Release v0.37.9 (#1667 )

This PR prepares the release `v0.37.9`.
Prepare release v0.37.9
2026-03-06 06:58:52 +00:00 · 2025-11-27 15:52:56 +01:00 · 2025-11-27 13:47:48 +00:00 · 2025-11-27 14:43:23 +01:00 · 2025-11-27 14:40:22 +01:00 · 2025-11-27 14:36:35 +01:00
243 changed files with 3252 additions and 15438 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1 @@
-* @kvaps @lllamnyp @nbykov0
+* @kvaps @lllamnyp @klinch0
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -28,7 +28,7 @@ jobs:

      - name: Install generate
        run: |
-          curl -sSL https://github.com/cozystack/cozyvalues-gen/releases/download/v1.0.5/cozyvalues-gen-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ cozyvalues-gen
+          curl -sSL https://github.com/cozystack/cozyvalues-gen/releases/download/v0.9.0/cozyvalues-gen-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ cozyvalues-gen

      - name: Run pre-commit hooks
        run: |
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -1,8 +1,7 @@
 name: Pull Request

 env:
-  # TODO: unhardcode this
-  REGISTRY: iad.ocir.io/idyksih5sir9/cozystack
+  REGISTRY: ${{ vars.OCIR_REPO }}
 on:
  pull_request:
    types: [opened, synchronize, reopened]
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -31,5 +31,4 @@ This list is sorted in chronological order, based on the submission date.
 | [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01 | Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management. |
 | [Urmanac](https://urmanac.com) | @kingdonb | 2024-12-04 | Urmanac is the future home of a hosting platform for the knowledge base of a community of personal server enthusiasts. We use Cozystack to provide support services for web sites hosted using both conventional deployments and on SpinKube, with WASM. |
 | [Hidora](https://hikube.cloud) | @matthieu-robin | 2025-09-17 | Hidora is a Swiss cloud provider delivering managed services and infrastructure solutions through datacenters located in Switzerland, ensuring data sovereignty and reliability. Its sovereign cloud platform, Hikube, is designed to run workloads with high availability across multiple datacenters, providing enterprises with a secure and scalable foundation for their applications based on Cozystack. |
-| [QOSI](https://qosi.kz) | @tabu-a | 2025-10-04 | QOSI is a non-profit organization driving open-source adoption and digital sovereignty across Kazakhstan and Central Asia. We use Cozystack as a platform for deploying sovereign, GPU-enabled clouds and educational environments under the National AI Program. Our goal is to accelerate the region’s transition toward open, self-hosted cloud-native technologies |
-|
+| 
--- a/api/v1alpha1/cozystackresourcedefinitions_types.go
+++ b/api/v1alpha1/cozystackresourcedefinitions_types.go
@@ -110,18 +110,17 @@ type CozystackResourceDefinitionRelease struct {
 // - {{ .namespace }}: The namespace of the resource being processed
 //
 // Example YAML:
-//
-//	secrets:
-//	  include:
-//	  - matchExpressions:
-//	    - key: badlabel
-//	      operator: DoesNotExist
-//	    matchLabels:
-//	      goodlabel: goodvalue
-//	    resourceNames:
-//	    - "{{ .name }}-secret"
-//	    - "{{ .kind }}-{{ .name }}-tls"
-//	    - "specificname"
+//   secrets:
+//     include:
+//     - matchExpressions:
+//       - key: badlabel
+//         operator: DoesNotExist
+//       matchLabels:
+//         goodlabel: goodvalue
+//       resourceNames:
+//       - "{{ .name }}-secret"
+//       - "{{ .kind }}-{{ .name }}-tls"
+//       - "specificname"
 type CozystackResourceDefinitionResourceSelector struct {
 	metav1.LabelSelector `json:",inline"`
 	// ResourceNames is a list of resource names to match
--- a/cmd/cozystack-controller/main.go
+++ b/cmd/cozystack-controller/main.go
@@ -192,14 +192,6 @@ func main() {
 		os.Exit(1)
 	}

-	if err = (&controller.DashboardResourcesReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "DashboardResources")
-		os.Exit(1)
-	}
-
 	if err = (&controller.WorkloadReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
--- a/docs/changelogs/patch-template.md
+++ b/docs/changelogs/patch-template.md
@@ -1,18 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0..
-->
-
-## Features and Improvements
-
-## Security
-
-## Fixes
-
-## Dependencies
-
-## Development, Testing, and CI/CD
-
---
-
-**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.36.0...main
--- a/docs/changelogs/template.md
+++ b/docs/changelogs/template.md
@@ -17,4 +17,4 @@ https://github.com/cozystack/cozystack/releases/tag/v0..

 ---

-**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.34.0...v0.35.0
+**Full Changelog**: **Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.34.0...v0.35.0
--- a/docs/changelogs/v0.35.3.md
+++ b/docs/changelogs/v0.35.3.md
@@ -1,10 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.35.3
-->
-
-## Fixes
-
-* [seaweedfs] Add a liveness check for the SeaweedFS S3 endpoint to improve health monitoring and enable automatic recovery. (@IvanHunters in https://github.com/cozystack/cozystack/pull/1368)
-
-**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.35.2...v0.35.3
--- a/docs/changelogs/v0.35.4.md
+++ b/docs/changelogs/v0.35.4.md
@@ -1,14 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.35.4
-->
-
-## Fixes
-
-* [virtual-machine] Fix the regression in VM update hook introduced in https://github.com/cozystack/cozystack/pull/1169 by targeting the correct API resource and avoiding conflicts with KubeVirt resources. (@kvaps in https://github.com/cozystack/cozystack/pull/1376, backported in https://github.com/cozystack/cozystack/pull/1377)
-* [cozy-lib] Add the missing template `cozy-lib.resources.flatten`. (@kvaps in https://github.com/cozystack/cozystack/pull/1372, backported in https://github.com/cozystack/cozystack/pull/1375)
-* [platform] Fix a boolean override bug in Helm merge. ConfigMap values now correctly take precedence over bundle defaults. (@dyudin0821 in https://github.com/cozystack/cozystack/pull/1385, backported in https://github.com/cozystack/cozystack/pull/1388)
-* [seaweedfs] Resolve connectivity issues in SeaweedFS. Increase Nginx ingress timeouts for SeaweedFS S3 endpoint. (@kvaps in https://github.com/cozystack/cozystack/pull/1386, backported in https://github.com/cozystack/cozystack/pull/1390)
-* [dx] Remove the BUILDER and PLATFORM autodetect logic in Makefiles. (@kvaps in https://github.com/cozystack/cozystack/pull/1391, backported in https://github.com/cozystack/cozystack/pull/1392)
-
-**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.35.3...v0.35.4
--- a/docs/changelogs/v0.35.5.md
+++ b/docs/changelogs/v0.35.5.md
@@ -1,11 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.35.5
-->
-
-## Fixes
-
-* [etcd] Ensure that TopologySpreadConstraints consistently target etcd pods. (@kvaps in https://github.com/cozystack/cozystack/pull/1405, backported in https://github.com/cozystack/cozystack/pull/1406)
-* [tests] Add resource quota for testing namespaces. (@IvanHunters in https://github.com/cozystack/cozystack/commit/4982cdf5024c8bb9aa794b91d55545ea6b105d17)
-
-**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.35.4...v0.35.5
--- a/docs/changelogs/v0.36.0.md
+++ b/docs/changelogs/v0.36.0.md
@@ -1,117 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.36.0
-->
-
-
-## Feature Highlights
-
-Release v0.36.0 focuses on the stability, observability, and flexible configuration of managed applications.
-
-### Per-Namespace Resource Limits for Tenants
-
-Resource management for Cozystack tenants has received a final patch and is now graduated to a stable feature.
-Platform administrators can define explicit CPU, memory, and storage limits for each tenant's namespace 
-via the tenant specification.
-This prevents any single tenant from consuming more than their share of cluster resources,
-ensuring cluster stability and a guaranteed service level for each tenant.
-
-### Kube-OVN Cluster Health Monitor
-
-A new component called the Kube-OVN Plunger continuously monitors the health of the Kube-OVN network's central control cluster.
-This external agent gathers OVN cluster status and consensus information, exposing Prometheus metrics and live events stream via SSE.
-As a result, it provides much better visibility of the virtual network layer and helps maintain a reliable and observable network in Cozystack.
-This change opens the road to automated Kube-OVN database operations and recovery in specific corner cases.
-
-### Configurable CoreDNS Addon for Kubernetes
-
-Cozystack introduces a dedicated CoreDNS addon for managing cluster DNS with greater flexibility.
-CoreDNS is now deployed via a Helm chart and can be tuned through custom values in the cluster specification,
-including autoscaling, replica count, and adjusting service IP.
-CoreDNS can now be configured in the dashboard and using Cozystack API.
-
-### Granular SeaweedFS Service Configuration
-
-The SeaweedFS S3 storage service in Cozystack is now far more configurable at a component level.
-The Helm chart for SeaweedFS now includes independent configuration for each component and its resources.
-It includes the master nodes, volume servers with support for multiple zones, filers, the backing database, and the S3 gateway.
-Administrators can set per-component parameters such as the number of replicas, available CPU, memory, and storage size.
-
-### Server-side Encryption for S3
-
-Cozystack v0.36.0 includes SeaweedFS 3.97, bringing support for server-side encryption of S3 buckets (SSE-C, SSE-KMS, and SSE-S3).
-
-**Breaking change:** upon updating Cozystack, SeaweedFS will be updated to a newer version, and the services specification
-will be converted to the new format.
-
-### Custom Resource Profiles for Ingress Controller
-
-NGINX controller is now configurable on a per-replica basis.
-Configurations include the ingress controller pods' CPU and memory requests/limits, either with direct values or using one of the available presets.
-
-### Cozystack REST API Documentation
-
-[Cozystack REST API reference](https://cozystack.io/docs/cozystack-api/rest/) is now published on the website.
-It includes endpoints and methods for listing, creating, updating, and removing each managed application, defined as Cozystack CRD.
-
-
-### Built-in LLDP-Based Neighbor Discovery in Talos
-
-Cozystack now includes the LLDPD extension in its Talos OS image, enabling Link Layer Discovery Protocol (LLDP) out of the box.
-This means each node can automatically discover and advertise its network neighbors and topology without any manual setup.
-
-### Use external IP for Egress Traffic in VMs
-
-When a virtual machine has an external IP assigned to it, it will now always use it for egress traffic, independently of the external method used.
-
-## Major Features and Improvements
-
-* [talos] Add LLDPD (`ghcr.io/siderolabs/lldpd`) as a built-in system extension, enabling LLDP-based neighbor discovery out of the box. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1351 and https://github.com/cozystack/cozystack/pull/1360)
-* [kubernetes] Add a configurable CoreDNS addon with valuesOverride, packaged chart, and managed deployment (metrics, autoscaling, HPA, customizable Service). (@klinch0 in https://github.com/cozystack/cozystack/pull/1362)
-* [kube-ovn] Implement the Kube-OVN plunger, an external monitoring agent for the ovn-central cluster. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1380, patched in https://github.com/cozystack/cozystack/pull/1414 and https://github.com/cozystack/cozystack/pull/1418)
-* [tenant] Enable per-namespace resource quota settings in tenants, with explicit cpu, memory, and storage values. (@IvanHunters in https://github.com/cozystack/cozystack/pull/1389)
-* [seaweedfs] Add detailed resource configuration for each component of the SeaweedFS service. (@klinch0 and @kvaps in https://github.com/cozystack/cozystack/pull/1415)
-* [ingress] Enable per-replica resource configuration to the ingress controller. (@kvaps in https://github.com/cozystack/cozystack/pull/1416)
-* [virtual-machine] Use external IP for egress traffic with `PortList` method. (@kvaps in https://github.com/cozystack/cozystack/pull/1349)
-
-
-## Fixes
-
-* [cozy-lib] Fix malformed retrieval of `cozyConfig` in the cozy-lib template. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1348)
-* [cozy-lib] Add the missing template `cozy-lib.resources.flatten`. (@kvaps in https://github.com/cozystack/cozystack/pull/1372)
-* [cozystack-api] Sanitize the OpenAPI v2 schema. (@kvaps in https://github.com/cozystack/cozystack/pull/1353)
-* [kube-ovn] Improve northd leader detection. Patch the northd leader check to test against all endpoints instead of just the first one marked as ready. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1363)
-* [seaweedfs] Add a liveness check for the SeaweedFS S3 endpoint to improve health monitoring and enable automatic recovery. (@IvanHunters in https://github.com/cozystack/cozystack/pull/1368)
-* [seaweedfs] Resolve race conditions in SeaweedFS. Increase deployment timeouts and set install/upgrade remediation to unlimited retries to improve deployment resilience. (@IvanHunters in https://github.com/cozystack/cozystack/pull/1371)
-* [seaweedfs] Resolve connectivity issues in SeaweedFS. Increase Nginx ingress timeouts for SeaweedFS S3 endpoint. (@kvaps in https://github.com/cozystack/cozystack/pull/1386)
-* [virtual-machine] Fix the reg ression in VM update hook introduced in https://github.com/cozystack/cozystack/pull/1169. Target the correct API resource and avoid conflicts with KubeVirt resources. (@kvaps in https://github.com/cozystack/cozystack/pull/1376)
-* [virtual-machine] Correct app version references in `virtual-machine` and `vm-instance`, ensuring accurate versioning during migrations. (@kvaps in https://github.com/cozystack/cozystack/pull/1378).
-* [cozyreport] Fix an error where cozyreport tried to parse non-existent objects and generated garbage output in CI debug logs. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1383)
-* [platform] Fix a boolean override bug in Helm merge. ConfigMap values now correctly take precedence over bundle defaults. (@dyudin0821 in https://github.com/cozystack/cozystack/pull/1385)
-* [kubernetes] CoreDNS release now installs and stores state in the `kube-system` namespace. (@kvaps in https://github.com/cozystack/cozystack/pull/1395)
-* [kubernetes] Expose configuration for CoreDNS, enabling setting the image repository and replica count via `values.yaml`. (@kvaps in https://github.com/cozystack/cozystack/pull/1410)
-* [etcd] Ensure that TopologySpreadConstraints consistently target etcd pods. (@kvaps in https://github.com/cozystack/cozystack/pull/1405)
-* [tenant] Use force-upgrade for ingress controller charts. (@klinch0 in https://github.com/cozystack/cozystack/pull/1404)
-* [cozystack-controller] Fix an RBAC error that prevented the workload labelling feature from working. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1419)
-* [seaweedfs] Remove VerticalPodAutoscaler for SeaweedFS. (@kvaps in https://github.com/cozystack/cozystack/pull/1421)
-
-
-## Dependencies
-
-* Update LINSTOR to v1.31.3. (@kvaps in https://github.com/cozystack/cozystack/pull/1358)
-* Update SeaweedFS to v3.97. (@kvaps in https://github.com/cozystack/cozystack/pull/1361 and https://github.com/cozystack/cozystack/pull/1373)
-* Update Kube-OVN to 1.14.5. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1363)
-* Replace Bitnami images with alternatives in all charts. (@kvaps in https://github.com/cozystack/cozystack/pull/1374)
-
-## Documentation
-
-## Development, Testing, and CI/CD
-
-* [dx] Remove the BUILDER and PLATFORM autodetect logic in Makefiles. (@kvaps in https://github.com/cozystack/cozystack/pull/1391)
-* [ci] Use the host buildx config in CI. (@kvaps in https://github.com/cozystack/cozystack/pull/1015)
-* [ci] Add `jq` and `git` to the installer image. (@kvaps in https://github.com/cozystack/cozystack/pull/1417)
-* [ci] Source the `REGISTRY` environment variable from actions' variables, not secrets, so external pull requests can work. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1423)
-
---
-
-**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.35.0...v0.36.0
--- a/docs/changelogs/v0.36.1.md
+++ b/docs/changelogs/v0.36.1.md
@@ -1,22 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.36.1
-->
-
-## Major Features and Improvements
-
-* [cozystack-api] Implement recursive, Kubernetes-like defaulting for applications: missing fields in nested objects and arrays are auto-populated safely without mutating shared defaults. (@kvaps in https://github.com/cozystack/cozystack/pull/1432)
-
-## Fixes
-
-* [cozystack-api] Update defaulting API schemas. (@kvaps in https://github.com/cozystack/cozystack/pull/1433)
-* [dashboard] Fix Bitnami dependencies. (@kvaps in https://github.com/cozystack/cozystack/pull/1431)
-* [seaweedfs] Fix SeaweedFS migration. (@kvaps in https://github.com/cozystack/cozystack/pull/1430)
-
-## Development, Testing, and CI/CD
-
-* [adopters] Add [Hidora](https://hikube.cloud) to the Cozystack adopters list. (@matthieu-robin in https://github.com/cozystack/cozystack/pull/1429)
-
---
-
-**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.36.0...v0.36.1
--- a/docs/changelogs/v0.36.2.md
+++ b/docs/changelogs/v0.36.2.md
@@ -1,18 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.36.2
-->
-
-## Features and Improvements
-
-## Security
-
-## Fixes
-
-## Dependencies
-
-## Development, Testing, and CI/CD
-
---
-
-**Full Changelog**: [v0.36.1...v0.36.2](https://github.com/cozystack/cozystack/compare/v0.36.1...v0.36.2)
--- a/docs/changelogs/v0.37.0.md
+++ b/docs/changelogs/v0.37.0.md
@@ -1,117 +0,0 @@
-# Cozystack v0.37 — “OpenAPI Dashboard & Lineage Everywhere”
-
-We’ve shipped a big usability push this cycle: a brand-new **OpenAPI-driven dashboard**, lineage labeling across core resource types, and several reliability improvements to smooth upgrades from 0.36→ 0.37. Below are the highlights and the full categorized lists.
-
-## Highlights
-
-* **New OpenAPI-based Dashboard** replaces the old UI, adds module-aware navigation, dynamic branding, and richer Kubernetes resource views ([**@kvaps**](https://github.com/kvaps) in #1269, #1463, #1460).
-* **Lineage Webhook** tags Pods, PVCs, Services, Ingresses, and Secrets, adding labels referencing the managing Cozystack application ([**@lllamnyp**](https://github.com/lllamnyp) in #1448, #1452, #1477, #1486, #1497; [**@kvaps**](https://github.com/kvaps) in #1454).
-* **Smoother upgrades** with installer and migration hardening, decoupled CRDs vs. API server ([**@lllamnyp**](https://github.com/lllamnyp) in #1494, #1498; [**@kvaps**](https://github.com/kvaps) in #1506).
-* **Operations quality**: Kubernetes tests with smarter waits/readiness checks ([**@IvanHunters**](https://github.com/IvanHunters) in #1485).
-
---
-
-## New features
-
-### Dashboard
-
-* Introduce the OpenAPI-based dashboard and controller; implement TenantNamespace, TenantModules, TenantSecret/SecretsTable resources ([**@kvaps**](https://github.com/kvaps) in #1269).
-* Module-aware navigation, richer detail views (Services/Secrets/Ingresses), improved sidebars; “Tenant Modules” grouping ([**@kvaps**](https://github.com/kvaps) in #1463).
-* Dynamic branding via cluster config (tenant name, footer/title, logo/icon SVGs) ([**@kvaps**](https://github.com/kvaps) in #1460).
-* Dashboard: fix namespace listing for unprivileged users and stabilize streamed requests; build-time patching ([**@kvaps**](https://github.com/kvaps) in #1456).
-* Dashboard UX set: marketplace hides module resources; consistent navigation/links; prefill “name” in forms; ingress factory; formatted TenantNamespaces tables ([**@kvaps**](https://github.com/kvaps) in #1463).
-* **Dashboard**: list modules reliably; remove Tenant from Marketplace; fix field override while typing ([**@kvaps**](https://github.com/kvaps) in #1501, #1503).
-* **Dashboard**: correct API group for applications; sidebars; disable auto-expand; fix `/docs` redirect ([**@kvaps**](https://github.com/kvaps) in #1463, #1465, #1462).
-* **Dashboard**: show Secrets with empty values correctly ([**@kvaps**](https://github.com/kvaps) in #1480).
-* Dashboard configuration refactor: generate static resources at startup; auto-cleanup stale objects; higher controller client throughput ([**@kvaps**](https://github.com/kvaps) in #1457).
-
-### Migration to v0.37
-* **Installer/Migrations**: prevent unintended deletion of platform resource definitions; resilient timestamping; tolerant annotations; stronger migrate-then-reconcile flow ([**@kvaps**](https://github.com/kvaps) in #1475; Andrei Kvapil & [**@lllamnyp**](https://github.com/lllamnyp) in #1498).
-* Installer hardening for **migration #20**: packaged apply, ordered waits/readiness checks, RFC3339(nano) stamping; Helm in installer image (Andrei Kvapil & [**@lllamnyp**](https://github.com/lllamnyp) in #1498).
-* **Decoupled API & CozyRDs**: You can now upgrade the Cozystack API server independently of CRDs/CozyRD instances, easing 0.36 → 0.37 migrations ([**@lllamnyp**](https://github.com/lllamnyp) in #1494).
-* **Migration #20**: The installer runs migration from packaged Helm charts with ordered waits/readiness checks; annotations are tolerant; timestamps are environment-robust (Andrei Kvapil & [**@lllamnyp**](https://github.com/lllamnyp) in #1498; [**@kvaps**](https://github.com/kvaps) in #1475).
-
-### Webhook / Lineage
-
-* Add a lineage mutating webhook to auto-label Pods/Secrets/PVCs/Ingresses/WorkloadMonitors with owning app ([**@lllamnyp**](https://github.com/lllamnyp) in #1448, #1497, [**@kvaps**](https://github.com/kvaps) in #1454).
-* **Name-based** selectors for Secret visibility (templates supported) ([**@lllamnyp**](https://github.com/lllamnyp) in #1477).
-* Select **Services** and **Ingresses** in CRDs/API; treat them as user-facing when configured ([**@lllamnyp**](https://github.com/lllamnyp) in #1486).
-* **VictoriaMetrics integration**: Lineage labels are explicitly set on VM resources; `managedMetadata` is configured to avoid controller “fights” over labels ([**@lllamnyp**](https://github.com/lllamnyp) in #1452).
-* Webhook **excludes** `default` and `kube-system` to avoid unintended mutations (part of the installer/migration hardening by Andrei Kvapil & [**@lllamnyp**](https://github.com/lllamnyp) in #1498).
-
-### API / Platform
-
-* Decouple the Cozystack API from Cozystack Resource Definitions to allow independent upgrades ([**@lllamnyp**](https://github.com/lllamnyp) in #1494).
-* Add **label selectors** to app definitions for Secret include/exclude ([**@lllamnyp**](https://github.com/lllamnyp) in #1447).
-
-### Monitoring & Ops
-
-* Reduce node labelsets in target relabeling configs on cadvisor/kubelet metrics to reduce cardinality while keeping useful CPU metrics ([**@IvanHunters**](https://github.com/IvanHunters) in #1455).
-
-### Storage & Backups
-
-* PVC expansion in tenant clusters via KubeVirt CSI resizer; RBAC updates (Klinch0 in #1438).
-* Velero upgraded to **v1.17.0**; node agent enabled by default and a raft of usability features ([**@kvaps**](https://github.com/kvaps) in #1484).
-
-### Kubernetes/tests & Tooling
-
-* Smarter Kubernetes test flows: node readiness checks, kubelet version validation, longer rollout waits, per-component readiness ([**@IvanHunters**](https://github.com/IvanHunters) in #1485).
-
-### UI/Icons
-
-* New **VM-Disk** SVG icon ([**@kvapsova**](https://github.com/kvapsova) in #1435).
-
---
-
-## Improvements (minor)
-
-* Make the **Info** app deploy irrespective of OIDC settings ([**klinch0**](https://github.com/klinch0) in #1474).
-* Move SA token Secret creation to **Info** app ([**@lllamnyp**](https://github.com/lllamnyp) in #1446).
-* Explicitly set lineage labels for VictoriaMetrics resources ([**@lllamnyp**](https://github.com/lllamnyp) in #1452).
-
---
-
-## Bug fixes
-
-* **Kubernetes**: fix MachineDeployment `spec.selector` mismatch to ensure proper targeting ([**@kvaps**](https://github.com/kvaps) in #1502).
-* **Old dashboard**: FerretDB spec typo prevented deploy/display ([**@lllamnyp**](https://github.com/lllamnyp) in #1440).
-* **SeaweedFS**: fix per-zone size fallback for multi-DC volumes; make migrations more robust ([**@kvaps**](https://github.com/kvaps) in #1476, #1430).
-* **CoreDNS**: pin tag to v1.12.4 ([**@kvaps**](https://github.com/kvaps) in #1469).
-* **OIDC**: avoid creating KeycloakRealmGroup before operator API is available ([**@lllamnyp**](https://github.com/lllamnyp) in #1495).
-* **Kafka**: disable noisy alerts when Kafka isn’t deployed ([**@lllamnyp**](https://github.com/lllamnyp) in #1488).
-
---
-
-## Dependency & version updates
-
-* **Velero → v1.17.0**; Helm chart v11; node agent default-on ([**@kvaps**](https://github.com/kvaps) in #1484).
-* **Cilium → v1.17.8** ([**@kvaps**](https://github.com/kvaps) in #1473).
-* **Flux Operator → v0.29.0** (Kingdon Barrett in #1466).
-
---
-
-## Refactors & chores
-
-* Remove legacy `versions_map`; unify packaging targets; tighten HelmRelease defaults; replace many chart versions with build-time placeholders ([**@kvaps**](https://github.com/kvaps) in #1453).
-* Pin CoreDNS image and refresh numerous images ([**@kvaps**](https://github.com/kvaps) in #1469; related image refreshes across #1448 work).
-
---
-
-## Documentation & governance
-
-* **Contributor Ladder** created and later updated (Timur Tukaev in #1224; Andrei Kvapil & Timur Tukaev in #1492).
-* **Code of Conduct** updated with a Vendor Neutrality Manifesto (Timur Tukaev in #1493).
-* **Adopters**: add Hidora (Matthieu Robin in #1429).
-* **MAINTAINERS**: add/remove entries (Nikita Bykov in #1487; Timur Tukaev in #1491).
-* **Issue templates**: new bug-report template and tweaks (Moriarti).
-* **README**: updated dark-theme screenshot ([**@kvaps**](https://github.com/kvaps) in #1459).
-
---
-
-## Breaking changes & upgrade notes
-
-
---
-
-## Security & stability
-
--- a/hack/e2e-apps/ferretdb.bats
+++ b/hack/e2e-apps/ferretdb.bats
@@ -1,44 +0,0 @@
-#!/usr/bin/env bats
-
-@test "Create DB FerretDB" {
-  name='test'
-  kubectl apply -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: FerretDB
-metadata:
-  name: $name
-  namespace: tenant-test
-spec:
-  backup:
-    destinationPath: "s3://bucket/path/to/folder/"
-    enabled: false
-    endpointURL: "http://minio-gateway-service:9000"
-    retentionPolicy: "30d"
-    s3AccessKey: "<your-access-key>"
-    s3SecretKey: "<your-secret-key>"
-    schedule: "0 2 * * * *"
-  bootstrap:
-    enabled: false
-  external: false
-  quorum:
-    maxSyncReplicas: 0
-    minSyncReplicas: 0
-  replicas: 2
-  resources: {}
-  resourcesPreset: "micro"
-  size: "10Gi"
-  users:
-    testuser:
-      password: xai7Wepo
-EOF
-  sleep 5
-  kubectl -n tenant-test wait hr ferretdb-$name --timeout=100s --for=condition=ready
-  timeout 40 sh -ec "until kubectl -n tenant-test get svc ferretdb-$name-postgres-r -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
-  timeout 40 sh -ec "until kubectl -n tenant-test get svc ferretdb-$name-postgres-ro -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
-  timeout 40 sh -ec "until kubectl -n tenant-test get svc ferretdb-$name-postgres-rw -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
-  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints ferretdb-$name-postgres-r -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
-  # for some reason it takes longer for the read-only endpoint to be ready
-  #timeout 120 sh -ec "until kubectl -n tenant-test get endpoints ferretdb-$name-postgres-ro -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
-  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints ferretdb-$name-postgres-rw -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
-  kubectl -n tenant-test delete ferretdb.apps.cozystack.io $name
-}
--- a/hack/e2e-apps/foundationdb.bats
+++ b/hack/e2e-apps/foundationdb.bats
@@ -1,121 +0,0 @@
-#!/usr/bin/env bats
-
-@test "Create DB FoundationDB" {
-  name='test'
-  kubectl apply -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: FoundationDB
-metadata:
-  name: $name
-  namespace: tenant-test
-spec:
-  cluster:
-    version: "7.3.63"
-    processCounts:
-      storage: 3
-      stateless: -1
-      cluster_controller: 1
-    redundancyMode: "double"
-    storageEngine: "ssd-2"
-    faultDomain:
-      key: "foundationdb.org/none"
-      valueFrom: "\$FDB_ZONE_ID"
-  storage:
-    size: "1Gi"
-    storageClass: ""
-  resourcesPreset: "small"
-  backup:
-    enabled: false
-    s3:
-      bucket: ""
-      endpoint: ""
-      region: ""
-      credentials:
-        accessKeyId: ""
-        secretAccessKey: ""
-    retentionPolicy: "7d"
-  monitoring:
-    enabled: true
-  customParameters:
-    - "knob_disable_posix_kernel_aio=1"
-  imageType: "unified"
-  automaticReplacements: true
-EOF
-  sleep 15
-
-  # Wait for HelmRelease to be ready
-  kubectl -n tenant-test wait hr foundationdb-$name --timeout=300s --for=condition=ready
-
-  # Wait for FoundationDBCluster to be created (name has foundationdb- prefix)
-  timeout 300 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name; do sleep 15; done"
-
-  # Wait for cluster to become available (initial reconciliation takes time - allow 5 minutes)
-  timeout 300 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.databaseConfiguration.usable_regions}' | grep -q '1'; do sleep 30; done"
-
-  # Check that storage processes are running
-  timeout 300 sh -ec "until [ \$(kubectl -n tenant-test get pods -l foundationdb.org/fdb-cluster-name=foundationdb-$name,foundationdb.org/fdb-process-class=storage --field-selector=status.phase=Running --no-headers | wc -l) -eq 3 ]; do sleep 15; done"
-
-  # Check that log processes are running (these are the stateless processes)
-  timeout 300 sh -ec "until [ \$(kubectl -n tenant-test get pods -l foundationdb.org/fdb-cluster-name=foundationdb-$name,foundationdb.org/fdb-process-class=log --field-selector=status.phase=Running --no-headers | wc -l) -ge 1 ]; do sleep 15; done"
-
-  # Check that cluster controller is running
-  timeout 300 sh -ec "until [ \$(kubectl -n tenant-test get pods -l foundationdb.org/fdb-cluster-name=foundationdb-$name,foundationdb.org/fdb-process-class=cluster_controller --field-selector=status.phase=Running --no-headers | wc -l) -eq 1 ]; do sleep 15; done"
-
-  # Check WorkloadMonitor is created and configured
-  timeout 120 sh -ec "until kubectl -n tenant-test get workloadmonitor foundationdb-$name; do sleep 10; done"
-  timeout 60 sh -ec "until kubectl -n tenant-test get workloadmonitor foundationdb-$name -o jsonpath='{.spec.replicas}' | grep -q '3'; do sleep 5; done"
-
-  # Check dashboard resource map is created
-  kubectl -n tenant-test get configmap foundationdb-$name-resourcemap
-
-  # Verify cluster is healthy (check cluster status) - allow extra time for initial setup
-  timeout 300 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.health.available}' | grep -q 'true'; do sleep 20; done"
-
-  # Validate status.configured field
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.configured}' | grep -q 'true'; do sleep 10; done"
-
-  # Validate status.connectionString field exists and contains expected format
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.connectionString}' | grep -q '@.*\.svc\.cozy\.local'; do sleep 10; done"
-
-  # Validate comprehensive status.databaseConfiguration fields
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.databaseConfiguration.logs}' | grep -q '3'; do sleep 10; done"
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.databaseConfiguration.proxies}' | grep -q '3'; do sleep 10; done"
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.databaseConfiguration.redundancy_mode}' | grep -q 'double'; do sleep 10; done"
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.databaseConfiguration.resolvers}' | grep -q '1'; do sleep 10; done"
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.databaseConfiguration.storage_engine}' | grep -q 'ssd-2'; do sleep 10; done"
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.databaseConfiguration.usable_regions}' | grep -q '1'; do sleep 10; done"
-
-  # Validate status.desiredProcessGroups field
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.desiredProcessGroups}' | grep -q '^[0-9][0-9]*$'; do sleep 10; done"
-
-  # Validate status.generations.reconciled field
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.generations.reconciled}' | grep -q '^[0-9][0-9]*$'; do sleep 10; done"
-
-  # Validate status.hasListenIPsForAllPods field
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.hasListenIPsForAllPods}' | grep -q 'true'; do sleep 10; done"
-
-  # Validate comprehensive status.health fields
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.health.fullReplication}' | grep -q 'true'; do sleep 10; done"
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.status.health.healthy}' | grep -q 'true'; do sleep 10; done"
-
-  # Verify security context is applied correctly (non-root user)
-  storage_pod=$(kubectl -n tenant-test get pods -l foundationdb.org/fdb-cluster-name=foundationdb-$name,foundationdb.org/fdb-process-class=storage --no-headers | head -n1 | awk '{print $1}')
-  kubectl -n tenant-test get pod "$storage_pod" -o jsonpath='{.spec.containers[0].securityContext.runAsUser}' | grep -q '4059'
-  kubectl -n tenant-test get pod "$storage_pod" -o jsonpath='{.spec.containers[0].securityContext.runAsGroup}' | grep -q '4059'
-
-  # Verify volumeClaimTemplate is properly configured in FoundationDBCluster CRD
-  timeout 60 sh -ec "until kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name -o jsonpath='{.spec.processes.general.volumeClaimTemplate.spec.resources.requests.storage}' | grep -q '1Gi'; do sleep 10; done"
-
-  # Verify PVCs are created with correct storage size (1Gi as specified in test)
-  timeout 120 sh -ec "until [ \$(kubectl -n tenant-test get pvc -l foundationdb.org/fdb-cluster-name=foundationdb-$name --no-headers | wc -l) -ge 3 ]; do sleep 10; done"
-  kubectl -n tenant-test get pvc -l foundationdb.org/fdb-cluster-name=foundationdb-$name -o jsonpath='{.items[*].spec.resources.requests.storage}' | grep -q '1Gi'
-
-  # Verify actual PVC storage capacity matches requested size
-  kubectl -n tenant-test get pvc -l foundationdb.org/fdb-cluster-name=foundationdb-$name -o jsonpath='{.items[*].status.capacity.storage}' | grep -q '1Gi'
-
-  # Clean up
-  kubectl -n tenant-test delete foundationdb $name
-
-  # Wait for cleanup to complete
-  timeout 120 sh -ec "while kubectl -n tenant-test get foundationdbclusters.apps.foundationdb.org foundationdb-$name 2>/dev/null; do sleep 10; done"
-}
--- a/hack/e2e-install-cozystack.bats
+++ b/hack/e2e-install-cozystack.bats
@@ -118,7 +118,7 @@ EOF
 }

@test "Check Cozystack API service" {
-  kubectl wait --for=condition=Available apiservices/v1alpha1.apps.cozystack.io --timeout=2m
+  kubectl wait --for=condition=Available apiservices/v1alpha1.apps.cozystack.io apiservices/v1alpha1.core.cozystack.io --timeout=2m
 }

@test "Configure Tenant and wait for applications" {
--- a/hack/e2e-test-openapi.bats
+++ b/hack/e2e-test-openapi.bats
@@ -9,6 +9,7 @@

@test "Test OpenAPI v3 endpoint" {
  kubectl get -v7 --raw '/openapi/v3/apis/apps.cozystack.io/v1alpha1' > /dev/null
+  kubectl get -v7 --raw '/openapi/v3/apis/core.cozystack.io/v1alpha1' > /dev/null
 }

@test "Test OpenAPI v2 endpoint (protobuf)" {
--- a/internal/controller/dashboard/customformsoverride.go
+++ b/internal/controller/dashboard/customformsoverride.go
@@ -11,6 +11,7 @@ import (

 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )

 // ensureCustomFormsOverride creates or updates a CustomFormsOverride resource for the given CRD
@@ -45,15 +46,24 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 		}
 	}

+	// Build schema with multilineString for string fields without enum
+	l := log.FromContext(ctx)
+	schema, err := buildMultilineStringSchema(crd.Spec.Application.OpenAPISchema)
+	if err != nil {
+		// If schema parsing fails, log the error and use an empty schema
+		l.Error(err, "failed to build multiline string schema, using empty schema", "crd", crd.Name)
+		schema = map[string]any{}
+	}
+
 	spec := map[string]any{
 		"customizationId": customizationID,
 		"hidden":          hidden,
 		"sort":            sort,
-		"schema":          map[string]any{}, // {}
+		"schema":          schema,
 		"strategy":        "merge",
 	}

-	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
+	_, err = controllerutil.CreateOrUpdate(ctx, m.Client, obj, func() error {
 		if err := controllerutil.SetOwnerReference(crd, obj, m.Scheme); err != nil {
 			return err
 		}
@@ -73,3 +83,94 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
 	})
 	return err
 }
+
+// buildMultilineStringSchema parses OpenAPI schema and creates schema with multilineString
+// for all string fields inside spec that don't have enum
+func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
+	if openAPISchema == "" {
+		return map[string]any{}, nil
+	}
+
+	var root map[string]any
+	if err := json.Unmarshal([]byte(openAPISchema), &root); err != nil {
+		return nil, fmt.Errorf("cannot parse openAPISchema: %w", err)
+	}
+
+	props, _ := root["properties"].(map[string]any)
+	if props == nil {
+		return map[string]any{}, nil
+	}
+
+	schema := map[string]any{
+		"properties": map[string]any{},
+	}
+
+	// Process spec properties recursively
+	processSpecProperties(props, schema["properties"].(map[string]any))
+
+	return schema, nil
+}
+
+// processSpecProperties recursively processes spec properties and adds multilineString type
+// for string fields without enum
+func processSpecProperties(props map[string]any, schemaProps map[string]any) {
+	for pname, raw := range props {
+		sub, ok := raw.(map[string]any)
+		if !ok {
+			continue
+		}
+
+		typ, _ := sub["type"].(string)
+
+		switch typ {
+		case "string":
+			// Check if this string field has enum
+			if !hasEnum(sub) {
+				// Add multilineString type for this field
+				if schemaProps[pname] == nil {
+					schemaProps[pname] = map[string]any{}
+				}
+				fieldSchema := schemaProps[pname].(map[string]any)
+				fieldSchema["type"] = "multilineString"
+			}
+		case "object":
+			// Recursively process nested objects
+			if childProps, ok := sub["properties"].(map[string]any); ok {
+				fieldSchema, ok := schemaProps[pname].(map[string]any)
+				if !ok {
+					fieldSchema = map[string]any{}
+					schemaProps[pname] = fieldSchema
+				}
+				nestedSchemaProps, ok := fieldSchema["properties"].(map[string]any)
+				if !ok {
+					nestedSchemaProps = map[string]any{}
+					fieldSchema["properties"] = nestedSchemaProps
+				}
+				processSpecProperties(childProps, nestedSchemaProps)
+			}
+		case "array":
+			// Check if array items are objects with properties
+			if items, ok := sub["items"].(map[string]any); ok {
+				if itemProps, ok := items["properties"].(map[string]any); ok {
+					// Create array item schema
+					fieldSchema, ok := schemaProps[pname].(map[string]any)
+					if !ok {
+						fieldSchema = map[string]any{}
+						schemaProps[pname] = fieldSchema
+					}
+					itemSchema, ok := fieldSchema["items"].(map[string]any)
+					if !ok {
+						itemSchema = map[string]any{}
+						fieldSchema["items"] = itemSchema
+					}
+					itemSchemaProps, ok := itemSchema["properties"].(map[string]any)
+					if !ok {
+						itemSchemaProps = map[string]any{}
+						itemSchema["properties"] = itemSchemaProps
+					}
+					processSpecProperties(itemProps, itemSchemaProps)
+				}
+			}
+		}
+	}
+}
--- a/internal/controller/dashboard/customformsoverride_test.go
+++ b/internal/controller/dashboard/customformsoverride_test.go
@@ -0,0 +1,155 @@
+package dashboard
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+func TestBuildMultilineStringSchema(t *testing.T) {
+	// Test OpenAPI schema with various field types
+	openAPISchema := `{
+		"properties": {
+			"simpleString": {
+				"type": "string",
+				"description": "A simple string field"
+			},
+			"stringWithEnum": {
+				"type": "string",
+				"enum": ["option1", "option2"],
+				"description": "String with enum should be skipped"
+			},
+			"numberField": {
+				"type": "number",
+				"description": "Number field should be skipped"
+			},
+			"nestedObject": {
+				"type": "object",
+				"properties": {
+					"nestedString": {
+						"type": "string",
+						"description": "Nested string should get multilineString"
+					},
+					"nestedStringWithEnum": {
+						"type": "string",
+						"enum": ["a", "b"],
+						"description": "Nested string with enum should be skipped"
+					}
+				}
+			},
+			"arrayOfObjects": {
+				"type": "array",
+				"items": {
+					"type": "object",
+					"properties": {
+						"itemString": {
+							"type": "string",
+							"description": "String in array item"
+						}
+					}
+				}
+			}
+		}
+	}`
+
+	schema, err := buildMultilineStringSchema(openAPISchema)
+	if err != nil {
+		t.Fatalf("buildMultilineStringSchema failed: %v", err)
+	}
+
+	// Marshal to JSON for easier inspection
+	schemaJSON, err := json.MarshalIndent(schema, "", "  ")
+	if err != nil {
+		t.Fatalf("Failed to marshal schema: %v", err)
+	}
+
+	t.Logf("Generated schema:\n%s", schemaJSON)
+
+	// Verify that simpleString has multilineString type
+	props, ok := schema["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("schema.properties is not a map")
+	}
+
+	// Check simpleString
+	simpleString, ok := props["simpleString"].(map[string]any)
+	if !ok {
+		t.Fatal("simpleString not found in properties")
+	}
+	if simpleString["type"] != "multilineString" {
+		t.Errorf("simpleString should have type multilineString, got %v", simpleString["type"])
+	}
+
+	// Check stringWithEnum should not be present (or should not have multilineString)
+	if stringWithEnum, ok := props["stringWithEnum"].(map[string]any); ok {
+		if stringWithEnum["type"] == "multilineString" {
+			t.Error("stringWithEnum should not have multilineString type")
+		}
+	}
+
+	// Check numberField should not be present
+	if numberField, ok := props["numberField"].(map[string]any); ok {
+		if numberField["type"] != nil {
+			t.Error("numberField should not have any type override")
+		}
+	}
+
+	// Check nested object
+	nestedObject, ok := props["nestedObject"].(map[string]any)
+	if !ok {
+		t.Fatal("nestedObject not found in properties")
+	}
+	nestedProps, ok := nestedObject["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("nestedObject.properties is not a map")
+	}
+
+	// Check nestedString
+	nestedString, ok := nestedProps["nestedString"].(map[string]any)
+	if !ok {
+		t.Fatal("nestedString not found in nestedObject.properties")
+	}
+	if nestedString["type"] != "multilineString" {
+		t.Errorf("nestedString should have type multilineString, got %v", nestedString["type"])
+	}
+
+	// Check array of objects
+	arrayOfObjects, ok := props["arrayOfObjects"].(map[string]any)
+	if !ok {
+		t.Fatal("arrayOfObjects not found in properties")
+	}
+	items, ok := arrayOfObjects["items"].(map[string]any)
+	if !ok {
+		t.Fatal("arrayOfObjects.items is not a map")
+	}
+	itemProps, ok := items["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("arrayOfObjects.items.properties is not a map")
+	}
+	itemString, ok := itemProps["itemString"].(map[string]any)
+	if !ok {
+		t.Fatal("itemString not found in arrayOfObjects.items.properties")
+	}
+	if itemString["type"] != "multilineString" {
+		t.Errorf("itemString should have type multilineString, got %v", itemString["type"])
+	}
+}
+
+func TestBuildMultilineStringSchemaEmpty(t *testing.T) {
+	schema, err := buildMultilineStringSchema("")
+	if err != nil {
+		t.Fatalf("buildMultilineStringSchema failed on empty string: %v", err)
+	}
+	if len(schema) != 0 {
+		t.Errorf("Expected empty schema for empty input, got %v", schema)
+	}
+}
+
+func TestBuildMultilineStringSchemaInvalidJSON(t *testing.T) {
+	schema, err := buildMultilineStringSchema("{invalid json")
+	if err == nil {
+		t.Error("Expected error for invalid JSON")
+	}
+	if schema != nil {
+		t.Errorf("Expected nil schema for invalid JSON, got %v", schema)
+	}
+}
--- a/internal/controller/dashboard/factory.go
+++ b/internal/controller/dashboard/factory.go
@@ -221,7 +221,7 @@ func workloadsTab(kind string) map[string]any {
 					"baseprefix":           "/openapi-ui",
 					"customizationId":      "factory-details-v1alpha1.cozystack.io.workloadmonitors",
 					"pathToItems":          []any{"items"},
-					"labelsSelector": map[string]any{
+					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group": "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":  kind,
 						"apps.cozystack.io/application.name":  "{reqs[0]['metadata','name']}",
@@ -246,7 +246,7 @@ func servicesTab(kind string) map[string]any {
 					"baseprefix":           "/openapi-ui",
 					"customizationId":      "factory-details-v1.services",
 					"pathToItems":          []any{"items"},
-					"labelsSelector": map[string]any{
+					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group":  "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":   kind,
 						"apps.cozystack.io/application.name":   "{reqs[0]['metadata','name']}",
@@ -272,7 +272,7 @@ func ingressesTab(kind string) map[string]any {
 					"baseprefix":           "/openapi-ui",
 					"customizationId":      "factory-details-networking.k8s.io.v1.ingresses",
 					"pathToItems":          []any{"items"},
-					"labelsSelector": map[string]any{
+					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group":  "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":   kind,
 						"apps.cozystack.io/application.name":   "{reqs[0]['metadata','name']}",
@@ -293,12 +293,12 @@ func secretsTab(kind string) map[string]any {
 				"type": "EnrichedTable",
 				"data": map[string]any{
 					"id":                   "secrets-table",
-					"fetchUrl":             "/api/clusters/{2}/k8s/apis/core.cozystack.io/v1alpha1/namespaces/{3}/tenantsecretstables",
+					"fetchUrl":             "/api/clusters/{2}/k8s/apis/core.cozystack.io/v1alpha1/namespaces/{3}/tenantsecrets",
 					"clusterNamePartOfUrl": "{2}",
 					"baseprefix":           "/openapi-ui",
-					"customizationId":      "factory-details-v1alpha1.core.cozystack.io.tenantsecretstables",
+					"customizationId":      "factory-details-v1alpha1.core.cozystack.io.tenantsecrets",
 					"pathToItems":          []any{"items"},
-					"labelsSelector": map[string]any{
+					"labelSelector": map[string]any{
 						"apps.cozystack.io/application.group": "apps.cozystack.io",
 						"apps.cozystack.io/application.kind":  kind,
 						"apps.cozystack.io/application.name":  "{reqs[0]['metadata','name']}",
--- a/internal/controller/dashboard/manager.go
+++ b/internal/controller/dashboard/manager.go
@@ -15,6 +15,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
+	managerpkg "sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )

@@ -53,10 +54,19 @@ func NewManager(c client.Client, scheme *runtime.Scheme) *Manager {
 }

 func (m *Manager) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
+	if err := ctrl.NewControllerManagedBy(mgr).
 		Named("dashboard-reconciler").
 		For(&cozyv1alpha1.CozystackResourceDefinition{}).
-		Complete(m)
+		Complete(m); err != nil {
+		return err
+	}
+
+	return mgr.Add(managerpkg.RunnableFunc(func(ctx context.Context) error {
+		if !mgr.GetCache().WaitForCacheSync(ctx) {
+			return fmt.Errorf("dashboard static resources cache sync failed")
+		}
+		return m.ensureStaticResources(ctx)
+	}))
 }

 func (m *Manager) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
--- a/internal/controller/dashboard/static_helpers.go
+++ b/internal/controller/dashboard/static_helpers.go
@@ -122,7 +122,7 @@ func createCustomColumnsOverride(id string, additionalPrinterColumns []any) *das
 		}
 	}

-	if name == "factory-details-v1alpha1.core.cozystack.io.tenantsecretstables" {
+	if name == "factory-details-v1alpha1.core.cozystack.io.tenantsecrets" {
 		data["additionalPrinterColumnsTrimLengths"] = []any{
 			map[string]any{
 				"key":   "Name",
@@ -1046,6 +1046,15 @@ func createConverterBytesColumn(name, jsonPath string) map[string]any {
 	}
 }

+// createFlatMapColumn creates a flatMap column that expands a map into separate rows
+func createFlatMapColumn(name, jsonPath string) map[string]any {
+	return map[string]any{
+		"name":     name,
+		"type":     "flatMap",
+		"jsonPath": jsonPath,
+	}
+}
+
 // ---------------- Factory UI helper functions ----------------

 // labelsEditor creates a Labels editor component
--- a/internal/controller/dashboard/static_refactored.go
+++ b/internal/controller/dashboard/static_refactored.go
@@ -173,11 +173,12 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 			createStringColumn("OBSERVED", ".status.observedReplicas"),
 		}),

-		// Factory details v1alpha1 core cozystack io tenantsecretstables
-		createCustomColumnsOverride("factory-details-v1alpha1.core.cozystack.io.tenantsecretstables", []any{
+		// Factory details v1alpha1 core cozystack io tenantsecrets
+		createCustomColumnsOverride("factory-details-v1alpha1.core.cozystack.io.tenantsecrets", []any{
 			createCustomColumnWithJsonPath("Name", ".metadata.name", "Secret", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-secret-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
-			createStringColumn("Key", ".data.key"),
-			createSecretBase64Column("Value", ".data.value"),
+			createFlatMapColumn("Data", ".data"),
+			createStringColumn("Key", "_flatMapData_Key"),
+			createSecretBase64Column("Value", "._flatMapData_Value"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),

@@ -1055,7 +1056,7 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 													"clusterNamePartOfUrl": "{2}",
 													"customizationId":      "factory-kube-service-details-endpointslice",
 													"fetchUrl":             "/api/clusters/{2}/k8s/apis/discovery.k8s.io/v1/namespaces/{3}/endpointslices",
-													"labelsSelector": map[string]any{
+													"labelSelector": map[string]any{
 														"kubernetes.io/service-name": "{reqsJsonPath[0]['.metadata.name']['-']}",
 													},
 													"pathToItems":     ".items[*].endpoints",
@@ -1396,7 +1397,7 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 						"clusterNamePartOfUrl": "{2}",
 						"customizationId":      "factory-details-v1alpha1.cozystack.io.workloads",
 						"fetchUrl":             "/api/clusters/{2}/k8s/apis/cozystack.io/v1alpha1/namespaces/{3}/workloads",
-						"labelsSelector": map[string]any{
+						"labelSelector": map[string]any{
 							"workloads.cozystack.io/monitor": "{reqs[0]['metadata','name']}",
 						},
 						"pathToItems": []any{"items"},
--- a/internal/controller/dashboardresources_reconciler.go
+++ b/internal/controller/dashboardresources_reconciler.go
@@ -1,469 +0,0 @@
-package controller
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"text/template"
-
-	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	rbacv1 "k8s.io/api/rbac/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/types"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/handler"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-)
-
-// DashboardResourcesReconciler reconciles HelmReleases and creates Role/RoleBinding
-// for dashboard access based on CozystackResourceDefinition
-type DashboardResourcesReconciler struct {
-	client.Client
-	Scheme *runtime.Scheme
-}
-
-// +kubebuilder:rbac:groups=helm.toolkit.fluxcd.io,resources=helmreleases,verbs=get;list;watch
-// +kubebuilder:rbac:groups=cozystack.io,resources=cozystackresourcedefinitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
-
-const (
-	DashboardResourcesRoleName         = "-dashboard-resources"
-	DashboardResourcesOwnerLabel       = "dashboardresources.cozystack.io/owned-by-crd"
-	DashboardResourcesHelmReleaseLabel = "dashboardresources.cozystack.io/helm-release"
-)
-
-// Reconcile processes HelmRelease resources and creates corresponding Role/RoleBinding
-func (r *DashboardResourcesReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	logger := log.FromContext(ctx)
-
-	// Get the HelmRelease
-	hr := &helmv2.HelmRelease{}
-	if err := r.Get(ctx, req.NamespacedName, hr); err != nil {
-		if errors.IsNotFound(err) {
-			// HelmRelease deleted - cleanup will be handled by owner references
-			return ctrl.Result{}, nil
-		}
-		logger.Error(err, "unable to fetch HelmRelease")
-		return ctrl.Result{}, err
-	}
-
-	// Skip tenant HelmReleases
-	if strings.HasPrefix(hr.Name, "tenant-") {
-		return ctrl.Result{}, nil
-	}
-
-	// Find the matching CozystackResourceDefinition
-	crd, err := r.findCRDForHelmRelease(ctx, hr)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			// No CRD found for this HelmRelease - skip
-			logger.V(1).Info("No CozystackResourceDefinition found for HelmRelease", "name", hr.Name)
-			return ctrl.Result{}, nil
-		}
-		logger.Error(err, "unable to find CozystackResourceDefinition")
-		return ctrl.Result{}, err
-	}
-
-	// Check if we need to create dashboard resources
-	if !r.shouldCreateDashboardResources(crd) {
-		// Cleanup any existing resources we created
-		if err := r.cleanupDashboardResources(ctx, hr); err != nil {
-			logger.Error(err, "failed to cleanup dashboard resources")
-			return ctrl.Result{}, err
-		}
-		return ctrl.Result{}, nil
-	}
-
-	// Create/update Role and RoleBinding
-	if err := r.reconcileDashboardResources(ctx, hr, crd); err != nil {
-		logger.Error(err, "failed to reconcile dashboard resources")
-		return ctrl.Result{}, err
-	}
-
-	return ctrl.Result{}, nil
-}
-
-// findCRDForHelmRelease finds the CozystackResourceDefinition for a given HelmRelease
-func (r *DashboardResourcesReconciler) findCRDForHelmRelease(ctx context.Context, hr *helmv2.HelmRelease) (*cozyv1alpha1.CozystackResourceDefinition, error) {
-	// List all CozystackResourceDefinitions
-	var crdList cozyv1alpha1.CozystackResourceDefinitionList
-	if err := r.List(ctx, &crdList); err != nil {
-		return nil, err
-	}
-
-	// Match by chart name and prefix
-	for i := range crdList.Items {
-		crd := &crdList.Items[i]
-		if crd.Spec.Release.Chart.Name == hr.Spec.Chart.Spec.Chart {
-			// Check if HelmRelease name matches the prefix
-			if strings.HasPrefix(hr.Name, crd.Spec.Release.Prefix) {
-				return crd, nil
-			}
-		}
-	}
-
-	return nil, errors.NewNotFound(schema.GroupResource{Group: "cozystack.io", Resource: "cozystackresourcedefinitions"}, "")
-}
-
-// shouldCreateDashboardResources checks if we should create dashboard resources
-func (r *DashboardResourcesReconciler) shouldCreateDashboardResources(crd *cozyv1alpha1.CozystackResourceDefinition) bool {
-	// Create if we have any resources defined (secrets, services, or ingresses)
-	return len(crd.Spec.Secrets.Include) > 0 ||
-		len(crd.Spec.Services.Include) > 0 ||
-		len(crd.Spec.Ingresses.Include) > 0
-}
-
-// reconcileDashboardResources creates or updates Role and RoleBinding
-func (r *DashboardResourcesReconciler) reconcileDashboardResources(
-	ctx context.Context,
-	hr *helmv2.HelmRelease,
-	crd *cozyv1alpha1.CozystackResourceDefinition,
-) error {
-	logger := log.FromContext(ctx)
-
-	// Template data for rendering resource names
-	templateData := map[string]interface{}{
-		"name":      strings.TrimPrefix(hr.Name, crd.Spec.Release.Prefix),
-		"kind":      strings.ToLower(crd.Spec.Application.Kind),
-		"namespace": hr.Namespace,
-	}
-
-	// Build policy rules
-	rules := []rbacv1.PolicyRule{}
-
-	// Add secrets rules
-	secretNames, err := r.renderResourceNames(crd.Spec.Secrets.Include, templateData)
-	if err != nil {
-		logger.Error(err, "failed to render secret names")
-	} else if len(secretNames) > 0 {
-		rules = append(rules, rbacv1.PolicyRule{
-			APIGroups:     []string{""},
-			Resources:     []string{"secrets"},
-			ResourceNames: secretNames,
-			Verbs:         []string{"get", "list", "watch"},
-		})
-	}
-
-	// Add services rules
-	serviceNames, err := r.renderResourceNames(crd.Spec.Services.Include, templateData)
-	if err != nil {
-		logger.Error(err, "failed to render service names")
-	} else if len(serviceNames) > 0 {
-		rules = append(rules, rbacv1.PolicyRule{
-			APIGroups:     []string{""},
-			Resources:     []string{"services"},
-			ResourceNames: serviceNames,
-			Verbs:         []string{"get", "list", "watch"},
-		})
-	}
-
-	// Add ingresses rules
-	ingressNames, err := r.renderResourceNames(crd.Spec.Ingresses.Include, templateData)
-	if err != nil {
-		logger.Error(err, "failed to render ingress names")
-	} else if len(ingressNames) > 0 {
-		rules = append(rules, rbacv1.PolicyRule{
-			APIGroups:     []string{"networking.k8s.io"},
-			Resources:     []string{"ingresses"},
-			ResourceNames: ingressNames,
-			Verbs:         []string{"get", "list", "watch"},
-		})
-	}
-
-	// Add WorkloadMonitors rule (always include for the release)
-	rules = append(rules, rbacv1.PolicyRule{
-		APIGroups:     []string{"cozystack.io"},
-		Resources:     []string{"workloadmonitors"},
-		ResourceNames: []string{hr.Name},
-		Verbs:         []string{"get", "list", "watch"},
-	})
-
-	// Create or update Role
-	roleName := hr.Name + DashboardResourcesRoleName
-	role := &rbacv1.Role{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      roleName,
-			Namespace: hr.Namespace,
-		},
-	}
-
-	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, role, func() error {
-		// Set labels
-		if role.Labels == nil {
-			role.Labels = make(map[string]string)
-		}
-		role.Labels[DashboardResourcesOwnerLabel] = "true"
-		role.Labels[DashboardResourcesHelmReleaseLabel] = hr.Name
-
-		// Set owner reference to HelmRelease for automatic cleanup
-		if err := controllerutil.SetControllerReference(hr, role, r.Scheme); err != nil {
-			return err
-		}
-
-		// Update rules
-		role.Rules = rules
-
-		return nil
-	})
-
-	if err != nil {
-		logger.Error(err, "failed to create/update Role", "name", roleName)
-		return err
-	}
-
-	// Create or update RoleBinding
-	roleBindingName := hr.Name + DashboardResourcesRoleName
-	roleBinding := &rbacv1.RoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      roleBindingName,
-			Namespace: hr.Namespace,
-		},
-	}
-
-	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, roleBinding, func() error {
-		// Set labels
-		if roleBinding.Labels == nil {
-			roleBinding.Labels = make(map[string]string)
-		}
-		roleBinding.Labels[DashboardResourcesOwnerLabel] = "true"
-		roleBinding.Labels[DashboardResourcesHelmReleaseLabel] = hr.Name
-
-		// Set owner reference to HelmRelease for automatic cleanup
-		if err := controllerutil.SetControllerReference(hr, roleBinding, r.Scheme); err != nil {
-			return err
-		}
-
-		// Update subjects - generate based on tenant namespace
-		roleBinding.Subjects = r.generateSubjects(hr.Namespace)
-
-		// Update role reference
-		roleBinding.RoleRef = rbacv1.RoleRef{
-			APIGroup: "rbac.authorization.k8s.io",
-			Kind:     "Role",
-			Name:     roleName,
-		}
-
-		return nil
-	})
-
-	if err != nil {
-		logger.Error(err, "failed to create/update RoleBinding", "name", roleBindingName)
-		return err
-	}
-
-	logger.V(1).Info("Dashboard resources reconciled", "role", roleName, "roleBinding", roleBindingName)
-	return nil
-}
-
-// renderResourceNames renders resource names from selectors
-func (r *DashboardResourcesReconciler) renderResourceNames(
-	selectors []*cozyv1alpha1.CozystackResourceDefinitionResourceSelector,
-	templateData map[string]interface{},
-) ([]string, error) {
-	var names []string
-	seen := make(map[string]bool)
-
-	for _, selector := range selectors {
-		if selector == nil {
-			continue
-		}
-		for _, nameTemplate := range selector.ResourceNames {
-			// Render the template
-			rendered, err := renderTemplate(nameTemplate, templateData)
-			if err != nil {
-				return nil, fmt.Errorf("failed to render template %q: %w", nameTemplate, err)
-			}
-			// Add only unique names
-			if !seen[rendered] {
-				names = append(names, rendered)
-				seen[rendered] = true
-			}
-		}
-	}
-
-	return names, nil
-}
-
-// generateSubjects generates RBAC subjects for a tenant namespace
-// This mimics the behavior of cozy-lib.rbac.subjectsForTenantAndAccessLevel
-func (r *DashboardResourcesReconciler) generateSubjects(namespace string) []rbacv1.Subject {
-	// Get all parent tenants and this tenant
-	tenants := r.getAllParentTenantsAndThis(namespace)
-
-	// Access levels at or above "use"
-	accessLevels := []string{"use", "admin", "super-admin"}
-
-	var subjects []rbacv1.Subject
-
-	for _, tenant := range tenants {
-		// Add ServiceAccount subject
-		subjects = append(subjects, rbacv1.Subject{
-			Kind:      "ServiceAccount",
-			Name:      tenant,
-			Namespace: tenant,
-		})
-
-		// Add Group subjects for each access level
-		for _, level := range accessLevels {
-			subjects = append(subjects, rbacv1.Subject{
-				Kind:     "Group",
-				Name:     fmt.Sprintf("%s-%s", tenant, level),
-				APIGroup: "rbac.authorization.k8s.io",
-			})
-		}
-	}
-
-	return subjects
-}
-
-// getAllParentTenantsAndThis returns all parent tenants and the current tenant
-func (r *DashboardResourcesReconciler) getAllParentTenantsAndThis(namespace string) []string {
-	if !strings.HasPrefix(namespace, "tenant-") {
-		return []string{}
-	}
-
-	parts := strings.Split(namespace, "-")
-	var tenants []string
-
-	// Build all parent tenant names
-	for i := 2; i <= len(parts); i++ {
-		tenant := strings.Join(parts[:i], "-")
-		tenants = append(tenants, tenant)
-	}
-
-	// Always include tenant-root if not already present
-	if namespace != "tenant-root" {
-		found := false
-		for _, t := range tenants {
-			if t == "tenant-root" {
-				found = true
-				break
-			}
-		}
-		if !found {
-			tenants = append(tenants, "tenant-root")
-		}
-	}
-
-	return tenants
-}
-
-// cleanupDashboardResources removes Role and RoleBinding created for a HelmRelease
-func (r *DashboardResourcesReconciler) cleanupDashboardResources(ctx context.Context, hr *helmv2.HelmRelease) error {
-	logger := log.FromContext(ctx)
-
-	roleName := hr.Name + DashboardResourcesRoleName
-
-	// Delete Role
-	role := &rbacv1.Role{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      roleName,
-			Namespace: hr.Namespace,
-		},
-	}
-	if err := r.Delete(ctx, role); err != nil && !errors.IsNotFound(err) {
-		logger.Error(err, "failed to delete Role", "name", roleName)
-	}
-
-	// Delete RoleBinding
-	roleBinding := &rbacv1.RoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      roleName,
-			Namespace: hr.Namespace,
-		},
-	}
-	if err := r.Delete(ctx, roleBinding); err != nil && !errors.IsNotFound(err) {
-		logger.Error(err, "failed to delete RoleBinding", "name", roleName)
-	}
-
-	return nil
-}
-
-// renderTemplate renders a Go template string with the given data
-// Reusing the same function from workloadmonitor_reconciler.go
-func renderTemplate(tmplStr string, data interface{}) (string, error) {
-	// Check if it's already a simple value (no template markers)
-	if !strings.Contains(tmplStr, "{{") {
-		return tmplStr, nil
-	}
-
-	// Add basic template functions
-	funcMap := template.FuncMap{
-		"slice": func(s string, start int) string {
-			if start >= len(s) {
-				return ""
-			}
-			return s[start:]
-		},
-	}
-
-	tmpl, err := template.New("").Funcs(funcMap).Parse(tmplStr)
-	if err != nil {
-		return "", fmt.Errorf("failed to parse template: %w", err)
-	}
-
-	var buf strings.Builder
-	if err := tmpl.Execute(&buf, data); err != nil {
-		return "", fmt.Errorf("failed to execute template: %w", err)
-	}
-
-	return strings.TrimSpace(buf.String()), nil
-}
-
-// SetupWithManager sets up the controller with the Manager
-func (r *DashboardResourcesReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("dashboardresources-controller").
-		For(&helmv2.HelmRelease{}).
-		Owns(&rbacv1.Role{}).
-		Owns(&rbacv1.RoleBinding{}).
-		Watches(
-			&cozyv1alpha1.CozystackResourceDefinition{},
-			handler.EnqueueRequestsFromMapFunc(r.mapCRDToHelmReleases),
-		).
-		Complete(r)
-}
-
-// mapCRDToHelmReleases maps CRD changes to HelmRelease reconcile requests
-func (r *DashboardResourcesReconciler) mapCRDToHelmReleases(ctx context.Context, obj client.Object) []reconcile.Request {
-	crd, ok := obj.(*cozyv1alpha1.CozystackResourceDefinition)
-	if !ok {
-		return nil
-	}
-
-	// List all HelmReleases
-	var hrList helmv2.HelmReleaseList
-	if err := r.List(ctx, &hrList); err != nil {
-		return nil
-	}
-
-	var requests []reconcile.Request
-	for i := range hrList.Items {
-		hr := &hrList.Items[i]
-		// Skip tenant HelmReleases
-		if strings.HasPrefix(hr.Name, "tenant-") {
-			continue
-		}
-		// Match by chart name and prefix
-		if crd.Spec.Release.Chart.Name == hr.Spec.Chart.Spec.Chart {
-			if strings.HasPrefix(hr.Name, crd.Spec.Release.Prefix) {
-				requests = append(requests, reconcile.Request{
-					NamespacedName: types.NamespacedName{
-						Name:      hr.Name,
-						Namespace: hr.Namespace,
-					},
-				})
-			}
-		}
-	}
-
-	return requests
-}
--- a/packages/apps/bucket/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/bucket/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  resourceNames:
+  - {{ .Release.Name }}-ui
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/clickhouse/README.md
+++ b/packages/apps/clickhouse/README.md
@@ -23,53 +23,53 @@ For more details, read [Restic: Effective Backup from Stdin](https://blog.aenix.

 ### Common parameters

-| Name               | Description                                                                                                                          | Type       | Value   |
-| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------ | ---------- | ------- |
-| `replicas`         | Number of ClickHouse replicas.                                                                                                       | `int`      | `2`     |
-| `shards`           | Number of ClickHouse shards.                                                                                                         | `int`      | `1`     |
-| `resources`        | Explicit CPU and memory configuration for each ClickHouse replica. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `resources.cpu`    | CPU available to each replica.                                                                                                       | `quantity` | `""`    |
-| `resources.memory` | Memory (RAM) available to each replica.                                                                                              | `quantity` | `""`    |
-| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                              | `string`   | `small` |
-| `size`             | Persistent Volume Claim size available for application data.                                                                         | `quantity` | `10Gi`  |
-| `storageClass`     | StorageClass used to store the data.                                                                                                 | `string`   | `""`    |
+| Name               | Description                                                                                                                               | Type        | Value   |
+| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
+| `replicas`         | Number of Clickhouse replicas                                                                                                             | `int`       | `2`     |
+| `shards`           | Number of Clickhouse shards                                                                                                               | `int`       | `1`     |
+| `resources`        | Explicit CPU and memory configuration for each Clickhouse replica. When left empty, the preset defined in `resourcesPreset` is applied.   | `*object`   | `null`  |
+| `resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null`  |
+| `resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null`  |
+| `resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `small` |
+| `size`             | Persistent Volume Claim size, available for application data                                                                              | `quantity`  | `10Gi`  |
+| `storageClass`     | StorageClass used to store the data                                                                                                       | `string`    | `""`    |


 ### Application-specific parameters

-| Name                   | Description                                                   | Type                | Value   |
-| ---------------------- | ------------------------------------------------------------- | ------------------- | ------- |
-| `logStorageSize`       | Size of Persistent Volume for logs.                           | `quantity`          | `2Gi`   |
-| `logTTL`               | TTL (expiration time) for `query_log` and `query_thread_log`. | `int`               | `15`    |
-| `users`                | Users configuration map.                                      | `map[string]object` | `{}`    |
-| `users[name].password` | Password for the user.                                        | `string`            | `""`    |
-| `users[name].readonly` | User is readonly (default: false).                            | `bool`              | `false` |
+| Name                   | Description                                                  | Type                | Value   |
+| ---------------------- | ------------------------------------------------------------ | ------------------- | ------- |
+| `logStorageSize`       | Size of Persistent Volume for logs                           | `quantity`          | `2Gi`   |
+| `logTTL`               | TTL (expiration time) for `query_log` and `query_thread_log` | `int`               | `15`    |
+| `users`                | Users configuration                                          | `map[string]object` | `{...}` |
+| `users[name].password` | Password for the user                                        | `*string`           | `null`  |
+| `users[name].readonly` | User is `readonly`, default is `false`.                      | `*bool`             | `null`  |


 ### Backup parameters

-| Name                     | Description                                     | Type     | Value                                                  |
-| ------------------------ | ----------------------------------------------- | -------- | ------------------------------------------------------ |
-| `backup`                 | Backup configuration.                           | `object` | `{}`                                                   |
-| `backup.enabled`         | Enable regular backups (default: false).        | `bool`   | `false`                                                |
-| `backup.s3Region`        | AWS S3 region where backups are stored.         | `string` | `us-east-1`                                            |
-| `backup.s3Bucket`        | S3 bucket used for storing backups.             | `string` | `s3.example.org/clickhouse-backups`                    |
-| `backup.schedule`        | Cron schedule for automated backups.            | `string` | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups. | `string` | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | Access key for S3 authentication.               | `string` | `<your-access-key>`                                    |
-| `backup.s3SecretKey`     | Secret key for S3 authentication.               | `string` | `<your-secret-key>`                                    |
-| `backup.resticPassword`  | Password for Restic backup encryption.          | `string` | `<password>`                                           |
+| Name                     | Description                                    | Type     | Value                                                  |
+| ------------------------ | ---------------------------------------------- | -------- | ------------------------------------------------------ |
+| `backup`                 | Backup configuration                           | `object` | `{}`                                                   |
+| `backup.enabled`         | Enable regular backups, default is `false`     | `bool`   | `false`                                                |
+| `backup.s3Region`        | AWS S3 region where backups are stored         | `string` | `us-east-1`                                            |
+| `backup.s3Bucket`        | S3 bucket used for storing backups             | `string` | `s3.example.org/clickhouse-backups`                    |
+| `backup.schedule`        | Cron schedule for automated backups            | `string` | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups | `string` | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication     | `string` | `<your-access-key>`                                    |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication     | `string` | `<your-secret-key>`                                    |
+| `backup.resticPassword`  | Password for Restic backup encryption          | `string` | `<password>`                                           |


-### ClickHouse Keeper parameters
+### Clickhouse Keeper parameters

-| Name                               | Description                                                  | Type       | Value   |
-| ---------------------------------- | ------------------------------------------------------------ | ---------- | ------- |
-| `clickhouseKeeper`                 | ClickHouse Keeper configuration.                             | `object`   | `{}`    |
-| `clickhouseKeeper.enabled`         | Deploy ClickHouse Keeper for cluster coordination.           | `bool`     | `true`  |
-| `clickhouseKeeper.size`            | Persistent Volume Claim size available for application data. | `quantity` | `1Gi`   |
-| `clickhouseKeeper.resourcesPreset` | Default sizing preset.                                       | `string`   | `micro` |
-| `clickhouseKeeper.replicas`        | Number of Keeper replicas.                                   | `int`      | `3`     |
+| Name                               | Description                                                                                                                               | Type        | Value   |
+| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
+| `clickhouseKeeper`                 | Clickhouse Keeper configuration                                                                                                           | `*object`   | `null`  |
+| `clickhouseKeeper.enabled`         | Deploy ClickHouse Keeper for cluster coordination                                                                                         | `*bool`     | `true`  |
+| `clickhouseKeeper.size`            | Persistent Volume Claim size, available for application data                                                                              | `*quantity` | `1Gi`   |
+| `clickhouseKeeper.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `micro` |
+| `clickhouseKeeper.replicas`        | Number of Keeper replicas                                                                                                                 | `*int`      | `3`     |


 ## Parameter examples and reference
--- a/packages/apps/clickhouse/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/clickhouse/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - chendpoint-{{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  {{- if .Values.clickhouseKeeper.enabled }}
+  - {{ .Release.Name }}-keeper
+  {{- end }}
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/clickhouse/values.schema.json
+++ b/packages/apps/clickhouse/values.schema.json
@@ -3,7 +3,7 @@
  "type": "object",
  "properties": {
    "backup": {
-      "description": "Backup configuration.",
+      "description": "Backup configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -18,64 +18,67 @@
      ],
      "properties": {
        "cleanupStrategy": {
-          "description": "Retention strategy for cleaning up old backups.",
+          "description": "Retention strategy for cleaning up old backups",
          "type": "string",
          "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
        },
        "enabled": {
-          "description": "Enable regular backups (default: false).",
+          "description": "Enable regular backups, default is `false`",
          "type": "boolean",
          "default": false
        },
        "resticPassword": {
-          "description": "Password for Restic backup encryption.",
+          "description": "Password for Restic backup encryption",
          "type": "string",
          "default": "\u003cpassword\u003e"
        },
        "s3AccessKey": {
-          "description": "Access key for S3 authentication.",
+          "description": "Access key for S3, used for authentication",
          "type": "string",
          "default": "\u003cyour-access-key\u003e"
        },
        "s3Bucket": {
-          "description": "S3 bucket used for storing backups.",
+          "description": "S3 bucket used for storing backups",
          "type": "string",
          "default": "s3.example.org/clickhouse-backups"
        },
        "s3Region": {
-          "description": "AWS S3 region where backups are stored.",
+          "description": "AWS S3 region where backups are stored",
          "type": "string",
          "default": "us-east-1"
        },
        "s3SecretKey": {
-          "description": "Secret key for S3 authentication.",
+          "description": "Secret key for S3, used for authentication",
          "type": "string",
          "default": "\u003cyour-secret-key\u003e"
        },
        "schedule": {
-          "description": "Cron schedule for automated backups.",
+          "description": "Cron schedule for automated backups",
          "type": "string",
          "default": "0 2 * * *"
        }
      }
    },
    "clickhouseKeeper": {
-      "description": "ClickHouse Keeper configuration.",
+      "description": "Clickhouse Keeper configuration",
      "type": "object",
      "default": {},
+      "required": [
+        "resourcesPreset"
+      ],
      "properties": {
        "enabled": {
-          "description": "Deploy ClickHouse Keeper for cluster coordination.",
+          "description": "Deploy ClickHouse Keeper for cluster coordination",
          "type": "boolean",
          "default": true
        },
        "replicas": {
-          "description": "Number of Keeper replicas.",
+          "description": "Number of Keeper replicas",
          "type": "integer",
          "default": 3
        },
        "resourcesPreset": {
-          "description": "Default sizing preset.",
+          "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
          "type": "string",
          "default": "micro",
          "enum": [
@@ -89,7 +92,7 @@
          ]
        },
        "size": {
-          "description": "Persistent Volume Claim size available for application data.",
+          "description": "Persistent Volume Claim size, available for application data",
          "default": "1Gi",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
@@ -105,7 +108,7 @@
      }
    },
    "logStorageSize": {
-      "description": "Size of Persistent Volume for logs.",
+      "description": "Size of Persistent Volume for logs",
      "default": "2Gi",
      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
      "anyOf": [
@@ -119,22 +122,22 @@
      "x-kubernetes-int-or-string": true
    },
    "logTTL": {
-      "description": "TTL (expiration time) for `query_log` and `query_thread_log`.",
+      "description": "TTL (expiration time) for `query_log` and `query_thread_log`",
      "type": "integer",
      "default": 15
    },
    "replicas": {
-      "description": "Number of ClickHouse replicas.",
+      "description": "Number of Clickhouse replicas",
      "type": "integer",
      "default": 2
    },
    "resources": {
-      "description": "Explicit CPU and memory configuration for each ClickHouse replica. When omitted, the preset defined in `resourcesPreset` is applied.",
+      "description": "Explicit CPU and memory configuration for each Clickhouse replica. When left empty, the preset defined in `resourcesPreset` is applied.",
      "type": "object",
      "default": {},
      "properties": {
        "cpu": {
-          "description": "CPU available to each replica.",
+          "description": "CPU available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -147,7 +150,7 @@
          "x-kubernetes-int-or-string": true
        },
        "memory": {
-          "description": "Memory (RAM) available to each replica.",
+          "description": "Memory (RAM) available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -162,7 +165,7 @@
      }
    },
    "resourcesPreset": {
-      "description": "Default sizing preset used when `resources` is omitted.",
+      "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
      "type": "string",
      "default": "small",
      "enum": [
@@ -176,12 +179,12 @@
      ]
    },
    "shards": {
-      "description": "Number of ClickHouse shards.",
+      "description": "Number of Clickhouse shards",
      "type": "integer",
      "default": 1
    },
    "size": {
-      "description": "Persistent Volume Claim size available for application data.",
+      "description": "Persistent Volume Claim size, available for application data",
      "default": "10Gi",
      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
      "anyOf": [
@@ -195,23 +198,22 @@
      "x-kubernetes-int-or-string": true
    },
    "storageClass": {
-      "description": "StorageClass used to store the data.",
-      "type": "string",
-      "default": ""
+      "description": "StorageClass used to store the data",
+      "type": "string"
    },
    "users": {
-      "description": "Users configuration map.",
+      "description": "Users configuration",
      "type": "object",
      "default": {},
      "additionalProperties": {
        "type": "object",
        "properties": {
          "password": {
-            "description": "Password for the user.",
+            "description": "Password for the user",
            "type": "string"
          },
          "readonly": {
-            "description": "User is readonly (default: false).",
+            "description": "User is `readonly`, default is `false`.",
            "type": "boolean"
          }
        }
--- a/packages/apps/clickhouse/values.yaml
+++ b/packages/apps/clickhouse/values.yaml
@@ -1,54 +1,36 @@
-##
 ## @section Common parameters
 ##
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each ClickHouse replica.
-## @field {quantity} [cpu] - CPU available to each replica.
-## @field {quantity} [memory] - Memory (RAM) available to each replica.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @param {int} replicas - Number of ClickHouse replicas.
+## @param replicas {int} Number of Clickhouse replicas
 replicas: 2
-
-## @param {int} shards - Number of ClickHouse shards.
+## @param shards {int} Number of Clickhouse shards
 shards: 1
-
-## @param {Resources} [resources] - Explicit CPU and memory configuration for each ClickHouse replica. When omitted, the preset defined in `resourcesPreset` is applied.
+## @param resources {*resources} Explicit CPU and memory configuration for each Clickhouse replica. When left empty, the preset defined in `resourcesPreset` is applied.
+## @field resources.cpu {*quantity} CPU available to each replica
+## @field resources.memory {*quantity} Memory (RAM) available to each replica
+#  resources:
+#    cpu: 4000m
+#    memory: 4Gi
 resources: {}

-## @param {ResourcesPreset} resourcesPreset="small" - Default sizing preset used when `resources` is omitted.
+
+
+## @param resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
 resourcesPreset: "small"
-
-## @param {quantity} size - Persistent Volume Claim size available for application data.
+## @param size {quantity} Persistent Volume Claim size, available for application data
 size: 10Gi
-
-## @param {string} storageClass - StorageClass used to store the data.
+## @param storageClass {string} StorageClass used to store the data
 storageClass: ""

-##
+
 ## @section Application-specific parameters
 ##
-
-## @param {quantity} logStorageSize - Size of Persistent Volume for logs.
+## @param logStorageSize {quantity} Size of Persistent Volume for logs
 logStorageSize: 2Gi
-
-## @param {int} logTTL - TTL (expiration time) for `query_log` and `query_thread_log`.
+## @param logTTL {int} TTL (expiration time) for `query_log` and `query_thread_log`
 logTTL: 15
-
-## @typedef {struct} User - User configuration.
-## @field {string} [password] - Password for the user.
-## @field {bool} [readonly] - User is readonly (default: false).
-
-## @param {map[string]User} users - Users configuration map.
-users: {}
+## @param users {map[string]user} Users configuration
+## @field user.password {*string} Password for the user
+## @field user.readonly {*bool} User is `readonly`, default is `false`.
 ## Example:
 ## users:
 ##   user1:
@@ -57,22 +39,20 @@ users: {}
 ##     readonly: true
 ##     password: hackme
 ##
+users: {}
+

-##
 ## @section Backup parameters
-##

-## @typedef {struct} Backup - Backup configuration.
-## @field {bool} enabled - Enable regular backups (default: false).
-## @field {string} s3Region - AWS S3 region where backups are stored.
-## @field {string} s3Bucket - S3 bucket used for storing backups.
-## @field {string} schedule - Cron schedule for automated backups.
-## @field {string} cleanupStrategy - Retention strategy for cleaning up old backups.
-## @field {string} s3AccessKey - Access key for S3 authentication.
-## @field {string} s3SecretKey - Secret key for S3 authentication.
-## @field {string} resticPassword - Password for Restic backup encryption.
-
-## @param {Backup} backup - Backup configuration.
+## @param backup {backup} Backup configuration
+## @field backup.enabled {bool} Enable regular backups, default is `false`
+## @field backup.s3Region {string} AWS S3 region where backups are stored
+## @field backup.s3Bucket {string} S3 bucket used for storing backups
+## @field backup.schedule {string} Cron schedule for automated backups
+## @field backup.cleanupStrategy {string} Retention strategy for cleaning up old backups
+## @field backup.s3AccessKey {string} Access key for S3, used for authentication
+## @field backup.s3SecretKey {string} Secret key for S3, used for authentication
+## @field backup.resticPassword {string} Password for Restic backup encryption
 backup:
  enabled: false
  s3Region: us-east-1
@@ -83,17 +63,13 @@ backup:
  s3SecretKey: "<your-secret-key>"
  resticPassword: "<password>"

-##
-## @section ClickHouse Keeper parameters
-##

-## @typedef {struct} ClickHouseKeeper - ClickHouse Keeper configuration.
-## @field {bool} [enabled] - Deploy ClickHouse Keeper for cluster coordination.
-## @field {quantity} [size] - Persistent Volume Claim size available for application data.
-## @field {ResourcesPreset} [resourcesPreset] - Default sizing preset.
-## @field {int} [replicas] - Number of Keeper replicas.
-
-## @param {ClickHouseKeeper} clickhouseKeeper - ClickHouse Keeper configuration.
+## @section Clickhouse Keeper parameters
+## @param clickhouseKeeper {*clickhouseKeeper} Clickhouse Keeper configuration
+## @field clickhouseKeeper.enabled {*bool} Deploy ClickHouse Keeper for cluster coordination
+## @field clickhouseKeeper.size {*quantity} Persistent Volume Claim size, available for application data
+## @field clickhouseKeeper.resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
+## @field clickhouseKeeper.replicas {*int} Number of Keeper replicas
 clickhouseKeeper:
  enabled: true
  size: 1Gi
--- a/packages/apps/ferretdb/README.md
+++ b/packages/apps/ferretdb/README.md
@@ -8,51 +8,51 @@ Internally, FerretDB service is backed by Postgres.

 ### Common parameters

-| Name               | Description                                                                                                                        | Type       | Value   |
-| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------- |
-| `replicas`         | Number of replicas.                                                                                                                | `int`      | `2`     |
-| `resources`        | Explicit CPU and memory configuration for each FerretDB replica. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `resources.cpu`    | CPU available to each replica.                                                                                                     | `quantity` | `""`    |
-| `resources.memory` | Memory (RAM) available to each replica.                                                                                            | `quantity` | `""`    |
-| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                            | `string`   | `micro` |
-| `size`             | Persistent Volume Claim size available for application data.                                                                       | `quantity` | `10Gi`  |
-| `storageClass`     | StorageClass used to store the data.                                                                                               | `string`   | `""`    |
-| `external`         | Enable external access from outside the cluster.                                                                                   | `bool`     | `false` |
+| Name               | Description                                                                                                                               | Type        | Value   |
+| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
+| `replicas`         | Number of replicas                                                                                                                        | `int`       | `2`     |
+| `resources`        | Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.     | `*object`   | `null`  |
+| `resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null`  |
+| `resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null`  |
+| `resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `micro` |
+| `size`             | Persistent Volume Claim size, available for application data                                                                              | `quantity`  | `10Gi`  |
+| `storageClass`     | StorageClass used to store the data                                                                                                       | `string`    | `""`    |
+| `external`         | Enable external access from outside the cluster                                                                                           | `bool`      | `false` |


 ### Application-specific parameters

-| Name                     | Description                                                                        | Type                | Value |
-| ------------------------ | ---------------------------------------------------------------------------------- | ------------------- | ----- |
-| `quorum`                 | Configuration for quorum-based synchronous replication.                            | `object`            | `{}`  |
-| `quorum.minSyncReplicas` | Minimum number of synchronous replicas required for commit.                        | `int`               | `0`   |
-| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas allowed (must be less than total replicas). | `int`               | `0`   |
-| `users`                  | Users configuration map.                                                           | `map[string]object` | `{}`  |
-| `users[name].password`   | Password for the user.                                                             | `string`            | `""`  |
+| Name                     | Description                                                                                                                 | Type                | Value   |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ------------------- | ------- |
+| `quorum`                 | Configuration for the quorum-based synchronous replication                                                                  | `object`            | `{}`    |
+| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed                | `int`               | `0`     |
+| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas) | `int`               | `0`     |
+| `users`                  | Users configuration                                                                                                         | `map[string]object` | `{...}` |
+| `users[name].password`   | Password for the user                                                                                                       | `*string`           | `null`  |


 ### Backup parameters

-| Name                     | Description                                                  | Type     | Value                               |
-| ------------------------ | ------------------------------------------------------------ | -------- | ----------------------------------- |
-| `backup`                 | Backup configuration.                                        | `object` | `{}`                                |
-| `backup.enabled`         | Enable regular backups (default: false).                     | `bool`   | `false`                             |
-| `backup.schedule`        | Cron schedule for automated backups.                         | `string` | `0 2 * * * *`                       |
-| `backup.retentionPolicy` | Retention policy.                                            | `string` | `30d`                               |
-| `backup.endpointURL`     | S3 endpoint URL for uploads.                                 | `string` | `http://minio-gateway-service:9000` |
-| `backup.destinationPath` | Path to store the backup (e.g. s3://bucket/path/to/folder/). | `string` | `s3://bucket/path/to/folder/`       |
-| `backup.s3AccessKey`     | Access key for S3 authentication.                            | `string` | `<your-access-key>`                 |
-| `backup.s3SecretKey`     | Secret key for S3 authentication.                            | `string` | `<your-secret-key>`                 |
+| Name                     | Description                                                | Type     | Value                               |
+| ------------------------ | ---------------------------------------------------------- | -------- | ----------------------------------- |
+| `backup`                 | Backup configuration                                       | `object` | `{}`                                |
+| `backup.enabled`         | Enable regular backups, default is `false`.                | `bool`   | `false`                             |
+| `backup.schedule`        | Cron schedule for automated backups                        | `string` | `0 2 * * * *`                       |
+| `backup.retentionPolicy` | Retention policy                                           | `string` | `30d`                               |
+| `backup.endpointURL`     | S3 Endpoint used to upload data to the cloud               | `string` | `http://minio-gateway-service:9000` |
+| `backup.destinationPath` | Path to store the backup (i.e. s3://bucket/path/to/folder) | `string` | `s3://bucket/path/to/folder/`       |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                 | `string` | `<your-access-key>`                 |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                 | `string` | `<your-secret-key>`                 |


 ### Bootstrap (recovery) parameters

-| Name                     | Description                                                         | Type     | Value   |
-| ------------------------ | ------------------------------------------------------------------- | -------- | ------- |
-| `bootstrap`              | Bootstrap configuration.                                            | `object` | `{}`    |
-| `bootstrap.enabled`      | Restore database cluster from a backup.                             | `bool`   | `false` |
-| `bootstrap.recoveryTime` | Timestamp (RFC3339) for point-in-time recovery; empty means latest. | `string` | `""`    |
-| `bootstrap.oldName`      | Name of database cluster before deletion.                           | `string` | `""`    |
+| Name                     | Description                                                                                                           | Type      | Value   |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------- | --------- | ------- |
+| `bootstrap`              | Bootstrap (recovery) configuration                                                                                    | `object`  | `{}`    |
+| `bootstrap.enabled`      | Restore database cluster from a backup                                                                                | `*bool`   | `false` |
+| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest. | `*string` | `""`    |
+| `bootstrap.oldName`      | Name of database cluster before deleting                                                                              | `*string` | `""`    |


 ## Parameter examples and reference
--- a/packages/apps/ferretdb/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/ferretdb/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/ferretdb/values.schema.json
+++ b/packages/apps/ferretdb/values.schema.json
@@ -3,7 +3,7 @@
  "type": "object",
  "properties": {
    "backup": {
-      "description": "Backup configuration.",
+      "description": "Backup configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -17,71 +17,69 @@
      ],
      "properties": {
        "destinationPath": {
-          "description": "Path to store the backup (e.g. s3://bucket/path/to/folder/).",
+          "description": "Path to store the backup (i.e. s3://bucket/path/to/folder)",
          "type": "string",
          "default": "s3://bucket/path/to/folder/"
        },
        "enabled": {
-          "description": "Enable regular backups (default: false).",
+          "description": "Enable regular backups, default is `false`.",
          "type": "boolean",
          "default": false
        },
        "endpointURL": {
-          "description": "S3 endpoint URL for uploads.",
+          "description": "S3 Endpoint used to upload data to the cloud",
          "type": "string",
          "default": "http://minio-gateway-service:9000"
        },
        "retentionPolicy": {
-          "description": "Retention policy.",
+          "description": "Retention policy",
          "type": "string",
          "default": "30d"
        },
        "s3AccessKey": {
-          "description": "Access key for S3 authentication.",
+          "description": "Access key for S3, used for authentication",
          "type": "string",
          "default": "\u003cyour-access-key\u003e"
        },
        "s3SecretKey": {
-          "description": "Secret key for S3 authentication.",
+          "description": "Secret key for S3, used for authentication",
          "type": "string",
          "default": "\u003cyour-secret-key\u003e"
        },
        "schedule": {
-          "description": "Cron schedule for automated backups.",
+          "description": "Cron schedule for automated backups",
          "type": "string",
          "default": "0 2 * * * *"
        }
      }
    },
    "bootstrap": {
-      "description": "Bootstrap configuration.",
+      "description": "Bootstrap (recovery) configuration",
      "type": "object",
      "default": {},
      "properties": {
        "enabled": {
-          "description": "Restore database cluster from a backup.",
+          "description": "Restore database cluster from a backup",
          "type": "boolean",
          "default": false
        },
        "oldName": {
-          "description": "Name of database cluster before deletion.",
-          "type": "string",
-          "default": ""
+          "description": "Name of database cluster before deleting",
+          "type": "string"
        },
        "recoveryTime": {
-          "description": "Timestamp (RFC3339) for point-in-time recovery; empty means latest.",
-          "type": "string",
-          "default": ""
+          "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest.",
+          "type": "string"
        }
      }
    },
    "external": {
-      "description": "Enable external access from outside the cluster.",
+      "description": "Enable external access from outside the cluster",
      "type": "boolean",
      "default": false
    },
    "quorum": {
-      "description": "Configuration for quorum-based synchronous replication.",
+      "description": "Configuration for the quorum-based synchronous replication",
      "type": "object",
      "default": {},
      "required": [
@@ -90,29 +88,29 @@
      ],
      "properties": {
        "maxSyncReplicas": {
-          "description": "Maximum number of synchronous replicas allowed (must be less than total replicas).",
+          "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)",
          "type": "integer",
          "default": 0
        },
        "minSyncReplicas": {
-          "description": "Minimum number of synchronous replicas required for commit.",
+          "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed",
          "type": "integer",
          "default": 0
        }
      }
    },
    "replicas": {
-      "description": "Number of replicas.",
+      "description": "Number of replicas",
      "type": "integer",
      "default": 2
    },
    "resources": {
-      "description": "Explicit CPU and memory configuration for each FerretDB replica. When omitted, the preset defined in `resourcesPreset` is applied.",
+      "description": "Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.",
      "type": "object",
      "default": {},
      "properties": {
        "cpu": {
-          "description": "CPU available to each replica.",
+          "description": "CPU available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -125,7 +123,7 @@
          "x-kubernetes-int-or-string": true
        },
        "memory": {
-          "description": "Memory (RAM) available to each replica.",
+          "description": "Memory (RAM) available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -140,7 +138,7 @@
      }
    },
    "resourcesPreset": {
-      "description": "Default sizing preset used when `resources` is omitted.",
+      "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
      "type": "string",
      "default": "micro",
      "enum": [
@@ -154,7 +152,7 @@
      ]
    },
    "size": {
-      "description": "Persistent Volume Claim size available for application data.",
+      "description": "Persistent Volume Claim size, available for application data",
      "default": "10Gi",
      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
      "anyOf": [
@@ -168,19 +166,18 @@
      "x-kubernetes-int-or-string": true
    },
    "storageClass": {
-      "description": "StorageClass used to store the data.",
-      "type": "string",
-      "default": ""
+      "description": "StorageClass used to store the data",
+      "type": "string"
    },
    "users": {
-      "description": "Users configuration map.",
+      "description": "Users configuration",
      "type": "object",
      "default": {},
      "additionalProperties": {
        "type": "object",
        "properties": {
          "password": {
-            "description": "Password for the user.",
+            "description": "Password for the user",
            "type": "string"
          }
        }
--- a/packages/apps/ferretdb/values.yaml
+++ b/packages/apps/ferretdb/values.yaml
@@ -1,56 +1,35 @@
-##
 ## @section Common parameters
 ##
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each FerretDB replica.
-## @field {quantity} [cpu] - CPU available to each replica.
-## @field {quantity} [memory] - Memory (RAM) available to each replica.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @param {int} replicas - Number of replicas.
+## @param replicas {int} Number of replicas
 replicas: 2
-
-## @param {Resources} [resources] - Explicit CPU and memory configuration for each FerretDB replica. When omitted, the preset defined in `resourcesPreset` is applied.
+## @param resources {*resources} Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
+## @field resources.cpu {*quantity} CPU available to each replica
+## @field resources.memory {*quantity} Memory (RAM) available to each replica
+#  resources:
+#    cpu: 4000m
+#    memory: 4Gi
 resources: {}

-## @param {ResourcesPreset} resourcesPreset="micro" - Default sizing preset used when `resources` is omitted.
+## @param resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
 resourcesPreset: "micro"
-
-## @param {quantity} size - Persistent Volume Claim size available for application data.
+## @param size {quantity} Persistent Volume Claim size, available for application data
 size: 10Gi
-
-## @param {string} storageClass - StorageClass used to store the data.
+## @param storageClass {string} StorageClass used to store the data
 storageClass: ""
-
-## @param {bool} external - Enable external access from outside the cluster.
+## @param external {bool} Enable external access from outside the cluster
 external: false

-##
 ## @section Application-specific parameters
 ##
-
-## @typedef {struct} Quorum - Configuration for quorum-based synchronous replication.
-## @field {int} minSyncReplicas - Minimum number of synchronous replicas required for commit.
-## @field {int} maxSyncReplicas - Maximum number of synchronous replicas allowed (must be less than total replicas).
-
-## @param {Quorum} quorum - Configuration for quorum-based synchronous replication.
+## @param quorum {quorum} Configuration for the quorum-based synchronous replication
+## @field quorum.minSyncReplicas {int} Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed
+## @field quorum.maxSyncReplicas {int} Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)
 quorum:
  minSyncReplicas: 0
  maxSyncReplicas: 0

-## @typedef {struct} User - User configuration.
-## @field {string} [password] - Password for the user.
-
-## @param {map[string]User} users - Users configuration map.
-users: {}
+## @param users {map[string]user} Users configuration
+## @field user.password {*string} Password for the user
 ## Example:
 ## users:
 ##   user1:
@@ -58,21 +37,21 @@ users: {}
 ##   user2:
 ##     password: hackme
 ##
+users: {}
+
+

-##
 ## @section Backup parameters
 ##

-## @typedef {struct} Backup - Backup configuration.
-## @field {bool} enabled - Enable regular backups (default: false).
-## @field {string} schedule - Cron schedule for automated backups.
-## @field {string} retentionPolicy - Retention policy.
-## @field {string} endpointURL - S3 endpoint URL for uploads.
-## @field {string} destinationPath - Path to store the backup (e.g. s3://bucket/path/to/folder/).
-## @field {string} s3AccessKey - Access key for S3 authentication.
-## @field {string} s3SecretKey - Secret key for S3 authentication.
-
-## @param {Backup} backup - Backup configuration.
+## @param backup {backup} Backup configuration
+## @field backup.enabled {bool} Enable regular backups, default is `false`.
+## @field backup.schedule {string} Cron schedule for automated backups
+## @field backup.retentionPolicy {string} Retention policy
+## @field backup.endpointURL {string} S3 Endpoint used to upload data to the cloud
+## @field backup.destinationPath {string} Path to store the backup (i.e. s3://bucket/path/to/folder)
+## @field backup.s3AccessKey {string} Access key for S3, used for authentication
+## @field backup.s3SecretKey {string} Secret key for S3, used for authentication
 backup:
  enabled: false
  schedule: "0 2 * * * *"
@@ -82,17 +61,18 @@ backup:
  s3AccessKey: "<your-access-key>"
  s3SecretKey: "<your-secret-key>"

-##
+
 ## @section Bootstrap (recovery) parameters
 ##
-
-## @typedef {struct} Bootstrap - Bootstrap configuration for restoring a database cluster from a backup.
-## @field {bool} [enabled] - Restore database cluster from a backup.
-## @field {string} [recoveryTime] - Timestamp (RFC3339) for point-in-time recovery; empty means latest.
-## @field {string} [oldName] - Name of database cluster before deletion.
-
-## @param {Bootstrap} bootstrap - Bootstrap configuration.
+## @param bootstrap {bootstrap} Bootstrap (recovery) configuration
+## @field bootstrap.enabled {*bool} Restore database cluster from a backup
+## @field bootstrap.recoveryTime {*string} Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest.
+## @field bootstrap.oldName {*string} Name of database cluster before deleting
+##
 bootstrap:
  enabled: false
+  # example: 2020-11-26 15:22:00.00000+00
  recoveryTime: ""
  oldName: ""
+
+
--- a/packages/apps/foundationdb/.helmignore
+++ b/packages/apps/foundationdb/.helmignore
@@ -1 +0,0 @@
-Makefile
--- a/packages/apps/foundationdb/Chart.yaml
+++ b/packages/apps/foundationdb/Chart.yaml
@@ -1,25 +0,0 @@
-apiVersion: v2
-name: foundationdb
-description: Managed FoundationDB service
-icon: /logos/foundationdb.svg
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "7.3.63"
--- a/packages/apps/foundationdb/Makefile
+++ b/packages/apps/foundationdb/Makefile
@@ -1,4 +0,0 @@
-include ../../../scripts/package.mk
-
-generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
--- a/packages/apps/foundationdb/README.md
+++ b/packages/apps/foundationdb/README.md
@@ -1,195 +0,0 @@
-# FoundationDB
-
-A managed FoundationDB service for Cozystack.
-
-## Overview
-
-FoundationDB is a distributed database designed to handle large volumes of structured data across clusters of commodity servers. It organizes data as an ordered key-value store and employs ACID transactions for all operations.
-
-This package provides a managed FoundationDB cluster deployment using the FoundationDB Kubernetes Operator.
-
-## Features
-
- **High Availability**: Multi-instance deployment with automatic failover
- **ACID Transactions**: Full ACID transaction support across the cluster
- **Scalable**: Easily scale storage and compute resources
- **Backup Integration**: Optional S3-compatible backup storage
- **Monitoring**: Built-in monitoring and alerting through WorkloadMonitor
- **Flexible Configuration**: Support for custom FoundationDB parameters
-
-## Configuration
-
-### Basic Configuration
-
-```yaml
-# Cluster process configuration
-cluster:
-  version: "7.3.63"
-  processCounts:
-    storage: 3           # Number of storage processes (determines cluster size)
-    stateless: -1        # Automatically calculated
-    cluster_controller: 1
-  faultDomain:
-    key: "kubernetes.io/hostname"
-    valueFrom: "spec.nodeName"
-```
-
-### Storage
-
-```yaml
-storage:
-  size: "16Gi"           # Storage size per instance
-  storageClass: ""       # Storage class (optional)
-```
-
-### Resources
-
-```yaml
-# Use preset sizing
-resourcesPreset: "medium"  # small, medium, large, xlarge, 2xlarge
-
-# Or custom resource configuration
-resources:
-  cpu: "2000m"
-  memory: "4Gi"
-```
-
-### Backup (Optional)
-
-```yaml
-backup:
-  enabled: true
-  s3:
-    bucket: "my-fdb-backups"
-    endpoint: "https://s3.amazonaws.com"
-    region: "us-east-1"
-    credentials:
-      accessKeyId: "AKIA..."
-      secretAccessKey: "..."
-  retentionPolicy: "7d"
-```
-
-### Advanced Configuration
-
-```yaml
-# Custom FoundationDB parameters
-customParameters:
-  - "knob_disable_posix_kernel_aio=1"
-
-# Image type (unified is default and recommended for new deployments)
-imageType: "unified"
-
-# Enable automatic pod replacements
-automaticReplacements: true
-
-# Security context configuration
-securityContext:
-  runAsUser: 4059
-  runAsGroup: 4059
-```
-
-## Prerequisites
-
- FoundationDB Operator must be installed in the cluster
- Sufficient storage and compute resources
- For backups: S3-compatible storage credentials
-
-## Deployment
-
-1. Install the FoundationDB operator (system package)
-2. Deploy this application package with your desired configuration
-3. The cluster will be automatically provisioned and configured
-
-## Monitoring
-
-This package includes WorkloadMonitor integration for cluster health monitoring and resource tracking. Monitoring can be disabled by setting:
-
-```yaml
-monitoring:
-  enabled: false
-```
-
-## Security
-
- All containers run with restricted security contexts
- No privilege escalation allowed
- Read-only root filesystem where possible
- Custom security context configurations supported
-
-## Fault Tolerance
-
-FoundationDB is designed for high availability:
- Automatic failure detection and recovery
- Data replication across instances
- Configurable fault domains for rack/zone awareness
- Transaction log redundancy
-
-The included `WorkloadMonitor` is automatically configured based on the `cluster.redundancyMode` value. It sets the `minReplicas` property on the `WorkloadMonitor` resource to ensure the cluster's health status accurately reflects its fault tolerance level. The number of tolerated failures is as follows:
- `single`: 0 failures
- `double`: 1 failure
- `triple` and datacenter-aware modes: 2 failures
-
-For example, with the default configuration (`redundancyMode: double` and 3 storage pods), `minReplicas` will be set to 2.
-
-## Performance Considerations
-
- Use SSD storage for better performance
- Consider dedicating nodes for storage processes
- Monitor cluster metrics for optimization opportunities
- Scale storage and stateless processes based on workload
-
-## Support
-
-For issues related to FoundationDB itself, refer to the [FoundationDB documentation](https://apple.github.io/foundationdb/).
-
-For Cozystack-specific issues, consult the Cozystack documentation or support channels.
-
-## Parameters
-
-### Common parameters
-
-| Name                                       | Description                                                                                                                             | Type       | Value                    |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------------------------ |
-| `cluster`                                  | Cluster configuration.                                                                                                                  | `object`   | `{}`                     |
-| `cluster.processCounts`                    | Process counts for different roles.                                                                                                     | `object`   | `{}`                     |
-| `cluster.processCounts.stateless`          | Number of stateless processes (-1 for automatic).                                                                                       | `int`      | `-1`                     |
-| `cluster.processCounts.storage`            | Number of storage processes (determines cluster size).                                                                                  | `int`      | `3`                      |
-| `cluster.processCounts.cluster_controller` | Number of cluster controller processes.                                                                                                 | `int`      | `1`                      |
-| `cluster.version`                          | Version of FoundationDB to use.                                                                                                         | `string`   | `7.3.63`                 |
-| `cluster.redundancyMode`                   | Database redundancy mode (single, double, triple, three_datacenter, three_datacenter_fallback).                                         | `string`   | `double`                 |
-| `cluster.storageEngine`                    | Storage engine (ssd-2, ssd-redwood-v1, ssd-rocksdb-v1, memory).                                                                         | `string`   | `ssd-2`                  |
-| `cluster.faultDomain`                      | Fault domain configuration.                                                                                                             | `object`   | `{}`                     |
-| `cluster.faultDomain.key`                  | Fault domain key.                                                                                                                       | `string`   | `kubernetes.io/hostname` |
-| `cluster.faultDomain.valueFrom`            | Fault domain value source.                                                                                                              | `string`   | `spec.nodeName`          |
-| `storage`                                  | Storage configuration.                                                                                                                  | `object`   | `{}`                     |
-| `storage.size`                             | Size of persistent volumes for each instance.                                                                                           | `quantity` | `16Gi`                   |
-| `storage.storageClass`                     | Storage class (if not set, uses cluster default).                                                                                       | `string`   | `""`                     |
-| `resources`                                | Explicit CPU and memory configuration for each FoundationDB instance. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`                     |
-| `resources.cpu`                            | CPU available to each instance.                                                                                                         | `quantity` | `""`                     |
-| `resources.memory`                         | Memory (RAM) available to each instance.                                                                                                | `quantity` | `""`                     |
-| `resourcesPreset`                          | Default sizing preset used when `resources` is omitted.                                                                                 | `string`   | `medium`                 |
-| `backup`                                   | Backup configuration.                                                                                                                   | `object`   | `{}`                     |
-| `backup.enabled`                           | Enable backups.                                                                                                                         | `bool`     | `false`                  |
-| `backup.s3`                                | S3 configuration for backups.                                                                                                           | `object`   | `{}`                     |
-| `backup.s3.bucket`                         | S3 bucket name.                                                                                                                         | `string`   | `""`                     |
-| `backup.s3.endpoint`                       | S3 endpoint URL.                                                                                                                        | `string`   | `""`                     |
-| `backup.s3.region`                         | S3 region.                                                                                                                              | `string`   | `us-east-1`              |
-| `backup.s3.credentials`                    | S3 credentials.                                                                                                                         | `object`   | `{}`                     |
-| `backup.s3.credentials.accessKeyId`        | S3 access key ID.                                                                                                                       | `string`   | `""`                     |
-| `backup.s3.credentials.secretAccessKey`    | S3 secret access key.                                                                                                                   | `string`   | `""`                     |
-| `backup.retentionPolicy`                   | Retention policy for backups.                                                                                                           | `string`   | `7d`                     |
-| `monitoring`                               | Monitoring configuration.                                                                                                               | `object`   | `{}`                     |
-| `monitoring.enabled`                       | Enable WorkloadMonitor integration.                                                                                                     | `bool`     | `true`                   |
-
-
-### FoundationDB configuration
-
-| Name                         | Description                                | Type       | Value     |
-| ---------------------------- | ------------------------------------------ | ---------- | --------- |
-| `customParameters`           | Custom parameters to pass to FoundationDB. | `[]string` | `[]`      |
-| `imageType`                  | Container image deployment type.           | `string`   | `unified` |
-| `securityContext`            | Security context for containers.           | `object`   | `{}`      |
-| `securityContext.runAsUser`  | User ID to run the container.              | `int`      | `4059`    |
-| `securityContext.runAsGroup` | Group ID to run the container.             | `int`      | `4059`    |
-| `automaticReplacements`      | Enable automatic pod replacements.         | `bool`     | `true`    |
-
--- a/packages/apps/foundationdb/charts/cozy-lib
+++ b/packages/apps/foundationdb/charts/cozy-lib
@@ -1 +0,0 @@
-../../../library/cozy-lib
--- a/packages/apps/foundationdb/logos/foundationdb.svg
+++ b/packages/apps/foundationdb/logos/foundationdb.svg
@@ -1,106 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   width="144"
-   height="144"
-   viewBox="0 0 144 144"
-   fill="none"
-   version="1.1"
-   id="svg4"
-   sodipodi:docname="foundationdb.svg"
-   inkscape:version="1.4.2 (unknown)"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg">
-  <sodipodi:namedview
-     id="namedview4"
-     pagecolor="#ffffff"
-     bordercolor="#000000"
-     borderopacity="0.25"
-     inkscape:showpageshadow="2"
-     inkscape:pageopacity="0.0"
-     inkscape:pagecheckerboard="0"
-     inkscape:deskcolor="#d1d1d1"
-     inkscape:zoom="6.0902778"
-     inkscape:cx="72"
-     inkscape:cy="72.492588"
-     inkscape:window-width="1920"
-     inkscape:window-height="1128"
-     inkscape:window-x="0"
-     inkscape:window-y="0"
-     inkscape:window-maximized="1"
-     inkscape:current-layer="svg4" />
-  <rect
-     width="144"
-     height="144"
-     rx="24"
-     fill="url(#paint0_linear_fdb)"
-     id="rect1"
-     style="fill:#ffffff" />
-  <!-- FoundationDB Icon (scaled and positioned) -->
-  <!-- FoundationDB Text -->
-  <defs
-     id="defs4">
-    <linearGradient
-       id="paint0_linear_fdb"
-       x1="140"
-       y1="130.5"
-       x2="4"
-       y2="9.49999"
-       gradientUnits="userSpaceOnUse">
-      <stop
-         stop-color="#047BFE"
-         id="stop3" />
-      <stop
-         offset="1"
-         stop-color="#3F9AFB"
-         id="stop4" />
-    </linearGradient>
-  </defs>
-  <g
-     id="g1134"
-     transform="matrix(3.132791,0,0,3.132791,-115.98385,6.9294227)">
-    <g
-       transform="matrix(0.08541251,0,0,0.08541251,8.7615159,9.5962543)"
-       id="g10">
-		<polygon
-   style="fill:#3f9afb"
-   class="st0"
-   points="457.2,150.5 457.2,98.6 561.4,124 561.6,164.8 666.6,150.9 666.3,98.7 845.8,143 846.4,189.9 667.4,165.8 560.6,177.3 457.1,165.4 354.2,177.6 354.1,165.7 "
-   id="polygon4" />
-
-		<path
-   style="fill:#0b70e0"
-   inkscape:connector-curvature="0"
-   class="st1"
-   d="m 666.6,183.2 179.6,18.6 v 46 H 353.8 l -0.5,-12.2 h 103.5 c 0,0 0,-34.2 0,-52.3 34.8,3.4 103.8,10.2 103.8,10.2 v 40.9 h 106 z"
-   id="path6" />
-
-		<path
-   style="fill:#9eccfd"
-   inkscape:connector-curvature="0"
-   class="st2"
-   d="m 561.4,109.1 -0.3,-12.6 c 0,0 68.1,-20.4 103.3,-30.8 0,-16.9 0,-33.2 0,-52.9 61.8,24.8 121.2,48.8 181.2,72.9 0,15 0,29.4 0,45.4 -61.5,-16.9 -121.7,-33.5 -180.2,-49.6 -35.6,9.5 -104,27.6 -104,27.6 z"
-   id="path8" />
-
-	</g>
-    <polygon
-       transform="matrix(0.08541251,0,0,0.08541251,8.7795597,9.6869671)"
-       style="fill:#3f9afb"
-       class="st0"
-       points="666.6,150.9 666.3,98.7 845.8,143 846.4,189.9 667.4,165.8 560.6,177.3 457.1,165.4 354.2,177.6 354.1,165.7 457.2,150.5 457.2,98.6 561.4,124 561.6,164.8 "
-       id="polygon856" />
-    <path
-       style="fill:#0b70e0;stroke-width:0.0854125"
-       inkscape:connector-curvature="0"
-       class="st1"
-       d="m 65.715539,25.334539 15.340087,1.588673 v 3.928975 h -42.05712 l -0.04271,-1.042033 h 8.840195 c 0,0 0,-2.921107 0,-4.467074 2.972356,0.290403 8.865819,0.871208 8.865819,0.871208 v 3.493371 h 9.053726 z"
-       id="path858" />
-    <path
-       style="fill:#9eccfd;stroke-width:0.0854125"
-       inkscape:connector-curvature="0"
-       class="st2"
-       d="m 56.730143,19.005472 -0.02562,-1.076198 c 0,0 5.816592,-1.742415 8.823112,-2.630705 0,-1.443471 0,-2.835695 0,-4.518322 5.278493,2.11823 10.351997,4.168131 15.476747,6.226572 0,1.281188 0,2.511128 0,3.877728 -5.252869,-1.443471 -10.394702,-2.861319 -15.391334,-4.23646 -3.040686,0.811419 -8.882901,2.357385 -8.882901,2.357385 z"
-       id="path860" />
-  </g>
-</svg>
--- a/packages/apps/foundationdb/templates/_resources.tpl
+++ b/packages/apps/foundationdb/templates/_resources.tpl
@@ -1,47 +0,0 @@
-{{/*
-Common resource definitions
-*/}}
-{{- define "foundationdb.resources" -}}
-{{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resources.preset .Values.resources $) }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "foundationdb.labels" -}}
-helm.sh/chart: {{ include "foundationdb.chart" . }}
-{{ include "foundationdb.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "foundationdb.selectorLabels" -}}
-app.kubernetes.io/name: foundationdb
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Chart name and version
-*/}}
-{{- define "foundationdb.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Calculate minReplicas for WorkloadMonitor based on redundancyMode
-*/}}
-{{- define "foundationdb.minReplicas" -}}
-{{- $replicas := .Values.cluster.processCounts.storage -}}
-{{- if or (eq .Values.cluster.redundancyMode "triple") (eq .Values.cluster.redundancyMode "three_data_hall") (eq .Values.cluster.redundancyMode "three_datacenter") (eq .Values.cluster.redundancyMode "three_datacenter_fallback") (eq .Values.cluster.redundancyMode "three_data_hall_fallback") }}
-{{- print (max 1 (sub $replicas 2)) -}}
-{{- else if eq .Values.cluster.redundancyMode "double" }}
-{{- print (max 1 (sub $replicas 1)) -}}
-{{- else }}
-{{- print $replicas -}}
-{{- end -}}
-{{- end -}}
--- a/packages/apps/foundationdb/templates/backup.yaml
+++ b/packages/apps/foundationdb/templates/backup.yaml
@@ -1,65 +0,0 @@
-{{- if .Values.backup.enabled }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-s3-creds
-  labels:
-    app.kubernetes.io/name: foundationdb
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-type: Opaque
-data:
-  AWS_ACCESS_KEY_ID: {{ .Values.backup.s3.credentials.accessKeyId | b64enc }}
-  AWS_SECRET_ACCESS_KEY: {{ .Values.backup.s3.credentials.secretAccessKey | b64enc }}
-
---
-apiVersion: apps.foundationdb.org/v1beta2
-kind: FoundationDBBackup
-metadata:
-  name: {{ .Release.Name }}-backup
-  labels:
-    app.kubernetes.io/name: foundationdb
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  clusterName: {{ .Release.Name }}
-  
-  backupState: Running
-  
-  backupDeploymentSpec:
-    podTemplateSpec:
-      spec:
-        containers:
-          - name: foundationdb
-            resources:
-              limits:
-                cpu: 100m
-                memory: 128Mi
-              requests:
-                cpu: 100m
-                memory: 128Mi
-            securityContext:
-              runAsUser: 0
-  
-  customParameters:
-    - backup_agent_snapshot_mode=0
-  
-  snapshotPeriodSeconds: 3600
-  
-  blobStoreConfiguration:
-    accountName: {{ .Values.backup.s3.bucket }}
-    bucket: {{ .Values.backup.s3.bucket }}
-    {{- if .Values.backup.s3.endpoint }}
-    endpoint: {{ .Values.backup.s3.endpoint }}
-    {{- end }}
-    credentials:
-      AWS_ACCESS_KEY_ID:
-        secretKeyRef:
-          name: {{ .Release.Name }}-s3-creds
-          key: AWS_ACCESS_KEY_ID
-      AWS_SECRET_ACCESS_KEY:
-        secretKeyRef:
-          name: {{ .Release.Name }}-s3-creds
-          key: AWS_SECRET_ACCESS_KEY
-{{- end }}
--- a/packages/apps/foundationdb/templates/cluster.yaml
+++ b/packages/apps/foundationdb/templates/cluster.yaml
@@ -1,98 +0,0 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" | default (dict "data" (dict)) }}
-{{- $clusterDomain := index $cozyConfig.data "cluster-domain" | default "cozy.local" }}
---
-apiVersion: apps.foundationdb.org/v1beta2
-kind: FoundationDBCluster
-metadata:
-  name: {{ .Release.Name }}
-  labels:
-    app.kubernetes.io/name: foundationdb
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  version: {{ .Values.cluster.version | quote }}
-
-  databaseConfiguration:
-    redundancy_mode: {{ .Values.cluster.redundancyMode }}
-    storage_engine: {{ .Values.cluster.storageEngine }}
-
-  processCounts:
-    {{- toYaml .Values.cluster.processCounts | nindent 4 }}
-  
-  automationOptions:
-    replacements:
-      enabled: {{ .Values.automaticReplacements }}
-    faultDomain:
-      key: {{ .Values.cluster.faultDomain.key }}
-      {{- if .Values.cluster.faultDomain.valueFrom }}
-      valueFrom: {{ .Values.cluster.faultDomain.valueFrom }}
-      {{- end }}
-    imageType: {{ .Values.imageType }}
-    labels:
-      filterOnOwnerReference: false
-      matchLabels:
-        foundationdb.org/fdb-cluster-name: {{ .Release.Name }}
-      processClassLabels:
-        - foundationdb.org/fdb-process-class
-      processGroupIDLabels:
-        - foundationdb.org/fdb-process-group-id
-    minimumUptimeSecondsForBounce: 60
-  
-  processes:
-    general:
-      {{- if .Values.customParameters }}
-      customParameters:
-        {{- range .Values.customParameters }}
-        - {{ . }}
-        {{- end }}
-      {{- end }}
-      podTemplate:
-        metadata:
-          labels:
-            policy.cozystack.io/allow-to-apiserver: "true"
-        spec:
-          serviceAccountName: {{ .Release.Name }}-foundationdb
-          securityContext:
-            fsGroup: {{ .Values.securityContext.runAsGroup }}
-          containers:
-            - name: foundationdb
-              resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 16 }}
-              securityContext:
-                {{- toYaml .Values.securityContext | nindent 16 }}
-            - name: foundationdb-kubernetes-sidecar
-              resources:
-                limits:
-                  cpu: 100m
-                  memory: 128Mi
-                requests:
-                  cpu: 100m
-                  memory: 128Mi
-              securityContext:
-                {{- toYaml .Values.securityContext | nindent 16 }}
-          initContainers:
-            - name: foundationdb-kubernetes-init
-              resources:
-                limits:
-                  cpu: 100m
-                  memory: 128Mi
-                requests:
-                  cpu: 100m
-                  memory: 128Mi
-              securityContext:
-                {{- toYaml .Values.securityContext | nindent 16 }}
-      volumeClaimTemplate:
-        spec:
-          {{- if .Values.storage.storageClass }}
-          storageClassName: {{ .Values.storage.storageClass }}
-          {{- end }}
-          resources:
-            requests:
-              storage: {{ .Values.storage.size }}
-  
-  routing:
-    dnsDomain: {{ $clusterDomain }}
-    defineDNSLocalityFields: true
-  
-  sidecarContainer:
-    enableLivenessProbe: true
-    enableReadinessProbe: true
--- a/packages/apps/foundationdb/templates/role.yaml
+++ b/packages/apps/foundationdb/templates/role.yaml
@@ -1,22 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .Release.Name }}-foundationdb
-  labels:
-    app.kubernetes.io/name: foundationdb
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-rules:
- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
--- a/packages/apps/foundationdb/templates/rolebinding.yaml
+++ b/packages/apps/foundationdb/templates/rolebinding.yaml
@@ -1,17 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ .Release.Name }}-foundationdb
-  labels:
-    app.kubernetes.io/name: foundationdb
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .Release.Name }}-foundationdb
-subjects:
- kind: ServiceAccount
-  name: {{ .Release.Name }}-foundationdb
-  namespace: {{ .Release.Namespace }}
--- a/packages/apps/foundationdb/templates/serviceaccount.yaml
+++ b/packages/apps/foundationdb/templates/serviceaccount.yaml
@@ -1,9 +0,0 @@
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Release.Name }}-foundationdb
-  labels:
-    app.kubernetes.io/name: foundationdb
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
--- a/packages/apps/foundationdb/templates/workloadmonitor.yaml
+++ b/packages/apps/foundationdb/templates/workloadmonitor.yaml
@@ -1,20 +0,0 @@
-{{- if .Values.monitoring.enabled }}
---
-apiVersion: cozystack.io/v1alpha1
-kind: WorkloadMonitor
-metadata:
-  name: {{ .Release.Name }}
-  labels:
-    app.kubernetes.io/name: foundationdb
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.cluster.processCounts.storage }}
-  minReplicas: {{ include "foundationdb.minReplicas" . }}
-  kind: foundationdb
-  type: foundationdb
-  selector:
-    foundationdb.org/fdb-cluster-name: {{ .Release.Name }}
-    foundationdb.org/fdb-process-class: storage
-  version: {{ .Chart.Version }}
-{{- end }}
--- a/packages/apps/foundationdb/values.schema.json
+++ b/packages/apps/foundationdb/values.schema.json
@@ -1,287 +0,0 @@
-{
-  "title": "Chart Values",
-  "type": "object",
-  "properties": {
-    "automaticReplacements": {
-      "description": "Enable automatic pod replacements.",
-      "type": "boolean",
-      "default": true
-    },
-    "backup": {
-      "description": "Backup configuration.",
-      "type": "object",
-      "default": {},
-      "required": [
-        "enabled",
-        "retentionPolicy",
-        "s3"
-      ],
-      "properties": {
-        "enabled": {
-          "description": "Enable backups.",
-          "type": "boolean",
-          "default": false
-        },
-        "retentionPolicy": {
-          "description": "Retention policy for backups.",
-          "type": "string",
-          "default": "7d"
-        },
-        "s3": {
-          "description": "S3 configuration for backups.",
-          "type": "object",
-          "default": {},
-          "required": [
-            "bucket",
-            "credentials",
-            "endpoint",
-            "region"
-          ],
-          "properties": {
-            "bucket": {
-              "description": "S3 bucket name.",
-              "type": "string",
-              "default": ""
-            },
-            "credentials": {
-              "description": "S3 credentials.",
-              "type": "object",
-              "default": {},
-              "required": [
-                "accessKeyId",
-                "secretAccessKey"
-              ],
-              "properties": {
-                "accessKeyId": {
-                  "description": "S3 access key ID.",
-                  "type": "string",
-                  "default": ""
-                },
-                "secretAccessKey": {
-                  "description": "S3 secret access key.",
-                  "type": "string",
-                  "default": ""
-                }
-              }
-            },
-            "endpoint": {
-              "description": "S3 endpoint URL.",
-              "type": "string",
-              "default": ""
-            },
-            "region": {
-              "description": "S3 region.",
-              "type": "string",
-              "default": "us-east-1"
-            }
-          }
-        }
-      }
-    },
-    "cluster": {
-      "description": "Cluster configuration.",
-      "type": "object",
-      "default": {},
-      "required": [
-        "faultDomain",
-        "processCounts",
-        "redundancyMode",
-        "storageEngine",
-        "version"
-      ],
-      "properties": {
-        "faultDomain": {
-          "description": "Fault domain configuration.",
-          "type": "object",
-          "default": {},
-          "required": [
-            "key",
-            "valueFrom"
-          ],
-          "properties": {
-            "key": {
-              "description": "Fault domain key.",
-              "type": "string",
-              "default": "kubernetes.io/hostname"
-            },
-            "valueFrom": {
-              "description": "Fault domain value source.",
-              "type": "string",
-              "default": "spec.nodeName"
-            }
-          }
-        },
-        "processCounts": {
-          "description": "Process counts for different roles.",
-          "type": "object",
-          "default": {},
-          "required": [
-            "cluster_controller",
-            "stateless",
-            "storage"
-          ],
-          "properties": {
-            "cluster_controller": {
-              "description": "Number of cluster controller processes.",
-              "type": "integer",
-              "default": 1
-            },
-            "stateless": {
-              "description": "Number of stateless processes (-1 for automatic).",
-              "type": "integer",
-              "default": -1
-            },
-            "storage": {
-              "description": "Number of storage processes (determines cluster size).",
-              "type": "integer",
-              "default": 3
-            }
-          }
-        },
-        "redundancyMode": {
-          "description": "Database redundancy mode (single, double, triple, three_datacenter, three_datacenter_fallback).",
-          "type": "string",
-          "default": "double"
-        },
-        "storageEngine": {
-          "description": "Storage engine (ssd-2, ssd-redwood-v1, ssd-rocksdb-v1, memory).",
-          "type": "string",
-          "default": "ssd-2"
-        },
-        "version": {
-          "description": "Version of FoundationDB to use.",
-          "type": "string",
-          "default": "7.3.63"
-        }
-      }
-    },
-    "customParameters": {
-      "description": "Custom parameters to pass to FoundationDB.",
-      "type": "array",
-      "default": [],
-      "items": {
-        "type": "string"
-      }
-    },
-    "imageType": {
-      "description": "Container image deployment type.",
-      "type": "string",
-      "default": "unified",
-      "enum": [
-        "unified",
-        "split"
-      ]
-    },
-    "monitoring": {
-      "description": "Monitoring configuration.",
-      "type": "object",
-      "default": {},
-      "required": [
-        "enabled"
-      ],
-      "properties": {
-        "enabled": {
-          "description": "Enable WorkloadMonitor integration.",
-          "type": "boolean",
-          "default": true
-        }
-      }
-    },
-    "resources": {
-      "description": "Explicit CPU and memory configuration for each FoundationDB instance. When omitted, the preset defined in `resourcesPreset` is applied.",
-      "type": "object",
-      "default": {},
-      "properties": {
-        "cpu": {
-          "description": "CPU available to each instance.",
-          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
-          "anyOf": [
-            {
-              "type": "integer"
-            },
-            {
-              "type": "string"
-            }
-          ],
-          "x-kubernetes-int-or-string": true
-        },
-        "memory": {
-          "description": "Memory (RAM) available to each instance.",
-          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
-          "anyOf": [
-            {
-              "type": "integer"
-            },
-            {
-              "type": "string"
-            }
-          ],
-          "x-kubernetes-int-or-string": true
-        }
-      }
-    },
-    "resourcesPreset": {
-      "description": "Default sizing preset used when `resources` is omitted.",
-      "type": "string",
-      "default": "medium",
-      "enum": [
-        "small",
-        "medium",
-        "large",
-        "xlarge",
-        "2xlarge"
-      ]
-    },
-    "securityContext": {
-      "description": "Security context for containers.",
-      "type": "object",
-      "default": {},
-      "required": [
-        "runAsGroup",
-        "runAsUser"
-      ],
-      "properties": {
-        "runAsGroup": {
-          "description": "Group ID to run the container.",
-          "type": "integer",
-          "default": 4059
-        },
-        "runAsUser": {
-          "description": "User ID to run the container.",
-          "type": "integer",
-          "default": 4059
-        }
-      }
-    },
-    "storage": {
-      "description": "Storage configuration.",
-      "type": "object",
-      "default": {},
-      "required": [
-        "size",
-        "storageClass"
-      ],
-      "properties": {
-        "size": {
-          "description": "Size of persistent volumes for each instance.",
-          "default": "16Gi",
-          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
-          "anyOf": [
-            {
-              "type": "integer"
-            },
-            {
-              "type": "string"
-            }
-          ],
-          "x-kubernetes-int-or-string": true
-        },
-        "storageClass": {
-          "description": "Storage class (if not set, uses cluster default).",
-          "type": "string",
-          "default": ""
-        }
-      }
-    }
-  }
-}
--- a/packages/apps/foundationdb/values.yaml
+++ b/packages/apps/foundationdb/values.yaml
@@ -1,120 +0,0 @@
-##
-## @section Common parameters
-##
-
-## @typedef {struct} ClusterProcessCounts - Process counts for different roles.
-## @field {int} stateless - Number of stateless processes (-1 for automatic).
-## @field {int} storage - Number of storage processes (determines cluster size).
-## @field {int} cluster_controller - Number of cluster controller processes.
-
-## @typedef {struct} ClusterFaultDomain - Fault domain configuration.
-## @field {string} key - Fault domain key.
-## @field {string} valueFrom - Fault domain value source.
-
-## @typedef {struct} Cluster - Cluster configuration.
-## @field {ClusterProcessCounts} processCounts - Process counts for different roles.
-## @field {string} version - Version of FoundationDB to use.
-## @field {string} redundancyMode - Database redundancy mode (single, double, triple, three_datacenter, three_datacenter_fallback).
-## @field {string} storageEngine - Storage engine (ssd-2, ssd-redwood-v1, ssd-rocksdb-v1, memory).
-## @field {ClusterFaultDomain} faultDomain - Fault domain configuration.
-
-## @param {Cluster} cluster - Cluster configuration.
-cluster:
-  processCounts:
-    stateless: -1
-    storage: 3
-    cluster_controller: 1
-
-  version: "7.3.63"
-  redundancyMode: "double"
-  storageEngine: "ssd-2"
-
-  faultDomain:
-    key: "kubernetes.io/hostname"
-    valueFrom: "spec.nodeName"
-
-## @typedef {struct} Storage - Storage configuration.
-## @field {quantity} size - Size of persistent volumes for each instance.
-## @field {string} storageClass - Storage class (if not set, uses cluster default).
-
-## @param {Storage} storage - Storage configuration.
-storage:
-  size: "16Gi"
-  storageClass: ""
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each FoundationDB instance.
-## @field {quantity} [cpu] - CPU available to each instance.
-## @field {quantity} [memory] - Memory (RAM) available to each instance.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @param {Resources} [resources] - Explicit CPU and memory configuration for each FoundationDB instance. When omitted, the preset defined in `resourcesPreset` is applied.
-resources: {}
-
-## @param {ResourcesPreset} resourcesPreset="medium" - Default sizing preset used when `resources` is omitted.
-resourcesPreset: "medium"
-
-## @typedef {struct} BackupS3Credentials - S3 credentials.
-## @field {string} accessKeyId - S3 access key ID.
-## @field {string} secretAccessKey - S3 secret access key.
-
-## @typedef {struct} BackupS3 - S3 configuration for backups.
-## @field {string} bucket - S3 bucket name.
-## @field {string} endpoint - S3 endpoint URL.
-## @field {string} region - S3 region.
-## @field {BackupS3Credentials} credentials - S3 credentials.
-
-## @typedef {struct} Backup - Backup configuration.
-## @field {bool} enabled - Enable backups.
-## @field {BackupS3} s3 - S3 configuration for backups.
-## @field {string} retentionPolicy - Retention policy for backups.
-
-## @param {Backup} backup - Backup configuration.
-backup:
-  enabled: false
-  s3:
-    bucket: ""
-    endpoint: ""
-    region: "us-east-1"
-    credentials:
-      accessKeyId: ""
-      secretAccessKey: ""
-  retentionPolicy: "7d"
-
-## @typedef {struct} Monitoring - Monitoring configuration.
-## @field {bool} enabled - Enable WorkloadMonitor integration.
-
-## @param {Monitoring} monitoring - Monitoring configuration.
-monitoring:
-  enabled: true
-
-##
-## @section FoundationDB configuration
-##
-
-## @param {[]string} customParameters - Custom parameters to pass to FoundationDB.
-customParameters: []
-
-## @enum {string} ImageType - Container image deployment type.
-## @value unified
-## @value split
-
-## @param {ImageType} imageType="unified" - Container image deployment type.
-imageType: "unified"
-
-## @typedef {struct} SecurityContext - Security context for containers.
-## @field {int} runAsUser - User ID to run the container.
-## @field {int} runAsGroup - Group ID to run the container.
-
-## @param {SecurityContext} securityContext - Security context for containers.
-securityContext:
-  runAsUser: 4059
-  runAsGroup: 4059
-
-## @param {bool} automaticReplacements - Enable automatic pod replacements.
-automaticReplacements: true
--- a/packages/apps/http-cache/README.md
+++ b/packages/apps/http-cache/README.md
@@ -62,40 +62,40 @@ The deployment architecture is illustrated in the diagram below:

 | Name           | Description                                                  | Type       | Value   |
 | -------------- | ------------------------------------------------------------ | ---------- | ------- |
-| `size`         | Persistent Volume Claim size available for application data. | `quantity` | `10Gi`  |
-| `storageClass` | StorageClass used to store the data.                         | `string`   | `""`    |
-| `external`     | Enable external access from outside the cluster.             | `bool`     | `false` |
+| `size`         | Persistent Volume Claim size, available for application data | `quantity` | `10Gi`  |
+| `storageClass` | StorageClass used to store the data                          | `string`   | `""`    |
+| `external`     | Enable external access from outside the cluster              | `bool`     | `false` |


 ### Application-specific parameters

-| Name        | Description                                      | Type       | Value |
-| ----------- | ------------------------------------------------ | ---------- | ----- |
-| `endpoints` | Endpoints configuration, as a list of <ip:port>. | `[]string` | `[]`  |
+| Name        | Description                                     | Type       | Value |
+| ----------- | ----------------------------------------------- | ---------- | ----- |
+| `endpoints` | Endpoints configuration, as a list of <ip:port> | `[]string` | `[]`  |


 ### HAProxy parameters

-| Name                       | Description                                                                                              | Type       | Value  |
-| -------------------------- | -------------------------------------------------------------------------------------------------------- | ---------- | ------ |
-| `haproxy`                  | HAProxy configuration.                                                                                   | `object`   | `{}`   |
-| `haproxy.replicas`         | Number of HAProxy replicas.                                                                              | `int`      | `2`    |
-| `haproxy.resources`        | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`   |
-| `haproxy.resources.cpu`    | CPU available to each replica.                                                                           | `quantity` | `""`   |
-| `haproxy.resources.memory` | Memory (RAM) available to each replica.                                                                  | `quantity` | `""`   |
-| `haproxy.resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                  | `string`   | `nano` |
+| Name                       | Description                                                                                                                               | Type        | Value  |
+| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------ |
+| `haproxy`                  | HAProxy configuration                                                                                                                     | `object`    | `{}`   |
+| `haproxy.replicas`         | Number of HAProxy replicas                                                                                                                | `int`       | `2`    |
+| `haproxy.resources`        | Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.              | `object`    | `{}`   |
+| `haproxy.resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null` |
+| `haproxy.resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null` |
+| `haproxy.resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `nano` |


 ### Nginx parameters

-| Name                     | Description                                                                                              | Type       | Value  |
-| ------------------------ | -------------------------------------------------------------------------------------------------------- | ---------- | ------ |
-| `nginx`                  | Nginx configuration.                                                                                     | `object`   | `{}`   |
-| `nginx.replicas`         | Number of Nginx replicas.                                                                                | `int`      | `2`    |
-| `nginx.resources`        | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`   |
-| `nginx.resources.cpu`    | CPU available to each replica.                                                                           | `quantity` | `""`   |
-| `nginx.resources.memory` | Memory (RAM) available to each replica.                                                                  | `quantity` | `""`   |
-| `nginx.resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                  | `string`   | `nano` |
+| Name                     | Description                                                                                                                               | Type        | Value  |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------ |
+| `nginx`                  | Nginx configuration                                                                                                                       | `object`    | `{}`   |
+| `nginx.replicas`         | Number of Nginx replicas                                                                                                                  | `int`       | `2`    |
+| `nginx.resources`        | Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.              | `*object`   | `null` |
+| `nginx.resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null` |
+| `nginx.resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null` |
+| `nginx.resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `nano` |


 ## Parameter examples and reference
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:50ac1581e3100bd6c477a71161cb455a341ffaf9e5e2f6086802e4e25271e8af
+ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:b7633717cd7449c0042ae92d8ca9b36e4d69566561f5c7d44e21058e7d05c6d5
--- a/packages/apps/http-cache/values.schema.json
+++ b/packages/apps/http-cache/values.schema.json
@@ -3,7 +3,7 @@
  "type": "object",
  "properties": {
    "endpoints": {
-      "description": "Endpoints configuration, as a list of \u003cip:port\u003e.",
+      "description": "Endpoints configuration, as a list of \u003cip:port\u003e",
      "type": "array",
      "default": [],
      "items": {
@@ -11,31 +11,32 @@
      }
    },
    "external": {
-      "description": "Enable external access from outside the cluster.",
+      "description": "Enable external access from outside the cluster",
      "type": "boolean",
      "default": false
    },
    "haproxy": {
-      "description": "HAProxy configuration.",
+      "description": "HAProxy configuration",
      "type": "object",
      "default": {},
      "required": [
        "replicas",
+        "resources",
        "resourcesPreset"
      ],
      "properties": {
        "replicas": {
-          "description": "Number of HAProxy replicas.",
+          "description": "Number of HAProxy replicas",
          "type": "integer",
          "default": 2
        },
        "resources": {
-          "description": "Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.",
+          "description": "Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.",
          "type": "object",
          "default": {},
          "properties": {
            "cpu": {
-              "description": "CPU available to each replica.",
+              "description": "CPU available to each replica",
              "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
              "anyOf": [
                {
@@ -48,7 +49,7 @@
              "x-kubernetes-int-or-string": true
            },
            "memory": {
-              "description": "Memory (RAM) available to each replica.",
+              "description": "Memory (RAM) available to each replica",
              "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
              "anyOf": [
                {
@@ -63,7 +64,7 @@
          }
        },
        "resourcesPreset": {
-          "description": "Default sizing preset used when `resources` is omitted.",
+          "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
          "type": "string",
          "default": "nano",
          "enum": [
@@ -79,7 +80,7 @@
      }
    },
    "nginx": {
-      "description": "Nginx configuration.",
+      "description": "Nginx configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -88,17 +89,17 @@
      ],
      "properties": {
        "replicas": {
-          "description": "Number of Nginx replicas.",
+          "description": "Number of Nginx replicas",
          "type": "integer",
          "default": 2
        },
        "resources": {
-          "description": "Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.",
+          "description": "Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.",
          "type": "object",
          "default": {},
          "properties": {
            "cpu": {
-              "description": "CPU available to each replica.",
+              "description": "CPU available to each replica",
              "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
              "anyOf": [
                {
@@ -111,7 +112,7 @@
              "x-kubernetes-int-or-string": true
            },
            "memory": {
-              "description": "Memory (RAM) available to each replica.",
+              "description": "Memory (RAM) available to each replica",
              "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
              "anyOf": [
                {
@@ -126,7 +127,7 @@
          }
        },
        "resourcesPreset": {
-          "description": "Default sizing preset used when `resources` is omitted.",
+          "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
          "type": "string",
          "default": "nano",
          "enum": [
@@ -142,7 +143,7 @@
      }
    },
    "size": {
-      "description": "Persistent Volume Claim size available for application data.",
+      "description": "Persistent Volume Claim size, available for application data",
      "default": "10Gi",
      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
      "anyOf": [
@@ -156,9 +157,8 @@
      "x-kubernetes-int-or-string": true
    },
    "storageClass": {
-      "description": "StorageClass used to store the data.",
-      "type": "string",
-      "default": ""
+      "description": "StorageClass used to store the data",
+      "type": "string"
    }
  }
 }
--- a/packages/apps/http-cache/values.yaml
+++ b/packages/apps/http-cache/values.yaml
@@ -1,22 +1,14 @@
-##
 ## @section Common parameters
 ##
-
-## @param {quantity} size - Persistent Volume Claim size available for application data.
+## @param size {quantity} Persistent Volume Claim size, available for application data
 size: 10Gi
-
-## @param {string} storageClass - StorageClass used to store the data.
+## @param storageClass {string} StorageClass used to store the data
 storageClass: ""
-
-## @param {bool} external - Enable external access from outside the cluster.
+## @param external {bool} Enable external access from outside the cluster
 external: false
-
-##
 ## @section Application-specific parameters
-##

-## @param {[]string} endpoints - Endpoints configuration, as a list of <ip:port>.
-endpoints: []
+## @param endpoints {[]string} Endpoints configuration, as a list of <ip:port>
 ## Example:
 ## endpoints:
 ##   - 10.100.3.1:80
@@ -25,46 +17,37 @@ endpoints: []
 ##   - 10.100.3.12:80
 ##   - 10.100.3.3:80
 ##   - 10.100.3.13:80
-
 ##
+endpoints: []
+
+
 ## @section HAProxy parameters
 ##
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each replica.
-## @field {quantity} [cpu] - CPU available to each replica.
-## @field {quantity} [memory] - Memory (RAM) available to each replica.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @typedef {struct} HAProxy - HAProxy configuration.
-## @field {int} replicas - Number of HAProxy replicas.
-## @field {Resources} [resources] - Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
-## @field {ResourcesPreset} resourcesPreset - Default sizing preset used when `resources` is omitted.
-
-## @param {HAProxy} haproxy - HAProxy configuration.
+## @param haproxy {haproxy} HAProxy configuration
 haproxy:
+  ## @field haproxy.replicas {int} Number of HAProxy replicas
  replicas: 2
+  ## @field haproxy.resources {resources} Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  ## @field resources.cpu {*quantity} CPU available to each replica
+  ## @field resources.memory {*quantity} Memory (RAM) available to each replica
  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+  ## @field haproxy.resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
  resourcesPreset: "nano"

-##
 ## @section Nginx parameters
 ##
-
-## @typedef {struct} Nginx - Nginx configuration.
-## @field {int} replicas - Number of Nginx replicas.
-## @field {Resources} [resources] - Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
-## @field {ResourcesPreset} resourcesPreset - Default sizing preset used when `resources` is omitted.
-
-## @param {Nginx} nginx - Nginx configuration.
+## @param nginx {nginx} Nginx configuration
 nginx:
+  ## @field nginx.replicas {int} Number of Nginx replicas
  replicas: 2
+  ## @field nginx.resources {*resources} Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
  resources: {}
+
+  ## @field nginx.resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
  resourcesPreset: "nano"
--- a/packages/apps/kafka/README.md
+++ b/packages/apps/kafka/README.md
@@ -4,48 +4,48 @@

 ### Common parameters

-| Name       | Description                                      | Type   | Value   |
-| ---------- | ------------------------------------------------ | ------ | ------- |
-| `external` | Enable external access from outside the cluster. | `bool` | `false` |
+| Name       | Description                                     | Type   | Value   |
+| ---------- | ----------------------------------------------- | ------ | ------- |
+| `external` | Enable external access from outside the cluster | `bool` | `false` |


 ### Application-specific parameters

-| Name                   | Description           | Type       | Value |
-| ---------------------- | --------------------- | ---------- | ----- |
-| `topics`               | Topics configuration. | `[]object` | `[]`  |
-| `topics[i].name`       | Topic name.           | `string`   | `""`  |
-| `topics[i].partitions` | Number of partitions. | `int`      | `0`   |
-| `topics[i].replicas`   | Number of replicas.   | `int`      | `0`   |
-| `topics[i].config`     | Topic configuration.  | `object`   | `{}`  |
+| Name                   | Description          | Type       | Value |
+| ---------------------- | -------------------- | ---------- | ----- |
+| `topics`               | Topics configuration | `[]object` | `[]`  |
+| `topics[i].name`       | Topic name           | `string`   | `""`  |
+| `topics[i].partitions` | Number of partitions | `int`      | `0`   |
+| `topics[i].replicas`   | Number of replicas   | `int`      | `0`   |
+| `topics[i].config`     | Topic configuration  | `object`   | `{}`  |


 ### Kafka configuration

-| Name                     | Description                                                                                              | Type       | Value   |
-| ------------------------ | -------------------------------------------------------------------------------------------------------- | ---------- | ------- |
-| `kafka`                  | Kafka configuration.                                                                                     | `object`   | `{}`    |
-| `kafka.replicas`         | Number of Kafka replicas.                                                                                | `int`      | `3`     |
-| `kafka.resources`        | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `kafka.resources.cpu`    | CPU available to each replica.                                                                           | `quantity` | `""`    |
-| `kafka.resources.memory` | Memory (RAM) available to each replica.                                                                  | `quantity` | `""`    |
-| `kafka.resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                  | `string`   | `small` |
-| `kafka.size`             | Persistent Volume size for Kafka.                                                                        | `quantity` | `10Gi`  |
-| `kafka.storageClass`     | StorageClass used to store the Kafka data.                                                               | `string`   | `""`    |
+| Name                     | Description                                                                                                                               | Type        | Value   |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
+| `kafka`                  | Kafka configuration                                                                                                                       | `object`    | `{}`    |
+| `kafka.replicas`         | Number of Kafka replicas                                                                                                                  | `int`       | `3`     |
+| `kafka.resources`        | Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.              | `*object`   | `null`  |
+| `kafka.resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null`  |
+| `kafka.resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null`  |
+| `kafka.resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `small` |
+| `kafka.size`             | Persistent Volume size for Kafka                                                                                                          | `quantity`  | `10Gi`  |
+| `kafka.storageClass`     | StorageClass used to store the Kafka data                                                                                                 | `string`    | `""`    |


-### ZooKeeper configuration
+### Zookeeper configuration

-| Name                         | Description                                                                                              | Type       | Value   |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------- | ---------- | ------- |
-| `zookeeper`                  | ZooKeeper configuration.                                                                                 | `object`   | `{}`    |
-| `zookeeper.replicas`         | Number of ZooKeeper replicas.                                                                            | `int`      | `3`     |
-| `zookeeper.resources`        | Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `zookeeper.resources.cpu`    | CPU available to each replica.                                                                           | `quantity` | `""`    |
-| `zookeeper.resources.memory` | Memory (RAM) available to each replica.                                                                  | `quantity` | `""`    |
-| `zookeeper.resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                  | `string`   | `small` |
-| `zookeeper.size`             | Persistent Volume size for ZooKeeper.                                                                    | `quantity` | `5Gi`   |
-| `zookeeper.storageClass`     | StorageClass used to store the ZooKeeper data.                                                           | `string`   | `""`    |
+| Name                         | Description                                                                                                                               | Type        | Value   |
+| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
+| `zookeeper`                  | Zookeeper configuration                                                                                                                   | `object`    | `{}`    |
+| `zookeeper.replicas`         | Number of ZooKeeper replicas                                                                                                              | `int`       | `3`     |
+| `zookeeper.resources`        | Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.              | `*object`   | `null`  |
+| `zookeeper.resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null`  |
+| `zookeeper.resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null`  |
+| `zookeeper.resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `small` |
+| `zookeeper.size`             | Persistent Volume size for ZooKeeper                                                                                                      | `quantity`  | `5Gi`   |
+| `zookeeper.storageClass`     | StorageClass used to store the ZooKeeper data                                                                                             | `string`    | `""`    |


 ## Parameter examples and reference
--- a/packages/apps/kafka/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/kafka/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,38 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}-kafka-bootstrap
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-clients-ca
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  - {{ $.Release.Name }}-zookeeper
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/kafka/values.schema.json
+++ b/packages/apps/kafka/values.schema.json
@@ -3,12 +3,12 @@
  "type": "object",
  "properties": {
    "external": {
-      "description": "Enable external access from outside the cluster.",
+      "description": "Enable external access from outside the cluster",
      "type": "boolean",
      "default": false
    },
    "kafka": {
-      "description": "Kafka configuration.",
+      "description": "Kafka configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -19,17 +19,17 @@
      ],
      "properties": {
        "replicas": {
-          "description": "Number of Kafka replicas.",
+          "description": "Number of Kafka replicas",
          "type": "integer",
          "default": 3
        },
        "resources": {
-          "description": "Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.",
+          "description": "Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.",
          "type": "object",
          "default": {},
          "properties": {
            "cpu": {
-              "description": "CPU available to each replica.",
+              "description": "CPU available to each replica",
              "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
              "anyOf": [
                {
@@ -42,7 +42,7 @@
              "x-kubernetes-int-or-string": true
            },
            "memory": {
-              "description": "Memory (RAM) available to each replica.",
+              "description": "Memory (RAM) available to each replica",
              "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
              "anyOf": [
                {
@@ -57,7 +57,7 @@
          }
        },
        "resourcesPreset": {
-          "description": "Default sizing preset used when `resources` is omitted.",
+          "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
          "type": "string",
          "default": "small",
          "enum": [
@@ -71,7 +71,7 @@
          ]
        },
        "size": {
-          "description": "Persistent Volume size for Kafka.",
+          "description": "Persistent Volume size for Kafka",
          "default": "10Gi",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
@@ -85,14 +85,13 @@
          "x-kubernetes-int-or-string": true
        },
        "storageClass": {
-          "description": "StorageClass used to store the Kafka data.",
-          "type": "string",
-          "default": ""
+          "description": "StorageClass used to store the Kafka data",
+          "type": "string"
        }
      }
    },
    "topics": {
-      "description": "Topics configuration.",
+      "description": "Topics configuration",
      "type": "array",
      "default": [],
      "items": {
@@ -105,27 +104,27 @@
        ],
        "properties": {
          "config": {
-            "description": "Topic configuration.",
+            "description": "Topic configuration",
            "type": "object",
            "x-kubernetes-preserve-unknown-fields": true
          },
          "name": {
-            "description": "Topic name.",
+            "description": "Topic name",
            "type": "string"
          },
          "partitions": {
-            "description": "Number of partitions.",
+            "description": "Number of partitions",
            "type": "integer"
          },
          "replicas": {
-            "description": "Number of replicas.",
+            "description": "Number of replicas",
            "type": "integer"
          }
        }
      }
    },
    "zookeeper": {
-      "description": "ZooKeeper configuration.",
+      "description": "Zookeeper configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -136,17 +135,17 @@
      ],
      "properties": {
        "replicas": {
-          "description": "Number of ZooKeeper replicas.",
+          "description": "Number of ZooKeeper replicas",
          "type": "integer",
          "default": 3
        },
        "resources": {
-          "description": "Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.",
+          "description": "Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.",
          "type": "object",
          "default": {},
          "properties": {
            "cpu": {
-              "description": "CPU available to each replica.",
+              "description": "CPU available to each replica",
              "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
              "anyOf": [
                {
@@ -159,7 +158,7 @@
              "x-kubernetes-int-or-string": true
            },
            "memory": {
-              "description": "Memory (RAM) available to each replica.",
+              "description": "Memory (RAM) available to each replica",
              "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
              "anyOf": [
                {
@@ -174,7 +173,7 @@
          }
        },
        "resourcesPreset": {
-          "description": "Default sizing preset used when `resources` is omitted.",
+          "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
          "type": "string",
          "default": "small",
          "enum": [
@@ -188,7 +187,7 @@
          ]
        },
        "size": {
-          "description": "Persistent Volume size for ZooKeeper.",
+          "description": "Persistent Volume size for ZooKeeper",
          "default": "5Gi",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
@@ -202,9 +201,8 @@
          "x-kubernetes-int-or-string": true
        },
        "storageClass": {
-          "description": "StorageClass used to store the ZooKeeper data.",
-          "type": "string",
-          "default": ""
+          "description": "StorageClass used to store the ZooKeeper data",
+          "type": "string"
        }
      }
    }
--- a/packages/apps/kafka/values.yaml
+++ b/packages/apps/kafka/values.yaml
@@ -1,22 +1,17 @@
-##
 ## @section Common parameters
 ##
-
-## @param {bool} external - Enable external access from outside the cluster.
+## @param external {bool} Enable external access from outside the cluster
 external: false

-##
+
 ## @section Application-specific parameters
 ##
-
-## @typedef {struct} Topic - Topic configuration.
-## @field {string} name - Topic name.
-## @field {int} partitions - Number of partitions.
-## @field {int} replicas - Number of replicas.
-## @field {object} config - Topic configuration.
-
-## @param {[]Topic} topics - Topics configuration.
-topics: []
+## @param topics {[]topic} Topics configuration
+## @field topic {topic} Topic
+## @field topic.name {string} Topic name
+## @field topic.partitions {int} Number of partitions
+## @field topic.replicas {int} Number of replicas
+## @field topic.config {object} Topic configuration
 ## Example:
 ## topics:
 ##   - name: Results
@@ -32,54 +27,46 @@ topics: []
 ##       min.insync.replicas: 2
 ##     partitions: 1
 ##     replicas: 3
-
 ##
+topics: []
+
 ## @section Kafka configuration
 ##
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each replica.
-## @field {quantity} [cpu] - CPU available to each replica.
-## @field {quantity} [memory] - Memory (RAM) available to each replica.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @typedef {struct} Kafka - Kafka configuration.
-## @field {int} replicas - Number of Kafka replicas.
-## @field {Resources} [resources] - Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
-## @field {ResourcesPreset} resourcesPreset - Default sizing preset used when `resources` is omitted.
-## @field {quantity} size - Persistent Volume size for Kafka.
-## @field {string} storageClass - StorageClass used to store the Kafka data.
-
-## @param {Kafka} kafka - Kafka configuration.
+## @param kafka {kafka} Kafka configuration
 kafka:
+  ## @field kafka.replicas {int} Number of Kafka replicas
  replicas: 3
+  ## @field kafka.resources {*resources} Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  ## @field resources.cpu {*quantity} CPU available to each replica
+  ## @field resources.memory {*quantity} Memory (RAM) available to each replica
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
  resources: {}
+  ## @field kafka.resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
  resourcesPreset: "small"
+  ## @field kafka.size {quantity} Persistent Volume size for Kafka
  size: 10Gi
+  ## @field kafka.storageClass {string} StorageClass used to store the Kafka data
  storageClass: ""

-##
-## @section ZooKeeper configuration
-##

-## @typedef {struct} ZooKeeper - ZooKeeper configuration.
-## @field {int} replicas - Number of ZooKeeper replicas.
-## @field {Resources} [resources] - Explicit CPU and memory configuration. When omitted, the preset defined in `resourcesPreset` is applied.
-## @field {ResourcesPreset} resourcesPreset - Default sizing preset used when `resources` is omitted.
-## @field {quantity} size - Persistent Volume size for ZooKeeper.
-## @field {string} storageClass - StorageClass used to store the ZooKeeper data.
-
-## @param {ZooKeeper} zookeeper - ZooKeeper configuration.
+## @section Zookeeper configuration
+##
+## @param zookeeper {zookeeper} Zookeeper configuration
 zookeeper:
+  ## @field zookeeper.replicas {int} Number of ZooKeeper replicas
  replicas: 3
+  ## @field zookeeper.resources {*resources} Explicit CPU and memory configuration for each replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
  resources: {}
+
+  ## @field zookeeper.resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
  resourcesPreset: "small"
+  ## @field zookeeper.size {quantity} Persistent Volume size for ZooKeeper
  size: 5Gi
+  ## @field zookeeper.storageClass {string} StorageClass used to store the ZooKeeper data
  storageClass: ""
+
--- a/packages/apps/kubernetes/README.md
+++ b/packages/apps/kubernetes/README.md
@@ -84,92 +84,92 @@ See the reference for components utilized in this service:

 ### Common Parameters

-| Name           | Description                          | Type     | Value        |
-| -------------- | ------------------------------------ | -------- | ------------ |
-| `storageClass` | StorageClass used to store the data. | `string` | `replicated` |
+| Name           | Description                         | Type     | Value        |
+| -------------- | ----------------------------------- | -------- | ------------ |
+| `storageClass` | StorageClass used to store the data | `string` | `replicated` |


-### Application-specific Parameters
+### Application-specific parameters

-| Name                                | Description                                                                                    | Type                | Value       |
-| ----------------------------------- | ---------------------------------------------------------------------------------------------- | ------------------- | ----------- |
-| `nodeGroups`                        | Worker nodes configuration map.                                                                | `map[string]object` | `{...}`     |
-| `nodeGroups[name].minReplicas`      | Minimum number of replicas.                                                                    | `int`               | `0`         |
-| `nodeGroups[name].maxReplicas`      | Maximum number of replicas.                                                                    | `int`               | `10`        |
-| `nodeGroups[name].instanceType`     | Virtual machine instance type.                                                                 | `string`            | `u1.medium` |
-| `nodeGroups[name].ephemeralStorage` | Ephemeral storage size.                                                                        | `quantity`          | `20Gi`      |
-| `nodeGroups[name].roles`            | List of node roles.                                                                            | `[]string`          | `[]`        |
-| `nodeGroups[name].resources`        | CPU and memory resources for each worker node.                                                 | `object`            | `{}`        |
-| `nodeGroups[name].resources.cpu`    | CPU available.                                                                                 | `quantity`          | `""`        |
-| `nodeGroups[name].resources.memory` | Memory (RAM) available.                                                                        | `quantity`          | `""`        |
-| `nodeGroups[name].gpus`             | List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).                            | `[]object`          | `[]`        |
-| `nodeGroups[name].gpus[i].name`     | Name of GPU, such as "nvidia.com/AD102GL_L40S".                                                | `string`            | `""`        |
-| `version`                           | Kubernetes version (vMAJOR.MINOR). Supported: 1.28–1.33.                                     | `string`            | `v1.33`     |
-| `host`                              | External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty. | `string`            | `""`        |
+| Name                                | Description                                                                                                       | Type                | Value       |
+| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------- | ----------- |
+| `version`                           | Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.                               | `string`            | `v1.33`     |
+| `host`                              | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `string`            | `""`        |
+| `nodeGroups`                        | Worker nodes configuration                                                                                        | `map[string]object` | `{...}`     |
+| `nodeGroups[name].minReplicas`      | Minimum amount of replicas                                                                                        | `int`               | `0`         |
+| `nodeGroups[name].maxReplicas`      | Maximum amount of replicas                                                                                        | `int`               | `10`        |
+| `nodeGroups[name].instanceType`     | Virtual machine instance type                                                                                     | `string`            | `u1.medium` |
+| `nodeGroups[name].ephemeralStorage` | Ephemeral storage size                                                                                            | `quantity`          | `20Gi`      |
+| `nodeGroups[name].roles`            | List of node's roles                                                                                              | `[]string`          | `[]`        |
+| `nodeGroups[name].resources`        | Resources available to each worker node                                                                           | `object`            | `{}`        |
+| `nodeGroups[name].resources.cpu`    | CPU available to each worker node                                                                                 | `*quantity`         | `null`      |
+| `nodeGroups[name].resources.memory` | Memory (RAM) available to each worker node                                                                        | `*quantity`         | `null`      |
+| `nodeGroups[name].gpus`             | List of GPUs to attach (WARN: NVIDIA driver requires at least 4 GiB of RAM)                                       | `[]object`          | `{}`        |
+| `nodeGroups[name].gpus[i].name`     | Name of GPU, such as "nvidia.com/AD102GL_L40S"                                                                    | `string`            | `""`        |


 ### Cluster Addons

-| Name                                          | Description                                                                 | Type       | Value     |
-| --------------------------------------------- | --------------------------------------------------------------------------- | ---------- | --------- |
-| `addons`                                      | Cluster addons configuration.                                               | `object`   | `{}`      |
-| `addons.certManager`                          | Cert-manager addon.                                                         | `object`   | `{}`      |
-| `addons.certManager.enabled`                  | Enable cert-manager.                                                        | `bool`     | `false`   |
-| `addons.certManager.valuesOverride`           | Custom Helm values overrides.                                               | `object`   | `{}`      |
-| `addons.cilium`                               | Cilium CNI plugin.                                                          | `object`   | `{}`      |
-| `addons.cilium.valuesOverride`                | Custom Helm values overrides.                                               | `object`   | `{}`      |
-| `addons.gatewayAPI`                           | Gateway API addon.                                                          | `object`   | `{}`      |
-| `addons.gatewayAPI.enabled`                   | Enable Gateway API.                                                         | `bool`     | `false`   |
-| `addons.ingressNginx`                         | Ingress-NGINX controller.                                                   | `object`   | `{}`      |
-| `addons.ingressNginx.enabled`                 | Enable the controller (requires nodes labeled `ingress-nginx`).             | `bool`     | `false`   |
-| `addons.ingressNginx.exposeMethod`            | Method to expose the controller. Allowed values: `Proxied`, `LoadBalancer`. | `string`   | `Proxied` |
-| `addons.ingressNginx.hosts`                   | Domains routed to this tenant cluster when `exposeMethod` is `Proxied`.     | `[]string` | `[]`      |
-| `addons.ingressNginx.valuesOverride`          | Custom Helm values overrides.                                               | `object`   | `{}`      |
-| `addons.gpuOperator`                          | NVIDIA GPU Operator.                                                        | `object`   | `{}`      |
-| `addons.gpuOperator.enabled`                  | Enable GPU Operator.                                                        | `bool`     | `false`   |
-| `addons.gpuOperator.valuesOverride`           | Custom Helm values overrides.                                               | `object`   | `{}`      |
-| `addons.fluxcd`                               | FluxCD GitOps operator.                                                     | `object`   | `{}`      |
-| `addons.fluxcd.enabled`                       | Enable FluxCD.                                                              | `bool`     | `false`   |
-| `addons.fluxcd.valuesOverride`                | Custom Helm values overrides.                                               | `object`   | `{}`      |
-| `addons.monitoringAgents`                     | Monitoring agents.                                                          | `object`   | `{}`      |
-| `addons.monitoringAgents.enabled`             | Enable monitoring agents.                                                   | `bool`     | `false`   |
-| `addons.monitoringAgents.valuesOverride`      | Custom Helm values overrides.                                               | `object`   | `{}`      |
-| `addons.verticalPodAutoscaler`                | Vertical Pod Autoscaler.                                                    | `object`   | `{}`      |
-| `addons.verticalPodAutoscaler.valuesOverride` | Custom Helm values overrides.                                               | `object`   | `{}`      |
-| `addons.velero`                               | Velero backup/restore addon.                                                | `object`   | `{}`      |
-| `addons.velero.enabled`                       | Enable Velero.                                                              | `bool`     | `false`   |
-| `addons.velero.valuesOverride`                | Custom Helm values overrides.                                               | `object`   | `{}`      |
-| `addons.coredns`                              | CoreDNS addon.                                                              | `object`   | `{}`      |
-| `addons.coredns.valuesOverride`               | Custom Helm values overrides.                                               | `object`   | `{}`      |
+| Name                                          | Description                                                                                                                                                                       | Type       | Value     |
+| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | --------- |
+| `addons`                                      | Cluster addons configuration                                                                                                                                                      | `object`   | `{}`      |
+| `addons.certManager`                          | Cert-manager: automatically creates and manages SSL/TLS certificate                                                                                                               | `object`   | `{}`      |
+| `addons.certManager.enabled`                  | Enable cert-manager, which automatically creates and manages SSL/TLS certificates.                                                                                                | `bool`     | `false`   |
+| `addons.certManager.valuesOverride`           | Custom values to override                                                                                                                                                         | `object`   | `{}`      |
+| `addons.cilium`                               | Cilium CNI plugin                                                                                                                                                                 | `object`   | `{}`      |
+| `addons.cilium.valuesOverride`                | Custom values to override                                                                                                                                                         | `object`   | `{}`      |
+| `addons.gatewayAPI`                           | Gateway API                                                                                                                                                                       | `object`   | `{}`      |
+| `addons.gatewayAPI.enabled`                   | Enable the Gateway API                                                                                                                                                            | `bool`     | `false`   |
+| `addons.ingressNginx`                         | Ingress-NGINX Controller                                                                                                                                                          | `object`   | `{}`      |
+| `addons.ingressNginx.enabled`                 | Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).                                                                                       | `bool`     | `false`   |
+| `addons.ingressNginx.exposeMethod`            | Method to expose the Ingress-NGINX controller. Allowed values: `Proxied`, `LoadBalancer`.                                                                                         | `string`   | `Proxied` |
+| `addons.ingressNginx.hosts`                   | List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.                                | `[]string` | `[]`      |
+| `addons.ingressNginx.valuesOverride`          | Custom values to override                                                                                                                                                         | `object`   | `{}`      |
+| `addons.gpuOperator`                          | GPU-operator: NVIDIA GPU Operator                                                                                                                                                 | `object`   | `{}`      |
+| `addons.gpuOperator.enabled`                  | Enable the GPU-operator                                                                                                                                                           | `bool`     | `false`   |
+| `addons.gpuOperator.valuesOverride`           | Custom values to override                                                                                                                                                         | `object`   | `{}`      |
+| `addons.fluxcd`                               | Flux CD                                                                                                                                                                           | `object`   | `{}`      |
+| `addons.fluxcd.enabled`                       | Enable FluxCD                                                                                                                                                                     | `bool`     | `false`   |
+| `addons.fluxcd.valuesOverride`                | Custom values to override                                                                                                                                                         | `object`   | `{}`      |
+| `addons.monitoringAgents`                     | MonitoringAgents                                                                                                                                                                  | `object`   | `{}`      |
+| `addons.monitoringAgents.enabled`             | Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage. | `bool`     | `false`   |
+| `addons.monitoringAgents.valuesOverride`      | Custom values to override                                                                                                                                                         | `object`   | `{}`      |
+| `addons.verticalPodAutoscaler`                | VerticalPodAutoscaler                                                                                                                                                             | `object`   | `{}`      |
+| `addons.verticalPodAutoscaler.valuesOverride` | Custom values to override                                                                                                                                                         | `object`   | `{}`      |
+| `addons.velero`                               | Velero                                                                                                                                                                            | `object`   | `{}`      |
+| `addons.velero.enabled`                       | Enable Velero for backup and recovery of a tenant Kubernetes cluster.                                                                                                             | `bool`     | `false`   |
+| `addons.velero.valuesOverride`                | Custom values to override                                                                                                                                                         | `object`   | `{}`      |
+| `addons.coredns`                              | Coredns                                                                                                                                                                           | `object`   | `{}`      |
+| `addons.coredns.valuesOverride`               | Custom values to override                                                                                                                                                         | `object`   | `{}`      |


 ### Kubernetes Control Plane Configuration

-| Name                                                | Description                                      | Type       | Value    |
-| --------------------------------------------------- | ------------------------------------------------ | ---------- | -------- |
-| `controlPlane`                                      | Kubernetes control-plane configuration.          | `object`   | `{}`     |
-| `controlPlane.replicas`                             | Number of control-plane replicas.                | `int`      | `2`      |
-| `controlPlane.apiServer`                            | API Server configuration.                        | `object`   | `{}`     |
-| `controlPlane.apiServer.resources`                  | CPU and memory resources for API Server.         | `object`   | `{}`     |
-| `controlPlane.apiServer.resources.cpu`              | CPU available.                                   | `quantity` | `""`     |
-| `controlPlane.apiServer.resources.memory`           | Memory (RAM) available.                          | `quantity` | `""`     |
-| `controlPlane.apiServer.resourcesPreset`            | Preset if `resources` omitted.                   | `string`   | `medium` |
-| `controlPlane.controllerManager`                    | Controller Manager configuration.                | `object`   | `{}`     |
-| `controlPlane.controllerManager.resources`          | CPU and memory resources for Controller Manager. | `object`   | `{}`     |
-| `controlPlane.controllerManager.resources.cpu`      | CPU available.                                   | `quantity` | `""`     |
-| `controlPlane.controllerManager.resources.memory`   | Memory (RAM) available.                          | `quantity` | `""`     |
-| `controlPlane.controllerManager.resourcesPreset`    | Preset if `resources` omitted.                   | `string`   | `micro`  |
-| `controlPlane.scheduler`                            | Scheduler configuration.                         | `object`   | `{}`     |
-| `controlPlane.scheduler.resources`                  | CPU and memory resources for Scheduler.          | `object`   | `{}`     |
-| `controlPlane.scheduler.resources.cpu`              | CPU available.                                   | `quantity` | `""`     |
-| `controlPlane.scheduler.resources.memory`           | Memory (RAM) available.                          | `quantity` | `""`     |
-| `controlPlane.scheduler.resourcesPreset`            | Preset if `resources` omitted.                   | `string`   | `micro`  |
-| `controlPlane.konnectivity`                         | Konnectivity configuration.                      | `object`   | `{}`     |
-| `controlPlane.konnectivity.server`                  | Konnectivity Server configuration.               | `object`   | `{}`     |
-| `controlPlane.konnectivity.server.resources`        | CPU and memory resources for Konnectivity.       | `object`   | `{}`     |
-| `controlPlane.konnectivity.server.resources.cpu`    | CPU available.                                   | `quantity` | `""`     |
-| `controlPlane.konnectivity.server.resources.memory` | Memory (RAM) available.                          | `quantity` | `""`     |
-| `controlPlane.konnectivity.server.resourcesPreset`  | Preset if `resources` omitted.                   | `string`   | `micro`  |
+| Name                                                | Description                                                                                                                               | Type        | Value    |
+| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -------- |
+| `controlPlane`                                      | Control Plane Configuration                                                                                                               | `object`    | `{}`     |
+| `controlPlane.replicas`                             | Number of replicas for Kubernetes control plane components.                                                                               | `int`       | `2`      |
+| `controlPlane.apiServer`                            | Control plane API server configuration.                                                                                                   | `object`    | `{}`     |
+| `controlPlane.apiServer.resources`                  | Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.            | `object`    | `{}`     |
+| `controlPlane.apiServer.resources.cpu`              | CPU available to each worker node                                                                                                         | `*quantity` | `null`   |
+| `controlPlane.apiServer.resources.memory`           | Memory (RAM) available to each worker node                                                                                                | `*quantity` | `null`   |
+| `controlPlane.apiServer.resourcesPreset`            | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `medium` |
+| `controlPlane.controllerManager`                    | Controller Manager configuration.                                                                                                         | `object`    | `{}`     |
+| `controlPlane.controllerManager.resources`          | Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.    | `object`    | `{}`     |
+| `controlPlane.controllerManager.resources.cpu`      | CPU available to each worker node                                                                                                         | `*quantity` | `null`   |
+| `controlPlane.controllerManager.resources.memory`   | Memory (RAM) available to each worker node                                                                                                | `*quantity` | `null`   |
+| `controlPlane.controllerManager.resourcesPreset`    | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `micro`  |
+| `controlPlane.scheduler`                            | Scheduler configuration.                                                                                                                  | `object`    | `{}`     |
+| `controlPlane.scheduler.resources`                  | Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.             | `object`    | `{}`     |
+| `controlPlane.scheduler.resources.cpu`              | CPU available to each worker node                                                                                                         | `*quantity` | `null`   |
+| `controlPlane.scheduler.resources.memory`           | Memory (RAM) available to each worker node                                                                                                | `*quantity` | `null`   |
+| `controlPlane.scheduler.resourcesPreset`            | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `micro`  |
+| `controlPlane.konnectivity`                         | Konnectivity configuration.                                                                                                               | `object`    | `{}`     |
+| `controlPlane.konnectivity.server`                  | Konnectivity server configuration.                                                                                                        | `object`    | `{}`     |
+| `controlPlane.konnectivity.server.resources`        | Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.              | `object`    | `{}`     |
+| `controlPlane.konnectivity.server.resources.cpu`    | CPU available to each worker node                                                                                                         | `*quantity` | `null`   |
+| `controlPlane.konnectivity.server.resources.memory` | Memory (RAM) available to each worker node                                                                                                | `*quantity` | `null`   |
+| `controlPlane.konnectivity.server.resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `micro`  |


 ## Parameter examples and reference
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:c8b08084a86251cdd18e237de89b695bca0e4f7eb1f1f6ddc2b903b4d74ea5ff
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:d5c836ba33cf5dbed7e6f866784f668f80ffe69179e7c75847b680111984eefb
--- a/packages/apps/kubernetes/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/kubernetes/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-admin-kubeconfig
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  {{- range $groupName, $group := .Values.nodeGroups }}
+  - {{ $.Release.Name }}-{{ $groupName }}
+  {{- end }}
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/kubernetes/templates/delete.yaml
+++ b/packages/apps/kubernetes/templates/delete.yaml
@@ -0,0 +1,150 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "10"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+  name: {{ .Release.Name }}-cleanup
+spec:
+  template:
+    metadata:
+      labels:
+        policy.cozystack.io/allow-to-apiserver: "true"
+    spec:
+      serviceAccountName: {{ .Release.Name }}-cleanup
+      restartPolicy: Never
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
+      containers:
+        - name: kubectl
+          image: docker.io/clastix/kubectl:v1.32
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -e
+              echo "Step 1: Suspending all HelmReleases with label cozystack.io/target-cluster-name={{ .Release.Name }}"
+              for hr in $(kubectl -n {{ .Release.Namespace }} get helmreleases.helm.toolkit.fluxcd.io -l "cozystack.io/target-cluster-name={{ .Release.Name }}" -o name 2>/dev/null || true); do
+                if [ -n "$hr" ]; then           
+                  echo "  Suspending $hr"
+                  kubectl -n {{ .Release.Namespace }} patch "$hr" \
+                    -p '{"spec": {"suspend": true}}' \
+                    --type=merge --field-manager=flux-client-side-apply
+                fi
+              done
+
+              echo "Step 2: Deleting HelmReleases with label cozystack.io/target-cluster-name={{ .Release.Name }}"
+              kubectl -n {{ .Release.Namespace }} delete helmreleases.helm.toolkit.fluxcd.io \
+                -l "cozystack.io/target-cluster-name={{ .Release.Name }}" \
+                --ignore-not-found=true --wait=true
+
+              echo "Step 3: Deleting KamajiControlPlane {{ .Release.Name }}"
+              kubectl -n {{ .Release.Namespace }} delete kamajicontrolplanes.controlplane.cluster.x-k8s.io {{ .Release.Name }} \
+                --ignore-not-found=true
+
+              echo "Step 4: Deleting TenantControlPlane {{ .Release.Name }}"
+              kubectl -n {{ .Release.Namespace }} delete tenantcontrolplanes.kamaji.clastix.io {{ .Release.Name }} \
+                --ignore-not-found=true
+
+              echo "Step 5: Cleaning up DataVolumes"
+              kubectl -n {{ .Release.Namespace }} delete datavolumes \
+                -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}" \
+                --ignore-not-found=true
+
+              echo "Step 6: Cleaning up LoadBalancer Services"
+              kubectl -n {{ .Release.Namespace }} delete services \
+                -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}" \
+                --field-selector spec.type=LoadBalancer \
+                --ignore-not-found=true
+
+              echo "Cleanup completed successfully"
+
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-cleanup
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
+    helm.sh/hook-weight: "0"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+    "helm.sh/hook-weight": "5"
+  name: {{ .Release.Name }}-cleanup
+rules:
+  - apiGroups:
+      - "helm.toolkit.fluxcd.io"
+    resources:
+      - helmreleases
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - delete
+  - apiGroups:
+      - "controlplane.cluster.x-k8s.io"
+    resources:
+      - kamajicontrolplanes
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+  - apiGroups:
+      - "kamaji.clastix.io"
+    resources:
+      - tenantcontrolplanes
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+  - apiGroups:
+      - "cdi.kubevirt.io"
+    resources:
+      - datavolumes
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+    "helm.sh/hook-weight": "5"
+  name: {{ .Release.Name }}-cleanup
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-cleanup
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-cleanup
+    namespace: {{ .Release.Namespace }}
--- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml
@@ -1,103 +0,0 @@
---
-apiVersion: batch/v1
-kind: Job
-metadata:
-  annotations:
-    "helm.sh/hook": pre-delete
-    "helm.sh/hook-weight": "10"
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-  name: {{ .Release.Name }}-flux-teardown
-spec:
-  template:
-    spec:
-      serviceAccountName: {{ .Release.Name }}-flux-teardown
-      restartPolicy: Never
-      tolerations:
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: "NoSchedule"
-      containers:
-        - name: kubectl
-          image: docker.io/clastix/kubectl:v1.32
-          command:
-            - /bin/sh
-            - -c
-            - |
-                kubectl
-                --namespace={{ .Release.Namespace }}
-                patch
-                helmrelease
-                {{ .Release.Name }}-cilium
-                {{ .Release.Name }}-gateway-api-crds
-                {{ .Release.Name }}-csi
-                {{ .Release.Name }}-cert-manager
-                {{ .Release.Name }}-cert-manager-crds
-                {{ .Release.Name }}-vertical-pod-autoscaler
-                {{ .Release.Name }}-vertical-pod-autoscaler-crds
-                {{ .Release.Name }}-ingress-nginx
-                {{ .Release.Name }}-fluxcd-operator
-                {{ .Release.Name }}-fluxcd
-                {{ .Release.Name }}-gpu-operator
-                {{ .Release.Name }}-velero
-                {{ .Release.Name }}-coredns
-                -p '{"spec": {"suspend": true}}'
-                --type=merge --field-manager=flux-client-side-apply || true
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Release.Name }}-flux-teardown
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-failed
-    helm.sh/hook-weight: "0"
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  annotations:
-    "helm.sh/hook": pre-install,post-install,pre-delete
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-    "helm.sh/hook-weight": "5"
-  name: {{ .Release.Name }}-flux-teardown
-rules:
-  - apiGroups:
-      - "helm.toolkit.fluxcd.io"
-    resources:
-      - helmreleases
-    verbs:
-      - get
-      - patch
-    resourceNames:
-      - {{ .Release.Name }}-cilium
-      - {{ .Release.Name }}-csi
-      - {{ .Release.Name }}-cert-manager
-      - {{ .Release.Name }}-cert-manager-crds
-      - {{ .Release.Name }}-vertical-pod-autoscaler
-      - {{ .Release.Name }}-vertical-pod-autoscaler-crds
-      - {{ .Release.Name }}-ingress-nginx
-      - {{ .Release.Name }}-fluxcd-operator
-      - {{ .Release.Name }}-fluxcd
-      - {{ .Release.Name }}-gpu-operator
-      - {{ .Release.Name }}-velero
-      - {{ .Release.Name }}-coredns
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
-    helm.sh/hook-weight: "5"
-  name: {{ .Release.Name }}-flux-teardown
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .Release.Name }}-flux-teardown
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Release.Name }}-flux-teardown
-    namespace: {{ .Release.Namespace }}
--- a/packages/apps/kubernetes/values.schema.json
+++ b/packages/apps/kubernetes/values.schema.json
@@ -3,7 +3,7 @@
  "type": "object",
  "properties": {
    "addons": {
-      "description": "Cluster addons configuration.",
+      "description": "Cluster addons configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -20,7 +20,7 @@
      ],
      "properties": {
        "certManager": {
-          "description": "Cert-manager addon.",
+          "description": "Cert-manager: automatically creates and manages SSL/TLS certificate",
          "type": "object",
          "default": {},
          "required": [
@@ -29,12 +29,12 @@
          ],
          "properties": {
            "enabled": {
-              "description": "Enable cert-manager.",
+              "description": "Enable cert-manager, which automatically creates and manages SSL/TLS certificates.",
              "type": "boolean",
              "default": false
            },
            "valuesOverride": {
-              "description": "Custom Helm values overrides.",
+              "description": "Custom values to override",
              "type": "object",
              "default": {},
              "x-kubernetes-preserve-unknown-fields": true
@@ -42,7 +42,7 @@
          }
        },
        "cilium": {
-          "description": "Cilium CNI plugin.",
+          "description": "Cilium CNI plugin",
          "type": "object",
          "default": {},
          "required": [
@@ -50,7 +50,7 @@
          ],
          "properties": {
            "valuesOverride": {
-              "description": "Custom Helm values overrides.",
+              "description": "Custom values to override",
              "type": "object",
              "default": {},
              "x-kubernetes-preserve-unknown-fields": true
@@ -58,7 +58,7 @@
          }
        },
        "coredns": {
-          "description": "CoreDNS addon.",
+          "description": "Coredns",
          "type": "object",
          "default": {},
          "required": [
@@ -66,7 +66,7 @@
          ],
          "properties": {
            "valuesOverride": {
-              "description": "Custom Helm values overrides.",
+              "description": "Custom values to override",
              "type": "object",
              "default": {},
              "x-kubernetes-preserve-unknown-fields": true
@@ -74,7 +74,7 @@
          }
        },
        "fluxcd": {
-          "description": "FluxCD GitOps operator.",
+          "description": "Flux CD",
          "type": "object",
          "default": {},
          "required": [
@@ -83,12 +83,12 @@
          ],
          "properties": {
            "enabled": {
-              "description": "Enable FluxCD.",
+              "description": "Enable FluxCD",
              "type": "boolean",
              "default": false
            },
            "valuesOverride": {
-              "description": "Custom Helm values overrides.",
+              "description": "Custom values to override",
              "type": "object",
              "default": {},
              "x-kubernetes-preserve-unknown-fields": true
@@ -96,7 +96,7 @@
          }
        },
        "gatewayAPI": {
-          "description": "Gateway API addon.",
+          "description": "Gateway API",
          "type": "object",
          "default": {},
          "required": [
@@ -104,14 +104,14 @@
          ],
          "properties": {
            "enabled": {
-              "description": "Enable Gateway API.",
+              "description": "Enable the Gateway API",
              "type": "boolean",
              "default": false
            }
          }
        },
        "gpuOperator": {
-          "description": "NVIDIA GPU Operator.",
+          "description": "GPU-operator: NVIDIA GPU Operator",
          "type": "object",
          "default": {},
          "required": [
@@ -120,12 +120,12 @@
          ],
          "properties": {
            "enabled": {
-              "description": "Enable GPU Operator.",
+              "description": "Enable the GPU-operator",
              "type": "boolean",
              "default": false
            },
            "valuesOverride": {
-              "description": "Custom Helm values overrides.",
+              "description": "Custom values to override",
              "type": "object",
              "default": {},
              "x-kubernetes-preserve-unknown-fields": true
@@ -133,7 +133,7 @@
          }
        },
        "ingressNginx": {
-          "description": "Ingress-NGINX controller.",
+          "description": "Ingress-NGINX Controller",
          "type": "object",
          "default": {},
          "required": [
@@ -143,17 +143,21 @@
          ],
          "properties": {
            "enabled": {
-              "description": "Enable the controller (requires nodes labeled `ingress-nginx`).",
+              "description": "Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).",
              "type": "boolean",
              "default": false
            },
            "exposeMethod": {
-              "description": "Method to expose the controller. Allowed values: `Proxied`, `LoadBalancer`.",
+              "description": "Method to expose the Ingress-NGINX controller. Allowed values: `Proxied`, `LoadBalancer`.",
              "type": "string",
-              "default": "Proxied"
+              "default": "Proxied",
+              "enum": [
+                "Proxied",
+                "LoadBalancer"
+              ]
            },
            "hosts": {
-              "description": "Domains routed to this tenant cluster when `exposeMethod` is `Proxied`.",
+              "description": "List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.",
              "type": "array",
              "default": [],
              "items": {
@@ -161,7 +165,7 @@
              }
            },
            "valuesOverride": {
-              "description": "Custom Helm values overrides.",
+              "description": "Custom values to override",
              "type": "object",
              "default": {},
              "x-kubernetes-preserve-unknown-fields": true
@@ -169,7 +173,7 @@
          }
        },
        "monitoringAgents": {
-          "description": "Monitoring agents.",
+          "description": "MonitoringAgents",
          "type": "object",
          "default": {},
          "required": [
@@ -178,12 +182,12 @@
          ],
          "properties": {
            "enabled": {
-              "description": "Enable monitoring agents.",
+              "description": "Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage.",
              "type": "boolean",
              "default": false
            },
            "valuesOverride": {
-              "description": "Custom Helm values overrides.",
+              "description": "Custom values to override",
              "type": "object",
              "default": {},
              "x-kubernetes-preserve-unknown-fields": true
@@ -191,7 +195,7 @@
          }
        },
        "velero": {
-          "description": "Velero backup/restore addon.",
+          "description": "Velero",
          "type": "object",
          "default": {},
          "required": [
@@ -200,12 +204,12 @@
          ],
          "properties": {
            "enabled": {
-              "description": "Enable Velero.",
+              "description": "Enable Velero for backup and recovery of a tenant Kubernetes cluster.",
              "type": "boolean",
              "default": false
            },
            "valuesOverride": {
-              "description": "Custom Helm values overrides.",
+              "description": "Custom values to override",
              "type": "object",
              "default": {},
              "x-kubernetes-preserve-unknown-fields": true
@@ -213,7 +217,7 @@
          }
        },
        "verticalPodAutoscaler": {
-          "description": "Vertical Pod Autoscaler.",
+          "description": "VerticalPodAutoscaler",
          "type": "object",
          "default": {},
          "required": [
@@ -221,7 +225,7 @@
          ],
          "properties": {
            "valuesOverride": {
-              "description": "Custom Helm values overrides.",
+              "description": "Custom values to override",
              "type": "object",
              "default": {},
              "x-kubernetes-preserve-unknown-fields": true
@@ -231,7 +235,7 @@
      }
    },
    "controlPlane": {
-      "description": "Kubernetes control-plane configuration.",
+      "description": "Control Plane Configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -243,7 +247,7 @@
      ],
      "properties": {
        "apiServer": {
-          "description": "API Server configuration.",
+          "description": "Control plane API server configuration.",
          "type": "object",
          "default": {},
          "required": [
@@ -252,12 +256,12 @@
          ],
          "properties": {
            "resources": {
-              "description": "CPU and memory resources for API Server.",
+              "description": "Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.",
              "type": "object",
              "default": {},
              "properties": {
                "cpu": {
-                  "description": "CPU available.",
+                  "description": "CPU available to each worker node",
                  "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                  "anyOf": [
                    {
@@ -270,7 +274,7 @@
                  "x-kubernetes-int-or-string": true
                },
                "memory": {
-                  "description": "Memory (RAM) available.",
+                  "description": "Memory (RAM) available to each worker node",
                  "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                  "anyOf": [
                    {
@@ -285,7 +289,7 @@
              }
            },
            "resourcesPreset": {
-              "description": "Preset if `resources` omitted.",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
              "type": "string",
              "default": "medium",
              "enum": [
@@ -310,12 +314,12 @@
          ],
          "properties": {
            "resources": {
-              "description": "CPU and memory resources for Controller Manager.",
+              "description": "Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.",
              "type": "object",
              "default": {},
              "properties": {
                "cpu": {
-                  "description": "CPU available.",
+                  "description": "CPU available to each worker node",
                  "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                  "anyOf": [
                    {
@@ -328,7 +332,7 @@
                  "x-kubernetes-int-or-string": true
                },
                "memory": {
-                  "description": "Memory (RAM) available.",
+                  "description": "Memory (RAM) available to each worker node",
                  "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                  "anyOf": [
                    {
@@ -343,7 +347,7 @@
              }
            },
            "resourcesPreset": {
-              "description": "Preset if `resources` omitted.",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
              "type": "string",
              "default": "micro",
              "enum": [
@@ -367,7 +371,7 @@
          ],
          "properties": {
            "server": {
-              "description": "Konnectivity Server configuration.",
+              "description": "Konnectivity server configuration.",
              "type": "object",
              "default": {},
              "required": [
@@ -376,12 +380,12 @@
              ],
              "properties": {
                "resources": {
-                  "description": "CPU and memory resources for Konnectivity.",
+                  "description": "Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.",
                  "type": "object",
                  "default": {},
                  "properties": {
                    "cpu": {
-                      "description": "CPU available.",
+                      "description": "CPU available to each worker node",
                      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                      "anyOf": [
                        {
@@ -394,7 +398,7 @@
                      "x-kubernetes-int-or-string": true
                    },
                    "memory": {
-                      "description": "Memory (RAM) available.",
+                      "description": "Memory (RAM) available to each worker node",
                      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                      "anyOf": [
                        {
@@ -409,7 +413,7 @@
                  }
                },
                "resourcesPreset": {
-                  "description": "Preset if `resources` omitted.",
+                  "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
                  "type": "string",
                  "default": "micro",
                  "enum": [
@@ -427,7 +431,7 @@
          }
        },
        "replicas": {
-          "description": "Number of control-plane replicas.",
+          "description": "Number of replicas for Kubernetes control plane components.",
          "type": "integer",
          "default": 2
        },
@@ -441,12 +445,12 @@
          ],
          "properties": {
            "resources": {
-              "description": "CPU and memory resources for Scheduler.",
+              "description": "Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.",
              "type": "object",
              "default": {},
              "properties": {
                "cpu": {
-                  "description": "CPU available.",
+                  "description": "CPU available to each worker node",
                  "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                  "anyOf": [
                    {
@@ -459,7 +463,7 @@
                  "x-kubernetes-int-or-string": true
                },
                "memory": {
-                  "description": "Memory (RAM) available.",
+                  "description": "Memory (RAM) available to each worker node",
                  "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                  "anyOf": [
                    {
@@ -474,7 +478,7 @@
              }
            },
            "resourcesPreset": {
-              "description": "Preset if `resources` omitted.",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
              "type": "string",
              "default": "micro",
              "enum": [
@@ -492,12 +496,11 @@
      }
    },
    "host": {
-      "description": "External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty.",
-      "type": "string",
-      "default": ""
+      "description": "Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.",
+      "type": "string"
    },
    "nodeGroups": {
-      "description": "Worker nodes configuration map.",
+      "description": "Worker nodes configuration",
      "type": "object",
      "default": {
        "md0": {
@@ -523,7 +526,7 @@
        ],
        "properties": {
          "ephemeralStorage": {
-            "description": "Ephemeral storage size.",
+            "description": "Ephemeral storage size",
            "default": "20Gi",
            "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
            "anyOf": [
@@ -537,8 +540,9 @@
            "x-kubernetes-int-or-string": true
          },
          "gpus": {
-            "description": "List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).",
+            "description": "List of GPUs to attach (WARN: NVIDIA driver requires at least 4 GiB of RAM)",
            "type": "array",
+            "default": [],
            "items": {
              "type": "object",
              "required": [
@@ -546,33 +550,34 @@
              ],
              "properties": {
                "name": {
-                  "description": "Name of GPU, such as \"nvidia.com/AD102GL_L40S\".",
+                  "description": "Name of GPU, such as \"nvidia.com/AD102GL_L40S\"",
                  "type": "string"
                }
              }
            }
          },
          "instanceType": {
-            "description": "Virtual machine instance type.",
+            "description": "Virtual machine instance type",
            "type": "string",
            "default": "u1.medium"
          },
          "maxReplicas": {
-            "description": "Maximum number of replicas.",
+            "description": "Maximum amount of replicas",
            "type": "integer",
            "default": 10
          },
          "minReplicas": {
-            "description": "Minimum number of replicas.",
+            "description": "Minimum amount of replicas",
            "type": "integer",
            "default": 0
          },
          "resources": {
-            "description": "CPU and memory resources for each worker node.",
+            "description": "Resources available to each worker node",
            "type": "object",
+            "default": {},
            "properties": {
              "cpu": {
-                "description": "CPU available.",
+                "description": "CPU available to each worker node",
                "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                "anyOf": [
                  {
@@ -585,7 +590,7 @@
                "x-kubernetes-int-or-string": true
              },
              "memory": {
-                "description": "Memory (RAM) available.",
+                "description": "Memory (RAM) available to each worker node",
                "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                "anyOf": [
                  {
@@ -600,7 +605,7 @@
            }
          },
          "roles": {
-            "description": "List of node roles.",
+            "description": "List of node's roles",
            "type": "array",
            "items": {
              "type": "string"
@@ -610,12 +615,12 @@
      }
    },
    "storageClass": {
-      "description": "StorageClass used to store the data.",
+      "description": "StorageClass used to store the data",
      "type": "string",
      "default": "replicated"
    },
    "version": {
-      "description": "Kubernetes version (vMAJOR.MINOR). Supported: 1.28–1.33.",
+      "description": "Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.",
      "type": "string",
      "default": "v1.33",
      "enum": [
--- a/packages/apps/kubernetes/values.yaml
+++ b/packages/apps/kubernetes/values.yaml
@@ -1,40 +1,27 @@
-##
 ## @section Common Parameters
-##

-## @param {string} storageClass - StorageClass used to store the data.
+## @param storageClass {string} StorageClass used to store the data
 storageClass: replicated

+## @section Application-specific parameters
+## @param version {string} Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.
+version: "v1.33"
+## @param host {string} Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
+host: ""
+
+## @param nodeGroups {map[string]nodeGroup} Worker nodes configuration
+## @field nodeGroup {nodeGroup} Node configuration
+## @field nodeGroup.minReplicas {int default=0} Minimum amount of replicas
+## @field nodeGroup.maxReplicas {int default=10} Maximum amount of replicas
+## @field nodeGroup.instanceType {string default="u1.medium"} Virtual machine instance type
+## @field nodeGroup.ephemeralStorage {quantity default="20Gi"} Ephemeral storage size
+## @field nodeGroup.roles {[]string default=[]} List of node's roles
+## @field nodeGroup.resources {resources default={}} Resources available to each worker node
+## @field resources.cpu {*quantity} CPU available to each worker node
+## @field resources.memory {*quantity} Memory (RAM) available to each worker node
+## @field nodeGroup.gpus {[]gpu default={}} List of GPUs to attach (WARN: NVIDIA driver requires at least 4 GiB of RAM)
+## @field gpu.name {string} Name of GPU, such as "nvidia.com/AD102GL_L40S"
 ##
-## @section Application-specific Parameters
-##
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for a node or component.
-## @field {quantity} [cpu] - CPU available.
-## @field {quantity} [memory] - Memory (RAM) available.
-
-## @typedef {struct} GPU - GPU configuration.
-## @field {string} name - Name of GPU, such as "nvidia.com/AD102GL_L40S".
-
-## @typedef {struct} NodeGroup - Worker node group configuration.
-## @field {int} minReplicas=0 - Minimum number of replicas.
-## @field {int} maxReplicas=10 - Maximum number of replicas.
-## @field {string} instanceType="u1.medium" - Virtual machine instance type.
-## @field {quantity} ephemeralStorage="20Gi" - Ephemeral storage size.
-## @field {[]string} roles - List of node roles.
-## @field {Resources} resources - CPU and memory resources for each worker node.
-## @field {[]GPU} gpus - List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).
-
-## @param {map[string]NodeGroup} nodeGroups - Worker nodes configuration map.
 nodeGroups:
  md0:
    minReplicas: 0
@@ -44,142 +31,141 @@ nodeGroups:
    roles:
    - ingress-nginx
    resources: {}
+    ## List of GPUs to attach (WARN: NVIDIA driver requires at least 4 GiB of RAM)
+    ## e.g:
+    ## instanceType: "u1.xlarge"
+    ## gpus:
+    ## - name: nvidia.com/AD102GL_L40S
    gpus: []

-## @param {string} version - Kubernetes version (vMAJOR.MINOR). Supported: 1.28–1.33.
-version: "v1.33"

-## @param {string} host - External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty.
-host: ""
-
-##
 ## @section Cluster Addons
 ##
-
-## @typedef {struct} CertManagerAddon - cert-manager addon.
-## @field {bool} enabled - Enable cert-manager.
-## @field {object} valuesOverride - Custom Helm values overrides.
-
-## @typedef {struct} CiliumAddon - Cilium CNI plugin.
-## @field {object} valuesOverride - Custom Helm values overrides.
-
-## @typedef {struct} GatewayAPIAddon - Gateway API addon.
-## @field {bool} enabled - Enable Gateway API.
-
-## @typedef {struct} IngressNginxAddon - Ingress-NGINX controller.
-## @field {bool} enabled - Enable the controller (requires nodes labeled `ingress-nginx`).
-## @field {string} exposeMethod - Method to expose the controller. Allowed values: `Proxied`, `LoadBalancer`.
-## @field {[]string} hosts - Domains routed to this tenant cluster when `exposeMethod` is `Proxied`.
-## @field {object} valuesOverride - Custom Helm values overrides.
-
-## @typedef {struct} GPUOperatorAddon - NVIDIA GPU Operator.
-## @field {bool} enabled - Enable GPU Operator.
-## @field {object} valuesOverride - Custom Helm values overrides.
-
-## @typedef {struct} FluxCDAddon - FluxCD GitOps operator.
-## @field {bool} enabled - Enable FluxCD.
-## @field {object} valuesOverride - Custom Helm values overrides.
-
-## @typedef {struct} MonitoringAgentsAddon - Monitoring agents (Fluent Bit, VMAgents).
-## @field {bool} enabled - Enable monitoring agents.
-## @field {object} valuesOverride - Custom Helm values overrides.
-
-## @typedef {struct} VerticalPodAutoscalerAddon - Vertical Pod Autoscaler.
-## @field {object} valuesOverride - Custom Helm values overrides.
-
-## @typedef {struct} VeleroAddon - Velero backup and recovery addon.
-## @field {bool} enabled - Enable Velero.
-## @field {object} valuesOverride - Custom Helm values overrides.
-
-## @typedef {struct} CoreDNSAddon - CoreDNS addon.
-## @field {object} valuesOverride - Custom Helm values overrides.
-
-## @typedef {struct} Addons - Cluster addons configuration.
-## @field {CertManagerAddon} certManager - Cert-manager addon.
-## @field {CiliumAddon} cilium - Cilium CNI plugin.
-## @field {GatewayAPIAddon} gatewayAPI - Gateway API addon.
-## @field {IngressNginxAddon} ingressNginx - Ingress-NGINX controller.
-## @field {GPUOperatorAddon} gpuOperator - NVIDIA GPU Operator.
-## @field {FluxCDAddon} fluxcd - FluxCD GitOps operator.
-## @field {MonitoringAgentsAddon} monitoringAgents - Monitoring agents.
-## @field {VerticalPodAutoscalerAddon} verticalPodAutoscaler - Vertical Pod Autoscaler.
-## @field {VeleroAddon} velero - Velero backup/restore addon.
-## @field {CoreDNSAddon} coredns - CoreDNS addon.
-
-## @param {Addons} addons - Cluster addons configuration.
+## @param addons {addons} Cluster addons configuration
 addons:
+  ## @field addons.certManager {certManager} Cert-manager: automatically creates and manages SSL/TLS certificate
+  ##
  certManager:
+    ## @field certManager.enabled {bool} Enable cert-manager, which automatically creates and manages SSL/TLS certificates.
    enabled: false
-    valuesOverride: {}
-  cilium:
-    valuesOverride: {}
-  gatewayAPI:
-    enabled: false
-  ingressNginx:
-    enabled: false
-    exposeMethod: Proxied
-    hosts: []
-    valuesOverride: {}
-  gpuOperator:
-    enabled: false
-    valuesOverride: {}
-  fluxcd:
-    enabled: false
-    valuesOverride: {}
-  monitoringAgents:
-    enabled: false
-    valuesOverride: {}
-  verticalPodAutoscaler:
-    valuesOverride: {}
-  velero:
-    enabled: false
-    valuesOverride: {}
-  coredns:
+    ## @field certManager.valuesOverride {object} Custom values to override
+    valuesOverride: {}
+
+  ## @field addons.cilium {cilium} Cilium CNI plugin
+  ##
+  cilium:
+    ## @field cilium.valuesOverride {object} Custom values to override
+    valuesOverride: {}
+
+  ## @field addons.gatewayAPI {gatewayAPI} Gateway API
+  ##
+  gatewayAPI:
+    ## @field gatewayAPI.enabled {bool} Enable the Gateway API
+    enabled: false
+
+  ## @field addons.ingressNginx {ingressNginx} Ingress-NGINX Controller
+  ##
+  ingressNginx:
+    ## @field ingressNginx.enabled {bool} Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).
+    enabled: false
+    ## @field ingressNginx.exposeMethod {string enum:"Proxied,LoadBalancer"} Method to expose the Ingress-NGINX controller. Allowed values: `Proxied`, `LoadBalancer`.
+    exposeMethod: Proxied
+    ## @field ingressNginx.hosts {[]string} List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.
+    ## e.g:
+    ## hosts:
+    ## - example.org
+    ## - foo.example.net
+    ##
+    hosts: []
+    ## @field ingressNginx.valuesOverride {object} Custom values to override
+    valuesOverride: {}
+
+  ## @field addons.gpuOperator {gpuOperator} GPU-operator: NVIDIA GPU Operator
+  ##
+  gpuOperator:
+    ## @field gpuOperator.enabled {bool} Enable the GPU-operator
+    ## @field gpuOperator.valuesOverride {object} Custom values to override
+    enabled: false
+    valuesOverride: {}
+
+  ## @field addons.fluxcd {fluxcd} Flux CD
+  ##
+  fluxcd:
+    ## @field fluxcd.enabled {bool} Enable FluxCD
+    ## @field fluxcd.valuesOverride {object} Custom values to override
+    ##
+    enabled: false
+    valuesOverride: {}
+
+  ## @field addons.monitoringAgents {monitoringAgents} MonitoringAgents
+  ##
+  monitoringAgents:
+    ## @field monitoringAgents.enabled {bool} Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage.
+    ## @field monitoringAgents.valuesOverride {object} Custom values to override
+    ##
+    enabled: false
+    valuesOverride: {}
+
+  ## @field addons.verticalPodAutoscaler {verticalPodAutoscaler} VerticalPodAutoscaler
+  ##
+  verticalPodAutoscaler:
+    ## @field verticalPodAutoscaler.valuesOverride {object} Custom values to override
+    ##
+    valuesOverride: {}
+
+  ## @field addons.velero {velero} Velero
+  ##
+  velero:
+    ## @field velero.enabled {bool} Enable Velero for backup and recovery of a tenant Kubernetes cluster.
+    ## @field velero.valuesOverride {object} Custom values to override
+    ##
+    enabled: false
+    valuesOverride: {}
+
+  ## @field addons.coredns {coredns} Coredns
+  ##
+  coredns:
+    ## @field coredns.valuesOverride {object} Custom values to override
+    ##
    valuesOverride: {}

-##
 ## @section Kubernetes Control Plane Configuration
 ##
-
-## @typedef {struct} APIServer - API Server configuration.
-## @field {Resources} resources - CPU and memory resources for API Server.
-## @field {ResourcesPreset} resourcesPreset="medium" - Preset if `resources` omitted.
-
-## @typedef {struct} ControllerManager - Controller Manager configuration.
-## @field {Resources} resources - CPU and memory resources for Controller Manager.
-## @field {ResourcesPreset} resourcesPreset="micro" - Preset if `resources` omitted.
-
-## @typedef {struct} Scheduler - Scheduler configuration.
-## @field {Resources} resources - CPU and memory resources for Scheduler.
-## @field {ResourcesPreset} resourcesPreset="micro" - Preset if `resources` omitted.
-
-## @typedef {struct} KonnectivityServer - Konnectivity Server configuration.
-## @field {Resources} resources - CPU and memory resources for Konnectivity.
-## @field {ResourcesPreset} resourcesPreset="micro" - Preset if `resources` omitted.
-
-## @typedef {struct} Konnectivity - Konnectivity configuration.
-## @field {KonnectivityServer} server - Konnectivity Server configuration.
-
-## @typedef {struct} ControlPlane - Kubernetes control plane configuration.
-## @field {int} replicas=2 - Number of control-plane replicas.
-## @field {APIServer} apiServer - API Server configuration.
-## @field {ControllerManager} controllerManager - Controller Manager configuration.
-## @field {Scheduler} scheduler - Scheduler configuration.
-## @field {Konnectivity} konnectivity - Konnectivity configuration.
-
-## @param {ControlPlane} controlPlane - Kubernetes control-plane configuration.
+## @param controlPlane {controlPlane} Control Plane Configuration
 controlPlane:
+  ## @field controlPlane.replicas {int} Number of replicas for Kubernetes control plane components.
  replicas: 2
+  ## @field controlPlane.apiServer {apiServer} Control plane API server configuration.
  apiServer:
+    ## @field apiServer.resources {resources} Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.
+    ## e.g:
+    ## resources:
+    ##   cpu: 4000m
+    ##   memory: 4Gi
+    ##
    resources: {}
+    ## @field apiServer.resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
    resourcesPreset: "medium"
+
+  ## @field controlPlane.controllerManager {controllerManager} Controller Manager configuration.
  controllerManager:
-    resources: {}
+    ## @field controllerManager.resources {resources} Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.
+    ## @field controllerManager.resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
    resourcesPreset: "micro"
+    resources: {}
+
+  ## @field controlPlane.scheduler {scheduler} Scheduler configuration.
  scheduler:
-    resources: {}
+    ## @field scheduler.resources {resources} Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.
+    ## @field scheduler.resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
    resourcesPreset: "micro"
+    resources: {}
+
+  ## @field controlPlane.konnectivity {konnectivity} Konnectivity configuration.
  konnectivity:
+    ## @field konnectivity.server {konnectivityServer} Konnectivity server configuration.
    server:
-      resources: {}
+      ## @field konnectivityServer.resources {resources} Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.
+      ## @field konnectivityServer.resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
      resourcesPreset: "micro"
+      resources: {}
--- a/packages/apps/mysql/README.md
+++ b/packages/apps/mysql/README.md
@@ -69,44 +69,44 @@ more details:

 ### Common parameters

-| Name               | Description                                                                                                                       | Type       | Value   |
-| ------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------- |
-| `replicas`         | Number of MariaDB replicas.                                                                                                       | `int`      | `2`     |
-| `resources`        | Explicit CPU and memory configuration for each MariaDB replica. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `resources.cpu`    | CPU available to each replica.                                                                                                    | `quantity` | `""`    |
-| `resources.memory` | Memory (RAM) available to each replica.                                                                                           | `quantity` | `""`    |
-| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                           | `string`   | `nano`  |
-| `size`             | Persistent Volume Claim size available for application data.                                                                      | `quantity` | `10Gi`  |
-| `storageClass`     | StorageClass used to store the data.                                                                                              | `string`   | `""`    |
-| `external`         | Enable external access from outside the cluster.                                                                                  | `bool`     | `false` |
+| Name               | Description                                                                                                                               | Type        | Value   |
+| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
+| `replicas`         | Number of MariaDB replicas                                                                                                                | `int`       | `2`     |
+| `resources`        | Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.      | `*object`   | `null`  |
+| `resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null`  |
+| `resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null`  |
+| `resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `nano`  |
+| `size`             | Persistent Volume Claim size, available for application data                                                                              | `quantity`  | `10Gi`  |
+| `storageClass`     | StorageClass used to store the data                                                                                                       | `string`    | `""`    |
+| `external`         | Enable external access from outside the cluster                                                                                           | `bool`      | `false` |


 ### Application-specific parameters

-| Name                             | Description                              | Type                | Value |
-| -------------------------------- | ---------------------------------------- | ------------------- | ----- |
-| `users`                          | Users configuration map.                 | `map[string]object` | `{}`  |
-| `users[name].password`           | Password for the user.                   | `string`            | `""`  |
-| `users[name].maxUserConnections` | Maximum number of connections.           | `int`               | `0`   |
-| `databases`                      | Databases configuration map.             | `map[string]object` | `{}`  |
-| `databases[name].roles`          | Roles assigned to users.                 | `object`            | `{}`  |
-| `databases[name].roles.admin`    | List of users with admin privileges.     | `[]string`          | `[]`  |
-| `databases[name].roles.readonly` | List of users with read-only privileges. | `[]string`          | `[]`  |
+| Name                             | Description                             | Type                | Value   |
+| -------------------------------- | --------------------------------------- | ------------------- | ------- |
+| `users`                          | Users configuration                     | `map[string]object` | `{...}` |
+| `users[name].password`           | Password for the user                   | `string`            | `""`    |
+| `users[name].maxUserConnections` | Maximum amount of connections           | `int`               | `0`     |
+| `databases`                      | Databases configuration                 | `map[string]object` | `{...}` |
+| `databases[name].roles`          | Roles for the database                  | `*object`           | `null`  |
+| `databases[name].roles.admin`    | List of users with admin privileges     | `[]string`          | `[]`    |
+| `databases[name].roles.readonly` | List of users with read-only privileges | `[]string`          | `[]`    |


 ### Backup parameters

-| Name                     | Description                                     | Type     | Value                                                  |
-| ------------------------ | ----------------------------------------------- | -------- | ------------------------------------------------------ |
-| `backup`                 | Backup configuration.                           | `object` | `{}`                                                   |
-| `backup.enabled`         | Enable regular backups (default: false).        | `bool`   | `false`                                                |
-| `backup.s3Region`        | AWS S3 region where backups are stored.         | `string` | `us-east-1`                                            |
-| `backup.s3Bucket`        | S3 bucket used for storing backups.             | `string` | `s3.example.org/mysql-backups`                         |
-| `backup.schedule`        | Cron schedule for automated backups.            | `string` | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups. | `string` | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | Access key for S3 authentication.               | `string` | `<your-access-key>`                                    |
-| `backup.s3SecretKey`     | Secret key for S3 authentication.               | `string` | `<your-secret-key>`                                    |
-| `backup.resticPassword`  | Password for Restic backup encryption.          | `string` | `<password>`                                           |
+| Name                     | Description                                    | Type     | Value                                                  |
+| ------------------------ | ---------------------------------------------- | -------- | ------------------------------------------------------ |
+| `backup`                 | Backup configuration                           | `object` | `{}`                                                   |
+| `backup.enabled`         | Enable regular backups, default is `false`.    | `bool`   | `false`                                                |
+| `backup.s3Region`        | AWS S3 region where backups are stored         | `string` | `us-east-1`                                            |
+| `backup.s3Bucket`        | S3 bucket used for storing backups             | `string` | `s3.example.org/mysql-backups`                         |
+| `backup.schedule`        | Cron schedule for automated backups            | `string` | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups | `string` | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication     | `string` | `<your-access-key>`                                    |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication     | `string` | `<your-secret-key>`                                    |
+| `backup.resticPassword`  | Password for Restic backup encryption          | `string` | `<password>`                                           |


 ## Parameter examples and reference
--- a/packages/apps/mysql/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/mysql/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,38 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}-primary
+  - {{ .Release.Name }}-secondary
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/mysql/values.schema.json
+++ b/packages/apps/mysql/values.schema.json
@@ -3,7 +3,7 @@
  "type": "object",
  "properties": {
    "backup": {
-      "description": "Backup configuration.",
+      "description": "Backup configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -18,67 +18,67 @@
      ],
      "properties": {
        "cleanupStrategy": {
-          "description": "Retention strategy for cleaning up old backups.",
+          "description": "Retention strategy for cleaning up old backups",
          "type": "string",
          "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
        },
        "enabled": {
-          "description": "Enable regular backups (default: false).",
+          "description": "Enable regular backups, default is `false`.",
          "type": "boolean",
          "default": false
        },
        "resticPassword": {
-          "description": "Password for Restic backup encryption.",
+          "description": "Password for Restic backup encryption",
          "type": "string",
          "default": "\u003cpassword\u003e"
        },
        "s3AccessKey": {
-          "description": "Access key for S3 authentication.",
+          "description": "Access key for S3, used for authentication",
          "type": "string",
          "default": "\u003cyour-access-key\u003e"
        },
        "s3Bucket": {
-          "description": "S3 bucket used for storing backups.",
+          "description": "S3 bucket used for storing backups",
          "type": "string",
          "default": "s3.example.org/mysql-backups"
        },
        "s3Region": {
-          "description": "AWS S3 region where backups are stored.",
+          "description": "AWS S3 region where backups are stored",
          "type": "string",
          "default": "us-east-1"
        },
        "s3SecretKey": {
-          "description": "Secret key for S3 authentication.",
+          "description": "Secret key for S3, used for authentication",
          "type": "string",
          "default": "\u003cyour-secret-key\u003e"
        },
        "schedule": {
-          "description": "Cron schedule for automated backups.",
+          "description": "Cron schedule for automated backups",
          "type": "string",
          "default": "0 2 * * *"
        }
      }
    },
    "databases": {
-      "description": "Databases configuration map.",
+      "description": "Databases configuration",
      "type": "object",
      "default": {},
      "additionalProperties": {
        "type": "object",
        "properties": {
          "roles": {
-            "description": "Roles assigned to users.",
+            "description": "Roles for the database",
            "type": "object",
            "properties": {
              "admin": {
-                "description": "List of users with admin privileges.",
+                "description": "List of users with admin privileges",
                "type": "array",
                "items": {
                  "type": "string"
                }
              },
              "readonly": {
-                "description": "List of users with read-only privileges.",
+                "description": "List of users with read-only privileges",
                "type": "array",
                "items": {
                  "type": "string"
@@ -90,22 +90,22 @@
      }
    },
    "external": {
-      "description": "Enable external access from outside the cluster.",
+      "description": "Enable external access from outside the cluster",
      "type": "boolean",
      "default": false
    },
    "replicas": {
-      "description": "Number of MariaDB replicas.",
+      "description": "Number of MariaDB replicas",
      "type": "integer",
      "default": 2
    },
    "resources": {
-      "description": "Explicit CPU and memory configuration for each MariaDB replica. When omitted, the preset defined in `resourcesPreset` is applied.",
+      "description": "Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.",
      "type": "object",
      "default": {},
      "properties": {
        "cpu": {
-          "description": "CPU available to each replica.",
+          "description": "CPU available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -118,7 +118,7 @@
          "x-kubernetes-int-or-string": true
        },
        "memory": {
-          "description": "Memory (RAM) available to each replica.",
+          "description": "Memory (RAM) available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -133,7 +133,7 @@
      }
    },
    "resourcesPreset": {
-      "description": "Default sizing preset used when `resources` is omitted.",
+      "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
      "type": "string",
      "default": "nano",
      "enum": [
@@ -147,7 +147,7 @@
      ]
    },
    "size": {
-      "description": "Persistent Volume Claim size available for application data.",
+      "description": "Persistent Volume Claim size, available for application data",
      "default": "10Gi",
      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
      "anyOf": [
@@ -161,12 +161,11 @@
      "x-kubernetes-int-or-string": true
    },
    "storageClass": {
-      "description": "StorageClass used to store the data.",
-      "type": "string",
-      "default": ""
+      "description": "StorageClass used to store the data",
+      "type": "string"
    },
    "users": {
-      "description": "Users configuration map.",
+      "description": "Users configuration",
      "type": "object",
      "default": {},
      "additionalProperties": {
@@ -177,11 +176,11 @@
        ],
        "properties": {
          "maxUserConnections": {
-            "description": "Maximum number of connections.",
+            "description": "Maximum amount of connections",
            "type": "integer"
          },
          "password": {
-            "description": "Password for the user.",
+            "description": "Password for the user",
            "type": "string"
          }
        }
--- a/packages/apps/mysql/values.yaml
+++ b/packages/apps/mysql/values.yaml
@@ -1,48 +1,28 @@
-##
 ## @section Common parameters
 ##
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each MariaDB replica.
-## @field {quantity} [cpu] - CPU available to each replica.
-## @field {quantity} [memory] - Memory (RAM) available to each replica.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @param {int} replicas - Number of MariaDB replicas.
+## @param replicas {int} Number of MariaDB replicas
 replicas: 2
-
-## @param {Resources} [resources] - Explicit CPU and memory configuration for each MariaDB replica. When omitted, the preset defined in `resourcesPreset` is applied.
+## @param resources {*resources} Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
+## @field resources.cpu {*quantity} CPU available to each replica
+## @field resources.memory {*quantity} Memory (RAM) available to each replica
 resources: {}
-
-## @param {ResourcesPreset} resourcesPreset="nano" - Default sizing preset used when `resources` is omitted.
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
 resourcesPreset: "nano"
-
-## @param {quantity} size - Persistent Volume Claim size available for application data.
+## @param size {quantity} Persistent Volume Claim size, available for application data
 size: 10Gi
-
-## @param {string} storageClass - StorageClass used to store the data.
+## @param storageClass {string} StorageClass used to store the data
 storageClass: ""
-
-## @param {bool} external - Enable external access from outside the cluster.
+## @param external {bool} Enable external access from outside the cluster
 external: false

-##
 ## @section Application-specific parameters
 ##
-
-## @typedef {struct} User - User configuration.
-## @field {string} password - Password for the user.
-## @field {int} maxUserConnections - Maximum number of connections.
-
-## @param {map[string]User} users - Users configuration map.
-users: {}
+## @param users {map[string]user} Users configuration
+## @field user.password {string} Password for the user
+## @field user.maxUserConnections {int} Maximum amount of connections
 ## Example:
 ## users:
 ##   user1:
@@ -51,16 +31,15 @@ users: {}
 ##   user2:
 ##     maxUserConnections: 1000
 ##     password: hackme
+##
+users: {}

-## @typedef {struct} DatabaseRoles - Role assignments for a database.
-## @field {[]string} [admin] - List of users with admin privileges.
-## @field {[]string} [readonly] - List of users with read-only privileges.

-## @typedef {struct} Database - Database configuration.
-## @field {DatabaseRoles} [roles] - Roles assigned to users.
-
-## @param {map[string]Database} databases - Databases configuration map.
-databases: {}
+## @param databases {map[string]database} Databases configuration
+## @field database.roles {*databaseRoles} Roles for the database
+## @field databaseRoles.admin {[]string} List of users with admin privileges
+## @field databaseRoles.readonly {[]string} List of users with read-only privileges
+##
 ## Example:
 ## databases:
 ##   myapp1:
@@ -69,22 +48,19 @@ databases: {}
 ##       - user1
 ##       readonly:
 ##       - user2
+databases: {}

-##
 ## @section Backup parameters
 ##
-
-## @typedef {struct} Backup - Backup configuration.
-## @field {bool} enabled - Enable regular backups (default: false).
-## @field {string} s3Region - AWS S3 region where backups are stored.
-## @field {string} s3Bucket - S3 bucket used for storing backups.
-## @field {string} schedule - Cron schedule for automated backups.
-## @field {string} cleanupStrategy - Retention strategy for cleaning up old backups.
-## @field {string} s3AccessKey - Access key for S3 authentication.
-## @field {string} s3SecretKey - Secret key for S3 authentication.
-## @field {string} resticPassword - Password for Restic backup encryption.
-
-## @param {Backup} backup - Backup configuration.
+## @param backup {backup} Backup configuration
+## @field backup.enabled {bool} Enable regular backups, default is `false`.
+## @field backup.s3Region {string} AWS S3 region where backups are stored
+## @field backup.s3Bucket {string} S3 bucket used for storing backups
+## @field backup.schedule {string} Cron schedule for automated backups
+## @field backup.cleanupStrategy {string} Retention strategy for cleaning up old backups
+## @field backup.s3AccessKey {string} Access key for S3, used for authentication
+## @field backup.s3SecretKey {string} Secret key for S3, used for authentication
+## @field backup.resticPassword {string} Password for Restic backup encryption
 backup:
  enabled: false
  s3Region: us-east-1
@@ -94,3 +70,4 @@ backup:
  s3AccessKey: "<your-access-key>"
  s3SecretKey: "<your-secret-key>"
  resticPassword: "<password>"
+
--- a/packages/apps/nats/README.md
+++ b/packages/apps/nats/README.md
@@ -7,29 +7,29 @@ It provides a data layer for cloud native applications, IoT messaging, and micro

 ### Common parameters

-| Name               | Description                                                                                                                    | Type       | Value   |
-| ------------------ | ------------------------------------------------------------------------------------------------------------------------------ | ---------- | ------- |
-| `replicas`         | Number of replicas.                                                                                                            | `int`      | `2`     |
-| `resources`        | Explicit CPU and memory configuration for each NATS replica. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `resources.cpu`    | CPU available to each replica.                                                                                                 | `quantity` | `""`    |
-| `resources.memory` | Memory (RAM) available to each replica.                                                                                        | `quantity` | `""`    |
-| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                        | `string`   | `nano`  |
-| `storageClass`     | StorageClass used to store the data.                                                                                           | `string`   | `""`    |
-| `external`         | Enable external access from outside the cluster.                                                                               | `bool`     | `false` |
+| Name               | Description                                                                                                                               | Type        | Value   |
+| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
+| `replicas`         | Number of replicas                                                                                                                        | `int`       | `2`     |
+| `resources`        | Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.         | `*object`   | `null`  |
+| `resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null`  |
+| `resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null`  |
+| `resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `nano`  |
+| `storageClass`     | StorageClass used to store the data                                                                                                       | `string`    | `""`    |
+| `external`         | Enable external access from outside the cluster                                                                                           | `bool`      | `false` |


 ### Application-specific parameters

-| Name                   | Description                                                   | Type                | Value  |
-| ---------------------- | ------------------------------------------------------------- | ------------------- | ------ |
-| `users`                | Users configuration map.                                      | `map[string]object` | `{}`   |
-| `users[name].password` | Password for the user.                                        | `string`            | `""`   |
-| `jetstream`            | Jetstream configuration.                                      | `object`            | `{}`   |
-| `jetstream.enabled`    | Enable or disable Jetstream for persistent messaging in NATS. | `bool`              | `true` |
-| `jetstream.size`       | Jetstream persistent storage size.                            | `quantity`          | `10Gi` |
-| `config`               | NATS configuration.                                           | `object`            | `{}`   |
-| `config.merge`         | Additional configuration to merge into NATS config.           | `*object`           | `{}`   |
-| `config.resolver`      | Additional resolver configuration to merge into NATS config.  | `*object`           | `{}`   |
+| Name                   | Description                                                                                                    | Type                | Value   |
+| ---------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------- | ------- |
+| `users`                | Users configuration                                                                                            | `map[string]object` | `{...}` |
+| `users[name].password` | Password for the user                                                                                          | `*string`           | `null`  |
+| `jetstream`            | Jetstream configuration                                                                                        | `object`            | `{}`    |
+| `jetstream.enabled`    | Enable or disable Jetstream. Set to `true` (default) to enable Jetstream for persistent messaging in NATS.     | `bool`              | `true`  |
+| `jetstream.size`       | Jetstream persistent storage size. Specifies the size of the persistent storage for Jetstream (message store). | `quantity`          | `10Gi`  |
+| `config`               | NATS configuration                                                                                             | `object`            | `{}`    |
+| `config.merge`         | Additional configuration to merge into NATS config (see example)                                               | `*object`           | `{}`    |
+| `config.resolver`      | Additional resolver configuration to merge into NATS config (see example)                                      | `*object`           | `{}`    |


 ## Parameter examples and reference
--- a/packages/apps/nats/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/nats/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/nats/templates/nats.yaml
+++ b/packages/apps/nats/templates/nats.yaml
@@ -1,6 +1,14 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
 {{- $passwords := dict }}
+
+{{- with (dig "data" (dict) $existingSecret) }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
 {{- range $user, $u := .Values.users }}
  {{- if $u.password }}
    {{- $_ := set $passwords $user $u.password }}
--- a/packages/apps/nats/values.schema.json
+++ b/packages/apps/nats/values.schema.json
@@ -3,18 +3,18 @@
  "type": "object",
  "properties": {
    "config": {
-      "description": "NATS configuration.",
+      "description": "NATS configuration",
      "type": "object",
      "default": {},
      "properties": {
        "merge": {
-          "description": "Additional configuration to merge into NATS config.",
+          "description": "Additional configuration to merge into NATS config (see example)",
          "type": "object",
          "default": {},
          "x-kubernetes-preserve-unknown-fields": true
        },
        "resolver": {
-          "description": "Additional resolver configuration to merge into NATS config.",
+          "description": "Additional resolver configuration to merge into NATS config (see example)",
          "type": "object",
          "default": {},
          "x-kubernetes-preserve-unknown-fields": true
@@ -22,12 +22,12 @@
      }
    },
    "external": {
-      "description": "Enable external access from outside the cluster.",
+      "description": "Enable external access from outside the cluster",
      "type": "boolean",
      "default": false
    },
    "jetstream": {
-      "description": "Jetstream configuration.",
+      "description": "Jetstream configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -36,12 +36,12 @@
      ],
      "properties": {
        "enabled": {
-          "description": "Enable or disable Jetstream for persistent messaging in NATS.",
+          "description": "Enable or disable Jetstream. Set to `true` (default) to enable Jetstream for persistent messaging in NATS.",
          "type": "boolean",
          "default": true
        },
        "size": {
-          "description": "Jetstream persistent storage size.",
+          "description": "Jetstream persistent storage size. Specifies the size of the persistent storage for Jetstream (message store).",
          "default": "10Gi",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
@@ -57,17 +57,17 @@
      }
    },
    "replicas": {
-      "description": "Number of replicas.",
+      "description": "Number of replicas",
      "type": "integer",
      "default": 2
    },
    "resources": {
-      "description": "Explicit CPU and memory configuration for each NATS replica. When omitted, the preset defined in `resourcesPreset` is applied.",
+      "description": "Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.",
      "type": "object",
      "default": {},
      "properties": {
        "cpu": {
-          "description": "CPU available to each replica.",
+          "description": "CPU available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -80,7 +80,7 @@
          "x-kubernetes-int-or-string": true
        },
        "memory": {
-          "description": "Memory (RAM) available to each replica.",
+          "description": "Memory (RAM) available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -95,7 +95,7 @@
      }
    },
    "resourcesPreset": {
-      "description": "Default sizing preset used when `resources` is omitted.",
+      "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
      "type": "string",
      "default": "nano",
      "enum": [
@@ -109,19 +109,18 @@
      ]
    },
    "storageClass": {
-      "description": "StorageClass used to store the data.",
-      "type": "string",
-      "default": ""
+      "description": "StorageClass used to store the data",
+      "type": "string"
    },
    "users": {
-      "description": "Users configuration map.",
+      "description": "Users configuration",
      "type": "object",
      "default": {},
      "additionalProperties": {
        "type": "object",
        "properties": {
          "password": {
-            "description": "Password for the user.",
+            "description": "Password for the user",
            "type": "string"
          }
        }
--- a/packages/apps/nats/values.yaml
+++ b/packages/apps/nats/values.yaml
@@ -1,64 +1,75 @@
-##
 ## @section Common parameters
 ##
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each NATS replica.
-## @field {quantity} [cpu] - CPU available to each replica.
-## @field {quantity} [memory] - Memory (RAM) available to each replica.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @param {int} replicas - Number of replicas.
+## @param replicas {int} Number of replicas
 replicas: 2
-
-## @param {Resources} [resources] - Explicit CPU and memory configuration for each NATS replica. When omitted, the preset defined in `resourcesPreset` is applied.
+## @param resources {*resources} Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.
+## @field resources.cpu {*quantity} CPU available to each replica
+## @field resources.memory {*quantity} Memory (RAM) available to each replica
 resources: {}
-
-## @param {ResourcesPreset} resourcesPreset="nano" - Default sizing preset used when `resources` is omitted.
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
 resourcesPreset: "nano"
-
-## @param {string} storageClass - StorageClass used to store the data.
+## @param storageClass {string} StorageClass used to store the data
 storageClass: ""
-
-## @param {bool} external - Enable external access from outside the cluster.
+## @param external {bool} Enable external access from outside the cluster
 external: false

-##
 ## @section Application-specific parameters
 ##
-
-## @typedef {struct} User - User configuration.
-## @field {string} [password] - Password for the user.
-
-## @param {map[string]User} users - Users configuration map.
-users: {}
+## @param users {map[string]user} Users configuration
+## @field user.password {*string} Password for the user
 ## Example:
 ## users:
 ##   user1:
 ##     password: strongpassword
 ##   user2: {}
+users: {}

-## @typedef {struct} Jetstream - Jetstream configuration.
-## @field {bool} enabled=true - Enable or disable Jetstream for persistent messaging in NATS.
-## @field {quantity} size - Jetstream persistent storage size.
-
-## @param {Jetstream} jetstream - Jetstream configuration.
+## @param jetstream {jetstream} Jetstream configuration
 jetstream:
+  ## @field jetstream.enabled {bool} Enable or disable Jetstream. Set to `true` (default) to enable Jetstream for persistent messaging in NATS.
+  ##
+  ## Default: true
  enabled: true
+  ## @field jetstream.size {quantity} Jetstream persistent storage size. Specifies the size of the persistent storage for Jetstream (message store).
+  ##
  size: 10Gi

-## @typedef {struct} Config - NATS configuration.
-## @field {*object} [merge] - Additional configuration to merge into NATS config.
-## @field {*object} [resolver] - Additional resolver configuration to merge into NATS config.
-
-## @param {Config} config - NATS configuration.
+## @param config {config} NATS configuration
 config:
+  ## @field config.merge {*object} Additional configuration to merge into NATS config (see example)
+  ## Allows you to customize NATS server settings by merging additional configurations.
+  ## For example, you can add extra parameters, configure authentication, or set custom settings.
+  ## Default: {}
+  ## example:
+  ##
+  ##   merge:
+  ##     $include: ./my-config.conf
+  ##     zzz$include: ./my-config-last.conf
+  ##     server_name: nats
+  ##     authorization:
+  ##       token: << $TOKEN >>
+  ##     jetstream:
+  ##       max_memory_store: << 1GB >>
+  ##
+  ## will yield the config:
+  ## {
+  ##   include ./my-config.conf;
+  ##   "authorization": {
+  ##     "token": $TOKEN
+  ##   },
+  ##   "jetstream": {
+  ##     "max_memory_store": 1GB
+  ##   },
+  ##   "server_name": "nats",
+  ##   include ./my-config-last.conf;
+  ## }
  merge: {}
+  ## @field config.resolver {*object} Additional resolver configuration to merge into NATS config (see example)
+  ## Allows you to customize NATS server settings by merging resolver configurations.
+  ## Default: {}
+  ## Example: https://github.com/nats-io/k8s/blob/94414664c254b0bbac3a07fc9693f6c4f8f88709/helm/charts/nats/values.yaml#L248-L270
  resolver: {}
+
--- a/packages/apps/postgres/README.md
+++ b/packages/apps/postgres/README.md
@@ -66,78 +66,60 @@ See:

 ### Common parameters

-| Name               | Description                                                                                                                          | Type       | Value   |
-| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------ | ---------- | ------- |
-| `replicas`         | Number of Postgres replicas.                                                                                                         | `int`      | `2`     |
-| `resources`        | Explicit CPU and memory configuration for each PostgreSQL replica. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `resources.cpu`    | CPU available to each replica.                                                                                                       | `quantity` | `""`    |
-| `resources.memory` | Memory (RAM) available to each replica.                                                                                              | `quantity` | `""`    |
-| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                              | `string`   | `micro` |
-| `size`             | Persistent Volume Claim size available for application data.                                                                         | `quantity` | `10Gi`  |
-| `storageClass`     | StorageClass used to store the data.                                                                                                 | `string`   | `""`    |
-| `external`         | Enable external access from outside the cluster.                                                                                     | `bool`     | `false` |
+| Name               | Description                                                                                                                               | Type        | Value   |
+| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
+| `replicas`         | Number of Postgres replicas                                                                                                               | `int`       | `2`     |
+| `resources`        | Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.   | `*object`   | `null`  |
+| `resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null`  |
+| `resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null`  |
+| `resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `micro` |
+| `size`             | Persistent Volume Claim size, available for application data                                                                              | `quantity`  | `10Gi`  |
+| `storageClass`     | StorageClass used to store the data                                                                                                       | `string`    | `""`    |
+| `external`         | Enable external access from outside the cluster                                                                                           | `bool`      | `false` |


 ### Application-specific parameters

-| Name                                    | Description                                                      | Type     | Value |
-| --------------------------------------- | ---------------------------------------------------------------- | -------- | ----- |
-| `postgresql`                            | PostgreSQL server configuration.                                 | `object` | `{}`  |
-| `postgresql.parameters`                 | PostgreSQL server parameters.                                    | `object` | `{}`  |
-| `postgresql.parameters.max_connections` | Maximum number of concurrent connections to the database server. | `int`    | `100` |
-
-
-### Quorum-based synchronous replication
-
-| Name                     | Description                                                                        | Type     | Value |
-| ------------------------ | ---------------------------------------------------------------------------------- | -------- | ----- |
-| `quorum`                 | Quorum configuration for synchronous replication.                                  | `object` | `{}`  |
-| `quorum.minSyncReplicas` | Minimum number of synchronous replicas required for commit.                        | `int`    | `0`   |
-| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas allowed (must be less than total replicas). | `int`    | `0`   |
-
-
-### Users configuration
-
-| Name                      | Description                                  | Type                | Value   |
-| ------------------------- | -------------------------------------------- | ------------------- | ------- |
-| `users`                   | Users configuration map.                     | `map[string]object` | `{}`    |
-| `users[name].password`    | Password for the user.                       | `string`            | `""`    |
-| `users[name].replication` | Whether the user has replication privileges. | `bool`              | `false` |
-
-
-### Databases configuration
-
-| Name                             | Description                              | Type                | Value |
-| -------------------------------- | ---------------------------------------- | ------------------- | ----- |
-| `databases`                      | Databases configuration map.             | `map[string]object` | `{}`  |
-| `databases[name].roles`          | Roles assigned to users.                 | `object`            | `{}`  |
-| `databases[name].roles.admin`    | List of users with admin privileges.     | `[]string`          | `[]`  |
-| `databases[name].roles.readonly` | List of users with read-only privileges. | `[]string`          | `[]`  |
-| `databases[name].extensions`     | List of enabled PostgreSQL extensions.   | `[]string`          | `[]`  |
+| Name                                    | Description                                                                                                              | Type                | Value   |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------- | ------- |
+| `postgresql`                            | PostgreSQL server configuration                                                                                          | `object`            | `{}`    |
+| `postgresql.parameters`                 | PostgreSQL server parameters                                                                                             | `object`            | `{}`    |
+| `postgresql.parameters.max_connections` | Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections | `int`               | `100`   |
+| `quorum`                                | Quorum configuration for synchronous replication                                                                         | `object`            | `{}`    |
+| `quorum.minSyncReplicas`                | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.            | `int`               | `0`     |
+| `quorum.maxSyncReplicas`                | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).  | `int`               | `0`     |
+| `users`                                 | Users configuration                                                                                                      | `map[string]object` | `{...}` |
+| `users[name].password`                  | Password for the user                                                                                                    | `*string`           | `null`  |
+| `users[name].replication`               | Whether the user has replication privileges                                                                              | `*bool`             | `null`  |
+| `databases`                             | Databases configuration                                                                                                  | `map[string]object` | `{...}` |
+| `databases[name].roles`                 | Roles for the database                                                                                                   | `*object`           | `null`  |
+| `databases[name].roles.admin`           | List of users with admin privileges                                                                                      | `[]string`          | `[]`    |
+| `databases[name].roles.readonly`        | List of users with read-only privileges                                                                                  | `[]string`          | `[]`    |
+| `databases[name].extensions`            | Extensions enabled for the database                                                                                      | `[]string`          | `[]`    |


 ### Backup parameters

-| Name                     | Description                                            | Type     | Value                               |
-| ------------------------ | ------------------------------------------------------ | -------- | ----------------------------------- |
-| `backup`                 | Backup configuration.                                  | `object` | `{}`                                |
-| `backup.enabled`         | Enable regular backups.                                | `bool`   | `false`                             |
-| `backup.schedule`        | Cron schedule for automated backups.                   | `string` | `0 2 * * * *`                       |
-| `backup.retentionPolicy` | Retention policy (e.g. "30d").                         | `string` | `30d`                               |
-| `backup.destinationPath` | Destination path for backups (e.g. s3://bucket/path/). | `string` | `s3://bucket/path/to/folder/`       |
-| `backup.endpointURL`     | S3 endpoint URL for uploads.                           | `string` | `http://minio-gateway-service:9000` |
-| `backup.s3AccessKey`     | Access key for S3 authentication.                      | `string` | `<your-access-key>`                 |
-| `backup.s3SecretKey`     | Secret key for S3 authentication.                      | `string` | `<your-secret-key>`                 |
+| Name                     | Description                                                | Type      | Value                               |
+| ------------------------ | ---------------------------------------------------------- | --------- | ----------------------------------- |
+| `backup`                 | Backup configuration                                       | `object`  | `{}`                                |
+| `backup.enabled`         | Enable regular backups                                     | `*bool`   | `false`                             |
+| `backup.schedule`        | Cron schedule for automated backups                        | `*string` | `0 2 * * * *`                       |
+| `backup.retentionPolicy` | Retention policy                                           | `*string` | `30d`                               |
+| `backup.destinationPath` | Path to store the backup (i.e. s3://bucket/path/to/folder) | `*string` | `s3://bucket/path/to/folder/`       |
+| `backup.endpointURL`     | S3 Endpoint used to upload data to the cloud               | `*string` | `http://minio-gateway-service:9000` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                 | `*string` | `<your-access-key>`                 |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                 | `*string` | `<your-secret-key>`                 |


 ### Bootstrap (recovery) parameters

-| Name                     | Description                                                         | Type     | Value   |
-| ------------------------ | ------------------------------------------------------------------- | -------- | ------- |
-| `bootstrap`              | Bootstrap configuration.                                            | `object` | `{}`    |
-| `bootstrap.enabled`      | Whether to restore from a backup.                                   | `bool`   | `false` |
-| `bootstrap.recoveryTime` | Timestamp (RFC3339) for point-in-time recovery; empty means latest. | `string` | `""`    |
-| `bootstrap.oldName`      | Previous cluster name before deletion.                              | `string` | `""`    |
+| Name                     | Description                                                                                                          | Type      | Value   |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------- | --------- | ------- |
+| `bootstrap`              | Bootstrap configuration                                                                                              | `object`  | `{}`    |
+| `bootstrap.enabled`      | Restore database cluster from a backup                                                                               | `bool`    | `false` |
+| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest | `*string` | `""`    |
+| `bootstrap.oldName`      | Name of database cluster before deleting                                                                             | `string`  | `""`    |


 ## Parameter examples and reference
--- a/packages/apps/postgres/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/postgres/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}-r
+  - {{ .Release.Name }}-ro
+  - {{ .Release.Name }}-rw
+  - {{ .Release.Name }}-external-write
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/postgres/values.schema.json
+++ b/packages/apps/postgres/values.schema.json
@@ -3,52 +3,49 @@
  "type": "object",
  "properties": {
    "backup": {
-      "description": "Backup configuration.",
+      "description": "Backup configuration",
      "type": "object",
      "default": {},
-      "required": [
-        "enabled"
-      ],
      "properties": {
        "destinationPath": {
-          "description": "Destination path for backups (e.g. s3://bucket/path/).",
+          "description": "Path to store the backup (i.e. s3://bucket/path/to/folder)",
          "type": "string",
          "default": "s3://bucket/path/to/folder/"
        },
        "enabled": {
-          "description": "Enable regular backups.",
+          "description": "Enable regular backups",
          "type": "boolean",
          "default": false
        },
        "endpointURL": {
-          "description": "S3 endpoint URL for uploads.",
+          "description": "S3 Endpoint used to upload data to the cloud",
          "type": "string",
          "default": "http://minio-gateway-service:9000"
        },
        "retentionPolicy": {
-          "description": "Retention policy (e.g. \"30d\").",
+          "description": "Retention policy",
          "type": "string",
          "default": "30d"
        },
        "s3AccessKey": {
-          "description": "Access key for S3 authentication.",
+          "description": "Access key for S3, used for authentication",
          "type": "string",
          "default": "\u003cyour-access-key\u003e"
        },
        "s3SecretKey": {
-          "description": "Secret key for S3 authentication.",
+          "description": "Secret key for S3, used for authentication",
          "type": "string",
          "default": "\u003cyour-secret-key\u003e"
        },
        "schedule": {
-          "description": "Cron schedule for automated backups.",
+          "description": "Cron schedule for automated backups",
          "type": "string",
          "default": "0 2 * * * *"
        }
      }
    },
    "bootstrap": {
-      "description": "Bootstrap configuration.",
+      "description": "Bootstrap configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -57,49 +54,47 @@
      ],
      "properties": {
        "enabled": {
-          "description": "Whether to restore from a backup.",
+          "description": "Restore database cluster from a backup",
          "type": "boolean",
          "default": false
        },
        "oldName": {
-          "description": "Previous cluster name before deletion.",
-          "type": "string",
-          "default": ""
+          "description": "Name of database cluster before deleting",
+          "type": "string"
        },
        "recoveryTime": {
-          "description": "Timestamp (RFC3339) for point-in-time recovery; empty means latest.",
-          "type": "string",
-          "default": ""
+          "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest",
+          "type": "string"
        }
      }
    },
    "databases": {
-      "description": "Databases configuration map.",
+      "description": "Databases configuration",
      "type": "object",
      "default": {},
      "additionalProperties": {
        "type": "object",
        "properties": {
          "extensions": {
-            "description": "List of enabled PostgreSQL extensions.",
+            "description": "Extensions enabled for the database",
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "roles": {
-            "description": "Roles assigned to users.",
+            "description": "Roles for the database",
            "type": "object",
            "properties": {
              "admin": {
-                "description": "List of users with admin privileges.",
+                "description": "List of users with admin privileges",
                "type": "array",
                "items": {
                  "type": "string"
                }
              },
              "readonly": {
-                "description": "List of users with read-only privileges.",
+                "description": "List of users with read-only privileges",
                "type": "array",
                "items": {
                  "type": "string"
@@ -111,22 +106,28 @@
      }
    },
    "external": {
-      "description": "Enable external access from outside the cluster.",
+      "description": "Enable external access from outside the cluster",
      "type": "boolean",
      "default": false
    },
    "postgresql": {
-      "description": "PostgreSQL server configuration.",
+      "description": "PostgreSQL server configuration",
      "type": "object",
      "default": {},
+      "required": [
+        "parameters"
+      ],
      "properties": {
        "parameters": {
-          "description": "PostgreSQL server parameters.",
+          "description": "PostgreSQL server parameters",
          "type": "object",
          "default": {},
+          "required": [
+            "max_connections"
+          ],
          "properties": {
            "max_connections": {
-              "description": "Maximum number of concurrent connections to the database server.",
+              "description": "Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections",
              "type": "integer",
              "default": 100
            }
@@ -135,7 +136,7 @@
      }
    },
    "quorum": {
-      "description": "Quorum configuration for synchronous replication.",
+      "description": "Quorum configuration for synchronous replication",
      "type": "object",
      "default": {},
      "required": [
@@ -144,29 +145,29 @@
      ],
      "properties": {
        "maxSyncReplicas": {
-          "description": "Maximum number of synchronous replicas allowed (must be less than total replicas).",
+          "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
          "type": "integer",
          "default": 0
        },
        "minSyncReplicas": {
-          "description": "Minimum number of synchronous replicas required for commit.",
+          "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
          "type": "integer",
          "default": 0
        }
      }
    },
    "replicas": {
-      "description": "Number of Postgres replicas.",
+      "description": "Number of Postgres replicas",
      "type": "integer",
      "default": 2
    },
    "resources": {
-      "description": "Explicit CPU and memory configuration for each PostgreSQL replica. When omitted, the preset defined in `resourcesPreset` is applied.",
+      "description": "Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.",
      "type": "object",
      "default": {},
      "properties": {
        "cpu": {
-          "description": "CPU available to each replica.",
+          "description": "CPU available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -179,7 +180,7 @@
          "x-kubernetes-int-or-string": true
        },
        "memory": {
-          "description": "Memory (RAM) available to each replica.",
+          "description": "Memory (RAM) available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -194,7 +195,7 @@
      }
    },
    "resourcesPreset": {
-      "description": "Default sizing preset used when `resources` is omitted.",
+      "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
      "type": "string",
      "default": "micro",
      "enum": [
@@ -208,7 +209,7 @@
      ]
    },
    "size": {
-      "description": "Persistent Volume Claim size available for application data.",
+      "description": "Persistent Volume Claim size, available for application data",
      "default": "10Gi",
      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
      "anyOf": [
@@ -222,23 +223,22 @@
      "x-kubernetes-int-or-string": true
    },
    "storageClass": {
-      "description": "StorageClass used to store the data.",
-      "type": "string",
-      "default": ""
+      "description": "StorageClass used to store the data",
+      "type": "string"
    },
    "users": {
-      "description": "Users configuration map.",
+      "description": "Users configuration",
      "type": "object",
      "default": {},
      "additionalProperties": {
        "type": "object",
        "properties": {
          "password": {
-            "description": "Password for the user.",
+            "description": "Password for the user",
            "type": "string"
          },
          "replication": {
-            "description": "Whether the user has replication privileges.",
+            "description": "Whether the user has replication privileges",
            "type": "boolean"
          }
        }
--- a/packages/apps/postgres/values.yaml
+++ b/packages/apps/postgres/values.yaml
@@ -1,76 +1,44 @@
-##
 ## @section Common parameters
 ##
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each PostgreSQL replica.
-## @field {quantity} [cpu] - CPU available to each replica.
-## @field {quantity} [memory] - Memory (RAM) available to each replica.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @param {int} replicas - Number of Postgres replicas.
+## @param replicas {int} Number of Postgres replicas
 replicas: 2
-
-## @param {Resources} [resources] - Explicit CPU and memory configuration for each PostgreSQL replica. When omitted, the preset defined in `resourcesPreset` is applied.
+## @param resources {*resources} Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.
+## @field resources.cpu {*quantity} CPU available to each replica
+## @field resources.memory {*quantity} Memory (RAM) available to each replica
 resources: {}
-
-## @param {ResourcesPreset} resourcesPreset="micro" - Default sizing preset used when `resources` is omitted.
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
 resourcesPreset: "micro"
-
-## @param {quantity} size - Persistent Volume Claim size available for application data.
+## @param size {quantity} Persistent Volume Claim size, available for application data
 size: 10Gi
-
-## @param {string} storageClass - StorageClass used to store the data.
+## @param storageClass {string} StorageClass used to store the data
 storageClass: ""
-
-## @param {bool} external - Enable external access from outside the cluster.
+## @param external {bool} Enable external access from outside the cluster
 external: false

-##
 ## @section Application-specific parameters
+## @param postgresql {postgresql} PostgreSQL server configuration
+## @field postgresql.parameters {postgresqlParameters} PostgreSQL server parameters
+## @field postgresqlParameters.max_connections {int} Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections
 ##
-
-## @typedef {struct} PostgreSQLParameters - PostgreSQL server parameters.
-## @field {int} [max_connections] - Maximum number of concurrent connections to the database server.
-
-## @typedef {struct} PostgreSQL - PostgreSQL server configuration.
-## @field {PostgreSQLParameters} [parameters] - PostgreSQL server parameters.
-
-## @param {PostgreSQL} postgresql - PostgreSQL server configuration.
 postgresql:
  parameters:
    max_connections: 100

-##
-## @section Quorum-based synchronous replication
-##
-
-## @typedef {struct} Quorum - Quorum configuration for synchronous replication.
-## @field {int} minSyncReplicas - Minimum number of synchronous replicas required for commit.
-## @field {int} maxSyncReplicas - Maximum number of synchronous replicas allowed (must be less than total replicas).
-
-## @param {Quorum} quorum - Quorum configuration for synchronous replication.
+## Configuration for the quorum-based synchronous replication
+## @param quorum {quorum} Quorum configuration for synchronous replication
+## @field quorum.minSyncReplicas {int} Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
+## @field quorum.maxSyncReplicas {int} Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
 quorum:
  minSyncReplicas: 0
  maxSyncReplicas: 0

+## @param users {map[string]user} Users configuration
+## @field user.password {*string} Password for the user
+## @field user.replication {*bool} Whether the user has replication privileges
 ##
-## @section Users configuration
-##
-
-## @typedef {struct} User - User configuration.
-## @field {string} [password] - Password for the user.
-## @field {bool} [replication] - Whether the user has replication privileges.
-
-## @param {map[string]User} users - Users configuration map.
-users: {}
 ## Example:
 ## users:
 ##   user1:
@@ -81,21 +49,15 @@ users: {}
 ##     password: qwerty123
 ##   debezium:
 ##     replication: true
-
 ##
-## @section Databases configuration
+users: {}
+
+## @param databases {map[string]database} Databases configuration
+## @field database.roles {*databaseRoles} Roles for the database
+## @field databaseRoles.admin {[]string} List of users with admin privileges
+## @field databaseRoles.readonly {[]string} List of users with read-only privileges
+## @field database.extensions {[]string} Extensions enabled for the database
 ##
-
-## @typedef {struct} DatabaseRoles - Role assignments for a database.
-## @field {[]string} [admin] - List of users with admin privileges.
-## @field {[]string} [readonly] - List of users with read-only privileges.
-
-## @typedef {struct} Database - Database configuration.
-## @field {DatabaseRoles} [roles] - Roles assigned to users.
-## @field {[]string} [extensions] - List of enabled PostgreSQL extensions.
-
-## @param {map[string]Database} databases - Databases configuration map.
-databases: {}
 ## Example:
 ## databases:
 ##   myapp:
@@ -111,21 +73,18 @@ databases: {}
 ##       - airflow
 ##     extensions:
 ##     - hstore
+databases: {}

-##
 ## @section Backup parameters
-##

-## @typedef {struct} Backup - Backup configuration.
-## @field {bool} enabled - Enable regular backups.
-## @field {string} [schedule] - Cron schedule for automated backups.
-## @field {string} [retentionPolicy] - Retention policy (e.g. "30d").
-## @field {string} [destinationPath] - Destination path for backups (e.g. s3://bucket/path/).
-## @field {string} [endpointURL] - S3 endpoint URL for uploads.
-## @field {string} [s3AccessKey] - Access key for S3 authentication.
-## @field {string} [s3SecretKey] - Secret key for S3 authentication.
-
-## @param {Backup} backup - Backup configuration.
+## @param backup {backup} Backup configuration
+## @field backup.enabled {*bool} Enable regular backups
+## @field backup.schedule {*string} Cron schedule for automated backups
+## @field backup.retentionPolicy {*string} Retention policy
+## @field backup.destinationPath {*string} Path to store the backup (i.e. s3://bucket/path/to/folder)
+## @field backup.endpointURL {*string} S3 Endpoint used to upload data to the cloud
+## @field backup.s3AccessKey {*string} Access key for S3, used for authentication
+## @field backup.s3SecretKey {*string} Secret key for S3, used for authentication
 backup:
  enabled: false
  retentionPolicy: 30d
@@ -135,18 +94,16 @@ backup:
  s3AccessKey: "<your-access-key>"
  s3SecretKey: "<your-secret-key>"

-##
 ## @section Bootstrap (recovery) parameters
+
+## @param bootstrap {bootstrap} Bootstrap configuration
+## @field bootstrap.enabled {bool} Restore database cluster from a backup
+## @field bootstrap.recoveryTime {*string} Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest
+## @field bootstrap.oldName {string} Name of database cluster before deleting
 ##
-
-## @typedef {struct} Bootstrap - Bootstrap configuration for restoring a database cluster from a backup.
-## @field {bool} enabled - Whether to restore from a backup.
-## @field {string} [recoveryTime] - Timestamp (RFC3339) for point-in-time recovery; empty means latest.
-## @field {string} oldName - Previous cluster name before deletion.
-
-## @param {Bootstrap} bootstrap - Bootstrap configuration.
 bootstrap:
  enabled: false
  # example: 2020-11-26 15:22:00.00000+00
  recoveryTime: ""
  oldName: ""
+
--- a/packages/apps/rabbitmq/README.md
+++ b/packages/apps/rabbitmq/README.md
@@ -13,28 +13,28 @@ The service utilizes official RabbitMQ operator. This ensures the reliability an

 ### Common parameters

-| Name               | Description                                                                                                                        | Type       | Value   |
-| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------- |
-| `replicas`         | Number of RabbitMQ replicas.                                                                                                       | `int`      | `3`     |
-| `resources`        | Explicit CPU and memory configuration for each RabbitMQ replica. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `resources.cpu`    | CPU available to each replica.                                                                                                     | `quantity` | `""`    |
-| `resources.memory` | Memory (RAM) available to each replica.                                                                                            | `quantity` | `""`    |
-| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                            | `string`   | `nano`  |
-| `size`             | Persistent Volume Claim size available for application data.                                                                       | `quantity` | `10Gi`  |
-| `storageClass`     | StorageClass used to store the data.                                                                                               | `string`   | `""`    |
-| `external`         | Enable external access from outside the cluster.                                                                                   | `bool`     | `false` |
+| Name               | Description                                                                                                                               | Type        | Value   |
+| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
+| `replicas`         | Number of RabbitMQ replicas                                                                                                               | `int`       | `3`     |
+| `resources`        | Explicit CPU and memory configuration for each RabbitMQ replica.  When left empty, the preset defined in `resourcesPreset` is applied.    | `*object`   | `null`  |
+| `resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null`  |
+| `resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null`  |
+| `resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `nano`  |
+| `size`             | Persistent Volume Claim size, available for application data                                                                              | `quantity`  | `10Gi`  |
+| `storageClass`     | StorageClass used to store the data                                                                                                       | `string`    | `""`    |
+| `external`         | Enable external access from outside the cluster                                                                                           | `bool`      | `false` |


 ### Application-specific parameters

-| Name                          | Description                      | Type                | Value |
-| ----------------------------- | -------------------------------- | ------------------- | ----- |
-| `users`                       | Users configuration map.         | `map[string]object` | `{}`  |
-| `users[name].password`        | Password for the user.           | `string`            | `""`  |
-| `vhosts`                      | Virtual hosts configuration map. | `map[string]object` | `{}`  |
-| `vhosts[name].roles`          | Virtual host roles list.         | `object`            | `{}`  |
-| `vhosts[name].roles.admin`    | List of admin users.             | `[]string`          | `[]`  |
-| `vhosts[name].roles.readonly` | List of readonly users.          | `[]string`          | `[]`  |
+| Name                          | Description                 | Type                | Value   |
+| ----------------------------- | --------------------------- | ------------------- | ------- |
+| `users`                       | Users configuration         | `map[string]object` | `{...}` |
+| `users[name].password`        | Password for the user       | `*string`           | `null`  |
+| `vhosts`                      | Virtual Hosts configuration | `map[string]object` | `{...}` |
+| `vhosts[name].roles`          | Virtual host roles list     | `object`            | `{}`    |
+| `vhosts[name].roles.admin`    | List of admin users         | `[]string`          | `[]`    |
+| `vhosts[name].roles.readonly` | List of readonly users      | `[]string`          | `[]`    |


 ## Parameter examples and reference
--- a/packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-default-user
+  {{- range $name, $u := .Values.users }}
+  - {{ $.Release.Name }}-{{ kebabcase $name }}-credentials
+  {{- end }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/rabbitmq/values.schema.json
+++ b/packages/apps/rabbitmq/values.schema.json
@@ -3,22 +3,22 @@
  "type": "object",
  "properties": {
    "external": {
-      "description": "Enable external access from outside the cluster.",
+      "description": "Enable external access from outside the cluster",
      "type": "boolean",
      "default": false
    },
    "replicas": {
-      "description": "Number of RabbitMQ replicas.",
+      "description": "Number of RabbitMQ replicas",
      "type": "integer",
      "default": 3
    },
    "resources": {
-      "description": "Explicit CPU and memory configuration for each RabbitMQ replica. When omitted, the preset defined in `resourcesPreset` is applied.",
+      "description": "Explicit CPU and memory configuration for each RabbitMQ replica.  When left empty, the preset defined in `resourcesPreset` is applied.",
      "type": "object",
      "default": {},
      "properties": {
        "cpu": {
-          "description": "CPU available to each replica.",
+          "description": "CPU available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -31,7 +31,7 @@
          "x-kubernetes-int-or-string": true
        },
        "memory": {
-          "description": "Memory (RAM) available to each replica.",
+          "description": "Memory (RAM) available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -46,7 +46,7 @@
      }
    },
    "resourcesPreset": {
-      "description": "Default sizing preset used when `resources` is omitted.",
+      "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
      "type": "string",
      "default": "nano",
      "enum": [
@@ -60,7 +60,7 @@
      ]
    },
    "size": {
-      "description": "Persistent Volume Claim size available for application data.",
+      "description": "Persistent Volume Claim size, available for application data",
      "default": "10Gi",
      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
      "anyOf": [
@@ -74,26 +74,25 @@
      "x-kubernetes-int-or-string": true
    },
    "storageClass": {
-      "description": "StorageClass used to store the data.",
-      "type": "string",
-      "default": ""
+      "description": "StorageClass used to store the data",
+      "type": "string"
    },
    "users": {
-      "description": "Users configuration map.",
+      "description": "Users configuration",
      "type": "object",
      "default": {},
      "additionalProperties": {
        "type": "object",
        "properties": {
          "password": {
-            "description": "Password for the user.",
+            "description": "Password for the user",
            "type": "string"
          }
        }
      }
    },
    "vhosts": {
-      "description": "Virtual hosts configuration map.",
+      "description": "Virtual Hosts configuration",
      "type": "object",
      "default": {},
      "additionalProperties": {
@@ -103,18 +102,18 @@
        ],
        "properties": {
          "roles": {
-            "description": "Virtual host roles list.",
+            "description": "Virtual host roles list",
            "type": "object",
            "properties": {
              "admin": {
-                "description": "List of admin users.",
+                "description": "List of admin users",
                "type": "array",
                "items": {
                  "type": "string"
                }
              },
              "readonly": {
-                "description": "List of readonly users.",
+                "description": "List of readonly users",
                "type": "array",
                "items": {
                  "type": "string"
--- a/packages/apps/rabbitmq/values.yaml
+++ b/packages/apps/rabbitmq/values.yaml
@@ -1,47 +1,29 @@
-##
 ## @section Common parameters
 ##
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each RabbitMQ replica.
-## @field {quantity} [cpu] - CPU available to each replica.
-## @field {quantity} [memory] - Memory (RAM) available to each replica.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @param {int} replicas - Number of RabbitMQ replicas.
+## @param replicas {int} Number of RabbitMQ replicas
 replicas: 3
-
-## @param {Resources} [resources] - Explicit CPU and memory configuration for each RabbitMQ replica. When omitted, the preset defined in `resourcesPreset` is applied.
+## @param resources {*resources} Explicit CPU and memory configuration for each RabbitMQ replica.  When left empty, the preset defined in `resourcesPreset` is applied.
+## @field resources.cpu {*quantity} CPU available to each replica
+## @field resources.memory {*quantity} Memory (RAM) available to each replica
+# resources:
+#   cpu: 4000m
+#   memory: 4Gi
 resources: {}

-## @param {ResourcesPreset} resourcesPreset="nano" - Default sizing preset used when `resources` is omitted.
+## @param resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
 resourcesPreset: "nano"
-
-## @param {quantity} size - Persistent Volume Claim size available for application data.
+## @param size {quantity} Persistent Volume Claim size, available for application data
 size: 10Gi
-
-## @param {string} storageClass - StorageClass used to store the data.
+## @param storageClass {string} StorageClass used to store the data
 storageClass: ""
-
-## @param {bool} external - Enable external access from outside the cluster.
+## @param external {bool} Enable external access from outside the cluster
 external: false

-##
+
 ## @section Application-specific parameters
 ##
-
-## @typedef {struct} User - User configuration.
-## @field {string} [password] - Password for the user.
-
-## @param {map[string]User} users - Users configuration map.
-users: {}
+## @param users {map[string]user} Users configuration
+## @field user.password {*string} Password for the user
 ## Example:
 ## users:
 ##   user1:
@@ -50,16 +32,14 @@ users: {}
 ##     password: hackme
 ##   user3:
 ##     password: testtest
+##
+users: {}

-## @typedef {struct} Roles - Virtual host roles.
-## @field {[]string} [admin] - List of admin users.
-## @field {[]string} [readonly] - List of readonly users.
-
-## @typedef {struct} Vhost - Virtual host configuration.
-## @field {Roles} roles - Virtual host roles list.
-
-## @param {map[string]Vhost} vhosts - Virtual hosts configuration map.
-vhosts: {}
+## @param vhosts {map[string]vhost} Virtual Hosts configuration
+## @field vhost.roles {roles} Virtual host roles list
+## @field roles.admin {[]string} List of admin users
+## @field roles.readonly {[]string} List of readonly users
+##
 ## Example:
 ## vhosts:
 ##   myapp:
@@ -73,3 +53,5 @@ vhosts: {}
 ##     roles:
 ##       admin:
 ##       - user3
+vhosts: {}
+
--- a/packages/apps/redis/README.md
+++ b/packages/apps/redis/README.md
@@ -13,23 +13,23 @@ Service utilizes the Spotahome Redis Operator for efficient management and orche

 ### Common parameters

-| Name               | Description                                                                                                                     | Type       | Value   |
-| ------------------ | ------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------- |
-| `replicas`         | Number of Redis replicas.                                                                                                       | `int`      | `2`     |
-| `resources`        | Explicit CPU and memory configuration for each Redis replica. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `resources.cpu`    | CPU available to each replica.                                                                                                  | `quantity` | `""`    |
-| `resources.memory` | Memory (RAM) available to each replica.                                                                                         | `quantity` | `""`    |
-| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                         | `string`   | `nano`  |
-| `size`             | Persistent Volume Claim size available for application data.                                                                    | `quantity` | `1Gi`   |
-| `storageClass`     | StorageClass used to store the data.                                                                                            | `string`   | `""`    |
-| `external`         | Enable external access from outside the cluster.                                                                                | `bool`     | `false` |
+| Name               | Description                                                                                                                               | Type        | Value   |
+| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------- |
+| `replicas`         | Number of Redis replicas                                                                                                                  | `int`       | `2`     |
+| `resources`        | Explicit CPU and memory configuration for each Redis replica.  When left empty, the preset defined in `resourcesPreset` is applied.       | `*object`   | `null`  |
+| `resources.cpu`    | CPU available to each replica                                                                                                             | `*quantity` | `null`  |
+| `resources.memory` | Memory (RAM) available to each replica                                                                                                    | `*quantity` | `null`  |
+| `resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`. | `string`    | `nano`  |
+| `size`             | Persistent Volume Claim size, available for application data                                                                              | `quantity`  | `1Gi`   |
+| `storageClass`     | StorageClass used to store the data                                                                                                       | `string`    | `""`    |
+| `external`         | Enable external access from outside the cluster                                                                                           | `bool`      | `false` |


 ### Application-specific parameters

-| Name          | Description                 | Type   | Value  |
-| ------------- | --------------------------- | ------ | ------ |
-| `authEnabled` | Enable password generation. | `bool` | `true` |
+| Name          | Description                | Type   | Value  |
+| ------------- | -------------------------- | ------ | ------ |
+| `authEnabled` | Enable password generation | `bool` | `true` |


 ## Parameter examples and reference
--- a/packages/apps/redis/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/redis/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,41 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - rfs-{{ .Release.Name }}
+  - rfrm-{{ .Release.Name }}
+  - rfrs-{{ .Release.Name }}
+  - "{{ .Release.Name }}-external-lb"
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - "{{ .Release.Name }}-auth"
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}-redis
+  - {{ .Release.Name }}-sentinel
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/redis/values.schema.json
+++ b/packages/apps/redis/values.schema.json
@@ -3,27 +3,27 @@
  "type": "object",
  "properties": {
    "authEnabled": {
-      "description": "Enable password generation.",
+      "description": "Enable password generation",
      "type": "boolean",
      "default": true
    },
    "external": {
-      "description": "Enable external access from outside the cluster.",
+      "description": "Enable external access from outside the cluster",
      "type": "boolean",
      "default": false
    },
    "replicas": {
-      "description": "Number of Redis replicas.",
+      "description": "Number of Redis replicas",
      "type": "integer",
      "default": 2
    },
    "resources": {
-      "description": "Explicit CPU and memory configuration for each Redis replica. When omitted, the preset defined in `resourcesPreset` is applied.",
+      "description": "Explicit CPU and memory configuration for each Redis replica.  When left empty, the preset defined in `resourcesPreset` is applied.",
      "type": "object",
      "default": {},
      "properties": {
        "cpu": {
-          "description": "CPU available to each replica.",
+          "description": "CPU available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -36,7 +36,7 @@
          "x-kubernetes-int-or-string": true
        },
        "memory": {
-          "description": "Memory (RAM) available to each replica.",
+          "description": "Memory (RAM) available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -51,7 +51,7 @@
      }
    },
    "resourcesPreset": {
-      "description": "Default sizing preset used when `resources` is omitted.",
+      "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
      "type": "string",
      "default": "nano",
      "enum": [
@@ -65,7 +65,7 @@
      ]
    },
    "size": {
-      "description": "Persistent Volume Claim size available for application data.",
+      "description": "Persistent Volume Claim size, available for application data",
      "default": "1Gi",
      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
      "anyOf": [
@@ -79,9 +79,8 @@
      "x-kubernetes-int-or-string": true
    },
    "storageClass": {
-      "description": "StorageClass used to store the data.",
-      "type": "string",
-      "default": ""
+      "description": "StorageClass used to store the data",
+      "type": "string"
    }
  }
 }
--- a/packages/apps/redis/values.yaml
+++ b/packages/apps/redis/values.yaml
@@ -1,41 +1,25 @@
-##
 ## @section Common parameters
 ##
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each Redis replica.
-## @field {quantity} [cpu] - CPU available to each replica.
-## @field {quantity} [memory] - Memory (RAM) available to each replica.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @param {int} replicas - Number of Redis replicas.
+## @param replicas {int} Number of Redis replicas
 replicas: 2
-
-## @param {Resources} [resources] - Explicit CPU and memory configuration for each Redis replica. When omitted, the preset defined in `resourcesPreset` is applied.
+## @param resources {*resources} Explicit CPU and memory configuration for each Redis replica.  When left empty, the preset defined in `resourcesPreset` is applied.
+## @field resources.cpu {*quantity} CPU available to each replica
+## @field resources.memory {*quantity} Memory (RAM) available to each replica
 resources: {}
-
-## @param {ResourcesPreset} resourcesPreset="nano" - Default sizing preset used when `resources` is omitted.
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
 resourcesPreset: "nano"
-
-## @param {quantity} size - Persistent Volume Claim size available for application data.
+## @param size {quantity} Persistent Volume Claim size, available for application data
 size: 1Gi
-
-## @param {string} storageClass - StorageClass used to store the data.
+## @param storageClass {string} StorageClass used to store the data
 storageClass: ""
-
-## @param {bool} external - Enable external access from outside the cluster.
+## @param external {bool} Enable external access from outside the cluster
 external: false

-##
+
 ## @section Application-specific parameters
 ##
-
-## @param {bool} authEnabled - Enable password generation.
+## @param authEnabled {bool} Enable password generation
 authEnabled: true
--- a/packages/apps/tcp-balancer/README.md
+++ b/packages/apps/tcp-balancer/README.md
@@ -12,28 +12,28 @@ Managed TCP Load Balancer Service efficiently utilizes HAProxy for load balancin

 ### Common parameters

-| Name               | Description                                                                                                                            | Type       | Value   |
-| ------------------ | -------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------- |
-| `replicas`         | Number of HAProxy replicas.                                                                                                            | `int`      | `2`     |
-| `resources`        | Explicit CPU and memory configuration for each TCP Balancer replica. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `resources.cpu`    | CPU available to each replica.                                                                                                         | `quantity` | `""`    |
-| `resources.memory` | Memory (RAM) available to each replica.                                                                                                | `quantity` | `""`    |
-| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                                | `string`   | `nano`  |
-| `external`         | Enable external access from outside the cluster.                                                                                       | `bool`     | `false` |
+| Name               | Description                                                                                                                                | Type        | Value   |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | ------- |
+| `replicas`         | Number of HAProxy replicas                                                                                                                 | `int`       | `2`     |
+| `resources`        | Explicit CPU and memory configuration for each TCP Balancer replica.  When left empty, the preset defined in `resourcesPreset` is applied. | `*object`   | `null`  |
+| `resources.cpu`    | CPU available to each replica                                                                                                              | `*quantity` | `null`  |
+| `resources.memory` | Memory (RAM) available to each replica                                                                                                     | `*quantity` | `null`  |
+| `resourcesPreset`  | Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.  | `string`    | `nano`  |
+| `external`         | Enable external access from outside the cluster                                                                                            | `bool`      | `false` |


 ### Application-specific parameters

-| Name                             | Description                                                   | Type       | Value   |
-| -------------------------------- | ------------------------------------------------------------- | ---------- | ------- |
-| `httpAndHttps`                   | HTTP and HTTPS configuration.                                 | `object`   | `{}`    |
-| `httpAndHttps.mode`              | Mode for balancer.                                            | `string`   | `tcp`   |
-| `httpAndHttps.targetPorts`       | Target ports configuration.                                   | `object`   | `{}`    |
-| `httpAndHttps.targetPorts.http`  | HTTP port number.                                             | `int`      | `80`    |
-| `httpAndHttps.targetPorts.https` | HTTPS port number.                                            | `int`      | `443`   |
-| `httpAndHttps.endpoints`         | Endpoint addresses list.                                      | `[]string` | `[]`    |
-| `whitelistHTTP`                  | Secure HTTP by whitelisting client networks (default: false). | `bool`     | `false` |
-| `whitelist`                      | List of allowed client networks.                              | `[]string` | `[]`    |
+| Name                             | Description                                                      | Type       | Value   |
+| -------------------------------- | ---------------------------------------------------------------- | ---------- | ------- |
+| `httpAndHttps`                   | HTTP and HTTPS configuration                                     | `object`   | `{}`    |
+| `httpAndHttps.mode`              | Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`    | `string`   | `tcp`   |
+| `httpAndHttps.targetPorts`       | Target ports configuration                                       | `object`   | `{}`    |
+| `httpAndHttps.targetPorts.http`  | HTTP port number.                                                | `int`      | `80`    |
+| `httpAndHttps.targetPorts.https` | HTTPS port number.                                               | `int`      | `443`   |
+| `httpAndHttps.endpoints`         | Endpoint addresses list                                          | `[]string` | `[]`    |
+| `whitelistHTTP`                  | Secure HTTP by whitelisting client networks, `false` by default. | `bool`     | `false` |
+| `whitelist`                      | List of allowed client networks                                  | `[]string` | `[]`    |


 ## Parameter examples and reference
--- a/packages/apps/tcp-balancer/values.schema.json
+++ b/packages/apps/tcp-balancer/values.schema.json
@@ -3,12 +3,12 @@
  "type": "object",
  "properties": {
    "external": {
-      "description": "Enable external access from outside the cluster.",
+      "description": "Enable external access from outside the cluster",
      "type": "boolean",
      "default": false
    },
    "httpAndHttps": {
-      "description": "HTTP and HTTPS configuration.",
+      "description": "HTTP and HTTPS configuration",
      "type": "object",
      "default": {},
      "required": [
@@ -17,7 +17,7 @@
      ],
      "properties": {
        "endpoints": {
-          "description": "Endpoint addresses list.",
+          "description": "Endpoint addresses list",
          "type": "array",
          "default": [],
          "items": {
@@ -25,7 +25,7 @@
          }
        },
        "mode": {
-          "description": "Mode for balancer.",
+          "description": "Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`",
          "type": "string",
          "default": "tcp",
          "enum": [
@@ -34,7 +34,7 @@
          ]
        },
        "targetPorts": {
-          "description": "Target ports configuration.",
+          "description": "Target ports configuration",
          "type": "object",
          "default": {},
          "required": [
@@ -57,17 +57,16 @@
      }
    },
    "replicas": {
-      "description": "Number of HAProxy replicas.",
+      "description": "Number of HAProxy replicas",
      "type": "integer",
      "default": 2
    },
    "resources": {
-      "description": "Explicit CPU and memory configuration for each TCP Balancer replica. When omitted, the preset defined in `resourcesPreset` is applied.",
+      "description": "Explicit CPU and memory configuration for each TCP Balancer replica.  When left empty, the preset defined in `resourcesPreset` is applied.",
      "type": "object",
-      "default": {},
      "properties": {
        "cpu": {
-          "description": "CPU available to each replica.",
+          "description": "CPU available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -80,7 +79,7 @@
          "x-kubernetes-int-or-string": true
        },
        "memory": {
-          "description": "Memory (RAM) available to each replica.",
+          "description": "Memory (RAM) available to each replica",
          "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
          "anyOf": [
            {
@@ -95,7 +94,7 @@
      }
    },
    "resourcesPreset": {
-      "description": "Default sizing preset used when `resources` is omitted.",
+      "description": "Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.",
      "type": "string",
      "default": "nano",
      "enum": [
@@ -109,7 +108,7 @@
      ]
    },
    "whitelist": {
-      "description": "List of allowed client networks.",
+      "description": "List of allowed client networks",
      "type": "array",
      "default": [],
      "items": {
@@ -117,7 +116,7 @@
      }
    },
    "whitelistHTTP": {
-      "description": "Secure HTTP by whitelisting client networks (default: false).",
+      "description": "Secure HTTP by whitelisting client networks, `false` by default.",
      "type": "boolean",
      "default": false
    }
--- a/packages/apps/tcp-balancer/values.yaml
+++ b/packages/apps/tcp-balancer/values.yaml
@@ -1,50 +1,44 @@
-##
 ## @section Common parameters
 ##
-
-## @typedef {struct} Resources - Explicit CPU and memory configuration for each TCP Balancer replica.
-## @field {quantity} [cpu] - CPU available to each replica.
-## @field {quantity} [memory] - Memory (RAM) available to each replica.
-
-## @enum {string} ResourcesPreset - Default sizing preset.
-## @value nano
-## @value micro
-## @value small
-## @value medium
-## @value large
-## @value xlarge
-## @value 2xlarge
-
-## @param {int} replicas - Number of HAProxy replicas.
+## @param replicas {int} Number of HAProxy replicas
 replicas: 2
-
-## @param {Resources} [resources] - Explicit CPU and memory configuration for each TCP Balancer replica. When omitted, the preset defined in `resourcesPreset` is applied.
-resources: {}
-
-## @param {ResourcesPreset} resourcesPreset="nano" - Default sizing preset used when `resources` is omitted.
+## @param resources {*resources} Explicit CPU and memory configuration for each TCP Balancer replica.  When left empty, the preset defined in `resourcesPreset` is applied.
+## @field resources.cpu {*quantity} CPU available to each replica
+## @field resources.memory {*quantity} Memory (RAM) available to each replica
+#resources: {}
+# resources:
+#   cpu: 4000m
+#   memory: 4Gi
+## @param resourcesPreset {string enum:"nano,micro,small,medium,large,xlarge,2xlarge"} Default sizing preset used when `resources` is omitted. Allowed values: `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
 resourcesPreset: "nano"
-
-## @param {bool} external - Enable external access from outside the cluster.
+##
+## @param external {bool} Enable external access from outside the cluster
 external: false

-##
+
 ## @section Application-specific parameters
 ##
+## @param httpAndHttps {httpAndHttps} HTTP and HTTPS configuration
+## @field httpAndHttps.mode {string enum:"tcp,tcp-with-proxy"} Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`
+## @field httpAndHttps.targetPorts {targetPorts} Target ports configuration
+## @field targetPorts.http {int} HTTP port number.
+## @field targetPorts.https {int} HTTPS port number.
+## @field httpAndHttps.endpoints {[]string} Endpoint addresses list
+## Example:
+##
+## httpAndHttps:
+##   mode: tcp
+##   targetPorts:
+##     http: 80
+##     https: 443
+##   endpoints:
+##    - 10.100.3.1
+##    - 10.100.3.11
+##    - 10.100.3.2
+##    - 10.100.3.12
+##    - 10.100.3.3
+##    - 10.100.3.13

-## @enum {string} Mode - Mode for balancer.
-## @value tcp
-## @value tcp-with-proxy
-
-## @typedef {struct} TargetPorts - Target ports configuration.
-## @field {int} http - HTTP port number.
-## @field {int} https - HTTPS port number.
-
-## @typedef {struct} HttpAndHttps - HTTP and HTTPS configuration.
-## @field {Mode} mode - Mode for balancer.
-## @field {TargetPorts} targetPorts - Target ports configuration.
-## @field {[]string} endpoints - Endpoint addresses list.
-
-## @param {HttpAndHttps} httpAndHttps - HTTP and HTTPS configuration.
 httpAndHttps:
  mode: tcp
  targetPorts:
@@ -52,14 +46,14 @@ httpAndHttps:
    https: 443
  endpoints: []

-## @param {bool} whitelistHTTP - Secure HTTP by whitelisting client networks (default: false).
-whitelistHTTP: false
+## @param whitelistHTTP {bool} Secure HTTP by whitelisting client networks, `false` by default.
+## @param whitelist {[]string} List of allowed client networks
 ## Example:
 ## whitelistHTTP: true
 ## whitelist:
 ## - "1.2.3.4"
 ## - "10.100.0.0/16"
 ##
-
-## @param {[]string} whitelist - List of allowed client networks.
+whitelistHTTP: false
 whitelist: []
+
--- a/packages/apps/tenant/README.md
+++ b/packages/apps/tenant/README.md
@@ -69,13 +69,13 @@ tenant-u1

 ### Common parameters

-| Name             | Description                                                                                                                | Type                  | Value   |
-| ---------------- | -------------------------------------------------------------------------------------------------------------------------- | --------------------- | ------- |
-| `host`           | The hostname used to access tenant services (defaults to using the tenant name as a subdomain for its parent tenant host). | `string`              | `""`    |
-| `etcd`           | Deploy own Etcd cluster.                                                                                                   | `bool`                | `false` |
-| `monitoring`     | Deploy own Monitoring Stack.                                                                                               | `bool`                | `false` |
-| `ingress`        | Deploy own Ingress Controller.                                                                                             | `bool`                | `false` |
-| `seaweedfs`      | Deploy own SeaweedFS.                                                                                                      | `bool`                | `false` |
-| `isolated`       | Enforce tenant namespace with network policies (default: true).                                                            | `bool`                | `true`  |
-| `resourceQuotas` | Define resource quotas for the tenant.                                                                                     | `map[string]quantity` | `{}`    |
+| Name             | Description                                                                                                                 | Type                  | Value   |
+| ---------------- | --------------------------------------------------------------------------------------------------------------------------- | --------------------- | ------- |
+| `host`           | The hostname used to access tenant services (defaults to using the tenant name as a subdomain for it's parent tenant host). | `*string`             | `""`    |
+| `etcd`           | Deploy own Etcd cluster                                                                                                     | `bool`                | `false` |
+| `monitoring`     | Deploy own Monitoring Stack                                                                                                 | `bool`                | `false` |
+| `ingress`        | Deploy own Ingress Controller                                                                                               | `bool`                | `false` |
+| `seaweedfs`      | Deploy own SeaweedFS                                                                                                        | `bool`                | `false` |
+| `isolated`       | Enforce tenant namespace with network policies, `true` by default                                                           | `bool`                | `true`  |
+| `resourceQuotas` | Define resource quotas for the tenant                                                                                       | `map[string]quantity` | `{}`    |

--- a/packages/apps/tenant/templates/cleanup-job.yaml
+++ b/packages/apps/tenant/templates/cleanup-job.yaml
@@ -0,0 +1,85 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "-5"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "-5"
+rules:
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+  resources: ["helmreleases"]
+  verbs: ["get", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "-5"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "tenant.name" . }}-cleanup
+subjects:
+- kind: ServiceAccount
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "tenant.name" . }}-cleanup
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook-weight: "0"
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      name: {{ include "tenant.name" . }}-cleanup
+      labels:
+        policy.cozystack.io/allow-to-apiserver: "true"
+    spec:
+      serviceAccountName: {{ include "tenant.name" . }}-cleanup
+      restartPolicy: OnFailure
+      containers:
+      - name: cleanup
+        image: bitnami/kubectl:latest
+        command:
+        - /bin/bash
+        - -c
+        - |
+          set -e
+          NAMESPACE="{{ include "tenant.name" . }}"
+          
+          echo "Cleaning up HelmReleases in namespace: $NAMESPACE"
+          
+          echo "Deleting Applications"
+          kubectl delete helmreleases.helm.toolkit.fluxcd.io -n "$NAMESPACE" \
+            -l 'cozystack.io/ui=true,internal.cozystack.io/tenantmodule!=true' \
+            --ignore-not-found=true --wait=true
+          
+          echo "Deleting Tenant Modules"
+          kubectl delete helmreleases.helm.toolkit.fluxcd.io -n "$NAMESPACE" \
+            -l 'cozystack.io/ui=true,internal.cozystack.io/tenantmodule=true' \
+            --ignore-not-found=true --wait=true
+          
+          echo "Cleanup completed successfully"
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -20,11 +20,7 @@ metadata:
  name: allow-external-communication
  namespace: {{ include "tenant.name" . }}
 spec:
-  endpointSelector:
-    matchExpressions:
-    - key: policy.cozystack.io/allow-external-communication
-      operator: NotIn
-      values: ["false"]
+  endpointSelector: {}
  ingress:
  - fromEntities:
      - world
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -35,7 +35,6 @@ rules:
  resources:
  - tenantmodules
  - tenantsecrets
-  - tenantsecretstables
  verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -123,7 +122,7 @@ metadata:
  name: {{ include "tenant.name" . }}-view
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "view" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-view
@@ -193,7 +192,6 @@ rules:
    resources:
    - tenantmodules
    - tenantsecrets
-    - tenantsecretstables
    verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
@@ -202,7 +200,7 @@ metadata:
  name: {{ include "tenant.name" . }}-use
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "use" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-use
@@ -273,7 +271,6 @@ rules:
    - vmdisks
    - vminstances
    - infos
-    - virtualprivateclouds
    verbs:
    - get
    - list
@@ -293,7 +290,6 @@ rules:
    resources:
    - tenantmodules
    - tenantsecrets
-    - tenantsecretstables
    verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
@@ -302,7 +298,7 @@ metadata:
  name: {{ include "tenant.name" . }}-admin
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "admin" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-admin
@@ -368,7 +364,6 @@ rules:
    resources:
    - tenantmodules
    - tenantsecrets
-    - tenantsecretstables
    verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
@@ -377,7 +372,7 @@ metadata:
  name: {{ include "tenant.name" . }}-super-admin
  namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "super-admin" (include "tenant.name" .) ) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" (include "tenant.name" .) ) | nindent 2 }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-super-admin
--- a/packages/apps/tenant/values.schema.json
+++ b/packages/apps/tenant/values.schema.json
@@ -3,32 +3,31 @@
  "type": "object",
  "properties": {
    "etcd": {
-      "description": "Deploy own Etcd cluster.",
+      "description": "Deploy own Etcd cluster",
      "type": "boolean",
      "default": false
    },
    "host": {
-      "description": "The hostname used to access tenant services (defaults to using the tenant name as a subdomain for its parent tenant host).",
-      "type": "string",
-      "default": ""
+      "description": "The hostname used to access tenant services (defaults to using the tenant name as a subdomain for it's parent tenant host).",
+      "type": "string"
    },
    "ingress": {
-      "description": "Deploy own Ingress Controller.",
+      "description": "Deploy own Ingress Controller",
      "type": "boolean",
      "default": false
    },
    "isolated": {
-      "description": "Enforce tenant namespace with network policies (default: true).",
+      "description": "Enforce tenant namespace with network policies, `true` by default",
      "type": "boolean",
      "default": true
    },
    "monitoring": {
-      "description": "Deploy own Monitoring Stack.",
+      "description": "Deploy own Monitoring Stack",
      "type": "boolean",
      "default": false
    },
    "resourceQuotas": {
-      "description": "Define resource quotas for the tenant.",
+      "description": "Define resource quotas for the tenant",
      "type": "object",
      "default": {},
      "additionalProperties": {
@@ -45,7 +44,7 @@
      }
    },
    "seaweedfs": {
-      "description": "Deploy own SeaweedFS.",
+      "description": "Deploy own SeaweedFS",
      "type": "boolean",
      "default": false
    }
--- a/packages/apps/tenant/values.yaml
+++ b/packages/apps/tenant/values.yaml
@@ -1,24 +1,21 @@
-##
 ## @section Common parameters
-##

-## @param {string} [host] - The hostname used to access tenant services (defaults to using the tenant name as a subdomain for its parent tenant host).
+## @param host {*string} The hostname used to access tenant services (defaults to using the tenant name as a subdomain for it's parent tenant host).
+## @param etcd {bool} Deploy own Etcd cluster
+## @param monitoring {bool} Deploy own Monitoring Stack
+## @param ingress {bool} Deploy own Ingress Controller
+## @param seaweedfs {bool} Deploy own SeaweedFS
+## @param isolated {bool} Enforce tenant namespace with network policies, `true` by default
 host: ""
-
-## @param {bool} etcd - Deploy own Etcd cluster.
 etcd: false
-
-## @param {bool} monitoring - Deploy own Monitoring Stack.
 monitoring: false
-
-## @param {bool} ingress - Deploy own Ingress Controller.
 ingress: false
-
-## @param {bool} seaweedfs - Deploy own SeaweedFS.
 seaweedfs: false
-
-## @param {bool} isolated - Enforce tenant namespace with network policies (default: true).
 isolated: true
-
-## @param {map[string]quantity} resourceQuotas - Define resource quotas for the tenant.
+## @param resourceQuotas {map[string]quantity} Define resource quotas for the tenant
 resourceQuotas: {}
+# resourceQuotas:
+#   cpu: "1"
+#   memory: "1Gi"
+#   nvidia.com/gpu: 4
+#   storage: 100Gi
--- a/packages/apps/virtual-machine/README.md
+++ b/packages/apps/virtual-machine/README.md
@@ -36,29 +36,27 @@ virtctl ssh <user>@<vm>

 ### Common parameters

-| Name                      | Description                                             | Type       | Value        |
-| ------------------------- | ------------------------------------------------------- | ---------- | ------------ |
-| `external`                | Enable external access from outside the cluster.        | `bool`     | `false`      |
-| `externalMethod`          | Method to pass through traffic to the VM.               | `string`   | `PortList`   |
-| `externalPorts`           | Ports to forward from outside the cluster.              | `[]int`    | `[22]`       |
-| `running`                 | Whether the virtual machine should be running.          | `bool`     | `true`       |
-| `instanceType`            | Virtual Machine instance type.                          | `string`   | `u1.medium`  |
-| `instanceProfile`         | Virtual Machine preferences profile.                    | `string`   | `ubuntu`     |
-| `systemDisk`              | System disk configuration.                              | `object`   | `{}`         |
-| `systemDisk.image`        | The base image for the virtual machine.                 | `string`   | `ubuntu`     |
-| `systemDisk.storage`      | The size of the disk allocated for the virtual machine. | `string`   | `5Gi`        |
-| `systemDisk.storageClass` | StorageClass used to store the data.                    | `string`   | `replicated` |
-| `subnets`                 | Additional subnets                                      | `[]object` | `[]`         |
-| `subnets[i].name`         | Subnet name                                             | `string`   | `""`         |
-| `gpus`                    | List of GPUs to attach.                                 | `[]object` | `[]`         |
-| `gpus[i].name`            | The name of the GPU resource to attach.                 | `string`   | `""`         |
-| `resources`               | Resource configuration for the virtual machine.         | `object`   | `{}`         |
-| `resources.cpu`           | Number of CPU cores allocated.                          | `quantity` | `""`         |
-| `resources.sockets`       | Number of CPU sockets (vCPU topology).                  | `quantity` | `""`         |
-| `resources.memory`        | Amount of memory allocated.                             | `quantity` | `""`         |
-| `sshKeys`                 | List of SSH public keys for authentication.             | `[]string` | `[]`         |
-| `cloudInit`               | Cloud-init user data.                                   | `string`   | `""`         |
-| `cloudInitSeed`           | Seed string to generate SMBIOS UUID for the VM.         | `string`   | `""`         |
+| Name                      | Description                                                                                                                                                                                                                               | Type        | Value        |
+| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ------------ |
+| `external`                | Enable external access from outside the cluster                                                                                                                                                                                           | `bool`      | `false`      |
+| `externalMethod`          | Specify method to pass through the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`                                                                                                                               | `string`    | `PortList`   |
+| `externalPorts`           | Specify ports to forward from outside the cluster                                                                                                                                                                                         | `[]int`     | `[22]`       |
+| `running`                 | if the virtual machine should be running                                                                                                                                                                                                  | `bool`      | `true`       |
+| `instanceType`            | Virtual Machine instance type                                                                                                                                                                                                             | `string`    | `u1.medium`  |
+| `instanceProfile`         | Virtual Machine preferences profile                                                                                                                                                                                                       | `string`    | `ubuntu`     |
+| `systemDisk`              | System disk configuration                                                                                                                                                                                                                 | `object`    | `{}`         |
+| `systemDisk.image`        | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`                                                                                                                                | `string`    | `ubuntu`     |
+| `systemDisk.storage`      | The size of the disk allocated for the virtual machine                                                                                                                                                                                    | `string`    | `5Gi`        |
+| `systemDisk.storageClass` | StorageClass used to store the data                                                                                                                                                                                                       | `*string`   | `replicated` |
+| `gpus`                    | List of GPUs to attach                                                                                                                                                                                                                    | `[]object`  | `[]`         |
+| `gpus[i].name`            | The name of the GPU to attach. This should match the GPU resource name in the cluster.                                                                                                                                                    | `string`    | `""`         |
+| `resources`               | Resources                                                                                                                                                                                                                                 | `*object`   | `null`       |
+| `resources.cpu`           | The number of CPU cores allocated to the virtual machine                                                                                                                                                                                  | `*quantity` | `null`       |
+| `resources.sockets`       | The number of CPU sockets allocated to the virtual machine (used to define vCPU topology)                                                                                                                                                 | `*quantity` | `null`       |
+| `resources.memory`        | The amount of memory allocated to the virtual machine                                                                                                                                                                                     | `*quantity` | `null`       |
+| `sshKeys`                 | List of SSH public keys for authentication. Can be a single key or a list of keys.                                                                                                                                                        | `[]string`  | `[]`         |
+| `cloudInit`               | Cloud-init user data config. See cloud-init documentation for more details: [format](https://cloudinit.readthedocs.io/en/latest/explanation/format.html), [examples](https://cloudinit.readthedocs.io/en/latest/reference/examples.html). | `string`    | `""`         |
+| `cloudInitSeed`           | A seed string to generate an SMBIOS UUID for the VM.                                                                                                                                                                                      | `string`    | `""`         |


 ## U Series
--- a/packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ include "virtual-machine.fullname" . }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: virtual-machine
+  type: virtual-machine
+  selector:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  version: {{ $.Chart.Version }}
--- a/packages/apps/virtual-machine/templates/secret-network-config.yaml
+++ b/packages/apps/virtual-machine/templates/secret-network-config.yaml
@@ -1,40 +0,0 @@
-# if subnets are specified and image is either ubunu or alpine
-{{- if and .Values.subnets (or (eq .Values.systemDisk.image "ubuntu") (eq .Values.systemDisk.image "alpine")) }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "virtual-machine.fullname" $ }}-network-config
-stringData:
-  networkData: |
-    network:
-      version: 1
-      config:
-      {{- if eq .Values.systemDisk.image "ubuntu" }}
-      # main iface
-      - type: physical
-        name: enp1s0
-        subnets:
-          - type: dhcp
-      # additional ifaces attached to subnets
-      {{- range $i, $subnet := .Values.subnets }}
-      - type: physical
-        name: enp{{ add 2 $i }}s0
-        subnets:
-          - type: dhcp
-      {{- end }}
-      {{- else if eq .Values.systemDisk.image "alpine" }}
-      #main iface
-      - type: physical
-        name: eth0
-        subnets:
-          - type: dhcp
-      # additional ifaces attached to subnets
-      {{- range $i, $subnet := .Values.subnets }}
-      - type: physical
-        name: eth{{ add1 $i }}
-        subnets:
-          - type: dhcp
-      {{- end }}
-      {{- end }}
-{{- end }}
--- a/packages/apps/virtual-machine/templates/service.yaml
+++ b/packages/apps/virtual-machine/templates/service.yaml
@@ -28,27 +28,3 @@ spec:
    {{- end }}
    {{- end }}
 {{- end }}
---
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: {{ include "virtual-machine.fullname" . }}
-spec:
-  endpointSelector:
-    matchLabels:
-      {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
-  ingress:
-  - fromEntities:
-      - cluster
-  - fromEntities:
-      - world
-    {{- if eq .Values.externalMethod "PortList" }}
-    toPorts:
-      - ports:
-          {{- range .Values.externalPorts }}
-          - port: {{ quote . }}
-          {{- end }}
-    {{- end }}
-  egress:
-  - toEntities:
-      - world
--- a/packages/apps/virtual-machine/templates/vm.yaml
+++ b/packages/apps/virtual-machine/templates/vm.yaml
@@ -51,9 +51,9 @@ spec:
          {{- else if eq .Values.systemDisk.image "ubuntu" }}
          url: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
          {{- else if eq .Values.systemDisk.image "fedora" }}
-          url: https://download.fedoraproject.org/pub/fedora/linux/releases/42/Cloud/x86_64/images/Fedora-Cloud-Base-Generic-42-1.1.x86_64.qcow2
+          url: https://download.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/Fedora-Cloud-Base-Generic.x86_64-40-1.14.qcow2
          {{- else if eq .Values.systemDisk.image "alpine" }}
-          url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/cloud/nocloud_alpine-3.20.8-x86_64-bios-cloudinit-r0.qcow2
+          url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/cloud/nocloud_alpine-3.20.2-x86_64-bios-tiny-r0.qcow2
          {{- else if eq .Values.systemDisk.image "talos" }}
          url: https://github.com/siderolabs/talos/releases/download/v1.7.6/nocloud-amd64.raw.xz
          {{- end }}
@@ -62,7 +62,6 @@ spec:
  template:
    metadata:
      annotations:
-        policy.cozystack.io/allow-external-communication: "false"
        kubevirt.io/allow-pod-bridge-network-live-migration: "true"
      labels:
        {{- include "virtual-machine.labels" . | nindent 8 }}
@@ -93,7 +92,7 @@ spec:
          - disk:
              bus: scsi
            name: systemdisk
-          {{- if or .Values.cloudInit .Values.sshKeys (and .Values.subnets (or (eq .Values.systemDisk.image "ubuntu") (eq .Values.systemDisk.image "alpine"))) }}
+          {{- if or .Values.cloudInit .Values.sshKeys }}
          - disk:
              bus: virtio
            name: cloudinitdisk
@@ -102,12 +101,6 @@ spec:
          interfaces:
          - name: default
            bridge: {}
-          {{- if .Values.subnets }}
-          {{- range $i, $subnet := .Values.subnets }}
-          - name: {{ $subnet.name }}
-            bridge: {}
-          {{- end }}
-          {{- end }}

        machine:
          type: ""
@@ -129,26 +122,13 @@ spec:
        - name: systemdisk
          dataVolume:
            name: {{ include "virtual-machine.fullname" . }}
-        {{- if or .Values.cloudInit .Values.sshKeys (and .Values.subnets (or (eq .Values.systemDisk.image "ubuntu") (eq .Values.systemDisk.image "alpine"))) }}
+        {{- if or .Values.cloudInit .Values.sshKeys }}
        - name: cloudinitdisk
          cloudInitNoCloud:
-            {{- if or .Values.cloudInit .Values.sshKeys }}
            secretRef:
              name: {{ include "virtual-machine.fullname" . }}-cloud-init
-            {{- end }}
-            {{- if and .Values.subnets (or (eq .Values.systemDisk.image "ubuntu") (eq .Values.systemDisk.image "alpine")) }}
-            networkDataSecretRef:
-              name: {{ include "virtual-machine.fullname" . }}-network-config
-            {{- end }}
        {{- end }}

      networks:
      - name: default
        pod: {}
-      {{- if .Values.subnets }}
-      {{- range $i, $subnet := .Values.subnets }}
-      - name: {{ $subnet.name }}
-        multus:
-          networkName: {{ $.Release.Namespace }}/{{ $subnet.name }}
-      {{- end }}
-      {{- end }}
--- a/Show More
+++ b/Show More