[securitygroups] WIP

Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>

go.mod

@@ -2,15 +2,21 @@
 
 module github.com/cozystack/cozystack
 
-go 1.23.0
+go 1.24.0
+
+toolchain go1.24.5
 
 require (
+	github.com/cilium/cilium v1.16.16
 	github.com/fluxcd/helm-controller/api v1.1.0
-	github.com/google/gofuzz v1.2.0
+	github.com/go-logr/logr v1.4.2
+	github.com/go-logr/zapr v1.3.0
 	github.com/onsi/ginkgo/v2 v2.19.0
 	github.com/onsi/gomega v1.33.1
+	github.com/prometheus/client_golang v1.19.1
 	github.com/spf13/cobra v1.8.1
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
+	go.uber.org/zap v1.27.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.31.2
 	k8s.io/apiextensions-apiserver v0.31.2
@@ -28,28 +34,35 @@ require (
 require (
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cilium/ebpf v0.15.0 // indirect
+	github.com/cilium/hive v0.0.0-20240529072208-d997f86e4219 // indirect
+	github.com/cilium/proxy v0.0.0-20250526114940-b80199397e8a // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fluxcd/pkg/apis/kustomize v1.6.1 // indirect
 	github.com/fluxcd/pkg/apis/meta v1.6.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -57,61 +70,88 @@ require (
 	github.com/google/cel-go v0.21.0 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/gopacket v1.1.19 // indirect
 	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/gorilla/websocket v1.5.1 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
-	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/mackerelio/go-osstat v0.2.5 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/spdystream v0.4.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sasha-s/go-deadlock v0.3.5 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace // indirect
+	github.com/spf13/viper v1.19.0 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/vishvananda/netlink v1.3.1-0.20241022031324-976bd8de7d81 // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.16 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.16 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
-	go.opentelemetry.io/otel v1.28.0 // indirect
+	go.opentelemetry.io/otel v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
-	go.opentelemetry.io/otel/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
+	go.opentelemetry.io/otel/trace v1.34.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.uber.org/dig v1.17.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
+	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
+	golang.org/x/crypto v0.37.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.31.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.26.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
-	google.golang.org/grpc v1.65.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
+	google.golang.org/grpc v1.72.1 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/kms v0.31.2 // indirect

go.sum

@@ -1,11 +1,15 @@
+cel.dev/expr v0.20.0 h1:OunBvVCfvpWlt4dN7zg3FM6TDkzOePe1+foGJ9AXeeI=
+cel.dev/expr v0.20.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
-github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
@@ -14,6 +18,16 @@ github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK3
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cilium/cilium v1.16.16 h1:to8vEEmipowDNqz1/F5J+9qSIiDTAzgb9v+Ohs3Pk9Y=
+github.com/cilium/cilium v1.16.16/go.mod h1:MsrhykzaUeRF39p3YBhv8semoI3PZKdaHT/7rJ6cD3k=
+github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
+github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
+github.com/cilium/hive v0.0.0-20240529072208-d997f86e4219 h1:iX4v9lg63iTv8x8MWUMVbeWqtAGcV6yh/w3Zp9sP3ME=
+github.com/cilium/hive v0.0.0-20240529072208-d997f86e4219/go.mod h1:6tW1eCwSq8Wz8IVtpZE0MemoCWSrEOUa8aLKotmBRCo=
+github.com/cilium/proxy v0.0.0-20250526114940-b80199397e8a h1:5pJ6eaVk/y1C8cBMpfUWMuHa+qTefq2jqcNf0et0mGk=
+github.com/cilium/proxy v0.0.0-20250526114940-b80199397e8a/go.mod h1:Bs5kHQ+FYHLrAkEaTQpbwblJIv6NfU2Tsuo+wCkN+9s=
+github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls=
+github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
@@ -26,10 +40,15 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
-github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
-github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk=
+github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M=
+github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
+github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
+github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
+github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
+github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
+github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -40,6 +59,8 @@ github.com/fluxcd/pkg/apis/kustomize v1.6.1 h1:22FJc69Mq4i8aCxnKPlddHhSMyI4UPkQk
 github.com/fluxcd/pkg/apis/kustomize v1.6.1/go.mod h1:5dvQ4IZwz0hMGmuj8tTWGtarsuxW0rWsxJOwC6i+0V8=
 github.com/fluxcd/pkg/apis/meta v1.6.1 h1:maLhcRJ3P/70ArLCY/LF/YovkxXbX+6sTWZwZQBeNq0=
 github.com/fluxcd/pkg/apis/meta v1.6.1/go.mod h1:YndB/gxgGZmKfqpAfFxyCDNFJFP0ikpeJzs66jwq280=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
@@ -51,21 +72,35 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU=
+github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo=
+github.com/go-openapi/errors v0.22.0 h1:c4xY/OLxUBSTiepAg3j/MHuAv5mJhnf53LLMWFB+u/w=
+github.com/go-openapi/errors v0.22.0/go.mod h1:J3DmZScxCDufmIMsdOuDHxJbdOGC0xtUynjIx092vXE=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
-github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
-github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
+github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
+github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=
+github.com/go-openapi/loads v0.22.0/go.mod h1:yLsaTCS92mnSAZX5WWoxszLj0u+Ojl+Zs5Stn1oF+rs=
+github.com/go-openapi/runtime v0.28.0 h1:gpPPmWSNGo214l6n8hzdXYhPuJcGtziTOgUpvsFWGIQ=
+github.com/go-openapi/runtime v0.28.0/go.mod h1:QN7OzcS+XuYmkQLw05akXk0jRH/eZ3kb18+1KwW9gyc=
+github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY=
+github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk=
+github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c=
+github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
+github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
+github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
@@ -82,22 +117,26 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
+github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k=
 github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
+github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
-github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
-github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ=
+github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
+github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
+github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
+github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
@@ -108,15 +147,18 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mackerelio/go-osstat v0.2.5 h1:+MqTbZUhoIt4m8qzkVoXUJg1EuifwlAJSk4Yl2GXh+o=
+github.com/mackerelio/go-osstat v0.2.5/go.mod h1:atxwWF+POUZcdtR1wnsUcQxTytoHG4uhl2AKKzrOajY=
+github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
+github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8=
 github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -128,12 +170,23 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
 github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
 github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
 github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
+github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A=
+github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU=
+github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
+github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 h1:Dx7Ovyv/SFnMFw3fD4oEoeorXc6saIiQ23LrGLth0Gw=
+github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -145,30 +198,56 @@ github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G
 github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
+github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
+github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
+github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
+github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU=
+github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
+github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
+github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
+github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
+github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
+github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
+github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace h1:9PNP1jnUjRhfmGMlkXHjYPishpcw4jpSt/V/xYY3FMA=
+github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
+github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
+github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
+github.com/vishvananda/netlink v1.3.1-0.20241022031324-976bd8de7d81 h1:9fkQcQYvtTr9ayFXuMfDMVuDt4+BYG9FwsGLnrBde0M=
+github.com/vishvananda/netlink v1.3.1-0.20241022031324-976bd8de7d81/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
+github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
+github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
@@ -191,87 +270,103 @@ go.etcd.io/etcd/raft/v3 v3.5.13 h1:7r/NKAOups1YnKcfro2RvGGo2PTuizF/xh26Z2CTAzA=
 go.etcd.io/etcd/raft/v3 v3.5.13/go.mod h1:uUFibGLn2Ksm2URMxN1fICGhk8Wu96EfDQyuLhAcAmw=
 go.etcd.io/etcd/server/v3 v3.5.13 h1:V6KG+yMfMSqWt+lGnhFpP5z5dRUj1BDRJ5k1fQ9DFok=
 go.etcd.io/etcd/server/v3 v3.5.13/go.mod h1:K/8nbsGupHqmr5MkgaZpLlH1QdX1pcNQLAkODy44XcQ=
+go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
+go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
-go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
+go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
+go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
-go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
-go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
-go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
-go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
-go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
-go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
-go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
-go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
+go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.uber.org/dig v1.17.1 h1:Tga8Lz8PcYNsWsyHMZ1Vm0OQOUaJNDyvPImgbAu9YSc=
+go.uber.org/dig v1.17.1/go.mod h1:Us0rSJiThwCv2GteUN0Q7OKvU7n5J4dxZ9JKUXozFdE=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
+go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
-golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
+golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
-golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY=
-google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
-google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw=
-google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
-google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y=
+google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:mqHbVIp48Muh7Ywss/AD6I5kNVKZMmAa/QEW58Gxp2s=
+google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 h1:Kog3KlB4xevJlAcbbbzPfRG0+X9fdoGM+UBRKVz6Wr0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237/go.mod h1:ezi0AVyMKDWy5xAncvjLWH7UcLBB5n7y2fQ8MzjJcto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
+google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -279,6 +374,8 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSP
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

internal/controller/dashboard/customformsoverride.go

@@ -11,6 +11,7 @@ import (
 
 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // ensureCustomFormsOverride creates or updates a CustomFormsOverride resource for the given CRD
@@ -45,15 +46,24 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 		}
 	}
 
+	// Build schema with multilineString for string fields without enum
+	l := log.FromContext(ctx)
+	schema, err := buildMultilineStringSchema(crd.Spec.Application.OpenAPISchema)
+	if err != nil {
+		// If schema parsing fails, log the error and use an empty schema
+		l.Error(err, "failed to build multiline string schema, using empty schema", "crd", crd.Name)
+		schema = map[string]any{}
+	}
+
 	spec := map[string]any{
 		"customizationId": customizationID,
 		"hidden":          hidden,
 		"sort":            sort,
-		"schema":          map[string]any{}, // {}
+		"schema":          schema,
 		"strategy":        "merge",
 	}
 
-	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
+	_, err = controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
 		if err := controllerutil.SetOwnerReference(crd, obj, m.Scheme); err != nil {
 			return err
 		}
@@ -73,3 +83,94 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 	})
 	return err
 }
+
+// buildMultilineStringSchema parses OpenAPI schema and creates schema with multilineString
+// for all string fields inside spec that don't have enum
+func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
+	if openAPISchema == "" {
+		return map[string]any{}, nil
+	}
+
+	var root map[string]any
+	if err := json.Unmarshal([]byte(openAPISchema), &root); err != nil {
+		return nil, fmt.Errorf("cannot parse openAPISchema: %w", err)
+	}
+
+	props, _ := root["properties"].(map[string]any)
+	if props == nil {
+		return map[string]any{}, nil
+	}
+
+	schema := map[string]any{
+		"properties": map[string]any{},
+	}
+
+	// Process spec properties recursively
+	processSpecProperties(props, schema["properties"].(map[string]any))
+
+	return schema, nil
+}
+
+// processSpecProperties recursively processes spec properties and adds multilineString type
+// for string fields without enum
+func processSpecProperties(props map[string]any, schemaProps map[string]any) {
+	for pname, raw := range props {
+		sub, ok := raw.(map[string]any)
+		if !ok {
+			continue
+		}
+
+		typ, _ := sub["type"].(string)
+
+		switch typ {
+		case "string":
+			// Check if this string field has enum
+			if !hasEnum(sub) {
+				// Add multilineString type for this field
+				if schemaProps[pname] == nil {
+					schemaProps[pname] = map[string]any{}
+				}
+				fieldSchema := schemaProps[pname].(map[string]any)
+				fieldSchema["type"] = "multilineString"
+			}
+		case "object":
+			// Recursively process nested objects
+			if childProps, ok := sub["properties"].(map[string]any); ok {
+				fieldSchema, ok := schemaProps[pname].(map[string]any)
+				if !ok {
+					fieldSchema = map[string]any{}
+					schemaProps[pname] = fieldSchema
+				}
+				nestedSchemaProps, ok := fieldSchema["properties"].(map[string]any)
+				if !ok {
+					nestedSchemaProps = map[string]any{}
+					fieldSchema["properties"] = nestedSchemaProps
+				}
+				processSpecProperties(childProps, nestedSchemaProps)
+			}
+		case "array":
+			// Check if array items are objects with properties
+			if items, ok := sub["items"].(map[string]any); ok {
+				if itemProps, ok := items["properties"].(map[string]any); ok {
+					// Create array item schema
+					fieldSchema, ok := schemaProps[pname].(map[string]any)
+					if !ok {
+						fieldSchema = map[string]any{}
+						schemaProps[pname] = fieldSchema
+					}
+					itemSchema, ok := fieldSchema["items"].(map[string]any)
+					if !ok {
+						itemSchema = map[string]any{}
+						fieldSchema["items"] = itemSchema
+					}
+					itemSchemaProps, ok := itemSchema["properties"].(map[string]any)
+					if !ok {
+						itemSchemaProps = map[string]any{}
+						itemSchema["properties"] = itemSchemaProps
+					}
+					processSpecProperties(itemProps, itemSchemaProps)
+				}
+			}
+		}
+	}
+}

internal/controller/dashboard/customformsoverride_test.go

@@ -0,0 +1,155 @@
+package dashboard
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+func TestBuildMultilineStringSchema(t *testing.T) {
+	// Test OpenAPI schema with various field types
+	openAPISchema := `{
+		"properties": {
+			"simpleString": {
+				"type": "string",
+				"description": "A simple string field"
+			},
+			"stringWithEnum": {
+				"type": "string",
+				"enum": ["option1", "option2"],
+				"description": "String with enum should be skipped"
+			},
+			"numberField": {
+				"type": "number",
+				"description": "Number field should be skipped"
+			},
+			"nestedObject": {
+				"type": "object",
+				"properties": {
+					"nestedString": {
+						"type": "string",
+						"description": "Nested string should get multilineString"
+					},
+					"nestedStringWithEnum": {
+						"type": "string",
+						"enum": ["a", "b"],
+						"description": "Nested string with enum should be skipped"
+					}
+				}
+			},
+			"arrayOfObjects": {
+				"type": "array",
+				"items": {
+					"type": "object",
+					"properties": {
+						"itemString": {
+							"type": "string",
+							"description": "String in array item"
+						}
+					}
+				}
+			}
+		}
+	}`
+
+	schema, err := buildMultilineStringSchema(openAPISchema)
+	if err != nil {
+		t.Fatalf("buildMultilineStringSchema failed: %v", err)
+	}
+
+	// Marshal to JSON for easier inspection
+	schemaJSON, err := json.MarshalIndent(schema, "", "  ")
+	if err != nil {
+		t.Fatalf("Failed to marshal schema: %v", err)
+	}
+
+	t.Logf("Generated schema:\n%s", schemaJSON)
+
+	// Verify that simpleString has multilineString type
+	props, ok := schema["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("schema.properties is not a map")
+	}
+
+	// Check simpleString
+	simpleString, ok := props["simpleString"].(map[string]any)
+	if !ok {
+		t.Fatal("simpleString not found in properties")
+	}
+	if simpleString["type"] != "multilineString" {
+		t.Errorf("simpleString should have type multilineString, got %v", simpleString["type"])
+	}
+
+	// Check stringWithEnum should not be present (or should not have multilineString)
+	if stringWithEnum, ok := props["stringWithEnum"].(map[string]any); ok {
+		if stringWithEnum["type"] == "multilineString" {
+			t.Error("stringWithEnum should not have multilineString type")
+		}
+	}
+
+	// Check numberField should not be present
+	if numberField, ok := props["numberField"].(map[string]any); ok {
+		if numberField["type"] != nil {
+			t.Error("numberField should not have any type override")
+		}
+	}
+
+	// Check nested object
+	nestedObject, ok := props["nestedObject"].(map[string]any)
+	if !ok {
+		t.Fatal("nestedObject not found in properties")
+	}
+	nestedProps, ok := nestedObject["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("nestedObject.properties is not a map")
+	}
+
+	// Check nestedString
+	nestedString, ok := nestedProps["nestedString"].(map[string]any)
+	if !ok {
+		t.Fatal("nestedString not found in nestedObject.properties")
+	}
+	if nestedString["type"] != "multilineString" {
+		t.Errorf("nestedString should have type multilineString, got %v", nestedString["type"])
+	}
+
+	// Check array of objects
+	arrayOfObjects, ok := props["arrayOfObjects"].(map[string]any)
+	if !ok {
+		t.Fatal("arrayOfObjects not found in properties")
+	}
+	items, ok := arrayOfObjects["items"].(map[string]any)
+	if !ok {
+		t.Fatal("arrayOfObjects.items is not a map")
+	}
+	itemProps, ok := items["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("arrayOfObjects.items.properties is not a map")
+	}
+	itemString, ok := itemProps["itemString"].(map[string]any)
+	if !ok {
+		t.Fatal("itemString not found in arrayOfObjects.items.properties")
+	}
+	if itemString["type"] != "multilineString" {
+		t.Errorf("itemString should have type multilineString, got %v", itemString["type"])
+	}
+}
+
+func TestBuildMultilineStringSchemaEmpty(t *testing.T) {
+	schema, err := buildMultilineStringSchema("")
+	if err != nil {
+		t.Fatalf("buildMultilineStringSchema failed on empty string: %v", err)
+	}
+	if len(schema) != 0 {
+		t.Errorf("Expected empty schema for empty input, got %v", schema)
+	}
+}
+
+func TestBuildMultilineStringSchemaInvalidJSON(t *testing.T) {
+	schema, err := buildMultilineStringSchema("{invalid json")
+	if err == nil {
+		t.Error("Expected error for invalid JSON")
+	}
+	if schema != nil {
+		t.Errorf("Expected nil schema for invalid JSON, got %v", schema)
+	}
+}

internal/controller/dashboard/factory.go

@@ -221,7 +221,7 @@ func workloadsTab(kind string) map[string]any {
 					"baseprefix":           "/openapi-ui",
 					"customizationId":      "factory-details-v1alpha1.cozystack.io.workloadmonitors",
 					"pathToItems":          []any{"items"},
-					"labelsSelector": map[string]any{
+					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group": "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":  kind,
 						"apps.cozystack.io/application.name":  "{reqs[0]['metadata','name']}",
@@ -246,7 +246,7 @@ func servicesTab(kind string) map[string]any {
 					"baseprefix":           "/openapi-ui",
 					"customizationId":      "factory-details-v1.services",
 					"pathToItems":          []any{"items"},
-					"labelsSelector": map[string]any{
+					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group":  "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":   kind,
 						"apps.cozystack.io/application.name":   "{reqs[0]['metadata','name']}",
@@ -272,7 +272,7 @@ func ingressesTab(kind string) map[string]any {
 					"baseprefix":           "/openapi-ui",
 					"customizationId":      "factory-details-networking.k8s.io.v1.ingresses",
 					"pathToItems":          []any{"items"},
-					"labelsSelector": map[string]any{
+					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group":  "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":   kind,
 						"apps.cozystack.io/application.name":   "{reqs[0]['metadata','name']}",
@@ -293,12 +293,12 @@ func secretsTab(kind string) map[string]any {
 				"type": "EnrichedTable",
 				"data": map[string]any{
 					"id":                   "secrets-table",
-					"fetchUrl":             "/api/clusters/{2}/k8s/apis/core.cozystack.io/v1alpha1/namespaces/{3}/tenantsecretstables",
+					"fetchUrl":             "/api/clusters/{2}/k8s/apis/core.cozystack.io/v1alpha1/namespaces/{3}/tenantsecrets",
 					"clusterNamePartOfUrl": "{2}",
 					"baseprefix":           "/openapi-ui",
-					"customizationId":      "factory-details-v1alpha1.core.cozystack.io.tenantsecretstables",
+					"customizationId":      "factory-details-v1alpha1.core.cozystack.io.tenantsecrets",
 					"pathToItems":          []any{"items"},
-					"labelsSelector": map[string]any{
+					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group": "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":  kind,
 						"apps.cozystack.io/application.name":  "{reqs[0]['metadata','name']}",

internal/controller/dashboard/static_helpers.go

@@ -122,7 +122,7 @@ func createCustomColumnsOverride(id string, additionalPrinterColumns []any) *das
 		}
 	}
 
-	if name == "factory-details-v1alpha1.core.cozystack.io.tenantsecretstables" {
+	if name == "factory-details-v1alpha1.core.cozystack.io.tenantsecrets" {
 		data["additionalPrinterColumnsTrimLengths"] = []any{
 			map[string]any{
 				"key":   "Name",
@@ -1046,6 +1046,15 @@ func createConverterBytesColumn(name, jsonPath string) map[string]any {
 	}
 }
 
+// createFlatMapColumn creates a flatMap column that expands a map into separate rows
+func createFlatMapColumn(name, jsonPath string) map[string]any {
+	return map[string]any{
+		"name":     name,
+		"type":     "flatMap",
+		"jsonPath": jsonPath,
+	}
+}
+
 // ---------------- Factory UI helper functions ----------------
 
 // labelsEditor creates a Labels editor component

internal/controller/dashboard/static_refactored.go

@@ -173,11 +173,12 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 			createStringColumn("OBSERVED", ".status.observedReplicas"),
 		}),
 
-		// Factory details v1alpha1 core cozystack io tenantsecretstables
-		createCustomColumnsOverride("factory-details-v1alpha1.core.cozystack.io.tenantsecretstables", []any{
+		// Factory details v1alpha1 core cozystack io tenantsecrets
+		createCustomColumnsOverride("factory-details-v1alpha1.core.cozystack.io.tenantsecrets", []any{
 			createCustomColumnWithJsonPath("Name", ".metadata.name", "Secret", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-secret-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
-			createStringColumn("Key", ".data.key"),
-			createSecretBase64Column("Value", ".data.value"),
+			createFlatMapColumn("Data", ".data"),
+			createStringColumn("Key", "_flatMapData_Key"),
+			createSecretBase64Column("Value", "_flatMapData_Value"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),
 
@@ -1055,7 +1056,7 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 													"clusterNamePartOfUrl": "{2}",
 													"customizationId":      "factory-kube-service-details-endpointslice",
 													"fetchUrl":             "/api/clusters/{2}/k8s/apis/discovery.k8s.io/v1/namespaces/{3}/endpointslices",
-													"labelsSelector": map[string]any{
+													"labelSelector": map[string]any{
 														"kubernetes.io/service-name": "{reqsJsonPath[0]['.metadata.name']['-']}",
 													},
 													"pathToItems":     ".items[*].endpoints",
@@ -1396,7 +1397,7 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 						"clusterNamePartOfUrl": "{2}",
 						"customizationId":      "factory-details-v1alpha1.cozystack.io.workloads",
 						"fetchUrl":             "/api/clusters/{2}/k8s/apis/cozystack.io/v1alpha1/namespaces/{3}/workloads",
-						"labelsSelector": map[string]any{
+						"labelSelector": map[string]any{
 							"workloads.cozystack.io/monitor": "{reqs[0]['metadata','name']}",
 						},
 						"pathToItems": []any{"items"},

packages/apps/kubernetes/templates/csi/delete.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "10"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+  name: {{ .Release.Name }}-datavolume-cleanup
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ .Release.Name }}-datavolume-cleanup
+      restartPolicy: Never
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
+      containers:
+        - name: kubectl
+          image: docker.io/clastix/kubectl:v1.32
+          command:
+            - /bin/sh
+            - -c
+            - kubectl -n {{ .Release.Namespace }} delete datavolumes
+              -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}"
+              --ignore-not-found=true
+
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-datavolume-cleanup
+  annotations:
+    helm.sh/hook: post-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
+    helm.sh/hook-weight: "0"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+    "helm.sh/hook-weight": "5"
+  name: {{ .Release.Name }}-datavolume-cleanup
+rules:
+  - apiGroups:
+      - "cdi.kubevirt.io"
+    resources:
+      - datavolumes
+    verbs:
+      - get
+      - list
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+    "helm.sh/hook-weight": "5"
+  name: {{ .Release.Name }}-datavolume-cleanup
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-datavolume-cleanup
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-datavolume-cleanup
+    namespace: {{ .Release.Namespace }}
+

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -24,26 +24,26 @@ spec:
           command:
             - /bin/sh
             - -c
-            - |
-                kubectl
-                --namespace={{ .Release.Namespace }}
-                patch
-                helmrelease
-                {{ .Release.Name }}-cilium
-                {{ .Release.Name }}-gateway-api-crds
-                {{ .Release.Name }}-csi
-                {{ .Release.Name }}-cert-manager
-                {{ .Release.Name }}-cert-manager-crds
-                {{ .Release.Name }}-vertical-pod-autoscaler
-                {{ .Release.Name }}-vertical-pod-autoscaler-crds
-                {{ .Release.Name }}-ingress-nginx
-                {{ .Release.Name }}-fluxcd-operator
-                {{ .Release.Name }}-fluxcd
-                {{ .Release.Name }}-gpu-operator
-                {{ .Release.Name }}-velero
-                {{ .Release.Name }}-coredns
-                -p '{"spec": {"suspend": true}}'
-                --type=merge --field-manager=flux-client-side-apply || true
+            - >-
+              kubectl
+              --namespace={{ .Release.Namespace }}
+              patch
+              helmrelease
+              {{ .Release.Name }}-cilium
+              {{ .Release.Name }}-gateway-api-crds
+              {{ .Release.Name }}-csi
+              {{ .Release.Name }}-cert-manager
+              {{ .Release.Name }}-cert-manager-crds
+              {{ .Release.Name }}-vertical-pod-autoscaler
+              {{ .Release.Name }}-vertical-pod-autoscaler-crds
+              {{ .Release.Name }}-ingress-nginx
+              {{ .Release.Name }}-fluxcd-operator
+              {{ .Release.Name }}-fluxcd
+              {{ .Release.Name }}-gpu-operator
+              {{ .Release.Name }}-velero
+              {{ .Release.Name }}-coredns
+              -p '{"spec": {"suspend": true}}'
+              --type=merge --field-manager=flux-client-side-apply || true
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -51,7 +51,7 @@ metadata:
   name: {{ .Release.Name }}-flux-teardown
   annotations:
     helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-failed
+    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
     helm.sh/hook-weight: "0"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -75,6 +75,7 @@ rules:
       - {{ .Release.Name }}-csi
       - {{ .Release.Name }}-cert-manager
       - {{ .Release.Name }}-cert-manager-crds
+      - {{ .Release.Name }}-gateway-api-crds
       - {{ .Release.Name }}-vertical-pod-autoscaler
       - {{ .Release.Name }}-vertical-pod-autoscaler-crds
       - {{ .Release.Name }}-ingress-nginx

packages/apps/nats/templates/nats.yaml

@@ -1,6 +1,14 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
 {{- $passwords := dict }}
+
+{{- with (dig "data" (dict) $existingSecret) }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
 {{- range $user, $u := .Values.users }}
   {{- if $u.password }}
     {{- $_ := set $passwords $user $u.password }}

packages/apps/tenant/templates/networkpolicy.yaml

@@ -20,11 +20,7 @@ metadata:
   name: allow-external-communication
   namespace: {{ include "tenant.name" . }}
 spec:
-  endpointSelector:
-    matchExpressions:
-    - key: policy.cozystack.io/allow-external-communication
-      operator: NotIn
-      values: ["false"]
+  endpointSelector: {}
   ingress:
   - fromEntities:
       - world

packages/apps/tenant/templates/tenant.yaml

@@ -35,7 +35,6 @@ rules:
   resources:
   - tenantmodules
   - tenantsecrets
-  - tenantsecretstables
   verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -193,7 +192,6 @@ rules:
     resources:
     - tenantmodules
     - tenantsecrets
-    - tenantsecretstables
     verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
@@ -293,7 +291,6 @@ rules:
     resources:
     - tenantmodules
     - tenantsecrets
-    - tenantsecretstables
     verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
@@ -368,7 +365,6 @@ rules:
     resources:
     - tenantmodules
     - tenantsecrets
-    - tenantsecretstables
     verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding

packages/apps/virtual-machine/templates/service.yaml

@@ -28,27 +28,3 @@ spec:
     {{- end }}
     {{- end }}
 {{- end }}
----
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: {{ include "virtual-machine.fullname" . }}
-spec:
-  endpointSelector:
-    matchLabels:
-      {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
-  ingress:
-  - fromEntities:
-      - cluster
-  - fromEntities:
-      - world
-    {{- if eq .Values.externalMethod "PortList" }}
-    toPorts:
-      - ports:
-          {{- range .Values.externalPorts }}
-          - port: {{ quote . }}
-          {{- end }}
-    {{- end }}
-  egress:
-  - toEntities:
-      - world

packages/apps/virtual-machine/templates/vm.yaml

@@ -62,7 +62,6 @@ spec:
   template:
     metadata:
       annotations:
-        policy.cozystack.io/allow-external-communication: "false"
         kubevirt.io/allow-pod-bridge-network-live-migration: "true"
       labels:
         {{- include "virtual-machine.labels" . | nindent 8 }}

packages/apps/vm-instance/templates/service.yaml

@@ -28,27 +28,3 @@ spec:
     {{- end }}
     {{- end }}
 {{- end }}
----
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: {{ include "virtual-machine.fullname" . }}
-spec:
-  endpointSelector:
-    matchLabels:
-      {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
-  ingress:
-  - fromEntities:
-      - cluster
-  - fromEntities:
-      - world
-    {{- if eq .Values.externalMethod "PortList" }}
-    toPorts:
-      - ports:
-        {{- range .Values.externalPorts }}
-        - port: {{ quote . }}
-        {{- end }}
-    {{- end }}
-  egress:
-  - toEntities:
-      - world

packages/apps/vm-instance/templates/vm.yaml

@@ -26,7 +26,6 @@ spec:
   template:
     metadata:
       annotations:
-        policy.cozystack.io/allow-external-communication: "false"
         kubevirt.io/allow-pod-bridge-network-live-migration: "true"
       labels:
         {{- include "virtual-machine.labels" . | nindent 8 }}

packages/apps/vpc/README.md

@@ -5,12 +5,12 @@ As the service evolves, it will provide more ways to isolate your workloads.
 
 ## Service details
 
-The service utilizes kube-ovn VPC and Subnet resources, which use ovn logical routers and logical switches under the hood.
-Currently every workload will have a connection to a default management network which will also have a default gateway, and the majority of traffic will be going through it.
-VPC subnets are for now an additional dedicated networking spaces.
+To function, the service requires kube-ovn and multus CNI to be present, so by default it will only work on `paas-full` bundle.
+Kube-ovn provides VPC and Subnet resources and performs isolation and networking maintenance such as DHCP. Under the hood it uses ovn virtual routers and virtual switches.
+Multus enables a multi-nic capability, so a pod or a VM could have two or more network interfaces.
 
-A VM or a pod may be connected to multiple secondary Subnets at once.
-Each secondary connection will be represented as an additional network interface.
+Currently every workload will have a connection to a default management network which will also have a default gateway, and the majority of traffic will go through it.
+VPC subnets are for now an additional dedicated networking spaces.
 
 ## Deployment notes
 
@@ -21,6 +21,8 @@ Currently there are no fail-safe checks, however they are planned for the future
 
 Different VPCs may have subnets with ovelapping ip address ranges.
 
+A VM or a pod may be connected to multiple secondary Subnets at once. Each secondary connection will be represented as an additional network interface.
+
 ## Parameters
 
 ### Common parameters

packages/apps/vpc/templates/vpc.yaml

@@ -63,10 +63,10 @@ metadata:
     cozystack.io/vpcId: {{ $vpcId }}
     cozystack.io/tenantName: {{ $.Release.Namespace }}
 data:
-  subnets: |
-    {{- range $subnetName, $subnetConfig := .Values.subnets }}
-    - subnetName: {{ $subnetName }}
-      subnetId: {{ print "subnet-" (print $.Release.Namespace "/" $vpcId "/" $subnetName | sha256sum | trunc 8) }}
-      subnetCIDR: {{ $subnetConfig.cidr }}
-    {{- end }}
+  {{- range $subnetName, $subnetConfig := .Values.subnets }}
+  {{ $subnetName }}: |-
+    subnetName: {{ $subnetName }}
+    subnetId: {{ print "subnet-" (print $.Release.Namespace "/" $vpcId "/" $subnetName | sha256sum | trunc 8) }}
+    subnetCIDR: {{ $subnetConfig.cidr }}
+  {{- end }}
 

packages/library/cozy-lib/templates/_resources.tpl

@@ -154,7 +154,7 @@
 {{-   $resources := index . 1 }}
 {{-   $global := index . 2 }}
 {{-   $presetMap := include "cozy-lib.resources.unsanitizedPreset" $preset | fromYaml }}
-{{-   $mergedMap := deepCopy $resources | mergeOverwrite $presetMap }}
+{{-   $mergedMap := deepCopy (default (dict) $resources) | mergeOverwrite $presetMap }}
 {{-   include "cozy-lib.resources.sanitize" (list $mergedMap $global) }}
 {{- end }}
 

packages/system/dashboard/images/openapi-ui-k8s-bff/Dockerfile

@@ -3,7 +3,7 @@ ARG NODE_VERSION=20.18.1
 FROM node:${NODE_VERSION}-alpine AS builder
 WORKDIR /src
 
-ARG COMMIT_REF=92906a7f21050cfb8e352f98d36b209c57844f63
+ARG COMMIT_REF=ba56271739505284aee569f914fc90e6a9c670da
 RUN wget -O- https://github.com/PRO-Robotech/openapi-ui-k8s-bff/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
 
 ENV PATH=/src/node_modules/.bin:$PATH

packages/system/dashboard/images/openapi-ui/Dockerfile

@@ -5,7 +5,7 @@ ARG NODE_VERSION=20.18.1
 FROM node:${NODE_VERSION}-alpine AS openapi-k8s-toolkit-builder
 RUN apk add git
 WORKDIR /src
-ARG COMMIT=7086a2d8a07dcf6a94bb4276433db5d84acfcf3b
+ARG COMMIT=7bd5380c6c4606640dd3bac68bf9dce469470518
 RUN wget -O- https://github.com/cozystack/openapi-k8s-toolkit/archive/${COMMIT}.tar.gz | tar -xzvf- --strip-components=1
 
 COPY openapi-k8s-toolkit/patches /patches
@@ -19,14 +19,14 @@ RUN npm run build
 # openapi-ui
 # imported from https://github.com/cozystack/openapi-ui
 FROM node:${NODE_VERSION}-alpine AS builder
-RUN apk add git
+#RUN apk add git
 WORKDIR /src
 
-ARG COMMIT_REF=fe237518348e94cead6d4f3283b2fce27f26aa12
+ARG COMMIT_REF=0c3629b2ce8545e81f7ece4d65372a188c802dfc
 RUN wget -O- https://github.com/PRO-Robotech/openapi-ui/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
 
-COPY openapi-ui/patches /patches
-RUN git apply /patches/*.diff
+#COPY openapi-ui/patches /patches
+#RUN git apply /patches/*.diff
 
 ENV PATH=/src/node_modules/.bin:$PATH
 

packages/system/dashboard/images/openapi-ui/openapi-k8s-toolkit/patches/additional-properties-types.diff

@@ -1,230 +0,0 @@
-diff --git a/src/components/molecules/BlackholeForm/molecules/FormObjectFromSwagger/FormObjectFromSwagger.tsx b/src/components/molecules/BlackholeForm/molecules/FormObjectFromSwagger/FormObjectFromSwagger.tsx
-index a7135d4..2fea0bb 100644
---- a/src/components/molecules/BlackholeForm/molecules/FormObjectFromSwagger/FormObjectFromSwagger.tsx
-+++ b/src/components/molecules/BlackholeForm/molecules/FormObjectFromSwagger/FormObjectFromSwagger.tsx
-@@ -68,13 +68,60 @@ export const FormObjectFromSwagger: FC<TFormObjectFromSwaggerProps> = ({
-         properties?: OpenAPIV2.SchemaObject['properties']
-         required?: string
-       }
-+      
-+      // Check if the field name exists in additionalProperties.properties
-+      // If so, use the type from that property definition
-+      const nestedProp = addProps?.properties?.[additionalPropValue] as OpenAPIV2.SchemaObject | undefined
-+      let fieldType: string = addProps.type
-+      let fieldItems: { type: string } | undefined = addProps.items
-+      let fieldNestedProperties = addProps.properties || {}
-+      let fieldRequired: string | undefined = addProps.required
-+      
-+      if (nestedProp) {
-+        // Use the nested property definition if it exists
-+        // Handle type - it can be string or string[] in OpenAPI v2
-+        if (nestedProp.type) {
-+          if (Array.isArray(nestedProp.type)) {
-+            fieldType = nestedProp.type[0] || addProps.type
-+          } else if (typeof nestedProp.type === 'string') {
-+            fieldType = nestedProp.type
-+          } else {
-+            fieldType = addProps.type
-+          }
-+        } else {
-+          fieldType = addProps.type
-+        }
-+        
-+        // Handle items - it can be ItemsObject or ReferenceObject
-+        if (nestedProp.items) {
-+          // Check if it's a valid ItemsObject with type property
-+          if ('type' in nestedProp.items && typeof nestedProp.items.type === 'string') {
-+            fieldItems = { type: nestedProp.items.type }
-+          } else {
-+            fieldItems = addProps.items
-+          }
-+        } else {
-+          fieldItems = addProps.items
-+        }
-+        
-+        fieldNestedProperties = nestedProp.properties || {}
-+        // Handle required field - it can be string[] in OpenAPI schema
-+        if (Array.isArray(nestedProp.required)) {
-+          fieldRequired = nestedProp.required.join(',')
-+        } else if (typeof nestedProp.required === 'string') {
-+          fieldRequired = nestedProp.required
-+        } else {
-+          fieldRequired = addProps.required
-+        }
-+      }
-+      
-       inputProps?.addField({
-         path: Array.isArray(name) ? [...name, String(collapseTitle)] : [name, String(collapseTitle)],
-         name: additionalPropValue,
--        type: addProps.type,
--        items: addProps.items,
--        nestedProperties: addProps.properties || {},
--        required: addProps.required,
-+        type: fieldType,
-+        items: fieldItems,
-+        nestedProperties: fieldNestedProperties,
-+        required: fieldRequired,
-       })
-       setAddditionalPropValue(undefined)
-     }
-diff --git a/src/components/molecules/BlackholeForm/molecules/FormStringInput/FormStringInput.tsx b/src/components/molecules/BlackholeForm/molecules/FormStringInput/FormStringInput.tsx
-index 487d480..3ca46c1 100644
---- a/src/components/molecules/BlackholeForm/molecules/FormStringInput/FormStringInput.tsx
-+++ b/src/components/molecules/BlackholeForm/molecules/FormStringInput/FormStringInput.tsx
-@@ -42,7 +42,11 @@ export const FormStringInput: FC<TFormStringInputProps> = ({
-   const formValue = Form.useWatch(formFieldName)
- 
-   // Derive multiline based on current local value
--  const isMultiline = useMemo(() => isMultilineString(formValue), [formValue])
-+  const isMultiline = useMemo(() => {
-+    // Normalize value for multiline check
-+    const value = typeof formValue === 'string' ? formValue : (formValue === null || formValue === undefined ? '' : String(formValue))
-+    return isMultilineString(value)
-+  }, [formValue])
- 
-   const title = (
-     <>
-@@ -77,6 +81,23 @@ export const FormStringInput: FC<TFormStringInputProps> = ({
-         rules={[{ required: forceNonRequired === false && required?.includes(getStringByName(name)) }]}
-         validateTrigger="onBlur"
-         hasFeedback={designNewLayout ? { icons: feedbackIcons } : true}
-+        normalize={(value) => {
-+          // Normalize value to string - prevent "[object Object]" display
-+          if (value === undefined || value === null) {
-+            return ''
-+          }
-+          if (typeof value === 'string') {
-+            return value
-+          }
-+          if (typeof value === 'number' || typeof value === 'boolean') {
-+            return String(value)
-+          }
-+          // If it's an object or array, it shouldn't be in a string field - return empty string
-+          if (typeof value === 'object') {
-+            return ''
-+          }
-+          return String(value)
-+        }}
-       >
-         <Input.TextArea
-           placeholder={getStringByName(name)}
-diff --git a/src/components/molecules/BlackholeForm/organisms/BlackholeForm/helpers/casts.ts b/src/components/molecules/BlackholeForm/organisms/BlackholeForm/helpers/casts.ts
-index 6f9eb39..835224c 100644
---- a/src/components/molecules/BlackholeForm/organisms/BlackholeForm/helpers/casts.ts
-+++ b/src/components/molecules/BlackholeForm/organisms/BlackholeForm/helpers/casts.ts
-@@ -124,8 +124,26 @@ export const materializeAdditionalFromValues = (
-    *
-    * This is used when a new field appears in the data but doesn't yet exist in the schema.
-    */
--  const makeChildFromAP = (ap: any): OpenAPIV2.SchemaObject => {
--    const t = ap?.type ?? 'object'
-+  const makeChildFromAP = (ap: any, value?: unknown): OpenAPIV2.SchemaObject => {
-+    // Determine type based on actual value if not explicitly defined in additionalProperties
-+    let t = ap?.type
-+    if (!t && value !== undefined && value !== null) {
-+      if (Array.isArray(value)) {
-+        t = 'array'
-+      } else if (typeof value === 'object') {
-+        t = 'object'
-+      } else if (typeof value === 'string') {
-+        t = 'string'
-+      } else if (typeof value === 'number') {
-+        t = 'number'
-+      } else if (typeof value === 'boolean') {
-+        t = 'boolean'
-+      } else {
-+        t = 'object'
-+      }
-+    }
-+    t = t ?? 'object'
-+    
-     const child: OpenAPIV2.SchemaObject = { type: t } as any
- 
-     // Copy common schema details (if present)
-@@ -134,6 +152,20 @@ export const materializeAdditionalFromValues = (
-     if (ap?.required)
-       (child as any).required = _.cloneDeep(ap.required)
- 
-+    // If value is an array and items type is not defined, infer it from the first item
-+    if (t === 'array' && Array.isArray(value) && value.length > 0 && !ap?.items) {
-+      const firstItem = value[0]
-+      if (typeof firstItem === 'string') {
-+        ;(child as any).items = { type: 'string' }
-+      } else if (typeof firstItem === 'number') {
-+        ;(child as any).items = { type: 'number' }
-+      } else if (typeof firstItem === 'boolean') {
-+        ;(child as any).items = { type: 'boolean' }
-+      } else if (typeof firstItem === 'object') {
-+        ;(child as any).items = { type: 'object' }
-+      }
-+    }
-+
-       // Mark as originating from `additionalProperties`
-     ;(child as any).isAdditionalProperties = true
-     return child
-@@ -177,7 +209,16 @@ export const materializeAdditionalFromValues = (
- 
-           // If the key doesn't exist in schema, create it from `additionalProperties`
-           if (!schemaNode.properties![k]) {
--            schemaNode.properties![k] = makeChildFromAP(ap)
-+            // Check if there's a nested property definition in additionalProperties
-+            const nestedProp = ap?.properties?.[k]
-+            if (nestedProp) {
-+              // Use the nested property definition from additionalProperties
-+              schemaNode.properties![k] = _.cloneDeep(nestedProp) as any
-+              ;(schemaNode.properties![k] as any).isAdditionalProperties = true
-+            } else {
-+              // Create from additionalProperties with value-based type inference
-+              schemaNode.properties![k] = makeChildFromAP(ap, vo[k])
-+            }
-             // If it's an existing additional property, merge any nested structure
-           } else if ((schemaNode.properties![k] as any).isAdditionalProperties && ap?.properties) {
-             ;(schemaNode.properties![k] as any).properties ??= _.cloneDeep(ap.properties)
-diff --git a/src/components/molecules/BlackholeForm/organisms/BlackholeForm/utils.tsx b/src/components/molecules/BlackholeForm/organisms/BlackholeForm/utils.tsx
-index 2d887c7..d69d711 100644
---- a/src/components/molecules/BlackholeForm/organisms/BlackholeForm/utils.tsx
-+++ b/src/components/molecules/BlackholeForm/organisms/BlackholeForm/utils.tsx
-@@ -394,9 +394,11 @@ export const getArrayFormItemFromSwagger = ({
-           {(fields, { add, remove }, { errors }) => (
-             <>
-               {fields.map(field => {
--                const fieldType = (
-+                const rawFieldType = (
-                   schema.items as (OpenAPIV2.ItemsObject & { properties?: OpenAPIV2.SchemaObject }) | undefined
-                 )?.type
-+                // Handle type as string or string[] (OpenAPI v2 allows both)
-+                const fieldType = Array.isArray(rawFieldType) ? rawFieldType[0] : rawFieldType
-                 const description = (schema.items as (OpenAPIV2.ItemsObject & { description?: string }) | undefined)
-                   ?.description
-                 const entry = schema.items as
-@@ -577,7 +579,29 @@ export const getArrayFormItemFromSwagger = ({
-                   type="text"
-                   size="small"
-                   onClick={() => {
--                    add()
-+                    // Determine initial value based on item type
-+                    const fieldType = (
-+                      schema.items as (OpenAPIV2.ItemsObject & { properties?: OpenAPIV2.SchemaObject }) | undefined
-+                    )?.type
-+                    
-+                    let initialValue: unknown
-+                    // Handle type as string or string[] (OpenAPI v2 allows both)
-+                    const typeStr = Array.isArray(fieldType) ? fieldType[0] : fieldType
-+                    if (typeStr === 'string') {
-+                      initialValue = ''
-+                    } else if (typeStr === 'number' || typeStr === 'integer') {
-+                      initialValue = 0
-+                    } else if (typeStr === 'boolean') {
-+                      initialValue = false
-+                    } else if (typeStr === 'array') {
-+                      initialValue = []
-+                    } else if (typeStr === 'object') {
-+                      initialValue = {}
-+                    } else {
-+                      initialValue = ''
-+                    }
-+                    
-+                    add(initialValue)
-                   }}
-                 >
-                   <PlusIcon />

packages/system/dashboard/images/openapi-ui/openapi-ui/patches/namespaces.diff

@@ -1,91 +0,0 @@
-diff --git a/src/components/organisms/ListInsideClusterAndNs/ListInsideClusterAndNs.tsx b/src/components/organisms/ListInsideClusterAndNs/ListInsideClusterAndNs.tsx
-index ac56e5f..c6e2350 100644
---- a/src/components/organisms/ListInsideClusterAndNs/ListInsideClusterAndNs.tsx
-+++ b/src/components/organisms/ListInsideClusterAndNs/ListInsideClusterAndNs.tsx
-@@ -1,6 +1,6 @@
- import React, { FC, useState } from 'react'
- import { Button, Alert, Spin, Typography } from 'antd'
--import { filterSelectOptions, Spacer, useBuiltinResources, useApiResources } from '@prorobotech/openapi-k8s-toolkit'
-+import { filterSelectOptions, Spacer, useApiResources } from '@prorobotech/openapi-k8s-toolkit'
- import { useNavigate } from 'react-router-dom'
- import { useSelector, useDispatch } from 'react-redux'
- import { RootState } from 'store/store'
-@@ -11,6 +11,11 @@ import {
-   CUSTOM_NAMESPACE_API_RESOURCE_RESOURCE_NAME,
- } from 'constants/customizationApiGroupAndVersion'
- import { Styled } from './styled'
-+import {
-+  BASE_PROJECTS_API_GROUP,
-+  BASE_PROJECTS_VERSION,
-+  BASE_PROJECTS_RESOURCE_NAME,
-+} from 'constants/customizationApiGroupAndVersion'
- 
- export const ListInsideClusterAndNs: FC = () => {
-   const clusterList = useSelector((state: RootState) => state.clusterList.clusterList)
-@@ -33,9 +38,11 @@ export const ListInsideClusterAndNs: FC = () => {
-     typeof CUSTOM_NAMESPACE_API_RESOURCE_RESOURCE_NAME === 'string' &&
-     CUSTOM_NAMESPACE_API_RESOURCE_RESOURCE_NAME.length > 0
- 
--  const namespacesData = useBuiltinResources({
-+  const namespacesData = useApiResources({
-     clusterName: selectedCluster || '',
--    typeName: 'namespaces',
-+    apiGroup: BASE_PROJECTS_API_GROUP,
-+    apiVersion: BASE_PROJECTS_VERSION,
-+    typeName: BASE_PROJECTS_RESOURCE_NAME,
-     limit: null,
-     isEnabled: selectedCluster !== undefined && !isCustomNamespaceResource,
-   })
-diff --git a/src/hooks/useNavSelectorInside.ts b/src/hooks/useNavSelectorInside.ts
-index 5736e2b..1ec0f71 100644
---- a/src/hooks/useNavSelectorInside.ts
-+++ b/src/hooks/useNavSelectorInside.ts
-@@ -1,6 +1,11 @@
--import { TClusterList, TSingleResource, useBuiltinResources } from '@prorobotech/openapi-k8s-toolkit'
-+import { TClusterList, TSingleResource, useApiResources } from '@prorobotech/openapi-k8s-toolkit'
- import { useSelector } from 'react-redux'
- import { RootState } from 'store/store'
-+import {
-+  BASE_PROJECTS_API_GROUP,
-+  BASE_PROJECTS_VERSION,
-+  BASE_PROJECTS_RESOURCE_NAME,
-+} from 'constants/customizationApiGroupAndVersion'
- 
- const mappedClusterToOptionInSidebar = ({ name }: TClusterList[number]): { value: string; label: string } => ({
-   value: name,
-@@ -15,9 +20,11 @@ const mappedNamespaceToOptionInSidebar = ({ metadata }: TSingleResource): { valu
- export const useNavSelectorInside = (clusterName?: string) => {
-   const clusterList = useSelector((state: RootState) => state.clusterList.clusterList)
- 
--  const { data: namespaces } = useBuiltinResources({
-+  const { data: namespaces } = useApiResources({
-     clusterName: clusterName || '',
--    typeName: 'namespaces',
-+    apiGroup: BASE_PROJECTS_API_GROUP,
-+    apiVersion: BASE_PROJECTS_VERSION,
-+    typeName: BASE_PROJECTS_RESOURCE_NAME,
-     limit: null,
-     isEnabled: Boolean(clusterName),
-   })
-diff --git a/src/utils/getBacklink.ts b/src/utils/getBacklink.ts
-index a862354..f24e2bc 100644
---- a/src/utils/getBacklink.ts
-+++ b/src/utils/getBacklink.ts
-@@ -28,7 +28,7 @@ export const getFormsBackLink = ({
-   }
- 
-   if (namespacesMode) {
--    return `${baseprefix}/${clusterName}/builtin-table/namespaces`
-+    return `${baseprefix}/${clusterName}/api-table/core.cozystack.io/v1alpha1/tenantnamespaces`
-   }
- 
-   if (possibleProject) {
-@@ -64,7 +64,7 @@ export const getTablesBackLink = ({
-   }
- 
-   if (namespacesMode) {
--    return `${baseprefix}/${clusterName}/builtin-table/namespaces`
-+    return `${baseprefix}/${clusterName}/api-table/core.cozystack.io/v1alpha1/tenantnamespaces`
-   }
- 
-   if (possibleProject) {

packages/system/dashboard/images/openapi-ui/openapi-ui/patches/remove-inside-link.diff

@@ -1,15 +0,0 @@
-diff --git a/src/components/organisms/Header/organisms/User/User.tsx b/src/components/organisms/Header/organisms/User/User.tsx
-index efe7ac3..80b715c 100644
---- a/src/components/organisms/Header/organisms/User/User.tsx
-+++ b/src/components/organisms/Header/organisms/User/User.tsx
-@@ -23,10 +23,6 @@ export const User: FC = () => {
-           //   key: '1',
-           //   label: <ThemeSelector />,
-           // },
--          {
--            key: '2',
--            label: <div onClick={() => navigate(`${baseprefix}/inside/clusters`)}>Inside</div>,
--          },
-           {
-             key: '3',
-             label: (

packages/system/dashboard/templates/web.yaml

@@ -45,9 +45,9 @@ spec:
             - name: BASE_NAMESPACE_FULL_PATH
               value: "/apis/core.cozystack.io/v1alpha1/tenantnamespaces"
             - name: LOGGER
-              value: "TRUE"
+              value: "true"
             - name: LOGGER_WITH_HEADERS
-              value: "TRUE"
+              value: "false"
             - name: PORT
               value: "64231"
           image: {{ .Values.openapiUIK8sBff.image | quote }}
@@ -94,6 +94,8 @@ spec:
         - env:
             - name: BASEPREFIX
               value: /openapi-ui
+            - name: HIDE_INSIDE
+              value: "true"
             - name: CUSTOMIZATION_API_GROUP
               value: dashboard.cozystack.io
             - name: CUSTOMIZATION_API_VERSION

packages/system/dashboard/values.yaml

@@ -1,6 +1,6 @@
 openapiUI:
-  image: ghcr.io/cozystack/cozystack/openapi-ui:latest@sha256:b942d98ff0ea36e3c6e864b6459b404d37ed68bc2b0ebc5d3007a1be4faf60c5
+  image: ghcr.io/cozystack/cozystack/openapi-ui:latest@sha256:77991f2482c0026d082582b22a8ffb191f3ba6fc948b2f125ef9b1081538f865
 openapiUIK8sBff:
-  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:latest@sha256:5ddc6546baf3acdb8e0572536665fe73053a7f985b05e51366454efa11c201d2
+  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:latest@sha256:8386f0747266726afb2b30db662092d66b0af0370e3becd8bee9684125fa9cc9
 tokenProxy:
   image: ghcr.io/cozystack/cozystack/token-proxy:latest@sha256:fad27112617bb17816702571e1f39d0ac3fe5283468d25eb12f79906cdab566b

packages/system/kubevirt/templates/kubevirt-cr.yaml

@@ -22,7 +22,13 @@ spec:
       - GPU
       - VMExport
     evictionStrategy: LiveMigrate
+    vmRolloutStrategy: LiveUpdate
+  workloadUpdateStrategy:
+    workloadUpdateMethods:
+    - LiveMigrate
+    - Evict
+    batchEvictionInterval: 1m
+    batchEvictionSize: 10
   customizeComponents: {}
   imagePullPolicy: IfNotPresent
   monitorNamespace: tenant-root
-  workloadUpdateStrategy: {}

pkg/apis/apps/fuzzer/fuzzer.go

@@ -17,17 +17,10 @@ limitations under the License.
 package fuzzer
 
 import (
-	"github.com/cozystack/cozystack/pkg/apis/apps"
-	fuzz "github.com/google/gofuzz"
-
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
 )
 
 // Funcs returns the fuzzer functions for the apps api group.
 var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
-	return []interface{}{
-		func(s *apps.ApplicationSpec, c fuzz.Continue) {
-			c.FuzzNoCustom(s) // fuzz self without calling this function again
-		},
-	}
+	return []interface{}{}
 }

pkg/apis/core/fuzzer/fuzzer.go

@@ -17,17 +17,10 @@ limitations under the License.
 package fuzzer
 
 import (
-	"github.com/cozystack/cozystack/pkg/apis/core"
-	fuzz "github.com/google/gofuzz"
-
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
 )
 
 // Funcs returns the fuzzer functions for the core api group.
 var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
-	return []interface{}{
-		func(s *core.TenantNamespaceSpec, c fuzz.Continue) {
-			c.FuzzNoCustom(s) // fuzz self without calling this function again
-		},
-	}
+	return []interface{}{}
 }

pkg/apis/core/v1alpha1/register.go

@@ -59,11 +59,9 @@ func RegisterStaticTypes(scheme *runtime.Scheme) {
 		&TenantNamespaceList{},
 		&TenantSecret{},
 		&TenantSecretList{},
-		&TenantSecretsTable{},
-		&TenantSecretsTableList{},
 		&TenantModule{},
 		&TenantModuleList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
-	klog.V(1).Info("Registered static kinds: TenantNamespace, TenantSecret, TenantSecretsTable, TenantModule")
+	klog.V(1).Info("Registered static kinds: TenantNamespace, TenantSecret, TenantModule")
 }

pkg/apis/core/v1alpha1/tenantsecretstable_types.go

@@ -1,34 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-package v1alpha1
-
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-// TenantSecretEntry represents a single key from a Secret's data.
-type TenantSecretEntry struct {
-	Name  string `json:"name,omitempty"`
-	Key   string `json:"key,omitempty"`
-	Value string `json:"value,omitempty"`
-}
-
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// TenantSecretsTable is a virtual, namespaced resource that exposes every key
-// of Secrets labelled cozystack.io/ui=true as a separate object.
-type TenantSecretsTable struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Data TenantSecretEntry `json:"data,omitempty"`
-}
-
-// DeepCopy methods are generated by deepcopy-gen
-
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-type TenantSecretsTableList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []TenantSecretsTable `json:"items"`
-}
-
-// DeepCopy methods are generated by deepcopy-gen

pkg/apis/core/v1alpha1/zz_generated.deepcopy.go

@@ -216,22 +216,6 @@ func (in *TenantSecret) DeepCopyObject() runtime.Object {
 	return nil
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TenantSecretEntry) DeepCopyInto(out *TenantSecretEntry) {
-	*out = *in
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSecretEntry.
-func (in *TenantSecretEntry) DeepCopy() *TenantSecretEntry {
-	if in == nil {
-		return nil
-	}
-	out := new(TenantSecretEntry)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TenantSecretList) DeepCopyInto(out *TenantSecretList) {
 	*out = *in
@@ -264,63 +248,3 @@ func (in *TenantSecretList) DeepCopyObject() runtime.Object {
 	}
 	return nil
 }
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TenantSecretsTable) DeepCopyInto(out *TenantSecretsTable) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	out.Data = in.Data
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSecretsTable.
-func (in *TenantSecretsTable) DeepCopy() *TenantSecretsTable {
-	if in == nil {
-		return nil
-	}
-	out := new(TenantSecretsTable)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *TenantSecretsTable) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TenantSecretsTableList) DeepCopyInto(out *TenantSecretsTableList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]TenantSecretsTable, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSecretsTableList.
-func (in *TenantSecretsTableList) DeepCopy() *TenantSecretsTableList {
-	if in == nil {
-		return nil
-	}
-	out := new(TenantSecretsTableList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *TenantSecretsTableList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}

pkg/apis/core/validation/validation.go

@@ -1,40 +0,0 @@
-/*
-Copyright 2024 The Cozystack Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package validation
-
-import (
-	"github.com/cozystack/cozystack/pkg/apis/core"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-)
-
-// ValidateTenantNamespace validates a TenantNamespace.
-func ValidateTenantNamespace(f *core.TenantNamespace) field.ErrorList {
-	allErrs := field.ErrorList{}
-
-	allErrs = append(allErrs, ValidateTenantNamespaceSpec(&f.Spec, field.NewPath("spec"))...)
-
-	return allErrs
-}
-
-// ValidateTenantNamespaceSpec validates a TenantNamespaceSpec.
-func ValidateTenantNamespaceSpec(s *core.TenantNamespaceSpec, fldPath *field.Path) field.ErrorList {
-	allErrs := field.ErrorList{}
-
-	// TODO validation
-
-	return allErrs
-}

pkg/apis/sdn/DESIGN.md

@@ -0,0 +1,243 @@
+# Cozystack Security Groups (Model A) — Design v0.1
+
+**Status:** Draft (decisions captured; open questions intentionally deferred)
+
+## 1) Summary
+
+Cozystack introduces **Security Groups (SGs)** that map 1:1 to Cilium (Clusterwide)NetworkPolicies. Users attach SGs to managed applications; under the hood, the controller labels the application’s pods with a presence label `securitygroups.cozystack.io/sg-<id>: ""`. Each SG is reconciled into a **single** Cilium policy whose `endpointSelector` matches that label. This yields AWS-like semantics (attach/detach) with minimal object fan‑out.
+
+## 2) Goals / Non‑Goals
+
+**Goals**
+
+- Provide a stable, AWS‑style abstractions for traffic control (attach/detach SGs to managed apps).
+- Keep policy count ≈ number of SGs (not attachments).
+- Avoid disruptive changes to clusters that do not opt into SGs.
+
+**Non‑Goals**
+
+- We do not redesign tenant isolation here; existing isolation policies remain.
+- We do not introduce per‑attachment bespoke policy logic (that would be Model B).
+
+## 3) Terminology
+
+- **SG** — SecurityGroup (Cozystack CRD), user‑facing construct.
+- **CNP/CCNP** — CiliumNetworkPolicy / CiliumClusterwideNetworkPolicy (backend object).
+- **Attachment** — association between a managed application and one or more SGs; implemented via pod labels.
+
+## 4) High‑Level Architecture
+
+1. User creates **SecurityGroup** (`cozystack.io/v1alpha1`), defining ingress/egress rules.
+2. SG controller reconciles SG → a **single** CNP/CCNP named `cozy-sg-<id>` with:
+   - `endpointSelector`: `matchExpressions: [{ key: securitygroups.cozystack.io/sg-<id>, operator: Exists }]`.
+   - Rules translated from SG spec.
+3. User attaches SG(s) to a managed application via either:
+   - Application subresource: `/<apigroup>/<kind>/<name>/securitygroupattachments`, or
+   - SG subresource: `/securitygroups/<name>/attach`.
+4. Attachment controller resolves the target → applies/maintains pod template labels so new pods inherit; best‑effort patches existing pods; removes labels on detach.
+
+## 5) CRDs (user‑facing)
+
+### 5.1 SecurityGroup
+
+```yaml
+apiVersion: cozystack.io/v1alpha1
+kind: SecurityGroup
+metadata:
+  name: sg-db
+  namespace: tenant-a           # optional; cluster scope supported (see spec.scope)
+spec:
+  scope: Cluster                 # Cluster | Namespace
+  description: "DB access group"
+  selectorLabelKey: securitygroups.cozystack.io/sg-db  # controller defaults to this if unset
+  egress:
+    - toSecurityGroups: [ sg-web ]
+      toPorts:
+        - protocol: TCP
+          port: 5432
+    - toFQDNs: [ "*.apt.example.org" ]
+    - toCIDRs: [ "10.0.0.0/8" ]
+  ingress:
+    - fromSecurityGroups: [ sg-web ]
+      toPorts:
+        - protocol: TCP
+          port: 5432
+```
+
+**Notes**
+
+- `scope: Cluster` → controller renders a **CiliumClusterwideNetworkPolicy**; otherwise **namespaced CNP**.
+- `selectorLabelKey` is the authoritative label for attachments. Presence semantics (`""` value) are used.
+
+### 5.2 SecurityGroupAttachment
+
+```yaml
+apiVersion: cozystack.io/v1alpha1
+kind: SecurityGroupAttachment
+metadata:
+  name: sga-postgres-foo
+  namespace: tenant-a
+spec:
+  subjectRef:                    # ONE of subjectRef | selectorRef (subjectRef preferred for managed apps)
+    group: postgresql.cnpg.io
+    kind: Cluster
+    name: foo
+  securityGroups:
+    - sg-db
+    - sg-monitoring
+```
+
+**Notes**
+
+- This is the **source of truth** the controller watches; subresources (below) create/update these objects.
+
+## 6) Subresources (user entry points)
+
+Subresources provide ergonomic, RBAC‑friendly ways to manage attachments without exposing internal wiring.
+
+### 6.1 Managed application subresource — `/securitygroupattachments`
+
+- **Path (example):** `/apis/postgresql.cnpg.io/v1/namespaces/<ns>/clusters/<name>/securitygroupattachments`
+- **POST/PATCH body:** `{ securityGroups: ["sg-db", "sg-monitoring"] }`
+- **Semantics:** Create or upsert a `SecurityGroupAttachment` bound to this subject.
+- **RBAC intent:** Tenant admins with rights on the app can manage its attachments.
+
+### 6.2 Security group subresource — `/attach`
+
+- **Path:** `/apis/cozystack.io/v1/namespaces/<ns>/securitygroups/<name>/attach`
+- **POST body:**
+
+```yaml
+subjects:
+  - group: postgresql.cnpg.io
+    kind: Cluster
+    name: foo
+    namespace: tenant-a
+```
+
+- **Semantics:** Append or reconcile `SecurityGroupAttachment` objects for the listed subjects.
+- **RBAC intent:** Platform admins (or delegated roles) can attach SGs to many resources.
+
+> Both subresources are symmetric and operate by creating/updating `SecurityGroupAttachment` objects. They are idempotent.
+
+## 7) Labeling Conventions (authoritative)
+
+- **Attachment label (presence):** `securitygroups.cozystack.io/<sg-id>: ""`
+- **Optional marker label:** `securitygroups.cozystack.io/enabled: "true"` (used to exclude SG‑managed pods from legacy namespace policies during migration).
+- Controllers ensure pod **templates** carry the labels; existing pods are patched best‑effort.
+
+## 8) Controller Responsibilities
+
+### 8.1 SG Controller
+
+- Reconcile SG → CNP/CCNP `cozy-sg-<id>` with the `endpointSelector` above.
+- Translate SG `ingress/egress` to Cilium spec (toEndpoints/fromEndpoints using other SGs’ label keys; toFQDNs; toCIDRs; toPorts).
+- Ensure ownerRefs/labels for traceability; emit Events; expose Prometheus metrics.
+
+### 8.2 Attachment Controller
+
+- Resolve `subjectRef` to the managed application → identify pod template(s) (e.g., StatefulSet, Deployment, KubeVirt VM pods).
+- Apply/remove attachment labels on templates; patch live pods where feasible.
+- Maintain a projection status on `SecurityGroupAttachment.status` (attached pod count, last reconcile time).
+- Garbage‑collect labels when attachments are deleted; use finalizers for cleanup.
+
+## 9) Backend Cilium Objects (rendered)
+
+### 9.1 Example generated CCNP for `sg-db`
+
+```yaml
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: cozy-sg-db
+spec:
+  endpointSelector:
+    matchExpressions:
+      - key: securitygroups.cozystack.io/sg-db
+        operator: Exists
+  ingress:
+    - fromEndpoints:
+        - matchExpressions:
+            - key: securitygroups.cozystack.io/sg-web
+              operator: Exists
+      toPorts:
+        - ports:
+            - port: "5432"
+              protocol: TCP
+  egress:
+    - toFQDNs:
+        - matchPattern: "*.apt.example.org"
+```
+
+## 10) RBAC Model (concise)
+
+- \*\*ClusterRole: \*\*\`\` — full CRUD on `SecurityGroup` and `/attach`, cluster‑wide.
+- \*\*Role: \*\*\`\` — can use app `/securitygroupattachments` within their namespaces; read SGs cluster‑wide.
+- Controllers need write access to: CNP/CCNP, workload templates in target namespaces, and pods (patch labels best‑effort).
+
+## 11) Safety & Interactions (decisions baked in)
+
+- **Scoping:** Policies only apply to pods carrying the SG label; other pods remain unaffected.
+- **Union of allows:** SG rules are additive with existing policies; to avoid accidental widening, legacy namespace policies should be updated to **exclude** pods with `securitygroups.cozystack.io/enabled=true`.
+- **No host‑policy changes:** Host networking (nodeSelector) is out of scope for SGs.
+
+## 12) Migration (minimal, non‑disruptive)
+
+1. Deploy controllers (no attachments yet).
+2. Create tenant‑specific **baseline SG(s)** if desired (DNS, metrics, etc.).
+3. Update legacy namespace policies to **not select** SG‑managed pods (e.g., `DoesNotExist` match on `securitygroups.cozystack.io/enabled`).
+4. Attach SGs to a canary app; verify datapath; roll out.
+5. Optionally deprecate legacy namespace egress‑only policies after adoption.
+
+## 13) Observability
+
+- `SecurityGroupAttachment.status` summarizes effective attachments.
+- Pods receive an annotation `securitygroups.cozystack.io/attached: "sg-a,sg-b,..."` for quick inspection.
+- Events on SG and Attachment objects for attach/detach and reconciliation failures.
+
+## 14) Examples
+
+### 14.1 User defines an SG and attaches it to a Postgres cluster
+
+```yaml
+apiVersion: cozystack.io/v1alpha1
+kind: SecurityGroup
+metadata:
+  name: sg-db
+spec:
+  scope: Cluster
+  ingress:
+    - fromSecurityGroups: [ sg-web ]
+      toPorts:
+        - protocol: TCP
+          port: 5432
+```
+
+```yaml
+apiVersion: cozystack.io/v1alpha1
+kind: SecurityGroupAttachment
+metadata:
+  name: sga-postgres-foo
+  namespace: tenant-a
+spec:
+  subjectRef:
+    group: postgresql.cnpg.io
+    kind: Cluster
+    name: foo
+  securityGroups:
+    - sg-db
+```
+
+### 14.2 Resulting pod labels (applied by controller)
+
+```yaml
+metadata:
+  labels:
+    securitygroups.cozystack.io/enabled: "true"
+    securitygroups.cozystack.io/sg-db: ""
+```
+
+---
+
+**This document intentionally focuses on the decided mechanics (Model A, label‑based attachments, SG→Cilium one‑to‑one). Extensions (e.g., reusable CIDR/FQDN groups, per‑attachment overrides, policy linting) can be added later without changing the core model.**
+

pkg/apis/sdn/fuzzer/fuzzer.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2024 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fuzzer
+
+import (
+	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+// Funcs returns the fuzzer functions for the core api group.
+var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
+	return []interface{}{}
+}

pkg/apis/sdn/install/install.go

@@ -0,0 +1,29 @@
+/*
+Copyright 2024 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package install
+
+import (
+	sdnv1alpha1 "github.com/cozystack/cozystack/pkg/apis/sdn/v1alpha1"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+// Install registers the API group and adds types to a scheme
+func Install(scheme *runtime.Scheme) {
+	utilruntime.Must(sdnv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(scheme.SetVersionPriority(sdnv1alpha1.SchemeGroupVersion))
+}

pkg/apis/sdn/install/roundtrip_test.go

@@ -14,27 +14,17 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package validation
+package install
 
 import (
-	"github.com/cozystack/cozystack/pkg/apis/apps"
-	"k8s.io/apimachinery/pkg/util/validation/field"
+	"testing"
+
+	sdnfuzzer "github.com/cozystack/cozystack/pkg/apis/sdn/fuzzer"
+	"k8s.io/apimachinery/pkg/api/apitesting/roundtrip"
 )
 
-// ValidateApplication validates a Application.
-func ValidateApplication(f *apps.Application) field.ErrorList {
-	allErrs := field.ErrorList{}
-
-	allErrs = append(allErrs, ValidateApplicationSpec(&f.Spec, field.NewPath("spec"))...)
-
-	return allErrs
-}
-
-// ValidateApplicationSpec validates a ApplicationSpec.
-func ValidateApplicationSpec(s *apps.ApplicationSpec, fldPath *field.Path) field.ErrorList {
-	allErrs := field.ErrorList{}
-
-	// TODO validation
-
-	return allErrs
+func TestRoundTripTypes(t *testing.T) {
+	roundtrip.RoundTripTestForAPIGroup(t, Install, sdnfuzzer.Funcs)
+	// TODO: enable protobuf generation for the sample-apiserver
+	// roundtrip.RoundTripProtobufTestForAPIGroup(t, Install, corefuzzer.Funcs)
 }

pkg/apis/sdn/register.go

@@ -0,0 +1,22 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sdn
+
+// GroupName is the group name used in this package
+const (
+	GroupName = "sdn.cozystack.io"
+)

pkg/apis/sdn/v1alpha1/doc.go

@@ -0,0 +1,25 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=github.com/cozystack/cozystack/pkg/apis/sdn
+// +k8s:conversion-gen=k8s.io/apiextensions-apiserver/pkg/apis/apiextensions
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=sdn.cozystack.io
+
+// Package v1alpha1 is the v1alpha1 version of the API.
+package v1alpha1 // import "github.com/cozystack/cozystack/pkg/apis/sdn/v1alpha1"

pkg/apis/sdn/v1alpha1/register.go

@@ -0,0 +1,60 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2025 The Cozystack Authors.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/klog/v2"
+)
+
+// -----------------------------------------------------------------------------
+// Group / version boiler-plate
+// -----------------------------------------------------------------------------
+
+// GroupName is the API group for every resource in this package.
+const GroupName = "sdn.cozystack.io"
+
+// SchemeGroupVersion is the canonical {group,version} for v1alpha1.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// -----------------------------------------------------------------------------
+// Scheme registration helpers
+// -----------------------------------------------------------------------------
+
+var (
+	// SchemeBuilder is used by generated deepcopy code.
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// Manually-written types go here.  Generated deepcopy code is wired in
+	// via `zz_generated.deepcopy.go`.
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// addKnownTypes is called from init().
+func addKnownTypes(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource turns an unqualified resource name into a fully-qualified one.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+// -----------------------------------------------------------------------------
+// Public helpers consumed by the apiserver wiring
+// -----------------------------------------------------------------------------
+
+// RegisterStaticTypes adds *compile-time* resources such as TenantNamespace.
+func RegisterStaticTypes(scheme *runtime.Scheme) {
+	scheme.AddKnownTypes(SchemeGroupVersion)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	klog.V(1).Info("Registered static kinds: SecurityGroups")
+}

pkg/apis/sdn/v1alpha1/securitygroup_types.go

@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: Apache-2.0
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+const (
+	SecurityGroupKind         = "SecurityGroup"
+	SecurityGroupListKind     = "SecurityGroupList"
+	SecurityGroupSingularName = "securitygroup"
+	SecurityGroupPluralName   = "securitygroups"
+)
+
+type SecurityGroup struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type SecurityGroupList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []SecurityGroup `json:"items"`
+}

pkg/apis/sdn/v1alpha1/zz_generated.conversion.go

@@ -0,0 +1,36 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	return nil
+}

pkg/apis/sdn/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,77 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecurityGroup) DeepCopyInto(out *SecurityGroup) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityGroup.
+func (in *SecurityGroup) DeepCopy() *SecurityGroup {
+	if in == nil {
+		return nil
+	}
+	out := new(SecurityGroup)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecurityGroupList) DeepCopyInto(out *SecurityGroupList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]SecurityGroup, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityGroupList.
+func (in *SecurityGroupList) DeepCopy() *SecurityGroupList {
+	if in == nil {
+		return nil
+	}
+	out := new(SecurityGroupList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SecurityGroupList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}

pkg/apis/sdn/v1alpha1/zz_generated.defaults.go

@@ -0,0 +1,33 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}

pkg/apiserver/apiserver.go

@@ -44,7 +44,6 @@ import (
 	tenantmodulestorage "github.com/cozystack/cozystack/pkg/registry/core/tenantmodule"
 	tenantnamespacestorage "github.com/cozystack/cozystack/pkg/registry/core/tenantnamespace"
 	tenantsecretstorage "github.com/cozystack/cozystack/pkg/registry/core/tenantsecret"
-	tenantsecretstablestorage "github.com/cozystack/cozystack/pkg/registry/core/tenantsecretstable"
 )
 
 var (
@@ -177,9 +176,6 @@ func (c completedConfig) New() (*CozyServer, error) {
 	coreV1alpha1Storage["tenantsecrets"] = cozyregistry.RESTInPeace(
 		tenantsecretstorage.NewREST(cli, watchCli),
 	)
-	coreV1alpha1Storage["tenantsecretstables"] = cozyregistry.RESTInPeace(
-		tenantsecretstablestorage.NewREST(cli, watchCli),
-	)
 	coreV1alpha1Storage["tenantmodules"] = cozyregistry.RESTInPeace(
 		tenantmodulestorage.NewREST(cli, watchCli),
 	)

pkg/generated/openapi/zz_generated.openapi.go

@@ -39,10 +39,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantNamespace":                      schema_pkg_apis_core_v1alpha1_TenantNamespace(ref),
 		"github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantNamespaceList":                  schema_pkg_apis_core_v1alpha1_TenantNamespaceList(ref),
 		"github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantSecret":                         schema_pkg_apis_core_v1alpha1_TenantSecret(ref),
-		"github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantSecretEntry":                    schema_pkg_apis_core_v1alpha1_TenantSecretEntry(ref),
 		"github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantSecretList":                     schema_pkg_apis_core_v1alpha1_TenantSecretList(ref),
-		"github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantSecretsTable":                   schema_pkg_apis_core_v1alpha1_TenantSecretsTable(ref),
-		"github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantSecretsTableList":               schema_pkg_apis_core_v1alpha1_TenantSecretsTableList(ref),
+		"github.com/cozystack/cozystack/pkg/apis/sdn/v1alpha1.SecurityGroup":                         schema_pkg_apis_sdn_v1alpha1_SecurityGroup(ref),
+		"github.com/cozystack/cozystack/pkg/apis/sdn/v1alpha1.SecurityGroupList":                     schema_pkg_apis_sdn_v1alpha1_SecurityGroupList(ref),
 		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionRequest":                 schema_pkg_apis_apiextensions_v1_ConversionRequest(ref),
 		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionResponse":                schema_pkg_apis_apiextensions_v1_ConversionResponse(ref),
 		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionReview":                  schema_pkg_apis_apiextensions_v1_ConversionReview(ref),
@@ -557,37 +556,6 @@ func schema_pkg_apis_core_v1alpha1_TenantSecret(ref common.ReferenceCallback) co
 	}
 }
 
-func schema_pkg_apis_core_v1alpha1_TenantSecretEntry(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "TenantSecretEntry represents a single key from a Secret's data.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"name": {
-						SchemaProps: spec.SchemaProps{
-							Type:   []string{"string"},
-							Format: "",
-						},
-					},
-					"key": {
-						SchemaProps: spec.SchemaProps{
-							Type:   []string{"string"},
-							Format: "",
-						},
-					},
-					"value": {
-						SchemaProps: spec.SchemaProps{
-							Type:   []string{"string"},
-							Format: "",
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
 func schema_pkg_apis_core_v1alpha1_TenantSecretList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -636,12 +604,11 @@ func schema_pkg_apis_core_v1alpha1_TenantSecretList(ref common.ReferenceCallback
 	}
 }
 
-func schema_pkg_apis_core_v1alpha1_TenantSecretsTable(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_pkg_apis_sdn_v1alpha1_SecurityGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "TenantSecretsTable is a virtual, namespaced resource that exposes every key of Secrets labelled cozystack.io/ui=true as a separate object.",
-				Type:        []string{"object"},
+				Type: []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
 						SchemaProps: spec.SchemaProps{
@@ -663,21 +630,15 @@ func schema_pkg_apis_core_v1alpha1_TenantSecretsTable(ref common.ReferenceCallba
 							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
 						},
 					},
-					"data": {
-						SchemaProps: spec.SchemaProps{
-							Default: map[string]interface{}{},
-							Ref:     ref("github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantSecretEntry"),
-						},
-					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantSecretEntry", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_pkg_apis_core_v1alpha1_TenantSecretsTableList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_pkg_apis_sdn_v1alpha1_SecurityGroupList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -710,7 +671,7 @@ func schema_pkg_apis_core_v1alpha1_TenantSecretsTableList(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantSecretsTable"),
+										Ref:     ref("github.com/cozystack/cozystack/pkg/apis/sdn/v1alpha1.SecurityGroup"),
 									},
 								},
 							},
@@ -721,7 +682,7 @@ func schema_pkg_apis_core_v1alpha1_TenantSecretsTableList(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"github.com/cozystack/cozystack/pkg/apis/core/v1alpha1.TenantSecretsTable", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"github.com/cozystack/cozystack/pkg/apis/sdn/v1alpha1.SecurityGroup", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 

pkg/registry/core/tenantsecret/rest.go

@@ -9,7 +9,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/http"
-	"sort"
+	"slices"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
@@ -226,6 +226,9 @@ func (r *REST) Get(
 	if err != nil {
 		return nil, err
 	}
+	if sec.Labels == nil || sec.Labels[tsLabelKey] != tsLabelValue {
+		return nil, apierrors.NewNotFound(r.gvr.GroupResource(), name)
+	}
 	return secretToTenant(sec), nil
 }
 
@@ -253,11 +256,13 @@ func (r *REST) List(ctx context.Context, opts *metainternal.ListOptions) (runtim
 	list := &corev1.SecretList{}
 	err = r.c.List(ctx, list,
 		&client.ListOptions{
-			Namespace: ns,
+			Namespace:     ns,
+			LabelSelector: ls,
 			Raw: &metav1.ListOptions{
 				LabelSelector: ls.String(),
 				FieldSelector: fieldSel,
-			}})
+			},
+		})
 	if err != nil {
 		return nil, err
 	}
@@ -273,7 +278,17 @@ func (r *REST) List(ctx context.Context, opts *metainternal.ListOptions) (runtim
 	for i := range list.Items {
 		out.Items = append(out.Items, *secretToTenant(&list.Items[i]))
 	}
-	sort.Slice(out.Items, func(i, j int) bool { return out.Items[i].Name < out.Items[j].Name })
+	slices.SortFunc(out.Items, func(a, b corev1alpha1.TenantSecret) int {
+		aKey := fmt.Sprintf("%s/%s", a.Namespace, a.Name)
+		bKey := fmt.Sprintf("%s/%s", b.Namespace, b.Name)
+		switch {
+		case aKey < bKey:
+			return -1
+		case aKey > bKey:
+			return 1
+		}
+		return 0
+	})
 	return out, nil
 }
 
@@ -291,10 +306,17 @@ func (r *REST) Update(
 		return nil, false, err
 	}
 
-	cur := &corev1.Secret{}
-	err = r.c.Get(ctx, types.NamespacedName{Namespace: ns, Name: name}, cur, &client.GetOptions{Raw: &metav1.GetOptions{}})
-	if err != nil && !apierrors.IsNotFound(err) {
-		return nil, false, err
+	var cur *corev1.Secret
+	previous := &corev1.Secret{}
+	if err := r.c.Get(ctx, types.NamespacedName{Namespace: ns, Name: name}, previous, &client.GetOptions{Raw: &metav1.GetOptions{}}); err != nil {
+		if !apierrors.IsNotFound(err) {
+			return nil, false, err
+		}
+	} else {
+		if previous.Labels == nil || previous.Labels[tsLabelKey] != tsLabelValue {
+			return nil, false, apierrors.NewNotFound(r.gvr.GroupResource(), name)
+		}
+		cur = previous
 	}
 
 	newObj, err := objInfo.UpdatedObject(ctx, nil)
@@ -306,7 +328,7 @@ func (r *REST) Update(
 	newSec := tenantToSecret(in, cur)
 	newSec.Namespace = ns
 	if cur == nil {
-		if !forceCreate && err == nil {
+		if !forceCreate {
 			return nil, false, apierrors.NewNotFound(r.gvr.GroupResource(), name)
 		}
 		err := r.c.Create(ctx, newSec, &client.CreateOptions{Raw: &metav1.CreateOptions{}})
@@ -328,6 +350,13 @@ func (r *REST) Delete(
 	if err != nil {
 		return nil, false, err
 	}
+	current := &corev1.Secret{}
+	if err := r.c.Get(ctx, types.NamespacedName{Namespace: ns, Name: name}, current, &client.GetOptions{Raw: &metav1.GetOptions{}}); err != nil {
+		return nil, false, err
+	}
+	if current.Labels == nil || current.Labels[tsLabelKey] != tsLabelValue {
+		return nil, false, apierrors.NewNotFound(r.gvr.GroupResource(), name)
+	}
 	err = r.c.Delete(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: ns, Name: name}}, &client.DeleteOptions{Raw: opts})
 	return nil, err == nil, err
 }
@@ -347,6 +376,13 @@ func (r *REST) Patch(
 	if err != nil {
 		return nil, err
 	}
+	current := &corev1.Secret{}
+	if err := r.c.Get(ctx, types.NamespacedName{Namespace: ns, Name: name}, current, &client.GetOptions{Raw: &metav1.GetOptions{}}); err != nil {
+		return nil, err
+	}
+	if current.Labels == nil || current.Labels[tsLabelKey] != tsLabelValue {
+		return nil, apierrors.NewNotFound(r.gvr.GroupResource(), name)
+	}
 	out := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: ns,
@@ -383,12 +419,16 @@ func (r *REST) Watch(ctx context.Context, opts *metainternal.ListOptions) (watch
 	}
 
 	secList := &corev1.SecretList{}
-	ls := labels.Set{tsLabelKey: tsLabelValue}.AsSelector().String()
-	base, err := r.w.Watch(ctx, secList, &client.ListOptions{Namespace: ns, Raw: &metav1.ListOptions{
-		Watch:           true,
-		LabelSelector:   ls,
-		ResourceVersion: opts.ResourceVersion,
-	}})
+	ls := labels.Set{tsLabelKey: tsLabelValue}.AsSelector()
+	base, err := r.w.Watch(ctx, secList, &client.ListOptions{
+		Namespace:     ns,
+		LabelSelector: ls,
+		Raw: &metav1.ListOptions{
+			Watch:           true,
+			LabelSelector:   ls.String(),
+			ResourceVersion: opts.ResourceVersion,
+		},
+	})
 	if err != nil {
 		return nil, err
 	}

pkg/registry/core/tenantsecretstable/rest.go

@@ -1,335 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// TenantSecretsTable registry – namespaced, read-only flattened view over
-// Secrets labelled "internal.cozystack.io/tenantresource=true". Each data key is a separate object.
-
-package tenantsecretstable
-
-import (
-	"context"
-	"encoding/base64"
-	"fmt"
-	"net/http"
-	"sort"
-	"time"
-
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/selection"
-	"k8s.io/apimachinery/pkg/watch"
-	"k8s.io/apiserver/pkg/endpoints/request"
-	"k8s.io/apiserver/pkg/registry/rest"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	corev1alpha1 "github.com/cozystack/cozystack/pkg/apis/core/v1alpha1"
-)
-
-const (
-	tsLabelKey     = corev1alpha1.TenantResourceLabelKey
-	tsLabelValue   = corev1alpha1.TenantResourceLabelValue
-	kindObj        = "TenantSecretsTable"
-	kindObjList    = "TenantSecretsTableList"
-	singularName   = "tenantsecretstable"
-	resourcePlural = "tenantsecretstables"
-)
-
-type REST struct {
-	c   client.Client
-	w   client.WithWatch
-	gvr schema.GroupVersionResource
-}
-
-func NewREST(c client.Client, w client.WithWatch) *REST {
-	return &REST{
-		c: c,
-		w: w,
-		gvr: schema.GroupVersionResource{
-			Group:    corev1alpha1.GroupName,
-			Version:  "v1alpha1",
-			Resource: resourcePlural,
-		},
-	}
-}
-
-var (
-	_ rest.Getter               = &REST{}
-	_ rest.Lister               = &REST{}
-	_ rest.Watcher              = &REST{}
-	_ rest.TableConvertor       = &REST{}
-	_ rest.Scoper               = &REST{}
-	_ rest.SingularNameProvider = &REST{}
-	_ rest.Storage              = &REST{}
-)
-
-func (*REST) NamespaceScoped() bool { return true }
-func (*REST) New() runtime.Object   { return &corev1alpha1.TenantSecretsTable{} }
-func (*REST) NewList() runtime.Object {
-	return &corev1alpha1.TenantSecretsTableList{}
-}
-func (*REST) Kind() string { return kindObj }
-func (r *REST) GroupVersionKind(_ schema.GroupVersion) schema.GroupVersionKind {
-	return r.gvr.GroupVersion().WithKind(kindObj)
-}
-func (*REST) GetSingularName() string { return singularName }
-func (*REST) Destroy()                {}
-
-func nsFrom(ctx context.Context) (string, error) {
-	ns, ok := request.NamespaceFrom(ctx)
-	if !ok {
-		return "", fmt.Errorf("namespace required")
-	}
-	return ns, nil
-}
-
-// -----------------------
-// Get/List
-// -----------------------
-
-func (r *REST) Get(ctx context.Context, name string, opts *metav1.GetOptions) (runtime.Object, error) {
-	ns, err := nsFrom(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	// We need to identify secret name and key. Iterate secrets in namespace with tenant secret label
-	// and return the matching composed object.
-	list := &corev1.SecretList{}
-	err = r.c.List(ctx, list,
-		&client.ListOptions{
-			Namespace: ns,
-			Raw: &metav1.ListOptions{
-				LabelSelector: labels.Set{tsLabelKey: tsLabelValue}.AsSelector().String(),
-			},
-		})
-	if err != nil {
-		return nil, err
-	}
-	for i := range list.Items {
-		sec := &list.Items[i]
-		for k, v := range sec.Data {
-			composed := composedName(sec.Name, k)
-			if composed == name {
-				return secretKeyToObj(sec, k, v), nil
-			}
-		}
-	}
-	return nil, apierrors.NewNotFound(r.gvr.GroupResource(), name)
-}
-
-func (r *REST) List(ctx context.Context, opts *metainternal.ListOptions) (runtime.Object, error) {
-	ns, err := nsFrom(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	sel := labels.NewSelector()
-	req, _ := labels.NewRequirement(tsLabelKey, selection.Equals, []string{tsLabelValue})
-	sel = sel.Add(*req)
-	if opts.LabelSelector != nil {
-		if reqs, _ := opts.LabelSelector.Requirements(); len(reqs) > 0 {
-			sel = sel.Add(reqs...)
-		}
-	}
-	fieldSel := ""
-	if opts.FieldSelector != nil {
-		fieldSel = opts.FieldSelector.String()
-	}
-
-	list := &corev1.SecretList{}
-	err = r.c.List(ctx, list,
-		&client.ListOptions{
-			Namespace: ns,
-			Raw: &metav1.ListOptions{
-				LabelSelector: labels.Set{tsLabelKey: tsLabelValue}.AsSelector().String(),
-				FieldSelector: fieldSel,
-			},
-		})
-	if err != nil {
-		return nil, err
-	}
-
-	out := &corev1alpha1.TenantSecretsTableList{
-		TypeMeta: metav1.TypeMeta{APIVersion: corev1alpha1.SchemeGroupVersion.String(), Kind: kindObjList},
-		ListMeta: list.ListMeta,
-	}
-
-	for i := range list.Items {
-		sec := &list.Items[i]
-		// Ensure stable ordering of keys
-		keys := make([]string, 0, len(sec.Data))
-		for k := range sec.Data {
-			keys = append(keys, k)
-		}
-		sort.Strings(keys)
-		for _, k := range keys {
-			v := sec.Data[k]
-			o := secretKeyToObj(sec, k, v)
-			out.Items = append(out.Items, *o)
-		}
-	}
-
-	sort.Slice(out.Items, func(i, j int) bool { return out.Items[i].Name < out.Items[j].Name })
-	return out, nil
-}
-
-// -----------------------
-// Watch
-// -----------------------
-
-func (r *REST) Watch(ctx context.Context, opts *metainternal.ListOptions) (watch.Interface, error) {
-	ns, err := nsFrom(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	secList := &corev1.SecretList{}
-	ls := labels.Set{tsLabelKey: tsLabelValue}.AsSelector().String()
-	base, err := r.w.Watch(ctx, secList, &client.ListOptions{Namespace: ns, Raw: &metav1.ListOptions{
-		Watch:           true,
-		LabelSelector:   ls,
-		ResourceVersion: opts.ResourceVersion,
-	}})
-	if err != nil {
-		return nil, err
-	}
-
-	ch := make(chan watch.Event)
-	proxy := watch.NewProxyWatcher(ch)
-
-	go func() {
-		defer proxy.Stop()
-		for ev := range base.ResultChan() {
-			sec, ok := ev.Object.(*corev1.Secret)
-			if !ok || sec == nil {
-				continue
-			}
-			// Emit an event per key
-			for k, v := range sec.Data {
-				obj := secretKeyToObj(sec, k, v)
-				ch <- watch.Event{Type: ev.Type, Object: obj}
-			}
-		}
-	}()
-
-	return proxy, nil
-}
-
-// -----------------------
-// TableConvertor
-// -----------------------
-
-func (r *REST) ConvertToTable(_ context.Context, obj runtime.Object, _ runtime.Object) (*metav1.Table, error) {
-	now := time.Now()
-	row := func(o *corev1alpha1.TenantSecretsTable) metav1.TableRow {
-		return metav1.TableRow{
-			Cells:  []interface{}{o.Name, o.Data.Name, o.Data.Key, humanAge(o.CreationTimestamp.Time, now)},
-			Object: runtime.RawExtension{Object: o},
-		}
-	}
-	tbl := &metav1.Table{
-		TypeMeta: metav1.TypeMeta{APIVersion: "meta.k8s.io/v1", Kind: "Table"},
-		ColumnDefinitions: []metav1.TableColumnDefinition{
-			{Name: "NAME", Type: "string"},
-			{Name: "SECRET", Type: "string"},
-			{Name: "KEY", Type: "string"},
-			{Name: "AGE", Type: "string"},
-		},
-	}
-	switch v := obj.(type) {
-	case *corev1alpha1.TenantSecretsTableList:
-		for i := range v.Items {
-			tbl.Rows = append(tbl.Rows, row(&v.Items[i]))
-		}
-		tbl.ListMeta.ResourceVersion = v.ListMeta.ResourceVersion
-	case *corev1alpha1.TenantSecretsTable:
-		tbl.Rows = append(tbl.Rows, row(v))
-		tbl.ListMeta.ResourceVersion = v.ResourceVersion
-	default:
-		return nil, notAcceptable{r.gvr.GroupResource(), fmt.Sprintf("unexpected %T", obj)}
-	}
-	return tbl, nil
-}
-
-// -----------------------
-// Helpers
-// -----------------------
-
-func composedName(secretName, key string) string {
-	return secretName + "-" + key
-}
-
-func humanAge(t time.Time, now time.Time) string {
-	d := now.Sub(t)
-	// simple human duration
-	if d.Hours() >= 24 {
-		return fmt.Sprintf("%dd", int(d.Hours()/24))
-	}
-	if d.Hours() >= 1 {
-		return fmt.Sprintf("%dh", int(d.Hours()))
-	}
-	if d.Minutes() >= 1 {
-		return fmt.Sprintf("%dm", int(d.Minutes()))
-	}
-	return fmt.Sprintf("%ds", int(d.Seconds()))
-}
-
-func secretKeyToObj(sec *corev1.Secret, key string, val []byte) *corev1alpha1.TenantSecretsTable {
-	return &corev1alpha1.TenantSecretsTable{
-		TypeMeta: metav1.TypeMeta{APIVersion: corev1alpha1.SchemeGroupVersion.String(), Kind: kindObj},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:              sec.Name,
-			Namespace:         sec.Namespace,
-			UID:               sec.UID,
-			ResourceVersion:   sec.ResourceVersion,
-			CreationTimestamp: sec.CreationTimestamp,
-			Labels:            filterUserLabels(sec.Labels),
-			Annotations:       sec.Annotations,
-		},
-		Data: corev1alpha1.TenantSecretEntry{
-			Name:  sec.Name,
-			Key:   key,
-			Value: toBase64String(val),
-		},
-	}
-}
-
-func filterUserLabels(m map[string]string) map[string]string {
-	if m == nil {
-		return nil
-	}
-	out := make(map[string]string, len(m))
-	for k, v := range m {
-		if k == tsLabelKey {
-			continue
-		}
-		out[k] = v
-	}
-	return out
-}
-
-func toBase64String(b []byte) string {
-	const enc = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
-	// Minimal base64 encoder to avoid extra deps; for readability we could use stdlib encoding/base64
-	// but keeping inline is fine; however using stdlib is clearer.
-	// Using stdlib:
-	return base64.StdEncoding.EncodeToString(b)
-}
-
-type notAcceptable struct {
-	resource schema.GroupResource
-	message  string
-}
-
-func (e notAcceptable) Error() string { return e.message }
-func (e notAcceptable) Status() metav1.Status {
-	return metav1.Status{
-		Status:  metav1.StatusFailure,
-		Code:    http.StatusNotAcceptable,
-		Reason:  metav1.StatusReason("NotAcceptable"),
-		Message: e.message,
-	}
-}

pkg/registry/sdn/securitygroup/rest.go

@@ -0,0 +1,372 @@
+// SPDX-License-Identifier: Apache-2.0
+// TenantSecret registry – namespaced view over Secrets labelled
+// "internal.cozystack.io/tenantresource=true".  Internal tenant secret labels are hidden.
+
+package securitygroup
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"time"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/duration"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/registry/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+	sdnv1alpha1 "github.com/cozystack/cozystack/pkg/apis/sdn/v1alpha1"
+)
+
+// -----------------------------------------------------------------------------
+// Constants & helpers
+// -----------------------------------------------------------------------------
+
+func fromCiliumNetworkPolicy(np ciliumv2.CiliumNetworkPolicy) *sdnv1alpha1.SecurityGroup {
+	return &sdnv1alpha1.SecurityGroup{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: sdnv1alpha1.SchemeGroupVersion.String(),
+			Kind:       sdnv1alpha1.SecurityGroupKind,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:              np.Name,
+			Namespace:         np.Namespace,
+			UID:               np.UID,
+			ResourceVersion:   np.ResourceVersion,
+			CreationTimestamp: np.CreationTimestamp,
+			Labels:            np.Labels,
+			Annotations:       np.Annotations,
+		},
+	}
+}
+
+func toCiliumNetworkPolicy(sg *sdnv1alpha1.SecurityGroup, np *ciliumv2.CiliumNetworkPolicy) *ciliumv2.CiliumNetworkPolicy {
+	var out ciliumv2.CiliumNetworkPolicy
+	if np != nil {
+		out = *np.DeepCopy()
+	}
+	out.TypeMeta = metav1.TypeMeta{
+		APIVersion: ciliumv2.SchemeGroupVersion.String(),
+		Kind:       ciliumv2.CNPKindDefinition,
+	}
+	out.Name, out.Namespace = np.Name, np.Namespace
+
+	if out.Labels == nil {
+		out.Labels = map[string]string{}
+	}
+	for k, v := range sg.Labels {
+		out.Labels[k] = v
+	}
+
+	if out.Annotations == nil {
+		out.Annotations = map[string]string{}
+	}
+	for k, v := range sg.Annotations {
+		out.Annotations[k] = v
+	}
+
+	return &out
+}
+
+// -----------------------------------------------------------------------------
+// REST storage
+// -----------------------------------------------------------------------------
+
+var (
+	_ rest.Creater              = &REST{}
+	_ rest.Getter               = &REST{}
+	_ rest.Lister               = &REST{}
+	_ rest.Updater              = &REST{}
+	_ rest.Patcher              = &REST{}
+	_ rest.GracefulDeleter      = &REST{}
+	_ rest.Watcher              = &REST{}
+	_ rest.TableConvertor       = &REST{}
+	_ rest.Scoper               = &REST{}
+	_ rest.SingularNameProvider = &REST{}
+)
+
+type REST struct {
+	c client.Client
+	w client.WithWatch
+}
+
+func NewREST(c client.Client, w client.WithWatch) *REST {
+	return &REST{
+		c: c,
+		w: w,
+	}
+}
+
+// -----------------------------------------------------------------------------
+// Basic meta
+// -----------------------------------------------------------------------------
+
+func (*REST) NamespaceScoped() bool   { return true }
+func (*REST) New() runtime.Object     { return &sdnv1alpha1.SecurityGroup{} }
+func (*REST) NewList() runtime.Object { return &sdnv1alpha1.SecurityGroupList{} }
+func (*REST) Kind() string            { return singularKind }
+func (r *REST) GroupVersionKind(_ schema.GroupVersion) schema.GroupVersionKind {
+	return sdnv1alpha1.SchemeGroupVersion.WithKind(sdnv1alpha1.SecurityGroupKind)
+}
+func (*REST) GetSingularName() string { return sdnv1alpha1.SecurityGroupSingularName }
+
+// -----------------------------------------------------------------------------
+// CRUD
+// -----------------------------------------------------------------------------
+
+func (r *REST) Create(
+	ctx context.Context,
+	obj runtime.Object,
+	_ rest.ValidateObjectFunc,
+	opts *metav1.CreateOptions,
+) (runtime.Object, error) {
+	in, ok := obj.(*sdnv1alpha1.SecurityGroup)
+	if !ok {
+		return nil, fmt.Errorf("expected SecurityGroup, got %T", obj)
+	}
+
+	np := toCiliumNetworkPolicy(in, nil)
+	err := r.c.Create(ctx, np, &client.CreateOptions{Raw: opts})
+	if err != nil {
+		return nil, err
+	}
+	return fromCiliumNetworkPolicy(np), nil
+}
+
+func (r *REST) Get(
+	ctx context.Context,
+	name string,
+	opts *metav1.GetOptions,
+) (runtime.Object, error) {
+	ns, ok := request.NamespaceFrom(ctx)
+	if !ok {
+		return nil, apierrors.NewBadRequest("namespace required")
+	}
+	np := &ciliumv2.CiliumNetworkPolicy{}
+	err := r.c.Get(ctx, types.NamespacedName{Namespace: ns, Name: name}, np, &client.GetOptions{Raw: opts})
+	if err != nil {
+		return nil, err
+	}
+	return fromCiliumNetworkPolicy(np), nil
+}
+
+func (r *REST) List(ctx context.Context, opts *metainternal.ListOptions) (runtime.Object, error) {
+	ns, ok := request.NamespaceFrom(ctx)
+	if !ok {
+		return nil, apierrors.NewBadRequest("namespace required")
+	}
+
+	list := &ciliumv2.CiliumNetworkPolicyList{}
+	err := r.c.List(ctx, list,
+		&client.ListOptions{
+			Namespace: ns,
+			Raw:       &metav1.ListOptions{},
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	out := &sdnv1alpha1.SecurityGroupList{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: sdnv1alpha1.SchemeGroupVersion.String(),
+			Kind:       sdnv1alpha1.SecurityGroupListKind,
+		},
+		ListMeta: list.ListMeta,
+	}
+
+	for i := range list.Items {
+		out.Items = append(out.Items, *fromCiliumNetworkPolicy(&list.Items[i]))
+	}
+	return out, nil
+}
+
+func (r *REST) Update(
+	ctx context.Context,
+	name string,
+	objInfo rest.UpdatedObjectInfo,
+	_ rest.ValidateObjectFunc,
+	_ rest.ValidateObjectUpdateFunc,
+	forceCreate bool,
+	opts *metav1.UpdateOptions,
+) (runtime.Object, bool, error) {
+	ns, ok := request.NamespaceFrom(ctx)
+	if !ok {
+		return nil, false, apierrors.NewBadRequest("namespace required")
+	}
+
+	cur := &ciliumv2.CiliumNetworkPolicy{}
+	err := r.c.Get(ctx, types.NamespacedName{Namespace: ns, Name: name}, cur, &client.GetOptions{Raw: &metav1.GetOptions{}})
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, false, err
+	}
+
+	newObj, err := objInfo.UpdatedObject(ctx, nil)
+	if err != nil {
+		return nil, false, err
+	}
+	in := newObj.(*sdnv1alpha1.SecurityGroup)
+
+	newNp := toCiliumNetworkPolicy(in, cur)
+	newNp.Namespace = ns
+	if cur == nil {
+		if !forceCreate && err == nil {
+			return nil, false, apierrors.NewNotFound(sdnv1alpha1.Resource(sdnv1alpha1.SecurityGroupPluralName), name)
+		}
+		err := r.c.Create(ctx, newNp, &client.CreateOptions{Raw: &metav1.CreateOptions{}})
+		return fromCiliumNetworkPolicy(newNp), true, err
+	}
+
+	newNp.ResourceVersion = cur.ResourceVersion
+	err = r.c.Update(ctx, newNp, &client.UpdateOptions{Raw: opts})
+	return fromCiliumNetworkPolicy(newNp), false, err
+}
+
+func (r *REST) Delete(
+	ctx context.Context,
+	name string,
+	_ rest.ValidateObjectFunc,
+	opts *metav1.DeleteOptions,
+) (runtime.Object, bool, error) {
+	ns, ok := request.NamespaceFrom(ctx)
+	if !ok {
+		return nil, false, apierrors.NewBadRequest("namespace required")
+	}
+	err := r.c.Delete(ctx, &ciliumv2.CiliumNetworkPolicy{ObjectMeta: metav1.ObjectMeta{Namespace: ns, Name: name}}, &client.DeleteOptions{Raw: opts})
+	return nil, err == nil, err
+}
+
+func (r *REST) Patch(
+	ctx context.Context,
+	name string,
+	pt types.PatchType,
+	data []byte,
+	opts *metav1.PatchOptions,
+	subresources ...string,
+) (runtime.Object, error) {
+	if len(subresources) > 0 {
+		return nil, fmt.Errorf("SecurityGroup does not have subresources")
+	}
+	ns, ok := request.NamespaceFrom(ctx)
+	if !ok {
+		return nil, apierrors.NewBadRequest("namespace required")
+	}
+	out := &ciliumv2.CiliumNetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: ns,
+			Name:      name,
+		},
+	}
+	patch := client.RawPatch(pt, data)
+	err := r.c.Patch(ctx, out, patch, &client.PatchOptions{Raw: opts})
+	if err != nil {
+		return nil, err
+	}
+
+	return fromCiliumNetworkPolicy(out), nil
+}
+
+// -----------------------------------------------------------------------------
+// Watcher
+// -----------------------------------------------------------------------------
+
+func (r *REST) Watch(ctx context.Context, opts *metainternal.ListOptions) (watch.Interface, error) {
+	ns, ok := request.NamespaceFrom(ctx)
+	if !ok {
+		return nil, apierrors.NewBadRequest("namespace required")
+	}
+
+	npList := &ciliumv2.CiliumNetworkPolicyList{}
+	base, err := r.w.Watch(ctx, npList, &client.ListOptions{Namespace: ns, Raw: &metav1.ListOptions{
+		Watch:           true,
+		ResourceVersion: opts.ResourceVersion,
+	}})
+	if err != nil {
+		return nil, err
+	}
+
+	ch := make(chan watch.Event)
+	proxy := watch.NewProxyWatcher(ch)
+
+	go func() {
+		defer proxy.Stop()
+		for ev := range base.ResultChan() {
+			np, ok := ev.Object.(*ciliumv2.CiliumNetworkPolicy)
+			if !ok || sec == nil {
+				continue
+			}
+			sg := fromCiliumNetworkPolicy(np)
+			ch <- watch.Event{
+				Type:   ev.Type,
+				Object: sg,
+			}
+		}
+	}()
+
+	return proxy, nil
+}
+
+// -----------------------------------------------------------------------------
+// TableConvertor
+// -----------------------------------------------------------------------------
+
+func (r *REST) ConvertToTable(_ context.Context, obj runtime.Object, _ runtime.Object) (*metav1.Table, error) {
+	now := time.Now()
+	row := func(o *sdnv1alpha1.SecurityGroup) metav1.TableRow {
+		return metav1.TableRow{
+			Cells:  []interface{}{o.Name, duration.HumanDuration(now.Sub(o.CreationTimestamp.Time))},
+			Object: runtime.RawExtension{Object: o},
+		}
+	}
+
+	tbl := &metav1.Table{
+		TypeMeta: metav1.TypeMeta{APIVersion: "meta.k8s.io/v1", Kind: "Table"},
+		ColumnDefinitions: []metav1.TableColumnDefinition{
+			{Name: "NAME", Type: "string"},
+			{Name: "AGE", Type: "string"},
+		},
+	}
+
+	switch v := obj.(type) {
+	case *sdnv1alpha1.SecurityGroupList:
+		for i := range v.Items {
+			tbl.Rows = append(tbl.Rows, row(&v.Items[i]))
+		}
+		tbl.ListMeta.ResourceVersion = v.ListMeta.ResourceVersion
+	case *sdnv1alpha1.SecurityGroup:
+		tbl.Rows = append(tbl.Rows, row(v))
+		tbl.ListMeta.ResourceVersion = v.ResourceVersion
+	default:
+		return nil, notAcceptable{sdnv1alpha1.Resource(sdnv1alpha1.SecurityGroupPluralName), fmt.Sprintf("unexpected %T", obj)}
+	}
+	return tbl, nil
+}
+
+// -----------------------------------------------------------------------------
+// Boiler-plate
+// -----------------------------------------------------------------------------
+
+func (*REST) Destroy() {}
+
+type notAcceptable struct {
+	resource schema.GroupResource
+	message  string
+}
+
+func (e notAcceptable) Error() string { return e.message }
+func (e notAcceptable) Status() metav1.Status {
+	return metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    http.StatusNotAcceptable,
+		Reason:  metav1.StatusReason("NotAcceptable"),
+		Message: e.message,
+	}
+}