Fixed packages name conversion in migration script (#2144)

<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
Fixed migrate-to-version-1.0.sh script to properly convert packages names.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated migration tooling to improve package configuration handling
during version upgrades.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

.github/CODEOWNERS

@@ -1 +1 @@
-* @kvaps @lllamnyp @lexfrei @androndo @IvanHunters
+* @kvaps @lllamnyp @lexfrei @androndo @IvanHunters @sircthulhu

Makefile

@@ -1,4 +1,4 @@
-.PHONY: manifests assets unit-tests helm-unit-tests verify-crds
+.PHONY: manifests assets unit-tests helm-unit-tests
 
 include hack/common-envs.mk
 
@@ -38,24 +38,21 @@ build: build-deps
 
 manifests:
 	mkdir -p _out/assets
-	cat packages/core/installer/crds/*.yaml > _out/assets/cozystack-crds.yaml
+	cat internal/crdinstall/manifests/*.yaml > _out/assets/cozystack-crds.yaml
 	# Talos variant (default)
 	helm template installer packages/core/installer -n cozy-system \
-		-s templates/cozystack-operator.yaml \
-		-s templates/packagesource.yaml \
+		--show-only templates/cozystack-operator.yaml \
 		> _out/assets/cozystack-operator-talos.yaml
 	# Generic Kubernetes variant (k3s, kubeadm, RKE2)
 	helm template installer packages/core/installer -n cozy-system \
 		--set cozystackOperator.variant=generic \
 		--set cozystack.apiServerHost=REPLACE_ME \
-		-s templates/cozystack-operator.yaml \
-		-s templates/packagesource.yaml \
+		--show-only templates/cozystack-operator.yaml \
 		> _out/assets/cozystack-operator-generic.yaml
 	# Hosted variant (managed Kubernetes)
 	helm template installer packages/core/installer -n cozy-system \
 		--set cozystackOperator.variant=hosted \
-		-s templates/cozystack-operator.yaml \
-		-s templates/packagesource.yaml \
+		--show-only templates/cozystack-operator.yaml \
 		> _out/assets/cozystack-operator-hosted.yaml
 
 cozypkg:
@@ -80,11 +77,7 @@ test:
 	make -C packages/core/testing apply
 	make -C packages/core/testing test
 
-verify-crds:
-	@diff --recursive packages/core/installer/crds/ internal/crdinstall/manifests/ --exclude='.*' \
-		|| (echo "ERROR: CRD manifests out of sync. Run 'make generate' to fix." && exit 1)
-
-unit-tests: helm-unit-tests verify-crds
+unit-tests: helm-unit-tests
 
 helm-unit-tests:
 	hack/helm-unit-tests.sh

cmd/cozystack-operator/main.go

@@ -108,7 +108,7 @@ func main() {
 	flag.StringVar(&telemetryInterval, "telemetry-interval", "15m",
 		"Interval between telemetry data collection (e.g. 15m, 1h)")
 	flag.StringVar(&platformSourceURL, "platform-source-url", "", "Platform source URL (oci:// or https://). If specified, generates OCIRepository or GitRepository resource.")
-	flag.StringVar(&platformSourceName, "platform-source-name", "cozystack-packages", "Name for the generated platform source resource (default: cozystack-packages)")
+	flag.StringVar(&platformSourceName, "platform-source-name", "cozystack-platform", "Name for the generated platform source resource and PackageSource")
 	flag.StringVar(&platformSourceRef, "platform-source-ref", "", "Reference specification as key=value pairs (e.g., 'branch=main' or 'digest=sha256:...,tag=v1.0'). For OCI: digest, semver, semverFilter, tag. For Git: branch, tag, semver, name, commit.")
 	flag.StringVar(&cozyValuesSecretName, "cozy-values-secret-name", "cozystack-values", "The name of the secret containing cluster-wide configuration values.")
 	flag.StringVar(&cozyValuesSecretNamespace, "cozy-values-secret-namespace", "cozy-system", "The namespace of the secret containing cluster-wide configuration values.")
@@ -224,6 +224,29 @@ func main() {
 		}
 	}
 
+	// Create platform PackageSource when CRDs are managed by the operator and
+	// a platform source URL is configured. Without a URL there is no Flux source
+	// resource to reference, so creating a PackageSource would leave a dangling SourceRef.
+	if installCRDs && platformSourceURL != "" {
+		sourceRefKind := "OCIRepository"
+		sourceType, _, err := parsePlatformSourceURL(platformSourceURL)
+		if err != nil {
+			setupLog.Error(err, "failed to parse platform source URL for PackageSource")
+			os.Exit(1)
+		}
+		if sourceType == "git" {
+			sourceRefKind = "GitRepository"
+		}
+		setupLog.Info("Creating platform PackageSource", "platformSourceName", platformSourceName)
+		psCtx, psCancel := context.WithTimeout(mgrCtx, 2*time.Minute)
+		defer psCancel()
+		if err := installPlatformPackageSource(psCtx, directClient, platformSourceName, sourceRefKind); err != nil {
+			setupLog.Error(err, "failed to create platform PackageSource")
+			os.Exit(1)
+		}
+		setupLog.Info("Platform PackageSource creation completed successfully")
+	}
+
 	// Setup PackageSource reconciler
 	if err := (&operator.PackageSourceReconciler{
 		Client: mgr.GetClient(),
@@ -552,3 +575,79 @@ func generateGitRepository(name, repoURL string, refMap map[string]string) (*sou
 
 	return obj, nil
 }
+
+// installPlatformPackageSource creates the platform PackageSource resource
+// that references the Flux source resource (OCIRepository or GitRepository).
+//
+// The variant list is intentionally hardcoded here. These are platform-defined
+// deployment profiles (not user-extensible), matching what was previously in
+// the Helm template. Changes require a new operator build and release.
+func installPlatformPackageSource(ctx context.Context, k8sClient client.Client, platformSourceName, sourceRefKind string) error {
+	logger := log.FromContext(ctx)
+
+	packageSourceName := "cozystack." + platformSourceName
+
+	ps := &cozyv1alpha1.PackageSource{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: cozyv1alpha1.GroupVersion.String(),
+			Kind:       "PackageSource",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: packageSourceName,
+			Annotations: map[string]string{
+				"operator.cozystack.io/skip-cozystack-values": "true",
+			},
+		},
+		Spec: cozyv1alpha1.PackageSourceSpec{
+			SourceRef: &cozyv1alpha1.PackageSourceRef{
+				Kind:      sourceRefKind,
+				Name:      platformSourceName,
+				Namespace: "cozy-system",
+				Path:      "/",
+			},
+		},
+	}
+
+	variantData := []struct {
+		name        string
+		valuesFiles []string
+	}{
+		{"default", []string{"values.yaml"}},
+		{"isp-full", []string{"values.yaml", "values-isp-full.yaml"}},
+		{"isp-hosted", []string{"values.yaml", "values-isp-hosted.yaml"}},
+		{"isp-full-generic", []string{"values.yaml", "values-isp-full-generic.yaml"}},
+	}
+
+	variants := make([]cozyv1alpha1.Variant, len(variantData))
+	for i, v := range variantData {
+		variants[i] = cozyv1alpha1.Variant{
+			Name: v.name,
+			Components: []cozyv1alpha1.Component{
+				{
+					Name: "platform",
+					Path: "core/platform",
+					Install: &cozyv1alpha1.ComponentInstall{
+						Namespace:   "cozy-system",
+						ReleaseName: "cozystack-platform",
+					},
+					ValuesFiles: v.valuesFiles,
+				},
+			},
+		}
+	}
+	ps.Spec.Variants = variants
+
+	logger.Info("Applying platform PackageSource", "name", packageSourceName)
+
+	patchOptions := &client.PatchOptions{
+		FieldManager: "cozystack-operator",
+		Force:        func() *bool { b := true; return &b }(),
+	}
+
+	if err := k8sClient.Patch(ctx, ps, client.Apply, patchOptions); err != nil {
+		return fmt.Errorf("failed to apply PackageSource %s: %w", packageSourceName, err)
+	}
+
+	logger.Info("Applied platform PackageSource", "name", packageSourceName)
+	return nil
+}

cmd/cozystack-operator/main_test.go

@@ -0,0 +1,574 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"testing"
+
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func newTestScheme() *runtime.Scheme {
+	s := runtime.NewScheme()
+	_ = cozyv1alpha1.AddToScheme(s)
+	return s
+}
+
+func TestInstallPlatformPackageSource_Creates(t *testing.T) {
+	s := newTestScheme()
+	k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
+
+	err := installPlatformPackageSource(context.Background(), k8sClient, "cozystack-platform", "OCIRepository")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ps := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.cozystack-platform"}, ps); err != nil {
+		t.Fatalf("PackageSource not found: %v", err)
+	}
+
+	// Verify name
+	if ps.Name != "cozystack.cozystack-platform" {
+		t.Errorf("expected name %q, got %q", "cozystack.cozystack-platform", ps.Name)
+	}
+
+	// Verify annotation
+	if ps.Annotations["operator.cozystack.io/skip-cozystack-values"] != "true" {
+		t.Errorf("expected skip-cozystack-values annotation to be 'true', got %q", ps.Annotations["operator.cozystack.io/skip-cozystack-values"])
+	}
+
+	// Verify sourceRef
+	if ps.Spec.SourceRef == nil {
+		t.Fatal("expected SourceRef to be set")
+	}
+	if ps.Spec.SourceRef.Kind != "OCIRepository" {
+		t.Errorf("expected sourceRef.kind %q, got %q", "OCIRepository", ps.Spec.SourceRef.Kind)
+	}
+	if ps.Spec.SourceRef.Name != "cozystack-platform" {
+		t.Errorf("expected sourceRef.name %q, got %q", "cozystack-platform", ps.Spec.SourceRef.Name)
+	}
+	if ps.Spec.SourceRef.Namespace != "cozy-system" {
+		t.Errorf("expected sourceRef.namespace %q, got %q", "cozy-system", ps.Spec.SourceRef.Namespace)
+	}
+	if ps.Spec.SourceRef.Path != "/" {
+		t.Errorf("expected sourceRef.path %q, got %q", "/", ps.Spec.SourceRef.Path)
+	}
+
+	// Verify variants
+	expectedVariants := []string{"default", "isp-full", "isp-hosted", "isp-full-generic"}
+	if len(ps.Spec.Variants) != len(expectedVariants) {
+		t.Fatalf("expected %d variants, got %d", len(expectedVariants), len(ps.Spec.Variants))
+	}
+	for i, name := range expectedVariants {
+		if ps.Spec.Variants[i].Name != name {
+			t.Errorf("expected variant[%d].name %q, got %q", i, name, ps.Spec.Variants[i].Name)
+		}
+		if len(ps.Spec.Variants[i].Components) != 1 {
+			t.Errorf("expected variant[%d] to have 1 component, got %d", i, len(ps.Spec.Variants[i].Components))
+		}
+	}
+}
+
+func TestInstallPlatformPackageSource_Updates(t *testing.T) {
+	s := newTestScheme()
+
+	existing := &cozyv1alpha1.PackageSource{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "cozystack.cozystack-platform",
+			ResourceVersion: "1",
+			Labels: map[string]string{
+				"custom-label": "should-be-preserved",
+			},
+		},
+		Spec: cozyv1alpha1.PackageSourceSpec{
+			SourceRef: &cozyv1alpha1.PackageSourceRef{
+				Kind:      "OCIRepository",
+				Name:      "old-name",
+				Namespace: "cozy-system",
+			},
+		},
+	}
+
+	k8sClient := fake.NewClientBuilder().WithScheme(s).WithObjects(existing).Build()
+
+	err := installPlatformPackageSource(context.Background(), k8sClient, "cozystack-platform", "OCIRepository")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ps := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.cozystack-platform"}, ps); err != nil {
+		t.Fatalf("PackageSource not found: %v", err)
+	}
+
+	// Verify sourceRef was updated
+	if ps.Spec.SourceRef.Name != "cozystack-platform" {
+		t.Errorf("expected updated sourceRef.name %q, got %q", "cozystack-platform", ps.Spec.SourceRef.Name)
+	}
+
+	// Verify all 4 variants are present after update
+	if len(ps.Spec.Variants) != 4 {
+		t.Errorf("expected 4 variants after update, got %d", len(ps.Spec.Variants))
+	}
+
+	// Verify that labels set by other controllers are preserved (SSA does not overwrite unmanaged fields)
+	if ps.Labels["custom-label"] != "should-be-preserved" {
+		t.Errorf("expected custom-label to be preserved, got %q", ps.Labels["custom-label"])
+	}
+}
+
+func TestParsePlatformSourceURL(t *testing.T) {
+	tests := []struct {
+		name       string
+		url        string
+		wantType   string
+		wantURL    string
+		wantErr    bool
+	}{
+		{
+			name:     "OCI URL",
+			url:      "oci://ghcr.io/cozystack/cozystack/cozystack-packages",
+			wantType: "oci",
+			wantURL:  "oci://ghcr.io/cozystack/cozystack/cozystack-packages",
+		},
+		{
+			name:     "HTTPS URL",
+			url:      "https://github.com/cozystack/cozystack",
+			wantType: "git",
+			wantURL:  "https://github.com/cozystack/cozystack",
+		},
+		{
+			name:     "SSH URL",
+			url:      "ssh://git@github.com/cozystack/cozystack",
+			wantType: "git",
+			wantURL:  "ssh://git@github.com/cozystack/cozystack",
+		},
+		{
+			name:    "empty URL",
+			url:     "",
+			wantErr: true,
+		},
+		{
+			name:    "unsupported scheme",
+			url:     "ftp://example.com/repo",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sourceType, repoURL, err := parsePlatformSourceURL(tt.url)
+			if tt.wantErr {
+				if err == nil {
+					t.Fatalf("expected error for URL %q, got nil", tt.url)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if sourceType != tt.wantType {
+				t.Errorf("expected type %q, got %q", tt.wantType, sourceType)
+			}
+			if repoURL != tt.wantURL {
+				t.Errorf("expected URL %q, got %q", tt.wantURL, repoURL)
+			}
+		})
+	}
+}
+
+func TestInstallPlatformPackageSource_VariantValuesFiles(t *testing.T) {
+	s := newTestScheme()
+	k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
+
+	err := installPlatformPackageSource(context.Background(), k8sClient, "cozystack-platform", "OCIRepository")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ps := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.cozystack-platform"}, ps); err != nil {
+		t.Fatalf("PackageSource not found: %v", err)
+	}
+
+	expectedValuesFiles := map[string][]string{
+		"default":          {"values.yaml"},
+		"isp-full":         {"values.yaml", "values-isp-full.yaml"},
+		"isp-hosted":       {"values.yaml", "values-isp-hosted.yaml"},
+		"isp-full-generic": {"values.yaml", "values-isp-full-generic.yaml"},
+	}
+
+	for _, v := range ps.Spec.Variants {
+		expected, ok := expectedValuesFiles[v.Name]
+		if !ok {
+			t.Errorf("unexpected variant %q", v.Name)
+			continue
+		}
+
+		if len(v.Components) != 1 {
+			t.Errorf("variant %q: expected 1 component, got %d", v.Name, len(v.Components))
+			continue
+		}
+
+		comp := v.Components[0]
+		if comp.Name != "platform" {
+			t.Errorf("variant %q: expected component name %q, got %q", v.Name, "platform", comp.Name)
+		}
+		if comp.Path != "core/platform" {
+			t.Errorf("variant %q: expected component path %q, got %q", v.Name, "core/platform", comp.Path)
+		}
+		if comp.Install == nil {
+			t.Errorf("variant %q: expected Install to be set", v.Name)
+		} else {
+			if comp.Install.Namespace != "cozy-system" {
+				t.Errorf("variant %q: expected install namespace %q, got %q", v.Name, "cozy-system", comp.Install.Namespace)
+			}
+			if comp.Install.ReleaseName != "cozystack-platform" {
+				t.Errorf("variant %q: expected install releaseName %q, got %q", v.Name, "cozystack-platform", comp.Install.ReleaseName)
+			}
+		}
+
+		if len(comp.ValuesFiles) != len(expected) {
+			t.Errorf("variant %q: expected %d valuesFiles, got %d", v.Name, len(expected), len(comp.ValuesFiles))
+			continue
+		}
+		for i, f := range expected {
+			if comp.ValuesFiles[i] != f {
+				t.Errorf("variant %q: expected valuesFiles[%d] %q, got %q", v.Name, i, f, comp.ValuesFiles[i])
+			}
+		}
+	}
+}
+
+func TestInstallPlatformPackageSource_CustomName(t *testing.T) {
+	s := newTestScheme()
+	k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
+
+	err := installPlatformPackageSource(context.Background(), k8sClient, "custom-source", "OCIRepository")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ps := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.custom-source"}, ps); err != nil {
+		t.Fatalf("PackageSource not found: %v", err)
+	}
+
+	if ps.Name != "cozystack.custom-source" {
+		t.Errorf("expected name %q, got %q", "cozystack.custom-source", ps.Name)
+	}
+	if ps.Spec.SourceRef.Name != "custom-source" {
+		t.Errorf("expected sourceRef.name %q, got %q", "custom-source", ps.Spec.SourceRef.Name)
+	}
+}
+
+func TestInstallPlatformPackageSource_GitRepository(t *testing.T) {
+	s := newTestScheme()
+	k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
+
+	err := installPlatformPackageSource(context.Background(), k8sClient, "my-source", "GitRepository")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ps := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.my-source"}, ps); err != nil {
+		t.Fatalf("PackageSource not found: %v", err)
+	}
+
+	if ps.Spec.SourceRef.Kind != "GitRepository" {
+		t.Errorf("expected sourceRef.kind %q, got %q", "GitRepository", ps.Spec.SourceRef.Kind)
+	}
+	if ps.Spec.SourceRef.Name != "my-source" {
+		t.Errorf("expected sourceRef.name %q, got %q", "my-source", ps.Spec.SourceRef.Name)
+	}
+}
+
+func TestParseRefSpec(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   string
+		want    map[string]string
+		wantErr bool
+	}{
+		{
+			name:  "empty string",
+			input: "",
+			want:  map[string]string{},
+		},
+		{
+			name:  "single key-value",
+			input: "tag=v1.0",
+			want:  map[string]string{"tag": "v1.0"},
+		},
+		{
+			name:  "multiple key-values",
+			input: "digest=sha256:abc123,tag=v1.0",
+			want:  map[string]string{"digest": "sha256:abc123", "tag": "v1.0"},
+		},
+		{
+			name:  "whitespace around pairs",
+			input: " tag=v1.0 , branch=main ",
+			want:  map[string]string{"tag": "v1.0", "branch": "main"},
+		},
+		{
+			name:  "equals sign in value",
+			input: "digest=sha256:abc=123",
+			want:  map[string]string{"digest": "sha256:abc=123"},
+		},
+		{
+			name:    "missing equals sign",
+			input:   "tag",
+			wantErr: true,
+		},
+		{
+			name:    "empty key",
+			input:   "=value",
+			wantErr: true,
+		},
+		{
+			name:    "empty value",
+			input:   "tag=",
+			wantErr: true,
+		},
+		{
+			name:  "trailing comma",
+			input: "tag=v1.0,",
+			want:  map[string]string{"tag": "v1.0"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := parseRefSpec(tt.input)
+			if tt.wantErr {
+				if err == nil {
+					t.Fatalf("expected error for input %q, got nil", tt.input)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if len(got) != len(tt.want) {
+				t.Fatalf("expected %d entries, got %d: %v", len(tt.want), len(got), got)
+			}
+			for k, v := range tt.want {
+				if got[k] != v {
+					t.Errorf("expected %q=%q, got %q=%q", k, v, k, got[k])
+				}
+			}
+		})
+	}
+}
+
+func TestValidateOCIRef(t *testing.T) {
+	tests := []struct {
+		name    string
+		refMap  map[string]string
+		wantErr bool
+	}{
+		{
+			name:   "valid tag",
+			refMap: map[string]string{"tag": "v1.0"},
+		},
+		{
+			name:   "valid digest",
+			refMap: map[string]string{"digest": "sha256:abc123def456"},
+		},
+		{
+			name:   "valid semver",
+			refMap: map[string]string{"semver": ">=1.0.0"},
+		},
+		{
+			name:   "multiple valid keys",
+			refMap: map[string]string{"tag": "v1.0", "digest": "sha256:abc"},
+		},
+		{
+			name:   "empty map",
+			refMap: map[string]string{},
+		},
+		{
+			name:    "invalid key",
+			refMap:  map[string]string{"branch": "main"},
+			wantErr: true,
+		},
+		{
+			name:    "invalid digest format",
+			refMap:  map[string]string{"digest": "md5:abc"},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateOCIRef(tt.refMap)
+			if tt.wantErr && err == nil {
+				t.Fatal("expected error, got nil")
+			}
+			if !tt.wantErr && err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+		})
+	}
+}
+
+func TestValidateGitRef(t *testing.T) {
+	tests := []struct {
+		name    string
+		refMap  map[string]string
+		wantErr bool
+	}{
+		{
+			name:   "valid branch",
+			refMap: map[string]string{"branch": "main"},
+		},
+		{
+			name:   "valid commit",
+			refMap: map[string]string{"commit": "abc1234"},
+		},
+		{
+			name:   "valid tag and branch",
+			refMap: map[string]string{"tag": "v1.0", "branch": "release"},
+		},
+		{
+			name:   "empty map",
+			refMap: map[string]string{},
+		},
+		{
+			name:    "invalid key",
+			refMap:  map[string]string{"digest": "sha256:abc"},
+			wantErr: true,
+		},
+		{
+			name:    "commit too short",
+			refMap:  map[string]string{"commit": "abc"},
+			wantErr: true,
+		},
+		{
+			name:    "commit not hex",
+			refMap:  map[string]string{"commit": "zzzzzzz"},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateGitRef(tt.refMap)
+			if tt.wantErr && err == nil {
+				t.Fatal("expected error, got nil")
+			}
+			if !tt.wantErr && err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+		})
+	}
+}
+
+func TestGenerateOCIRepository(t *testing.T) {
+	refMap := map[string]string{"tag": "v1.0", "digest": "sha256:abc123"}
+	obj, err := generateOCIRepository("my-repo", "oci://registry.example.com/repo", refMap)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if obj.Name != "my-repo" {
+		t.Errorf("expected name %q, got %q", "my-repo", obj.Name)
+	}
+	if obj.Namespace != "cozy-system" {
+		t.Errorf("expected namespace %q, got %q", "cozy-system", obj.Namespace)
+	}
+	if obj.Spec.URL != "oci://registry.example.com/repo" {
+		t.Errorf("expected URL %q, got %q", "oci://registry.example.com/repo", obj.Spec.URL)
+	}
+	if obj.Spec.Reference == nil {
+		t.Fatal("expected Reference to be set")
+	}
+	if obj.Spec.Reference.Tag != "v1.0" {
+		t.Errorf("expected tag %q, got %q", "v1.0", obj.Spec.Reference.Tag)
+	}
+	if obj.Spec.Reference.Digest != "sha256:abc123" {
+		t.Errorf("expected digest %q, got %q", "sha256:abc123", obj.Spec.Reference.Digest)
+	}
+}
+
+func TestGenerateOCIRepository_NoRef(t *testing.T) {
+	obj, err := generateOCIRepository("my-repo", "oci://registry.example.com/repo", map[string]string{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if obj.Spec.Reference != nil {
+		t.Error("expected Reference to be nil for empty refMap")
+	}
+}
+
+func TestGenerateOCIRepository_InvalidRef(t *testing.T) {
+	_, err := generateOCIRepository("my-repo", "oci://registry.example.com/repo", map[string]string{"branch": "main"})
+	if err == nil {
+		t.Fatal("expected error for invalid OCI ref key, got nil")
+	}
+}
+
+func TestGenerateGitRepository(t *testing.T) {
+	refMap := map[string]string{"branch": "main", "commit": "abc1234def5678"}
+	obj, err := generateGitRepository("my-repo", "https://github.com/user/repo", refMap)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if obj.Name != "my-repo" {
+		t.Errorf("expected name %q, got %q", "my-repo", obj.Name)
+	}
+	if obj.Namespace != "cozy-system" {
+		t.Errorf("expected namespace %q, got %q", "cozy-system", obj.Namespace)
+	}
+	if obj.Spec.URL != "https://github.com/user/repo" {
+		t.Errorf("expected URL %q, got %q", "https://github.com/user/repo", obj.Spec.URL)
+	}
+	if obj.Spec.Reference == nil {
+		t.Fatal("expected Reference to be set")
+	}
+	if obj.Spec.Reference.Branch != "main" {
+		t.Errorf("expected branch %q, got %q", "main", obj.Spec.Reference.Branch)
+	}
+	if obj.Spec.Reference.Commit != "abc1234def5678" {
+		t.Errorf("expected commit %q, got %q", "abc1234def5678", obj.Spec.Reference.Commit)
+	}
+}
+
+func TestGenerateGitRepository_NoRef(t *testing.T) {
+	obj, err := generateGitRepository("my-repo", "https://github.com/user/repo", map[string]string{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if obj.Spec.Reference != nil {
+		t.Error("expected Reference to be nil for empty refMap")
+	}
+}
+
+func TestGenerateGitRepository_InvalidRef(t *testing.T) {
+	_, err := generateGitRepository("my-repo", "https://github.com/user/repo", map[string]string{"digest": "sha256:abc"})
+	if err == nil {
+		t.Fatal("expected error for invalid Git ref key, got nil")
+	}
+}

docs/changelogs/v0.40.5.md

@@ -0,0 +1,15 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.40.5
+-->
+
+## Improvements
+
+* **[dashboard] Improve dashboard session params**: Improved session parameter handling in the dashboard for better user experience and more reliable session management ([**@lllamnyp**](https://github.com/lllamnyp) in #1913, #1919).
+
+## Dependencies
+
+* **Update cozyhr to v1.6.1**: Updated cozyhr to v1.6.1, which fixes a critical bug causing helm-controller v0.37.0+ to unexpectedly uninstall HelmReleases after cozyhr apply by correcting history snapshot fields for helm-controller compatibility ([**@kvaps**](https://github.com/kvaps) in cozystack/cozyhr#10).
+
+---
+
+**Full Changelog**: [v0.40.4...v0.40.5](https://github.com/cozystack/cozystack/compare/v0.40.4...v0.40.5)

docs/changelogs/v0.40.6.md

@@ -0,0 +1,11 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.40.6
+-->
+
+## Fixes
+
+* **[kubernetes] Fix manifests for kubernetes deployment**: Fixed incorrect manifests that prevented proper Kubernetes deployment, restoring correct application behavior ([**@IvanHunters**](https://github.com/IvanHunters) in #1943, #1944).
+
+---
+
+**Full Changelog**: [v0.40.5...v0.40.6](https://github.com/cozystack/cozystack/compare/v0.40.5...v0.40.6)

docs/changelogs/v0.40.7.md

@@ -0,0 +1,11 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.40.7
+-->
+
+## Security
+
+* **[dashboard] Verify JWT token**: Added JWT token verification to the dashboard, ensuring that authentication tokens are properly validated before granting access. This prevents unauthorized access through forged or expired tokens ([**@lllamnyp**](https://github.com/lllamnyp) in #1980, #1984).
+
+---
+
+**Full Changelog**: [v0.40.6...v0.40.7](https://github.com/cozystack/cozystack/compare/v0.40.6...v0.40.7)

docs/changelogs/v0.41.4.md

@@ -0,0 +1,11 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.4
+-->
+
+## Dependencies
+
+* **Update cozyhr to v1.6.1**: Updated cozyhr to v1.6.1, which fixes a critical bug causing helm-controller v0.37.0+ to unexpectedly uninstall HelmReleases after cozyhr apply by correcting history snapshot fields for helm-controller compatibility ([**@kvaps**](https://github.com/kvaps) in cozystack/cozyhr#10).
+
+---
+
+**Full Changelog**: [v0.41.3...v0.41.4](https://github.com/cozystack/cozystack/compare/v0.41.3...v0.41.4)

docs/changelogs/v0.41.5.md

@@ -0,0 +1,21 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.5
+-->
+
+## Features and Improvements
+
+* **[dashboard] Add "Edit" button to all resources**: Added an "Edit" button across all resource views in the dashboard, allowing users to modify resource configurations directly from the UI ([**@sircthulhu**](https://github.com/sircthulhu) in #1928, #1931).
+
+* **[dashboard] Add resource quota usage to tenant details page**: Added resource quota usage display to the tenant details page, giving administrators visibility into how much of allocated resources each tenant is consuming ([**@sircthulhu**](https://github.com/sircthulhu) in #1929, #1932).
+
+* **[branding] Separate values for keycloak**: Separated Keycloak branding values into dedicated configuration, allowing more granular customization of Keycloak appearance without affecting other branding settings ([**@nbykov0**](https://github.com/nbykov0) in #1946).
+
+* **Add instance profile label to workload monitor**: Added instance profile metadata labels to the workload monitor, enabling better resource tracking and monitoring by instance profile type ([**@matthieu-robin**](https://github.com/matthieu-robin) in #1954, #1957).
+
+## Fixes
+
+* **[kubernetes] Fix manifests for kubernetes deployment**: Fixed incorrect manifests that prevented proper Kubernetes deployment, restoring correct application behavior ([**@IvanHunters**](https://github.com/IvanHunters) in #1943, #1945).
+
+---
+
+**Full Changelog**: [v0.41.4...v0.41.5](https://github.com/cozystack/cozystack/compare/v0.41.4...v0.41.5)

docs/changelogs/v0.41.6.md

@@ -0,0 +1,17 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.6
+-->
+
+## Improvements
+
+* **[vm] Allow changing field external after creation**: Users can now modify the external network field on virtual machines after initial creation, providing more flexibility in VM networking configuration without requiring recreation ([**@sircthulhu**](https://github.com/sircthulhu) in #1956, #1962).
+
+* **[branding] Separate values for keycloak**: Separated Keycloak branding values into dedicated configuration for more granular customization of Keycloak appearance ([**@nbykov0**](https://github.com/nbykov0) in #1947, #1963).
+
+## Fixes
+
+* **[kubernetes] Fix coredns serviceaccount to match kubernetes bootstrap RBAC**: Configured the CoreDNS chart to create a `kube-dns` ServiceAccount matching the Kubernetes bootstrap ClusterRoleBinding, fixing RBAC errors (`Failed to watch`) when CoreDNS pods restart ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1958, #1978).
+
+---
+
+**Full Changelog**: [v0.41.5...v0.41.6](https://github.com/cozystack/cozystack/compare/v0.41.5...v0.41.6)

docs/changelogs/v0.41.7.md

@@ -0,0 +1,15 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.7
+-->
+
+## Security
+
+* **[dashboard] Verify JWT token**: Added JWT token verification to the dashboard, ensuring that authentication tokens are properly validated before granting access. This prevents unauthorized access through forged or expired tokens ([**@lllamnyp**](https://github.com/lllamnyp) in #1980, #1983).
+
+## Fixes
+
+* **[postgres-operator] Correct PromQL syntax in CNPGClusterOffline alert**: Fixed incorrect PromQL syntax in the `CNPGClusterOffline` alert rule for CloudNativePG, ensuring the alert fires correctly when all instances of a PostgreSQL cluster are offline ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1981, #1989).
+
+---
+
+**Full Changelog**: [v0.41.6...v0.41.7](https://github.com/cozystack/cozystack/compare/v0.41.6...v0.41.7)

docs/changelogs/v0.41.8.md

@@ -0,0 +1,17 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.8
+-->
+
+## Features and Improvements
+
+* **[kubernetes] Auto-enable Gateway API support in cert-manager**: cert-manager now automatically enables `enableGatewayAPI` when the Gateway API addon is active in the Kubernetes application. Users no longer need to manually configure this setting, and the option can still be overridden via `valuesOverride` ([**@kvaps**](https://github.com/kvaps) in #1997, #2012).
+
+* **[vm] Allow switching between instancetype and custom resources**: Users can now switch virtual machines between instancetype-based and custom resource configurations after creation. The upgrade hook atomically patches VM resources, providing more flexibility in adjusting VM sizing without recreation ([**@sircthulhu**](https://github.com/sircthulhu) in #2008, #2013).
+
+## Fixes
+
+* **[dashboard] Add startupProbe to prevent container restarts on slow hardware**: Added `startupProbe` to both `bff` and `web` containers in the dashboard deployment. On slow hardware, kubelet was killing containers because the `livenessProbe` only allowed ~33 seconds for startup. The `startupProbe` gives containers up to 60 seconds to start before `livenessProbe` kicks in ([**@kvaps**](https://github.com/kvaps) in #1996, #2014).
+
+---
+
+**Full Changelog**: [v0.41.7...v0.41.8](https://github.com/cozystack/cozystack/compare/v0.41.7...v0.41.8)

docs/changelogs/v0.41.9.md

@@ -0,0 +1,15 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.41.9
+-->
+
+## Fixes
+
+* **[cozystack-basics] Deny resourcequotas deletion for tenant admin**: Prevented tenant administrators from deleting resource quotas, ensuring that resource limits set by platform administrators cannot be bypassed by tenant-level users ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2076).
+
+## Dependencies
+
+* **Update Kube-OVN to v1.15.3**: Updated Kube-OVN CNI to v1.15.3 with latest bug fixes and improvements ([**@kvaps**](https://github.com/kvaps)).
+
+---
+
+**Full Changelog**: [v0.41.8...v0.41.9](https://github.com/cozystack/cozystack/compare/v0.41.8...v0.41.9)

docs/changelogs/v1.0.0-rc.1.md

@@ -0,0 +1,65 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.0-rc.1
+-->
+
+> **⚠️ Release Candidate Warning**: This is a release candidate intended for final validation before the stable v1.0.0 release. Breaking changes are not expected at this stage, but please test thoroughly before deploying to production.
+
+## Features and Improvements
+
+* **[harbor] Add managed Harbor container registry**: Added Harbor v2.14.2 as a managed tenant-level container registry service. The application uses CloudNativePG for PostgreSQL, the Redis operator for caching, and S3 via COSI BucketClaim (from SeaweedFS) for registry image storage. Auto-generated admin credentials are persisted across upgrades, TLS is handled by cert-manager, and Trivy vulnerability scanner is included. Users can now deploy a fully managed, production-ready OCI container registry within their tenant ([**@lexfrei**](https://github.com/lexfrei) in #2058).
+
+* **[kubernetes] Update supported Kubernetes versions to v1.30–v1.35**: Updated the tenant Kubernetes version matrix to v1.30, v1.31, v1.32, v1.33, v1.34, and v1.35 (now the default). EOL versions v1.28 and v1.29 are removed. Kamaji is updated to edge-26.2.4 with full Kubernetes 1.35 support, and the CAPI Kamaji provider is updated to v0.16.0. A compatibility patch ensures kubelets older than v1.35 are not broken by Kamaji injecting 1.35-specific kubelet fields ([**@lexfrei**](https://github.com/lexfrei) in #2073).
+
+* **[platform] Make cluster issuer name and ACME solver configurable**: Added `publishing.certificates.solver` (`http01` or `dns01`) and `publishing.certificates.issuerName` (default: `letsencrypt-prod`) parameters to the platform chart. This allows operators to point all ingress TLS annotations at any ClusterIssuer — custom ACME, self-signed, or internal CA — without modifying individual package templates. See the Breaking Changes section for the rename from the previous `issuerType` field ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
+
+* **[dashboard] VMInstance dropdowns for disks and instanceType**: The VM instance creation form now renders API-backed dropdowns for the `instanceType` field (populated from `VirtualMachineClusterInstancetype` cluster resources) and for disk `name` fields (populated from `VMDisk` resources in the same namespace). Default values are read from the ApplicationDefinition's OpenAPI schema. This eliminates manual lookups and reduces misconfiguration when attaching disks or selecting VM instance types ([**@sircthulhu**](https://github.com/sircthulhu) in #2071).
+
+* **[installer] Remove CRDs from Helm chart, delegate lifecycle to operator**: The `cozy-installer` Helm chart no longer ships CRDs in its `crds/` directory. CRD lifecycle is now fully managed by the Cozystack operator via the `--install-crds` flag, which applies embedded CRD manifests on every startup using server-side apply. The platform PackageSource is also created by the operator instead of a Helm template. This ensures CRDs and the PackageSource are always up to date after each operator restart, eliminating stale CRDs from Helm's install-only behavior ([**@lexfrei**](https://github.com/lexfrei) in #2074).
+
+## Fixes
+
+* **[kubevirt] Update KubeVirt to v1.6.4 and CDI to v1.64.0, fix VM pod initialization**: Updated KubeVirt operator to v1.6.4 and CDI operator to v1.64.0, including live migration of existing VMs during the upgrade. Additionally, disabled serial console logging globally via the KubeVirt CR to prevent a known v1.6.x issue ([upstream #15989](https://github.com/kubevirt/kubevirt/issues/15989)) where the `guest-console-log` init container blocked virt-launcher pods from starting, causing all VMs to get stuck in `PodInitializing` state ([**@nbykov0**](https://github.com/nbykov0) in #1833; [**@kvaps**](https://github.com/kvaps) in 7dfb819).
+
+* **[linstor] Fix DRBD+LUKS+STORAGE resource creation failure**: All newly created encrypted volumes were failing because the DRBD `.res` file was never written due to a missing `setExists(true)` call in the `LuksLayer`. Applied the upstream `skip-adjust-when-device-inaccessible` patch ([LINBIT/linstor-server#477](https://github.com/LINBIT/linstor-server/pull/477)) which fixes the root cause and also prevents unnecessary lsblk calls when devices are not yet physically present ([**@kvaps**](https://github.com/kvaps) in #2072).
+
+* **[system] Fix monitoring-agents FQDN resolution for tenant workload clusters**: Monitoring agents (`vmagent`, `fluent-bit`) in tenant workload clusters were failing to deliver metrics and logs because service addresses used short DNS names without the cluster domain suffix. Fixed by appending the configured cluster domain from `_cluster.cluster-domain` (with fallback to `cluster.local`) to all vmagent remoteWrite URLs and fluent-bit output hosts ([**@IvanHunters**](https://github.com/IvanHunters) in #2075).
+
+* **[cozystack-basics] Preserve existing HelmRelease values during reconciliations**: Fixed a data-loss bug where changes made to the `tenant-root` HelmRelease were silently dropped on the next forced or upgrade reconciliation of the `cozystack-basics` HelmRelease. The reconciler now merges new configuration with existing values instead of overwriting them ([**@sircthulhu**](https://github.com/sircthulhu) in #2068).
+
+* **[cozystack-basics] Deny resourcequotas deletion for tenant admin**: Fixed the `cozy:tenant:admin:base` ClusterRole to explicitly deny deletion of `ResourceQuota` objects for tenant admins and superadmins, preventing accidental removal of tenant resource limits ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2076).
+
+## Breaking Changes & Upgrade Notes
+
+* **[platform] Certificate issuer configuration parameters renamed**: The `publishing.certificates.issuerType` field is renamed to `publishing.certificates.solver`, and the value `cloudflare` is renamed to `dns01` to align with standard ACME terminology. A new `publishing.certificates.issuerName` field (default: `letsencrypt-prod`) is introduced to allow pointing all ingresses at a custom ClusterIssuer. Migration 32 is included and automatically converts existing configurations during upgrade — no manual action is required ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
+
+## Documentation
+
+* **[website] Migrate ConfigMap references to Platform Package in v1 documentation**: Updated the entire v1 documentation tree to replace legacy ConfigMap-based configuration references with the new Platform Package API, ensuring guides are consistent with the v1 configuration model ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#426).
+
+* **[website] Add generic Kubernetes deployment guide for v1**: Added a new installation guide covering Cozystack deployment on any generic Kubernetes cluster, expanding the set of supported deployment targets beyond provider-specific guides ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#408).
+
+* **[website] Refactor resource planning documentation**: Improved the resource planning guide with a clearer structure and more comprehensive coverage of planning considerations for Cozystack deployments ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#423).
+
+* **[website] Add ServiceAccount API access documentation and update FAQ**: Added a new article documenting ServiceAccount API access token configuration and updated the FAQ to include related troubleshooting guidance ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#421).
+
+* **[website] Update networking-mesh allowed-location-ips example**: Replaced provider-specific CLI usage with standard `kubectl` commands in the multi-location networking guide's `allowed-location-ips` example, making the documentation more universally applicable ([**@kvaps**](https://github.com/kvaps) in cozystack/website#425).
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@IvanStukov**](https://github.com/IvanStukov)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
+* [**@nbykov0**](https://github.com/nbykov0)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+
+### New Contributors
+
+We're excited to welcome our first-time contributors:
+
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil) - First contribution!
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0-beta.6...v1.0.0-rc.1

docs/changelogs/v1.0.0-rc.2.md

@@ -0,0 +1,57 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.0-rc.2
+-->
+
+> **⚠️ Release Candidate Warning**: This is a release candidate intended for final validation before the stable v1.0.0 release. Breaking changes are not expected at this stage, but please test thoroughly before deploying to production.
+
+## Features and Improvements
+
+* **[keycloak] Allow custom Ingress hostname via values**: Added an `ingress.host` field to the cozy-keycloak chart values, allowing operators to override the default `keycloak.<root-host>` Ingress hostname. The custom hostname is applied to both the Ingress resource and the `KC_HOSTNAME` environment variable in the StatefulSet. When left empty, the original behavior is preserved (fully backward compatible) ([**@sircthulhu**](https://github.com/sircthulhu) in #2101).
+
+## Fixes
+
+* **[platform] Fix upgrade issues in migrations, etcd timeout, and migration script**: Fixed multiple upgrade failures discovered during v0.41.1 → v1.0 upgrade testing. Migration 26 now uses the `cozystack.io/ui=true` label (always present on v0.41.1) instead of the new label that depends on migration 22 having run, and adds robust Helm secret deletion with fallback and verification. Migrations 28 and 29 wrap `grep` calls to prevent `pipefail` exits and fix the reconcile annotation to use RFC3339 format. Migration 27 now skips missing CRDs and adds a name-pattern fallback for Helm secret deletion. The etcd HelmRelease timeout is increased from 10m to 30m to accommodate TLS cert rotation hooks. The `migrate-to-version-1.0.sh` script gains the missing `bundle-disable`, `bundle-enable`, `expose-ingress`, and `expose-services` field mappings ([**@kvaps**](https://github.com/kvaps) in #2096).
+
+* **[platform] Fix orphaned -rd HelmReleases after application renames**: After the `ferretdb→mongodb`, `mysql→mariadb`, and `virtual-machine→vm-disk+vm-instance` renames, the system-level `-rd` HelmReleases in `cozy-system` (`ferretdb-rd`, `mysql-rd`, `virtual-machine-rd`) were left orphaned, referencing ExternalArtifacts that no longer exist and causing persistent reconciliation failures. Migrations 28 and 29 are updated to remove these resources, and migration 33 is added as a safety net for clusters that already passed those migrations ([**@kvaps**](https://github.com/kvaps) in #2102).
+
+* **[monitoring-agents] Fix FQDN resolution regression in tenant workload clusters**: The fix introduced in #2075 used `_cluster.cluster-domain` references in `values.yaml`, but `_cluster` values are not accessible from Helm subchart contexts — meaning fluent-bit received empty hostnames and failed to forward logs. This PR replaces the `_cluster` references with a new `global.clusterDomain` variable (empty by default for management clusters, set to the cluster domain for tenant clusters), which is correctly shared with all subcharts ([**@kvaps**](https://github.com/kvaps) in #2086).
+
+* **[dashboard] Fix legacy templating and cluster identifier in sidebar links**: Standardized the cluster identifier used across dashboard menu links, administration links, and API request paths, resolving incorrect or broken link targets for the Backups and External IPs sidebar sections ([**@androndo**](https://github.com/androndo) in #2093).
+
+* **[dashboard] Fix backupjobs creation form and sidebar backup category identifier**: Fixed the backup job creation form configuration, adding the required Name, Namespace, Plan Name, Application, and Backup Class fields. Fixed the sidebar backup category identifier that was causing incorrect navigation ([**@androndo**](https://github.com/androndo) in #2103).
+
+## Documentation
+
+* **[website] Add Helm chart development principles guide**: Added a new developer guide section documenting Cozystack's four core Helm chart principles: easy upstream updates, local-first artifacts, local dev/test workflow, and no external dependencies ([**@kvaps**](https://github.com/kvaps) in cozystack/website#418).
+
+* **[website] Add network architecture overview**: Added comprehensive network architecture documentation covering the multi-layered networking stack — MetalLB (L2/BGP), Cilium eBPF (kube-proxy replacement), Kube-OVN (centralized IPAM), and tenant isolation with identity-based eBPF policies — with Mermaid diagrams for all major traffic flows ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#422).
+
+* **[website] Update documentation to use jsonpatch for service exposure**: Improved `kubectl patch` commands throughout installation and configuration guides to use JSON Patch `add` operations for extending arrays instead of replacing them wholesale, making the documented commands safer and more precise ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#427).
+
+* **[website] Update certificates section in Platform Package documentation**: Updated the certificate configuration documentation to reflect the new `solver` and `issuerName` fields introduced in v1.0.0-rc.1, replacing the legacy `issuerType` references ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in cozystack/website#429).
+
+* **[website] Add tenant Kubernetes cluster log querying guide**: Added documentation for querying logs from tenant Kubernetes clusters in Grafana using VictoriaLogs labels (`tenant`, `kubernetes_namespace_name`, `kubernetes_pod_name`), including the `monitoringAgents` addon prerequisite and step-by-step filtering examples ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#430).
+
+* **[website] Replace non-idempotent commands with idempotent alternatives**: Updated `helm install` to `helm upgrade --install`, `kubectl create -f` to `kubectl apply -f`, and `kubectl create ns` to the dry-run+apply pattern across all installation and deployment guides so commands can be safely re-run ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#431).
+
+* **[website] Fix broken documentation links with `.md` suffix**: Fixed incorrect internal links with `.md` suffix across virtualization guides for both v0 and v1 documentation, standardizing link text to "Developer Guide" ([**@cheese**](https://github.com/cheese) in cozystack/website#432).
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@androndo**](https://github.com/androndo)
+* [**@cheese**](https://github.com/cheese)
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+
+### New Contributors
+
+We're excited to welcome our first-time contributors:
+
+* [**@cheese**](https://github.com/cheese) - First contribution!
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0-rc.1...v1.0.0-rc.2

docs/changelogs/v1.0.0.md

@@ -0,0 +1,289 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.0
+-->
+
+# Cozystack v1.0.0 — "Stable"
+
+We are thrilled to announce **Cozystack v1.0.0**, the first stable major release of the Cozystack platform. This milestone represents a fundamental architectural evolution from the v0.x series, introducing a fully operator-driven package management system, a comprehensive backup and restore framework, a redesigned virtual machine architecture, and a rich set of new managed applications — all hardened through an extensive alpha, beta, and release-candidate cycle.
+
+## Feature Highlights
+
+### Package-Based Architecture with Cozystack Operator
+
+The most significant architectural change in v1.0.0 is the replacement of HelmRelease bundle deployments with a declarative **Package** and **PackageSource** model managed by the new `cozystack-operator`. Operators now define their platform configuration in a structured `values.yaml` and the operator reconciles the desired state by managing Package and PackageSource resources across the cluster.
+
+The operator also takes ownership of CRD lifecycle — installing and updating CRDs from embedded manifests at every startup — eliminating the stale-CRD problem that affected Helm-only installations. Flux sharding has been added to distribute tenant HelmRelease reconciliation across multiple Flux controllers, providing horizontal scalability in large multi-tenant environments.
+
+A migration script (`hack/migrate-to-version-1.0.sh`) is provided for upgrading existing v0.x clusters, along with 33 incremental migration steps that automate resource renaming, secret cleanup, and configuration conversion.
+
+### Comprehensive Backup and Restore System
+
+v1.0.0 ships a fully featured, production-ready backup and restore framework built on Velero integration. Users can define **BackupClass** resources to describe backup storage targets, create **BackupPlan** schedules, and trigger **RestoreJob** resources for end-to-end application recovery.
+
+Virtual machine backups are supported natively via the Velero KubeVirt plugin, which captures consistent VM disk snapshots alongside metadata. The backup controller and the backup strategy sub-controllers (including the VM-specific strategy) are installed by default, and a full dashboard UI allows users to monitor backup status, view backup job history, and initiate restore workflows.
+
+### Redesigned Virtual Machine Architecture
+
+The legacy `virtual-machine` application has been replaced with a two-resource architecture: **`vm-disk`** for managing persistent disks and **`vm-instance`** for managing VM lifecycle. This separation provides cleaner disk/instance management, allows disks to be reused across VM instances, and aligns with modern KubeVirt patterns.
+
+New capabilities include: a `cpuModel` field for direct CPU model specification without using an instanceType; the ability to switch between `instanceType`-based and custom resource-based configurations; migration from the deprecated `running` field to `runStrategy`; and native **RWX (NFS) filesystem support** in the KubeVirt CSI driver, enabling multiple pods to mount the same persistent volume simultaneously.
+
+### New Managed Applications
+
+v1.0.0 expands the application catalog significantly:
+
+- **MongoDB**: A fully managed MongoDB replica set with persistent storage, monitoring integration, and unified user/database configuration API.
+- **Qdrant**: A high-performance vector database for AI and machine learning workloads, supporting single-replica and clustered modes with API key authentication and optional external LoadBalancer access.
+- **Harbor**: A fully managed OCI container registry backed by CloudNativePG, Redis operator, and COSI BucketClaim (SeaweedFS). Includes Trivy vulnerability scanner, auto-generated admin credentials, and TLS via cert-manager.
+- **NATS**: Enhanced with full Grafana monitoring dashboards for JetStream and server metrics, Prometheus support with TLS-aware configuration, and updated image customization options.
+- **MariaDB**: The `mysql` application is renamed to `mariadb`, accurately reflecting the underlying engine. An automatic migration (migration 27) converts all existing MySQL resources to use the `mariadb` naming.
+
+FerretDB has been removed from the catalog as it is superseded by native MongoDB support.
+
+### Multi-Location Networking with Kilo and cilium-kilo
+
+Cozystack v1.0.0 introduces first-class support for multi-location clusters via the **Kilo** WireGuard mesh networking package. Kilo automatically establishes encrypted WireGuard tunnels between nodes in different network segments, enabling seamless cross-region communication.
+
+A new integrated **`cilium-kilo`** networking variant combines Cilium eBPF CNI with Kilo's WireGuard overlay in a single platform configuration selection. This variant enables `enable-ipip-termination` in Cilium and deploys Kilo with `--compatibility=cilium`, allowing Cilium network policies to function correctly over the WireGuard mesh — without any manual configuration of the two components.
+
+### Flux Sharding for Scalable Multi-Tenancy
+
+Tenant HelmRelease reconciliation is now distributed across multiple Flux controllers via sharding labels. Each tenant workload is assigned to a shard based on a deterministic hash, preventing a single Flux controller from becoming a bottleneck in large multi-tenant environments. The platform operator manages the shard assignment automatically, and new shards can be added by scaling the Flux deployment.
+
+## Major Features and Improvements
+
+### Cozystack Operator
+
+* **[cozystack-operator] Introduce Package and PackageSource APIs**: Added new CRDs for declarative package management, defining the full API for Package and PackageSource resources ([**@kvaps**](https://github.com/kvaps) in #1740, #1741, #1755, #1756, #1760, #1761).
+* **[platform] Migrate from HelmRelease bundles to Package-based deployment**: Replaced HelmRelease bundle system with Package resources managed by cozystack-operator, including restructured values.yaml with full configuration support for networking, publishing, authentication, scheduling, branding, and resources ([**@kvaps**](https://github.com/kvaps) in #1816).
+* **[cozystack-operator] Add automatic CRD installation at startup**: Added `--install-crds` flag to install embedded CRD manifests on every startup via server-side apply, ensuring CRDs and the PackageSource are always up to date ([**@lexfrei**](https://github.com/lexfrei) in #2060).
+* **[installer] Remove CRDs from Helm chart, delegate lifecycle to operator**: The `cozy-installer` Helm chart no longer ships CRDs; CRD lifecycle is fully managed by the Cozystack operator ([**@lexfrei**](https://github.com/lexfrei) in #2074).
+* **[cozystack-operator] Preserve existing suspend field in package reconciler**: Fixed package reconciler to properly preserve the suspend field state during reconciliation ([**@sircthulhu**](https://github.com/sircthulhu) in #2043).
+* **[cozystack-operator] Fix namespace privileged flag resolution and field ownership**: Fixed operator to correctly check all Packages in a namespace when determining privileged status, and resolved SSA field ownership conflicts ([**@kvaps**](https://github.com/kvaps) in #2046).
+* **[platform] Add flux-plunger controller**: Added flux-plunger controller to automatically fix stuck HelmRelease errors by cleaning up failed resources and retrying reconciliation ([**@kvaps**](https://github.com/kvaps) in #1843).
+* **[installer] Add variant-aware templates for generic Kubernetes support**: Extended the installer to support generic and hosted Kubernetes deployments via the `cozystackOperator.variant=generic` parameter ([**@lexfrei**](https://github.com/lexfrei) in #2010).
+* **[installer] Unify operator templates**: Merged separate operator templates into a single variant-based template supporting Talos and non-Talos deployments ([**@kvaps**](https://github.com/kvaps) in #2034).
+
+### API and Platform
+
+* **[api] Rename CozystackResourceDefinition to ApplicationDefinition**: Renamed CRD and all related types for clarity and consistency, with migration 24 handling the transition automatically ([**@kvaps**](https://github.com/kvaps) in #1864).
+* **[platform] Add DNS-1035 validation for Application names**: Added dynamic DNS-1035 label validation for Application names at creation time, preventing resources with invalid names that would fail downstream ([**@lexfrei**](https://github.com/lexfrei) in #1771).
+* **[platform] Make cluster issuer name and ACME solver configurable**: Added `publishing.certificates.solver` and `publishing.certificates.issuerName` parameters to allow pointing all ingress TLS annotations at any ClusterIssuer ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
+* **[platform] Add cilium-kilo networking variant**: Added integrated `cilium-kilo` networking variant combining Cilium CNI with Kilo WireGuard mesh overlay ([**@kvaps**](https://github.com/kvaps) in #2064).
+* **[cozystack-api] Switch from DaemonSet to Deployment**: Migrated cozystack-api to a Deployment with PreferClose topology spread constraints, reducing resource consumption while maintaining high availability ([**@kvaps**](https://github.com/kvaps) in #2041, #2048).
+
+### Virtual Machines
+
+* **[vm-instance] Complete migration from virtual-machine to vm-disk and vm-instance**: Fully migrated from `virtual-machine` to the new `vm-disk` and `vm-instance` architecture, with automatic migration script (migration 28) for existing VMs ([**@kvaps**](https://github.com/kvaps) in #2040).
+* **[kubevirt-csi-driver] Add RWX Filesystem (NFS) support**: Added Read-Write-Many filesystem support to kubevirt-csi-driver via automatic NFS server deployment per PVC ([**@kvaps**](https://github.com/kvaps) in #2042).
+* **[vm] Add cpuModel field to specify CPU model without instanceType**: Added cpuModel field to VirtualMachine API for granular CPU control ([**@sircthulhu**](https://github.com/sircthulhu) in #2007).
+* **[vm] Allow switching between instancetype and custom resources**: Implemented atomic upgrade hook for switching between instanceType-based and custom resource VM configurations ([**@sircthulhu**](https://github.com/sircthulhu) in #2008).
+* **[vm] Migrate to runStrategy instead of running**: Migrated VirtualMachine API from deprecated `running` field to `runStrategy` ([**@sircthulhu**](https://github.com/sircthulhu) in #2004).
+* **[vm] Always expose VMs with a service**: Virtual machines are now always exposed with at least a ClusterIP service, ensuring in-cluster DNS names ([**@lllamnyp**](https://github.com/lllamnyp) in #1738, #1751).
+* **[dashboard] VMInstance dropdowns for disks and instanceType**: VM instance creation form now renders API-backed dropdowns for `instanceType` and disk `name` fields ([**@sircthulhu**](https://github.com/sircthulhu) in #2071).
+
+### Backup System
+
+* **[backups] Implement comprehensive backup and restore functionality**: Core backup Plan controller, Velero strategy controller, RestoreJob resource with end-to-end restore workflows, and enhanced backup plans UI ([**@lllamnyp**](https://github.com/lllamnyp) in #1640, #1685, #1687, #1719, #1720, #1737, #1967; [**@androndo**](https://github.com/androndo) in #1762, #1967, #1968, #1811).
+* **[backups] Add kubevirt plugin to velero**: Added KubeVirt plugin to Velero for consistent VM state and data snapshots ([**@lllamnyp**](https://github.com/lllamnyp) in #2017).
+* **[backups] Install backupstrategy controller by default**: Enabled backupstrategy controller by default for automatic backup scheduling ([**@lllamnyp**](https://github.com/lllamnyp) in #2020).
+* **[backups] Better selectors for VM strategy**: Improved VM backup strategy selectors for accurate and reliable backup targeting ([**@lllamnyp**](https://github.com/lllamnyp) in #2023).
+* **[backups] Create RBAC for backup resources**: Added comprehensive RBAC configuration for backup operations and restore jobs ([**@lllamnyp**](https://github.com/lllamnyp) in #2018).
+
+### Networking
+
+* **[kilo] Introduce Kilo WireGuard mesh networking**: Added Kilo as a system package providing secure WireGuard-based VPN mesh for connecting Kubernetes nodes across different networks and regions ([**@kvaps**](https://github.com/kvaps) in #1691).
+* **[kilo] Add Cilium compatibility variant**: Added `cilium` variant enabling Cilium-aware IPIP encapsulation for full network policy enforcement with Kilo mesh ([**@kvaps**](https://github.com/kvaps) in #2055).
+* **[kilo] Update to v0.8.0 with configurable MTU**: Updated Kilo to v0.8.0 with configurable MTU parameter and performance improvements ([**@kvaps**](https://github.com/kvaps) in #2003, #2049, #2053).
+* **[local-ccm] Add local-ccm package**: Added local cloud controller manager for managing load balancer services in bare-metal environments ([**@kvaps**](https://github.com/kvaps) in #1831).
+* **[local-ccm] Add node-lifecycle-controller component**: Added optional node-lifecycle-controller that automatically deletes unreachable NotReady nodes, solving the "zombie" node problem in autoscaled clusters ([**@IvanHunters**](https://github.com/IvanHunters) in #1992).
+* **[tenant] Allow egress to parent ingress pods**: Updated tenant network policies to allow egress traffic to parent cluster ingress pods ([**@lexfrei**](https://github.com/lexfrei) in #1765, #1776).
+
+### New Applications
+
+* **[mongodb] Add MongoDB managed application**: Added MongoDB as a fully managed database with replica sets, persistent storage, and unified user/database configuration ([**@lexfrei**](https://github.com/lexfrei) in #1822; [**@kvaps**](https://github.com/kvaps) in #1923).
+* **[qdrant] Add Qdrant vector database**: Added Qdrant as a high-performance vector database for AI/ML workloads with API key authentication and optional LoadBalancer access ([**@lexfrei**](https://github.com/lexfrei) in #1987).
+* **[harbor] Add managed Harbor container registry**: Added Harbor v2.14.2 as a managed tenant-level container registry with CloudNativePG, Redis operator, COSI BucketClaim storage, and Trivy scanner ([**@lexfrei**](https://github.com/lexfrei) in #2058).
+* **[nats] Add monitoring**: Added Grafana dashboards for NATS JetStream and server metrics, Prometheus monitoring with TLS support ([**@klinch0**](https://github.com/klinch0) in #1381).
+* **[mariadb] Rename mysql application to mariadb**: Renamed MySQL application to MariaDB with automatic migration (migration 27) for all existing resources ([**@kvaps**](https://github.com/kvaps) in #2026).
+* **[ferretdb] Remove FerretDB application**: Removed FerretDB, superseded by native MongoDB support ([**@kvaps**](https://github.com/kvaps) in #2028).
+
+### Kubernetes and System Components
+
+* **[kubernetes] Update supported Kubernetes versions to v1.30–v1.35**: Updated the tenant Kubernetes version matrix, with v1.35 as the new default. Kamaji updated to edge-26.2.4 and CAPI Kamaji provider to v0.16.0 ([**@lexfrei**](https://github.com/lexfrei) in #2073).
+* **[kubernetes] Auto-enable Gateway API support in cert-manager**: Added automatic Gateway API support in cert-manager for tenant clusters ([**@kvaps**](https://github.com/kvaps) in #1997).
+* **[kubernetes] Use ingress-nginx nodeport service**: Changed tenant Kubernetes clusters to use ingress-nginx NodePort service for improved compatibility ([**@sircthulhu**](https://github.com/sircthulhu) in #1948).
+* **[system] Add cluster-autoscaler for Hetzner and Azure**: Added cluster-autoscaler system package for automatically scaling management cluster nodes on Hetzner and Azure ([**@kvaps**](https://github.com/kvaps) in #1964).
+* **[cluster-autoscaler] Enable enforce-node-group-min-size by default**: Ensures node groups are always scaled up to their configured minimum size ([**@kvaps**](https://github.com/kvaps) in #2050).
+* **[system] Add clustersecret-operator package**: Added clustersecret-operator for managing secrets across multiple namespaces ([**@sircthulhu**](https://github.com/sircthulhu) in #2025).
+
+### Monitoring
+
+* **[monitoring] Enable monitoring for core components**: Enhanced monitoring capabilities with dashboards and metrics for core Cozystack components ([**@IvanHunters**](https://github.com/IvanHunters) in #1937).
+* **[monitoring] Add SLACK_SEVERITY_FILTER and VMAgent for tenant monitoring**: Added SLACK_SEVERITY_FILTER for Slack alert filtering and VMAgent for tenant namespace metrics scraping ([**@IvanHunters**](https://github.com/IvanHunters) in #1712).
+* **[monitoring-agents] Fix FQDN resolution for tenant workload clusters**: Fixed monitoring agents in tenant clusters to use full DNS names with cluster domain suffix ([**@IvanHunters**](https://github.com/IvanHunters) in #2075; [**@kvaps**](https://github.com/kvaps) in #2086).
+
+### Storage
+
+* **[linstor] Move CRDs to dedicated piraeus-operator-crds chart**: Moved LINSTOR CRDs to a dedicated chart, ensuring reliable installation of all CRDs including `linstorsatellites.io` ([**@kvaps**](https://github.com/kvaps) in #2036; [**@IvanHunters**](https://github.com/IvanHunters) in #1991).
+* **[seaweedfs] Increase certificate duration to 10 years**: Increased SeaweedFS certificate validity to 10 years to reduce rotation overhead ([**@IvanHunters**](https://github.com/IvanHunters) in #1986).
+
+## Improvements
+
+* **[dashboard] Upgrade dashboard to version 1.4.0**: Updated Cozystack dashboard to v1.4.0 with new features and improvements ([**@sircthulhu**](https://github.com/sircthulhu) in #2051).
+* **[dashboard] Hide Ingresses/Services/Secrets tabs when no selectors defined**: Tabs are now conditionally shown based on whether the ApplicationDefinition has resource selectors configured, reducing UI clutter ([**@kvaps**](https://github.com/kvaps) in #2087).
+* **[dashboard] Add startupProbe to prevent container restarts on slow hardware**: Added startup probe to dashboard pods to prevent unnecessary restarts ([**@kvaps**](https://github.com/kvaps) in #1996).
+* **[keycloak] Allow custom Ingress hostname via values**: Added `ingress.host` field to cozy-keycloak chart values for overriding the default `keycloak.<root-host>` hostname ([**@sircthulhu**](https://github.com/sircthulhu) in #2101).
+* **[branding] Separate values for Keycloak**: Separated Keycloak branding values for better customization capabilities ([**@nbykov0**](https://github.com/nbykov0) in #1947).
+* **[rbac] Use hierarchical naming scheme**: Refactored RBAC to use hierarchical naming for cluster roles and role bindings ([**@lllamnyp**](https://github.com/lllamnyp) in #2019).
+* **[tenant,rbac] Use shared clusterroles**: Refactored tenant RBAC to use shared ClusterRoles for improved consistency ([**@lllamnyp**](https://github.com/lllamnyp) in #1999).
+* **[kubernetes] Increase default apiServer resourcesPreset to large**: Increased kube-apiserver resource preset to `large` for more reliable operation under higher workloads ([**@kvaps**](https://github.com/kvaps) in #1875).
+* **[kubernetes] Increase kube-apiserver startup probe threshold**: Increased startup probe threshold to allow more time for API server readiness ([**@kvaps**](https://github.com/kvaps) in #1876).
+* **[etcd] Increase probe thresholds for better recovery**: Increased etcd probe thresholds to improve cluster resilience during temporary slowdowns ([**@kvaps**](https://github.com/kvaps) in #1874).
+* **[etcd-operator] Add vertical-pod-autoscaler dependency**: Added VPA as a dependency to etcd-operator for proper resource scaling ([**@sircthulhu**](https://github.com/sircthulhu) in #2047).
+* **[cilium] Change cilium-operator replicas to 1**: Reduced Cilium operator replicas to decrease resource consumption in smaller deployments ([**@IvanHunters**](https://github.com/IvanHunters) in #1784).
+* **[keycloak-configure,dashboard] Enable insecure TLS verification by default**: Made SSL certificate verification configurable with insecure mode enabled by default for local development ([**@IvanHunters**](https://github.com/IvanHunters) in #2005).
+* **[platform] Split telemetry between operator and controller**: Separated telemetry collection for better metrics isolation ([**@kvaps**](https://github.com/kvaps) in #1869).
+* **[system] Add resource requests and limits to etcd-defrag**: Added resource requests and limits to etcd-defrag job to prevent resource contention ([**@matthieu-robin**](https://github.com/matthieu-robin) in #1785, #1786).
+
+## Fixes
+
+* **[dashboard] Fix sidebar visibility on cluster-level pages**: Fixed broken URLs with double `//` on cluster-level pages by hiding namespace-scoped sidebar items when no tenant is selected ([**@sircthulhu**](https://github.com/sircthulhu) in #2106).
+* **[platform] Fix upgrade issues in migrations, etcd timeout, and migration script**: Fixed multiple upgrade failures discovered during v0.41.1 → v1.0 upgrade testing, including migration 26-29 fixes, RFC3339 format for annotations, and extended etcd HelmRelease timeout to 30m ([**@kvaps**](https://github.com/kvaps) in #2096).
+* **[platform] Fix orphaned -rd HelmReleases after application renames**: Migrations 28-29 updated to remove orphaned `-rd` HelmReleases in `cozy-system` after `ferretdb→mongodb`, `mysql→mariadb`, and `virtual-machine→vm-disk+vm-instance` renames, with migration 33 as a safety net ([**@kvaps**](https://github.com/kvaps) in #2102).
+* **[platform] Adopt tenant-root into cozystack-basics during migration**: Added migration 31 to adopt existing `tenant-root` Namespace and HelmRelease into `cozystack-basics` for a safe v0.41.x → v1.0 upgrade path ([**@kvaps**](https://github.com/kvaps) in #2065).
+* **[platform] Preserve tenant-root HelmRelease during migration**: Fixed data-loss risk during migration where `tenant-root` HelmRelease could be deleted ([**@sircthulhu**](https://github.com/sircthulhu) in #2063).
+* **[platform] Fix cozystack-values secret race condition**: Fixed race condition in cozystack-values secret creation that could cause initialization failures ([**@lllamnyp**](https://github.com/lllamnyp) in #2024).
+* **[cozystack-basics] Preserve existing HelmRelease values during reconciliations**: Fixed data-loss bug where changes to `tenant-root` HelmRelease were dropped on the next reconciliation ([**@sircthulhu**](https://github.com/sircthulhu) in #2068).
+* **[cozystack-basics] Deny resourcequotas deletion for tenant admin**: Fixed `cozy:tenant:admin:base` ClusterRole to explicitly deny deletion of ResourceQuota objects ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2076).
+* **[dashboard] Fix legacy templating and cluster identifier in sidebar links**: Standardized cluster identifier across dashboard menu links resolving broken link targets for Backups and External IPs ([**@androndo**](https://github.com/androndo) in #2093).
+* **[dashboard] Fix backupjobs creation form and sidebar backup category identifier**: Fixed backup job creation form fields and fixed sidebar backup category identifier ([**@androndo**](https://github.com/androndo) in #2103).
+* **[kubevirt] Update KubeVirt to v1.6.4 and CDI to v1.64.0, fix VM pod initialization**: Updated KubeVirt and CDI and disabled serial console logging globally to fix the `guest-console-log` init container blocking virt-launcher pods ([**@nbykov0**](https://github.com/nbykov0) in #1833; [**@kvaps**](https://github.com/kvaps)).
+* **[linstor] Fix DRBD+LUKS+STORAGE resource creation failure**: Applied upstream fix for all newly created encrypted volumes failing due to missing `setExists(true)` call in `LuksLayer` ([**@kvaps**](https://github.com/kvaps) in #2072).
+* **[platform] Clean up Helm secrets for removed releases**: Added cleanup logic to migration 23 to remove orphaned Helm secrets from removed `-rd` releases ([**@kvaps**](https://github.com/kvaps) in #2035).
+* **[monitoring] Fix YAML parse error in vmagent template**: Fixed YAML parsing error in monitoring-agents vmagent template ([**@kvaps**](https://github.com/kvaps) in #2037).
+* **[monitoring] Remove cozystack-controller dependency**: Fixed monitoring package to remove unnecessary cozystack-controller dependency ([**@IvanHunters**](https://github.com/IvanHunters) in #1990).
+* **[monitoring] Remove duplicate dashboards.list**: Fixed duplicate dashboards.list configuration in extra/monitoring package ([**@IvanHunters**](https://github.com/IvanHunters) in #2016).
+* **[linstor] Update piraeus-server patches with critical fixes**: Backported critical patches fixing edge cases in device management and DRBD resource handling ([**@kvaps**](https://github.com/kvaps) in #1850).
+* **[apiserver] Fix Watch resourceVersion and bookmark handling**: Fixed Watch API handling of resourceVersion and bookmarks for proper event streaming ([**@kvaps**](https://github.com/kvaps) in #1860).
+* **[bootbox] Auto-create bootbox-application as dependency**: Fixed bootbox package to automatically create required bootbox-application dependency ([**@kvaps**](https://github.com/kvaps) in #1974).
+* **[postgres-operator] Correct PromQL syntax in CNPGClusterOffline alert**: Fixed incorrect PromQL syntax in the CNPGClusterOffline Prometheus alert ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1981).
+* **[coredns] Fix serviceaccount to match kubernetes bootstrap RBAC**: Fixed CoreDNS service account to correctly match Kubernetes bootstrap RBAC requirements ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1958).
+* **[dashboard] Verify JWT token**: Added JWT token verification to dashboard for improved security ([**@lllamnyp**](https://github.com/lllamnyp) in #1980).
+* **[codegen] Fix missing gen_client in update-codegen.sh**: Fixed build error in `pkg/generated/applyconfiguration/utils.go` by including `gen_client` in the codegen script ([**@lexfrei**](https://github.com/lexfrei) in #2061).
+* **[kubevirt-operator] Fix typo in VMNotRunningFor10Minutes alert**: Fixed typo in VM alert name ensuring proper alert triggering ([**@lexfrei**](https://github.com/lexfrei) in #1770, #1775).
+
+## Security
+
+* **[dashboard] Verify JWT token**: Added JWT token verification to the dashboard for improved authentication security ([**@lllamnyp**](https://github.com/lllamnyp) in #1980).
+
+## Dependencies
+
+* **[cilium] Update to v1.18.6**: Updated Cilium CNI to v1.18.6 with security fixes and performance improvements ([**@sircthulhu**](https://github.com/sircthulhu) in #1868).
+* **[kube-ovn] Update to v1.15.3**: Updated Kube-OVN CNI to v1.15.3 with performance improvements and bug fixes ([**@kvaps**](https://github.com/kvaps) in #2022).
+* **[kilo] Update to v0.8.0**: Updated Kilo WireGuard mesh to v0.8.0 with performance improvements and new compatibility features ([**@kvaps**](https://github.com/kvaps) in #2053).
+* **Update Talos Linux to v1.12.1**: Updated Talos Linux to v1.12.1 with latest features and security patches ([**@kvaps**](https://github.com/kvaps) in #1877).
+
+## System Configuration
+
+* **[vpc] Migrate subnets definition from map to array format**: Migrated VPC subnets from `map[string]Subnet` to `[]Subnet` with explicit `name` field, with automatic migration via migration 30 ([**@kvaps**](https://github.com/kvaps) in #2052).
+* **[migrations] Add migrations 23-33 for v1.0 upgrade path**: Added 11 incremental migrations handling CRD ownership, resource renaming, secret cleanup, Helm adoption, and configuration conversion for the v0.41.x → v1.0.0 upgrade path ([**@kvaps**](https://github.com/kvaps) in #1975, #2035, #2036, #2040, #2026, #2065, #2052, #2102).
+* **[tenant] Run cleanup job from system namespace**: Moved tenant cleanup job to system namespace for improved security and resource isolation ([**@lllamnyp**](https://github.com/lllamnyp) in #1774, #1777).
+
+## Development, Testing, and CI/CD
+
+* **[ci] Use GitHub Copilot CLI for changelog generation**: Automated changelog generation using GitHub Copilot CLI ([**@androndo**](https://github.com/androndo) in #1753).
+* **[ci] Choose runner conditional on label**: Added conditional runner selection in CI based on PR labels ([**@lllamnyp**](https://github.com/lllamnyp) in #1998).
+* **[e2e] Use helm install instead of kubectl apply for cozystack installation**: Replaced static YAML apply flow with direct `helm upgrade --install` of the installer chart in E2E tests ([**@lexfrei**](https://github.com/lexfrei) in #2060).
+* **[e2e] Make kubernetes test retries effective by cleaning up stale resources**: Fixed E2E test retries by adding pre-creation cleanup and increasing deployment wait timeout to 300s ([**@lexfrei**](https://github.com/lexfrei) in #2062).
+* **[e2e] Increase HelmRelease readiness timeout for kubernetes test**: Increased HelmRelease readiness timeout to prevent false failures on slower hardware ([**@lexfrei**](https://github.com/lexfrei) in #2033).
+* **[ci] Improve cozyreport functionality**: Enhanced cozyreport tool with improved reporting for CI/CD pipelines ([**@lllamnyp**](https://github.com/lllamnyp) in #2032).
+* **feat(cozypkg): add cross-platform build targets with version injection**: Added cross-platform build targets for cozypkg/cozyhr tool for linux/amd64, linux/arm64, darwin/amd64, darwin/arm64 ([**@kvaps**](https://github.com/kvaps) in #1862).
+* **refactor: move scripts to hack directory**: Reorganized scripts to the standard `hack/` location ([**@kvaps**](https://github.com/kvaps) in #1863).
+* **Update CODEOWNERS**: Updated CODEOWNERS to include new maintainers ([**@lllamnyp**](https://github.com/lllamnyp) in #1972; [**@IvanHunters**](https://github.com/IvanHunters) in #2015).
+* **[talm] Skip config loading for completion subcommands**: Fixed talm CLI to skip config loading for shell completion commands ([**@kitsunoff**](https://github.com/kitsunoff) in cozystack/talm#109).
+* **[talm] Fix metadata.id type casting in physical_links_info**: Fixed Prometheus query to properly cast metadata.id to string for regexMatch operations ([**@kvaps**](https://github.com/kvaps) in cozystack/talm#110).
+
+## Documentation
+
+* **[website] Add documentation versioning**: Implemented comprehensive documentation versioning with separate v0 and v1 documentation trees and a version selector in the UI ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#415).
+* **[website] Describe upgrade to v1.0**: Added detailed upgrade instructions for migrating from v0.x to v1.0 ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@21bbe84).
+* **[website] Migrate ConfigMap references to Platform Package in v1 docs**: Updated entire v1 documentation to replace legacy ConfigMap-based configuration with the new Platform Package API ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#426).
+* **[website] Add generic Kubernetes deployment guide for v1**: Added installation guide for deploying Cozystack on any generic Kubernetes cluster ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#408).
+* **[website] Describe operator-based and HelmRelease-based package patterns**: Added development documentation explaining operator-based and HelmRelease-based package patterns ([**@kvaps**](https://github.com/kvaps) in cozystack/website#413).
+* **[website] Add Helm chart development principles guide**: Added developer guide documenting Cozystack's four core Helm chart principles ([**@kvaps**](https://github.com/kvaps) in cozystack/website#418).
+* **[website] Add network architecture overview**: Added comprehensive network architecture documentation covering the multi-layered networking stack with Mermaid diagrams ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#422).
+* **[website] Add LINSTOR disk preparation guide**: Added comprehensive documentation for preparing disks for LINSTOR storage ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#411).
+* **[website] Add Proxmox VM migration guide**: Added detailed guide for migrating virtual machines from Proxmox to Cozystack ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#410).
+* **[website] Add cluster autoscaler documentation**: Added documentation for Hetzner setup with Talos, vSwitch, and Kilo mesh integration ([**@kvaps**](https://github.com/kvaps) in #1964).
+* **[website] Improve Azure autoscaling troubleshooting guide**: Enhanced Azure autoscaling documentation with serial console instructions and `az vmss update --custom-data` guidance ([**@kvaps**](https://github.com/kvaps) in cozystack/website#424).
+* **[website] Update multi-location documentation for cilium-kilo variant**: Updated multi-location networking docs to reflect the integrated `cilium-kilo` variant selection ([**@kvaps**](https://github.com/kvaps) in cozystack/website@02d63f0).
+* **[website] Update documentation to use jsonpatch for service exposure**: Improved `kubectl patch` commands to use JSON Patch `add` operations ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#427).
+* **[website] Update certificates section in Platform Package documentation**: Updated certificate configuration docs to reflect new `solver` and `issuerName` fields ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in cozystack/website#429).
+* **[website] Add tenant Kubernetes cluster log querying guide**: Added documentation for querying logs from tenant clusters in Grafana using VictoriaLogs labels ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#430).
+* **[website] Replace non-idempotent commands with idempotent alternatives**: Updated `helm install` to `helm upgrade --install` and `kubectl create` to `kubectl apply` across all installation guides ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#431).
+* **[website] Fix broken documentation links with .md suffix**: Fixed incorrect internal links across virtualization guides for v0 and v1 documentation ([**@cheese**](https://github.com/cheese) in cozystack/website#432).
+* **[website] Refactor resource planning documentation**: Improved resource planning guide with clearer structure and more comprehensive coverage ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#423).
+* **[website] Add ServiceAccount API access documentation and update FAQ**: Added documentation for ServiceAccount API access token configuration and updated FAQ ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#421).
+* **[website] Update networking-mesh allowed-location-ips example**: Replaced provider-specific CLI with standard `kubectl` commands in multi-location networking guide ([**@kvaps**](https://github.com/kvaps) in cozystack/website#425).
+* **[website] docs(storage): simplify NFS driver setup instructions**: Simplified NFS driver setup documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website#399).
+* **[website] Add Hetzner RobotLB documentation**: Added documentation for configuring public IP with Hetzner RobotLB ([**@kvaps**](https://github.com/kvaps) in cozystack/website#394).
+* **[website] Add documentation for creating and managing cloned VMs**: Added comprehensive guide for VM cloning operations ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#401).
+* **[website] Update Talos installation docs for Hetzner and Servers.com**: Updated installation documentation for Hetzner and Servers.com environments ([**@kvaps**](https://github.com/kvaps) in cozystack/website#395).
+* **[website] Add Hidora organization support details**: Added Hidora to the support page ([**@matthieu-robin**](https://github.com/matthieu-robin) in cozystack/website#397, cozystack/website#398).
+* **[website] Check quotas before an upgrade**: Added troubleshooting documentation for checking resource quotas before upgrades ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website#405).
+* **[website] Update support documentation**: Updated support documentation with current contact information ([**@xrmtech-isk**](https://github.com/xrmtech-isk) in cozystack/website#420).
+* **[website] Correct typo in kubeconfig reference in Kubernetes installation guide**: Fixed documentation typo in kubeconfig reference ([**@shkarface**](https://github.com/shkarface) in cozystack/website#414).
+
+## Breaking Changes & Upgrade Notes
+
+* **[api] CozystackResourceDefinition renamed to ApplicationDefinition**: The `CozystackResourceDefinition` CRD has been renamed to `ApplicationDefinition`. Migration 24 handles the transition automatically during upgrade ([**@kvaps**](https://github.com/kvaps) in #1864).
+
+* **[platform] Certificate issuer configuration parameters renamed**: The `publishing.certificates.issuerType` field is renamed to `publishing.certificates.solver`, and the value `cloudflare` is renamed to `dns01`. A new `publishing.certificates.issuerName` field (default: `letsencrypt-prod`) is added. Migration 32 automatically converts existing configurations — no manual action required ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
+
+* **[vpc] VPC subnets definition migrated from map to array format**: VPC subnets are now defined as `[]Subnet` with an explicit `name` field instead of `map[string]Subnet`. Migration 30 handles the conversion automatically ([**@kvaps**](https://github.com/kvaps) in #2052).
+
+* **[vm] virtual-machine application replaced by vm-disk and vm-instance**: The legacy `virtual-machine` application has been fully replaced. Migration 28 automatically converts existing VMs to the new architecture ([**@kvaps**](https://github.com/kvaps) in #2040).
+
+* **[mysql] mysql application renamed to mariadb**: Existing MySQL deployments are automatically renamed to MariaDB via migration 27 ([**@kvaps**](https://github.com/kvaps) in #2026).
+
+### Upgrade Guide
+
+To upgrade from v0.41.x to v1.0.0:
+1. **Backup your cluster** before upgrading.
+2. Run the provided migration script: `hack/migrate-to-version-1.0.sh`.
+3. The 33 incremental migration steps will automatically handle all resource renaming, configuration conversion, CRD adoption, and secret cleanup.
+4. Refer to the [upgrade documentation](https://cozystack.io/docs/v1/upgrade) for detailed instructions and troubleshooting.
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@androndo**](https://github.com/androndo)
+* [**@cheese**](https://github.com/cheese)
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@IvanStukov**](https://github.com/IvanStukov)
+* [**@kitsunoff**](https://github.com/kitsunoff)
+* [**@klinch0**](https://github.com/klinch0)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@lllamnyp**](https://github.com/lllamnyp)
+* [**@matthieu-robin**](https://github.com/matthieu-robin)
+* [**@mattia-eleuteri**](https://github.com/mattia-eleuteri)
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
+* [**@nbykov0**](https://github.com/nbykov0)
+* [**@shkarface**](https://github.com/shkarface)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+* [**@xrmtech-isk**](https://github.com/xrmtech-isk)
+
+### New Contributors
+
+We're excited to welcome our first-time contributors:
+
+* [**@cheese**](https://github.com/cheese) - First contribution!
+* [**@IvanStukov**](https://github.com/IvanStukov) - First contribution!
+* [**@kitsunoff**](https://github.com/kitsunoff) - First contribution!
+* [**@shkarface**](https://github.com/shkarface) - First contribution!
+* [**@xrmtech-isk**](https://github.com/xrmtech-isk) - First contribution!
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.41.0...v1.0.0

docs/changelogs/v1.0.1.md

@@ -0,0 +1,21 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.1
+-->
+
+## Fixes
+
+* **[platform] Prevent cozystack-version ConfigMap from deletion**: Added resource protection to prevent the `cozystack-version` ConfigMap from being accidentally deleted, improving platform stability and reliability ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2112, #2114).
+
+* **[installer] Add keep annotation to Namespace and update migration script**: Added `helm.sh/resource-policy: keep` annotation to the `cozy-system` Namespace in the installer Helm chart to prevent Helm from deleting the namespace (and all HelmReleases within it) when the installer release is removed. The v1.0 migration script is also updated to annotate the `cozy-system` namespace and `cozystack-version` ConfigMap with this policy before migration ([**@kvaps**](https://github.com/kvaps) in #2122, #2123).
+
+* **[dashboard] Add FlowSchema to exempt BFF from API throttling**: Added a `cozy-dashboard-exempt` FlowSchema to exempt the dashboard Back-End-for-Frontend (BFF) service account from Kubernetes API Priority and Fairness throttling. Previously, the BFF fell under the `workload-low` priority level, causing 429 (Too Many Requests) errors under load, resulting in dashboard unresponsiveness ([**@kvaps**](https://github.com/kvaps) in #2121, #2124).
+
+## Documentation
+
+* **[website] Replace bundles documentation with variants**: Renamed the "Bundles" documentation section to "Variants" to match current Cozystack terminology. Removed deprecated variants (`iaas-full`, `distro-full`, `distro-hosted`) and added new variants: `default` (PackageSources only, for manual package management via cozypkg) and `isp-full-generic` (full PaaS/IaaS on k3s, kubeadm, or RKE2). Updated all cross-references throughout the documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website#433).
+
+* **[website] Add step to protect namespace before upgrading**: Updated the cluster upgrade guide and v0.41→v1.0 migration guide with a required step to annotate the `cozy-system` namespace and `cozystack-version` ConfigMap with `helm.sh/resource-policy=keep` before running `helm upgrade`, preventing accidental namespace deletion ([**@kvaps**](https://github.com/kvaps) in cozystack/website#435).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0...v1.0.1

docs/changelogs/v1.0.2.md

@@ -0,0 +1,19 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.2
+-->
+
+## Fixes
+
+* **[platform] Suspend cozy-proxy if it conflicts with installer release during migration**: Added a check in the v0.41→v1.0 migration script to detect and automatically suspend the `cozy-proxy` HelmRelease when its `releaseName` is set to `cozystack`, which conflicts with the installer release and would cause `cozystack-operator` deletion during the upgrade ([**@kvaps**](https://github.com/kvaps) in #2128, #2130).
+
+* **[platform] Fix off-by-one error in run-migrations script**: Fixed a bug in the migration runner where the first required migration was always skipped due to an off-by-one error in the migration range calculation, ensuring all upgrade steps execute correctly ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2126, #2132).
+
+* **[system] Fix Keycloak proxy configuration for v26.x**: Replaced the deprecated `KC_PROXY=edge` environment variable with `KC_PROXY_HEADERS=xforwarded` and `KC_HTTP_ENABLED=true` in the Keycloak StatefulSet template. `KC_PROXY` was removed in Keycloak 26.x, previously causing "Non-secure context detected" warnings and broken cookie handling when running behind a reverse proxy with TLS termination ([**@sircthulhu**](https://github.com/sircthulhu) in #2125, #2134).
+
+* **[dashboard] Allow clearing instanceType field and preserve newlines in secret copy**: Added `allowEmpty: true` to the `instanceType` field in the VMInstance form so users can explicitly clear it to use custom KubeVirt resources without a named instance type. Also fixed newline preservation when copying secrets with CMD+C ([**@sircthulhu**](https://github.com/sircthulhu) in #2135, #2137).
+
+* **[dashboard] Restore stock-instance sidebars for namespace-level pages**: Restored `stock-instance-api-form`, `stock-instance-api-table`, `stock-instance-builtin-form`, and `stock-instance-builtin-table` sidebar resources that were inadvertently removed in #2106. Without these sidebars, namespace-level pages such as Backup Plans rendered as empty pages with no interactive content ([**@sircthulhu**](https://github.com/sircthulhu) in #2136, #2138).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.1...v1.0.2

docs/proposals/affinity-class.md

@@ -1,356 +0,0 @@
-# AffinityClass: Named Placement Classes for CozyStack Applications (Draft)
-
-## Concept
-
-Similar to StorageClass in Kubernetes, a new resource **AffinityClass** is introduced — a named abstraction over scheduling constraints. When creating an Application, the user selects an AffinityClass by name without knowing the details of the cluster topology.
-
-```
-StorageClass     →  "which disk"       →  PV provisioning
-AffinityClass    →  "where to place"   →  Pod scheduling
-```
-
-## Design
-
-### 1. AffinityClass CRD
-
-A cluster-scoped resource created by the platform administrator:
-
-```yaml
-apiVersion: cozystack.io/v1alpha1
-kind: AffinityClass
-metadata:
-  name: dc1
-spec:
-  # nodeSelector that MUST be present on every pod of the application.
-  # Used for validation by the lineage webhook.
-  nodeSelector:
-    topology.kubernetes.io/zone: dc1
-```
-
-```yaml
-apiVersion: cozystack.io/v1alpha1
-kind: AffinityClass
-metadata:
-  name: dc2
-spec:
-  nodeSelector:
-    topology.kubernetes.io/zone: dc2
-```
-
-```yaml
-apiVersion: cozystack.io/v1alpha1
-kind: AffinityClass
-metadata:
-  name: gpu
-spec:
-  nodeSelector:
-    node.kubernetes.io/gpu: "true"
-```
-
-An AffinityClass contains a `nodeSelector` — a set of key=value pairs that must be present in `pod.spec.nodeSelector` on every pod of the application. This is a contract: the chart is responsible for setting these selectors, the webhook is responsible for verifying them.
-
-### 2. Tenant: Restricting Available Classes
-
-Tenant gets `allowedAffinityClasses` and `defaultAffinityClass` fields:
-
-```yaml
-apiVersion: apps.cozystack.io/v1alpha1
-kind: Tenant
-metadata:
-  name: acme
-  namespace: tenant-root
-spec:
-  defaultAffinityClass: dc1          # default class for applications
-  allowedAffinityClasses:            # which classes are allowed
-    - dc1
-    - dc2
-  etcd: false
-  ingress: true
-  monitoring: false
-```
-
-These values are propagated to the `cozystack-values` Secret in the child namespace:
-
-```yaml
-# Secret cozystack-values in namespace tenant-acme
-stringData:
-  values.yaml: |
-    _cluster:
-      # ... existing cluster config
-    _namespace:
-      # ... existing namespace config
-      defaultAffinityClass: dc1
-      allowedAffinityClasses:
-        - dc1
-        - dc2
-```
-
-### 3. Application: Selecting a Class
-
-Each application can specify an `affinityClass`. If not specified, the `defaultAffinityClass` from the tenant is used:
-
-```yaml
-apiVersion: apps.cozystack.io/v1alpha1
-kind: Postgres
-metadata:
-  name: main-db
-  namespace: tenant-acme
-spec:
-  affinityClass: dc1       # explicit selection
-  replicas: 3
-```
-
-```yaml
-apiVersion: apps.cozystack.io/v1alpha1
-kind: Redis
-metadata:
-  name: cache
-  namespace: tenant-acme
-spec:
-  # affinityClass not specified → uses tenant's defaultAffinityClass (dc1)
-  replicas: 2
-```
-
-### 4. How affinityClass Reaches the HelmRelease
-
-When creating an Application, the API server (`pkg/registry/apps/application/rest.go`):
-
-1. Extracts `affinityClass` from `spec` (or uses the default from `cozystack-values`)
-2. Records `affinityClass` as a **label on the HelmRelease**:
-   ```
-   apps.cozystack.io/affinity-class: dc1
-   ```
-3. Resolves AffinityClass to `nodeSelector` and passes it into HelmRelease values as `_scheduling`:
-   ```yaml
-   _scheduling:
-     affinityClass: dc1
-     nodeSelector:
-       topology.kubernetes.io/zone: dc1
-   ```
-
-### 5. How Charts Apply Scheduling
-
-A helper is added to `cozy-lib`:
-
-```yaml
-{{- define "cozy-lib.scheduling.nodeSelector" -}}
-{{- if .Values._scheduling }}
-{{- if .Values._scheduling.nodeSelector }}
-nodeSelector:
-  {{- .Values._scheduling.nodeSelector | toYaml | nindent 2 }}
-{{- end }}
-{{- end }}
-{{- end -}}
-```
-
-Each app chart uses the helper when rendering Pod/StatefulSet/Deployment specs:
-
-```yaml
-# packages/apps/postgres/templates/db.yaml
-spec:
-  instances: {{ .Values.replicas }}
-  {{- include "cozy-lib.scheduling.nodeSelector" . | nindent 2 }}
-```
-
-```yaml
-# packages/apps/redis/templates/redis.yaml
-spec:
-  replicas: {{ .Values.replicas }}
-  template:
-    spec:
-      {{- include "cozy-lib.scheduling.nodeSelector" . | nindent 6 }}
-```
-
-Charts **must** apply `_scheduling.nodeSelector`. If they don't, pods will be rejected by the webhook.
-
----
-
-## Validation via Lineage Webhook
-
-### Why Validation, Not Mutation
-
-Mutation (injecting nodeSelector into a pod) creates problems:
-- Requires merging with existing pod nodeSelector/affinity — complex logic with edge cases
-- Operators (CNPG, Strimzi) may overwrite nodeSelector on pod restart
-- Hidden behavior: pod is created with one spec but actually runs with another
-
-Validation is simpler and more reliable:
-- Webhook checks: "does this pod **have** the required nodeSelector?"
-- If not, the pod is **rejected** with a clear error message
-- The chart and operator are responsible for setting the correct spec
-
-### What Already Exists in the Lineage Webhook
-
-The lineage webhook (`internal/lineagecontrollerwebhook/webhook.go`) on every Pod creation:
-
-1. Decodes the Pod
-2. Walks the ownership graph (`lineage.WalkOwnershipGraph`) — finds the **owning HelmRelease**
-3. Extracts labels from the HelmRelease: `apps.cozystack.io/application.kind`, `.group`, `.name`
-4. Applies these labels to the Pod
-
-**Key point:** the webhook already knows which HelmRelease owns each Pod.
-
-### What Is Added
-
-After computing lineage labels, a validation step is added:
-
-```
-Handle(pod):
-  1. [existing] computeLabels(pod)          → finds owning HelmRelease
-  2. [existing] applyLabels(pod, labels)     → mutates labels
-  3. [NEW]      validateAffinity(pod, hr)    → checks nodeSelector
-  4. Return patch or Denied
-```
-
-The `validateAffinity` logic:
-
-```go
-func (h *LineageControllerWebhook) validateAffinity(
-    ctx context.Context,
-    pod *unstructured.Unstructured,
-    hr *helmv2.HelmRelease,
-) *admission.Response {
-    // 1. Extract affinityClass from HelmRelease label
-    affinityClassName, ok := hr.Labels["apps.cozystack.io/affinity-class"]
-    if !ok {
-        return nil // no affinityClass — no validation needed
-    }
-
-    // 2. Look up AffinityClass from cache
-    affinityClass, ok := h.affinityClassMap[affinityClassName]
-    if !ok {
-        resp := admission.Denied(fmt.Sprintf(
-            "AffinityClass %q not found", affinityClassName))
-        return &resp
-    }
-
-    // 3. Check pod's nodeSelector
-    podNodeSelector := extractNodeSelector(pod) // from pod.spec.nodeSelector
-    for key, expected := range affinityClass.Spec.NodeSelector {
-        actual, exists := podNodeSelector[key]
-        if !exists || actual != expected {
-            resp := admission.Denied(fmt.Sprintf(
-                "pod %s/%s belongs to application with AffinityClass %q "+
-                "but missing required nodeSelector %s=%s",
-                pod.GetNamespace(), pod.GetName(),
-                affinityClassName, key, expected))
-            return &resp
-        }
-    }
-
-    return nil // validation passed
-}
-```
-
-### AffinityClass Caching
-
-The lineage webhook controller already caches ApplicationDefinitions (`runtimeConfig.appCRDMap`). An AffinityClass cache is added in the same way:
-
-```go
-type runtimeConfig struct {
-    appCRDMap        map[appRef]*cozyv1alpha1.ApplicationDefinition
-    affinityClassMap map[string]*cozyv1alpha1.AffinityClass  // NEW
-}
-```
-
-The controller adds a watch on AffinityClass:
-
-```go
-func (c *LineageControllerWebhook) SetupWithManagerAsController(mgr ctrl.Manager) error {
-    return ctrl.NewControllerManagedBy(mgr).
-        For(&cozyv1alpha1.ApplicationDefinition{}).
-        Watches(&cozyv1alpha1.AffinityClass{}, &handler.EnqueueRequestForObject{}).
-        Complete(c)
-}
-```
-
-When an AffinityClass changes, the cache is rebuilt.
-
----
-
-## End-to-End Flow
-
-```
-1. Admin creates AffinityClass "dc1" (nodeSelector: zone=dc1)
-
-2. Admin creates Tenant "acme" (defaultAffinityClass: dc1, allowed: [dc1, dc2])
-   → namespace tenant-acme
-   → cozystack-values Secret with defaultAffinityClass
-
-3. User creates Postgres "main-db" (affinityClass: dc1)
-   → API server checks: dc1 ∈ allowedAffinityClasses? ✓
-   → API server resolves AffinityClass → nodeSelector
-   → HelmRelease is created with:
-      - label: apps.cozystack.io/affinity-class=dc1
-      - values: _scheduling.nodeSelector.topology.kubernetes.io/zone=dc1
-
-4. FluxCD deploys HelmRelease → Helm renders the chart
-   → Chart uses cozy-lib helper
-   → CNPG Cluster is created with nodeSelector: {zone: dc1}
-
-5. CNPG operator creates Pod
-   → Pod has nodeSelector: {zone: dc1}
-
-6. Lineage webhook intercepts the Pod:
-   a. WalkOwnershipGraph → finds HelmRelease "main-db"
-   b. HelmRelease label → affinityClass=dc1
-   c. AffinityClass "dc1" → nodeSelector: {zone: dc1}
-   d. Checks: pod.spec.nodeSelector contains zone=dc1? ✓
-   e. Admits Pod (+ standard lineage labels)
-
-7. Scheduler places the Pod on a node in dc1
-```
-
-### Error Scenario (chart forgot to apply nodeSelector):
-
-```
-5. CNPG operator creates Pod WITHOUT nodeSelector
-
-6. Lineage webhook:
-   d. Checks: pod.spec.nodeSelector contains zone=dc1? ✗
-   e. REJECTS Pod:
-      "pod main-db-1 belongs to application with AffinityClass dc1
-       but missing required nodeSelector topology.kubernetes.io/zone=dc1"
-
-7. Pod is not created. CNPG operator sees the error and retries.
-   → Chart developer gets a signal that the chart does not support scheduling.
-```
-
----
-
-## Code Changes
-
-### New Files
-
-| File                                                 | Description             |
-|------------------------------------------------------|-------------------------|
-| `api/v1alpha1/affinityclass_types.go`                | AffinityClass CRD types |
-| `config/crd/bases/cozystack.io_affinityclasses.yaml` | CRD manifest            |
-
-### Modified Files
-
-| File                                                  | Change                                                            |
-|-------------------------------------------------------|-------------------------------------------------------------------|
-| `internal/lineagecontrollerwebhook/webhook.go`        | Add `validateAffinity()` to `Handle()`                            |
-| `internal/lineagecontrollerwebhook/config.go`         | Add `affinityClassMap` to `runtimeConfig`                         |
-| `internal/lineagecontrollerwebhook/controller.go`     | Add watch on AffinityClass                                        |
-| `pkg/registry/apps/application/rest.go`               | On Create/Update: resolve affinityClass, pass to values and label |
-| `packages/apps/tenant/values.yaml`                    | Add `defaultAffinityClass`, `allowedAffinityClasses`              |
-| `packages/apps/tenant/templates/namespace.yaml`       | Propagate to cozystack-values                                     |
-| `packages/system/tenant-rd/cozyrds/tenant.yaml`       | Extend OpenAPI schema                                             |
-| `packages/library/cozy-lib/templates/_cozyconfig.tpl` | Add `cozy-lib.scheduling.nodeSelector` helper                     |
-| `packages/apps/*/templates/*.yaml`                    | Each app chart: add helper usage                                  |
-
----
-
-## Open Questions
-
-1. **AffinityClass outside Tenants**: Should AffinityClass work for applications outside tenant namespaces (system namespace)? Or only for tenant workloads?
-
-2. **affinityClass validation on Application creation**: The API server should verify that the specified affinityClass exists and is included in the tenant's `allowedAffinityClasses`. Where should this be done — in the REST handler (`rest.go`) or in a separate validating webhook?
-
-3. **Soft mode (warn vs deny)**: Is a mode needed where the webhook issues a warning instead of rejecting? This would simplify gradual adoption while not all charts support `_scheduling`.
-
-4. **affinityClass inheritance**: If a child Tenant does not specify `defaultAffinityClass`, should it be inherited from the parent? The current `cozystack-values` architecture supports this inheritance natively.
-
-5. **Multiple nodeSelectors**: Is OR-logic support needed (pod can be in dc1 OR dc2)? With `nodeSelector` this is impossible — AffinityClass would need to be extended to `nodeAffinity`. However, validation becomes significantly more complex.

hack/cozytest.sh

@@ -10,7 +10,11 @@ PATTERN=${2:-*}
 LINE='----------------------------------------------------------------'
 
 cols() { stty size 2>/dev/null | awk '{print $2}' || echo 80; }
-MAXW=$(( $(cols) - 12 )); [ "$MAXW" -lt 40 ] && MAXW=70
+if [ -t 1 ]; then
+  MAXW=$(( $(cols) - 12 )); [ "$MAXW" -lt 40 ] && MAXW=70
+else
+  MAXW=0  # no truncation when not a tty (e.g. CI)
+fi
 BEGIN=$(date +%s)
 timestamp() { s=$(( $(date +%s) - BEGIN )); printf '[%02d:%02d]' $((s/60)) $((s%60)); }
 
@@ -45,7 +49,7 @@ run_one() {
           *)       out=$line ;;
         esac
         now=$(( $(date +%s) - START ))
-        [ ${#out} -gt "$MAXW" ] && out="$(printf '%.*s…' "$MAXW" "$out")"
+        [ "$MAXW" -gt 0 ] && [ ${#out} -gt "$MAXW" ] && out="$(printf '%.*s…' "$MAXW" "$out")"
         printf '┊[%02d:%02d] %s\n' $((now/60)) $((now%60)) "$out"
   done
 

hack/e2e-apps/openbao.bats

@@ -0,0 +1,59 @@
+#!/usr/bin/env bats
+
+@test "Create OpenBAO (standalone)" {
+  name='test'
+  kubectl apply -f- <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: OpenBAO
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  replicas: 1
+  size: 10Gi
+  storageClass: ""
+  resourcesPreset: "small"
+  resources: {}
+  external: false
+  ui: true
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr openbao-$name --timeout=60s --for=condition=ready
+  kubectl -n tenant-test wait hr openbao-$name-system --timeout=120s --for=condition=ready
+
+  # Wait for container to be started (pod Running does not guarantee container is ready for exec on slow CI)
+  if ! timeout 120 sh -ec "until kubectl -n tenant-test get pod openbao-$name-0 --output jsonpath='{.status.containerStatuses[0].started}' 2>/dev/null | grep -q true; do sleep 5; done"; then
+    echo "=== DEBUG: Container did not start in time ===" >&2
+    kubectl -n tenant-test describe pod openbao-$name-0 >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 --previous >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 >&2 || true
+    return 1
+  fi
+
+  # Wait for OpenBAO API to accept connections
+  # bao status exit codes: 0 = unsealed, 1 = error/not ready, 2 = sealed but responsive
+  if ! timeout 60 sh -ec "until kubectl -n tenant-test exec openbao-$name-0 -- bao status >/dev/null 2>&1; rc=\$?; test \$rc -eq 0 -o \$rc -eq 2; do sleep 3; done"; then
+    echo "=== DEBUG: OpenBAO API did not become responsive ===" >&2
+    kubectl -n tenant-test describe pod openbao-$name-0 >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 --previous >&2 || true
+    kubectl -n tenant-test logs openbao-$name-0 >&2 || true
+    return 1
+  fi
+
+  # Initialize OpenBAO (single key share for testing simplicity)
+  init_output=$(kubectl -n tenant-test exec openbao-$name-0 -- bao operator init -key-shares=1 -key-threshold=1 -format=json)
+  unseal_key=$(echo "$init_output" | jq -r '.unseal_keys_b64[0]')
+  if [ -z "$unseal_key" ] || [ "$unseal_key" = "null" ]; then
+    echo "Failed to extract unseal key. Init output: $init_output" >&2
+    return 1
+  fi
+
+  # Unseal OpenBAO
+  kubectl -n tenant-test exec openbao-$name-0 -- bao operator unseal "$unseal_key"
+
+  # Now wait for pod to become ready (readiness probe checks seal status)
+  kubectl -n tenant-test wait sts openbao-$name --timeout=90s --for=jsonpath='{.status.readyReplicas}'=1
+  kubectl -n tenant-test wait pvc data-openbao-$name-0 --timeout=50s --for=jsonpath='{.status.phase}'=Bound
+  kubectl -n tenant-test delete openbao.apps.cozystack.io $name
+  kubectl -n tenant-test delete pvc data-openbao-$name-0 --ignore-not-found
+}

hack/e2e-apps/run-kubernetes.sh

@@ -86,27 +86,35 @@ EOF
   yq -i ".clusters[0].cluster.server = \"https://localhost:${port}\"" "tenantkubeconfig-${test_name}"
 
 
-  # Set up port forwarding to the Kubernetes API server for a 200 second timeout
+  # Kill any stale port-forward on this port from a previous retry
+  pkill -f "port-forward.*${port}:" 2>/dev/null || true
+  sleep 1
+
+  # Set up port forwarding to the Kubernetes API server
   bash -c 'timeout 500s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
   # Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
   timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
 
-  # Wait for the nodes to be ready (timeout after 2 minutes)
-  timeout 3m bash -c '
-    until [ "$(kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -eq 2 ]; do
+  # Wait for at least 2 nodes to join (timeout after 8 minutes)
+  timeout 8m bash -c '
+    until [ "$(kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -ge 2 ]; do
       sleep 2
     done
   '
   # Verify the nodes are ready
-  kubectl --kubeconfig "tenantkubeconfig-${test_name}" wait node --all --timeout=2m --for=condition=Ready
+  if ! kubectl --kubeconfig "tenantkubeconfig-${test_name}" wait node --all --timeout=2m --for=condition=Ready; then
+    # Additional debug messages
+    kubectl --kubeconfig "tenantkubeconfig-${test_name}" describe nodes
+    kubectl -n tenant-test get hr
+  fi
   kubectl --kubeconfig "tenantkubeconfig-${test_name}" get nodes -o wide
 
   # Verify the kubelet version matches what we expect
   versions=$(kubectl --kubeconfig "tenantkubeconfig-${test_name}" \
     get nodes -o jsonpath='{.items[*].status.nodeInfo.kubeletVersion}')
-  
+
   node_ok=true
-  
+
   for v in $versions; do
     case "$v" in
       "${k8s_version}" | "${k8s_version}".* | "${k8s_version}"-*)
@@ -189,7 +197,7 @@ EOF
 
   # Wait for pods readiness
   kubectl wait deployment --kubeconfig "tenantkubeconfig-${test_name}" "${test_name}-backend" -n tenant-test --for=condition=Available --timeout=300s
-  
+
   # Wait for LoadBalancer to be provisioned (IP or hostname)
   timeout 90 sh -ec "
     until kubectl get svc ${test_name}-backend --kubeconfig tenantkubeconfig-${test_name} -n tenant-test \

hack/e2e-install-cozystack.bats

@@ -8,7 +8,7 @@
 }
 
 @test "Install Cozystack" {
-  # Install cozy-installer chart (CRDs from crds/ are applied automatically)
+  # Install cozy-installer chart (operator installs CRDs on startup via --install-crds)
   helm upgrade installer packages/core/installer \
     --install \
     --namespace cozy-system \
@@ -19,6 +19,14 @@
   # Verify the operator deployment is available
   kubectl wait deployment/cozystack-operator -n cozy-system --timeout=1m --for=condition=Available
 
+  # Wait for operator to install CRDs (happens at startup before reconcile loop).
+  # kubectl wait fails immediately if the CRD does not exist yet, so poll until it appears first.
+  timeout 120 sh -ec 'until kubectl wait crd/packages.cozystack.io --for=condition=Established --timeout=10s 2>/dev/null; do sleep 2; done'
+  timeout 120 sh -ec 'until kubectl wait crd/packagesources.cozystack.io --for=condition=Established --timeout=10s 2>/dev/null; do sleep 2; done'
+
+  # Wait for operator to create the platform PackageSource
+  timeout 120 sh -ec 'until kubectl get packagesource cozystack.cozystack-platform >/dev/null 2>&1; do sleep 2; done'
+
   # Create platform Package with isp-full variant
   kubectl apply -f - <<EOF
 apiVersion: cozystack.io/v1alpha1

hack/migrate-to-version-1.0.sh

@@ -32,6 +32,54 @@ if ! kubectl get namespace "$NAMESPACE" &> /dev/null; then
     exit 1
 fi
 
+# Step 0: Annotate critical resources to prevent Helm from deleting them
+echo "Step 0: Protect critical resources from Helm deletion"
+echo ""
+echo "The following resources will be annotated with helm.sh/resource-policy=keep"
+echo "to prevent Helm from deleting them when the installer release is removed:"
+echo "  - Namespace: $NAMESPACE"
+echo "  - ConfigMap: $NAMESPACE/cozystack-version"
+echo ""
+read -p "Do you want to annotate these resources? (y/N) " -n 1 -r
+echo ""
+
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+    echo "Annotating namespace $NAMESPACE..."
+    kubectl annotate namespace "$NAMESPACE" helm.sh/resource-policy=keep --overwrite
+    echo "Annotating ConfigMap cozystack-version..."
+    kubectl annotate configmap -n "$NAMESPACE" cozystack-version helm.sh/resource-policy=keep --overwrite 2>/dev/null || echo "  ConfigMap cozystack-version not found, skipping."
+    echo ""
+    echo "Resources annotated successfully."
+else
+    echo "WARNING: Skipping annotation. If you remove the Helm installer release,"
+    echo "the namespace and its contents may be deleted!"
+fi
+echo ""
+
+# Step 1: Check for cozy-proxy HelmRelease with conflicting releaseName
+# In v0.41.x, cozy-proxy was incorrectly configured with releaseName "cozystack",
+# which conflicts with the installer helm release name. If not suspended, cozy-proxy
+# HelmRelease will overwrite the installer release and delete cozystack-operator.
+COZY_PROXY_RELEASE_NAME=$(kubectl get hr -n "$NAMESPACE" cozy-proxy -o jsonpath='{.spec.releaseName}' 2>/dev/null || true)
+if [ "$COZY_PROXY_RELEASE_NAME" = "cozystack" ]; then
+    echo "WARNING: HelmRelease cozy-proxy has releaseName 'cozystack', which conflicts"
+    echo "with the installer release. It must be suspended before proceeding, otherwise"
+    echo "it will overwrite the installer and delete cozystack-operator."
+    echo ""
+    read -p "Suspend HelmRelease cozy-proxy? (y/N) " -n 1 -r
+    echo ""
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        kubectl -n "$NAMESPACE" patch hr cozy-proxy --type=merge --field-manager=flux-client-side-apply -p '{"spec":{"suspend":true}}'
+        echo "HelmRelease cozy-proxy suspended."
+    else
+        echo "ERROR: Cannot proceed with conflicting cozy-proxy HelmRelease active."
+        echo "Please suspend it manually:"
+        echo "  kubectl -n $NAMESPACE patch hr cozy-proxy --type=merge -p '{\"spec\":{\"suspend\":true}}'"
+        exit 1
+    fi
+    echo ""
+fi
+
 # Read ConfigMap cozystack
 echo "Reading ConfigMap cozystack..."
 COZYSTACK_CM=$(kubectl get configmap -n "$NAMESPACE" cozystack -o json 2>/dev/null || echo "{}")
@@ -52,6 +100,43 @@ OIDC_ENABLED=$(echo "$COZYSTACK_CM" | jq -r '.data["oidc-enabled"] // "false"')
 KEYCLOAK_REDIRECTS=$(echo "$COZYSTACK_CM" | jq -r '.data["extra-keycloak-redirect-uri-for-dashboard"] // ""' )
 TELEMETRY_ENABLED=$(echo "$COZYSTACK_CM" | jq -r '.data["telemetry-enabled"] // "true"')
 BUNDLE_NAME=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-name"] // "paas-full"')
+BUNDLE_DISABLE=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-disable"] // ""')
+BUNDLE_ENABLE=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-enable"] // ""')
+EXPOSE_INGRESS=$(echo "$COZYSTACK_CM" | jq -r '.data["expose-ingress"] // "tenant-root"')
+EXPOSE_SERVICES=$(echo "$COZYSTACK_CM" | jq -r '.data["expose-services"] // ""')
+
+# Certificate issuer configuration (old undocumented field: clusterissuer)
+OLD_CLUSTER_ISSUER=$(echo "$COZYSTACK_CM" | jq -r '.data["clusterissuer"] // ""')
+
+# Convert old clusterissuer value to new solver/issuerName fields
+SOLVER=""
+ISSUER_NAME=""
+case "$OLD_CLUSTER_ISSUER" in
+    cloudflare)
+        SOLVER="dns01"
+        ISSUER_NAME="letsencrypt-prod"
+        ;;
+    http01)
+        SOLVER="http01"
+        ISSUER_NAME="letsencrypt-prod"
+        ;;
+    "")
+        # Field not set; omit from Package so chart defaults apply
+        ;;
+    *)
+        # Unrecognised value — treat as custom ClusterIssuer name with no solver override
+        ISSUER_NAME="$OLD_CLUSTER_ISSUER"
+        ;;
+esac
+
+# Build certificates YAML block (empty string when no override needed)
+if [ -n "$SOLVER" ] || [ -n "$ISSUER_NAME" ]; then
+    CERTIFICATES_SECTION="          certificates:
+            solver: \"${SOLVER}\"
+            issuerName: \"${ISSUER_NAME}\""
+else
+    CERTIFICATES_SECTION=""
+fi
 
 # Network configuration
 POD_CIDR=$(echo "$COZYSTACK_CM" | jq -r '.data["ipv4-pod-cidr"] // "10.244.0.0/16"')
@@ -66,28 +151,31 @@ else
     EXTERNAL_IPS=$(echo "$EXTERNAL_IPS" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - "$0}')
 fi
 
-# Determine bundle type
-case "$BUNDLE_NAME" in
-    paas-full|distro-full)
-        SYSTEM_ENABLED="true"
-        SYSTEM_TYPE="full"
-        ;;
-    paas-hosted|distro-hosted)
-        SYSTEM_ENABLED="false"
-        SYSTEM_TYPE="hosted"
-        ;;
-    *)
-        SYSTEM_ENABLED="false"
-        SYSTEM_TYPE="hosted"
-        ;;
-esac
+# Convert comma-separated lists to YAML arrays
+if [ -z "$BUNDLE_DISABLE" ]; then
+    DISABLED_PACKAGES="[]"
+else
+    DISABLED_PACKAGES=$(echo "$BUNDLE_DISABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - cozystack."$0}')
+fi
+
+if [ -z "$BUNDLE_ENABLE" ]; then
+    ENABLED_PACKAGES="[]"
+else
+    ENABLED_PACKAGES=$(echo "$BUNDLE_ENABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - cozystack."$0}')
+fi
+
+if [ -z "$EXPOSE_SERVICES" ]; then
+    EXPOSED_SERVICES_YAML="[]"
+else
+    EXPOSED_SERVICES_YAML=$(echo "$EXPOSE_SERVICES" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "            - "$0}')
+fi
 
 # Update bundle naming
 BUNDLE_NAME=$(echo "$BUNDLE_NAME" | sed 's/paas/isp/')
 
 # Extract branding if available
 BRANDING=$(echo "$BRANDING_CM" | jq -r '.data // {} | to_entries[] | "\(.key): \"\(.value)\""')
-if [ -z "$BRANDING" ]; then 
+if [ -z "$BRANDING" ]; then
     BRANDING="{}"
 else
     BRANDING=$(echo "$BRANDING" | awk 'BEGIN{print}{print "          " $0}')
@@ -108,8 +196,8 @@ echo "  Root Host: $ROOT_HOST"
 echo "  API Server Endpoint: $API_SERVER_ENDPOINT"
 echo "  OIDC Enabled: $OIDC_ENABLED"
 echo "  Bundle Name: $BUNDLE_NAME"
-echo "  System Enabled: $SYSTEM_ENABLED"
-echo "  System Type: $SYSTEM_TYPE"
+echo "  Certificate Solver: ${SOLVER:-http01 (default)}"
+echo "  Issuer Name: ${ISSUER_NAME:-letsencrypt-prod (default)}"
 echo ""
 
 # Generate Package YAML
@@ -125,15 +213,8 @@ spec:
     platform:
       values:
         bundles:
-          system:
-            enabled: $SYSTEM_ENABLED
-            type: "$SYSTEM_TYPE"
-          iaas:
-            enabled: true
-          paas:
-            enabled: true
-          naas:
-            enabled: true
+          disabledPackages: $DISABLED_PACKAGES
+          enabledPackages: $ENABLED_PACKAGES
         networking:
           clusterDomain: "$CLUSTER_DOMAIN"
           podCIDR: "$POD_CIDR"
@@ -142,8 +223,11 @@ spec:
           joinCIDR: "$JOIN_CIDR"
         publishing:
           host: "$ROOT_HOST"
+          ingressName: "$EXPOSE_INGRESS"
+          exposedServices: $EXPOSED_SERVICES_YAML
           apiServerEndpoint: "$API_SERVER_ENDPOINT"
           externalIPs: $EXTERNAL_IPS
+${CERTIFICATES_SECTION}
         authentication:
           oidc:
             enabled: $OIDC_ENABLED

hack/update-codegen.sh

@@ -24,8 +24,7 @@ API_KNOWN_VIOLATIONS_DIR="${API_KNOWN_VIOLATIONS_DIR:-"${SCRIPT_ROOT}/api/api-ru
 UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS:-true}"
 CONTROLLER_GEN="go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.4"
 TMPDIR=$(mktemp -d)
-OPERATOR_CRDDIR=packages/core/installer/crds
-OPERATOR_EMBEDDIR=internal/crdinstall/manifests
+OPERATOR_CRDDIR=internal/crdinstall/manifests
 COZY_CONTROLLER_CRDDIR=packages/system/cozystack-controller/definitions
 COZY_RD_CRDDIR=packages/system/application-definition-crd/definition
 BACKUPS_CORE_CRDDIR=packages/system/backup-controller/definitions
@@ -74,9 +73,6 @@ $CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:arti
 mv ${TMPDIR}/cozystack.io_packages.yaml ${OPERATOR_CRDDIR}/cozystack.io_packages.yaml
 mv ${TMPDIR}/cozystack.io_packagesources.yaml ${OPERATOR_CRDDIR}/cozystack.io_packagesources.yaml
 
-cp ${OPERATOR_CRDDIR}/cozystack.io_packages.yaml ${OPERATOR_EMBEDDIR}/cozystack.io_packages.yaml
-cp ${OPERATOR_CRDDIR}/cozystack.io_packagesources.yaml ${OPERATOR_EMBEDDIR}/cozystack.io_packagesources.yaml
-
 mv ${TMPDIR}/cozystack.io_applicationdefinitions.yaml \
         ${COZY_RD_CRDDIR}/cozystack.io_applicationdefinitions.yaml
 

internal/controller/dashboard/README.md

@@ -156,7 +156,7 @@ menuItems = append(menuItems, map[string]any{
         map[string]any{
             "key":   "{plural}",
             "label": "{ResourceLabel}",
-            "link":  "/openapi-ui/{clusterName}/{namespace}/api-table/{group}/{version}/{plural}",
+            "link":  "/openapi-ui/{cluster}/{namespace}/api-table/{group}/{version}/{plural}",
         },
     },
 }),
@@ -174,7 +174,7 @@ menuItems = append(menuItems, map[string]any{
 
 **Important Notes**:
 - The sidebar tag (`{lowercase-kind}-sidebar`) must match what the Factory uses
-- The link format: `/openapi-ui/{clusterName}/{namespace}/api-table/{group}/{version}/{plural}`
+- The link format: `/openapi-ui/{cluster}/{namespace}/api-table/{group}/{version}/{plural}`
 - All sidebars share the same `keysAndTags` and `menuItems`, so changes affect all sidebar instances
 
 ### Step 4: Verify Integration

internal/controller/dashboard/customformsoverride.go

@@ -46,8 +46,11 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 		}
 	}
 
-	// Build schema with multilineString for string fields without enum
+	// Parse OpenAPI schema once for reuse
 	l := log.FromContext(ctx)
+	openAPIProps := parseOpenAPIProperties(crd.Spec.Application.OpenAPISchema)
+
+	// Build schema with multilineString for string fields without enum
 	schema, err := buildMultilineStringSchema(crd.Spec.Application.OpenAPISchema)
 	if err != nil {
 		// If schema parsing fails, log the error and use an empty schema
@@ -55,6 +58,9 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 		schema = map[string]any{}
 	}
 
+	// Override specific fields with API-backed dropdowns (listInput type)
+	applyListInputOverrides(schema, kind, openAPIProps)
+
 	spec := map[string]any{
 		"customizationId": customizationID,
 		"hidden":          hidden,
@@ -176,6 +182,130 @@ func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
 	return schema, nil
 }
 
+// applyListInputOverrides injects listInput type overrides into the schema
+// for fields that should be rendered as API-backed dropdowns in the dashboard.
+// openAPIProps are the parsed top-level properties from the OpenAPI schema.
+func applyListInputOverrides(schema map[string]any, kind string, openAPIProps map[string]any) {
+	switch kind {
+	case "VMInstance":
+		specProps := ensureSchemaPath(schema, "spec")
+		field := map[string]any{
+			"type": "listInput",
+			"customProps": map[string]any{
+				"valueUri":    "/api/clusters/{cluster}/k8s/apis/instancetype.kubevirt.io/v1beta1/virtualmachineclusterinstancetypes",
+				"keysToValue": []any{"metadata", "name"},
+				"keysToLabel": []any{"metadata", "name"},
+				"allowEmpty":  true,
+			},
+		}
+		if prop, _ := openAPIProps["instanceType"].(map[string]any); prop != nil {
+			if def := prop["default"]; def != nil {
+				field["default"] = def
+			}
+		}
+		specProps["instanceType"] = field
+
+		// Override disks[].name to be an API-backed dropdown listing VMDisk resources
+		disksItemProps := ensureArrayItemProps(specProps, "disks")
+		disksItemProps["name"] = map[string]any{
+			"type": "listInput",
+			"customProps": map[string]any{
+				"valueUri":    "/api/clusters/{cluster}/k8s/apis/apps.cozystack.io/v1alpha1/namespaces/{namespace}/vmdisks",
+				"keysToValue": []any{"metadata", "name"},
+				"keysToLabel": []any{"metadata", "name"},
+			},
+		}
+
+	case "ClickHouse", "Harbor", "HTTPCache", "Kubernetes", "MariaDB", "MongoDB",
+		"NATS", "OpenBAO", "Postgres", "Qdrant", "RabbitMQ", "Redis", "VMDisk":
+		specProps := ensureSchemaPath(schema, "spec")
+		specProps["storageClass"] = storageClassListInput()
+
+	case "FoundationDB":
+		storageProps := ensureSchemaPath(schema, "spec", "storage")
+		storageProps["storageClass"] = storageClassListInput()
+
+	case "Kafka":
+		kafkaProps := ensureSchemaPath(schema, "spec", "kafka")
+		kafkaProps["storageClass"] = storageClassListInput()
+		zkProps := ensureSchemaPath(schema, "spec", "zookeeper")
+		zkProps["storageClass"] = storageClassListInput()
+	}
+}
+
+// storageClassListInput returns a listInput field config for a storageClass dropdown
+// backed by the cluster's available StorageClasses.
+func storageClassListInput() map[string]any {
+	return map[string]any{
+		"type": "listInput",
+		"customProps": map[string]any{
+			"valueUri":    "/api/clusters/{cluster}/k8s/apis/storage.k8s.io/v1/storageclasses",
+			"keysToValue": []any{"metadata", "name"},
+			"keysToLabel": []any{"metadata", "name"},
+		},
+	}
+}
+
+// ensureArrayItemProps ensures that parentProps[fieldName].items.properties exists
+// and returns the items properties map. Used for overriding fields inside array items.
+func ensureArrayItemProps(parentProps map[string]any, fieldName string) map[string]any {
+	field, ok := parentProps[fieldName].(map[string]any)
+	if !ok {
+		field = map[string]any{}
+		parentProps[fieldName] = field
+	}
+	items, ok := field["items"].(map[string]any)
+	if !ok {
+		items = map[string]any{}
+		field["items"] = items
+	}
+	props, ok := items["properties"].(map[string]any)
+	if !ok {
+		props = map[string]any{}
+		items["properties"] = props
+	}
+	return props
+}
+
+// parseOpenAPIProperties parses the top-level properties from an OpenAPI schema JSON string.
+func parseOpenAPIProperties(openAPISchema string) map[string]any {
+	if openAPISchema == "" {
+		return nil
+	}
+	var root map[string]any
+	if err := json.Unmarshal([]byte(openAPISchema), &root); err != nil {
+		return nil
+	}
+	props, _ := root["properties"].(map[string]any)
+	return props
+}
+
+// ensureSchemaPath ensures the nested properties structure exists in a schema
+// and returns the innermost properties map.
+// e.g. ensureSchemaPath(schema, "spec") returns schema["properties"]["spec"]["properties"]
+func ensureSchemaPath(schema map[string]any, segments ...string) map[string]any {
+	current := schema
+	for _, seg := range segments {
+		props, ok := current["properties"].(map[string]any)
+		if !ok {
+			props = map[string]any{}
+			current["properties"] = props
+		}
+		child, ok := props[seg].(map[string]any)
+		if !ok {
+			child = map[string]any{}
+			props[seg] = child
+		}
+		current = child
+	}
+	props, ok := current["properties"].(map[string]any)
+	if !ok {
+		props = map[string]any{}
+		current["properties"] = props
+	}
+	return props
+}
+
 // processSpecProperties recursively processes spec properties and adds multilineString type
 // for string fields without enum
 func processSpecProperties(props map[string]any, schemaProps map[string]any) {

internal/controller/dashboard/customformsoverride_test.go

@@ -169,3 +169,301 @@ func TestBuildMultilineStringSchemaInvalidJSON(t *testing.T) {
 		t.Errorf("Expected nil schema for invalid JSON, got %v", schema)
 	}
 }
+
+func TestApplyListInputOverrides_VMInstance(t *testing.T) {
+	openAPIProps := map[string]any{
+		"instanceType": map[string]any{"type": "string", "default": "u1.medium"},
+	}
+
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "VMInstance", openAPIProps)
+
+	specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+	instanceType, ok := specProps["instanceType"].(map[string]any)
+	if !ok {
+		t.Fatal("instanceType not found in schema.properties.spec.properties")
+	}
+
+	if instanceType["type"] != "listInput" {
+		t.Errorf("expected type listInput, got %v", instanceType["type"])
+	}
+
+	if instanceType["default"] != "u1.medium" {
+		t.Errorf("expected default u1.medium, got %v", instanceType["default"])
+	}
+
+	customProps, ok := instanceType["customProps"].(map[string]any)
+	if !ok {
+		t.Fatal("customProps not found")
+	}
+
+	expectedURI := "/api/clusters/{cluster}/k8s/apis/instancetype.kubevirt.io/v1beta1/virtualmachineclusterinstancetypes"
+	if customProps["valueUri"] != expectedURI {
+		t.Errorf("expected valueUri %s, got %v", expectedURI, customProps["valueUri"])
+	}
+
+	if customProps["allowEmpty"] != true {
+		t.Errorf("expected allowEmpty true, got %v", customProps["allowEmpty"])
+	}
+
+	// Check disks[].name is a listInput
+	disks, ok := specProps["disks"].(map[string]any)
+	if !ok {
+		t.Fatal("disks not found in schema.properties.spec.properties")
+	}
+	items, ok := disks["items"].(map[string]any)
+	if !ok {
+		t.Fatal("disks.items not found")
+	}
+	itemProps, ok := items["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("disks.items.properties not found")
+	}
+	diskName, ok := itemProps["name"].(map[string]any)
+	if !ok {
+		t.Fatal("disks.items.properties.name not found")
+	}
+	if diskName["type"] != "listInput" {
+		t.Errorf("expected disks name type listInput, got %v", diskName["type"])
+	}
+	diskCustomProps, ok := diskName["customProps"].(map[string]any)
+	if !ok {
+		t.Fatal("disks name customProps not found")
+	}
+	expectedDiskURI := "/api/clusters/{cluster}/k8s/apis/apps.cozystack.io/v1alpha1/namespaces/{namespace}/vmdisks"
+	if diskCustomProps["valueUri"] != expectedDiskURI {
+		t.Errorf("expected disks valueUri %s, got %v", expectedDiskURI, diskCustomProps["valueUri"])
+	}
+}
+
+func TestApplyListInputOverrides_StorageClassSimple(t *testing.T) {
+	for _, kind := range []string{
+		"ClickHouse", "Harbor", "HTTPCache", "Kubernetes", "MariaDB", "MongoDB",
+		"NATS", "OpenBAO", "Postgres", "Qdrant", "RabbitMQ", "Redis", "VMDisk",
+	} {
+		t.Run(kind, func(t *testing.T) {
+			schema := map[string]any{}
+			applyListInputOverrides(schema, kind, map[string]any{})
+
+			specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+			sc, ok := specProps["storageClass"].(map[string]any)
+			if !ok {
+				t.Fatalf("storageClass not found in spec.properties for kind %s", kind)
+			}
+			assertStorageClassListInput(t, sc)
+		})
+	}
+}
+
+func TestApplyListInputOverrides_StorageClassFoundationDB(t *testing.T) {
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "FoundationDB", map[string]any{})
+
+	storageProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)["storage"].(map[string]any)["properties"].(map[string]any)
+	sc, ok := storageProps["storageClass"].(map[string]any)
+	if !ok {
+		t.Fatal("storageClass not found in spec.storage.properties")
+	}
+	assertStorageClassListInput(t, sc)
+}
+
+func TestApplyListInputOverrides_StorageClassKafka(t *testing.T) {
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "Kafka", map[string]any{})
+
+	specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+
+	kafkaSC, ok := specProps["kafka"].(map[string]any)["properties"].(map[string]any)["storageClass"].(map[string]any)
+	if !ok {
+		t.Fatal("storageClass not found in spec.kafka.properties")
+	}
+	assertStorageClassListInput(t, kafkaSC)
+
+	zkSC, ok := specProps["zookeeper"].(map[string]any)["properties"].(map[string]any)["storageClass"].(map[string]any)
+	if !ok {
+		t.Fatal("storageClass not found in spec.zookeeper.properties")
+	}
+	assertStorageClassListInput(t, zkSC)
+}
+
+// assertStorageClassListInput verifies that a field is a correctly configured storageClass listInput.
+func assertStorageClassListInput(t *testing.T, field map[string]any) {
+	t.Helper()
+	if field["type"] != "listInput" {
+		t.Errorf("expected type listInput, got %v", field["type"])
+	}
+	customProps, ok := field["customProps"].(map[string]any)
+	if !ok {
+		t.Fatal("customProps not found")
+	}
+	expectedURI := "/api/clusters/{cluster}/k8s/apis/storage.k8s.io/v1/storageclasses"
+	if customProps["valueUri"] != expectedURI {
+		t.Errorf("expected valueUri %s, got %v", expectedURI, customProps["valueUri"])
+	}
+}
+
+func TestApplyListInputOverrides_UnknownKind(t *testing.T) {
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "SomeOtherKind", map[string]any{})
+
+	if len(schema) != 0 {
+		t.Errorf("expected empty schema for unknown kind, got %v", schema)
+	}
+}
+
+func TestApplyListInputOverrides_NoDefault(t *testing.T) {
+	openAPIProps := map[string]any{
+		"instanceType": map[string]any{"type": "string"},
+	}
+
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "VMInstance", openAPIProps)
+
+	specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+	instanceType := specProps["instanceType"].(map[string]any)
+
+	if _, exists := instanceType["default"]; exists {
+		t.Errorf("expected no default key, got %v", instanceType["default"])
+	}
+}
+
+func TestApplyListInputOverrides_MergesWithExistingSchema(t *testing.T) {
+	openAPIProps := map[string]any{
+		"instanceType": map[string]any{"type": "string", "default": "u1.medium"},
+	}
+
+	// Simulate schema that already has spec.properties from buildMultilineStringSchema
+	schema := map[string]any{
+		"properties": map[string]any{
+			"spec": map[string]any{
+				"properties": map[string]any{
+					"otherField": map[string]any{"type": "multilineString"},
+				},
+			},
+		},
+	}
+	applyListInputOverrides(schema, "VMInstance", openAPIProps)
+
+	specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+
+	// instanceType should be added
+	if _, ok := specProps["instanceType"].(map[string]any); !ok {
+		t.Fatal("instanceType not found after override")
+	}
+
+	// otherField should be preserved
+	otherField, ok := specProps["otherField"].(map[string]any)
+	if !ok {
+		t.Fatal("otherField was lost after override")
+	}
+	if otherField["type"] != "multilineString" {
+		t.Errorf("otherField type changed, got %v", otherField["type"])
+	}
+}
+
+func TestParseOpenAPIProperties(t *testing.T) {
+	t.Run("extracts properties", func(t *testing.T) {
+		props := parseOpenAPIProperties(`{"type":"object","properties":{"instanceType":{"type":"string","default":"u1.medium"}}}`)
+		field, _ := props["instanceType"].(map[string]any)
+		if field["default"] != "u1.medium" {
+			t.Errorf("expected default u1.medium, got %v", field["default"])
+		}
+	})
+
+	t.Run("empty string", func(t *testing.T) {
+		if props := parseOpenAPIProperties(""); props != nil {
+			t.Errorf("expected nil, got %v", props)
+		}
+	})
+
+	t.Run("invalid JSON", func(t *testing.T) {
+		if props := parseOpenAPIProperties("{bad"); props != nil {
+			t.Errorf("expected nil, got %v", props)
+		}
+	})
+
+	t.Run("no properties key", func(t *testing.T) {
+		if props := parseOpenAPIProperties(`{"type":"object"}`); props != nil {
+			t.Errorf("expected nil, got %v", props)
+		}
+	})
+}
+
+func TestEnsureSchemaPath(t *testing.T) {
+	t.Run("creates path from empty schema", func(t *testing.T) {
+		schema := map[string]any{}
+		props := ensureSchemaPath(schema, "spec")
+
+		props["field"] = "value"
+
+		// Verify structure: schema.properties.spec.properties.field
+		got := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)["field"]
+		if got != "value" {
+			t.Errorf("expected value, got %v", got)
+		}
+	})
+
+	t.Run("preserves existing nested properties", func(t *testing.T) {
+		schema := map[string]any{
+			"properties": map[string]any{
+				"spec": map[string]any{
+					"properties": map[string]any{
+						"existing": "keep",
+					},
+				},
+			},
+		}
+		props := ensureSchemaPath(schema, "spec")
+
+		if props["existing"] != "keep" {
+			t.Errorf("existing property lost, got %v", props["existing"])
+		}
+	})
+
+	t.Run("multi-level path", func(t *testing.T) {
+		schema := map[string]any{}
+		props := ensureSchemaPath(schema, "spec", "nested")
+
+		props["deep"] = true
+
+		got := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)["nested"].(map[string]any)["properties"].(map[string]any)["deep"]
+		if got != true {
+			t.Errorf("expected true, got %v", got)
+		}
+	})
+}
+
+func TestEnsureArrayItemProps(t *testing.T) {
+	t.Run("creates from empty parent", func(t *testing.T) {
+		parent := map[string]any{}
+		props := ensureArrayItemProps(parent, "disks")
+
+		props["name"] = map[string]any{"type": "listInput"}
+
+		got := parent["disks"].(map[string]any)["items"].(map[string]any)["properties"].(map[string]any)["name"].(map[string]any)["type"]
+		if got != "listInput" {
+			t.Errorf("expected listInput, got %v", got)
+		}
+	})
+
+	t.Run("preserves existing item properties", func(t *testing.T) {
+		parent := map[string]any{
+			"disks": map[string]any{
+				"items": map[string]any{
+					"properties": map[string]any{
+						"bus": map[string]any{"type": "string"},
+					},
+				},
+			},
+		}
+		props := ensureArrayItemProps(parent, "disks")
+		props["name"] = map[string]any{"type": "listInput"}
+
+		if props["bus"].(map[string]any)["type"] != "string" {
+			t.Error("existing bus property was lost")
+		}
+		if props["name"].(map[string]any)["type"] != "listInput" {
+			t.Error("name property was not added")
+		}
+	})
+}

internal/controller/dashboard/factory.go

@@ -582,15 +582,14 @@ type factoryFlags struct {
 	Secrets   bool
 }
 
-// factoryFeatureFlags tries several conventional locations so you can evolve the API
-// without breaking the controller. Defaults are false (hidden).
+// factoryFeatureFlags determines which tabs to show based on whether the
+// ApplicationDefinition has non-empty Include resource selectors.
+// Workloads tab is always shown.
 func factoryFeatureFlags(crd *cozyv1alpha1.ApplicationDefinition) factoryFlags {
-	var f factoryFlags
-
-	f.Workloads = true
-	f.Ingresses = true
-	f.Services = true
-	f.Secrets = true
-
-	return f
+	return factoryFlags{
+		Workloads: true,
+		Ingresses: len(crd.Spec.Ingresses.Include) > 0,
+		Services:  len(crd.Spec.Services.Include) > 0,
+		Secrets:   len(crd.Spec.Secrets.Include) > 0,
+	}
 }

internal/controller/dashboard/manager.go

@@ -299,10 +299,6 @@ func (m *Manager) buildExpectedResourceSet(crds []cozyv1alpha1.ApplicationDefini
 
 		// Add other stock sidebars that are created for each CRD
 		stockSidebars := []string{
-			"stock-instance-api-form",
-			"stock-instance-api-table",
-			"stock-instance-builtin-form",
-			"stock-instance-builtin-table",
 			"stock-project-factory-marketplace",
 			"stock-project-factory-workloadmonitor-details",
 			"stock-project-api-form",
@@ -311,6 +307,10 @@ func (m *Manager) buildExpectedResourceSet(crds []cozyv1alpha1.ApplicationDefini
 			"stock-project-builtin-table",
 			"stock-project-crd-form",
 			"stock-project-crd-table",
+			"stock-instance-api-form",
+			"stock-instance-api-table",
+			"stock-instance-builtin-form",
+			"stock-instance-builtin-table",
 		}
 		for _, sidebarID := range stockSidebars {
 			expected["Sidebar"][sidebarID] = true

internal/controller/dashboard/sidebar.go

@@ -17,8 +17,7 @@ import (
 
 // ensureSidebar creates/updates multiple Sidebar resources that share the same menu:
 //   - The "details" sidebar tied to the current kind (stock-project-factory-<kind>-details)
-//   - The stock-instance sidebars: api-form, api-table, builtin-form, builtin-table
-//   - The stock-project sidebars:  api-form, api-table, builtin-form, builtin-table, crd-form, crd-table
+//   - The stock-project sidebars: api-form, api-table, builtin-form, builtin-table, crd-form, crd-table
 //
 // Menu rules:
 //   - The first section is "Marketplace" with two hardcoded entries:
@@ -176,23 +175,23 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 
 	// Add hardcoded Backups section
 	menuItems = append(menuItems, map[string]any{
-		"key":   "backups",
+		"key":   "backups-category",
 		"label": "Backups",
 		"children": []any{
 			map[string]any{
 				"key":   "plans",
 				"label": "Plans",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/plans",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/plans",
 			},
 			map[string]any{
 				"key":   "backupjobs",
 				"label": "BackupJobs",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backupjobs",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backupjobs",
 			},
 			map[string]any{
 				"key":   "backups",
 				"label": "Backups",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backups",
+				"link":  "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backups",
 			},
 		},
 	})
@@ -215,7 +214,7 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 			map[string]any{
 				"key":   "loadbalancer-services",
 				"label": "External IPs",
-				"link":  "/openapi-ui/{clusterName}/{namespace}/factory/external-ips",
+				"link":  "/openapi-ui/{cluster}/{namespace}/factory/external-ips",
 			},
 			map[string]any{
 				"key":   "tenants",
@@ -228,13 +227,7 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 	// 6) Prepare the list of Sidebar IDs to upsert with the SAME content
 	// Create sidebars for ALL CRDs with dashboard config
 	targetIDs := []string{
-		// stock-instance sidebars
-		"stock-instance-api-form",
-		"stock-instance-api-table",
-		"stock-instance-builtin-form",
-		"stock-instance-builtin-table",
-
-		// stock-project sidebars
+		// stock-project sidebars (namespace-level, full menu)
 		"stock-project-factory-marketplace",
 		"stock-project-factory-workloadmonitor-details",
 		"stock-project-factory-kube-service-details",
@@ -250,6 +243,11 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 		"stock-project-builtin-table",
 		"stock-project-crd-form",
 		"stock-project-crd-table",
+		// stock-instance sidebars (namespace-level pages after namespace is selected)
+		"stock-instance-api-form",
+		"stock-instance-api-table",
+		"stock-instance-builtin-form",
+		"stock-instance-builtin-table",
 	}
 
 	// Add details sidebars for all CRDs with dashboard config

internal/controller/dashboard/static_refactored.go

@@ -503,18 +503,27 @@ func CreateAllCustomFormsOverrides() []*dashboardv1alpha1.CustomFormsOverride {
 				createFormItem("metadata.namespace", "Namespace", "text"),
 				createFormItem("spec.applicationRef.kind", "Application Kind", "text"),
 				createFormItem("spec.applicationRef.name", "Application Name", "text"),
-				createFormItemWithAPI("spec.backupClassName", "Backup Class", "select", map[string]any{
-					"api": map[string]any{
-						"fetchUrl":       "/api/clusters/{clusterName}/k8s/apis/backups.cozystack.io/v1alpha1/backupclasses",
-						"pathToItems":    []any{"items"},
-						"pathToValue":    []any{"metadata", "name"},
-						"pathToLabel":    []any{"metadata", "name"},
-						"clusterNameVar": "clusterName",
-					},
-				}),
 				createFormItem("spec.schedule.type", "Schedule Type", "text"),
 				createFormItem("spec.schedule.cron", "Schedule Cron", "text"),
 			},
+			"schema": createSchema(map[string]any{
+				"backupClassName": listInputScemaItemBackupClass(),
+			}),
+		}),
+
+		// BackupJobs form override - backups.cozystack.io/v1alpha1
+		createCustomFormsOverride("default-/backups.cozystack.io/v1alpha1/backupjobs", map[string]any{
+			"formItems": []any{
+				createFormItem("metadata.name", "Name", "text"),
+				createFormItem("metadata.namespace", "Namespace", "text"),
+				createFormItem("spec.planRef.name", "Plan Name (optional)", "text"),
+				createFormItem("spec.applicationRef.apiGroup", "Application API Group", "text"),
+				createFormItem("spec.applicationRef.kind", "Application Kind", "text"),
+				createFormItem("spec.applicationRef.name", "Application Name", "text"),
+			},
+			"schema": createSchema(map[string]any{
+				"backupClassName": listInputScemaItemBackupClass(),
+			}),
 		}),
 	}
 }
@@ -2042,9 +2051,9 @@ func createCustomFormsOverride(customizationId string, spec map[string]any) *das
 		"strategy":        "merge",
 	}
 
-	// Merge caller-provided fields (like formItems) into newSpec
+	// Merge into newSpec caller-provided fields without: customizationId, hidden, strategy
 	for key, value := range spec {
-		if key != "customizationId" && key != "hidden" && key != "schema" && key != "strategy" {
+		if key != "customizationId" && key != "hidden" && key != "strategy" {
 			newSpec[key] = value
 		}
 	}
@@ -2089,6 +2098,28 @@ func createNavigation(name string, spec map[string]any) *dashboardv1alpha1.Navig
 	}
 }
 
+func listInputScemaItemBackupClass() map[string]any {
+	return map[string]any{
+		"type": "listInput",
+		"customProps": map[string]any{
+			"valueUri":    "/api/clusters/{cluster}/k8s/apis/backups.cozystack.io/v1alpha1/backupclasses",
+			"keysToValue": []any{"metadata", "name"},
+			"keysToLabel": []any{"metadata", "name"},
+		},
+	}
+}
+
+// backupClassSchema returns the schema for spec.backupClassName as listInput (BackupJob/Plan).
+func createSchema(customProps map[string]any) map[string]any {
+	return map[string]any{
+		"properties": map[string]any{
+			"spec": map[string]any{
+				"properties": customProps,
+			},
+		},
+	}
+}
+
 // createFormItem creates a form item for CustomFormsOverride
 func createFormItem(path, label, fieldType string) map[string]any {
 	return map[string]any{

packages/apps/bucket/templates/bucketclaim.yaml

@@ -17,3 +17,13 @@ spec:
   bucketClaimName: {{ .Release.Name }}
   credentialsSecretName: {{ .Release.Name }}
   protocol: s3
+---
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketAccess
+metadata:
+  name: {{ .Release.Name }}-readonly
+spec:
+  bucketAccessClassName: {{ $seaweedfs }}-readonly
+  bucketClaimName: {{ .Release.Name }}
+  credentialsSecretName: {{ .Release.Name }}-readonly
+  protocol: s3

packages/apps/bucket/templates/dashboard-resourcemap.yaml

@@ -10,6 +10,7 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   - {{ .Release.Name }}-credentials
+  - {{ .Release.Name }}-readonly
   verbs: ["get", "list", "watch"]
 - apiGroups:
   - networking.k8s.io

packages/apps/harbor/templates/ingress.yaml

@@ -1,7 +1,8 @@
 {{- $ingress := .Values._namespace.ingress }}
 {{- $host := .Values._namespace.host }}
 {{- $harborHost := .Values.host | default (printf "%s.%s" .Release.Name $host) }}
-{{- $issuerType := (index .Values._cluster "clusterissuer") | default "http01" }}
+{{- $solver := (index .Values._cluster "solver") | default "http01" }}
+{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -13,10 +14,10 @@ metadata:
     nginx.ingress.kubernetes.io/proxy-send-timeout: "900"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
-    {{- if ne $issuerType "cloudflare" }}
+    {{- if eq $solver "http01" }}
     acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
     {{- end }}
-    cert-manager.io/cluster-issuer: letsencrypt-prod
+    cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
 spec:
   ingressClassName: {{ $ingress }}
   tls:

packages/apps/kubernetes/Makefile

@@ -1,4 +1,4 @@
-KUBERNETES_VERSION = v1.33
+KUBERNETES_VERSION = v1.35
 KUBERNETES_PKG_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
 
 include ../../../hack/common-envs.mk

packages/apps/kubernetes/README.md

@@ -104,7 +104,7 @@ See the reference for components utilized in this service:
 | `nodeGroups[name].resources.memory` | Memory (RAM) available.                                                                        | `quantity`          | `""`        |
 | `nodeGroups[name].gpus`             | List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).                            | `[]object`          | `[]`        |
 | `nodeGroups[name].gpus[i].name`     | Name of GPU, such as "nvidia.com/AD102GL_L40S".                                                | `string`            | `""`        |
-| `version`                           | Kubernetes major.minor version to deploy                                                       | `string`            | `v1.33`     |
+| `version`                           | Kubernetes major.minor version to deploy                                                       | `string`            | `v1.35`     |
 | `host`                              | External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty. | `string`            | `""`        |
 
 

packages/apps/kubernetes/files/konnectivity-versions.yaml

@@ -0,0 +1,4 @@
+# Konnectivity proxy version overrides per Kubernetes minor version.
+# When empty or absent, Kamaji auto-derives v0.{minor}.0 from the Kubernetes version.
+# Add entries here only when the auto-derived image tag does not exist in the registry.
+"v1.35": "v0.34.0"

packages/apps/kubernetes/files/versions.yaml

@@ -1,6 +1,6 @@
-"v1.33": "v1.33.0"
-"v1.32": "v1.32.10"
+"v1.35": "v1.35.1"
+"v1.34": "v1.34.4"
+"v1.33": "v1.33.8"
+"v1.32": "v1.32.12"
 "v1.31": "v1.31.14"
 "v1.30": "v1.30.14"
-"v1.29": "v1.29.15"
-"v1.28": "v1.28.15"

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:7deeee117e7eec599cb453836ca95eadd131dfc8c875dc457ef29dc1433395e0
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:3753b735b0315bee90de54cb25cfebc63bd2cc90ad11ca4fdc0e70439abd5096

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:604561e23df1b8eb25c24cf73fd93c7aaa6d1e7c56affbbda5c6f0f83424e4b1
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:434aa3b8e2a3cbf6681426b174e1c4fde23bafd12a6cccd046b5cb1749092ec4

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.33@sha256:19ee4c76f0b3b7b40b97995ca78988ad8c82f6e9c75288d8b7b4b88a64f75d50
+ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.35@sha256:39f626c802dd84f95720ffb54fcd80dfb8a58ac280498870d0a1aa30d4252f94

packages/apps/kubernetes/templates/_versions.tpl

@@ -5,3 +5,10 @@
 {{- end }}
 {{- index $versionMap .Values.version }}
 {{- end }}
+
+{{- define "kubernetes.konnectivityVersion" }}
+{{- $konnVersionMap := .Files.Get "files/konnectivity-versions.yaml" | fromYaml }}
+{{- if hasKey $konnVersionMap .Values.version }}
+{{- index $konnVersionMap .Values.version }}
+{{- end }}
+{{- end }}

packages/apps/kubernetes/templates/cluster.yaml

@@ -126,8 +126,16 @@ spec:
   dataStoreName: "{{ $etcd }}"
   addons:
     konnectivity:
+      {{- $konnVersion := include "kubernetes.konnectivityVersion" $ | trim }}
+      {{- if $konnVersion }}
+      agent:
+        version: {{ $konnVersion }}
+      {{- end }}
       server:
         port: 8132
+        {{- if $konnVersion }}
+        version: {{ $konnVersion }}
+        {{- end }}
         resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.controlPlane.konnectivity.server.resourcesPreset .Values.controlPlane.konnectivity.server.resources $) | nindent 10 }}
   kubelet:
     cgroupfs: systemd

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

@@ -1,4 +1,5 @@
 {{- $targetTenant := .Values._namespace.monitoring }}
+{{- $clusterDomain := (index .Values._cluster "cluster-domain") | default "cozy.local" }}
 {{- if .Values.addons.monitoringAgents.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -49,7 +50,7 @@ spec:
         cluster: {{ .Release.Name }}
         tenant: {{ .Release.Namespace }}
       remoteWrite:
-        url: http://vminsert-shortterm.{{ $targetTenant }}.svc:8480/insert/0/prometheus
+        url: http://vminsert-shortterm.{{ $targetTenant }}.svc.{{ $clusterDomain }}:8480/insert/0/prometheus
     fluent-bit:
       readinessProbe:
         httpGet:
@@ -72,7 +73,7 @@ spec:
           [OUTPUT]
               Name http
               Match kube.*
-              Host vlogs-generic.{{ $targetTenant }}.svc
+              Host vlogs-generic.{{ $targetTenant }}.svc.{{ $clusterDomain }}
               port 9428
               compress gzip
               uri /insert/jsonline?_stream_fields=stream,kubernetes_pod_name,kubernetes_container_name,kubernetes_namespace_name&_msg_field=log&_time_field=date

packages/apps/kubernetes/values.schema.json

@@ -621,14 +621,14 @@
     "version": {
       "description": "Kubernetes major.minor version to deploy",
       "type": "string",
-      "default": "v1.33",
+      "default": "v1.35",
       "enum": [
+        "v1.35",
+        "v1.34",
         "v1.33",
         "v1.32",
         "v1.31",
-        "v1.30",
-        "v1.29",
-        "v1.28"
+        "v1.30"
       ]
     }
   }

packages/apps/kubernetes/values.yaml

@@ -48,15 +48,15 @@ nodeGroups:
 
 ##
 ## @enum {string} Version
+## @value v1.35
+## @value v1.34
 ## @value v1.33
 ## @value v1.32
 ## @value v1.31
 ## @value v1.30
-## @value v1.29
-## @value v1.28
 
 ## @param {Version} version - Kubernetes major.minor version to deploy
-version: "v1.33"
+version: "v1.35"
 
 
 ## @param {string} host - External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty.

packages/apps/openbao/.helmignore

@@ -0,0 +1,3 @@
+.helmignore
+/logos
+/Makefile

packages/apps/openbao/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: openbao
+description: Managed OpenBAO secrets management service
+icon: /logos/openbao.svg
+type: application
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+appVersion: "2.5.0"

packages/apps/openbao/Makefile

@@ -0,0 +1,5 @@
+include ../../../hack/package.mk
+
+generate:
+	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	../../../hack/update-crd.sh

packages/apps/openbao/README.md

@@ -0,0 +1,27 @@
+# Managed OpenBAO Service
+
+OpenBAO is an open-source secrets management solution forked from HashiCorp Vault.
+It provides identity-based secrets and encryption management for cloud infrastructure.
+
+## Parameters
+
+### Common parameters
+
+| Name               | Description                                                                                                                                                                           | Type       | Value   |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------- |
+| `replicas`         | Number of OpenBAO replicas. HA with Raft is automatically enabled when replicas > 1. Switching between standalone (file storage) and HA (Raft storage) modes requires data migration. | `int`      | `1`     |
+| `resources`        | Explicit CPU and memory configuration for each OpenBAO replica. When omitted, the preset defined in `resourcesPreset` is applied.                                                     | `object`   | `{}`    |
+| `resources.cpu`    | CPU available to each replica.                                                                                                                                                        | `quantity` | `""`    |
+| `resources.memory` | Memory (RAM) available to each replica.                                                                                                                                               | `quantity` | `""`    |
+| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                                                                               | `string`   | `small` |
+| `size`             | Persistent Volume Claim size for data storage.                                                                                                                                        | `quantity` | `10Gi`  |
+| `storageClass`     | StorageClass used to store the data.                                                                                                                                                  | `string`   | `""`    |
+| `external`         | Enable external access from outside the cluster.                                                                                                                                      | `bool`     | `false` |
+
+
+### Application-specific parameters
+
+| Name | Description                | Type   | Value  |
+| ---- | -------------------------- | ------ | ------ |
+| `ui` | Enable the OpenBAO web UI. | `bool` | `true` |
+

packages/apps/openbao/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/openbao/logos/openbao.svg

@@ -0,0 +1,11 @@
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear)"/>
+<rect width="144" height="144" rx="24" fill="black" fill-opacity="0.3"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M72 30C53.222 30 38 45.222 38 64v8c-3.314 0-6 2.686-6 6v30c0 3.314 2.686 6 6 6h68c3.314 0 6-2.686 6-6V78c0-3.314-2.686-6-6-6v-8C106 45.222 90.778 30 72 30zm-8 42v-8c0-4.418 3.582-8 8-8s8 3.582 8 8v8H64zm26 0v-8c0-8.837-7.163-16-16-16s-16 7.163-16 16v8h-2v28h60V72H90zm-22 14a4 4 0 118 0 4 4 0 01-8 0zm4-8a8 8 0 100 16 8 8 0 000-16z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear" x1="10" y1="15.5" x2="144" y2="131.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#87d6be"/>
+<stop offset="1" stop-color="#79c0ab"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/openbao/templates/_resources.tpl

@@ -0,0 +1,49 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "resources.preset" -}}
+{{- $presets := dict
+  "nano" (dict
+      "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "128Mi" "ephemeral-storage" "2Gi")
+   )
+  "micro" (dict
+      "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "256Mi" "ephemeral-storage" "2Gi")
+   )
+  "small" (dict
+      "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "512Mi" "ephemeral-storage" "2Gi")
+   )
+  "medium" (dict
+      "requests" (dict "cpu" "500m" "memory" "1Gi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "1Gi" "ephemeral-storage" "2Gi")
+   )
+  "large" (dict
+      "requests" (dict "cpu" "1" "memory" "2Gi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "2Gi" "ephemeral-storage" "2Gi")
+   )
+  "xlarge" (dict
+      "requests" (dict "cpu" "2" "memory" "4Gi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "4Gi" "ephemeral-storage" "2Gi")
+   )
+  "2xlarge" (dict
+      "requests" (dict "cpu" "4" "memory" "8Gi" "ephemeral-storage" "50Mi")
+      "limits" (dict "memory" "8Gi" "ephemeral-storage" "2Gi")
+   )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}

packages/apps/openbao/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  - {{ .Release.Name }}-internal
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/openbao/templates/openbao.yaml

@@ -0,0 +1,99 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-system
+  labels:
+    sharding.fluxcd.io/key: tenants
+spec:
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-openbao-application-default-openbao-system
+    namespace: cozy-system
+  interval: 5m
+  timeout: 10m
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    force: true
+    remediation:
+      retries: -1
+  valuesFrom:
+  - kind: Secret
+    name: cozystack-values
+  values:
+    openbao:
+      fullnameOverride: {{ .Release.Name }}
+      global:
+        tlsDisable: true
+      server:
+        podManagementPolicy: Parallel
+        resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 10 }}
+        dataStorage:
+          enabled: true
+          size: {{ .Values.size }}
+          {{- with .Values.storageClass }}
+          storageClass: {{ . }}
+          {{- end }}
+        {{- if gt (int .Values.replicas) 1 }}
+        standalone:
+          enabled: false
+        ha:
+          enabled: true
+          replicas: {{ .Values.replicas }}
+          raft:
+            enabled: true
+            setNodeId: true
+            config: |
+              ui = {{ .Values.ui }}
+
+              listener "tcp" {
+                address = "[::]:8200"
+                cluster_address = "[::]:8201"
+                tls_disable = true
+              }
+
+              storage "raft" {
+                path = "/openbao/data"
+              {{- range $i := until (int $.Values.replicas) }}
+                retry_join {
+                  leader_api_addr = "http://{{ $.Release.Name }}-{{ $i }}.{{ $.Release.Name }}-internal:8200"
+                }
+              {{- end }}
+              }
+
+              service_registration "kubernetes" {}
+        {{- else }}
+        standalone:
+          enabled: true
+          config: |
+            ui = {{ .Values.ui }}
+
+            listener "tcp" {
+              address = "[::]:8200"
+              cluster_address = "[::]:8201"
+              tls_disable = true
+            }
+
+            storage "file" {
+              path = "/openbao/data"
+            }
+            # Note: service_registration "kubernetes" {} is intentionally omitted
+            # in standalone mode — it requires an HA-capable storage backend and
+            # causes a fatal error with storage "file".
+        ha:
+          enabled: false
+        {{- end }}
+        {{- if .Values.external }}
+        service:
+          type: LoadBalancer
+        {{- end }}
+      ui:
+        enabled: {{ .Values.ui }}
+        {{- if .Values.external }}
+        serviceType: LoadBalancer
+        {{- end }}
+      injector:
+        enabled: false
+      csi:
+        enabled: false

packages/apps/openbao/templates/workloadmonitor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: openbao
+  type: openbao
+  selector:
+    app.kubernetes.io/instance: {{ $.Release.Name }}-system
+  version: {{ $.Chart.Version }}

packages/apps/openbao/values.schema.json

@@ -0,0 +1,87 @@
+{
+  "title": "Chart Values",
+  "type": "object",
+  "properties": {
+    "external": {
+      "description": "Enable external access from outside the cluster.",
+      "type": "boolean",
+      "default": false
+    },
+    "replicas": {
+      "description": "Number of OpenBAO replicas. HA with Raft is automatically enabled when replicas \u003e 1. Switching between standalone (file storage) and HA (Raft storage) modes requires data migration.",
+      "type": "integer",
+      "default": 1
+    },
+    "resources": {
+      "description": "Explicit CPU and memory configuration for each OpenBAO replica. When omitted, the preset defined in `resourcesPreset` is applied.",
+      "type": "object",
+      "default": {},
+      "properties": {
+        "cpu": {
+          "description": "CPU available to each replica.",
+          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+          "anyOf": [
+            {
+              "type": "integer"
+            },
+            {
+              "type": "string"
+            }
+          ],
+          "x-kubernetes-int-or-string": true
+        },
+        "memory": {
+          "description": "Memory (RAM) available to each replica.",
+          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+          "anyOf": [
+            {
+              "type": "integer"
+            },
+            {
+              "type": "string"
+            }
+          ],
+          "x-kubernetes-int-or-string": true
+        }
+      }
+    },
+    "resourcesPreset": {
+      "description": "Default sizing preset used when `resources` is omitted.",
+      "type": "string",
+      "default": "small",
+      "enum": [
+        "nano",
+        "micro",
+        "small",
+        "medium",
+        "large",
+        "xlarge",
+        "2xlarge"
+      ]
+    },
+    "size": {
+      "description": "Persistent Volume Claim size for data storage.",
+      "default": "10Gi",
+      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+      "anyOf": [
+        {
+          "type": "integer"
+        },
+        {
+          "type": "string"
+        }
+      ],
+      "x-kubernetes-int-or-string": true
+    },
+    "storageClass": {
+      "description": "StorageClass used to store the data.",
+      "type": "string",
+      "default": ""
+    },
+    "ui": {
+      "description": "Enable the OpenBAO web UI.",
+      "type": "boolean",
+      "default": true
+    }
+  }
+}

packages/apps/openbao/values.yaml

@@ -0,0 +1,41 @@
+##
+## @section Common parameters
+##
+
+## @typedef {struct} Resources - Explicit CPU and memory configuration for each OpenBAO replica.
+## @field {quantity} [cpu] - CPU available to each replica.
+## @field {quantity} [memory] - Memory (RAM) available to each replica.
+
+## @enum {string} ResourcesPreset - Default sizing preset.
+## @value nano
+## @value micro
+## @value small
+## @value medium
+## @value large
+## @value xlarge
+## @value 2xlarge
+
+## @param {int} replicas - Number of OpenBAO replicas. HA with Raft is automatically enabled when replicas > 1. Switching between standalone (file storage) and HA (Raft storage) modes requires data migration.
+replicas: 1
+
+## @param {Resources} [resources] - Explicit CPU and memory configuration for each OpenBAO replica. When omitted, the preset defined in `resourcesPreset` is applied.
+resources: {}
+
+## @param {ResourcesPreset} resourcesPreset="small" - Default sizing preset used when `resources` is omitted.
+resourcesPreset: "small"
+
+## @param {quantity} size - Persistent Volume Claim size for data storage.
+size: 10Gi
+
+## @param {string} storageClass - StorageClass used to store the data.
+storageClass: ""
+
+## @param {bool} external - Enable external access from outside the cluster.
+external: false
+
+##
+## @section Application-specific parameters
+##
+
+## @param {bool} ui - Enable the OpenBAO web UI.
+ui: true

packages/apps/rabbitmq/Chart.yaml

@@ -4,4 +4,4 @@ description: Managed RabbitMQ service
 icon: /logos/rabbitmq.svg
 type: application
 version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
-appVersion: "3.13.2"
+appVersion: "4.2.4"

packages/apps/rabbitmq/Makefile

@@ -3,3 +3,7 @@ include ../../../hack/package.mk
 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
 	../../../hack/update-crd.sh
+
+update:
+	hack/update-versions.sh
+	make generate

packages/apps/rabbitmq/README.md

@@ -23,6 +23,7 @@ The service utilizes official RabbitMQ operator. This ensures the reliability an
 | `size`             | Persistent Volume Claim size available for application data.                                                                       | `quantity` | `10Gi`  |
 | `storageClass`     | StorageClass used to store the data.                                                                                               | `string`   | `""`    |
 | `external`         | Enable external access from outside the cluster.                                                                                   | `bool`     | `false` |
+| `version`          | RabbitMQ major.minor version to deploy                                                                                             | `string`   | `v4.2`  |
 
 
 ### Application-specific parameters

packages/apps/rabbitmq/files/versions.yaml

@@ -0,0 +1,4 @@
+"v4.2": "4.2.4"
+"v4.1": "4.1.8"
+"v4.0": "4.0.9"
+"v3.13": "3.13.7"

packages/apps/rabbitmq/hack/update-versions.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+RABBITMQ_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+VALUES_FILE="${RABBITMQ_DIR}/values.yaml"
+VERSIONS_FILE="${RABBITMQ_DIR}/files/versions.yaml"
+GITHUB_API_URL="https://api.github.com/repos/rabbitmq/rabbitmq-server/releases"
+
+# Check if jq is installed
+if ! command -v jq &> /dev/null; then
+    echo "Error: jq is not installed. Please install jq and try again." >&2
+    exit 1
+fi
+
+# Fetch releases from GitHub API
+echo "Fetching releases from GitHub API..."
+RELEASES_JSON=$(curl -sSL "${GITHUB_API_URL}?per_page=100")
+
+if [ -z "$RELEASES_JSON" ]; then
+    echo "Error: Could not fetch releases from GitHub API" >&2
+    exit 1
+fi
+
+# Extract stable release tags (format: v3.13.7, v4.0.3, etc.)
+# Filter out pre-releases and draft releases
+RELEASE_TAGS=$(echo "$RELEASES_JSON" | jq -r '.[] | select(.prerelease == false) | select(.draft == false) | .tag_name' | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V)
+
+if [ -z "$RELEASE_TAGS" ]; then
+    echo "Error: Could not find any stable release tags" >&2
+    exit 1
+fi
+
+echo "Found release tags: $(echo "$RELEASE_TAGS" | tr '\n' ' ')"
+
+# Supported major.minor versions (newest first)
+# We support the last few minor releases of each active major
+SUPPORTED_MAJORS=("4.2" "4.1" "4.0" "3.13")
+
+# Build versions map: major.minor -> latest patch version
+declare -A VERSION_MAP
+MAJOR_VERSIONS=()
+
+for major_minor in "${SUPPORTED_MAJORS[@]}"; do
+    # Find the latest patch version for this major.minor
+    MATCHING=$(echo "$RELEASE_TAGS" | grep -E "^v${major_minor//./\\.}\.[0-9]+$" | tail -n1)
+
+    if [ -n "$MATCHING" ]; then
+        # Strip the 'v' prefix for the value (Docker tag format is e.g. 3.13.7)
+        TAG_VERSION="${MATCHING#v}"
+        VERSION_MAP["v${major_minor}"]="${TAG_VERSION}"
+        MAJOR_VERSIONS+=("v${major_minor}")
+        echo "Found version: v${major_minor} -> ${TAG_VERSION}"
+    else
+        echo "Warning: No stable releases found for ${major_minor}, skipping..." >&2
+    fi
+done
+
+if [ ${#MAJOR_VERSIONS[@]} -eq 0 ]; then
+    echo "Error: No matching versions found" >&2
+    exit 1
+fi
+
+echo "Major versions to add: ${MAJOR_VERSIONS[*]}"
+
+# Create/update versions.yaml file
+echo "Updating $VERSIONS_FILE..."
+{
+    for major_ver in "${MAJOR_VERSIONS[@]}"; do
+        echo "\"${major_ver}\": \"${VERSION_MAP[$major_ver]}\""
+    done
+} > "$VERSIONS_FILE"
+
+echo "Successfully updated $VERSIONS_FILE"
+
+# Update values.yaml - enum with major.minor versions only
+TEMP_FILE=$(mktemp)
+trap "rm -f $TEMP_FILE" EXIT
+
+# Build new version section
+NEW_VERSION_SECTION="## @enum {string} Version"
+for major_ver in "${MAJOR_VERSIONS[@]}"; do
+    NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+## @value $major_ver"
+done
+NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+
+## @param {Version} version - RabbitMQ major.minor version to deploy
+version: ${MAJOR_VERSIONS[0]}"
+
+# Check if version section already exists
+if grep -q "^## @enum {string} Version" "$VALUES_FILE"; then
+    # Version section exists, update it using awk
+    echo "Updating existing version section in $VALUES_FILE..."
+
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @enum {string} Version/ {
+            in_section = 1
+            print new_section
+            next
+        }
+        in_section && /^version: / {
+            in_section = 0
+            next
+        }
+        in_section {
+            next
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+else
+    # Version section doesn't exist, insert it before Application-specific parameters section
+    echo "Inserting new version section in $VALUES_FILE..."
+
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @section Application-specific parameters/ {
+            print new_section
+            print ""
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+fi
+
+echo "Successfully updated $VALUES_FILE with major.minor versions: ${MAJOR_VERSIONS[*]}"

packages/apps/rabbitmq/templates/_versions.tpl

@@ -0,0 +1,8 @@
+{{- define "rabbitmq.versionMap" }}
+{{- $versionMap := .Files.Get "files/versions.yaml" | fromYaml }}
+{{- if not (hasKey $versionMap .Values.version) }}
+    {{- printf `RabbitMQ version %s is not supported, allowed versions are %s` $.Values.version (keys $versionMap) | fail }}
+{{- end }}
+{{- index $versionMap .Values.version }}
+{{- end }}
+

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -7,6 +7,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
   replicas: {{ .Values.replicas }}
+  image: 'rabbitmq:{{ include "rabbitmq.versionMap" $ }}-management'
   {{- if .Values.external }}
   service:
     type: LoadBalancer

packages/apps/rabbitmq/values.schema.json

@@ -92,6 +92,17 @@
         }
       }
     },
+    "version": {
+      "description": "RabbitMQ major.minor version to deploy",
+      "type": "string",
+      "default": "v4.2",
+      "enum": [
+        "v4.2",
+        "v4.1",
+        "v4.0",
+        "v3.13"
+      ]
+    },
     "vhosts": {
       "description": "Virtual hosts configuration map.",
       "type": "object",

packages/apps/rabbitmq/values.yaml

@@ -34,6 +34,15 @@ storageClass: ""
 external: false
 
 ##
+## @enum {string} Version
+## @value v4.2
+## @value v4.1
+## @value v4.0
+## @value v3.13
+
+## @param {Version} version - RabbitMQ major.minor version to deploy
+version: v4.2
+
 ## @section Application-specific parameters
 ##
 

packages/apps/tenant/templates/etcd.yaml

@@ -18,7 +18,7 @@ spec:
     name: cozystack-etcd-application-default-etcd
     namespace: cozy-system
   interval: 5m
-  timeout: 10m
+  timeout: 30m
   install:
     remediation:
       retries: -1

packages/core/installer/crds/.gitattributes

@@ -1 +0,0 @@
-*.yaml linguist-generated

packages/core/installer/crds/cozystack.io_packages.yaml

@@ -1,171 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.4
-  name: packages.cozystack.io
-spec:
-  group: cozystack.io
-  names:
-    kind: Package
-    listKind: PackageList
-    plural: packages
-    shortNames:
-    - pkg
-    - pkgs
-    singular: package
-  scope: Cluster
-  versions:
-  - additionalPrinterColumns:
-    - description: Selected variant
-      jsonPath: .spec.variant
-      name: Variant
-      type: string
-    - description: Ready status
-      jsonPath: .status.conditions[?(@.type=='Ready')].status
-      name: Ready
-      type: string
-    - description: Ready message
-      jsonPath: .status.conditions[?(@.type=='Ready')].message
-      name: Status
-      type: string
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: Package is the Schema for the packages API
-        properties:
-          apiVersion:
-            description: |-
-              APIVersion defines the versioned schema of this representation of an object.
-              Servers should convert recognized schemas to the latest internal value, and
-              may reject unrecognized values.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-            type: string
-          kind:
-            description: |-
-              Kind is a string value representing the REST resource this object represents.
-              Servers may infer this from the endpoint the client submits requests to.
-              Cannot be updated.
-              In CamelCase.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: PackageSpec defines the desired state of Package
-            properties:
-              components:
-                additionalProperties:
-                  description: PackageComponent defines overrides for a specific component
-                  properties:
-                    enabled:
-                      description: |-
-                        Enabled indicates whether this component should be installed
-                        If false, the component will be disabled even if it's defined in the PackageSource
-                      type: boolean
-                    values:
-                      description: |-
-                        Values contains Helm chart values as a JSON object
-                        These values will be merged with the default values from the PackageSource
-                      x-kubernetes-preserve-unknown-fields: true
-                  type: object
-                description: |-
-                  Components is a map of release name to component overrides
-                  Allows overriding values and enabling/disabling specific components from the PackageSource
-                type: object
-              ignoreDependencies:
-                description: |-
-                  IgnoreDependencies is a list of package source dependencies to ignore
-                  Dependencies listed here will not be installed even if they are specified in the PackageSource
-                items:
-                  type: string
-                type: array
-              variant:
-                description: |-
-                  Variant is the name of the variant to use from the PackageSource
-                  If not specified, defaults to "default"
-                type: string
-            type: object
-          status:
-            description: PackageStatus defines the observed state of Package
-            properties:
-              conditions:
-                description: Conditions represents the latest available observations
-                  of a Package's state
-                items:
-                  description: Condition contains details for one aspect of the current
-                    state of this API Resource.
-                  properties:
-                    lastTransitionTime:
-                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
-                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: |-
-                        message is a human readable message indicating details about the transition.
-                        This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: |-
-                        observedGeneration represents the .metadata.generation that the condition was set based upon.
-                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
-                        with respect to the current state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: |-
-                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
-                        Producers of specific condition types may define expected values and meanings for this field,
-                        and whether the values are considered a guaranteed API.
-                        The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              dependencies:
-                additionalProperties:
-                  description: DependencyStatus represents the readiness status of
-                    a dependency
-                  properties:
-                    ready:
-                      description: Ready indicates whether the dependency is ready
-                      type: boolean
-                  required:
-                  - ready
-                  type: object
-                description: |-
-                  Dependencies tracks the readiness status of each dependency
-                  Key is the dependency package name, value indicates if the dependency is ready
-                type: object
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}

packages/core/installer/crds/cozystack.io_packagesources.yaml

@@ -1,250 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.4
-  name: packagesources.cozystack.io
-spec:
-  group: cozystack.io
-  names:
-    kind: PackageSource
-    listKind: PackageSourceList
-    plural: packagesources
-    shortNames:
-    - pks
-    singular: packagesource
-  scope: Cluster
-  versions:
-  - additionalPrinterColumns:
-    - description: Package variants (comma-separated)
-      jsonPath: .status.variants
-      name: Variants
-      type: string
-    - description: Ready status
-      jsonPath: .status.conditions[?(@.type=='Ready')].status
-      name: Ready
-      type: string
-    - description: Ready message
-      jsonPath: .status.conditions[?(@.type=='Ready')].message
-      name: Status
-      type: string
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: PackageSource is the Schema for the packagesources API
-        properties:
-          apiVersion:
-            description: |-
-              APIVersion defines the versioned schema of this representation of an object.
-              Servers should convert recognized schemas to the latest internal value, and
-              may reject unrecognized values.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-            type: string
-          kind:
-            description: |-
-              Kind is a string value representing the REST resource this object represents.
-              Servers may infer this from the endpoint the client submits requests to.
-              Cannot be updated.
-              In CamelCase.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: PackageSourceSpec defines the desired state of PackageSource
-            properties:
-              sourceRef:
-                description: SourceRef is the source reference for the package source
-                  charts
-                properties:
-                  kind:
-                    description: Kind of the source reference
-                    enum:
-                    - GitRepository
-                    - OCIRepository
-                    type: string
-                  name:
-                    description: Name of the source reference
-                    type: string
-                  namespace:
-                    description: Namespace of the source reference
-                    type: string
-                  path:
-                    description: |-
-                      Path is the base path where packages are located in the source.
-                      For GitRepository, defaults to "packages" if not specified.
-                      For OCIRepository, defaults to empty string (root) if not specified.
-                    type: string
-                required:
-                - kind
-                - name
-                - namespace
-                type: object
-              variants:
-                description: |-
-                  Variants is a list of package source variants
-                  Each variant defines components, applications, dependencies, and libraries for a specific configuration
-                items:
-                  description: Variant defines a single variant configuration
-                  properties:
-                    components:
-                      description: Components is a list of Helm releases to be installed
-                        as part of this variant
-                      items:
-                        description: Component defines a single Helm release component
-                          within a package source
-                        properties:
-                          install:
-                            description: Install defines installation parameters for
-                              this component
-                            properties:
-                              dependsOn:
-                                description: DependsOn is a list of component names
-                                  that must be installed before this component
-                                items:
-                                  type: string
-                                type: array
-                              namespace:
-                                description: Namespace is the Kubernetes namespace
-                                  where the release will be installed
-                                type: string
-                              privileged:
-                                description: Privileged indicates whether this release
-                                  requires privileged access
-                                type: boolean
-                              releaseName:
-                                description: |-
-                                  ReleaseName is the name of the HelmRelease resource that will be created
-                                  If not specified, defaults to the component Name field
-                                type: string
-                            type: object
-                          libraries:
-                            description: |-
-                              Libraries is a list of library names that this component depends on
-                              These libraries must be defined at the variant level
-                            items:
-                              type: string
-                            type: array
-                          name:
-                            description: Name is the unique identifier for this component
-                              within the package source
-                            type: string
-                          path:
-                            description: Path is the path to the Helm chart directory
-                            type: string
-                          valuesFiles:
-                            description: ValuesFiles is a list of values file names
-                              to use
-                            items:
-                              type: string
-                            type: array
-                        required:
-                        - name
-                        - path
-                        type: object
-                      type: array
-                    dependsOn:
-                      description: |-
-                        DependsOn is a list of package source dependencies
-                        For example: "cozystack.networking"
-                      items:
-                        type: string
-                      type: array
-                    libraries:
-                      description: Libraries is a list of Helm library charts used
-                        by components in this variant
-                      items:
-                        description: Library defines a Helm library chart
-                        properties:
-                          name:
-                            description: Name is the optional name for library placed
-                              in charts
-                            type: string
-                          path:
-                            description: Path is the path to the library chart directory
-                            type: string
-                        required:
-                        - path
-                        type: object
-                      type: array
-                    name:
-                      description: Name is the unique identifier for this variant
-                      type: string
-                  required:
-                  - name
-                  type: object
-                type: array
-            type: object
-          status:
-            description: PackageSourceStatus defines the observed state of PackageSource
-            properties:
-              conditions:
-                description: Conditions represents the latest available observations
-                  of a PackageSource's state
-                items:
-                  description: Condition contains details for one aspect of the current
-                    state of this API Resource.
-                  properties:
-                    lastTransitionTime:
-                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
-                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: |-
-                        message is a human readable message indicating details about the transition.
-                        This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: |-
-                        observedGeneration represents the .metadata.generation that the condition was set based upon.
-                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
-                        with respect to the current state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: |-
-                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
-                        Producers of specific condition types may define expected values and meanings for this field,
-                        and whether the values are considered a guaranteed API.
-                        The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              variants:
-                description: |-
-                  Variants is a comma-separated list of package variant names
-                  This field is populated by the controller based on spec.variants keys
-                type: string
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}

packages/core/installer/templates/cozystack-operator.yaml

@@ -1,3 +1,7 @@
+{{- $validVariants := list "talos" "generic" "hosted" -}}
+{{- if not (has .Values.cozystackOperator.variant $validVariants) -}}
+{{- fail (printf "Invalid cozystackOperator.variant %q: must be one of talos, generic, hosted" .Values.cozystackOperator.variant) -}}
+{{- end -}}
 ---
 apiVersion: v1
 kind: Namespace
@@ -6,6 +10,8 @@ metadata:
   labels:
     cozystack.io/system: "true"
     pod-security.kubernetes.io/enforce: privileged
+  annotations:
+    helm.sh/resource-policy: keep
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -53,10 +59,9 @@ spec:
         args:
         - --leader-elect=true
         - --install-flux=true
-        # CRDs are also in crds/ for initial helm install, but Helm never updates
-        # them on upgrade and never deletes them on uninstall. The operator applies
-        # embedded CRDs via server-side apply on every startup, ensuring they stay
-        # up to date. To fully remove CRDs, delete them manually after helm uninstall.
+        # The operator applies embedded CRDs via server-side apply on every
+        # startup, ensuring they stay up to date.
+        # To fully remove CRDs, delete them manually after helm uninstall.
         - --install-crds=true
         - --metrics-bind-address=0
         - --health-probe-bind-address=0

packages/core/installer/templates/packagesource.yaml

@@ -1,57 +0,0 @@
-{{- $validVariants := list "talos" "generic" "hosted" -}}
-{{- if not (has .Values.cozystackOperator.variant $validVariants) -}}
-{{- fail (printf "Invalid cozystackOperator.variant %q: must be one of talos, generic, hosted" .Values.cozystackOperator.variant) -}}
-{{- end -}}
----
-apiVersion: cozystack.io/v1alpha1
-kind: PackageSource
-metadata:
-  name: cozystack.cozystack-platform
-  annotations:
-    operator.cozystack.io/skip-cozystack-values: "true"
-spec:
-  sourceRef:
-    kind: OCIRepository
-    name: cozystack-platform
-    namespace: cozy-system
-    path: /
-  variants:
-  - name: default
-    components:
-    - install:
-        namespace: cozy-system
-        releaseName: cozystack-platform
-      name: platform
-      path: core/platform
-      valuesFiles:
-      - values.yaml
-  - name: isp-full
-    components:
-    - install:
-        namespace: cozy-system
-        releaseName: cozystack-platform
-      name: platform
-      path: core/platform
-      valuesFiles:
-      - values.yaml
-      - values-isp-full.yaml
-  - name: isp-hosted
-    components:
-    - install:
-        namespace: cozy-system
-        releaseName: cozystack-platform
-      name: platform
-      path: core/platform
-      valuesFiles:
-      - values.yaml
-      - values-isp-hosted.yaml
-  - name: isp-full-generic
-    components:
-    - install:
-        namespace: cozy-system
-        releaseName: cozystack-platform
-      name: platform
-      path: core/platform
-      valuesFiles:
-      - values.yaml
-      - values-isp-full-generic.yaml

packages/core/installer/values.yaml

@@ -1,9 +1,9 @@
 cozystackOperator:
   # Deployment variant: talos, generic, hosted
   variant: talos
-  image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.0.0-beta.6@sha256:c7490da9c1ccb51bff4dd5657ca6a33a29ac71ad9861dfa8c72fdfc8b5765b93
+  image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.0.0@sha256:9e5229764b6077809a1c16566881a524c33e8986e36597e6833f8857a7e6a335
   platformSourceUrl: 'oci://ghcr.io/cozystack/cozystack/cozystack-packages'
-  platformSourceRef: 'digest=sha256:b29b87d1a2b80452ffd4db7516a102c30c55121552dcdb237055d4124d12c55d'
+  platformSourceRef: 'digest=sha256:ef3e4ba7d21572a61794d8be594805f063aa04f4a8c3753351fc89c7804d337e'
 # Generic variant configuration (only used when cozystackOperator.variant=generic)
 cozystack:
   # Kubernetes API server host (IP only, no protocol/port)

packages/core/platform/images/migrations/migrations/26

@@ -2,6 +2,7 @@
 # Migration 26 --> 27
 # Migrate monitoring resources from extra/monitoring to system/monitoring
 # This migration re-labels resources so they become owned by monitoring-system HelmRelease
+# and deletes old helm release secrets so that helm does not diff old vs new chart manifests.
 
 set -euo pipefail
 
@@ -35,10 +36,39 @@ relabel_resources() {
   done
 }
 
+# Delete all helm release secrets for a given release name in a namespace.
+# Uses both label selector and name-pattern matching to ensure complete cleanup.
+delete_helm_secrets() {
+  local ns="$1"
+  local release="$2"
+
+  # Primary: delete by label selector
+  kubectl delete secrets -n "$ns" -l "name=${release},owner=helm" --ignore-not-found
+
+  # Fallback: find and delete by name pattern (in case labels were modified)
+  local remaining
+  remaining=$(kubectl get secrets -n "$ns" -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
+  if [ -n "$remaining" ]; then
+    echo "  Found secrets not matched by label selector, deleting by name..."
+    echo "$remaining" | while IFS= read -r secret; do
+      echo "    Deleting $secret"
+      kubectl delete -n "$ns" "$secret" --ignore-not-found
+    done
+  fi
+
+  # Verify all secrets are gone
+  remaining=$(kubectl get secrets -n "$ns" -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
+  if [ -n "$remaining" ]; then
+    echo "  ERROR: Failed to delete helm release secrets:"
+    echo "$remaining"
+    return 1
+  fi
+}
+
 # Find all tenant namespaces with monitoring HelmRelease
 echo "Finding tenant namespaces with monitoring HelmRelease..."
-NAMESPACES=$(kubectl get hr --all-namespaces -l apps.cozystack.io/application.kind=Monitoring \
-  -o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}' 2>/dev/null | sort -u || true)
+NAMESPACES=$(kubectl get hr --all-namespaces -l cozystack.io/ui=true --field-selector=metadata.name=monitoring \
+  -o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}' | sort -u)
 
 if [ -z "$NAMESPACES" ]; then
   echo "No monitoring HelmReleases found in tenant namespaces, skipping migration"
@@ -66,7 +96,7 @@ for ns in $NAMESPACES; do
   # Step 1: Suspend the HelmRelease
   echo ""
   echo "Step 1: Suspending HelmRelease monitoring..."
-  kubectl patch hr -n "$ns" monitoring --type=merge -p '{"spec":{"suspend":true}}' 2>/dev/null || true
+  kubectl patch hr -n "$ns" monitoring --type=merge -p '{"spec":{"suspend":true}}'
 
   # Wait a moment for reconciliation to stop
   sleep 2
@@ -74,7 +104,7 @@ for ns in $NAMESPACES; do
   # Step 2: Delete helm secrets for the monitoring release
   echo ""
   echo "Step 2: Deleting helm secrets for monitoring release..."
-  kubectl delete secrets -n "$ns" -l name=monitoring,owner=helm --ignore-not-found
+  delete_helm_secrets "$ns" "monitoring"
 
   # Step 3: Relabel resources to be owned by monitoring-system
   echo ""
@@ -121,7 +151,9 @@ for ns in $NAMESPACES; do
   echo "Processing Cozystack resources..."
   relabel_resources "$ns" "workloadmonitors.cozystack.io"
 
-  # Step 4: Delete the suspended HelmRelease (Flux won't delete resources when HR is suspended)
+  # Step 4: Delete the suspended HelmRelease
+  # Helm secrets are already gone, so flux finalizer will find no release to uninstall
+  # and will simply remove the finalizer without deleting any resources.
   echo ""
   echo "Step 4: Deleting suspended HelmRelease monitoring..."
   kubectl delete hr -n "$ns" monitoring --ignore-not-found

packages/core/platform/images/migrations/migrations/27

@@ -5,10 +5,24 @@ set -euo pipefail
 
 # Migrate Piraeus CRDs to piraeus-operator-crds Helm release
 for crd in linstorclusters.piraeus.io linstornodeconnections.piraeus.io linstorsatelliteconfigurations.piraeus.io linstorsatellites.piraeus.io; do
-  kubectl annotate crd "$crd" meta.helm.sh/release-namespace=cozy-linstor meta.helm.sh/release-name=piraeus-operator-crds --overwrite
-  kubectl label crd "$crd" app.kubernetes.io/managed-by=Helm helm.toolkit.fluxcd.io/namespace=cozy-linstor helm.toolkit.fluxcd.io/name=piraeus-operator-crds --overwrite
+  if kubectl get crd "$crd" >/dev/null 2>&1; then
+    echo "  Relabeling CRD $crd"
+    kubectl annotate crd "$crd" meta.helm.sh/release-namespace=cozy-linstor meta.helm.sh/release-name=piraeus-operator-crds --overwrite
+    kubectl label crd "$crd" app.kubernetes.io/managed-by=Helm helm.toolkit.fluxcd.io/namespace=cozy-linstor helm.toolkit.fluxcd.io/name=piraeus-operator-crds --overwrite
+  else
+    echo "  CRD $crd not found, skipping"
+  fi
 done
+
+# Delete old piraeus-operator helm secrets (by label and by name pattern)
 kubectl delete secret -n cozy-linstor -l name=piraeus-operator,owner=helm --ignore-not-found
+remaining=$(kubectl get secrets -n cozy-linstor -o name 2>/dev/null | { grep "^secret/sh\.helm\.release\.v1\.piraeus-operator\." || true; })
+if [ -n "$remaining" ]; then
+  echo "  Deleting remaining piraeus-operator helm secrets by name..."
+  echo "$remaining" | while IFS= read -r secret; do
+    kubectl delete -n cozy-linstor "$secret" --ignore-not-found
+  done
+fi
 
 # Stamp version
 kubectl create configmap -n cozy-system cozystack-version \

packages/core/platform/images/migrations/migrations/28

@@ -348,7 +348,7 @@ PVCEOF
   # --- 3g: Clone Secrets ---
   echo "  --- Clone Secrets ---"
   for secret in $(kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
-    | grep "secret/${OLD_NAME}" | grep -v "sh.helm.release"); do
+    | { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; }); do
     old_secret_name="${secret#secret/}"
     new_secret_name="${NEW_NAME}${old_secret_name#${OLD_NAME}}"
     clone_resource "$NAMESPACE" "secret" "$old_secret_name" "$new_secret_name" "$OLD_NAME" "$NEW_NAME"
@@ -357,7 +357,7 @@ PVCEOF
   # --- 3h: Clone ConfigMaps ---
   echo "  --- Clone ConfigMaps ---"
   for cm in $(kubectl -n "$NAMESPACE" get configmap -o name 2>/dev/null \
-    | grep "configmap/${OLD_NAME}"); do
+    | { grep "configmap/${OLD_NAME}" || true; }); do
     old_cm_name="${cm#configmap/}"
     new_cm_name="${NEW_NAME}${old_cm_name#${OLD_NAME}}"
     clone_resource "$NAMESPACE" "configmap" "$old_cm_name" "$new_cm_name" "$OLD_NAME" "$NEW_NAME"
@@ -468,13 +468,13 @@ PVCEOF
   fi
 
   for secret in $(kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
-    | grep "secret/${OLD_NAME}" | grep -v "sh.helm.release"); do
+    | { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; }); do
     old_secret_name="${secret#secret/}"
     delete_resource "$NAMESPACE" "secret" "$old_secret_name"
   done
 
   for cm in $(kubectl -n "$NAMESPACE" get configmap -o name 2>/dev/null \
-    | grep "configmap/${OLD_NAME}"); do
+    | { grep "configmap/${OLD_NAME}" || true; }); do
     old_cm_name="${cm#configmap/}"
     delete_resource "$NAMESPACE" "configmap" "$old_cm_name"
   done
@@ -611,6 +611,19 @@ done
 echo ""
 echo "=== Migration complete (${#INSTANCES[@]} instance(s)) ==="
 
+# ============================================================
+# STEP 8: Clean up orphaned mysql-rd system HelmRelease
+# ============================================================
+echo ""
+echo "--- Step 8: Clean up orphaned mysql-rd HelmRelease ---"
+if kubectl -n cozy-system get hr mysql-rd --no-headers 2>/dev/null | grep -q .; then
+  echo "  [DELETE] hr/mysql-rd"
+  kubectl -n cozy-system delete hr mysql-rd --wait=false
+else
+  echo "  [SKIP] hr/mysql-rd already gone"
+fi
+kubectl -n cozy-system delete secret -l "owner=helm,name=mysql-rd" --ignore-not-found
+
 # Stamp version
 kubectl create configmap -n cozy-system cozystack-version \
   --from-literal=version=29 --dry-run=client -o yaml | kubectl apply -f-

packages/core/platform/images/migrations/migrations/29

@@ -9,8 +9,6 @@ set -euo pipefail
 OLD_PREFIX="virtual-machine"
 NEW_DISK_PREFIX="vm-disk"
 NEW_INSTANCE_PREFIX="vm-instance"
-PROTECTION_WEBHOOK_NAME="protection-webhook"
-PROTECTION_WEBHOOK_NS="protection-webhook"
 CDI_APISERVER_NS="cozy-kubevirt-cdi"
 CDI_APISERVER_DEPLOY="cdi-apiserver"
 CDI_VALIDATING_WEBHOOKS="cdi-api-datavolume-validate cdi-api-dataimportcron-validate cdi-api-populator-validate cdi-api-validate"
@@ -88,7 +86,6 @@ echo "  Total: ${#INSTANCES[@]} instance(s)"
 # STEP 2: Migrate each instance
 # ============================================================
 ALL_PV_NAMES=()
-ALL_PROTECTED_RESOURCES=()
 
 for entry in "${INSTANCES[@]}"; do
   NAMESPACE="${entry%%/*}"
@@ -315,7 +312,7 @@ PVCEOF
   # --- 2i: Clone Secrets ---
   echo "  --- Clone Secrets ---"
   kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
-    | grep "secret/${OLD_NAME}" | grep -v "sh.helm.release" | grep -v "values" \
+    | { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; } | { grep -v "values" || true; } \
     | while IFS= read -r secret; do
     old_secret_name="${secret#secret/}"
     suffix="${old_secret_name#${OLD_NAME}}"
@@ -542,7 +539,7 @@ SVCEOF
   # --- 2q: Delete old resources ---
   echo "  --- Delete old resources ---"
   kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
-    | grep "secret/${OLD_NAME}" | grep -v "sh.helm.release" | grep -v "values" \
+    | { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; } | { grep -v "values" || true; } \
     | while IFS= read -r secret; do
     old_secret_name="${secret#secret/}"
     delete_resource "$NAMESPACE" "secret" "$old_secret_name"
@@ -564,71 +561,17 @@ SVCEOF
     delete_resource "$NAMESPACE" "secret" "$VALUES_SECRET"
   fi
 
-  # Collect protected resources for batch deletion
+  # Delete old service (if exists)
   if resource_exists "$NAMESPACE" "svc" "$OLD_NAME"; then
-    ALL_PROTECTED_RESOURCES+=("${NAMESPACE}:svc/${OLD_NAME}")
+    delete_resource "$NAMESPACE" "svc" "$OLD_NAME"
   fi
 done
 
 # ============================================================
-# STEP 3: Delete protected resources (Services)
+# STEP 3: Restore PV reclaim policies
 # ============================================================
 echo ""
-echo "--- Step 3: Delete protected resources ---"
-
-if [ ${#ALL_PROTECTED_RESOURCES[@]} -gt 0 ]; then
-  WEBHOOK_EXISTS=false
-  if kubectl -n "$PROTECTION_WEBHOOK_NS" get deploy "$PROTECTION_WEBHOOK_NAME" --no-headers 2>/dev/null | grep -q .; then
-    WEBHOOK_EXISTS=true
-  fi
-
-  if [ "$WEBHOOK_EXISTS" = "true" ]; then
-    echo "  --- Temporarily disabling protection-webhook ---"
-
-    WEBHOOK_REPLICAS=$(kubectl -n "$PROTECTION_WEBHOOK_NS" get deploy "$PROTECTION_WEBHOOK_NAME" \
-      -o jsonpath='{.spec.replicas}' 2>/dev/null || echo "1")
-
-    echo "  [SCALE] ${PROTECTION_WEBHOOK_NAME} -> 0 (was ${WEBHOOK_REPLICAS})"
-    kubectl -n "$PROTECTION_WEBHOOK_NS" scale deploy "$PROTECTION_WEBHOOK_NAME" --replicas=0
-
-    echo "  [PATCH] Set failurePolicy=Ignore on ValidatingWebhookConfiguration/${PROTECTION_WEBHOOK_NAME}"
-    kubectl get validatingwebhookconfiguration "$PROTECTION_WEBHOOK_NAME" -o json | \
-      jq '.webhooks[].failurePolicy = "Ignore"' | \
-      kubectl apply -f - 2>/dev/null || true
-
-    echo "  Waiting for webhook pods to terminate..."
-    kubectl -n "$PROTECTION_WEBHOOK_NS" wait --for=delete pod \
-      -l app.kubernetes.io/name=protection-webhook --timeout=60s 2>/dev/null || true
-    sleep 3
-  fi
-
-  for entry in "${ALL_PROTECTED_RESOURCES[@]}"; do
-    ns="${entry%%:*}"
-    res="${entry#*:}"
-    echo "  [DELETE] ${ns}/${res}"
-    kubectl -n "$ns" delete "$res" --wait=false 2>/dev/null || true
-  done
-
-  if [ "$WEBHOOK_EXISTS" = "true" ]; then
-    echo "  [PATCH] Set failurePolicy=Fail on ValidatingWebhookConfiguration/${PROTECTION_WEBHOOK_NAME}"
-    kubectl get validatingwebhookconfiguration "$PROTECTION_WEBHOOK_NAME" -o json | \
-      jq '.webhooks[].failurePolicy = "Fail"' | \
-      kubectl apply -f - 2>/dev/null || true
-
-    echo "  [SCALE] ${PROTECTION_WEBHOOK_NAME} -> ${WEBHOOK_REPLICAS}"
-    kubectl -n "$PROTECTION_WEBHOOK_NS" scale deploy "$PROTECTION_WEBHOOK_NAME" \
-      --replicas="$WEBHOOK_REPLICAS"
-    echo "  --- protection-webhook restored ---"
-  fi
-else
-  echo "  [SKIP] No protected resources to delete"
-fi
-
-# ============================================================
-# STEP 4: Restore PV reclaim policies
-# ============================================================
-echo ""
-echo "--- Step 4: Restore PV reclaim policies ---"
+echo "--- Step 3: Restore PV reclaim policies ---"
 for pv_name in "${ALL_PV_NAMES[@]}"; do
   if [ -n "$pv_name" ]; then
     current_policy=$(kubectl get pv "$pv_name" \
@@ -643,7 +586,7 @@ for pv_name in "${ALL_PV_NAMES[@]}"; do
 done
 
 # ============================================================
-# STEP 5: Temporarily disable CDI datavolume webhooks
+# STEP 4: Temporarily disable CDI datavolume webhooks
 # ============================================================
 # CDI's datavolume-validate webhook rejects DataVolume creation when a PVC
 # with the same name already exists. We must disable it so that vm-disk
@@ -652,7 +595,7 @@ done
 # cdi-apiserver (which serves the webhooks), then delete webhook configs.
 # Both are restored after vm-disk HRs reconcile.
 echo ""
-echo "--- Step 5: Temporarily disable CDI webhooks ---"
+echo "--- Step 4: Temporarily disable CDI webhooks ---"
 
 CDI_OPERATOR_REPLICAS=$(kubectl -n "$CDI_APISERVER_NS" get deploy cdi-operator \
   -o jsonpath='{.spec.replicas}' 2>/dev/null || echo "1")
@@ -685,10 +628,10 @@ done
 sleep 2
 
 # ============================================================
-# STEP 6: Unsuspend vm-disk HelmReleases first
+# STEP 5: Unsuspend vm-disk HelmReleases first
 # ============================================================
 echo ""
-echo "--- Step 6: Unsuspend vm-disk HelmReleases ---"
+echo "--- Step 5: Unsuspend vm-disk HelmReleases ---"
 for entry in "${INSTANCES[@]}"; do
   ns="${entry%%/*}"
   instance="${entry#*/}"
@@ -705,7 +648,7 @@ for entry in "${INSTANCES[@]}"; do
     # Force immediate reconciliation
     echo "  [TRIGGER] Reconcile ${ns}/hr/${disk_name}"
     kubectl -n "$ns" annotate hr "$disk_name" --overwrite \
-      "reconcile.fluxcd.io/requestedAt=$(date +%s)" 2>/dev/null || true
+      "reconcile.fluxcd.io/requestedAt=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" 2>/dev/null || true
   fi
 done
 
@@ -729,12 +672,12 @@ for entry in "${INSTANCES[@]}"; do
 done
 
 # ============================================================
-# STEP 7: Restore CDI webhooks
+# STEP 6: Restore CDI webhooks
 # ============================================================
 # Scale cdi-operator and cdi-apiserver back up.
 # cdi-apiserver will recreate webhook configurations automatically on start.
 echo ""
-echo "--- Step 7: Restore CDI webhooks ---"
+echo "--- Step 6: Restore CDI webhooks ---"
 
 echo "  [SCALE] cdi-operator -> ${CDI_OPERATOR_REPLICAS}"
 kubectl -n "$CDI_APISERVER_NS" scale deploy cdi-operator \
@@ -749,10 +692,10 @@ kubectl -n "$CDI_APISERVER_NS" rollout status deploy "$CDI_APISERVER_DEPLOY" --t
 echo "  --- CDI webhooks restored ---"
 
 # ============================================================
-# STEP 8: Unsuspend vm-instance HelmReleases
+# STEP 7: Unsuspend vm-instance HelmReleases
 # ============================================================
 echo ""
-echo "--- Step 8: Unsuspend vm-instance HelmReleases ---"
+echo "--- Step 7: Unsuspend vm-instance HelmReleases ---"
 for entry in "${INSTANCES[@]}"; do
   ns="${entry%%/*}"
   instance="${entry#*/}"
@@ -772,6 +715,19 @@ done
 echo ""
 echo "=== Migration complete (${#INSTANCES[@]} instance(s)) ==="
 
+# ============================================================
+# STEP 8: Clean up orphaned virtual-machine-rd system HelmRelease
+# ============================================================
+echo ""
+echo "--- Step 8: Clean up orphaned virtual-machine-rd HelmRelease ---"
+if kubectl -n cozy-system get hr virtual-machine-rd --no-headers 2>/dev/null | grep -q .; then
+  echo "  [DELETE] hr/virtual-machine-rd"
+  kubectl -n cozy-system delete hr virtual-machine-rd --wait=false
+else
+  echo "  [SKIP] hr/virtual-machine-rd already gone"
+fi
+kubectl -n cozy-system delete secret -l "owner=helm,name=virtual-machine-rd" --ignore-not-found
+
 # Stamp version
 kubectl create configmap -n cozy-system cozystack-version \
   --from-literal=version=30 --dry-run=client -o yaml | kubectl apply -f-

packages/core/platform/images/migrations/migrations/32

@@ -0,0 +1,92 @@
+#!/bin/sh
+# Migration 32 --> 33
+# Convert publishing.certificates.issuerType to solver + issuerName in
+# the cozystack-platform Package resource.
+#
+# Old field (pre-refactor schema):
+#   publishing.certificates.issuerType: "http01" | "cloudflare"
+# New fields:
+#   publishing.certificates.solver: "http01" | "dns01"
+#   publishing.certificates.issuerName: "letsencrypt-prod" (or custom)
+#
+# Conversion table:
+#   cloudflare  -> solver: dns01,  issuerName: letsencrypt-prod
+#   http01      -> solver: http01, issuerName: letsencrypt-prod
+#   <custom>    -> issuerName: <custom>  (solver left at chart default)
+#   <absent>    -> no-op
+
+set -euo pipefail
+
+PACKAGE_NAME="cozystack.cozystack-platform"
+
+# Check if Package exists
+if ! kubectl get package "$PACKAGE_NAME" >/dev/null 2>&1; then
+  echo "Package $PACKAGE_NAME not found, skipping migration"
+  kubectl create configmap -n cozy-system cozystack-version \
+    --from-literal=version=33 --dry-run=client -o yaml | kubectl apply -f -
+  exit 0
+fi
+
+# Read current issuerType value
+ISSUER_TYPE=$(kubectl get package "$PACKAGE_NAME" -o json | \
+  jq -r '.spec.components.platform.values.publishing.certificates.issuerType // ""')
+
+if [ -z "$ISSUER_TYPE" ]; then
+  echo "No issuerType found in Package $PACKAGE_NAME, nothing to migrate"
+  kubectl create configmap -n cozy-system cozystack-version \
+    --from-literal=version=33 --dry-run=client -o yaml | kubectl apply -f -
+  exit 0
+fi
+
+echo "Found issuerType: $ISSUER_TYPE"
+
+# Convert old issuerType to new solver/issuerName
+SOLVER=""
+ISSUER_NAME=""
+case "$ISSUER_TYPE" in
+  cloudflare)
+    SOLVER="dns01"
+    ISSUER_NAME="letsencrypt-prod"
+    ;;
+  http01)
+    SOLVER="http01"
+    ISSUER_NAME="letsencrypt-prod"
+    ;;
+  *)
+    # Unrecognised value — treat as custom ClusterIssuer name, no solver override
+    ISSUER_NAME="$ISSUER_TYPE"
+    ;;
+esac
+
+echo "Converting to: solver=${SOLVER:-<chart default>}, issuerName=${ISSUER_NAME:-<chart default>}"
+
+# Build the certificates patch:
+#   - null removes issuerType (JSON merge patch semantics)
+#   - solver and issuerName are included only when non-empty
+CERTS_PATCH=$(jq -n --arg solver "$SOLVER" --arg issuerName "$ISSUER_NAME" '
+  {"issuerType": null}
+  + (if $solver != "" then {"solver": $solver} else {} end)
+  + (if $issuerName != "" then {"issuerName": $issuerName} else {} end)
+')
+
+PATCH_JSON=$(jq -n --argjson certs "$CERTS_PATCH" '{
+  "spec": {
+    "components": {
+      "platform": {
+        "values": {
+          "publishing": {
+            "certificates": $certs
+          }
+        }
+      }
+    }
+  }
+}')
+
+kubectl patch package "$PACKAGE_NAME" --type=merge --patch "$PATCH_JSON"
+
+echo "Migration complete: issuerType=$ISSUER_TYPE -> solver=${SOLVER:-<unset>} issuerName=${ISSUER_NAME:-<unset>}"
+
+# Stamp version
+kubectl create configmap -n cozy-system cozystack-version \
+  --from-literal=version=33 --dry-run=client -o yaml | kubectl apply -f -

packages/core/platform/images/migrations/migrations/33

@@ -0,0 +1,30 @@
+#!/bin/sh
+# Migration 33 --> 34
+# Clean up orphaned system -rd HelmReleases left after application renames.
+#
+# These HelmReleases reference ExternalArtifacts that no longer exist:
+#   ferretdb-rd   -> replaced by mongodb-rd
+#   mysql-rd      -> replaced by mariadb-rd (migration 28 handled user HRs only)
+#   virtual-machine-rd -> replaced by vm-disk-rd + vm-instance-rd (migration 29 handled user HRs only)
+#
+# Idempotent: safe to re-run.
+
+set -euo pipefail
+
+echo "=== Cleaning up orphaned -rd HelmReleases ==="
+
+for hr_name in ferretdb-rd mysql-rd virtual-machine-rd; do
+  if kubectl -n cozy-system get hr "$hr_name" --no-headers 2>/dev/null | grep -q .; then
+    echo "  [DELETE] hr/${hr_name}"
+    kubectl -n cozy-system delete hr "$hr_name" --wait=false
+  else
+    echo "  [SKIP] hr/${hr_name} already gone"
+  fi
+  kubectl -n cozy-system delete secret -l "owner=helm,name=${hr_name}" --ignore-not-found
+done
+
+echo "=== Cleanup complete ==="
+
+# Stamp version
+kubectl create configmap -n cozy-system cozystack-version \
+  --from-literal=version=34 --dry-run=client -o yaml | kubectl apply -f-

packages/core/platform/images/migrations/migrations/34

@@ -0,0 +1,37 @@
+#!/bin/sh
+# Migration 34 --> 35
+# Backfill spec.version on rabbitmq.apps.cozystack.io resources.
+#
+# Before this migration RabbitMQ had no user-selectable version; the
+# operator always used its built-in default image (v3.x).  A version field
+# was added in this release.  Without this migration every existing cluster
+# would be upgraded to the new default (v4.2) on the next reconcile.
+#
+# Set spec.version to "v3.13" for any rabbitmq app resource that does not
+# already have it set.
+
+set -euo pipefail
+
+DEFAULT_VERSION="v3.13"
+RABBITMQS=$(kubectl get rabbitmqs.apps.cozystack.io -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}')
+for resource in $RABBITMQS; do
+  NS="${resource%%/*}"
+  APP_NAME="${resource##*/}"
+
+  # Skip if spec.version is already set
+  CURRENT_VER=$(kubectl get rabbitmqs.apps.cozystack.io -n "$NS" "$APP_NAME" \
+    -o jsonpath='{.spec.version}')
+  if [ -n "$CURRENT_VER" ]; then
+    echo "SKIP $NS/$APP_NAME: spec.version already set to '$CURRENT_VER'"
+    continue
+  fi
+
+  echo "Patching rabbitmq/$APP_NAME in $NS: setting version=$DEFAULT_VERSION"
+
+  kubectl patch rabbitmqs.apps.cozystack.io -n "$NS" "$APP_NAME" --type=merge \
+    --patch "{\"spec\":{\"version\":\"${DEFAULT_VERSION}\"}}"
+done
+
+# Stamp version
+kubectl create configmap -n cozy-system cozystack-version \
+  --from-literal=version=35 --dry-run=client -o yaml | kubectl apply -f-

packages/core/platform/images/migrations/run-migrations.sh

@@ -24,7 +24,7 @@ if [ "$CURRENT_VERSION" -ge "$TARGET_VERSION" ]; then
 fi
 
 # Run migrations sequentially from current version to target version
-for i in $(seq $((CURRENT_VERSION + 1)) $TARGET_VERSION); do
+for i in $(seq $CURRENT_VERSION $((TARGET_VERSION - 1))); do
   if [ -f "/migrations/$i" ]; then
     echo "Running migration $i"
     chmod +x /migrations/$i

packages/core/platform/sources/openbao-application.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: PackageSource
+metadata:
+  name: cozystack.openbao-application
+spec:
+  sourceRef:
+    kind: OCIRepository
+    name: cozystack-packages
+    namespace: cozy-system
+    path: /
+  variants:
+    - name: default
+      dependsOn:
+        - cozystack.networking
+      libraries:
+        - name: cozy-lib
+          path: library/cozy-lib
+      components:
+        - name: openbao-system
+          path: system/openbao
+        - name: openbao
+          path: apps/openbao
+          libraries: ["cozy-lib"]
+        - name: openbao-rd
+          path: system/openbao-rd
+          install:
+            namespace: cozy-system
+            releaseName: openbao-rd

packages/core/platform/templates/apps.yaml

@@ -21,7 +21,8 @@ stringData:
     _cluster:
       root-host: {{ $rootHost | quote }}
       bundle-name: {{ .Values.bundles.system.variant | quote }}
-      clusterissuer: {{ .Values.publishing.certificates.issuerType | quote }}
+      solver: {{ .Values.publishing.certificates.solver | quote }}
+      issuer-name: {{ .Values.publishing.certificates.issuerName | quote }}
       oidc-enabled: {{ .Values.authentication.oidc.enabled | quote }}
       oidc-insecure-skip-verify: {{ .Values.authentication.oidc.insecureSkipVerify | quote }}
       extra-keycloak-redirect-uri-for-dashboard: {{ index .Values.authentication.oidc.keycloakExtraRedirectUri | quote }}

packages/core/platform/templates/bundles/paas.yaml

@@ -16,6 +16,7 @@
 {{include "cozystack.platform.package.default" (list "cozystack.mariadb-application" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.mongodb-application" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.nats-application" $) }}
+{{include "cozystack.platform.package.default" (list "cozystack.openbao-application" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.postgres-application" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.qdrant-application" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.rabbitmq-application" $) }}

packages/core/platform/templates/cozystack-version.yaml

@@ -6,6 +6,8 @@ kind: ConfigMap
 metadata:
   name: cozystack-version
   namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/resource-policy: keep
 data:
   version: {{ .Values.migrations.targetVersion | quote }}
 {{- end }}

packages/core/platform/values.yaml

@@ -5,8 +5,8 @@ sourceRef:
   path: /
 migrations:
   enabled: false
-  image: ghcr.io/cozystack/cozystack/platform-migrations:v1.0.0-beta.6@sha256:37c78dafcedbdad94acd9912550db0b4875897150666b8a06edfa894de99064e
-  targetVersion: 32
+  image: ghcr.io/cozystack/cozystack/platform-migrations:v1.0.0@sha256:68dabdebc38ac439228ae07031cc70e0fa184a24bd4e5b3b22c17466b2a55201
+  targetVersion: 35
 # Bundle deployment configuration
 bundles:
   system:
@@ -46,7 +46,8 @@ publishing:
   apiServerEndpoint: "" # example: "https://api.example.org"
   externalIPs: []
   certificates:
-    issuerType: http01 # "http01" or "cloudflare"
+    solver: http01 # "http01" or "dns01"
+    issuerName: letsencrypt-prod
 # Authentication configuration
 authentication:
   oidc:

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.0.0-beta.6@sha256:09af5901abcbed2b612d2d93c163e8ad3948bc55a1d8beae714b4fb2b8f7d91d
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.0.0@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v1.0.0-beta.6@sha256:212f624957447f5a932fd5d4564eb8c97694d336b7dc877a2833c1513c0d074d
+ghcr.io/cozystack/cozystack/matchbox:v1.0.0@sha256:c48eb7b23f01a8ff58d409fdb51c88e771f819cb914eee03da89471e62302f33

packages/extra/bootbox/templates/matchbox/ingress.yaml

@@ -1,4 +1,5 @@
-{{- $issuerType := (index .Values._cluster "clusterissuer") | default "http01" }}
+{{- $solver := (index .Values._cluster "solver") | default "http01" }}
+{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
 {{- $ingress := .Values._namespace.ingress }}
 {{- $host := .Values._namespace.host }}
 apiVersion: networking.k8s.io/v1
@@ -8,10 +9,10 @@ metadata:
   labels:
     app: bootbox
   annotations:
-    {{- if ne $issuerType "cloudflare" }}
+    {{- if eq $solver "http01" }}
     acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
     {{- end }}
-    cert-manager.io/cluster-issuer: letsencrypt-prod
+    cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
     {{- if .Values.whitelistHTTP }}
     nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," (.Values.whitelist | default "0.0.0.0/32") }}"
     {{- end }}

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -104,6 +104,7 @@ spec:
       - {{ .Release.Name }}
   secretName: etcd-peer-ca-tls
   privateKey:
+    rotationPolicy: Never
     algorithm: RSA
     size: 4096
   issuerRef:
@@ -130,6 +131,7 @@ spec:
       - {{ .Release.Name }}
   secretName: etcd-ca-tls
   privateKey:
+    rotationPolicy: Never
     algorithm: RSA
     size: 4096
   issuerRef:

packages/extra/seaweedfs/README.md

@@ -1,4 +1,4 @@
-# Managed NATS Service
+# Managed SeaweedFS Service
 
 ## Parameters
 
@@ -13,46 +13,68 @@
 
 ### SeaweedFS Components Configuration
 
-| Name                          | Description                                                                                              | Type                | Value   |
-| ----------------------------- | -------------------------------------------------------------------------------------------------------- | ------------------- | ------- |
-| `db`                          | Database configuration.                                                                                  | `object`            | `{}`    |
-| `db.replicas`                 | Number of database replicas.                                                                             | `int`               | `2`     |
-| `db.size`                     | Persistent Volume size.                                                                                  | `quantity`          | `10Gi`  |
-| `db.storageClass`             | StorageClass used to store the data.                                                                     | `string`            | `""`    |
-| `db.resources`                | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`            | `{}`    |
-| `db.resources.cpu`            | Number of CPU cores allocated.                                                                           | `quantity`          | `""`    |
-| `db.resources.memory`         | Amount of memory allocated.                                                                              | `quantity`          | `""`    |
-| `db.resourcesPreset`          | Default sizing preset used when `resources` is omitted.                                                  | `string`            | `small` |
-| `master`                      | Master service configuration.                                                                            | `object`            | `{}`    |
-| `master.replicas`             | Number of master replicas.                                                                               | `int`               | `3`     |
-| `master.resources`            | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`            | `{}`    |
-| `master.resources.cpu`        | Number of CPU cores allocated.                                                                           | `quantity`          | `""`    |
-| `master.resources.memory`     | Amount of memory allocated.                                                                              | `quantity`          | `""`    |
-| `master.resourcesPreset`      | Default sizing preset used when `resources` is omitted.                                                  | `string`            | `small` |
-| `filer`                       | Filer service configuration.                                                                             | `object`            | `{}`    |
-| `filer.replicas`              | Number of filer replicas.                                                                                | `int`               | `2`     |
-| `filer.resources`             | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`            | `{}`    |
-| `filer.resources.cpu`         | Number of CPU cores allocated.                                                                           | `quantity`          | `""`    |
-| `filer.resources.memory`      | Amount of memory allocated.                                                                              | `quantity`          | `""`    |
-| `filer.resourcesPreset`       | Default sizing preset used when `resources` is omitted.                                                  | `string`            | `small` |
-| `filer.grpcHost`              | The hostname used to expose or access the filer service externally.                                      | `string`            | `""`    |
-| `filer.grpcPort`              | The port used to access the filer service externally.                                                    | `int`               | `443`   |
-| `filer.whitelist`             | A list of IP addresses or CIDR ranges that are allowed to access the filer service.                      | `[]string`          | `[]`    |
-| `volume`                      | Volume service configuration.                                                                            | `object`            | `{}`    |
-| `volume.replicas`             | Number of volume replicas.                                                                               | `int`               | `2`     |
-| `volume.size`                 | Persistent Volume size.                                                                                  | `quantity`          | `10Gi`  |
-| `volume.storageClass`         | StorageClass used to store the data.                                                                     | `string`            | `""`    |
-| `volume.resources`            | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`            | `{}`    |
-| `volume.resources.cpu`        | Number of CPU cores allocated.                                                                           | `quantity`          | `""`    |
-| `volume.resources.memory`     | Amount of memory allocated.                                                                              | `quantity`          | `""`    |
-| `volume.resourcesPreset`      | Default sizing preset used when `resources` is omitted.                                                  | `string`            | `small` |
-| `volume.zones`                | A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.           | `map[string]object` | `{}`    |
-| `volume.zones[name].replicas` | Number of replicas in the zone.                                                                          | `int`               | `0`     |
-| `volume.zones[name].size`     | Zone storage size.                                                                                       | `quantity`          | `""`    |
-| `s3`                          | S3 service configuration.                                                                                | `object`            | `{}`    |
-| `s3.replicas`                 | Number of S3 replicas.                                                                                   | `int`               | `2`     |
-| `s3.resources`                | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`            | `{}`    |
-| `s3.resources.cpu`            | Number of CPU cores allocated.                                                                           | `quantity`          | `""`    |
-| `s3.resources.memory`         | Amount of memory allocated.                                                                              | `quantity`          | `""`    |
-| `s3.resourcesPreset`          | Default sizing preset used when `resources` is omitted.                                                  | `string`            | `small` |
+| Name                                              | Description                                                                                                   | Type                | Value   |
+| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ------------------- | ------- |
+| `db`                                              | Database configuration.                                                                                       | `object`            | `{}`    |
+| `db.replicas`                                     | Number of database replicas.                                                                                  | `int`               | `2`     |
+| `db.size`                                         | Persistent Volume size.                                                                                       | `quantity`          | `10Gi`  |
+| `db.storageClass`                                 | StorageClass used to store the data.                                                                          | `string`            | `""`    |
+| `db.resources`                                    | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `db.resources.cpu`                                | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `db.resources.memory`                             | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `db.resourcesPreset`                              | Default sizing preset used when `resources` is omitted.                                                       | `string`            | `small` |
+| `master`                                          | Master service configuration.                                                                                 | `object`            | `{}`    |
+| `master.replicas`                                 | Number of master replicas.                                                                                    | `int`               | `3`     |
+| `master.resources`                                | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `master.resources.cpu`                            | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `master.resources.memory`                         | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `master.resourcesPreset`                          | Default sizing preset used when `resources` is omitted.                                                       | `string`            | `small` |
+| `filer`                                           | Filer service configuration.                                                                                  | `object`            | `{}`    |
+| `filer.replicas`                                  | Number of filer replicas.                                                                                     | `int`               | `2`     |
+| `filer.resources`                                 | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `filer.resources.cpu`                             | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `filer.resources.memory`                          | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `filer.resourcesPreset`                           | Default sizing preset used when `resources` is omitted.                                                       | `string`            | `small` |
+| `filer.grpcHost`                                  | The hostname used to expose or access the filer service externally.                                           | `string`            | `""`    |
+| `filer.grpcPort`                                  | The port used to access the filer service externally.                                                         | `int`               | `443`   |
+| `filer.whitelist`                                 | A list of IP addresses or CIDR ranges that are allowed to access the filer service.                           | `[]string`          | `[]`    |
+| `volume`                                          | Volume service configuration.                                                                                 | `object`            | `{}`    |
+| `volume.replicas`                                 | Number of volume replicas.                                                                                    | `int`               | `2`     |
+| `volume.size`                                     | Persistent Volume size.                                                                                       | `quantity`          | `10Gi`  |
+| `volume.storageClass`                             | StorageClass used to store the data.                                                                          | `string`            | `""`    |
+| `volume.diskType`                                 | SeaweedFS disk type tag for the default volume servers (e.g., "hdd", "ssd").                                  | `string`            | `""`    |
+| `volume.resources`                                | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `volume.resources.cpu`                            | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `volume.resources.memory`                         | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `volume.resourcesPreset`                          | Default sizing preset used when `resources` is omitted.                                                       | `string`            | `small` |
+| `volume.zones`                                    | A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.                | `map[string]object` | `{}`    |
+| `volume.zones[name].replicas`                     | Number of replicas in the zone.                                                                               | `int`               | `0`     |
+| `volume.zones[name].size`                         | Zone storage size.                                                                                            | `quantity`          | `""`    |
+| `volume.zones[name].dataCenter`                   | SeaweedFS data center name for this zone. Defaults to the zone name.                                          | `string`            | `""`    |
+| `volume.zones[name].nodeSelector`                 | YAML nodeSelector for this zone (default: topology.kubernetes.io/zone: <zoneName>).                           | `string`            | `""`    |
+| `volume.zones[name].storageClass`                 | StorageClass used to store zone data. Defaults to volume.storageClass.                                        | `string`            | `""`    |
+| `volume.zones[name].pools`                        | A map of storage pools for this zone. Each pool creates a separate Volume StatefulSet per zone.               | `map[string]object` | `{}`    |
+| `volume.zones[name].pools[name].diskType`         | SeaweedFS disk type tag (e.g., "ssd", "hdd", "nvme").                                                         | `string`            | `""`    |
+| `volume.zones[name].pools[name].replicas`         | Number of volume replicas. Defaults to volume.replicas (Simple) or zone.replicas/volume.replicas (MultiZone). | `int`               | `0`     |
+| `volume.zones[name].pools[name].size`             | Persistent Volume size. Defaults to volume.size (Simple) or zone.size/volume.size (MultiZone).                | `quantity`          | `""`    |
+| `volume.zones[name].pools[name].storageClass`     | Kubernetes StorageClass for the pool. Defaults to volume.storageClass.                                        | `string`            | `""`    |
+| `volume.zones[name].pools[name].resources`        | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `volume.zones[name].pools[name].resources.cpu`    | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `volume.zones[name].pools[name].resources.memory` | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `volume.zones[name].pools[name].resourcesPreset`  | Default sizing preset used when `resources` is omitted. Defaults to volume.resourcesPreset.                   | `string`            | `{}`    |
+| `volume.pools`                                    | A map of storage pools. Each pool creates a separate Volume StatefulSet with its own disk type.               | `map[string]object` | `{}`    |
+| `volume.pools[name].diskType`                     | SeaweedFS disk type tag (e.g., "ssd", "hdd", "nvme").                                                         | `string`            | `""`    |
+| `volume.pools[name].replicas`                     | Number of volume replicas. Defaults to volume.replicas (Simple) or zone.replicas/volume.replicas (MultiZone). | `int`               | `0`     |
+| `volume.pools[name].size`                         | Persistent Volume size. Defaults to volume.size (Simple) or zone.size/volume.size (MultiZone).                | `quantity`          | `""`    |
+| `volume.pools[name].storageClass`                 | Kubernetes StorageClass for the pool. Defaults to volume.storageClass.                                        | `string`            | `""`    |
+| `volume.pools[name].resources`                    | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `volume.pools[name].resources.cpu`                | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `volume.pools[name].resources.memory`             | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `volume.pools[name].resourcesPreset`              | Default sizing preset used when `resources` is omitted. Defaults to volume.resourcesPreset.                   | `string`            | `{}`    |
+| `s3`                                              | S3 service configuration.                                                                                     | `object`            | `{}`    |
+| `s3.replicas`                                     | Number of S3 replicas.                                                                                        | `int`               | `2`     |
+| `s3.resources`                                    | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.      | `object`            | `{}`    |
+| `s3.resources.cpu`                                | Number of CPU cores allocated.                                                                                | `quantity`          | `""`    |
+| `s3.resources.memory`                             | Amount of memory allocated.                                                                                   | `quantity`          | `""`    |
+| `s3.resourcesPreset`                              | Default sizing preset used when `resources` is omitted.                                                       | `string`            | `small` |
 

packages/extra/seaweedfs/images/objectstorage-sidecar.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.0.0-beta.6@sha256:235b194a531b70e266a10ef78d2955d19f5b659513f23d8b3cfbbc0dff7fc1c0
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.0.0@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f

packages/extra/seaweedfs/images/seaweedfs-cosi-driver.tag

@@ -1 +1 @@
-ghcr.io/seaweedfs/seaweedfs-cosi-driver:v0.2.0
+ghcr.io/seaweedfs/seaweedfs-cosi-driver:v0.3.0

packages/extra/seaweedfs/templates/dashboard-resourcemap.yaml

@@ -25,8 +25,21 @@ rules:
   resourceNames:
   - {{ $.Release.Name }}-master
   - {{ $.Release.Name }}-filer
-  - {{ $.Release.Name }}-volume
   - {{ $.Release.Name }}-db
+  - {{ $.Release.Name }}-s3
+  {{- if eq .Values.topology "Simple" }}
+  - {{ $.Release.Name }}-volume
+  {{- range $poolName, $pool := .Values.volume.pools }}
+  - {{ $.Release.Name }}-volume-{{ $poolName }}
+  {{- end }}
+  {{- else if eq .Values.topology "MultiZone" }}
+  {{- range $zoneName, $zone := .Values.volume.zones }}
+  - {{ $.Release.Name }}-volume-{{ $zoneName }}
+  {{- range $poolName, $pool := (dig "pools" dict $zone) }}
+  - {{ $.Release.Name }}-volume-{{ $zoneName }}-{{ $poolName }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
   verbs: ["get", "list", "watch"]
 {{- end }}
 

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -16,6 +16,65 @@
 {{-     fail "replicationFactor must be less than or equal to the number of zones defined in .Values.volume.zones." }}
 {{-   end }}
 {{- end }}
+{{- if and (eq .Values.topology "Client") (gt (len .Values.volume.pools) 0) }}
+{{-   fail "volume.pools is not supported with Client topology." }}
+{{- end }}
+{{- if and (eq .Values.topology "MultiZone") (gt (len .Values.volume.pools) 0) }}
+{{-   fail "volume.pools is not supported with MultiZone topology. Use volume.zones[name].pools instead." }}
+{{- end }}
+{{- if and .Values.volume.diskType (not (regexMatch "^[a-z0-9]+$" .Values.volume.diskType)) }}
+{{-   fail (printf "volume.diskType must be lowercase alphanumeric (got: %s)." .Values.volume.diskType) }}
+{{- end }}
+
+{{- /* Collect and validate all pools from volume.pools and zones[].pools */ -}}
+{{- $allPools := dict }}
+{{- range $poolName, $pool := .Values.volume.pools }}
+{{-   if not (regexMatch "^[a-z0-9]([a-z0-9-]*[a-z0-9])?$" $poolName) }}
+{{-     fail (printf "volume.pools key '%s' must be a valid DNS label (lowercase alphanumeric and hyphens, no dots)." $poolName) }}
+{{-   end }}
+{{-   if or (hasSuffix "-worm" $poolName) (hasSuffix "-readonly" $poolName) }}
+{{-     fail (printf "volume.pools key '%s' must not end with '-worm' or '-readonly' (reserved suffixes for COSI resources)." $poolName) }}
+{{-   end }}
+{{-   if not $pool.diskType }}
+{{-     fail (printf "volume.pools.%s.diskType is required." $poolName) }}
+{{-   end }}
+{{-   if not (regexMatch "^[a-z0-9]+$" $pool.diskType) }}
+{{-     fail (printf "volume.pools.%s.diskType must be lowercase alphanumeric (got: %s)." $poolName $pool.diskType) }}
+{{-   end }}
+{{-   if and $.Values.volume.diskType (eq $pool.diskType $.Values.volume.diskType) }}
+{{-     fail (printf "volume.pools.%s.diskType '%s' must differ from volume.diskType." $poolName $pool.diskType) }}
+{{-   end }}
+{{-   $_ := set $allPools $poolName $pool.diskType }}
+{{- end }}
+{{- if eq .Values.topology "MultiZone" }}
+{{-   range $zoneName, $zone := .Values.volume.zones }}
+{{-     range $poolName, $pool := (dig "pools" dict $zone) }}
+{{-       if not (regexMatch "^[a-z0-9]([a-z0-9-]*[a-z0-9])?$" $poolName) }}
+{{-         fail (printf "volume.zones.%s.pools key '%s' must be a valid DNS label." $zoneName $poolName) }}
+{{-       end }}
+{{-       if or (hasSuffix "-worm" $poolName) (hasSuffix "-readonly" $poolName) }}
+{{-         fail (printf "volume.zones.%s.pools key '%s' must not end with '-worm' or '-readonly' (reserved suffixes for COSI resources)." $zoneName $poolName) }}
+{{-       end }}
+{{-       if not $pool.diskType }}
+{{-         fail (printf "volume.zones.%s.pools.%s.diskType is required." $zoneName $poolName) }}
+{{-       end }}
+{{-       if not (regexMatch "^[a-z0-9]+$" $pool.diskType) }}
+{{-         fail (printf "volume.zones.%s.pools.%s.diskType must be lowercase alphanumeric (got: %s)." $zoneName $poolName $pool.diskType) }}
+{{-       end }}
+{{-       if and $.Values.volume.diskType (eq $pool.diskType $.Values.volume.diskType) }}
+{{-         fail (printf "volume.zones.%s.pools.%s.diskType '%s' must differ from volume.diskType." $zoneName $poolName $pool.diskType) }}
+{{-       end }}
+{{-       if and (hasKey $allPools $poolName) (ne (get $allPools $poolName) $pool.diskType) }}
+{{-         fail (printf "Pool '%s' has inconsistent diskType across zones (expected '%s', got '%s' in zone '%s')." $poolName (get $allPools $poolName) $pool.diskType $zoneName) }}
+{{-       end }}
+{{-       $_ := set $allPools $poolName $pool.diskType }}
+{{-       $composedName := printf "%s-%s" $zoneName $poolName }}
+{{-       if hasKey $.Values.volume.zones $composedName }}
+{{-         fail (printf "Composed volume name '%s' (from zone '%s' and pool '%s') collides with an existing zone name." $composedName $zoneName $poolName) }}
+{{-       end }}
+{{-     end }}
+{{-   end }}
+{{- end }}
 
 {{- $detectedTopology := "Unknown" }}
 {{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace (printf "%s-deployed-topology" .Release.Name) }}
@@ -36,6 +95,8 @@
 {{- if not (eq .Values.topology "Client") }}
 {{- $ingress := .Values._namespace.ingress }}
 {{- $host := .Values._namespace.host }}
+{{- $solver := (index .Values._cluster "solver") | default "http01" }}
+{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -92,30 +153,77 @@ spec:
           storageClass: {{ . }}
           {{- end }}
           maxVolumes: 0
-      {{ if eq .Values.topology "MultiZone" }}
+        {{- if .Values.volume.diskType }}
+        extraArgs:
+        - "-disk={{ .Values.volume.diskType }}"
+        {{- end }}
+      {{- if or (and (eq .Values.topology "Simple") (gt (len .Values.volume.pools) 0)) (eq .Values.topology "MultiZone") }}
       volumes:
-        {{- range $zoneName, $zone := .Values.volume.zones }}
-        {{ $zoneName }}:
-          {{ with $zone.replicas }}
-          replicas: {{ . }}
-          {{- end }}
+        {{- if eq .Values.topology "Simple" }}
+        {{- range $poolName, $pool := .Values.volume.pools }}
+        {{ $poolName }}:
+          replicas: {{ ternary $pool.replicas $.Values.volume.replicas (hasKey $pool "replicas") }}
+          resources: {{- include "cozy-lib.resources.defaultingSanitize" (list ($pool.resourcesPreset | default $.Values.volume.resourcesPreset) (default dict $pool.resources) $) | nindent 12 }}
           dataDirs:
           - name: data1
             type: "persistentVolumeClaim"
-            {{- if $zone.size }}
-            size: "{{ $zone.size }}"
-            {{- else }}
-            size: "{{ $.Values.volume.size }}"
+            size: "{{ $pool.size | default $.Values.volume.size }}"
+            {{- with ($pool.storageClass | default $.Values.volume.storageClass) }}
+            storageClass: "{{ . }}"
             {{- end }}
-            {{- if $zone.storageClass }}
-            storageClass: {{ $zone.storageClass }}
-            {{- else if $.Values.volume.storageClass }}
-            storageClass: {{ $.Values.volume.storageClass }}
+            maxVolumes: 0
+          extraArgs:
+          - "-disk={{ $pool.diskType }}"
+        {{- end }}
+        {{- else if eq .Values.topology "MultiZone" }}
+        {{- range $zoneName, $zone := .Values.volume.zones }}
+        {{ $zoneName }}:
+          replicas: {{ ternary $zone.replicas $.Values.volume.replicas (hasKey $zone "replicas") }}
+          resources: {{- include "cozy-lib.resources.defaultingSanitize" (list $.Values.volume.resourcesPreset $.Values.volume.resources $) | nindent 12 }}
+          dataDirs:
+          - name: data1
+            type: "persistentVolumeClaim"
+            size: "{{ $zone.size | default $.Values.volume.size }}"
+            {{- with ($zone.storageClass | default $.Values.volume.storageClass) }}
+            storageClass: "{{ . }}"
             {{- end }}
             maxVolumes: 0
           nodeSelector: |
+            {{- with $zone.nodeSelector }}
+{{ . | indent 12 }}
+            {{- else }}
             topology.kubernetes.io/zone: {{ $zoneName }}
+            {{- end }}
           dataCenter: {{ $zone.dataCenter | default $zoneName }}
+          {{- if $.Values.volume.diskType }}
+          extraArgs:
+          - "-disk={{ $.Values.volume.diskType }}"
+          {{- end }}
+        {{- end }}
+        {{- range $zoneName, $zone := .Values.volume.zones }}
+        {{- range $poolName, $pool := (dig "pools" dict $zone) }}
+        {{ $zoneName }}-{{ $poolName }}:
+          replicas: {{ ternary $pool.replicas (ternary $zone.replicas $.Values.volume.replicas (hasKey $zone "replicas")) (hasKey $pool "replicas") }}
+          resources: {{- include "cozy-lib.resources.defaultingSanitize" (list ($pool.resourcesPreset | default $.Values.volume.resourcesPreset) (default dict $pool.resources) $) | nindent 12 }}
+          dataDirs:
+          - name: data1
+            type: "persistentVolumeClaim"
+            size: "{{ $pool.size | default $zone.size | default $.Values.volume.size }}"
+            {{- with ($pool.storageClass | default $zone.storageClass | default $.Values.volume.storageClass) }}
+            storageClass: "{{ . }}"
+            {{- end }}
+            maxVolumes: 0
+          nodeSelector: |
+            {{- with $zone.nodeSelector }}
+{{ . | indent 12 }}
+            {{- else }}
+            topology.kubernetes.io/zone: {{ $zoneName }}
+            {{- end }}
+          dataCenter: {{ $zone.dataCenter | default $zoneName }}
+          extraArgs:
+          - "-disk={{ $pool.diskType }}"
+        {{- end }}
+        {{- end }}
         {{- end }}
       {{- end }}
       filer:
@@ -134,8 +242,10 @@ spec:
           annotations:
             nginx.ingress.kubernetes.io/proxy-body-size: "0"
             nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+            {{- if eq $solver "http01" }}
             acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
-            cert-manager.io/cluster-issuer: letsencrypt-prod
+            {{- end }}
+            cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
           tls:
             - hosts:
               - {{ .Values.host | default (printf "s3.%s" $host) }}
@@ -195,6 +305,22 @@ spec:
     app.kubernetes.io/component: volume
     app.kubernetes.io/name: seaweedfs
   version: {{ $.Chart.Version }}
+{{- range $poolName, $pool := .Values.volume.pools }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-volume-{{ $poolName }}
+spec:
+  replicas: {{ ternary $pool.replicas $.Values.volume.replicas (hasKey $pool "replicas") }}
+  minReplicas: 1
+  kind: seaweedfs
+  type: volume
+  selector:
+    app.kubernetes.io/component: volume-{{ $poolName }}
+    app.kubernetes.io/name: seaweedfs
+  version: {{ $.Chart.Version }}
+{{- end }}
 {{- else if eq .Values.topology "MultiZone" }}
 {{- range $zoneName, $zoneSpec := .Values.volume.zones }}
 ---
@@ -203,7 +329,7 @@ kind: WorkloadMonitor
 metadata:
   name: {{ $.Release.Name }}-volume-{{ $zoneName }}
 spec:
-  replicas: {{ default $.Values.volume.replicas $zoneSpec.replicas }}
+  replicas: {{ ternary $zoneSpec.replicas $.Values.volume.replicas (hasKey $zoneSpec "replicas") }}
   minReplicas: 1
   kind: seaweedfs
   type: volume
@@ -211,6 +337,22 @@ spec:
     app.kubernetes.io/component: volume-{{ $zoneName }}
     app.kubernetes.io/name: seaweedfs
   version: {{ $.Chart.Version }}
+{{- range $poolName, $pool := (dig "pools" dict $zoneSpec) }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-volume-{{ $zoneName }}-{{ $poolName }}
+spec:
+  replicas: {{ ternary $pool.replicas (ternary $zoneSpec.replicas $.Values.volume.replicas (hasKey $zoneSpec "replicas")) (hasKey $pool "replicas") }}
+  minReplicas: 1
+  kind: seaweedfs
+  type: volume
+  selector:
+    app.kubernetes.io/component: volume-{{ $zoneName }}-{{ $poolName }}
+    app.kubernetes.io/name: seaweedfs
+  version: {{ $.Chart.Version }}
+{{- end }}
 {{- end }}
 {{- end }}
 ---

packages/extra/seaweedfs/templates/storage-pool-bucket-classes.yaml

@@ -0,0 +1,55 @@
+{{- if ne .Values.topology "Client" }}
+{{- /* Collect unique pools from volume.pools and zones[].pools */ -}}
+{{- $uniquePools := dict }}
+{{- range $poolName, $pool := .Values.volume.pools }}
+{{-   $_ := set $uniquePools $poolName $pool.diskType }}
+{{- end }}
+{{- if eq .Values.topology "MultiZone" }}
+{{-   range $zoneName, $zone := .Values.volume.zones }}
+{{-     range $poolName, $pool := (dig "pools" dict $zone) }}
+{{-       $_ := set $uniquePools $poolName $pool.diskType }}
+{{-     end }}
+{{-   end }}
+{{- end }}
+{{- range $poolName, $diskType := $uniquePools }}
+---
+kind: BucketClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ $.Release.Namespace }}-{{ $poolName }}
+driverName: {{ $.Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+deletionPolicy: Delete
+parameters:
+  disk: {{ $diskType }}
+---
+kind: BucketClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ $.Release.Namespace }}-{{ $poolName }}-worm
+driverName: {{ $.Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+deletionPolicy: Retain
+parameters:
+  disk: {{ $diskType }}
+  objectLockEnabled: "true"
+  objectLockRetentionMode: COMPLIANCE
+  objectLockRetentionDays: "36500"
+---
+kind: BucketAccessClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ $.Release.Namespace }}-{{ $poolName }}
+driverName: {{ $.Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+authenticationType: KEY
+parameters:
+  accessPolicy: readwrite
+---
+kind: BucketAccessClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ $.Release.Namespace }}-{{ $poolName }}-readonly
+driverName: {{ $.Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+authenticationType: KEY
+parameters:
+  accessPolicy: readonly
+{{- end }}
+{{- end }}

packages/extra/seaweedfs/values.schema.json

@@ -300,6 +300,94 @@
       "type": "object",
       "default": {},
       "properties": {
+        "diskType": {
+          "description": "SeaweedFS disk type tag for the default volume servers (e.g., \"hdd\", \"ssd\").",
+          "type": "string",
+          "default": ""
+        },
+        "pools": {
+          "description": "A map of storage pools. Each pool creates a separate Volume StatefulSet with its own disk type.",
+          "type": "object",
+          "default": {},
+          "additionalProperties": {
+            "type": "object",
+            "required": [
+              "diskType"
+            ],
+            "properties": {
+              "diskType": {
+                "description": "SeaweedFS disk type tag (e.g., \"ssd\", \"hdd\", \"nvme\").",
+                "type": "string"
+              },
+              "replicas": {
+                "description": "Number of volume replicas. Defaults to volume.replicas (Simple) or zone.replicas/volume.replicas (MultiZone).",
+                "type": "integer"
+              },
+              "resources": {
+                "description": "Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.",
+                "type": "object",
+                "properties": {
+                  "cpu": {
+                    "description": "Number of CPU cores allocated.",
+                    "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                    "anyOf": [
+                      {
+                        "type": "integer"
+                      },
+                      {
+                        "type": "string"
+                      }
+                    ],
+                    "x-kubernetes-int-or-string": true
+                  },
+                  "memory": {
+                    "description": "Amount of memory allocated.",
+                    "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                    "anyOf": [
+                      {
+                        "type": "integer"
+                      },
+                      {
+                        "type": "string"
+                      }
+                    ],
+                    "x-kubernetes-int-or-string": true
+                  }
+                }
+              },
+              "resourcesPreset": {
+                "description": "Default sizing preset used when `resources` is omitted. Defaults to volume.resourcesPreset.",
+                "type": "string",
+                "enum": [
+                  "nano",
+                  "micro",
+                  "small",
+                  "medium",
+                  "large",
+                  "xlarge",
+                  "2xlarge"
+                ]
+              },
+              "size": {
+                "description": "Persistent Volume size. Defaults to volume.size (Simple) or zone.size/volume.size (MultiZone).",
+                "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                "anyOf": [
+                  {
+                    "type": "integer"
+                  },
+                  {
+                    "type": "string"
+                  }
+                ],
+                "x-kubernetes-int-or-string": true
+              },
+              "storageClass": {
+                "description": "Kubernetes StorageClass for the pool. Defaults to volume.storageClass.",
+                "type": "string"
+              }
+            }
+          }
+        },
         "replicas": {
           "description": "Number of volume replicas.",
           "type": "integer",
@@ -378,6 +466,96 @@
           "additionalProperties": {
             "type": "object",
             "properties": {
+              "dataCenter": {
+                "description": "SeaweedFS data center name for this zone. Defaults to the zone name.",
+                "type": "string"
+              },
+              "nodeSelector": {
+                "description": "YAML nodeSelector for this zone (default: topology.kubernetes.io/zone: \u003czoneName\u003e).",
+                "type": "string"
+              },
+              "pools": {
+                "description": "A map of storage pools for this zone. Each pool creates a separate Volume StatefulSet per zone.",
+                "type": "object",
+                "additionalProperties": {
+                  "type": "object",
+                  "required": [
+                    "diskType"
+                  ],
+                  "properties": {
+                    "diskType": {
+                      "description": "SeaweedFS disk type tag (e.g., \"ssd\", \"hdd\", \"nvme\").",
+                      "type": "string"
+                    },
+                    "replicas": {
+                      "description": "Number of volume replicas. Defaults to volume.replicas (Simple) or zone.replicas/volume.replicas (MultiZone).",
+                      "type": "integer"
+                    },
+                    "resources": {
+                      "description": "Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.",
+                      "type": "object",
+                      "properties": {
+                        "cpu": {
+                          "description": "Number of CPU cores allocated.",
+                          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                          "anyOf": [
+                            {
+                              "type": "integer"
+                            },
+                            {
+                              "type": "string"
+                            }
+                          ],
+                          "x-kubernetes-int-or-string": true
+                        },
+                        "memory": {
+                          "description": "Amount of memory allocated.",
+                          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                          "anyOf": [
+                            {
+                              "type": "integer"
+                            },
+                            {
+                              "type": "string"
+                            }
+                          ],
+                          "x-kubernetes-int-or-string": true
+                        }
+                      }
+                    },
+                    "resourcesPreset": {
+                      "description": "Default sizing preset used when `resources` is omitted. Defaults to volume.resourcesPreset.",
+                      "type": "string",
+                      "enum": [
+                        "nano",
+                        "micro",
+                        "small",
+                        "medium",
+                        "large",
+                        "xlarge",
+                        "2xlarge"
+                      ]
+                    },
+                    "size": {
+                      "description": "Persistent Volume size. Defaults to volume.size (Simple) or zone.size/volume.size (MultiZone).",
+                      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
+                      "anyOf": [
+                        {
+                          "type": "integer"
+                        },
+                        {
+                          "type": "string"
+                        }
+                      ],
+                      "x-kubernetes-int-or-string": true
+                    },
+                    "storageClass": {
+                      "description": "Kubernetes StorageClass for the pool. Defaults to volume.storageClass.",
+                      "type": "string"
+                    }
+                  }
+                }
+              },
               "replicas": {
                 "description": "Number of replicas in the zone.",
                 "type": "integer"
@@ -394,6 +572,10 @@
                   }
                 ],
                 "x-kubernetes-int-or-string": true
+              },
+              "storageClass": {
+                "description": "StorageClass used to store zone data. Defaults to volume.storageClass.",
+                "type": "string"
               }
             }
           }

packages/extra/seaweedfs/values.yaml

@@ -76,26 +76,49 @@ filer:
   grpcPort: 443
   whitelist: []
 
+## @typedef {struct} StoragePool - Storage pool configuration for separating buckets by disk type.
+## @field {string} diskType - SeaweedFS disk type tag (e.g., "ssd", "hdd", "nvme").
+## @field {int} [replicas] - Number of volume replicas. Defaults to volume.replicas (Simple) or zone.replicas/volume.replicas (MultiZone).
+## @field {quantity} [size] - Persistent Volume size. Defaults to volume.size (Simple) or zone.size/volume.size (MultiZone).
+## @field {string} [storageClass] - Kubernetes StorageClass for the pool. Defaults to volume.storageClass.
+## @field {Resources} [resources] - Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+## @field {ResourcesPreset} [resourcesPreset] - Default sizing preset used when `resources` is omitted. Defaults to volume.resourcesPreset.
+
 ## @typedef {struct} Zone - Zone configuration.
 ## @field {int} [replicas] - Number of replicas in the zone.
 ## @field {quantity} [size] - Zone storage size.
+## @field {string} [dataCenter] - SeaweedFS data center name for this zone. Defaults to the zone name.
+## @field {string} [nodeSelector] - YAML nodeSelector for this zone (default: topology.kubernetes.io/zone: <zoneName>).
+## @field {string} [storageClass] - StorageClass used to store zone data. Defaults to volume.storageClass.
+## @field {map[string]StoragePool} [pools] - A map of storage pools for this zone. Each pool creates a separate Volume StatefulSet per zone.
+## NOTE: Zone-level resources/resourcesPreset are inherited from volume.* settings. Pools within a zone can define their own resources.
 
 ## @typedef {struct} Volume - Volume service configuration.
 ## @field {int} [replicas] - Number of volume replicas.
 ## @field {quantity} [size] - Persistent Volume size.
 ## @field {string} [storageClass] - StorageClass used to store the data.
+## @field {string} [diskType] - SeaweedFS disk type tag for the default volume servers (e.g., "hdd", "ssd").
 ## @field {Resources} [resources] - Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
 ## @field {ResourcesPreset} [resourcesPreset] - Default sizing preset used when `resources` is omitted.
 ## @field {map[string]Zone} [zones] - A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.
+## @field {map[string]StoragePool} [pools] - A map of storage pools. Each pool creates a separate Volume StatefulSet with its own disk type.
 
 ## @param {Volume} [volume] - Volume service configuration.
 volume:
   replicas: 2
   size: 10Gi
   storageClass: ""
+  diskType: ""
   resources: {}
   resourcesPreset: "small"
   zones: {}
+  pools: {}
+  #pools:
+  #  fast:
+  #    diskType: ssd
+  #    replicas: 2
+  #    size: 50Gi
+  #    storageClass: "local-nvme"
 
 ## @typedef {struct} S3 - S3 service configuration.
 ## @field {int} [replicas] - Number of S3 replicas.