |-
+                      KeyUsage specifies valid usage contexts for keys.
+                      See:
+                      https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+                      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+
+                      Valid KeyUsage values are as follows:
+                      "signing",
+                      "digital signature",
+                      "content commitment",
+                      "key encipherment",
+                      "key agreement",
+                      "data encipherment",
+                      "cert sign",
+                      "crl sign",
+                      "encipher only",
+                      "decipher only",
+                      "any",
+                      "server auth",
+                      "client auth",
+                      "code signing",
+                      "email protection",
+                      "s/mime",
+                      "ipsec end system",
+                      "ipsec tunnel",
+                      "ipsec user",
+                      "timestamping",
+                      "ocsp signing",
+                      "microsoft sgc",
+                      "netscape sgc"
+                    enum:
+                      - signing
+                      - digital signature
+                      - content commitment
+                      - key encipherment
+                      - key agreement
+                      - data encipherment
+                      - cert sign
+                      - crl sign
+                      - encipher only
+                      - decipher only
+                      - any
+                      - server auth
+                      - client auth
+                      - code signing
+                      - email protection
+                      - s/mime
+                      - ipsec end system
+                      - ipsec tunnel
+                      - ipsec user
+                      - timestamping
+                      - ocsp signing
+                      - microsoft sgc
+                      - netscape sgc
+                    type: string
+                  type: array
+                  x-kubernetes-list-type: atomic
+              required:
+                - issuerRef
+                - secretName
+              type: object
+            status:
+              description: |-
+                Status of the Certificate.
+                This is set and managed automatically.
+                Read-only.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+              properties:
+                conditions:
+                  description: |-
+                    List of status conditions to indicate the status of certificates.
+                    Known condition types are `Ready` and `Issuing`.
+                  items:
+                    description: CertificateCondition contains condition information for a Certificate.
+                    properties:
+                      lastTransitionTime:
+                        description: |-
+                          LastTransitionTime is the timestamp corresponding to the last status
+                          change of this condition.
+                        format: date-time
+                        type: string
+                      message:
+                        description: |-
+                          Message is a human readable description of the details of the last
+                          transition, complementing reason.
+                        type: string
+                      observedGeneration:
+                        description: |-
+                          If set, this represents the .metadata.generation that the condition was
+                          set based upon.
+                          For instance, if .metadata.generation is currently 12, but the
+                          .status.condition[x].observedGeneration is 9, the condition is out of date
+                          with respect to the current state of the Certificate.
+                        format: int64
+                        type: integer
+                      reason:
+                        description: |-
+                          Reason is a brief machine readable explanation for the condition's last
+                          transition.
+                        type: string
+                      status:
+                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
+                        enum:
+                          - "True"
+                          - "False"
+                          - Unknown
+                        type: string
+                      type:
+                        description: Type of the condition, known values are (`Ready`, `Issuing`).
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+                  x-kubernetes-list-map-keys:
+                    - type
+                  x-kubernetes-list-type: map
+                failedIssuanceAttempts:
+                  description: |-
+                    The number of continuous failed issuance attempts up till now. This
+                    field gets removed (if set) on a successful issuance and gets set to
+                    1 if unset and an issuance has failed. If an issuance has failed, the
+                    delay till the next issuance will be calculated using formula
+                    time.Hour * 2 ^ (failedIssuanceAttempts - 1).
+                  type: integer
+                lastFailureTime:
+                  description: |-
+                    LastFailureTime is set only if the latest issuance for this
+                    Certificate failed and contains the time of the failure. If an
+                    issuance has failed, the delay till the next issuance will be
+                    calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
+                    1). If the latest issuance has succeeded this field will be unset.
+                  format: date-time
+                  type: string
+                nextPrivateKeySecretName:
+                  description: |-
+                    The name of the Secret resource containing the private key to be used
+                    for the next certificate iteration.
+                    The keymanager controller will automatically set this field if the
+                    `Issuing` condition is set to `True`.
+                    It will automatically unset this field when the Issuing condition is
+                    not set or False.
+                  type: string
+                notAfter:
+                  description: |-
+                    The expiration time of the certificate stored in the secret named
+                    by this resource in `spec.secretName`.
+                  format: date-time
+                  type: string
+                notBefore:
+                  description: |-
+                    The time after which the certificate stored in the secret named
+                    by this resource in `spec.secretName` is valid.
+                  format: date-time
+                  type: string
+                renewalTime:
+                  description: |-
+                    RenewalTime is the time at which the certificate will be next
+                    renewed.
+                    If not set, no upcoming renewal is scheduled.
+                  format: date-time
+                  type: string
+                revision:
+                  description: |-
+                    The current 'revision' of the certificate as issued.
+
+                    When a CertificateRequest resource is created, it will have the
+                    `cert-manager.io/certificate-revision` set to one greater than the
+                    current value of this field.
+
+                    Upon issuance, this field will be set to the value of the annotation
+                    on the CertificateRequest resource used to issue the certificate.
+
+                    Persisting the value on the CertificateRequest resource allows the
+                    certificates controller to know whether a request is part of an old
+                    issuance or if it is part of the ongoing revision's issuance by
+                    checking if the revision value in the annotation is greater than this
+                    field.
+                  type: integer
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+{{- end }}

packages/system/cert-manager-crds/values.yaml

@@ -1,2 +1,8 @@
-cert-manager:
-  installCRDs: true
+global:
+  commonLabels: {}
+
+creator: helm
+
+crds:
+  enabled: true
+  keep: true

packages/system/cert-manager/Makefile

@@ -8,3 +8,6 @@ update:
 	helm repo add jetstack https://charts.jetstack.io
 	helm repo update jetstack
 	helm pull jetstack/cert-manager --untar --untardir charts
+	rm -rf ../cert-manager-crds/templates/*
+	mv charts/cert-manager/templates/crd-*.yaml ../cert-manager-crds/templates/
+	cp charts/cert-manager/templates/_helpers.tpl ../cert-manager-crds/templates/

packages/system/cert-manager/charts/cert-manager/Chart.yaml

@@ -6,7 +6,7 @@ annotations:
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v2
-appVersion: v1.17.2
+appVersion: v1.19.3
 description: A Helm chart for cert-manager
 home: https://cert-manager.io
 icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
@@ -23,4 +23,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.17.2
+version: v1.19.3

packages/system/cert-manager/charts/cert-manager/README.md

@@ -1,10 +1,10 @@
 # cert-manager
 
-cert-manager is a Kubernetes addon to automate the management and issuance of
-TLS certificates from various issuing sources.
+cert-manager creates TLS certificates for workloads in your Kubernetes or OpenShift cluster and renews the certificates before they expire.
 
-It will ensure certificates are valid and up to date periodically, and attempt
-to renew certificates at an appropriate time before expiry.
+cert-manager can obtain certificates from a [variety of certificate authorities](https://cert-manager.io/docs/configuration/issuers/), including:
+[Let's Encrypt](https://cert-manager.io/docs/configuration/acme/), [HashiCorp Vault](https://cert-manager.io/docs/configuration/vault/),
+[Venafi](https://cert-manager.io/docs/configuration/venafi/) and [private PKI](https://cert-manager.io/docs/configuration/ca/).
 
 ## Prerequisites
 
@@ -13,23 +13,21 @@ to renew certificates at an appropriate time before expiry.
 ## Installing the Chart
 
 Full installation instructions, including details on how to configure extra
-functionality in cert-manager can be found in the [installation docs](https://cert-manager.io/docs/installation/kubernetes/).
-
-Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources.
-This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
-
-```bash
-$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.crds.yaml
-```
+functionality in cert-manager can be found in the [installation docs](https://cert-manager.io/docs/installation/helm/).
 
 To install the chart with the release name `cert-manager`:
 
 ```console
-## Add the Jetstack Helm repository
-$ helm repo add jetstack https://charts.jetstack.io --force-update
+# Add the Jetstack Helm repository
+helm repo add jetstack https://charts.jetstack.io --force-update
 
-## Install the cert-manager helm chart
-$ helm install cert-manager --namespace cert-manager --version v1.17.2 jetstack/cert-manager
+# Install the cert-manager helm chart
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --version v1.19.3 \
+  --set crds.enabled=true
 ```
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer
@@ -56,17 +54,25 @@ are documented in our full [upgrading guide](https://cert-manager.io/docs/instal
 To uninstall/delete the `cert-manager` deployment:
 
 ```console
-$ helm delete cert-manager --namespace cert-manager
+helm delete cert-manager --namespace cert-manager
 ```
 
 The command removes all the Kubernetes components associated with the chart and deletes the release.
 
 If you want to completely uninstall cert-manager from your cluster, you will also need to
-delete the previously installed CustomResourceDefinition resources:
+delete the previously installed CustomResourceDefinition resources.
 
-```console
-$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.crds.yaml
-```
+> ☢️ This will remove all `Issuer`,`ClusterIssuer`,`Certificate`,`CertificateRequest`,`Order` and `Challenge` resources from the cluster:
+>
+> ```console
+> kubectl delete crd \
+>   issuers.cert-manager.io \
+>   clusterissuers.cert-manager.io \
+>   certificates.cert-manager.io \
+>   certificaterequests.cert-manager.io \
+>   orders.acme.cert-manager.io \
+>   challenges.acme.cert-manager.io
+> ```
 
 ## Configuration
 <!-- AUTO-GENERATED -->
@@ -87,6 +93,18 @@ For example:
 imagePullSecrets:
   - name: "image-pull-secret"
 ```
+#### **global.nodeSelector** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+
+Global node selector  
+  
+The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).  
+  
+If a component-specific nodeSelector is also set, it will be merged and take precedence.
+
 #### **global.commonLabels** ~ `object`
 > Default value:
 > ```yaml
@@ -108,6 +126,18 @@ The number of old ReplicaSets to retain to allow rollback (if not set, the defau
 > ```
 
 The optional priority class to be used for the cert-manager pods.
+#### **global.hostUsers** ~ `bool`
+
+Set all pods to run in a user namespace without host access. Experimental: may be removed once the Kubernetes User Namespaces feature is GA.  
+  
+Requirements:  
+  - Kubernetes ≥ 1.33, or  
+  - Kubernetes 1.27–1.32 with UserNamespacesSupport feature gate enabled.  
+  
+Set to false to run pods in a user namespace without host access.  
+  
+See [limitations](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#limitations) for details.
+
 #### **global.rbac.create** ~ `bool`
 > Default value:
 > ```yaml
@@ -230,13 +260,13 @@ This prevents downtime during voluntary disruptions such as during a Node upgrad
 Pod is currently running.
 #### **podDisruptionBudget.minAvailable** ~ `unknown`
 
-This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
+This configures the minimum available pods for disruptions. It can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).  
 It cannot be used if `maxUnavailable` is set.
 
 
 #### **podDisruptionBudget.maxUnavailable** ~ `unknown`
 
-This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). it cannot be used if `minAvailable` is set.
+This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%). it cannot be used if `minAvailable` is set.
 
 
 #### **featureGates** ~ `string`
@@ -300,7 +330,7 @@ Override the "cert-manager.fullname" value. This value is used as part of most o
 
 #### **nameOverride** ~ `string`
 
-Override the "cert-manager.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use eg. "cainjector.name" which resolves to the value "cainjector").
+Override the "cert-manager.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use, e.g., "cainjector.name" which resolves to the value "cainjector").
 
 #### **serviceAccount.create** ~ `bool`
 > Default value:
@@ -371,10 +401,10 @@ config:
   kubernetesAPIBurst: 9000
   numberOfConcurrentWorkers: 200
   enableGatewayAPI: true
-  # Feature gates as of v1.17.0. Listed with their default values.
+  # Feature gates as of v1.18.1. Listed with their default values.
   # See https://cert-manager.io/docs/cli/controller/
   featureGates:
-    AdditionalCertificateOutputFormats: true # BETA - default=true
+    AdditionalCertificateOutputFormats: true # GA - default=true
     AllAlpha: false # ALPHA - default=false
     AllBeta: false # BETA - default=false
     ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
@@ -386,8 +416,10 @@ config:
     ServerSideApply: false # ALPHA - default=false
     StableCertificateRequestName: true # BETA - default=true
     UseCertificateRequestBasicConstraints: false # ALPHA - default=false
-    UseDomainQualifiedFinalizer: true # BETA - default=false
+    UseDomainQualifiedFinalizer: true # GA - default=true
     ValidateCAA: false # ALPHA - default=false
+    DefaultPrivateKeyRotationPolicyAlways: true # BETA - default=true
+    ACMEHTTP01IngressPathTypeExact: true # BETA - default=true
   # Configure the metrics server for TLS
   # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
   metricsTLSConfig:
@@ -425,7 +457,7 @@ Option to disable cert-manager's build-in auto-approver. The auto-approver appro
 > - clusterissuers.cert-manager.io/*
 > ```
 
-List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable 'disableAutoApproval'.  
+List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'.  
 ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
 
 #### **extraArgs** ~ `array`
@@ -684,7 +716,7 @@ enableServiceLinks indicates whether information about services should be inject
 
 Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a  
 ServiceMonitor resource.  
-Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
+Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
 #### **prometheus.servicemonitor.enabled** ~ `bool`
 > Default value:
 > ```yaml
@@ -703,13 +735,14 @@ The namespace that the service monitor should live in, defaults to the cert-mana
 > ```
 
 Specifies the `prometheus` label on the created ServiceMonitor. This is used when different Prometheus instances have label selectors matching different ServiceMonitors.
-#### **prometheus.servicemonitor.targetPort** ~ `number`
+#### **prometheus.servicemonitor.targetPort** ~ `string,integer`
 > Default value:
 > ```yaml
-> 9402
+> http-metrics
 > ```
 
 The target port to set on the ServiceMonitor. This must match the port that the cert-manager controller is listening on for metrics.
+
 #### **prometheus.servicemonitor.path** ~ `string`
 > Default value:
 > ```yaml
@@ -969,13 +1002,13 @@ This prevents downtime during voluntary disruptions such as during a Node upgrad
 Pod is currently running.
 #### **webhook.podDisruptionBudget.minAvailable** ~ `unknown`
 
-This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
+This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).  
 It cannot be used if `maxUnavailable` is set.
 
 
 #### **webhook.podDisruptionBudget.maxUnavailable** ~ `unknown`
 
-This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
+This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).  
 It cannot be used if `minAvailable` is set.
 
 
@@ -1293,6 +1326,8 @@ Create network policies for the webhooks.
 > - from:
 >     - ipBlock:
 >         cidr: 0.0.0.0/0
+>     - ipBlock:
+>         cidr: ::/0
 > ```
 
 Ingress rule for the webhook network policy. By default, it allows all inbound traffic.
@@ -1314,6 +1349,8 @@ Ingress rule for the webhook network policy. By default, it allows all inbound t
 >   to:
 >     - ipBlock:
 >         cidr: 0.0.0.0/0
+>     - ipBlock:
+>         cidr: ::/0
 > ```
 
 Egress rule for the webhook network policy. By default, it allows all outbound traffic to ports 80 and 443, as well as DNS ports.
@@ -1442,14 +1479,14 @@ Pod is currently running.
 #### **cainjector.podDisruptionBudget.minAvailable** ~ `unknown`
 
 `minAvailable` configures the minimum available pods for disruptions. It can either be set to  
-an integer (e.g. 1) or a percentage value (e.g. 25%).  
+an integer (e.g., 1) or a percentage value (e.g., 25%).  
 Cannot be used if `maxUnavailable` is set.
 
 
 #### **cainjector.podDisruptionBudget.maxUnavailable** ~ `unknown`
 
 `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to  
-an integer (e.g. 1) or a percentage value (e.g. 25%).  
+an integer (e.g., 1) or a percentage value (e.g., 25%).  
 Cannot be used if `minAvailable` is set.
 
 

packages/system/cert-manager/charts/cert-manager/templates/NOTES.txt

@@ -1,6 +1,12 @@
 {{- if .Values.installCRDs }}
 ⚠️  WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
+
 {{- end }}
+⚠️  WARNING: New default private key rotation policy for Certificate resources.
+The default private key rotation policy for Certificate resources was
+changed to `Always` in cert-manager >= v1.18.0.
+Learn more in the [1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18).
+
 cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer

packages/system/cert-manager/charts/cert-manager/templates/_helpers.tpl

@@ -187,6 +187,17 @@ See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linke
 {{- end }}
 {{- end }}
 
+{{/*
+Labels for the CRD resources.
+*/}}
+{{- define "cert-manager.crd-labels" -}}
+app: "{{ template "cert-manager.name" . }}"
+app.kubernetes.io/name: "{{ template "cert-manager.name" . }}"
+app.kubernetes.io/instance: "{{ .Release.Name }}"
+app.kubernetes.io/component: "crds"
+{{ include "labels" . }}
+{{- end -}}
+
 {{/*
 Check that the user has not set both .installCRDs and .crds.enabled or
 set .installCRDs and disabled .crds.keep.

packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml

@@ -67,6 +67,9 @@ spec:
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
+      {{- if (hasKey .Values.global "hostUsers") }}
+      hostUsers: {{ .Values.global.hostUsers }}       
+      {{- end }}
       {{- with .Values.cainjector.securityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
@@ -136,9 +139,13 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           {{- end }}
-      {{- with .Values.cainjector.nodeSelector }}
+      {{- $nodeSelector := .Values.global.nodeSelector | default dict }}
+      {{- $nodeSelector = merge $nodeSelector (.Values.cainjector.nodeSelector | default dict) }}
+      {{- with $nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
       {{- end }}
       {{- with .Values.cainjector.affinity }}
       affinity:

packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml

@@ -66,6 +66,9 @@ spec:
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
+      {{- if (hasKey .Values.global "hostUsers") }}
+      hostUsers: {{ .Values.global.hostUsers }}       
+      {{- end }}
       {{- with .Values.securityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
@@ -209,9 +212,13 @@ spec:
             failureThreshold: {{ .failureThreshold }}
           {{- end }}
           {{- end }}
-      {{- with .Values.nodeSelector }}
+      {{- $nodeSelector := .Values.global.nodeSelector | default dict }}
+      {{- $nodeSelector = merge $nodeSelector (.Values.nodeSelector | default dict) }}
+      {{- with $nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
       {{- end }}
       {{- with .Values.affinity }}
       affinity:
@@ -234,4 +241,4 @@ spec:
       {{- end }}
       {{- with .Values.hostAliases }}
       hostAliases: {{ toYaml . | nindent 8 }}
-      {{- end }}
+      {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/rbac.yaml

@@ -49,7 +49,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+  name: {{ template "cert-manager.fullname" . }}-tokenrequest
   namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ include "cert-manager.name" . }}
@@ -69,7 +69,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ include "cert-manager.fullname" . }}-{{ template "cert-manager.serviceAccountName" .  }}-tokenrequest
+  name: {{ include "cert-manager.fullname" . }}-tokenrequest
   namespace: {{ include "cert-manager.namespace" . }}
   labels:
     app: {{ include "cert-manager.name" . }}
@@ -80,7 +80,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+  name: {{ template "cert-manager.fullname" . }}-tokenrequest
 subjects:
   - kind: ServiceAccount
     name: {{ template "cert-manager.serviceAccountName" . }}
@@ -256,8 +256,8 @@ rules:
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]
     verbs: ["get", "list", "watch", "create", "delete", "update"]
-  - apiGroups: [ "gateway.networking.k8s.io" ]
-    resources: [ "httproutes" ]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["httproutes"]
     verbs: ["get", "list", "watch", "create", "delete", "update"]
   # We require the ability to specify a custom hostname when we are creating
   # new ingress resources.

packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml

@@ -12,7 +12,8 @@ metadata:
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- range $k, $v := . }}
-      {{- printf "%s: %s" (tpl $k $) (tpl $v $) | nindent 4 }}
+      {{- $value := $v | quote }}
+      {{- printf "%s: %s" (tpl $k $) (tpl $value $) | nindent 4 }}
     {{- end }} 
   {{- end }}
   labels:

packages/system/cert-manager/charts/cert-manager/templates/servicemonitor.yaml

@@ -16,7 +16,9 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
+    {{- if .Values.prometheus.servicemonitor.prometheusInstance }}
     prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
+    {{- end }}
     {{- with .Values.prometheus.servicemonitor.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
@@ -54,8 +56,12 @@ spec:
   endpoints:
   - targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
     path: {{ .Values.prometheus.servicemonitor.path }}
+    {{- if .Values.prometheus.servicemonitor.interval }}
     interval: {{ .Values.prometheus.servicemonitor.interval }}
+    {{- end }}
+    {{- if .Values.prometheus.servicemonitor.scrapeTimeout }}
     scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
+    {{- end }}
     honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
     {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
     {{- toYaml . | nindent 4 }}

packages/system/cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml

@@ -41,6 +41,9 @@ spec:
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
+      {{- if (hasKey .Values.global "hostUsers") }}
+      hostUsers: {{ .Values.global.hostUsers }}       
+      {{- end }}
       {{- with .Values.startupapicheck.securityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
@@ -76,9 +79,13 @@ spec:
           volumeMounts:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-      {{- with .Values.startupapicheck.nodeSelector }}
+      {{- $nodeSelector := .Values.global.nodeSelector | default dict }}
+      {{- $nodeSelector = merge $nodeSelector (.Values.startupapicheck.nodeSelector | default dict) }}
+      {{- with $nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
       {{- end }}
       {{- with .Values.startupapicheck.affinity }}
       affinity:

packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml

@@ -66,6 +66,9 @@ spec:
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
+      {{- if (hasKey .Values.global "hostUsers") }}
+      hostUsers: {{ .Values.global.hostUsers }}       
+      {{- end }}
       {{- with .Values.webhook.securityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
@@ -102,7 +105,7 @@ spec:
           - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
           - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
           - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
-          {{ if .Values.webhook.url.host }}
+          {{- if .Values.webhook.url.host }}
           - --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
           {{- end }}
           {{- end }}
@@ -137,11 +140,7 @@ spec:
           livenessProbe:
             httpGet:
               path: /livez
-              {{- if $config.healthzPort }}
-              port: {{ $config.healthzPort }}
-              {{- else }}
-              port: 6080
-              {{- end }}
+              port: healthcheck
               scheme: HTTP
             initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
@@ -151,11 +150,7 @@ spec:
           readinessProbe:
             httpGet:
               path: /healthz
-              {{- if $config.healthzPort }}
-              port: {{ $config.healthzPort }}
-              {{- else }}
-              port: 6080
-              {{- end }}
+              port: healthcheck
               scheme: HTTP
             initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
@@ -188,9 +183,13 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           {{- end }}
-      {{- with .Values.webhook.nodeSelector }}
+      {{- $nodeSelector := .Values.global.nodeSelector | default dict }}
+      {{- $nodeSelector = merge $nodeSelector (.Values.webhook.nodeSelector | default dict) }}
+      {{- with $nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
       {{- end }}
       {{- with .Values.webhook.affinity }}
       affinity:

packages/system/cert-manager/charts/cert-manager/values.schema.json

@@ -236,7 +236,7 @@
         "issuers.cert-manager.io/*",
         "clusterissuers.cert-manager.io/*"
       ],
-      "description": "List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable 'disableAutoApproval'.\nref: https://cert-manager.io/docs/concepts/certificaterequest/#approval",
+      "description": "List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'.\nref: https://cert-manager.io/docs/concepts/certificaterequest/#approval",
       "items": {},
       "type": "array"
     },
@@ -461,10 +461,10 @@
       "type": "boolean"
     },
     "helm-values.cainjector.podDisruptionBudget.maxUnavailable": {
-      "description": "`maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to\nan integer (e.g. 1) or a percentage value (e.g. 25%).\nCannot be used if `minAvailable` is set."
+      "description": "`maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to\nan integer (e.g., 1) or a percentage value (e.g., 25%).\nCannot be used if `minAvailable` is set."
     },
     "helm-values.cainjector.podDisruptionBudget.minAvailable": {
-      "description": "`minAvailable` configures the minimum available pods for disruptions. It can either be set to\nan integer (e.g. 1) or a percentage value (e.g. 25%).\nCannot be used if `maxUnavailable` is set."
+      "description": "`minAvailable` configures the minimum available pods for disruptions. It can either be set to\nan integer (e.g., 1) or a percentage value (e.g., 25%).\nCannot be used if `maxUnavailable` is set."
     },
     "helm-values.cainjector.podLabels": {
       "default": {},
@@ -579,7 +579,7 @@
     },
     "helm-values.config": {
       "default": {},
-      "description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n  apiVersion: controller.config.cert-manager.io/v1alpha1\n  kind: ControllerConfiguration\n  logging:\n    verbosity: 2\n    format: text\n  leaderElectionConfig:\n    namespace: kube-system\n  kubernetesAPIQPS: 9000\n  kubernetesAPIBurst: 9000\n  numberOfConcurrentWorkers: 200\n  enableGatewayAPI: true\n  # Feature gates as of v1.17.0. Listed with their default values.\n  # See https://cert-manager.io/docs/cli/controller/\n  featureGates:\n    AdditionalCertificateOutputFormats: true # BETA - default=true\n    AllAlpha: false # ALPHA - default=false\n    AllBeta: false # BETA - default=false\n    ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false\n    ExperimentalGatewayAPISupport: true # BETA - default=true\n    LiteralCertificateSubject: true # BETA - default=true\n    NameConstraints: true # BETA - default=true\n    OtherNames: false # ALPHA - default=false\n    SecretsFilteredCaching: true # BETA - default=true\n    ServerSideApply: false # ALPHA - default=false\n    StableCertificateRequestName: true # BETA - default=true\n    UseCertificateRequestBasicConstraints: false # ALPHA - default=false\n    UseDomainQualifiedFinalizer: true # BETA - default=false\n    ValidateCAA: false # ALPHA - default=false\n  # Configure the metrics server for TLS\n  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n  metricsTLSConfig:\n    dynamic:\n      secretNamespace: \"cert-manager\"\n      secretName: \"cert-manager-metrics-ca\"\n      dnsNames:\n      - cert-manager-metrics",
+      "description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n  apiVersion: controller.config.cert-manager.io/v1alpha1\n  kind: ControllerConfiguration\n  logging:\n    verbosity: 2\n    format: text\n  leaderElectionConfig:\n    namespace: kube-system\n  kubernetesAPIQPS: 9000\n  kubernetesAPIBurst: 9000\n  numberOfConcurrentWorkers: 200\n  enableGatewayAPI: true\n  # Feature gates as of v1.18.1. Listed with their default values.\n  # See https://cert-manager.io/docs/cli/controller/\n  featureGates:\n    AdditionalCertificateOutputFormats: true # GA - default=true\n    AllAlpha: false # ALPHA - default=false\n    AllBeta: false # BETA - default=false\n    ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false\n    ExperimentalGatewayAPISupport: true # BETA - default=true\n    LiteralCertificateSubject: true # BETA - default=true\n    NameConstraints: true # BETA - default=true\n    OtherNames: false # ALPHA - default=false\n    SecretsFilteredCaching: true # BETA - default=true\n    ServerSideApply: false # ALPHA - default=false\n    StableCertificateRequestName: true # BETA - default=true\n    UseCertificateRequestBasicConstraints: false # ALPHA - default=false\n    UseDomainQualifiedFinalizer: true # GA - default=true\n    ValidateCAA: false # ALPHA - default=false\n    DefaultPrivateKeyRotationPolicyAlways: true # BETA - default=true\n    ACMEHTTP01IngressPathTypeExact: true # BETA - default=true\n  # Configure the metrics server for TLS\n  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n  metricsTLSConfig:\n    dynamic:\n      secretNamespace: \"cert-manager\"\n      secretName: \"cert-manager-metrics-ca\"\n      dnsNames:\n      - cert-manager-metrics",
       "type": "object"
     },
     "helm-values.containerSecurityContext": {
@@ -689,6 +689,9 @@
         "commonLabels": {
           "$ref": "#/$defs/helm-values.global.commonLabels"
         },
+        "hostUsers": {
+          "$ref": "#/$defs/helm-values.global.hostUsers"
+        },
         "imagePullSecrets": {
           "$ref": "#/$defs/helm-values.global.imagePullSecrets"
         },
@@ -698,6 +701,9 @@
         "logLevel": {
           "$ref": "#/$defs/helm-values.global.logLevel"
         },
+        "nodeSelector": {
+          "$ref": "#/$defs/helm-values.global.nodeSelector"
+        },
         "podSecurityPolicy": {
           "$ref": "#/$defs/helm-values.global.podSecurityPolicy"
         },
@@ -718,6 +724,10 @@
       "description": "Labels to apply to all resources.\nPlease note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress. For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress).\nFor example, secretTemplate in CertificateSpec\nFor more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec).",
       "type": "object"
     },
+    "helm-values.global.hostUsers": {
+      "description": "Set all pods to run in a user namespace without host access. Experimental: may be removed once the Kubernetes User Namespaces feature is GA.\n\nRequirements:\n  - Kubernetes ≥ 1.33, or\n  - Kubernetes 1.27–1.32 with UserNamespacesSupport feature gate enabled.\n\nSet to false to run pods in a user namespace without host access.\n\nSee [limitations](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#limitations) for details.",
+      "type": "boolean"
+    },
     "helm-values.global.imagePullSecrets": {
       "default": [],
       "description": "Reference to one or more secrets to be used when pulling images. For more information, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).\n\nFor example:\nimagePullSecrets:\n  - name: \"image-pull-secret\"",
@@ -763,6 +773,11 @@
       "description": "Set the verbosity of cert-manager. A range of 0 - 6, with 6 being the most verbose.",
       "type": "number"
     },
+    "helm-values.global.nodeSelector": {
+      "default": {},
+      "description": "Global node selector\n\nThe nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).\n\nIf a component-specific nodeSelector is also set, it will be merged and take precedence.",
+      "type": "object"
+    },
     "helm-values.global.podSecurityPolicy": {
       "properties": {
         "enabled": {
@@ -921,7 +936,7 @@
       "type": "number"
     },
     "helm-values.nameOverride": {
-      "description": "Override the \"cert-manager.name\" value, which is used to annotate some of the resources that are created by this Chart (using \"app.kubernetes.io/name\"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use eg. \"cainjector.name\" which resolves to the value \"cainjector\").",
+      "description": "Override the \"cert-manager.name\" value, which is used to annotate some of the resources that are created by this Chart (using \"app.kubernetes.io/name\"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use, e.g., \"cainjector.name\" which resolves to the value \"cainjector\").",
       "type": "string"
     },
     "helm-values.namespace": {
@@ -965,10 +980,10 @@
       "type": "boolean"
     },
     "helm-values.podDisruptionBudget.maxUnavailable": {
-      "description": "This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). it cannot be used if `minAvailable` is set."
+      "description": "This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%). it cannot be used if `minAvailable` is set."
     },
     "helm-values.podDisruptionBudget.minAvailable": {
-      "description": "This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).\nIt cannot be used if `maxUnavailable` is set."
+      "description": "This configures the minimum available pods for disruptions. It can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).\nIt cannot be used if `maxUnavailable` is set."
     },
     "helm-values.podDnsConfig": {
       "description": "Pod DNS configuration. The podDnsConfig field is optional and can work with any podDnsPolicy settings. However, when a Pod's dnsPolicy is set to \"None\", the dnsConfig field has to be specified. For more information, see [Pod's DNS Config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config).",
@@ -1000,7 +1015,7 @@
     },
     "helm-values.prometheus.enabled": {
       "default": true,
-      "description": "Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a\nServiceMonitor resource.\nOtherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.",
+      "description": "Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a\nServiceMonitor resource.\nOtherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.",
       "type": "boolean"
     },
     "helm-values.prometheus.podmonitor": {
@@ -1177,9 +1192,8 @@
       "type": "string"
     },
     "helm-values.prometheus.servicemonitor.targetPort": {
-      "default": 9402,
-      "description": "The target port to set on the ServiceMonitor. This must match the port that the cert-manager controller is listening on for metrics.",
-      "type": "number"
+      "default": "http-metrics",
+      "description": "The target port to set on the ServiceMonitor. This must match the port that the cert-manager controller is listening on for metrics."
     },
     "helm-values.replicaCount": {
       "default": 1,
@@ -1887,6 +1901,11 @@
               "ipBlock": {
                 "cidr": "0.0.0.0/0"
               }
+            },
+            {
+              "ipBlock": {
+                "cidr": "::/0"
+              }
             }
           ]
         }
@@ -1908,6 +1927,11 @@
               "ipBlock": {
                 "cidr": "0.0.0.0/0"
               }
+            },
+            {
+              "ipBlock": {
+                "cidr": "::/0"
+              }
             }
           ]
         }
@@ -1948,10 +1972,10 @@
       "type": "boolean"
     },
     "helm-values.webhook.podDisruptionBudget.maxUnavailable": {
-      "description": "This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).\nIt cannot be used if `minAvailable` is set."
+      "description": "This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).\nIt cannot be used if `minAvailable` is set."
     },
     "helm-values.webhook.podDisruptionBudget.minAvailable": {
-      "description": "This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).\nIt cannot be used if `maxUnavailable` is set."
+      "description": "This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).\nIt cannot be used if `maxUnavailable` is set."
     },
     "helm-values.webhook.podLabels": {
       "default": {},

packages/system/cert-manager/charts/cert-manager/values.yaml

@@ -12,6 +12,16 @@ global:
   #    - name: "image-pull-secret"
   imagePullSecrets: []
 
+  # Global node selector
+  #
+  # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
+  # matching labels.
+  # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
+  #
+  # If a component-specific nodeSelector is also set, it will be merged and take precedence.
+  # +docs:property
+  nodeSelector: {}
+  
   # Labels to apply to all resources.
   # Please note that this does not add labels to the resources created dynamically by the controllers.
   # For these resources, you have to add the labels in the template in the cert-manager custom resource:
@@ -28,6 +38,19 @@ global:
   # The optional priority class to be used for the cert-manager pods.
   priorityClassName: ""
 
+  # Set all pods to run in a user namespace without host access.
+  # Experimental: may be removed once the Kubernetes User Namespaces feature is GA.
+  #
+  # Requirements:
+  #   - Kubernetes ≥ 1.33, or
+  #   - Kubernetes 1.27–1.32 with UserNamespacesSupport feature gate enabled.
+  #
+  # Set to false to run pods in a user namespace without host access.
+  #
+  # See [limitations](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#limitations) for details.
+  # +docs:property
+  # hostUsers: false
+
   rbac:
     # Create required ClusterRoles and ClusterRoleBindings for cert-manager.
     create: true
@@ -117,14 +140,14 @@ podDisruptionBudget:
   enabled: false
 
   # This configures the minimum available pods for disruptions. It can either be set to
-  # an integer (e.g. 1) or a percentage value (e.g. 25%).
+  # an integer (e.g., 1) or a percentage value (e.g., 25%).
   # It cannot be used if `maxUnavailable` is set.
   # +docs:property
   # +docs:type=unknown
   # minAvailable: 1
 
   # This configures the maximum unavailable pods for disruptions. It can either be set to
-  # an integer (e.g. 1) or a percentage value (e.g. 25%).
+  # an integer (e.g., 1) or a percentage value (e.g., 25%).
   # it cannot be used if `minAvailable` is set.
   # +docs:property
   # +docs:type=unknown
@@ -176,7 +199,7 @@ namespace: ""
 # Override the "cert-manager.name" value, which is used to annotate some of
 # the resources that are created by this Chart (using "app.kubernetes.io/name").
 # NOTE: There are some inconsistencies in the Helm chart when it comes to
-# these annotations (some resources use eg. "cainjector.name" which resolves
+# these annotations (some resources use, e.g., "cainjector.name" which resolves
 # to the value "cainjector").
 # +docs:property
 # nameOverride: "my-cert-manager"
@@ -231,10 +254,10 @@ enableCertificateOwnerRef: false
 #    kubernetesAPIBurst: 9000
 #    numberOfConcurrentWorkers: 200
 #    enableGatewayAPI: true
-#    # Feature gates as of v1.17.0. Listed with their default values.
+#    # Feature gates as of v1.18.1. Listed with their default values.
 #    # See https://cert-manager.io/docs/cli/controller/
 #    featureGates:
-#      AdditionalCertificateOutputFormats: true # BETA - default=true
+#      AdditionalCertificateOutputFormats: true # GA - default=true
 #      AllAlpha: false # ALPHA - default=false
 #      AllBeta: false # BETA - default=false
 #      ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
@@ -246,8 +269,10 @@ enableCertificateOwnerRef: false
 #      ServerSideApply: false # ALPHA - default=false
 #      StableCertificateRequestName: true # BETA - default=true
 #      UseCertificateRequestBasicConstraints: false # ALPHA - default=false
-#      UseDomainQualifiedFinalizer: true # BETA - default=false
+#      UseDomainQualifiedFinalizer: true # GA - default=true
 #      ValidateCAA: false # ALPHA - default=false
+#      DefaultPrivateKeyRotationPolicyAlways: true # BETA - default=true
+#      ACMEHTTP01IngressPathTypeExact: true # BETA - default=true
 #    # Configure the metrics server for TLS
 #    # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
 #    metricsTLSConfig:
@@ -278,7 +303,7 @@ disableAutoApproval: false
 # referencing these signer names will be auto-approved by cert-manager. Defaults to just
 # approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty
 # array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval,
-# because eg. you are using approver-policy, you can enable 'disableAutoApproval'.
+# because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'.
 # ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
 # +docs:property
 approveSignerNames:
@@ -434,7 +459,6 @@ ingressShim: {}
 # +docs:property
 # no_proxy: 127.0.0.1,localhost
 
-
 # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
 #
 # For example:
@@ -502,7 +526,7 @@ prometheus:
   # ServiceMonitor resource.
   # Otherwise, 'prometheus.io' annotations are added to the cert-manager and
   # cert-manager-webhook Deployments.
-  # Note that you can not enable both PodMonitor and ServiceMonitor as they are
+  # Note that you cannot enable both PodMonitor and ServiceMonitor as they are
   # mutually exclusive. Enabling both will result in an error.
   enabled: true
 
@@ -522,7 +546,8 @@ prometheus:
 
     # The target port to set on the ServiceMonitor. This must match the port that the
     # cert-manager controller is listening on for metrics.
-    targetPort: 9402
+    # +docs:type=string,integer
+    targetPort: http-metrics
 
     # The path to scrape for metrics.
     path: /metrics
@@ -556,7 +581,7 @@ prometheus:
     # +docs:property
     endpointAdditionalProperties: {}
 
-  # Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
+  # Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
   podmonitor:
     # Create a PodMonitor to add cert-manager to Prometheus.
     enabled: false
@@ -706,14 +731,14 @@ webhook:
     enabled: false
 
     # This property configures the minimum available pods for disruptions. Can either be set to
-    # an integer (e.g. 1) or a percentage value (e.g. 25%).
+    # an integer (e.g., 1) or a percentage value (e.g., 25%).
     # It cannot be used if `maxUnavailable` is set.
     # +docs:property
     # +docs:type=unknown
     # minAvailable: 1
 
     # This property configures the maximum unavailable pods for disruptions. Can either be set to
-    # an integer (e.g. 1) or a percentage value (e.g. 25%).
+    # an integer (e.g., 1) or a percentage value (e.g., 25%).
     # It cannot be used if `minAvailable` is set.
     # +docs:property
     # +docs:type=unknown
@@ -959,6 +984,8 @@ webhook:
     - from:
       - ipBlock:
           cidr: 0.0.0.0/0
+      - ipBlock:
+          cidr: "::/0"
 
     # Egress rule for the webhook network policy. By default, it allows all
     # outbound traffic to ports 80 and 443, as well as DNS ports.
@@ -980,6 +1007,8 @@ webhook:
       to:
       - ipBlock:
           cidr: 0.0.0.0/0
+      - ipBlock:
+          cidr: "::/0"
 
   # Additional volumes to add to the cert-manager controller pod.
   volumes: []
@@ -1073,14 +1102,14 @@ cainjector:
     enabled: false
 
     # `minAvailable` configures the minimum available pods for disruptions. It can either be set to
-    # an integer (e.g. 1) or a percentage value (e.g. 25%).
+    # an integer (e.g., 1) or a percentage value (e.g., 25%).
     # Cannot be used if `maxUnavailable` is set.
     # +docs:property
     # +docs:type=unknown
     # minAvailable: 1
 
     # `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to
-    # an integer (e.g. 1) or a percentage value (e.g. 25%).
+    # an integer (e.g., 1) or a percentage value (e.g., 25%).
     # Cannot be used if `minAvailable` is set.
     # +docs:property
     # +docs:type=unknown

packages/system/cert-manager/values.yaml

@@ -1,2 +0,0 @@
-cert-manager:
-  installCRDs: false

packages/system/cozystack-api/values.yaml

@@ -1,3 +1,3 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v1.0.0-rc.1@sha256:9195ac6ef1d29aba3e1903f29a9aeeb72f5bf7ba3dbd7ebd866a06a4433e5915
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v1.0.0@sha256:bd70ecb944bde9a0d6b88114aea89bdbbe2d07e33f03175cfd885de013e88294
   replicas: 2

packages/system/cozystack-controller/values.yaml

@@ -1,4 +1,4 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v1.0.0-rc.1@sha256:0ac4b6d55daf79e2a7a045cd21b48ba598ac2628442fd9c4d0556cf9af6b83be
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v1.0.0@sha256:da01085026a4a01514ae435c7bfb48cca2cf00eb17feb2ed7ae88711f82693e0
   debug: false
   disableTelemetry: false

packages/system/dashboard/templates/configmap.yaml

@@ -1,6 +1,6 @@
 {{- $brandingConfig := .Values._cluster.branding | default dict }}
 
-{{- $tenantText := "v1.0.0-rc.1" }}
+{{- $tenantText := "v1.0.0" }}
 {{- $footerText := "Cozystack" }}
 {{- $titleText := "Cozystack Dashboard" }}
 {{- $logoText := "" }}

packages/system/dashboard/templates/flowschema.yaml

@@ -0,0 +1,20 @@
+apiVersion: flowcontrol.apiserver.k8s.io/v1
+kind: FlowSchema
+metadata:
+  name: cozy-dashboard-exempt
+spec:
+  matchingPrecedence: 2
+  priorityLevelConfiguration:
+    name: exempt
+  rules:
+    - subjects:
+        - kind: ServiceAccount
+          serviceAccount:
+            name: incloud-web-web
+            namespace: {{ .Release.Namespace }}
+      resourceRules:
+        - verbs: ["*"]
+          apiGroups: ["*"]
+          resources: ["*"]
+          namespaces: ["*"]
+          clusterScope: true

packages/system/dashboard/templates/rbac.yaml

@@ -12,6 +12,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - backups.cozystack.io
+  resources:
+  - backupclasses
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

packages/system/dashboard/templates/web.yaml

@@ -136,7 +136,7 @@ spec:
             - name: CUSTOMIZATION_NAVIGATION_RESOURCE_PLURAL
               value: navigations
             - name: CUSTOMIZATION_SIDEBAR_FALLBACK_ID
-              value: stock-project-api-table
+              value: ""
             - name: CUSTOMIZATION_BREADCRUMBS_FALLBACK_ID
               value: stock-project-api-table
             - name: INSTANCES_API_GROUP

packages/system/dashboard/values.yaml

@@ -1,6 +1,6 @@
 openapiUI:
-  image: ghcr.io/cozystack/cozystack/openapi-ui:v1.0.0-rc.1@sha256:26e787b259ab8722d61f89e07eda200ef2180ed10b0df8596d75bba15526feb0
+  image: ghcr.io/cozystack/cozystack/openapi-ui:v1.0.0@sha256:73a8bd4283a46a99d22536eece9c2059fa2fb1c17b43ddefe6716e8960e4731e
 openapiUIK8sBff:
-  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v1.0.0-rc.1@sha256:0f508427bfa5a650eda6c5ef01ea32a586ac485a54902d7649ec49cc84f676f7
+  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v1.0.0@sha256:c938fee904acd948800d4dc5e121c4c5cd64cb4a3160fb8d2f9dbff0e5168740
 tokenProxy:
-  image: ghcr.io/cozystack/cozystack/token-proxy:v1.0.0-rc.1@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc
+  image: ghcr.io/cozystack/cozystack/token-proxy:v1.0.0@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc

packages/system/grafana-operator/images/grafana-dashboards.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/grafana-dashboards:v1.0.0-rc.1@sha256:7a3c9af59f8d74d5a23750bbc845c7de64610dbd4d4f84011e10be037b3ce2a0
+ghcr.io/cozystack/cozystack/grafana-dashboards:v1.0.0@sha256:7a3c9af59f8d74d5a23750bbc845c7de64610dbd4d4f84011e10be037b3ce2a0

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v1.0.0-rc.1@sha256:0ca47c0d72a198f52f029bea30e89557680eac65c7914369b092d8ed9cc9997b
+    tag: v1.0.0@sha256:50db517ebe7698083dd32223a96c987b6ed0c88d3a093969beb571e4a96d18e4
     repository: ghcr.io/cozystack/cozystack/kamaji
   resources:
     limits:
@@ -13,4 +13,4 @@ kamaji:
       cpu: 100m
       memory: 100Mi
   extraArgs:
-    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v1.0.0-rc.1@sha256:0ca47c0d72a198f52f029bea30e89557680eac65c7914369b092d8ed9cc9997b
+    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v1.0.0@sha256:50db517ebe7698083dd32223a96c987b6ed0c88d3a093969beb571e4a96d18e4

packages/system/keycloak/templates/ingress.yaml

@@ -1,4 +1,5 @@
 {{- $host := index .Values._cluster "root-host" }}
+{{- $ingressHost := .Values.ingress.host | default (printf "keycloak.%s" $host) }}
 {{- $solver := (index .Values._cluster "solver") | default "http01" }}
 {{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
 {{- $exposeIngress := (index .Values._cluster "expose-ingress") | default "tenant-root" }}
@@ -19,10 +20,10 @@ spec:
   ingressClassName: {{ $exposeIngress }}
   tls:
   - hosts:
-      - keycloak.{{ $host }}
+      - {{ $ingressHost }}
     secretName: web-tls
   rules:
-  - host: keycloak.{{ $host }}
+  - host: {{ $ingressHost }}
     http:
       paths:
       - path: /

packages/system/keycloak/templates/sts.yaml

@@ -1,4 +1,5 @@
 {{- $host := index .Values._cluster "root-host" }}
+{{- $ingressHost := .Values.ingress.host | default (printf "keycloak.%s" $host) }}
 {{- $clusterDomain := (index .Values._cluster "cluster-domain") | default "cozy.local" }}
 
 {{- $existingPassword := lookup "v1" "Secret" "cozy-keycloak" (printf "%s-credentials" .Release.Name) }}
@@ -120,7 +121,7 @@ spec:
             - name: KC_FEATURES
               value: "docker"
             - name: KC_HOSTNAME
-              value: https://keycloak.{{ $host }}
+              value: https://{{ $ingressHost }}
             - name: JAVA_OPTS_APPEND
               value: "-Djgroups.dns.query=keycloak-headless.cozy-keycloak.svc.{{ $clusterDomain }}"
           ports:

packages/system/keycloak/values.yaml

@@ -1,6 +1,10 @@
 image: quay.io/keycloak/keycloak:26.0.4
 
 ingress:
+  # Custom hostname for the Keycloak Ingress.
+  # If set, this value will be used as the Ingress hostname (e.g., "auth.example.com").
+  # If left empty, defaults to "keycloak.<root-host>" based on the cluster root-host setting.
+  host: ""
   annotations:
     nginx.ingress.kubernetes.io/affinity: "cookie"
     nginx.ingress.kubernetes.io/session-cookie-expires: "86400"

packages/system/kubeovn-plunger/values.yaml

@@ -1,4 +1,4 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v1.0.0-rc.1@sha256:6be9aa4b2dda15bf7300bd961cbc71c8bbf9ce97bc3cf613ef5a012d329b4e70
+image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v1.0.0@sha256:b6045fdb4f324b9b1cb44a218c40422aafbbc600b085c819ff58809bb6e97220
 ovnCentralName: ovn-central

packages/system/kubeovn-webhook/values.yaml

@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v1.0.0-rc.1@sha256:e18f9fd679e38f65362a8d0042f25468272f6d081136ad47027168d8e7e07a4a
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v1.0.0@sha256:e18f9fd679e38f65362a8d0042f25468272f6d081136ad47027168d8e7e07a4a