Add AI-agent for changelogs generation

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.github/workflows/pull-requests.yaml

@@ -33,6 +33,9 @@ jobs:
           fetch-depth: 0
           fetch-tags: true
 
+      - name: Run unit tests
+        run: make unit-tests
+
       - name: Set up Docker config
         run: |
           if [ -d ~/.docker ]; then

.gitignore

@@ -1,4 +1,5 @@
 _out
+_repos
 .git
 .idea
 .vscode

AGENTS.md

@@ -0,0 +1,38 @@
+# AI Agents Overview
+
+This file provides structured guidance for AI coding assistants and agents
+working with the **Cozystack** project.
+
+## Agent Documentation
+
+| Agent | Purpose |
+|-------|---------|
+| [overview.md](./docs/agents/overview.md) | Project structure and conventions |
+| [contributing.md](./docs/agents/contributing.md) | Commits, pull requests, and git workflow |
+| [changelog.md](./docs/agents/changelog.md) | Changelog generation instructions |
+| [releasing.md](./docs/agents/releasing.md) | Release process and workflow |
+
+## Project Overview
+
+**Cozystack** is a Kubernetes-based platform for building cloud infrastructure with managed services (databases, VMs, K8s clusters), multi-tenancy, and GitOps delivery.
+
+## Quick Reference
+
+### Code Structure
+- `packages/core/` - Core platform charts (installer, platform)
+- `packages/system/` - System components (CSI, CNI, operators)
+- `packages/apps/` - User-facing applications in catalog
+- `packages/extra/` - Tenant-specific modules
+- `cmd/`, `internal/`, `pkg/` - Go code
+- `api/` - Kubernetes CRDs
+
+### Conventions
+- **Helm Charts**: Umbrella pattern, vendored upstream charts in `charts/`
+- **Go Code**: Controller-runtime patterns, kubebuilder style
+- **Git Commits**: `[component] Description` format with `--signoff`
+
+### What NOT to Do
+- ❌ Edit `/vendor/`, `zz_generated.*.go`, upstream charts directly
+- ❌ Modify `go.mod`/`go.sum` manually (use `go get`)
+- ❌ Force push to main/master
+- ❌ Commit built artifacts from `_out`

Makefile

@@ -1,4 +1,4 @@
-.PHONY: manifests repos assets
+.PHONY: manifests repos assets unit-tests helm-unit-tests
 
 build-deps:
 	@command -V find docker skopeo jq gh helm > /dev/null
@@ -46,6 +46,11 @@ test:
 	make -C packages/core/testing apply
 	make -C packages/core/testing test
 
+unit-tests: helm-unit-tests
+
+helm-unit-tests:
+	hack/helm-unit-tests.sh
+
 prepare-env:
 	make -C packages/core/testing apply
 	make -C packages/core/testing prepare-cluster

docs/agents/changelog.md

@@ -0,0 +1,666 @@
+# Changelog Generation Instructions
+
+This file contains detailed instructions for AI-powered IDE on how to generate changelogs for Cozystack releases.
+
+## When to use these instructions
+
+Follow these instructions when the user explicitly asks to generate a changelog.
+
+## Required Tools
+
+Before generating changelogs, ensure you have access to `gh` (GitHub CLI) tool, which is used to fetch commit and PR author information. The GitHub CLI is used to correctly identify PR authors from commits and pull requests.
+
+## Changelog Generation Process
+
+When the user asks to generate a changelog, follow these steps in the specified order:
+
+**CHECKLIST - All actions that must be completed:**
+- [ ] Step 1: Update information from remote (git fetch)
+- [ ] Step 2: Check current branch (must be main)
+- [ ] Step 3: Determine release type and previous version (minor vs patch release)
+- [ ] Step 4: Determine versions and analyze existing changelogs
+- [ ] Step 5: Get the list of commits for the release period
+- [ ] Step 6: Check additional repositories (website is REQUIRED, optional repos if tags exist)
+  - [ ] **MANDATORY**: Check website repository for documentation changes WITH authors and PR links via GitHub CLI
+  - [ ] **MANDATORY**: Check ALL optional repositories (talm, boot-to-talos, cozypkg, cozy-proxy) for tags during release period
+  - [ ] **MANDATORY**: For ALL commits from additional repos, get GitHub username via CLI, prioritizing PR author over commit author.
+- [ ] Step 7: Analyze commits (extract PR numbers, authors, user impact)
+  - [ ] **MANDATORY**: For EVERY PR in main repo, get PR author via `gh pr view <PR_NUMBER> --json author --jq .author.login` (do NOT skip this step)
+  - [ ] **MANDATORY**: Extract PR numbers from commit messages, then use `gh pr view` for each PR to get the PR author. Do NOT use commit author. Only for commits without PR numbers (rare), fall back to `gh api repos/cozystack/cozystack/commits/<hash> --jq '.author.login'`
+- [ ] Step 8: Form new changelog (structure, format, generate contributors list)
+- [ ] Step 9: Verify completeness and save
+
+### 1. Updating information from remote
+
+```bash
+git fetch --tags --force --prune
+```
+
+This is necessary to get up-to-date information about tags and commits from the remote repository.
+
+### 2. Checking current branch
+
+Make sure we are on the `main` branch:
+
+```bash
+git branch --show-current
+```
+
+### 3. Determining release type and previous version
+
+**Important**: Determine if you're generating a changelog for a **minor release** (vX.Y.0) or a **patch release** (vX.Y.Z where Z > 0).
+
+**For minor releases (vX.Y.0):**
+- Each minor version lives and evolves in its own branch (`release-X.Y`)
+- You MUST compare with the **previous minor version** (v(X-1).Y.0), not the last patch release
+- This ensures you capture all changes from the entire minor version cycle, including all patch releases
+- Example: For v0.38.0, compare with v0.37.0 (not v0.37.8)
+- Run a separate cycle to check the diff with the zero version of the previous minor release
+
+**For patch releases (vX.Y.Z where Z > 0):**
+- Compare with the previous patch version (vX.Y.(Z-1))
+- Example: For v0.37.2, compare with v0.37.1
+
+### 4. Determining versions and analyzing existing changelogs
+
+**Determine the last published version:**
+1. Get the list of version tags:
+   ```bash
+   git tag -l 'v[0-9]*.[0-9]*.[0-9]*' | sort -V
+   ```
+
+2. Get the last tag:
+   ```bash
+   git tag -l 'v[0-9]*.[0-9]*.[0-9]*' | sort -V | tail -1
+   ```
+
+3. Compare tags with existing changelog files in `docs/changelogs/` to determine the last published version (the newest file `vX.Y.Z.md`)
+
+**Study existing changelog format:**
+- Review recent changelog files to understand the format and structure
+- Pay attention to:
+  - **Feature Highlights format** (for minor releases): Use `## Feature Highlights` with `### Feature Name` subsections containing detailed descriptions (2-4 paragraphs each). See v0.35.0 and v0.36.0 for examples.
+  - Section structure (Major Features and Improvements, Security, Fixes, Dependencies, etc.)
+  - PR link format (e.g., `[**@username**](https://github.com/username) in #1234`)
+  - Change description style
+  - Presence of Breaking changes sections, etc.
+
+### 5. Getting the list of commits
+
+**Important**: Determine if you're generating a changelog for a **minor release** (vX.Y.0) or a **patch release** (vX.Y.Z where Z > 0).
+
+**For patch releases (vX.Y.Z where Z > 0):**
+Get the list of commits starting from the previous patch version to HEAD:
+
+**⚠️ CRITICAL: Do NOT use --first-parent flag! It will skip merge commits including backports!**
+
+```bash
+# Get all commits including merge commits (backports)
+git log <previous_version>..HEAD --pretty=format:"%h - %s (%an, %ar)"
+```
+
+For example, if generating changelog for `v0.37.2`:
+```bash
+git log v0.37.1..HEAD --pretty=format:"%h - %s (%an, %ar)"
+```
+
+**⚠️ IMPORTANT: Check for backports:**
+- Look for commits with "[Backport release-X.Y]" in the commit message
+- For backport PRs, find the original PR number mentioned in the backport commit message or PR description
+- Use the original PR author (not the backport PR author) when creating changelog entries
+- Include both the original PR number and backport PR number in the changelog entry (e.g., `#1606, #1609`)
+
+**For minor releases (vX.Y.0):**
+Minor releases must include **all changes** from patch releases of the previous minor version. Get commits from the previous minor release:
+
+**⚠️ CRITICAL: Do NOT use --first-parent flag! It will skip merge commits including backports!**
+
+```bash
+# For v0.38.0, get all commits since v0.37.0 (including all patch releases v0.37.1, v0.37.2, etc.)
+git log v<previous_minor_version>..HEAD --pretty=format:"%h - %s (%an, %ar)"
+```
+
+For example, if generating changelog for `v0.38.0`:
+```bash
+git log v0.37.0..HEAD --pretty=format:"%h - %s (%an, %ar)"
+```
+
+This will include all commits from v0.37.1, v0.37.2, v0.37.3, etc., up to v0.38.0.
+
+**⚠️ IMPORTANT: Always check merge commits:**
+- Merge commits may contain backports that need to be included
+- Check all commits in the range, including merge commits
+- For backports, always find and reference the original PR
+
+### 6. Analyzing additional repositories
+
+**⚠️ CRITICAL: This step is MANDATORY and must NOT be skipped!**
+
+Cozystack release may include changes from related repositories. Check and include commits from these repositories if tags were released during the release period:
+
+**Required repositories:**
+- **Documentation**: https://github.com/cozystack/website
+  - **MANDATORY**: Always check this repository for documentation changes during the release period
+  - **MANDATORY**: Get GitHub username for EVERY commit. Extract PR number from commit message, then use `gh pr view <PR_NUMBER> --repo cozystack/website --json author --jq .author.login` to get PR author. Only if no PR number, fall back to `gh api repos/cozystack/website/commits/<hash> --jq '.author.login'`
+
+**Optional repositories (MUST check ALL of them for tags during release period):**
+- https://github.com/cozystack/talm
+- https://github.com/cozystack/boot-to-talos
+- https://github.com/cozystack/cozypkg
+- https://github.com/cozystack/cozy-proxy
+
+**⚠️ IMPORTANT**: You MUST check ALL optional repositories for tags created during the release period. Do NOT skip this step even if you think there might not be any tags. Use the process below to verify.
+
+**Process for each repository:**
+
+1. **Get release period dates:**
+   ```bash
+   # Get dates for the release period
+   cd /path/to/cozystack
+   RELEASE_START=$(git log -1 --format=%ai v<previous_version>)
+   RELEASE_END=$(git log -1 --format=%ai HEAD)
+   ```
+
+2. **Check for commits in website repository (always required):**
+   ```bash
+   # Ensure website repository is cloned and up-to-date
+   mkdir -p _repos
+   if [ ! -d "_repos/website" ]; then
+     cd _repos && git clone https://github.com/cozystack/website.git && cd ..
+   fi
+   cd _repos/website
+   git fetch --all --tags --force
+   git checkout main 2>/dev/null || git checkout master
+   git pull
+   
+   # Get commits between release dates (with some buffer)
+   git log --since="$RELEASE_START" --until="$RELEASE_END" --format="%H|%s|%an" | while IFS='|' read -r commit_hash subject author_name; do
+     # Extract PR number from commit message
+     PR_NUMBER=$(git log -1 --format="%B" "$commit_hash" | grep -oE '#[0-9]+' | head -1 | tr -d '#')
+     
+     # ALWAYS use PR author if PR number found, not commit author
+     if [ -n "$PR_NUMBER" ]; then
+       GITHUB_USERNAME=$(gh pr view "$PR_NUMBER" --repo cozystack/website --json author --jq '.author.login // empty' 2>/dev/null)
+       echo "$commit_hash|$subject|$author_name|$GITHUB_USERNAME|cozystack/website#$PR_NUMBER"
+     else
+       # Only fallback to commit author if no PR number found (rare)
+       GITHUB_USERNAME=$(gh api repos/cozystack/website/commits/$commit_hash --jq '.author.login // empty')
+       echo "$commit_hash|$subject|$author_name|$GITHUB_USERNAME|cozystack/website@${commit_hash:0:7}"
+     fi
+   done
+   
+   # Look for documentation updates, new pages, or significant content changes
+   # Include these in the "Documentation" section of the changelog WITH authors and PR links
+   ```
+
+3. **For optional repositories, check if tags exist during release period:**
+
+   **⚠️ MANDATORY: You MUST check ALL optional repositories (talm, boot-to-talos, cozypkg, cozy-proxy). Do NOT skip any repository!**
+
+   **Use the helper script:**
+   ```bash
+   # Get release period dates
+   RELEASE_START=$(git log -1 --format=%ai v<previous_version>)
+   RELEASE_END=$(git log -1 --format=%ai HEAD)
+   
+   # Run the script to check all optional repositories
+   ./docs/changelogs/hack/check-optional-repos.sh "$RELEASE_START" "$RELEASE_END"
+   ```
+   
+   The script will:
+   - Check ALL optional repositories (talm, boot-to-talos, cozypkg, cozy-proxy)
+   - Look for tags created during the release period
+   - Get commits between tags (if tags exist) or by date range (if no tags)
+   - Extract PR numbers from commit messages
+   - For EVERY commit with PR number, get PR author via CLI: `gh pr view <PR_NUMBER> --repo cozystack/<repo> --json author --jq .author.login` (ALWAYS use PR author, not commit author)
+   - For commits without PR numbers (rare), fallback to: `gh api repos/cozystack/<repo>/commits/<hash> --jq '.author.login'`
+   - Output results in format: `commit_hash|subject|author_name|github_username|cozystack/repo#PR_NUMBER` or `cozystack/repo@commit_hash`
+
+4. **Extract PR numbers and authors using GitHub CLI:**
+   - **ALWAYS use PR author, not commit author** for commits from additional repositories
+   - For each commit, extract PR number from commit message first: Extract `#123` pattern from commit message
+   - If PR number found, use `gh pr view <PR_NUMBER> --repo cozystack/<repo> --json author --jq .author.login` to get PR author (the person who wrote the code)
+   - Only if no PR number found (rare), fallback to commit author: `gh api repos/cozystack/<repo>/commits/<hash> --jq '.author.login'`
+   - **Prefer PR numbers**: Use format `cozystack/website#123` if PR number found in commit message
+   - **Fallback to commit hash**: Use format `cozystack/website@abc1234` if no PR number
+   - **ALWAYS include author**: Every entry from additional repositories MUST include author in format `([**@username**](https://github.com/username) in cozystack/repo#123)`
+   - Determine user impact and categorize appropriately
+   - Format entries with repository prefix: `[website]`, `[talm]`, etc.
+
+**Example entry format for additional repositories:**
+```markdown
+# If PR number found in commit message (REQUIRED format):
+* **[website] Update installation documentation**: Improved installation guide with new examples ([**@username**](https://github.com/username) in cozystack/website#123).
+
+# If no PR number (fallback, use commit hash):
+* **[website] Update installation documentation**: Improved installation guide with new examples ([**@username**](https://github.com/username) in cozystack/website@abc1234).
+
+# For optional repositories:
+* **[talm] Add new feature**: Description of the change ([**@username**](https://github.com/username) in cozystack/talm#456).
+```
+
+**CRITICAL**: 
+- **ALWAYS include author** for every entry from additional repositories
+- **ALWAYS include PR link or commit hash** for every entry
+- Never add entries without author and PR/commit reference
+- **ALWAYS use PR author, not commit author**: Extract PR number from commit message, then use `gh pr view <PR_NUMBER> --repo cozystack/<repo> --json author --jq .author.login` to get the PR author (the person who wrote the code)
+- Only if no PR number found (rare), fallback to commit author: `gh api repos/cozystack/<repo>/commits/<hash> --jq '.author.login'`
+- The commit author (especially for squash/merge commits) is usually the person who merged the PR, not the person who wrote the code
+
+### 7. Analyzing commits and PRs
+
+**⚠️ CRITICAL: You MUST get the author from PR, not from commit! Always use `gh pr view` to get the PR author. Do NOT use commit author!**
+
+**Get all PR numbers from commits:**
+**⚠️ CRITICAL: Do NOT use --no-merges flag! It will skip merge commits including backports!**
+
+```bash
+# Extract all PR numbers from commit messages in the release range (including merge commits)
+git log <previous_version>..<new_version> --format="%s%n%b" | grep -oE '#[0-9]+' | sort -u | tr -d '#'
+```
+
+**⚠️ IMPORTANT: Handle backports correctly:**
+- Backport PRs have format: `[Backport release-X.Y] <original title> (#BACKPORT_PR_NUMBER)`
+- The backport commit message or PR description usually mentions the original PR number
+- For backport entries in changelog, use the original PR author (not the backport PR author)
+- Include both original and backport PR numbers in the changelog entry (e.g., `#1606, #1609`)
+- To find original PR from backport: Check the backport PR description or commit message for "Backport of #ORIGINAL_PR"
+
+**For each PR number, get the author:**
+   
+   **CRITICAL**: The commit author (especially for squash/merge commits) is usually the person who merged the PR (or GitHub bot), NOT the person who wrote the code. **ALWAYS use the PR author**, not the commit author.
+   
+   **⚠️ MANDATORY: ALWAYS use `gh pr view` to get the PR author. Do NOT use commit author!**
+   
+   **ALWAYS use GitHub CLI** to get the PR author:
+   
+   ```bash
+   # Usage: Get PR author - MANDATORY for EVERY PR
+   # Loop through ALL PR numbers and get PR author (including backports)
+   git log <previous_version>..<new_version> --format="%s%n%b" | grep -oE '#[0-9]+' | sort -u | tr -d '#' | while read PR_NUMBER; do
+     # Check if this is a backport PR
+     BACKPORT_INFO=$(gh pr view "$PR_NUMBER" --json body --jq '.body' 2>/dev/null | grep -i "backport of #" || echo "")
+     if [ -n "$BACKPORT_INFO" ]; then
+       # Extract original PR number from backport description
+       ORIGINAL_PR=$(echo "$BACKPORT_INFO" | grep -oE 'backport of #([0-9]+)' | grep -oE '[0-9]+' | head -1)
+       if [ -n "$ORIGINAL_PR" ]; then
+         # Use original PR author
+         GITHUB_USERNAME=$(gh pr view "$ORIGINAL_PR" --json author --jq '.author.login // empty')
+         PR_TITLE=$(gh pr view "$ORIGINAL_PR" --json title --jq '.title // empty')
+         echo "$PR_NUMBER|$ORIGINAL_PR|$GITHUB_USERNAME|$PR_TITLE|BACKPORT"
+       else
+         # Fallback to backport PR author if original not found
+         GITHUB_USERNAME=$(gh pr view "$PR_NUMBER" --json author --jq '.author.login // empty')
+         PR_TITLE=$(gh pr view "$PR_NUMBER" --json title --jq '.title // empty')
+         echo "$PR_NUMBER||$GITHUB_USERNAME|$PR_TITLE|BACKPORT"
+       fi
+     else
+       # Regular PR
+       GITHUB_USERNAME=$(gh pr view "$PR_NUMBER" --json author --jq '.author.login // empty')
+       PR_TITLE=$(gh pr view "$PR_NUMBER" --json title --jq '.title // empty')
+       echo "$PR_NUMBER||$GITHUB_USERNAME|$PR_TITLE|REGULAR"
+     fi
+   done
+   ```
+   
+   **⚠️ IMPORTANT**: You must run this for EVERY PR in the release period. Do NOT skip any PRs or assume the GitHub username based on the git author name.
+   
+   **CRITICAL**: Always use `gh pr view <PR_NUMBER> --json author --jq .author.login` to get the PR author. This correctly identifies the person who wrote the code, not the person who merged it (which is especially important for squash merges).
+   
+   **Why this matters**: Using the wrong author in changelogs gives incorrect credit and can confuse contributors. The merge/squash commit is created by the person who clicks "Merge" in GitHub, not the PR author.
+   
+   **For commits without PR numbers (rare):**
+   - Only if a commit has no PR number, fall back to commit author: `gh api repos/cozystack/cozystack/commits/<hash> --jq '.author.login'`
+   - But this should be very rare - most commits should have PR numbers
+
+**Extract PR number from commit messages:**
+   - Check commit message subject (`%s`) and body (`%b`) for PR references: `#1234` or `(#1234)`
+   - **Primary method**: Extract from commit message format `(#PR_NUMBER)` or `in #PR_NUMBER` or `Merge pull request #1234`
+   - Use regex: `grep -oE '#[0-9]+'` to find all PR numbers
+   
+   **⚠️ CRITICAL: Verify PR numbers match commit messages!**
+   - Always verify that the PR number in the changelog matches the PR number in the commit message
+   - Common mistake: Using wrong PR number (e.g., #1614 instead of #1617) when multiple similar commits exist
+   - To verify: Check the actual commit message: `git log <commit_hash> -1 --format="%s%n%b" | grep -oE '#[0-9]+'`
+   - If multiple PR numbers appear in a commit, use the one that matches the PR title/description
+   - For merge commits, check the merged branch commits, not just the merge commit message
+
+3. **Understand the change:**
+   ```bash
+   # Get PR details (preferred method)
+   gh pr view <PR_NUMBER> --json title,body,url
+   
+   # Or get commit details if no PR number
+   git show <commit_hash> --stat
+   git show <commit_hash>
+   ```
+   - Review PR description and changed files
+   - Understand functionality added/changed/fixed
+   - **Determine user impact**: What can users do now? What problems are fixed? What improvements do users experience?
+
+4. **For release branches (backports):**
+   - If commit is from `release-X.Y` branch, check if it's a backport
+   - Find original commit in `main` to get correct PR number:
+     ```bash
+     git log origin/main --grep="<part of commit message>" --oneline
+     ```
+
+### 8. Forming a new changelog
+
+Create a new changelog file in the format matching previous versions:
+
+1. **Determine the release type:**
+   - **Minor release (vX.Y.0)** - use full format with **Feature Highlights** section. **Must include all changes from patch releases of the previous minor version** (e.g., v0.38.0 should include changes from v0.37.1, v0.37.2, v0.37.3, etc.)
+   - **Patch release (vX.Y.Z, where Z > 0)** - use more compact format, includes only changes since the previous patch release
+
+   **Feature Highlights format for minor releases:**
+   - Use section header: `## Feature Highlights`
+   - Include 3-6 major features as subsections with `### Feature Name` headers
+   - Each feature subsection should contain:
+     - **Detailed description** (2-4 paragraphs) explaining:
+       - What the feature is and what problem it solves
+       - How it works and what users can do with it
+       - How to use it (if applicable)
+       - Benefits and impact for users
+     - **Links to documentation** when available (use markdown links)
+     - **Code examples or configuration snippets** if helpful
+   - Focus on user value and practical implications, not just technical details
+   - Each feature should be substantial enough to warrant its own subsection
+   - Order features by importance/impact (most important first)
+   - Example format:
+     ```markdown
+     ## Feature Highlights
+     
+     ### Feature Name
+     
+     Detailed description paragraph explaining what the feature is...
+     
+     Another paragraph explaining how it works and what users can do...
+     
+     Learn more in the [documentation](https://cozystack.io/docs/...).
+     ```
+
+   **Important for minor releases**: After collecting all commits, **systematically verify** that all PRs from patch releases are included:
+   ```bash
+   # Extract all PR numbers from patch release changelogs
+   grep -h "#[0-9]\+" docs/changelogs/v<previous_minor>.*.md | sort -u
+   
+   # Extract all PR numbers from the new minor release changelog
+   grep -h "#[0-9]\+" docs/changelogs/v<new_minor>.0.md | sort -u
+   
+   # Compare and identify missing PRs
+   # Ensure every PR from patch releases appears in the minor release changelog
+   ```
+
+2. **Structure changes by categories:**
+   
+   **For minor releases (vX.Y.0):**
+   - **Feature Highlights** (required) - see format above
+   - **Major Features and Improvements** - detailed list of all major features and improvements
+   - **Improvements (minor)** - smaller improvements and enhancements
+   - **Bug fixes** - all bug fixes
+   - **Security** - security-related changes
+   - **Dependencies & version updates** - dependency updates
+   - **System Configuration** - system-level configuration changes
+   - **Development, Testing, and CI/CD** - development and testing improvements
+   - **Documentation** (include changes from website repository here - **MUST include authors and PR links for all entries**)
+   - **Breaking changes & upgrade notes** (if any)
+   - **Refactors & chores** (if any)
+   
+   **For patch releases (vX.Y.Z where Z > 0):**
+   - **Features and Improvements** - new features and improvements
+   - **Fixes** - bug fixes
+   - **Security** - security-related changes
+   - **Dependencies** - dependency updates
+   - **System Configuration** - system-level configuration changes
+   - **Development, Testing, and CI/CD** - development and testing improvements
+   - **Documentation** (include changes from website repository here - **MUST include authors and PR links for all entries**)
+   - **Migration and Upgrades** (if applicable)
+   
+   **Note**: When including changes from additional repositories, group them logically with main repository changes, or create separate subsections if there are many changes from a specific repository.
+
+3. **Entry format:**
+   - Use the format: `* **Brief description**: detailed description ([**@username**](https://github.com/username) in #PR_NUMBER)`
+   - **CRITICAL - Get authorship correctly**: 
+     - **ALWAYS use PR author, not commit author**: Extract PR number from commit message, then use `gh pr view` to get the PR author. The commit author (especially for squash/merge commits) is usually the person who merged the PR (or GitHub bot), NOT the person who wrote the code.
+       ```bash
+       # Get PR author from GitHub CLI (correct method)
+       # Step 1: Extract PR number from commit message
+       PR_NUMBER=$(git log <commit_hash> -1 --format="%s%n%b" | grep -oE '#[0-9]+' | head -1 | tr -d '#')
+       
+       # Step 2: Get PR author (the person who wrote the code)
+       if [ -n "$PR_NUMBER" ]; then
+         GITHUB_USERNAME=$(gh pr view "$PR_NUMBER" --json author --jq '.author.login')
+       else
+         # Only fallback to commit author if no PR number found (rare)
+         GITHUB_USERNAME=$(gh api repos/cozystack/cozystack/commits/<commit_hash> --jq '.author.login')
+       fi
+       ```
+       **Example**: For PR #1507, the squash commit has author "kvaps" (who merged), but the PR author is "lllamnyp" (who wrote the code). Using `gh pr view 1507 --json author --jq .author.login` correctly returns "lllamnyp".
+     - **For regular commits**: Use the commit author directly:
+       ```bash
+       git log <commit_hash> -1 --format="%an|%ae"
+       ```
+     - **Validation**: Before adding to changelog, verify the author by checking:
+       - For merge commits: Compare merge commit author vs PR author (they should be different)
+       - Check existing changelogs for author name to GitHub username mappings
+       - Verify with: `git log <merge_commit>^1..<merge_commit>^2 --format="%an" --no-merges`
+   - **Map author name to GitHub username**: Check existing changelogs for author name mappings, or extract from PR links in commit messages
+   - **Always include user impact**: Each entry must explain how the change affects users
+     - For new features: explain what users can now do
+     - For bug fixes: explain what problem is solved for users
+     - For improvements: explain what users will experience better
+     - For breaking changes: clearly state what users need to do
+   - Group related changes
+   - Use bold font for important components/modules
+   - Focus on user value, not just technical details
+
+4. **Add a link to the full changelog:**
+   
+   **For patch releases (vX.Y.Z where Z > 0):**
+   ```markdown
+   **Full Changelog**: https://github.com/cozystack/cozystack/compare/v<previous_patch_version>...v<new_version>
+   ```
+   Example: For v0.37.2, use `v0.37.1...v0.37.2`
+   
+   **For minor releases (vX.Y.0):**
+   ```markdown
+   **Full Changelog**: https://github.com/cozystack/cozystack/compare/v<previous_minor_version>...v<new_version>
+   ```
+   Example: For v0.38.0, use `v0.37.0...v0.38.0` (NOT `v0.37.8...v0.38.0`)
+   
+   **Important**: Minor releases must reference the previous minor release (vX.Y.0), not the last patch release, to include all changes from the entire minor version cycle.
+
+5. **Generate contributors list:**
+
+   **⚠️ SIMPLIFIED APPROACH: Extract contributors from the generated changelog itself!**
+   
+   Since you've already generated the changelog with all PR authors correctly identified, simply extract GitHub usernames from the changelog entries:
+   
+   ```bash
+   # Extract all GitHub usernames from the current release changelog
+   # This method is simpler and more reliable than extracting from git history
+   
+   # For patch releases: extract from the current changelog file
+   grep -oE '\[@[a-zA-Z0-9_-]+\]' docs/changelogs/v<version>.md | \
+     sed 's/\[@/@/' | sed 's/\]//' | \
+     sort -u
+   
+   # For minor releases: extract from the current changelog file
+   grep -oE '\[@[a-zA-Z0-9_-]+\]' docs/changelogs/v<version>.md | \
+     sed 's/\[@/@/' | sed 's/\]//' | \
+     sort -u
+   ```
+   
+   **Get all previous contributors (to identify new ones):**
+   ```bash
+   # Extract GitHub usernames from all previous changelogs
+   grep -hE '\[@[a-zA-Z0-9_-]+\]' docs/changelogs/v*.md | \
+     grep -oE '@[a-zA-Z0-9_-]+' | \
+     sort -u > /tmp/previous_contributors.txt
+   ```
+   
+   **Identify new contributors (first-time contributors):**
+   ```bash
+   # Get current release contributors from the changelog
+   grep -oE '@[a-zA-Z0-9_-]+' docs/changelogs/v<version>.md | \
+     sort -u > /tmp/current_contributors.txt
+   
+   # Get all previous contributors
+   grep -hE '@[a-zA-Z0-9_-]+' docs/changelogs/v*.md | \
+     grep -oE '@[a-zA-Z0-9_-]+' | \
+     sort -u > /tmp/all_previous_contributors.txt
+   
+   # Find new contributors (those in current but not in previous)
+   comm -23 <(sort /tmp/current_contributors.txt) <(sort /tmp/all_previous_contributors.txt)
+   ```
+   
+   **Why this approach is better:**
+   - ✅ Uses the already-verified PR authors from the changelog (no need to query GitHub API again)
+   - ✅ Automatically handles backports correctly (original PR authors are already in the changelog)
+   - ✅ Simpler and faster (no git log parsing or API calls)
+   - ✅ More reliable (matches exactly what's in the changelog)
+   - ✅ Works for both patch and minor releases
+   
+   **Add contributors section to changelog:**
+   
+   Place the contributors section at the end of the changelog, before the "Full Changelog" link:
+   ```markdown
+   ## Contributors
+   
+   We'd like to thank all contributors who made this release possible:
+   
+   * [**@username1**](https://github.com/username1)
+   * [**@username2**](https://github.com/username2)
+   * [**@username3**](https://github.com/username3)
+   * ...
+   
+   ### New Contributors
+   
+   We're excited to welcome our first-time contributors:
+   
+   * [**@newuser1**](https://github.com/newuser1) - First contribution!
+   * [**@newuser2**](https://github.com/newuser2) - First contribution!
+   ```
+   
+   **Formatting guidelines:**
+   - List contributors in alphabetical order by GitHub username
+   - Use the format: `* [**@username**](https://github.com/username)`
+   - For new contributors, add " - First contribution!" note
+   - If GitHub username cannot be determined, you can skip that contributor or use their git author name
+   
+   **When to include:**
+   - **For patch releases**: Contributors section is optional, but can be included for significant releases
+   - **For minor releases (vX.Y.0)**: Contributors section is required - you must generate and include the contributors list
+   - Always verify GitHub usernames by checking commit messages, PR links in changelog entries, or by examining PR details
+
+6. **Add a comment with a link to the GitHub release:**
+   ```markdown
+   <!--
+   https://github.com/cozystack/cozystack/releases/tag/v<new_version>
+   -->
+   ```
+
+### 9. Verification and saving
+
+**Before saving, verify completeness:**
+
+**For ALL releases:**
+- [ ] Step 5 completed: **ALL commits included** (including merge commits and backports) - do not skip any commits
+- [ ] Step 5 completed: **Backports identified and handled correctly** - original PR author used, both original and backport PR numbers included
+- [ ] Step 6 completed: Website repository checked for documentation changes WITH authors and PR links via GitHub CLI
+- [ ] Step 6 completed: **ALL** optional repositories (talm, boot-to-talos, cozypkg, cozy-proxy) checked for tags during release period
+- [ ] Step 6 completed: For ALL commits from additional repos, GitHub username obtained via GitHub CLI (not skipped). For commits with PR numbers, PR author used via `gh pr view` (not commit author)
+- [ ] Step 7 completed: For EVERY PR in main repo (including backports), PR author obtained via `gh pr view <PR_NUMBER> --json author --jq .author.login` (not skipped or assumed). Commit author NOT used - always use PR author
+- [ ] Step 7 completed: **Backports verified** - for each backport PR, original PR found and original PR author used in changelog
+- [ ] Step 8 completed: Contributors list generated
+- [ ] All commits from main repository included (including merge commits)
+- [ ] User impact described for each change
+- [ ] Format matches existing changelogs
+
+**For patch releases:**
+- [ ] All commits from the release period are included (including merge commits with backports)
+- [ ] PR numbers match commit messages
+- [ ] Backports are properly identified and linked to original PRs
+
+**For minor releases (vX.Y.0):**
+- [ ] All changes from patch releases (vX.Y.1, vX.Y.2, etc.) are included
+- [ ] Contributors section is present and complete
+- [ ] Full Changelog link references previous minor version (vX.Y.0), not last patch
+- [ ] Verify all PRs from patch releases are included:
+  ```bash
+  # Extract and compare PR numbers
+  PATCH_PRS=$(grep -hE "#[0-9]+" docs/changelogs/v<previous_minor>.*.md | grep -oE "#[0-9]+" | sort -u)
+  MINOR_PRS=$(grep -hE "#[0-9]+" docs/changelogs/v<new_minor>.0.md | grep -oE "#[0-9]+" | sort -u)
+  MISSING=$(comm -23 <(echo "$PATCH_PRS") <(echo "$MINOR_PRS"))
+  
+  if [ -n "$MISSING" ]; then
+    echo "Missing PRs from patch releases:"
+    echo "$MISSING"
+    # For each missing PR, check if it's a backport and verify change is included by description
+  fi
+  ```
+
+**Only proceed to save after all checkboxes are verified!**
+
+**Save the changelog:**
+Save the changelog to file `docs/changelogs/v<version>.md` according to the version for which the changelog is being generated.
+
+### Important notes
+
+- **After fetch with --force** local tags are up-to-date, use them for work
+- **For release branches** always check original commits in `main` to get correct PR numbers
+- **Preserve the format** of existing changelog files
+- **Group related changes** logically
+- **Be accurate** in describing changes, based on actual commit diffs
+- **Check for PR numbers** and commit authors
+- **CRITICAL - Get authorship from PR, not from commit**: 
+  - **ALWAYS use PR author**: Extract PR number from commit message, then use `gh pr view <PR_NUMBER> --json author --jq .author.login` to get the PR author
+  - Do NOT use commit author - the commit author (especially for squash/merge commits) is usually the person who merged the PR, not the person who wrote the code
+  - For commits without PR numbers (rare), fall back to commit author: `gh api repos/cozystack/cozystack/commits/<commit_hash> --jq '.author.login'`
+  - **Workflow**: Extract PR numbers from commits → Use `gh pr view` for each PR → Get PR author (the person who wrote the code)
+  - Example: For PR #1507, the commit author is `@kvaps` (who merged), but `gh pr view 1507 --json author --jq .author.login` correctly returns `@lllamnyp` (who wrote the code)
+  - Check existing changelogs for author name to GitHub username mappings
+  - **Validation**: Before adding to changelog, always verify the author using `gh pr view` - never use commit author for PRs
+-  **MANDATORY**: Always describe user impact: Every changelog entry must explain how the change affects end users, not just what was changed technically. Focus on user value and practical implications.
+
+**Required steps:**
+
+- **Additional repositories (Step 6) - MANDATORY**: 
+  - **⚠️ CRITICAL**: Always check the **website** repository for documentation changes during the release period. This is a required step and MUST NOT be skipped.
+  - **⚠️ CRITICAL**: You MUST check ALL optional repositories (talm, boot-to-talos, cozypkg, cozy-proxy) for tags during the release period. Do NOT skip any repository even if you think there might not be tags.
+  - **CRITICAL**: For ALL entries from additional repositories (website and optional), you MUST:
+    - **MANDATORY**: Extract PR number from commit message first
+    - **MANDATORY**: For commits with PR numbers, ALWAYS use `gh pr view <PR_NUMBER> --repo cozystack/<repo> --json author --jq .author.login` to get PR author (not commit author)
+    - **MANDATORY**: Only for commits without PR numbers (rare), fallback to: `gh api repos/cozystack/<repo>/commits/<hash> --jq '.author.login'`
+    - **MANDATORY**: Do NOT skip getting GitHub username via CLI - do this for EVERY commit
+    - **MANDATORY**: Do NOT use commit author for PRs - always use PR author
+    - Include PR link or commit hash reference
+    - Format: `* **[repo] Description**: details ([**@username**](https://github.com/username) in cozystack/repo#123)`
+  - For **optional repositories** (talm, boot-to-talos, cozypkg, cozy-proxy), you MUST check ALL of them for tags during the release period. Use the loop provided in Step 6 to check each repository systematically.
+  - When including changes from additional repositories, use the format: `[repo-name] Description` and link to the repository's PR/issue if available
+  - **Prefer PR numbers over commit hashes**: For commits from additional repositories, extract PR number from commit message using GitHub API. Use PR format (`cozystack/website#123`) instead of commit hash (`cozystack/website@abc1234`) when available
+  - **Never add entries without author and PR/commit reference**: Every entry from additional repositories must have both author and link
+  - Group changes from additional repositories with main repository changes, or create separate subsections if there are many changes from a specific repository
+
+- **PR author verification (Step 7) - MANDATORY**:
+  - **⚠️ CRITICAL**: You MUST get the author from PR using `gh pr view`, NOT from commit
+  - **⚠️ CRITICAL**: Extract PR numbers from commit messages, then use `gh pr view <PR_NUMBER> --json author --jq .author.login` for each PR
+  - **⚠️ CRITICAL**: Do NOT use commit author - commit author is usually the person who merged, not the person who wrote the code
+  - **⚠️ CRITICAL**: Do NOT skip this step for any PR, even if the author seems obvious
+  - For commits without PR numbers (rare), fall back to: `gh api repos/cozystack/cozystack/commits/<hash> --jq '.author.login'`
+  - This ensures correct attribution and prevents errors in changelog entries (especially important for squash/merge commits)
+
+- **Contributors list (Step 8)**: 
+  - For minor releases (vX.Y.0): You must generate a list of all contributors and identify first-time contributors.
+  - For patch releases: Contributors section is optional, but recommended for significant releases
+  - Extract GitHub usernames from PR links in commit messages or changelog entries
+  - This helps recognize community contributions and welcome new contributors
+- **Minor releases (vX.Y.0)**:
+  - Must include **all changes** from patch releases of the previous minor version (e.g., v0.38.0 includes all changes from v0.37.1, v0.37.2, v0.37.3, etc.)
+  - The "Full Changelog" link must reference the previous minor release (v0.37.0...v0.38.0), NOT the last patch release (v0.37.8...v0.38.0)
+  - This ensures users can see the complete set of changes for the entire minor version cycle
+  - **Verification step**: After creating the changelog, extract all PR numbers from patch release changelogs and verify they all appear in the minor release changelog to prevent missing entries
+  - **Backport handling**: Patch releases may contain backports with different PR numbers (e.g., #1624 in patch release vs #1622 in main). For minor releases, use original PR numbers from main when available, but verify that all changes from patch releases are included regardless of PR number differences
+  - **Content verification**: Don't rely solely on PR number matching - verify that change descriptions from patch releases appear in the minor release changelog, as backports may have different PR numbers
+

docs/agents/contributing.md

@@ -0,0 +1,113 @@
+# Instructions for AI Agents
+
+Guidelines for AI agents contributing to Cozystack.
+
+## Checklist for Creating a Pull Request
+
+- [ ] Changes are made and tested
+- [ ] Commit message uses correct `[component]` prefix
+- [ ] Commit is signed off with `--signoff`
+- [ ] Branch is rebased on `upstream/main` (no extra commits)
+- [ ] PR body includes description and release note
+- [ ] PR is pushed and created with `gh pr create`
+
+## How to Commit and Create Pull Requests
+
+### 1. Make Your Changes
+
+Edit the necessary files in the codebase.
+
+### 2. Commit with Proper Format
+
+Use the `[component]` prefix and `--signoff` flag:
+
+```bash
+git commit --signoff -m "[component] Brief description of changes"
+```
+
+**Component prefixes:**
+- System: `[dashboard]`, `[platform]`, `[cilium]`, `[kube-ovn]`, `[linstor]`, `[fluxcd]`, `[cluster-api]`
+- Apps: `[postgres]`, `[mysql]`, `[redis]`, `[kafka]`, `[clickhouse]`, `[virtual-machine]`, `[kubernetes]`
+- Other: `[tests]`, `[ci]`, `[docs]`, `[maintenance]`
+
+**Examples:**
+```bash
+git commit --signoff -m "[dashboard] Add config hash annotations to restart pods on config changes"
+git commit --signoff -m "[postgres] Update operator to version 1.2.3"
+git commit --signoff -m "[docs] Add installation guide"
+```
+
+### 3. Rebase on upstream/main (if needed)
+
+If your branch has extra commits, clean it up:
+
+```bash
+# Fetch latest
+git fetch upstream
+
+# Create clean branch from upstream/main
+git checkout -b my-feature upstream/main
+
+# Cherry-pick only your commit
+git cherry-pick <your-commit-hash>
+
+# Force push to your branch
+git push -f origin my-feature:my-branch-name
+```
+
+### 4. Push Your Branch
+
+```bash
+git push origin <branch-name>
+```
+
+### 5. Create Pull Request
+
+Write the PR body to a temporary file:
+
+```bash
+cat > /tmp/pr_body.md << 'EOF'
+## What this PR does
+
+Brief description of the changes.
+
+Changes:
+- Change 1
+- Change 2
+
+### Release note
+
+```release-note
+[component] Description for changelog
+```
+EOF
+```
+
+Create the PR:
+
+```bash
+gh pr create --title "[component] Brief description" --body-file /tmp/pr_body.md
+```
+
+Clean up:
+
+```bash
+rm /tmp/pr_body.md
+```
+
+## Git Permissions
+
+Request these permissions when needed:
+- `git_write` - For commit, rebase, cherry-pick, branch operations
+- `network` - For push, fetch, pull operations
+
+## Common Issues
+
+**PR has extra commits?**  
+→ Rebase on `upstream/main` and cherry-pick only your commits
+
+**Wrong commit message?**  
+→ `git commit --amend --signoff -m "[correct] message"` then `git push -f`
+
+**Need to update PR?**  
+→ `gh pr edit <number> --body "new description"`

docs/agents/overview.md

@@ -0,0 +1,115 @@
+# Cozystack Project Overview
+
+This document provides detailed information about Cozystack project structure and conventions for AI agents.
+
+## About Cozystack
+
+Cozystack is an open-source Kubernetes-based platform and framework for building cloud infrastructure. It provides:
+
+- **Managed Services**: Databases, VMs, Kubernetes clusters, object storage, and more
+- **Multi-tenancy**: Full isolation and self-service for tenants
+- **GitOps-driven**: FluxCD-based continuous delivery
+- **Modular Architecture**: Extensible with custom packages and services
+- **Developer Experience**: Simplified local development with cozypkg tool
+
+The platform exposes infrastructure services via the Kubernetes API with ready-made configs, built-in monitoring, and alerts.
+
+## Code Layout
+
+```
+.
+├── packages/               # Main directory for cozystack packages
+│   ├── core/              # Core platform logic charts (installer, platform)
+│   ├── system/            # System charts (CSI, CNI, operators, etc.)
+│   ├── apps/              # User-facing charts shown in dashboard catalog
+│   └── extra/             # Tenant-specific modules, singleton charts which are used as dependencies
+├── dashboards/            # Grafana dashboards for monitoring
+├── hack/                  # Helper scripts for local development
+│   └── e2e-apps/         # End-to-end application tests
+├── scripts/               # Scripts used by cozystack container
+│   └── migrations/       # Version migration scripts
+├── docs/                  # Documentation
+│   ├── agents/           # AI agent instructions
+│   └── changelogs/       # Release changelogs
+├── cmd/                   # Go command entry points
+│   ├── cozystack-api/
+│   ├── cozystack-controller/
+│   └── cozystack-assets-server/
+├── internal/              # Internal Go packages
+│   ├── controller/       # Controller implementations
+│   └── lineagecontrollerwebhook/
+├── pkg/                   # Public Go packages
+│   ├── apis/
+│   ├── apiserver/
+│   └── registry/
+└── api/                   # Kubernetes API definitions (CRDs)
+    └── v1alpha1/
+```
+
+## Package Structure
+
+Every package is a Helm chart following the umbrella chart pattern:
+
+```
+packages/<category>/<package-name>/
+├── Chart.yaml                           # Chart definition and parameter docs
+├── Makefile                             # Development workflow targets
+├── charts/                              # Vendored upstream charts
+├── images/                              # Dockerfiles and image build context
+├── patches/                             # Optional upstream chart patches
+├── templates/                           # Additional manifests
+├── templates/dashboard-resourcemap.yaml # Dashboard resource mapping
+├── values.yaml                          # Override values for upstream
+└── values.schema.json                   # JSON schema for validation and UI
+```
+
+## Conventions
+
+### Helm Charts
+- Follow **umbrella chart** pattern for system components
+- Include upstream charts in `charts/` directory (vendored, not referenced)
+- Override configuration in root `values.yaml`
+- Use `values.schema.json` for input validation and dashboard UI rendering
+
+### Go Code
+- Follow standard **Go conventions** and idioms
+- Use **controller-runtime** patterns for Kubernetes controllers
+- Prefer **kubebuilder** for API definitions and controllers
+- Add proper error handling and structured logging
+
+### Git Commits
+- Use format: `[component] Description`
+- Always use `--signoff` flag
+- Reference PR numbers when available
+- Keep commits atomic and focused
+- Follow conventional commit format for changelogs
+
+### Documentation
+
+Documentation is organized as follows:
+- `docs/` - General documentation
+- `docs/agents/` - Instructions for AI agents
+- `docs/changelogs/` - Release changelogs
+- Main website: https://github.com/cozystack/website
+
+## Things Agents Should Not Do
+
+### Never Edit These
+- Do not modify files in `/vendor/` (Go dependencies)
+- Do not edit generated files: `zz_generated.*.go`
+- Do not change `go.mod`/`go.sum` manually (use `go get`)
+- Do not edit upstream charts in `packages/*/charts/` directly (use patches)
+- Do not modify image digests in `values.yaml` (generated by build)
+
+### Version Control
+- Do not commit built artifacts from `_out`
+- Do not commit test artifacts or temporary files
+
+### Git Operations
+- Do not force push to main/master
+- Do not update git config
+- Do not perform destructive operations without explicit request
+
+### Core Components
+- Do not modify `packages/core/platform/` without understanding migration impact
+

docs/agents/releasing.md

@@ -0,0 +1,29 @@
+# Release Process
+
+This document provides instructions for AI agents on how to handle release-related tasks.
+
+## When to Use
+
+Follow these instructions when the user asks to:
+- Create a new release
+- Prepare a release
+- Tag a release
+- Perform release-related tasks
+
+## Instructions
+
+For detailed release process instructions, follow the steps documented in:
+
+**[docs/release.md](../release.md)**
+
+## Quick Reference
+
+The release process typically involves:
+1. Preparing the release branch
+2. Generating changelog
+3. Updating version numbers
+4. Creating git tags
+5. Building and publishing artifacts
+
+All detailed steps are documented in `docs/release.md`.
+

docs/changelogs/unreleased.md

@@ -1,3 +0,0 @@
-# Changes after v0.37.0
-
-* [lineage] Break webhook out into a separate daemonset. Reduce unnecessary webhook calls by marking handled resources and excluding them from consideration by the webhook's object selector (@lllamnyp in #1515). 

hack/check-optional-repos.sh

@@ -0,0 +1,145 @@
+#!/bin/sh
+###############################################################################
+# check-optional-repos.sh - Check optional repositories for tags and commits #
+# during a release period                                                     #
+###############################################################################
+set -eu
+
+# Function to ensure repository is cloned and up-to-date
+update_repo() {
+  local repo_name=$1
+  local repo_url="https://github.com/cozystack/${repo_name}.git"
+  
+  mkdir -p _repos
+  cd _repos
+  
+  if [ -d "$repo_name" ]; then
+    cd "$repo_name"
+    git fetch --all --tags --force
+    git checkout main 2>/dev/null || git checkout master
+    git pull
+  else
+    git clone "$repo_url"
+    cd "$repo_name"
+  fi
+  
+  cd ../..
+}
+
+# Check if required parameters are provided
+if [ $# -lt 2 ]; then
+  echo "Usage: $0 <RELEASE_START> <RELEASE_END>"
+  echo "Example: $0 '2025-10-10 12:27:31 +0400' '2025-10-13 16:04:33 +0200'"
+  exit 1
+fi
+
+RELEASE_START="$1"
+RELEASE_END="$2"
+
+# Get the script directory to return to it later
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+COZYSTACK_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+
+cd "$COZYSTACK_ROOT"
+
+echo "Checking optional repositories for tags and commits between:"
+echo "  Start: $RELEASE_START"
+echo "  End: $RELEASE_END"
+echo ""
+
+# Loop through ALL optional repositories
+for repo_name in talm boot-to-talos cozypkg cozy-proxy; do
+  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+  echo "Checking repository: $repo_name"
+  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+  
+  # Update/clone repository
+  update_repo "$repo_name"
+  
+  cd "_repos/$repo_name"
+  REPO_NAME=$(basename "$(pwd)")
+  git fetch --all --tags --force
+  
+  # Check for tags matching release version pattern or created during release period
+  TAGS=$(git for-each-ref --format='%(refname:short) %(creatordate)' refs/tags 2>/dev/null | \
+    awk -v start="$RELEASE_START" -v end="$RELEASE_END" '$2 >= start && $2 <= end {print $1}' || true)
+  
+  if [ -n "$TAGS" ]; then
+    echo "Found tags in $repo_name: $TAGS"
+    PREV_TAG=$(echo "$TAGS" | head -1)
+    NEW_TAG=$(echo "$TAGS" | tail -1)
+    
+    echo ""
+    echo "Commits between $PREV_TAG and $NEW_TAG:"
+    # Include merge commits to capture backports
+    git log "$PREV_TAG..$NEW_TAG" --format="%H|%s|%an" 2>/dev/null | while IFS='|' read -r commit_hash subject author_name; do
+      if [ -z "$commit_hash" ]; then
+        continue
+      fi
+      
+      # Get PR number from commit message
+      COMMIT_MSG=$(git log -1 --format=%B "$commit_hash" 2>/dev/null || echo "")
+      PR_NUMBER=$(echo "$COMMIT_MSG" | grep -oE '#[0-9]+' | head -1 | tr -d '#' || echo "")
+      
+      # Get author: prioritize PR author, fallback to commit author
+      GITHUB_USERNAME=""
+      if [ -n "$PR_NUMBER" ]; then
+        GITHUB_USERNAME=$(gh pr view "$PR_NUMBER" --repo "cozystack/$REPO_NAME" --json author --jq '.author.login // empty' 2>/dev/null || echo "")
+      fi
+      if [ -z "$GITHUB_USERNAME" ]; then
+        GITHUB_USERNAME=$(gh api "repos/cozystack/$REPO_NAME/commits/$commit_hash" --jq '.author.login // empty' 2>/dev/null || echo "")
+      fi
+      
+      if [ -n "$PR_NUMBER" ]; then
+        echo "  $commit_hash|$subject|$author_name|$GITHUB_USERNAME|cozystack/$REPO_NAME#$PR_NUMBER"
+      else
+        echo "  $commit_hash|$subject|$author_name|$GITHUB_USERNAME|cozystack/$REPO_NAME@${commit_hash:0:7}"
+      fi
+    done
+  else
+    echo "No tags found in $repo_name during release period"
+    
+    # Check for commits by dates if no exact version tags
+    # Include merge commits to capture backports
+    COMMITS=$(git log --since="$RELEASE_START" --until="$RELEASE_END" --format="%H|%s|%an" 2>/dev/null || true)
+    
+    if [ -n "$COMMITS" ]; then
+      echo ""
+      echo "Commits found by date range:"
+      echo "$COMMITS" | while IFS='|' read -r commit_hash subject author_name; do
+        if [ -z "$commit_hash" ]; then
+          continue
+        fi
+        
+        # Get PR number from commit message
+        COMMIT_MSG=$(git log -1 --format=%B "$commit_hash" 2>/dev/null || echo "")
+        PR_NUMBER=$(echo "$COMMIT_MSG" | grep -oE '#[0-9]+' | head -1 | tr -d '#' || echo "")
+        
+        # Get author: prioritize PR author, fallback to commit author
+        GITHUB_USERNAME=""
+        if [ -n "$PR_NUMBER" ]; then
+          GITHUB_USERNAME=$(gh pr view "$PR_NUMBER" --repo "cozystack/$REPO_NAME" --json author --jq '.author.login // empty' 2>/dev/null || echo "")
+        fi
+        if [ -z "$GITHUB_USERNAME" ]; then
+          GITHUB_USERNAME=$(gh api "repos/cozystack/$REPO_NAME/commits/$commit_hash" --jq '.author.login // empty' 2>/dev/null || echo "")
+        fi
+        
+        if [ -n "$PR_NUMBER" ]; then
+          echo "  $commit_hash|$subject|$author_name|$GITHUB_USERNAME|cozystack/$REPO_NAME#$PR_NUMBER"
+        else
+          echo "  $commit_hash|$subject|$author_name|$GITHUB_USERNAME|cozystack/$REPO_NAME@${commit_hash:0:7}"
+        fi
+      done
+    else
+      echo "No commits found in $repo_name during release period"
+    fi
+  fi
+  
+  echo ""
+  cd "$COZYSTACK_ROOT"
+done
+
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo "Finished checking all optional repositories"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+

hack/e2e-apps/run-kubernetes.sh

@@ -80,58 +80,41 @@ EOF
   # Wait for the machine deployment to scale to 2 replicas (timeout after 1 minute)
   kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
   # Get the admin kubeconfig and save it to a file
-  kubectl get secret kubernetes-${test_name}-admin-kubeconfig -ojsonpath='{.data.super-admin\.conf}' -n tenant-test | base64 -d > tenantkubeconfig
+  kubectl get secret kubernetes-${test_name}-admin-kubeconfig -ojsonpath='{.data.super-admin\.conf}' -n tenant-test | base64 -d > tenantkubeconfig-${test_name}
 
   # Update the kubeconfig to use localhost for the API server
-  yq -i ".clusters[0].cluster.server = \"https://localhost:${port}\"" tenantkubeconfig
+  yq -i ".clusters[0].cluster.server = \"https://localhost:${port}\"" tenantkubeconfig-${test_name}
 
 
   # Set up port forwarding to the Kubernetes API server for a 200 second timeout
   bash -c 'timeout 300s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
   # Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
-  timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
+  timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
 
   # Wait for the nodes to be ready (timeout after 2 minutes)
   timeout 3m bash -c '
-    until [ "$(kubectl --kubeconfig tenantkubeconfig get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -eq 2 ]; do
+    until [ "$(kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -eq 2 ]; do
       sleep 2
     done
   '
   # Verify the nodes are ready
-  kubectl --kubeconfig tenantkubeconfig wait node --all --timeout=2m --for=condition=Ready
-  kubectl --kubeconfig tenantkubeconfig get nodes -o wide
+  kubectl --kubeconfig tenantkubeconfig-${test_name} wait node --all --timeout=2m --for=condition=Ready
+  kubectl --kubeconfig tenantkubeconfig-${test_name} get nodes -o wide
 
   # Verify the kubelet version matches what we expect
-  versions=$(kubectl --kubeconfig tenantkubeconfig get nodes -o jsonpath='{.items[*].status.nodeInfo.kubeletVersion}')
+  versions=$(kubectl --kubeconfig "tenantkubeconfig-${test_name}" \
+    get nodes -o jsonpath='{.items[*].status.nodeInfo.kubeletVersion}')
+  
   node_ok=true
-
-  case "$k8s_version" in
-    v1.32*)
-      echo "⚠️  TODO: Temporary stub — allowing nodes with v1.33 while k8s_version is v1.32"
-      ;;
-  esac
-
+  
   for v in $versions; do
-    case "$k8s_version" in
-      v1.32|v1.32.*)
-        case "$v" in
-          v1.32 | v1.32.* | v1.32-* | v1.33 | v1.33.* | v1.33-*)
-            ;;
-          *)
-            node_ok=false
-            break
-            ;;
-        esac
+    case "$v" in
+      "${k8s_version}" | "${k8s_version}".* | "${k8s_version}"-*)
+        # acceptable
         ;;
       *)
-        case "$v" in
-          "${k8s_version}" | "${k8s_version}".* | "${k8s_version}"-*)
-            ;;
-          *)
-            node_ok=false
-            break
-            ;;
-        esac
+        node_ok=false
+        break
         ;;
     esac
   done

hack/helm-unit-tests.sh

@@ -0,0 +1,59 @@
+#!/bin/sh
+set -eu
+
+# Script to run unit tests for all Helm charts.
+# It iterates through directories in packages/apps, packages/extra,
+# packages/system, and packages/library and runs the 'test' Makefile
+# target if it exists.
+
+FAILED_DIRS_FILE="$(mktemp)"
+trap 'rm -f "$FAILED_DIRS_FILE"' EXIT
+
+tests_found=0
+
+check_and_run_test() {
+    dir="$1"
+    makefile="$dir/Makefile"
+
+    if [ ! -f "$makefile" ]; then
+        return 0
+    fi
+
+    if make -C "$dir" -n test >/dev/null 2>&1; then
+        echo "Running tests in $dir"
+        tests_found=$((tests_found + 1))
+        if ! make -C "$dir" test; then
+            printf '%s\n' "$dir" >> "$FAILED_DIRS_FILE"
+            return 1
+        fi
+    fi
+
+    return 0
+}
+
+for package_dir in packages/apps packages/extra packages/system packages/library; do
+    if [ ! -d "$package_dir" ]; then
+        echo "Warning: Directory $package_dir does not exist, skipping..." >&2
+        continue
+    fi
+
+    for dir in "$package_dir"/*; do
+        [ -d "$dir" ] || continue
+        check_and_run_test "$dir" || true
+    done
+done
+
+if [ "$tests_found" -eq 0 ]; then
+    echo "No directories with 'test' Makefile targets found."
+    exit 0
+fi
+
+if [ -s "$FAILED_DIRS_FILE" ]; then
+    echo "ERROR: Tests failed in the following directories:" >&2
+    while IFS= read -r dir; do
+        echo "  - $dir" >&2
+    done < "$FAILED_DIRS_FILE"
+    exit 1
+fi
+
+echo "All Helm unit tests passed."

hack/upload-releasenotes.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+if [ $# -ne 1 ]; then
+  echo "Usage: $0 <version>"
+  echo "Example: 0.37.*"
+  exit 1
+fi
+
+VERSION_PATTERN="$1"
+
+# Collect matching files first
+FILES=$(find docs/changelogs -name "v${VERSION_PATTERN}.md" 2>/dev/null || true)
+
+if [ -z "$FILES" ]; then
+  echo "No changelog files found matching pattern: v${VERSION_PATTERN}.md"
+  exit 1
+fi
+
+# Process each file
+echo "$FILES" | while IFS= read -r file; do
+  if [ -z "$file" ]; then
+    continue
+  fi
+  
+  # Extract version from filename safely (basename without extension)
+  version=$(basename "$file" .md)
+  
+  if [ -z "$version" ]; then
+    echo "Warning: Could not extract version from file: $file"
+    continue
+  fi
+  
+  echo "Uploading release notes for version: $version"
+  
+  # Check exit status of gh release edit
+  if ! gh release edit "$version" --notes-file "docs/changelogs/${version}.md"; then
+    echo "Error: Failed to upload release notes for version: $version"
+    exit 1
+  fi
+done

internal/controller/dashboard/factory.go

@@ -44,6 +44,9 @@ func (m *Manager) ensureFactory(ctx context.Context, crd *cozyv1alpha1.Cozystack
 	if flags.Secrets {
 		tabs = append(tabs, secretsTab(kind))
 	}
+	if prefix, ok := vncTabPrefix(kind); ok {
+		tabs = append(tabs, vncTab(prefix))
+	}
 	tabs = append(tabs, yamlTab(plural))
 
 	// Use unified factory creation
@@ -150,6 +153,27 @@ func detailsTab(kind, endpoint, schemaJSON string, keysOrder [][]string) map[str
 		}),
 		paramsList,
 	}
+	if kind == "VirtualPrivateCloud" {
+		rightColStack = append(rightColStack,
+			antdFlexVertical("vpc-subnets-block", 4, []any{
+				antdText("vpc-subnets-label", true, "Subnets", nil),
+				map[string]any{
+					"type": "EnrichedTable",
+					"data": map[string]any{
+						"id":                   "vpc-subnets-table",
+						"baseprefix":           "/openapi-ui",
+						"clusterNamePartOfUrl": "{2}",
+						"customizationId":      "virtualprivatecloud-subnets",
+						"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/configmaps",
+						"fieldSelector": map[string]any{
+							"metadata.name": "virtualprivatecloud-{6}-subnets",
+						},
+						"pathToItems": []any{"items"},
+					},
+				},
+			}),
+		)
+	}
 
 	return map[string]any{
 		"key":   "details",
@@ -331,6 +355,36 @@ func yamlTab(plural string) map[string]any {
 	}
 }
 
+func vncTabPrefix(kind string) (string, bool) {
+	switch kind {
+	case "VirtualMachine":
+		return "virtual-machine", true
+	case "VMInstance":
+		return "vm-instance", true
+	default:
+		return "", false
+	}
+}
+
+func vncTab(prefix string) map[string]any {
+	return map[string]any{
+		"key":   "vnc",
+		"label": "VNC",
+		"children": []any{
+			map[string]any{
+				"type": "VMVNC",
+				"data": map[string]any{
+					"id":              "vm-vnc",
+					"cluster":         "{2}",
+					"namespace":       "{reqsJsonPath[0]['.metadata.namespace']['-']}",
+					"substractHeight": float64(400),
+					"vmName":          fmt.Sprintf("%s-{reqsJsonPath[0]['.metadata.name']['-']}", prefix),
+				},
+			},
+		},
+	}
+}
+
 // ---------------- OpenAPI → Right column ----------------
 
 func buildOpenAPIParamsBlocks(schemaJSON string, keysOrder [][]string) []any {

internal/controller/dashboard/static_refactored.go

@@ -182,6 +182,13 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),
 
+		// Virtual private cloud subnets
+		createCustomColumnsOverride("virtualprivatecloud-subnets", []any{
+			createFlatMapColumn("Data", ".data"),
+			createStringColumn("Subnet Parameters", "_flatMapData_Key"),
+			createStringColumn("Values", "_flatMapData_Value"),
+		}),
+
 		// Factory ingress details rules
 		createCustomColumnsOverride("factory-kube-ingress-details-rules", []any{
 			createStringColumn("Host", ".host"),

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:50ac1581e3100bd6c477a71161cb455a341ffaf9e5e2f6086802e4e25271e8af
+ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:b7633717cd7449c0042ae92d8ca9b36e4d69566561f5c7d44e21058e7d05c6d5

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:c8b08084a86251cdd18e237de89b695bca0e4f7eb1f1f6ddc2b903b4d74ea5ff
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:d5c836ba33cf5dbed7e6f866784f668f80ffe69179e7c75847b680111984eefb

packages/apps/kubernetes/templates/cluster.yaml

@@ -182,6 +182,33 @@ metadata:
 spec:
   template:
     spec:
+      files:
+      - path: /usr/bin/update-k8s.sh
+        owner: root:root
+        permissions: "0755"
+        content: |
+          #!/usr/bin/env bash
+          set -euo pipefail
+
+          # Expected to be passed in via preKubeadmCommands
+          : "${KUBELET_VERSION:?KUBELET_VERSION must be set, e.g. v1.31.0}"
+
+          ARCH="$(uname -m)"
+          case "${ARCH}" in
+            x86_64) ARCH=amd64 ;;
+            aarch64) ARCH=arm64 ;;
+          esac
+
+          # Use your internal mirror here for real-world use.
+          BASE_URL="https://dl.k8s.io/release/${KUBELET_VERSION}/bin/linux/${ARCH}"
+
+          echo "Installing kubelet and kubeadm  ${KUBELET_VERSION} for ${ARCH}..."
+          curl -fsSL "${BASE_URL}/kubelet" -o /root/kubelet
+          curl -fsSL "${BASE_URL}/kubeadm" -o /root/kubeadm
+          chmod 0755 /root/kubelet
+          chmod 0755 /root/kubeadm
+          if /root/kubelet --version ; then mv /root/kubelet /usr/bin/kubelet ; fi
+          if /root/kubeadm version ; then mv /root/kubeadm /usr/bin/kubeadm ; fi
       diskSetup:
         filesystems:
         - device: /dev/vdb
@@ -205,6 +232,7 @@ spec:
         {{- end }}
       {{- end }}
       preKubeadmCommands:
+      - KUBELET_VERSION={{ include "kubernetes.versionMap" $}} /usr/bin/update-k8s.sh || true
       - sed -i 's|root:x:|root::|' /etc/passwd
       - systemctl stop containerd.service
       - mkdir -p /ephemeral/kubelet /ephemeral/containerd

packages/apps/kubernetes/templates/delete.yaml

@@ -6,11 +6,11 @@ metadata:
     "helm.sh/hook": post-delete
     "helm.sh/hook-weight": "10"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-  name: {{ .Release.Name }}-datavolume-cleanup
+  name: {{ .Release.Name }}-cleanup
 spec:
   template:
     spec:
-      serviceAccountName: {{ .Release.Name }}-datavolume-cleanup
+      serviceAccountName: {{ .Release.Name }}-cleanup
       restartPolicy: Never
       tolerations:
         - key: CriticalAddonsOnly
@@ -28,12 +28,17 @@ spec:
               -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}"
               --ignore-not-found=true
 
+              kubectl -n {{ .Release.Namespace }} delete services
+              -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}"
+              --field-selector spec.type=LoadBalancer
+              --ignore-not-found=true
+
 
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Release.Name }}-datavolume-cleanup
+  name: {{ .Release.Name }}-cleanup
   annotations:
     helm.sh/hook: post-delete
     helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
@@ -46,7 +51,7 @@ metadata:
     "helm.sh/hook": post-delete
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
     "helm.sh/hook-weight": "5"
-  name: {{ .Release.Name }}-datavolume-cleanup
+  name: {{ .Release.Name }}-cleanup
 rules:
   - apiGroups:
       - "cdi.kubevirt.io"
@@ -56,6 +61,14 @@ rules:
       - get
       - list
       - delete
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -64,13 +77,13 @@ metadata:
     "helm.sh/hook": post-delete
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
     "helm.sh/hook-weight": "5"
-  name: {{ .Release.Name }}-datavolume-cleanup
+  name: {{ .Release.Name }}-cleanup
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ .Release.Name }}-datavolume-cleanup
+  name: {{ .Release.Name }}-cleanup
 subjects:
   - kind: ServiceAccount
-    name: {{ .Release.Name }}-datavolume-cleanup
+    name: {{ .Release.Name }}-cleanup
     namespace: {{ .Release.Namespace }}
 

packages/apps/mysql/templates/mariadb.yaml

@@ -37,6 +37,10 @@ spec:
     #  automaticFailover: true
   {{- end }}
 
+  podMetadata:
+    labels:
+      "policy.cozystack.io/allow-to-apiserver": "true"
+
   metrics:
     enabled: true
     exporter:

packages/apps/tenant/templates/tenant.yaml

@@ -122,7 +122,7 @@ metadata:
   name: {{ include "tenant.name" . }}-view
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "view" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-view
@@ -200,7 +200,7 @@ metadata:
   name: {{ include "tenant.name" . }}-use
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "use" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-use
@@ -299,7 +299,7 @@ metadata:
   name: {{ include "tenant.name" . }}-admin
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "admin" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-admin
@@ -373,7 +373,7 @@ metadata:
   name: {{ include "tenant.name" . }}-super-admin
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "super-admin" (include "tenant.name" .) ) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" (include "tenant.name" .) ) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-super-admin

packages/apps/vpc/README.md

@@ -19,7 +19,7 @@ Subnet name and ip address range must be unique within a VPC.
 Subnet ip address space must not overlap with the default management network ip address range, subsets of 172.16.0.0/12 are recommended.
 Currently there are no fail-safe checks, however they are planned for the future.
 
-Different VPCs may have subnets with ovelapping ip address ranges.
+Different VPCs may have subnets with overlapping ip address ranges.
 
 A VM or a pod may be connected to multiple secondary Subnets at once. Each secondary connection will be represented as an additional network interface.
 

packages/apps/vpc/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/vpc/templates/vpc.yaml

@@ -60,13 +60,33 @@ kind: ConfigMap
 metadata:
   name: {{ $.Release.Name }}-subnets
   labels:
+    apps.cozystack.io/application.group: apps.cozystack.io
+    apps.cozystack.io/application.kind: VirtualPrivateCloud
+    apps.cozystack.io/application.name: {{ trimPrefix "virtualprivatecloud-" .Release.Name }}
     cozystack.io/vpcId: {{ $vpcId }}
     cozystack.io/tenantName: {{ $.Release.Namespace }}
 data:
   {{- range $subnetName, $subnetConfig := .Values.subnets }}
-  {{ $subnetName }}: |-
-    subnetName: {{ $subnetName }}
-    subnetId: {{ print "subnet-" (print $.Release.Namespace "/" $vpcId "/" $subnetName | sha256sum | trunc 8) }}
-    subnetCIDR: {{ $subnetConfig.cidr }}
+  {{ $subnetName }}.ID: {{ print "subnet-" (print $.Release.Namespace "/" $vpcId "/" $subnetName | sha256sum | trunc 8) }}
+  {{ $subnetName }}.CIDR: {{ $subnetConfig.cidr }}
   {{- end }}
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "{{ .Release.Name }}-subnets"
+subjects: {{- include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" .Release.Namespace ) | nindent 2 }}
+roleRef:
+  kind: Role
+  name: "{{ .Release.Name }}-subnets"
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: "{{ .Release.Name }}-subnets"
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get","list","watch"]
+  resourceNames: ["{{ .Release.Name }}-subnets"]

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.37.0@sha256:256c5a0f0ae2fc3ad6865b9fda74c42945b38a5384240fa29554617185b60556
+  image: ghcr.io/cozystack/cozystack/installer:v0.38.0@sha256:1a902ebd15fe375079098c088dd5b40475926c8d9576faf6348433f0fd86a963

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.37.0@sha256:10afd0a6c39248ec41d0e59ff1bc6c29bd0075b7cc9a512b01cf603ef39c33ea
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.38.0@sha256:cb17739b46eca263b2a31c714a3cb211da6f9de259b1641c2fc72c91bdfc93bb

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.37.0@sha256:5cca5f56b755285aefa11b1052fe55e1aa83b25bae34aef80cdb77ff63091044
+ghcr.io/cozystack/cozystack/matchbox:v0.38.0@sha256:9ff2bdcf802445f6c1cabdf0e6fc32ee10043b1067945232a91088abad63f583

packages/extra/ingress/templates/nginx-ingress.yaml

@@ -1,6 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $exposeIngress := index $cozyConfig.data "expose-ingress" | default "tenant-root" }}
-{{- $exposeExternalIPs := (index $cozyConfig.data "expose-external-ips") | default "" }}
+{{- $exposeExternalIPs := (index $cozyConfig.data "expose-external-ips") | default "" | nospace }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:

packages/extra/seaweedfs/images/objectstorage-sidecar.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.37.0@sha256:f166f09cdc9cdbb758209883819ab8261a3793bc1d7a6b6685efd5a2b2930847
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.38.0@sha256:4548d85e7e69150aaf52fbb17fb9487e9714bdd8407aff49762cf39b9d0ab29c

packages/library/cozy-lib/Makefile

@@ -4,3 +4,5 @@ include ../../../scripts/package.mk
 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
 
+test:
+	$(MAKE) -C ../../tests/cozy-lib-tests/ test

packages/library/cozy-lib/templates/_resources.tpl

@@ -174,15 +174,46 @@
 {{- end }}
 
 {{- define "cozy-lib.resources.flatten" -}}
-{{- $out := dict -}}
-{{- $res := include "cozy-lib.resources.sanitize" . | fromYaml -}}
-{{- range $section, $values := $res }}
-  {{- range $k, $v := $values }}
-    {{- $key := printf "%s.%s" $section $k }}
-    {{- if ne $key "limits.storage" }}
-        {{- $_ := set $out $key $v }}
-    {{- end }}
-  {{- end }}
+{{-   $out := dict -}}
+{{-   $res := include "cozy-lib.resources.sanitize" . | fromYaml -}}
+{{-   range $section, $values := $res }}
+{{-     range $k, $v := $values }}
+{{-       with include "cozy-lib.resources.flattenResource" (list $section $k) }}
+{{-         $_ := set $out . $v }}
+{{-       end }}
+{{-     end }}
+{{-   end }}
+{{-   $out | toYaml }}
 {{- end }}
-{{- $out | toYaml }}
+
+{{/*
+  This is a helper function that takes an argument like `list "limits" "services.loadbalancers"`
+  or `list "limits" "storage"` or `list "requests" "cpu"` and returns "services.loadbalancers",
+  "", and "requests.cpu", respectively, thus transforming them to an acceptable format for k8s
+  ResourceQuotas objects.
+*/}}
+{{- define "cozy-lib.resources.flattenResource" }}
+{{-   $rawQuotaKeys := list
+        "pods"
+        "services"
+        "services.loadbalancers"
+        "services.nodeports"
+        "services.clusterip"
+        "configmaps"
+        "secrets"
+        "persistentvolumeclaims"
+        "replicationcontrollers"
+        "resourcequotas"
+-}}
+{{-   $section := index . 0 }}
+{{-   $type := index . 1 }}
+{{-   $out := "" }}
+{{-   if and (eq $section "limits") (eq $type "storage") }}
+{{-     $out = "" }}
+{{-   else if and (eq $section "limits") (has $type $rawQuotaKeys) }}
+{{-     $out = $type }}
+{{-   else if not (has $type $rawQuotaKeys) }}
+{{-     $out = printf "%s.%s" $section $type }}
+{{-   end }}
+{{-   $out -}}
 {{- end }}

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:7348bec610f08bd902c88c9a9f28fdd644727e2728a1e4103f88f0c99febd5e7
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:f21b1c37872221323cee0490f9c58e04fa360c2b8c68700ab0455bc39f3ad160

packages/system/cozystack-api/.gitignore

@@ -0,0 +1 @@
+apiserver.local.config/

packages/system/cozystack-api/Makefile

@@ -4,6 +4,18 @@ NAMESPACE=cozy-system
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
+run-local:
+	openssl req -nodes -new -x509 -keyout /tmp/ca.key -out /tmp/ca.crt -subj "/CN=kube-ca"
+	openssl req -out /tmp/client.csr -new -newkey rsa:2048 -nodes -keyout /tmp/client.key -subj "/C=US/ST=SomeState/L=L/OU=Dev/CN=development/O=system:masters"
+	openssl x509 -req -days 365 -in /tmp/client.csr -CA /tmp/ca.crt -CAkey /tmp/ca.key -set_serial 01 -sha256 -out /tmp/client.crt
+	openssl req -out /tmp/apiserver.csr -new -newkey rsa:2048 -nodes -keyout /tmp/apiserver.key -subj "/CN=cozystack-api" -config cozystack-api-openssl.cnf
+	openssl x509 -req -days 365 -in /tmp/apiserver.csr -CA /tmp/ca.crt -CAkey /tmp/ca.key -set_serial 01 -sha256 -out /tmp/apiserver.crt -extensions v3_req -extfile cozystack-api-openssl.cnf
+	CGO_ENABLED=0 go build -o /tmp/cozystack-api ../../../cmd/cozystack-api/main.go
+	/tmp/cozystack-api --client-ca-file /tmp/ca.crt --tls-cert-file /tmp/apiserver.crt --tls-private-key-file /tmp/apiserver.key --secure-port 6443 --kubeconfig $(KUBECONFIG) --authorization-kubeconfig $(KUBECONFIG) --authentication-kubeconfig $(KUBECONFIG)
+
+debug:
+	dlv debug ../../../cmd/cozystack-api/main.go -- --client-ca-file /tmp/ca.crt --tls-cert-file /tmp/apiserver.crt --tls-private-key-file /tmp/apiserver.key --secure-port 6443 --kubeconfig $(KUBECONFIG) --authorization-kubeconfig $(KUBECONFIG) --authentication-kubeconfig $(KUBECONFIG)
+
 image: image-cozystack-api
 
 image-cozystack-api:

packages/system/cozystack-api/cozystack-api-openssl.cnf

@@ -0,0 +1,13 @@
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions     = v3_req
+prompt             = no
+
+[ req_distinguished_name ]
+CN = cozystack-api
+
+[ v3_req ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+IP.1 = 127.0.0.1

packages/system/cozystack-api/values.yaml

@@ -1,5 +1,5 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.37.0@sha256:19d89e8afb90ce38ab7e42ecedfc28402f7c0b56f30957db957c5415132ff6ca
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.38.0@sha256:5eb5d6369c7c7ba0fa6b34b7c5022faa15c860b72e441b5fbde3eceda94efc88
   localK8sAPIEndpoint:
     enabled: true
   replicas: 2

packages/system/cozystack-controller/values.yaml

@@ -1,6 +1,6 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.37.0@sha256:845b8e68cbc277c2303080bcd55597e4334610d396dad258ad56fd906530acc3
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.38.0@sha256:4628a3711b6a6fc2e446255ee172cd268b28b07c65e98c302ea8897574dcbf22
   debug: false
   disableTelemetry: false
-  cozystackVersion: "v0.37.0"
+  cozystackVersion: "v0.38.0"
   cozystackAPIKind: "DaemonSet"

packages/system/dashboard/images/openapi-ui/Dockerfile

@@ -5,7 +5,7 @@ ARG NODE_VERSION=20.18.1
 FROM node:${NODE_VERSION}-alpine AS openapi-k8s-toolkit-builder
 RUN apk add git
 WORKDIR /src
-ARG COMMIT=7bd5380c6c4606640dd3bac68bf9dce469470518
+ARG COMMIT=cb2f122caafaa2fd5455750213d9e633017ec555
 RUN wget -O- https://github.com/cozystack/openapi-k8s-toolkit/archive/${COMMIT}.tar.gz | tar -xzvf- --strip-components=1
 
 COPY openapi-k8s-toolkit/patches /patches
@@ -22,7 +22,7 @@ FROM node:${NODE_VERSION}-alpine AS builder
 #RUN apk add git
 WORKDIR /src
 
-ARG COMMIT_REF=0c3629b2ce8545e81f7ece4d65372a188c802dfc
+ARG COMMIT_REF=3cfbbf2156b6a5e4a1f283a032019530c0c2d37d
 RUN wget -O- https://github.com/PRO-Robotech/openapi-ui/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
 
 #COPY openapi-ui/patches /patches

packages/system/dashboard/templates/configmap.yaml

@@ -1,6 +1,6 @@
 {{- $brandingConfig:= lookup "v1" "ConfigMap" "cozy-system" "cozystack-branding" }}
 
-{{- $tenantText := "latest" }}
+{{- $tenantText := "v0.38.0" }}
 {{- $footerText := "Cozystack" }}
 {{- $titleText := "Cozystack Dashboard" }}
 {{- $logoText := "" }}

packages/system/dashboard/templates/nginx-config.yaml

@@ -34,6 +34,14 @@ data:
       }
 
       location /k8s {
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $connection_upgrade;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Host $host;
+          proxy_read_timeout 86400s;
+          proxy_send_timeout 86400s;
+          
           rewrite /k8s/(.*) /$1  break;
           proxy_pass https://kubernetes.default.svc:443;
       }

packages/system/dashboard/values.yaml

@@ -1,6 +1,6 @@
 openapiUI:
-  image: ghcr.io/cozystack/cozystack/openapi-ui:latest@sha256:77991f2482c0026d082582b22a8ffb191f3ba6fc948b2f125ef9b1081538f865
+  image: ghcr.io/cozystack/cozystack/openapi-ui:v0.38.0@sha256:78570edb9f4e329ffed0f8da3942acee1536323169d56324e57360df66044c28
 openapiUIK8sBff:
-  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:latest@sha256:8386f0747266726afb2b30db662092d66b0af0370e3becd8bee9684125fa9cc9
+  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v0.38.0@sha256:b7f18b86913d94338f1ceb93fca6409d19f565e35d6d6e683ca93441920fec71
 tokenProxy:
-  image: ghcr.io/cozystack/cozystack/token-proxy:latest@sha256:fad27112617bb17816702571e1f39d0ac3fe5283468d25eb12f79906cdab566b
+  image: ghcr.io/cozystack/cozystack/token-proxy:v0.38.0@sha256:fad27112617bb17816702571e1f39d0ac3fe5283468d25eb12f79906cdab566b

packages/system/kafka-operator/values.yaml

@@ -1,4 +1,7 @@
 strimzi-kafka-operator:
   watchAnyNamespace: true
   generateNetworkPolicy: false
-  kubernetesServiceDnsDomain: cozy.local
+  kubernetesServiceDnsDomain: cozy.local
+  resources:
+    limits:
+      memory: 512Mi

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.37.0@sha256:9f4fd5045ede2909fbaf2572e4138fcbd8921071ecf8f08446257fddd0e6f655
+    tag: v0.38.0@sha256:125e4e6a8b86418e891416d29353053ab8b65182b7e443f221b557c11a385280
     repository: ghcr.io/cozystack/cozystack/kamaji
   resources:
     limits:
@@ -13,4 +13,4 @@ kamaji:
       cpu: 100m
       memory: 100Mi
   extraArgs:
-    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v0.37.0@sha256:9f4fd5045ede2909fbaf2572e4138fcbd8921071ecf8f08446257fddd0e6f655
+    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v0.38.0@sha256:125e4e6a8b86418e891416d29353053ab8b65182b7e443f221b557c11a385280

packages/system/kubeovn-plunger/values.yaml

@@ -1,4 +1,4 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v0.37.0@sha256:9950614571ea77a55925eba0839b6b12c8e5a7a30b8858031a8c6050f261af1a
+image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v0.38.0@sha256:a140bdcc300bcfb63a5d64884d02d802d7669ba96dc65292a06f3b200ff627f8
 ovnCentralName: ovn-central

packages/system/kubeovn-webhook/values.yaml

@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.37.0@sha256:7e63205708e607ce2cedfe2a2cafd323ca51e3ebc71244a21ff6f9016c6c87bc
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.38.0@sha256:7bfd458299a507f2cf82cddb65941ded6991fd4ba92fd46010cbc8c363126085

packages/system/kubeovn/values.yaml

@@ -44,7 +44,7 @@ kube-ovn:
       memory: "50Mi"
     limits:
       cpu: "1000m"
-      memory: "1Gi"
+      memory: "2Gi"
   kube-ovn-pinger:
     requests:
       cpu: "10m"
@@ -65,4 +65,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.14.5@sha256:af10da442a0c6dc7df47a0ef752e2eb5c247bb0b43069fdfcb2aa51511185ea2
+      tag: v1.14.11@sha256:1b0f472cf30d5806e3afd10439ce8f9cfe8a004322dbd1911f7d69171fe936e5

packages/system/kubevirt-csi-node/values.yaml

@@ -1,3 +1,3 @@
 storageClass: replicated
 csiDriver:
-  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:c8b08084a86251cdd18e237de89b695bca0e4f7eb1f1f6ddc2b903b4d74ea5ff
+  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:d5c836ba33cf5dbed7e6f866784f668f80ffe69179e7c75847b680111984eefb

packages/system/lineage-controller-webhook/values.yaml

@@ -1,5 +1,5 @@
 lineageControllerWebhook:
-  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.37.0@sha256:845b8e68cbc277c2303080bcd55597e4334610d396dad258ad56fd906530acc3
+  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.38.0@sha256:fc2b04f59757904ec1557a39529b84b595114b040ef95d677fd7f21ac3958e0a
   debug: false
   localK8sAPIEndpoint:
     enabled: true

packages/system/mariadb-operator/charts/mariadb-operator/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: mariadb-operator-crds
   repository: file://../mariadb-operator-crds
-  version: 0.38.1
-digest: sha256:0f2ff90b83955a060f581b7db4a0c746338ae3a50d9766877c346c7f61d74cde
-generated: "2025-04-15T16:54:07.813989419Z"
+  version: 25.10.2
+digest: sha256:01b102dbdb92970e38346df382ed3e5cd93d02a3b642029e94320256c9bfad42
+generated: "2025-10-28T11:29:04.951947063Z"

packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml

@@ -1,10 +1,10 @@
 apiVersion: v2
-appVersion: 0.38.1
+appVersion: 25.10.2
 dependencies:
 - condition: crds.enabled
   name: mariadb-operator-crds
   repository: file://../mariadb-operator-crds
-  version: 0.38.1
+  version: 25.10.2
 description: Run and operate MariaDB in a cloud native way
 home: https://github.com/mariadb-operator/mariadb-operator
 icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
@@ -21,4 +21,4 @@ maintainers:
   name: mmontes11
 name: mariadb-operator
 type: application
-version: 0.38.1
+version: 25.10.2

packages/system/mariadb-operator/charts/mariadb-operator/README.md

@@ -2,7 +2,7 @@
 
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
 
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.38.1](https://img.shields.io/badge/Version-0.38.1-informational?style=flat-square) ![AppVersion: 0.38.1](https://img.shields.io/badge/AppVersion-0.38.1-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 25.10.2](https://img.shields.io/badge/Version-25.10.2-informational?style=flat-square) ![AppVersion: 25.10.2](https://img.shields.io/badge/AppVersion-25.10.2-informational?style=flat-square)
 
 Run and operate MariaDB in a cloud native way
 
@@ -16,7 +16,7 @@ helm install mariadb-operator-crds mariadb-operator/mariadb-operator-crds
 helm install mariadb-operator mariadb-operator/mariadb-operator
 ```
 
-Refer to the [helm documentation](https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/HELM.md) for further detail.
+Refer to the [helm documentation](https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/helm.md) for further detail.
 
 ## Values
 
@@ -60,14 +60,15 @@ Refer to the [helm documentation](https://github.com/mariadb-operator/mariadb-op
 | certController.tolerations | list | `[]` | Tolerations to add to cert-controller container |
 | certController.topologySpreadConstraints | list | `[]` | topologySpreadConstraints to add to cert-controller container |
 | clusterName | string | `"cluster.local"` | Cluster DNS name |
-| config | object | `{"exporterImage":"prom/mysqld-exporter:v0.15.1","exporterMaxscaleImage":"docker-registry2.mariadb.com/mariadb/maxscale-prometheus-exporter-ubi:v0.0.1","galeraLibPath":"/usr/lib/galera/libgalera_smm.so","mariadbDefaultVersion":"11.4","mariadbImage":"docker-registry1.mariadb.com/library/mariadb:11.4.5","maxscaleImage":"docker-registry2.mariadb.com/mariadb/maxscale:23.08.5"}` | Operator configuration |
+| config | object | `{"exporterImage":"prom/mysqld-exporter:v0.15.1","exporterMaxscaleImage":"docker-registry2.mariadb.com/mariadb/maxscale-prometheus-exporter-ubi:v0.0.1","galeraLibPath":"/usr/lib/galera/libgalera_smm.so","mariadbDefaultVersion":"11.8","mariadbImage":"docker-registry1.mariadb.com/library/mariadb:11.8.2","mariadbImageName":"docker-registry1.mariadb.com/library/mariadb","maxscaleImage":"docker-registry2.mariadb.com/mariadb/maxscale:23.08.5"}` | Operator configuration |
 | config.exporterImage | string | `"prom/mysqld-exporter:v0.15.1"` | Default MariaDB exporter image |
 | config.exporterMaxscaleImage | string | `"docker-registry2.mariadb.com/mariadb/maxscale-prometheus-exporter-ubi:v0.0.1"` | Default MaxScale exporter image |
 | config.galeraLibPath | string | `"/usr/lib/galera/libgalera_smm.so"` | Galera library path to be used with MariaDB Galera |
-| config.mariadbDefaultVersion | string | `"11.4"` | Default MariaDB version to be used when unable to infer it via image tag |
-| config.mariadbImage | string | `"docker-registry1.mariadb.com/library/mariadb:11.4.5"` | Default MariaDB image |
+| config.mariadbDefaultVersion | string | `"11.8"` | Default MariaDB version to be used when unable to infer it via image tag |
+| config.mariadbImage | string | `"docker-registry1.mariadb.com/library/mariadb:11.8.2"` | Default MariaDB image |
+| config.mariadbImageName | string | `"docker-registry1.mariadb.com/library/mariadb"` | Default MariaDB image name |
 | config.maxscaleImage | string | `"docker-registry2.mariadb.com/mariadb/maxscale:23.08.5"` | Default MaxScale image |
-| crds | object | `{"enabled":false}` | - CRDs |
+| crds | object | `{"enabled":false}` | CRDs |
 | crds.enabled | bool | `false` | Whether the helm chart should create and update the CRDs. It is false by default, which implies that the CRDs must be managed independently with the mariadb-operator-crds helm chart. **WARNING** This should only be set to true during the initial deployment. If this chart manages the CRDs and is later uninstalled, all MariaDB instances will be DELETED. |
 | currentNamespaceOnly | bool | `false` | Whether the operator should watch CRDs only in its own namespace or not. |
 | extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |

packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl

@@ -17,6 +17,6 @@ helm install mariadb-operator-crds mariadb-operator/mariadb-operator-crds
 helm install mariadb-operator mariadb-operator/mariadb-operator
 ```
 
-Refer to the [helm documentation](https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/HELM.md) for further detail.
+Refer to the [helm documentation](https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/helm.md) for further detail.
 
 {{ template "chart.valuesSection" . }}

packages/system/mariadb-operator/charts/mariadb-operator/charts/mariadb-operator-crds/Chart.yaml

@@ -16,4 +16,4 @@ maintainers:
   name: mmontes11
 name: mariadb-operator-crds
 type: application
-version: 0.38.1
+version: 25.10.2

packages/system/mariadb-operator/charts/mariadb-operator/templates/NOTES.txt

@@ -1,4 +1,4 @@
 mariadb-operator has been successfully deployed! 🦭
 
 Not sure what to do next? 😅 Check out:
-https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/QUICKSTART.md
+https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/quickstart.md

packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller/rbac.yaml

@@ -51,10 +51,10 @@ rules:
   - patch
   - watch
 - apiGroups:
-  - ""
+  - discovery.k8s.io
   resources:
-  - endpoints
-  - endpoints/restricted
+  - endpointslices
+  - endpointslices/restricted
   verbs:
   - get
   - list

packages/system/mariadb-operator/charts/mariadb-operator/templates/operator/configmap.yaml

@@ -4,6 +4,7 @@ data:
   MARIADB_GALERA_LIB_PATH: "{{ .Values.config.galeraLibPath }}"
   MARIADB_DEFAULT_VERSION: "{{ .Values.config.mariadbDefaultVersion }}"
   RELATED_IMAGE_MARIADB: "{{ .Values.config.mariadbImage }}"
+  RELATED_IMAGE_MARIADB_NAME: "{{ .Values.config.mariadbImageName }}"
   RELATED_IMAGE_MAXSCALE: "{{ .Values.config.maxscaleImage }}"
   RELATED_IMAGE_EXPORTER: "{{ .Values.config.exporterImage }}"
   RELATED_IMAGE_EXPORTER_MAXSCALE: "{{ .Values.config.exporterMaxscaleImage }}"

packages/system/mariadb-operator/charts/mariadb-operator/templates/operator/rbac-namespace.yaml

@@ -36,17 +36,6 @@ rules:
   verbs:
   - create
   - patch
-- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  - endpoints/restricted
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -65,6 +54,7 @@ rules:
   - persistentvolumeclaims
   verbs:
   - create
+  - delete
   - deletecollection
   - list
   - patch
@@ -121,6 +111,7 @@ rules:
   verbs:
   - create
   - delete
+  - get
   - list
   - patch
   - watch
@@ -133,6 +124,17 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  - endpointslices/restricted
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
 - apiGroups:
   - k8s.mariadb.com
   resources:
@@ -141,7 +143,9 @@ rules:
   - databases
   - grants
   - mariadbs
+  - externalmariadbs
   - maxscales
+  - physicalbackups
   - restores
   - sqljobs
   - users
@@ -161,7 +165,9 @@ rules:
   - databases/finalizers
   - grants/finalizers
   - mariadbs/finalizers
+  - externalmariadbs/finalizers
   - maxscales/finalizers
+  - physicalbackups/finalizers
   - restores/finalizers
   - sqljobs/finalizers
   - users/finalizers
@@ -175,7 +181,9 @@ rules:
   - databases/status
   - grants/status
   - mariadbs/status
+  - externalmariadbs/status
   - maxscales/status
+  - physicalbackups/status
   - restores/status
   - sqljobs/status
   - users/status
@@ -220,6 +228,17 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

packages/system/mariadb-operator/charts/mariadb-operator/templates/operator/rbac.yaml

@@ -53,17 +53,6 @@ rules:
   - list
   - patch
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  - endpoints/restricted
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -82,6 +71,7 @@ rules:
   - persistentvolumeclaims
   verbs:
   - create
+  - delete
   - deletecollection
   - list
   - patch
@@ -150,6 +140,7 @@ rules:
   verbs:
   - create
   - delete
+  - get
   - list
   - patch
   - watch
@@ -162,6 +153,17 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  - endpointslices/restricted
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
 - apiGroups:
   - k8s.mariadb.com
   resources:
@@ -170,7 +172,9 @@ rules:
   - databases
   - grants
   - mariadbs
+  - externalmariadbs
   - maxscales
+  - physicalbackups
   - restores
   - sqljobs
   - users
@@ -190,7 +194,9 @@ rules:
   - databases/finalizers
   - grants/finalizers
   - mariadbs/finalizers
+  - externalmariadbs/finalizers
   - maxscales/finalizers
+  - physicalbackups/finalizers
   - restores/finalizers
   - sqljobs/finalizers
   - users/finalizers
@@ -204,7 +210,9 @@ rules:
   - databases/status
   - grants/status
   - mariadbs/status
+  - externalmariadbs/status
   - maxscales/status
+  - physicalbackups/status
   - restores/status
   - sqljobs/status
   - users/status
@@ -250,6 +258,17 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook/config.yaml

@@ -1,41 +1,5 @@
 {{ if and (not .Values.currentNamespaceOnly) .Values.webhook.enabled }}
 {{ $fullName := include "mariadb-operator.fullname" . }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  name: {{ $fullName }}-webhook
-  labels:
-    {{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
-  annotations:
-    {{- if .Values.webhook.cert.certManager.enabled }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
-    {{- else }}
-    k8s.mariadb.com/webhook: ""
-    {{- end }}
-    {{- with .Values.webhook.annotations }}
-    {{ toYaml . | indent 4 }}
-    {{- end }}
-webhooks:
-- admissionReviewVersions:
-  - v1
-  clientConfig:
-    service:
-      name: {{ $fullName }}-webhook
-      namespace: {{ .Release.Namespace }}
-      path: /mutate-k8s-mariadb-com-v1alpha1-mariadb
-  failurePolicy: Fail
-  name: mmariadb-v1alpha1.kb.io
-  rules:
-  - apiGroups:
-    - k8s.mariadb.com
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - mariadbs
-  sideEffects: None
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -73,6 +37,26 @@ webhooks:
         resources:
           - backups
     sideEffects: None
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: {{ $fullName }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validate-k8s-mariadb-com-v1alpha1-physicalbackup
+    failurePolicy: Fail
+    name: vphysicalbackup-v1alpha1.kb.io
+    rules:
+      - apiGroups:
+          - k8s.mariadb.com
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - physicalbackups
+    sideEffects: None
   - admissionReviewVersions:
       - v1
     clientConfig:
@@ -233,4 +217,4 @@ webhooks:
         resources:
           - users
     sideEffects: None
-{{- end }}
+{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/values.yaml

@@ -1,6 +1,6 @@
 nameOverride: ""
 fullnameOverride: ""
-# --- CRDs
+# -- CRDs
 crds:
   # -- Whether the helm chart should create and update the CRDs. It is false by default, which implies that the CRDs must be
   # managed independently with the mariadb-operator-crds helm chart.
@@ -310,9 +310,11 @@ config:
   # -- Galera library path to be used with MariaDB Galera
   galeraLibPath: /usr/lib/galera/libgalera_smm.so
   # -- Default MariaDB version to be used when unable to infer it via image tag
-  mariadbDefaultVersion: "11.4"
+  mariadbDefaultVersion: "11.8"
   # -- Default MariaDB image
-  mariadbImage: docker-registry1.mariadb.com/library/mariadb:11.4.5
+  mariadbImage: docker-registry1.mariadb.com/library/mariadb:11.8.2
+  # -- Default MariaDB image name
+  mariadbImageName: docker-registry1.mariadb.com/library/mariadb
   # -- Default MaxScale image
   maxscaleImage: docker-registry2.mariadb.com/mariadb/maxscale:23.08.5
   # -- Default MariaDB exporter image

packages/system/multus/templates/multus-daemonset-thick.yml

@@ -154,7 +154,7 @@ spec:
       serviceAccountName: multus
       containers:
         - name: kube-multus
-          image: ghcr.io/k8snetworkplumbingwg/multus-cni:v4.2.2-thick
+          image: ghcr.io/k8snetworkplumbingwg/multus-cni:v4.2.3-thick
           command: [ "/usr/src/multus-cni/bin/multus-daemon" ]
           resources:
             requests:
@@ -162,7 +162,7 @@ spec:
               memory: "100Mi"
             limits:
               cpu: "100m"
-              memory: "100Mi"
+              memory: "300Mi"
           securityContext:
             privileged: true
           terminationMessagePolicy: FallbackToLogsOnError
@@ -201,11 +201,13 @@ spec:
                   fieldPath: spec.nodeName
       initContainers:
         - name: install-multus-binary
-          image: ghcr.io/k8snetworkplumbingwg/multus-cni:v4.2.2-thick
+          image: ghcr.io/k8snetworkplumbingwg/multus-cni:v4.2.3-thick
           command:
-            - "sh"
-            - "-c"
-            - "cp /usr/src/multus-cni/bin/multus-shim /host/opt/cni/bin/multus-shim && cp /usr/src/multus-cni/bin/passthru /host/opt/cni/bin/passthru"
+            - "/usr/src/multus-cni/bin/install_multus"
+            - "-d"
+            - "/host/opt/cni/bin"
+            - "-t"
+            - "thick"
           resources:
             requests:
               cpu: "10m"

packages/system/objectstorage-controller/values.yaml

@@ -1,3 +1,3 @@
 objectstorage:
   controller:
-    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.37.0@sha256:5f2eed05d19ba971806374834cb16ca49282aac76130194c00b213c79ce3e10d"
+    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.38.0@sha256:7d37495cce46d30d4613ecfacaa7b7f140e7ea8f3dbcc3e8c976e271de6cc71b"

packages/system/piraeus-operator/charts/piraeus/Chart.yaml

@@ -3,8 +3,8 @@ name: piraeus
 description: |
   The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
 type: application
-version: 2.9.1
-appVersion: "v2.9.1"
+version: 2.10.1
+appVersion: "v2.10.1"
 maintainers:
   - name: Piraeus Datastore
     url: https://piraeus.io

packages/system/piraeus-operator/charts/piraeus/README.md

@@ -3,33 +3,8 @@
 Deploys the [Piraeus Operator](https://github.com/piraeusdatastore/piraeus-operator) which deploys and manages a simple
 and resilient storage solution for Kubernetes.
 
-The main deployment method for Piraeus Operator switched to [`kustomize`](../../docs/tutorial)
+The main deployment method for Piraeus Operator switched to [`kustomize`](https://piraeus.io/docs/stable/tutorial/get-started/)
 in release `v2.0.0`. This chart is intended for users who want to continue using Helm.
 
 This chart **only** configures the Operator, but does not create the `LinstorCluster` resource creating the actual
-storage system. Refer to the existing [tutorials](../../docs/tutorial)
-and [how-to guides](../../docs/how-to).
-
-## Deploying Piraeus Operator
-
-To deploy Piraeus Operator with Helm, clone this repository and deploy the chart:
-
-```
-$ git clone --branch v2 https://github.com/piraeusdatastore/piraeus-operator
-$ cd piraeus-operator
-$ helm install piraeus-operator charts/piraeus-operator --create-namespace -n piraeus-datastore
-```
-
-Follow the instructions printed by Helm to create your storage cluster:
-
-```
-$ kubectl apply -f - <<EOF
-apiVersion: piraeus.io/v1
-kind: LinstorCluster
-metadata:
-  name: linstorcluster
-spec: {}
-EOF
-```
-
-Check out our [documentation](../../docs) for more information.
+storage system. Refer to the [how-to guide](https://piraeus.io/docs/stable/how-to/helm/).

packages/system/piraeus-operator/charts/piraeus/templates/NOTES.txt

@@ -14,7 +14,7 @@ Piraeus Operator installed.
 ` }}
 {{- end }}
 
-{{- if not (.Capabilities.APIVersions.Has "piraeus.io/v1/LinstorCluster") }}
+{{- if and (not (.Capabilities.APIVersions.Has "piraeus.io/v1/LinstorCluster")) (not .Values.installCRDs) }}
 It looks like the necessary CRDs for Piraeus Operator are still missing.
 
 To apply them via helm now use:
@@ -23,18 +23,12 @@ To apply them via helm now use:
 
 Alternatively, you can manage them manually:
 
-  kubectl apply --server-side -k "https://github.com/piraeusdatastore/piraeus-operator//config/crd?ref=v2"
+  kubectl apply --server-side -k "https://github.com/piraeusdatastore/piraeus-operator//config/crd?ref={{ .Chart.AppVersion }}"
 
 {{- end }}
 
-To get started with Piraeus, simply run:
+To get started with Piraeus Datastore deploy the "linstor-cluster" chart:
 
-$ kubectl apply -f - <<EOF
-apiVersion: piraeus.io/v1
-kind: LinstorCluster
-metadata:
-  name: linstorcluster
-spec: {}
-EOF
+$ helm upgrade --install --namespace {{ .Release.Namespace }} linstor-cluster oci://ghcr.io/piraeusdatastore/helm-charts/linstor-cluster
 
-For next steps, check out our documentation at https://github.com/piraeusdatastore/piraeus-operator/tree/v2/docs
+For next steps, check out our documentation at https://piraeus.io/docs/{{ .Chart.AppVersion }}

packages/system/piraeus-operator/charts/piraeus/templates/config.yaml

@@ -23,20 +23,26 @@ data:
         tag: v1.32.3
         image: piraeus-server
       linstor-csi:
-        tag: v1.9.0
+        tag: v1.10.2
         image: piraeus-csi
+      nfs-server:
+        tag: v1.10.2
+        image: piraeus-csi-nfs-server
       drbd-reactor:
-        tag: v1.9.0
+        tag: v1.10.0
         image: drbd-reactor
       ha-controller:
-        tag: v1.3.0
+        tag: v1.3.1
         image: piraeus-ha-controller
       drbd-shutdown-guard:
-        tag: v1.0.0
+        tag: v1.1.1
         image: drbd-shutdown-guard
       ktls-utils:
         tag: v1.2.1
         image: ktls-utils
+      linstor-affinity-controller:
+        tag: v1.3.0
+        image: linstor-affinity-controller
       drbd-module-loader:
         tag: v9.2.15
         # The special "match" attribute is used to select an image based on the node's reported OS.
@@ -93,13 +99,13 @@ data:
         tag: v2.17.0
         image: livenessprobe
       csi-provisioner:
-        tag: v5.3.0
+        tag: v6.0.0
         image: csi-provisioner
       csi-snapshotter:
-        tag: v8.3.0
+        tag: v8.4.0
         image: csi-snapshotter
       csi-resizer:
-        tag: v1.14.0
+        tag: v2.0.0
         image: csi-resizer
       csi-external-health-monitor-controller:
         tag: v0.16.0

packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml

@@ -15,7 +15,41 @@ spec:
     singular: linstorcluster
   scope: Cluster
   versions:
-  - name: v1
+  - additionalPrinterColumns:
+    - description: If the LINSTOR Cluster is available
+      jsonPath: .status.conditions[?(@.type=='Available')].status
+      name: Available
+      type: string
+    - description: If the LINSTOR Cluster is fully configured
+      jsonPath: .status.conditions[?(@.type=='Configured')].status
+      name: Configured
+      type: string
+    - description: The version of the LINSTOR Cluster
+      jsonPath: .status.version
+      name: Version
+      priority: 10
+      type: string
+    - description: The number of running/expected Satellites
+      jsonPath: .status.satellites
+      name: Satellites
+      type: string
+    - description: The used capacity in all storage pools
+      jsonPath: .status.capacity
+      name: Used Capacity
+      type: string
+    - description: The number of volumes in the cluster
+      jsonPath: .status.numberOfVolumes
+      name: Volumes
+      type: integer
+    - description: The number of snapshots in the cluster
+      jsonPath: .status.numberOfSnapshots
+      name: Snapshots
+      priority: 10
+      type: integer
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
     schema:
       openAPIV3Schema:
         description: LinstorCluster is the Schema for the linstorclusters API
@@ -40,6 +74,30 @@ spec:
           spec:
             description: LinstorClusterSpec defines the desired state of LinstorCluster
             properties:
+              affinityController:
+                description: AffinityController controls the deployment of the Affinity
+                  Controller Deployment.
+                properties:
+                  enabled:
+                    default: true
+                    description: Enable the component.
+                    type: boolean
+                  podTemplate:
+                    description: |-
+                      Template to apply to Pods of the component.
+
+                      The template is applied as a patch to the default deployment, so it can be "sparse", not listing any
+                      containers or volumes that should remain unchanged.
+                      See https://kubernetes.io/docs/concepts/workloads/pods/#pod-templates
+                    type: object
+                    x-kubernetes-map-type: atomic
+                    x-kubernetes-preserve-unknown-fields: true
+                  replicas:
+                    description: Number of desired pods. Defaults to 1.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                type: object
               apiTLS:
                 description: |-
                   ApiTLS secures the LINSTOR API.
@@ -47,6 +105,11 @@ spec:
                   This configures the TLS key and certificate used to secure the LINSTOR API.
                 nullable: true
                 properties:
+                  affinityControllerSecretName:
+                    description: |-
+                      AffinityControllerSecretName references a secret holding the TLS key and certificate used by the Affinity
+                      Controller to monitor volume state. Defaults to "linstor-affinity-controller-tls".
+                    type: string
                   apiSecretName:
                     description: |-
                       ApiSecretName references a secret holding the TLS key and certificate used to protect the API.
@@ -114,6 +177,11 @@ spec:
                       CsiNodeSecretName references a secret holding the TLS key and certificate used by the CSI Nodes to query
                       the volume state. Defaults to "linstor-csi-node-tls".
                     type: string
+                  nfsServerSecretName:
+                    description: |-
+                      NFSServerSecretName references a secret holding the TLS key and certificate used by the NFS Server to query
+                      the cluster state. Defaults to "linstor-csi-nfs-server-tls".
+                    type: string
                 type: object
               controller:
                 description: Controller controls the deployment of the LINSTOR Controller
@@ -152,6 +220,11 @@ spec:
                     type: object
                     x-kubernetes-map-type: atomic
                     x-kubernetes-preserve-unknown-fields: true
+                  replicas:
+                    description: Number of desired pods. Defaults to 1.
+                    format: int32
+                    minimum: 0
+                    type: integer
                 type: object
               csiNode:
                 description: CSINode controls the deployment of the CSI Node DaemonSet.
@@ -272,6 +345,25 @@ spec:
                   * Store credentials for accessing remotes for backups.
                   See https://linbit.com/drbd-user-guide/linstor-guide-1_0-en/#s-encrypt_commands for more information.
                 type: string
+              nfsServer:
+                description: NFSServer controls the deployment of the LINSTOR CSI
+                  NFS Server DaemonSet.
+                properties:
+                  enabled:
+                    default: true
+                    description: Enable the component.
+                    type: boolean
+                  podTemplate:
+                    description: |-
+                      Template to apply to Pods of the component.
+
+                      The template is applied as a patch to the default deployment, so it can be "sparse", not listing any
+                      containers or volumes that should remain unchanged.
+                      See https://kubernetes.io/docs/concepts/workloads/pods/#pod-templates
+                    type: object
+                    x-kubernetes-map-type: atomic
+                    x-kubernetes-preserve-unknown-fields: true
+                type: object
               nodeAffinity:
                 description: |-
                   NodeAffinity selects the nodes on which LINSTOR Satellites will be deployed.
@@ -379,9 +471,16 @@ spec:
                     JSON patch and its targets.
                   properties:
                     options:
-                      additionalProperties:
-                        type: boolean
                       description: Options is a list of options for the patch
+                      properties:
+                        allowKindChange:
+                          description: AllowKindChange allows kind changes to the
+                            resource.
+                          type: boolean
+                        allowNameChange:
+                          description: AllowNameChange allows name changes to the
+                            resource.
+                          type: boolean
                       type: object
                     patch:
                       description: Patch is the content of a patch.
@@ -493,6 +592,15 @@ spec:
           status:
             description: LinstorClusterStatus defines the observed state of LinstorCluster
             properties:
+              availableCapacityBytes:
+                description: The number of bytes in total in all storage pools in
+                  the LINSTOR Cluster.
+                format: int64
+                type: integer
+              capacity:
+                description: Capacity mirrors the information from TotalCapacityBytes
+                  and FreeCapacityBytes in a human-readable string
+                type: string
               conditions:
                 description: Current LINSTOR Cluster state
                 items:
@@ -553,6 +661,35 @@ spec:
                 x-kubernetes-list-map-keys:
                 - type
                 x-kubernetes-list-type: map
+              freeCapacityBytes:
+                description: The number of bytes free in all storage pools in the
+                  LINSTOR Cluster.
+                format: int64
+                type: integer
+              numberOfSnapshots:
+                description: The number of snapshots in the LINSTOR Cluster.
+                format: int32
+                type: integer
+              numberOfVolumes:
+                description: The number of volumes in the LINSTOR Cluster.
+                format: int32
+                type: integer
+              runningSatellites:
+                description: The number of LINSTOR Satellites currently running.
+                format: int32
+                type: integer
+              satellites:
+                description: Satellites mirrors the information from ScheduledSatellites
+                  and RunningSatellites in a human-readable string
+                type: string
+              scheduledSatellites:
+                description: The number of LINSTOR Satellites that are expected to
+                  run.
+                format: int32
+                type: integer
+              version:
+                description: The Version of the LINSTOR Cluster.
+                type: string
             type: object
         type: object
     served: true
@@ -575,7 +712,15 @@ spec:
     singular: linstornodeconnection
   scope: Cluster
   versions:
-  - name: v1
+  - additionalPrinterColumns:
+    - description: If the LINSTOR Node Connection is fully configured
+      jsonPath: .status.conditions[?(@.type=='Configured')].status
+      name: Configured
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
     schema:
       openAPIV3Schema:
         description: LinstorNodeConnection is the Schema for the linstornodeconnections
@@ -777,7 +922,28 @@ spec:
     singular: linstorsatelliteconfiguration
   scope: Cluster
   versions:
-  - name: v1
+  - additionalPrinterColumns:
+    - description: The node selector used
+      jsonPath: .spec.nodeSelector
+      name: Selector
+      type: string
+    - description: If the Configuration was applied
+      jsonPath: .status.conditions[?(@.type=='Applied')].status
+      name: Applied
+      type: string
+    - description: Number of Satellites this Configuration has been applied to
+      jsonPath: .status.matched
+      name: Matched
+      type: integer
+    - description: Satellites this Configuration has been applied to
+      jsonPath: .status.appliedTo
+      name: Satellites
+      priority: 10
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
     schema:
       openAPIV3Schema:
         description: LinstorSatelliteConfiguration is the Schema for the linstorsatelliteconfigurations
@@ -1013,9 +1179,16 @@ spec:
                     JSON patch and its targets.
                   properties:
                     options:
-                      additionalProperties:
-                        type: boolean
                       description: Options is a list of options for the patch
+                      properties:
+                        allowKindChange:
+                          description: AllowKindChange allows kind changes to the
+                            resource.
+                          type: boolean
+                        allowNameChange:
+                          description: AllowNameChange allows name changes to the
+                            resource.
+                          type: boolean
                       type: object
                     patch:
                       description: Patch is the content of a patch.
@@ -1274,6 +1447,12 @@ spec:
             description: LinstorSatelliteConfigurationStatus defines the observed
               state of LinstorSatelliteConfiguration
             properties:
+              appliedTo:
+                description: AppliedTo lists the LinstorSatellite resource this configuration
+                  was applied to
+                items:
+                  type: string
+                type: array
               conditions:
                 description: Current LINSTOR Satellite Config state
                 items:
@@ -1334,6 +1513,10 @@ spec:
                 x-kubernetes-list-map-keys:
                 - type
                 x-kubernetes-list-type: map
+              matched:
+                description: Number of configured LinstorSatellite resource.
+                format: int64
+                type: integer
             type: object
         type: object
     served: true
@@ -1356,7 +1539,51 @@ spec:
     singular: linstorsatellite
   scope: Cluster
   versions:
-  - name: v1
+  - additionalPrinterColumns:
+    - description: If the LINSTOR Satellite is connected
+      jsonPath: .status.conditions[?(@.type=='Available')].status
+      name: Connected
+      type: string
+    - description: If the LINSTOR Satellite is fully configured
+      jsonPath: .status.conditions[?(@.type=='Configured')].status
+      name: Configured
+      type: string
+    - description: The Satellite Configurations applied to this Satellite
+      jsonPath: .metadata.annotations.piraeus\.io/applied-configurations
+      name: Applied Configurations
+      priority: 10
+      type: string
+    - description: The deletion policy of the Satellite
+      jsonPath: .spec.deletionPolicy
+      name: Deletion Policy
+      type: string
+    - description: The used capacity on the node
+      jsonPath: .status.capacity
+      name: Used Capacity
+      type: string
+    - description: The number of volumes on the node
+      jsonPath: .status.numberOfVolumes
+      name: Volumes
+      type: integer
+    - description: The number of snapshots on the node
+      jsonPath: .status.numberOfSnapshots
+      name: Snapshots
+      priority: 10
+      type: integer
+    - description: The storage providers supported by the node
+      jsonPath: .status.storageProviders
+      name: Storage Providers
+      priority: 10
+      type: string
+    - description: The device layers supported by the node
+      jsonPath: .status.deviceLayers
+      name: Device Layers
+      priority: 10
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
     schema:
       openAPIV3Schema:
         description: LinstorSatellite is the Schema for the linstorsatellites API
@@ -1546,9 +1773,16 @@ spec:
                     JSON patch and its targets.
                   properties:
                     options:
-                      additionalProperties:
-                        type: boolean
                       description: Options is a list of options for the patch
+                      properties:
+                        allowKindChange:
+                          description: AllowKindChange allows kind changes to the
+                            resource.
+                          type: boolean
+                        allowNameChange:
+                          description: AllowNameChange allows name changes to the
+                            resource.
+                          type: boolean
                       type: object
                     patch:
                       description: Patch is the content of a patch.
@@ -1801,6 +2035,15 @@ spec:
           status:
             description: LinstorSatelliteStatus defines the observed state of LinstorSatellite
             properties:
+              availableCapacityBytes:
+                description: The number of bytes in total in all storage pools on
+                  this Satellite.
+                format: int64
+                type: integer
+              capacity:
+                description: Capacity mirrors the information from TotalCapacityBytes
+                  and FreeCapacityBytes in a human-readable string.
+                type: string
               conditions:
                 description: Current LINSTOR Satellite state
                 items:
@@ -1861,6 +2104,31 @@ spec:
                 x-kubernetes-list-map-keys:
                 - type
                 x-kubernetes-list-type: map
+              deviceLayers:
+                description: DeviceLayers lists the device layers (LUKS, CACHE, etc...)
+                  this Satellite supports.
+                items:
+                  type: string
+                type: array
+              freeCapacityBytes:
+                description: The number of bytes free in all storage pools on this
+                  Satellite.
+                format: int64
+                type: integer
+              numberOfSnapshots:
+                description: The number of snapshots on this Satellite.
+                format: int32
+                type: integer
+              numberOfVolumes:
+                description: The number of volumes on this Satellite.
+                format: int32
+                type: integer
+              storageProviders:
+                description: StorageProviders lists the storage providers (LVM, ZFS,
+                  etc...) this Satellite supports.
+                items:
+                  type: string
+                type: array
             type: object
         type: object
     served: true

packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml

@@ -13,9 +13,15 @@ spec:
   template:
     metadata:
       labels:
-      {{- include "piraeus-operator.selectorLabels" . | nindent 8 }}
+        {{- include "piraeus-operator.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       annotations:
         kubectl.kubernetes.io/default-container: manager
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       containers:
       - args:
@@ -90,6 +96,9 @@ spec:
       {{- end }}
       securityContext:
         runAsNonRoot: true
+        {{- with .Values.podSecurityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
       serviceAccountName: {{ include "piraeus-operator.serviceAccountName" . }}
       terminationGracePeriodSeconds: 10
       priorityClassName: {{ .Values.priorityClassName | default "system-cluster-critical" }}

packages/system/piraeus-operator/charts/piraeus/templates/rbac.yaml

@@ -30,8 +30,18 @@ rules:
     - ""
   resources:
     - nodes
+  verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - ""
+  resources:
     - persistentvolumeclaims
   verbs:
+    - delete
     - get
     - list
     - patch
@@ -92,6 +102,21 @@ rules:
     - patch
     - update
     - watch
+- apiGroups:
+    - cluster.x-k8s.io
+  resources:
+    - machines
+  verbs:
+    - get
+    - update
+- apiGroups:
+    - discovery.k8s.io
+  resources:
+    - endpointslices
+    - endpointslices/restricted
+  verbs:
+    - create
+    - delete
 - apiGroups:
     - events.k8s.io
   resources:
@@ -103,6 +128,32 @@ rules:
     - patch
     - update
     - watch
+- apiGroups:
+    - groupsnapshot.storage.k8s.io
+  resources:
+    - volumegroupsnapshotclasses
+    - volumesnapshots
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - groupsnapshot.storage.k8s.io
+  resources:
+    - volumegroupsnapshotcontents
+  verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - groupsnapshot.storage.k8s.io
+  resources:
+    - volumegroupsnapshotcontents/status
+  verbs:
+    - patch
+    - update
 - apiGroups:
     - internal.linstor.linbit.com
   resources:
@@ -194,7 +245,6 @@ rules:
   resources:
     - volumesnapshotcontents
   verbs:
-    - delete
     - get
     - list
     - patch

packages/system/piraeus-operator/charts/piraeus/values.yaml

@@ -1,3 +1,4 @@
+---
 replicaCount: 1
 
 installCRDs: false
@@ -18,6 +19,7 @@ operator:
 
   options:
     leaderElect: true
+    #clusterApiKubeconfig: "" # set to "<none>" to disable ClusterAPI integration
 
   resources: { }
     # limits:
@@ -80,6 +82,7 @@ rbac:
   create: true
 
 podAnnotations: { }
+podLabels: {}
 
 podSecurityContext: {}
   # fsGroup: 2000

packages/system/seaweedfs/values.yaml

@@ -124,7 +124,7 @@ seaweedfs:
     bucketClassName: "seaweedfs"
     region: ""
     sidecar:
-      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:latest@sha256:f4ec2b5ec8183870e710b32fa11b3af5d97fa664572df5edcff4b593b00f9a7b"
+      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.38.0@sha256:4548d85e7e69150aaf52fbb17fb9487e9714bdd8407aff49762cf39b9d0ab29c"
   certificates:
     commonName: "SeaweedFS CA"
     ipAddresses: []

packages/tests/cozy-lib-tests/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

packages/tests/cozy-lib-tests/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: quota
+description: Testing chart for cozy-lib
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

packages/tests/cozy-lib-tests/Makefile

@@ -0,0 +1,2 @@
+test:
+	helm unittest .

packages/tests/cozy-lib-tests/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/tests/cozy-lib-tests/templates/tests/quota.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ .Release.Name }}
+spec:
+{{- with .Values.quota }}
+  hard: {{- include "cozy-lib.resources.flatten" (list . $) | nindent 4 }}
+{{- end }}

packages/tests/cozy-lib-tests/tests/quota_test.yaml

@@ -0,0 +1,50 @@
+# ./tests/quota_test.yaml
+suite: quota helper
+
+templates:
+  - templates/tests/quota.yaml
+
+tests:
+  - it: correctly interprets special kubernetes quota types
+    values:
+      - quota_values.yaml
+
+    release:
+      name: myrelease
+      namespace: default
+      revision: 1
+      isUpgrade: false
+
+    asserts:
+      - equal:
+          path: spec.hard["limits.cpu"]
+          value: "20"
+
+      - equal:
+          path: spec.hard["requests.cpu"]
+          value: "2"
+
+      - equal:
+          path: spec.hard["limits.foobar"]
+          value: "3"
+
+      - equal:
+          path: spec.hard["requests.foobar"]
+          value: "3"
+
+      - equal:
+          path: spec.hard["services.loadbalancers"]
+          value: "2"
+
+      - equal:
+          path: spec.hard["requests.storage"]
+          value: "5Gi"
+
+      - notExists:
+          path: spec.hard["limits.storage"]
+
+      - notExists:
+          path: spec.hard["limits.services.loadbalancers"]
+
+      - notExists:
+          path: spec.hard["requests.services.loadbalancers"]

packages/tests/cozy-lib-tests/tests/quota_values.yaml

@@ -0,0 +1,5 @@
+quota:
+  services.loadbalancers: "2"
+  cpu: "20"
+  storage: "5Gi"
+  foobar: "3"

pkg/apiserver/apiserver.go

@@ -30,14 +30,16 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	"github.com/cozystack/cozystack/pkg/apis/apps"
 	appsinstall "github.com/cozystack/cozystack/pkg/apis/apps/install"
-	coreinstall "github.com/cozystack/cozystack/pkg/apis/apps/install"
 	"github.com/cozystack/cozystack/pkg/apis/core"
+	coreinstall "github.com/cozystack/cozystack/pkg/apis/core/install"
 	"github.com/cozystack/cozystack/pkg/config"
 	cozyregistry "github.com/cozystack/cozystack/pkg/registry"
 	applicationstorage "github.com/cozystack/cozystack/pkg/registry/apps/application"
@@ -48,7 +50,8 @@ import (
 
 var (
 	// Scheme defines methods for serializing and deserializing API objects.
-	Scheme = runtime.NewScheme()
+	Scheme    = runtime.NewScheme()
+	mgrScheme = runtime.NewScheme()
 	// Codecs provides methods for retrieving codecs and serializers for specific
 	// versions and content types.
 	Codecs            = serializer.NewCodecFactory(Scheme)
@@ -57,18 +60,23 @@ var (
 )
 
 func init() {
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&zap.Options{
+		Development: true,
+		// any other zap.Options tweaks
+	})))
+	klog.SetLogger(ctrl.Log.WithName("klog"))
 	appsinstall.Install(Scheme)
 	coreinstall.Install(Scheme)
 
 	// Register HelmRelease types.
-	if err := helmv2.AddToScheme(Scheme); err != nil {
+	if err := helmv2.AddToScheme(mgrScheme); err != nil {
 		panic(fmt.Errorf("Failed to add HelmRelease types to scheme: %w", err))
 	}
 
-	if err := corev1.AddToScheme(Scheme); err != nil {
+	if err := corev1.AddToScheme(mgrScheme); err != nil {
 		panic(fmt.Errorf("Failed to add core types to scheme: %w", err))
 	}
-	if err := rbacv1.AddToScheme(Scheme); err != nil {
+	if err := rbacv1.AddToScheme(mgrScheme); err != nil {
 		panic(fmt.Errorf("Failed to add RBAC types to scheme: %w", err))
 	}
 	// Add unversioned types.
@@ -134,7 +142,7 @@ func (c completedConfig) New() (*CozyServer, error) {
 	}
 
 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
-		Scheme: Scheme,
+		Scheme: mgrScheme,
 		Cache:  cache.Options{SyncPeriod: &syncPeriod},
 	})
 	if err != nil {
@@ -164,7 +172,7 @@ func (c completedConfig) New() (*CozyServer, error) {
 	}
 
 	cli := mgr.GetClient()
-	watchCli, err := client.NewWithWatch(cfg, client.Options{Scheme: Scheme})
+	watchCli, err := client.NewWithWatch(cfg, client.Options{Scheme: mgrScheme})
 	if err != nil {
 		return nil, fmt.Errorf("failed to build watch client: %w", err)
 	}

pkg/cmd/server/start.go

@@ -42,11 +42,11 @@ import (
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	utilversionpkg "k8s.io/apiserver/pkg/util/version"
-	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/component-base/featuregate"
 	baseversion "k8s.io/component-base/version"
 	netutils "k8s.io/utils/net"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	k8sconfig "sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
 // CozyServerOptions holds the state for the Cozy API server
@@ -150,7 +150,7 @@ func (o *CozyServerOptions) Complete() error {
 		return fmt.Errorf("failed to register types: %w", err)
 	}
 
-	cfg, err := clientcmd.BuildConfigFromFlags("", "")
+	cfg, err := k8sconfig.GetConfig()
 	if err != nil {
 		return fmt.Errorf("failed to get kubeconfig: %w", err)
 	}

pkg/registry/apps/application/rest.go

@@ -142,9 +142,17 @@ func (r *REST) GetSingularName() string {
 // Create handles the creation of a new Application by converting it to a HelmRelease
 func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
 	// Assert the object is of type Application
-	app, ok := obj.(*appsv1alpha1.Application)
+	us, ok := obj.(*unstructured.Unstructured)
 	if !ok {
-		return nil, fmt.Errorf("expected Application object, got %T", obj)
+		return nil, fmt.Errorf("expected unstructured.Unstructured object, got %T", obj)
+	}
+
+	app := &appsv1alpha1.Application{}
+
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(us.Object, app); err != nil {
+		errMsg := fmt.Sprintf("returned unstructured.Unstructured object was not an Application")
+		klog.Errorf(errMsg)
+		return nil, fmt.Errorf(errMsg)
 	}
 
 	// Convert Application to HelmRelease
@@ -389,11 +397,9 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 	}
 
 	// Explicitly set apiVersion and kind in unstructured object
-	appList := &unstructured.UnstructuredList{}
-	appList.SetAPIVersion("apps.cozystack.io/v1alpha1")
-	appList.SetKind(r.kindName + "List")
+	appList := r.NewList().(*unstructured.Unstructured)
 	appList.SetResourceVersion(hrList.GetResourceVersion())
-	appList.Items = items
+	appList.Object["items"] = items
 
 	klog.V(6).Infof("Successfully listed %d Application resources in namespace %s", len(items), namespace)
 	return appList, nil
@@ -441,9 +447,16 @@ func (r *REST) Update(ctx context.Context, name string, objInfo rest.UpdatedObje
 	}
 
 	// Assert the new object is of type Application
-	app, ok := newObj.(*appsv1alpha1.Application)
+	us, ok := newObj.(*unstructured.Unstructured)
 	if !ok {
-		errMsg := fmt.Sprintf("expected Application object, got %T", newObj)
+		errMsg := fmt.Sprintf("expected unstructured.Unstructured object, got %T", newObj)
+		klog.Errorf(errMsg)
+		return nil, false, fmt.Errorf(errMsg)
+	}
+	app := &appsv1alpha1.Application{}
+
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(us.Object, app); err != nil {
+		errMsg := fmt.Sprintf("returned unstructured.Unstructured object was not an Application")
 		klog.Errorf(errMsg)
 		return nil, false, fmt.Errorf(errMsg)
 	}
@@ -516,14 +529,12 @@ func (r *REST) Update(ctx context.Context, name string, objInfo rest.UpdatedObje
 		klog.Errorf("Failed to convert Application to unstructured for resource %s: %v", convertedApp.GetName(), err)
 		return nil, false, fmt.Errorf("failed to convert Application to unstructured: %v", err)
 	}
-
-	// Explicitly set apiVersion and kind in unstructured object
-	unstructuredApp["apiVersion"] = "apps.cozystack.io/v1alpha1"
-	unstructuredApp["kind"] = r.kindName
+	obj := &unstructured.Unstructured{Object: unstructuredApp}
+	obj.SetGroupVersionKind(r.gvk)
 
 	klog.V(6).Infof("Returning patched Application object: %+v", unstructuredApp)
 
-	return &unstructured.Unstructured{Object: unstructuredApp}, false, nil
+	return obj, false, nil
 }
 
 // Delete removes an Application by deleting the corresponding HelmRelease
@@ -723,11 +734,13 @@ func (r *REST) Watch(ctx context.Context, options *metainternalversion.ListOptio
 					klog.Errorf("Failed to convert Application to unstructured: %v", err)
 					continue
 				}
+				obj := &unstructured.Unstructured{Object: unstructuredApp}
+				obj.SetGroupVersionKind(r.gvk)
 
 				// Create watch event with Application object
 				appEvent := watch.Event{
 					Type:   event.Type,
-					Object: &unstructured.Unstructured{Object: unstructuredApp},
+					Object: obj,
 				}
 
 				// Send event to custom watcher
@@ -1060,6 +1073,34 @@ func (r *REST) ConvertToTable(ctx context.Context, object runtime.Object, tableO
 		table = r.buildTableFromApplications(apps)
 		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
 	case *unstructured.Unstructured:
+		var apps []appsv1alpha1.Application
+		for {
+			var items interface{}
+			var ok bool
+			var objects []unstructured.Unstructured
+			if items, ok = obj.Object["items"]; !ok {
+				break
+			}
+			if objects, ok = items.([]unstructured.Unstructured); !ok {
+				break
+			}
+			apps = make([]appsv1alpha1.Application, 0, len(objects))
+			var a appsv1alpha1.Application
+			for i := range objects {
+				err := runtime.DefaultUnstructuredConverter.FromUnstructured(objects[i].Object, &a)
+				if err != nil {
+					klog.Errorf("Failed to convert Unstructured to Application: %v", err)
+					continue
+				}
+				apps = append(apps, a)
+			}
+			break
+		}
+		if apps != nil {
+			table = r.buildTableFromApplications(apps)
+			table.ListMeta.ResourceVersion = obj.GetResourceVersion()
+			break
+		}
 		var app appsv1alpha1.Application
 		err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &app)
 		if err != nil {
@@ -1196,18 +1237,17 @@ func (r *REST) Destroy() {
 
 // New creates a new instance of Application
 func (r *REST) New() runtime.Object {
-	app := &unstructured.UnstructuredList{}
-	app.SetAPIVersion("apps.cozystack.io/v1alpha1")
-	app.SetKind(r.kindName)
-	return app
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(r.gvk)
+	return obj
 }
 
 // NewList returns an empty list of Application objects
 func (r *REST) NewList() runtime.Object {
-	appList := &unstructured.UnstructuredList{}
-	appList.SetAPIVersion("apps.cozystack.io/v1alpha1")
-	appList.SetKind(r.kindName + "List")
-	return appList
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(r.gvk.GroupVersion().WithKind(r.kindName + "List"))
+	obj.Object["items"] = make([]interface{}, 0)
+	return obj
 }
 
 // Kind returns the resource kind used for API discovery

scripts/migrations/20

@@ -25,10 +25,24 @@ sleep 5
 cozypkg -n cozy-system -C packages/system/cozystack-resource-definition-crd apply cozystack-resource-definition-crd --plain
 cozypkg -n cozy-system -C packages/system/cozystack-resource-definitions apply cozystack-resource-definitions --plain
 cozypkg -n cozy-system -C packages/system/cozystack-api apply cozystack-api --plain
+if kubectl get ds cozystack-api -n cozy-system >/dev/null 2>&1; then
+  echo "Waiting for cozystack-api daemonset"
+  kubectl rollout status ds/cozystack-api -n cozy-system --timeout=5m || exit 1
+else
+  echo "Waiting for cozystack-api deployment"
+  kubectl rollout status deploy/cozystack-api -n cozy-system --timeout=5m || exit 1
+fi
+
 helm upgrade --install -n cozy-system cozystack-controller ./packages/system/cozystack-controller/ --take-ownership
+echo "Waiting for cozystack-controller"
+kubectl rollout status deploy/cozystack-controller -n cozy-system --timeout=5m || exit 1
+
 helm upgrade --install -n cozy-system lineage-controller-webhook ./packages/system/lineage-controller-webhook/ --take-ownership
+echo "Waiting for lineage-webhook"
+kubectl rollout status ds/lineage-controller-webhook -n cozy-system --timeout=5m || exit 1
 
 sleep 5
+echo "Running lineage-webhook test"
 kubectl delete ns cozy-lineage-webhook-test --ignore-not-found && kubectl create ns cozy-lineage-webhook-test
 cleanup_test_ns() {
   kubectl delete ns cozy-lineage-webhook-test --ignore-not-found
@@ -37,9 +51,6 @@ trap cleanup_test_ns ERR
 timeout 60 sh -c 'until kubectl -n cozy-lineage-webhook-test create service clusterip lineage-webhook-test --clusterip="None" --dry-run=server; do sleep 1; done'
 cleanup_test_ns
 
-kubectl wait deployment/cozystack-api -n cozy-system --timeout=4m --for=condition=available || exit 1
-kubectl wait deployment/cozystack-controller -n cozy-system --timeout=4m --for=condition=available || exit 1
-
 timestamp=$(date --rfc-3339=ns || date)
 kubectl get namespace -o custom-columns=NAME:.metadata.name --no-headers |
   grep '^tenant-' |
@@ -50,6 +61,7 @@ kubectl get namespace -o custom-columns=NAME:.metadata.name --no-headers |
       -n "$namespace" --all \
       migration.cozystack.io="$timestamp" --overwrite || true)
   done
+
 # Stamp version
 kubectl create configmap -n cozy-system cozystack-version \
   --from-literal=version=21 --dry-run=client -o yaml | kubectl apply -f-