[bucket] Add script for locking bucket

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.github/workflows/auto-release.yaml

@@ -33,7 +33,6 @@ jobs:
           git config user.name  "cozystack-bot"
           git config user.email "217169706+cozystack-bot@users.noreply.github.com"
           git remote set-url origin https://cozystack-bot:${GH_PAT}@github.com/${GITHUB_REPOSITORY}
-          git config --unset-all http.https://github.com/.extraheader || true
 
       - name: Process release branches
         uses: actions/github-script@v7
@@ -48,8 +47,6 @@ jobs:
             execSync('git config user.name "cozystack-bot"', { encoding: 'utf8' });
             execSync('git config user.email "217169706+cozystack-bot@users.noreply.github.com"', { encoding: 'utf8' });
             execSync(`git remote set-url origin https://cozystack-bot:${process.env.GH_PAT}@github.com/${process.env.GITHUB_REPOSITORY}`, { encoding: 'utf8' });
-            // Remove GITHUB_TOKEN extraheader to ensure PAT is used (needed to trigger other workflows)
-            execSync('git config --unset-all http.https://github.com/.extraheader || true', { encoding: 'utf8' });
 
             // Get all release-X.Y branches
             const branches = execSync('git branch -r | grep -E "origin/release-[0-9]+\\.[0-9]+$" | sed "s|origin/||" | tr -d " "', { encoding: 'utf8' })

.github/workflows/pull-requests-release.yaml

@@ -110,95 +110,67 @@ jobs:
               }
             }
 
-      # Publish draft release and ensure correct latest flag
-      - name: Publish draft release
+      # Get the latest published release
+      - name: Get the latest published release
+        id: latest_release
         uses: actions/github-script@v7
         with:
           script: |
-            const tag = '${{ steps.get_tag.outputs.tag }}';
+            try {
+              const rel = await github.rest.repos.getLatestRelease({
+                owner: context.repo.owner,
+                repo:  context.repo.repo
+              });
+              core.setOutput('tag', rel.data.tag_name);
+            } catch (_) {
+              core.setOutput('tag', '');
+            }
+
+      # Compare current tag vs latest using semver-utils
+      - name: Semver compare
+        id: semver
+        uses: madhead/semver-utils@v4.3.0
+        with:
+          version:    ${{ steps.get_tag.outputs.tag }}
+          compare-to: ${{ steps.latest_release.outputs.tag }}
+
+      # Derive flags: prerelease?  make_latest?
+      - name: Calculate publish flags
+        id: flags
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const tag = '${{ steps.get_tag.outputs.tag }}';              // v0.31.5-rc.1
             const m = tag.match(/^v(\d+\.\d+\.\d+)(-(?:alpha|beta|rc)\.\d+)?$/);
             if (!m) {
               core.setFailed(`❌ tag '${tag}' must match 'vX.Y.Z' or 'vX.Y.Z-(alpha|beta|rc).N'`);
               return;
             }
-            const isRc = Boolean(m[2]);
+            const version = m[1] + (m[2] ?? '');                         // 0.31.5-rc.1
+            const isRc    = Boolean(m[2]);
+            core.setOutput('is_rc',      isRc);
+            const outdated = '${{ steps.semver.outputs.comparison-result }}' === '<';
+            core.setOutput('make_latest', isRc || outdated ? 'false' : 'legacy');
 
-            // Parse semver string to comparable numbers
-            function parseSemver(v) {
-              const match = v.replace(/^v/, '').match(/^(\d+)\.(\d+)\.(\d+)/);
-              if (!match) return null;
-              return {
-                major: parseInt(match[1]),
-                minor: parseInt(match[2]),
-                patch: parseInt(match[3])
-              };
-            }
-
-            // Compare two semver objects
-            function compareSemver(a, b) {
-              if (a.major !== b.major) return a.major - b.major;
-              if (a.minor !== b.minor) return a.minor - b.minor;
-              return a.patch - b.patch;
-            }
-
-            const currentSemver = parseSemver(tag);
-
-            // Get all releases
+      # Publish draft release with correct flags
+      - name: Publish draft release
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const tag = '${{ steps.get_tag.outputs.tag }}';
             const releases = await github.rest.repos.listReleases({
               owner: context.repo.owner,
-              repo: context.repo.repo,
-              per_page: 100
+              repo:  context.repo.repo
             });
-
-            // Find draft release to publish
             const draft = releases.data.find(r => r.tag_name === tag && r.draft);
             if (!draft) throw new Error(`Draft release for ${tag} not found`);
-
-            // Find max semver among published releases (excluding current draft)
-            const publishedReleases = releases.data
-              .filter(r => !r.draft && !r.prerelease)
-              .filter(r => /^v\d+\.\d+\.\d+$/.test(r.tag_name))
-              .map(r => ({ id: r.id, tag: r.tag_name, semver: parseSemver(r.tag_name) }))
-              .filter(r => r.semver !== null);
-
-            let maxRelease = null;
-            for (const rel of publishedReleases) {
-              if (!maxRelease || compareSemver(rel.semver, maxRelease.semver) > 0) {
-                maxRelease = rel;
-              }
-            }
-
-            // Determine if this release should be latest
-            const isOutdated = maxRelease && compareSemver(currentSemver, maxRelease.semver) < 0;
-            const makeLatest = (isRc || isOutdated) ? 'false' : 'true';
-
-            if (isRc) {
-              console.log(`🏷️  ${tag} is a prerelease, make_latest: false`);
-            } else if (isOutdated) {
-              console.log(`🏷️  ${tag} < ${maxRelease.tag} (max semver), make_latest: false`);
-            } else {
-              console.log(`🏷️  ${tag} is the highest version, make_latest: true`);
-            }
-
-            // Publish the release
             await github.rest.repos.updateRelease({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              release_id: draft.id,
-              draft: false,
-              prerelease: isRc,
-              make_latest: makeLatest
+              owner:       context.repo.owner,
+              repo:        context.repo.repo,
+              release_id:  draft.id,
+              draft:       false,
+              prerelease:  ${{ steps.flags.outputs.is_rc }},
+              make_latest: '${{ steps.flags.outputs.make_latest }}'
             });
-            console.log(`🚀 Published release ${tag}`);
 
-            // If this is a backport/outdated release, ensure the correct release is marked as latest
-            if (isOutdated && maxRelease) {
-              console.log(`🔧 Ensuring ${maxRelease.tag} remains the latest release...`);
-              await github.rest.repos.updateRelease({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                release_id: maxRelease.id,
-                make_latest: 'true'
-              });
-              console.log(`✅ Restored ${maxRelease.tag} as latest release`);
-            }
+            console.log(`🚀 Published release for ${tag}`);

.github/workflows/retest.yaml

@@ -1,78 +0,0 @@
-name: Retest
-
-on:
-  issue_comment:
-    types: [created]
-
-jobs:
-  retest:
-    name: Retest PR
-    runs-on: ubuntu-latest
-    if: |
-      github.event.issue.pull_request &&
-      contains(github.event.comment.body, '/retest')
-    permissions:
-      actions: write
-      pull-requests: read
-
-    steps:
-      - name: Rerun from Prepare environment
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const prNumber = context.issue.number;
-
-            // Get the PR to find the head SHA
-            const pr = await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: prNumber
-            });
-
-            // Find the latest workflow run for this PR
-            const runs = await github.rest.actions.listWorkflowRuns({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              workflow_id: 'pull-requests.yaml',
-              head_sha: pr.data.head.sha
-            });
-
-            if (runs.data.workflow_runs.length === 0) {
-              core.setFailed('No workflow runs found for this PR');
-              return;
-            }
-
-            const latestRun = runs.data.workflow_runs[0];
-            console.log(`Found workflow run: ${latestRun.id} (${latestRun.status})`);
-
-            // Check if workflow is waiting for approval (fork PRs)
-            if (latestRun.conclusion === 'action_required') {
-              core.setFailed('Workflow is waiting for approval. A maintainer must approve the workflow first.');
-              return;
-            }
-
-            // Get jobs for this run
-            const jobs = await github.rest.actions.listJobsForWorkflowRun({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              run_id: latestRun.id
-            });
-
-            // Find "Prepare environment" job
-            const prepareJob = jobs.data.jobs.find(j => j.name === 'Prepare environment');
-
-            if (!prepareJob) {
-              core.setFailed('Could not find "Prepare environment" job');
-              return;
-            }
-
-            console.log(`Found job: ${prepareJob.name} (id: ${prepareJob.id}, status: ${prepareJob.status})`);
-
-            // Rerun the job
-            await github.rest.actions.reRunJobForWorkflowRun({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              job_id: prepareJob.id
-            });
-
-            console.log(`✅ Triggered rerun of job "${prepareJob.name}" (${prepareJob.id})`);

.github/workflows/tags.yaml

@@ -123,6 +123,32 @@ jobs:
           git commit -m "Prepare release ${GITHUB_REF#refs/tags/}" -s || echo "No changes to commit"
           git push origin HEAD || true
 
+      # Get `latest_version` from latest published release 
+      - name: Get latest published release
+        if: steps.check_release.outputs.skip == 'false'
+        id: latest_release
+        uses: actions/github-script@v7
+        with:
+          script: |
+            try {
+              const rel = await github.rest.repos.getLatestRelease({
+                owner: context.repo.owner,
+                repo:  context.repo.repo
+              });
+              core.setOutput('tag', rel.data.tag_name);
+            } catch (_) {
+              core.setOutput('tag', '');
+            }
+
+      # Compare tag (A) with latest (B)
+      - name: Semver compare
+        if: steps.check_release.outputs.skip == 'false'
+        id: semver
+        uses: madhead/semver-utils@v4.3.0
+        with:
+          version:     ${{ steps.tag.outputs.tag }}            # A
+          compare-to:  ${{ steps.latest_release.outputs.tag }} # B
+
       # Create or reuse draft release
       - name: Create / reuse draft release
         if: steps.check_release.outputs.skip == 'false'

api/backups/strategy/v1alpha1/velero_types.go

@@ -6,7 +6,6 @@
 package v1alpha1
 
 import (
-	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -48,15 +47,7 @@ type VeleroList struct {
 }
 
 // VeleroSpec specifies the desired strategy for backing up with Velero.
-type VeleroSpec struct {
-	Template VeleroTemplate `json:"template"`
-}
-
-// VeleroTemplate describes the data a backup.velero.io should have when
-// templated from a Velero backup strategy.
-type VeleroTemplate struct {
-	Spec velerov1.BackupSpec `json:"spec"`
-}
+type VeleroSpec struct{}
 
 type VeleroStatus struct {
 	Conditions []metav1.Condition `json:"conditions,omitempty"`

api/backups/strategy/v1alpha1/zz_generated.deepcopy.go

@@ -127,7 +127,7 @@ func (in *Velero) DeepCopyInto(out *Velero) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
+	out.Spec = in.Spec
 	in.Status.DeepCopyInto(&out.Status)
 }
 
@@ -184,7 +184,6 @@ func (in *VeleroList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VeleroSpec) DeepCopyInto(out *VeleroSpec) {
 	*out = *in
-	in.Template.DeepCopyInto(&out.Template)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VeleroSpec.
@@ -218,19 +217,3 @@ func (in *VeleroStatus) DeepCopy() *VeleroStatus {
 	in.DeepCopyInto(out)
 	return out
 }
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VeleroTemplate) DeepCopyInto(out *VeleroTemplate) {
-	*out = *in
-	in.Spec.DeepCopyInto(&out.Spec)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VeleroTemplate.
-func (in *VeleroTemplate) DeepCopy() *VeleroTemplate {
-	if in == nil {
-		return nil
-	}
-	out := new(VeleroTemplate)
-	in.DeepCopyInto(out)
-	return out
-}

api/backups/v1alpha1/backupjob_types.go

@@ -21,11 +21,6 @@ func init() {
 	})
 }
 
-const (
-	OwningJobNameLabel      = thisGroup + "/owned-by.BackupJobName"
-	OwningJobNamespaceLabel = thisGroup + "/owned-by.BackupJobNamespace"
-)
-
 // BackupJobPhase represents the lifecycle phase of a BackupJob.
 type BackupJobPhase string
 
@@ -90,8 +85,6 @@ type BackupJobStatus struct {
 // The field indexing on applicationRef will be needed later to display per-app backup resources.
 
 // +kubebuilder:object:root=true
-// +kubebuilder:subresource:status
-// +kubebuilder:printcolumn:name="Phase",type="string",JSONPath=".status.phase",priority=0
 // +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
 // +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
 // +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`

api/backups/v1alpha1/groupversion_info.go

@@ -25,13 +25,8 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const (
-	thisGroup   = "backups.cozystack.io"
-	thisVersion = "v1alpha1"
-)
-
 var (
-	GroupVersion  = schema.GroupVersion{Group: thisGroup, Version: thisVersion}
+	GroupVersion  = schema.GroupVersion{Group: "backups.cozystack.io", Version: "v1alpha1"}
 	SchemeBuilder = runtime.NewSchemeBuilder(addGroupVersion)
 	AddToScheme   = SchemeBuilder.AddToScheme
 )

cmd/backup-controller/main.go

@@ -35,10 +35,8 @@ import (
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
-	strategyv1alpha1 "github.com/cozystack/cozystack/api/backups/strategy/v1alpha1"
 	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
 	"github.com/cozystack/cozystack/internal/backupcontroller"
-	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -51,8 +49,6 @@ func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
 	utilruntime.Must(backupsv1alpha1.AddToScheme(scheme))
-	utilruntime.Must(strategyv1alpha1.AddToScheme(scheme))
-	utilruntime.Must(velerov1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
 
@@ -159,15 +155,6 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err = (&backupcontroller.BackupJobReconciler{
-		Client:   mgr.GetClient(),
-		Scheme:   mgr.GetScheme(),
-		Recorder: mgr.GetEventRecorderFor("backup-controller"),
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "BackupJob")
-		os.Exit(1)
-	}
-
 	// +kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

examples/desired-backup.yaml

@@ -1,20 +0,0 @@
-apiVersion: backups.cozystack.io/v1alpha1
-kind: BackupJob
-metadata:
-  name: desired-backup
-  namespace: tenant-root
-  labels:
-    backups.cozystack.io/triggered-by: manual
-spec:
-  applicationRef:
-    apiGroup: apps.cozystack.io
-    kind: VirtualMachine
-    name: vm1
-  storageRef:
-    apiGroup: apps.cozystack.io
-    kind: Bucket
-    name: test-bucket
-  strategyRef:
-    apiGroup: strategy.backups.cozystack.io
-    kind: Velero
-    name: velero-strategy-default

go.mod

@@ -17,7 +17,6 @@ require (
 	github.com/prometheus/client_golang v1.22.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/spf13/cobra v1.9.1
-	github.com/vmware-tanzu/velero v1.17.1
 	go.uber.org/zap v1.27.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.34.1
@@ -81,8 +80,8 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.65.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.7 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
@@ -91,14 +90,14 @@ require (
 	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
 	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
@@ -106,18 +105,18 @@ require (
 	golang.org/x/crypto v0.42.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.45.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/oauth2 v0.29.0 // indirect
 	golang.org/x/sync v0.17.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/term v0.35.0 // indirect
 	golang.org/x/text v0.29.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
 	golang.org/x/tools v0.37.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/grpc v1.73.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/grpc v1.72.1 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect

go.sum

@@ -144,10 +144,10 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
 github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
-github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
-github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
@@ -179,8 +179,6 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
-github.com/vmware-tanzu/velero v1.17.1 h1:ldKeiTuUwkThOw7zrUucNA1NwnLG66zl13YetWAoE0I=
-github.com/vmware-tanzu/velero v1.17.1/go.mod h1:3KTxuUN6Un38JzmYAX+8U6j2k6EexGoNNxa8jrJML8U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chqDkyE9Z4N61UnQd+KOfgp5Iu53llk=
@@ -203,24 +201,24 @@ go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
-go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
-go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
-go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
-go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
-go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -248,8 +246,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
 golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
+golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -266,8 +264,8 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
 golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -280,14 +278,14 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
+google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
+google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

hack/e2e-apps/backup.bats.disabled

@@ -1,226 +0,0 @@
-#!/usr/bin/env bats
-
-# Test variables - stored for teardown
-TEST_NAMESPACE='tenant-test'
-TEST_BUCKET_NAME='test-backup-bucket'
-TEST_VM_NAME='test-backup-vm'
-TEST_BACKUPJOB_NAME='test-backup-job'
-
-teardown() {
-  # Clean up resources (runs even if test fails)
-  namespace="${TEST_NAMESPACE}"
-  bucket_name="${TEST_BUCKET_NAME}"
-  vm_name="${TEST_VM_NAME}"
-  backupjob_name="${TEST_BACKUPJOB_NAME}"
-  
-  # Clean up port-forward if still running
-  pkill -f "kubectl.*port-forward.*seaweedfs-s3" 2>/dev/null || true
-  
-  # Clean up Velero resources in cozy-velero namespace
-  # Find Velero backup by pattern matching namespace-backupjob
-  for backup in $(kubectl -n cozy-velero get backups.velero.io -o jsonpath='{.items[*].metadata.name}' 2>/dev/null || true); do
-    if echo "$backup" | grep -q "^${namespace}-${backupjob_name}-"; then
-      kubectl -n cozy-velero delete backups.velero.io ${backup} --wait=false 2>/dev/null || true
-    fi
-  done
-  
-  # Clean up BackupStorageLocation and VolumeSnapshotLocation (named: namespace-backupjob)
-  BSL_NAME="${namespace}-${backupjob_name}"
-  kubectl -n cozy-velero delete backupstoragelocations.velero.io ${BSL_NAME} --wait=false 2>/dev/null || true
-  kubectl -n cozy-velero delete volumesnapshotlocations.velero.io ${BSL_NAME} --wait=false 2>/dev/null || true
-  
-  # Clean up Velero credentials secret
-  SECRET_NAME="backup-${namespace}-${backupjob_name}-s3-credentials"
-  kubectl -n cozy-velero delete secret ${SECRET_NAME} --wait=false 2>/dev/null || true
-  
-  # Clean up BackupJob
-  kubectl -n ${namespace} delete backupjob ${backupjob_name} --wait=false 2>/dev/null || true
-  
-  # Clean up Virtual Machine
-  kubectl -n ${namespace} delete virtualmachines.apps.cozystack.io ${vm_name} --wait=false 2>/dev/null || true
-  
-  # Clean up Bucket
-  kubectl -n ${namespace} delete bucket.apps.cozystack.io ${bucket_name} --wait=false 2>/dev/null || true
-
-  # Clean up temporary files
-  rm -f /tmp/bucket-backup-credentials.json
-}
-
-print_log() {
-  echo "# $1" >&3
-}
-
-@test "Create Backup for Virtual Machine" {
-  # Test variables
-  bucket_name="${TEST_BUCKET_NAME}"
-  vm_name="${TEST_VM_NAME}"
-  backupjob_name="${TEST_BACKUPJOB_NAME}"
-  namespace="${TEST_NAMESPACE}"
-
-  print_log "Step 0:Ensure BackupJob and Velero strategy CRDs are installed"
-  kubectl apply -f packages/system/backup-controller/definitions/backups.cozystack.io_backupjobs.yaml
-  kubectl apply -f packages/system/backupstrategy-controller/definitions/strategy.backups.cozystack.io_veleroes.yaml
-  # Wait for CRDs to be ready
-  kubectl wait --for condition=established --timeout=30s crd backupjobs.backups.cozystack.io
-  kubectl wait --for condition=established --timeout=30s crd veleroes.strategy.backups.cozystack.io
-  
-  # Ensure velero-strategy-default resource exists
-  kubectl apply -f packages/system/backup-controller/templates/strategy.yaml
-
-  print_log "Step 1: Create the bucket resource"
-  kubectl apply -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: Bucket
-metadata:
-  name: ${bucket_name}
-  namespace: ${namespace}
-spec: {}
-EOF
-
-  print_log "Wait for the bucket to be ready"
-  kubectl -n ${namespace} wait hr bucket-${bucket_name} --timeout=100s --for=condition=ready
-  kubectl -n ${namespace} wait bucketclaims.objectstorage.k8s.io bucket-${bucket_name} --timeout=300s --for=jsonpath='{.status.bucketReady}'=true
-  kubectl -n ${namespace} wait bucketaccesses.objectstorage.k8s.io bucket-${bucket_name} --timeout=300s --for=jsonpath='{.status.accessGranted}'=true
-
-  # Get bucket credentials for later S3 verification
-  kubectl -n ${namespace} get secret bucket-${bucket_name} -ojsonpath='{.data.BucketInfo}' | base64 -d > /tmp/bucket-backup-credentials.json
-  ACCESS_KEY=$(jq -r '.spec.secretS3.accessKeyID' /tmp/bucket-backup-credentials.json)
-  SECRET_KEY=$(jq -r '.spec.secretS3.accessSecretKey' /tmp/bucket-backup-credentials.json)
-  BUCKET_NAME=$(jq -r '.spec.bucketName' /tmp/bucket-backup-credentials.json)
-
-  print_log "Step 2: Create the Virtual Machine"
-  kubectl apply -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: VirtualMachine
-metadata:
-  name: ${vm_name}
-  namespace: ${namespace}
-spec:
-  external: false
-  externalMethod: PortList
-  externalPorts:
-  - 22
-  instanceType: "u1.medium"
-  instanceProfile: ubuntu
-  systemDisk:
-    image: ubuntu
-    storage: 5Gi
-    storageClass: replicated
-  gpus: []
-  resources: {}
-  sshKeys:
-  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
-    test@test
-  cloudInit: |
-    #cloud-config
-    users:
-      - name: test
-        shell: /bin/bash
-        sudo: ['ALL=(ALL) NOPASSWD: ALL']
-        groups: sudo
-        ssh_authorized_keys:
-          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
-  cloudInitSeed: ""
-EOF
-
-  print_log "Wait for VM to be ready"
-  sleep 5
-  kubectl -n ${namespace} wait hr virtual-machine-${vm_name} --timeout=10s --for=condition=ready
-  kubectl -n ${namespace} wait dv virtual-machine-${vm_name} --timeout=150s --for=condition=ready
-  kubectl -n ${namespace} wait pvc virtual-machine-${vm_name} --timeout=100s --for=jsonpath='{.status.phase}'=Bound
-  kubectl -n ${namespace} wait vm virtual-machine-${vm_name} --timeout=100s --for=condition=ready
-
-  print_log "Step 3: Create BackupJob"
-  kubectl apply -f - <<EOF
-apiVersion: backups.cozystack.io/v1alpha1
-kind: BackupJob
-metadata:
-  name: ${backupjob_name}
-  namespace: ${namespace}
-  labels:
-    backups.cozystack.io/triggered-by: e2e-test
-spec:
-  applicationRef:
-    apiGroup: apps.cozystack.io
-    kind: VirtualMachine
-    name: ${vm_name}
-  storageRef:
-    apiGroup: apps.cozystack.io
-    kind: Bucket
-    name: ${bucket_name}
-  strategyRef:
-    apiGroup: strategy.backups.cozystack.io
-    kind: Velero
-    name: velero-strategy-default
-EOF
-
-  print_log "Wait for BackupJob to start"
-  kubectl -n ${namespace} wait backupjob ${backupjob_name} --timeout=60s --for=jsonpath='{.status.phase}'=Running
-
-  print_log "Wait for BackupJob to complete"
-  kubectl -n ${namespace} wait backupjob ${backupjob_name} --timeout=300s --for=jsonpath='{.status.phase}'=Succeeded
-
-  print_log "Verify BackupJob status"
-  PHASE=$(kubectl -n ${namespace} get backupjob ${backupjob_name} -o jsonpath='{.status.phase}')
-  [ "$PHASE" = "Succeeded" ]
-
-  # Verify BackupJob has a backupRef
-  BACKUP_REF=$(kubectl -n ${namespace} get backupjob ${backupjob_name} -o jsonpath='{.status.backupRef.name}')
-  [ -n "$BACKUP_REF" ]
-
-  # Find the Velero backup by searching for backups matching the namespace-backupjob pattern
-  # Format: namespace-backupjob-timestamp
-  VELERO_BACKUP_NAME=""
-  VELERO_BACKUP_PHASE=""
-  
-  print_log "Wait a bit for the backup to be created and appear in the API"
-  sleep 30
-  
-  # Find backup by pattern matching namespace-backupjob
-  for backup in $(kubectl -n cozy-velero get backups.velero.io -o jsonpath='{.items[*].metadata.name}' 2>/dev/null); do
-    if echo "$backup" | grep -q "^${namespace}-${backupjob_name}-"; then
-      VELERO_BACKUP_NAME=$backup
-      VELERO_BACKUP_PHASE=$(kubectl -n cozy-velero get backups.velero.io $backup -o jsonpath='{.status.phase}' 2>/dev/null || echo "")
-      break
-    fi
-  done
-
-  print_log "Verify Velero Backup was found"
-  [ -n "$VELERO_BACKUP_NAME" ]
-  
-  echo '# Wait for Velero Backup to complete' >&3
-  until kubectl -n cozy-velero get backups.velero.io ${VELERO_BACKUP_NAME} -o jsonpath='{.status.phase}' | grep -q 'Completed\|Failed'; do
-    sleep 5
-  done
-
-  print_log "Verify Velero Backup is Completed"
-  timeout 90 sh -ec "until [ \"\$(kubectl -n cozy-velero get backups.velero.io ${VELERO_BACKUP_NAME} -o jsonpath='{.status.phase}' 2>/dev/null)\" = \"Completed\" ]; do sleep 30; done"
-  
-  # Final verification
-  VELERO_BACKUP_PHASE=$(kubectl -n cozy-velero get backups.velero.io ${VELERO_BACKUP_NAME} -o jsonpath='{.status.phase}' 2>/dev/null || echo "")
-  [ "$VELERO_BACKUP_PHASE" = "Completed" ]
-
-  print_log "Step 4: Verify S3 has backup data"
-  # Start port-forwarding to S3 service (with timeout to keep it alive)
-  bash -c 'timeout 100s kubectl port-forward service/seaweedfs-s3 -n tenant-root 8333:8333 > /dev/null 2>&1 &'
-
-  # Wait for port-forward to be ready
-  timeout 30 sh -ec "until nc -z localhost 8333; do sleep 1; done"
-
-  # Wait a bit for backup data to be written to S3
-  sleep 30
-  
-  # Set up MinIO client with insecure flag (use environment variable for all commands)
-  export MC_INSECURE=1
-  mc alias set local https://localhost:8333 $ACCESS_KEY $SECRET_KEY
-
-  # Verify backup directory exists in S3
-  BACKUP_PATH="${BUCKET_NAME}/backups/${VELERO_BACKUP_NAME}"
-  mc ls local/${BACKUP_PATH}/ 2>/dev/null
-  [ $? -eq 0 ]
-  
-  # Verify backup files exist (at least metadata files)
-  BACKUP_FILES=$(mc ls local/${BACKUP_PATH}/ 2>/dev/null | wc -l || echo "0")
-  [ "$BACKUP_FILES" -gt "0" ]
-}
-

hack/e2e-apps/run-kubernetes.sh

@@ -72,7 +72,7 @@ EOF
   kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-${test_name} --timeout=4m
 
   # Wait for Kubernetes resources to be ready (timeout after 2 minutes)
-  kubectl wait tcp -n tenant-test kubernetes-${test_name} --timeout=5m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
+  kubectl wait tcp -n tenant-test kubernetes-${test_name} --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
 
   # Wait for all required deployments to be available (timeout after 4 minutes)
   kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-${test_name} kubernetes-${test_name}-cluster-autoscaler kubernetes-${test_name}-kccm kubernetes-${test_name}-kcsi-controller
@@ -87,7 +87,7 @@ EOF
 
 
   # Set up port forwarding to the Kubernetes API server for a 200 second timeout
-  bash -c 'timeout 500s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
+  bash -c 'timeout 300s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
   # Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
   timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
 
@@ -124,100 +124,6 @@ EOF
     exit 1
   fi
 
-
-  kubectl --kubeconfig tenantkubeconfig-${test_name} apply -f - <<EOF
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: tenant-test
-EOF
-
-  # Backend 1
-  kubectl apply --kubeconfig tenantkubeconfig-${test_name} -f- <<EOF
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: "${test_name}-backend"
-  namespace: tenant-test
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: backend
-      backend: "${test_name}-backend"
-  template:
-    metadata:
-      labels:
-        app: backend
-        backend: "${test_name}-backend"
-    spec:
-      containers:
-      - name: nginx
-        image: nginx:alpine
-        ports:
-        - containerPort: 80
-        readinessProbe:
-          httpGet:
-            path: /
-            port: 80
-          initialDelaySeconds: 2
-          periodSeconds: 2
-EOF
-
-  # LoadBalancer Service
-  kubectl apply --kubeconfig tenantkubeconfig-${test_name} -f- <<EOF
-apiVersion: v1
-kind: Service
-metadata:
-  name: "${test_name}-backend"
-  namespace: tenant-test
-spec:
-  type: LoadBalancer
-  selector:
-    app: backend
-    backend: "${test_name}-backend"
-  ports:
-  - port: 80
-    targetPort: 80
-EOF
-
-  # Wait for pods readiness
-  kubectl wait deployment --kubeconfig tenantkubeconfig-${test_name} ${test_name}-backend -n tenant-test --for=condition=Available --timeout=90s
-  
-  # Wait for LoadBalancer to be provisioned (IP or hostname)
-  timeout 90 sh -ec "
-    until kubectl get svc ${test_name}-backend --kubeconfig tenantkubeconfig-${test_name} -n tenant-test \
-      -o jsonpath='{.status.loadBalancer.ingress[0]}' | grep -q .; do
-      sleep 5
-    done
-  "
-
-LB_ADDR=$(
-  kubectl get svc --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" \
-    -n tenant-test \
-    -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}'
-)
-
-if [ -z "$LB_ADDR" ]; then
-  echo "LoadBalancer address is empty" >&2
-  exit 1
-fi
-
-  for i in $(seq 1 20); do
-    echo "Attempt $i"
-    curl --silent --fail "http://${LB_ADDR}" && break
-    sleep 3
-  done
-
-  if [ "$i" -eq 20 ]; then
-    echo "LoadBalancer not reachable" >&2
-    exit 1
-  fi
-
-  # Cleanup
-  kubectl delete deployment --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" -n tenant-test
-  kubectl delete service --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" -n tenant-test
-
   # Wait for all machine deployment replicas to be ready (timeout after 10 minutes)
   kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
 

hack/update-crd.sh

@@ -8,6 +8,7 @@ need yq; need jq; need base64
 CHART_YAML="${CHART_YAML:-Chart.yaml}"
 VALUES_YAML="${VALUES_YAML:-values.yaml}"
 SCHEMA_JSON="${SCHEMA_JSON:-values.schema.json}"
+CRD_DIR="../../system/cozystack-resource-definitions/cozyrds"
 
 [[ -f "$CHART_YAML" ]] || { echo "No $CHART_YAML found"; exit 1; }
 [[ -f "$SCHEMA_JSON" ]] || { echo "No $SCHEMA_JSON found"; exit 1; }
@@ -21,8 +22,6 @@ if [[ -z "$NAME" ]]; then
   echo "Chart.yaml: .name is empty"; exit 1
 fi
 
-CRD_DIR="../../system/${NAME}-rd/cozyrds"
-
 # Resolve icon path
 # Accepts:
 #   /logos/foo.svg  -> ./logos/foo.svg

internal/backupcontroller/backupjob_controller.go

@@ -2,18 +2,12 @@ package backupcontroller
 
 import (
 	"context"
-	"net/http"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	strategyv1alpha1 "github.com/cozystack/cozystack/api/backups/strategy/v1alpha1"
@@ -24,69 +18,35 @@ import (
 // Velero.strategy.backups.cozystack.io objects.
 type BackupJobReconciler struct {
 	client.Client
-	dynamic.Interface
-	meta.RESTMapper
-	Scheme   *runtime.Scheme
-	Recorder record.EventRecorder
+	Scheme *runtime.Scheme
 }
 
 func (r *BackupJobReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	logger := log.FromContext(ctx)
-	logger.Info("reconciling BackupJob", "namespace", req.Namespace, "name", req.Name)
-
+	_ = log.FromContext(ctx)
 	j := &backupsv1alpha1.BackupJob{}
 	err := r.Get(ctx, types.NamespacedName{Namespace: req.Namespace, Name: req.Name}, j)
 	if err != nil {
 		if apierrors.IsNotFound(err) {
-			logger.V(1).Info("BackupJob not found, skipping")
 			return ctrl.Result{}, nil
 		}
-		logger.Error(err, "failed to get BackupJob")
 		return ctrl.Result{}, err
 	}
-
-	if j.Spec.StrategyRef.APIGroup == nil {
-		logger.V(1).Info("BackupJob has nil StrategyRef.APIGroup, skipping", "backupjob", j.Name)
+	if j.Spec.StrategyRef.APIGroup == nil || *j.Spec.StrategyRef.APIGroup != strategyv1alpha1.GroupVersion.Group {
 		return ctrl.Result{}, nil
 	}
-
-	if *j.Spec.StrategyRef.APIGroup != strategyv1alpha1.GroupVersion.Group {
-		logger.V(1).Info("BackupJob StrategyRef.APIGroup doesn't match, skipping",
-			"backupjob", j.Name,
-			"expected", strategyv1alpha1.GroupVersion.Group,
-			"got", *j.Spec.StrategyRef.APIGroup)
-		return ctrl.Result{}, nil
-	}
-
-	logger.Info("processing BackupJob", "backupjob", j.Name, "strategyKind", j.Spec.StrategyRef.Kind)
 	switch j.Spec.StrategyRef.Kind {
 	case strategyv1alpha1.JobStrategyKind:
 		return r.reconcileJob(ctx, j)
 	case strategyv1alpha1.VeleroStrategyKind:
 		return r.reconcileVelero(ctx, j)
 	default:
-		logger.V(1).Info("BackupJob StrategyRef.Kind not supported, skipping",
-			"backupjob", j.Name,
-			"kind", j.Spec.StrategyRef.Kind,
-			"supported", []string{strategyv1alpha1.JobStrategyKind, strategyv1alpha1.VeleroStrategyKind})
 		return ctrl.Result{}, nil
 	}
+
 }
 
 // SetupWithManager registers our controller with the Manager and sets up watches.
 func (r *BackupJobReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	cfg := mgr.GetConfig()
-	var err error
-	if r.Interface, err = dynamic.NewForConfig(cfg); err != nil {
-		return err
-	}
-	var h *http.Client
-	if h, err = rest.HTTPClientFor(cfg); err != nil {
-		return err
-	}
-	if r.RESTMapper, err = apiutil.NewDynamicRESTMapper(cfg, h); err != nil {
-		return err
-	}
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&backupsv1alpha1.BackupJob{}).
 		Complete(r)

internal/backupcontroller/velerostrategy_controller.go

@@ -2,626 +2,14 @@ package backupcontroller
 
 import (
 	"context"
-	"encoding/json"
-	"fmt"
-	"reflect"
-	"time"
 
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/api/meta"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
-	strategyv1alpha1 "github.com/cozystack/cozystack/api/backups/strategy/v1alpha1"
 	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
-	"github.com/cozystack/cozystack/internal/template"
-
-	"github.com/go-logr/logr"
-	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 )
 
-func getLogger(ctx context.Context) loggerWithDebug {
-	return loggerWithDebug{Logger: log.FromContext(ctx)}
-}
-
-// loggerWithDebug wraps a logr.Logger and provides a Debug() method
-// that maps to V(1).Info() for convenience.
-type loggerWithDebug struct {
-	logr.Logger
-}
-
-// Debug logs at debug level (equivalent to V(1).Info())
-func (l loggerWithDebug) Debug(msg string, keysAndValues ...interface{}) {
-	l.Logger.V(1).Info(msg, keysAndValues...)
-}
-
-// S3Credentials holds the discovered S3 credentials from a Bucket storageRef
-type S3Credentials struct {
-	BucketName      string
-	Endpoint        string
-	Region          string
-	AccessKeyID     string
-	AccessSecretKey string
-}
-
-// bucketInfo represents the structure of BucketInfo stored in the secret
-type bucketInfo struct {
-	Spec struct {
-		BucketName string `json:"bucketName"`
-		SecretS3   struct {
-			Endpoint        string `json:"endpoint"`
-			Region          string `json:"region"`
-			AccessKeyID     string `json:"accessKeyID"`
-			AccessSecretKey string `json:"accessSecretKey"`
-		} `json:"secretS3"`
-	} `json:"spec"`
-}
-
-const (
-	defaultRequeueAfter             = 5 * time.Second
-	defaultActiveJobPollingInterval = defaultRequeueAfter
-	// Velero requires API objects and secrets to be in the cozy-velero namespace
-	veleroNamespace      = "cozy-velero"
-	virtualMachinePrefix = "virtual-machine-"
-)
-
-func storageS3SecretName(namespace, backupJobName string) string {
-	return fmt.Sprintf("backup-%s-%s-s3-credentials", namespace, backupJobName)
-}
-
-func boolPtr(b bool) *bool {
-	return &b
-}
-
 func (r *BackupJobReconciler) reconcileVelero(ctx context.Context, j *backupsv1alpha1.BackupJob) (ctrl.Result, error) {
-	logger := getLogger(ctx)
-	logger.Debug("reconciling Velero strategy", "backupjob", j.Name, "phase", j.Status.Phase)
-
-	// If already completed, no need to reconcile
-	if j.Status.Phase == backupsv1alpha1.BackupJobPhaseSucceeded ||
-		j.Status.Phase == backupsv1alpha1.BackupJobPhaseFailed {
-		logger.Debug("BackupJob already completed, skipping", "phase", j.Status.Phase)
-		return ctrl.Result{}, nil
-	}
-
-	// Step 1: On first reconcile, set startedAt (but not phase yet - phase will be set after backup creation)
-	logger.Debug("checking BackupJob status", "startedAt", j.Status.StartedAt, "phase", j.Status.Phase)
-	if j.Status.StartedAt == nil {
-		logger.Debug("setting BackupJob StartedAt")
-		now := metav1.Now()
-		j.Status.StartedAt = &now
-		// Don't set phase to Running yet - will be set after Velero backup is successfully created
-		if err := r.Status().Update(ctx, j); err != nil {
-			logger.Error(err, "failed to update BackupJob status")
-			return ctrl.Result{}, err
-		}
-		logger.Debug("set BackupJob StartedAt", "startedAt", j.Status.StartedAt)
-	} else {
-		logger.Debug("BackupJob already started", "startedAt", j.Status.StartedAt, "phase", j.Status.Phase)
-	}
-
-	// Step 2: Resolve inputs - Read Strategy, Storage, Application, optionally Plan
-	logger.Debug("fetching Velero strategy", "strategyName", j.Spec.StrategyRef.Name)
-	veleroStrategy := &strategyv1alpha1.Velero{}
-	if err := r.Get(ctx, client.ObjectKey{Name: j.Spec.StrategyRef.Name}, veleroStrategy); err != nil {
-		if errors.IsNotFound(err) {
-			logger.Error(err, "Velero strategy not found", "strategyName", j.Spec.StrategyRef.Name)
-			return r.markBackupJobFailed(ctx, j, fmt.Sprintf("Velero strategy not found: %s", j.Spec.StrategyRef.Name))
-		}
-		logger.Error(err, "failed to get Velero strategy")
-		return ctrl.Result{}, err
-	}
-	logger.Debug("fetched Velero strategy", "strategyName", veleroStrategy.Name)
-
-	// Step 3: Execute backup logic
-	// Check if we already created a Velero Backup
-	// Use human-readable timestamp: YYYY-MM-DD-HH-MM-SS
-	if j.Status.StartedAt == nil {
-		logger.Error(nil, "StartedAt is nil after status update, this should not happen")
-		return ctrl.Result{RequeueAfter: defaultRequeueAfter}, nil
-	}
-	logger.Debug("checking for existing Velero Backup", "namespace", veleroNamespace)
-	veleroBackupList := &velerov1.BackupList{}
-	opts := []client.ListOption{
-		client.InNamespace(veleroNamespace),
-		client.MatchingLabels{
-			backupsv1alpha1.OwningJobNamespaceLabel: j.Namespace,
-			backupsv1alpha1.OwningJobNameLabel:      j.Name,
-		},
-	}
-
-	if err := r.List(ctx, veleroBackupList, opts...); err != nil {
-		logger.Error(err, "failed to get Velero Backup")
-		return ctrl.Result{}, err
-	}
-
-	if len(veleroBackupList.Items) == 0 {
-		// Create Velero Backup
-		logger.Debug("Velero Backup not found, creating new one")
-		if err := r.createVeleroBackup(ctx, j, veleroStrategy); err != nil {
-			logger.Error(err, "failed to create Velero Backup")
-			return r.markBackupJobFailed(ctx, j, fmt.Sprintf("failed to create Velero Backup: %v", err))
-		}
-		// After successful Velero backup creation, set phase to Running
-		if j.Status.Phase != backupsv1alpha1.BackupJobPhaseRunning {
-			logger.Debug("setting BackupJob phase to Running after successful Velero backup creation")
-			j.Status.Phase = backupsv1alpha1.BackupJobPhaseRunning
-			if err := r.Status().Update(ctx, j); err != nil {
-				logger.Error(err, "failed to update BackupJob phase to Running")
-				return ctrl.Result{}, err
-			}
-		}
-		logger.Debug("created Velero Backup, requeuing")
-		// Requeue to check status
-		return ctrl.Result{RequeueAfter: defaultRequeueAfter}, nil
-	}
-
-	if len(veleroBackupList.Items) > 1 {
-		logger.Error(fmt.Errorf("too many Velero backups for BackupJob"), "found more than one Velero Backup referencing a single BackupJob as owner")
-		j.Status.Phase = backupsv1alpha1.BackupJobPhaseFailed
-		if err := r.Status().Update(ctx, j); err != nil {
-			logger.Error(err, "failed to update BackupJob status")
-		}
-		return ctrl.Result{}, nil
-	}
-
-	veleroBackup := veleroBackupList.Items[0].DeepCopy()
-	logger.Debug("found existing Velero Backup", "phase", veleroBackup.Status.Phase)
-
-	// If Velero backup exists but phase is not Running, set it to Running
-	// This handles the case where the backup was created but phase wasn't set yet
-	if j.Status.Phase != backupsv1alpha1.BackupJobPhaseRunning {
-		logger.Debug("setting BackupJob phase to Running (Velero backup already exists)")
-		j.Status.Phase = backupsv1alpha1.BackupJobPhaseRunning
-		if err := r.Status().Update(ctx, j); err != nil {
-			logger.Error(err, "failed to update BackupJob phase to Running")
-			return ctrl.Result{}, err
-		}
-	}
-
-	// Check Velero Backup status
-	phase := string(veleroBackup.Status.Phase)
-	if phase == "" {
-		// Still in progress, requeue
-		return ctrl.Result{RequeueAfter: defaultActiveJobPollingInterval}, nil
-	}
-
-	// Step 4: On success - Create Backup resource and update status
-	if phase == "Completed" {
-		// Check if we already created the Backup resource
-		if j.Status.BackupRef == nil {
-			backup, err := r.createBackupResource(ctx, j, veleroBackup)
-			if err != nil {
-				return r.markBackupJobFailed(ctx, j, fmt.Sprintf("failed to create Backup resource: %v", err))
-			}
-
-			now := metav1.Now()
-			j.Status.BackupRef = &corev1.LocalObjectReference{Name: backup.Name}
-			j.Status.CompletedAt = &now
-			j.Status.Phase = backupsv1alpha1.BackupJobPhaseSucceeded
-			if err := r.Status().Update(ctx, j); err != nil {
-				logger.Error(err, "failed to update BackupJob status")
-				return ctrl.Result{}, err
-			}
-			logger.Debug("BackupJob succeeded", "backup", backup.Name)
-		}
-		return ctrl.Result{}, nil
-	}
-
-	// Step 5: On failure
-	if phase == "Failed" || phase == "PartiallyFailed" {
-		message := fmt.Sprintf("Velero Backup failed with phase: %s", phase)
-		if len(veleroBackup.Status.ValidationErrors) > 0 {
-			message = fmt.Sprintf("%s: %v", message, veleroBackup.Status.ValidationErrors)
-		}
-		return r.markBackupJobFailed(ctx, j, message)
-	}
-
-	// Still in progress (InProgress, New, etc.)
-	return ctrl.Result{RequeueAfter: 5 * time.Second}, nil
-}
-
-// resolveBucketStorageRef discovers S3 credentials from a Bucket storageRef
-// It follows this flow:
-// 1. Get the Bucket resource (apps.cozystack.io/v1alpha1)
-// 2. Find the BucketAccess that references this bucket
-// 3. Get the secret from BucketAccess.spec.credentialsSecretName
-// 4. Decode BucketInfo from secret.data.BucketInfo and extract S3 credentials
-func (r *BackupJobReconciler) resolveBucketStorageRef(ctx context.Context, storageRef corev1.TypedLocalObjectReference, namespace string) (*S3Credentials, error) {
-	logger := getLogger(ctx)
-
-	// Step 1: Get the Bucket resource
-	bucket := &unstructured.Unstructured{}
-	bucket.SetGroupVersionKind(schema.GroupVersionKind{
-		Group:   *storageRef.APIGroup,
-		Version: "v1alpha1",
-		Kind:    storageRef.Kind,
-	})
-
-	if *storageRef.APIGroup != "apps.cozystack.io" {
-		return nil, fmt.Errorf("Unsupported storage APIGroup: %v, expected apps.cozystack.io", storageRef.APIGroup)
-	}
-	bucketKey := client.ObjectKey{Namespace: namespace, Name: storageRef.Name}
-
-	if err := r.Get(ctx, bucketKey, bucket); err != nil {
-		return nil, fmt.Errorf("failed to get Bucket %s: %w", storageRef.Name, err)
-	}
-
-	// Step 2: Determine the bucket claim name
-	// For apps.cozystack.io Bucket, the BucketClaim name is typically the same as the Bucket name
-	// or follows a pattern. Based on the templates, it's usually the Release.Name which equals the Bucket name
-	bucketName := storageRef.Name
-
-	// Step 3: Get BucketAccess by name (assuming BucketAccess name matches bucketName)
-	bucketAccess := &unstructured.Unstructured{}
-	bucketAccess.SetGroupVersionKind(schema.GroupVersionKind{
-		Group:   "objectstorage.k8s.io",
-		Version: "v1alpha1",
-		Kind:    "BucketAccess",
-	})
-
-	bucketAccessKey := client.ObjectKey{Name: "bucket-" + bucketName, Namespace: namespace}
-	if err := r.Get(ctx, bucketAccessKey, bucketAccess); err != nil {
-		return nil, fmt.Errorf("failed to get BucketAccess %s in namespace %s: %w", bucketName, namespace, err)
-	}
-
-	// Step 4: Get the secret name from BucketAccess
-	secretName, found, err := unstructured.NestedString(bucketAccess.Object, "spec", "credentialsSecretName")
-	if err != nil {
-		return nil, fmt.Errorf("failed to get credentialsSecretName from BucketAccess: %w", err)
-	}
-	if !found || secretName == "" {
-		return nil, fmt.Errorf("credentialsSecretName not found in BucketAccess %s", bucketAccessKey.Name)
-	}
-
-	// Step 5: Get the secret
-	secret := &corev1.Secret{}
-	secretKey := client.ObjectKey{Namespace: namespace, Name: secretName}
-	if err := r.Get(ctx, secretKey, secret); err != nil {
-		return nil, fmt.Errorf("failed to get secret %s: %w", secretName, err)
-	}
-
-	// Step 6: Decode BucketInfo from secret.data.BucketInfo
-	bucketInfoData, found := secret.Data["BucketInfo"]
-	if !found {
-		return nil, fmt.Errorf("BucketInfo key not found in secret %s", secretName)
-	}
-
-	// Parse JSON value
-	var info bucketInfo
-	if err := json.Unmarshal(bucketInfoData, &info); err != nil {
-		return nil, fmt.Errorf("failed to unmarshal BucketInfo from secret %s: %w", secretName, err)
-	}
-
-	// Step 7: Extract and return S3 credentials
-	creds := &S3Credentials{
-		BucketName:      info.Spec.BucketName,
-		Endpoint:        info.Spec.SecretS3.Endpoint,
-		Region:          info.Spec.SecretS3.Region,
-		AccessKeyID:     info.Spec.SecretS3.AccessKeyID,
-		AccessSecretKey: info.Spec.SecretS3.AccessSecretKey,
-	}
-
-	logger.Debug("resolved S3 credentials from Bucket storageRef",
-		"bucket", storageRef.Name,
-		"bucketName", creds.BucketName,
-		"endpoint", creds.Endpoint)
-
-	return creds, nil
-}
-
-// createS3CredsForVelero creates or updates a Kubernetes Secret containing
-// Velero S3 credentials in the format expected by Velero's cloud-credentials plugin.
-func (r *BackupJobReconciler) createS3CredsForVelero(ctx context.Context, backupJob *backupsv1alpha1.BackupJob, creds *S3Credentials) error {
-	logger := getLogger(ctx)
-	secretName := storageS3SecretName(backupJob.Namespace, backupJob.Name)
-	secretNamespace := veleroNamespace
-
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      secretName,
-			Namespace: secretNamespace,
-		},
-		Type: corev1.SecretTypeOpaque,
-		StringData: map[string]string{
-			"cloud": fmt.Sprintf(`[default]
-aws_access_key_id=%s
-aws_secret_access_key=%s
-
-services = seaweed-s3
-[services seaweed-s3]
-s3 =
-    endpoint_url = %s
-`, creds.AccessKeyID, creds.AccessSecretKey, creds.Endpoint),
-		},
-	}
-
-	foundSecret := &corev1.Secret{}
-	secretKey := client.ObjectKey{Name: secretName, Namespace: secretNamespace}
-	err := r.Get(ctx, secretKey, foundSecret)
-	if err != nil && errors.IsNotFound(err) {
-		// Create the Secret
-		if err := r.Create(ctx, secret); err != nil {
-			r.Recorder.Event(backupJob, corev1.EventTypeWarning, "SecretCreationFailed",
-				fmt.Sprintf("Failed to create Velero credentials secret %s/%s: %v", secretNamespace, secretName, err))
-			return fmt.Errorf("failed to create Velero credentials secret: %w", err)
-		}
-		logger.Debug("created Velero credentials secret", "secret", secretName)
-		r.Recorder.Event(backupJob, corev1.EventTypeNormal, "SecretCreated",
-			fmt.Sprintf("Created Velero credentials secret %s/%s", secretNamespace, secretName))
-	} else if err == nil {
-		// Update if necessary - only update if the secret data has actually changed
-		// Compare the new secret data with existing secret data
-		existingData := foundSecret.Data
-		if existingData == nil {
-			existingData = make(map[string][]byte)
-		}
-		newData := make(map[string][]byte)
-		for k, v := range secret.StringData {
-			newData[k] = []byte(v)
-		}
-
-		// Check if data has changed
-		dataChanged := false
-		if len(existingData) != len(newData) {
-			dataChanged = true
-		} else {
-			for k, newVal := range newData {
-				existingVal, exists := existingData[k]
-				if !exists || !reflect.DeepEqual(existingVal, newVal) {
-					dataChanged = true
-					break
-				}
-			}
-		}
-
-		if dataChanged {
-			foundSecret.StringData = secret.StringData
-			foundSecret.Data = nil // Clear .Data so .StringData will be used
-			if err := r.Update(ctx, foundSecret); err != nil {
-				r.Recorder.Event(backupJob, corev1.EventTypeWarning, "SecretUpdateFailed",
-					fmt.Sprintf("Failed to update Velero credentials secret %s/%s: %v", secretNamespace, secretName, err))
-				return fmt.Errorf("failed to update Velero credentials secret: %w", err)
-			}
-			logger.Debug("updated Velero credentials secret", "secret", secretName)
-			r.Recorder.Event(backupJob, corev1.EventTypeNormal, "SecretUpdated",
-				fmt.Sprintf("Updated Velero credentials secret %s/%s", secretNamespace, secretName))
-		} else {
-			logger.Debug("Velero credentials secret data unchanged, skipping update", "secret", secretName)
-		}
-	} else if err != nil {
-		return fmt.Errorf("error checking for existing Velero credentials secret: %w", err)
-	}
-
-	return nil
-}
-
-// createBackupStorageLocation creates or updates a Velero BackupStorageLocation resource.
-func (r *BackupJobReconciler) createBackupStorageLocation(ctx context.Context, bsl *velerov1.BackupStorageLocation) error {
-	logger := getLogger(ctx)
-	foundBSL := &velerov1.BackupStorageLocation{}
-	bslKey := client.ObjectKey{Name: bsl.Name, Namespace: bsl.Namespace}
-
-	err := r.Get(ctx, bslKey, foundBSL)
-	if err != nil && errors.IsNotFound(err) {
-		// Create the BackupStorageLocation
-		if err := r.Create(ctx, bsl); err != nil {
-			return fmt.Errorf("failed to create BackupStorageLocation: %w", err)
-		}
-		logger.Debug("created BackupStorageLocation", "name", bsl.Name, "namespace", bsl.Namespace)
-	} else if err == nil {
-		// Update if necessary - use patch to avoid conflicts with Velero's status updates
-		// Only update if the spec has actually changed
-		if !reflect.DeepEqual(foundBSL.Spec, bsl.Spec) {
-			// Retry on conflict since Velero may be updating status concurrently
-			for i := 0; i < 3; i++ {
-				if err := r.Get(ctx, bslKey, foundBSL); err != nil {
-					return fmt.Errorf("failed to get BackupStorageLocation for update: %w", err)
-				}
-				foundBSL.Spec = bsl.Spec
-				if err := r.Update(ctx, foundBSL); err != nil {
-					if errors.IsConflict(err) && i < 2 {
-						logger.Debug("conflict updating BackupStorageLocation, retrying", "attempt", i+1)
-						time.Sleep(100 * time.Millisecond)
-						continue
-					}
-					return fmt.Errorf("failed to update BackupStorageLocation: %w", err)
-				}
-				logger.Debug("updated BackupStorageLocation", "name", bsl.Name, "namespace", bsl.Namespace)
-				return nil
-			}
-		} else {
-			logger.Debug("BackupStorageLocation spec unchanged, skipping update", "name", bsl.Name, "namespace", bsl.Namespace)
-		}
-	} else if err != nil {
-		return fmt.Errorf("error checking for existing BackupStorageLocation: %w", err)
-	}
-
-	return nil
-}
-
-// createVolumeSnapshotLocation creates or updates a Velero VolumeSnapshotLocation resource.
-func (r *BackupJobReconciler) createVolumeSnapshotLocation(ctx context.Context, vsl *velerov1.VolumeSnapshotLocation) error {
-	logger := getLogger(ctx)
-	foundVSL := &velerov1.VolumeSnapshotLocation{}
-	vslKey := client.ObjectKey{Name: vsl.Name, Namespace: vsl.Namespace}
-
-	err := r.Get(ctx, vslKey, foundVSL)
-	if err != nil && errors.IsNotFound(err) {
-		// Create the VolumeSnapshotLocation
-		if err := r.Create(ctx, vsl); err != nil {
-			return fmt.Errorf("failed to create VolumeSnapshotLocation: %w", err)
-		}
-		logger.Debug("created VolumeSnapshotLocation", "name", vsl.Name, "namespace", vsl.Namespace)
-	} else if err == nil {
-		// Update if necessary - only update if the spec has actually changed
-		if !reflect.DeepEqual(foundVSL.Spec, vsl.Spec) {
-			// Retry on conflict since Velero may be updating status concurrently
-			for i := 0; i < 3; i++ {
-				if err := r.Get(ctx, vslKey, foundVSL); err != nil {
-					return fmt.Errorf("failed to get VolumeSnapshotLocation for update: %w", err)
-				}
-				foundVSL.Spec = vsl.Spec
-				if err := r.Update(ctx, foundVSL); err != nil {
-					if errors.IsConflict(err) && i < 2 {
-						logger.Debug("conflict updating VolumeSnapshotLocation, retrying", "attempt", i+1)
-						time.Sleep(100 * time.Millisecond)
-						continue
-					}
-					return fmt.Errorf("failed to update VolumeSnapshotLocation: %w", err)
-				}
-				logger.Debug("updated VolumeSnapshotLocation", "name", vsl.Name, "namespace", vsl.Namespace)
-				return nil
-			}
-		} else {
-			logger.Debug("VolumeSnapshotLocation spec unchanged, skipping update", "name", vsl.Name, "namespace", vsl.Namespace)
-		}
-	} else if err != nil {
-		return fmt.Errorf("error checking for existing VolumeSnapshotLocation: %w", err)
-	}
-
-	return nil
-}
-
-func (r *BackupJobReconciler) markBackupJobFailed(ctx context.Context, backupJob *backupsv1alpha1.BackupJob, message string) (ctrl.Result, error) {
-	logger := getLogger(ctx)
-	now := metav1.Now()
-	backupJob.Status.CompletedAt = &now
-	backupJob.Status.Phase = backupsv1alpha1.BackupJobPhaseFailed
-	backupJob.Status.Message = message
-
-	// Add condition
-	backupJob.Status.Conditions = append(backupJob.Status.Conditions, metav1.Condition{
-		Type:               "Ready",
-		Status:             metav1.ConditionFalse,
-		Reason:             "BackupFailed",
-		Message:            message,
-		LastTransitionTime: now,
-	})
-
-	if err := r.Status().Update(ctx, backupJob); err != nil {
-		logger.Error(err, "failed to update BackupJob status to Failed")
-		return ctrl.Result{}, err
-	}
-	logger.Debug("BackupJob failed", "message", message)
+	_ = log.FromContext(ctx)
 	return ctrl.Result{}, nil
 }
-
-func (r *BackupJobReconciler) createVeleroBackup(ctx context.Context, backupJob *backupsv1alpha1.BackupJob, strategy *strategyv1alpha1.Velero) error {
-	logger := getLogger(ctx)
-	logger.Debug("createVeleroBackup called", "strategy", strategy.Name)
-
-	mapping, err := r.RESTMapping(schema.GroupKind{Group: *backupJob.Spec.ApplicationRef.APIGroup, Kind: backupJob.Spec.ApplicationRef.Kind})
-	if err != nil {
-		return err
-	}
-	ns := backupJob.Namespace
-	if mapping.Scope.Name() != meta.RESTScopeNameNamespace {
-		ns = ""
-	}
-	app, err := r.Resource(mapping.Resource).Namespace(ns).Get(ctx, backupJob.Spec.ApplicationRef.Name, metav1.GetOptions{})
-	if err != nil {
-		return err
-	}
-
-	veleroBackupSpec, err := template.Template(&strategy.Spec.Template.Spec, app.Object)
-	if err != nil {
-		return err
-	}
-	veleroBackup := &velerov1.Backup{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: fmt.Sprintf("%s.%s-", backupJob.Namespace, backupJob.Name),
-			Namespace:    veleroNamespace,
-			Labels: map[string]string{
-				backupsv1alpha1.OwningJobNameLabel:      backupJob.Name,
-				backupsv1alpha1.OwningJobNamespaceLabel: backupJob.Namespace,
-			},
-		},
-		Spec: *veleroBackupSpec,
-	}
-	name := veleroBackup.GenerateName
-	if err := r.Create(ctx, veleroBackup); err != nil {
-		if veleroBackup.Name != "" {
-			name = veleroBackup.Name
-		}
-		logger.Error(err, "failed to create Velero Backup", "name", veleroBackup.Name)
-		r.Recorder.Event(backupJob, corev1.EventTypeWarning, "VeleroBackupCreationFailed",
-			fmt.Sprintf("Failed to create Velero Backup %s/%s: %v", veleroNamespace, name, err))
-		return err
-	}
-
-	logger.Debug("created Velero Backup", "name", veleroBackup.Name, "namespace", veleroBackup.Namespace)
-	r.Recorder.Event(backupJob, corev1.EventTypeNormal, "VeleroBackupCreated",
-		fmt.Sprintf("Created Velero Backup %s/%s", veleroNamespace, name))
-	return nil
-}
-
-func (r *BackupJobReconciler) createBackupResource(ctx context.Context, backupJob *backupsv1alpha1.BackupJob, veleroBackup *velerov1.Backup) (*backupsv1alpha1.Backup, error) {
-	logger := getLogger(ctx)
-	// Extract artifact information from Velero Backup
-	// Create a basic artifact referencing the Velero backup
-	artifact := &backupsv1alpha1.BackupArtifact{
-		URI: fmt.Sprintf("velero://%s/%s", backupJob.Namespace, veleroBackup.Name),
-	}
-
-	// Get takenAt from Velero Backup creation timestamp or status
-	takenAt := metav1.Now()
-	if veleroBackup.Status.StartTimestamp != nil {
-		takenAt = *veleroBackup.Status.StartTimestamp
-	} else if !veleroBackup.CreationTimestamp.IsZero() {
-		takenAt = veleroBackup.CreationTimestamp
-	}
-
-	// Extract driver metadata (e.g., Velero backup name)
-	driverMetadata := map[string]string{
-		"velero.io/backup-name":      veleroBackup.Name,
-		"velero.io/backup-namespace": veleroBackup.Namespace,
-	}
-
-	backup := &backupsv1alpha1.Backup{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      fmt.Sprintf("%s", backupJob.Name),
-			Namespace: backupJob.Namespace,
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					APIVersion: backupJob.APIVersion,
-					Kind:       backupJob.Kind,
-					Name:       backupJob.Name,
-					UID:        backupJob.UID,
-					Controller: boolPtr(true),
-				},
-			},
-		},
-		Spec: backupsv1alpha1.BackupSpec{
-			ApplicationRef: backupJob.Spec.ApplicationRef,
-			StorageRef:     backupJob.Spec.StorageRef,
-			StrategyRef:    backupJob.Spec.StrategyRef,
-			TakenAt:        takenAt,
-			DriverMetadata: driverMetadata,
-		},
-		Status: backupsv1alpha1.BackupStatus{
-			Phase: backupsv1alpha1.BackupPhaseReady,
-		},
-	}
-
-	if backupJob.Spec.PlanRef != nil {
-		backup.Spec.PlanRef = backupJob.Spec.PlanRef
-	}
-
-	if artifact != nil {
-		backup.Status.Artifact = artifact
-	}
-
-	if err := r.Create(ctx, backup); err != nil {
-		logger.Error(err, "failed to create Backup resource")
-		return nil, err
-	}
-
-	logger.Debug("created Backup resource", "name", backup.Name)
-	return backup, nil
-}

internal/template/template.go

@@ -1,68 +0,0 @@
-package template
-
-import (
-	"bytes"
-	"encoding/json"
-	tmpl "text/template"
-)
-
-func Template[T any](obj *T, templateContext map[string]any) (*T, error) {
-	b, err := json.Marshal(obj)
-	if err != nil {
-		return nil, err
-	}
-	var unstructured any
-	err = json.Unmarshal(b, &unstructured)
-	if err != nil {
-		return nil, err
-	}
-	templateFunc := func(in string) string {
-		out, err := template(in, templateContext)
-		if err != nil {
-			return in
-		}
-		return out
-	}
-	unstructured = mapAtStrings(unstructured, templateFunc)
-	b, err = json.Marshal(unstructured)
-	if err != nil {
-		return nil, err
-	}
-	var out T
-	err = json.Unmarshal(b, &out)
-	if err != nil {
-		return nil, err
-	}
-	return &out, nil
-}
-
-func mapAtStrings(v any, f func(string) string) any {
-	switch x := v.(type) {
-	case map[string]any:
-		for k, val := range x {
-			x[k] = mapAtStrings(val, f)
-		}
-		return x
-	case []any:
-		for i, val := range x {
-			x[i] = mapAtStrings(val, f)
-		}
-		return x
-	case string:
-		return f(x)
-	default:
-		return v
-	}
-}
-
-func template(in string, templateContext map[string]any) (string, error) {
-	tpl, err := tmpl.New("this").Parse(in)
-	if err != nil {
-		return "", err
-	}
-	var buf bytes.Buffer
-	if err := tpl.Execute(&buf, templateContext); err != nil {
-		return "", err
-	}
-	return buf.String(), nil
-}

internal/template/template_test.go

@@ -1,68 +0,0 @@
-package template
-
-import (
-	"encoding/json"
-	"testing"
-
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func TestTemplate_PodTemplateSpec(t *testing.T) {
-	original := corev1.PodTemplateSpec{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "my-pod",
-			Labels: map[string]string{
-				"app": "demo",
-			},
-			Annotations: map[string]string{
-				"note": "hello",
-			},
-		},
-		Spec: corev1.PodSpec{
-			Containers: []corev1.Container{
-				{
-					Name:  "{{ .Release.Name }}",
-					Image: "nginx:1.21",
-					Args:  []string{"--flag={{ .Values.value }}"},
-					Env: []corev1.EnvVar{
-						{
-							Name:  "FOO",
-							Value: "{{ .Release.Namespace }}",
-						},
-					},
-				},
-			},
-		},
-	}
-	templateContext := map[string]any{
-		"Release": map[string]any{
-			"Name":      "foo",
-			"Namespace": "notdefault",
-		},
-		"Values": map[string]any{
-			"value": 3,
-		},
-	}
-	reference := *original.DeepCopy()
-	reference.Spec.Containers[0].Name = "foo"
-	reference.Spec.Containers[0].Args[0] = "--flag=3"
-	reference.Spec.Containers[0].Env[0].Value = "notdefault"
-	got, err := Template(&original, templateContext)
-	if err != nil {
-		t.Fatalf("Template returned error: %v", err)
-	}
-	b1, err := json.Marshal(reference)
-	t.Logf("reference:\n%s", string(b1))
-	if err != nil {
-		t.Fatalf("failed to marshal reference value: %v", err)
-	}
-	b2, err := json.Marshal(got)
-	t.Logf("got:\n%s", string(b2))
-	if err != nil {
-		t.Fatalf("failed to marshal transformed value: %v", err)
-	}
-	if string(b1) != string(b2) {
-		t.Fatalf("transformed value not equal to reference value, expected: %s, got: %s", string(b1), string(b2))
-	}
-}

packages/apps/bucket/.helmignore

@@ -0,0 +1,4 @@
+.helmignore
+/logos
+/Makefile
+/hack

packages/apps/bucket/hack/bucket-lock.sh

@@ -0,0 +1,78 @@
+#!/bin/sh
+
+set -e
+
+usage() {
+    echo "Usage: $0 <lock|unlock> <namespace> <bucket-name>"
+    echo ""
+    echo "Commands:"
+    echo "  lock    - Block deletion and modification of objects in the bucket"
+    echo "  unlock  - Restore full access to the bucket"
+    echo ""
+    echo "Example:"
+    echo "  $0 lock tenant-root somebucket"
+    echo "  $0 unlock tenant-root somebucket"
+    exit 1
+}
+
+if [ $# -ne 3 ]; then
+    usage
+fi
+
+ACTION="$1"
+NAMESPACE="$2"
+BUCKET_NAME="$3"
+
+if [ "$ACTION" != "lock" ] && [ "$ACTION" != "unlock" ]; then
+    echo "Error: First argument must be 'lock' or 'unlock'"
+    usage
+fi
+
+# Check if bucket exists
+if ! kubectl get buckets.apps.cozystack.io -n "$NAMESPACE" "$BUCKET_NAME" > /dev/null 2>&1; then
+    echo "Error: Bucket '$BUCKET_NAME' not found in namespace '$NAMESPACE'"
+    exit 1
+fi
+
+# Get secret and extract bucket config and bucket name using go-template + jq
+SECRET_NAME="bucket-$BUCKET_NAME"
+BUCKET_INFO=$(kubectl get secret -n "$NAMESPACE" "$SECRET_NAME" -o go-template='{{ .data.BucketInfo | base64decode }}')
+BUCKET_CONFIG=$(echo "$BUCKET_INFO" | jq -r '.metadata.name')
+S3_BUCKET_NAME=$(echo "$BUCKET_INFO" | jq -r '.spec.bucketName')
+
+# Convert bc- prefix to ba- for bucket account username
+BUCKET_ACCOUNT=$(echo "$BUCKET_CONFIG" | sed 's/^bc-/ba-/')
+
+if [ -z "$BUCKET_ACCOUNT" ] || [ -z "$S3_BUCKET_NAME" ]; then
+    echo "Error: Could not extract bucket account or bucket name from secret '$SECRET_NAME'"
+    exit 1
+fi
+
+# Get seaweedfs namespace from namespace annotation
+SEAWEEDFS_NS=$(kubectl get namespace "$NAMESPACE" -o jsonpath='{.metadata.annotations.namespace\.cozystack\.io/seaweedfs}')
+
+if [ -z "$SEAWEEDFS_NS" ]; then
+    echo "Error: Could not find seaweedfs namespace annotation on namespace '$NAMESPACE'"
+    exit 1
+fi
+
+# Build the s3.configure command
+ACTIONS="Read:$S3_BUCKET_NAME,Write:$S3_BUCKET_NAME,List:$S3_BUCKET_NAME,Tagging:$S3_BUCKET_NAME"
+
+if [ "$ACTION" = "lock" ]; then
+    S3_CMD="s3.configure -actions $ACTIONS -user $BUCKET_ACCOUNT --delete --apply"
+    echo "Locking bucket '$BUCKET_NAME' in namespace '$NAMESPACE'..."
+else
+    S3_CMD="s3.configure -actions $ACTIONS -user $BUCKET_ACCOUNT --apply"
+    echo "Unlocking bucket '$BUCKET_NAME' in namespace '$NAMESPACE'..."
+fi
+
+echo "Executing command in seaweedfs-master-0 (namespace: $SEAWEEDFS_NS):"
+echo "  $S3_CMD"
+echo ""
+
+# Execute the command
+echo "$S3_CMD" | kubectl exec -i -n "$SEAWEEDFS_NS" seaweedfs-master-0 -- weed shell
+
+echo ""
+echo "Done. Bucket '$BUCKET_NAME' has been ${ACTION}ed."

packages/core/platform/bundles/distro-full.yaml

@@ -62,155 +62,11 @@ releases:
   namespace: cozy-system
   dependsOn: [cilium]
 
-- name: bootbox-rd
-  releaseName: bootbox-rd
-  chart: bootbox-rd
+- name: cozystack-resource-definitions
+  releaseName: cozystack-resource-definitions
+  chart: cozystack-resource-definitions
   namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: bucket-rd
-  releaseName: bucket-rd
-  chart: bucket-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: clickhouse-rd
-  releaseName: clickhouse-rd
-  chart: clickhouse-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: etcd-rd
-  releaseName: etcd-rd
-  chart: etcd-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: ferretdb-rd
-  releaseName: ferretdb-rd
-  chart: ferretdb-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: foundationdb-rd
-  releaseName: foundationdb-rd
-  chart: foundationdb-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: http-cache-rd
-  releaseName: http-cache-rd
-  chart: http-cache-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: info-rd
-  releaseName: info-rd
-  chart: info-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: ingress-rd
-  releaseName: ingress-rd
-  chart: ingress-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: kafka-rd
-  releaseName: kafka-rd
-  chart: kafka-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: kubernetes-rd
-  releaseName: kubernetes-rd
-  chart: kubernetes-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: monitoring-rd
-  releaseName: monitoring-rd
-  chart: monitoring-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: mysql-rd
-  releaseName: mysql-rd
-  chart: mysql-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: nats-rd
-  releaseName: nats-rd
-  chart: nats-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: postgres-rd
-  releaseName: postgres-rd
-  chart: postgres-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: rabbitmq-rd
-  releaseName: rabbitmq-rd
-  chart: rabbitmq-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: redis-rd
-  releaseName: redis-rd
-  chart: redis-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: seaweedfs-rd
-  releaseName: seaweedfs-rd
-  chart: seaweedfs-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: tcp-balancer-rd
-  releaseName: tcp-balancer-rd
-  chart: tcp-balancer-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: tenant-rd
-  releaseName: tenant-rd
-  chart: tenant-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: virtual-machine-rd
-  releaseName: virtual-machine-rd
-  chart: virtual-machine-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: virtualprivatecloud-rd
-  releaseName: virtualprivatecloud-rd
-  chart: virtualprivatecloud-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: vm-disk-rd
-  releaseName: vm-disk-rd
-  chart: vm-disk-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: vm-instance-rd
-  releaseName: vm-instance-rd
-  chart: vm-instance-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: vpn-rd
-  releaseName: vpn-rd
-  chart: vpn-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
+  dependsOn: [cilium,cozystack-controller,cozystack-resource-definition-crd]
 
 - name: cert-manager
   releaseName: cert-manager

packages/core/platform/bundles/paas-full.yaml

@@ -112,155 +112,11 @@ releases:
   namespace: cozy-system
   dependsOn: [cilium,kubeovn,cozystack-api,cozystack-controller]
 
-- name: bootbox-rd
-  releaseName: bootbox-rd
-  chart: bootbox-rd
+- name: cozystack-resource-definitions
+  releaseName: cozystack-resource-definitions
+  chart: cozystack-resource-definitions
   namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: bucket-rd
-  releaseName: bucket-rd
-  chart: bucket-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: clickhouse-rd
-  releaseName: clickhouse-rd
-  chart: clickhouse-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: etcd-rd
-  releaseName: etcd-rd
-  chart: etcd-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: ferretdb-rd
-  releaseName: ferretdb-rd
-  chart: ferretdb-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: foundationdb-rd
-  releaseName: foundationdb-rd
-  chart: foundationdb-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: http-cache-rd
-  releaseName: http-cache-rd
-  chart: http-cache-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: info-rd
-  releaseName: info-rd
-  chart: info-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: ingress-rd
-  releaseName: ingress-rd
-  chart: ingress-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: kafka-rd
-  releaseName: kafka-rd
-  chart: kafka-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: kubernetes-rd
-  releaseName: kubernetes-rd
-  chart: kubernetes-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: monitoring-rd
-  releaseName: monitoring-rd
-  chart: monitoring-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: mysql-rd
-  releaseName: mysql-rd
-  chart: mysql-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: nats-rd
-  releaseName: nats-rd
-  chart: nats-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: postgres-rd
-  releaseName: postgres-rd
-  chart: postgres-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: rabbitmq-rd
-  releaseName: rabbitmq-rd
-  chart: rabbitmq-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: redis-rd
-  releaseName: redis-rd
-  chart: redis-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: seaweedfs-rd
-  releaseName: seaweedfs-rd
-  chart: seaweedfs-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: tcp-balancer-rd
-  releaseName: tcp-balancer-rd
-  chart: tcp-balancer-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: tenant-rd
-  releaseName: tenant-rd
-  chart: tenant-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: virtual-machine-rd
-  releaseName: virtual-machine-rd
-  chart: virtual-machine-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: virtualprivatecloud-rd
-  releaseName: virtualprivatecloud-rd
-  chart: virtualprivatecloud-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: vm-disk-rd
-  releaseName: vm-disk-rd
-  chart: vm-disk-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: vm-instance-rd
-  releaseName: vm-instance-rd
-  chart: vm-instance-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: vpn-rd
-  releaseName: vpn-rd
-  chart: vpn-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
+  dependsOn: [cilium,kubeovn,cozystack-api,cozystack-controller,cozystack-resource-definition-crd]
 
 - name: cert-manager
   releaseName: cert-manager

packages/core/platform/bundles/paas-hosted.yaml

@@ -55,155 +55,11 @@ releases:
   namespace: cozy-system
   dependsOn: [cozystack-api,cozystack-controller]
 
-- name: bootbox-rd
-  releaseName: bootbox-rd
-  chart: bootbox-rd
+- name: cozystack-resource-definitions
+  releaseName: cozystack-resource-definitions
+  chart: cozystack-resource-definitions
   namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: bucket-rd
-  releaseName: bucket-rd
-  chart: bucket-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: clickhouse-rd
-  releaseName: clickhouse-rd
-  chart: clickhouse-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: etcd-rd
-  releaseName: etcd-rd
-  chart: etcd-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: ferretdb-rd
-  releaseName: ferretdb-rd
-  chart: ferretdb-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: foundationdb-rd
-  releaseName: foundationdb-rd
-  chart: foundationdb-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: http-cache-rd
-  releaseName: http-cache-rd
-  chart: http-cache-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: info-rd
-  releaseName: info-rd
-  chart: info-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: ingress-rd
-  releaseName: ingress-rd
-  chart: ingress-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: kafka-rd
-  releaseName: kafka-rd
-  chart: kafka-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: kubernetes-rd
-  releaseName: kubernetes-rd
-  chart: kubernetes-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: monitoring-rd
-  releaseName: monitoring-rd
-  chart: monitoring-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: mysql-rd
-  releaseName: mysql-rd
-  chart: mysql-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: nats-rd
-  releaseName: nats-rd
-  chart: nats-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: postgres-rd
-  releaseName: postgres-rd
-  chart: postgres-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: rabbitmq-rd
-  releaseName: rabbitmq-rd
-  chart: rabbitmq-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: redis-rd
-  releaseName: redis-rd
-  chart: redis-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: seaweedfs-rd
-  releaseName: seaweedfs-rd
-  chart: seaweedfs-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: tcp-balancer-rd
-  releaseName: tcp-balancer-rd
-  chart: tcp-balancer-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: tenant-rd
-  releaseName: tenant-rd
-  chart: tenant-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: virtual-machine-rd
-  releaseName: virtual-machine-rd
-  chart: virtual-machine-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: virtualprivatecloud-rd
-  releaseName: virtualprivatecloud-rd
-  chart: virtualprivatecloud-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: vm-disk-rd
-  releaseName: vm-disk-rd
-  chart: vm-disk-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: vm-instance-rd
-  releaseName: vm-instance-rd
-  chart: vm-instance-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
-
-- name: vpn-rd
-  releaseName: vpn-rd
-  chart: vpn-rd
-  namespace: cozy-system
-  dependsOn: [cozystack-resource-definition-crd]
+  dependsOn: [cozystack-api,cozystack-controller,cozystack-resource-definition-crd]
 
 - name: cert-manager
   releaseName: cert-manager

packages/extra/etcd/templates/etcd-defrag.yaml

@@ -12,13 +12,6 @@ spec:
           containers:
           - name: etcd-defrag
             image: ghcr.io/ahrtr/etcd-defrag:v0.13.0
-            resources:
-              requests:
-                cpu: 200m
-                memory: 256Mi
-              limits:
-                cpu: 500m
-                memory: 512Mi
             args:
             - --endpoints={{ range $i, $e := until (int .Values.replicas) }}{{ if $i }},{{ end }}https://{{ $.Release.Name }}-{{ $i }}.{{ $.Release.Name }}-headless.{{ $.Release.Namespace }}.svc:2379{{ end }}
             - --cacert=/etc/etcd/pki/client/cert/ca.crt

packages/system/backup-controller/definitions/backups.cozystack.io_backupjobs.yaml

@@ -14,11 +14,7 @@ spec:
     singular: backupjob
   scope: Namespaced
   versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.phase
-      name: Phase
-      type: string
-    name: v1alpha1
+  - name: v1alpha1
     schema:
       openAPIV3Schema:
         description: |-
@@ -237,5 +233,3 @@ spec:
     - jsonPath: .spec.applicationRef.name
     served: true
     storage: true
-    subresources:
-      status: {}

packages/system/backup-controller/templates/rbac.yaml

@@ -8,25 +8,4 @@ rules:
   verbs: ["get", "list", "watch"]
 - apiGroups: ["backups.cozystack.io"]
   resources: ["backupjobs"]
-  verbs: ["create", "get", "list", "watch", "update", "patch"]
-- apiGroups: ["backups.cozystack.io"]
-  resources: ["backupjobs/status"]
-  verbs: ["get", "update", "patch"]
-- apiGroups: ["backups.cozystack.io"]
-  resources: ["backups"]
   verbs: ["create", "get", "list", "watch"]
-- apiGroups: ["apps.cozystack.io"]
-  resources: ["buckets", "bucketaccesses", "virtualmachines"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["objectstorage.k8s.io"]
-  resources: ["buckets", "bucketaccesses"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create", "get", "list", "watch", "update", "patch"]
-- apiGroups: ["kubevirt.io"]
-  resources: ["virtualmachines"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["velero.io"]
-  resources: ["backups", "backupstoragelocations", "volumesnapshotlocations", "restores"]
-  verbs: ["create", "get", "list", "watch", "update", "patch"]

packages/system/backup-controller/templates/strategy.yaml

@@ -1,5 +0,0 @@
-apiVersion: strategy.backups.cozystack.io/v1alpha1
-kind: Velero
-metadata:
-  name: velero-strategy-default
-spec: {}

packages/system/bucket-rd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: bucket-rd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/bucket-rd/Makefile

@@ -1,4 +0,0 @@
-export NAME=bucket-rd
-export NAMESPACE=cozy-system
-
-include ../../../scripts/package.mk

packages/system/bucket-rd/templates/cozyrd.yaml

@@ -1,4 +0,0 @@
-{{- range $path, $_ := .Files.Glob "cozyrds/*" }}
----
-{{ $.Files.Get $path }}
-{{- end }}

packages/system/bucket-rd/values.yaml

@@ -1 +0,0 @@
-{}

packages/system/clickhouse-rd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: clickhouse-rd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/clickhouse-rd/Makefile

@@ -1,4 +0,0 @@
-export NAME=clickhouse-rd
-export NAMESPACE=cozy-system
-
-include ../../../scripts/package.mk

packages/system/clickhouse-rd/templates/cozyrd.yaml

@@ -1,4 +0,0 @@
-{{- range $path, $_ := .Files.Glob "cozyrds/*" }}
----
-{{ $.Files.Get $path }}
-{{- end }}

packages/system/clickhouse-rd/values.yaml

@@ -1 +0,0 @@
-{}

packages/system/cozystack-resource-definitions/Chart.yaml

@@ -1,3 +1,3 @@
 apiVersion: v2
-name: bootbox-rd
+name: cozystack-resource-definitions
 version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/cozystack-resource-definitions/Makefile

@@ -1,4 +1,4 @@
-export NAME=bootbox-rd
+export NAME=cozystack-resource-definitions
 export NAMESPACE=cozy-system
 
 include ../../../scripts/package.mk

packages/system/cozystack-values/Chart.yaml

@@ -1,4 +0,0 @@
-apiVersion: v2
-name: cozy-cozystack-values
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
-

packages/system/cozystack-values/helmrelease.yaml

@@ -1,65 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: cozystack-values
-  namespace: tenant-root
-  labels:
-    cozystack.io/repository: system
-    cozystack.io/system-app: "true"
-spec:
-  interval: 5m
-  releaseName: cozystack-values
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    remediation:
-      retries: -1
-  chart:
-    spec:
-      chart: cozy-cozystack-values
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
-  valuesFrom:
-    # Cluster configuration from cozystack ConfigMap
-    # The ConfigMap data keys (root-host, bundle-name, etc.) will be mapped to _cluster
-    - kind: ConfigMap
-      name: cozystack
-      namespace: cozy-system
-      targetPath: _cluster
-    # Branding configuration from cozystack-branding ConfigMap
-    # All keys from the ConfigMap data will be nested under _cluster.branding
-    - kind: ConfigMap
-      name: cozystack-branding
-      namespace: cozy-system
-      targetPath: _cluster.branding
-      optional: true
-    # Scheduling configuration from cozystack-scheduling ConfigMap
-    # All keys from the ConfigMap data will be nested under _cluster.scheduling
-    - kind: ConfigMap
-      name: cozystack-scheduling
-      namespace: cozy-system
-      targetPath: _cluster.scheduling
-      optional: true
-    # Kube root CA from kube-root-ca.crt ConfigMap
-    # Extract the ca.crt key and place it at _cluster.kubeRootCa
-    - kind: ConfigMap
-      name: kube-root-ca.crt
-      namespace: kube-system
-      targetPath: _cluster.kubeRootCa
-      valuesKey: ca.crt
-      optional: true
-  values:
-    _namespace:
-      etcd: tenant-root
-      monitoring: tenant-root
-      ingress: tenant-root
-      seaweedfs: tenant-root
-      # host will be determined from _cluster.root-host or tenantRootHost
-      # Default to example.org if neither is set
-      host: "example.org"
-

packages/system/cozystack-values/templates/secret.yaml

@@ -1,54 +0,0 @@
-{{- /* Default values for _cluster config to ensure all required keys exist */}}
-{{- $clusterDefaults := dict
-    "root-host" ""
-    "bundle-name" ""
-    "clusterissuer" "http01"
-    "oidc-enabled" "false"
-    "expose-services" ""
-    "expose-ingress" "tenant-root"
-    "expose-external-ips" ""
-    "cluster-domain" "cozy.local"
-    "api-server-endpoint" ""
-}}
-{{- $clusterConfig := mergeOverwrite $clusterDefaults (.Values._cluster | default dict) }}
-{{- $host := .Values._namespace.host | default "example.org" }}
-{{- if .Values._cluster }}
-  {{- if index .Values._cluster "root-host" }}
-    {{- $host = index .Values._cluster "root-host" }}
-  {{- end }}
-{{- end }}
-{{- /* Check if tenant-root HelmRelease host value is available */}}
-{{- if .Values.tenantRootHost }}
-  {{- $host = .Values.tenantRootHost }}
-{{- end }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cozystack-values
-  namespace: {{ .Values._namespace.etcd | default "tenant-root" }}
-  labels:
-    reconcile.fluxcd.io/watch: Enabled
-type: Opaque
-stringData:
-  values.yaml: |
-    _cluster:
-      {{- $clusterConfig | toYaml | nindent 6 }}
-      {{- with .Values._cluster.branding }}
-      branding:
-        {{- . | toYaml | nindent 8 }}
-      {{- end }}
-      {{- with .Values._cluster.scheduling }}
-      scheduling:
-        {{- . | toYaml | nindent 8 }}
-      {{- end }}
-      {{- with .Values._cluster.kubeRootCa }}
-      kube-root-ca: {{ . | b64enc | quote }}
-      {{- end }}
-    _namespace:
-      etcd: {{ .Values._namespace.etcd | default "tenant-root" | quote }}
-      monitoring: {{ .Values._namespace.monitoring | default "tenant-root" | quote }}
-      ingress: {{ .Values._namespace.ingress | default "tenant-root" | quote }}
-      seaweedfs: {{ .Values._namespace.seaweedfs | default "tenant-root" | quote }}
-      host: {{ $host | quote }}
-

packages/system/cozystack-values/values.yaml

@@ -1,18 +0,0 @@
-# Default values for cozystack-values chart
-# These values will be populated via valuesFrom in the HelmRelease
-
-# Cluster configuration from cozystack ConfigMap
-# The ConfigMap data keys will be mapped directly to _cluster
-_cluster: {}
-
-# Namespace configuration
-_namespace:
-  etcd: tenant-root
-  monitoring: tenant-root
-  ingress: tenant-root
-  seaweedfs: tenant-root
-  host: "example.org"
-
-# Host value from tenant-root HelmRelease (if available)
-tenantRootHost: ""
-

packages/system/etcd-rd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: etcd-rd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/etcd-rd/Makefile

@@ -1,4 +0,0 @@
-export NAME=etcd-rd
-export NAMESPACE=cozy-system
-
-include ../../../scripts/package.mk

packages/system/etcd-rd/templates/cozyrd.yaml

@@ -1,4 +0,0 @@
-{{- range $path, $_ := .Files.Glob "cozyrds/*" }}
----
-{{ $.Files.Get $path }}
-{{- end }}

packages/system/etcd-rd/values.yaml

@@ -1 +0,0 @@
-{}

packages/system/ferretdb-rd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: ferretdb-rd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/ferretdb-rd/Makefile

@@ -1,4 +0,0 @@
-export NAME=ferretdb-rd
-export NAMESPACE=cozy-system
-
-include ../../../scripts/package.mk

packages/system/ferretdb-rd/templates/cozyrd.yaml

@@ -1,4 +0,0 @@
-{{- range $path, $_ := .Files.Glob "cozyrds/*" }}
----
-{{ $.Files.Get $path }}
-{{- end }}

packages/system/ferretdb-rd/values.yaml

@@ -1 +0,0 @@
-{}

packages/system/foundationdb-rd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: foundationdb-rd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/foundationdb-rd/Makefile

@@ -1,4 +0,0 @@
-export NAME=foundationdb-rd
-export NAMESPACE=cozy-system
-
-include ../../../scripts/package.mk

packages/system/foundationdb-rd/templates/cozyrd.yaml

@@ -1,4 +0,0 @@
-{{- range $path, $_ := .Files.Glob "cozyrds/*" }}
----
-{{ $.Files.Get $path }}
-{{- end }}

packages/system/foundationdb-rd/values.yaml

@@ -1 +0,0 @@
-{}

packages/system/http-cache-rd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: http-cache-rd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/http-cache-rd/Makefile

@@ -1,4 +0,0 @@
-export NAME=http-cache-rd
-export NAMESPACE=cozy-system
-
-include ../../../scripts/package.mk

packages/system/http-cache-rd/templates/cozyrd.yaml

@@ -1,4 +0,0 @@
-{{- range $path, $_ := .Files.Glob "cozyrds/*" }}
----
-{{ $.Files.Get $path }}
-{{- end }}

packages/system/http-cache-rd/values.yaml

@@ -1 +0,0 @@
-{}

packages/system/info-rd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: info-rd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/info-rd/Makefile

@@ -1,4 +0,0 @@
-export NAME=info-rd
-export NAMESPACE=cozy-system
-
-include ../../../scripts/package.mk

packages/system/info-rd/templates/cozyrd.yaml

@@ -1,4 +0,0 @@
-{{- range $path, $_ := .Files.Glob "cozyrds/*" }}
----
-{{ $.Files.Get $path }}
-{{- end }}

packages/system/info-rd/values.yaml

@@ -1 +0,0 @@
-{}

packages/system/ingress-rd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: ingress-rd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/ingress-rd/Makefile

@@ -1,4 +0,0 @@
-export NAME=ingress-rd
-export NAMESPACE=cozy-system
-
-include ../../../scripts/package.mk

packages/system/ingress-rd/templates/cozyrd.yaml

@@ -1,4 +0,0 @@
-{{- range $path, $_ := .Files.Glob "cozyrds/*" }}
----
-{{ $.Files.Get $path }}
-{{- end }}

packages/system/ingress-rd/values.yaml

@@ -1 +0,0 @@
-{}

packages/system/kafka-rd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: kafka-rd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/kafka-rd/Makefile

@@ -1,4 +0,0 @@
-export NAME=kafka-rd
-export NAMESPACE=cozy-system
-
-include ../../../scripts/package.mk

packages/system/kafka-rd/templates/cozyrd.yaml

@@ -1,4 +0,0 @@
-{{- range $path, $_ := .Files.Glob "cozyrds/*" }}
----
-{{ $.Files.Get $path }}
-{{- end }}

packages/system/kafka-rd/values.yaml

@@ -1 +0,0 @@
-{}

packages/system/kubernetes-rd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: kubernetes-rd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/kubernetes-rd/Makefile

@@ -1,4 +0,0 @@
-export NAME=kubernetes-rd
-export NAMESPACE=cozy-system
-
-include ../../../scripts/package.mk