[docs] Added actual go types

Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>

.github/workflows/pull-requests.yaml

@@ -6,8 +6,6 @@ env:
 on:
   pull_request:
     types: [opened, synchronize, reopened]
-    paths-ignore:
-      - 'docs/**/*'
 
 # Cancel in‑flight runs for the same PR when a new push arrives.
 concurrency:
@@ -15,6 +13,19 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  detect-changes:
+    name: Detect changes
+    runs-on: ubuntu-latest
+    outputs:
+      code: ${{ steps.filter.outputs.code }}
+    steps:
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            code:
+              - '!docs/**'
+
   build:
     name: Build
     runs-on: [self-hosted]
@@ -22,9 +33,11 @@ jobs:
       contents: read
       packages: write
 
-    # Never run when the PR carries the "release" label.
+    needs: ["detect-changes"]
+    # Never run when the PR carries the "release" label or only docs changed.
     if: |
-      !contains(github.event.pull_request.labels.*.name, 'release')
+      needs.detect-changes.outputs.code == 'true'
+      && !contains(github.event.pull_request.labels.*.name, 'release')
 
     steps:
       - name: Checkout code

.github/workflows/tags.yaml

@@ -123,6 +123,20 @@ jobs:
           git commit -m "Prepare release ${GITHUB_REF#refs/tags/}" -s || echo "No changes to commit"
           git push origin HEAD || true
 
+      # Tag the api/apps/v1alpha1 submodule for pkg.go.dev
+      - name: Tag API submodule
+        if: steps.check_release.outputs.skip == 'false'
+        env:
+          GH_PAT: ${{ secrets.GH_PAT }}
+        run: |
+          VTAG="${{ steps.tag.outputs.tag }}"
+          SUBTAG="api/apps/v1alpha1/${VTAG}"
+          git config user.name  "cozystack-bot"
+          git config user.email "217169706+cozystack-bot@users.noreply.github.com"
+          git remote set-url origin https://cozystack-bot:${GH_PAT}@github.com/${GITHUB_REPOSITORY}
+          git tag "${SUBTAG}" "${VTAG}^{}" 2>/dev/null || git tag "${SUBTAG}" HEAD
+          git push origin "${SUBTAG}" || true
+
       # Create or reuse draft release
       - name: Create / reuse draft release
         if: steps.check_release.outputs.skip == 'false'
@@ -370,3 +384,74 @@ jobs:
               
               console.log(`Created PR #${pr.data.number} for changelog`);
             }
+
+  update-website-docs:
+    name: Update Website Docs
+    runs-on: [self-hosted]
+    needs: [generate-changelog]
+    if: needs.generate-changelog.result == 'success'
+    permissions:
+      contents: read
+    steps:
+      - name: Parse tag
+        id: tag
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const ref = context.ref.replace('refs/tags/', '');
+            const m = ref.match(/^v(\d+\.\d+\.\d+)(-(?:alpha|beta|rc)\.\d+)?$/);
+            if (!m) {
+              core.setFailed(`❌ tag '${ref}' must match 'vX.Y.Z' or 'vX.Y.Z-(alpha|beta|rc).N'`);
+              return;
+            }
+            const version = m[1] + (m[2] ?? '');
+            core.setOutput('tag',     ref);      // v0.22.0
+            core.setOutput('version', version);  // 0.22.0
+
+      - name: Checkout website repo
+        uses: actions/checkout@v4
+        with:
+          repository: cozystack/website
+          token: ${{ secrets.GH_PAT }}
+          ref: main
+
+      - name: Update docs from release branch
+        env:
+          GH_TOKEN: ${{ secrets.GH_PAT }}
+        run: make update-all BRANCH=release-${{ steps.tag.outputs.version }} RELEASE_TAG=${{ steps.tag.outputs.tag }}
+
+      - name: Commit and push
+        id: commit
+        run: |
+          git config user.name  "cozystack-bot"
+          git config user.email "217169706+cozystack-bot@users.noreply.github.com"
+          git add content
+          if git diff --cached --quiet; then
+            echo "No changes to commit"
+            echo "changed=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+          BRANCH="update-docs-v${{ steps.tag.outputs.version }}"
+          git branch -D "$BRANCH" 2>/dev/null || true
+          git checkout -b "$BRANCH"
+          git commit --signoff -m "[docs] Update managed apps reference for v${{ steps.tag.outputs.version }}"
+          git push --force --set-upstream origin "$BRANCH"
+          echo "changed=true" >> $GITHUB_OUTPUT
+
+      - name: Open pull request
+        if: steps.commit.outputs.changed == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GH_PAT }}
+        run: |
+          BRANCH="update-docs-v${{ steps.tag.outputs.version }}"
+          pr_state=$(gh pr view "$BRANCH" --repo cozystack/website --json state --jq .state 2>/dev/null || echo "")
+          if [[ "$pr_state" == "OPEN" ]]; then
+            echo "PR already open, skipping creation."
+          else
+            gh pr create \
+              --repo cozystack/website \
+              --title "[docs] Update managed apps reference for v${{ steps.tag.outputs.version }}" \
+              --body "Automated docs update for release \`v${{ steps.tag.outputs.version }}\`." \
+              --head "update-docs-v${{ steps.tag.outputs.version }}" \
+              --base main
+          fi

Makefile

@@ -58,7 +58,11 @@ manifests:
 cozypkg:
 	go build -ldflags "-X github.com/cozystack/cozystack/cmd/cozypkg/cmd.Version=v$(COZYSTACK_VERSION)" -o _out/bin/cozypkg ./cmd/cozypkg
 
-assets: assets-talos assets-cozypkg
+assets: assets-talos assets-cozypkg openapi-json
+
+openapi-json:
+	mkdir -p _out/assets
+	VERSION=$(shell git describe --tags --always 2>/dev/null || echo dev) go run ./tools/openapi-gen/ > _out/assets/openapi.json
 
 assets-talos:
 	make -C packages/core/talos assets

api/apps/v1alpha1/bucket/types.go

@@ -0,0 +1,35 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package bucket
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Provisions bucket from the `-lock` BucketClass (with object lock enabled).
+	// +kubebuilder:default:=false
+	Locking bool `json:"locking"`
+	// Selects a specific BucketClass by storage pool name.
+	// +kubebuilder:default:=""
+	StoragePool string `json:"storagePool,omitempty"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+}
+
+type User struct {
+	// Whether the user has read-only access.
+	Readonly bool `json:"readonly,omitempty"`
+}

api/apps/v1alpha1/clickhouse/types.go

@@ -0,0 +1,114 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package clickhouse
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Backup configuration.
+	// +kubebuilder:default:={}
+	Backup Backup `json:"backup"`
+	// ClickHouse Keeper configuration.
+	// +kubebuilder:default:={}
+	ClickhouseKeeper ClickHouseKeeper `json:"clickhouseKeeper"`
+	// Size of Persistent Volume for logs.
+	// +kubebuilder:default:="2Gi"
+	LogStorageSize resource.Quantity `json:"logStorageSize"`
+	// TTL (expiration time) for `query_log` and `query_thread_log`.
+	// +kubebuilder:default:=15
+	LogTTL int `json:"logTTL"`
+	// Number of ClickHouse replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each ClickHouse replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Number of ClickHouse shards.
+	// +kubebuilder:default:=1
+	Shards int `json:"shards"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+}
+
+type ClickHouseKeeper struct {
+	// Deploy ClickHouse Keeper for cluster coordination.
+	// +kubebuilder:default:=true
+	Enabled bool `json:"enabled,omitempty"`
+	// Number of Keeper replicas.
+	// +kubebuilder:default:=3
+	Replicas int `json:"replicas,omitempty"`
+	// Default sizing preset.
+	// +kubebuilder:default:="micro"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset,omitempty"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="1Gi"
+	Size resource.Quantity `json:"size,omitempty"`
+}
+
+type User struct {
+	// Password for the user.
+	Password string `json:"password,omitempty"`
+	// User is readonly (default: false).
+	Readonly bool `json:"readonly,omitempty"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Backup struct {
+	// Retention strategy for cleaning up old backups.
+	// +kubebuilder:default:="--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+	CleanupStrategy string `json:"cleanupStrategy"`
+	// Enable regular backups (default: false).
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Password for Restic backup encryption.
+	// +kubebuilder:default:="<password>"
+	ResticPassword string `json:"resticPassword"`
+	// Access key for S3 authentication.
+	// +kubebuilder:default:="<your-access-key>"
+	S3AccessKey string `json:"s3AccessKey"`
+	// S3 bucket used for storing backups.
+	// +kubebuilder:default:="s3.example.org/clickhouse-backups"
+	S3Bucket string `json:"s3Bucket"`
+	// AWS S3 region where backups are stored.
+	// +kubebuilder:default:="us-east-1"
+	S3Region string `json:"s3Region"`
+	// Secret key for S3 authentication.
+	// +kubebuilder:default:="<your-secret-key>"
+	S3SecretKey string `json:"s3SecretKey"`
+	// Cron schedule for automated backups.
+	// +kubebuilder:default:="0 2 * * *"
+	Schedule string `json:"schedule"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string

api/apps/v1alpha1/foundationdb/types.go

@@ -0,0 +1,164 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package foundationdb
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable automatic pod replacements.
+	// +kubebuilder:default:=true
+	AutomaticReplacements bool `json:"automaticReplacements"`
+	// Backup configuration.
+	// +kubebuilder:default:={}
+	Backup Backup `json:"backup"`
+	// Cluster configuration.
+	// +kubebuilder:default:={}
+	Cluster Cluster `json:"cluster"`
+	// Custom parameters to pass to FoundationDB.
+	// +kubebuilder:default:={}
+	CustomParameters []string `json:"customParameters,omitempty"`
+	// Container image deployment type.
+	// +kubebuilder:default:="unified"
+	ImageType ImageType `json:"imageType"`
+	// Monitoring configuration.
+	// +kubebuilder:default:={}
+	Monitoring Monitoring `json:"monitoring"`
+	// Explicit CPU and memory configuration for each FoundationDB instance. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="medium"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Security context for containers.
+	// +kubebuilder:default:={}
+	SecurityContext SecurityContext `json:"securityContext"`
+	// Storage configuration.
+	// +kubebuilder:default:={}
+	Storage Storage `json:"storage"`
+}
+
+type Cluster struct {
+	// Fault domain configuration.
+	// +kubebuilder:default:={}
+	FaultDomain ClusterFaultDomain `json:"faultDomain"`
+	// Process counts for different roles.
+	// +kubebuilder:default:={}
+	ProcessCounts ClusterProcessCounts `json:"processCounts"`
+	// Database redundancy mode (single, double, triple, three_datacenter, three_datacenter_fallback).
+	// +kubebuilder:default:="double"
+	RedundancyMode string `json:"redundancyMode"`
+	// Storage engine (ssd-2, ssd-redwood-v1, ssd-rocksdb-v1, memory).
+	// +kubebuilder:default:="ssd-2"
+	StorageEngine string `json:"storageEngine"`
+	// Version of FoundationDB to use.
+	// +kubebuilder:default:="7.3.63"
+	Version string `json:"version"`
+}
+
+type BackupS3Credentials struct {
+	// S3 access key ID.
+	// +kubebuilder:default:=""
+	AccessKeyId string `json:"accessKeyId"`
+	// S3 secret access key.
+	// +kubebuilder:default:=""
+	SecretAccessKey string `json:"secretAccessKey"`
+}
+
+type BackupS3 struct {
+	// S3 bucket name.
+	// +kubebuilder:default:=""
+	Bucket string `json:"bucket"`
+	// S3 credentials.
+	// +kubebuilder:default:={}
+	Credentials BackupS3Credentials `json:"credentials"`
+	// S3 endpoint URL.
+	// +kubebuilder:default:=""
+	Endpoint string `json:"endpoint"`
+	// S3 region.
+	// +kubebuilder:default:="us-east-1"
+	Region string `json:"region"`
+}
+
+type SecurityContext struct {
+	// Group ID to run the container.
+	// +kubebuilder:default:=4059
+	RunAsGroup int `json:"runAsGroup"`
+	// User ID to run the container.
+	// +kubebuilder:default:=4059
+	RunAsUser int `json:"runAsUser"`
+}
+
+type ClusterFaultDomain struct {
+	// Fault domain key.
+	// +kubebuilder:default:="kubernetes.io/hostname"
+	Key string `json:"key"`
+	// Fault domain value source.
+	// +kubebuilder:default:="spec.nodeName"
+	ValueFrom string `json:"valueFrom"`
+}
+
+type Storage struct {
+	// Size of persistent volumes for each instance.
+	// +kubebuilder:default:="16Gi"
+	Size resource.Quantity `json:"size"`
+	// Storage class (if not set, uses cluster default).
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+}
+
+type Resources struct {
+	// CPU available to each instance.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each instance.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Backup struct {
+	// Enable backups.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Retention policy for backups.
+	// +kubebuilder:default:="7d"
+	RetentionPolicy string `json:"retentionPolicy"`
+	// S3 configuration for backups.
+	// +kubebuilder:default:={}
+	S3 BackupS3 `json:"s3"`
+}
+
+type ClusterProcessCounts struct {
+	// Number of cluster controller processes.
+	// +kubebuilder:default:=1
+	ClusterController int `json:"cluster_controller"`
+	// Number of stateless processes (-1 for automatic).
+	// +kubebuilder:default:=-1
+	Stateless int `json:"stateless"`
+	// Number of storage processes (determines cluster size).
+	// +kubebuilder:default:=3
+	Storage int `json:"storage"`
+}
+
+type Monitoring struct {
+	// Enable WorkloadMonitor integration.
+	// +kubebuilder:default:=true
+	Enabled bool `json:"enabled"`
+}
+
+// +kubebuilder:validation:Enum="unified";"split"
+type ImageType string
+
+// +kubebuilder:validation:Enum="small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string

api/apps/v1alpha1/go.mod

@@ -0,0 +1,24 @@
+module github.com/cozystack/cozystack/api/apps/v1alpha1
+
+go 1.25.0
+
+require k8s.io/apimachinery v0.35.2
+
+require (
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+)

api/apps/v1alpha1/go.sum

@@ -0,0 +1,56 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/apimachinery v0.35.2 h1:NqsM/mmZA7sHW02JZ9RTtk3wInRgbVxL8MPfzSANAK8=
+k8s.io/apimachinery v0.35.2/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
+sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=

api/apps/v1alpha1/harbor/types.go

@@ -0,0 +1,116 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package harbor
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Core API server configuration.
+	// +kubebuilder:default:={}
+	Core Core `json:"core"`
+	// PostgreSQL database configuration.
+	// +kubebuilder:default:={}
+	Database Database `json:"database"`
+	// Hostname for external access to Harbor (defaults to 'harbor' subdomain for the tenant host).
+	// +kubebuilder:default:=""
+	Host string `json:"host,omitempty"`
+	// Background job service configuration.
+	// +kubebuilder:default:={}
+	Jobservice Jobservice `json:"jobservice"`
+	// Redis cache configuration.
+	// +kubebuilder:default:={}
+	Redis Redis `json:"redis"`
+	// Container image registry configuration.
+	// +kubebuilder:default:={}
+	Registry Registry `json:"registry"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Trivy vulnerability scanner configuration.
+	// +kubebuilder:default:={}
+	Trivy Trivy `json:"trivy"`
+}
+
+type Trivy struct {
+	// Enable or disable the vulnerability scanner.
+	// +kubebuilder:default:=true
+	Enabled bool `json:"enabled"`
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset,omitempty"`
+	// Persistent Volume size for vulnerability database cache.
+	// +kubebuilder:default:="5Gi"
+	Size resource.Quantity `json:"size"`
+}
+
+type Jobservice struct {
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset,omitempty"`
+}
+
+type Resources struct {
+	// Number of CPU cores allocated.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Amount of memory allocated.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Database struct {
+	// Number of database instances.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Persistent Volume size for database storage.
+	// +kubebuilder:default:="5Gi"
+	Size resource.Quantity `json:"size"`
+}
+
+type Redis struct {
+	// Number of Redis replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Persistent Volume size for cache storage.
+	// +kubebuilder:default:="1Gi"
+	Size resource.Quantity `json:"size"`
+}
+
+type Core struct {
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset,omitempty"`
+}
+
+type Registry struct {
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string

api/apps/v1alpha1/httpcache/types.go

@@ -0,0 +1,74 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package httpcache
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Endpoints configuration, as a list of <ip:port>.
+	// +kubebuilder:default:={}
+	Endpoints []string `json:"endpoints,omitempty"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// HAProxy configuration.
+	// +kubebuilder:default:={}
+	Haproxy HAProxy `json:"haproxy"`
+	// Nginx configuration.
+	// +kubebuilder:default:={}
+	Nginx Nginx `json:"nginx"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type HAProxy struct {
+	// Number of HAProxy replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+type Nginx struct {
+	// Number of Nginx replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string

api/apps/v1alpha1/kafka/types.go

@@ -0,0 +1,92 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package kafka
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8sRuntime "k8s.io/apimachinery/pkg/runtime"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Kafka configuration.
+	// +kubebuilder:default:={}
+	Kafka Kafka `json:"kafka"`
+	// Topics configuration.
+	// +kubebuilder:default:={}
+	Topics []Topic `json:"topics,omitempty"`
+	// ZooKeeper configuration.
+	// +kubebuilder:default:={}
+	Zookeeper ZooKeeper `json:"zookeeper"`
+}
+
+type ZooKeeper struct {
+	// Number of ZooKeeper replicas.
+	// +kubebuilder:default:=3
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume size for ZooKeeper.
+	// +kubebuilder:default:="5Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the ZooKeeper data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+}
+
+type Topic struct {
+	// Topic configuration.
+	Config k8sRuntime.RawExtension `json:"config"`
+	// Topic name.
+	Name string `json:"name"`
+	// Number of partitions.
+	Partitions int `json:"partitions"`
+	// Number of replicas.
+	Replicas int `json:"replicas"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Kafka struct {
+	// Number of Kafka replicas.
+	// +kubebuilder:default:=3
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume size for Kafka.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the Kafka data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string

api/apps/v1alpha1/kubernetes/types.go

@@ -0,0 +1,260 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package kubernetes
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8sRuntime "k8s.io/apimachinery/pkg/runtime"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Cluster addons configuration.
+	// +kubebuilder:default:={}
+	Addons Addons `json:"addons"`
+	// Kubernetes control-plane configuration.
+	// +kubebuilder:default:={}
+	ControlPlane ControlPlane `json:"controlPlane"`
+	// External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty.
+	// +kubebuilder:default:=""
+	Host string `json:"host"`
+	// Worker nodes configuration map.
+	// +kubebuilder:default:={"md0":{"ephemeralStorage":"20Gi","gpus":{},"instanceType":"u1.medium","maxReplicas":10,"minReplicas":0,"resources":{},"roles":{"ingress-nginx"}}}
+	NodeGroups map[string]NodeGroup `json:"nodeGroups,omitempty"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:="replicated"
+	StorageClass string `json:"storageClass"`
+	// Kubernetes major.minor version to deploy
+	// +kubebuilder:default:="v1.35"
+	Version Version `json:"version"`
+}
+
+type VeleroAddon struct {
+	// Enable Velero.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type KonnectivityServer struct {
+	// CPU and memory resources for Konnectivity.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources"`
+	// Preset if `resources` omitted.
+	// +kubebuilder:default:="micro"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+type IngressNginxAddon struct {
+	// Enable the controller (requires nodes labeled `ingress-nginx`).
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Method to expose the controller. Allowed values: `Proxied`, `LoadBalancer`.
+	// +kubebuilder:default:="Proxied"
+	ExposeMethod IngressNginxExposeMethod `json:"exposeMethod"`
+	// Domains routed to this tenant cluster when `exposeMethod` is `Proxied`.
+	// +kubebuilder:default:={}
+	Hosts []string `json:"hosts,omitempty"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type FluxCDAddon struct {
+	// Enable FluxCD.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type APIServer struct {
+	// CPU and memory resources for API Server.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources"`
+	// Preset if `resources` omitted.
+	// +kubebuilder:default:="large"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+type Resources struct {
+	// CPU available.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type CoreDNSAddon struct {
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type Konnectivity struct {
+	// Konnectivity Server configuration.
+	// +kubebuilder:default:={}
+	Server KonnectivityServer `json:"server"`
+}
+
+type ControlPlane struct {
+	// API Server configuration.
+	// +kubebuilder:default:={}
+	ApiServer APIServer `json:"apiServer"`
+	// Controller Manager configuration.
+	// +kubebuilder:default:={}
+	ControllerManager ControllerManager `json:"controllerManager"`
+	// Konnectivity configuration.
+	// +kubebuilder:default:={}
+	Konnectivity Konnectivity `json:"konnectivity"`
+	// Number of control-plane replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Scheduler configuration.
+	// +kubebuilder:default:={}
+	Scheduler Scheduler `json:"scheduler"`
+}
+
+type GPUOperatorAddon struct {
+	// Enable GPU Operator.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type Addons struct {
+	// Cert-manager addon.
+	// +kubebuilder:default:={}
+	CertManager CertManagerAddon `json:"certManager"`
+	// Cilium CNI plugin.
+	// +kubebuilder:default:={}
+	Cilium CiliumAddon `json:"cilium"`
+	// CoreDNS addon.
+	// +kubebuilder:default:={}
+	Coredns CoreDNSAddon `json:"coredns"`
+	// FluxCD GitOps operator.
+	// +kubebuilder:default:={}
+	Fluxcd FluxCDAddon `json:"fluxcd"`
+	// Gateway API addon.
+	// +kubebuilder:default:={}
+	GatewayAPI GatewayAPIAddon `json:"gatewayAPI"`
+	// NVIDIA GPU Operator.
+	// +kubebuilder:default:={}
+	GpuOperator GPUOperatorAddon `json:"gpuOperator"`
+	// Ingress-NGINX controller.
+	// +kubebuilder:default:={}
+	IngressNginx IngressNginxAddon `json:"ingressNginx"`
+	// Monitoring agents.
+	// +kubebuilder:default:={}
+	MonitoringAgents MonitoringAgentsAddon `json:"monitoringAgents"`
+	// Velero backup/restore addon.
+	// +kubebuilder:default:={}
+	Velero VeleroAddon `json:"velero"`
+	// Vertical Pod Autoscaler.
+	// +kubebuilder:default:={}
+	VerticalPodAutoscaler VerticalPodAutoscalerAddon `json:"verticalPodAutoscaler"`
+}
+
+type Scheduler struct {
+	// CPU and memory resources for Scheduler.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources"`
+	// Preset if `resources` omitted.
+	// +kubebuilder:default:="micro"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+type CertManagerAddon struct {
+	// Enable cert-manager.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type MonitoringAgentsAddon struct {
+	// Enable monitoring agents.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type GPU struct {
+	// Name of GPU, such as "nvidia.com/AD102GL_L40S".
+	Name string `json:"name"`
+}
+
+type GatewayAPIAddon struct {
+	// Enable Gateway API.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+}
+
+type VerticalPodAutoscalerAddon struct {
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+type ControllerManager struct {
+	// CPU and memory resources for Controller Manager.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources"`
+	// Preset if `resources` omitted.
+	// +kubebuilder:default:="micro"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+}
+
+type NodeGroup struct {
+	// Ephemeral storage size.
+	// +kubebuilder:default:="20Gi"
+	EphemeralStorage resource.Quantity `json:"ephemeralStorage"`
+	// List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).
+	Gpus []GPU `json:"gpus,omitempty"`
+	// Virtual machine instance type.
+	// +kubebuilder:default:="u1.medium"
+	InstanceType string `json:"instanceType"`
+	// Maximum number of replicas.
+	// +kubebuilder:default:=10
+	MaxReplicas int `json:"maxReplicas"`
+	// Minimum number of replicas.
+	// +kubebuilder:default:=0
+	MinReplicas int `json:"minReplicas"`
+	// CPU and memory resources for each worker node.
+	Resources Resources `json:"resources"`
+	// List of node roles.
+	Roles []string `json:"roles,omitempty"`
+}
+
+type CiliumAddon struct {
+	// Custom Helm values overrides.
+	// +kubebuilder:default:={}
+	ValuesOverride k8sRuntime.RawExtension `json:"valuesOverride"`
+}
+
+// +kubebuilder:validation:Enum="v1.35";"v1.34";"v1.33";"v1.32";"v1.31";"v1.30"
+type Version string
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="Proxied";"LoadBalancer"
+type IngressNginxExposeMethod string

api/apps/v1alpha1/mariadb/types.go

@@ -0,0 +1,111 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package mariadb
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Backup configuration.
+	// +kubebuilder:default:={}
+	Backup Backup `json:"backup"`
+	// Databases configuration map.
+	// +kubebuilder:default:={}
+	Databases map[string]Database `json:"databases,omitempty"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of MariaDB replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each MariaDB replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+	// MariaDB major.minor version to deploy
+	// +kubebuilder:default:="v11.8"
+	Version Version `json:"version"`
+}
+
+type Backup struct {
+	// Retention strategy for cleaning up old backups.
+	// +kubebuilder:default:="--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+	CleanupStrategy string `json:"cleanupStrategy"`
+	// Enable regular backups (default: false).
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Password for Restic backup encryption.
+	// +kubebuilder:default:="<password>"
+	ResticPassword string `json:"resticPassword"`
+	// Access key for S3 authentication.
+	// +kubebuilder:default:="<your-access-key>"
+	S3AccessKey string `json:"s3AccessKey"`
+	// S3 bucket used for storing backups.
+	// +kubebuilder:default:="s3.example.org/mariadb-backups"
+	S3Bucket string `json:"s3Bucket"`
+	// AWS S3 region where backups are stored.
+	// +kubebuilder:default:="us-east-1"
+	S3Region string `json:"s3Region"`
+	// Secret key for S3 authentication.
+	// +kubebuilder:default:="<your-secret-key>"
+	S3SecretKey string `json:"s3SecretKey"`
+	// Cron schedule for automated backups.
+	// +kubebuilder:default:="0 2 * * *"
+	Schedule string `json:"schedule"`
+}
+
+type Database struct {
+	// Roles assigned to users.
+	Roles DatabaseRoles `json:"roles,omitempty"`
+}
+
+type DatabaseRoles struct {
+	// List of users with admin privileges.
+	Admin []string `json:"admin,omitempty"`
+	// List of users with read-only privileges.
+	Readonly []string `json:"readonly,omitempty"`
+}
+
+type User struct {
+	// Maximum number of connections.
+	MaxUserConnections int `json:"maxUserConnections"`
+	// Password for the user.
+	Password string `json:"password"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="v11.8";"v11.4";"v10.11";"v10.6"
+type Version string

api/apps/v1alpha1/mongodb/types.go

@@ -0,0 +1,151 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package mongodb
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Backup configuration.
+	// +kubebuilder:default:={}
+	Backup Backup `json:"backup"`
+	// Bootstrap configuration.
+	// +kubebuilder:default:={}
+	Bootstrap Bootstrap `json:"bootstrap"`
+	// Databases configuration map.
+	// +kubebuilder:default:={}
+	Databases map[string]Database `json:"databases,omitempty"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of MongoDB replicas in replica set.
+	// +kubebuilder:default:=3
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each MongoDB replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Enable sharded cluster mode. When disabled, deploys a replica set.
+	// +kubebuilder:default:=false
+	Sharding bool `json:"sharding"`
+	// Configuration for sharded cluster mode.
+	// +kubebuilder:default:={}
+	ShardingConfig ShardingConfig `json:"shardingConfig"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+	// MongoDB major version to deploy.
+	// +kubebuilder:default:="v8"
+	Version Version `json:"version"`
+}
+
+type Shard struct {
+	// Shard name.
+	Name string `json:"name"`
+	// Number of replicas in this shard.
+	Replicas int `json:"replicas"`
+	// PVC size for this shard.
+	Size resource.Quantity `json:"size"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type DatabaseRoles struct {
+	// List of users with admin privileges (readWrite + dbAdmin).
+	Admin []string `json:"admin,omitempty"`
+	// List of users with read-only privileges.
+	Readonly []string `json:"readonly,omitempty"`
+}
+
+type Backup struct {
+	// Destination path for backups (e.g. s3://bucket/path/).
+	// +kubebuilder:default:="s3://bucket/path/to/folder/"
+	DestinationPath string `json:"destinationPath,omitempty"`
+	// Enable regular backups.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// S3 endpoint URL for uploads.
+	// +kubebuilder:default:="http://minio-gateway-service:9000"
+	EndpointURL string `json:"endpointURL,omitempty"`
+	// Retention policy (e.g. "30d").
+	// +kubebuilder:default:="30d"
+	RetentionPolicy string `json:"retentionPolicy,omitempty"`
+	// Access key for S3 authentication.
+	// +kubebuilder:default:=""
+	S3AccessKey string `json:"s3AccessKey,omitempty"`
+	// Secret key for S3 authentication.
+	// +kubebuilder:default:=""
+	S3SecretKey string `json:"s3SecretKey,omitempty"`
+	// Cron schedule for automated backups.
+	// +kubebuilder:default:="0 2 * * *"
+	Schedule string `json:"schedule,omitempty"`
+}
+
+type ShardingConfig struct {
+	// PVC size for config servers.
+	// +kubebuilder:default:="3Gi"
+	ConfigServerSize resource.Quantity `json:"configServerSize"`
+	// Number of config server replicas.
+	// +kubebuilder:default:=3
+	ConfigServers int `json:"configServers"`
+	// Number of mongos router replicas.
+	// +kubebuilder:default:=2
+	Mongos int `json:"mongos"`
+	// List of shard configurations.
+	// +kubebuilder:default:={{"name":"rs0","replicas":3,"size":"10Gi"}}
+	Shards []Shard `json:"shards,omitempty"`
+}
+
+type Bootstrap struct {
+	// Name of backup to restore from.
+	// +kubebuilder:default:=""
+	BackupName string `json:"backupName"`
+	// Whether to restore from a backup.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Timestamp for point-in-time recovery; empty means latest.
+	// +kubebuilder:default:=""
+	RecoveryTime string `json:"recoveryTime,omitempty"`
+}
+
+type User struct {
+	// Password for the user (auto-generated if omitted).
+	Password string `json:"password,omitempty"`
+}
+
+type Database struct {
+	// Roles assigned to users.
+	Roles DatabaseRoles `json:"roles,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="v8";"v7";"v6"
+type Version string
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string

api/apps/v1alpha1/nats/types.go

@@ -0,0 +1,80 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package nats
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8sRuntime "k8s.io/apimachinery/pkg/runtime"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// NATS configuration.
+	// +kubebuilder:default:={}
+	Config ValuesConfig `json:"config"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Jetstream configuration.
+	// +kubebuilder:default:={}
+	Jetstream Jetstream `json:"jetstream"`
+	// Number of replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each NATS replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+}
+
+type User struct {
+	// Password for the user.
+	Password string `json:"password,omitempty"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Jetstream struct {
+	// Enable or disable Jetstream for persistent messaging in NATS.
+	// +kubebuilder:default:=true
+	Enabled bool `json:"enabled"`
+	// Jetstream persistent storage size.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+}
+
+type ValuesConfig struct {
+	// Additional configuration to merge into NATS config.
+	// +kubebuilder:default:={}
+	Merge *k8sRuntime.RawExtension `json:"merge,omitempty"`
+	// Additional resolver configuration to merge into NATS config.
+	// +kubebuilder:default:={}
+	Resolver *k8sRuntime.RawExtension `json:"resolver,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string

api/apps/v1alpha1/openbao/types.go

@@ -0,0 +1,53 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package openbao
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of OpenBAO replicas. HA with Raft is automatically enabled when replicas > 1. Switching between standalone (file storage) and HA (Raft storage) modes requires data migration.
+	// +kubebuilder:default:=1
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each OpenBAO replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size for data storage.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Enable the OpenBAO web UI.
+	// +kubebuilder:default:=true
+	Ui bool `json:"ui"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string

api/apps/v1alpha1/postgresql/types.go

@@ -0,0 +1,152 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package postgresql
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Backup configuration.
+	// +kubebuilder:default:={}
+	Backup Backup `json:"backup"`
+	// Bootstrap configuration.
+	// +kubebuilder:default:={}
+	Bootstrap Bootstrap `json:"bootstrap"`
+	// Databases configuration map.
+	// +kubebuilder:default:={}
+	Databases map[string]Database `json:"databases,omitempty"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// PostgreSQL server configuration.
+	// +kubebuilder:default:={}
+	Postgresql PostgreSQL `json:"postgresql"`
+	// Quorum configuration for synchronous replication.
+	// +kubebuilder:default:={}
+	Quorum Quorum `json:"quorum"`
+	// Number of Postgres replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each PostgreSQL replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="micro"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+	// PostgreSQL major version to deploy
+	// +kubebuilder:default:="v18"
+	Version Version `json:"version"`
+}
+
+type User struct {
+	// Password for the user.
+	Password string `json:"password,omitempty"`
+	// Whether the user has replication privileges.
+	Replication bool `json:"replication,omitempty"`
+}
+
+type Bootstrap struct {
+	// Whether to restore from a backup.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Previous cluster name before deletion.
+	// +kubebuilder:default:=""
+	OldName string `json:"oldName"`
+	// Timestamp (RFC3339) for point-in-time recovery; empty means latest.
+	// +kubebuilder:default:=""
+	RecoveryTime string `json:"recoveryTime,omitempty"`
+}
+
+type Quorum struct {
+	// Maximum number of synchronous replicas allowed (must be less than total replicas).
+	// +kubebuilder:default:=0
+	MaxSyncReplicas int `json:"maxSyncReplicas"`
+	// Minimum number of synchronous replicas required for commit.
+	// +kubebuilder:default:=0
+	MinSyncReplicas int `json:"minSyncReplicas"`
+}
+
+type DatabaseRoles struct {
+	// List of users with admin privileges.
+	Admin []string `json:"admin,omitempty"`
+	// List of users with read-only privileges.
+	Readonly []string `json:"readonly,omitempty"`
+}
+
+type Database struct {
+	// List of enabled PostgreSQL extensions.
+	Extensions []string `json:"extensions,omitempty"`
+	// Roles assigned to users.
+	Roles DatabaseRoles `json:"roles,omitempty"`
+}
+
+type Backup struct {
+	// Destination path for backups (e.g. s3://bucket/path/).
+	// +kubebuilder:default:="s3://bucket/path/to/folder/"
+	DestinationPath string `json:"destinationPath,omitempty"`
+	// Enable regular backups.
+	// +kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// S3 endpoint URL for uploads.
+	// +kubebuilder:default:="http://minio-gateway-service:9000"
+	EndpointURL string `json:"endpointURL,omitempty"`
+	// Retention policy (e.g. "30d").
+	// +kubebuilder:default:="30d"
+	RetentionPolicy string `json:"retentionPolicy,omitempty"`
+	// Access key for S3 authentication.
+	// +kubebuilder:default:="<your-access-key>"
+	S3AccessKey string `json:"s3AccessKey,omitempty"`
+	// Secret key for S3 authentication.
+	// +kubebuilder:default:="<your-secret-key>"
+	S3SecretKey string `json:"s3SecretKey,omitempty"`
+	// Cron schedule for automated backups.
+	// +kubebuilder:default:="0 2 * * * *"
+	Schedule string `json:"schedule,omitempty"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type PostgreSQLParameters struct {
+	// Maximum number of concurrent connections to the database server.
+	// +kubebuilder:default:=100
+	MaxConnections int `json:"max_connections,omitempty"`
+}
+
+type PostgreSQL struct {
+	// PostgreSQL server parameters.
+	// +kubebuilder:default:={}
+	Parameters PostgreSQLParameters `json:"parameters,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="v18";"v17";"v16";"v15";"v14";"v13"
+type Version string

api/apps/v1alpha1/qdrant/types.go

@@ -0,0 +1,50 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package qdrant
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of Qdrant replicas. Cluster mode is automatically enabled when replicas > 1.
+	// +kubebuilder:default:=1
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each Qdrant replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="small"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size available for vector data storage.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string

api/apps/v1alpha1/rabbitmq/types.go

@@ -0,0 +1,79 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package rabbitmq
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of RabbitMQ replicas.
+	// +kubebuilder:default:=3
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each RabbitMQ replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="10Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+	// RabbitMQ major.minor version to deploy
+	// +kubebuilder:default:="v4.2"
+	Version Version `json:"version"`
+	// Virtual hosts configuration map.
+	// +kubebuilder:default:={}
+	Vhosts map[string]Vhost `json:"vhosts,omitempty"`
+}
+
+type Vhost struct {
+	// Virtual host roles list.
+	Roles Roles `json:"roles"`
+}
+
+type User struct {
+	// Password for the user.
+	Password string `json:"password,omitempty"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type Roles struct {
+	// List of admin users.
+	Admin []string `json:"admin,omitempty"`
+	// List of readonly users.
+	Readonly []string `json:"readonly,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="v4.2";"v4.1";"v4.0";"v3.13"
+type Version string

api/apps/v1alpha1/redis/types.go

@@ -0,0 +1,59 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package redis
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable password generation.
+	// +kubebuilder:default:=true
+	AuthEnabled bool `json:"authEnabled"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Number of Redis replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each Redis replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Persistent Volume Claim size available for application data.
+	// +kubebuilder:default:="1Gi"
+	Size resource.Quantity `json:"size"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:=""
+	StorageClass string `json:"storageClass"`
+	// Redis major version to deploy
+	// +kubebuilder:default:="v8"
+	Version Version `json:"version"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="v8";"v7"
+type Version string

api/apps/v1alpha1/tcpbalancer/types.go

@@ -0,0 +1,77 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package tcpbalancer
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// HTTP and HTTPS configuration.
+	// +kubebuilder:default:={}
+	HttpAndHttps HttpAndHttps `json:"httpAndHttps"`
+	// Number of HAProxy replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each TCP Balancer replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// List of allowed client networks.
+	// +kubebuilder:default:={}
+	Whitelist []string `json:"whitelist,omitempty"`
+	// Secure HTTP by whitelisting client networks (default: false).
+	// +kubebuilder:default:=false
+	WhitelistHTTP bool `json:"whitelistHTTP"`
+}
+
+type TargetPorts struct {
+	// HTTP port number.
+	// +kubebuilder:default:=80
+	Http int `json:"http"`
+	// HTTPS port number.
+	// +kubebuilder:default:=443
+	Https int `json:"https"`
+}
+
+type HttpAndHttps struct {
+	// Endpoint addresses list.
+	// +kubebuilder:default:={}
+	Endpoints []string `json:"endpoints,omitempty"`
+	// Mode for balancer.
+	// +kubebuilder:default:="tcp"
+	Mode Mode `json:"mode"`
+	// Target ports configuration.
+	// +kubebuilder:default:={}
+	TargetPorts TargetPorts `json:"targetPorts"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string
+
+// +kubebuilder:validation:Enum="tcp";"tcp-with-proxy"
+type Mode string

api/apps/v1alpha1/tenant/types.go

@@ -0,0 +1,40 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package tenant
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Deploy own Etcd cluster.
+	// +kubebuilder:default:=false
+	Etcd bool `json:"etcd"`
+	// The hostname used to access tenant services (defaults to using the tenant name as a subdomain for its parent tenant host).
+	// +kubebuilder:default:=""
+	Host string `json:"host,omitempty"`
+	// Deploy own Ingress Controller.
+	// +kubebuilder:default:=false
+	Ingress bool `json:"ingress"`
+	// Deploy own Monitoring Stack.
+	// +kubebuilder:default:=false
+	Monitoring bool `json:"monitoring"`
+	// Define resource quotas for the tenant.
+	// +kubebuilder:default:={}
+	ResourceQuotas map[string]resource.Quantity `json:"resourceQuotas,omitempty"`
+	// Deploy own SeaweedFS.
+	// +kubebuilder:default:=false
+	Seaweedfs bool `json:"seaweedfs"`
+}

api/apps/v1alpha1/vmdisk/types.go

@@ -0,0 +1,53 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package vmdisk
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Defines if disk should be considered optical.
+	// +kubebuilder:default:=false
+	Optical bool `json:"optical"`
+	// The source image location used to create a disk.
+	// +kubebuilder:default:={}
+	Source Source `json:"source"`
+	// The size of the disk allocated for the virtual machine.
+	// +kubebuilder:default:="5Gi"
+	Storage resource.Quantity `json:"storage"`
+	// StorageClass used to store the data.
+	// +kubebuilder:default:="replicated"
+	StorageClass string `json:"storageClass"`
+}
+
+type SourceImage struct {
+	// Name of the image to use (uploaded as "golden image" or from the list: `ubuntu`, `fedora`, `cirros`, `alpine`, `talos`).
+	Name string `json:"name"`
+}
+
+type SourceHTTP struct {
+	// URL to download the image.
+	Url string `json:"url"`
+}
+
+type Source struct {
+	// Download image from an HTTP source.
+	Http *SourceHTTP `json:"http,omitempty"`
+	// Use image by name.
+	Image *SourceImage `json:"image,omitempty"`
+	// Upload local image.
+	Upload *SourceUpload `json:"upload,omitempty"`
+}

api/apps/v1alpha1/vminstance/types.go

@@ -0,0 +1,96 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package vminstance
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Cloud-init user data.
+	// +kubebuilder:default:=""
+	CloudInit string `json:"cloudInit"`
+	// Seed string to generate SMBIOS UUID for the VM.
+	// +kubebuilder:default:=""
+	CloudInitSeed string `json:"cloudInitSeed"`
+	// Model specifies the CPU model inside the VMI. List of available models https://github.com/libvirt/libvirt/tree/master/src/cpu_map
+	// +kubebuilder:default:=""
+	CpuModel string `json:"cpuModel"`
+	// List of disks to attach.
+	// +kubebuilder:default:={}
+	Disks []Disk `json:"disks,omitempty"`
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// Method to pass through traffic to the VM.
+	// +kubebuilder:default:="PortList"
+	ExternalMethod ExternalMethod `json:"externalMethod"`
+	// Ports to forward from outside the cluster.
+	// +kubebuilder:default:={22}
+	ExternalPorts []int `json:"externalPorts,omitempty"`
+	// List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).
+	// +kubebuilder:default:={}
+	Gpus []GPU `json:"gpus,omitempty"`
+	// Virtual Machine preferences profile.
+	// +kubebuilder:default:="ubuntu"
+	InstanceProfile string `json:"instanceProfile"`
+	// Virtual Machine instance type.
+	// +kubebuilder:default:="u1.medium"
+	InstanceType string `json:"instanceType"`
+	// Resource configuration for the virtual machine.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Requested running state of the VirtualMachineInstance
+	// +kubebuilder:default:="Always"
+	RunStrategy RunStrategy `json:"runStrategy"`
+	// List of SSH public keys for authentication.
+	// +kubebuilder:default:={}
+	SshKeys []string `json:"sshKeys,omitempty"`
+	// Additional subnets
+	// +kubebuilder:default:={}
+	Subnets []Subnet `json:"subnets,omitempty"`
+}
+
+type Disk struct {
+	// Disk bus type (e.g. "sata").
+	Bus string `json:"bus,omitempty"`
+	// Disk name.
+	Name string `json:"name"`
+}
+
+type Subnet struct {
+	// Subnet name
+	Name string `json:"name,omitempty"`
+}
+
+type GPU struct {
+	// The name of the GPU resource to attach.
+	Name string `json:"name"`
+}
+
+type Resources struct {
+	// Number of CPU cores allocated.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Amount of memory allocated.
+	Memory resource.Quantity `json:"memory,omitempty"`
+	// Number of CPU sockets (vCPU topology).
+	Sockets resource.Quantity `json:"sockets,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="Always";"Halted";"Manual";"RerunOnFailure";"Once"
+type RunStrategy string
+
+// +kubebuilder:validation:Enum="PortList";"WholeIP"
+type ExternalMethod string

api/apps/v1alpha1/vpc/types.go

@@ -0,0 +1,31 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package vpc
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Subnets of a VPC
+	// +kubebuilder:default:={}
+	Subnets []Subnet `json:"subnets,omitempty"`
+}
+
+type Subnet struct {
+	// IP address range
+	Cidr string `json:"cidr,omitempty"`
+	// Subnet name
+	Name string `json:"name"`
+}

api/apps/v1alpha1/vpn/types.go

@@ -0,0 +1,58 @@
+// +kubebuilder:object:generate=true
+// +kubebuilder:object:root=true
+// +groupName=values.helm.io
+
+// +versionName=v1alpha1
+
+// Code generated by values-gen. DO NOT EDIT.
+package vpn
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Config struct {
+	v1.TypeMeta   `json:",inline"`
+	v1.ObjectMeta `json:"metadata,omitempty"`
+	Spec          ConfigSpec `json:"spec,omitempty"`
+}
+
+type ConfigSpec struct {
+	// Enable external access from outside the cluster.
+	// +kubebuilder:default:=false
+	External bool `json:"external"`
+	// List of externalIPs for service. Optional. If not specified, will use LoadBalancer service by default.
+	// +kubebuilder:default:={}
+	ExternalIPs []string `json:"externalIPs,omitempty"`
+	// Host used to substitute into generated URLs.
+	// +kubebuilder:default:=""
+	Host string `json:"host"`
+	// Number of VPN server replicas.
+	// +kubebuilder:default:=2
+	Replicas int `json:"replicas"`
+	// Explicit CPU and memory configuration for each VPN server replica. When omitted, the preset defined in `resourcesPreset` is applied.
+	// +kubebuilder:default:={}
+	Resources Resources `json:"resources,omitempty"`
+	// Default sizing preset used when `resources` is omitted.
+	// +kubebuilder:default:="nano"
+	ResourcesPreset ResourcesPreset `json:"resourcesPreset"`
+	// Users configuration map.
+	// +kubebuilder:default:={}
+	Users map[string]User `json:"users,omitempty"`
+}
+
+type Resources struct {
+	// CPU available to each replica.
+	Cpu resource.Quantity `json:"cpu,omitempty"`
+	// Memory (RAM) available to each replica.
+	Memory resource.Quantity `json:"memory,omitempty"`
+}
+
+type User struct {
+	// Password for the user (autogenerated if not provided).
+	Password string `json:"password,omitempty"`
+}
+
+// +kubebuilder:validation:Enum="nano";"micro";"small";"medium";"large";"xlarge";"2xlarge"
+type ResourcesPreset string

docs/changelogs/v1.0.2.md

@@ -0,0 +1,19 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.2
+-->
+
+## Fixes
+
+* **[platform] Suspend cozy-proxy if it conflicts with installer release during migration**: Added a check in the v0.41→v1.0 migration script to detect and automatically suspend the `cozy-proxy` HelmRelease when its `releaseName` is set to `cozystack`, which conflicts with the installer release and would cause `cozystack-operator` deletion during the upgrade ([**@kvaps**](https://github.com/kvaps) in #2128, #2130).
+
+* **[platform] Fix off-by-one error in run-migrations script**: Fixed a bug in the migration runner where the first required migration was always skipped due to an off-by-one error in the migration range calculation, ensuring all upgrade steps execute correctly ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2126, #2132).
+
+* **[system] Fix Keycloak proxy configuration for v26.x**: Replaced the deprecated `KC_PROXY=edge` environment variable with `KC_PROXY_HEADERS=xforwarded` and `KC_HTTP_ENABLED=true` in the Keycloak StatefulSet template. `KC_PROXY` was removed in Keycloak 26.x, previously causing "Non-secure context detected" warnings and broken cookie handling when running behind a reverse proxy with TLS termination ([**@sircthulhu**](https://github.com/sircthulhu) in #2125, #2134).
+
+* **[dashboard] Allow clearing instanceType field and preserve newlines in secret copy**: Added `allowEmpty: true` to the `instanceType` field in the VMInstance form so users can explicitly clear it to use custom KubeVirt resources without a named instance type. Also fixed newline preservation when copying secrets with CMD+C ([**@sircthulhu**](https://github.com/sircthulhu) in #2135, #2137).
+
+* **[dashboard] Restore stock-instance sidebars for namespace-level pages**: Restored `stock-instance-api-form`, `stock-instance-api-table`, `stock-instance-builtin-form`, and `stock-instance-builtin-table` sidebar resources that were inadvertently removed in #2106. Without these sidebars, namespace-level pages such as Backup Plans rendered as empty pages with no interactive content ([**@sircthulhu**](https://github.com/sircthulhu) in #2136, #2138).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.1...v1.0.2

docs/changelogs/v1.0.3.md

@@ -0,0 +1,17 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.3
+-->
+
+## Fixes
+
+* **[platform] Fix package name conversion in migration script**: Fixed the `migrate-to-version-1.0.sh` script to correctly prepend the `cozystack.` prefix when converting `BUNDLE_DISABLE` and `BUNDLE_ENABLE` package name lists, ensuring packages are properly identified during the v0.41→v1.0 upgrade ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2144, #2148).
+
+## Documentation
+
+* **[website] Add white labeling guide**: Added a comprehensive guide for configuring white labeling (branding) in Cozystack v1, covering Dashboard fields (`titleText`, `footerText`, `tenantText`, `logoText`, `logoSvg`, `iconSvg`) and Keycloak fields (`brandName`, `brandHtmlName`). Includes SVG preparation workflow with theme-aware template variables, portable base64 encoding, and migration notes from the v0 ConfigMap approach ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#441).
+
+* **[website] Actualize backup and recovery documentation**: Reworked the backup and recovery docs to be user-focused, separating operator and tenant workflows. Added tenant-facing documentation for `BackupJob` and `Plan` resources and status inspection commands, and added a new Velero administration guide for operators covering storage credentials and backup storage configuration ([**@androndo**](https://github.com/androndo) in cozystack/website#434).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.2...v1.0.3

docs/changelogs/v1.0.4.md

@@ -0,0 +1,25 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.0.4
+-->
+
+## Fixes
+
+* **[system] Fix Keycloak probe crashloop with management port health endpoints**: Fixed a crashloop where Keycloak 26.x was endlessly restarting because liveness and readiness probes were sending HTTP requests to port 8080. Keycloak 26.x redirects all requests on port 8080 to `KC_HOSTNAME` (HTTPS), and since kubelet does not follow redirects, probes failed, eventually triggering container restarts. The fix switches probes to the dedicated management port 9000 (`/health/live`, `/health/ready`) enabled via `KC_HEALTH_ENABLED=true`, exposes management port 9000, and adds a `startupProbe` with appropriate failure thresholds for better startup tolerance ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #2162, #2178).
+
+* **[system] Fix etcd-operator deprecated kube-rbac-proxy image**: Replaced the deprecated `gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0` image with `quay.io/brancz/kube-rbac-proxy:v0.18.1` in the vendored etcd-operator chart. The GCR-hosted image became unavailable after March 18, 2025, causing etcd-operator pods to fail on image pull ([**@kvaps**](https://github.com/kvaps) in #2181, #2183).
+
+* **[platform] Fix VM MAC address not preserved during virtual-machine to vm-instance migration**: During the `virtual-machine` → `vm-instance` migration (script 29), VM MAC addresses were not preserved. Kube-OVN reads MAC addresses exclusively from the pod annotation `ovn.kubernetes.io/mac_address`, not from `spec.macAddress` of the IP resource. Without this annotation, migrated VMs received a new random MAC address, breaking OS-level network configuration that matches by MAC (e.g., netplan). The fix adds a Helm `lookup` in the vm-instance chart template to read the Kube-OVN IP resource and automatically inject the MAC and IP addresses as pod annotations ([**@sircthulhu**](https://github.com/sircthulhu) in #2169, #2191).
+
+* **[dashboard] Fix External IPs page showing empty rows**: Fixed the External IPs administration page displaying empty rows instead of service data. The `EnrichedTable` configuration in the `external-ips` factory was using incorrect property names — replaced `clusterNamePartOfUrl` with `cluster` and changed `pathToItems` from array format to dot-path string format, matching the convention used by all other `EnrichedTable` instances ([**@IvanHunters**](https://github.com/IvanHunters) in #2175, #2192).
+
+* **[dashboard] Fix disabled/hidden state reset on MarketplacePanel reconciliation**: Fixed a bug where the dashboard controller was hardcoding `disabled=false` and `hidden=false` on every reconcile loop, overwriting changes made through the dashboard UI. Services disabled or hidden via the marketplace panel now correctly retain their state after controller reconciliation ([**@IvanHunters**](https://github.com/IvanHunters) in #2176, #2202).
+
+* **[dashboard] Fix hidden MarketplacePanel resources appearing in sidebar menu**: Fixed the sidebar navigation showing all resources regardless of their MarketplacePanel `hidden` state. The controller now fetches MarketplacePanels during sidebar reconciliation and filters out resources where `hidden=true`, ensuring that hiding a resource from the marketplace also removes it from the sidebar navigation. Listing failures are non-fatal — if the configuration fetch fails, no hiding is applied and the dashboard remains functional ([**@IvanHunters**](https://github.com/IvanHunters) in #2177, #2204).
+
+## Documentation
+
+* **[website] Add OIDC self-signed certificates configuration guide**: Added a comprehensive guide for configuring OIDC authentication with Keycloak when using self-signed certificates (the default in Cozystack). Covers Talos machine configuration with certificate mounting and host entries, kubelogin setup instructions, and a troubleshooting section. The guide is available for both v0 and v1 versioned documentation paths ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#443).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.3...v1.0.4

docs/changelogs/v1.1.0.md

@@ -0,0 +1,126 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.1.0
+-->
+
+# Cozystack v1.1.0
+
+Cozystack v1.1.0 delivers a major expansion of the managed application catalog with **OpenBAO** (open-source HashiCorp Vault fork) for secrets management, comprehensive **tiered object storage** with SeaweedFS storage pools, a new bucket **user model** with per-user credentials and S3 login support, **RabbitMQ version selection**, and **MongoDB Grafana dashboards**. The dashboard gains storageClass dropdowns for all stateful apps. This release also incorporates all fixes from the v1.0.x patch series.
+
+## Feature Highlights
+
+### OpenBAO: Managed Secrets Management Service
+
+Cozystack now ships **OpenBAO** as a fully managed PaaS application — an open-source fork of HashiCorp Vault providing enterprise-grade secrets management. Users can deploy OpenBAO instances in standalone mode (single replica with file storage) or in high-availability Raft mode (multiple replicas with integrated Raft consensus), with the mode switching automatically based on the `replicas` field.
+
+Each OpenBAO instance gets TLS enabled by default via cert-manager self-signed certificates, with DNS SANs covering all service endpoints and pod addresses. The Vault injector and CSI provider are intentionally disabled (they are cluster-scoped components not safe for per-tenant use). OpenBAO requires manual initialization and unsealing by design — no auto-unseal is configured.
+
+A full end-to-end E2E test covers the complete lifecycle: deploy, wait for certificate and API readiness, init, unseal, verify, and cleanup. OpenBAO is available in the application catalog for tenant namespaces.
+
+### SeaweedFS Tiered Storage Pools
+
+SeaweedFS now supports **tiered storage pools** — operators can define separate storage pools per disk type (SSD, HDD, NVMe) in the `volume.pools` field (Simple topology) or `volume.zones[name].pools` (MultiZone topology). Each pool creates an additional Volume StatefulSet alongside the default one, with SeaweedFS distinguishing storage via the `-disk=<type>` flag on volume servers.
+
+Each pool automatically generates its own set of COSI resources: a standard `BucketClass`, a `-lock` BucketClass (COMPLIANCE mode, 365-day retention), a read-write `BucketAccessClass`, and a `-readonly` BucketAccessClass. This allows applications to place data on specific storage tiers and request appropriate access policies per pool.
+
+In MultiZone topology, pools are defined per zone and each zone × pool combination creates a dedicated StatefulSet (e.g., `us-east-ssd`, `us-west-hdd`), with nodes selected via `topology.kubernetes.io/zone` labels. Existing deployments with no pools defined produce output identical to previous versions — no migration is required.
+
+### Bucket User Model with S3 Login
+
+The bucket application introduces a new **user model** for access management. Instead of a single implicit BucketAccess resource, operators now define a `users` map where each entry creates a dedicated `BucketAccess` with its own credentials secret and an optional `readonly` flag. The S3 Manager UI has been updated with a login screen that uses per-session credentials from the user's own secret, replacing the previous basic-auth approach.
+
+Two new bucket parameters are available: `locking` provisions from the `-lock` BucketClass (COMPLIANCE mode, 365-day object lock retention) for write-once-read-many use cases, and `storagePool` selects a specific pool's BucketClass for tiered storage placement. The COSI driver has been updated to v0.3.0 to support the new `diskType` parameter.
+
+**⚠️ Breaking change**: The implicit default BucketAccess resource is no longer created. Existing buckets that relied on the single auto-generated BucketAccess will need to explicitly define users in the `users` map after upgrading.
+
+### RabbitMQ Version Selection
+
+RabbitMQ instances now support a configurable **version selector** (`version` field with values: `v4.2`, `v4.1`, `v4.0`, `v3.13`; default `v4.2`). The chart validates the selection at deploy time and uses it to pin the runtime image, giving operators control over the RabbitMQ release channel per instance. An automatic migration backfills the `version` field on all existing RabbitMQ resources to `v4.2`.
+
+## Major Features and Improvements
+
+* **[apps] Add OpenBAO as a managed secrets management service**: Deployed as a PaaS application with standalone (file storage) and HA Raft modes, TLS enabled by default via cert-manager, injector and CSI provider disabled for tenant safety, and a full E2E lifecycle test ([**@lexfrei**](https://github.com/lexfrei) in #2059).
+
+* **[seaweedfs] Add storage pools support for tiered storage**: Added `volume.pools` (Simple) and `volume.zones[name].pools` (MultiZone) for per-disk-type StatefulSets, zone overrides (`nodeSelector`, `storageClass`, `dataCenter`), per-pool COSI BucketClass and BucketAccessClass resources, and bumped seaweedfs-cosi-driver to v0.3.0 ([**@sircthulhu**](https://github.com/sircthulhu) in #2097).
+
+* **[apps][system] Add bucket user model with locking and storage pool selection**: Replaced implicit BucketAccess with per-user `users` map, added `locking` and `storagePool` parameters, renamed COSI BucketClass suffix from `-worm` to `-lock`, added `-readonly` BucketAccessClass for all topologies, and updated S3 Manager with login screen using per-user credentials ([**@IvanHunters**](https://github.com/IvanHunters) in #2119).
+
+* **[rabbitmq] Add version selection for RabbitMQ instances**: Added `version` field (`v4.2`, `v4.1`, `v4.0`, `v3.13`) with chart-level validation, default `v4.2`, and an automatic migration to backfill the field on existing instances ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2092).
+
+* **[system] Add MongoDB Overview and InMemory Details Grafana dashboards**: Added two comprehensive Grafana dashboards for MongoDB monitoring — Overview (command operations, connections, cursors, query efficiency, write time) and InMemory Details (WiredTiger cache, transactions, concurrency, eviction). Dashboards are registered in `dashboards.list` for automatic GrafanaDashboard CRD generation ([**@IvanHunters**](https://github.com/IvanHunters) in #2158).
+
+* **[dashboard] Add storageClass dropdown for all stateful apps**: Replaced the free-text `storageClass` input with an API-backed dropdown listing available StorageClasses from the cluster. Affects ClickHouse, Harbor, HTTPCache, Kubernetes, MariaDB, MongoDB, NATS, OpenBAO, Postgres, Qdrant, RabbitMQ, Redis, VMDisk (top-level `storageClass`), FoundationDB (`storage.storageClass`), and Kafka (`kafka.storageClass`, `zookeeper.storageClass`) ([**@sircthulhu**](https://github.com/sircthulhu) in #2131).
+
+* **[bucket] Add readonly S3 access credentials**: Added a readonly `BucketAccessClass` to the SeaweedFS COSI chart and updated the bucket application to automatically provision two sets of S3 credentials per bucket: read-write (for UI) and readonly ([**@IvanHunters**](https://github.com/IvanHunters) in #2105).
+
+* **[dashboard] Hide sidebar on cluster-level pages when no tenant selected**: Fixed broken URLs with double `//` on the main cluster page (before tenant selection) by clearing `CUSTOMIZATION_SIDEBAR_FALLBACK_ID` so no sidebar renders when no namespace is selected ([**@sircthulhu**](https://github.com/sircthulhu) in #2106).
+
+* **[cert-manager] Update cert-manager to v1.19.3**: Upgraded cert-manager with new CRDs moved into a dedicated CRD package, added global `nodeSelector` and `hostUsers` (pod user-namespace isolation), and renamed `ServiceMonitor` targetPort default to `http-metrics` ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2070).
+
+* **[dashboard] Add backupClasses dropdown to Plan/BackupJob forms**: Replaced free-text input for `backupClass` field with an API-backed dropdown populated with available BackupClass resources, making it easier to select the correct backup target ([**@androndo**](https://github.com/androndo) in #2104).
+
+## Fixes
+
+* **[platform] Fix package name conversion in migration script**: Fixed the `migrate-to-version-1.0.sh` script to correctly prepend the `cozystack.` prefix when converting `BUNDLE_DISABLE` and `BUNDLE_ENABLE` package name lists, ensuring packages are properly identified during the v0.41→v1.0 upgrade ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2144, #2148).
+
+* **[backups] Fix RBAC for backup controllers**: Updated RBAC permissions for the backup strategy controller to support enhanced backup and restore capabilities, including Velero integration and status management ([**@androndo**](https://github.com/androndo) in #2145).
+
+* **[kubernetes] Set explicit MTU for Cilium in tenant clusters**: Set explicit MTU 1350 for Cilium in KubeVirt-based tenant Kubernetes clusters to prevent packet drops caused by VXLAN encapsulation overhead. Cilium's auto-detection does not account for VXLAN overhead (50 bytes) when the VM interface inherits MTU 1400 from the parent OVN/Geneve overlay, causing intermittent connectivity issues and HTTP 499 errors under load ([**@IvanHunters**](https://github.com/IvanHunters) in #2147).
+
+* **[platform] Prevent cozystack-version ConfigMap from deletion**: Added resource protection annotations to prevent the `cozystack-version` ConfigMap from being accidentally deleted, improving platform stability ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2112, #2114).
+
+* **[installer] Add keep annotation to Namespace and update migration script**: Added `helm.sh/resource-policy: keep` annotation to the `cozy-system` Namespace in the installer Helm chart to prevent Helm from deleting the namespace and all HelmReleases within it when the installer release is removed. The v1.0 migration script is also updated to annotate the namespace and `cozystack-version` ConfigMap before migration ([**@kvaps**](https://github.com/kvaps) in #2122, #2123).
+
+* **[dashboard] Add FlowSchema to exempt BFF from API throttling**: Added a `cozy-dashboard-exempt` FlowSchema to exempt the dashboard Back-End-for-Frontend service account from Kubernetes API Priority and Fairness throttling, preventing 429 errors under load ([**@kvaps**](https://github.com/kvaps) in #2121, #2124).
+
+* **[platform] Suspend cozy-proxy if it conflicts with installer release during migration**: Added a check in the v0.41→v1.0 migration script to detect and suspend the `cozy-proxy` HelmRelease when its `releaseName` is set to `cozystack`, which conflicts with the installer release and would cause `cozystack-operator` deletion during the upgrade ([**@kvaps**](https://github.com/kvaps) in #2128, #2130).
+
+* **[platform] Fix off-by-one error in run-migrations script**: Fixed a bug in the migration runner where the first required migration was always skipped due to an off-by-one error in the migration range calculation ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2126, #2132).
+
+* **[system] Fix Keycloak proxy configuration for v26.x**: Replaced the deprecated `KC_PROXY=edge` environment variable with `KC_PROXY_HEADERS=xforwarded` and `KC_HTTP_ENABLED=true` in the Keycloak StatefulSet. `KC_PROXY` was removed in Keycloak 26.x, previously causing "Non-secure context detected" warnings and broken cookie handling behind a reverse proxy with TLS termination ([**@sircthulhu**](https://github.com/sircthulhu) in #2125, #2134).
+
+* **[dashboard] Allow clearing instanceType field and preserve newlines in secret copy**: Added `allowEmpty: true` to the `instanceType` field in the VMInstance form so users can explicitly clear it to use custom KubeVirt resources without a named instance type. Also fixed newline preservation when copying secrets with CMD+C ([**@sircthulhu**](https://github.com/sircthulhu) in #2135, #2137).
+
+* **[dashboard] Restore stock-instance sidebars for namespace-level pages**: Restored `stock-instance-api-form`, `stock-instance-api-table`, `stock-instance-builtin-form`, and `stock-instance-builtin-table` sidebar resources that were inadvertently removed in #2106. Without these sidebars, namespace-level pages such as Backup Plans rendered as empty pages ([**@sircthulhu**](https://github.com/sircthulhu) in #2136, #2138).
+
+## System Configuration
+
+* **[platform] Disable private key rotation in CA certs**: Set `rotationPolicy: Never` for all CA/root certificates used by system components (ingress-nginx, linstor, linstor-scheduler, seaweedfs, victoria-metrics-operator, kubeovn-webhook, lineage-controller-webhook, cozystack-api, etcd, linstor API/internal) to prevent trust chain problems when CA certificates are reissued ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2113).
+
+## Development, Testing, and CI/CD
+
+* **[ci] Add debug improvements for CI tests**: Added extra debug commands for Kubernetes startup diagnostics and improved error output in CI test runs ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2111).
+
+## Documentation
+
+* **[website] Add object storage guide (pools, buckets, users)**: Added a comprehensive guide covering SeaweedFS object storage configuration including storage pools for tiered storage, bucket creation with access classes, per-user credential management, and credential rotation procedures ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#438).
+
+* **[website] Add Build Your Own Platform (BYOP) guide**: Added a new "Build Your Own Platform" guide and split the installation documentation into platform installation and BYOP sub-pages, with cross-references throughout the documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website#437).
+
+* **[website] Add white labeling guide**: Added a comprehensive guide for configuring white labeling (branding) in Cozystack v1, covering Dashboard fields (`titleText`, `footerText`, `tenantText`, `logoText`, `logoSvg`, `iconSvg`) and Keycloak fields (`brandName`, `brandHtmlName`). Includes SVG preparation workflow with theme-aware template variables and portable base64 encoding ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#441).
+
+* **[website] Actualize backup and recovery documentation**: Reworked the backup and recovery docs to be user-focused, separating operator and tenant workflows. Added tenant-facing documentation for `BackupJob` and `Plan` resources and a new Velero administration guide for operators ([**@androndo**](https://github.com/androndo) in cozystack/website#434).
+
+* **[website] Add step to protect namespace before upgrading**: Updated the cluster upgrade guide and v0.41→v1.0 migration guide with a required step to annotate the `cozy-system` namespace and `cozystack-version` ConfigMap with `helm.sh/resource-policy=keep` before running `helm upgrade` ([**@kvaps**](https://github.com/kvaps) in cozystack/website#435).
+
+* **[website] Replace bundles documentation with variants**: Renamed the "Bundles" documentation section to "Variants" to match current Cozystack terminology. Removed deprecated variants and added new ones: `default` and `isp-full-generic` ([**@kvaps**](https://github.com/kvaps) in cozystack/website#433).
+
+* **[website] Fix component values override instructions**: Corrected the component values override documentation to reflect current configuration patterns ([**@kvaps**](https://github.com/kvaps) in cozystack/website#436).
+
+## Breaking Changes & Upgrade Notes
+
+* **[bucket] Bucket user model now requires explicit user definitions**: The implicit default `BucketAccess` resource is no longer created automatically. Existing buckets that relied on a single auto-generated credential secret will need to define users explicitly in the `users` map after upgrading. Each user entry creates its own `BucketAccess` resource and credential secret (optionally with `readonly: true`). The COSI BucketClass suffix has also been renamed from `-worm` to `-lock` ([**@IvanHunters**](https://github.com/IvanHunters) in #2119).
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@androndo**](https://github.com/androndo)
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
+* [**@sircthulhu**](https://github.com/sircthulhu)
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0...v1.1.0

docs/changelogs/v1.1.1.md

@@ -0,0 +1,23 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v1.1.1
+-->
+
+## Fixes
+
+* **[dashboard] Fix hidden MarketplacePanel resources appearing in sidebar menu**: The sidebar was generated independently from MarketplacePanels, always showing all resources regardless of their `hidden` state. Fixed by fetching MarketplacePanels during sidebar reconciliation and skipping resources where `hidden=true`, so hiding a resource from the marketplace also removes it from the sidebar navigation ([**@IvanHunters**](https://github.com/IvanHunters) in #2177, #2203).
+
+* **[dashboard] Fix disabled/hidden state overwritten on every MarketplacePanel reconciliation**: The controller was hardcoding `disabled=false` and `hidden=false` on every reconciliation, silently overwriting any user changes made through the dashboard UI. Fixed by reading and preserving the current `disabled`/`hidden` values from the existing resource before updating ([**@IvanHunters**](https://github.com/IvanHunters) in #2176, #2201).
+
+* **[dashboard] Fix External IPs factory EnrichedTable rendering**: The external-IPs table displayed empty rows because the factory used incorrect `EnrichedTable` properties. Replaced `clusterNamePartOfUrl` with `cluster` and changed `pathToItems` from array to dot-path string format, consistent with all other working `EnrichedTable` instances ([**@IvanHunters**](https://github.com/IvanHunters) in #2175, #2193).
+
+* **[platform] Fix VM MAC address not preserved during virtual-machine to vm-instance migration**: Kube-OVN reads MAC address exclusively from the pod annotation `ovn.kubernetes.io/mac_address`, not from the IP resource `spec.macAddress`. Without the annotation, migrated VMs received a new random MAC, breaking OS-level network configurations that match by MAC (e.g. netplan). Added a Helm `lookup` for the Kube-OVN IP resource in the vm-instance chart so that MAC and IP addresses are automatically injected as pod annotations when the resource exists ([**@sircthulhu**](https://github.com/sircthulhu) in #2169, #2190).
+
+* **[etcd-operator] Replace deprecated kube-rbac-proxy image**: The `gcr.io/kubebuilder/kube-rbac-proxy` image became unavailable after Google Container Registry was deprecated. Replaced it with `quay.io/brancz/kube-rbac-proxy` from the original upstream author, restoring etcd-operator functionality ([**@kvaps**](https://github.com/kvaps) in #2181, #2182).
+
+* **[migrations] Handle missing RabbitMQ CRD in migration 34**: Migration 34 failed with an error when the `rabbitmqs.apps.cozystack.io` CRD did not exist — which occurs on clusters where RabbitMQ was never installed. Added a CRD presence check before attempting to list resources so that migration 34 completes cleanly on such clusters ([**@IvanHunters**](https://github.com/IvanHunters) in #2168, #2180).
+
+* **[keycloak] Fix Keycloak crashloop due to misconfigured health probes**: Keycloak 26.x redirects all HTTP requests on port 8080 to the configured HTTPS hostname; since kubelet does not follow redirects, liveness and readiness probes failed causing a crashloop. Fixed by enabling `KC_HEALTH_ENABLED=true`, exposing management port 9000, and switching all probes to `/health/live` and `/health/ready` on port 9000. Also added a `startupProbe` for improved startup tolerance ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #2162, #2179).
+
+---
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.1.0...v1.1.1

hack/e2e-apps/bucket.bats

@@ -1,7 +1,7 @@
 #!/usr/bin/env bats
 
 @test "Create and Verify Seeweedfs Bucket" {
-  # Create the bucket resource
+  # Create the bucket resource with readwrite and readonly users
   name='test'
   kubectl apply -f - <<EOF
 apiVersion: apps.cozystack.io/v1alpha1
@@ -9,21 +9,29 @@ kind: Bucket
 metadata:
   name: ${name}
   namespace: tenant-test
-spec: {}
+spec:
+  users:
+    admin: {}
+    viewer:
+      readonly: true
 EOF
 
   # Wait for the bucket to be ready
   kubectl -n tenant-test wait hr bucket-${name} --timeout=100s --for=condition=ready
   kubectl -n tenant-test wait bucketclaims.objectstorage.k8s.io bucket-${name} --timeout=300s --for=jsonpath='{.status.bucketReady}'
-  kubectl -n tenant-test wait bucketaccesses.objectstorage.k8s.io bucket-${name} --timeout=300s --for=jsonpath='{.status.accessGranted}'
+  kubectl -n tenant-test wait bucketaccesses.objectstorage.k8s.io bucket-${name}-admin --timeout=300s --for=jsonpath='{.status.accessGranted}'
+  kubectl -n tenant-test wait bucketaccesses.objectstorage.k8s.io bucket-${name}-viewer --timeout=300s --for=jsonpath='{.status.accessGranted}'
 
-  # Get and decode credentials
-  kubectl -n tenant-test get secret bucket-${name} -ojsonpath='{.data.BucketInfo}' | base64 -d > bucket-test-credentials.json
+  # Get admin (readwrite) credentials
+  kubectl -n tenant-test get secret bucket-${name}-admin -ojsonpath='{.data.BucketInfo}' | base64 -d > bucket-admin-credentials.json
+  ADMIN_ACCESS_KEY=$(jq -r '.spec.secretS3.accessKeyID' bucket-admin-credentials.json)
+  ADMIN_SECRET_KEY=$(jq -r '.spec.secretS3.accessSecretKey' bucket-admin-credentials.json)
+  BUCKET_NAME=$(jq -r '.spec.bucketName' bucket-admin-credentials.json)
 
-  # Get credentials from the secret
-  ACCESS_KEY=$(jq -r '.spec.secretS3.accessKeyID' bucket-test-credentials.json)
-  SECRET_KEY=$(jq -r '.spec.secretS3.accessSecretKey' bucket-test-credentials.json)
-  BUCKET_NAME=$(jq -r '.spec.bucketName' bucket-test-credentials.json)
+  # Get viewer (readonly) credentials
+  kubectl -n tenant-test get secret bucket-${name}-viewer -ojsonpath='{.data.BucketInfo}' | base64 -d > bucket-viewer-credentials.json
+  VIEWER_ACCESS_KEY=$(jq -r '.spec.secretS3.accessKeyID' bucket-viewer-credentials.json)
+  VIEWER_SECRET_KEY=$(jq -r '.spec.secretS3.accessSecretKey' bucket-viewer-credentials.json)
 
   # Start port-forwarding
   bash -c 'timeout 100s kubectl port-forward service/seaweedfs-s3 -n tenant-root 8333:8333 > /dev/null 2>&1 &'
@@ -31,17 +39,33 @@ EOF
   # Wait for port-forward to be ready
   timeout 30 sh -ec 'until nc -z localhost 8333; do sleep 1; done'
 
-  # Set up MinIO alias with error handling
-  mc alias set local https://localhost:8333 $ACCESS_KEY $SECRET_KEY --insecure
+  # --- Test readwrite user (admin) ---
+  mc alias set rw-user https://localhost:8333 $ADMIN_ACCESS_KEY $ADMIN_SECRET_KEY --insecure
 
-  # Upload file to bucket
-  mc cp bucket-test-credentials.json $BUCKET_NAME/bucket-test-credentials.json
+  # Admin can upload
+  echo "readwrite test" > /tmp/rw-test.txt
+  mc cp --insecure /tmp/rw-test.txt rw-user/$BUCKET_NAME/rw-test.txt
 
-  # Verify file was uploaded
-  mc ls $BUCKET_NAME/bucket-test-credentials.json
+  # Admin can list
+  mc ls --insecure rw-user/$BUCKET_NAME/rw-test.txt
 
-  # Clean up uploaded file
-  mc rm $BUCKET_NAME/bucket-test-credentials.json
+  # Admin can download
+  mc cp --insecure rw-user/$BUCKET_NAME/rw-test.txt /tmp/rw-test-download.txt
 
+  # --- Test readonly user (viewer) ---
+  mc alias set ro-user https://localhost:8333 $VIEWER_ACCESS_KEY $VIEWER_SECRET_KEY --insecure
+
+  # Viewer can list
+  mc ls --insecure ro-user/$BUCKET_NAME/rw-test.txt
+
+  # Viewer can download
+  mc cp --insecure ro-user/$BUCKET_NAME/rw-test.txt /tmp/ro-test-download.txt
+
+  # Viewer cannot upload (must fail with Access Denied)
+  echo "readonly test" > /tmp/ro-test.txt
+  ! mc cp --insecure /tmp/ro-test.txt ro-user/$BUCKET_NAME/ro-test.txt
+
+  # --- Cleanup ---
+  mc rm --insecure rw-user/$BUCKET_NAME/rw-test.txt
   kubectl -n tenant-test delete bucket.apps.cozystack.io ${name}
 }

hack/e2e-apps/external-dns.bats

@@ -0,0 +1,50 @@
+#!/usr/bin/env bats
+
+teardown() {
+  kubectl -n tenant-test delete externaldns.apps.cozystack.io --all --ignore-not-found 2>/dev/null || true
+}
+
+@test "Create and Verify ExternalDNS with inmemory provider" {
+  name='test'
+  kubectl apply -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: ExternalDNS
+metadata:
+  name: ${name}
+  namespace: tenant-test
+spec:
+  provider: inmemory
+  domainFilters:
+    - example.com
+EOF
+
+  sleep 5
+  kubectl -n tenant-test wait hr ${name} --timeout=120s --for=condition=ready
+  kubectl -n tenant-test wait hr ${name}-system --timeout=120s --for=condition=ready
+  timeout 60 sh -ec "until kubectl -n tenant-test get deploy -l app.kubernetes.io/instance=${name}-system -o jsonpath='{.items[0].status.readyReplicas}' | grep -q '1'; do sleep 5; done"
+
+  kubectl -n tenant-test delete externaldns.apps.cozystack.io ${name}
+}
+
+@test "Create and Verify ExternalDNS with custom annotationPrefix" {
+  name='test-prefix'
+  kubectl apply -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: ExternalDNS
+metadata:
+  name: ${name}
+  namespace: tenant-test
+spec:
+  provider: inmemory
+  annotationPrefix: custom-dns/
+  domainFilters:
+    - example.org
+EOF
+
+  sleep 5
+  kubectl -n tenant-test wait hr ${name} --timeout=120s --for=condition=ready
+  kubectl -n tenant-test wait hr ${name}-system --timeout=120s --for=condition=ready
+  timeout 60 sh -ec "until kubectl -n tenant-test get deploy -l app.kubernetes.io/instance=${name}-system -o jsonpath='{.items[0].status.readyReplicas}' | grep -q '1'; do sleep 5; done"
+
+  kubectl -n tenant-test delete externaldns.apps.cozystack.io ${name}
+}

hack/e2e-install-cozystack.bats

@@ -46,6 +46,9 @@ spec:
         publishing:
           host: "example.org"
           apiServerEndpoint: "https://192.168.123.10:6443"
+        bundles:
+          enabledPackages:
+            - cozystack.external-dns-application
 EOF
 
   # Wait until HelmReleases appear & reconcile them
@@ -175,8 +178,8 @@ EOF
 
   # VictoriaMetrics components
   kubectl wait vmalert/vmalert-shortterm vmalertmanager/alertmanager -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=15m
-  kubectl wait vlogs/generic -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=5m
-  kubectl wait vmcluster/shortterm vmcluster/longterm -n tenant-root --for=jsonpath='{.status.clusterStatus}'=operational --timeout=5m
+  kubectl wait vlclusters/generic -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=5m
+  kubectl wait vmcluster/shortterm vmcluster/longterm -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=5m
 
   # Grafana
   kubectl wait clusters.postgresql.cnpg.io/grafana-db -n tenant-root --for=condition=ready --timeout=5m

hack/migrate-to-version-1.0.sh

@@ -39,7 +39,6 @@ echo "The following resources will be annotated with helm.sh/resource-policy=kee
 echo "to prevent Helm from deleting them when the installer release is removed:"
 echo "  - Namespace: $NAMESPACE"
 echo "  - ConfigMap: $NAMESPACE/cozystack-version"
-echo "  - Namespace: cozy-keycloak"
 echo ""
 read -p "Do you want to annotate these resources? (y/N) " -n 1 -r
 echo ""
@@ -49,14 +48,6 @@ if [[ $REPLY =~ ^[Yy]$ ]]; then
     kubectl annotate namespace "$NAMESPACE" helm.sh/resource-policy=keep --overwrite
     echo "Annotating ConfigMap cozystack-version..."
     kubectl annotate configmap -n "$NAMESPACE" cozystack-version helm.sh/resource-policy=keep --overwrite 2>/dev/null || echo "  ConfigMap cozystack-version not found, skipping."
-
-    echo "Annotating namespace cozy-keycloak..."
-    if kubectl get namespace cozy-keycloak >/dev/null 2>&1; then
-        kubectl annotate namespace cozy-keycloak helm.sh/resource-policy=keep --overwrite
-    else
-        echo "  Namespace cozy-keycloak not found, skipping."
-    fi
-
     echo ""
     echo "Resources annotated successfully."
 else
@@ -65,45 +56,29 @@ else
 fi
 echo ""
 
-# Step 0.5: Delete keycloak helm release secrets to prevent FluxCD from running helm uninstall
-# When the Package operator recreates keycloak HelmReleases with spec.chartRef
-# (replacing spec.chart), FluxCD sees an incompatible change and runs helm uninstall,
-# destroying all keycloak data. Without helm secrets, FluxCD has nothing to uninstall
-# and performs helm install instead, adopting existing resources.
-echo "Step 0.5: Protect keycloak data from destruction"
-echo ""
-echo "This will delete Helm release secrets for keycloak releases in cozy-keycloak"
-echo "namespace. Without these secrets, FluxCD cannot run helm uninstall and will"
-echo "adopt existing resources instead of recreating them."
-echo ""
-
-if kubectl get namespace cozy-keycloak >/dev/null 2>&1; then
-    read -p "Do you want to delete keycloak helm release secrets? (y/N) " -n 1 -r
+# Step 1: Check for cozy-proxy HelmRelease with conflicting releaseName
+# In v0.41.x, cozy-proxy was incorrectly configured with releaseName "cozystack",
+# which conflicts with the installer helm release name. If not suspended, cozy-proxy
+# HelmRelease will overwrite the installer release and delete cozystack-operator.
+COZY_PROXY_RELEASE_NAME=$(kubectl get hr -n "$NAMESPACE" cozy-proxy -o jsonpath='{.spec.releaseName}' 2>/dev/null || true)
+if [ "$COZY_PROXY_RELEASE_NAME" = "cozystack" ]; then
+    echo "WARNING: HelmRelease cozy-proxy has releaseName 'cozystack', which conflicts"
+    echo "with the installer release. It must be suspended before proceeding, otherwise"
+    echo "it will overwrite the installer and delete cozystack-operator."
+    echo ""
+    read -p "Suspend HelmRelease cozy-proxy? (y/N) " -n 1 -r
     echo ""
-
     if [[ $REPLY =~ ^[Yy]$ ]]; then
-        for release in keycloak keycloak-operator keycloak-configure; do
-            echo "  Deleting helm release secrets for ${release}..."
-            kubectl delete secrets -n cozy-keycloak -l "name=${release},owner=helm" --ignore-not-found
-            # Fallback: delete by name pattern
-            remaining=$(kubectl get secrets -n cozy-keycloak -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
-            if [ -n "$remaining" ]; then
-                echo "$remaining" | while IFS= read -r secret; do
-                    echo "    Deleting $secret"
-                    kubectl delete -n cozy-keycloak "$secret" --ignore-not-found
-                done
-            fi
-        done
-        echo ""
-        echo "Keycloak helm release secrets deleted."
+        kubectl -n "$NAMESPACE" patch hr cozy-proxy --type=merge --field-manager=flux-client-side-apply -p '{"spec":{"suspend":true}}'
+        echo "HelmRelease cozy-proxy suspended."
     else
-        echo "WARNING: Skipping. Keycloak data may be lost during upgrade if FluxCD"
-        echo "runs helm uninstall due to chart source change."
+        echo "ERROR: Cannot proceed with conflicting cozy-proxy HelmRelease active."
+        echo "Please suspend it manually:"
+        echo "  kubectl -n $NAMESPACE patch hr cozy-proxy --type=merge -p '{\"spec\":{\"suspend\":true}}'"
+        exit 1
     fi
-else
-    echo "  Namespace cozy-keycloak does not exist, keycloak not deployed — skipping."
+    echo ""
 fi
-echo ""
 
 # Read ConfigMap cozystack
 echo "Reading ConfigMap cozystack..."
@@ -180,13 +155,13 @@ fi
 if [ -z "$BUNDLE_DISABLE" ]; then
     DISABLED_PACKAGES="[]"
 else
-    DISABLED_PACKAGES=$(echo "$BUNDLE_DISABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - "$0}')
+    DISABLED_PACKAGES=$(echo "$BUNDLE_DISABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - cozystack."$0}')
 fi
 
 if [ -z "$BUNDLE_ENABLE" ]; then
     ENABLED_PACKAGES="[]"
 else
-    ENABLED_PACKAGES=$(echo "$BUNDLE_ENABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - "$0}')
+    ENABLED_PACKAGES=$(echo "$BUNDLE_ENABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print "          - cozystack."$0}')
 fi
 
 if [ -z "$EXPOSE_SERVICES" ]; then
@@ -200,7 +175,7 @@ BUNDLE_NAME=$(echo "$BUNDLE_NAME" | sed 's/paas/isp/')
 
 # Extract branding if available
 BRANDING=$(echo "$BRANDING_CM" | jq -r '.data // {} | to_entries[] | "\(.key): \"\(.value)\""')
-if [ -z "$BRANDING" ]; then 
+if [ -z "$BRANDING" ]; then
     BRANDING="{}"
 else
     BRANDING=$(echo "$BRANDING" | awk 'BEGIN{print}{print "          " $0}')

hack/update-codegen.sh

@@ -68,7 +68,7 @@ kube::codegen::gen_client \
     "${SCRIPT_ROOT}/pkg/apis"
 
 $CONTROLLER_GEN object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
-$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=${TMPDIR} 
+$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=${TMPDIR}
 
 mv ${TMPDIR}/cozystack.io_packages.yaml ${OPERATOR_CRDDIR}/cozystack.io_packages.yaml
 mv ${TMPDIR}/cozystack.io_packagesources.yaml ${OPERATOR_CRDDIR}/cozystack.io_packagesources.yaml
@@ -80,3 +80,6 @@ mv ${TMPDIR}/backups.cozystack.io*.yaml ${BACKUPS_CORE_CRDDIR}/
 mv ${TMPDIR}/strategy.backups.cozystack.io*.yaml ${BACKUPSTRATEGY_CRDDIR}/
 
 mv ${TMPDIR}/*.yaml ${COZY_CONTROLLER_CRDDIR}/
+
+# Tidy dependencies for standalone api/apps/v1alpha1 submodule
+(cd "${SCRIPT_ROOT}/api/apps/v1alpha1" && go mod tidy)

hack/upload-assets.sh

@@ -14,3 +14,4 @@ gh release upload --clobber $version _out/assets/kernel-amd64
 gh release upload --clobber $version _out/assets/initramfs-metal-amd64.xz
 gh release upload --clobber $version _out/assets/cozypkg-*.tar.gz
 gh release upload --clobber $version _out/assets/cozypkg-checksums.txt
+gh release upload --clobber $version _out/assets/openapi.json

internal/controller/dashboard/customformsoverride.go

@@ -195,6 +195,7 @@ func applyListInputOverrides(schema map[string]any, kind string, openAPIProps ma
 				"valueUri":    "/api/clusters/{cluster}/k8s/apis/instancetype.kubevirt.io/v1beta1/virtualmachineclusterinstancetypes",
 				"keysToValue": []any{"metadata", "name"},
 				"keysToLabel": []any{"metadata", "name"},
+				"allowEmpty":  true,
 			},
 		}
 		if prop, _ := openAPIProps["instanceType"].(map[string]any); prop != nil {
@@ -214,6 +215,34 @@ func applyListInputOverrides(schema map[string]any, kind string, openAPIProps ma
 				"keysToLabel": []any{"metadata", "name"},
 			},
 		}
+
+	case "ClickHouse", "Harbor", "HTTPCache", "Kubernetes", "MariaDB", "MongoDB",
+		"NATS", "OpenBAO", "Postgres", "Qdrant", "RabbitMQ", "Redis", "VMDisk":
+		specProps := ensureSchemaPath(schema, "spec")
+		specProps["storageClass"] = storageClassListInput()
+
+	case "FoundationDB":
+		storageProps := ensureSchemaPath(schema, "spec", "storage")
+		storageProps["storageClass"] = storageClassListInput()
+
+	case "Kafka":
+		kafkaProps := ensureSchemaPath(schema, "spec", "kafka")
+		kafkaProps["storageClass"] = storageClassListInput()
+		zkProps := ensureSchemaPath(schema, "spec", "zookeeper")
+		zkProps["storageClass"] = storageClassListInput()
+	}
+}
+
+// storageClassListInput returns a listInput field config for a storageClass dropdown
+// backed by the cluster's available StorageClasses.
+func storageClassListInput() map[string]any {
+	return map[string]any{
+		"type": "listInput",
+		"customProps": map[string]any{
+			"valueUri":    "/api/clusters/{cluster}/k8s/apis/storage.k8s.io/v1/storageclasses",
+			"keysToValue": []any{"metadata", "name"},
+			"keysToLabel": []any{"metadata", "name"},
+		},
 	}
 }
 

internal/controller/dashboard/customformsoverride_test.go

@@ -202,6 +202,10 @@ func TestApplyListInputOverrides_VMInstance(t *testing.T) {
 		t.Errorf("expected valueUri %s, got %v", expectedURI, customProps["valueUri"])
 	}
 
+	if customProps["allowEmpty"] != true {
+		t.Errorf("expected allowEmpty true, got %v", customProps["allowEmpty"])
+	}
+
 	// Check disks[].name is a listInput
 	disks, ok := specProps["disks"].(map[string]any)
 	if !ok {
@@ -232,6 +236,72 @@ func TestApplyListInputOverrides_VMInstance(t *testing.T) {
 	}
 }
 
+func TestApplyListInputOverrides_StorageClassSimple(t *testing.T) {
+	for _, kind := range []string{
+		"ClickHouse", "Harbor", "HTTPCache", "Kubernetes", "MariaDB", "MongoDB",
+		"NATS", "OpenBAO", "Postgres", "Qdrant", "RabbitMQ", "Redis", "VMDisk",
+	} {
+		t.Run(kind, func(t *testing.T) {
+			schema := map[string]any{}
+			applyListInputOverrides(schema, kind, map[string]any{})
+
+			specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+			sc, ok := specProps["storageClass"].(map[string]any)
+			if !ok {
+				t.Fatalf("storageClass not found in spec.properties for kind %s", kind)
+			}
+			assertStorageClassListInput(t, sc)
+		})
+	}
+}
+
+func TestApplyListInputOverrides_StorageClassFoundationDB(t *testing.T) {
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "FoundationDB", map[string]any{})
+
+	storageProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)["storage"].(map[string]any)["properties"].(map[string]any)
+	sc, ok := storageProps["storageClass"].(map[string]any)
+	if !ok {
+		t.Fatal("storageClass not found in spec.storage.properties")
+	}
+	assertStorageClassListInput(t, sc)
+}
+
+func TestApplyListInputOverrides_StorageClassKafka(t *testing.T) {
+	schema := map[string]any{}
+	applyListInputOverrides(schema, "Kafka", map[string]any{})
+
+	specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
+
+	kafkaSC, ok := specProps["kafka"].(map[string]any)["properties"].(map[string]any)["storageClass"].(map[string]any)
+	if !ok {
+		t.Fatal("storageClass not found in spec.kafka.properties")
+	}
+	assertStorageClassListInput(t, kafkaSC)
+
+	zkSC, ok := specProps["zookeeper"].(map[string]any)["properties"].(map[string]any)["storageClass"].(map[string]any)
+	if !ok {
+		t.Fatal("storageClass not found in spec.zookeeper.properties")
+	}
+	assertStorageClassListInput(t, zkSC)
+}
+
+// assertStorageClassListInput verifies that a field is a correctly configured storageClass listInput.
+func assertStorageClassListInput(t *testing.T, field map[string]any) {
+	t.Helper()
+	if field["type"] != "listInput" {
+		t.Errorf("expected type listInput, got %v", field["type"])
+	}
+	customProps, ok := field["customProps"].(map[string]any)
+	if !ok {
+		t.Fatal("customProps not found")
+	}
+	expectedURI := "/api/clusters/{cluster}/k8s/apis/storage.k8s.io/v1/storageclasses"
+	if customProps["valueUri"] != expectedURI {
+		t.Errorf("expected valueUri %s, got %v", expectedURI, customProps["valueUri"])
+	}
+}
+
 func TestApplyListInputOverrides_UnknownKind(t *testing.T) {
 	schema := map[string]any{}
 	applyListInputOverrides(schema, "SomeOtherKind", map[string]any{})

internal/controller/dashboard/manager.go

@@ -307,6 +307,10 @@ func (m *Manager) buildExpectedResourceSet(crds []cozyv1alpha1.ApplicationDefini
 			"stock-project-builtin-table",
 			"stock-project-crd-form",
 			"stock-project-crd-table",
+			"stock-instance-api-form",
+			"stock-instance-api-table",
+			"stock-instance-builtin-form",
+			"stock-instance-builtin-table",
 		}
 		for _, sidebarID := range stockSidebars {
 			expected["Sidebar"][sidebarID] = true

internal/controller/dashboard/marketplacepanel.go

@@ -68,31 +68,46 @@ func (m *Manager) ensureMarketplacePanel(ctx context.Context, crd *cozyv1alpha1.
 		tags[i] = t
 	}
 
-	specMap := map[string]any{
-		"description": d.Description,
-		"name":        displayName,
-		"type":        "nonCrd",
-		"apiGroup":    "apps.cozystack.io",
-		"apiVersion":  "v1alpha1",
-		"plural":      app.Plural, // e.g., "buckets"
-		"disabled":    false,
-		"hidden":      false,
-		"tags":        tags,
-		"icon":        d.Icon,
-	}
-
-	specBytes, err := json.Marshal(specMap)
-	if err != nil {
-		return reconcile.Result{}, err
-	}
-
-	_, err = controllerutil.CreateOrUpdate(ctx, m.Client, mp, func() error {
+	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, mp, func() error {
 		if err := controllerutil.SetOwnerReference(crd, mp, m.Scheme); err != nil {
 			return err
 		}
 		// Add dashboard labels to dynamic resources
 		m.addDashboardLabels(mp, crd, ResourceTypeDynamic)
 
+		// Preserve user-set disabled/hidden values from existing resource
+		disabled := false
+		hidden := false
+		if mp.Spec.Raw != nil {
+			var existing map[string]any
+			if err := json.Unmarshal(mp.Spec.Raw, &existing); err == nil {
+				if v, ok := existing["disabled"].(bool); ok {
+					disabled = v
+				}
+				if v, ok := existing["hidden"].(bool); ok {
+					hidden = v
+				}
+			}
+		}
+
+		specMap := map[string]any{
+			"description": d.Description,
+			"name":        displayName,
+			"type":        "nonCrd",
+			"apiGroup":    "apps.cozystack.io",
+			"apiVersion":  "v1alpha1",
+			"plural":      app.Plural, // e.g., "buckets"
+			"disabled":    disabled,
+			"hidden":      hidden,
+			"tags":        tags,
+			"icon":        d.Icon,
+		}
+
+		specBytes, err := json.Marshal(specMap)
+		if err != nil {
+			return err
+		}
+
 		// Only update spec if it's different to avoid unnecessary updates
 		newSpec := dashv1alpha1.ArbitrarySpec{
 			JSON: apiextv1.JSON{Raw: specBytes},

internal/controller/dashboard/sidebar.go

@@ -38,6 +38,23 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 	}
 	all = crdList.Items
 
+	// 1b) Fetch all MarketplacePanels to determine which resources are hidden
+	hiddenResources := map[string]bool{}
+	var mpList dashv1alpha1.MarketplacePanelList
+	if err := m.List(ctx, &mpList, &client.ListOptions{}); err == nil {
+		for i := range mpList.Items {
+			mp := &mpList.Items[i]
+			if mp.Spec.Raw != nil {
+				var spec map[string]any
+				if err := json.Unmarshal(mp.Spec.Raw, &spec); err == nil {
+					if hidden, ok := spec["hidden"].(bool); ok && hidden {
+						hiddenResources[mp.Name] = true
+					}
+				}
+			}
+		}
+	}
+
 	// 2) Build category -> []item map (only for CRDs with spec.dashboard != nil)
 	type item struct {
 		Key    string
@@ -63,6 +80,11 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 		plural := pickPlural(kind, def)
 		lowerKind := strings.ToLower(kind)
 
+		// Skip resources hidden via MarketplacePanel
+		if hiddenResources[def.Name] {
+			continue
+		}
+
 		// Check if this resource is a module
 		if def.Spec.Dashboard.Module {
 			// Special case: info should have its own keysAndTags, not be in modules
@@ -243,6 +265,11 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 		"stock-project-builtin-table",
 		"stock-project-crd-form",
 		"stock-project-crd-table",
+		// stock-instance sidebars (namespace-level pages after namespace is selected)
+		"stock-instance-api-form",
+		"stock-instance-api-table",
+		"stock-instance-builtin-form",
+		"stock-instance-builtin-table",
 	}
 
 	// Add details sidebars for all CRDs with dashboard config

internal/controller/dashboard/static_refactored.go

@@ -1924,12 +1924,12 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 				map[string]any{
 					"type": "EnrichedTable",
 					"data": map[string]any{
-						"id":                   "external-ips-table",
-						"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/services",
-						"clusterNamePartOfUrl": "{2}",
-						"baseprefix":           "/openapi-ui",
-						"customizationId":      "factory-details-v1.services",
-						"pathToItems":          []any{"items"},
+						"id":              "external-ips-table",
+						"fetchUrl":        "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/services",
+						"cluster":         "{2}",
+						"baseprefix":      "/openapi-ui",
+						"customizationId": "factory-details-v1.services",
+						"pathToItems":     ".items",
 						"fieldSelector": map[string]any{
 							"spec.type": "LoadBalancer",
 						},

packages/apps/bucket/Makefile

@@ -1,6 +1,5 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
-	yq -o json -i '.properties = {}' values.schema.json
+	cozyvalues-gen -m 'bucket' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/bucket/types.go
 	../../../hack/update-crd.sh

packages/apps/bucket/README.md

@@ -1,3 +1,13 @@
 # S3 bucket
 
 ## Parameters
+
+### Parameters
+
+| Name                   | Description                                                                | Type                | Value   |
+| ---------------------- | -------------------------------------------------------------------------- | ------------------- | ------- |
+| `locking`              | Provisions bucket from the `-lock` BucketClass (with object lock enabled). | `bool`              | `false` |
+| `storagePool`          | Selects a specific BucketClass by storage pool name.                       | `string`            | `""`    |
+| `users`                | Users configuration map.                                                   | `map[string]object` | `{}`    |
+| `users[name].readonly` | Whether the user has read-only access.                                     | `bool`              | `false` |
+

packages/apps/bucket/templates/bucketclaim.yaml

@@ -1,29 +1,22 @@
 {{- $seaweedfs := .Values._namespace.seaweedfs }}
+{{- $pool := .Values.storagePool }}
 apiVersion: objectstorage.k8s.io/v1alpha1
 kind: BucketClaim
 metadata:
   name: {{ .Release.Name }}
 spec:
-  bucketClassName: {{ $seaweedfs }}
+  bucketClassName: {{ $seaweedfs }}{{- if $pool }}-{{ $pool }}{{- end }}{{- if .Values.locking }}-lock{{- end }}
   protocols:
     - s3
+{{- range $name, $user := .Values.users }}
 ---
 apiVersion: objectstorage.k8s.io/v1alpha1
 kind: BucketAccess
 metadata:
-  name: {{ .Release.Name }}
+  name: {{ $.Release.Name }}-{{ $name }}
 spec:
-  bucketAccessClassName: {{ $seaweedfs }}
-  bucketClaimName: {{ .Release.Name }}
-  credentialsSecretName: {{ .Release.Name }}
-  protocol: s3
----
-apiVersion: objectstorage.k8s.io/v1alpha1
-kind: BucketAccess
-metadata:
-  name: {{ .Release.Name }}-readonly
-spec:
-  bucketAccessClassName: {{ $seaweedfs }}-readonly
-  bucketClaimName: {{ .Release.Name }}
-  credentialsSecretName: {{ .Release.Name }}-readonly
+  bucketAccessClassName: {{ $seaweedfs }}{{- if $pool }}-{{ $pool }}{{- end }}{{- if $user.readonly }}-readonly{{- end }}
+  bucketClaimName: {{ $.Release.Name }}
+  credentialsSecretName: {{ $.Release.Name }}-{{ $name }}
   protocol: s3
+{{- end }}

packages/apps/bucket/templates/dashboard-resourcemap.yaml

@@ -8,9 +8,9 @@ rules:
   resources:
   - secrets
   resourceNames:
-  - {{ .Release.Name }}
-  - {{ .Release.Name }}-credentials
-  - {{ .Release.Name }}-readonly
+  {{- range $name, $user := .Values.users }}
+  - {{ $.Release.Name }}-{{ $name }}-credentials
+  {{- end }}
   verbs: ["get", "list", "watch"]
 - apiGroups:
   - networking.k8s.io

packages/apps/bucket/templates/helmrelease.yaml

@@ -23,3 +23,4 @@ spec:
     name: cozystack-values
   values:
     bucketName: {{ .Release.Name }}
+    users: {{ .Values.users | toJson }}

packages/apps/bucket/values.schema.json

@@ -1,5 +1,30 @@
 {
   "title": "Chart Values",
   "type": "object",
-  "properties": {}
-}
+  "properties": {
+    "locking": {
+      "description": "Provisions bucket from the `-lock` BucketClass (with object lock enabled).",
+      "type": "boolean",
+      "default": false
+    },
+    "storagePool": {
+      "description": "Selects a specific BucketClass by storage pool name.",
+      "type": "string",
+      "default": ""
+    },
+    "users": {
+      "description": "Users configuration map.",
+      "type": "object",
+      "default": {},
+      "additionalProperties": {
+        "type": "object",
+        "properties": {
+          "readonly": {
+            "description": "Whether the user has read-only access.",
+            "type": "boolean"
+          }
+        }
+      }
+    }
+  }
+}

packages/apps/bucket/values.yaml

@@ -1 +1,11 @@
-{}
+## @param {bool} locking=false - Provisions bucket from the `-lock` BucketClass (with object lock enabled).
+locking: false
+
+## @param {string} [storagePool] - Selects a specific BucketClass by storage pool name.
+storagePool: ""
+
+## @typedef {struct} User - Bucket user configuration.
+## @field {bool} [readonly] - Whether the user has read-only access.
+
+## @param {map[string]User} users - Users configuration map.
+users: {}

packages/apps/clickhouse/Makefile

@@ -4,7 +4,7 @@ include ../../../hack/common-envs.mk
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'clickhouse' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/clickhouse/types.go
 	../../../hack/update-crd.sh
 
 image:

packages/apps/foundationdb/Makefile

@@ -1,4 +1,4 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'foundationdb' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/foundationdb/types.go

packages/apps/foundationdb/README.md

@@ -1,4 +1,4 @@
-# FoundationDB
+# Managed FoundationDB Service
 
 A managed FoundationDB service for Cozystack.
 

packages/apps/harbor/Makefile

@@ -3,5 +3,5 @@ NAME=harbor
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'harbor' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/harbor/types.go
 	../../../hack/update-crd.sh

packages/apps/harbor/README.md

@@ -1,6 +1,6 @@
 # Managed Harbor Container Registry
 
-Harbor is an open source trusted cloud native registry project that stores, signs, and scans content.
+Harbor is an open-source trusted cloud-native registry project that stores, signs, and scans content.
 
 ## Parameters
 

packages/apps/http-cache/Makefile

@@ -17,7 +17,7 @@ image-nginx:
 	rm -f images/nginx-cache.json
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'httpcache' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/httpcache/types.go
 	../../../hack/update-crd.sh
 
 update:

packages/apps/kafka/Makefile

@@ -2,5 +2,5 @@ include ../../../hack/package.mk
 PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'kafka' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/kafka/types.go
 	../../../hack/update-crd.sh

packages/apps/kubernetes/Makefile

@@ -5,7 +5,7 @@ include ../../../hack/common-envs.mk
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'kubernetes' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/kubernetes/types.go
 	../../../hack/update-crd.sh
 
 update:

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:434aa3b8e2a3cbf6681426b174e1c4fde23bafd12a6cccd046b5cb1749092ec4
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:faaa6bcdb68196edb4baafe643679bd7d2ef35f910c639b71e06a4ecc034f232

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -3,6 +3,7 @@ cilium:
   k8sServiceHost: {{ .Release.Name }}.{{ .Release.Namespace }}.svc
   k8sServicePort: 6443
   routingMode: tunnel
+  MTU: 1350
   enableIPv4Masquerade: true
   ipv4NativeRoutingCIDR: ""
   {{- if $.Values.addons.gatewayAPI.enabled }}

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

@@ -73,8 +73,8 @@ spec:
           [OUTPUT]
               Name http
               Match kube.*
-              Host vlogs-generic.{{ $targetTenant }}.svc.{{ $clusterDomain }}
-              port 9428
+              Host vlinsert-generic.{{ $targetTenant }}.svc.{{ $clusterDomain }}
+              port 9481
               compress gzip
               uri /insert/jsonline?_stream_fields=stream,kubernetes_pod_name,kubernetes_container_name,kubernetes_namespace_name&_msg_field=log&_time_field=date
               format json_lines

packages/apps/mariadb/Makefile

@@ -4,7 +4,7 @@ include ../../../hack/common-envs.mk
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'mariadb' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/mariadb/types.go
 	../../../hack/update-crd.sh
 
 update:

packages/apps/mariadb/README.md

@@ -15,7 +15,7 @@ This managed service is controlled by mariadb-operator, ensuring efficient manag
 ### How to switch master/slave replica
 
 ```bash
-kubectl edit mariadb <instnace>
+kubectl edit mariadb <instance>
 ```
 update:
 
@@ -54,11 +54,11 @@ more details:
 - **Replication can't be finished with various errors**
 - **Replication can't be finished in case if `binlog` purged**
 
-  Until `mariadbbackup` is not used to bootstrap a node by mariadb-operator (this feature is not inmplemented yet), follow these manual steps to fix it:
+  Until `mariadbbackup` is not used to bootstrap a node by mariadb-operator (this feature is not implemented yet), follow these manual steps to fix it:
   https://github.com/mariadb-operator/mariadb-operator/issues/141#issuecomment-1804760231
 
-- **Corrupted indicies**
-  Sometimes some indecies can be corrupted on master replica, you can recover them from slave:
+- **Corrupted indices**
+  Sometimes some indices can be corrupted on master replica, you can recover them from slave:
 
   ```bash
   mysqldump -h <slave> -P 3306 -u<user> -p<password> --column-statistics=0 <database> <table> ~/tmp/fix-table.sql

packages/apps/mongodb/Makefile

@@ -3,7 +3,7 @@ include ../../../hack/package.mk
 .PHONY: generate update
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'mongodb' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/mongodb/types.go
 	../../../hack/update-crd.sh
 
 update:

packages/apps/nats/Makefile

@@ -1,5 +1,5 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'nats' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/nats/types.go
 	../../../hack/update-crd.sh

packages/apps/openbao/Makefile

@@ -1,5 +1,5 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'openbao' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/openbao/types.go
 	../../../hack/update-crd.sh

packages/apps/postgres/Makefile

@@ -1,7 +1,7 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'postgresql' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/postgresql/types.go
 	../../../hack/update-crd.sh
 
 update:

packages/apps/qdrant/Makefile

@@ -1,5 +1,5 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'qdrant' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/qdrant/types.go
 	../../../hack/update-crd.sh

packages/apps/rabbitmq/Chart.yaml

@@ -4,4 +4,4 @@ description: Managed RabbitMQ service
 icon: /logos/rabbitmq.svg
 type: application
 version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
-appVersion: "3.13.2"
+appVersion: "4.2.4"

packages/apps/rabbitmq/Makefile

@@ -1,5 +1,9 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'rabbitmq' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/rabbitmq/types.go
 	../../../hack/update-crd.sh
+
+update:
+	hack/update-versions.sh
+	make generate

packages/apps/rabbitmq/README.md

@@ -23,6 +23,7 @@ The service utilizes official RabbitMQ operator. This ensures the reliability an
 | `size`             | Persistent Volume Claim size available for application data.                                                                       | `quantity` | `10Gi`  |
 | `storageClass`     | StorageClass used to store the data.                                                                                               | `string`   | `""`    |
 | `external`         | Enable external access from outside the cluster.                                                                                   | `bool`     | `false` |
+| `version`          | RabbitMQ major.minor version to deploy                                                                                             | `string`   | `v4.2`  |
 
 
 ### Application-specific parameters

packages/apps/rabbitmq/files/versions.yaml

@@ -0,0 +1,4 @@
+"v4.2": "4.2.4"
+"v4.1": "4.1.8"
+"v4.0": "4.0.9"
+"v3.13": "3.13.7"

packages/apps/rabbitmq/hack/update-versions.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+RABBITMQ_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+VALUES_FILE="${RABBITMQ_DIR}/values.yaml"
+VERSIONS_FILE="${RABBITMQ_DIR}/files/versions.yaml"
+GITHUB_API_URL="https://api.github.com/repos/rabbitmq/rabbitmq-server/releases"
+
+# Check if jq is installed
+if ! command -v jq &> /dev/null; then
+    echo "Error: jq is not installed. Please install jq and try again." >&2
+    exit 1
+fi
+
+# Fetch releases from GitHub API
+echo "Fetching releases from GitHub API..."
+RELEASES_JSON=$(curl -sSL "${GITHUB_API_URL}?per_page=100")
+
+if [ -z "$RELEASES_JSON" ]; then
+    echo "Error: Could not fetch releases from GitHub API" >&2
+    exit 1
+fi
+
+# Extract stable release tags (format: v3.13.7, v4.0.3, etc.)
+# Filter out pre-releases and draft releases
+RELEASE_TAGS=$(echo "$RELEASES_JSON" | jq -r '.[] | select(.prerelease == false) | select(.draft == false) | .tag_name' | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V)
+
+if [ -z "$RELEASE_TAGS" ]; then
+    echo "Error: Could not find any stable release tags" >&2
+    exit 1
+fi
+
+echo "Found release tags: $(echo "$RELEASE_TAGS" | tr '\n' ' ')"
+
+# Supported major.minor versions (newest first)
+# We support the last few minor releases of each active major
+SUPPORTED_MAJORS=("4.2" "4.1" "4.0" "3.13")
+
+# Build versions map: major.minor -> latest patch version
+declare -A VERSION_MAP
+MAJOR_VERSIONS=()
+
+for major_minor in "${SUPPORTED_MAJORS[@]}"; do
+    # Find the latest patch version for this major.minor
+    MATCHING=$(echo "$RELEASE_TAGS" | grep -E "^v${major_minor//./\\.}\.[0-9]+$" | tail -n1)
+
+    if [ -n "$MATCHING" ]; then
+        # Strip the 'v' prefix for the value (Docker tag format is e.g. 3.13.7)
+        TAG_VERSION="${MATCHING#v}"
+        VERSION_MAP["v${major_minor}"]="${TAG_VERSION}"
+        MAJOR_VERSIONS+=("v${major_minor}")
+        echo "Found version: v${major_minor} -> ${TAG_VERSION}"
+    else
+        echo "Warning: No stable releases found for ${major_minor}, skipping..." >&2
+    fi
+done
+
+if [ ${#MAJOR_VERSIONS[@]} -eq 0 ]; then
+    echo "Error: No matching versions found" >&2
+    exit 1
+fi
+
+echo "Major versions to add: ${MAJOR_VERSIONS[*]}"
+
+# Create/update versions.yaml file
+echo "Updating $VERSIONS_FILE..."
+{
+    for major_ver in "${MAJOR_VERSIONS[@]}"; do
+        echo "\"${major_ver}\": \"${VERSION_MAP[$major_ver]}\""
+    done
+} > "$VERSIONS_FILE"
+
+echo "Successfully updated $VERSIONS_FILE"
+
+# Update values.yaml - enum with major.minor versions only
+TEMP_FILE=$(mktemp)
+trap "rm -f $TEMP_FILE" EXIT
+
+# Build new version section
+NEW_VERSION_SECTION="## @enum {string} Version"
+for major_ver in "${MAJOR_VERSIONS[@]}"; do
+    NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+## @value $major_ver"
+done
+NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+
+## @param {Version} version - RabbitMQ major.minor version to deploy
+version: ${MAJOR_VERSIONS[0]}"
+
+# Check if version section already exists
+if grep -q "^## @enum {string} Version" "$VALUES_FILE"; then
+    # Version section exists, update it using awk
+    echo "Updating existing version section in $VALUES_FILE..."
+
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @enum {string} Version/ {
+            in_section = 1
+            print new_section
+            next
+        }
+        in_section && /^version: / {
+            in_section = 0
+            next
+        }
+        in_section {
+            next
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+else
+    # Version section doesn't exist, insert it before Application-specific parameters section
+    echo "Inserting new version section in $VALUES_FILE..."
+
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @section Application-specific parameters/ {
+            print new_section
+            print ""
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+fi
+
+echo "Successfully updated $VALUES_FILE with major.minor versions: ${MAJOR_VERSIONS[*]}"

packages/apps/rabbitmq/templates/_versions.tpl

@@ -0,0 +1,8 @@
+{{- define "rabbitmq.versionMap" }}
+{{- $versionMap := .Files.Get "files/versions.yaml" | fromYaml }}
+{{- if not (hasKey $versionMap .Values.version) }}
+    {{- printf `RabbitMQ version %s is not supported, allowed versions are %s` $.Values.version (keys $versionMap) | fail }}
+{{- end }}
+{{- index $versionMap .Values.version }}
+{{- end }}
+

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -7,6 +7,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
   replicas: {{ .Values.replicas }}
+  image: 'rabbitmq:{{ include "rabbitmq.versionMap" $ }}-management'
   {{- if .Values.external }}
   service:
     type: LoadBalancer

packages/apps/rabbitmq/values.schema.json

@@ -92,6 +92,17 @@
         }
       }
     },
+    "version": {
+      "description": "RabbitMQ major.minor version to deploy",
+      "type": "string",
+      "default": "v4.2",
+      "enum": [
+        "v4.2",
+        "v4.1",
+        "v4.0",
+        "v3.13"
+      ]
+    },
     "vhosts": {
       "description": "Virtual hosts configuration map.",
       "type": "object",

packages/apps/rabbitmq/values.yaml

@@ -34,6 +34,15 @@ storageClass: ""
 external: false
 
 ##
+## @enum {string} Version
+## @value v4.2
+## @value v4.1
+## @value v4.0
+## @value v3.13
+
+## @param {Version} version - RabbitMQ major.minor version to deploy
+version: v4.2
+
 ## @section Application-specific parameters
 ##
 

packages/apps/redis/Makefile

@@ -1,7 +1,7 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'redis' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/redis/types.go
 	../../../hack/update-crd.sh
 
 update:

packages/apps/tcp-balancer/Makefile

@@ -1,5 +1,5 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'tcpbalancer' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/tcpbalancer/types.go
 	../../../hack/update-crd.sh

packages/apps/tenant/Makefile

@@ -1,5 +1,5 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'tenant' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/tenant/types.go
 	../../../hack/update-crd.sh

packages/apps/tenant/templates/networkpolicy.yaml

@@ -207,6 +207,27 @@ spec:
   - toEndpoints:
       - matchLabels:
           "k8s:io.kubernetes.pod.namespace": cozy-kubevirt-cdi
+{{- if .Values.monitoring }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: {{ include "tenant.name" . }}-egress-virt-handler
+spec:
+  endpointSelector:
+    matchLabels:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+      "k8s:app.kubernetes.io/name": "vmagent"
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        "k8s:kubevirt.io": "virt-handler"
+        "k8s:io.kubernetes.pod.namespace": "cozy-kubevirt"
+    toPorts:
+    - ports:
+      - port: "8443"
+        protocol: TCP
+{{- end }}
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy

packages/apps/vm-disk/Makefile

@@ -1,5 +1,5 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'vmdisk' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/vmdisk/types.go
 	../../../hack/update-crd.sh

packages/apps/vm-instance/Makefile

@@ -1,7 +1,7 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'vminstance' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/vminstance/types.go
 	#INSTANCE_TYPES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/instancetypes.yaml | yq 'split(" ") | . + [""]' -o json) \
 	#  && yq -i -o json ".properties.instanceType.enum = $${INSTANCE_TYPES}" values.schema.json
 	PREFERENCES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/preferences.yaml | yq 'split(" ") | . + [""]' -o json) \

packages/apps/vm-instance/templates/vm.yaml

@@ -34,6 +34,12 @@ spec:
     metadata:
       annotations:
         kubevirt.io/allow-pod-bridge-network-live-migration: "true"
+        {{- $ovnIPName := printf "%s.%s" (include "virtual-machine.fullname" .) .Release.Namespace }}
+        {{- $ovnIP := lookup "kubeovn.io/v1" "IP" "" $ovnIPName }}
+        {{- if $ovnIP }}
+        ovn.kubernetes.io/mac_address: {{ $ovnIP.spec.macAddress | quote }}
+        ovn.kubernetes.io/ip_address: {{ $ovnIP.spec.ipAddress | quote }}
+        {{- end }}
       labels:
         {{- include "virtual-machine.labels" . | nindent 8 }}
     spec:

packages/apps/vpc/Makefile

@@ -1,7 +1,7 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json
+	cozyvalues-gen -m 'vpc' -v values.yaml -s values.schema.json -g ../../../api/apps/v1alpha1/vpc/types.go
 	../../../hack/update-crd.sh
 
 update:

packages/apps/vpn/Makefile

@@ -1,5 +1,5 @@
 include ../../../hack/package.mk
 
 generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	cozyvalues-gen -m 'vpn' -v values.yaml -s values.schema.json -r README.md -g ../../../api/apps/v1alpha1/vpn/types.go
 	../../../hack/update-crd.sh

packages/core/installer/values.yaml

@@ -1,9 +1,9 @@
 cozystackOperator:
   # Deployment variant: talos, generic, hosted
   variant: talos
-  image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.0.0@sha256:9e5229764b6077809a1c16566881a524c33e8986e36597e6833f8857a7e6a335
+  image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.1.0@sha256:9367001a8d1d2dcf08ae74a42ac234eaa6af18f1af64ac28ce8a5946af9c5d3f
   platformSourceUrl: 'oci://ghcr.io/cozystack/cozystack/cozystack-packages'
-  platformSourceRef: 'digest=sha256:ef3e4ba7d21572a61794d8be594805f063aa04f4a8c3753351fc89c7804d337e'
+  platformSourceRef: 'digest=sha256:7c6da38e7b99ec80d35ba2cef721ea1579f8a0824989454544fa85318bb7bf15'
 # Generic variant configuration (only used when cozystackOperator.variant=generic)
 cozystack:
   # Kubernetes API server host (IP only, no protocol/port)

packages/core/platform/images/migrations/migrations/34

@@ -1,89 +1,45 @@
 #!/bin/sh
 # Migration 34 --> 35
-# Protect keycloak data from destruction during v1.0 upgrade.
+# Backfill spec.version on rabbitmq.apps.cozystack.io resources.
 #
-# Problem:
-# In v0.41.x keycloak HelmReleases (keycloak, keycloak-operator, keycloak-configure)
-# were created via platform chart template (helmreleases.yaml) with spec.chart
-# pointing to a HelmRepository. In v1.0 the Package operator recreates these
-# HelmReleases with spec.chartRef pointing to an ExternalArtifact.
-# FluxCD sees an incompatible chart source change and runs helm uninstall,
-# destroying all keycloak resources (PVCs, PostgreSQL databases, credentials,
-# realm configuration) before doing a fresh helm install.
+# Before this migration RabbitMQ had no user-selectable version; the
+# operator always used its built-in default image (v3.x).  A version field
+# was added in this release.  Without this migration every existing cluster
+# would be upgraded to the new default (v4.2) on the next reconcile.
 #
-# Solution:
-# Delete Helm release secrets (sh.helm.release.v1.<name>.*) BEFORE the chart
-# source change happens. Without these secrets FluxCD has no release to uninstall,
-# so it performs helm install directly. Existing resources with correct
-# meta.helm.sh/release-name annotations are adopted by the new release.
-#
-# Pattern from migration 26 (monitoring migration).
+# Set spec.version to "v3.13" for any rabbitmq app resource that does not
+# already have it set.
 
 set -euo pipefail
 
-NAMESPACE="cozy-keycloak"
+DEFAULT_VERSION="v3.13"
 
-# Delete all helm release secrets for a given release name in a namespace.
-# Uses both label selector and name-pattern matching to ensure complete cleanup.
-delete_helm_secrets() {
-  local ns="$1"
-  local release="$2"
-
-  # Primary: delete by label selector
-  kubectl delete secrets -n "$ns" -l "name=${release},owner=helm" --ignore-not-found
-
-  # Fallback: find and delete by name pattern (in case labels were modified)
-  local remaining
-  remaining=$(kubectl get secrets -n "$ns" -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
-  if [ -n "$remaining" ]; then
-    echo "    Found secrets not matched by label selector, deleting by name..."
-    echo "$remaining" | while IFS= read -r secret; do
-      echo "      Deleting $secret"
-      kubectl delete -n "$ns" "$secret" --ignore-not-found
-    done
-  fi
-
-  # Verify all secrets are gone
-  remaining=$(kubectl get secrets -n "$ns" -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
-  if [ -n "$remaining" ]; then
-    echo "    ERROR: Failed to delete helm release secrets:"
-    echo "$remaining"
-    return 1
-  fi
-}
-
-echo "=== Protecting keycloak data from destruction during upgrade ==="
-
-# Check if namespace exists; if not, keycloak was never deployed — skip
-if ! kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
-  echo "  Namespace $NAMESPACE does not exist, keycloak not deployed — skipping"
+# Skip if the CRD does not exist (rabbitmq was never installed)
+if ! kubectl api-resources --api-group=apps.cozystack.io -o name 2>/dev/null | grep -q '^rabbitmqs\.'; then
+  echo "CRD rabbitmqs.apps.cozystack.io not found, skipping migration"
   kubectl create configmap -n cozy-system cozystack-version \
     --from-literal=version=35 --dry-run=client -o yaml | kubectl apply -f-
   exit 0
 fi
 
-for release in keycloak keycloak-operator keycloak-configure; do
-  # Check if HelmRelease exists (handle missing CRD gracefully)
-  out=$(kubectl get helmrelease "$release" -n "$NAMESPACE" -o name 2>&1) && found=true || found=false
+RABBITMQS=$(kubectl get rabbitmqs.apps.cozystack.io -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}')
+for resource in $RABBITMQS; do
+  NS="${resource%%/*}"
+  APP_NAME="${resource##*/}"
 
-  if [ "$found" = "true" ]; then
-    echo "  [DELETE SECRETS] Removing helm release secrets for ${release} in ${NAMESPACE}"
-    delete_helm_secrets "$NAMESPACE" "$release"
-  else
-    # Distinguish "not found" from real errors
-    case "$out" in
-      *"NotFound"*|*"not found"*|*"the server doesn't have a resource type"*|*"no matches for kind"*)
-        echo "  [SKIP] hr/${release} not found in ${NAMESPACE}"
-        ;;
-      *)
-        echo "  [ERROR] Failed to query hr/${release}: $out" >&2
-        exit 1
-        ;;
-    esac
+  # Skip if spec.version is already set
+  CURRENT_VER=$(kubectl get rabbitmqs.apps.cozystack.io -n "$NS" "$APP_NAME" \
+    -o jsonpath='{.spec.version}')
+  if [ -n "$CURRENT_VER" ]; then
+    echo "SKIP $NS/$APP_NAME: spec.version already set to '$CURRENT_VER'"
+    continue
   fi
-done
 
-echo "=== Done ==="
+  echo "Patching rabbitmq/$APP_NAME in $NS: setting version=$DEFAULT_VERSION"
+
+  kubectl patch rabbitmqs.apps.cozystack.io -n "$NS" "$APP_NAME" --type=merge \
+    --patch "{\"spec\":{\"version\":\"${DEFAULT_VERSION}\"}}"
+done
 
 # Stamp version
 kubectl create configmap -n cozy-system cozystack-version \

packages/core/platform/images/migrations/migrations/35

@@ -0,0 +1,21 @@
+#!/bin/sh
+# Migration 35 --> 36
+# Add helm.sh/resource-policy=keep annotation to existing VLogs resources
+# so they are preserved when the monitoring helm release upgrades to VLCluster.
+# Users will need to manually verify the new cluster is working, then optionally
+# migrate historical data and delete old VLogs resources.
+
+set -euo pipefail
+
+VLOGS=$(kubectl get vlogs.operator.victoriametrics.com --all-namespaces --output jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}' 2>/dev/null || true)
+for resource in $VLOGS; do
+  NS="${resource%%/*}"
+  NAME="${resource##*/}"
+  echo "Adding keep annotation to VLogs/$NAME in $NS"
+  kubectl annotate vlogs.operator.victoriametrics.com --namespace "$NS" "$NAME" \
+    helm.sh/resource-policy=keep \
+    --overwrite
+done
+
+kubectl create configmap --namespace cozy-system cozystack-version \
+  --from-literal=version=36 --dry-run=client --output yaml | kubectl apply --filename -

packages/core/platform/images/migrations/run-migrations.sh

@@ -24,7 +24,7 @@ if [ "$CURRENT_VERSION" -ge "$TARGET_VERSION" ]; then
 fi
 
 # Run migrations sequentially from current version to target version
-for i in $(seq $((CURRENT_VERSION + 1)) $TARGET_VERSION); do
+for i in $(seq $CURRENT_VERSION $((TARGET_VERSION - 1))); do
   if [ -f "/migrations/$i" ]; then
     echo "Running migration $i"
     chmod +x /migrations/$i

packages/core/platform/sources/external-dns-application.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: PackageSource
+metadata:
+  name: cozystack.external-dns-application
+spec:
+  sourceRef:
+    kind: OCIRepository
+    name: cozystack-packages
+    namespace: cozy-system
+    path: /
+  variants:
+    - name: default
+      dependsOn:
+        - cozystack.networking
+      libraries:
+        - name: cozy-lib
+          path: library/cozy-lib
+      components:
+        - name: external-dns-system
+          path: system/external-dns
+        - name: external-dns
+          path: extra/external-dns
+          libraries: ["cozy-lib"]
+        - name: external-dns-rd
+          path: system/external-dns-rd
+          install:
+            namespace: cozy-system
+            releaseName: external-dns-rd

packages/core/platform/templates/bundles/system.yaml

@@ -149,6 +149,7 @@
 {{include "cozystack.platform.package.optional.default" (list "cozystack.nfs-driver" $) }}
 {{include "cozystack.platform.package.optional.default" (list "cozystack.telepresence" $) }}
 {{include "cozystack.platform.package.optional.default" (list "cozystack.external-dns" $) }}
+{{include "cozystack.platform.package.optional.default" (list "cozystack.external-dns-application" $) }}
 {{include "cozystack.platform.package.optional.default" (list "cozystack.external-secrets-operator" $) }}
 {{- if has "cozystack.bootbox" (default (list) .Values.bundles.enabledPackages) }}
 {{include "cozystack.platform.package.default" (list "cozystack.bootbox-application" $) }}

packages/core/platform/values.yaml

@@ -5,8 +5,8 @@ sourceRef:
   path: /
 migrations:
   enabled: false
-  image: ghcr.io/cozystack/cozystack/platform-migrations:v1.0.0@sha256:68dabdebc38ac439228ae07031cc70e0fa184a24bd4e5b3b22c17466b2a55201
-  targetVersion: 35
+  image: ghcr.io/cozystack/cozystack/platform-migrations:v1.1.0@sha256:d7e8955c1ad8c8fbd4ce42b014c0f849d73d0c3faf0cedaac8e15d647fb2f663
+  targetVersion: 36
 # Bundle deployment configuration
 bundles:
   system:

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.0.0@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.1.0@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v1.0.0@sha256:c48eb7b23f01a8ff58d409fdb51c88e771f819cb914eee03da89471e62302f33
+ghcr.io/cozystack/cozystack/matchbox:v1.1.0@sha256:e4c872f6dadc2bbcb9200d04a1d9878f62502f74e979b4eae6c7203abc6d8fa6

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -104,6 +104,7 @@ spec:
       - {{ .Release.Name }}
   secretName: etcd-peer-ca-tls
   privateKey:
+    rotationPolicy: Never
     algorithm: RSA
     size: 4096
   issuerRef:
@@ -130,6 +131,7 @@ spec:
       - {{ .Release.Name }}
   secretName: etcd-ca-tls
   privateKey:
+    rotationPolicy: Never
     algorithm: RSA
     size: 4096
   issuerRef:

packages/extra/external-dns/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: external-dns
+description: External DNS for automatic DNS record management
+icon: /logos/external-dns.svg
+type: application
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/extra/external-dns/Makefile

@@ -0,0 +1,7 @@
+NAME=external-dns
+
+include ../../../hack/package.mk
+
+generate:
+	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
+	../../../hack/update-crd.sh