Merge branch 'main' into testing/add-vpc

Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>

ADOPTERS.md

@@ -31,5 +31,4 @@ This list is sorted in chronological order, based on the submission date.
 | [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01 | Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management. |
 | [Urmanac](https://urmanac.com) | @kingdonb | 2024-12-04 | Urmanac is the future home of a hosting platform for the knowledge base of a community of personal server enthusiasts. We use Cozystack to provide support services for web sites hosted using both conventional deployments and on SpinKube, with WASM. |
 | [Hidora](https://hikube.cloud) | @matthieu-robin | 2025-09-17 | Hidora is a Swiss cloud provider delivering managed services and infrastructure solutions through datacenters located in Switzerland, ensuring data sovereignty and reliability. Its sovereign cloud platform, Hikube, is designed to run workloads with high availability across multiple datacenters, providing enterprises with a secure and scalable foundation for their applications based on Cozystack. |
-| [QOSI](https://qosi.kz) | @tabu-a | 2025-10-04 | QOSI is a non-profit organization driving open-source adoption and digital sovereignty across Kazakhstan and Central Asia. We use Cozystack as a platform for deploying sovereign, GPU-enabled clouds and educational environments under the National AI Program. Our goal is to accelerate the region’s transition toward open, self-hosted cloud-native technologies |
-|
+| 

cmd/cozystack-controller/main.go

@@ -229,15 +229,6 @@ func main() {
 		os.Exit(1)
 	}
 
-	dashboardManager := &dashboard.Manager{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}
-	if err = dashboardManager.SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "DashboardReconciler")
-		os.Exit(1)
-	}
-
 	// +kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
@@ -263,9 +254,7 @@ func main() {
 	}
 
 	setupLog.Info("starting manager")
-	ctx := ctrl.SetupSignalHandler()
-	dashboardManager.InitializeStaticResources(ctx)
-	if err := mgr.Start(ctx); err != nil {
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
 	}

go.mod

@@ -2,21 +2,15 @@
 
 module github.com/cozystack/cozystack
 
-go 1.24.0
-
-toolchain go1.24.5
+go 1.23.0
 
 require (
-	github.com/cilium/cilium v1.16.16
 	github.com/fluxcd/helm-controller/api v1.1.0
-	github.com/go-logr/logr v1.4.2
-	github.com/go-logr/zapr v1.3.0
+	github.com/google/gofuzz v1.2.0
 	github.com/onsi/ginkgo/v2 v2.19.0
 	github.com/onsi/gomega v1.33.1
-	github.com/prometheus/client_golang v1.19.1
 	github.com/spf13/cobra v1.8.1
-	github.com/stretchr/testify v1.10.0
-	go.uber.org/zap v1.27.0
+	github.com/stretchr/testify v1.9.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.31.2
 	k8s.io/apiextensions-apiserver v0.31.2
@@ -34,35 +28,28 @@ require (
 require (
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cilium/ebpf v0.15.0 // indirect
-	github.com/cilium/hive v0.0.0-20240529072208-d997f86e4219 // indirect
-	github.com/cilium/proxy v0.0.0-20250526114940-b80199397e8a // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fluxcd/pkg/apis/kustomize v1.6.1 // indirect
 	github.com/fluxcd/pkg/apis/meta v1.6.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.23.0 // indirect
-	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
-	github.com/go-openapi/loads v0.22.0 // indirect
-	github.com/go-openapi/runtime v0.28.0 // indirect
-	github.com/go-openapi/spec v0.21.0 // indirect
-	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -70,88 +57,61 @@ require (
 	github.com/google/cel-go v0.21.0 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/gopacket v1.1.19 // indirect
 	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/gorilla/websocket v1.5.1 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 // indirect
-	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
-	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/mackerelio/go-osstat v0.2.5 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/spdystream v0.4.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
-	github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
-	github.com/sagikazarmark/locafero v0.4.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
-	github.com/sasha-s/go-deadlock v0.3.5 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.11.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
-	github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace // indirect
-	github.com/spf13/viper v1.19.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
-	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/vishvananda/netlink v1.3.1-0.20241022031324-976bd8de7d81 // indirect
-	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.16 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.16 // indirect
-	go.mongodb.org/mongo-driver v1.14.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
-	go.opentelemetry.io/otel v1.34.0 // indirect
+	go.opentelemetry.io/otel v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
-	go.opentelemetry.io/otel/metric v1.34.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.34.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
-	go.uber.org/dig v1.17.1 // indirect
+	go.opentelemetry.io/otel/metric v1.28.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.org/x/crypto v0.37.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.39.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.13.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.31.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.32.0 // indirect
+	golang.org/x/tools v0.26.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
+	google.golang.org/grpc v1.65.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/kms v0.31.2 // indirect

go.sum

@@ -1,15 +1,11 @@
-cel.dev/expr v0.20.0 h1:OunBvVCfvpWlt4dN7zg3FM6TDkzOePe1+foGJ9AXeeI=
-cel.dev/expr v0.20.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
-github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
@@ -18,16 +14,6 @@ github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK3
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cilium/cilium v1.16.16 h1:to8vEEmipowDNqz1/F5J+9qSIiDTAzgb9v+Ohs3Pk9Y=
-github.com/cilium/cilium v1.16.16/go.mod h1:MsrhykzaUeRF39p3YBhv8semoI3PZKdaHT/7rJ6cD3k=
-github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
-github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
-github.com/cilium/hive v0.0.0-20240529072208-d997f86e4219 h1:iX4v9lg63iTv8x8MWUMVbeWqtAGcV6yh/w3Zp9sP3ME=
-github.com/cilium/hive v0.0.0-20240529072208-d997f86e4219/go.mod h1:6tW1eCwSq8Wz8IVtpZE0MemoCWSrEOUa8aLKotmBRCo=
-github.com/cilium/proxy v0.0.0-20250526114940-b80199397e8a h1:5pJ6eaVk/y1C8cBMpfUWMuHa+qTefq2jqcNf0et0mGk=
-github.com/cilium/proxy v0.0.0-20250526114940-b80199397e8a/go.mod h1:Bs5kHQ+FYHLrAkEaTQpbwblJIv6NfU2Tsuo+wCkN+9s=
-github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls=
-github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
@@ -40,15 +26,10 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk=
-github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M=
-github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
-github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
-github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
-github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
-github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
-github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -59,8 +40,6 @@ github.com/fluxcd/pkg/apis/kustomize v1.6.1 h1:22FJc69Mq4i8aCxnKPlddHhSMyI4UPkQk
 github.com/fluxcd/pkg/apis/kustomize v1.6.1/go.mod h1:5dvQ4IZwz0hMGmuj8tTWGtarsuxW0rWsxJOwC6i+0V8=
 github.com/fluxcd/pkg/apis/meta v1.6.1 h1:maLhcRJ3P/70ArLCY/LF/YovkxXbX+6sTWZwZQBeNq0=
 github.com/fluxcd/pkg/apis/meta v1.6.1/go.mod h1:YndB/gxgGZmKfqpAfFxyCDNFJFP0ikpeJzs66jwq280=
-github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
-github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
@@ -72,35 +51,21 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU=
-github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo=
-github.com/go-openapi/errors v0.22.0 h1:c4xY/OLxUBSTiepAg3j/MHuAv5mJhnf53LLMWFB+u/w=
-github.com/go-openapi/errors v0.22.0/go.mod h1:J3DmZScxCDufmIMsdOuDHxJbdOGC0xtUynjIx092vXE=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
-github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
-github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=
-github.com/go-openapi/loads v0.22.0/go.mod h1:yLsaTCS92mnSAZX5WWoxszLj0u+Ojl+Zs5Stn1oF+rs=
-github.com/go-openapi/runtime v0.28.0 h1:gpPPmWSNGo214l6n8hzdXYhPuJcGtziTOgUpvsFWGIQ=
-github.com/go-openapi/runtime v0.28.0/go.mod h1:QN7OzcS+XuYmkQLw05akXk0jRH/eZ3kb18+1KwW9gyc=
-github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY=
-github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk=
-github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c=
-github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
-github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
-github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
-github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
-github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
@@ -117,26 +82,22 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
-github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k=
 github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
-github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ=
-github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
-github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
-github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
@@ -147,18 +108,15 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/mackerelio/go-osstat v0.2.5 h1:+MqTbZUhoIt4m8qzkVoXUJg1EuifwlAJSk4Yl2GXh+o=
-github.com/mackerelio/go-osstat v0.2.5/go.mod h1:atxwWF+POUZcdtR1wnsUcQxTytoHG4uhl2AKKzrOajY=
-github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
-github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8=
 github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -170,23 +128,12 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
-github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
 github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
 github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
 github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
-github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A=
-github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU=
-github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
-github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
-github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 h1:Dx7Ovyv/SFnMFw3fD4oEoeorXc6saIiQ23LrGLth0Gw=
-github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
-github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -198,56 +145,30 @@ github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G
 github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
-github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
-github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
-github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
-github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU=
-github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
-github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
-github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
-github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
-github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
-github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace h1:9PNP1jnUjRhfmGMlkXHjYPishpcw4jpSt/V/xYY3FMA=
-github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
-github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
-github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
-github.com/vishvananda/netlink v1.3.1-0.20241022031324-976bd8de7d81 h1:9fkQcQYvtTr9ayFXuMfDMVuDt4+BYG9FwsGLnrBde0M=
-github.com/vishvananda/netlink v1.3.1-0.20241022031324-976bd8de7d81/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
-github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
-github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
@@ -270,103 +191,87 @@ go.etcd.io/etcd/raft/v3 v3.5.13 h1:7r/NKAOups1YnKcfro2RvGGo2PTuizF/xh26Z2CTAzA=
 go.etcd.io/etcd/raft/v3 v3.5.13/go.mod h1:uUFibGLn2Ksm2URMxN1fICGhk8Wu96EfDQyuLhAcAmw=
 go.etcd.io/etcd/server/v3 v3.5.13 h1:V6KG+yMfMSqWt+lGnhFpP5z5dRUj1BDRJ5k1fQ9DFok=
 go.etcd.io/etcd/server/v3 v3.5.13/go.mod h1:K/8nbsGupHqmr5MkgaZpLlH1QdX1pcNQLAkODy44XcQ=
-go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
-go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
-go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
+go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
+go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
-go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
-go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
-go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
-go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
-go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
-go.uber.org/dig v1.17.1 h1:Tga8Lz8PcYNsWsyHMZ1Vm0OQOUaJNDyvPImgbAu9YSc=
-go.uber.org/dig v1.17.1/go.mod h1:Us0rSJiThwCv2GteUN0Q7OKvU7n5J4dxZ9JKUXozFdE=
+go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
+go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
+go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
+go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
+go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
+go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
-go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
-golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y=
-google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:mqHbVIp48Muh7Ywss/AD6I5kNVKZMmAa/QEW58Gxp2s=
-google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 h1:Kog3KlB4xevJlAcbbbzPfRG0+X9fdoGM+UBRKVz6Wr0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237/go.mod h1:ezi0AVyMKDWy5xAncvjLWH7UcLBB5n7y2fQ8MzjJcto=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY=
+google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
+google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw=
+google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
+google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -374,8 +279,6 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSP
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
-gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

hack/e2e-apps/run-kubernetes.sh

@@ -87,14 +87,14 @@ EOF
 
 
   # Set up port forwarding to the Kubernetes API server for a 200 second timeout
-  bash -c 'timeout 300s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
+  bash -c 'timeout 200s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
   # Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
   timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
 
   # Wait for the nodes to be ready (timeout after 2 minutes)
-  timeout 3m bash -c '
+  timeout 2m bash -c '
     until [ "$(kubectl --kubeconfig tenantkubeconfig get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -eq 2 ]; do
-      sleep 2
+      sleep 3
     done
   '
   # Verify the nodes are ready

hack/e2e-prepare-cluster.bats

@@ -132,6 +132,7 @@ machine:
         - usermode_helper=disabled
     - name: zfs
     - name: spl
+    - name: lldpd
   registries:
     mirrors:
       docker.io:

internal/controller/dashboard/breadcrumb.go

@@ -58,8 +58,8 @@ func (m *Manager) ensureBreadcrumb(ctx context.Context, crd *cozyv1alpha1.Cozyst
 		"breadcrumbItems": items,
 	}
 
-	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
-		if err := controllerutil.SetOwnerReference(crd, obj, m.Scheme); err != nil {
+	_, err := controllerutil.CreateOrUpdate(ctx, m.client, obj, func() error {
+		if err := controllerutil.SetOwnerReference(crd, obj, m.scheme); err != nil {
 			return err
 		}
 		// Add dashboard labels to dynamic resources

internal/controller/dashboard/customcolumns.go

@@ -30,6 +30,10 @@ func (m *Manager) ensureCustomColumnsOverride(ctx context.Context, crd *cozyv1al
 	name := fmt.Sprintf("stock-namespace-%s.%s.%s", g, v, plural)
 	id := fmt.Sprintf("stock-namespace-/%s/%s/%s", g, v, plural)
 
+	// Badge content & color derived from kind
+	badgeText := initialsFromKind(kind) // e.g., "VirtualMachine" -> "VM", "Bucket" -> "B"
+	badgeColor := hexColorForKind(kind) // deterministic, dark enough for white text
+
 	obj := &dashv1alpha1.CustomColumnsOverride{}
 	obj.SetName(name)
 
@@ -58,11 +62,25 @@ func (m *Manager) ensureCustomColumnsOverride(ctx context.Context, crd *cozyv1al
 								},
 								"children": []any{
 									map[string]any{
-										"type": "ResourceBadge",
+										"type": "antdText",
 										"data": map[string]any{
 											"id":    "header-badge",
-											"value": kind,
-											// abbreviation auto-generated by ResourceBadge from value
+											"text":  badgeText,
+											"title": strings.ToLower(kind), // optional tooltip
+											"style": map[string]any{
+												"backgroundColor": badgeColor,
+												"borderRadius":    "20px",
+												"color":           "#fff",
+												"display":         "inline-block",
+												"fontFamily":      "RedHatDisplay, Overpass, overpass, helvetica, arial, sans-serif",
+												"fontSize":        "15px",
+												"fontWeight":      400,
+												"lineHeight":      "24px",
+												"minWidth":        24,
+												"padding":         "0 9px",
+												"textAlign":       "center",
+												"whiteSpace":      "nowrap",
+											},
 										},
 									},
 									map[string]any{
@@ -127,8 +145,8 @@ func (m *Manager) ensureCustomColumnsOverride(ctx context.Context, crd *cozyv1al
 		},
 	}
 
-	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
-		if err := controllerutil.SetOwnerReference(crd, obj, m.Scheme); err != nil {
+	_, err := controllerutil.CreateOrUpdate(ctx, m.client, obj, func() error {
+		if err := controllerutil.SetOwnerReference(crd, obj, m.scheme); err != nil {
 			return err
 		}
 		// Add dashboard labels to dynamic resources

internal/controller/dashboard/customformsoverride.go

@@ -11,7 +11,6 @@ import (
 
 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // ensureCustomFormsOverride creates or updates a CustomFormsOverride resource for the given CRD
@@ -46,25 +45,16 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 		}
 	}
 
-	// Build schema with multilineString for string fields without enum
-	l := log.FromContext(ctx)
-	schema, err := buildMultilineStringSchema(crd.Spec.Application.OpenAPISchema)
-	if err != nil {
-		// If schema parsing fails, log the error and use an empty schema
-		l.Error(err, "failed to build multiline string schema, using empty schema", "crd", crd.Name)
-		schema = map[string]any{}
-	}
-
 	spec := map[string]any{
 		"customizationId": customizationID,
 		"hidden":          hidden,
 		"sort":            sort,
-		"schema":          schema,
+		"schema":          map[string]any{}, // {}
 		"strategy":        "merge",
 	}
 
-	_, err = controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
-		if err := controllerutil.SetOwnerReference(crd, obj, m.Scheme); err != nil {
+	_, err := controllerutil.CreateOrUpdate(ctx, m.client, obj, func() error {
+		if err := controllerutil.SetOwnerReference(crd, obj, m.scheme); err != nil {
 			return err
 		}
 		// Add dashboard labels to dynamic resources
@@ -83,94 +73,3 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 	})
 	return err
 }
-
-// buildMultilineStringSchema parses OpenAPI schema and creates schema with multilineString
-// for all string fields inside spec that don't have enum
-func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
-	if openAPISchema == "" {
-		return map[string]any{}, nil
-	}
-
-	var root map[string]any
-	if err := json.Unmarshal([]byte(openAPISchema), &root); err != nil {
-		return nil, fmt.Errorf("cannot parse openAPISchema: %w", err)
-	}
-
-	props, _ := root["properties"].(map[string]any)
-	if props == nil {
-		return map[string]any{}, nil
-	}
-
-	schema := map[string]any{
-		"properties": map[string]any{},
-	}
-
-	// Process spec properties recursively
-	processSpecProperties(props, schema["properties"].(map[string]any))
-
-	return schema, nil
-}
-
-// processSpecProperties recursively processes spec properties and adds multilineString type
-// for string fields without enum
-func processSpecProperties(props map[string]any, schemaProps map[string]any) {
-	for pname, raw := range props {
-		sub, ok := raw.(map[string]any)
-		if !ok {
-			continue
-		}
-
-		typ, _ := sub["type"].(string)
-
-		switch typ {
-		case "string":
-			// Check if this string field has enum
-			if !hasEnum(sub) {
-				// Add multilineString type for this field
-				if schemaProps[pname] == nil {
-					schemaProps[pname] = map[string]any{}
-				}
-				fieldSchema := schemaProps[pname].(map[string]any)
-				fieldSchema["type"] = "multilineString"
-			}
-		case "object":
-			// Recursively process nested objects
-			if childProps, ok := sub["properties"].(map[string]any); ok {
-				fieldSchema, ok := schemaProps[pname].(map[string]any)
-				if !ok {
-					fieldSchema = map[string]any{}
-					schemaProps[pname] = fieldSchema
-				}
-				nestedSchemaProps, ok := fieldSchema["properties"].(map[string]any)
-				if !ok {
-					nestedSchemaProps = map[string]any{}
-					fieldSchema["properties"] = nestedSchemaProps
-				}
-				processSpecProperties(childProps, nestedSchemaProps)
-			}
-		case "array":
-			// Check if array items are objects with properties
-			if items, ok := sub["items"].(map[string]any); ok {
-				if itemProps, ok := items["properties"].(map[string]any); ok {
-					// Create array item schema
-					fieldSchema, ok := schemaProps[pname].(map[string]any)
-					if !ok {
-						fieldSchema = map[string]any{}
-						schemaProps[pname] = fieldSchema
-					}
-					itemSchema, ok := fieldSchema["items"].(map[string]any)
-					if !ok {
-						itemSchema = map[string]any{}
-						fieldSchema["items"] = itemSchema
-					}
-					itemSchemaProps, ok := itemSchema["properties"].(map[string]any)
-					if !ok {
-						itemSchemaProps = map[string]any{}
-						itemSchema["properties"] = itemSchemaProps
-					}
-					processSpecProperties(itemProps, itemSchemaProps)
-				}
-			}
-		}
-	}
-}

internal/controller/dashboard/customformsoverride_test.go

@@ -1,155 +0,0 @@
-package dashboard
-
-import (
-	"encoding/json"
-	"testing"
-)
-
-func TestBuildMultilineStringSchema(t *testing.T) {
-	// Test OpenAPI schema with various field types
-	openAPISchema := `{
-		"properties": {
-			"simpleString": {
-				"type": "string",
-				"description": "A simple string field"
-			},
-			"stringWithEnum": {
-				"type": "string",
-				"enum": ["option1", "option2"],
-				"description": "String with enum should be skipped"
-			},
-			"numberField": {
-				"type": "number",
-				"description": "Number field should be skipped"
-			},
-			"nestedObject": {
-				"type": "object",
-				"properties": {
-					"nestedString": {
-						"type": "string",
-						"description": "Nested string should get multilineString"
-					},
-					"nestedStringWithEnum": {
-						"type": "string",
-						"enum": ["a", "b"],
-						"description": "Nested string with enum should be skipped"
-					}
-				}
-			},
-			"arrayOfObjects": {
-				"type": "array",
-				"items": {
-					"type": "object",
-					"properties": {
-						"itemString": {
-							"type": "string",
-							"description": "String in array item"
-						}
-					}
-				}
-			}
-		}
-	}`
-
-	schema, err := buildMultilineStringSchema(openAPISchema)
-	if err != nil {
-		t.Fatalf("buildMultilineStringSchema failed: %v", err)
-	}
-
-	// Marshal to JSON for easier inspection
-	schemaJSON, err := json.MarshalIndent(schema, "", "  ")
-	if err != nil {
-		t.Fatalf("Failed to marshal schema: %v", err)
-	}
-
-	t.Logf("Generated schema:\n%s", schemaJSON)
-
-	// Verify that simpleString has multilineString type
-	props, ok := schema["properties"].(map[string]any)
-	if !ok {
-		t.Fatal("schema.properties is not a map")
-	}
-
-	// Check simpleString
-	simpleString, ok := props["simpleString"].(map[string]any)
-	if !ok {
-		t.Fatal("simpleString not found in properties")
-	}
-	if simpleString["type"] != "multilineString" {
-		t.Errorf("simpleString should have type multilineString, got %v", simpleString["type"])
-	}
-
-	// Check stringWithEnum should not be present (or should not have multilineString)
-	if stringWithEnum, ok := props["stringWithEnum"].(map[string]any); ok {
-		if stringWithEnum["type"] == "multilineString" {
-			t.Error("stringWithEnum should not have multilineString type")
-		}
-	}
-
-	// Check numberField should not be present
-	if numberField, ok := props["numberField"].(map[string]any); ok {
-		if numberField["type"] != nil {
-			t.Error("numberField should not have any type override")
-		}
-	}
-
-	// Check nested object
-	nestedObject, ok := props["nestedObject"].(map[string]any)
-	if !ok {
-		t.Fatal("nestedObject not found in properties")
-	}
-	nestedProps, ok := nestedObject["properties"].(map[string]any)
-	if !ok {
-		t.Fatal("nestedObject.properties is not a map")
-	}
-
-	// Check nestedString
-	nestedString, ok := nestedProps["nestedString"].(map[string]any)
-	if !ok {
-		t.Fatal("nestedString not found in nestedObject.properties")
-	}
-	if nestedString["type"] != "multilineString" {
-		t.Errorf("nestedString should have type multilineString, got %v", nestedString["type"])
-	}
-
-	// Check array of objects
-	arrayOfObjects, ok := props["arrayOfObjects"].(map[string]any)
-	if !ok {
-		t.Fatal("arrayOfObjects not found in properties")
-	}
-	items, ok := arrayOfObjects["items"].(map[string]any)
-	if !ok {
-		t.Fatal("arrayOfObjects.items is not a map")
-	}
-	itemProps, ok := items["properties"].(map[string]any)
-	if !ok {
-		t.Fatal("arrayOfObjects.items.properties is not a map")
-	}
-	itemString, ok := itemProps["itemString"].(map[string]any)
-	if !ok {
-		t.Fatal("itemString not found in arrayOfObjects.items.properties")
-	}
-	if itemString["type"] != "multilineString" {
-		t.Errorf("itemString should have type multilineString, got %v", itemString["type"])
-	}
-}
-
-func TestBuildMultilineStringSchemaEmpty(t *testing.T) {
-	schema, err := buildMultilineStringSchema("")
-	if err != nil {
-		t.Fatalf("buildMultilineStringSchema failed on empty string: %v", err)
-	}
-	if len(schema) != 0 {
-		t.Errorf("Expected empty schema for empty input, got %v", schema)
-	}
-}
-
-func TestBuildMultilineStringSchemaInvalidJSON(t *testing.T) {
-	schema, err := buildMultilineStringSchema("{invalid json")
-	if err == nil {
-		t.Error("Expected error for invalid JSON")
-	}
-	if schema != nil {
-		t.Errorf("Expected nil schema for invalid JSON, got %v", schema)
-	}
-}

internal/controller/dashboard/customformsprefill.go

@@ -56,8 +56,8 @@ func (m *Manager) ensureCustomFormsPrefill(ctx context.Context, crd *cozyv1alpha
 		return reconcile.Result{}, err
 	}
 
-	_, err = controllerutil.CreateOrUpdate(ctx, m.Client, cfp, func() error {
-		if err := controllerutil.SetOwnerReference(crd, cfp, m.Scheme); err != nil {
+	_, err = controllerutil.CreateOrUpdate(ctx, m.client, cfp, func() error {
+		if err := controllerutil.SetOwnerReference(crd, cfp, m.scheme); err != nil {
 			return err
 		}
 		// Add dashboard labels to dynamic resources

internal/controller/dashboard/factory.go

@@ -53,6 +53,7 @@ func (m *Manager) ensureFactory(ctx context.Context, crd *cozyv1alpha1.Cozystack
 		Kind:         kind,
 		Plural:       plural,
 		Title:        strings.ToLower(plural),
+		Size:         BadgeSizeLarge,
 	}
 
 	spec := createUnifiedFactory(config, tabs, []any{resourceFetch})
@@ -60,8 +61,8 @@ func (m *Manager) ensureFactory(ctx context.Context, crd *cozyv1alpha1.Cozystack
 	obj := &dashv1alpha1.Factory{}
 	obj.SetName(factoryName)
 
-	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
-		if err := controllerutil.SetOwnerReference(crd, obj, m.Scheme); err != nil {
+	_, err := controllerutil.CreateOrUpdate(ctx, m.client, obj, func() error {
+		if err := controllerutil.SetOwnerReference(crd, obj, m.scheme); err != nil {
 			return err
 		}
 		// Add dashboard labels to dynamic resources
@@ -114,7 +115,7 @@ func detailsTab(kind, endpoint, schemaJSON string, keysOrder [][]string) map[str
 					"gap":   float64(6),
 				},
 				"children": []any{
-					createUnifiedBadgeFromKind("ns-badge", "Namespace"),
+					createUnifiedBadgeFromKind("ns-badge", "Namespace", "namespace", BadgeSizeMedium),
 					antdLink("namespace-link",
 						"{reqsJsonPath[0]['.metadata.namespace']['-']}",
 						"/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/marketplace",
@@ -221,7 +222,7 @@ func workloadsTab(kind string) map[string]any {
 					"baseprefix":           "/openapi-ui",
 					"customizationId":      "factory-details-v1alpha1.cozystack.io.workloadmonitors",
 					"pathToItems":          []any{"items"},
-					"labelSelector": map[string]any{
+					"labelsSelector": map[string]any{
 						"apps.cozystack.io/application.group": "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":  kind,
 						"apps.cozystack.io/application.name":  "{reqs[0]['metadata','name']}",
@@ -246,7 +247,7 @@ func servicesTab(kind string) map[string]any {
 					"baseprefix":           "/openapi-ui",
 					"customizationId":      "factory-details-v1.services",
 					"pathToItems":          []any{"items"},
-					"labelSelector": map[string]any{
+					"labelsSelector": map[string]any{
 						"apps.cozystack.io/application.group":  "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":   kind,
 						"apps.cozystack.io/application.name":   "{reqs[0]['metadata','name']}",
@@ -272,7 +273,7 @@ func ingressesTab(kind string) map[string]any {
 					"baseprefix":           "/openapi-ui",
 					"customizationId":      "factory-details-networking.k8s.io.v1.ingresses",
 					"pathToItems":          []any{"items"},
-					"labelSelector": map[string]any{
+					"labelsSelector": map[string]any{
 						"apps.cozystack.io/application.group":  "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":   kind,
 						"apps.cozystack.io/application.name":   "{reqs[0]['metadata','name']}",
@@ -293,12 +294,12 @@ func secretsTab(kind string) map[string]any {
 				"type": "EnrichedTable",
 				"data": map[string]any{
 					"id":                   "secrets-table",
-					"fetchUrl":             "/api/clusters/{2}/k8s/apis/core.cozystack.io/v1alpha1/namespaces/{3}/tenantsecrets",
+					"fetchUrl":             "/api/clusters/{2}/k8s/apis/core.cozystack.io/v1alpha1/namespaces/{3}/tenantsecretstables",
 					"clusterNamePartOfUrl": "{2}",
 					"baseprefix":           "/openapi-ui",
-					"customizationId":      "factory-details-v1alpha1.core.cozystack.io.tenantsecrets",
+					"customizationId":      "factory-details-v1alpha1.core.cozystack.io.tenantsecretstables",
 					"pathToItems":          []any{"items"},
-					"labelSelector": map[string]any{
+					"labelsSelector": map[string]any{
 						"apps.cozystack.io/application.group": "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":  kind,
 						"apps.cozystack.io/application.name":  "{reqs[0]['metadata','name']}",
@@ -323,7 +324,6 @@ func yamlTab(plural string) map[string]any {
 					"type":                      "builtin",
 					"typeName":                  plural,
 					"prefillValuesRequestIndex": float64(0),
-					"readOnly":                  true,
 					"substractHeight":           float64(400),
 				},
 			},

internal/controller/dashboard/helpers.go

@@ -1,9 +1,12 @@
 package dashboard
 
 import (
+	"crypto/sha1"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"reflect"
+	"regexp"
 	"sort"
 	"strings"
 
@@ -54,6 +57,97 @@ func pickPlural(kind string, crd *cozyv1alpha1.CozystackResourceDefinition) stri
 	return k + "s"
 }
 
+// initialsFromKind splits CamelCase and returns the first letters in upper case.
+// "VirtualMachine" -> "VM"; "Bucket" -> "B".
+func initialsFromKind(kind string) string {
+	parts := splitCamel(kind)
+	if len(parts) == 0 {
+		return strings.ToUpper(kind)
+	}
+	var b strings.Builder
+	for _, p := range parts {
+		if p == "" {
+			continue
+		}
+		b.WriteString(strings.ToUpper(string(p[0])))
+		// Limit to 3 chars to keep the badge compact (VM, PVC, etc.)
+		if b.Len() >= 3 {
+			break
+		}
+	}
+	return b.String()
+}
+
+// hexColorForKind returns a dark, saturated color (hex) derived from a stable hash of the kind.
+// We map the hash to an HSL hue; fix S/L for consistent readability with white text.
+func hexColorForKind(kind string) string {
+	// Stable short hash (sha1 → bytes → hue)
+	sum := sha1.Sum([]byte(kind))
+	// Use first two bytes for hue [0..359]
+	hue := int(sum[0])<<8 | int(sum[1])
+	hue = hue % 360
+
+	// Fixed S/L chosen to contrast with white text:
+	// S = 80%, L = 35% (dark enough so #fff is readable)
+	r, g, b := hslToRGB(float64(hue), 0.80, 0.35)
+
+	return fmt.Sprintf("#%02x%02x%02x", r, g, b)
+}
+
+// hslToRGB converts HSL (0..360, 0..1, 0..1) to sRGB (0..255).
+func hslToRGB(h float64, s float64, l float64) (uint8, uint8, uint8) {
+	c := (1 - absFloat(2*l-1)) * s
+	hp := h / 60.0
+	x := c * (1 - absFloat(modFloat(hp, 2)-1))
+	var r1, g1, b1 float64
+	switch {
+	case 0 <= hp && hp < 1:
+		r1, g1, b1 = c, x, 0
+	case 1 <= hp && hp < 2:
+		r1, g1, b1 = x, c, 0
+	case 2 <= hp && hp < 3:
+		r1, g1, b1 = 0, c, x
+	case 3 <= hp && hp < 4:
+		r1, g1, b1 = 0, x, c
+	case 4 <= hp && hp < 5:
+		r1, g1, b1 = x, 0, c
+	default:
+		r1, g1, b1 = c, 0, x
+	}
+	m := l - c/2
+	r := uint8(clamp01(r1+m) * 255.0)
+	g := uint8(clamp01(g1+m) * 255.0)
+	b := uint8(clamp01(b1+m) * 255.0)
+	return r, g, b
+}
+
+func absFloat(v float64) float64 {
+	if v < 0 {
+		return -v
+	}
+	return v
+}
+
+func modFloat(a, b float64) float64 {
+	return a - b*float64(int(a/b))
+}
+
+func clamp01(v float64) float64 {
+	if v < 0 {
+		return 0
+	}
+	if v > 1 {
+		return 1
+	}
+	return v
+}
+
+// optional: tiny helper to expose the compact color hash (useful for debugging)
+func shortHashHex(s string) string {
+	sum := sha1.Sum([]byte(s))
+	return hex.EncodeToString(sum[:4])
+}
+
 // ----------------------- Helpers (OpenAPI → values) -----------------------
 
 // defaultOrZero returns the schema default if present; otherwise a reasonable zero value.
@@ -201,6 +295,12 @@ func normalizeJSON(v any) any {
 	}
 }
 
+var camelSplitter = regexp.MustCompile(`(?m)([A-Z]+[a-z0-9]*|[a-z0-9]+)`)
+
+func splitCamel(s string) []string {
+	return camelSplitter.FindAllString(s, -1)
+}
+
 // --- helpers for schema inspection ---
 
 func isScalarType(n map[string]any) bool {

internal/controller/dashboard/manager.go

@@ -10,9 +10,7 @@ import (
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 
-	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -42,40 +40,26 @@ func AddToScheme(s *runtime.Scheme) error {
 // Manager owns logic for creating/updating dashboard resources derived from CRDs.
 // It’s easy to extend: add new ensure* methods and wire them into EnsureForCRD.
 type Manager struct {
-	client.Client
-	Scheme *runtime.Scheme
+	client    client.Client
+	scheme    *runtime.Scheme
+	crdListFn func(context.Context) ([]cozyv1alpha1.CozystackResourceDefinition, error)
+}
+
+// Option pattern so callers can inject a custom lister.
+type Option func(*Manager)
+
+// WithCRDListFunc overrides how Manager lists all CozystackResourceDefinitions.
+func WithCRDListFunc(fn func(context.Context) ([]cozyv1alpha1.CozystackResourceDefinition, error)) Option {
+	return func(m *Manager) { m.crdListFn = fn }
 }
 
 // NewManager constructs a dashboard Manager.
-func NewManager(c client.Client, scheme *runtime.Scheme) *Manager {
-	m := &Manager{Client: c, Scheme: scheme}
-	return m
-}
-
-func (m *Manager) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("dashboard-reconciler").
-		For(&cozyv1alpha1.CozystackResourceDefinition{}).
-		Complete(m)
-}
-
-func (m *Manager) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	l := log.FromContext(ctx)
-
-	crd := &cozyv1alpha1.CozystackResourceDefinition{}
-
-	err := m.Get(ctx, types.NamespacedName{Name: req.Name}, crd)
-	if err != nil {
-		if apierrors.IsNotFound(err) {
-			if err := m.CleanupOrphanedResources(ctx); err != nil {
-				l.Error(err, "Failed to cleanup orphaned dashboard resources")
-			}
-			return ctrl.Result{}, nil // no point in requeuing here
-		}
-		return ctrl.Result{}, err
+func NewManager(c client.Client, scheme *runtime.Scheme, opts ...Option) *Manager {
+	m := &Manager{client: c, scheme: scheme}
+	for _, o := range opts {
+		o(m)
 	}
-
-	return m.EnsureForCRD(ctx, crd)
+	return m
 }
 
 // EnsureForCRD is the single entry-point used by the controller.
@@ -187,11 +171,21 @@ func (m *Manager) getStaticResourceSelector() client.MatchingLabels {
 // CleanupOrphanedResources removes dashboard resources that are no longer needed
 // This should be called after cache warming to ensure all current resources are known
 func (m *Manager) CleanupOrphanedResources(ctx context.Context) error {
-	var crdList cozyv1alpha1.CozystackResourceDefinitionList
-	if err := m.List(ctx, &crdList, &client.ListOptions{}); err != nil {
-		return err
+	// Get all current CRDs to determine which resources should exist
+	var allCRDs []cozyv1alpha1.CozystackResourceDefinition
+	if m.crdListFn != nil {
+		s, err := m.crdListFn(ctx)
+		if err != nil {
+			return err
+		}
+		allCRDs = s
+	} else {
+		var crdList cozyv1alpha1.CozystackResourceDefinitionList
+		if err := m.client.List(ctx, &crdList, &client.ListOptions{}); err != nil {
+			return err
+		}
+		allCRDs = crdList.Items
 	}
-	allCRDs := crdList.Items
 
 	// Build a set of expected resource names for each type
 	expectedResources := m.buildExpectedResourceSet(allCRDs)
@@ -355,7 +349,7 @@ func (m *Manager) cleanupResourceType(ctx context.Context, resourceType client.O
 	}
 
 	// List with dashboard labels
-	if err := m.List(ctx, list, m.getDashboardResourceSelector()); err != nil {
+	if err := m.client.List(ctx, list, m.getDashboardResourceSelector()); err != nil {
 		return err
 	}
 
@@ -364,7 +358,7 @@ func (m *Manager) cleanupResourceType(ctx context.Context, resourceType client.O
 	case *dashv1alpha1.CustomColumnsOverrideList:
 		for _, item := range l.Items {
 			if !expected[item.Name] {
-				if err := m.Delete(ctx, &item); err != nil {
+				if err := m.client.Delete(ctx, &item); err != nil {
 					if !apierrors.IsNotFound(err) {
 						return err
 					}
@@ -375,7 +369,7 @@ func (m *Manager) cleanupResourceType(ctx context.Context, resourceType client.O
 	case *dashv1alpha1.CustomFormsOverrideList:
 		for _, item := range l.Items {
 			if !expected[item.Name] {
-				if err := m.Delete(ctx, &item); err != nil {
+				if err := m.client.Delete(ctx, &item); err != nil {
 					if !apierrors.IsNotFound(err) {
 						return err
 					}
@@ -386,7 +380,7 @@ func (m *Manager) cleanupResourceType(ctx context.Context, resourceType client.O
 	case *dashv1alpha1.CustomFormsPrefillList:
 		for _, item := range l.Items {
 			if !expected[item.Name] {
-				if err := m.Delete(ctx, &item); err != nil {
+				if err := m.client.Delete(ctx, &item); err != nil {
 					if !apierrors.IsNotFound(err) {
 						return err
 					}
@@ -397,7 +391,7 @@ func (m *Manager) cleanupResourceType(ctx context.Context, resourceType client.O
 	case *dashv1alpha1.MarketplacePanelList:
 		for _, item := range l.Items {
 			if !expected[item.Name] {
-				if err := m.Delete(ctx, &item); err != nil {
+				if err := m.client.Delete(ctx, &item); err != nil {
 					if !apierrors.IsNotFound(err) {
 						return err
 					}
@@ -408,7 +402,7 @@ func (m *Manager) cleanupResourceType(ctx context.Context, resourceType client.O
 	case *dashv1alpha1.SidebarList:
 		for _, item := range l.Items {
 			if !expected[item.Name] {
-				if err := m.Delete(ctx, &item); err != nil {
+				if err := m.client.Delete(ctx, &item); err != nil {
 					if !apierrors.IsNotFound(err) {
 						return err
 					}
@@ -419,7 +413,7 @@ func (m *Manager) cleanupResourceType(ctx context.Context, resourceType client.O
 	case *dashv1alpha1.TableUriMappingList:
 		for _, item := range l.Items {
 			if !expected[item.Name] {
-				if err := m.Delete(ctx, &item); err != nil {
+				if err := m.client.Delete(ctx, &item); err != nil {
 					if !apierrors.IsNotFound(err) {
 						return err
 					}
@@ -432,7 +426,7 @@ func (m *Manager) cleanupResourceType(ctx context.Context, resourceType client.O
 			if !expected[item.Name] {
 				logger := log.FromContext(ctx)
 				logger.Info("Deleting orphaned Breadcrumb resource", "name", item.Name)
-				if err := m.Delete(ctx, &item); err != nil {
+				if err := m.client.Delete(ctx, &item); err != nil {
 					if !apierrors.IsNotFound(err) {
 						return err
 					}
@@ -444,7 +438,7 @@ func (m *Manager) cleanupResourceType(ctx context.Context, resourceType client.O
 			if !expected[item.Name] {
 				logger := log.FromContext(ctx)
 				logger.Info("Deleting orphaned Factory resource", "name", item.Name)
-				if err := m.Delete(ctx, &item); err != nil {
+				if err := m.client.Delete(ctx, &item); err != nil {
 					if !apierrors.IsNotFound(err) {
 						return err
 					}

internal/controller/dashboard/marketplacepanel.go

@@ -24,14 +24,14 @@ func (m *Manager) ensureMarketplacePanel(ctx context.Context, crd *cozyv1alpha1.
 
 	// If dashboard is not set, delete the panel if it exists.
 	if crd.Spec.Dashboard == nil {
-		err := m.Get(ctx, client.ObjectKey{Name: mp.Name}, mp)
+		err := m.client.Get(ctx, client.ObjectKey{Name: mp.Name}, mp)
 		if apierrors.IsNotFound(err) {
 			return reconcile.Result{}, nil
 		}
 		if err != nil {
 			return reconcile.Result{}, err
 		}
-		if err := m.Delete(ctx, mp); err != nil && !apierrors.IsNotFound(err) {
+		if err := m.client.Delete(ctx, mp); err != nil && !apierrors.IsNotFound(err) {
 			return reconcile.Result{}, err
 		}
 		logger.Info("Deleted MarketplacePanel because dashboard is not set", "name", mp.Name)
@@ -40,14 +40,14 @@ func (m *Manager) ensureMarketplacePanel(ctx context.Context, crd *cozyv1alpha1.
 
 	// Skip module and tenant resources (they don't need MarketplacePanel)
 	if crd.Spec.Dashboard.Module || crd.Spec.Application.Kind == "Tenant" {
-		err := m.Get(ctx, client.ObjectKey{Name: mp.Name}, mp)
+		err := m.client.Get(ctx, client.ObjectKey{Name: mp.Name}, mp)
 		if apierrors.IsNotFound(err) {
 			return reconcile.Result{}, nil
 		}
 		if err != nil {
 			return reconcile.Result{}, err
 		}
-		if err := m.Delete(ctx, mp); err != nil && !apierrors.IsNotFound(err) {
+		if err := m.client.Delete(ctx, mp); err != nil && !apierrors.IsNotFound(err) {
 			return reconcile.Result{}, err
 		}
 		logger.Info("Deleted MarketplacePanel because resource is a module", "name", mp.Name)
@@ -86,8 +86,8 @@ func (m *Manager) ensureMarketplacePanel(ctx context.Context, crd *cozyv1alpha1.
 		return reconcile.Result{}, err
 	}
 
-	_, err = controllerutil.CreateOrUpdate(ctx, m.Client, mp, func() error {
-		if err := controllerutil.SetOwnerReference(crd, mp, m.Scheme); err != nil {
+	_, err = controllerutil.CreateOrUpdate(ctx, m.client, mp, func() error {
+		if err := controllerutil.SetOwnerReference(crd, mp, m.scheme); err != nil {
 			return err
 		}
 		// Add dashboard labels to dynamic resources

internal/controller/dashboard/sidebar.go

@@ -33,11 +33,19 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Cozystack
 
 	// 1) Fetch all CRDs
 	var all []cozyv1alpha1.CozystackResourceDefinition
-	var crdList cozyv1alpha1.CozystackResourceDefinitionList
-	if err := m.List(ctx, &crdList, &client.ListOptions{}); err != nil {
-		return err
+	if m.crdListFn != nil {
+		s, err := m.crdListFn(ctx)
+		if err != nil {
+			return err
+		}
+		all = s
+	} else {
+		var crdList cozyv1alpha1.CozystackResourceDefinitionList
+		if err := m.client.List(ctx, &crdList, &client.ListOptions{}); err != nil {
+			return err
+		}
+		all = crdList.Items
 	}
-	all = crdList.Items
 
 	// 2) Build category -> []item map (only for CRDs with spec.dashboard != nil)
 	type item struct {
@@ -243,7 +251,7 @@ func (m *Manager) upsertMultipleSidebars(
 		obj := &dashv1alpha1.Sidebar{}
 		obj.SetName(id)
 
-		if _, err := controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
+		if _, err := controllerutil.CreateOrUpdate(ctx, m.client, obj, func() error {
 			// Only set owner reference for dynamic sidebars (stock-project-factory-{kind}-details)
 			// Static sidebars (stock-instance-*, stock-project-*) should not have owner references
 			if strings.HasPrefix(id, "stock-project-factory-") && strings.HasSuffix(id, "-details") {
@@ -252,7 +260,7 @@ func (m *Manager) upsertMultipleSidebars(
 				lowerKind := strings.ToLower(kind)
 				expectedID := fmt.Sprintf("stock-project-factory-%s-details", lowerKind)
 				if id == expectedID {
-					if err := controllerutil.SetOwnerReference(crd, obj, m.Scheme); err != nil {
+					if err := controllerutil.SetOwnerReference(crd, obj, m.scheme); err != nil {
 						return err
 					}
 					// Add dashboard labels to dynamic resources

internal/controller/dashboard/static_helpers.go

@@ -122,7 +122,7 @@ func createCustomColumnsOverride(id string, additionalPrinterColumns []any) *das
 		}
 	}
 
-	if name == "factory-details-v1alpha1.core.cozystack.io.tenantsecrets" {
+	if name == "factory-details-v1alpha1.core.cozystack.io.tenantsecretstables" {
 		data["additionalPrinterColumnsTrimLengths"] = []any{
 			map[string]any{
 				"key":   "Name",
@@ -531,6 +531,7 @@ func createBreadcrumbItem(key, label string, link ...string) map[string]any {
 
 // createCustomColumn creates a custom column with factory type and badge
 func createCustomColumn(name, kind, plural, href string) map[string]any {
+	badge := createUnifiedBadgeFromKind("header-badge", kind, plural, BadgeSizeMedium)
 	link := antdLink("name-link", "{reqsJsonPath[0]['.metadata.name']['-']}", href)
 
 	return map[string]any{
@@ -540,18 +541,8 @@ func createCustomColumn(name, kind, plural, href string) map[string]any {
 			"disableEventBubbling": true,
 			"items": []any{
 				map[string]any{
-					"children": []any{
-						map[string]any{
-							"type": "ResourceBadge",
-							"data": map[string]any{
-								"id":    "header-badge",
-								"value": kind,
-								// abbreviation auto-generated by ResourceBadge from value
-							},
-						},
-						link,
-					},
-					"type": "antdFlex",
+					"children": []any{badge, link},
+					"type":     "antdFlex",
 					"data": map[string]any{
 						"align": "center",
 						"gap":   float64(6),
@@ -563,15 +554,15 @@ func createCustomColumn(name, kind, plural, href string) map[string]any {
 }
 
 // createCustomColumnWithBadge creates a custom column with a specific badge
-// badgeValue should be the kind in PascalCase (e.g., "Service", "Pod")
-// abbreviation is auto-generated by ResourceBadge from badgeValue
-func createCustomColumnWithBadge(name, badgeValue, href string) map[string]any {
-	link := antdLink("name-link", "{reqsJsonPath[0]['.metadata.name']['-']}", href)
-
-	badgeData := map[string]any{
-		"id":    "header-badge",
-		"value": badgeValue,
+func createCustomColumnWithBadge(name, badgeText, badgeColor, title, href string) map[string]any {
+	config := BadgeConfig{
+		Text:  badgeText,
+		Color: badgeColor,
+		Title: title,
+		Size:  BadgeSizeMedium,
 	}
+	badge := createUnifiedBadge("header-badge", config)
+	link := antdLink("name-link", "{reqsJsonPath[0]['.metadata.name']['-']}", href)
 
 	return map[string]any{
 		"name": name,
@@ -580,14 +571,8 @@ func createCustomColumnWithBadge(name, badgeValue, href string) map[string]any {
 			"disableEventBubbling": true,
 			"items": []any{
 				map[string]any{
-					"children": []any{
-						map[string]any{
-							"type": "ResourceBadge",
-							"data": badgeData,
-						},
-						link,
-					},
-					"type": "antdFlex",
+					"children": []any{badge, link},
+					"type":     "antdFlex",
 					"data": map[string]any{
 						"align": "center",
 						"gap":   float64(6),
@@ -598,22 +583,17 @@ func createCustomColumnWithBadge(name, badgeValue, href string) map[string]any {
 	}
 }
 
-// createCustomColumnWithSpecificColor creates a custom column with a specific kind and optional color
-// badgeValue should be the kind in PascalCase (e.g., "Service", "Pod")
-func createCustomColumnWithSpecificColor(name, kind, color, href string) map[string]any {
+// createCustomColumnWithSpecificColor creates a custom column with a specific color
+func createCustomColumnWithSpecificColor(name, kind, title, color, href string) map[string]any {
+	config := BadgeConfig{
+		Text:  initialsFromKind(kind),
+		Color: color,
+		Title: title,
+		Size:  BadgeSizeMedium,
+	}
+	badge := createUnifiedBadge("header-badge", config)
 	link := antdLink("name-link", "{reqsJsonPath[0]['.metadata.name']['-']}", href)
 
-	badgeData := map[string]any{
-		"id":    "header-badge",
-		"value": kind,
-	}
-	// Add custom color if specified
-	if color != "" {
-		badgeData["style"] = map[string]any{
-			"backgroundColor": color,
-		}
-	}
-
 	return map[string]any{
 		"name":     name,
 		"type":     "factory",
@@ -622,14 +602,8 @@ func createCustomColumnWithSpecificColor(name, kind, color, href string) map[str
 			"disableEventBubbling": true,
 			"items": []any{
 				map[string]any{
-					"children": []any{
-						map[string]any{
-							"type": "ResourceBadge",
-							"data": badgeData,
-						},
-						link,
-					},
-					"type": "antdFlex",
+					"children": []any{badge, link},
+					"type":     "antdFlex",
 					"data": map[string]any{
 						"align": "center",
 						"gap":   float64(6),
@@ -694,7 +668,7 @@ func createTimestampColumn(name, jsonPath string) map[string]any {
 // createFactoryHeader creates a header for factory resources
 func createFactoryHeader(kind, plural string) map[string]any {
 	lowerKind := strings.ToLower(kind)
-	badge := createUnifiedBadgeFromKind("badge-"+lowerKind, kind)
+	badge := createUnifiedBadgeFromKind("badge-"+lowerKind, kind, plural, BadgeSizeLarge)
 	nameText := parsedText(lowerKind+"-name", "{reqsJsonPath[0]['.metadata.name']['-']}", map[string]any{
 		"fontFamily": "RedHatDisplay, Overpass, overpass, helvetica, arial, sans-serif",
 		"fontSize":   float64(20),
@@ -744,26 +718,13 @@ func createFactorySpec(key string, sidebarTags []any, urlsToFetch []any, header
 }
 
 // createCustomColumnWithJsonPath creates a column with a custom badge and link using jsonPath
-// badgeValue should be the kind in PascalCase (e.g., "Service", "VirtualMachine")
-// abbreviation is auto-generated by ResourceBadge from badgeValue
-func createCustomColumnWithJsonPath(name, jsonPath, badgeValue, badgeColor, linkHref string) map[string]any {
+func createCustomColumnWithJsonPath(name, jsonPath, badgeText, badgeTitle, badgeColor, linkHref string) map[string]any {
 	// Determine link ID based on jsonPath
 	linkId := "name-link"
 	if jsonPath == ".metadata.namespace" {
 		linkId = "namespace-link"
 	}
 
-	badgeData := map[string]any{
-		"id":    "header-badge",
-		"value": badgeValue,
-	}
-	// Add custom color if specified
-	if badgeColor != "" {
-		badgeData["style"] = map[string]any{
-			"backgroundColor": badgeColor,
-		}
-	}
-
 	return map[string]any{
 		"name":     name,
 		"type":     "factory",
@@ -780,8 +741,26 @@ func createCustomColumnWithJsonPath(name, jsonPath, badgeValue, badgeColor, link
 					},
 					"children": []any{
 						map[string]any{
-							"type": "ResourceBadge",
-							"data": badgeData,
+							"type": "antdText",
+							"data": map[string]any{
+								"id":    "header-badge",
+								"text":  badgeText,
+								"title": badgeTitle,
+								"style": map[string]any{
+									"backgroundColor": badgeColor,
+									"borderRadius":    "20px",
+									"color":           "#fff",
+									"display":         "inline-block",
+									"fontFamily":      "RedHatDisplay, Overpass, overpass, helvetica, arial, sans-serif",
+									"fontSize":        "15px",
+									"fontWeight":      400,
+									"lineHeight":      "24px",
+									"minWidth":        24,
+									"padding":         "0 9px",
+									"textAlign":       "center",
+									"whiteSpace":      "nowrap",
+								},
+							},
 						},
 						map[string]any{
 							"type": "antdLink",
@@ -799,20 +778,7 @@ func createCustomColumnWithJsonPath(name, jsonPath, badgeValue, badgeColor, link
 }
 
 // createCustomColumnWithoutJsonPath creates a column with a custom badge and link without jsonPath
-// badgeValue should be the kind in PascalCase (e.g., "Node", "Pod")
-// abbreviation is auto-generated by ResourceBadge from badgeValue
-func createCustomColumnWithoutJsonPath(name, badgeValue, badgeColor, linkHref string) map[string]any {
-	badgeData := map[string]any{
-		"id":    "header-badge",
-		"value": badgeValue,
-	}
-	// Add custom color if specified
-	if badgeColor != "" {
-		badgeData["style"] = map[string]any{
-			"backgroundColor": badgeColor,
-		}
-	}
-
+func createCustomColumnWithoutJsonPath(name, badgeText, badgeTitle, badgeColor, linkHref string) map[string]any {
 	return map[string]any{
 		"name": name,
 		"type": "factory",
@@ -828,8 +794,26 @@ func createCustomColumnWithoutJsonPath(name, badgeValue, badgeColor, linkHref st
 					},
 					"children": []any{
 						map[string]any{
-							"type": "ResourceBadge",
-							"data": badgeData,
+							"type": "antdText",
+							"data": map[string]any{
+								"id":    "header-badge",
+								"text":  badgeText,
+								"title": badgeTitle,
+								"style": map[string]any{
+									"backgroundColor": badgeColor,
+									"borderRadius":    "20px",
+									"color":           "#fff",
+									"display":         "inline-block",
+									"fontFamily":      "RedHatDisplay, Overpass, overpass, helvetica, arial, sans-serif",
+									"fontSize":        "15px",
+									"fontWeight":      400,
+									"lineHeight":      "24px",
+									"minWidth":        24,
+									"padding":         "0 9px",
+									"textAlign":       "center",
+									"whiteSpace":      "nowrap",
+								},
+							},
 						},
 						map[string]any{
 							"type": "antdLink",
@@ -1046,15 +1030,6 @@ func createConverterBytesColumn(name, jsonPath string) map[string]any {
 	}
 }
 
-// createFlatMapColumn creates a flatMap column that expands a map into separate rows
-func createFlatMapColumn(name, jsonPath string) map[string]any {
-	return map[string]any{
-		"name":     name,
-		"type":     "flatMap",
-		"jsonPath": jsonPath,
-	}
-}
-
 // ---------------- Factory UI helper functions ----------------
 
 // labelsEditor creates a Labels editor component

internal/controller/dashboard/static_processor.go

@@ -32,7 +32,7 @@ func (m *Manager) ensureStaticResource(ctx context.Context, obj client.Object) e
 	// Add dashboard labels to static resources
 	m.addDashboardLabels(resource, nil, ResourceTypeStatic)
 
-	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, resource, func() error {
+	_, err := controllerutil.CreateOrUpdate(ctx, m.client, resource, func() error {
 		// For static resources, we don't need to set owner references
 		// as they are meant to be persistent across CRD changes
 		// Copy Spec from the original object to the live object

internal/controller/dashboard/static_refactored.go

@@ -132,7 +132,7 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 	return []*dashboardv1alpha1.CustomColumnsOverride{
 		// Factory details v1 services
 		createCustomColumnsOverride("factory-details-v1.services", []any{
-			createCustomColumnWithSpecificColor("Name", "Service", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-service-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithSpecificColor("Name", "Service", "service", getColorForType("service"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-service-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
 			createStringColumn("ClusterIP", ".spec.clusterIP"),
 			createStringColumn("LoadbalancerIP", ".spec.loadBalancerIP"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
@@ -140,7 +140,7 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Stock namespace v1 services
 		createCustomColumnsOverride("stock-namespace-/v1/services", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Service", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-service-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "S", "service", getColorForType("service"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-service-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
 			createStringColumn("ClusterIP", ".spec.clusterIP"),
 			createStringColumn("LoadbalancerIP", ".status.loadBalancer.ingress[0].ip"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
@@ -148,7 +148,7 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Stock namespace core cozystack io v1alpha1 tenantmodules
 		createCustomColumnsOverride("stock-namespace-/core.cozystack.io/v1alpha1/tenantmodules", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Module", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/{reqsJsonPath[0]['.metadata.name']['-']}-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "M", "module", getColorForType("module"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/{reqsJsonPath[0]['.metadata.name']['-']}-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
 			createReadyColumn(),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 			createStringColumn("Version", ".status.version"),
@@ -164,7 +164,7 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Factory details v1alpha1 cozystack io workloadmonitors
 		createCustomColumnsOverride("factory-details-v1alpha1.cozystack.io.workloadmonitors", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "WorkloadMonitor", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/workloadmonitor-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "W", "workloadmonitor", getColorForType("workloadmonitor"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/workloadmonitor-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
 			createStringColumn("TYPE", ".spec.type"),
 			createStringColumn("VERSION", ".spec.version"),
 			createStringColumn("REPLICAS", ".spec.replicas"),
@@ -173,19 +173,18 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 			createStringColumn("OBSERVED", ".status.observedReplicas"),
 		}),
 
-		// Factory details v1alpha1 core cozystack io tenantsecrets
-		createCustomColumnsOverride("factory-details-v1alpha1.core.cozystack.io.tenantsecrets", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Secret", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-secret-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
-			createFlatMapColumn("Data", ".data"),
-			createStringColumn("Key", "_flatMapData_Key"),
-			createSecretBase64Column("Value", "_flatMapData_Value"),
+		// Factory details v1alpha1 core cozystack io tenantsecretstables
+		createCustomColumnsOverride("factory-details-v1alpha1.core.cozystack.io.tenantsecretstables", []any{
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "S", "secret", getColorForType("secret"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-secret-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createStringColumn("Key", ".data.key"),
+			createSecretBase64Column("Value", ".data.value"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),
 
 		// Factory ingress details rules
 		createCustomColumnsOverride("factory-kube-ingress-details-rules", []any{
 			createStringColumn("Host", ".host"),
-			createCustomColumnWithJsonPath("Service", ".http.paths[0].backend.service.name", "Service", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-service-details/{reqsJsonPath[0]['.http.paths[0].backend.service.name']['-']}"),
+			createCustomColumnWithJsonPath("Service", ".http.paths[0].backend.service.name", "S", "service", getColorForType("service"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-service-details/{reqsJsonPath[0]['.http.paths[0].backend.service.name']['-']}"),
 			createStringColumn("Port", ".http.paths[0].backend.service.port.number"),
 			createStringColumn("Path", ".http.paths[0].path"),
 		}),
@@ -251,7 +250,7 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Factory details networking k8s io v1 ingresses
 		createCustomColumnsOverride("factory-details-networking.k8s.io.v1.ingresses", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Ingress", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-ingress-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "I", "ingress", getColorForType("ingress"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-ingress-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
 			createStringColumn("Hosts", ".spec.rules[*].host"),
 			createStringColumn("Address", ".status.loadBalancer.ingress[0].ip"),
 			createStringColumn("Port", ".spec.defaultBackend.service.port.number"),
@@ -260,7 +259,7 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Stock namespace networking k8s io v1 ingresses
 		createCustomColumnsOverride("stock-namespace-/networking.k8s.io/v1/ingresses", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Ingress", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-ingress-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "I", "ingress", getColorForType("ingress"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-ingress-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
 			createStringColumn("Hosts", ".spec.rules[*].host"),
 			createStringColumn("Address", ".status.loadBalancer.ingress[0].ip"),
 			createStringColumn("Port", ".spec.defaultBackend.service.port.number"),
@@ -269,34 +268,34 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Stock cluster v1 configmaps
 		createCustomColumnsOverride("stock-cluster-/v1/configmaps", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "ConfigMap", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/configmap-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
-			createCustomColumnWithJsonPath("Namespace", ".metadata.namespace", "Namespace", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/marketplace"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "CM", "configmap", getColorForType("configmap"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/configmap-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Namespace", ".metadata.namespace", "NS", "namespace", getColorForType("namespace"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/marketplace"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),
 
 		// Stock namespace v1 configmaps
 		createCustomColumnsOverride("stock-namespace-/v1/configmaps", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "ConfigMap", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/configmap-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "CM", "configmap", getColorForType("configmap"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/configmap-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),
 
 		// Cluster v1 configmaps
 		createCustomColumnsOverride("cluster-/v1/configmaps", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "ConfigMap", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/configmap-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
-			createCustomColumnWithJsonPath("Namespace", ".metadata.namespace", "Namespace", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/marketplace"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "CM", "configmap", getColorForType("configmap"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/configmap-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Namespace", ".metadata.namespace", "NS", "namespace", getColorForType("namespace"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/marketplace"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),
 
 		// Stock cluster v1 nodes
 		createCustomColumnsOverride("stock-cluster-/v1/nodes", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Node", "", "/openapi-ui/{2}/factory/node-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "N", "node", getColorForType("node"), "/openapi-ui/{2}/factory/node-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
 			createSimpleStatusColumn("Status", "node-status"),
 		}),
 
 		// Factory node details v1 pods
 		createCustomColumnsOverride("factory-node-details-v1.pods", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Pod", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/pod-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
-			createCustomColumnWithJsonPath("Namespace", ".metadata.namespace", "Namespace", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/marketplace"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "P", "pod", getColorForType("pod"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/pod-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Namespace", ".metadata.namespace", "NS", "namespace", getColorForType("namespace"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/marketplace"),
 			createStringColumn("Restart Policy", ".spec.restartPolicy"),
 			createStringColumn("Pod IP", ".status.podIP"),
 			createStringColumn("QOS", ".status.qosClass"),
@@ -305,8 +304,8 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Factory v1 pods
 		createCustomColumnsOverride("factory-v1.pods", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Pod", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/pod-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
-			createCustomColumnWithoutJsonPath("Node", "Node", "", "/openapi-ui/{2}/factory/node-details/{reqsJsonPath[0]['.spec.nodeName']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "P", "pod", getColorForType("pod"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/pod-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithoutJsonPath("Node", "N", "node", getColorForType("node"), "/openapi-ui/{2}/factory/node-details/{reqsJsonPath[0]['.spec.nodeName']['-']}"),
 			createStringColumn("Restart Policy", ".spec.restartPolicy"),
 			createStringColumn("Pod IP", ".status.podIP"),
 			createStringColumn("QOS", ".status.qosClass"),
@@ -315,9 +314,9 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Stock cluster v1 pods
 		createCustomColumnsOverride("stock-cluster-/v1/pods", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Pod", "#009596", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/pod-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
-			createCustomColumnWithJsonPath("Namespace", ".metadata.namespace", "Namespace", "#a25792ff", "/openapi-ui/{2}/factory/tenantnamespace/{reqsJsonPath[0]['.metadata.namespace']['-']}"),
-			createCustomColumnWithJsonPath("Node", ".spec.nodeName", "Node", "#8476d1", "/openapi-ui/{2}/factory/node-details/{reqsJsonPath[0]['.spec.nodeName']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "P", "pod", "#009596", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/pod-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Namespace", ".metadata.namespace", "NS", "namespace", "#a25792ff", "/openapi-ui/{2}/factory/tenantnamespace/{reqsJsonPath[0]['.metadata.namespace']['-']}"),
+			createCustomColumnWithJsonPath("Node", ".spec.nodeName", "N", "node", "#8476d1", "/openapi-ui/{2}/factory/node-details/{reqsJsonPath[0]['.spec.nodeName']['-']}"),
 			createStringColumn("Restart Policy", ".spec.restartPolicy"),
 			createStringColumn("Pod IP", ".status.podIP"),
 			createStringColumn("QOS", ".status.qosClass"),
@@ -326,8 +325,8 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Stock namespace v1 pods
 		createCustomColumnsOverride("stock-namespace-/v1/pods", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Pod", "#009596", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/pod-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
-			createCustomColumnWithoutJsonPath("Node", "Node", "#8476d1", "/openapi-ui/{2}/factory/node-details/{reqsJsonPath[0]['.spec.nodeName']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "P", "pod", "#009596", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/pod-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithoutJsonPath("Node", "N", "node", "#8476d1", "/openapi-ui/{2}/factory/node-details/{reqsJsonPath[0]['.spec.nodeName']['-']}"),
 			createStringColumn("Restart Policy", ".spec.restartPolicy"),
 			createStringColumn("Pod IP", ".status.podIP"),
 			createStringColumn("QOS", ".status.qosClass"),
@@ -336,15 +335,15 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Stock cluster v1 secrets
 		createCustomColumnsOverride("stock-cluster-/v1/secrets", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Secret", "#c46100", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-secret-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
-			createCustomColumnWithJsonPath("Namespace", ".metadata.namespace", "Namespace", "#a25792ff", "/openapi-ui/{2}/factory/tenantnamespace/{reqsJsonPath[0]['.metadata.namespace']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "S", "secret", "#c46100", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-secret-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Namespace", ".metadata.namespace", "NS", "namespace", "#a25792ff", "/openapi-ui/{2}/factory/tenantnamespace/{reqsJsonPath[0]['.metadata.namespace']['-']}"),
 			createStringColumn("Type", ".type"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),
 
 		// Stock namespace v1 secrets
 		createCustomColumnsOverride("stock-namespace-/v1/secrets", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "Secret", "#c46100", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-secret-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "S", "secret", "#c46100", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-secret-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
 			createStringColumn("Type", ".type"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),
@@ -361,7 +360,7 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 
 		// Stock cluster core cozystack io v1alpha1 tenantnamespaces
 		createCustomColumnsOverride("stock-cluster-/core.cozystack.io/v1alpha1/tenantnamespaces", []any{
-			createCustomColumnWithJsonPath("Name", ".metadata.name", "TenantNamespace", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.name']['-']}/factory/marketplace"),
+			createCustomColumnWithJsonPath("Name", ".metadata.name", "TN", "tenantnamespace", getColorForType("tenantnamespace"), "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.name']['-']}/factory/marketplace"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),
 	}
@@ -497,6 +496,7 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 		Kind:         "Namespace",
 		Plural:       "namespaces",
 		Title:        "namespace",
+		Size:         BadgeSizeLarge,
 	}
 	namespaceSpec := createUnifiedFactory(namespaceConfig, nil, []any{"/api/clusters/{2}/k8s/api/v1/namespaces/{5}"})
 
@@ -796,7 +796,6 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 						"substractHeight":           float64(400),
 						"type":                      "builtin",
 						"typeName":                  "secrets",
-						"readOnly":                  true,
 					},
 				},
 			},
@@ -1056,7 +1055,7 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 													"clusterNamePartOfUrl": "{2}",
 													"customizationId":      "factory-kube-service-details-endpointslice",
 													"fetchUrl":             "/api/clusters/{2}/k8s/apis/discovery.k8s.io/v1/namespaces/{3}/endpointslices",
-													"labelSelector": map[string]any{
+													"labelsSelector": map[string]any{
 														"kubernetes.io/service-name": "{reqsJsonPath[0]['.metadata.name']['-']}",
 													},
 													"pathToItems":     ".items[*].endpoints",
@@ -1202,7 +1201,7 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 											"gap":   6,
 										},
 										"children": []any{
-											createUnifiedBadgeFromKind("ns-badge", "Namespace"),
+											createUnifiedBadgeFromKind("ns-badge", "Namespace", "namespace", BadgeSizeMedium),
 											antdLink("namespace-link",
 												"{reqsJsonPath[0]['.metadata.namespace']['-']}",
 												"/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/marketplace",
@@ -1397,7 +1396,7 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 						"clusterNamePartOfUrl": "{2}",
 						"customizationId":      "factory-details-v1alpha1.cozystack.io.workloads",
 						"fetchUrl":             "/api/clusters/{2}/k8s/apis/cozystack.io/v1alpha1/namespaces/{3}/workloads",
-						"labelSelector": map[string]any{
+						"labelsSelector": map[string]any{
 							"workloads.cozystack.io/monitor": "{reqs[0]['metadata','name']}",
 						},
 						"pathToItems": []any{"items"},

internal/controller/dashboard/ui_helpers.go

@@ -1,5 +1,7 @@
 package dashboard
 
+import "strings"
+
 // ---------------- UI helpers (use float64 for numeric fields) ----------------
 
 func contentCard(id string, style map[string]any, children []any) map[string]any {
@@ -198,10 +200,10 @@ func createBadge(id, text, color, title string) map[string]any {
 
 // createBadgeFromKind creates a badge using the existing badge generation functions
 func createBadgeFromKind(id, kind, title string) map[string]any {
-	return createUnifiedBadgeFromKind(id, kind)
+	return createUnifiedBadgeFromKind(id, kind, title, BadgeSizeMedium)
 }
 
 // createHeaderBadge creates a badge specifically for headers with consistent styling
 func createHeaderBadge(id, kind, plural string) map[string]any {
-	return createUnifiedBadgeFromKind(id, kind)
+	return createUnifiedBadgeFromKind(id, kind, strings.ToLower(plural), BadgeSizeLarge)
 }

internal/controller/dashboard/unified_helpers.go

@@ -81,49 +81,88 @@ func isAlphanumeric(c byte) bool {
 
 // BadgeConfig holds configuration for badge generation
 type BadgeConfig struct {
-	Kind  string // Resource kind in PascalCase (e.g., "VirtualMachine") - used for value and auto-generation
-	Text  string // Optional abbreviation override (if empty, ResourceBadge auto-generates from Kind)
-	Color string // Optional custom backgroundColor override
+	Text  string
+	Color string
+	Title string
+	Size  BadgeSize
 }
 
-// createUnifiedBadge creates a badge using the unified BadgeConfig with ResourceBadge component
+// BadgeSize represents the size of the badge
+type BadgeSize int
+
+const (
+	BadgeSizeSmall BadgeSize = iota
+	BadgeSizeMedium
+	BadgeSizeLarge
+)
+
+// generateBadgeConfig creates a BadgeConfig from kind and optional custom values
+func generateBadgeConfig(kind string, customText, customColor, customTitle string) BadgeConfig {
+	config := BadgeConfig{
+		Text:  initialsFromKind(kind),
+		Color: hexColorForKind(kind),
+		Title: strings.ToLower(kind),
+		Size:  BadgeSizeMedium,
+	}
+
+	// Override with custom values if provided
+	if customText != "" {
+		config.Text = customText
+	}
+	if customColor != "" {
+		config.Color = customColor
+	}
+	if customTitle != "" {
+		config.Title = customTitle
+	}
+
+	return config
+}
+
+// createUnifiedBadge creates a badge using the unified BadgeConfig
 func createUnifiedBadge(id string, config BadgeConfig) map[string]any {
-	data := map[string]any{
-		"id":    id,
-		"value": config.Kind,
-	}
-
-	// Add abbreviation override if specified (otherwise ResourceBadge auto-generates from Kind)
-	if config.Text != "" {
-		data["abbreviation"] = config.Text
-	}
-
-	// Add custom color if specified
-	if config.Color != "" {
-		data["style"] = map[string]any{
-			"backgroundColor": config.Color,
-		}
+	fontSize := "15px"
+	if config.Size == BadgeSizeLarge {
+		fontSize = "20px"
+	} else if config.Size == BadgeSizeSmall {
+		fontSize = "12px"
 	}
 
 	return map[string]any{
-		"type": "ResourceBadge",
-		"data": data,
-	}
-}
-
-// createUnifiedBadgeFromKind creates a badge from kind with ResourceBadge component
-// Abbreviation is auto-generated by ResourceBadge from kind, but can be customized if needed
-func createUnifiedBadgeFromKind(id, kind string) map[string]any {
-	return map[string]any{
-		"type": "ResourceBadge",
+		"type": "antdText",
 		"data": map[string]any{
 			"id":    id,
-			"value": kind,
-			// abbreviation is optional - ResourceBadge auto-generates from value
+			"text":  config.Text,
+			"title": config.Title,
+			"style": map[string]any{
+				"backgroundColor": config.Color,
+				"borderRadius":    "20px",
+				"color":           "#fff",
+				"display":         "inline-block",
+				"fontFamily":      "RedHatDisplay, Overpass, overpass, helvetica, arial, sans-serif",
+				"fontSize":        fontSize,
+				"fontWeight":      float64(400),
+				"lineHeight":      "24px",
+				"minWidth":        float64(24),
+				"padding":         "0 9px",
+				"textAlign":       "center",
+				"whiteSpace":      "nowrap",
+			},
 		},
 	}
 }
 
+// createUnifiedBadgeFromKind creates a badge from kind with automatic color generation
+func createUnifiedBadgeFromKind(id, kind, title string, size BadgeSize) map[string]any {
+	config := BadgeConfig{
+		Text:  initialsFromKind(kind),
+		Color: hexColorForKind(kind),
+		Title: title,
+		Size:  size,
+	}
+	return createUnifiedBadge(id, config)
+}
+
 // ---------------- Resource creation helpers with unified approach ----------------
 
 // ResourceConfig holds configuration for resource creation
@@ -144,9 +183,7 @@ func createResourceConfig(components []string, kind, title string) ResourceConfi
 	metadataName := generateMetadataName(specID)
 
 	// Generate badge config
-	badgeConfig := BadgeConfig{
-		Kind: kind,
-	}
+	badgeConfig := generateBadgeConfig(kind, "", "", title)
 
 	return ResourceConfig{
 		SpecID:       specID,
@@ -159,6 +196,35 @@ func createResourceConfig(components []string, kind, title string) ResourceConfi
 
 // ---------------- Enhanced color generation ----------------
 
+// getColorForKind returns a color for a specific kind with improved distribution
+func getColorForKind(kind string) string {
+	// Use existing hexColorForKind function
+	return hexColorForKind(kind)
+}
+
+// getColorForType returns a color for a specific type (like "namespace", "service", etc.)
+func getColorForType(typeName string) string {
+	// Map common types to specific colors for consistency
+	colorMap := map[string]string{
+		"namespace":       "#a25792ff",
+		"service":         "#6ca100",
+		"pod":             "#009596",
+		"node":            "#8476d1",
+		"secret":          "#c46100",
+		"configmap":       "#b48c78ff",
+		"ingress":         "#2e7dff",
+		"workloadmonitor": "#c46100",
+		"module":          "#8b5cf6",
+	}
+
+	if color, exists := colorMap[strings.ToLower(typeName)]; exists {
+		return color
+	}
+
+	// Fall back to hash-based color generation
+	return hexColorForKind(typeName)
+}
+
 // ---------------- Automatic ID generation for UI elements ----------------
 
 // generateElementID creates an ID for UI elements based on context and type
@@ -216,6 +282,7 @@ type UnifiedResourceConfig struct {
 	Title        string
 	Color        string
 	BadgeText    string
+	Size         BadgeSize
 }
 
 // createUnifiedFactory creates a factory using unified approach
@@ -225,9 +292,16 @@ func createUnifiedFactory(config UnifiedResourceConfig, tabs []any, urlsToFetch
 
 	// Create header with unified badge
 	badgeConfig := BadgeConfig{
-		Kind:  config.Kind,
 		Text:  config.BadgeText,
 		Color: config.Color,
+		Title: config.Title,
+		Size:  config.Size,
+	}
+	if badgeConfig.Text == "" {
+		badgeConfig.Text = initialsFromKind(config.Kind)
+	}
+	if badgeConfig.Color == "" {
+		badgeConfig.Color = getColorForKind(config.Kind)
 	}
 
 	badge := createUnifiedBadge(generateBadgeID("header", config.Kind), badgeConfig)
@@ -274,9 +348,7 @@ func createUnifiedFactory(config UnifiedResourceConfig, tabs []any, urlsToFetch
 
 // createUnifiedCustomColumn creates a custom column using unified approach
 func createUnifiedCustomColumn(name, jsonPath, kind, title, href string) map[string]any {
-	badgeConfig := BadgeConfig{
-		Kind: kind,
-	}
+	badgeConfig := generateBadgeConfig(kind, "", "", title)
 	badge := createUnifiedBadge(generateBadgeID("column", kind), badgeConfig)
 
 	linkID := generateLinkID("column", "name")

packages/apps/kubernetes/templates/csi/delete.yaml

@@ -1,76 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  annotations:
-    "helm.sh/hook": post-delete
-    "helm.sh/hook-weight": "10"
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-  name: {{ .Release.Name }}-datavolume-cleanup
-spec:
-  template:
-    spec:
-      serviceAccountName: {{ .Release.Name }}-datavolume-cleanup
-      restartPolicy: Never
-      tolerations:
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: "NoSchedule"
-      containers:
-        - name: kubectl
-          image: docker.io/clastix/kubectl:v1.32
-          command:
-            - /bin/sh
-            - -c
-            - kubectl -n {{ .Release.Namespace }} delete datavolumes
-              -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}"
-              --ignore-not-found=true
-
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Release.Name }}-datavolume-cleanup
-  annotations:
-    helm.sh/hook: post-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
-    helm.sh/hook-weight: "0"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  annotations:
-    "helm.sh/hook": post-delete
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-    "helm.sh/hook-weight": "5"
-  name: {{ .Release.Name }}-datavolume-cleanup
-rules:
-  - apiGroups:
-      - "cdi.kubevirt.io"
-    resources:
-      - datavolumes
-    verbs:
-      - get
-      - list
-      - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  annotations:
-    "helm.sh/hook": post-delete
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-    "helm.sh/hook-weight": "5"
-  name: {{ .Release.Name }}-datavolume-cleanup
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .Release.Name }}-datavolume-cleanup
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Release.Name }}-datavolume-cleanup
-    namespace: {{ .Release.Namespace }}
-

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -24,26 +24,26 @@ spec:
           command:
             - /bin/sh
             - -c
-            - >-
-              kubectl
-              --namespace={{ .Release.Namespace }}
-              patch
-              helmrelease
-              {{ .Release.Name }}-cilium
-              {{ .Release.Name }}-gateway-api-crds
-              {{ .Release.Name }}-csi
-              {{ .Release.Name }}-cert-manager
-              {{ .Release.Name }}-cert-manager-crds
-              {{ .Release.Name }}-vertical-pod-autoscaler
-              {{ .Release.Name }}-vertical-pod-autoscaler-crds
-              {{ .Release.Name }}-ingress-nginx
-              {{ .Release.Name }}-fluxcd-operator
-              {{ .Release.Name }}-fluxcd
-              {{ .Release.Name }}-gpu-operator
-              {{ .Release.Name }}-velero
-              {{ .Release.Name }}-coredns
-              -p '{"spec": {"suspend": true}}'
-              --type=merge --field-manager=flux-client-side-apply || true
+            - |
+                kubectl
+                --namespace={{ .Release.Namespace }}
+                patch
+                helmrelease
+                {{ .Release.Name }}-cilium
+                {{ .Release.Name }}-gateway-api-crds
+                {{ .Release.Name }}-csi
+                {{ .Release.Name }}-cert-manager
+                {{ .Release.Name }}-cert-manager-crds
+                {{ .Release.Name }}-vertical-pod-autoscaler
+                {{ .Release.Name }}-vertical-pod-autoscaler-crds
+                {{ .Release.Name }}-ingress-nginx
+                {{ .Release.Name }}-fluxcd-operator
+                {{ .Release.Name }}-fluxcd
+                {{ .Release.Name }}-gpu-operator
+                {{ .Release.Name }}-velero
+                {{ .Release.Name }}-coredns
+                -p '{"spec": {"suspend": true}}'
+                --type=merge --field-manager=flux-client-side-apply || true
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -51,7 +51,7 @@ metadata:
   name: {{ .Release.Name }}-flux-teardown
   annotations:
     helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
+    helm.sh/hook-delete-policy: before-hook-creation,hook-failed
     helm.sh/hook-weight: "0"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -75,7 +75,6 @@ rules:
       - {{ .Release.Name }}-csi
       - {{ .Release.Name }}-cert-manager
       - {{ .Release.Name }}-cert-manager-crds
-      - {{ .Release.Name }}-gateway-api-crds
       - {{ .Release.Name }}-vertical-pod-autoscaler
       - {{ .Release.Name }}-vertical-pod-autoscaler-crds
       - {{ .Release.Name }}-ingress-nginx

packages/apps/mysql/templates/hooks/cleanup-pvc.yaml

@@ -1,74 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ .Release.Name }}-cleanup
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Name }}
-  annotations:
-    "helm.sh/hook": post-delete
-    "helm.sh/hook-weight": "10"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        policy.cozystack.io/allow-to-apiserver: "true"
-    spec:
-      serviceAccountName: {{ .Release.Name }}-cleanup
-      restartPolicy: Never
-      containers:
-        - name: cleanup
-          image: docker.io/clastix/kubectl:v1.32
-          command:
-            - /bin/sh
-            - -c
-            - |
-              echo "Deleting orphaned PVCs for {{ .Release.Name }}..."
-              kubectl delete pvc -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} || true
-              echo "PVC cleanup complete."
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Release.Name }}-cleanup
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Name }}
-  annotations:
-    "helm.sh/hook": post-delete
-    helm.sh/hook-weight: "0"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .Release.Name }}-cleanup
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Name }}
-  annotations:
-    "helm.sh/hook": post-delete
-    "helm.sh/hook-weight": "5"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-rules:
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims"]
-    verbs: ["get", "list", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ .Release.Name }}-cleanup
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Name }}
-  annotations:
-    "helm.sh/hook": post-delete
-    helm.sh/hook-weight: "5"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .Release.Name }}-cleanup
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Release.Name }}-cleanup

packages/apps/nats/templates/nats.yaml

@@ -1,14 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
 {{- $passwords := dict }}
-
-{{- with (dig "data" (dict) $existingSecret) }}
-  {{- range $k, $v := . }}
-    {{- $_ := set $passwords $k (b64dec $v) }}
-  {{- end }}
-{{- end }}
-
 {{- range $user, $u := .Values.users }}
   {{- if $u.password }}
     {{- $_ := set $passwords $user $u.password }}
@@ -55,14 +47,18 @@ spec:
       retries: -1
   values:
     nats:
-      container:
+      podTemplate:
         merge:
-          resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 12 }}
+          spec:
+            containers:
+              - name: nats
+                image: nats:2.10.17-alpine
+                resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 22 }}
       fullnameOverride: {{ .Release.Name }}
       config:
-        {{- if or $passwords .Values.config.merge }}
+        {{- if or (gt (len $passwords) 0) (gt (len .Values.config.merge) 0) }}
         merge:
-          {{- if $passwords }}
+          {{- if gt (len $passwords) 0 }}
           accounts:
             A:
               users:
@@ -71,13 +67,13 @@ spec:
                   password: "{{ $password }}"
                 {{- end }}
           {{- end }}
-          {{- with .Values.config.merge }}
-          {{- toYaml . | nindent 10 }}
+          {{- if and .Values.config (hasKey .Values.config "merge") }}
+          {{ toYaml .Values.config.merge | nindent 12 }}
           {{- end }}
         {{- end }}
-        {{- with .Values.config.resolver }}
+        {{- if and .Values.config (hasKey .Values.config "resolver") }}
         resolver:
-          {{- toYaml . | nindent 10 }}
+          {{ toYaml .Values.config.resolver | nindent 12 }}
         {{- end }}
         cluster:
           enabled: true

packages/apps/redis/templates/redisfailover.yaml

@@ -27,7 +27,6 @@ spec:
     replicas: 3
     resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 6 }}
   redis:
-    image: "redis:8.2.0"
     resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 6 }}
     replicas: {{ .Values.replicas }}
     {{- with .Values.size }}

packages/apps/tenant/templates/networkpolicy.yaml

@@ -20,7 +20,11 @@ metadata:
   name: allow-external-communication
   namespace: {{ include "tenant.name" . }}
 spec:
-  endpointSelector: {}
+  endpointSelector:
+    matchExpressions:
+    - key: policy.cozystack.io/allow-external-communication
+      operator: NotIn
+      values: ["false"]
   ingress:
   - fromEntities:
       - world

packages/apps/tenant/templates/tenant.yaml

@@ -28,13 +28,13 @@ rules:
   - cozystack.io
   resources:
   - workloadmonitors
-  - workloads
   verbs: ["get", "list", "watch"]
 - apiGroups:
   - core.cozystack.io
   resources:
   - tenantmodules
   - tenantsecrets
+  - tenantsecretstables
   verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -113,7 +113,6 @@ rules:
     - cozystack.io
     resources:
     - workloadmonitors
-    - workloads
     verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
@@ -185,13 +184,13 @@ rules:
     - cozystack.io
     resources:
     - workloadmonitors
-    - workloads
     verbs: ["get", "list", "watch"]
   - apiGroups:
     - core.cozystack.io
     resources:
     - tenantmodules
     - tenantsecrets
+    - tenantsecretstables
     verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
@@ -284,13 +283,13 @@ rules:
     - cozystack.io
     resources:
     - workloadmonitors
-    - workloads
     verbs: ["get", "list", "watch"]
   - apiGroups:
     - core.cozystack.io
     resources:
     - tenantmodules
     - tenantsecrets
+    - tenantsecretstables
     verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
@@ -358,13 +357,13 @@ rules:
     - cozystack.io
     resources:
     - workloadmonitors
-    - workloads
     verbs: ["get", "list", "watch"]
   - apiGroups:
     - core.cozystack.io
     resources:
     - tenantmodules
     - tenantsecrets
+    - tenantsecretstables
     verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding

packages/apps/virtual-machine/README.md

@@ -36,29 +36,29 @@ virtctl ssh <user>@<vm>
 
 ### Common parameters
 
-| Name                      | Description                                             | Type       | Value        |
-| ------------------------- | ------------------------------------------------------- | ---------- | ------------ |
-| `external`                | Enable external access from outside the cluster.        | `bool`     | `false`      |
-| `externalMethod`          | Method to pass through traffic to the VM.               | `string`   | `PortList`   |
-| `externalPorts`           | Ports to forward from outside the cluster.              | `[]int`    | `[22]`       |
-| `running`                 | Whether the virtual machine should be running.          | `bool`     | `true`       |
-| `instanceType`            | Virtual Machine instance type.                          | `string`   | `u1.medium`  |
-| `instanceProfile`         | Virtual Machine preferences profile.                    | `string`   | `ubuntu`     |
-| `systemDisk`              | System disk configuration.                              | `object`   | `{}`         |
-| `systemDisk.image`        | The base image for the virtual machine.                 | `string`   | `ubuntu`     |
-| `systemDisk.storage`      | The size of the disk allocated for the virtual machine. | `string`   | `5Gi`        |
-| `systemDisk.storageClass` | StorageClass used to store the data.                    | `string`   | `replicated` |
-| `subnets`                 | Additional subnets                                      | `[]object` | `[]`         |
-| `subnets[i].name`         | Subnet name                                             | `string`   | `""`         |
-| `gpus`                    | List of GPUs to attach.                                 | `[]object` | `[]`         |
-| `gpus[i].name`            | The name of the GPU resource to attach.                 | `string`   | `""`         |
-| `resources`               | Resource configuration for the virtual machine.         | `object`   | `{}`         |
-| `resources.cpu`           | Number of CPU cores allocated.                          | `quantity` | `""`         |
-| `resources.sockets`       | Number of CPU sockets (vCPU topology).                  | `quantity` | `""`         |
-| `resources.memory`        | Amount of memory allocated.                             | `quantity` | `""`         |
-| `sshKeys`                 | List of SSH public keys for authentication.             | `[]string` | `[]`         |
-| `cloudInit`               | Cloud-init user data.                                   | `string`   | `""`         |
-| `cloudInitSeed`           | Seed string to generate SMBIOS UUID for the VM.         | `string`   | `""`         |
+| Name                      | Description                                                        | Type       | Value        |
+| ------------------------- | ------------------------------------------------------------------ | ---------- | ------------ |
+| `external`                | Enable external access from outside the cluster.                   | `bool`     | `false`      |
+| `externalMethod`          | Method to pass through traffic to the VM.                          | `string`   | `PortList`   |
+| `externalPorts`           | Ports to forward from outside the cluster.                         | `[]int`    | `[22]`       |
+| `running`                 | Whether the virtual machine should be running.                     | `bool`     | `true`       |
+| `instanceType`            | Virtual Machine instance type.                                     | `string`   | `u1.medium`  |
+| `instanceProfile`         | Virtual Machine preferences profile.                               | `string`   | `ubuntu`     |
+| `systemDisk`              | System disk configuration.                                         | `object`   | `{}`         |
+| `systemDisk.image`        | The base image for the virtual machine.                            | `string`   | `ubuntu`     |
+| `systemDisk.storage`      | The size of the disk allocated for the virtual machine.            | `string`   | `5Gi`        |
+| `systemDisk.storageClass` | StorageClass used to store the data.                               | `string`   | `replicated` |
+| `subnets`                 | Additional subnets (management subnet will be attached by default) | `[]object` | `[]`         |
+| `subnets[i].name`         | Name of the subnet to attach                                       | `string`   | `""`         |
+| `gpus`                    | List of GPUs to attach.                                            | `[]object` | `[]`         |
+| `gpus[i].name`            | The name of the GPU resource to attach.                            | `string`   | `""`         |
+| `resources`               | Resource configuration for the virtual machine.                    | `object`   | `{}`         |
+| `resources.cpu`           | Number of CPU cores allocated.                                     | `quantity` | `""`         |
+| `resources.sockets`       | Number of CPU sockets (vCPU topology).                             | `quantity` | `""`         |
+| `resources.memory`        | Amount of memory allocated.                                        | `quantity` | `""`         |
+| `sshKeys`                 | List of SSH public keys for authentication.                        | `[]string` | `[]`         |
+| `cloudInit`               | Cloud-init user data.                                              | `string`   | `""`         |
+| `cloudInitSeed`           | Seed string to generate SMBIOS UUID for the VM.                    | `string`   | `""`         |
 
 
 ## U Series

packages/apps/virtual-machine/templates/service.yaml

@@ -28,3 +28,27 @@ spec:
     {{- end }}
     {{- end }}
 {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
+  ingress:
+  - fromEntities:
+      - cluster
+  - fromEntities:
+      - world
+    {{- if eq .Values.externalMethod "PortList" }}
+    toPorts:
+      - ports:
+          {{- range .Values.externalPorts }}
+          - port: {{ quote . }}
+          {{- end }}
+    {{- end }}
+  egress:
+  - toEntities:
+      - world

packages/apps/virtual-machine/templates/vm.yaml

@@ -62,6 +62,7 @@ spec:
   template:
     metadata:
       annotations:
+        policy.cozystack.io/allow-external-communication: "false"
         kubevirt.io/allow-pod-bridge-network-live-migration: "true"
       labels:
         {{- include "virtual-machine.labels" . | nindent 8 }}

packages/apps/virtual-machine/values.schema.json

@@ -168,14 +168,17 @@
       }
     },
     "subnets": {
-      "description": "Additional subnets",
+      "description": "Additional subnets (management subnet will be attached by default)",
       "type": "array",
       "default": [],
       "items": {
         "type": "object",
+        "required": [
+          "name"
+        ],
         "properties": {
           "name": {
-            "description": "Subnet name",
+            "description": "Name of the subnet to attach",
             "type": "string"
           }
         }

packages/apps/virtual-machine/values.yaml

@@ -18,9 +18,6 @@
 ## @field {string} storage - The size of the disk allocated for the virtual machine.
 ## @field {string} [storageClass] - StorageClass used to store the data.
 
-## @typedef {struct} Subnet - Additional subnets
-## @field {string} [name] - Subnet name
-
 ## @typedef {struct} GPU - GPU device configuration.
 ## @field {string} name - The name of the GPU resource to attach.
 
@@ -29,6 +26,9 @@
 ## @field {quantity} [sockets] - Number of CPU sockets (vCPU topology).
 ## @field {quantity} [memory] - Amount of memory allocated.
 
+## @typedef {struct} Subnet - Additional subnet to attach to
+## @field {string} name - Name of the subnet to attach
+
 ## @param {bool} external - Enable external access from outside the cluster.
 external: false
 
@@ -53,7 +53,7 @@ systemDisk:
   storage: 5Gi
   storageClass: replicated
 
-## @param {[]Subnet} subnets - Additional subnets
+## @param {[]Subnet} subnets - Additional subnets (management subnet will be attached by default)
 subnets: []
 ## Example:
 ## subnets:

packages/apps/vm-instance/README.md

@@ -47,10 +47,10 @@ virtctl ssh <user>@<vm>
 | `disks`             | List of disks to attach.                                            | `[]object` | `[]`        |
 | `disks[i].name`     | Disk name.                                                          | `string`   | `""`        |
 | `disks[i].bus`      | Disk bus type (e.g. "sata").                                        | `string`   | `""`        |
-| `subnets`           | Additional subnets                                                  | `[]object` | `[]`        |
-| `subnets[i].name`   | Subnet name                                                         | `string`   | `""`        |
 | `gpus`              | List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM). | `[]object` | `[]`        |
 | `gpus[i].name`      | The name of the GPU resource to attach.                             | `string`   | `""`        |
+| `subnets`           | Additional subnets (management subnet will be attached by default)  | `[]object` | `[]`        |
+| `subnets[i].name`   | Name of the subnet to attach                                        | `string`   | `""`        |
 | `resources`         | Resource configuration for the virtual machine.                     | `object`   | `{}`        |
 | `resources.cpu`     | Number of CPU cores allocated.                                      | `quantity` | `""`        |
 | `resources.memory`  | Amount of memory allocated.                                         | `quantity` | `""`        |

packages/apps/vm-instance/templates/service.yaml

@@ -28,3 +28,27 @@ spec:
     {{- end }}
     {{- end }}
 {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
+  ingress:
+  - fromEntities:
+      - cluster
+  - fromEntities:
+      - world
+    {{- if eq .Values.externalMethod "PortList" }}
+    toPorts:
+      - ports:
+        {{- range .Values.externalPorts }}
+        - port: {{ quote . }}
+        {{- end }}
+    {{- end }}
+  egress:
+  - toEntities:
+      - world

packages/apps/vm-instance/templates/vm.yaml

@@ -26,6 +26,7 @@ spec:
   template:
     metadata:
       annotations:
+        policy.cozystack.io/allow-external-communication: "false"
         kubevirt.io/allow-pod-bridge-network-live-migration: "true"
       labels:
         {{- include "virtual-machine.labels" . | nindent 8 }}

packages/apps/vm-instance/values.schema.json

@@ -189,14 +189,17 @@
       }
     },
     "subnets": {
-      "description": "Additional subnets",
+      "description": "Additional subnets (management subnet will be attached by default)",
       "type": "array",
       "default": [],
       "items": {
         "type": "object",
+        "required": [
+          "name"
+        ],
         "properties": {
           "name": {
-            "description": "Subnet name",
+            "description": "Name of the subnet to attach",
             "type": "string"
           }
         }

packages/apps/vm-instance/values.yaml

@@ -10,9 +10,6 @@
 ## @field {string} name - Disk name.
 ## @field {string} [bus] - Disk bus type (e.g. "sata").
 
-## @typedef {struct} Subnet - Additional subnets
-## @field {string} [name] - Subnet name
-
 ## @typedef {struct} GPU - GPU device configuration.
 ## @field {string} name - The name of the GPU resource to attach.
 
@@ -21,6 +18,9 @@
 ## @field {quantity} [memory] - Amount of memory allocated.
 ## @field {quantity} [sockets] - Number of CPU sockets (vCPU topology).
 
+## @typedef {struct} Subnet - Additional subnet to attach to
+## @field {string} name - Name of the subnet to attach
+
 ## @param {bool} external - Enable external access from outside the cluster.
 external: false
 
@@ -48,7 +48,13 @@ disks: []
 ## - name: example-data
 ##   bus: sata
 
-## @param {[]Subnet} subnets - Additional subnets
+## @param {[]GPU} gpus - List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).
+gpus: []
+## Example:
+## gpus:
+## - name: nvidia.com/GA102GL_A10
+
+## @param {[]Subnet} subnets - Additional subnets (management subnet will be attached by default)
 subnets: []
 ## Example:
 ## subnets:
@@ -56,14 +62,13 @@ subnets: []
 ##   - name: subnet-aa8896b5
 ##   - name: subnet-e9b97196
 
-## @param {[]GPU} gpus - List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).
-gpus: []
-## Example:
-## gpus:
-## - name: nvidia.com/GA102GL_A10
-
 ## @param {Resources} [resources] - Resource configuration for the virtual machine.
 resources: {}
+## Example:
+## resources:
+##   cpu: "4"
+##   sockets: "1"
+##   memory: "8Gi"
 
 ## @param {[]string} sshKeys - List of SSH public keys for authentication.
 sshKeys: []

packages/apps/vpc/README.md

@@ -1,50 +0,0 @@
-# VPC
-
-VPC offers a subset of dedicated subnets with networking services related to it.
-As the service evolves, it will provide more ways to isolate your workloads.
-
-## Service details
-
-To function, the service requires kube-ovn and multus CNI to be present, so by default it will only work on `paas-full` bundle.
-Kube-ovn provides VPC and Subnet resources and performs isolation and networking maintenance such as DHCP. Under the hood it uses ovn virtual routers and virtual switches.
-Multus enables a multi-nic capability, so a pod or a VM could have two or more network interfaces.
-
-Currently every workload will have a connection to a default management network which will also have a default gateway, and the majority of traffic will go through it.
-VPC subnets are for now an additional dedicated networking spaces.
-
-## Deployment notes
-
-VPC name must be unique within a tenant.
-Subnet name and ip address range must be unique within a VPC.
-Subnet ip address space must not overlap with the default management network ip address range, subsets of 172.16.0.0/12 are recommended.
-Currently there are no fail-safe checks, however they are planned for the future.
-
-Different VPCs may have subnets with ovelapping ip address ranges.
-
-A VM or a pod may be connected to multiple secondary Subnets at once. Each secondary connection will be represented as an additional network interface.
-
-## Parameters
-
-### Common parameters
-
-| Name                 | Description                      | Type                | Value   |
-| -------------------- | -------------------------------- | ------------------- | ------- |
-| `subnets`            | Subnets of a VPC                 | `map[string]object` | `{...}` |
-| `subnets[name].cidr` | Subnet CIDR, e.g. 192.168.0.0/24 | `cidr`              | `{}`    |
-
-
-## Examples
-```yaml
-apiVersion: apps.cozystack.io/v1alpha1
-kind: VirtualPrivateCloud
-metadata:
-  name: vpc00
-spec:
-  subnets:
-    sub00:
-      cidr: 172.16.0.0/24
-    sub01:
-      cidr: 172.16.1.0/24
-    sub02:
-      cidr: 172.16.2.0/24
-```

packages/apps/vpc/templates/vpc.yaml

@@ -58,15 +58,15 @@ spec:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ $.Release.Name }}-subnets
+  name: {{ $vpcId }}-subnets
   labels:
-    cozystack.io/vpcId: {{ $vpcId }}
+    cozystack.io/vpcName: {{ $.Release.Name }}
     cozystack.io/tenantName: {{ $.Release.Namespace }}
 data:
-  {{- range $subnetName, $subnetConfig := .Values.subnets }}
-  {{ $subnetName }}: |-
-    subnetName: {{ $subnetName }}
-    subnetId: {{ print "subnet-" (print $.Release.Namespace "/" $vpcId "/" $subnetName | sha256sum | trunc 8) }}
-    subnetCIDR: {{ $subnetConfig.cidr }}
-  {{- end }}
+  subnets: |
+    {{- range $subnetName, $subnetConfig := .Values.subnets }}
+    - subnetName: {{ $subnetName }}
+      subnetId: {{ print "subnet-" (print $.Release.Namespace "/" $vpcId "/" $subnetName | sha256sum | trunc 8) }}
+      subnetCIDR: {{ $subnetConfig.cidr }}
+    {{- end }}
 

packages/apps/vpc/values.schema.json

@@ -8,9 +8,12 @@
       "default": {},
       "additionalProperties": {
         "type": "object",
+        "required": [
+          "cidr"
+        ],
         "properties": {
           "cidr": {
-            "description": "IP address range",
+            "description": "Subnet CIDR, e.g. 192.168.0.0/24",
             "type": "string"
           }
         }

packages/apps/vpc/values.yaml

@@ -1,15 +1,14 @@
-##
 ## @section Common parameters
-##
 
 ## @typedef {struct} Subnet - Subnet of a VPC
-## @field {string} [cidr] - IP address range
+## @field {string} cidr - Subnet CIDR, e.g. 192.168.0.0/24
 
 ## @param {map[string]Subnet} subnets - Subnets of a VPC
-subnets: {}
+##
 ## Example:
 ## subnets:
 ##   mysubnet0:
-##     cidr: "172.16.0.0/24"
+##     cidr: "172.16.0.0/16"
 ##   mysubnet1:
-##     cidr: "172.16.1.0/24"
+##     cidr: "172.17.0.0/16"
+subnets: {}

packages/core/installer/hack/gen-profiles.sh

@@ -5,7 +5,7 @@ set -u
 TMPDIR=$(mktemp -d)
 PROFILES="initramfs kernel iso installer nocloud metal"
 FIRMWARES="amd-ucode amdgpu bnx2-bnx2x i915 intel-ice-firmware intel-ucode qlogic-firmware"
-EXTENSIONS="drbd zfs"
+EXTENSIONS="drbd zfs lldpd"
 
 mkdir -p images/talos/profiles
 
@@ -90,6 +90,7 @@ input:
     - imageRef: ${QLOGIC_FIRMWARE_IMAGE}
     - imageRef: ${DRBD_IMAGE}
     - imageRef: ${ZFS_IMAGE}
+    - imageRef: ${LLDPD_IMAGE}
 output:
   kind: ${kind}
   imageOptions: ${image_options}

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -21,6 +21,7 @@ input:
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250917@sha256:7094e5db6931a1b68240416b65ddc0f3b546bd9b8520e3cfb1ddebcbfc83e890
     - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.11.3@sha256:4393756875751e2664a04e96c1ccff84c99958ca819dd93b46b82ad8f3b4be67
     - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.11.3@sha256:3c0b34a760914980ac234e66f130d829e428018e46420b7bca33219b1cc2dd87
+    - imageRef: ghcr.io/siderolabs/lldpd:1.0.20@sha256:4c6370518f5b2e1f03214a6ed54778eaea663fda8850e3f4da174ed69b636172
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -21,6 +21,7 @@ input:
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250917@sha256:7094e5db6931a1b68240416b65ddc0f3b546bd9b8520e3cfb1ddebcbfc83e890
     - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.11.3@sha256:4393756875751e2664a04e96c1ccff84c99958ca819dd93b46b82ad8f3b4be67
     - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.11.3@sha256:3c0b34a760914980ac234e66f130d829e428018e46420b7bca33219b1cc2dd87
+    - imageRef: ghcr.io/siderolabs/lldpd:1.0.20@sha256:4c6370518f5b2e1f03214a6ed54778eaea663fda8850e3f4da174ed69b636172
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -21,6 +21,7 @@ input:
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250917@sha256:7094e5db6931a1b68240416b65ddc0f3b546bd9b8520e3cfb1ddebcbfc83e890
     - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.11.3@sha256:4393756875751e2664a04e96c1ccff84c99958ca819dd93b46b82ad8f3b4be67
     - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.11.3@sha256:3c0b34a760914980ac234e66f130d829e428018e46420b7bca33219b1cc2dd87
+    - imageRef: ghcr.io/siderolabs/lldpd:1.0.20@sha256:4c6370518f5b2e1f03214a6ed54778eaea663fda8850e3f4da174ed69b636172
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -21,6 +21,7 @@ input:
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250917@sha256:7094e5db6931a1b68240416b65ddc0f3b546bd9b8520e3cfb1ddebcbfc83e890
     - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.11.3@sha256:4393756875751e2664a04e96c1ccff84c99958ca819dd93b46b82ad8f3b4be67
     - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.11.3@sha256:3c0b34a760914980ac234e66f130d829e428018e46420b7bca33219b1cc2dd87
+    - imageRef: ghcr.io/siderolabs/lldpd:1.0.20@sha256:4c6370518f5b2e1f03214a6ed54778eaea663fda8850e3f4da174ed69b636172
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -21,6 +21,7 @@ input:
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250917@sha256:7094e5db6931a1b68240416b65ddc0f3b546bd9b8520e3cfb1ddebcbfc83e890
     - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.11.3@sha256:4393756875751e2664a04e96c1ccff84c99958ca819dd93b46b82ad8f3b4be67
     - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.11.3@sha256:3c0b34a760914980ac234e66f130d829e428018e46420b7bca33219b1cc2dd87
+    - imageRef: ghcr.io/siderolabs/lldpd:1.0.20@sha256:4c6370518f5b2e1f03214a6ed54778eaea663fda8850e3f4da174ed69b636172
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -21,6 +21,7 @@ input:
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250917@sha256:7094e5db6931a1b68240416b65ddc0f3b546bd9b8520e3cfb1ddebcbfc83e890
     - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.11.3@sha256:4393756875751e2664a04e96c1ccff84c99958ca819dd93b46b82ad8f3b4be67
     - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.11.3@sha256:3c0b34a760914980ac234e66f130d829e428018e46420b7bca33219b1cc2dd87
+    - imageRef: ghcr.io/siderolabs/lldpd:1.0.20@sha256:4c6370518f5b2e1f03214a6ed54778eaea663fda8850e3f4da174ed69b636172
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/platform/bundles/paas-full.yaml

@@ -76,13 +76,6 @@ releases:
   namespace: cozy-kubeovn
   dependsOn: [cilium,kubeovn]
 
-- name: multus
-  releaseName: multus
-  chart: cozy-multus
-  namespace: cozy-multus
-  privileged: true
-  dependsOn: [cilium,kubeovn]
-
 - name: cozy-proxy
   releaseName: cozystack
   chart: cozy-cozy-proxy

packages/core/platform/bundles/paas-hosted.yaml

@@ -40,10 +40,6 @@ releases:
   chart: cozy-cozystack-api
   namespace: cozy-system
   dependsOn: [cozystack-controller]
-  values:
-    cozystackAPI:
-      localK8sAPIEndpoint:
-        enabled: false
 
 - name: cozystack-controller
   releaseName: cozystack-controller

packages/library/cozy-lib/templates/_resources.tpl

@@ -154,7 +154,7 @@
 {{-   $resources := index . 1 }}
 {{-   $global := index . 2 }}
 {{-   $presetMap := include "cozy-lib.resources.unsanitizedPreset" $preset | fromYaml }}
-{{-   $mergedMap := deepCopy (default (dict) $resources) | mergeOverwrite $presetMap }}
+{{-   $mergedMap := deepCopy $resources | mergeOverwrite $presetMap }}
 {{-   include "cozy-lib.resources.sanitize" (list $mergedMap $global) }}
 {{- end }}
 

packages/system/cozystack-api/templates/api-ingress.yaml

@@ -10,7 +10,6 @@ metadata:
   annotations:
     nginx.ingress.kubernetes.io/backend-protocol: HTTPS
     nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
   name: kubernetes
   namespace: default
 spec:

packages/system/cozystack-api/templates/hook.yaml

@@ -1,87 +0,0 @@
-{{- $shouldRunUpdateHook := false }}
-{{- $previousKind := "Deployment" }}
-{{- $previousKindPlural := "deployments" }}
-{{- if not .Values.cozystackAPI.localK8sAPIEndpoint.enabled }}
-  {{- $previousKind = "DaemonSet" }}
-  {{- $previousKindPlural = "daemonsets" }}
-{{- end }}
-{{- $previous := lookup "apps/v1" $previousKind .Release.Namespace "cozystack-api" }}
-{{- if $previous }}
-  {{- $shouldRunUpdateHook = true }}
-{{- end }}
-
-{{- if $shouldRunUpdateHook }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "cozystack-api-hook"
-  annotations:
-    helm.sh/hook: post-upgrade
-    helm.sh/hook-weight: "1"
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
-spec:
-  template:
-    metadata:
-      labels:
-        policy.cozystack.io/allow-to-apiserver: "true"
-    spec:
-      serviceAccountName: "cozystack-api-hook"
-      containers:
-        - name: kubectl
-          image: docker.io/alpine/k8s:1.33.4
-          command:
-          - sh
-          args:
-            - -exc
-            - |-
-              kubectl --namespace={{ .Release.Namespace }} delete --ignore-not-found \
-                {{ $previousKindPlural }}.apps cozystack-api
-      restartPolicy: Never
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  annotations:
-    helm.sh/hook: post-upgrade
-    helm.sh/hook-weight: "1"
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
-  name: "cozystack-api-hook"
-rules:
-- apiGroups:
-  - "apps"
-  resources:
-  - "{{ $previousKindPlural }}"
-  verbs:
-  - get
-  - delete
-  resourceNames:
-  - "cozystack-api"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: "cozystack-api-hook"
-  annotations:
-    helm.sh/hook: post-upgrade
-    helm.sh/hook-weight: "1"
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: "cozystack-api-hook"
-subjects:
-  - kind: ServiceAccount
-    name: "cozystack-api-hook"
-    namespace: "{{ .Release.Namespace }}"
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: "cozystack-api-hook"
-  annotations:
-    helm.sh/hook: post-upgrade
-    helm.sh/hook-weight: "1"
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
-{{- end }}
-

packages/system/cozystack-resource-definitions/cozyrds/virtual-machine.yaml

@@ -8,7 +8,7 @@ spec:
     plural: virtualmachines
     singular: virtualmachine
     openAPISchema: |-
-      {"title":"Chart Values","type":"object","properties":{"cloudInit":{"description":"Cloud-init user data.","type":"string","default":""},"cloudInitSeed":{"description":"Seed string to generate SMBIOS UUID for the VM.","type":"string","default":""},"external":{"description":"Enable external access from outside the cluster.","type":"boolean","default":false},"externalMethod":{"description":"Method to pass through traffic to the VM.","type":"string","default":"PortList","enum":["PortList","WholeIP"]},"externalPorts":{"description":"Ports to forward from outside the cluster.","type":"array","default":[22],"items":{"type":"integer"}},"gpus":{"description":"List of GPUs to attach.","type":"array","default":[],"items":{"type":"object","required":["name"],"properties":{"name":{"description":"The name of the GPU resource to attach.","type":"string"}}}},"instanceProfile":{"description":"Virtual Machine preferences profile.","type":"string","default":"ubuntu","enum":["alpine","centos.7","centos.7.desktop","centos.stream10","centos.stream10.desktop","centos.stream8","centos.stream8.desktop","centos.stream8.dpdk","centos.stream9","centos.stream9.desktop","centos.stream9.dpdk","cirros","fedora","fedora.arm64","opensuse.leap","opensuse.tumbleweed","rhel.10","rhel.10.arm64","rhel.7","rhel.7.desktop","rhel.8","rhel.8.desktop","rhel.8.dpdk","rhel.9","rhel.9.arm64","rhel.9.desktop","rhel.9.dpdk","rhel.9.realtime","sles","ubuntu","windows.10","windows.10.virtio","windows.11","windows.11.virtio","windows.2k16","windows.2k16.virtio","windows.2k19","windows.2k19.virtio","windows.2k22","windows.2k22.virtio","windows.2k25","windows.2k25.virtio",""]},"instanceType":{"description":"Virtual Machine instance type.","type":"string","default":"u1.medium"},"resources":{"description":"Resource configuration for the virtual machine.","type":"object","default":{},"properties":{"cpu":{"description":"Number of CPU cores allocated.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true},"memory":{"description":"Amount of memory allocated.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true},"sockets":{"description":"Number of CPU sockets (vCPU topology).","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true}}},"running":{"description":"Whether the virtual machine should be running.","type":"boolean","default":true},"sshKeys":{"description":"List of SSH public keys for authentication.","type":"array","default":[],"items":{"type":"string"}},"subnets":{"description":"Additional subnets","type":"array","default":[],"items":{"type":"object","properties":{"name":{"description":"Subnet name","type":"string"}}}},"systemDisk":{"description":"System disk configuration.","type":"object","default":{},"required":["image","storage"],"properties":{"image":{"description":"The base image for the virtual machine.","type":"string","default":"ubuntu","enum":["ubuntu","cirros","alpine","fedora","talos"]},"storage":{"description":"The size of the disk allocated for the virtual machine.","type":"string","default":"5Gi"},"storageClass":{"description":"StorageClass used to store the data.","type":"string","default":"replicated"}}}}}
+      {"title":"Chart Values","type":"object","properties":{"cloudInit":{"description":"Cloud-init user data.","type":"string","default":""},"cloudInitSeed":{"description":"Seed string to generate SMBIOS UUID for the VM.","type":"string","default":""},"external":{"description":"Enable external access from outside the cluster.","type":"boolean","default":false},"externalMethod":{"description":"Method to pass through traffic to the VM.","type":"string","default":"PortList","enum":["PortList","WholeIP"]},"externalPorts":{"description":"Ports to forward from outside the cluster.","type":"array","default":[22],"items":{"type":"integer"}},"gpus":{"description":"List of GPUs to attach.","type":"array","default":[],"items":{"type":"object","required":["name"],"properties":{"name":{"description":"The name of the GPU resource to attach.","type":"string"}}}},"instanceProfile":{"description":"Virtual Machine preferences profile.","type":"string","default":"ubuntu","enum":["alpine","centos.7","centos.7.desktop","centos.stream10","centos.stream10.desktop","centos.stream8","centos.stream8.desktop","centos.stream8.dpdk","centos.stream9","centos.stream9.desktop","centos.stream9.dpdk","cirros","fedora","fedora.arm64","opensuse.leap","opensuse.tumbleweed","rhel.10","rhel.10.arm64","rhel.7","rhel.7.desktop","rhel.8","rhel.8.desktop","rhel.8.dpdk","rhel.9","rhel.9.arm64","rhel.9.desktop","rhel.9.dpdk","rhel.9.realtime","sles","ubuntu","windows.10","windows.10.virtio","windows.11","windows.11.virtio","windows.2k16","windows.2k16.virtio","windows.2k19","windows.2k19.virtio","windows.2k22","windows.2k22.virtio","windows.2k25","windows.2k25.virtio",""]},"instanceType":{"description":"Virtual Machine instance type.","type":"string","default":"u1.medium"},"resources":{"description":"Resource configuration for the virtual machine.","type":"object","default":{},"properties":{"cpu":{"description":"Number of CPU cores allocated.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true},"memory":{"description":"Amount of memory allocated.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true},"sockets":{"description":"Number of CPU sockets (vCPU topology).","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true}}},"running":{"description":"Whether the virtual machine should be running.","type":"boolean","default":true},"sshKeys":{"description":"List of SSH public keys for authentication.","type":"array","default":[],"items":{"type":"string"}},"subnets":{"description":"Additional subnets (management subnet will be attached by default)","type":"array","default":[],"items":{"type":"object","required":["name"],"properties":{"name":{"description":"Name of the subnet to attach","type":"string"}}}},"systemDisk":{"description":"System disk configuration.","type":"object","default":{},"required":["image","storage"],"properties":{"image":{"description":"The base image for the virtual machine.","type":"string","default":"ubuntu","enum":["ubuntu","cirros","alpine","fedora","talos"]},"storage":{"description":"The size of the disk allocated for the virtual machine.","type":"string","default":"5Gi"},"storageClass":{"description":"StorageClass used to store the data.","type":"string","default":"replicated"}}}}}
   release:
     prefix: virtual-machine-
     labels:

packages/system/cozystack-resource-definitions/cozyrds/virtualprivatecloud.yaml

@@ -8,7 +8,7 @@ spec:
     plural: virtualprivateclouds
     singular: virtualprivatecloud
     openAPISchema: |-
-      {"title":"Chart Values","type":"object","properties":{"subnets":{"description":"Subnets of a VPC","type":"object","default":{},"additionalProperties":{"type":"object","properties":{"cidr":{"description":"IP address range","type":"string"}}}}}}
+      {"title":"Chart Values","type":"object","properties":{"subnets":{"description":"Subnets of a VPC","type":"object","default":{},"additionalProperties":{"type":"object","required":["cidr"],"properties":{"cidr":{"description":"Subnet CIDR, e.g. 192.168.0.0/24","type":"string"}}}}}}
   release:
     prefix: "virtualprivatecloud-"
     labels:

packages/system/cozystack-resource-definitions/cozyrds/vm-instance.yaml

@@ -8,7 +8,7 @@ spec:
     singular: vminstance
     plural: vminstances
     openAPISchema: |-
-      {"title":"Chart Values","type":"object","properties":{"cloudInit":{"description":"Cloud-init user data.","type":"string","default":""},"cloudInitSeed":{"description":"Seed string to generate SMBIOS UUID for the VM.","type":"string","default":""},"disks":{"description":"List of disks to attach.","type":"array","default":[],"items":{"type":"object","required":["name"],"properties":{"bus":{"description":"Disk bus type (e.g. \"sata\").","type":"string"},"name":{"description":"Disk name.","type":"string"}}}},"external":{"description":"Enable external access from outside the cluster.","type":"boolean","default":false},"externalMethod":{"description":"Method to pass through traffic to the VM.","type":"string","default":"PortList","enum":["PortList","WholeIP"]},"externalPorts":{"description":"Ports to forward from outside the cluster.","type":"array","default":[22],"items":{"type":"integer"}},"gpus":{"description":"List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).","type":"array","default":[],"items":{"type":"object","required":["name"],"properties":{"name":{"description":"The name of the GPU resource to attach.","type":"string"}}}},"instanceProfile":{"description":"Virtual Machine preferences profile.","type":"string","default":"ubuntu","enum":["alpine","centos.7","centos.7.desktop","centos.stream10","centos.stream10.desktop","centos.stream8","centos.stream8.desktop","centos.stream8.dpdk","centos.stream9","centos.stream9.desktop","centos.stream9.dpdk","cirros","fedora","fedora.arm64","opensuse.leap","opensuse.tumbleweed","rhel.10","rhel.10.arm64","rhel.7","rhel.7.desktop","rhel.8","rhel.8.desktop","rhel.8.dpdk","rhel.9","rhel.9.arm64","rhel.9.desktop","rhel.9.dpdk","rhel.9.realtime","sles","ubuntu","windows.10","windows.10.virtio","windows.11","windows.11.virtio","windows.2k16","windows.2k16.virtio","windows.2k19","windows.2k19.virtio","windows.2k22","windows.2k22.virtio","windows.2k25","windows.2k25.virtio",""]},"instanceType":{"description":"Virtual Machine instance type.","type":"string","default":"u1.medium"},"resources":{"description":"Resource configuration for the virtual machine.","type":"object","default":{},"properties":{"cpu":{"description":"Number of CPU cores allocated.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true},"memory":{"description":"Amount of memory allocated.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true},"sockets":{"description":"Number of CPU sockets (vCPU topology).","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true}}},"running":{"description":"Determines if the virtual machine should be running.","type":"boolean","default":true},"sshKeys":{"description":"List of SSH public keys for authentication.","type":"array","default":[],"items":{"type":"string"}},"subnets":{"description":"Additional subnets","type":"array","default":[],"items":{"type":"object","properties":{"name":{"description":"Subnet name","type":"string"}}}}}}
+      {"title":"Chart Values","type":"object","properties":{"cloudInit":{"description":"Cloud-init user data.","type":"string","default":""},"cloudInitSeed":{"description":"Seed string to generate SMBIOS UUID for the VM.","type":"string","default":""},"disks":{"description":"List of disks to attach.","type":"array","default":[],"items":{"type":"object","required":["name"],"properties":{"bus":{"description":"Disk bus type (e.g. \"sata\").","type":"string"},"name":{"description":"Disk name.","type":"string"}}}},"external":{"description":"Enable external access from outside the cluster.","type":"boolean","default":false},"externalMethod":{"description":"Method to pass through traffic to the VM.","type":"string","default":"PortList","enum":["PortList","WholeIP"]},"externalPorts":{"description":"Ports to forward from outside the cluster.","type":"array","default":[22],"items":{"type":"integer"}},"gpus":{"description":"List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).","type":"array","default":[],"items":{"type":"object","required":["name"],"properties":{"name":{"description":"The name of the GPU resource to attach.","type":"string"}}}},"instanceProfile":{"description":"Virtual Machine preferences profile.","type":"string","default":"ubuntu","enum":["alpine","centos.7","centos.7.desktop","centos.stream10","centos.stream10.desktop","centos.stream8","centos.stream8.desktop","centos.stream8.dpdk","centos.stream9","centos.stream9.desktop","centos.stream9.dpdk","cirros","fedora","fedora.arm64","opensuse.leap","opensuse.tumbleweed","rhel.10","rhel.10.arm64","rhel.7","rhel.7.desktop","rhel.8","rhel.8.desktop","rhel.8.dpdk","rhel.9","rhel.9.arm64","rhel.9.desktop","rhel.9.dpdk","rhel.9.realtime","sles","ubuntu","windows.10","windows.10.virtio","windows.11","windows.11.virtio","windows.2k16","windows.2k16.virtio","windows.2k19","windows.2k19.virtio","windows.2k22","windows.2k22.virtio","windows.2k25","windows.2k25.virtio",""]},"instanceType":{"description":"Virtual Machine instance type.","type":"string","default":"u1.medium"},"resources":{"description":"Resource configuration for the virtual machine.","type":"object","default":{},"properties":{"cpu":{"description":"Number of CPU cores allocated.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true},"memory":{"description":"Amount of memory allocated.","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true},"sockets":{"description":"Number of CPU sockets (vCPU topology).","pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true}}},"running":{"description":"Determines if the virtual machine should be running.","type":"boolean","default":true},"sshKeys":{"description":"List of SSH public keys for authentication.","type":"array","default":[],"items":{"type":"string"}},"subnets":{"description":"Additional subnets (management subnet will be attached by default)","type":"array","default":[],"items":{"type":"object","required":["name"],"properties":{"name":{"description":"Name of the subnet to attach","type":"string"}}}}}}
   release:
     prefix: vm-instance-
     labels:
@@ -28,7 +28,7 @@ spec:
     tags:
       - compute
     icon: PHN2ZyB3aWR0aD0iMTQ0IiBoZWlnaHQ9IjE0NCIgdmlld0JveD0iMCAwIDE0NCAxNDQiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CjxyZWN0IHdpZHRoPSIxNDQiIGhlaWdodD0iMTQ0IiByeD0iMjQiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl82ODdfMzQ1NCkiLz4KPGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzY4N18zNDU0KSI+CjxwYXRoIGQ9Ik04OS41MDM5IDExMS43MDdINTQuNDk3QzU0LjE3MjcgMTExLjcwNyA1NC4wMTA4IDExMS4yMjEgNTQuMzM0OSAxMTEuMDU5TDU3LjI1MjIgMTA4Ljk1MkM2MC4zMzE0IDEwNi42ODMgNjEuOTUyMiAxMDIuNjMxIDYwLjk3OTcgOTguNzQxMkg4My4wMjFDODIuMDQ4NSAxMDIuNjMxIDgzLjY2OTMgMTA2LjY4MyA4Ni43NDg1IDEwOC45NTJMODkuNjY1OCAxMTEuMDU5Qzg5Ljk5IDExMS4yMjEgODkuODI3OSAxMTEuNzA3IDg5LjUwMzkgMTExLjcwN1oiIGZpbGw9IiNCMEI2QkIiLz4KPHBhdGggZD0iTTExMy4zMjggOTguNzQxSDMwLjY3MjVDMjcuNTkzMSA5OC43NDEgMjUgOTYuMTQ4IDI1IDkzLjA2ODdWMzMuMTAzMkMyNSAzMC4wMjM5IDI3LjU5MzEgMjcuNDMwNyAzMC42NzI1IDI3LjQzMDdIMTEzLjMyOEMxMTYuNDA3IDI3LjQzMDcgMTE5IDMwLjAyMzcgMTE5IDMzLjEwMzJWOTMuMDY4N0MxMTkgOTYuMTQ4IDExNi40MDcgOTguNzQxIDExMy4zMjggOTguNzQxWiIgZmlsbD0iI0U4RURFRSIvPgo8cGF0aCBkPSJNMTE5IDg0LjE1NDlIMjVWMzMuMTAzMkMyNSAzMC4wMjM5IDI3LjU5MzEgMjcuNDMwNyAzMC42NzI1IDI3LjQzMDdIMTEzLjMyOEMxMTYuNDA3IDI3LjQzMDcgMTE5IDMwLjAyMzcgMTE5IDMzLjEwMzJMMTE5IDg0LjE1NDlaIiBmaWxsPSIjMDBCM0ZGIi8+CjxwYXRoIGQ9Ik05MC42Mzc0IDExNi41NjlINTMuMzYxNkM1Mi4wNjUxIDExNi41NjkgNTAuOTMwNyAxMTUuNDM1IDUwLjkzMDcgMTE0LjEzOEM1MC45MzA3IDExMi44NDEgNTIuMDY1MSAxMTEuNzA3IDUzLjM2MTYgMTExLjcwN0g5MC42Mzc0QzkxLjkzMzkgMTExLjcwNyA5My4wNjg0IDExMi44NDEgOTMuMDY4NCAxMTQuMTM4QzkzLjA2ODQgMTE1LjQzNSA5MS45MzM5IDExNi41NjkgOTAuNjM3NCAxMTYuNTY5WiIgZmlsbD0iI0U4RURFRSIvPgo8L2c+CjxwYXRoIGQ9Ik03Mi41Mjc1IDUzLjgzNjdDNzIuNDQzMSA1My44MzUxIDcyLjM2MDUgNTMuODEyMiA3Mi4yODczIDUzLjc3MDFMNTYuNDY5OSA0NC43OTM0QzU2LjM5ODMgNDQuNzUxOSA1Ni4zMzg4IDQ0LjY5MjMgNTYuMjk3MyA0NC42MjA3QzU2LjI1NTkgNDQuNTQ5IDU2LjIzMzggNDQuNDY3OCA1Ni4yMzM0IDQ0LjM4NUM1Ni4yMzM0IDQ0LjIxNjkgNTYuMzI1OCA0NC4wNjE3IDU2LjQ2OTkgNDMuOTc4NUw3Mi4xOTEyIDM1LjA2MDlDNzIuMjYzNyAzNS4wMjEgNzIuMzQ1IDM1IDcyLjQyNzcgMzVDNzIuNTEwNSAzNSA3Mi41OTE4IDM1LjAyMSA3Mi42NjQzIDM1LjA2MDlMODguNDg3MiA0NC4wMzk1Qzg4LjU1OTEgNDQuMDgwMSA4OC42MTg4IDQ0LjEzOTIgODguNjYgNDQuMjEwN0M4OC43MDEzIDQ0LjI4MjIgODguNzIyNyA0NC4zNjM1IDg4LjcyMTkgNDQuNDQ2Qzg4LjcyMjUgNDQuNTI4NSA4OC43MDEgNDQuNjA5NyA4OC42NTk4IDQ0LjY4MTJDODguNjE4NSA0NC43NTI2IDg4LjU1ODkgNDQuODExOCA4OC40ODcyIDQ0Ljg1MjVMNzIuNzcxNCA1My43NjgzQzcyLjY5NzIgNTMuODExNCA3Mi42MTMzIDUzLjgzNDkgNzIuNTI3NSA1My44MzY3IiBmaWxsPSJ3aGl0ZSIvPgo8cGF0aCBvcGFjaXR5PSIwLjciIGQ9Ik03MC4yNTUzIDc1LjY1MTdDNzAuMTcxIDc1LjY1MzUgNzAuMDg3OCA3NS42MzE3IDcwLjAxNTEgNzUuNTg4OEw1NC4yNDU4IDY2LjY0MTdDNTQuMTcxNSA2Ni42MDI0IDU0LjEwOTUgNjYuNTQzNiA1NC4wNjYxIDY2LjQ3MTZDNTQuMDIyOCA2Ni4zOTk3IDU0IDY2LjMxNzMgNTQgNjYuMjMzM1Y0OC4yNzhDNTQgNDguMTA4IDU0LjA5MjQgNDcuOTU0NiA1NC4yNDM5IDQ3Ljg2OTZDNTQuMzE3MiA0Ny44MjcxIDU0LjQwMDQgNDcuODA0NyA1NC40ODUxIDQ3LjgwNDdDNTQuNTY5NyA0Ny44MDQ3IDU0LjY1MjkgNDcuODI3MSA1NC43MjYyIDQ3Ljg2OTZMNzAuNDkzNyA1Ni44MTMxQzcwLjU2NDIgNTYuODU2NSA3MC42MjI1IDU2LjkxNyA3MC42NjMyIDU2Ljk4OTFDNzAuNzAzOSA1Ny4wNjEyIDcwLjcyNTcgNTcuMTQyNCA3MC43MjY1IDU3LjIyNTFWNzUuMTgwNUM3MC43MjU5IDc1LjI2MjggNzAuNzA0MiA3NS4zNDM2IDcwLjY2MzUgNzUuNDE1MUM3MC42MjI3IDc1LjQ4NjYgNzAuNTY0MiA3NS41NDY0IDcwLjQ5MzcgNzUuNTg4OEM3MC40MjA2IDc1LjYyOTEgNzAuMzM4NyA3NS42NTA3IDcwLjI1NTMgNzUuNjUxNyIgZmlsbD0id2hpdGUiLz4KPHBhdGggb3BhY2l0eT0iMC40IiBkPSJNNzQuNzE5OCA3NS42NTExQzc0LjYzMzMgNzUuNjUxMiA3NC41NDgyIDc1LjYyOTYgNzQuNDcyMiA3NS41ODgzQzc0LjQwMTYgNzUuNTQ2MSA3NC4zNDMyIDc1LjQ4NjIgNzQuMzAyNyA3NS40MTQ3Qzc0LjI2MjMgNzUuMzQzMSA3NC4yNDExIDc1LjI2MjIgNzQuMjQxMiA3NS4xOFY1Ny4zMzczQzc0LjI0MTIgNTcuMTcxIDc0LjMzMzYgNTcuMDE1OCA3NC40NzIyIDU2LjkyOUw5MC4yMzk3IDQ3Ljk4NTVDOTAuMzExOSA0Ny45NDM4IDkwLjM5MzggNDcuOTIxOSA5MC40NzcxIDQ3LjkyMTlDOTAuNTYwNSA0Ny45MjE5IDkwLjY0MjQgNDcuOTQzOCA5MC43MTQ2IDQ3Ljk4NTVDOTAuNzg3NiA0OC4wMjU1IDkwLjg0ODUgNDguMDg0MiA5MC44OTExIDQ4LjE1NTdDOTAuOTMzNyA0OC4yMjcyIDkwLjk1NjMgNDguMzA4OCA5MC45NTY2IDQ4LjM5MlY2Ni4yMzI4QzkwLjk1NyA2Ni4zMTY0IDkwLjkzNDcgNjYuMzk4NSA5MC44OTIxIDY2LjQ3MDRDOTAuODQ5NSA2Ni41NDI0IDkwLjc4ODEgNjYuNjAxNCA5MC43MTQ2IDY2LjY0MTFMNzQuOTUyNiA3NS41ODgzQzc0Ljg4MjUgNzUuNjMwNyA3NC44MDE4IDc1LjY1MjUgNzQuNzE5OCA3NS42NTExIiBmaWxsPSJ3aGl0ZSIvPgo8ZGVmcz4KPGxpbmVhckdyYWRpZW50IGlkPSJwYWludDBfbGluZWFyXzY4N18zNDU0IiB4MT0iMTYxIiB5MT0iMTgwIiB4Mj0iMy41OTI4NGUtMDciIHkyPSI0Ljk5OTk4IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+CjxzdG9wLz4KPHN0b3Agb2Zmc2V0PSIxIiBzdG9wLWNvbG9yPSIjNTk1NjU2Ii8+CjwvbGluZWFyR3JhZGllbnQ+CjxjbGlwUGF0aCBpZD0iY2xpcDBfNjg3XzM0NTQiPgo8cmVjdCB3aWR0aD0iOTQiIGhlaWdodD0iOTQiIGZpbGw9IndoaXRlIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgyNSAyNSkiLz4KPC9jbGlwUGF0aD4KPC9kZWZzPgo8L3N2Zz4K
-    keysOrder: [["apiVersion"], ["appVersion"], ["kind"], ["metadata"], ["metadata", "name"], ["spec", "external"], ["spec", "externalMethod"], ["spec", "externalPorts"], ["spec", "running"], ["spec", "instanceType"], ["spec", "instanceProfile"], ["spec", "disks"], ["spec", "subnets"], ["spec", "gpus"], ["spec", "resources"], ["spec", "sshKeys"], ["spec", "cloudInit"], ["spec", "cloudInitSeed"]]
+    keysOrder: [["apiVersion"], ["appVersion"], ["kind"], ["metadata"], ["metadata", "name"], ["spec", "external"], ["spec", "externalMethod"], ["spec", "externalPorts"], ["spec", "running"], ["spec", "instanceType"], ["spec", "instanceProfile"], ["spec", "disks"], ["spec", "gpus"], ["spec", "subnets"], ["spec", "resources"], ["spec", "sshKeys"], ["spec", "cloudInit"], ["spec", "cloudInitSeed"]]
   secrets:
     exclude: []
     include: []

packages/system/dashboard/images/openapi-ui-k8s-bff/Dockerfile

@@ -1,11 +1,15 @@
 # imported from https://github.com/cozystack/openapi-ui-k8s-bff
 ARG NODE_VERSION=20.18.1
 FROM node:${NODE_VERSION}-alpine AS builder
+RUN apk add git
 WORKDIR /src
 
-ARG COMMIT_REF=ba56271739505284aee569f914fc90e6a9c670da
+ARG COMMIT_REF=22f9143f5109fb90332651c857d70b51bffccd9b
 RUN wget -O- https://github.com/PRO-Robotech/openapi-ui-k8s-bff/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
 
+COPY patches /patches
+RUN git apply /patches/*.diff
+
 ENV PATH=/src/node_modules/.bin:$PATH
 RUN npm install
 RUN npm run build

packages/system/dashboard/images/openapi-ui-k8s-bff/patches/namespaces.diff

@@ -0,0 +1,21 @@
+diff --git a/src/endpoints/forms/formPrepare/formPrepare.ts b/src/endpoints/forms/formPrepare/formPrepare.ts
+index 7e437db..90c40f6 100644
+--- a/src/endpoints/forms/formPrepare/formPrepare.ts
++++ b/src/endpoints/forms/formPrepare/formPrepare.ts
+@@ -15,6 +15,7 @@ export const prepareFormProps: RequestHandler = async (req: TPrepareFormReq, res
+ 
+     const filteredHeaders = { ...req.headers }
+     delete filteredHeaders['host'] // Avoid passing internal host header
++    delete filteredHeaders['content-length'] // This header causes "stream has been aborted"
+ 
+     const { data: formsOverridesData } = await userKubeApi.get<TFormsOverridesData>(
+       `/apis/${BASE_API_GROUP}/${BASE_API_VERSION}/customformsoverrides`,
+@@ -40,7 +41,7 @@ export const prepareFormProps: RequestHandler = async (req: TPrepareFormReq, res
+       },
+     )
+ 
+-    const { data: namespacesData } = await userKubeApi.get<TBuiltinResources>(`/api/v1/namespaces`, {
++    const { data: namespacesData } = await userKubeApi.get<TBuiltinResources>(`/apis/core.cozystack.io/v1alpha1/tenantnamespaces`, {
+       headers: {
+         // Authorization: `Bearer ${bearerToken}`,
+         // Cookie: cookies,

packages/system/dashboard/images/openapi-ui/Dockerfile

@@ -3,14 +3,9 @@ ARG NODE_VERSION=20.18.1
 # openapi-k8s-toolkit
 # imported from https://github.com/cozystack/openapi-k8s-toolkit
 FROM node:${NODE_VERSION}-alpine AS openapi-k8s-toolkit-builder
-RUN apk add git
 WORKDIR /src
-ARG COMMIT=7bd5380c6c4606640dd3bac68bf9dce469470518
+ARG COMMIT=4f57ab295b2a886eb294b0b987554194fbe67dcd
 RUN wget -O- https://github.com/cozystack/openapi-k8s-toolkit/archive/${COMMIT}.tar.gz | tar -xzvf- --strip-components=1
-
-COPY openapi-k8s-toolkit/patches /patches
-RUN git apply /patches/*.diff
-
 RUN npm install
 RUN npm install --build-from-source @swc/core
 RUN npm run build
@@ -19,14 +14,14 @@ RUN npm run build
 # openapi-ui
 # imported from https://github.com/cozystack/openapi-ui
 FROM node:${NODE_VERSION}-alpine AS builder
-#RUN apk add git
+RUN apk add git
 WORKDIR /src
 
-ARG COMMIT_REF=0c3629b2ce8545e81f7ece4d65372a188c802dfc
+ARG COMMIT_REF=65e7fa8b3dc530a36e94c8435622bb09961aef97
 RUN wget -O- https://github.com/PRO-Robotech/openapi-ui/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
 
-#COPY openapi-ui/patches /patches
-#RUN git apply /patches/*.diff
+COPY patches /patches
+RUN git apply /patches/*.diff
 
 ENV PATH=/src/node_modules/.bin:$PATH
 

packages/system/dashboard/images/openapi-ui/openapi-k8s-toolkit/patches/tenantmodules.diff

@@ -1,50 +0,0 @@
-diff --git a/src/components/molecules/EnrichedTable/organisms/EnrichedTable/utils.tsx b/src/components/molecules/EnrichedTable/organisms/EnrichedTable/utils.tsx
-index 8bcef4d..2551e92 100644
---- a/src/components/molecules/EnrichedTable/organisms/EnrichedTable/utils.tsx
-+++ b/src/components/molecules/EnrichedTable/organisms/EnrichedTable/utils.tsx
-@@ -22,6 +22,15 @@ import { TableFactory } from '../../molecules'
- import { ShortenedTextWithTooltip, FilterDropdown, TrimmedTags, TextAlignContainer, TinyButton } from './atoms'
- import { TInternalDataForControls } from './types'
- 
-+const getPluralForm = (singular: string): string => {
-+  // If already ends with 's', add 'es'
-+  if (singular.endsWith('s')) {
-+    return `${singular}es`
-+  }
-+  // Otherwise just add 's'
-+  return `${singular}s`
-+}
-+
- export const getCellRender = ({
-   value,
-   record,
-@@ -255,7 +264,7 @@ export const getEnrichedColumnsWithControls = ({
-       key: 'controls',
-       className: 'controls',
-       width: 60,
--      render: (value: TInternalDataForControls) => {
-+      render: (value: TInternalDataForControls, record: unknown) => {
-         return (
-           // <TextAlignContainer $align="right" className="hideable">
-           <TextAlignContainer $align="center">
-@@ -279,10 +288,19 @@ export const getEnrichedColumnsWithControls = ({
-                   domEvent.stopPropagation()
-                   domEvent.preventDefault()
-                   if (key === 'edit') {
-+                    // Special case: redirect tenantmodules from core.cozystack.io to apps.cozystack.io with plural form
-+                    let apiGroupAndVersion = value.apiGroupAndVersion
-+                    let typeName = value.typeName
-+                    if (apiGroupAndVersion?.startsWith('core.cozystack.io/') && typeName === 'tenantmodules') {
-+                      const appsApiVersion = apiGroupAndVersion.replace('core.cozystack.io/', 'apps.cozystack.io/')
-+                      const pluralTypeName = getPluralForm(value.entryName)
-+                      apiGroupAndVersion = appsApiVersion
-+                      typeName = pluralTypeName
-+                    }
-                     navigate(
-                       `${baseprefix}/${value.cluster}${value.namespace ? `/${value.namespace}` : ''}${
-                         value.syntheticProject ? `/${value.syntheticProject}` : ''
--                      }/${value.pathPrefix}/${value.apiGroupAndVersion}/${value.typeName}/${value.entryName}?backlink=${
-+                      }/${value.pathPrefix}/${apiGroupAndVersion}/${typeName}/${value.entryName}?backlink=${
-                         value.backlink
-                       }`,
-                     )

packages/system/dashboard/images/openapi-ui/patches/namespaces.diff

@@ -0,0 +1,89 @@
+diff --git a/src/components/organisms/ListInsideClusterAndNs/ListInsideClusterAndNs.tsx b/src/components/organisms/ListInsideClusterAndNs/ListInsideClusterAndNs.tsx
+index 577ba0f..018df9c 100644
+--- a/src/components/organisms/ListInsideClusterAndNs/ListInsideClusterAndNs.tsx
++++ b/src/components/organisms/ListInsideClusterAndNs/ListInsideClusterAndNs.tsx
+@@ -1,11 +1,16 @@
+ import React, { FC, useState } from 'react'
+ import { Button, Alert, Spin, Typography } from 'antd'
+-import { filterSelectOptions, Spacer, useBuiltinResources } from '@prorobotech/openapi-k8s-toolkit'
++import { filterSelectOptions, Spacer, useApiResources } from '@prorobotech/openapi-k8s-toolkit'
+ import { useNavigate } from 'react-router-dom'
+ import { useSelector, useDispatch } from 'react-redux'
+ import { RootState } from 'store/store'
+ import { setCluster } from 'store/cluster/cluster/cluster'
+ import { Styled } from './styled'
++import {
++  BASE_PROJECTS_API_GROUP,
++  BASE_PROJECTS_VERSION,
++  BASE_PROJECTS_RESOURCE_NAME,
++} from 'constants/customizationApiGroupAndVersion'
+ 
+ export const ListInsideClusterAndNs: FC = () => {
+   const clusterList = useSelector((state: RootState) => state.clusterList.clusterList)
+@@ -17,9 +22,11 @@ export const ListInsideClusterAndNs: FC = () => {
+   const [selectedCluster, setSelectedCluster] = useState<string>()
+   const [selectedNamespace, setSelectedNamespace] = useState<string>()
+ 
+-  const namespacesData = useBuiltinResources({
++  const namespacesData = useApiResources({
+     clusterName: cluster,
+-    typeName: 'namespaces',
++    apiGroup: BASE_PROJECTS_API_GROUP,
++    apiVersion: BASE_PROJECTS_VERSION,
++    typeName: BASE_PROJECTS_RESOURCE_NAME,
+     limit: null,
+   })
+ 
+diff --git a/src/hooks/useNavSelectorInside.ts b/src/hooks/useNavSelectorInside.ts
+index d69405e..5adbd5d 100644
+--- a/src/hooks/useNavSelectorInside.ts
++++ b/src/hooks/useNavSelectorInside.ts
+@@ -1,6 +1,11 @@
+-import { TClusterList, TSingleResource, useBuiltinResources } from '@prorobotech/openapi-k8s-toolkit'
++import { TClusterList, TSingleResource, useApiResources } from '@prorobotech/openapi-k8s-toolkit'
+ import { useSelector } from 'react-redux'
+ import { RootState } from 'store/store'
++import {
++  BASE_PROJECTS_API_GROUP,
++  BASE_PROJECTS_VERSION,
++  BASE_PROJECTS_RESOURCE_NAME,
++} from 'constants/customizationApiGroupAndVersion'
+ 
+ const mappedClusterToOptionInSidebar = ({ name }: TClusterList[number]): { value: string; label: string } => ({
+   value: name,
+@@ -15,9 +20,11 @@ const mappedNamespaceToOptionInSidebar = ({ metadata }: TSingleResource): { valu
+ export const useNavSelectorInside = (clusterName?: string) => {
+   const clusterList = useSelector((state: RootState) => state.clusterList.clusterList)
+ 
+-  const { data: namespaces } = useBuiltinResources({
++  const { data: namespaces } = useApiResources({
+     clusterName: clusterName || '',
+-    typeName: 'namespaces',
++    apiGroup: BASE_PROJECTS_API_GROUP,
++    apiVersion: BASE_PROJECTS_VERSION,
++    typeName: BASE_PROJECTS_RESOURCE_NAME,
+     limit: null,
+   })
+ 
+diff --git a/src/utils/getBacklink.ts b/src/utils/getBacklink.ts
+index a862354..f24e2bc 100644
+--- a/src/utils/getBacklink.ts
++++ b/src/utils/getBacklink.ts
+@@ -28,7 +28,7 @@ export const getFormsBackLink = ({
+   }
+ 
+   if (namespacesMode) {
+-    return `${baseprefix}/${clusterName}/builtin-table/namespaces`
++    return `${baseprefix}/${clusterName}/api-table/core.cozystack.io/v1alpha1/tenantnamespaces`
+   }
+ 
+   if (possibleProject) {
+@@ -64,7 +64,7 @@ export const getTablesBackLink = ({
+   }
+ 
+   if (namespacesMode) {
+-    return `${baseprefix}/${clusterName}/builtin-table/namespaces`
++    return `${baseprefix}/${clusterName}/api-table/core.cozystack.io/v1alpha1/tenantnamespaces`
+   }
+ 
+   if (possibleProject) {

packages/system/dashboard/templates/web.yaml

@@ -42,12 +42,10 @@ spec:
               value: dashboard.cozystack.io
             - name: BASE_API_VERSION
               value: v1alpha1
-            - name: BASE_NAMESPACE_FULL_PATH
-              value: "/apis/core.cozystack.io/v1alpha1/tenantnamespaces"
             - name: LOGGER
-              value: "true"
+              value: "TRUE"
             - name: LOGGER_WITH_HEADERS
-              value: "false"
+              value: "TRUE"
             - name: PORT
               value: "64231"
           image: {{ .Values.openapiUIK8sBff.image | quote }}
@@ -94,8 +92,6 @@ spec:
         - env:
             - name: BASEPREFIX
               value: /openapi-ui
-            - name: HIDE_INSIDE
-              value: "true"
             - name: CUSTOMIZATION_API_GROUP
               value: dashboard.cozystack.io
             - name: CUSTOMIZATION_API_VERSION
@@ -126,12 +122,6 @@ spec:
               value: tenantnamespaces
             - name: PROJECTS_VERSION
               value: v1alpha1
-            - name: CUSTOM_NAMESPACE_API_RESOURCE_API_GROUP
-              value: core.cozystack.io
-            - name: CUSTOM_NAMESPACE_API_RESOURCE_API_VERSION
-              value: v1alpha1
-            - name: CUSTOM_NAMESPACE_API_RESOURCE_RESOURCE_NAME
-              value: tenantnamespaces
             - name: USE_NAMESPACE_NAV
               value: "true"
             - name: LOGIN_URL
@@ -150,21 +140,21 @@ spec:
                 configMapKeyRef:
                   name: incloud-web-dashboard-config
                   key: TITLE_TEXT
-            - name: CUSTOM_TENANT_TEXT
+            - name: TENANT_TEXT
               valueFrom:
                 configMapKeyRef:
                   name: incloud-web-dashboard-config
-                  key: CUSTOM_TENANT_TEXT
+                  key: TENANT_TEXT
             - name: LOGO_TEXT
               valueFrom:
                 configMapKeyRef:
                   name: incloud-web-dashboard-config
                   key: LOGO_TEXT
-            - name: CUSTOM_LOGO_SVG
+            - name: LOGO_SVG
               valueFrom:
                 configMapKeyRef:
                   name: incloud-web-dashboard-config
-                  key: CUSTOM_LOGO_SVG
+                  key: LOGO_SVG
             - name: ICON_SVG
               valueFrom:
                 configMapKeyRef:

packages/system/dashboard/values.yaml

@@ -1,6 +1,6 @@
 openapiUI:
-  image: ghcr.io/cozystack/cozystack/openapi-ui:latest@sha256:77991f2482c0026d082582b22a8ffb191f3ba6fc948b2f125ef9b1081538f865
+  image: ghcr.io/cozystack/cozystack/openapi-ui:v0.37.0@sha256:13f38cf56830e899eb5e3d9dc8184965dd8dba9f8cd3c5ca10df0970355842d6
 openapiUIK8sBff:
-  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:latest@sha256:8386f0747266726afb2b30db662092d66b0af0370e3becd8bee9684125fa9cc9
+  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v0.37.0@sha256:2b626dbbf87241e8621ac5b0285f402edbc2c2069ba254ca2ace2dd5c9248ac8
 tokenProxy:
-  image: ghcr.io/cozystack/cozystack/token-proxy:latest@sha256:fad27112617bb17816702571e1f39d0ac3fe5283468d25eb12f79906cdab566b
+  image: ghcr.io/cozystack/cozystack/token-proxy:v0.37.0@sha256:fad27112617bb17816702571e1f39d0ac3fe5283468d25eb12f79906cdab566b

packages/system/fluxcd-operator/Makefile

@@ -10,4 +10,3 @@ update:
 	rm -rf charts
 	helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts
 	patch --no-backup-if-mismatch -p1 < patches/kubernetesEnvs.diff
-	patch --no-backup-if-mismatch -p1 < patches/networkPolicy.diff

packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml

@@ -1,21 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumClusterwideNetworkPolicy" }}
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: {{ include "flux-operator.fullname" . }}-restrict
-spec:
-  nodeSelector: {}
-  ingressDeny:
-    - fromEntities:
-        - world
-      toPorts:
-        - ports:
-            - port: "8080"
-              protocol: TCP
-            - port: "8081"
-              protocol: TCP
-  ingress:
-    - fromEntities:
-        - cluster
-{{- end }}

packages/system/fluxcd-operator/patches/networkPolicy.diff

@@ -1,25 +0,0 @@
-diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
-new file mode 100644
---- /dev/null	(revision 52a23eacfc32430d8b008b765c64a81526521bae)
-+++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml	(revision 52a23eacfc32430d8b008b765c64a81526521bae)
-@@ -0,0 +1,18 @@
-+{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumClusterwideNetworkPolicy" }}
-+apiVersion: cilium.io/v2
-+kind: CiliumClusterwideNetworkPolicy
-+metadata:
-+  name: {{ include "flux-operator.fullname" . }}-restrict
-+spec:
-+  nodeSelector: {}
-+  ingressDeny:
-+    - fromEntities:
-+        - world
-+      toPorts:
-+        - ports:
-+            - port: "8080"
-+              protocol: TCP
-+            - port: "8081"
-+              protocol: TCP
-+  ingress:
-+    - fromEntities:
-+        - cluster
-+{{- end }}

packages/system/kubevirt-operator/alerts/PrometheusRule.yaml

@@ -10,7 +10,7 @@ spec:
       expr: |
         max_over_time(
           kubevirt_vm_info{
-            status!="running",
+            status!="Running",
             exported_namespace=~".+",
             name=~".+"
           }[10m]
@@ -27,7 +27,7 @@ spec:
       expr: |
         max_over_time(
           kubevirt_vmi_info{
-            phase!="Running",
+            phase!="running",
             exported_namespace=~".+",
             name=~".+"
           }[10m]

packages/system/kubevirt/templates/kubevirt-cr.yaml

@@ -22,13 +22,7 @@ spec:
       - GPU
       - VMExport
     evictionStrategy: LiveMigrate
-    vmRolloutStrategy: LiveUpdate
-  workloadUpdateStrategy:
-    workloadUpdateMethods:
-    - LiveMigrate
-    - Evict
-    batchEvictionInterval: 1m
-    batchEvictionSize: 10
   customizeComponents: {}
   imagePullPolicy: IfNotPresent
   monitorNamespace: tenant-root
+  workloadUpdateStrategy: {}

packages/system/piraeus-operator/charts/piraeus/Chart.yaml

@@ -3,8 +3,8 @@ name: piraeus
 description: |
   The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
 type: application
-version: 2.9.1
-appVersion: "v2.9.1"
+version: 2.9.0
+appVersion: "v2.9.0"
 maintainers:
   - name: Piraeus Datastore
     url: https://piraeus.io

packages/system/piraeus-operator/charts/piraeus/templates/config.yaml

@@ -1,4 +1,4 @@
-# DO NOT EDIT; Automatically created by tools/copy-image-config-to-chart.sh
+# DO NOT EDIT; Automatically created by hack/copy-image-config-to-chart.sh
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -17,16 +17,16 @@ data:
     #   quay.io/piraeusdatastore/piraeus-server:v1.24.2
     components:
       linstor-controller:
-        tag: v1.32.3
+        tag: v1.31.3
         image: piraeus-server
       linstor-satellite:
-        tag: v1.32.3
+        tag: v1.31.3
         image: piraeus-server
       linstor-csi:
-        tag: v1.9.0
+        tag: v1.8.0
         image: piraeus-csi
       drbd-reactor:
-        tag: v1.9.0
+        tag: v1.8.0
         image: drbd-reactor
       ha-controller:
         tag: v1.3.0
@@ -35,45 +35,45 @@ data:
         tag: v1.0.0
         image: drbd-shutdown-guard
       ktls-utils:
-        tag: v1.2.1
+        tag: v1.1.0
         image: ktls-utils
       drbd-module-loader:
-        tag: v9.2.15
+        tag: v9.2.14
         # The special "match" attribute is used to select an image based on the node's reported OS.
         # The operator will first check the k8s node's ".status.nodeInfo.osImage" field, and compare it against the list
         # here. If one matches, that specific image name will be used instead of the fallback image.
         image: drbd9-noble # Fallback image: chose a recent kernel, which can hopefully compile whatever config is actually in use
         match:
+          - osImage: Red Hat Enterprise Linux Server 7\.
+            image: drbd9-centos7
           - osImage: Red Hat Enterprise Linux 8\.
             image: drbd9-almalinux8
           - osImage: Red Hat Enterprise Linux 9\.
             image: drbd9-almalinux9
-          - osImage: Red Hat Enterprise Linux 10\.
-            image: drbd9-almalinux10
           - osImage: "Red Hat Enterprise Linux CoreOS 41[3-9]"
             image: drbd9-almalinux9
           - osImage: Red Hat Enterprise Linux CoreOS
             image: drbd9-almalinux8
+          - osImage: CentOS Linux 7
+            image: drbd9-centos7
           - osImage: CentOS Linux 8
             image: drbd9-almalinux8
           - osImage: AlmaLinux 8
             image: drbd9-almalinux8
           - osImage: AlmaLinux 9
             image: drbd9-almalinux9
-          - osImage: AlmaLinux 10
-            image: drbd9-almalinux10
           - osImage: Oracle Linux Server 8\.
             image: drbd9-almalinux8
           - osImage: Oracle Linux Server 9\.
             image: drbd9-almalinux9
-          - osImage: Oracle Linux Server 10\.
-            image: drbd9-almalinux10
           - osImage: Rocky Linux 8
             image: drbd9-almalinux8
           - osImage: Rocky Linux 9
             image: drbd9-almalinux9
-          - osImage: Rocky Linux 10
-            image: drbd9-almalinux10
+          - osImage: Ubuntu 18\.04
+            image: drbd9-bionic
+          - osImage: Ubuntu 20\.04
+            image: drbd9-focal
           - osImage: Ubuntu 22\.04
             image: drbd9-jammy
           - osImage: Ubuntu 24\.04
@@ -82,30 +82,32 @@ data:
             image: drbd9-bookworm
           - osImage: Debian GNU/Linux 11
             image: drbd9-bullseye
+          - osImage: Debian GNU/Linux 10
+            image: drbd9-buster
   0_sig_storage_images.yaml: |
     ---
     base: registry.k8s.io/sig-storage
     components:
       csi-attacher:
-        tag: v4.10.0
+        tag: v4.9.0
         image: csi-attacher
       csi-livenessprobe:
-        tag: v2.17.0
+        tag: v2.16.0
         image: livenessprobe
       csi-provisioner:
         tag: v5.3.0
         image: csi-provisioner
       csi-snapshotter:
-        tag: v8.3.0
+        tag: v8.2.1
         image: csi-snapshotter
       csi-resizer:
-        tag: v1.14.0
+        tag: v1.13.2
         image: csi-resizer
       csi-external-health-monitor-controller:
-        tag: v0.16.0
+        tag: v0.15.0
         image: csi-external-health-monitor-controller
       csi-node-driver-registrar:
-        tag: v2.15.0
+        tag: v2.14.0
         image: csi-node-driver-registrar
   {{- range $idx, $value := .Values.imageConfigOverride }}
   {{ add $idx 1 }}_helm_override.yaml: |

packages/system/piraeus-operator/charts/piraeus/templates/rbac.yaml

@@ -1,5 +1,11 @@
-# DO NOT EDIT; Automatically created by tools/copy-rbac-config-to-chart.sh
-{{ if .Values.rbac.create }}
+{{ if .Values.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "piraeus-operator.serviceAccountName" . }}
+  labels:
+  {{- include "piraeus-operator.labels" . | nindent 4 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -8,288 +14,448 @@ metadata:
   labels:
     {{- include "piraeus-operator.labels" . | nindent 4 }}
 rules:
-- apiGroups:
-    - ""
-  resources:
-    - configmaps
-    - events
-    - persistentvolumes
-    - pods
-    - secrets
-    - serviceaccounts
-    - services
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - ""
-  resources:
-    - nodes
-    - persistentvolumeclaims
-  verbs:
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - ""
-  resources:
-    - persistentvolumeclaims/status
-  verbs:
-    - patch
-- apiGroups:
-    - ""
-  resources:
-    - pods/eviction
-  verbs:
-    - create
-- apiGroups:
-    - apiextensions.k8s.io
-  resources:
-    - customresourcedefinitions
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - apps
-  resources:
-    - daemonsets
-    - deployments
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - apps
-  resources:
-    - replicasets
-  verbs:
-    - get
-- apiGroups:
-    - cert-manager.io
-  resources:
-    - certificates
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - events.k8s.io
-  resources:
-    - events
-  verbs:
-    - create
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - internal.linstor.linbit.com
-  resources:
-    - '*'
-  verbs:
-    - create
-    - delete
-    - deletecollection
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - piraeus.io
-  resources:
-    - linstorclusters
-    - linstornodeconnections
-    - linstorsatellites
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - piraeus.io
-  resources:
-    - linstorclusters/finalizers
-    - linstornodeconnections/finalizers
-    - linstorsatellites/finalizers
-  verbs:
-    - update
-- apiGroups:
-    - piraeus.io
-  resources:
-    - linstorclusters/status
-    - linstornodeconnections/status
-    - linstorsatelliteconfigurations/status
-    - linstorsatellites/status
-  verbs:
-    - get
-    - patch
-    - update
-- apiGroups:
-    - piraeus.io
-  resources:
-    - linstorsatelliteconfigurations
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - rbac.authorization.k8s.io
-  resources:
-    - clusterrolebindings
-    - clusterroles
-    - rolebindings
-    - roles
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - security.openshift.io
-  resourceNames:
-    - privileged
-  resources:
-    - securitycontextconstraints
-  verbs:
-    - use
-- apiGroups:
-    - snapshot.storage.k8s.io
-  resources:
-    - volumesnapshotclasses
-    - volumesnapshots
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - snapshot.storage.k8s.io
-  resources:
-    - volumesnapshotcontents
-  verbs:
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - snapshot.storage.k8s.io
-  resources:
-    - volumesnapshotcontents/status
-  verbs:
-    - patch
-    - update
-- apiGroups:
-    - storage.k8s.io
-  resources:
-    - csidrivers
-    - csistoragecapacities
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - storage.k8s.io
-  resources:
-    - csinodes
-  verbs:
-    - get
-    - list
-    - patch
-    - watch
-- apiGroups:
-    - storage.k8s.io
-  resources:
-    - storageclasses
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - storage.k8s.io
-  resources:
-    - volumeattachments
-  verbs:
-    - delete
-    - get
-    - list
-    - patch
-    - watch
-- apiGroups:
-    - storage.k8s.io
-  resources:
-    - volumeattachments/status
-  verbs:
-    - patch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - events
+      - persistentvolumes
+      - secrets
+      - serviceaccounts
+      - services
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - pods
+      - secrets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims/status
+    verbs:
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - delete
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/eviction
+    verbs:
+      - create
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - deployments
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - get
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - certificates
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - events.k8s.io
+    resources:
+      - events
+    verbs:
+      - create
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - internal.linstor.linbit.com
+    resources:
+      - '*'
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstorclusters
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstorclusters/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstorclusters/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstornodeconnections
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstornodeconnections/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstornodeconnections/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstorsatelliteconfigurations
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstorsatelliteconfigurations/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstorsatellites
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstorsatellites/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - piraeus.io
+    resources:
+      - linstorsatellites/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterrolebindings
+      - clusterroles
+      - rolebindings
+      - roles
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+  - apiGroups:
+      - snapshot.storage.k8s.io
+    resources:
+      - volumesnapshotclasses
+      - volumesnapshots
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - snapshot.storage.k8s.io
+    resources:
+      - volumesnapshotcontents
+    verbs:
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - snapshot.storage.k8s.io
+    resources:
+      - volumesnapshotcontents/status
+    verbs:
+      - patch
+      - update
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - csidrivers
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - csinodes
+    verbs:
+      - get
+      - list
+      - patch
+      - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - csistoragecapacities
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - volumeattachments
+    verbs:
+      - delete
+      - get
+      - list
+      - patch
+      - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - volumeattachments/status
+    verbs:
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "piraeus-operator.fullname" . }}-manager-rolebinding
+  labels:
+    {{- include "piraeus-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ include "piraeus-operator.fullname" . }}-controller-manager'
+subjects:
+  - kind: ServiceAccount
+    name: '{{ include "piraeus-operator.serviceAccountName" . }}'
+    namespace: '{{ .Release.Namespace }}'
+{{ end }}
+{{ if.Values.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "piraeus-operator.fullname" . }}-proxy-role
+  labels:
+    {{- include "piraeus-operator.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "piraeus-operator.fullname" . }}-proxy-rolebinding
+  labels:
+    {{- include "piraeus-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ include "piraeus-operator.fullname" . }}-proxy-role'
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "piraeus-operator.serviceAccountName" . }}
+    namespace: '{{ .Release.Namespace }}'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ include "piraeus-operator.fullname" . }}-leader-election
+  name: {{ include "piraeus-operator.fullname" . }}-leader-election-role
   labels:
     {{- include "piraeus-operator.labels" . | nindent 4 }}
 rules:
-- apiGroups:
-    - ""
-  resources:
-    - configmaps
-  verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - patch
-    - delete
-- apiGroups:
-    - coordination.k8s.io
-  resources:
-    - leases
-  verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - patch
-    - delete
-- apiGroups:
-    - ""
-  resources:
-    - events
-  verbs:
-    - create
-    - patch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "piraeus-operator.fullname" . }}-leader-election-rolebinding
+  labels:
+    {{- include "piraeus-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: '{{ include "piraeus-operator.fullname" . }}-leader-election-role'
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "piraeus-operator.serviceAccountName" . }}
+    namespace: '{{ .Release.Namespace }}'
 {{ end }}

packages/system/piraeus-operator/charts/piraeus/templates/rolebindings.yaml

@@ -1,33 +0,0 @@
-{{ if .Values.rbac.create }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "piraeus-operator.fullname" . }}-leader-election
-  namespace: {{ .Release.Namespace }}
-  labels:
-      {{- include "piraeus-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "piraeus-operator.fullname" . }}-leader-election
-subjects:
-- kind: ServiceAccount
-  name: {{ include "piraeus-operator.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "piraeus-operator.fullname" . }}-controller-manager
-  labels:
-    {{- include "piraeus-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "piraeus-operator.fullname" . }}-controller-manager
-subjects:
-- kind: ServiceAccount
-  name: {{ include "piraeus-operator.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
-{{ end }}

packages/system/piraeus-operator/charts/piraeus/templates/serviceaccount.yaml

@@ -1,9 +0,0 @@
-{{ if .Values.serviceAccount.create }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "piraeus-operator.serviceAccountName" . }}
-  labels:
-    {{- include "piraeus-operator.labels" . | nindent 4 }}
-{{ end }}

packages/system/seaweedfs/Makefile

@@ -1,29 +1,12 @@
-export NAME=seaweedfs-system
+NAME=seaweedfs-system
 
-include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 update:
 	rm -rf charts
 	mkdir -p charts
-	version=$$(git ls-remote --tags --sort="v:refname" https://github.com/seaweedfs/seaweedfs | grep -v '\^{}' | grep 'refs/tags/[0-9]' | awk -F'/' 'END{print $$3}') && \
-	curl -sSL https://github.com/seaweedfs/seaweedfs/archive/refs/tags/$${version}.tar.gz | \
-	tar xzvf - --strip 3 -C charts seaweedfs-$${version}/k8s/charts/seaweedfs && \
-	sed -i.bak "/ARG VERSION/ s|=.*|=$${version}|g" images/seaweedfs/Dockerfile && \
-	rm -f images/seaweedfs/Dockerfile.bak
+	curl -sSL https://github.com/seaweedfs/seaweedfs/archive/refs/heads/master.tar.gz | \
+	tar xzvf - --strip 3 -C charts seaweedfs-master/k8s/charts/seaweedfs
 	patch --no-backup-if-mismatch -p4 < patches/resize-api-server-annotation.diff
+	patch --no-backup-if-mismatch -p4 < patches/fix-volume-servicemonitor.patch
 	#patch --no-backup-if-mismatch -p4 < patches/retention-policy-delete.yaml
-
-image:
-	docker buildx build images/seaweedfs \
-		--tag $(REGISTRY)/seaweedfs:$(call settag,$(TAG)) \
-		--cache-from type=registry,ref=$(REGISTRY)/seaweedfs:latest \
-		--cache-to type=inline \
-		--metadata-file images/seaweedfs.json \
-		$(BUILDX_ARGS)
-	REGISTRY="$(REGISTRY)" \
-		yq -i '.seaweedfs.image.registry = strenv(REGISTRY)' values.yaml
-	TAG=$(TAG)@$$(yq e '."containerimage.digest"' images/seaweedfs.json -o json -r) \
-		yq -i '.seaweedfs.image.tag = strenv(TAG)' values.yaml
-	yq -i '.global.imageName = "seaweedfs"' values.yaml
-	rm -f images/seaweedfs.json

packages/system/seaweedfs/charts/seaweedfs/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 description: SeaweedFS
 name: seaweedfs
-appVersion: "3.99"
+appVersion: "3.97"
 # Dev note: Trigger a helm chart release by `git tag -a helm-<version>`
-version: 4.0.399
+version: 4.0.397

packages/system/seaweedfs/charts/seaweedfs/templates/all-in-one/all-in-one-deployment.yaml

@@ -79,12 +79,6 @@ spec:
           image: {{ template "master.image" . }}
           imagePullPolicy: {{ default "IfNotPresent" .Values.global.imagePullPolicy }}
           env:
-            {{- /* Determine default cluster alias and the corresponding env var keys to avoid conflicts */}}
-            {{- $envMerged := merge (.Values.global.extraEnvironmentVars | default dict) (.Values.allInOne.extraEnvironmentVars | default dict) }}
-            {{- $clusterDefault := default "sw" (index $envMerged "WEED_CLUSTER_DEFAULT") }}
-            {{- $clusterUpper := upper $clusterDefault }}
-            {{- $clusterMasterKey := printf "WEED_CLUSTER_%s_MASTER" $clusterUpper }}
-            {{- $clusterFilerKey := printf "WEED_CLUSTER_%s_FILER" $clusterUpper }}
             - name: POD_IP
               valueFrom:
                 fieldRef:
@@ -101,7 +95,6 @@ spec:
               value: "{{ template "seaweedfs.name" . }}"
             {{- if .Values.allInOne.extraEnvironmentVars }}
             {{- range $key, $value := .Values.allInOne.extraEnvironmentVars }}
-            {{- if and (ne $key $clusterMasterKey) (ne $key $clusterFilerKey) }}
             - name: {{ $key }}
               {{- if kindIs "string" $value }}
               value: {{ $value | quote }}
@@ -111,10 +104,8 @@ spec:
               {{- end }}
             {{- end }}
             {{- end }}
-            {{- end }}
             {{- if .Values.global.extraEnvironmentVars }}
             {{- range $key, $value := .Values.global.extraEnvironmentVars }}
-            {{- if and (ne $key $clusterMasterKey) (ne $key $clusterFilerKey) }}
             - name: {{ $key }}
               {{- if kindIs "string" $value }}
               value: {{ $value | quote }}
@@ -124,12 +115,6 @@ spec:
               {{- end }}
             {{- end }}
             {{- end }}
-            {{- end }}
-            # Inject computed cluster endpoints for the default cluster
-            - name: {{ $clusterMasterKey }}
-              value: {{ include "seaweedfs.cluster.masterAddress" . | quote }}
-            - name: {{ $clusterFilerKey }}
-              value: {{ include "seaweedfs.cluster.filerAddress" . | quote }}
           command:
             - "/bin/sh"
             - "-ec"

packages/system/seaweedfs/charts/seaweedfs/templates/cosi/cosi-deployment.yaml

@@ -15,6 +15,7 @@ spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
+      helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: objectstorage-provisioner
   template:

packages/system/seaweedfs/charts/seaweedfs/templates/filer/filer-ingress.yaml

@@ -28,8 +28,8 @@ spec:
   rules:
   - http:
       paths:
-      - path: {{ .Values.filer.ingress.path | quote }}
-        pathType: {{ .Values.filer.ingress.pathType | quote }}
+      - path: /sw-filer/?(.*)
+        pathType: ImplementationSpecific
         backend:
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
           service:

packages/system/seaweedfs/charts/seaweedfs/templates/master/master-ingress.yaml

@@ -28,8 +28,8 @@ spec:
   rules:
     - http:
         paths:
-          - path: {{ .Values.master.ingress.path | quote }}
-            pathType: {{ .Values.master.ingress.pathType | quote }}
+          - path: /sw-master/?(.*)
+            pathType: ImplementationSpecific
             backend:
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
               service:

packages/system/seaweedfs/charts/seaweedfs/templates/s3/s3-ingress.yaml

@@ -27,8 +27,8 @@ spec:
   rules:
   - http:
       paths:
-      - path: {{ .Values.s3.ingress.path | quote }}
-        pathType: {{ .Values.s3.ingress.pathType | quote }}
+      - path: /
+        pathType: ImplementationSpecific
         backend:
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
           service:

packages/system/seaweedfs/charts/seaweedfs/templates/shared/_helpers.tpl

@@ -96,16 +96,13 @@ Inject extra environment vars in the format key:value, if populated
 {{/* Computes the container image name for all components (if they are not overridden) */}}
 {{- define "common.image" -}}
 {{- $registryName := default .Values.image.registry .Values.global.registry | toString -}}
-{{- $repositoryName := default .Values.image.repository .Values.global.repository | toString -}}
+{{- $repositoryName := .Values.image.repository | toString -}}
 {{- $name := .Values.global.imageName | toString -}}
 {{- $tag := default .Chart.AppVersion .Values.image.tag  | toString -}}
-{{- if $repositoryName -}}
-{{-   $name = printf "%s/%s" (trimSuffix "/" $repositoryName) (base $name) -}}
-{{- end -}}
 {{- if $registryName -}}
-{{-   printf "%s/%s:%s" $registryName $name $tag -}}
+{{- printf "%s/%s%s:%s" $registryName $repositoryName $name $tag -}}
 {{- else -}}
-{{-   printf "%s:%s" $name $tag -}}
+{{- printf "%s%s:%s" $repositoryName $name $tag -}}
 {{- end -}}
 {{- end -}}
 
@@ -222,27 +219,3 @@ or generate a new random password if it doesn't exist.
   {{- randAlphaNum $length -}}
 {{- end -}}
 {{- end -}}
-
-{{/*
-Compute the master service address to be used in cluster env vars.
-If allInOne is enabled, point to the all-in-one service; otherwise, point to the master service.
-*/}}
-{{- define "seaweedfs.cluster.masterAddress" -}}
-{{- $serviceNameSuffix := "-master" -}}
-{{- if .Values.allInOne.enabled -}}
-{{-   $serviceNameSuffix = "-all-in-one" -}}
-{{- end -}}
-{{- printf "%s%s.%s:%d" (include "seaweedfs.name" .) $serviceNameSuffix .Release.Namespace (int .Values.master.port) -}}
-{{- end -}}
-
-{{/*
-Compute the filer service address to be used in cluster env vars.
-If allInOne is enabled, point to the all-in-one service; otherwise, point to the filer-client service.
-*/}}
-{{- define "seaweedfs.cluster.filerAddress" -}}
-{{- $serviceNameSuffix := "-filer-client" -}}
-{{- if .Values.allInOne.enabled -}}
-{{-   $serviceNameSuffix = "-all-in-one" -}}
-{{- end -}}
-{{- printf "%s%s.%s:%d" (include "seaweedfs.name" .) $serviceNameSuffix .Release.Namespace (int .Values.filer.port) -}}
-{{- end -}}

packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-servicemonitor.yaml

@@ -21,9 +21,9 @@ metadata:
     {{- with $.Values.global.monitoring.additionalLabels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-{{- with $volume.annotations }}
+{{- if $.Values.volume.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- toYaml $.Values.volume.annotations | nindent 4 }}
 {{- end }}
 spec:
   endpoints:

packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-statefulset.yaml

@@ -88,9 +88,6 @@ spec:
             - name: {{ $dir.name }}
               mountPath: /{{ $dir.name }}
           {{- end }}
-          {{- if $volume.containerSecurityContext.enabled }}
-          securityContext: {{- omit $volume.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-          {{- end }}
         {{- end }}
         {{- if $volume.initContainers }}
         {{ tpl (printf "{{ $volumeName := \"%s\" }}%s" $volumeName $volume.initContainers) $ | indent 8 | trim }}

packages/system/seaweedfs/charts/seaweedfs/values.yaml

@@ -3,7 +3,6 @@
 global:
   createClusterRole: true
   registry: ""
-  # if repository is set, it overrides the namespace part of imageName
   repository: ""
   imageName: chrislusf/seaweedfs
   imagePullPolicy: IfNotPresent
@@ -202,7 +201,8 @@ master:
   # nodeSelector labels for master pod assignment, formatted as a muli-line string.
   # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   # Example:
-  nodeSelector: ""
+  nodeSelector: |
+    kubernetes.io/arch: amd64
   # nodeSelector: |
   #   sw-backend: "true"
 
@@ -238,8 +238,6 @@ master:
     className: "nginx"
     # host: false for "*" hostname
     host: "master.seaweedfs.local"
-    path: "/sw-master/?(.*)"
-    pathType: ImplementationSpecific
     annotations:
       nginx.ingress.kubernetes.io/auth-type: "basic"
       nginx.ingress.kubernetes.io/auth-secret: "default/ingress-basic-auth-secret"
@@ -480,7 +478,8 @@ volume:
   # nodeSelector labels for server pod assignment, formatted as a muli-line string.
   # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   # Example:
-  nodeSelector: ""
+  nodeSelector: |
+   kubernetes.io/arch: amd64
   # nodeSelector: |
   #   sw-volume: "true"
 
@@ -736,7 +735,8 @@ filer:
   # nodeSelector labels for server pod assignment, formatted as a muli-line string.
   # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   # Example:
-  nodeSelector: ""
+  nodeSelector: |
+    kubernetes.io/arch: amd64
   # nodeSelector: |
   #   sw-backend: "true"
 
@@ -772,8 +772,6 @@ filer:
     className: "nginx"
     # host: false for "*" hostname
     host: "seaweedfs.cluster.local"
-    path: "/sw-filer/?(.*)"
-    pathType: ImplementationSpecific
     annotations:
       nginx.ingress.kubernetes.io/backend-protocol: GRPC
       nginx.ingress.kubernetes.io/auth-type: "basic"
@@ -873,7 +871,7 @@ filer:
     #     anonymousRead: false
 
 s3:
-  enabled: true
+  enabled: false
   imageOverride: null
   restartPolicy: null
   replicas: 1
@@ -934,7 +932,8 @@ s3:
   # nodeSelector labels for server pod assignment, formatted as a muli-line string.
   # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   # Example:
-  nodeSelector: ""
+  nodeSelector: |
+    kubernetes.io/arch: amd64
   # nodeSelector: |
   #   sw-backend: "true"
 
@@ -976,11 +975,6 @@ s3:
 
   extraEnvironmentVars:
 
-  # Custom command line arguments to add to the s3 command
-  # Example to fix connection idle seconds:
-  extraArgs: ["-idleTimeout=30"]
-  # extraArgs: []
-
   # used to configure livenessProbe on s3 containers
   #
   livenessProbe:
@@ -1012,8 +1006,6 @@ s3:
     className: "nginx"
     # host: false for "*" hostname
     host: "seaweedfs.cluster.local"
-    path: "/"
-    pathType: Prefix
     # additional ingress annotations for the s3 endpoint
     annotations: {}
     tls: []
@@ -1059,7 +1051,8 @@ sftp:
   annotations: {}
   resources: {}
   tolerations: ""
-  nodeSelector: ""
+  nodeSelector: |
+    kubernetes.io/arch: amd64
   priorityClassName: ""
   serviceAccountName: ""
   podSecurityContext: {}
@@ -1186,7 +1179,8 @@ allInOne:
 
   # nodeSelector labels for master pod assignment, formatted as a muli-line string.
   # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
-  nodeSelector: ""
+  nodeSelector: |
+    kubernetes.io/arch: amd64
 
   # Used to assign priority to master pods
   # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/

packages/system/seaweedfs/images/seaweedfs/Dockerfile

@@ -1,2 +0,0 @@
-ARG VERSION=3.99
-FROM chrislusf/seaweedfs:${VERSION}

packages/system/seaweedfs/patches/fix-volume-servicemonitor.patch

@@ -0,0 +1,15 @@
+diff --git a/packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-servicemonitor.yaml b/packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-servicemonitor.yaml
+--- a/packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-servicemonitor.yaml	(revision 8951bc13d7d02b5e6982a239570ed58ed7cb025a)
++++ b/packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-servicemonitor.yaml	(revision fa4fff2292c4b79a92db5cd654a3c6bf590252a6)
+@@ -21,9 +21,9 @@
+     {{- with $.Values.global.monitoring.additionalLabels }}
+     {{- toYaml . | nindent 4 }}
+     {{- end }}
+-{{- if .Values.volume.annotations }}
++{{- if $.Values.volume.annotations }}
+   annotations:
+-    {{- toYaml .Values.volume.annotations | nindent 4 }}
++    {{- toYaml $.Values.volume.annotations | nindent 4 }}
+ {{- end }}
+ spec:
+   endpoints:

packages/system/seaweedfs/templates/hook.yaml

@@ -2,7 +2,7 @@
 {{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace "seaweedfs-deployed-version" }}
 {{- if $configMap }}
   {{- $deployedVersion := dig "data" "version" "0" $configMap }}
-  {{- if ge $deployedVersion "3" }}
+  {{- if ge $deployedVersion "2" }}
     {{- $shouldRunUpdateHook = false }}
   {{- end }}
 {{- end }}

packages/system/seaweedfs/templates/version.yaml

@@ -3,4 +3,4 @@ kind: ConfigMap
 metadata:
   name: seaweedfs-deployed-version
 data:
-  version: "3"
+  version: "2"

packages/system/seaweedfs/values.yaml

@@ -1,16 +1,12 @@
 global:
   enableSecurity: true
   serviceAccountName: "tenant-foo-seaweedfs"
-  imageName: "seaweedfs"
   extraEnvironmentVars:
     WEED_CLUSTER_SW_MASTER: "seaweedfs-master:9333"
     WEED_CLUSTER_SW_FILER: "seaweedfs-filer-client:8888"
   monitoring:
     enabled: true
 seaweedfs:
-  image:
-    tag: "latest@sha256:944e9bff98b088773847270238b63ce57dc5291054814d08e0226a139b3affb2"
-    registry: ghcr.io/cozystack/cozystack
   master:
     volumeSizeLimitMB: 30000
     replicas: 3
@@ -87,7 +83,7 @@ seaweedfs:
       existingConfigSecret: null
       auditLogConfig: {}
   s3:
-    enabled: false
+    enabled: true
     extraArgs:
       - -idleTimeout=60
     enableAuth: false

pkg/apis/apps/fuzzer/fuzzer.go

@@ -17,10 +17,17 @@ limitations under the License.
 package fuzzer
 
 import (
+	"github.com/cozystack/cozystack/pkg/apis/apps"
+	fuzz "github.com/google/gofuzz"
+
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
 )
 
 // Funcs returns the fuzzer functions for the apps api group.
 var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
-	return []interface{}{}
+	return []interface{}{
+		func(s *apps.ApplicationSpec, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+	}
 }

pkg/apis/apps/validation/validation.go

@@ -14,17 +14,27 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package install
+package validation
 
 import (
-	"testing"
-
-	sdnfuzzer "github.com/cozystack/cozystack/pkg/apis/sdn/fuzzer"
-	"k8s.io/apimachinery/pkg/api/apitesting/roundtrip"
+	"github.com/cozystack/cozystack/pkg/apis/apps"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
-func TestRoundTripTypes(t *testing.T) {
-	roundtrip.RoundTripTestForAPIGroup(t, Install, sdnfuzzer.Funcs)
-	// TODO: enable protobuf generation for the sample-apiserver
-	// roundtrip.RoundTripProtobufTestForAPIGroup(t, Install, corefuzzer.Funcs)
+// ValidateApplication validates a Application.
+func ValidateApplication(f *apps.Application) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	allErrs = append(allErrs, ValidateApplicationSpec(&f.Spec, field.NewPath("spec"))...)
+
+	return allErrs
+}
+
+// ValidateApplicationSpec validates a ApplicationSpec.
+func ValidateApplicationSpec(s *apps.ApplicationSpec, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	// TODO validation
+
+	return allErrs
 }

pkg/apis/core/fuzzer/fuzzer.go

@@ -17,10 +17,17 @@ limitations under the License.
 package fuzzer
 
 import (
+	"github.com/cozystack/cozystack/pkg/apis/core"
+	fuzz "github.com/google/gofuzz"
+
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
 )
 
 // Funcs returns the fuzzer functions for the core api group.
 var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
-	return []interface{}{}
+	return []interface{}{
+		func(s *core.TenantNamespaceSpec, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+	}
 }

pkg/apis/core/v1alpha1/register.go

@@ -59,9 +59,11 @@ func RegisterStaticTypes(scheme *runtime.Scheme) {
 		&TenantNamespaceList{},
 		&TenantSecret{},
 		&TenantSecretList{},
+		&TenantSecretsTable{},
+		&TenantSecretsTableList{},
 		&TenantModule{},
 		&TenantModuleList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
-	klog.V(1).Info("Registered static kinds: TenantNamespace, TenantSecret, TenantModule")
+	klog.V(1).Info("Registered static kinds: TenantNamespace, TenantSecret, TenantSecretsTable, TenantModule")
 }

pkg/apis/core/v1alpha1/tenantsecretstable_types.go

@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: Apache-2.0
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// TenantSecretEntry represents a single key from a Secret's data.
+type TenantSecretEntry struct {
+	Name  string `json:"name,omitempty"`
+	Key   string `json:"key,omitempty"`
+	Value string `json:"value,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// TenantSecretsTable is a virtual, namespaced resource that exposes every key
+// of Secrets labelled cozystack.io/ui=true as a separate object.
+type TenantSecretsTable struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Data TenantSecretEntry `json:"data,omitempty"`
+}
+
+// DeepCopy methods are generated by deepcopy-gen
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type TenantSecretsTableList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []TenantSecretsTable `json:"items"`
+}
+
+// DeepCopy methods are generated by deepcopy-gen

pkg/apis/core/v1alpha1/zz_generated.deepcopy.go

@@ -216,6 +216,22 @@ func (in *TenantSecret) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantSecretEntry) DeepCopyInto(out *TenantSecretEntry) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSecretEntry.
+func (in *TenantSecretEntry) DeepCopy() *TenantSecretEntry {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantSecretEntry)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TenantSecretList) DeepCopyInto(out *TenantSecretList) {
 	*out = *in
@@ -248,3 +264,63 @@ func (in *TenantSecretList) DeepCopyObject() runtime.Object {
 	}
 	return nil
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantSecretsTable) DeepCopyInto(out *TenantSecretsTable) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Data = in.Data
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSecretsTable.
+func (in *TenantSecretsTable) DeepCopy() *TenantSecretsTable {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantSecretsTable)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TenantSecretsTable) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantSecretsTableList) DeepCopyInto(out *TenantSecretsTableList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TenantSecretsTable, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSecretsTableList.
+func (in *TenantSecretsTableList) DeepCopy() *TenantSecretsTableList {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantSecretsTableList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TenantSecretsTableList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}

pkg/apis/core/validation/validation.go

@@ -0,0 +1,40 @@
+/*
+Copyright 2024 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"github.com/cozystack/cozystack/pkg/apis/core"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// ValidateTenantNamespace validates a TenantNamespace.
+func ValidateTenantNamespace(f *core.TenantNamespace) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	allErrs = append(allErrs, ValidateTenantNamespaceSpec(&f.Spec, field.NewPath("spec"))...)
+
+	return allErrs
+}
+
+// ValidateTenantNamespaceSpec validates a TenantNamespaceSpec.
+func ValidateTenantNamespaceSpec(s *core.TenantNamespaceSpec, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	// TODO validation
+
+	return allErrs
+}

pkg/apis/sdn/DESIGN.md

@@ -1,243 +0,0 @@
-# Cozystack Security Groups (Model A) — Design v0.1
-
-**Status:** Draft (decisions captured; open questions intentionally deferred)
-
-## 1) Summary
-
-Cozystack introduces **Security Groups (SGs)** that map 1:1 to Cilium (Clusterwide)NetworkPolicies. Users attach SGs to managed applications; under the hood, the controller labels the application’s pods with a presence label `securitygroups.cozystack.io/sg-<id>: ""`. Each SG is reconciled into a **single** Cilium policy whose `endpointSelector` matches that label. This yields AWS-like semantics (attach/detach) with minimal object fan‑out.
-
-## 2) Goals / Non‑Goals
-
-**Goals**
-
-- Provide a stable, AWS‑style abstractions for traffic control (attach/detach SGs to managed apps).
-- Keep policy count ≈ number of SGs (not attachments).
-- Avoid disruptive changes to clusters that do not opt into SGs.
-
-**Non‑Goals**
-
-- We do not redesign tenant isolation here; existing isolation policies remain.
-- We do not introduce per‑attachment bespoke policy logic (that would be Model B).
-
-## 3) Terminology
-
-- **SG** — SecurityGroup (Cozystack CRD), user‑facing construct.
-- **CNP/CCNP** — CiliumNetworkPolicy / CiliumClusterwideNetworkPolicy (backend object).
-- **Attachment** — association between a managed application and one or more SGs; implemented via pod labels.
-
-## 4) High‑Level Architecture
-
-1. User creates **SecurityGroup** (`cozystack.io/v1alpha1`), defining ingress/egress rules.
-2. SG controller reconciles SG → a **single** CNP/CCNP named `cozy-sg-<id>` with:
-   - `endpointSelector`: `matchExpressions: [{ key: securitygroups.cozystack.io/sg-<id>, operator: Exists }]`.
-   - Rules translated from SG spec.
-3. User attaches SG(s) to a managed application via either:
-   - Application subresource: `/<apigroup>/<kind>/<name>/securitygroupattachments`, or
-   - SG subresource: `/securitygroups/<name>/attach`.
-4. Attachment controller resolves the target → applies/maintains pod template labels so new pods inherit; best‑effort patches existing pods; removes labels on detach.
-
-## 5) CRDs (user‑facing)
-
-### 5.1 SecurityGroup
-
-```yaml
-apiVersion: cozystack.io/v1alpha1
-kind: SecurityGroup
-metadata:
-  name: sg-db
-  namespace: tenant-a           # optional; cluster scope supported (see spec.scope)
-spec:
-  scope: Cluster                 # Cluster | Namespace
-  description: "DB access group"
-  selectorLabelKey: securitygroups.cozystack.io/sg-db  # controller defaults to this if unset
-  egress:
-    - toSecurityGroups: [ sg-web ]
-      toPorts:
-        - protocol: TCP
-          port: 5432
-    - toFQDNs: [ "*.apt.example.org" ]
-    - toCIDRs: [ "10.0.0.0/8" ]
-  ingress:
-    - fromSecurityGroups: [ sg-web ]
-      toPorts:
-        - protocol: TCP
-          port: 5432
-```
-
-**Notes**
-
-- `scope: Cluster` → controller renders a **CiliumClusterwideNetworkPolicy**; otherwise **namespaced CNP**.
-- `selectorLabelKey` is the authoritative label for attachments. Presence semantics (`""` value) are used.
-
-### 5.2 SecurityGroupAttachment
-
-```yaml
-apiVersion: cozystack.io/v1alpha1
-kind: SecurityGroupAttachment
-metadata:
-  name: sga-postgres-foo
-  namespace: tenant-a
-spec:
-  subjectRef:                    # ONE of subjectRef | selectorRef (subjectRef preferred for managed apps)
-    group: postgresql.cnpg.io
-    kind: Cluster
-    name: foo
-  securityGroups:
-    - sg-db
-    - sg-monitoring
-```
-
-**Notes**
-
-- This is the **source of truth** the controller watches; subresources (below) create/update these objects.
-
-## 6) Subresources (user entry points)
-
-Subresources provide ergonomic, RBAC‑friendly ways to manage attachments without exposing internal wiring.
-
-### 6.1 Managed application subresource — `/securitygroupattachments`
-
-- **Path (example):** `/apis/postgresql.cnpg.io/v1/namespaces/<ns>/clusters/<name>/securitygroupattachments`
-- **POST/PATCH body:** `{ securityGroups: ["sg-db", "sg-monitoring"] }`
-- **Semantics:** Create or upsert a `SecurityGroupAttachment` bound to this subject.
-- **RBAC intent:** Tenant admins with rights on the app can manage its attachments.
-
-### 6.2 Security group subresource — `/attach`
-
-- **Path:** `/apis/cozystack.io/v1/namespaces/<ns>/securitygroups/<name>/attach`
-- **POST body:**
-
-```yaml
-subjects:
-  - group: postgresql.cnpg.io
-    kind: Cluster
-    name: foo
-    namespace: tenant-a
-```
-
-- **Semantics:** Append or reconcile `SecurityGroupAttachment` objects for the listed subjects.
-- **RBAC intent:** Platform admins (or delegated roles) can attach SGs to many resources.
-
-> Both subresources are symmetric and operate by creating/updating `SecurityGroupAttachment` objects. They are idempotent.
-
-## 7) Labeling Conventions (authoritative)
-
-- **Attachment label (presence):** `securitygroups.cozystack.io/<sg-id>: ""`
-- **Optional marker label:** `securitygroups.cozystack.io/enabled: "true"` (used to exclude SG‑managed pods from legacy namespace policies during migration).
-- Controllers ensure pod **templates** carry the labels; existing pods are patched best‑effort.
-
-## 8) Controller Responsibilities
-
-### 8.1 SG Controller
-
-- Reconcile SG → CNP/CCNP `cozy-sg-<id>` with the `endpointSelector` above.
-- Translate SG `ingress/egress` to Cilium spec (toEndpoints/fromEndpoints using other SGs’ label keys; toFQDNs; toCIDRs; toPorts).
-- Ensure ownerRefs/labels for traceability; emit Events; expose Prometheus metrics.
-
-### 8.2 Attachment Controller
-
-- Resolve `subjectRef` to the managed application → identify pod template(s) (e.g., StatefulSet, Deployment, KubeVirt VM pods).
-- Apply/remove attachment labels on templates; patch live pods where feasible.
-- Maintain a projection status on `SecurityGroupAttachment.status` (attached pod count, last reconcile time).
-- Garbage‑collect labels when attachments are deleted; use finalizers for cleanup.
-
-## 9) Backend Cilium Objects (rendered)
-
-### 9.1 Example generated CCNP for `sg-db`
-
-```yaml
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: cozy-sg-db
-spec:
-  endpointSelector:
-    matchExpressions:
-      - key: securitygroups.cozystack.io/sg-db
-        operator: Exists
-  ingress:
-    - fromEndpoints:
-        - matchExpressions:
-            - key: securitygroups.cozystack.io/sg-web
-              operator: Exists
-      toPorts:
-        - ports:
-            - port: "5432"
-              protocol: TCP
-  egress:
-    - toFQDNs:
-        - matchPattern: "*.apt.example.org"
-```
-
-## 10) RBAC Model (concise)
-
-- \*\*ClusterRole: \*\*\`\` — full CRUD on `SecurityGroup` and `/attach`, cluster‑wide.
-- \*\*Role: \*\*\`\` — can use app `/securitygroupattachments` within their namespaces; read SGs cluster‑wide.
-- Controllers need write access to: CNP/CCNP, workload templates in target namespaces, and pods (patch labels best‑effort).
-
-## 11) Safety & Interactions (decisions baked in)
-
-- **Scoping:** Policies only apply to pods carrying the SG label; other pods remain unaffected.
-- **Union of allows:** SG rules are additive with existing policies; to avoid accidental widening, legacy namespace policies should be updated to **exclude** pods with `securitygroups.cozystack.io/enabled=true`.
-- **No host‑policy changes:** Host networking (nodeSelector) is out of scope for SGs.
-
-## 12) Migration (minimal, non‑disruptive)
-
-1. Deploy controllers (no attachments yet).
-2. Create tenant‑specific **baseline SG(s)** if desired (DNS, metrics, etc.).
-3. Update legacy namespace policies to **not select** SG‑managed pods (e.g., `DoesNotExist` match on `securitygroups.cozystack.io/enabled`).
-4. Attach SGs to a canary app; verify datapath; roll out.
-5. Optionally deprecate legacy namespace egress‑only policies after adoption.
-
-## 13) Observability
-
-- `SecurityGroupAttachment.status` summarizes effective attachments.
-- Pods receive an annotation `securitygroups.cozystack.io/attached: "sg-a,sg-b,..."` for quick inspection.
-- Events on SG and Attachment objects for attach/detach and reconciliation failures.
-
-## 14) Examples
-
-### 14.1 User defines an SG and attaches it to a Postgres cluster
-
-```yaml
-apiVersion: cozystack.io/v1alpha1
-kind: SecurityGroup
-metadata:
-  name: sg-db
-spec:
-  scope: Cluster
-  ingress:
-    - fromSecurityGroups: [ sg-web ]
-      toPorts:
-        - protocol: TCP
-          port: 5432
-```
-
-```yaml
-apiVersion: cozystack.io/v1alpha1
-kind: SecurityGroupAttachment
-metadata:
-  name: sga-postgres-foo
-  namespace: tenant-a
-spec:
-  subjectRef:
-    group: postgresql.cnpg.io
-    kind: Cluster
-    name: foo
-  securityGroups:
-    - sg-db
-```
-
-### 14.2 Resulting pod labels (applied by controller)
-
-```yaml
-metadata:
-  labels:
-    securitygroups.cozystack.io/enabled: "true"
-    securitygroups.cozystack.io/sg-db: ""
-```
-
----
-
-**This document intentionally focuses on the decided mechanics (Model A, label‑based attachments, SG→Cilium one‑to‑one). Extensions (e.g., reusable CIDR/FQDN groups, per‑attachment overrides, policy linting) can be added later without changing the core model.**
-

pkg/apis/sdn/fuzzer/fuzzer.go

@@ -1,26 +0,0 @@
-/*
-Copyright 2024 The Cozystack Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package fuzzer
-
-import (
-	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
-)
-
-// Funcs returns the fuzzer functions for the core api group.
-var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
-	return []interface{}{}
-}