ci: replace Gemini with GitHub Copilot CLI for changelog generation

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.github/workflows/backport.yaml

@@ -2,7 +2,7 @@ name: Automatic Backport
 
 on:
   pull_request_target:
-    types: [closed]   # fires when PR is closed (merged)
+    types: [closed, labeled]   # fires when PR is closed (merged) or labeled
 
 concurrency:
   group: backport-${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -13,22 +13,46 @@ permissions:
   pull-requests: write
 
 jobs:
-  backport:
+  # Determine which backports are needed
+  prepare:
     if: |
       github.event.pull_request.merged == true &&
-      contains(github.event.pull_request.labels.*.name, 'backport')
+      (
+        contains(github.event.pull_request.labels.*.name, 'backport') ||
+        contains(github.event.pull_request.labels.*.name, 'backport-previous') ||
+        (github.event.action == 'labeled' && (github.event.label.name == 'backport' || github.event.label.name == 'backport-previous'))
+      )
     runs-on: [self-hosted]
-
+    outputs:
+      backport_current: ${{ steps.labels.outputs.backport }}
+      backport_previous: ${{ steps.labels.outputs.backport_previous }}
+      current_branch: ${{ steps.branches.outputs.current_branch }}
+      previous_branch: ${{ steps.branches.outputs.previous_branch }}
     steps:
-      # 1. Decide which maintenance branch should receive the back‑port
-      - name: Determine target maintenance branch
-        id: target
+      - name: Check which labels are present
+        id: labels
         uses: actions/github-script@v7
         with:
           script: |
-            let rel;
+            const pr = context.payload.pull_request;
+            const labels = pr.labels.map(l => l.name);
+            const isBackport = labels.includes('backport');
+            const isBackportPrevious = labels.includes('backport-previous');
+            
+            core.setOutput('backport', isBackport ? 'true' : 'false');
+            core.setOutput('backport_previous', isBackportPrevious ? 'true' : 'false');
+            
+            console.log(`backport label: ${isBackport}, backport-previous label: ${isBackportPrevious}`);
+      
+      - name: Determine target branches
+        id: branches
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Get latest release
+            let latestRelease;
             try {
-              rel = await github.rest.repos.getLatestRelease({
+              latestRelease = await github.rest.repos.getLatestRelease({
                 owner: context.repo.owner,
                 repo: context.repo.repo
               });
@@ -36,18 +60,70 @@ jobs:
               core.setFailed('No existing releases found; cannot determine backport target.');
               return;
             }
-            const [maj, min] = rel.data.tag_name.replace(/^v/, '').split('.');
-            const branch = `release-${maj}.${min}`;
-            core.setOutput('branch', branch);
-            console.log(`Latest release ${rel.data.tag_name}; backporting to ${branch}`);
+            
+            const [maj, min] = latestRelease.data.tag_name.replace(/^v/, '').split('.');
+            const currentBranch = `release-${maj}.${min}`;
+            const prevMin = parseInt(min) - 1;
+            const previousBranch = prevMin >= 0 ? `release-${maj}.${prevMin}` : '';
+            
+            core.setOutput('current_branch', currentBranch);
+            core.setOutput('previous_branch', previousBranch);
+            
+            console.log(`Current branch: ${currentBranch}, Previous branch: ${previousBranch || 'N/A'}`);
+            
+            // Verify previous branch exists if we need it
+            if (previousBranch && '${{ steps.labels.outputs.backport_previous }}' === 'true') {
+              try {
+                await github.rest.repos.getBranch({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  branch: previousBranch
+                });
+                console.log(`Previous branch ${previousBranch} exists`);
+              } catch (e) {
+                core.setFailed(`Previous branch ${previousBranch} does not exist.`);
+                return;
+              }
+            }
+
+  backport:
+    needs: prepare
+    if: |
+      github.event.pull_request.merged == true &&
+      (needs.prepare.outputs.backport_current == 'true' || needs.prepare.outputs.backport_previous == 'true')
+    runs-on: [self-hosted]
+    strategy:
+      matrix:
+        backport_type: [current, previous]
+    steps:
+      # 1. Determine target branch based on matrix
+      - name: Set target branch
+        id: target
+        if: |
+          (matrix.backport_type == 'current' && needs.prepare.outputs.backport_current == 'true') ||
+          (matrix.backport_type == 'previous' && needs.prepare.outputs.backport_previous == 'true')
+        run: |
+          if [ "${{ matrix.backport_type }}" == "current" ]; then
+            echo "branch=${{ needs.prepare.outputs.current_branch }}" >> $GITHUB_OUTPUT
+            echo "Target branch: ${{ needs.prepare.outputs.current_branch }}"
+          else
+            echo "branch=${{ needs.prepare.outputs.previous_branch }}" >> $GITHUB_OUTPUT
+            echo "Target branch: ${{ needs.prepare.outputs.previous_branch }}"
+          fi
+      
       # 2. Checkout (required by backport‑action)
       - name: Checkout repository
+        if: steps.target.outcome == 'success'
         uses: actions/checkout@v4
 
       # 3. Create the back‑port pull request
       - name: Create back‑port PR
-        uses: korthout/backport-action@v3
+        id: backport
+        if: steps.target.outcome == 'success'
+        uses: korthout/backport-action@v3.2.1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           label_pattern: '' # don't read labels for targets
           target_branches: ${{ steps.target.outputs.branch }}
+          merge_commits: skip
+          conflict_resolution: draft_commit_conflicts

.github/workflows/pre-commit.yml

@@ -28,7 +28,7 @@ jobs:
 
       - name: Install generate
         run: |
-          curl -sSL https://github.com/cozystack/cozyvalues-gen/releases/download/v1.0.5/cozyvalues-gen-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ cozyvalues-gen
+          curl -sSL https://github.com/cozystack/cozyvalues-gen/releases/download/v1.0.6/cozyvalues-gen-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ cozyvalues-gen
 
       - name: Run pre-commit hooks
         run: |

.github/workflows/pull-requests.yaml

@@ -58,7 +58,7 @@ jobs:
           DOCKER_CONFIG: ${{ runner.temp }}/.docker
 
       - name: Build Talos image
-        run: make -C packages/core/talos talos-nocloud
+        run: make -C packages/core/installer talos-nocloud
 
       - name: Save git diff as patch
         if: "!contains(github.event.pull_request.labels.*.name, 'release')"

.github/workflows/tags.yaml

@@ -239,3 +239,166 @@ jobs:
             } else {
               console.log(`PR already exists from ${head} to ${base}`);
             }
+
+  generate-changelog:
+    name: Generate Changelog
+    runs-on: [self-hosted]
+    needs: [prepare-release]
+    permissions:
+      contents: write
+      pull-requests: write
+    if: needs.prepare-release.result == 'success'
+    steps:
+      - name: Parse tag and get base branch
+        id: tag
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const ref = context.ref.replace('refs/tags/', '');
+            const m = ref.match(/^v(\d+\.\d+\.\d+)(-(?:alpha|beta|rc)\.\d+)?$/);
+            if (!m) {
+              core.setFailed(`❌ tag '${ref}' must match 'vX.Y.Z' or 'vX.Y.Z-(alpha|beta|rc).N'`);
+              return;
+            }
+            const version = m[1] + (m[2] ?? '');
+            const [maj, min] = m[1].split('.');
+            
+            // Determine base branch: if patch release (Z > 0), use release-X.Y, else use main
+            const patch = parseInt(m[1].split('.')[2]);
+            const baseBranch = patch > 0 ? `release-${maj}.${min}` : 'main';
+            
+            core.setOutput('version', version);
+            core.setOutput('tag', ref);
+            core.setOutput('base_branch', baseBranch);
+
+      - name: Checkout main branch
+        uses: actions/checkout@v4
+        with:
+          ref: main
+          fetch-depth: 0
+          fetch-tags: true
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Check if changelog already exists
+        id: check_changelog
+        run: |
+          CHANGELOG_FILE="docs/changelogs/v${{ steps.tag.outputs.version }}.md"
+          if [ -f "$CHANGELOG_FILE" ]; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+            echo "Changelog file $CHANGELOG_FILE already exists"
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+            echo "Changelog file $CHANGELOG_FILE does not exist"
+          fi
+
+      - name: Setup Node.js
+        if: steps.check_changelog.outputs.exists == 'false'
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Install GitHub Copilot CLI
+        if: steps.check_changelog.outputs.exists == 'false'
+        run: npm i -g @github/copilot
+
+      - name: Generate changelog using AI
+        if: steps.check_changelog.outputs.exists == 'false'
+        env:
+          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
+        run: |
+          copilot --prompt "prepare changelog file for tagged release v${{ steps.tag.outputs.version }}, use @docs/agents/changelog.md for it. Create the changelog file at docs/changelogs/v${{ steps.tag.outputs.version }}.md" \
+            --allow-all-tools --allow-all-paths < /dev/null
+
+      - name: Create changelog branch and commit
+        if: steps.check_changelog.outputs.exists == 'false'
+        env:
+          GH_PAT: ${{ secrets.GH_PAT }}
+        run: |
+          git config user.name  "cozystack-bot"
+          git config user.email "217169706+cozystack-bot@users.noreply.github.com"
+          git remote set-url origin https://cozystack-bot:${GH_PAT}@github.com/${GITHUB_REPOSITORY}
+          
+          CHANGELOG_FILE="docs/changelogs/v${{ steps.tag.outputs.version }}.md"
+          CHANGELOG_BRANCH="changelog-v${{ steps.tag.outputs.version }}"
+          
+          if [ -f "$CHANGELOG_FILE" ]; then
+            # Fetch latest main branch
+            git fetch origin main
+            
+            # Delete local branch if it exists
+            git branch -D "$CHANGELOG_BRANCH" 2>/dev/null || true
+            
+            # Create and checkout new branch from main
+            git checkout -b "$CHANGELOG_BRANCH" origin/main
+            
+            # Add and commit changelog
+            git add "$CHANGELOG_FILE"
+            if git diff --staged --quiet; then
+              echo "⚠️ No changes to commit (file may already be committed)"
+            else
+              git commit -m "docs: add changelog for v${{ steps.tag.outputs.version }}" -s
+              echo "✅ Changelog committed to branch $CHANGELOG_BRANCH"
+            fi
+            
+            # Push the branch (force push to update if it exists)
+            git push -f origin "$CHANGELOG_BRANCH"
+          else
+            echo "⚠️ Changelog file was not generated"
+            exit 1
+          fi
+
+      - name: Create PR for changelog
+        if: steps.check_changelog.outputs.exists == 'false'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GH_PAT }}
+          script: |
+            const version = '${{ steps.tag.outputs.version }}';
+            const changelogBranch = `changelog-v${version}`;
+            const baseBranch = 'main';
+            
+            // Check if PR already exists
+            const prs = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo:  context.repo.repo,
+              head:  `${context.repo.owner}:${changelogBranch}`,
+              base:   baseBranch,
+              state: 'open'
+            });
+            
+            if (prs.data.length > 0) {
+              const pr = prs.data[0];
+              console.log(`PR #${pr.number} already exists for changelog branch ${changelogBranch}`);
+              
+              // Update PR body with latest info
+              const body = `This PR adds the changelog for release \`v${version}\`.\n\n✅ Changelog has been automatically generated in \`docs/changelogs/v${version}.md\`.`;
+              await github.rest.pulls.update({
+                owner: context.repo.owner,
+                repo:  context.repo.repo,
+                pull_number: pr.number,
+                body: body
+              });
+              console.log(`Updated existing PR #${pr.number}`);
+            } else {
+              // Create new PR
+              const pr = await github.rest.pulls.create({
+                owner: context.repo.owner,
+                repo:  context.repo.repo,
+                head:  changelogBranch,
+                base:  baseBranch,
+                title: `docs: add changelog for v${version}`,
+                body:  `This PR adds the changelog for release \`v${version}\`.\n\n✅ Changelog has been automatically generated in \`docs/changelogs/v${version}.md\`.`,
+                draft: false
+              });
+              
+              // Add label if needed
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo:  context.repo.repo,
+                issue_number: pr.data.number,
+                labels: ['documentation', 'automated']
+              });
+              
+              console.log(`Created PR #${pr.data.number} for changelog`);
+            }

ADOPTERS.md

@@ -32,4 +32,4 @@ This list is sorted in chronological order, based on the submission date.
 | [Urmanac](https://urmanac.com) | @kingdonb | 2024-12-04 | Urmanac is the future home of a hosting platform for the knowledge base of a community of personal server enthusiasts. We use Cozystack to provide support services for web sites hosted using both conventional deployments and on SpinKube, with WASM. |
 | [Hidora](https://hikube.cloud) | @matthieu-robin | 2025-09-17 | Hidora is a Swiss cloud provider delivering managed services and infrastructure solutions through datacenters located in Switzerland, ensuring data sovereignty and reliability. Its sovereign cloud platform, Hikube, is designed to run workloads with high availability across multiple datacenters, providing enterprises with a secure and scalable foundation for their applications based on Cozystack. |
 | [QOSI](https://qosi.kz) | @tabu-a | 2025-10-04 | QOSI is a non-profit organization driving open-source adoption and digital sovereignty across Kazakhstan and Central Asia. We use Cozystack as a platform for deploying sovereign, GPU-enabled clouds and educational environments under the National AI Program. Our goal is to accelerate the region’s transition toward open, self-hosted cloud-native technologies |
-|
+| [Cloupard](https://cloupard.kz/) | @serjiott | 2025-12-18 | Cloupard is a public cloud provider offering IaaS and PaaS services via datacenters in Kazakhstan and Uzbekistan. Uses CozyStack on bare metal to extend its managed PaaS offerings. |

Makefile

@@ -15,9 +15,9 @@ build: build-deps
 	make -C packages/extra/monitoring image
 	make -C packages/system/cozystack-api image
 	make -C packages/system/cozystack-controller image
+	make -C packages/system/backup-controller image
 	make -C packages/system/lineage-controller-webhook image
 	make -C packages/system/cilium image
-	make -C packages/system/kubeovn image
 	make -C packages/system/kubeovn-webhook image
 	make -C packages/system/kubeovn-plunger image
 	make -C packages/system/dashboard image
@@ -26,18 +26,22 @@ build: build-deps
 	make -C packages/system/bucket image
 	make -C packages/system/objectstorage-controller image
 	make -C packages/core/testing image
-	make -C packages/core/installer image-operator
-	make -C packages/core/talos image
 	make -C packages/core/platform image
-	make -C packages/core/installer image-packages
+	make -C packages/core/installer image
 	make manifests
 
+repos:
+	rm -rf _out
+	make -C packages/system repo
+	make -C packages/apps repo
+	make -C packages/extra repo
+
 manifests:
 	mkdir -p _out/assets
-	(cd packages/core/installer/; helm template -n cozy-system cozystack-operator . | sed '/^WARNING/d') > _out/assets/cozystack-installer.yaml
+	(cd packages/core/installer/; helm template -n cozy-installer installer .) > _out/assets/cozystack-installer.yaml
 
 assets:
-	make -C packages/core/talos assets
+	make -C packages/core/installer assets
 
 test:
 	make -C packages/core/testing apply

api/.gitattributes

@@ -0,0 +1 @@
+zz_generated_deepcopy.go linguist-generated

api/backups/strategy/v1alpha1/groupversion_info.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=strategy.backups.cozystack.io
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupVersion  = schema.GroupVersion{Group: "strategy.backups.cozystack.io", Version: "v1alpha1"}
+	SchemeBuilder = runtime.NewSchemeBuilder(addGroupVersion)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addGroupVersion(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+	return nil
+}

api/backups/strategy/v1alpha1/job_types.go

@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines strategy.backups.cozystack.io API types.
+//
+// Group: strategy.backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Job{},
+			&JobList{},
+		)
+		return nil
+	})
+}
+
+const (
+	JobStrategyKind = "Job"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+
+// Job defines a backup strategy using a one-shot Job
+type Job struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   JobSpec   `json:"spec,omitempty"`
+	Status JobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// JobList contains a list of backup Jobs.
+type JobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Job `json:"items"`
+}
+
+// JobSpec specifies the desired behavior of a backup job.
+type JobSpec struct {
+	// Template holds a PodTemplateSpec with the right shape to
+	// run a single pod to completion and create a tarball with
+	// a given apps data. Helm-like Go templates are supported.
+	// The values of the source application are available under
+	// `.Values`. `.Release.Name` and `.Release.Namespace` are
+	// also exported.
+	Template corev1.PodTemplateSpec `json:"template"`
+}
+
+type JobStatus struct {
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}

api/backups/strategy/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,123 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Job) DeepCopyInto(out *Job) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Job.
+func (in *Job) DeepCopy() *Job {
+	if in == nil {
+		return nil
+	}
+	out := new(Job)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Job) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobList) DeepCopyInto(out *JobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Job, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobList.
+func (in *JobList) DeepCopy() *JobList {
+	if in == nil {
+		return nil
+	}
+	out := new(JobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobSpec) DeepCopyInto(out *JobSpec) {
+	*out = *in
+	in.Template.DeepCopyInto(&out.Template)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobSpec.
+func (in *JobSpec) DeepCopy() *JobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(JobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobStatus) DeepCopyInto(out *JobStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobStatus.
+func (in *JobStatus) DeepCopy() *JobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(JobStatus)
+	in.DeepCopyInto(out)
+	return out
+}

api/backups/v1alpha1/DESIGN.md

@@ -0,0 +1,421 @@
+# Cozystack Backups – Core API & Contracts (Draft)
+
+## 1. Overview
+
+Cozystack’s backup subsystem provides a generic, composable way to back up and restore managed applications:
+
+* Every **application instance** can have one or more **backup plans**.
+* Backups are stored in configurable **storage locations**.
+* The mechanics of *how* a backup/restore is performed are delegated to **strategy drivers**, each implementing driver-specific **BackupStrategy** CRDs.
+
+The core API:
+
+* Orchestrates **when** backups happen and **where** they’re stored.
+* Tracks **what** backups exist and their status.
+* Defines contracts with drivers via shared resources (`BackupJob`, `Backup`, `RestoreJob`).
+
+It does **not** implement the backup logic itself.
+
+This document covers only the **core** API and its contracts with drivers, not driver implementations.
+
+---
+
+## 2. Goals and non-goals
+
+### Goals
+
+* Provide a **stable core API** for:
+
+  * Declaring **backup plans** per application.
+  * Configuring **storage targets** (S3, in-cluster bucket, etc.).
+  * Tracking **backup artifacts**.
+  * Initiating and tracking **restores**.
+* Allow multiple **strategy drivers** to plug in, each supporting specific kinds of applications and strategies.
+* Let application/product authors implement backup for their kinds by:
+
+  * Creating **Plan** objects referencing a **driver-specific strategy**.
+  * Not having to write a backup engine themselves.
+
+### Non-goals
+
+* Implement backup logic for any specific application or storage backend.
+* Define the internal structure of driver-specific strategy CRDs.
+* Handle tenant-facing UI/UX (that’s built on top of these APIs).
+
+---
+
+## 3. Architecture
+
+High-level components:
+
+* **Core backups controller(s)** (Cozystack-owned):
+
+  * Group: `backups.cozystack.io`
+  * Own:
+
+    * `Plan`
+    * `BackupJob`
+    * `Backup`
+    * `RestoreJob`
+  * Responsibilities:
+
+    * Schedule backups based on `Plan`.
+    * Create `BackupJob` objects when due.
+    * Provide stable contracts for drivers to:
+
+      * Perform backups and create `Backup`s.
+      * Perform restores based on `Backup`s.
+
+* **Strategy drivers** (pluggable, possibly third-party):
+
+  * Their own API groups, e.g. `jobdriver.backups.cozystack.io`.
+  * Own **strategy CRDs** (e.g. `JobBackupStrategy`).
+  * Implement controllers that:
+
+    * Watch `BackupJob` / `RestoreJob`.
+    * Match runs whose `strategyRef` GVK they support.
+    * Execute backup/restore logic.
+    * Create and update `Backup` and run statuses.
+
+Strategy drivers and core communicate entirely via Kubernetes objects; there are no webhook/HTTP calls between them.
+
+* **Storage drivers** (pluggable, possibly third-party):
+
+  * **TBD**
+
+---
+
+## 4. Core API resources
+
+### 4.1 Plan
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=Plan`
+
+**Purpose**
+Describe **when**, **how**, and **where** to back up a specific managed application.
+
+**Key fields (spec)**
+
+```go
+type PlanSpec struct {
+    // Application to back up.
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+    // Where backups should be stored.
+    StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+    // Driver-specific BackupStrategy to use.
+    StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+    // When backups should run.
+    Schedule PlanSchedule `json:"schedule"`
+}
+```
+
+`PlanSchedule` (initially) supports only cron:
+
+```go
+type PlanScheduleType string
+
+const (
+    PlanScheduleTypeEmpty PlanScheduleType = ""
+    PlanScheduleTypeCron  PlanScheduleType = "cron"
+)
+```
+
+```go
+type PlanSchedule struct {
+    // Type is the schedule type. Currently only "cron" is supported.
+    // Defaults to "cron".
+    Type PlanScheduleType `json:"type,omitempty"`
+
+    // Cron expression (required for cron type).
+    Cron string `json:"cron,omitempty"`
+}
+```
+
+**Plan reconciliation contract**
+
+Core Plan controller:
+
+1. **Read schedule** from `spec.schedule` and compute the next fire time.
+2. When due:
+
+   * Create a `BackupJob` in the same namespace:
+
+     * `spec.planRef.name = plan.Name`
+     * `spec.applicationRef = plan.spec.applicationRef`
+     * `spec.storageRef = plan.spec.storageRef`
+     * `spec.strategyRef = plan.spec.strategyRef`
+     * `spec.triggeredBy = "Plan"`
+   * Set `ownerReferences` so the `BackupJob` is owned by the `Plan`.
+
+The Plan controller does **not**:
+
+* Execute backups itself.
+* Modify driver resources or `Backup` objects.
+* Touch `BackupJob.spec` after creation.
+
+---
+
+### 4.2 Storage
+
+**API Shape**
+
+TBD
+
+**Storage usage**
+
+* `Plan` and `BackupJob` reference `Storage` via `TypedLocalObjectReference`.
+* Drivers read `Storage` to know how/where to store or read artifacts.
+* Core treats `Storage` spec as opaque; it does not directly talk to S3 or buckets.
+
+---
+
+### 4.3 BackupJob
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=BackupJob`
+
+**Purpose**
+Represent a single **execution** of a backup operation, typically created when a `Plan` fires or when a user triggers an ad-hoc backup.
+
+**Key fields (spec)**
+
+```go
+type BackupJobSpec struct {
+    // Plan that triggered this run, if any.
+    PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+    // Application to back up.
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+    // Storage to use.
+    StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+    // Driver-specific BackupStrategy to use.
+    StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+    // Informational: what triggered this run ("Plan", "Manual", etc.).
+    TriggeredBy string `json:"triggeredBy,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type BackupJobStatus struct {
+    Phase       BackupJobPhase         `json:"phase,omitempty"`
+    BackupRef   *corev1.LocalObjectReference `json:"backupRef,omitempty"`
+    StartedAt   *metav1.Time           `json:"startedAt,omitempty"`
+    CompletedAt *metav1.Time           `json:"completedAt,omitempty"`
+    Message     string                 `json:"message,omitempty"`
+    Conditions  []metav1.Condition     `json:"conditions,omitempty"`
+}
+```
+
+`BackupJobPhase` is one of: `Pending`, `Running`, `Succeeded`, `Failed`.
+
+**BackupJob contract with drivers**
+
+* Core **creates** `BackupJob` and must treat `spec` as immutable afterwards.
+* Each driver controller:
+
+  * Watches `BackupJob`.
+  * Reconciles runs where `spec.strategyRef.apiGroup/kind` matches its **strategy type(s)**.
+* Driver responsibilities:
+
+  1. On first reconcile:
+
+     * Set `status.startedAt` if unset.
+     * Set `status.phase = Running`.
+  2. Resolve inputs:
+
+     * Read `Strategy` (driver-owned CRD), `Storage`, `Application`, optionally `Plan`.
+  3. Execute backup logic (implementation-specific).
+  4. On success:
+
+     * Create a `Backup` resource (see below).
+     * Set `status.backupRef` to the created `Backup`.
+     * Set `status.completedAt`.
+     * Set `status.phase = Succeeded`.
+  5. On failure:
+
+     * Set `status.completedAt`.
+     * Set `status.phase = Failed`.
+     * Set `status.message` and conditions.
+
+Drivers must **not** modify `BackupJob.spec` or delete `BackupJob` themselves.
+
+---
+
+### 4.4 Backup
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=Backup`
+
+**Purpose**
+Represent a single **backup artifact** for a given application, decoupled from a particular run. usable as a stable, listable “thing you can restore from”.
+
+**Key fields (spec)**
+
+```go
+type BackupSpec struct {
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+    PlanRef        *corev1.LocalObjectReference     `json:"planRef,omitempty"`
+    StorageRef     corev1.TypedLocalObjectReference `json:"storageRef"`
+    StrategyRef    corev1.TypedLocalObjectReference `json:"strategyRef"`
+    TakenAt        metav1.Time                      `json:"takenAt"`
+    DriverMetadata map[string]string                `json:"driverMetadata,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type BackupStatus struct {
+    Phase      BackupPhase       `json:"phase,omitempty"` // Pending, Ready, Failed, etc.
+    Artifact   *BackupArtifact   `json:"artifact,omitempty"`
+    Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+```
+
+`BackupArtifact` describes the artifact (URI, size, checksum).
+
+**Backup contract with drivers**
+
+* On successful completion of a `BackupJob`, the **driver**:
+
+  * Creates a `Backup` in the same namespace (typically owned by the `BackupJob`).
+  * Populates `spec` fields with:
+
+    * The application, storage, strategy references.
+    * `takenAt`.
+    * Optional `driverMetadata`.
+  * Sets `status` with:
+
+    * `phase = Ready` (or equivalent when fully usable).
+    * `artifact` describing the stored object.
+* Core:
+
+  * Treats `Backup` spec as mostly immutable and opaque.
+  * Uses it to:
+
+    * List backups for a given application/plan.
+    * Anchor `RestoreJob` operations.
+    * Implement higher-level policies (retention) if needed.
+
+---
+
+### 4.5 RestoreJob
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=RestoreJob`
+
+**Purpose**
+Represent a single **restore operation** from a `Backup`, either back into the same application or into a new target application.
+
+**Key fields (spec)**
+
+```go
+type RestoreJobSpec struct {
+    // Backup to restore from.
+    BackupRef corev1.LocalObjectReference `json:"backupRef"`
+
+    // Target application; if omitted, drivers SHOULD restore into
+    // backup.spec.applicationRef.
+    TargetApplicationRef *corev1.TypedLocalObjectReference `json:"targetApplicationRef,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type RestoreJobStatus struct {
+    Phase       RestoreJobPhase   `json:"phase,omitempty"` // Pending, Running, Succeeded, Failed
+    StartedAt   *metav1.Time      `json:"startedAt,omitempty"`
+    CompletedAt *metav1.Time      `json:"completedAt,omitempty"`
+    Message     string            `json:"message,omitempty"`
+    Conditions  []metav1.Condition `json:"conditions,omitempty"`
+}
+```
+
+**RestoreJob contract with drivers**
+
+* RestoreJob is created either manually or by core.
+* Driver controller:
+
+  1. Watches `RestoreJob`.
+  2. On reconcile:
+
+     * Fetches the referenced `Backup`.
+     * Determines effective:
+
+       * **Strategy**: `backup.spec.strategyRef`.
+       * **Storage**: `backup.spec.storageRef`.
+       * **Target application**: `spec.targetApplicationRef` or `backup.spec.applicationRef`.
+     * If effective strategy’s GVK is one of its supported strategy types → driver is responsible.
+  3. Behaviour:
+
+     * On first reconcile, set `status.startedAt` and `phase = Running`.
+     * Resolve `Backup`, `Storage`, `Strategy`, target application.
+     * Execute restore logic (implementation-specific).
+     * On success:
+
+       * Set `status.completedAt`.
+       * Set `status.phase = Succeeded`.
+     * On failure:
+
+       * Set `status.completedAt`.
+       * Set `status.phase = Failed`.
+       * Set `status.message` and conditions.
+
+Drivers must not modify `RestoreJob.spec` or delete `RestoreJob`.
+
+---
+
+## 5. Strategy drivers (high-level)
+
+Strategy drivers are separate controllers that:
+
+* Define their own **strategy CRDs** (e.g. `JobBackupStrategy`) in their own API groups:
+
+  * e.g. `jobdriver.backups.cozystack.io/v1alpha1, Kind=JobBackupStrategy`
+* Implement the **BackupJob contract**:
+
+  * Watch `BackupJob`.
+  * Filter by `spec.strategyRef.apiGroup/kind`.
+  * Execute backup logic.
+  * Create/update `Backup`.
+* Implement the **RestoreJob contract**:
+
+  * Watch `RestoreJob`.
+  * Resolve `Backup`, then effective `strategyRef`.
+  * Filter by effective strategy GVK.
+  * Execute restore logic.
+
+The core backups API **does not** dictate:
+
+* The fields and structure of driver strategy specs.
+* How drivers implement backup/restore internally (Jobs, snapshots, native operator CRDs, etc.).
+
+Drivers are interchangeable as long as they respect:
+
+* The `BackupJob` and `RestoreJob` contracts.
+* The shapes and semantics of `Backup` objects.
+
+---
+
+## 6. Summary
+
+The Cozystack backups core API:
+
+* Uses a single group, `backups.cozystack.io`, for all core CRDs.
+* Cleanly separates:
+
+  * **When & where** (Plan + Storage) – core-owned.
+  * **What backup artifacts exist** (Backup) – driver-created but cluster-visible.
+  * **Execution lifecycle** (BackupJob, RestoreJob) – shared contract boundary.
+* Allows multiple strategy drivers to implement backup/restore logic without entangling their implementation with the core API.
+

api/backups/v1alpha1/backup_types.go

@@ -0,0 +1,118 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Backup{},
+			&BackupList{},
+		)
+		return nil
+	})
+}
+
+// BackupPhase represents the lifecycle phase of a Backup.
+type BackupPhase string
+
+const (
+	BackupPhaseEmpty   BackupPhase = ""
+	BackupPhasePending BackupPhase = "Pending"
+	BackupPhaseReady   BackupPhase = "Ready"
+	BackupPhaseFailed  BackupPhase = "Failed"
+)
+
+// BackupArtifact describes the stored backup object (tarball, snapshot, etc.).
+type BackupArtifact struct {
+	// URI is a driver-/storage-specific URI pointing to the backup artifact.
+	// For example: s3://bucket/prefix/file.tar.gz
+	URI string `json:"uri"`
+
+	// SizeBytes is the size of the artifact in bytes, if known.
+	// +optional
+	SizeBytes int64 `json:"sizeBytes,omitempty"`
+
+	// Checksum is the checksum of the artifact, if computed.
+	// For example: "sha256:<hex>".
+	// +optional
+	Checksum string `json:"checksum,omitempty"`
+}
+
+// BackupSpec describes an immutable backup artifact produced by a BackupJob.
+type BackupSpec struct {
+	// ApplicationRef refers to the application that was backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// PlanRef refers to the Plan that produced this backup, if any.
+	// For manually triggered backups, this can be omitted.
+	// +optional
+	PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+	// StorageRef refers to the Storage object that describes where the backup
+	// artifact is stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef refers to the driver-specific BackupStrategy that was used
+	// to create this backup. This allows the driver to later perform restores.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+	// TakenAt is the time at which the backup was taken (as reported by the
+	// driver). It may differ slightly from metadata.creationTimestamp.
+	TakenAt metav1.Time `json:"takenAt"`
+
+	// DriverMetadata holds driver-specific, opaque metadata associated with
+	// this backup (for example snapshot IDs, schema versions, etc.).
+	// This data is not interpreted by the core backup controllers.
+	// +optional
+	DriverMetadata map[string]string `json:"driverMetadata,omitempty"`
+}
+
+// BackupStatus represents the observed state of a Backup.
+type BackupStatus struct {
+	// Phase is a simple, high-level summary of the backup's state.
+	// Typical values are: Pending, Ready, Failed.
+	// +optional
+	Phase BackupPhase `json:"phase,omitempty"`
+
+	// Artifact describes the stored backup object, if available.
+	// +optional
+	Artifact *BackupArtifact `json:"artifact,omitempty"`
+
+	// Conditions represents the latest available observations of a Backup's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// Backup represents a single backup artifact for a given application.
+type Backup struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   BackupSpec   `json:"spec,omitempty"`
+	Status BackupStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// BackupList contains a list of Backups.
+type BackupList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Backup `json:"items"`
+}

api/backups/v1alpha1/backupjob_types.go

@@ -0,0 +1,109 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&BackupJob{},
+			&BackupJobList{},
+		)
+		return nil
+	})
+}
+
+// BackupJobPhase represents the lifecycle phase of a BackupJob.
+type BackupJobPhase string
+
+const (
+	BackupJobPhaseEmpty     BackupJobPhase = ""
+	BackupJobPhasePending   BackupJobPhase = "Pending"
+	BackupJobPhaseRunning   BackupJobPhase = "Running"
+	BackupJobPhaseSucceeded BackupJobPhase = "Succeeded"
+	BackupJobPhaseFailed    BackupJobPhase = "Failed"
+)
+
+// BackupJobSpec describes the execution of a single backup operation.
+type BackupJobSpec struct {
+	// PlanRef refers to the Plan that requested this backup run.
+	// For ad-hoc/manual backups, this can be omitted.
+	// +optional
+	PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+	// ApplicationRef holds a reference to the managed application whose state
+	// is being backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// StorageRef holds a reference to the Storage object that describes where
+	// the backup will be stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef holds a reference to the driver-specific BackupStrategy object
+	// that describes how the backup should be created.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+}
+
+// BackupJobStatus represents the observed state of a BackupJob.
+type BackupJobStatus struct {
+	// Phase is a high-level summary of the run's state.
+	// Typical values: Pending, Running, Succeeded, Failed.
+	// +optional
+	Phase BackupJobPhase `json:"phase,omitempty"`
+
+	// BackupRef refers to the Backup object created by this run, if any.
+	// +optional
+	BackupRef *corev1.LocalObjectReference `json:"backupRef,omitempty"`
+
+	// StartedAt is the time at which the backup run started.
+	// +optional
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+
+	// CompletedAt is the time at which the backup run completed (successfully
+	// or otherwise).
+	// +optional
+	CompletedAt *metav1.Time `json:"completedAt,omitempty"`
+
+	// Message is a human-readable message indicating details about why the
+	// backup run is in its current phase, if any.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// Conditions represents the latest available observations of a BackupJob's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// BackupJob represents a single execution of a backup.
+// It is typically created by a Plan controller when a schedule fires.
+type BackupJob struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   BackupJobSpec   `json:"spec,omitempty"`
+	Status BackupJobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// BackupJobList contains a list of BackupJobs.
+type BackupJobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []BackupJob `json:"items"`
+}

api/backups/v1alpha1/groupversion_info.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=backups.cozystack.io
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupVersion  = schema.GroupVersion{Group: "backups.cozystack.io", Version: "v1alpha1"}
+	SchemeBuilder = runtime.NewSchemeBuilder(addGroupVersion)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addGroupVersion(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+	return nil
+}

api/backups/v1alpha1/plan_types.go

@@ -0,0 +1,98 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Plan{},
+			&PlanList{},
+		)
+		return nil
+	})
+}
+
+type PlanScheduleType string
+
+const (
+	PlanScheduleTypeEmpty PlanScheduleType = ""
+	PlanScheduleTypeCron  PlanScheduleType = "cron"
+)
+
+// Condtions
+const (
+	PlanConditionError = "Error"
+)
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// Plan describes the schedule, method and storage location for the
+// backup of a given target application.
+type Plan struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PlanSpec   `json:"spec,omitempty"`
+	Status PlanStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PlanList contains a list of backup Plans.
+type PlanList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Plan `json:"items"`
+}
+
+// PlanSpec references the storage, the strategy, the application to be
+// backed up and specifies the timetable on which the backups will run.
+type PlanSpec struct {
+	// ApplicationRef holds a reference to the managed application,
+	// whose state and configuration must be backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// StorageRef holds a reference to the Storage object that
+	// describes the location where the backup will be stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef holds a reference to the Strategy object that
+	// describes, how a backup copy is to be created.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+	// Schedule specifies when backup copies are created.
+	Schedule PlanSchedule `json:"schedule"`
+}
+
+// PlanSchedule specifies when backup copies are created.
+type PlanSchedule struct {
+	// Type is the type of schedule specification. Supported values are
+	// [`cron`]. If omitted, defaults to `cron`.
+	// +optional
+	Type PlanScheduleType `json:"type,omitempty"`
+
+	// Cron contains the cron spec for scheduling backups. Must be
+	// specified if the schedule type is `cron`. Since only `cron` is
+	// supported, omitting this field is not allowed.
+	// +optional
+	Cron string `json:"cron,omitempty"`
+}
+
+type PlanStatus struct {
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}

api/backups/v1alpha1/restorejob_types.go

@@ -0,0 +1,91 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&RestoreJob{},
+			&RestoreJobList{},
+		)
+		return nil
+	})
+}
+
+// RestoreJobPhase represents the lifecycle phase of a RestoreJob.
+type RestoreJobPhase string
+
+const (
+	RestoreJobPhaseEmpty     RestoreJobPhase = ""
+	RestoreJobPhasePending   RestoreJobPhase = "Pending"
+	RestoreJobPhaseRunning   RestoreJobPhase = "Running"
+	RestoreJobPhaseSucceeded RestoreJobPhase = "Succeeded"
+	RestoreJobPhaseFailed    RestoreJobPhase = "Failed"
+)
+
+// RestoreJobSpec describes the execution of a single restore operation.
+type RestoreJobSpec struct {
+	// BackupRef refers to the Backup that should be restored.
+	BackupRef corev1.LocalObjectReference `json:"backupRef"`
+
+	// TargetApplicationRef refers to the application into which the backup
+	// should be restored. If omitted, the driver SHOULD restore into the same
+	// application as referenced by backup.spec.applicationRef.
+	// +optional
+	TargetApplicationRef *corev1.TypedLocalObjectReference `json:"targetApplicationRef,omitempty"`
+}
+
+// RestoreJobStatus represents the observed state of a RestoreJob.
+type RestoreJobStatus struct {
+	// Phase is a high-level summary of the run's state.
+	// Typical values: Pending, Running, Succeeded, Failed.
+	// +optional
+	Phase RestoreJobPhase `json:"phase,omitempty"`
+
+	// StartedAt is the time at which the restore run started.
+	// +optional
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+
+	// CompletedAt is the time at which the restore run completed (successfully
+	// or otherwise).
+	// +optional
+	CompletedAt *metav1.Time `json:"completedAt,omitempty"`
+
+	// Message is a human-readable message indicating details about why the
+	// restore run is in its current phase, if any.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// Conditions represents the latest available observations of a RestoreJob's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RestoreJob represents a single execution of a restore from a Backup.
+type RestoreJob struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   RestoreJobSpec   `json:"spec,omitempty"`
+	Status RestoreJobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RestoreJobList contains a list of RestoreJobs.
+type RestoreJobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []RestoreJob `json:"items"`
+}

api/backups/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,501 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Backup) DeepCopyInto(out *Backup) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Backup.
+func (in *Backup) DeepCopy() *Backup {
+	if in == nil {
+		return nil
+	}
+	out := new(Backup)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Backup) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupArtifact) DeepCopyInto(out *BackupArtifact) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupArtifact.
+func (in *BackupArtifact) DeepCopy() *BackupArtifact {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupArtifact)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJob) DeepCopyInto(out *BackupJob) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJob.
+func (in *BackupJob) DeepCopy() *BackupJob {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJob)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupJob) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobList) DeepCopyInto(out *BackupJobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]BackupJob, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobList.
+func (in *BackupJobList) DeepCopy() *BackupJobList {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupJobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobSpec) DeepCopyInto(out *BackupJobSpec) {
+	*out = *in
+	if in.PlanRef != nil {
+		in, out := &in.PlanRef, &out.PlanRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobSpec.
+func (in *BackupJobSpec) DeepCopy() *BackupJobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobStatus) DeepCopyInto(out *BackupJobStatus) {
+	*out = *in
+	if in.BackupRef != nil {
+		in, out := &in.BackupRef, &out.BackupRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	if in.StartedAt != nil {
+		in, out := &in.StartedAt, &out.StartedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.CompletedAt != nil {
+		in, out := &in.CompletedAt, &out.CompletedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobStatus.
+func (in *BackupJobStatus) DeepCopy() *BackupJobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupList) DeepCopyInto(out *BackupList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Backup, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupList.
+func (in *BackupList) DeepCopy() *BackupList {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupSpec) DeepCopyInto(out *BackupSpec) {
+	*out = *in
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	if in.PlanRef != nil {
+		in, out := &in.PlanRef, &out.PlanRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+	in.TakenAt.DeepCopyInto(&out.TakenAt)
+	if in.DriverMetadata != nil {
+		in, out := &in.DriverMetadata, &out.DriverMetadata
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupSpec.
+func (in *BackupSpec) DeepCopy() *BackupSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupStatus) DeepCopyInto(out *BackupStatus) {
+	*out = *in
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(BackupArtifact)
+		**out = **in
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupStatus.
+func (in *BackupStatus) DeepCopy() *BackupStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Plan) DeepCopyInto(out *Plan) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Plan.
+func (in *Plan) DeepCopy() *Plan {
+	if in == nil {
+		return nil
+	}
+	out := new(Plan)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Plan) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanList) DeepCopyInto(out *PlanList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Plan, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanList.
+func (in *PlanList) DeepCopy() *PlanList {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PlanList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanSchedule) DeepCopyInto(out *PlanSchedule) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanSchedule.
+func (in *PlanSchedule) DeepCopy() *PlanSchedule {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanSchedule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanSpec) DeepCopyInto(out *PlanSpec) {
+	*out = *in
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+	out.Schedule = in.Schedule
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanSpec.
+func (in *PlanSpec) DeepCopy() *PlanSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanStatus) DeepCopyInto(out *PlanStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanStatus.
+func (in *PlanStatus) DeepCopy() *PlanStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJob) DeepCopyInto(out *RestoreJob) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJob.
+func (in *RestoreJob) DeepCopy() *RestoreJob {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJob)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RestoreJob) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobList) DeepCopyInto(out *RestoreJobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RestoreJob, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobList.
+func (in *RestoreJobList) DeepCopy() *RestoreJobList {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RestoreJobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobSpec) DeepCopyInto(out *RestoreJobSpec) {
+	*out = *in
+	out.BackupRef = in.BackupRef
+	if in.TargetApplicationRef != nil {
+		in, out := &in.TargetApplicationRef, &out.TargetApplicationRef
+		*out = new(v1.TypedLocalObjectReference)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobSpec.
+func (in *RestoreJobSpec) DeepCopy() *RestoreJobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobStatus) DeepCopyInto(out *RestoreJobStatus) {
+	*out = *in
+	if in.StartedAt != nil {
+		in, out := &in.StartedAt, &out.StartedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.CompletedAt != nil {
+		in, out := &in.CompletedAt, &out.CompletedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobStatus.
+func (in *RestoreJobStatus) DeepCopy() *RestoreJobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobStatus)
+	in.DeepCopyInto(out)
+	return out
+}

api/v1alpha1/bundles_types.go

@@ -1,230 +0,0 @@
-/*
-Copyright 2025.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// +kubebuilder:object:root=true
-// +kubebuilder:resource:scope=Cluster,shortName=bundle
-
-// Bundle is the Schema for the bundles API
-type Bundle struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec BundleSpec `json:"spec,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// BundleList contains a list of Bundles
-type BundleList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Bundle `json:"items"`
-}
-
-func init() {
-	SchemeBuilder.Register(&Bundle{}, &BundleList{})
-}
-
-// BundleSpec defines the desired state of Bundle
-type BundleSpec struct {
-	// SourceRef is the source reference for the bundle charts
-	// +required
-	SourceRef BundleSourceRef `json:"sourceRef"`
-
-	// DependsOn is a list of bundle dependencies in the format "bundleName/target"
-	// For example: "cozystack-system/network"
-	// If specified, the dependencies listed in the target's packages will be taken
-	// from the specified bundle and added to all packages in this bundle
-	// +optional
-	DependsOn []string `json:"dependsOn,omitempty"`
-
-	// DependencyTargets defines named groups of packages that can be referenced
-	// by other bundles via dependsOn. Each target has a name and a list of packages.
-	// +optional
-	DependencyTargets []BundleDependencyTarget `json:"dependencyTargets,omitempty"`
-
-	// Libraries is a list of Helm library charts used by packages
-	// +optional
-	Libraries []BundleLibrary `json:"libraries,omitempty"`
-
-	// Artifacts is a list of Helm charts that will be built as ExternalArtifacts
-	// These artifacts can be referenced by ApplicationDefinitions
-	// +optional
-	Artifacts []BundleArtifact `json:"artifacts,omitempty"`
-
-	// Packages is a list of Helm releases to be installed as part of this bundle
-	// +required
-	Packages []BundleRelease `json:"packages"`
-
-	// DeletionPolicy defines how child resources should be handled when the bundle is deleted.
-	// - "Delete" (default): Child resources will be deleted when the bundle is deleted (via ownerReference).
-	// - "Orphan": Child resources will be orphaned (ownerReferences will be removed).
-	// +kubebuilder:validation:Enum=Delete;Orphan
-	// +kubebuilder:default=Delete
-	// +optional
-	DeletionPolicy DeletionPolicy `json:"deletionPolicy,omitempty"`
-
-	// Labels are labels that will be applied to all resources created by this bundle
-	// (ArtifactGenerators and HelmReleases). These labels are merged with the default
-	// cozystack.io/bundle label.
-	// +optional
-	Labels map[string]string `json:"labels,omitempty"`
-
-	// BasePath is the base path where packages are located in the source.
-	// For GitRepository, defaults to "packages" if not specified.
-	// For OCIRepository, defaults to empty string (root) if not specified.
-	// +optional
-	BasePath string `json:"basePath,omitempty"`
-}
-
-// DeletionPolicy defines how child resources should be handled when the parent is deleted.
-// +kubebuilder:validation:Enum=Delete;Orphan
-type DeletionPolicy string
-
-const (
-	// DeletionPolicyDelete means child resources will be deleted when the parent is deleted.
-	DeletionPolicyDelete DeletionPolicy = "Delete"
-	// DeletionPolicyOrphan means child resources will be orphaned (ownerReferences removed).
-	DeletionPolicyOrphan DeletionPolicy = "Orphan"
-)
-
-// BundleDependencyTarget defines a named group of packages that can be referenced
-// by other bundles via dependsOn
-type BundleDependencyTarget struct {
-	// Name is the unique identifier for this dependency target
-	// +required
-	Name string `json:"name"`
-
-	// Packages is a list of package names that belong to this target
-	// These packages will be added as dependencies when this target is referenced
-	// +required
-	Packages []string `json:"packages"`
-}
-
-// BundleLibrary defines a Helm library chart
-type BundleLibrary struct {
-	// Name is the unique identifier for this library
-	// +required
-	Name string `json:"name"`
-
-	// Path is the path to the library chart directory
-	// +required
-	Path string `json:"path"`
-}
-
-// BundleArtifact defines a Helm chart artifact that will be built as ExternalArtifact
-type BundleArtifact struct {
-	// Name is the unique identifier for this artifact (used as ExternalArtifact name)
-	// +required
-	Name string `json:"name"`
-
-	// Path is the path to the Helm chart directory
-	// +required
-	Path string `json:"path"`
-
-	// Libraries is a list of library names that this artifact depends on
-	// +optional
-	Libraries []string `json:"libraries,omitempty"`
-}
-
-// BundleSourceRef defines the source reference for bundle charts
-type BundleSourceRef struct {
-	// Kind of the source reference
-	// +kubebuilder:validation:Enum=GitRepository;OCIRepository
-	// +required
-	Kind string `json:"kind"`
-
-	// Name of the source reference
-	// +required
-	Name string `json:"name"`
-
-	// Namespace of the source reference
-	// +required
-	Namespace string `json:"namespace"`
-}
-
-// +kubebuilder:validation:XValidation:rule="(has(self.path) && !has(self.artifact)) || (!has(self.path) && has(self.artifact))",message="either path or artifact must be set, but not both"
-// BundleRelease defines a single Helm release within a bundle
-type BundleRelease struct {
-	// Name is the unique identifier for this release within the bundle
-	// +required
-	Name string `json:"name"`
-
-	// ReleaseName is the name of the HelmRelease resource that will be created
-	// +required
-	ReleaseName string `json:"releaseName"`
-
-	// Path is the path to the Helm chart directory
-	// Either Path or Artifact must be specified, but not both
-	// +optional
-	Path string `json:"path,omitempty"`
-
-	// Artifact is the name of an artifact from the bundle's artifacts list
-	// The artifact must exist in the bundle's artifacts section
-	// Either Path or Artifact must be specified, but not both
-	// +optional
-	Artifact string `json:"artifact,omitempty"`
-
-	// Namespace is the Kubernetes namespace where the release will be installed
-	// +required
-	Namespace string `json:"namespace"`
-
-	// Privileged indicates whether this release requires privileged access
-	// +optional
-	Privileged bool `json:"privileged,omitempty"`
-
-	// Disabled indicates whether this release is disabled (should not be installed)
-	// +optional
-	Disabled bool `json:"disabled,omitempty"`
-
-	// DependsOn is a list of release names that must be installed before this release
-	// +optional
-	DependsOn []string `json:"dependsOn,omitempty"`
-
-	// Libraries is a list of library names that this package depends on
-	// +optional
-	Libraries []string `json:"libraries,omitempty"`
-
-	// Values contains Helm chart values as a JSON object
-	// +optional
-	Values *apiextensionsv1.JSON `json:"values,omitempty"`
-
-	// ValuesFiles is a list of values file names to use
-	// +optional
-	ValuesFiles []string `json:"valuesFiles,omitempty"`
-
-	// Labels are labels that will be applied to the HelmRelease created for this package
-	// These labels are merged with bundle-level labels and the default cozystack.io/bundle label
-	// +optional
-	Labels map[string]string `json:"labels,omitempty"`
-
-	// NamespaceLabels are labels that will be applied to the namespace for this package
-	// These labels are merged with labels from other packages in the same namespace
-	// +optional
-	NamespaceLabels map[string]string `json:"namespaceLabels,omitempty"`
-
-	// NamespaceAnnotations are annotations that will be applied to the namespace for this package
-	// These annotations are merged with annotations from other packages in the same namespace
-	// +optional
-	NamespaceAnnotations map[string]string `json:"namespaceAnnotations,omitempty"`
-}

api/v1alpha1/cozystackresourcedefinitions_types.go

@@ -18,51 +18,50 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 )
 
 // +kubebuilder:object:root=true
-// +kubebuilder:resource:scope=Cluster,shortName=appdef
+// +kubebuilder:resource:scope=Cluster
 
-// ApplicationDefinition is the Schema for the applicationdefinitions API
-type ApplicationDefinition struct {
+// CozystackResourceDefinition is the Schema for the cozystackresourcedefinitions API
+type CozystackResourceDefinition struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec ApplicationDefinitionSpec `json:"spec,omitempty"`
+	Spec CozystackResourceDefinitionSpec `json:"spec,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 
-// ApplicationDefinitionList contains a list of ApplicationDefinitions
-type ApplicationDefinitionList struct {
+// CozystackResourceDefinitionList contains a list of CozystackResourceDefinitions
+type CozystackResourceDefinitionList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ApplicationDefinition `json:"items"`
+	Items           []CozystackResourceDefinition `json:"items"`
 }
 
 func init() {
-	SchemeBuilder.Register(&ApplicationDefinition{}, &ApplicationDefinitionList{})
+	SchemeBuilder.Register(&CozystackResourceDefinition{}, &CozystackResourceDefinitionList{})
 }
 
-type ApplicationDefinitionSpec struct {
+type CozystackResourceDefinitionSpec struct {
 	// Application configuration
-	Application ApplicationDefinitionApplication `json:"application"`
+	Application CozystackResourceDefinitionApplication `json:"application"`
 	// Release configuration
-	Release ApplicationDefinitionRelease `json:"release"`
+	Release CozystackResourceDefinitionRelease `json:"release"`
 
 	// Secret selectors
-	Secrets ApplicationDefinitionResources `json:"secrets,omitempty"`
+	Secrets CozystackResourceDefinitionResources `json:"secrets,omitempty"`
 	// Service selectors
-	Services ApplicationDefinitionResources `json:"services,omitempty"`
+	Services CozystackResourceDefinitionResources `json:"services,omitempty"`
 	// Ingress selectors
-	Ingresses ApplicationDefinitionResources `json:"ingresses,omitempty"`
+	Ingresses CozystackResourceDefinitionResources `json:"ingresses,omitempty"`
 
 	// Dashboard configuration for this resource
-	Dashboard *ApplicationDefinitionDashboard `json:"dashboard,omitempty"`
+	Dashboard *CozystackResourceDefinitionDashboard `json:"dashboard,omitempty"`
 }
 
-type ApplicationDefinitionChart struct {
+type CozystackResourceDefinitionChart struct {
 	// Name of the Helm chart
 	Name string `json:"name"`
 	// Source reference for the Helm chart
@@ -80,7 +79,7 @@ type SourceRef struct {
 	Namespace string `json:"namespace"`
 }
 
-type ApplicationDefinitionApplication struct {
+type CozystackResourceDefinitionApplication struct {
 	// Kind of the application, used for UI and API
 	Kind string `json:"kind"`
 	// OpenAPI schema for the application, used for API validation
@@ -91,30 +90,17 @@ type ApplicationDefinitionApplication struct {
 	Singular string `json:"singular"`
 }
 
-// +kubebuilder:validation:XValidation:rule="(has(self.chart) && !has(self.chartRef)) || (!has(self.chart) && has(self.chartRef))",message="either chart or chartRef must be set, but not both"
-type ApplicationDefinitionRelease struct {
-	// Helm chart configuration (for HelmRepository source)
+type CozystackResourceDefinitionRelease struct {
+	// Helm chart configuration
 	// +optional
-	Chart *ApplicationDefinitionChart `json:"chart,omitempty"`
-	// Chart reference configuration (for ExternalArtifact source)
-	// +optional
-	ChartRef *ApplicationDefinitionChartRef `json:"chartRef,omitempty"`
+	Chart CozystackResourceDefinitionChart `json:"chart,omitempty"`
 	// Labels for the release
 	Labels map[string]string `json:"labels,omitempty"`
 	// Prefix for the release name
 	Prefix string `json:"prefix"`
-	// Default values to be merged into every HelmRelease created from this resource definition
-	// User-specified values in Application spec will override these default values
-	// +optional
-	Values *apiextensionsv1.JSON `json:"values,omitempty"`
 }
 
-type ApplicationDefinitionChartRef struct {
-	// Source reference for the chart (ExternalArtifact)
-	SourceRef SourceRef `json:"sourceRef"`
-}
-
-// ApplicationDefinitionResourceSelector extends metav1.LabelSelector with resourceNames support.
+// CozystackResourceDefinitionResourceSelector extends metav1.LabelSelector with resourceNames support.
 // A resource matches this selector only if it satisfies ALL criteria:
 // - Label selector conditions (matchExpressions and matchLabels)
 // - AND has a name that matches one of the names in resourceNames (if specified)
@@ -125,18 +111,19 @@ type ApplicationDefinitionChartRef struct {
 // - {{ .namespace }}: The namespace of the resource being processed
 //
 // Example YAML:
-//   secrets:
-//     include:
-//     - matchExpressions:
-//       - key: badlabel
-//         operator: DoesNotExist
-//       matchLabels:
-//         goodlabel: goodvalue
-//       resourceNames:
-//       - "{{ .name }}-secret"
-//       - "{{ .kind }}-{{ .name }}-tls"
-//       - "specificname"
-type ApplicationDefinitionResourceSelector struct {
+//
+//	secrets:
+//	  include:
+//	  - matchExpressions:
+//	    - key: badlabel
+//	      operator: DoesNotExist
+//	    matchLabels:
+//	      goodlabel: goodvalue
+//	    resourceNames:
+//	    - "{{ .name }}-secret"
+//	    - "{{ .kind }}-{{ .name }}-tls"
+//	    - "specificname"
+type CozystackResourceDefinitionResourceSelector struct {
 	metav1.LabelSelector `json:",inline"`
 	// ResourceNames is a list of resource names to match
 	// If specified, the resource must have one of these exact names to match the selector
@@ -144,16 +131,16 @@ type ApplicationDefinitionResourceSelector struct {
 	ResourceNames []string `json:"resourceNames,omitempty"`
 }
 
-type ApplicationDefinitionResources struct {
+type CozystackResourceDefinitionResources struct {
 	// Exclude contains an array of resource selectors that target resources.
 	// If a resource matches the selector in any of the elements in the array, it is
 	// hidden from the user, regardless of the matches in the include array.
-	Exclude []*ApplicationDefinitionResourceSelector `json:"exclude,omitempty"`
+	Exclude []*CozystackResourceDefinitionResourceSelector `json:"exclude,omitempty"`
 	// Include contains an array of resource selectors that target resources.
 	// If a resource matches the selector in any of the elements in the array, and
 	// matches none of the selectors in the exclude array that resource is marked
 	// as a tenant resource and is visible to users.
-	Include []*ApplicationDefinitionResourceSelector `json:"include,omitempty"`
+	Include []*CozystackResourceDefinitionResourceSelector `json:"include,omitempty"`
 }
 
 // ---- Dashboard types ----
@@ -170,8 +157,8 @@ const (
 	DashboardTabYAML      DashboardTab = "yaml"
 )
 
-// ApplicationDefinitionDashboard describes how this resource appears in the UI.
-type ApplicationDefinitionDashboard struct {
+// CozystackResourceDefinitionDashboard describes how this resource appears in the UI.
+type CozystackResourceDefinitionDashboard struct {
 	// Human-readable name shown in the UI (e.g., "Bucket")
 	Singular string `json:"singular"`
 	// Plural human-readable name (e.g., "Buckets")

api/v1alpha1/package_types.go

@@ -0,0 +1,89 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster,shortName={pkg,pkgs}
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Variant",type="string",JSONPath=".spec.variant",description="Selected variant"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status",description="Ready status"
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].message",description="Ready message"
+
+// Package is the Schema for the packages API
+type Package struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PackageSpec   `json:"spec,omitempty"`
+	Status PackageStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PackageList contains a list of Packages
+type PackageList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Package `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Package{}, &PackageList{})
+}
+
+// PackageSpec defines the desired state of Package
+type PackageSpec struct {
+	// Variant is the name of the variant to use from the PackageSource
+	// If not specified, defaults to "default"
+	// +optional
+	Variant string `json:"variant,omitempty"`
+
+	// IgnoreDependencies is a list of package source dependencies to ignore
+	// Dependencies listed here will not be installed even if they are specified in the PackageSource
+	// +optional
+	IgnoreDependencies []string `json:"ignoreDependencies,omitempty"`
+
+	// Components is a map of release name to component overrides
+	// Allows overriding values and enabling/disabling specific components from the PackageSource
+	// +optional
+	Components map[string]PackageComponent `json:"components,omitempty"`
+}
+
+// PackageComponent defines overrides for a specific component
+type PackageComponent struct {
+	// Enabled indicates whether this component should be installed
+	// If false, the component will be disabled even if it's defined in the PackageSource
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// Values contains Helm chart values as a JSON object
+	// These values will be merged with the default values from the PackageSource
+	// +optional
+	Values *apiextensionsv1.JSON `json:"values,omitempty"`
+}
+
+// PackageStatus defines the observed state of Package
+type PackageStatus struct {
+	// Conditions represents the latest available observations of a Package's state
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}

api/v1alpha1/packagesource_types.go

@@ -0,0 +1,171 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster,shortName={pkgsrc,pkgsrcs}
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Variants",type="string",JSONPath=".status.variants",description="Package variants (comma-separated)"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status",description="Ready status"
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].message",description="Ready message"
+
+// PackageSource is the Schema for the packagesources API
+type PackageSource struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PackageSourceSpec   `json:"spec,omitempty"`
+	Status PackageSourceStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PackageSourceList contains a list of PackageSources
+type PackageSourceList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []PackageSource `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&PackageSource{}, &PackageSourceList{})
+}
+
+// PackageSourceSpec defines the desired state of PackageSource
+type PackageSourceSpec struct {
+	// SourceRef is the source reference for the package source charts
+	// +optional
+	SourceRef *PackageSourceRef `json:"sourceRef,omitempty"`
+
+	// Variants is a list of package source variants
+	// Each variant defines components, applications, dependencies, and libraries for a specific configuration
+	// +optional
+	Variants []Variant `json:"variants,omitempty"`
+}
+
+// Variant defines a single variant configuration
+type Variant struct {
+	// Name is the unique identifier for this variant
+	// +required
+	Name string `json:"name"`
+
+	// DependsOn is a list of package source dependencies
+	// For example: "cozystack.networking"
+	// +optional
+	DependsOn []string `json:"dependsOn,omitempty"`
+
+	// Libraries is a list of Helm library charts used by components in this variant
+	// +optional
+	Libraries []Library `json:"libraries,omitempty"`
+
+	// Components is a list of Helm releases to be installed as part of this variant
+	// +optional
+	Components []Component `json:"components,omitempty"`
+}
+
+// Library defines a Helm library chart
+type Library struct {
+	// Name is the optional name for library placed in charts
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// Path is the path to the library chart directory
+	// +required
+	Path string `json:"path"`
+}
+
+// PackageSourceRef defines the source reference for package source charts
+type PackageSourceRef struct {
+	// Kind of the source reference
+	// +kubebuilder:validation:Enum=GitRepository;OCIRepository
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the source reference
+	// +required
+	Name string `json:"name"`
+
+	// Namespace of the source reference
+	// +required
+	Namespace string `json:"namespace"`
+
+	// Path is the base path where packages are located in the source.
+	// For GitRepository, defaults to "packages" if not specified.
+	// For OCIRepository, defaults to empty string (root) if not specified.
+	// +optional
+	Path string `json:"path,omitempty"`
+}
+
+// ComponentInstall defines installation parameters for a component
+type ComponentInstall struct {
+	// ReleaseName is the name of the HelmRelease resource that will be created
+	// If not specified, defaults to the component Name field
+	// +optional
+	ReleaseName string `json:"releaseName,omitempty"`
+
+	// Namespace is the Kubernetes namespace where the release will be installed
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
+	// Privileged indicates whether this release requires privileged access
+	// +optional
+	Privileged bool `json:"privileged,omitempty"`
+
+	// DependsOn is a list of component names that must be installed before this component
+	// +optional
+	DependsOn []string `json:"dependsOn,omitempty"`
+}
+
+// Component defines a single Helm release component within a package source
+type Component struct {
+	// Name is the unique identifier for this component within the package source
+	// +required
+	Name string `json:"name"`
+
+	// Path is the path to the Helm chart directory
+	// +required
+	Path string `json:"path"`
+
+	// Install defines installation parameters for this component
+	// +optional
+	Install *ComponentInstall `json:"install,omitempty"`
+
+	// Libraries is a list of library names that this component depends on
+	// These libraries must be defined at the variant level
+	// +optional
+	Libraries []string `json:"libraries,omitempty"`
+
+	// ValuesFiles is a list of values file names to use
+	// +optional
+	ValuesFiles []string `json:"valuesFiles,omitempty"`
+}
+
+// PackageSourceStatus defines the observed state of PackageSource
+type PackageSourceStatus struct {
+	// Variants is a comma-separated list of package variant names
+	// This field is populated by the controller based on spec.variants keys
+	// +optional
+	Variants string `json:"variants,omitempty"`
+
+	// Conditions represents the latest available observations of a PackageSource's state
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}

api/v1alpha1/platform_types.go

@@ -1,71 +0,0 @@
-/*
-Copyright 2025.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// +kubebuilder:object:root=true
-// +kubebuilder:resource:scope=Cluster,shortName=platform
-
-// Platform is the Schema for the platforms API
-type Platform struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec PlatformSpec `json:"spec,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// PlatformList contains a list of Platform
-type PlatformList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Platform `json:"items"`
-}
-
-func init() {
-	SchemeBuilder.Register(&Platform{}, &PlatformList{})
-}
-
-// PlatformSpec defines the desired state of Platform
-type PlatformSpec struct {
-	// SourceRef is the source reference for the platform chart
-	// This is used to generate the ArtifactGenerator
-	// +required
-	SourceRef SourceRef `json:"sourceRef"`
-
-	// Values contains Helm chart values as a JSON object
-	// These values are passed directly to HelmRelease.values
-	// +optional
-	Values *apiextensionsv1.JSON `json:"values,omitempty"`
-
-	// Interval is the interval at which to reconcile the HelmRelease
-	// +kubebuilder:default="5m"
-	// +optional
-	Interval *metav1.Duration `json:"interval,omitempty"`
-
-	// BasePath is the base path where the platform chart is located in the source.
-	// For GitRepository, defaults to "packages/core/platform" if not specified.
-	// For OCIRepository, defaults to "core/platform" if not specified.
-	// +optional
-	BasePath string `json:"basePath,omitempty"`
-}
-

api/v1alpha1/zz_generated.deepcopy.go

@@ -28,25 +28,75 @@ import (
 )
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationDefinition) DeepCopyInto(out *ApplicationDefinition) {
+func (in *Component) DeepCopyInto(out *Component) {
+	*out = *in
+	if in.Install != nil {
+		in, out := &in.Install, &out.Install
+		*out = new(ComponentInstall)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Libraries != nil {
+		in, out := &in.Libraries, &out.Libraries
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ValuesFiles != nil {
+		in, out := &in.ValuesFiles, &out.ValuesFiles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Component.
+func (in *Component) DeepCopy() *Component {
+	if in == nil {
+		return nil
+	}
+	out := new(Component)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ComponentInstall) DeepCopyInto(out *ComponentInstall) {
+	*out = *in
+	if in.DependsOn != nil {
+		in, out := &in.DependsOn, &out.DependsOn
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComponentInstall.
+func (in *ComponentInstall) DeepCopy() *ComponentInstall {
+	if in == nil {
+		return nil
+	}
+	out := new(ComponentInstall)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinition) DeepCopyInto(out *CozystackResourceDefinition) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDefinition.
-func (in *ApplicationDefinition) DeepCopy() *ApplicationDefinition {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinition.
+func (in *CozystackResourceDefinition) DeepCopy() *CozystackResourceDefinition {
 	if in == nil {
 		return nil
 	}
-	out := new(ApplicationDefinition)
+	out := new(CozystackResourceDefinition)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ApplicationDefinition) DeepCopyObject() runtime.Object {
+func (in *CozystackResourceDefinition) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -54,54 +104,38 @@ func (in *ApplicationDefinition) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationDefinitionApplication) DeepCopyInto(out *ApplicationDefinitionApplication) {
+func (in *CozystackResourceDefinitionApplication) DeepCopyInto(out *CozystackResourceDefinitionApplication) {
 	*out = *in
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDefinitionApplication.
-func (in *ApplicationDefinitionApplication) DeepCopy() *ApplicationDefinitionApplication {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionApplication.
+func (in *CozystackResourceDefinitionApplication) DeepCopy() *CozystackResourceDefinitionApplication {
 	if in == nil {
 		return nil
 	}
-	out := new(ApplicationDefinitionApplication)
+	out := new(CozystackResourceDefinitionApplication)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationDefinitionChart) DeepCopyInto(out *ApplicationDefinitionChart) {
+func (in *CozystackResourceDefinitionChart) DeepCopyInto(out *CozystackResourceDefinitionChart) {
 	*out = *in
 	out.SourceRef = in.SourceRef
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDefinitionChart.
-func (in *ApplicationDefinitionChart) DeepCopy() *ApplicationDefinitionChart {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionChart.
+func (in *CozystackResourceDefinitionChart) DeepCopy() *CozystackResourceDefinitionChart {
 	if in == nil {
 		return nil
 	}
-	out := new(ApplicationDefinitionChart)
+	out := new(CozystackResourceDefinitionChart)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationDefinitionChartRef) DeepCopyInto(out *ApplicationDefinitionChartRef) {
-	*out = *in
-	out.SourceRef = in.SourceRef
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDefinitionChartRef.
-func (in *ApplicationDefinitionChartRef) DeepCopy() *ApplicationDefinitionChartRef {
-	if in == nil {
-		return nil
-	}
-	out := new(ApplicationDefinitionChartRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationDefinitionDashboard) DeepCopyInto(out *ApplicationDefinitionDashboard) {
+func (in *CozystackResourceDefinitionDashboard) DeepCopyInto(out *CozystackResourceDefinitionDashboard) {
 	*out = *in
 	if in.Tags != nil {
 		in, out := &in.Tags, &out.Tags
@@ -126,42 +160,42 @@ func (in *ApplicationDefinitionDashboard) DeepCopyInto(out *ApplicationDefinitio
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDefinitionDashboard.
-func (in *ApplicationDefinitionDashboard) DeepCopy() *ApplicationDefinitionDashboard {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionDashboard.
+func (in *CozystackResourceDefinitionDashboard) DeepCopy() *CozystackResourceDefinitionDashboard {
 	if in == nil {
 		return nil
 	}
-	out := new(ApplicationDefinitionDashboard)
+	out := new(CozystackResourceDefinitionDashboard)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationDefinitionList) DeepCopyInto(out *ApplicationDefinitionList) {
+func (in *CozystackResourceDefinitionList) DeepCopyInto(out *CozystackResourceDefinitionList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]ApplicationDefinition, len(*in))
+		*out = make([]CozystackResourceDefinition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDefinitionList.
-func (in *ApplicationDefinitionList) DeepCopy() *ApplicationDefinitionList {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionList.
+func (in *CozystackResourceDefinitionList) DeepCopy() *CozystackResourceDefinitionList {
 	if in == nil {
 		return nil
 	}
-	out := new(ApplicationDefinitionList)
+	out := new(CozystackResourceDefinitionList)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ApplicationDefinitionList) DeepCopyObject() runtime.Object {
+func (in *CozystackResourceDefinitionList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -169,18 +203,9 @@ func (in *ApplicationDefinitionList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationDefinitionRelease) DeepCopyInto(out *ApplicationDefinitionRelease) {
+func (in *CozystackResourceDefinitionRelease) DeepCopyInto(out *CozystackResourceDefinitionRelease) {
 	*out = *in
-	if in.Chart != nil {
-		in, out := &in.Chart, &out.Chart
-		*out = new(ApplicationDefinitionChart)
-		**out = **in
-	}
-	if in.ChartRef != nil {
-		in, out := &in.ChartRef, &out.ChartRef
-		*out = new(ApplicationDefinitionChartRef)
-		**out = **in
-	}
+	out.Chart = in.Chart
 	if in.Labels != nil {
 		in, out := &in.Labels, &out.Labels
 		*out = make(map[string]string, len(*in))
@@ -188,25 +213,20 @@ func (in *ApplicationDefinitionRelease) DeepCopyInto(out *ApplicationDefinitionR
 			(*out)[key] = val
 		}
 	}
-	if in.Values != nil {
-		in, out := &in.Values, &out.Values
-		*out = new(v1.JSON)
-		(*in).DeepCopyInto(*out)
-	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDefinitionRelease.
-func (in *ApplicationDefinitionRelease) DeepCopy() *ApplicationDefinitionRelease {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionRelease.
+func (in *CozystackResourceDefinitionRelease) DeepCopy() *CozystackResourceDefinitionRelease {
 	if in == nil {
 		return nil
 	}
-	out := new(ApplicationDefinitionRelease)
+	out := new(CozystackResourceDefinitionRelease)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationDefinitionResourceSelector) DeepCopyInto(out *ApplicationDefinitionResourceSelector) {
+func (in *CozystackResourceDefinitionResourceSelector) DeepCopyInto(out *CozystackResourceDefinitionResourceSelector) {
 	*out = *in
 	in.LabelSelector.DeepCopyInto(&out.LabelSelector)
 	if in.ResourceNames != nil {
@@ -216,55 +236,55 @@ func (in *ApplicationDefinitionResourceSelector) DeepCopyInto(out *ApplicationDe
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDefinitionResourceSelector.
-func (in *ApplicationDefinitionResourceSelector) DeepCopy() *ApplicationDefinitionResourceSelector {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionResourceSelector.
+func (in *CozystackResourceDefinitionResourceSelector) DeepCopy() *CozystackResourceDefinitionResourceSelector {
 	if in == nil {
 		return nil
 	}
-	out := new(ApplicationDefinitionResourceSelector)
+	out := new(CozystackResourceDefinitionResourceSelector)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationDefinitionResources) DeepCopyInto(out *ApplicationDefinitionResources) {
+func (in *CozystackResourceDefinitionResources) DeepCopyInto(out *CozystackResourceDefinitionResources) {
 	*out = *in
 	if in.Exclude != nil {
 		in, out := &in.Exclude, &out.Exclude
-		*out = make([]*ApplicationDefinitionResourceSelector, len(*in))
+		*out = make([]*CozystackResourceDefinitionResourceSelector, len(*in))
 		for i := range *in {
 			if (*in)[i] != nil {
 				in, out := &(*in)[i], &(*out)[i]
-				*out = new(ApplicationDefinitionResourceSelector)
+				*out = new(CozystackResourceDefinitionResourceSelector)
 				(*in).DeepCopyInto(*out)
 			}
 		}
 	}
 	if in.Include != nil {
 		in, out := &in.Include, &out.Include
-		*out = make([]*ApplicationDefinitionResourceSelector, len(*in))
+		*out = make([]*CozystackResourceDefinitionResourceSelector, len(*in))
 		for i := range *in {
 			if (*in)[i] != nil {
 				in, out := &(*in)[i], &(*out)[i]
-				*out = new(ApplicationDefinitionResourceSelector)
+				*out = new(CozystackResourceDefinitionResourceSelector)
 				(*in).DeepCopyInto(*out)
 			}
 		}
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDefinitionResources.
-func (in *ApplicationDefinitionResources) DeepCopy() *ApplicationDefinitionResources {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionResources.
+func (in *CozystackResourceDefinitionResources) DeepCopy() *CozystackResourceDefinitionResources {
 	if in == nil {
 		return nil
 	}
-	out := new(ApplicationDefinitionResources)
+	out := new(CozystackResourceDefinitionResources)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationDefinitionSpec) DeepCopyInto(out *ApplicationDefinitionSpec) {
+func (in *CozystackResourceDefinitionSpec) DeepCopyInto(out *CozystackResourceDefinitionSpec) {
 	*out = *in
 	out.Application = in.Application
 	in.Release.DeepCopyInto(&out.Release)
@@ -273,41 +293,57 @@ func (in *ApplicationDefinitionSpec) DeepCopyInto(out *ApplicationDefinitionSpec
 	in.Ingresses.DeepCopyInto(&out.Ingresses)
 	if in.Dashboard != nil {
 		in, out := &in.Dashboard, &out.Dashboard
-		*out = new(ApplicationDefinitionDashboard)
+		*out = new(CozystackResourceDefinitionDashboard)
 		(*in).DeepCopyInto(*out)
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDefinitionSpec.
-func (in *ApplicationDefinitionSpec) DeepCopy() *ApplicationDefinitionSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionSpec.
+func (in *CozystackResourceDefinitionSpec) DeepCopy() *CozystackResourceDefinitionSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(ApplicationDefinitionSpec)
+	out := new(CozystackResourceDefinitionSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Bundle) DeepCopyInto(out *Bundle) {
+func (in *Library) DeepCopyInto(out *Library) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Library.
+func (in *Library) DeepCopy() *Library {
+	if in == nil {
+		return nil
+	}
+	out := new(Library)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Package) DeepCopyInto(out *Package) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Bundle.
-func (in *Bundle) DeepCopy() *Bundle {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Package.
+func (in *Package) DeepCopy() *Package {
 	if in == nil {
 		return nil
 	}
-	out := new(Bundle)
+	out := new(Package)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *Bundle) DeepCopyObject() runtime.Object {
+func (in *Package) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -315,297 +351,230 @@ func (in *Bundle) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BundleArtifact) DeepCopyInto(out *BundleArtifact) {
+func (in *PackageComponent) DeepCopyInto(out *PackageComponent) {
 	*out = *in
-	if in.Libraries != nil {
-		in, out := &in.Libraries, &out.Libraries
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BundleArtifact.
-func (in *BundleArtifact) DeepCopy() *BundleArtifact {
-	if in == nil {
-		return nil
-	}
-	out := new(BundleArtifact)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BundleDependencyTarget) DeepCopyInto(out *BundleDependencyTarget) {
-	*out = *in
-	if in.Packages != nil {
-		in, out := &in.Packages, &out.Packages
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BundleDependencyTarget.
-func (in *BundleDependencyTarget) DeepCopy() *BundleDependencyTarget {
-	if in == nil {
-		return nil
-	}
-	out := new(BundleDependencyTarget)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BundleLibrary) DeepCopyInto(out *BundleLibrary) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BundleLibrary.
-func (in *BundleLibrary) DeepCopy() *BundleLibrary {
-	if in == nil {
-		return nil
-	}
-	out := new(BundleLibrary)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BundleList) DeepCopyInto(out *BundleList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]Bundle, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BundleList.
-func (in *BundleList) DeepCopy() *BundleList {
-	if in == nil {
-		return nil
-	}
-	out := new(BundleList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *BundleList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BundleRelease) DeepCopyInto(out *BundleRelease) {
-	*out = *in
-	if in.DependsOn != nil {
-		in, out := &in.DependsOn, &out.DependsOn
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.Libraries != nil {
-		in, out := &in.Libraries, &out.Libraries
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.Values != nil {
-		in, out := &in.Values, &out.Values
-		*out = new(v1.JSON)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ValuesFiles != nil {
-		in, out := &in.ValuesFiles, &out.ValuesFiles
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.Labels != nil {
-		in, out := &in.Labels, &out.Labels
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.NamespaceLabels != nil {
-		in, out := &in.NamespaceLabels, &out.NamespaceLabels
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.NamespaceAnnotations != nil {
-		in, out := &in.NamespaceAnnotations, &out.NamespaceAnnotations
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BundleRelease.
-func (in *BundleRelease) DeepCopy() *BundleRelease {
-	if in == nil {
-		return nil
-	}
-	out := new(BundleRelease)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BundleSourceRef) DeepCopyInto(out *BundleSourceRef) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BundleSourceRef.
-func (in *BundleSourceRef) DeepCopy() *BundleSourceRef {
-	if in == nil {
-		return nil
-	}
-	out := new(BundleSourceRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BundleSpec) DeepCopyInto(out *BundleSpec) {
-	*out = *in
-	out.SourceRef = in.SourceRef
-	if in.DependsOn != nil {
-		in, out := &in.DependsOn, &out.DependsOn
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.DependencyTargets != nil {
-		in, out := &in.DependencyTargets, &out.DependencyTargets
-		*out = make([]BundleDependencyTarget, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.Libraries != nil {
-		in, out := &in.Libraries, &out.Libraries
-		*out = make([]BundleLibrary, len(*in))
-		copy(*out, *in)
-	}
-	if in.Artifacts != nil {
-		in, out := &in.Artifacts, &out.Artifacts
-		*out = make([]BundleArtifact, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.Packages != nil {
-		in, out := &in.Packages, &out.Packages
-		*out = make([]BundleRelease, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.Labels != nil {
-		in, out := &in.Labels, &out.Labels
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BundleSpec.
-func (in *BundleSpec) DeepCopy() *BundleSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(BundleSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Platform) DeepCopyInto(out *Platform) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Platform.
-func (in *Platform) DeepCopy() *Platform {
-	if in == nil {
-		return nil
-	}
-	out := new(Platform)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *Platform) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PlatformList) DeepCopyInto(out *PlatformList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]Platform, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlatformList.
-func (in *PlatformList) DeepCopy() *PlatformList {
-	if in == nil {
-		return nil
-	}
-	out := new(PlatformList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *PlatformList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) {
-	*out = *in
-	out.SourceRef = in.SourceRef
-	if in.Values != nil {
-		in, out := &in.Values, &out.Values
-		*out = new(v1.JSON)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Interval != nil {
-		in, out := &in.Interval, &out.Interval
-		*out = new(metav1.Duration)
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
 		**out = **in
 	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = new(v1.JSON)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlatformSpec.
-func (in *PlatformSpec) DeepCopy() *PlatformSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageComponent.
+func (in *PackageComponent) DeepCopy() *PackageComponent {
 	if in == nil {
 		return nil
 	}
-	out := new(PlatformSpec)
+	out := new(PackageComponent)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageList) DeepCopyInto(out *PackageList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Package, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageList.
+func (in *PackageList) DeepCopy() *PackageList {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PackageList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSource) DeepCopyInto(out *PackageSource) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSource.
+func (in *PackageSource) DeepCopy() *PackageSource {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PackageSource) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSourceList) DeepCopyInto(out *PackageSourceList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PackageSource, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSourceList.
+func (in *PackageSourceList) DeepCopy() *PackageSourceList {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSourceList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PackageSourceList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSourceRef) DeepCopyInto(out *PackageSourceRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSourceRef.
+func (in *PackageSourceRef) DeepCopy() *PackageSourceRef {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSourceRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSourceSpec) DeepCopyInto(out *PackageSourceSpec) {
+	*out = *in
+	if in.SourceRef != nil {
+		in, out := &in.SourceRef, &out.SourceRef
+		*out = new(PackageSourceRef)
+		**out = **in
+	}
+	if in.Variants != nil {
+		in, out := &in.Variants, &out.Variants
+		*out = make([]Variant, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSourceSpec.
+func (in *PackageSourceSpec) DeepCopy() *PackageSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSourceStatus) DeepCopyInto(out *PackageSourceStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSourceStatus.
+func (in *PackageSourceStatus) DeepCopy() *PackageSourceStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSourceStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSpec) DeepCopyInto(out *PackageSpec) {
+	*out = *in
+	if in.IgnoreDependencies != nil {
+		in, out := &in.IgnoreDependencies, &out.IgnoreDependencies
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Components != nil {
+		in, out := &in.Components, &out.Components
+		*out = make(map[string]PackageComponent, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSpec.
+func (in *PackageSpec) DeepCopy() *PackageSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageStatus) DeepCopyInto(out *PackageStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageStatus.
+func (in *PackageStatus) DeepCopy() *PackageStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageStatus)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -646,6 +615,38 @@ func (in *SourceRef) DeepCopy() *SourceRef {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Variant) DeepCopyInto(out *Variant) {
+	*out = *in
+	if in.DependsOn != nil {
+		in, out := &in.DependsOn, &out.DependsOn
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Libraries != nil {
+		in, out := &in.Libraries, &out.Libraries
+		*out = make([]Library, len(*in))
+		copy(*out, *in)
+	}
+	if in.Components != nil {
+		in, out := &in.Components, &out.Components
+		*out = make([]Component, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Variant.
+func (in *Variant) DeepCopy() *Variant {
+	if in == nil {
+		return nil
+	}
+	out := new(Variant)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Workload) DeepCopyInto(out *Workload) {
 	*out = *in

cmd/backup-controller/main.go

@@ -0,0 +1,174 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(backupsv1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	// Configure rate limiting for the Kubernetes client
+	config := ctrl.GetConfigOrDie()
+	config.QPS = 50.0  // Increased from default 5.0
+	config.Burst = 100 // Increased from default 10
+
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "core.backups.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	if err = (&backupcontroller.PlanReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Plan")
+		os.Exit(1)
+	}
+
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}

cmd/backupstrategy-controller/main.go

@@ -0,0 +1,174 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(backupsv1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	// Configure rate limiting for the Kubernetes client
+	config := ctrl.GetConfigOrDie()
+	config.QPS = 50.0  // Increased from default 5.0
+	config.Burst = 100 // Increased from default 10
+
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "strategy.backups.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	if err = (&backupcontroller.BackupJobStrategyReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Job")
+		os.Exit(1)
+	}
+
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}

cmd/cozystack-assets-server/main.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"net/http"
+	"path/filepath"
+)
+
+func main() {
+	addr := flag.String("address", ":8123", "Address to listen on")
+	dir := flag.String("dir", "/cozystack/assets", "Directory to serve files from")
+	flag.Parse()
+
+	absDir, err := filepath.Abs(*dir)
+	if err != nil {
+		log.Fatalf("Error getting absolute path for %s: %v", *dir, err)
+	}
+
+	fs := http.FileServer(http.Dir(absDir))
+	http.Handle("/", fs)
+
+	log.Printf("Server starting on %s, serving directory %s", *addr, absDir)
+
+	err = http.ListenAndServe(*addr, nil)
+	if err != nil {
+		log.Fatalf("Server failed to start: %v", err)
+	}
+}

cmd/cozystack-controller/main.go

@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"flag"
 	"os"
+	"time"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -38,6 +39,7 @@ import (
 	cozystackiov1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
 	"github.com/cozystack/cozystack/internal/controller"
 	"github.com/cozystack/cozystack/internal/controller/dashboard"
+	"github.com/cozystack/cozystack/internal/telemetry"
 
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	// +kubebuilder:scaffold:imports
@@ -63,6 +65,10 @@ func main() {
 	var probeAddr string
 	var secureMetrics bool
 	var enableHTTP2 bool
+	var disableTelemetry bool
+	var telemetryEndpoint string
+	var telemetryInterval string
+	var cozystackVersion string
 	var reconcileDeployment bool
 	var tlsOpts []func(*tls.Config)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
@@ -75,6 +81,14 @@ func main() {
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	flag.BoolVar(&disableTelemetry, "disable-telemetry", false,
+		"Disable telemetry collection")
+	flag.StringVar(&telemetryEndpoint, "telemetry-endpoint", "https://telemetry.cozystack.io",
+		"Endpoint for sending telemetry data")
+	flag.StringVar(&telemetryInterval, "telemetry-interval", "15m",
+		"Interval between telemetry data collection (e.g. 15m, 1h)")
+	flag.StringVar(&cozystackVersion, "cozystack-version", "unknown",
+		"Version of Cozystack")
 	flag.BoolVar(&reconcileDeployment, "reconcile-deployment", false,
 		"If set, the Cozystack API server is assumed to run as a Deployment, else as a DaemonSet.")
 	opts := zap.Options{
@@ -83,6 +97,21 @@ func main() {
 	opts.BindFlags(flag.CommandLine)
 	flag.Parse()
 
+	// Parse telemetry interval
+	interval, err := time.ParseDuration(telemetryInterval)
+	if err != nil {
+		setupLog.Error(err, "invalid telemetry interval")
+		os.Exit(1)
+	}
+
+	// Configure telemetry
+	telemetryConfig := telemetry.Config{
+		Disabled:         disableTelemetry,
+		Endpoint:         telemetryEndpoint,
+		Interval:         interval,
+		CozystackVersion: cozystackVersion,
+	}
+
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
 	// if the enable-http2 flag is false (the default), http/2 should be disabled
@@ -171,20 +200,40 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err = (&controller.NamespaceHelmReconciler{
+	if err = (&controller.TenantHelmReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "NamespaceHelmReconciler")
+		setupLog.Error(err, "unable to create controller", "controller", "TenantHelmReconciler")
 		os.Exit(1)
 	}
 
-	if err = (&controller.ApplicationDefinitionReconciler{
+	if err = (&controller.CozystackConfigReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
-		CozystackAPIKind: "Deployment",
 	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "ApplicationDefinitionReconciler")
+		setupLog.Error(err, "unable to create controller", "controller", "CozystackConfigReconciler")
+		os.Exit(1)
+	}
+
+	cozyAPIKind := "DaemonSet"
+	if reconcileDeployment {
+		cozyAPIKind = "Deployment"
+	}
+	if err = (&controller.CozystackResourceDefinitionReconciler{
+		Client:           mgr.GetClient(),
+		Scheme:           mgr.GetScheme(),
+		CozystackAPIKind: cozyAPIKind,
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "CozystackResourceDefinitionReconciler")
+		os.Exit(1)
+	}
+
+	if err = (&controller.CozystackResourceDefinitionHelmReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "CozystackResourceDefinitionHelmReconciler")
 		os.Exit(1)
 	}
 
@@ -208,6 +257,19 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Initialize telemetry collector
+	collector, err := telemetry.NewCollector(mgr.GetClient(), &telemetryConfig, mgr.GetConfig())
+	if err != nil {
+		setupLog.V(1).Error(err, "unable to create telemetry collector, telemetry will be disabled")
+	}
+
+	if collector != nil {
+		if err := mgr.Add(collector); err != nil {
+			setupLog.Error(err, "unable to set up telemetry collector")
+			setupLog.V(1).Error(err, "unable to set up telemetry collector, continuing without telemetry")
+		}
+	}
+
 	setupLog.Info("starting manager")
 	ctx := ctrl.SetupSignalHandler()
 	dashboardManager.InitializeStaticResources(ctx)

cmd/cozystack-operator/main.go

@@ -1,312 +0,0 @@
-/*
-Copyright 2025 The Cozystack Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"os"
-	"strings"
-	"time"
-
-	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
-	// to ensure that exec-entrypoint and run can make use of them.
-	_ "k8s.io/client-go/plugin/pkg/client/auth"
-
-	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcewatcherv1beta1 "github.com/fluxcd/source-watcher/api/v2/v1beta1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/healthz"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
-	"sigs.k8s.io/controller-runtime/pkg/webhook"
-
-	"github.com/cozystack/cozystack/internal/fluxinstall"
-	"github.com/cozystack/cozystack/internal/operator"
-	"github.com/cozystack/cozystack/internal/telemetry"
-	// +kubebuilder:scaffold:imports
-)
-
-var (
-	scheme   = runtime.NewScheme()
-	setupLog = ctrl.Log.WithName("setup")
-)
-
-// stringSliceFlag is a custom flag type that allows multiple values
-type stringSliceFlag []string
-
-func (f *stringSliceFlag) String() string {
-	return strings.Join(*f, ",")
-}
-
-func (f *stringSliceFlag) Set(value string) error {
-	*f = append(*f, value)
-	return nil
-}
-
-func init() {
-	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
-	utilruntime.Must(apiextensionsv1.AddToScheme(scheme))
-	utilruntime.Must(cozyv1alpha1.AddToScheme(scheme))
-	utilruntime.Must(helmv2.AddToScheme(scheme))
-	utilruntime.Must(sourcev1.AddToScheme(scheme))
-	utilruntime.Must(sourcewatcherv1beta1.AddToScheme(scheme))
-	// +kubebuilder:scaffold:scheme
-}
-
-func main() {
-	var metricsAddr string
-	var enableLeaderElection bool
-	var probeAddr string
-	var secureMetrics bool
-	var enableHTTP2 bool
-	var installFlux bool
-	var disableTelemetry bool
-	var telemetryEndpoint string
-	var telemetryInterval string
-	var cozystackVersion string
-	var installFluxResources stringSliceFlag
-
-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
-	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
-		"Enable leader election for controller manager. "+
-			"Enabling this will ensure there is only one active controller manager.")
-	flag.BoolVar(&secureMetrics, "metrics-secure", false,
-		"If set the metrics endpoint is served securely")
-	flag.BoolVar(&enableHTTP2, "enable-http2", false,
-		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
-	flag.BoolVar(&installFlux, "install-flux", false, "Install Flux components before starting reconcile loop")
-	flag.Var(&installFluxResources, "install-flux-resource", "Install Flux resource (JSON format). Can be specified multiple times. Applied after Flux installation.")
-	flag.BoolVar(&disableTelemetry, "disable-telemetry", false,
-		"Disable telemetry collection")
-	flag.StringVar(&telemetryEndpoint, "telemetry-endpoint", "https://telemetry.cozystack.io",
-		"Endpoint for sending telemetry data")
-	flag.StringVar(&telemetryInterval, "telemetry-interval", "15m",
-		"Interval between telemetry data collection (e.g. 15m, 1h)")
-	flag.StringVar(&cozystackVersion, "cozystack-version", "unknown",
-		"Version of Cozystack")
-
-	opts := zap.Options{
-		Development: true,
-	}
-	opts.BindFlags(flag.CommandLine)
-	flag.Parse()
-
-	// Parse telemetry interval
-	interval, err := time.ParseDuration(telemetryInterval)
-	if err != nil {
-		setupLog.Error(err, "invalid telemetry interval")
-		os.Exit(1)
-	}
-
-	// Configure telemetry
-	telemetryConfig := telemetry.Config{
-		Disabled:         disableTelemetry,
-		Endpoint:         telemetryEndpoint,
-		Interval:         interval,
-		CozystackVersion: cozystackVersion,
-	}
-
-	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
-
-	config := ctrl.GetConfigOrDie()
-
-	// Start the controller manager
-	setupLog.Info("Starting controller manager")
-	mgr, err := ctrl.NewManager(config, ctrl.Options{
-		Scheme: scheme,
-		Metrics: metricsserver.Options{
-			BindAddress:   metricsAddr,
-			SecureServing: secureMetrics,
-		},
-		WebhookServer: webhook.NewServer(webhook.Options{
-			Port: 9443,
-		}),
-		HealthProbeBindAddress: probeAddr,
-		LeaderElection:         enableLeaderElection,
-		LeaderElectionID:       "platform-operator.cozystack.io",
-		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
-		// when the Manager ends. This requires the binary to immediately end when the
-		// Manager is stopped, otherwise, setting this significantly speeds up voluntary
-		// leader transitions as the new leader don't have to wait LeaseDuration time first.
-		//
-		// In the default scaffold provided, the program ends immediately after
-		// the manager stops, so would be fine to enable this option. However,
-		// if you are doing or is intended to do any operation such as perform cleanups
-		// after the manager stops then its usage might be unsafe.
-		// LeaderElectionReleaseOnCancel: true,
-	})
-	if err != nil {
-		setupLog.Error(err, "unable to start manager")
-		os.Exit(1)
-	}
-
-	// Install Flux before starting reconcile loop
-	if installFlux {
-		setupLog.Info("Installing Flux components before starting reconcile loop")
-		installCtx, installCancel := context.WithTimeout(context.Background(), 5*time.Minute)
-		defer installCancel()
-
-		// The namespace will be automatically extracted from the embedded manifests
-		if err := fluxinstall.Install(installCtx, mgr.GetClient(), fluxinstall.WriteEmbeddedManifests); err != nil {
-			setupLog.Error(err, "failed to install Flux, continuing anyway")
-			// Don't exit - allow operator to start even if Flux install fails
-			// This allows the operator to work in environments where Flux is already installed
-		} else {
-			setupLog.Info("Flux installation completed successfully")
-		}
-	}
-
-	// Install Flux resources after Flux installation
-	if len(installFluxResources) > 0 {
-		setupLog.Info("Installing Flux resources", "count", len(installFluxResources))
-		installCtx, installCancel := context.WithTimeout(context.Background(), 2*time.Minute)
-		defer installCancel()
-
-		if err := installFluxResourcesFunc(installCtx, mgr.GetClient(), installFluxResources); err != nil {
-			setupLog.Error(err, "failed to install Flux resources, continuing anyway")
-			// Don't exit - allow operator to start even if resource installation fails
-		} else {
-			setupLog.Info("Flux resources installation completed successfully")
-		}
-	}
-
-	bundleReconciler := &operator.BundleReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}
-	if err = bundleReconciler.SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "Bundle")
-		os.Exit(1)
-	}
-
-	platformReconciler := &operator.PlatformReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}
-	if err = platformReconciler.SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "Platform")
-		os.Exit(1)
-	}
-
-	// +kubebuilder:scaffold:builder
-
-	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
-		setupLog.Error(err, "unable to set up health check")
-		os.Exit(1)
-	}
-	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
-		setupLog.Error(err, "unable to set up ready check")
-		os.Exit(1)
-	}
-
-	// Initialize telemetry collector
-	collector, err := telemetry.NewCollector(mgr.GetClient(), &telemetryConfig, mgr.GetConfig())
-	if err != nil {
-		setupLog.V(1).Error(err, "unable to create telemetry collector, telemetry will be disabled")
-	}
-
-	if collector != nil {
-		if err := mgr.Add(collector); err != nil {
-			setupLog.Error(err, "unable to set up telemetry collector")
-			setupLog.V(1).Error(err, "unable to set up telemetry collector, continuing without telemetry")
-		}
-	}
-
-	setupLog.Info("Starting controller manager")
-	mgrCtx := ctrl.SetupSignalHandler()
-	if err := mgr.Start(mgrCtx); err != nil {
-		setupLog.Error(err, "problem running manager")
-		os.Exit(1)
-	}
-}
-
-// installFluxResourcesFunc installs Flux resources from JSON strings
-func installFluxResourcesFunc(ctx context.Context, k8sClient client.Client, resources []string) error {
-	logger := log.FromContext(ctx)
-
-	for i, resourceJSON := range resources {
-		logger.Info("Installing Flux resource", "index", i+1, "total", len(resources))
-
-		// Parse JSON into unstructured object
-		var obj unstructured.Unstructured
-		if err := json.Unmarshal([]byte(resourceJSON), &obj.Object); err != nil {
-			return fmt.Errorf("failed to parse resource JSON at index %d: %w", i, err)
-		}
-
-		// Validate that it has required fields
-		if obj.GetAPIVersion() == "" {
-			return fmt.Errorf("resource at index %d missing apiVersion", i)
-		}
-		if obj.GetKind() == "" {
-			return fmt.Errorf("resource at index %d missing kind", i)
-		}
-		if obj.GetName() == "" {
-			return fmt.Errorf("resource at index %d missing metadata.name", i)
-		}
-
-		// Apply the resource (create or update)
-		logger.Info("Applying Flux resource",
-			"apiVersion", obj.GetAPIVersion(),
-			"kind", obj.GetKind(),
-			"name", obj.GetName(),
-			"namespace", obj.GetNamespace(),
-		)
-
-		// Use server-side apply or create/update
-		existing := &unstructured.Unstructured{}
-		existing.SetGroupVersionKind(obj.GroupVersionKind())
-		key := client.ObjectKey{
-			Name:      obj.GetName(),
-			Namespace: obj.GetNamespace(),
-		}
-
-		err := k8sClient.Get(ctx, key, existing)
-		if err != nil {
-			if client.IgnoreNotFound(err) == nil {
-				// Resource doesn't exist, create it
-				if err := k8sClient.Create(ctx, &obj); err != nil {
-					return fmt.Errorf("failed to create resource %s/%s: %w", obj.GetKind(), obj.GetName(), err)
-				}
-				logger.Info("Created Flux resource", "kind", obj.GetKind(), "name", obj.GetName())
-			} else {
-				return fmt.Errorf("failed to check if resource exists: %w", err)
-			}
-		} else {
-			// Resource exists, update it
-			obj.SetResourceVersion(existing.GetResourceVersion())
-			if err := k8sClient.Update(ctx, &obj); err != nil {
-				return fmt.Errorf("failed to update resource %s/%s: %w", obj.GetKind(), obj.GetName(), err)
-			}
-			logger.Info("Updated Flux resource", "kind", obj.GetKind(), "name", obj.GetName())
-		}
-	}
-
-	return nil
-}

docs/changelogs/v0.38.3.md

@@ -0,0 +1,14 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.38.3
+-->
+
+## Improvements
+
+* **[core:installer] Address buildx warnings for installer image builds**: Aligns Dockerfile syntax casing to remove buildx warnings, keeping installer builds clean ([**@nbykov0**](https://github.com/nbykov0) in #1682).
+* **[system:coredns] Align CoreDNS app labels with Talos defaults**: Matches CoreDNS labels to Talos conventions so services select pods consistently across platform and tenant clusters ([**@nbykov0**](https://github.com/nbykov0) in #1675).
+* **[system:monitoring-agents] Rename CoreDNS metrics service to avoid conflicts**: Renames the metrics service so it no longer clashes with the CoreDNS service used for name resolution in tenant clusters ([**@nbykov0**](https://github.com/nbykov0) in #1676).
+
+---
+
+**Full Changelog**: [v0.38.2...v0.38.3](https://github.com/cozystack/cozystack/compare/v0.38.2...v0.38.3)
+

docs/changelogs/v0.38.4.md

@@ -0,0 +1,18 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.38.4
+-->
+
+## Fixes
+
+* **[linstor] Update piraeus-operator v2.10.2 to handle fsck checks reliably**: Upgrades LINSTOR CSI to avoid failed mounts when fsck sees mounted volumes, improving volume publish reliability ([**@kvaps**](https://github.com/kvaps) in #1689, #1697).
+* **[dashboard] Nest CustomFormsOverride properties under spec.properties**: Fixes schema generation so custom form properties are placed under `spec.properties`, preventing mis-rendered or missing form fields ([**@kvaps**](https://github.com/kvaps) in #1692, #1700).
+* **[virtual-machine] Guard PVC resize to only expand storage**: Ensures resize jobs run only when storage size increases, avoiding unintended shrink attempts during VM updates ([**@kvaps**](https://github.com/kvaps) in #1688, #1701).
+
+## Documentation
+
+* **[website] Clarify GPU check command**: Makes the kubectl command for validating GPU binding more explicit, including namespace context ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website#379).
+
+---
+
+**Full Changelog**: [v0.38.3...v0.38.4](https://github.com/cozystack/cozystack/compare/v0.38.3...v0.38.4)
+

docs/changelogs/v0.39.0.md

@@ -0,0 +1,73 @@
+# Cozystack v0.39 — "Enhanced Networking & Monitoring"
+
+This release introduces topology-aware routing for Cilium services, automatic pod rollouts on configuration changes, improved monitoring capabilities, and numerous bug fixes and improvements across the platform.
+
+## Highlights
+
+* **Topology-Aware Routing**: Enabled topology-aware routing for Cilium services, improving traffic distribution and reducing latency by routing traffic to endpoints in the same zone when possible ([**@nbykov0**](https://github.com/nbykov0) in #1734).
+* **Automatic Pod Rollouts**: Cilium and Cilium operator pods now automatically restart when configuration changes, ensuring configuration updates are applied immediately ([**@kvaps**](https://github.com/kvaps) in #1728, #1745).
+* **Windows VM Scheduling**: Added nodeAffinity configuration for Windows VMs based on scheduling config, enabling dedicated nodes for Windows workloads ([**@kvaps**](https://github.com/kvaps) in #1693, #1744).
+* **SeaweedFS Updates**: Updated to SeaweedFS v4.02 with improved S3 daemon performance and fixes ([**@kvaps**](https://github.com/kvaps) in #1725, #1732).
+
+---
+
+## Major Features and Improvements
+
+### Networking
+
+* **[system/cilium] Enable topology-aware routing for services**: Enabled topology-aware routing for services, improving traffic distribution and reducing latency by routing traffic to endpoints in the same zone when possible. This feature helps optimize network performance in multi-zone deployments ([**@nbykov0**](https://github.com/nbykov0) in #1734).
+* **[cilium] Enable automatic pod rollout on configmap updates**: Cilium and Cilium operator pods now automatically restart when the cilium-config ConfigMap is updated, ensuring configuration changes are applied immediately without manual intervention ([**@kvaps**](https://github.com/kvaps) in #1728, #1745).
+
+### Virtual Machines
+
+* **[virtual-machine,vm-instance] Add nodeAffinity for Windows VMs based on scheduling config**: Added nodeAffinity configuration to virtual-machine and vm-instance charts to support dedicated nodes for Windows VMs. When `dedicatedNodesForWindowsVMs` is enabled in the `cozystack-scheduling` ConfigMap, Windows VMs are scheduled on nodes with label `scheduling.cozystack.io/vm-windows=true`, while non-Windows VMs prefer nodes without this label ([**@kvaps**](https://github.com/kvaps) in #1693, #1744).
+
+### Storage
+
+* **Update SeaweedFS v4.02**: Updated SeaweedFS to version 4.02 with improved performance for S3 daemon and fixes for known issues. This update includes better S3 compatibility and performance improvements ([**@kvaps**](https://github.com/kvaps) in #1725, #1732).
+
+## Improvements
+
+* **[seaweedfs] Extended CA certificate duration to reduce disruptive CA rotations**: Extended CA certificate duration to reduce disruptive CA rotations, improving long-term certificate management and reducing operational overhead ([**@IvanHunters**](https://github.com/IvanHunters) in #1657).
+* **[dashboard] Add config hash annotations to restart pods on config changes**: Added config hash annotations to dashboard deployment templates to ensure pods are automatically restarted when their configuration changes, ensuring configuration updates are applied immediately ([**@kvaps**](https://github.com/kvaps) in #1662).
+* **[tenant][kubernetes] Introduce better cleanup logic**: Improved cleanup logic for tenant Kubernetes resources, ensuring proper resource cleanup when tenants are deleted or updated. Added automated pre-delete cleanup job for tenant namespaces to remove tenant-related releases during uninstall ([**@kvaps**](https://github.com/kvaps) in #1661).
+* **[system:coredns] update coredns app labels to match Talos coredns labels**: Updated coredns app labels to match Talos coredns labels, ensuring consistency across the platform ([**@nbykov0**](https://github.com/nbykov0) in #1675).
+* **[system:monitoring-agents] rename coredns metrics service**: Renamed coredns metrics service to avoid interference with coredns service used for name resolution in tenant k8s clusters ([**@nbykov0**](https://github.com/nbykov0) in #1676).
+* **[core:installer] Address buildx warnings**: Fixed Dockerfile syntax warnings from buildx, ensuring clean builds without warnings ([**@nbykov0**](https://github.com/nbykov0) in #1682).
+
+## Fixes
+
+* **[apps] Refactor apiserver to use typed objects and fix UnstructuredList GVK**: Refactored the apiserver REST handlers to use typed objects (`appsv1alpha1.Application`) instead of `unstructured.Unstructured`, eliminating the need for runtime conversions and simplifying the codebase. Additionally, fixed an issue where `UnstructuredList` objects were using the first registered kind from `typeToGVK` instead of the kind from the object's field when multiple kinds are registered with the same Go type. This fix includes the upstream fix from kubernetes/kubernetes#135537 ([**@kvaps**](https://github.com/kvaps) in #1679, #1709).
+* **[dashboard] Fix CustomFormsOverride schema to nest properties under spec.properties**: Fixed the logic for generating CustomFormsOverride schema to properly nest properties under `spec.properties` instead of directly under `properties`, ensuring correct form schema generation ([**@kvaps**](https://github.com/kvaps) in #1692, #1700).
+* **[virtual-machine] Improve check for resizing job**: Improved storage resize logic to only expand persistent volume claims when storage is being increased, preventing unintended storage reduction operations. Added validation to accurately compare current and desired storage sizes before triggering resize operations ([**@kvaps**](https://github.com/kvaps) in #1688, #1701).
+* **[linstor] Update piraeus-operator v2.10.2**: Updated LINSTOR CSI to fix issues with the new fsck behaviour, resolving mount failures when fsck attempts to run on mounted devices ([**@kvaps**](https://github.com/kvaps) in #1689, #1697).
+* **[api] Revert dynamic list kinds representation fix (fixes namespace deletion regression)**: Reverted changes from #1630 that caused a regression affecting namespace deletion and upgrades from previous versions. The regression caused namespace deletion failures with errors like "content is not a list: []unstructured.Unstructured" during namespace finalization. This revert restores compatibility with namespace deletion controller and fixes upgrade issues from previous versions ([**@kvaps**](https://github.com/kvaps) in #1677).
+
+## Dependencies
+
+* **Update SeaweedFS v4.02**: Updated SeaweedFS to version 4.02 ([**@kvaps**](https://github.com/kvaps) in #1725, #1732).
+* **[linstor] Update piraeus-operator v2.10.2**: Updated piraeus-operator to version 2.10.2 ([**@kvaps**](https://github.com/kvaps) in #1689, #1697).
+
+## Documentation
+
+* **[website] docs(talm): update talm init syntax for mandatory --preset and --name flags**: Updated documentation to reflect breaking changes in talm, adding mandatory `--preset` and `--name` flags to the talm init command ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#386).
+
+---
+
+## Contributors
+
+We'd like to thank all contributors who made this release possible:
+
+* [**@IvanHunters**](https://github.com/IvanHunters)
+* [**@kvaps**](https://github.com/kvaps)
+* [**@lexfrei**](https://github.com/lexfrei)
+* [**@nbykov0**](https://github.com/nbykov0)
+
+---
+
+**Full Changelog**: [v0.38.0...v0.39.0](https://github.com/cozystack/cozystack/compare/v0.38.0...v0.39.0)
+
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.39.0
+-->
+

docs/changelogs/v0.39.1.md

@@ -0,0 +1,12 @@
+<!--
+https://github.com/cozystack/cozystack/releases/tag/v0.39.1
+-->
+
+## Features and Improvements
+
+* **[monitoring] Add SLACK_SEVERITY_FILTER field and VMAgent for tenant monitoring**: Introduced the SLACK_SEVERITY_FILTER environment variable in the Alerta deployment to enable filtering of alert severities for Slack notifications based on the disabledSeverity configuration. Additionally, added a VMAgent resource template for scraping metrics within tenant namespaces, improving monitoring granularity and control. This enhancement allows administrators to configure which alert severities are sent to Slack and enables tenant-specific metrics collection for better observability ([**@IvanHunters**](https://github.com/IvanHunters) in #1712).
+
+---
+
+**Full Changelog**: [v0.39.0...v0.39.1](https://github.com/cozystack/cozystack/compare/v0.39.0...v0.39.1)
+

examples/platform-example.yaml

@@ -1,31 +0,0 @@
-apiVersion: cozystack.io/v1alpha1
-kind: Platform
-metadata:
-  name: cozystack-platform
-  # Cluster-scoped resource, no namespace needed
-spec:
-  # SourceRef is required - reference to the OCIRepository or GitRepository
-  sourceRef:
-    kind: OCIRepository
-    name: cozystack-packages
-    namespace: cozy-system
-  
-  # Optional: Interval for HelmRelease reconciliation (default: 5m)
-  interval: 5m
-  
-  # Optional: BasePath is the base path where the platform chart is located in the source.
-  # For GitRepository, defaults to "packages/core/platform" if not specified.
-  # For OCIRepository, defaults to "core/platform" if not specified.
-  # basePath: core/platform
-  
-  # Optional: Values to pass to HelmRelease
-  # These values will be merged with sourceRef (which is automatically added)
-  values:
-    # Any custom values can be added here
-    # sourceRef will be automatically added by the controller
-    # Example custom values:
-    # customKey: customValue
-    # nested:
-    #   config:
-    #     enabled: true
-

go.mod

@@ -6,16 +6,14 @@ go 1.25.0
 
 require (
 	github.com/fluxcd/helm-controller/api v1.4.3
-	github.com/fluxcd/source-controller/api v1.6.2
-	github.com/fluxcd/source-watcher/api/v2 v2.0.2
 	github.com/go-logr/logr v1.4.3
 	github.com/go-logr/zapr v1.3.0
 	github.com/google/gofuzz v1.2.0
 	github.com/onsi/ginkgo/v2 v2.23.3
 	github.com/onsi/gomega v1.37.0
 	github.com/prometheus/client_golang v1.22.0
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/spf13/cobra v1.9.1
-	github.com/stretchr/testify v1.11.1
 	go.uber.org/zap v1.27.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.34.1
@@ -46,7 +44,6 @@ require (
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fluxcd/pkg/apis/acl v0.9.0 // indirect
 	github.com/fluxcd/pkg/apis/kustomize v1.13.0 // indirect
 	github.com/fluxcd/pkg/apis/meta v1.22.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
@@ -127,3 +124,6 @@ require (
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
+
+// See: issues.k8s.io/135537
+replace k8s.io/apimachinery => github.com/cozystack/apimachinery v0.0.0-20251219010959-1f91eabae46c

go.sum

@@ -18,6 +18,8 @@ github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cozystack/apimachinery v0.0.0-20251219010959-1f91eabae46c h1:C2wIfH/OzhU9XOK/e6Ik9cg7nZ1z6fN4lf6a3yFdik8=
+github.com/cozystack/apimachinery v0.0.0-20251219010959-1f91eabae46c/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -35,16 +37,10 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fluxcd/helm-controller/api v1.4.3 h1:CdZwjL1liXmYCWyk2jscmFEB59tICIlnWB9PfDDW5q4=
 github.com/fluxcd/helm-controller/api v1.4.3/go.mod h1:0XrBhKEaqvxyDj/FziG1Q8Fmx2UATdaqLgYqmZh6wW4=
-github.com/fluxcd/pkg/apis/acl v0.9.0 h1:wBpgsKT+jcyZEcM//OmZr9RiF8klL3ebrDp2u2ThsnA=
-github.com/fluxcd/pkg/apis/acl v0.9.0/go.mod h1:TttNS+gocsGLwnvmgVi3/Yscwqrjc17+vhgYfqkfrV4=
 github.com/fluxcd/pkg/apis/kustomize v1.13.0 h1:GGf0UBVRIku+gebY944icVeEIhyg1P/KE3IrhOyJJnE=
 github.com/fluxcd/pkg/apis/kustomize v1.13.0/go.mod h1:TLKVqbtnzkhDuhWnAsN35977HvRfIjs+lgMuNro/LEc=
 github.com/fluxcd/pkg/apis/meta v1.22.0 h1:EHWQH5ZWml7i8eZ/AMjm1jxid3j/PQ31p+hIwCt6crM=
 github.com/fluxcd/pkg/apis/meta v1.22.0/go.mod h1:Kc1+bWe5p0doROzuV9XiTfV/oL3ddsemYXt8ZYWdVVg=
-github.com/fluxcd/source-controller/api v1.6.2 h1:UmodAeqLIeF29HdTqf2GiacZyO+hJydJlepDaYsMvhc=
-github.com/fluxcd/source-controller/api v1.6.2/go.mod h1:ZJcAi0nemsnBxjVgmJl0WQzNvB0rMETxQMTdoFosmMw=
-github.com/fluxcd/source-watcher/api/v2 v2.0.2 h1:fWSxsDqYN7My2AEpQwbP7O6Qjix8nGBX+UE/qWHtZfM=
-github.com/fluxcd/source-watcher/api/v2 v2.0.2/go.mod h1:Hs6ueayPt23jlkIr/d1pGPZ+OHiibQwWjxvU6xqljzg=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
@@ -146,6 +142,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -298,8 +296,6 @@ k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM=
 k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk=
 k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI=
 k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc=
-k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
-k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
 k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA=
 k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0=
 k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=

hack/cozyreport.sh

@@ -12,19 +12,13 @@ command -V tar >/dev/null || exit $?
 
 echo "Collecting Cozystack information..."
 mkdir -p $REPORT_DIR/cozystack
-kubectl get deploy -n cozy-system cozystack-operator cozystack-controller -o yaml > $REPORT_DIR/cozystack/deployments.yaml 2>&1
-
-echo "Collecting platforms..."
-kubectl get platforms.cozystack.io -A > $REPORT_DIR/cozystack/platforms.txt 2>&1
-kubectl get platforms.cozystack.io -A -o yaml > $REPORT_DIR/cozystack/platforms.yaml 2>&1
-
-echo "Collecting bundles..."
-kubectl get bundles.cozystack.io -A > $REPORT_DIR/cozystack/bundles.txt 2>&1
-kubectl get bundles.cozystack.io -A -o yaml > $REPORT_DIR/cozystack/bundles.yaml 2>&1
-
-echo "Collecting applicationdefinitions..."
-kubectl get applicationdefinitions.cozystack.io -A > $REPORT_DIR/cozystack/applicationdefinitions.txt 2>&1
-kubectl get applicationdefinitions.cozystack.io -A -o yaml > $REPORT_DIR/cozystack/applicationdefinitions.yaml 2>&1
+kubectl get deploy -n cozy-system cozystack -o jsonpath='{.spec.template.spec.containers[0].image}' > $REPORT_DIR/cozystack/image.txt 2>&1
+kubectl get cm -n cozy-system --no-headers | awk '$1 ~ /^cozystack/' |
+  while read NAME _; do
+    DIR=$REPORT_DIR/cozystack/configs
+    mkdir -p $DIR
+    kubectl get cm -n cozy-system $NAME -o yaml > $DIR/$NAME.yaml 2>&1
+  done
 
 # -- kubernetes module
 
@@ -62,36 +56,6 @@ kubectl get hr -A --no-headers | awk '$4 != "True"' | \
     kubectl describe hr -n $NAMESPACE $NAME > $DIR/describe.txt 2>&1
   done
 
-echo "Collecting artifactgenerators..."
-kubectl get artifactgenerators.source.extensions.fluxcd.io -A > $REPORT_DIR/kubernetes/artifactgenerators.txt 2>&1
-kubectl get artifactgenerators.source.extensions.fluxcd.io -A --no-headers | awk '$4 != "True"' | \
-  while read NAMESPACE NAME _; do
-    DIR=$REPORT_DIR/kubernetes/artifactgenerators/$NAMESPACE/$NAME
-    mkdir -p $DIR
-    kubectl get artifactgenerators.source.extensions.fluxcd.io -n $NAMESPACE $NAME -o yaml > $DIR/artifactgenerator.yaml 2>&1
-    kubectl describe artifactgenerators.source.extensions.fluxcd.io -n $NAMESPACE $NAME > $DIR/describe.txt 2>&1
-  done
-
-echo "Collecting ocirepositories..."
-kubectl get ocirepositories.source.toolkit.fluxcd.io -A > $REPORT_DIR/kubernetes/ocirepositories.txt 2>&1
-kubectl get ocirepositories.source.toolkit.fluxcd.io -A --no-headers | awk '$4 != "True"' | \
-  while read NAMESPACE NAME _; do
-    DIR=$REPORT_DIR/kubernetes/ocirepositories/$NAMESPACE/$NAME
-    mkdir -p $DIR
-    kubectl get ocirepositories.source.toolkit.fluxcd.io -n $NAMESPACE $NAME -o yaml > $DIR/ocirepository.yaml 2>&1
-    kubectl describe ocirepositories.source.toolkit.fluxcd.io -n $NAMESPACE $NAME > $DIR/describe.txt 2>&1
-  done
-
-echo "Collecting gitrepositories..."
-kubectl get gitrepositories.source.toolkit.fluxcd.io -A > $REPORT_DIR/kubernetes/gitrepositories.txt 2>&1
-kubectl get gitrepositories.source.toolkit.fluxcd.io -A --no-headers | awk '$4 != "True"' | \
-  while read NAMESPACE NAME _; do
-    DIR=$REPORT_DIR/kubernetes/gitrepositories/$NAMESPACE/$NAME
-    mkdir -p $DIR
-    kubectl get gitrepositories.source.toolkit.fluxcd.io -n $NAMESPACE $NAME -o yaml > $DIR/gitrepository.yaml 2>&1
-    kubectl describe gitrepositories.source.toolkit.fluxcd.io -n $NAMESPACE $NAME > $DIR/describe.txt 2>&1
-  done
-
 echo "Collecting pods..."
 kubectl get pod -A -o wide > $REPORT_DIR/kubernetes/pods.txt 2>&1
 kubectl get pod -A --no-headers | awk '$4 !~ /Running|Succeeded|Completed/' |

hack/e2e-install-cozystack.bats

@@ -8,51 +8,23 @@
 }
 
 @test "Install Cozystack" {
+  # Create namespace & configmap required by installer
+  kubectl create namespace cozy-system --dry-run=client -o yaml | kubectl apply -f -
+  kubectl create configmap cozystack -n cozy-system \
+          --from-literal=bundle-name=paas-full \
+          --from-literal=ipv4-pod-cidr=10.244.0.0/16 \
+          --from-literal=ipv4-pod-gateway=10.244.0.1 \
+          --from-literal=ipv4-svc-cidr=10.96.0.0/16 \
+          --from-literal=ipv4-join-cidr=100.64.0.0/16 \
+          --from-literal=root-host=example.org \
+          --from-literal=api-server-endpoint=https://192.168.123.10:6443 \
+          --dry-run=client -o yaml | kubectl apply -f -
+
   # Apply installer manifests from file
   kubectl apply -f _out/assets/cozystack-installer.yaml
 
   # Wait for the installer deployment to become available
-  kubectl wait deployment/cozystack-operator -n cozy-system --timeout=1m --for=condition=Available
-
-  # Wait for cozy-fluxcd namespace to be created
-  timeout 30 sh -ec 'until kubectl get namespace cozy-fluxcd >/dev/null 2>&1; do sleep 1; done'
-
-  # Wait for Flux deployment
-  timeout 30 sh -ec 'until kubectl get deployment/flux -n cozy-fluxcd >/dev/null 2>&1; do sleep 1; done'
-  kubectl wait deployment/flux -n cozy-fluxcd --timeout=1m --for=condition=Available
-
-  # Create Platform resource instead of configmap
-  kubectl apply -f - <<'EOF'
-apiVersion: cozystack.io/v1alpha1
-kind: Platform
-metadata:
-  name: cozystack-platform
-spec:
-  sourceRef:
-    kind: OCIRepository
-    name: cozystack-packages
-    namespace: cozy-system
-  values:
-    bundles:
-      system:
-        type: "full"
-    networking:
-      podCIDR: "10.244.0.0/16"
-      podGateway: "10.244.0.1"
-      serviceCIDR: "10.96.0.0/16"
-      joinCIDR: "100.64.0.0/16"
-    publishing:
-      host: "example.org"
-      apiServerEndpoint: "https://192.168.123.10:6443"
-EOF
-
-  # Wait for ArtifactGenerator for cozystack-packages
-  timeout 60 sh -ec 'until kubectl get artifactgenerators.source.extensions.fluxcd.io cozystack-packages -n cozy-system >/dev/null 2>&1; do sleep 1; done'
-  kubectl wait artifactgenerators.source.extensions.fluxcd.io/cozystack-packages -n cozy-system --for=condition=ready --timeout=5m
-
-  # Wait for bundle ArtifactGenerators
-  timeout 60 sh -ec 'until kubectl get artifactgenerators.source.extensions.fluxcd.io cozystack-system cozystack-iaas cozystack-paas cozystack-naas -n cozy-system >/dev/null 2>&1; do sleep 1; done'
-  kubectl wait artifactgenerators.source.extensions.fluxcd.io -n cozy-system --for=condition=ready --timeout=5m cozystack-system cozystack-iaas cozystack-paas cozystack-naas
+  kubectl wait deployment/cozystack -n cozy-system --timeout=1m --for=condition=Available
 
   # Wait until HelmReleases appear & reconcile them
   timeout 60 sh -ec 'until kubectl get hr -A -l cozystack.io/system-app=true | grep -q cozys; do sleep 1; done'
@@ -168,8 +140,9 @@ EOF
     kubectl wait hr/seaweedfs-system -n tenant-root --timeout=2m --for=condition=ready
   fi
 
+
   # Expose Cozystack services through ingress
-  kubectl patch platform/cozystack-platform --type merge -p '{"spec":{"values":{"publishing":{"exposedServices":["api","dashboard","cdi-uploadproxy","vm-exportproxy","keycloak"]}}}}'
+  kubectl patch configmap/cozystack -n cozy-system --type merge -p '{"data":{"expose-services":"api,dashboard,cdi-uploadproxy,vm-exportproxy,keycloak"}}'
 
   # NGINX ingress controller
   timeout 60 sh -ec 'until kubectl get deploy root-ingress-controller -n tenant-root >/dev/null 2>&1; do sleep 1; done'
@@ -196,7 +169,7 @@ EOF
 }
 
 @test "Keycloak OIDC stack is healthy" {
-  kubectl patch platform/cozystack-platform --type merge -p '{"spec":{"values":{"authentication":{"oidc":{"enabled":true}}}}}'
+  kubectl patch configmap/cozystack -n cozy-system --type merge -p '{"data":{"oidc-enabled":"true"}}'
 
   timeout 120 sh -ec 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator >/dev/null 2>&1; do sleep 1; done'
   kubectl wait hr/keycloak hr/keycloak-configure hr/keycloak-operator -n cozy-keycloak --timeout=10m --for=condition=ready

hack/e2e-test-openapi.bats

@@ -21,14 +21,33 @@
 }
 
 @test "Test kinds" {
+  val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/tenants | jq -r '.kind')
+  if [ "$val" != "TenantList" ]; then
+    echo "Expected kind to be TenantList, got $val"
+    exit 1
+  fi
   val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/tenants | jq -r '.items[0].kind')
   if [ "$val" != "Tenant" ]; then
     echo "Expected kind to be Tenant, got $val"
     exit 1
   fi
+  val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/ingresses | jq -r '.kind')
+  if [ "$val" != "IngressList" ]; then
+    echo "Expected kind to be IngressList, got $val"
+    exit 1
+  fi
   val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/ingresses | jq -r '.items[0].kind')
   if [ "$val" != "Ingress" ]; then
     echo "Expected kind to be Ingress, got $val"
     exit 1
   fi
 }
+
+@test "Create and delete namespace" {
+  kubectl create ns cozy-test-create-and-delete-namespace --dry-run=client -o yaml | kubectl apply -f -
+  if ! kubectl delete ns cozy-test-create-and-delete-namespace; then
+    echo "Failed to delete namespace"
+    kubectl describe ns cozy-test-create-and-delete-namespace
+    exit 1
+  fi
+}

hack/update-codegen.sh

@@ -23,6 +23,14 @@ CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; ls -d -1 ./vendor/k8s.io/code-
 API_KNOWN_VIOLATIONS_DIR="${API_KNOWN_VIOLATIONS_DIR:-"${SCRIPT_ROOT}/api/api-rules"}"
 UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS:-true}"
 CONTROLLER_GEN="go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.4"
+TMPDIR=$(mktemp -d)
+OPERATOR_CRDDIR=packages/core/installer/definitions
+COZY_CONTROLLER_CRDDIR=packages/system/cozystack-controller/definitions
+COZY_RD_CRDDIR=packages/system/cozystack-resource-definition-crd/definition
+BACKUPS_CORE_CRDDIR=packages/system/backup-controller/definitions
+BACKUPSTRATEGY_CRDDIR=packages/system/backupstrategy-controller/definitions
+
+trap 'rm -rf ${TMPDIR}' EXIT
 
 source "${CODEGEN_PKG}/kube_codegen.sh"
 
@@ -53,10 +61,15 @@ kube::codegen::gen_openapi \
     "${SCRIPT_ROOT}/pkg/apis"
 
 $CONTROLLER_GEN object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
-$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=packages/system/cozystack-controller/crds
-mv packages/system/cozystack-controller/crds/cozystack.io_applicationdefinitions.yaml \
-        packages/core/installer/crds/cozystack.io_applicationdefinitions.yaml
-mv packages/system/cozystack-controller/crds/cozystack.io_bundles.yaml \
-        packages/core/installer/crds/cozystack.io_bundles.yaml
-mv packages/system/cozystack-controller/crds/cozystack.io_platforms.yaml \
-        packages/core/installer/crds/cozystack.io_platforms.yaml
+$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=${TMPDIR} 
+
+mv ${TMPDIR}/cozystack.io_packages.yaml ${OPERATOR_CRDDIR}/cozystack.io_packages.yaml
+mv ${TMPDIR}/cozystack.io_packagesources.yaml ${OPERATOR_CRDDIR}/cozystack.io_packagesources.yaml
+
+mv ${TMPDIR}/cozystack.io_cozystackresourcedefinitions.yaml \
+        ${COZY_RD_CRDDIR}/cozystack.io_cozystackresourcedefinitions.yaml
+
+mv ${TMPDIR}/backups.cozystack.io*.yaml ${BACKUPS_CORE_CRDDIR}/
+mv ${TMPDIR}/strategy.backups.cozystack.io*.yaml ${BACKUPSTRATEGY_CRDDIR}/
+
+mv ${TMPDIR}/*.yaml ${COZY_CONTROLLER_CRDDIR}/

hack/update-crd.sh

@@ -8,7 +8,7 @@ need yq; need jq; need base64
 CHART_YAML="${CHART_YAML:-Chart.yaml}"
 VALUES_YAML="${VALUES_YAML:-values.yaml}"
 SCHEMA_JSON="${SCHEMA_JSON:-values.schema.json}"
-CRD_DIR="../../core/platform/bundles/*/applicationdefinitions"
+CRD_DIR="../../system/cozystack-resource-definitions/cozyrds"
 
 [[ -f "$CHART_YAML" ]] || { echo "No $CHART_YAML found"; exit 1; }
 [[ -f "$SCHEMA_JSON" ]] || { echo "No $SCHEMA_JSON found"; exit 1; }
@@ -54,71 +54,37 @@ fi
 # Base64 (portable: no -w / -b options)
 ICON_B64="$(base64 < "$ICON_PATH" | tr -d '\n' | tr -d '\r')"
 
-# Find path to output CRD YAML
-OUT="$(find $CRD_DIR -type f -name "${NAME}.yaml" | head -n 1)"
-if [[ -z "$OUT" ]]; then
-  echo "Error: ApplicationDefinition file for '${NAME}' not found in ${CRD_DIR}"
-  echo "Please create the file first in one of the following directories:"
-  
-  # Auto-detect existing directories
-  BASE_DIR="../../core/platform/bundles"
-  if [[ -d "$BASE_DIR" ]]; then
-    for bundle_dir in "$BASE_DIR"/*/applicationdefinitions; do
-      if [[ -d "$bundle_dir" ]]; then
-        bundle_name="$(basename "$(dirname "$bundle_dir")")"
-        echo "  touch ${bundle_dir}/${NAME}.yaml  # ${bundle_name}"
-      fi
-    done
-  else
-    # Fallback if base directory doesn't exist
-    echo "  touch ../../core/platform/bundles/iaas/applicationdefinitions/${NAME}.yaml"
-    echo "  touch ../../core/platform/bundles/paas/applicationdefinitions/${NAME}.yaml"
-    echo "  touch ../../core/platform/bundles/naas/applicationdefinitions/${NAME}.yaml"
-    echo "  touch ../../core/platform/bundles/system/applicationdefinitions/${NAME}.yaml"
-  fi
-  exit 1
-fi
+# Decide which HelmRepository name to use based on path
+#   .../apps/...  -> cozystack-apps
+#   .../extra/... -> cozystack-extra
+# default: cozystack-apps
+SOURCE_NAME="cozystack-apps"
+case "$PWD" in
+  *"/apps/"*)  SOURCE_NAME="cozystack-apps" ;;
+  *"/extra/"*) SOURCE_NAME="cozystack-extra" ;;
+esac
 
-if [[ ! -s "$OUT" ]]; then
+# If file doesn't exist, create a minimal skeleton
+OUT="${OUT:-$CRD_DIR/$NAME.yaml}"
+if [[ ! -f "$OUT" ]]; then
   cat >"$OUT" <<EOF
 apiVersion: cozystack.io/v1alpha1
-kind: ApplicationDefinition
+kind: CozystackResourceDefinition
 metadata:
   name: ${NAME}
-spec:
-  release:
-    values:
-      _cozystack:
+spec: {}
 EOF
 fi
 
-# Determine package type (apps or extra) from current directory
-CURRENT_DIR="$(pwd)"
-PACKAGE_TYPE="apps"  # default
-if [[ "$CURRENT_DIR" == *"/packages/extra/"* ]]; then
-  PACKAGE_TYPE="extra"
-elif [[ "$CURRENT_DIR" == *"/packages/apps/"* ]]; then
-  PACKAGE_TYPE="apps"
-fi
-
-# Extract bundle type (iaas, paas, naas, system) from OUT path
-OUT_DIR="$(dirname "$OUT")"
-BUNDLE_DIR="$(dirname "$OUT_DIR")"
-BUNDLE_TYPE="$(basename "$BUNDLE_DIR")"
-ARTIFACT_PREFIX="cozystack-${BUNDLE_TYPE}"
-ARTIFACT_NAME="${ARTIFACT_PREFIX}-${NAME}"
-
 # Export vars for yq env()
 export RES_NAME="$NAME"
-# For packages/extra, prefix should be empty; for packages/apps, prefix is "${NAME}-"
-if [[ "$PACKAGE_TYPE" == "extra" ]]; then
+export PREFIX="$NAME-"
+if [ "$SOURCE_NAME" == "cozystack-extra" ]; then
   export PREFIX=""
-else
-  export PREFIX="${NAME}-"
 fi
 export DESCRIPTION="$DESC"
 export ICON_B64="$ICON_B64"
-export ARTIFACT_NAME="$ARTIFACT_NAME"
+export SOURCE_NAME="$SOURCE_NAME"
 export SCHEMA_JSON_MIN="$(jq -c . "$SCHEMA_JSON")"
 
 # Generate keysOrder from values.yaml
@@ -148,12 +114,6 @@ export KEYS_ORDER="$(
   '
 )"
 
-# Remove lines with cozystack.build-values before updating (Helm template syntax breaks yq parsing)
-if [[ -f "$OUT" && -n "$OUT" ]]; then
-  # Use grep to filter out the line, more reliable than sed
-  grep -v 'cozystack\.build-values' "$OUT" > "${OUT}.tmp" && mv "${OUT}.tmp" "$OUT"
-fi
-
 # Update only necessary fields in-place
 # - openAPISchema is loaded from file as a multi-line string (block scalar)
 # - labels ensure cozystack.io/ui: "true"
@@ -161,26 +121,19 @@ fi
 # - sourceRef derived from directory (apps|extra)
 yq -i '
   .apiVersion = (.apiVersion // "cozystack.io/v1alpha1") |
-  .kind       = (.kind       // "ApplicationDefinition") |
+  .kind       = (.kind       // "CozystackResourceDefinition") |
   .metadata.name = strenv(RES_NAME) |
   .spec.application.openAPISchema = strenv(SCHEMA_JSON_MIN) |
   (.spec.application.openAPISchema style="literal") |
   .spec.release.prefix = (strenv(PREFIX)) |
   .spec.release.labels."cozystack.io/ui" = "true" |
-  del(.spec.release.chart) |
-  .spec.release.chartRef.sourceRef.kind = "ExternalArtifact" |
-  .spec.release.chartRef.sourceRef.name = strenv(ARTIFACT_NAME) |
-  .spec.release.chartRef.sourceRef.namespace = "cozy-system" |
+  .spec.release.chart.name = strenv(RES_NAME) |
+  .spec.release.chart.sourceRef.kind = "HelmRepository" |
+  .spec.release.chart.sourceRef.name = strenv(SOURCE_NAME) |
+  .spec.release.chart.sourceRef.namespace = "cozy-public" |
   .spec.dashboard.description = strenv(DESCRIPTION) |
   .spec.dashboard.icon = strenv(ICON_B64) |
   .spec.dashboard.keysOrder = env(KEYS_ORDER)
 ' "$OUT"
 
-# Add back the Helm template line after _cozystack
-if [[ -f "$OUT" && -n "$OUT" ]]; then
-  HELM_TEMPLATE='        {{- include "cozystack.build-values" . | nindent 8 }}'
-  # Use awk for more reliable insertion
-  awk -v template="$HELM_TEMPLATE" '/_cozystack:/ {print; print template; next} {print}' "$OUT" > "${OUT}.tmp" && mv "${OUT}.tmp" "$OUT"
-fi
-
 echo "Updated $OUT"

internal/backupcontroller/factory/backupjob.go

@@ -0,0 +1,28 @@
+package factory
+
+import (
+	"fmt"
+	"time"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func BackupJob(p *backupsv1alpha1.Plan, scheduledFor time.Time) *backupsv1alpha1.BackupJob {
+	job := &backupsv1alpha1.BackupJob{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-%d", p.Name, scheduledFor.Unix()/60),
+			Namespace: p.Namespace,
+		},
+		Spec: backupsv1alpha1.BackupJobSpec{
+			PlanRef: &corev1.LocalObjectReference{
+				Name: p.Name,
+			},
+			ApplicationRef: *p.Spec.ApplicationRef.DeepCopy(),
+			StorageRef:     *p.Spec.StorageRef.DeepCopy(),
+			StrategyRef:    *p.Spec.StrategyRef.DeepCopy(),
+		},
+	}
+	return job
+}

internal/backupcontroller/jobstrategy_controller.go

@@ -0,0 +1,31 @@
+package backupcontroller
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+)
+
+// BackupJobStrategyReconciler reconciles BackupJob with a strategy referencing
+// Job.strategy.backups.cozystack.io objects.
+type BackupJobStrategyReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *BackupJobStrategyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	_ = log.FromContext(ctx)
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager registers our controller with the Manager and sets up watches.
+func (r *BackupJobStrategyReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&backupsv1alpha1.BackupJob{}).
+		Complete(r)
+}

internal/backupcontroller/plan_controller.go

@@ -0,0 +1,104 @@
+package backupcontroller
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	cron "github.com/robfig/cron/v3"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller/factory"
+)
+
+const (
+	minRequeueDelay         = 30 * time.Second
+	startingDeadlineSeconds = 300 * time.Second
+)
+
+// PlanReconciler reconciles a Plan object
+type PlanReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *PlanReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx)
+
+	log.V(2).Info("reconciling")
+
+	p := &backupsv1alpha1.Plan{}
+
+	if err := r.Get(ctx, client.ObjectKey{Namespace: req.Namespace, Name: req.Name}, p); err != nil {
+		if apierrors.IsNotFound(err) {
+			log.V(3).Info("Plan not found")
+			return ctrl.Result{}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	tCheck := time.Now().Add(-startingDeadlineSeconds)
+	sch, err := cron.ParseStandard(p.Spec.Schedule.Cron)
+	if err != nil {
+		errWrapped := fmt.Errorf("could not parse cron %s: %w", p.Spec.Schedule.Cron, err)
+		log.Error(err, "could not parse cron", "cron", p.Spec.Schedule.Cron)
+		meta.SetStatusCondition(&p.Status.Conditions, metav1.Condition{
+			Type:    backupsv1alpha1.PlanConditionError,
+			Status:  metav1.ConditionTrue,
+			Reason:  "Failed to parse cron spec",
+			Message: errWrapped.Error(),
+		})
+		if err := r.Status().Update(ctx, p); err != nil {
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{}, nil
+	}
+
+	// Clear error condition if cron parsing succeeds
+	if condition := meta.FindStatusCondition(p.Status.Conditions, backupsv1alpha1.PlanConditionError); condition != nil && condition.Status == metav1.ConditionTrue {
+		meta.SetStatusCondition(&p.Status.Conditions, metav1.Condition{
+			Type:    backupsv1alpha1.PlanConditionError,
+			Status:  metav1.ConditionFalse,
+			Reason:  "Cron spec is valid",
+			Message: "The cron schedule has been successfully parsed",
+		})
+		if err := r.Status().Update(ctx, p); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
+	tNext := sch.Next(tCheck)
+
+	if time.Now().Before(tNext) {
+		return ctrl.Result{RequeueAfter: tNext.Sub(time.Now())}, nil
+	}
+
+	job := factory.BackupJob(p, tNext)
+	if err := controllerutil.SetControllerReference(p, job, r.Scheme); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	if err := r.Create(ctx, job); err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			return ctrl.Result{RequeueAfter: startingDeadlineSeconds}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	return ctrl.Result{RequeueAfter: startingDeadlineSeconds}, nil
+}
+
+// SetupWithManager registers our controller with the Manager and sets up watches.
+func (r *PlanReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&backupsv1alpha1.Plan{}).
+		Complete(r)
+}

internal/controller/applicationdefinition_controller.go

@@ -1,502 +0,0 @@
-package controller
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
-	"fmt"
-	"slices"
-	"sync"
-	"time"
-
-	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
-
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/handler"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-
-	"github.com/cozystack/cozystack/pkg/cozylib"
-)
-
-// +kubebuilder:rbac:groups=cozystack.io,resources=applicationdefinitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=helm.toolkit.fluxcd.io,resources=helmreleases,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch
-type ApplicationDefinitionReconciler struct {
-	client.Client
-	Scheme *runtime.Scheme
-
-	Debounce time.Duration
-
-	mu          sync.Mutex
-	lastEvent   time.Time
-	lastHandled time.Time
-
-	CozystackAPIKind string
-}
-
-func (r *ApplicationDefinitionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	logger := log.FromContext(ctx)
-	logger.Info("Reconciling ApplicationDefinitions", "request", req.NamespacedName)
-
-	// Get all ApplicationDefinitions
-	crdList := &cozyv1alpha1.ApplicationDefinitionList{}
-	if err := r.List(ctx, crdList); err != nil {
-		logger.Error(err, "failed to list ApplicationDefinitions")
-		return ctrl.Result{}, err
-	}
-
-	logger.Info("Found ApplicationDefinitions", "count", len(crdList.Items))
-
-	// Update HelmReleases for each CRD
-	for i := range crdList.Items {
-		crd := &crdList.Items[i]
-		logger.V(4).Info("Processing CRD", "crd", crd.Name, "hasValues", crd.Spec.Release.Values != nil)
-		if err := r.updateHelmReleasesForCRD(ctx, crd); err != nil {
-			logger.Error(err, "failed to update HelmReleases for CRD", "crd", crd.Name)
-			// Continue with other CRDs even if one fails
-		}
-	}
-
-	// Continue with debounced restart logic
-	return r.debouncedRestart(ctx)
-}
-
-func (r *ApplicationDefinitionReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	if r.Debounce == 0 {
-		r.Debounce = 5 * time.Second
-	}
-
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("applicationdefinition-controller").
-		Watches(
-			&cozyv1alpha1.ApplicationDefinition{},
-			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
-				r.mu.Lock()
-				r.lastEvent = time.Now()
-				r.mu.Unlock()
-				return []reconcile.Request{{
-					NamespacedName: types.NamespacedName{
-						Namespace: "cozy-system",
-						Name:      "cozystack-api",
-					},
-				}}
-			}),
-		).
-		Watches(
-			&helmv2.HelmRelease{},
-			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
-				hr, ok := obj.(*helmv2.HelmRelease)
-				if !ok {
-					return nil
-				}
-				// Only watch HelmReleases with cozystack.io/ui=true label
-				if hr.Labels == nil || hr.Labels["cozystack.io/ui"] != "true" {
-					return nil
-				}
-				// Trigger reconciliation of all CRDs when a HelmRelease with the label is created/updated
-				r.mu.Lock()
-				r.lastEvent = time.Now()
-				r.mu.Unlock()
-				return []reconcile.Request{{
-					NamespacedName: types.NamespacedName{
-						Namespace: "cozy-system",
-						Name:      "cozystack-api",
-					},
-				}}
-			}),
-		).
-		Complete(r)
-}
-
-type crdHashView struct {
-	Name string                           `json:"name"`
-	Spec cozyv1alpha1.ApplicationDefinitionSpec `json:"spec"`
-}
-
-func (r *ApplicationDefinitionReconciler) computeConfigHash(ctx context.Context) (string, error) {
-	list := &cozyv1alpha1.ApplicationDefinitionList{}
-	if err := r.List(ctx, list); err != nil {
-		return "", err
-	}
-
-	slices.SortFunc(list.Items, sortApplicationDefinitions)
-
-	views := make([]crdHashView, 0, len(list.Items))
-	for i := range list.Items {
-		views = append(views, crdHashView{
-			Name: list.Items[i].Name,
-			Spec: list.Items[i].Spec,
-		})
-	}
-	b, err := json.Marshal(views)
-	if err != nil {
-		return "", err
-	}
-	sum := sha256.Sum256(b)
-	return hex.EncodeToString(sum[:]), nil
-}
-
-func (r *ApplicationDefinitionReconciler) debouncedRestart(ctx context.Context) (ctrl.Result, error) {
-	logger := log.FromContext(ctx)
-
-	r.mu.Lock()
-	le := r.lastEvent
-	lh := r.lastHandled
-	debounce := r.Debounce
-	r.mu.Unlock()
-
-	if debounce <= 0 {
-		debounce = 5 * time.Second
-	}
-	if le.IsZero() {
-		return ctrl.Result{}, nil
-	}
-	if d := time.Since(le); d < debounce {
-		return ctrl.Result{RequeueAfter: debounce - d}, nil
-	}
-	if !lh.Before(le) {
-		return ctrl.Result{}, nil
-	}
-
-	newHash, err := r.computeConfigHash(ctx)
-	if err != nil {
-		return ctrl.Result{}, err
-	}
-
-	tpl, obj, patch, err := r.getWorkload(ctx, types.NamespacedName{Namespace: "cozy-system", Name: "cozystack-api"})
-	if err != nil {
-		return ctrl.Result{}, client.IgnoreNotFound(err)
-	}
-
-	oldHash := tpl.Annotations["cozystack.io/config-hash"]
-
-	if oldHash == newHash && oldHash != "" {
-		r.mu.Lock()
-		r.lastHandled = le
-		r.mu.Unlock()
-		logger.Info("No changes in CRD config; skipping restart", "hash", newHash)
-		return ctrl.Result{}, nil
-	}
-
-	tpl.Annotations["cozystack.io/config-hash"] = newHash
-
-	if err := r.Patch(ctx, obj, patch); err != nil {
-		return ctrl.Result{}, err
-	}
-
-	r.mu.Lock()
-	r.lastHandled = le
-	r.mu.Unlock()
-
-	logger.Info("Updated cozystack-api podTemplate config-hash; rollout triggered",
-		"old", oldHash, "new", newHash)
-	return ctrl.Result{}, nil
-}
-
-func (r *ApplicationDefinitionReconciler) getWorkload(
-	ctx context.Context,
-	key types.NamespacedName,
-) (tpl *corev1.PodTemplateSpec, obj client.Object, patch client.Patch, err error) {
-	if r.CozystackAPIKind == "Deployment" {
-		dep := &appsv1.Deployment{}
-		if err := r.Get(ctx, key, dep); err != nil {
-			return nil, nil, nil, err
-		}
-		obj = dep
-		tpl = &dep.Spec.Template
-		patch = client.MergeFrom(dep.DeepCopy())
-	} else {
-		ds := &appsv1.DaemonSet{}
-		if err := r.Get(ctx, key, ds); err != nil {
-			return nil, nil, nil, err
-		}
-		obj = ds
-		tpl = &ds.Spec.Template
-		patch = client.MergeFrom(ds.DeepCopy())
-	}
-	if tpl.Annotations == nil {
-		tpl.Annotations = make(map[string]string)
-	}
-	return tpl, obj, patch, nil
-}
-
-func sortApplicationDefinitions(a, b cozyv1alpha1.ApplicationDefinition) int {
-	if a.Name == b.Name {
-		return 0
-	}
-	if a.Name < b.Name {
-		return -1
-	}
-	return 1
-}
-
-// updateHelmReleasesForCRD updates all HelmReleases that match the application labels from ApplicationDefinition
-func (r *ApplicationDefinitionReconciler) updateHelmReleasesForCRD(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) error {
-	logger := log.FromContext(ctx)
-
-	// Use application labels to find HelmReleases
-	// Labels: apps.cozystack.io/application.kind and apps.cozystack.io/application.group
-	applicationKind := crd.Spec.Application.Kind
-	applicationGroup := "apps.cozystack.io" // All applications use this group
-
-	// Build label selector for HelmReleases
-	// Only reconcile HelmReleases with cozystack.io/ui=true label
-	labelSelector := client.MatchingLabels{
-		"apps.cozystack.io/application.kind":  applicationKind,
-		"apps.cozystack.io/application.group": applicationGroup,
-		"cozystack.io/ui":                      "true",
-	}
-
-	// List all HelmReleases with matching labels
-	hrList := &helmv2.HelmReleaseList{}
-	if err := r.List(ctx, hrList, labelSelector); err != nil {
-		logger.Error(err, "failed to list HelmReleases", "kind", applicationKind, "group", applicationGroup)
-		return err
-	}
-
-	logger.Info("Found HelmReleases to update", "crd", crd.Name, "kind", applicationKind, "count", len(hrList.Items), "hasValues", crd.Spec.Release.Values != nil)
-	if crd.Spec.Release.Values != nil {
-		logger.V(4).Info("CRD has values", "crd", crd.Name, "valuesSize", len(crd.Spec.Release.Values.Raw))
-	}
-
-	// Log each HelmRelease that will be updated
-	for i := range hrList.Items {
-		hr := &hrList.Items[i]
-		logger.V(4).Info("Processing HelmRelease", "name", hr.Name, "namespace", hr.Namespace, "kind", applicationKind)
-	}
-
-	// Update each HelmRelease
-	for i := range hrList.Items {
-		hr := &hrList.Items[i]
-		if err := r.updateHelmReleaseChart(ctx, hr, crd); err != nil {
-			logger.Error(err, "failed to update HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
-			continue
-		}
-	}
-
-	return nil
-}
-
-// updateHelmReleaseChart updates the chart/chartRef and values in HelmRelease based on ApplicationDefinition
-func (r *ApplicationDefinitionReconciler) updateHelmReleaseChart(ctx context.Context, hr *helmv2.HelmRelease, crd *cozyv1alpha1.ApplicationDefinition) error {
-	logger := log.FromContext(ctx)
-	updated := false
-	hrCopy := hr.DeepCopy()
-
-	// Update based on Chart or ChartRef configuration
-	if crd.Spec.Release.Chart != nil {
-		// Using Chart (HelmRepository)
-		if hrCopy.Spec.Chart == nil {
-			// Need to create Chart spec
-			hrCopy.Spec.Chart = &helmv2.HelmChartTemplate{
-				Spec: helmv2.HelmChartTemplateSpec{
-					Chart: crd.Spec.Release.Chart.Name,
-					SourceRef: helmv2.CrossNamespaceObjectReference{
-						Kind:      crd.Spec.Release.Chart.SourceRef.Kind,
-						Name:      crd.Spec.Release.Chart.SourceRef.Name,
-						Namespace: crd.Spec.Release.Chart.SourceRef.Namespace,
-					},
-				},
-			}
-			// Clear ChartRef if it exists
-			hrCopy.Spec.ChartRef = nil
-			updated = true
-		} else {
-			// Update existing Chart spec
-			if hrCopy.Spec.Chart.Spec.Chart != crd.Spec.Release.Chart.Name ||
-				hrCopy.Spec.Chart.Spec.SourceRef.Kind != crd.Spec.Release.Chart.SourceRef.Kind ||
-				hrCopy.Spec.Chart.Spec.SourceRef.Name != crd.Spec.Release.Chart.SourceRef.Name ||
-				hrCopy.Spec.Chart.Spec.SourceRef.Namespace != crd.Spec.Release.Chart.SourceRef.Namespace {
-				hrCopy.Spec.Chart.Spec.Chart = crd.Spec.Release.Chart.Name
-				hrCopy.Spec.Chart.Spec.SourceRef = helmv2.CrossNamespaceObjectReference{
-					Kind:      crd.Spec.Release.Chart.SourceRef.Kind,
-					Name:      crd.Spec.Release.Chart.SourceRef.Name,
-					Namespace: crd.Spec.Release.Chart.SourceRef.Namespace,
-				}
-				// Clear ChartRef if it exists
-				hrCopy.Spec.ChartRef = nil
-				updated = true
-			}
-		}
-	} else if crd.Spec.Release.ChartRef != nil {
-		// Using ChartRef (ExternalArtifact)
-		expectedChartRef := &helmv2.CrossNamespaceSourceReference{
-			Kind:      "ExternalArtifact",
-			Name:      crd.Spec.Release.ChartRef.SourceRef.Name,
-			Namespace: crd.Spec.Release.ChartRef.SourceRef.Namespace,
-		}
-
-		if hrCopy.Spec.ChartRef == nil {
-			// Need to create ChartRef
-			hrCopy.Spec.ChartRef = expectedChartRef
-			// Clear Chart if it exists
-			hrCopy.Spec.Chart = nil
-			updated = true
-		} else {
-			// Update existing ChartRef
-			if hrCopy.Spec.ChartRef.Kind != expectedChartRef.Kind ||
-				hrCopy.Spec.ChartRef.Name != expectedChartRef.Name ||
-				hrCopy.Spec.ChartRef.Namespace != expectedChartRef.Namespace {
-				hrCopy.Spec.ChartRef = expectedChartRef
-				// Clear Chart if it exists
-				hrCopy.Spec.Chart = nil
-				updated = true
-			}
-		}
-	}
-
-	// Update Values from CRD if specified
-	var mergedValues *apiextensionsv1.JSON
-	var err error
-	if crd.Spec.Release.Values != nil {
-		logger.V(4).Info("Merging values from CRD", "name", hr.Name, "namespace", hr.Namespace, "crd", crd.Name)
-		mergedValues, err = cozylib.MergeValuesWithCRDPriority(crd.Spec.Release.Values, hrCopy.Spec.Values)
-		if err != nil {
-			logger.Error(err, "failed to merge values", "name", hr.Name, "namespace", hr.Namespace)
-			return fmt.Errorf("failed to merge values: %w", err)
-		}
-	} else {
-		// Even if CRD has no values, we still need to ensure _namespace is set
-		mergedValues = hrCopy.Spec.Values
-	}
-
-	// Always inject namespace annotations (top-level _namespace field)
-	// This matches the behavior in cozystack-api and NamespaceHelmReconciler
-	namespace := &corev1.Namespace{}
-	if err := r.Get(ctx, client.ObjectKey{Name: hrCopy.Namespace}, namespace); err == nil {
-		mergedValues, err = cozylib.InjectNamespaceAnnotationsIntoValues(mergedValues, namespace)
-		if err != nil {
-			logger.Error(err, "failed to inject namespace annotations", "name", hr.Name, "namespace", hr.Namespace)
-			// Continue even if namespace annotations injection fails
-		}
-	}
-
-	// Always update values to ensure _cozystack and _namespace are applied
-	// This ensures that CRD values (especially _cozystack and _namespace) are always applied
-	// We always update to ensure CRD values are propagated, even if they appear equal
-	// This is important because JSON comparison might not catch all differences (e.g., field order)
-	if crd.Spec.Release.Values != nil || mergedValues != hrCopy.Spec.Values {
-		hrCopy.Spec.Values = mergedValues
-		updated = true
-		if crd.Spec.Release.Values != nil {
-			logger.Info("Updated values from CRD", "name", hr.Name, "namespace", hr.Namespace, "crd", crd.Name)
-		} else {
-			logger.V(4).Info("Updated values with namespace labels", "name", hr.Name, "namespace", hr.Namespace, "crd", crd.Name)
-		}
-	} else {
-		logger.V(4).Info("No values update needed", "name", hr.Name, "namespace", hr.Namespace, "crd", crd.Name)
-	}
-
-	if !updated {
-		return nil
-	}
-
-	// Update the HelmRelease
-	patch := client.MergeFrom(hr.DeepCopy())
-	if err := r.Patch(ctx, hrCopy, patch); err != nil {
-		return err
-	}
-
-	logger.Info("Updated HelmRelease", "name", hr.Name, "namespace", hr.Namespace, "crd", crd.Name)
-	return nil
-}
-
-// mergeHelmReleaseValues merges CRD default values with existing HelmRelease values
-// All fields are merged except "_cozystack" and "_namespace" which are fully overwritten from CRD values
-// Existing HelmRelease values (outside of _cozystack and _namespace) take precedence (user values override defaults)
-func (r *ApplicationDefinitionReconciler) mergeHelmReleaseValues(crdValues, existingValues *apiextensionsv1.JSON) (*apiextensionsv1.JSON, error) {
-	// If CRD has no values, preserve existing
-	if crdValues == nil || len(crdValues.Raw) == 0 {
-		return existingValues, nil
-	}
-
-	// If existing has no values, use CRD values
-	if existingValues == nil || len(existingValues.Raw) == 0 {
-		return crdValues, nil
-	}
-
-	var crdMap, existingMap map[string]interface{}
-
-	// Parse CRD values (defaults)
-	if err := json.Unmarshal(crdValues.Raw, &crdMap); err != nil {
-		return nil, fmt.Errorf("failed to unmarshal CRD values: %w", err)
-	}
-
-	// Parse existing HelmRelease values
-	if err := json.Unmarshal(existingValues.Raw, &existingMap); err != nil {
-		return nil, fmt.Errorf("failed to unmarshal existing values: %w", err)
-	}
-
-	// Start with existing values as base (user values take priority)
-	// Then merge CRD values on top, but _cozystack and _namespace from CRD completely overwrite
-	merged := deepMergeMaps(existingMap, crdMap)
-
-	// Explicitly handle "_cozystack" field: CRD values completely overwrite existing
-	// This ensures _cozystack field from CRD is always used, even if user modified it
-	if crdCozystack, exists := crdMap["_cozystack"]; exists {
-		merged["_cozystack"] = crdCozystack
-	}
-
-	// Explicitly handle "_namespace" field: CRD values completely overwrite existing
-	// This ensures _namespace field from CRD is always used, even if user modified it
-	if crdNamespace, exists := crdMap["_namespace"]; exists {
-		merged["_namespace"] = crdNamespace
-	}
-
-	mergedJSON, err := json.Marshal(merged)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal merged values: %w", err)
-	}
-
-	return &apiextensionsv1.JSON{Raw: mergedJSON}, nil
-}
-
-// deepMergeMaps performs a deep merge of two maps
-func deepMergeMaps(base, override map[string]interface{}) map[string]interface{} {
-	result := make(map[string]interface{})
-
-	// Copy base map
-	for k, v := range base {
-		result[k] = v
-	}
-
-	// Merge override map
-	for k, v := range override {
-		if baseVal, exists := result[k]; exists {
-			// If both are maps, recursively merge
-			if baseMap, ok := baseVal.(map[string]interface{}); ok {
-				if overrideMap, ok := v.(map[string]interface{}); ok {
-					result[k] = deepMergeMaps(baseMap, overrideMap)
-					continue
-				}
-			}
-		}
-		// Override takes precedence
-		result[k] = v
-	}
-
-	return result
-}
-
-// valuesEqual compares two JSON values for equality
-func valuesEqual(a, b *apiextensionsv1.JSON) bool {
-	if a == nil && b == nil {
-		return true
-	}
-	if a == nil || b == nil {
-		return false
-	}
-	// Simple byte comparison (could be improved with canonical JSON)
-	return string(a.Raw) == string(b.Raw)
-}
-

internal/controller/cozystackresource_controller.go

@@ -0,0 +1,189 @@
+package controller
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"slices"
+	"sync"
+	"time"
+
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+type CozystackResourceDefinitionReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+
+	Debounce time.Duration
+
+	mu          sync.Mutex
+	lastEvent   time.Time
+	lastHandled time.Time
+
+	CozystackAPIKind string
+}
+
+func (r *CozystackResourceDefinitionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	// Only handle debounced restart logic
+	// HelmRelease reconciliation is handled by CozystackResourceDefinitionHelmReconciler
+	return r.debouncedRestart(ctx)
+}
+
+func (r *CozystackResourceDefinitionReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	if r.Debounce == 0 {
+		r.Debounce = 5 * time.Second
+	}
+
+	return ctrl.NewControllerManagedBy(mgr).
+		Named("cozystackresource-controller").
+		Watches(
+			&cozyv1alpha1.CozystackResourceDefinition{},
+			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
+				r.mu.Lock()
+				r.lastEvent = time.Now()
+				r.mu.Unlock()
+				return []reconcile.Request{{
+					NamespacedName: types.NamespacedName{
+						Namespace: "cozy-system",
+						Name:      "cozystack-api",
+					},
+				}}
+			}),
+		).
+		Complete(r)
+}
+
+type crdHashView struct {
+	Name string                                       `json:"name"`
+	Spec cozyv1alpha1.CozystackResourceDefinitionSpec `json:"spec"`
+}
+
+func (r *CozystackResourceDefinitionReconciler) computeConfigHash(ctx context.Context) (string, error) {
+	list := &cozyv1alpha1.CozystackResourceDefinitionList{}
+	if err := r.List(ctx, list); err != nil {
+		return "", err
+	}
+
+	slices.SortFunc(list.Items, sortCozyRDs)
+
+	views := make([]crdHashView, 0, len(list.Items))
+	for i := range list.Items {
+		views = append(views, crdHashView{
+			Name: list.Items[i].Name,
+			Spec: list.Items[i].Spec,
+		})
+	}
+	b, err := json.Marshal(views)
+	if err != nil {
+		return "", err
+	}
+	sum := sha256.Sum256(b)
+	return hex.EncodeToString(sum[:]), nil
+}
+
+func (r *CozystackResourceDefinitionReconciler) debouncedRestart(ctx context.Context) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+
+	r.mu.Lock()
+	le := r.lastEvent
+	lh := r.lastHandled
+	debounce := r.Debounce
+	r.mu.Unlock()
+
+	if debounce <= 0 {
+		debounce = 5 * time.Second
+	}
+	if le.IsZero() {
+		return ctrl.Result{}, nil
+	}
+	if d := time.Since(le); d < debounce {
+		return ctrl.Result{RequeueAfter: debounce - d}, nil
+	}
+	if !lh.Before(le) {
+		return ctrl.Result{}, nil
+	}
+
+	newHash, err := r.computeConfigHash(ctx)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
+	tpl, obj, patch, err := r.getWorkload(ctx, types.NamespacedName{Namespace: "cozy-system", Name: "cozystack-api"})
+	if err != nil {
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+
+	oldHash := tpl.Annotations["cozystack.io/config-hash"]
+
+	if oldHash == newHash && oldHash != "" {
+		r.mu.Lock()
+		r.lastHandled = le
+		r.mu.Unlock()
+		logger.Info("No changes in CRD config; skipping restart", "hash", newHash)
+		return ctrl.Result{}, nil
+	}
+
+	tpl.Annotations["cozystack.io/config-hash"] = newHash
+
+	if err := r.Patch(ctx, obj, patch); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	r.mu.Lock()
+	r.lastHandled = le
+	r.mu.Unlock()
+
+	logger.Info("Updated cozystack-api podTemplate config-hash; rollout triggered",
+		"old", oldHash, "new", newHash)
+	return ctrl.Result{}, nil
+}
+
+func (r *CozystackResourceDefinitionReconciler) getWorkload(
+	ctx context.Context,
+	key types.NamespacedName,
+) (tpl *corev1.PodTemplateSpec, obj client.Object, patch client.Patch, err error) {
+	if r.CozystackAPIKind == "Deployment" {
+		dep := &appsv1.Deployment{}
+		if err := r.Get(ctx, key, dep); err != nil {
+			return nil, nil, nil, err
+		}
+		obj = dep
+		tpl = &dep.Spec.Template
+		patch = client.MergeFrom(dep.DeepCopy())
+	} else {
+		ds := &appsv1.DaemonSet{}
+		if err := r.Get(ctx, key, ds); err != nil {
+			return nil, nil, nil, err
+		}
+		obj = ds
+		tpl = &ds.Spec.Template
+		patch = client.MergeFrom(ds.DeepCopy())
+	}
+	if tpl.Annotations == nil {
+		tpl.Annotations = make(map[string]string)
+	}
+	return tpl, obj, patch, nil
+}
+
+func sortCozyRDs(a, b cozyv1alpha1.CozystackResourceDefinition) int {
+	if a.Name == b.Name {
+		return 0
+	}
+	if a.Name < b.Name {
+		return -1
+	}
+	return 1
+}

internal/controller/cozystackresourcedefinition_helmreconciler.go

@@ -0,0 +1,166 @@
+package controller
+
+import (
+	"context"
+	"fmt"
+
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+
+	"k8s.io/apimachinery/pkg/runtime"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// +kubebuilder:rbac:groups=cozystack.io,resources=cozystackresourcedefinitions,verbs=get;list;watch
+// +kubebuilder:rbac:groups=helm.toolkit.fluxcd.io,resources=helmreleases,verbs=get;list;watch;update;patch
+
+// CozystackResourceDefinitionHelmReconciler reconciles CozystackResourceDefinitions
+// and updates related HelmReleases when a CozyRD changes.
+// This controller does NOT watch HelmReleases to avoid mutual reconciliation storms
+// with Flux's helm-controller.
+type CozystackResourceDefinitionHelmReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *CozystackResourceDefinitionHelmReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+
+	// Get the CozystackResourceDefinition that triggered this reconciliation
+	crd := &cozyv1alpha1.CozystackResourceDefinition{}
+	if err := r.Get(ctx, req.NamespacedName, crd); err != nil {
+		logger.Error(err, "failed to get CozystackResourceDefinition", "name", req.Name)
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+
+	// Update HelmReleases related to this specific CozyRD
+	if err := r.updateHelmReleasesForCRD(ctx, crd); err != nil {
+		logger.Error(err, "failed to update HelmReleases for CRD", "crd", crd.Name)
+		return ctrl.Result{}, err
+	}
+
+	return ctrl.Result{}, nil
+}
+
+func (r *CozystackResourceDefinitionHelmReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		Named("cozystackresourcedefinition-helm-reconciler").
+		For(&cozyv1alpha1.CozystackResourceDefinition{}).
+		Complete(r)
+}
+
+// updateHelmReleasesForCRD updates all HelmReleases that match the application labels from CozystackResourceDefinition
+func (r *CozystackResourceDefinitionHelmReconciler) updateHelmReleasesForCRD(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) error {
+	logger := log.FromContext(ctx)
+
+	// Use application labels to find HelmReleases
+	// Labels: apps.cozystack.io/application.kind and apps.cozystack.io/application.group
+	applicationKind := crd.Spec.Application.Kind
+
+	// Validate that applicationKind is non-empty
+	if applicationKind == "" {
+		logger.V(4).Info("Skipping HelmRelease update: Application.Kind is empty", "crd", crd.Name)
+		return nil
+	}
+
+	applicationGroup := "apps.cozystack.io" // All applications use this group
+
+	// Build label selector for HelmReleases
+	// Only reconcile HelmReleases with cozystack.io/ui=true label
+	labelSelector := client.MatchingLabels{
+		"apps.cozystack.io/application.kind":  applicationKind,
+		"apps.cozystack.io/application.group": applicationGroup,
+		"cozystack.io/ui":                      "true",
+	}
+
+	// List all HelmReleases with matching labels
+	hrList := &helmv2.HelmReleaseList{}
+	if err := r.List(ctx, hrList, labelSelector); err != nil {
+		logger.Error(err, "failed to list HelmReleases", "kind", applicationKind, "group", applicationGroup)
+		return err
+	}
+
+	logger.V(4).Info("Found HelmReleases to update", "crd", crd.Name, "kind", applicationKind, "count", len(hrList.Items))
+
+	// Update each HelmRelease
+	for i := range hrList.Items {
+		hr := &hrList.Items[i]
+		if err := r.updateHelmReleaseChart(ctx, hr, crd); err != nil {
+			logger.Error(err, "failed to update HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
+			continue
+		}
+	}
+
+	return nil
+}
+
+// updateHelmReleaseChart updates the chart in HelmRelease based on CozystackResourceDefinition
+func (r *CozystackResourceDefinitionHelmReconciler) updateHelmReleaseChart(ctx context.Context, hr *helmv2.HelmRelease, crd *cozyv1alpha1.CozystackResourceDefinition) error {
+	logger := log.FromContext(ctx)
+	hrCopy := hr.DeepCopy()
+	updated := false
+
+	// Validate Chart configuration exists
+	if crd.Spec.Release.Chart.Name == "" {
+		logger.V(4).Info("Skipping HelmRelease chart update: Chart.Name is empty", "crd", crd.Name)
+		return nil
+	}
+
+	// Validate SourceRef fields
+	if crd.Spec.Release.Chart.SourceRef.Kind == "" ||
+		crd.Spec.Release.Chart.SourceRef.Name == "" ||
+		crd.Spec.Release.Chart.SourceRef.Namespace == "" {
+		logger.Error(fmt.Errorf("invalid SourceRef in CRD"), "Skipping HelmRelease chart update: SourceRef fields are incomplete",
+			"crd", crd.Name,
+			"kind", crd.Spec.Release.Chart.SourceRef.Kind,
+			"name", crd.Spec.Release.Chart.SourceRef.Name,
+			"namespace", crd.Spec.Release.Chart.SourceRef.Namespace)
+		return nil
+	}
+
+	// Get version and reconcileStrategy from CRD or use defaults
+	version := ">= 0.0.0-0"
+	reconcileStrategy := "Revision"
+	// TODO: Add Version and ReconcileStrategy fields to CozystackResourceDefinitionChart if needed
+
+	// Build expected SourceRef
+	expectedSourceRef := helmv2.CrossNamespaceObjectReference{
+		Kind:      crd.Spec.Release.Chart.SourceRef.Kind,
+		Name:      crd.Spec.Release.Chart.SourceRef.Name,
+		Namespace: crd.Spec.Release.Chart.SourceRef.Namespace,
+	}
+
+	if hrCopy.Spec.Chart == nil {
+		// Need to create Chart spec
+		hrCopy.Spec.Chart = &helmv2.HelmChartTemplate{
+			Spec: helmv2.HelmChartTemplateSpec{
+				Chart:             crd.Spec.Release.Chart.Name,
+				Version:           version,
+				ReconcileStrategy: reconcileStrategy,
+				SourceRef:         expectedSourceRef,
+			},
+		}
+		updated = true
+	} else {
+		// Update existing Chart spec
+		if hrCopy.Spec.Chart.Spec.Chart != crd.Spec.Release.Chart.Name ||
+			hrCopy.Spec.Chart.Spec.SourceRef != expectedSourceRef {
+			hrCopy.Spec.Chart.Spec.Chart = crd.Spec.Release.Chart.Name
+			hrCopy.Spec.Chart.Spec.SourceRef = expectedSourceRef
+			updated = true
+		}
+	}
+
+	if updated {
+		logger.V(4).Info("Updating HelmRelease chart", "name", hr.Name, "namespace", hr.Namespace)
+		if err := r.Update(ctx, hrCopy); err != nil {
+			return fmt.Errorf("failed to update HelmRelease: %w", err)
+		}
+	}
+
+	return nil
+}
+

internal/controller/dashboard/breadcrumb.go

@@ -14,7 +14,7 @@ import (
 )
 
 // ensureBreadcrumb creates or updates a Breadcrumb resource for the given CRD
-func (m *Manager) ensureBreadcrumb(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) error {
+func (m *Manager) ensureBreadcrumb(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) error {
 	group, version, kind := pickGVK(crd)
 
 	lowerKind := strings.ToLower(kind)

internal/controller/dashboard/customcolumns.go

@@ -21,7 +21,7 @@ import (
 //
 //	metadata.name: stock-namespace-<group>.<version>.<plural>
 //	spec.id:       stock-namespace-/<group>/<version>/<plural>
-func (m *Manager) ensureCustomColumnsOverride(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) (controllerutil.OperationResult, error) {
+func (m *Manager) ensureCustomColumnsOverride(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) (controllerutil.OperationResult, error) {
 	g, v, kind := pickGVK(crd)
 	plural := pickPlural(kind, crd)
 	// Details page segment uses lowercase kind, mirroring your example

internal/controller/dashboard/customformsoverride.go

@@ -15,7 +15,7 @@ import (
 )
 
 // ensureCustomFormsOverride creates or updates a CustomFormsOverride resource for the given CRD
-func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) error {
+func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) error {
 	g, v, kind := pickGVK(crd)
 	plural := pickPlural(kind, crd)
 
@@ -105,8 +105,26 @@ func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
 		"properties": map[string]any{},
 	}
 
+	// Check if there's a spec property
+	specProp, ok := props["spec"].(map[string]any)
+	if !ok {
+		return map[string]any{}, nil
+	}
+
+	specProps, ok := specProp["properties"].(map[string]any)
+	if !ok {
+		return map[string]any{}, nil
+	}
+
+	// Create spec.properties structure in schema
+	schemaProps := schema["properties"].(map[string]any)
+	specSchema := map[string]any{
+		"properties": map[string]any{},
+	}
+	schemaProps["spec"] = specSchema
+
 	// Process spec properties recursively
-	processSpecProperties(props, schema["properties"].(map[string]any))
+	processSpecProperties(specProps, specSchema["properties"].(map[string]any))
 
 	return schema, nil
 }

internal/controller/dashboard/customformsoverride_test.go

@@ -9,41 +9,46 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 	// Test OpenAPI schema with various field types
 	openAPISchema := `{
 		"properties": {
-			"simpleString": {
-				"type": "string",
-				"description": "A simple string field"
-			},
-			"stringWithEnum": {
-				"type": "string",
-				"enum": ["option1", "option2"],
-				"description": "String with enum should be skipped"
-			},
-			"numberField": {
-				"type": "number",
-				"description": "Number field should be skipped"
-			},
-			"nestedObject": {
+			"spec": {
 				"type": "object",
 				"properties": {
-					"nestedString": {
+					"simpleString": {
 						"type": "string",
-						"description": "Nested string should get multilineString"
+						"description": "A simple string field"
 					},
-					"nestedStringWithEnum": {
+					"stringWithEnum": {
 						"type": "string",
-						"enum": ["a", "b"],
-						"description": "Nested string with enum should be skipped"
-					}
-				}
-			},
-			"arrayOfObjects": {
-				"type": "array",
-				"items": {
-					"type": "object",
-					"properties": {
-						"itemString": {
-							"type": "string",
-							"description": "String in array item"
+						"enum": ["option1", "option2"],
+						"description": "String with enum should be skipped"
+					},
+					"numberField": {
+						"type": "number",
+						"description": "Number field should be skipped"
+					},
+					"nestedObject": {
+						"type": "object",
+						"properties": {
+							"nestedString": {
+								"type": "string",
+								"description": "Nested string should get multilineString"
+							},
+							"nestedStringWithEnum": {
+								"type": "string",
+								"enum": ["a", "b"],
+								"description": "Nested string with enum should be skipped"
+							}
+						}
+					},
+					"arrayOfObjects": {
+						"type": "array",
+						"items": {
+							"type": "object",
+							"properties": {
+								"itemString": {
+									"type": "string",
+									"description": "String in array item"
+								}
+							}
 						}
 					}
 				}
@@ -70,33 +75,44 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 		t.Fatal("schema.properties is not a map")
 	}
 
-	// Check simpleString
-	simpleString, ok := props["simpleString"].(map[string]any)
+	// Check spec property exists
+	spec, ok := props["spec"].(map[string]any)
 	if !ok {
-		t.Fatal("simpleString not found in properties")
+		t.Fatal("spec not found in properties")
+	}
+
+	specProps, ok := spec["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("spec.properties is not a map")
+	}
+
+	// Check simpleString
+	simpleString, ok := specProps["simpleString"].(map[string]any)
+	if !ok {
+		t.Fatal("simpleString not found in spec.properties")
 	}
 	if simpleString["type"] != "multilineString" {
 		t.Errorf("simpleString should have type multilineString, got %v", simpleString["type"])
 	}
 
 	// Check stringWithEnum should not be present (or should not have multilineString)
-	if stringWithEnum, ok := props["stringWithEnum"].(map[string]any); ok {
+	if stringWithEnum, ok := specProps["stringWithEnum"].(map[string]any); ok {
 		if stringWithEnum["type"] == "multilineString" {
 			t.Error("stringWithEnum should not have multilineString type")
 		}
 	}
 
 	// Check numberField should not be present
-	if numberField, ok := props["numberField"].(map[string]any); ok {
+	if numberField, ok := specProps["numberField"].(map[string]any); ok {
 		if numberField["type"] != nil {
 			t.Error("numberField should not have any type override")
 		}
 	}
 
 	// Check nested object
-	nestedObject, ok := props["nestedObject"].(map[string]any)
+	nestedObject, ok := specProps["nestedObject"].(map[string]any)
 	if !ok {
-		t.Fatal("nestedObject not found in properties")
+		t.Fatal("nestedObject not found in spec.properties")
 	}
 	nestedProps, ok := nestedObject["properties"].(map[string]any)
 	if !ok {
@@ -113,9 +129,9 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 	}
 
 	// Check array of objects
-	arrayOfObjects, ok := props["arrayOfObjects"].(map[string]any)
+	arrayOfObjects, ok := specProps["arrayOfObjects"].(map[string]any)
 	if !ok {
-		t.Fatal("arrayOfObjects not found in properties")
+		t.Fatal("arrayOfObjects not found in spec.properties")
 	}
 	items, ok := arrayOfObjects["items"].(map[string]any)
 	if !ok {

internal/controller/dashboard/customformsprefill.go

@@ -16,7 +16,7 @@ import (
 )
 
 // ensureCustomFormsPrefill creates or updates a CustomFormsPrefill resource for the given CRD
-func (m *Manager) ensureCustomFormsPrefill(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) (reconcile.Result, error) {
+func (m *Manager) ensureCustomFormsPrefill(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) (reconcile.Result, error) {
 	logger := log.FromContext(ctx)
 
 	app := crd.Spec.Application

internal/controller/dashboard/factory.go

@@ -15,7 +15,7 @@ import (
 )
 
 // ensureFactory creates or updates a Factory resource for the given CRD
-func (m *Manager) ensureFactory(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) error {
+func (m *Manager) ensureFactory(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) error {
 	g, v, kind := pickGVK(crd)
 	plural := pickPlural(kind, crd)
 
@@ -557,7 +557,7 @@ type factoryFlags struct {
 
 // factoryFeatureFlags tries several conventional locations so you can evolve the API
 // without breaking the controller. Defaults are false (hidden).
-func factoryFeatureFlags(crd *cozyv1alpha1.ApplicationDefinition) factoryFlags {
+func factoryFeatureFlags(crd *cozyv1alpha1.CozystackResourceDefinition) factoryFlags {
 	var f factoryFlags
 
 	f.Workloads = true

internal/controller/dashboard/helpers.go

@@ -23,7 +23,7 @@ type fieldInfo struct {
 
 // pickGVK tries to read group/version/kind from the CRD. We prefer the "application" section,
 // falling back to other likely fields if your schema differs.
-func pickGVK(crd *cozyv1alpha1.ApplicationDefinition) (group, version, kind string) {
+func pickGVK(crd *cozyv1alpha1.CozystackResourceDefinition) (group, version, kind string) {
 	// Best guess based on your examples:
 	if crd.Spec.Application.Kind != "" {
 		kind = crd.Spec.Application.Kind
@@ -41,7 +41,7 @@ func pickGVK(crd *cozyv1alpha1.ApplicationDefinition) (group, version, kind stri
 }
 
 // pickPlural prefers a field on the CRD if you have it; otherwise do a simple lowercase + "s".
-func pickPlural(kind string, crd *cozyv1alpha1.ApplicationDefinition) string {
+func pickPlural(kind string, crd *cozyv1alpha1.CozystackResourceDefinition) string {
 	// If you have crd.Spec.Application.Plural, prefer it. Example:
 	if crd.Spec.Application.Plural != "" {
 		return crd.Spec.Application.Plural

internal/controller/dashboard/manager.go

@@ -56,7 +56,7 @@ func NewManager(c client.Client, scheme *runtime.Scheme) *Manager {
 func (m *Manager) SetupWithManager(mgr ctrl.Manager) error {
 	if err := ctrl.NewControllerManagedBy(mgr).
 		Named("dashboard-reconciler").
-		For(&cozyv1alpha1.ApplicationDefinition{}).
+		For(&cozyv1alpha1.CozystackResourceDefinition{}).
 		Complete(m); err != nil {
 		return err
 	}
@@ -72,7 +72,7 @@ func (m *Manager) SetupWithManager(mgr ctrl.Manager) error {
 func (m *Manager) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	l := log.FromContext(ctx)
 
-	crd := &cozyv1alpha1.ApplicationDefinition{}
+	crd := &cozyv1alpha1.CozystackResourceDefinition{}
 
 	err := m.Get(ctx, types.NamespacedName{Name: req.Name}, crd)
 	if err != nil {
@@ -99,7 +99,7 @@ func (m *Manager) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result,
 //   - ensureMarketplacePanel      (implemented)
 //   - ensureSidebar               (implemented)
 //   - ensureTableUriMapping 	     (implemented)
-func (m *Manager) EnsureForCRD(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) (reconcile.Result, error) {
+func (m *Manager) EnsureForCRD(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) (reconcile.Result, error) {
 	// Early return if crd.Spec.Dashboard is nil to prevent oscillation
 	if crd.Spec.Dashboard == nil {
 		return reconcile.Result{}, nil
@@ -148,7 +148,7 @@ func (m *Manager) InitializeStaticResources(ctx context.Context) error {
 }
 
 // addDashboardLabels adds standard dashboard management labels to a resource
-func (m *Manager) addDashboardLabels(obj client.Object, crd *cozyv1alpha1.ApplicationDefinition, resourceType string) {
+func (m *Manager) addDashboardLabels(obj client.Object, crd *cozyv1alpha1.CozystackResourceDefinition, resourceType string) {
 	labels := obj.GetLabels()
 	if labels == nil {
 		labels = make(map[string]string)
@@ -197,7 +197,7 @@ func (m *Manager) getStaticResourceSelector() client.MatchingLabels {
 // CleanupOrphanedResources removes dashboard resources that are no longer needed
 // This should be called after cache warming to ensure all current resources are known
 func (m *Manager) CleanupOrphanedResources(ctx context.Context) error {
-	var crdList cozyv1alpha1.ApplicationDefinitionList
+	var crdList cozyv1alpha1.CozystackResourceDefinitionList
 	if err := m.List(ctx, &crdList, &client.ListOptions{}); err != nil {
 		return err
 	}
@@ -228,7 +228,7 @@ func (m *Manager) CleanupOrphanedResources(ctx context.Context) error {
 }
 
 // buildExpectedResourceSet creates a map of expected resource names by type
-func (m *Manager) buildExpectedResourceSet(crds []cozyv1alpha1.ApplicationDefinition) map[string]map[string]bool {
+func (m *Manager) buildExpectedResourceSet(crds []cozyv1alpha1.CozystackResourceDefinition) map[string]map[string]bool {
 	expected := make(map[string]map[string]bool)
 
 	// Initialize maps for each resource type

internal/controller/dashboard/marketplacepanel.go

@@ -16,7 +16,7 @@ import (
 )
 
 // ensureMarketplacePanel creates or updates a MarketplacePanel resource for the given CRD
-func (m *Manager) ensureMarketplacePanel(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) (reconcile.Result, error) {
+func (m *Manager) ensureMarketplacePanel(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) (reconcile.Result, error) {
 	logger := log.FromContext(ctx)
 
 	mp := &dashv1alpha1.MarketplacePanel{}

internal/controller/dashboard/sidebar.go

@@ -28,12 +28,12 @@ import (
 //   - Categories are ordered strictly as:
 //     Marketplace, IaaS, PaaS, NaaS, <others A→Z>, Resources, Administration
 //   - Items within each category: sort by Weight (desc), then Label (A→Z).
-func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) error {
+func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) error {
 	// Build the full menu once.
 
 	// 1) Fetch all CRDs
-	var all []cozyv1alpha1.ApplicationDefinition
-	var crdList cozyv1alpha1.ApplicationDefinitionList
+	var all []cozyv1alpha1.CozystackResourceDefinition
+	var crdList cozyv1alpha1.CozystackResourceDefinitionList
 	if err := m.List(ctx, &crdList, &client.ListOptions{}); err != nil {
 		return err
 	}
@@ -228,7 +228,7 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 // upsertMultipleSidebars creates/updates several Sidebar resources with the same menu spec.
 func (m *Manager) upsertMultipleSidebars(
 	ctx context.Context,
-	crd *cozyv1alpha1.ApplicationDefinition,
+	crd *cozyv1alpha1.CozystackResourceDefinition,
 	ids []string,
 	keysAndTags map[string]any,
 	menuItems []any,
@@ -335,7 +335,7 @@ func orderCategoryLabels[T any](cats map[string][]T) []string {
 }
 
 // safeCategory returns spec.dashboard.category or "Resources" if not set.
-func safeCategory(def *cozyv1alpha1.ApplicationDefinition) string {
+func safeCategory(def *cozyv1alpha1.CozystackResourceDefinition) string {
 	if def == nil || def.Spec.Dashboard == nil {
 		return "Resources"
 	}

internal/controller/dashboard/tableurimapping.go

@@ -7,7 +7,7 @@ import (
 )
 
 // ensureTableUriMapping creates or updates a TableUriMapping resource for the given CRD
-func (m *Manager) ensureTableUriMapping(ctx context.Context, crd *cozyv1alpha1.ApplicationDefinition) error {
+func (m *Manager) ensureTableUriMapping(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) error {
 	// Links are fully managed by the CustomColumnsOverride.
 	return nil
 }

internal/controller/namespace_helm_reconciler.go

@@ -1,170 +0,0 @@
-/*
-Copyright 2025.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controller
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-
-	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-
-	"github.com/cozystack/cozystack/pkg/cozylib"
-)
-
-// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch
-// +kubebuilder:rbac:groups=helm.toolkit.fluxcd.io,resources=helmreleases,verbs=get;list;watch;update;patch
-type NamespaceHelmReconciler struct {
-	client.Client
-	Scheme *runtime.Scheme
-}
-
-// Reconcile processes namespace changes and updates HelmReleases with namespace labels
-func (r *NamespaceHelmReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	logger := log.FromContext(ctx)
-
-	// Get the namespace
-	namespace := &corev1.Namespace{}
-	if err := r.Get(ctx, req.NamespacedName, namespace); err != nil {
-		logger.Error(err, "unable to fetch Namespace")
-		return ctrl.Result{}, client.IgnoreNotFound(err)
-	}
-
-		// Extract namespace.cozystack.io/* annotations
-		namespaceLabels := cozylib.ExtractNamespaceAnnotations(namespace)
-	if len(namespaceLabels) == 0 {
-		// No namespace labels to process, skip
-		return ctrl.Result{}, nil
-	}
-
-	logger.Info("processing namespace labels", "namespace", namespace.Name, "labels", namespaceLabels)
-
-	// List all HelmReleases in this namespace
-	helmReleaseList := &helmv2.HelmReleaseList{}
-	if err := r.List(ctx, helmReleaseList, client.InNamespace(namespace.Name)); err != nil {
-		logger.Error(err, "unable to list HelmReleases in namespace", "namespace", namespace.Name)
-		return ctrl.Result{}, err
-	}
-
-	// Update each HelmRelease with namespace labels
-	updated := 0
-	for i := range helmReleaseList.Items {
-		hr := &helmReleaseList.Items[i]
-		if err := r.updateHelmReleaseWithNamespaceLabels(ctx, hr, namespaceLabels); err != nil {
-			logger.Error(err, "failed to update HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
-			continue
-		}
-		updated++
-	}
-
-	if updated > 0 {
-		logger.Info("updated HelmReleases with namespace labels", "namespace", namespace.Name, "count", updated)
-	}
-
-	return ctrl.Result{}, nil
-}
-
-
-// updateHelmReleaseWithNamespaceLabels updates HelmRelease values with namespace labels
-func (r *NamespaceHelmReconciler) updateHelmReleaseWithNamespaceLabels(ctx context.Context, hr *helmv2.HelmRelease, namespaceLabels map[string]string) error {
-	logger := log.FromContext(ctx)
-
-	// Parse current values
-	var valuesMap map[string]interface{}
-	if hr.Spec.Values != nil && len(hr.Spec.Values.Raw) > 0 {
-		if err := json.Unmarshal(hr.Spec.Values.Raw, &valuesMap); err != nil {
-			return fmt.Errorf("failed to unmarshal HelmRelease values: %w", err)
-		}
-	} else {
-		valuesMap = make(map[string]interface{})
-	}
-
-	// Convert namespaceLabels from map[string]string to map[string]interface{}
-	namespaceLabelsMap := make(map[string]interface{})
-	for k, v := range namespaceLabels {
-		namespaceLabelsMap[k] = v
-	}
-
-	// Check if namespace labels need to be updated (top-level _namespace field)
-	needsUpdate := false
-	currentNamespace, exists := valuesMap["_namespace"]
-	if !exists {
-		needsUpdate = true
-		valuesMap["_namespace"] = namespaceLabelsMap
-	} else {
-		currentNamespaceMap, ok := currentNamespace.(map[string]interface{})
-		if !ok {
-			needsUpdate = true
-			valuesMap["_namespace"] = namespaceLabelsMap
-		} else {
-			// Compare and update if different
-			for k, v := range namespaceLabelsMap {
-				if currentVal, exists := currentNamespaceMap[k]; !exists || currentVal != v {
-					needsUpdate = true
-					currentNamespaceMap[k] = v
-				}
-			}
-			// Remove keys that are no longer in namespace labels
-			for k := range currentNamespaceMap {
-				if _, exists := namespaceLabelsMap[k]; !exists {
-					needsUpdate = true
-					delete(currentNamespaceMap, k)
-				}
-			}
-			if needsUpdate {
-				valuesMap["_namespace"] = currentNamespaceMap
-			}
-		}
-	}
-
-	if !needsUpdate {
-		// No changes needed
-		return nil
-	}
-
-	// Marshal back to JSON
-	mergedJSON, err := json.Marshal(valuesMap)
-	if err != nil {
-		return fmt.Errorf("failed to marshal values with namespace labels: %w", err)
-	}
-
-	// Update HelmRelease
-	patchTarget := hr.DeepCopy()
-	patchTarget.Spec.Values = &apiextensionsv1.JSON{Raw: mergedJSON}
-
-	patch := client.MergeFrom(hr)
-	if err := r.Patch(ctx, patchTarget, patch); err != nil {
-		return fmt.Errorf("failed to patch HelmRelease: %w", err)
-	}
-
-	logger.Info("updated HelmRelease with namespace labels", "name", hr.Name, "namespace", hr.Namespace)
-	return nil
-}
-
-// SetupWithManager sets up the controller with the Manager
-func (r *NamespaceHelmReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Namespace{}).
-		Complete(r)
-}
-

internal/controller/system_helm_reconciler.go

@@ -0,0 +1,140 @@
+package controller
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"sort"
+	"time"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	corev1 "k8s.io/api/core/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+)
+
+type CozystackConfigReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+var configMapNames = []string{"cozystack", "cozystack-branding", "cozystack-scheduling"}
+
+const configMapNamespace = "cozy-system"
+const digestAnnotation = "cozystack.io/cozy-config-digest"
+const forceReconcileKey = "reconcile.fluxcd.io/forceAt"
+const requestedAt = "reconcile.fluxcd.io/requestedAt"
+
+func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx)
+	time.Sleep(2 * time.Second)
+
+	digest, err := r.computeDigest(ctx)
+	if err != nil {
+		log.Error(err, "failed to compute config digest")
+		return ctrl.Result{}, nil
+	}
+
+	var helmList helmv2.HelmReleaseList
+	if err := r.List(ctx, &helmList); err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to list HelmReleases: %w", err)
+	}
+
+	now := time.Now().Format(time.RFC3339Nano)
+	updated := 0
+
+	for _, hr := range helmList.Items {
+		isSystemApp := hr.Labels["cozystack.io/system-app"] == "true"
+		isTenantRoot := hr.Namespace == "tenant-root" && hr.Name == "tenant-root"
+		if !isSystemApp && !isTenantRoot {
+			continue
+		}
+		patchTarget := hr.DeepCopy()
+
+		if hr.Annotations == nil {
+			hr.Annotations = map[string]string{}
+		}
+
+		if hr.Annotations[digestAnnotation] == digest {
+			continue
+		}
+		patchTarget.Annotations[digestAnnotation] = digest
+		patchTarget.Annotations[forceReconcileKey] = now
+		patchTarget.Annotations[requestedAt] = now
+
+		patch := client.MergeFrom(hr.DeepCopy())
+		if err := r.Patch(ctx, patchTarget, patch); err != nil {
+			log.Error(err, "failed to patch HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
+			continue
+		}
+		updated++
+		log.Info("patched HelmRelease with new config digest", "name", hr.Name, "namespace", hr.Namespace)
+	}
+
+	log.Info("finished reconciliation", "updatedHelmReleases", updated)
+	return ctrl.Result{}, nil
+}
+
+func (r *CozystackConfigReconciler) computeDigest(ctx context.Context) (string, error) {
+	hash := sha256.New()
+
+	for _, name := range configMapNames {
+		var cm corev1.ConfigMap
+		err := r.Get(ctx, client.ObjectKey{Namespace: configMapNamespace, Name: name}, &cm)
+		if err != nil {
+			if kerrors.IsNotFound(err) {
+				continue // ignore missing
+			}
+			return "", err
+		}
+
+		// Sort keys for consistent hashing
+		var keys []string
+		for k := range cm.Data {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+
+		for _, k := range keys {
+			v := cm.Data[k]
+			fmt.Fprintf(hash, "%s:%s=%s\n", name, k, v)
+		}
+	}
+
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
+
+func (r *CozystackConfigReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		WithEventFilter(predicate.Funcs{
+			UpdateFunc: func(e event.UpdateEvent) bool {
+				cm, ok := e.ObjectNew.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+			CreateFunc: func(e event.CreateEvent) bool {
+				cm, ok := e.Object.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+			DeleteFunc: func(e event.DeleteEvent) bool {
+				cm, ok := e.Object.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+		}).
+		For(&corev1.ConfigMap{}).
+		Complete(r)
+}
+
+func contains(slice []string, val string) bool {
+	for _, s := range slice {
+		if s == val {
+			return true
+		}
+	}
+	return false
+}

internal/controller/tenant_helm_reconciler.go

@@ -0,0 +1,159 @@
+package controller
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	e "errors"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	"gopkg.in/yaml.v2"
+	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+type TenantHelmReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *TenantHelmReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+	time.Sleep(2 * time.Second)
+
+	hr := &helmv2.HelmRelease{}
+	if err := r.Get(ctx, req.NamespacedName, hr); err != nil {
+		if errors.IsNotFound(err) {
+			return ctrl.Result{}, nil
+		}
+		logger.Error(err, "unable to fetch HelmRelease")
+		return ctrl.Result{}, err
+	}
+
+	if !strings.HasPrefix(hr.Name, "tenant-") {
+		return ctrl.Result{}, nil
+	}
+
+	if len(hr.Status.Conditions) == 0 || hr.Status.Conditions[0].Type != "Ready" {
+		return ctrl.Result{}, nil
+	}
+
+	if len(hr.Status.History) == 0 {
+		logger.Info("no history in HelmRelease status", "name", hr.Name)
+		return ctrl.Result{}, nil
+	}
+
+	if hr.Status.History[0].Status != "deployed" {
+		return ctrl.Result{}, nil
+	}
+
+	newDigest := hr.Status.History[0].Digest
+	var hrList helmv2.HelmReleaseList
+	childNamespace := getChildNamespace(hr.Namespace, hr.Name)
+	if childNamespace == "tenant-root" && hr.Name == "tenant-root" {
+		if hr.Spec.Values == nil {
+			logger.Error(e.New("hr.Spec.Values is nil"), "cant annotate tenant-root ns")
+			return ctrl.Result{}, nil
+		}
+		err := annotateTenantRootNs(*hr.Spec.Values, r.Client)
+		if err != nil {
+			logger.Error(err, "cant annotate tenant-root ns")
+			return ctrl.Result{}, nil
+		}
+		logger.Info("namespace 'tenant-root' annotated")
+	}
+
+	if err := r.List(ctx, &hrList, client.InNamespace(childNamespace)); err != nil {
+		logger.Error(err, "unable to list HelmReleases in namespace", "namespace", hr.Name)
+		return ctrl.Result{}, err
+	}
+
+	for _, item := range hrList.Items {
+		if item.Name == hr.Name {
+			continue
+		}
+		oldDigest := item.GetAnnotations()["cozystack.io/tenant-config-digest"]
+		if oldDigest == newDigest {
+			continue
+		}
+		patchTarget := item.DeepCopy()
+
+		if patchTarget.Annotations == nil {
+			patchTarget.Annotations = map[string]string{}
+		}
+		ts := time.Now().Format(time.RFC3339Nano)
+
+		patchTarget.Annotations["cozystack.io/tenant-config-digest"] = newDigest
+		patchTarget.Annotations["reconcile.fluxcd.io/forceAt"] = ts
+		patchTarget.Annotations["reconcile.fluxcd.io/requestedAt"] = ts
+
+		patch := client.MergeFrom(item.DeepCopy())
+		if err := r.Patch(ctx, patchTarget, patch); err != nil {
+			logger.Error(err, "failed to patch HelmRelease", "name", patchTarget.Name)
+			continue
+		}
+
+		logger.Info("patched HelmRelease with new digest", "name", patchTarget.Name, "digest", newDigest, "version", hr.Status.History[0].Version)
+	}
+
+	return ctrl.Result{}, nil
+}
+
+func (r *TenantHelmReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&helmv2.HelmRelease{}).
+		Complete(r)
+}
+
+func getChildNamespace(currentNamespace, hrName string) string {
+	tenantName := strings.TrimPrefix(hrName, "tenant-")
+
+	switch {
+	case currentNamespace == "tenant-root" && hrName == "tenant-root":
+		// 1) root tenant inside root namespace
+		return "tenant-root"
+
+	case currentNamespace == "tenant-root":
+		// 2) any other tenant in root namespace
+		return fmt.Sprintf("tenant-%s", tenantName)
+
+	default:
+		// 3) tenant in a dedicated namespace
+		return fmt.Sprintf("%s-%s", currentNamespace, tenantName)
+	}
+}
+
+func annotateTenantRootNs(values apiextensionsv1.JSON, c client.Client) error {
+	var data map[string]interface{}
+	if err := yaml.Unmarshal(values.Raw, &data); err != nil {
+		return fmt.Errorf("failed to parse HelmRelease values: %w", err)
+	}
+
+	host, ok := data["host"].(string)
+	if !ok || host == "" {
+		return fmt.Errorf("host field not found or not a string")
+	}
+
+	var ns corev1.Namespace
+	if err := c.Get(context.TODO(), client.ObjectKey{Name: "tenant-root"}, &ns); err != nil {
+		return fmt.Errorf("failed to get namespace tenant-root: %w", err)
+	}
+
+	if ns.Annotations == nil {
+		ns.Annotations = map[string]string{}
+	}
+	ns.Annotations["namespace.cozystack.io/host"] = host
+
+	if err := c.Update(context.TODO(), &ns); err != nil {
+		return fmt.Errorf("failed to update namespace: %w", err)
+	}
+
+	return nil
+}

internal/fluxinstall/install.go

@@ -1,352 +0,0 @@
-/*
-Copyright 2025 The Cozystack Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package fluxinstall
-
-import (
-	"bufio"
-	"bytes"
-	"context"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/serializer/yaml"
-	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-)
-
-// Install installs Flux components using embedded manifests.
-// It extracts the manifests and applies them to the cluster.
-// The namespace is automatically determined from the Namespace object in the manifests.
-func Install(ctx context.Context, k8sClient client.Client, writeEmbeddedManifests func(string) error) error {
-	logger := log.FromContext(ctx)
-
-	// Create temporary directory for manifests
-	tmpDir, err := os.MkdirTemp("", "flux-install-*")
-	if err != nil {
-		return fmt.Errorf("failed to create temp directory: %w", err)
-	}
-	defer os.RemoveAll(tmpDir)
-
-	// Extract embedded manifests (generated by cozypkg)
-	manifestsDir := filepath.Join(tmpDir, "manifests")
-	if err := os.MkdirAll(manifestsDir, 0755); err != nil {
-		return fmt.Errorf("failed to create manifests directory: %w", err)
-	}
-
-	if err := writeEmbeddedManifests(manifestsDir); err != nil {
-		return fmt.Errorf("failed to extract embedded manifests: %w", err)
-	}
-
-	// Find the manifest file (should be fluxcd.yaml from cozypkg)
-	manifestPath := filepath.Join(manifestsDir, "fluxcd.yaml")
-	if _, err := os.Stat(manifestPath); err != nil {
-		// Try to find any YAML file if fluxcd.yaml doesn't exist
-		entries, err := os.ReadDir(manifestsDir)
-		if err != nil {
-			return fmt.Errorf("failed to read manifests directory: %w", err)
-		}
-		for _, entry := range entries {
-			if strings.HasSuffix(entry.Name(), ".yaml") {
-				manifestPath = filepath.Join(manifestsDir, entry.Name())
-				break
-			}
-		}
-	}
-
-	// Parse and apply manifests
-	objects, err := parseManifests(manifestPath)
-	if err != nil {
-		return fmt.Errorf("failed to parse manifests: %w", err)
-	}
-
-	if len(objects) == 0 {
-		return fmt.Errorf("no objects found in manifests")
-	}
-
-	// Inject KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT if set in operator environment
-	if err := injectKubernetesServiceEnv(objects); err != nil {
-		logger.Info("Failed to inject KUBERNETES_SERVICE_* env vars, continuing anyway", "error", err)
-	}
-
-	// Extract namespace from Namespace object in manifests
-	namespace, err := extractNamespace(objects)
-	if err != nil {
-		return fmt.Errorf("failed to extract namespace from manifests: %w", err)
-	}
-
-	logger.Info("Installing Flux components", "namespace", namespace)
-
-	// Apply manifests using server-side apply
-	logger.Info("Applying Flux manifests", "count", len(objects), "manifest", manifestPath, "namespace", namespace)
-	if err := applyManifests(ctx, k8sClient, objects); err != nil {
-		return fmt.Errorf("failed to apply manifests: %w", err)
-	}
-
-	logger.Info("Flux installation completed successfully")
-	return nil
-}
-
-// parseManifests parses YAML manifests into unstructured objects.
-func parseManifests(manifestPath string) ([]*unstructured.Unstructured, error) {
-	data, err := os.ReadFile(manifestPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read manifest file: %w", err)
-	}
-
-	return readYAMLObjects(bytes.NewReader(data))
-}
-
-// readYAMLObjects parses multi-document YAML into unstructured objects.
-func readYAMLObjects(reader io.Reader) ([]*unstructured.Unstructured, error) {
-	var objects []*unstructured.Unstructured
-	yamlReader := k8syaml.NewYAMLReader(bufio.NewReader(reader))
-
-	for {
-		doc, err := yamlReader.Read()
-		if err != nil {
-			if err == io.EOF {
-				break
-			}
-			return nil, fmt.Errorf("failed to read YAML document: %w", err)
-		}
-
-		// Skip empty documents
-		if len(bytes.TrimSpace(doc)) == 0 {
-			continue
-		}
-
-		obj := &unstructured.Unstructured{}
-		decoder := k8syaml.NewYAMLOrJSONDecoder(bytes.NewReader(doc), len(doc))
-		if err := decoder.Decode(obj); err != nil {
-			// Skip documents that can't be decoded (might be comments or empty)
-			if err == io.EOF {
-				continue
-			}
-			return nil, fmt.Errorf("failed to decode YAML document: %w", err)
-		}
-
-		// Skip empty objects (no kind)
-		if obj.GetKind() == "" {
-			continue
-		}
-
-		objects = append(objects, obj)
-	}
-
-	return objects, nil
-}
-
-// applyManifests applies Kubernetes objects using server-side apply.
-func applyManifests(ctx context.Context, k8sClient client.Client, objects []*unstructured.Unstructured) error {
-	logger := log.FromContext(ctx)
-	decoder := yaml.NewDecodingSerializer(unstructured.UnstructuredJSONScheme)
-
-	// Separate CRDs and namespaces from other resources
-	var stageOne []*unstructured.Unstructured // CRDs and Namespaces
-	var stageTwo []*unstructured.Unstructured // Everything else
-
-	for _, obj := range objects {
-		if isClusterDefinition(obj) {
-			stageOne = append(stageOne, obj)
-		} else {
-			stageTwo = append(stageTwo, obj)
-		}
-	}
-
-	// Apply stage one (CRDs and Namespaces) first
-	if len(stageOne) > 0 {
-		logger.Info("Applying cluster definitions", "count", len(stageOne))
-		if err := applyObjects(ctx, k8sClient, decoder, stageOne); err != nil {
-			return fmt.Errorf("failed to apply cluster definitions: %w", err)
-		}
-
-		// Wait a bit for CRDs to be registered
-		time.Sleep(2 * time.Second)
-	}
-
-	// Apply stage two (everything else)
-	if len(stageTwo) > 0 {
-		logger.Info("Applying resources", "count", len(stageTwo))
-		if err := applyObjects(ctx, k8sClient, decoder, stageTwo); err != nil {
-			return fmt.Errorf("failed to apply resources: %w", err)
-		}
-	}
-
-	return nil
-}
-
-// applyObjects applies a list of objects using server-side apply.
-func applyObjects(ctx context.Context, k8sClient client.Client, decoder runtime.Decoder, objects []*unstructured.Unstructured) error {
-	for _, obj := range objects {
-		// Use server-side apply with force ownership and field manager
-		// FieldManager is required for apply patch operations
-		patchOptions := &client.PatchOptions{
-			FieldManager: "cozystack-operator",
-			Force:        func() *bool { b := true; return &b }(),
-		}
-
-		if err := k8sClient.Patch(ctx, obj, client.Apply, patchOptions); err != nil {
-			return fmt.Errorf("failed to apply object %s/%s: %w", obj.GetKind(), obj.GetName(), err)
-		}
-	}
-	return nil
-}
-
-
-// extractNamespace extracts the namespace name from the Namespace object in the manifests.
-func extractNamespace(objects []*unstructured.Unstructured) (string, error) {
-	for _, obj := range objects {
-		if obj.GetKind() == "Namespace" {
-			namespace := obj.GetName()
-			if namespace == "" {
-				return "", fmt.Errorf("Namespace object has no name")
-			}
-			return namespace, nil
-		}
-	}
-	return "", fmt.Errorf("no Namespace object found in manifests")
-}
-
-// isClusterDefinition checks if an object is a CRD or Namespace.
-func isClusterDefinition(obj *unstructured.Unstructured) bool {
-	kind := obj.GetKind()
-	return kind == "CustomResourceDefinition" || kind == "Namespace"
-}
-
-// injectKubernetesServiceEnv injects KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT
-// environment variables into all containers of Deployment, StatefulSet, and DaemonSet objects
-// if these variables are set in the operator's environment.
-func injectKubernetesServiceEnv(objects []*unstructured.Unstructured) error {
-	kubernetesHost := os.Getenv("KUBERNETES_SERVICE_HOST")
-	kubernetesPort := os.Getenv("KUBERNETES_SERVICE_PORT")
-
-	// If neither variable is set, nothing to do
-	if kubernetesHost == "" && kubernetesPort == "" {
-		return nil
-	}
-
-	for _, obj := range objects {
-		kind := obj.GetKind()
-		if kind != "Deployment" && kind != "StatefulSet" && kind != "DaemonSet" {
-			continue
-		}
-
-		// Navigate to spec.template.spec.containers
-		spec, found, err := unstructured.NestedMap(obj.Object, "spec", "template", "spec")
-		if !found || err != nil {
-			continue
-		}
-
-		// Update containers
-		containers, found, err := unstructured.NestedSlice(spec, "containers")
-		if found && err == nil {
-			containers = updateContainersEnv(containers, kubernetesHost, kubernetesPort)
-			if err := unstructured.SetNestedSlice(spec, containers, "containers"); err != nil {
-				continue
-			}
-		}
-
-		// Update initContainers
-		initContainers, found, err := unstructured.NestedSlice(spec, "initContainers")
-		if found && err == nil {
-			initContainers = updateContainersEnv(initContainers, kubernetesHost, kubernetesPort)
-			if err := unstructured.SetNestedSlice(spec, initContainers, "initContainers"); err != nil {
-				continue
-			}
-		}
-
-		// Update spec in the object
-		if err := unstructured.SetNestedMap(obj.Object, spec, "spec", "template", "spec"); err != nil {
-			continue
-		}
-	}
-
-	return nil
-}
-
-// updateContainersEnv updates environment variables for a slice of containers.
-func updateContainersEnv(containers []interface{}, kubernetesHost, kubernetesPort string) []interface{} {
-	for i, container := range containers {
-		containerMap, ok := container.(map[string]interface{})
-		if !ok {
-			continue
-		}
-
-		env, found, err := unstructured.NestedSlice(containerMap, "env")
-		if err != nil {
-			continue
-		}
-
-		if !found {
-			env = []interface{}{}
-		}
-
-		// Update or add KUBERNETES_SERVICE_HOST
-		if kubernetesHost != "" {
-			env = setEnvVar(env, "KUBERNETES_SERVICE_HOST", kubernetesHost)
-		}
-
-		// Update or add KUBERNETES_SERVICE_PORT
-		if kubernetesPort != "" {
-			env = setEnvVar(env, "KUBERNETES_SERVICE_PORT", kubernetesPort)
-		}
-
-		// Update the container's env
-		if err := unstructured.SetNestedSlice(containerMap, env, "env"); err != nil {
-			continue
-		}
-
-		// Update the container in the slice
-		containers[i] = containerMap
-	}
-
-	return containers
-}
-
-// setEnvVar updates or adds an environment variable in the env slice.
-func setEnvVar(env []interface{}, name, value string) []interface{} {
-	// Check if variable already exists
-	for i, envVar := range env {
-		envVarMap, ok := envVar.(map[string]interface{})
-		if !ok {
-			continue
-		}
-
-		if envVarMap["name"] == name {
-			// Update existing variable
-			envVarMap["value"] = value
-			env[i] = envVarMap
-			return env
-		}
-	}
-
-	// Add new variable
-	env = append(env, map[string]interface{}{
-		"name":  name,
-		"value": value,
-	})
-
-	return env
-}
-

internal/fluxinstall/manifests.embed.go

@@ -1,51 +0,0 @@
-/*
-Copyright 2025 The Cozystack Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package fluxinstall
-
-import (
-	"embed"
-	"fmt"
-	"io/fs"
-	"os"
-	"path"
-)
-
-//go:embed manifests/*.yaml
-var embeddedFluxManifests embed.FS
-
-// WriteEmbeddedManifests extracts embedded Flux manifests to a temporary directory.
-func WriteEmbeddedManifests(dir string) error {
-	manifests, err := fs.ReadDir(embeddedFluxManifests, "manifests")
-	if err != nil {
-		return fmt.Errorf("failed to read embedded manifests: %w", err)
-	}
-
-	for _, manifest := range manifests {
-		data, err := fs.ReadFile(embeddedFluxManifests, path.Join("manifests", manifest.Name()))
-		if err != nil {
-			return fmt.Errorf("failed to read file %s: %w", manifest.Name(), err)
-		}
-
-		outputPath := path.Join(dir, manifest.Name())
-		if err := os.WriteFile(outputPath, data, 0666); err != nil {
-			return fmt.Errorf("failed to write file %s: %w", outputPath, err)
-		}
-	}
-
-	return nil
-}
-

internal/lineagecontrollerwebhook/config.go

@@ -4,28 +4,56 @@ import (
 	"fmt"
 	"strings"
 
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 )
 
+type appRef struct {
+	group string
+	kind  string
+}
+
+type runtimeConfig struct {
+	appCRDMap map[appRef]*cozyv1alpha1.CozystackResourceDefinition
+}
+
 func (l *LineageControllerWebhook) initConfig() {
-	// No longer needed - we use labels directly from HelmRelease
+	l.initOnce.Do(func() {
+		if l.config.Load() == nil {
+			l.config.Store(&runtimeConfig{
+				appCRDMap: make(map[appRef]*cozyv1alpha1.CozystackResourceDefinition),
+			})
+		}
+	})
+}
+
+// getApplicationLabel safely extracts an application label from HelmRelease
+func getApplicationLabel(hr *helmv2.HelmRelease, key string) (string, error) {
+	if hr.Labels == nil {
+		return "", fmt.Errorf("cannot map helm release %s/%s to dynamic app: labels are nil", hr.Namespace, hr.Name)
+	}
+	val, ok := hr.Labels[key]
+	if !ok {
+		return "", fmt.Errorf("cannot map helm release %s/%s to dynamic app: missing %s label", hr.Namespace, hr.Name, key)
+	}
+	return val, nil
 }
 
 func (l *LineageControllerWebhook) Map(hr *helmv2.HelmRelease) (string, string, string, error) {
 	// Extract application metadata from labels
-	appKind, ok := hr.Labels["apps.cozystack.io/application.kind"]
-	if !ok {
-		return "", "", "", fmt.Errorf("cannot map helm release %s/%s to dynamic app: missing apps.cozystack.io/application.kind label", hr.Namespace, hr.Name)
+	appKind, err := getApplicationLabel(hr, "apps.cozystack.io/application.kind")
+	if err != nil {
+		return "", "", "", err
 	}
 	
-	appGroup, ok := hr.Labels["apps.cozystack.io/application.group"]
-	if !ok {
-		return "", "", "", fmt.Errorf("cannot map helm release %s/%s to dynamic app: missing apps.cozystack.io/application.group label", hr.Namespace, hr.Name)
+	appGroup, err := getApplicationLabel(hr, "apps.cozystack.io/application.group")
+	if err != nil {
+		return "", "", "", err
 	}
 	
-	appName, ok := hr.Labels["apps.cozystack.io/application.name"]
-	if !ok {
-		return "", "", "", fmt.Errorf("cannot map helm release %s/%s to dynamic app: missing apps.cozystack.io/application.name label", hr.Namespace, hr.Name)
+	appName, err := getApplicationLabel(hr, "apps.cozystack.io/application.name")
+	if err != nil {
+		return "", "", "", err
 	}
 	
 	// Construct API version from group
@@ -35,5 +63,11 @@ func (l *LineageControllerWebhook) Map(hr *helmv2.HelmRelease) (string, string,
 	// HelmRelease name format: <prefix><application-name>
 	prefix := strings.TrimSuffix(hr.Name, appName)
 	
+	// Validate the derived prefix
+	// This ensures correctness when appName appears multiple times in hr.Name
+	if prefix+appName != hr.Name {
+		return "", "", "", fmt.Errorf("cannot derive prefix from helm release %s/%s: name does not end with application name %s", hr.Namespace, hr.Name, appName)
+	}
+	
 	return apiVersion, appKind, prefix, nil
 }

internal/lineagecontrollerwebhook/controller.go

@@ -1,11 +1,44 @@
 package lineagecontrollerwebhook
 
 import (
+	"context"
+
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-// SetupWithManagerAsController is no longer needed since we don't watch ApplicationDefinitions
+// +kubebuilder:rbac:groups=cozystack.io,resources=cozystackresourcedefinitions,verbs=list;watch;get
+
 func (c *LineageControllerWebhook) SetupWithManagerAsController(mgr ctrl.Manager) error {
-	// No controller needed - we use labels directly from HelmRelease
-	return nil
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&cozyv1alpha1.CozystackResourceDefinition{}).
+		Complete(c)
+}
+
+func (c *LineageControllerWebhook) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	l := log.FromContext(ctx)
+	crds := &cozyv1alpha1.CozystackResourceDefinitionList{}
+	if err := c.List(ctx, crds); err != nil {
+		l.Error(err, "failed reading CozystackResourceDefinitions")
+		return ctrl.Result{}, err
+	}
+	cfg := &runtimeConfig{
+		appCRDMap: make(map[appRef]*cozyv1alpha1.CozystackResourceDefinition),
+	}
+	for _, crd := range crds.Items {
+		appRef := appRef{
+			"apps.cozystack.io",
+			crd.Spec.Application.Kind,
+		}
+
+		newRef := crd
+		if _, exists := cfg.appCRDMap[appRef]; exists {
+			l.Info("duplicate app mapping detected; ignoring subsequent entry", "key", appRef)
+		} else {
+			cfg.appCRDMap[appRef] = &newRef
+		}
+	}
+	c.config.Store(cfg)
+	return ctrl.Result{}, nil
 }

internal/lineagecontrollerwebhook/matcher.go

@@ -42,7 +42,7 @@ func matchName(ctx context.Context, name string, templateContext map[string]stri
 	return false
 }
 
-func matchResourceToSelector(ctx context.Context, name string, templateContext, l map[string]string, s *cozyv1alpha1.ApplicationDefinitionResourceSelector) bool {
+func matchResourceToSelector(ctx context.Context, name string, templateContext, l map[string]string, s *cozyv1alpha1.CozystackResourceDefinitionResourceSelector) bool {
 	sel, err := metav1.LabelSelectorAsSelector(&s.LabelSelector)
 	if err != nil {
 		log.FromContext(ctx).Error(err, "failed to convert label selector to selector")
@@ -53,7 +53,7 @@ func matchResourceToSelector(ctx context.Context, name string, templateContext,
 	return labelMatches && nameMatches
 }
 
-func matchResourceToSelectorArray(ctx context.Context, name string, templateContext, l map[string]string, ss []*cozyv1alpha1.ApplicationDefinitionResourceSelector) bool {
+func matchResourceToSelectorArray(ctx context.Context, name string, templateContext, l map[string]string, ss []*cozyv1alpha1.CozystackResourceDefinitionResourceSelector) bool {
 	for _, s := range ss {
 		if matchResourceToSelector(ctx, name, templateContext, l, s) {
 			return true
@@ -62,7 +62,7 @@ func matchResourceToSelectorArray(ctx context.Context, name string, templateCont
 	return false
 }
 
-func matchResourceToExcludeInclude(ctx context.Context, name string, templateContext, l map[string]string, resources *cozyv1alpha1.ApplicationDefinitionResources) bool {
+func matchResourceToExcludeInclude(ctx context.Context, name string, templateContext, l map[string]string, resources *cozyv1alpha1.CozystackResourceDefinitionResources) bool {
 	if resources == nil {
 		return false
 	}

internal/lineagecontrollerwebhook/webhook.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"strings"
 
 	"github.com/cozystack/cozystack/pkg/lineage"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -32,8 +33,8 @@ const (
 	ManagerNameKey   = "apps.cozystack.io/application.name"
 )
 
-// getResourceSelectors returns the appropriate ApplicationDefinitionResources for a given GroupKind
-func (h *LineageControllerWebhook) getResourceSelectors(gk schema.GroupKind, crd *cozyv1alpha1.ApplicationDefinition) *cozyv1alpha1.ApplicationDefinitionResources {
+// getResourceSelectors returns the appropriate CozystackResourceDefinitionResources for a given GroupKind
+func (h *LineageControllerWebhook) getResourceSelectors(gk schema.GroupKind, crd *cozyv1alpha1.CozystackResourceDefinition) *cozyv1alpha1.CozystackResourceDefinitionResources {
 	switch {
 	case gk.Group == "" && gk.Kind == "Secret":
 		return &crd.Spec.Secrets
@@ -87,16 +88,13 @@ func (h *LineageControllerWebhook) Handle(ctx context.Context, req admission.Req
 		"name", req.Name,
 		"operation", req.Operation,
 	)
-	logger.Info("webhook called", "gvk", req.Kind.String(), "namespace", req.Namespace, "name", req.Name, "operation", req.Operation)
 	warn := make(admission.Warnings, 0)
 
 	obj := &unstructured.Unstructured{}
 	if err := h.decodeUnstructured(req, obj); err != nil {
-		logger.Error(err, "failed to decode object")
 		return admission.Errored(400, fmt.Errorf("decode object: %w", err))
 	}
 
-	logger.V(1).Info("decoded object", "labels", obj.GetLabels(), "ownerReferences", obj.GetOwnerReferences())
 	labels, err := h.computeLabels(ctx, obj)
 	for {
 		if err != nil && errors.Is(err, NoAncestors) {
@@ -119,10 +117,9 @@ func (h *LineageControllerWebhook) Handle(ctx context.Context, req admission.Req
 
 	mutated, err := json.Marshal(obj)
 	if err != nil {
-		logger.Error(err, "failed to marshal mutated object")
-		return admission.Errored(500, fmt.Errorf("marshal mutated object: %w", err))
+		return admission.Errored(500, fmt.Errorf("marshal mutated pod: %w", err))
 	}
-	logger.Info("mutated object", "namespace", obj.GetNamespace(), "name", obj.GetName(), "labels", labels)
+	logger.V(1).Info("mutated pod", "namespace", obj.GetNamespace(), "name", obj.GetName())
 	return admission.PatchResponseFromRaw(req.Object.Raw, mutated).WithWarnings(warn...)
 }
 
@@ -159,9 +156,21 @@ func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstruc
 		ManagerKindKey: obj.GetKind(),
 		ManagerNameKey: obj.GetName(),
 	}
-	// Resource selectors are no longer needed since we don't use ApplicationDefinitions
-	// Set tenant resource label to false by default (can be overridden by other logic if needed)
-	labels[corev1alpha1.TenantResourceLabelKey] = "false"
+	templateLabels := map[string]string{
+		"kind":      strings.ToLower(obj.GetKind()),
+		"name":      obj.GetName(),
+		"namespace": o.GetNamespace(),
+	}
+	cfg := h.config.Load().(*runtimeConfig)
+	crd := cfg.appCRDMap[appRef{gv.Group, obj.GetKind()}]
+	resourceSelectors := h.getResourceSelectors(o.GroupVersionKind().GroupKind(), crd)
+
+	labels[corev1alpha1.TenantResourceLabelKey] = func(b bool) string {
+		if b {
+			return corev1alpha1.TenantResourceLabelValue
+		}
+		return "false"
+	}(matchResourceToExcludeInclude(ctx, o.GetName(), templateLabels, o.GetLabels(), resourceSelectors))
 	return labels, err
 }
 

internal/operator/platform_reconciler.go

@@ -1,541 +0,0 @@
-/*
-Copyright 2025 The Cozystack Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package operator
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"strings"
-
-	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	sourcewatcherv1beta1 "github.com/fluxcd/source-watcher/api/v2/v1beta1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/handler"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-)
-
-// PlatformReconciler reconciles Platform resources
-type PlatformReconciler struct {
-	client.Client
-	Scheme *runtime.Scheme
-}
-
-// +kubebuilder:rbac:groups=cozystack.io,resources=platforms,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cozystack.io,resources=platforms/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=helm.toolkit.fluxcd.io,resources=helmreleases,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=source.extensions.fluxcd.io,resources=artifactgenerators,verbs=get;list;watch;create;update;patch;delete
-
-// Reconcile is part of the main kubernetes reconciliation loop
-func (r *PlatformReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	logger := log.FromContext(ctx)
-
-	platform := &cozyv1alpha1.Platform{}
-	if err := r.Get(ctx, req.NamespacedName, platform); err != nil {
-		if apierrors.IsNotFound(err) {
-			// Cleanup orphaned resources
-			return r.cleanupOrphanedResources(ctx, req.NamespacedName)
-		}
-		return ctrl.Result{}, err
-	}
-
-	// Set defaults
-	if platform.Spec.Interval == nil {
-		platform.Spec.Interval = &metav1.Duration{Duration: 5 * 60 * 1000000000} // 5m
-	}
-
-	// Reconcile ArtifactGenerator
-	if err := r.reconcileArtifactGenerator(ctx, platform); err != nil {
-		logger.Error(err, "failed to reconcile ArtifactGenerator")
-		return ctrl.Result{}, err
-	}
-
-	// Reconcile HelmRelease
-	if err := r.reconcileHelmRelease(ctx, platform); err != nil {
-		logger.Error(err, "failed to reconcile HelmRelease")
-		return ctrl.Result{}, err
-	}
-
-	// Cleanup orphaned resources with platform label
-	if err := r.cleanupOrphanedPlatformResources(ctx, platform); err != nil {
-		logger.Error(err, "failed to cleanup orphaned platform resources")
-		// Don't return error, just log it - cleanup is best effort
-	}
-
-	return ctrl.Result{}, nil
-}
-
-// reconcileArtifactGenerator creates or updates the ArtifactGenerator for the platform
-func (r *PlatformReconciler) reconcileArtifactGenerator(ctx context.Context, platform *cozyv1alpha1.Platform) error {
-	logger := log.FromContext(ctx)
-
-	// Use fixed namespace for cluster-scoped resource
-	namespace := "cozy-system"
-
-	// Get basePath with default values (already includes full path to platform)
-	basePath := r.getBasePath(platform)
-
-	// Build full path from basePath (basePath already contains the full path)
-	fullPath := r.buildSourcePath(platform.Spec.SourceRef.Name, basePath, "")
-	// Extract the last component for the artifact name
-	artifactPathParts := strings.Split(strings.Trim(basePath, "/"), "/")
-	artifactName := artifactPathParts[len(artifactPathParts)-1]
-
-	copyOps := []sourcewatcherv1beta1.CopyOperation{
-		{
-			From: fullPath + "/**",
-			To:   fmt.Sprintf("@artifact/%s/", artifactName),
-		},
-	}
-
-	// Create ArtifactGenerator
-	ag := &sourcewatcherv1beta1.ArtifactGenerator{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      platform.Name,
-			Namespace: namespace,
-			Labels: map[string]string{
-				"cozystack.io/platform": platform.Name,
-			},
-		},
-		Spec: sourcewatcherv1beta1.ArtifactGeneratorSpec{
-			Sources: []sourcewatcherv1beta1.SourceReference{
-				{
-					Alias:     platform.Spec.SourceRef.Name,
-					Kind:      platform.Spec.SourceRef.Kind,
-					Name:      platform.Spec.SourceRef.Name,
-					Namespace: platform.Spec.SourceRef.Namespace,
-				},
-			},
-			OutputArtifacts: []sourcewatcherv1beta1.OutputArtifact{
-				{
-					Name: artifactName,
-					Copy: copyOps,
-				},
-			},
-		},
-	}
-
-	// Set ownerReference
-	ag.OwnerReferences = []metav1.OwnerReference{
-		{
-			APIVersion: platform.APIVersion,
-			Kind:       platform.Kind,
-			Name:       platform.Name,
-			UID:        platform.UID,
-			Controller: func() *bool { b := true; return &b }(),
-		},
-	}
-
-	logger.Info("reconciling ArtifactGenerator", "name", platform.Name, "namespace", namespace)
-
-	if err := r.createOrUpdate(ctx, ag); err != nil {
-		return fmt.Errorf("failed to reconcile ArtifactGenerator %s: %w", platform.Name, err)
-	}
-
-	logger.Info("reconciled ArtifactGenerator", "name", platform.Name, "namespace", namespace)
-	return nil
-}
-
-// reconcileHelmRelease creates or updates the HelmRelease for the platform
-func (r *PlatformReconciler) reconcileHelmRelease(ctx context.Context, platform *cozyv1alpha1.Platform) error {
-	logger := log.FromContext(ctx)
-
-	// HelmRelease name is fixed: cozystack-platform
-	// Use fixed namespace for cluster-scoped resource
-	namespace := "cozy-system"
-
-	// Get artifact name (last component of basePath)
-	basePath := r.getBasePath(platform)
-	artifactPathParts := strings.Split(strings.Trim(basePath, "/"), "/")
-	artifactName := artifactPathParts[len(artifactPathParts)-1]
-
-	// Merge values with sourceRef
-	values := r.mergeValuesWithSourceRef(platform.Spec.Values, platform.Spec.SourceRef)
-
-	// Create HelmRelease
-	hr := &helmv2.HelmRelease{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      platform.Name,
-			Namespace: namespace,
-			Labels: map[string]string{
-				"cozystack.io/platform": platform.Name,
-			},
-		},
-		Spec: helmv2.HelmReleaseSpec{
-			Interval:        *platform.Spec.Interval,
-			TargetNamespace: "cozy-system",
-			ReleaseName:     "cozystack-platform",
-			ChartRef: &helmv2.CrossNamespaceSourceReference{
-				Kind:      "ExternalArtifact",
-				Name:      artifactName,
-				Namespace: namespace,
-			},
-			Values: values,
-			Install: &helmv2.Install{
-				Remediation: &helmv2.InstallRemediation{
-					Retries: -1,
-				},
-			},
-			Upgrade: &helmv2.Upgrade{
-				Remediation: &helmv2.UpgradeRemediation{
-					Retries: -1,
-				},
-			},
-		},
-	}
-
-	// Set ownerReference
-	hr.OwnerReferences = []metav1.OwnerReference{
-		{
-			APIVersion: platform.APIVersion,
-			Kind:       platform.Kind,
-			Name:       platform.Name,
-			UID:        platform.UID,
-			Controller: func() *bool { b := true; return &b }(),
-		},
-	}
-
-	logger.Info("reconciling HelmRelease", "name", platform.Name, "namespace", namespace)
-
-	if err := r.createOrUpdate(ctx, hr); err != nil {
-		return fmt.Errorf("failed to reconcile HelmRelease %s: %w", platform.Name, err)
-	}
-
-	logger.Info("reconciled HelmRelease", "name", platform.Name, "namespace", namespace)
-	return nil
-}
-
-// mergeValuesWithSourceRef merges platform values with sourceRef
-func (r *PlatformReconciler) mergeValuesWithSourceRef(values *apiextensionsv1.JSON, sourceRef cozyv1alpha1.SourceRef) *apiextensionsv1.JSON {
-	// Build sourceRef map
-	sourceRefMap := map[string]interface{}{
-		"kind":      sourceRef.Kind,
-		"name":      sourceRef.Name,
-		"namespace": sourceRef.Namespace,
-	}
-
-	// If values is nil or empty, create new values with sourceRef
-	if values == nil || len(values.Raw) == 0 {
-		valuesMap := map[string]interface{}{
-			"sourceRef": sourceRefMap,
-		}
-		raw, _ := json.Marshal(valuesMap)
-		return &apiextensionsv1.JSON{Raw: raw}
-	}
-
-	// Parse existing values
-	var valuesMap map[string]interface{}
-	if err := json.Unmarshal(values.Raw, &valuesMap); err != nil {
-		// If unmarshal fails, create new values with sourceRef
-		valuesMap = map[string]interface{}{
-			"sourceRef": sourceRefMap,
-		}
-		raw, _ := json.Marshal(valuesMap)
-		return &apiextensionsv1.JSON{Raw: raw}
-	}
-
-	// Merge sourceRef into values (overwrite if exists)
-	valuesMap["sourceRef"] = sourceRefMap
-
-	// Marshal back to JSON
-	raw, err := json.Marshal(valuesMap)
-	if err != nil {
-		// If marshal fails, return original values
-		return values
-	}
-
-	return &apiextensionsv1.JSON{Raw: raw}
-}
-
-// getBasePath returns the basePath with default values based on source kind
-func (r *PlatformReconciler) getBasePath(platform *cozyv1alpha1.Platform) string {
-	if platform.Spec.BasePath != "" {
-		return platform.Spec.BasePath
-	}
-	// Default values based on kind
-	if platform.Spec.SourceRef.Kind == "OCIRepository" {
-		return "core/platform" // Full path for OCI
-	}
-	// Default for GitRepository
-	return "packages/core/platform" // Full path for Git
-}
-
-// buildSourcePath builds the full source path from basePath and chart path
-func (r *PlatformReconciler) buildSourcePath(sourceName, basePath, chartPath string) string {
-	// Remove leading/trailing slashes and combine
-	parts := []string{}
-	if basePath != "" {
-		parts = append(parts, strings.Trim(basePath, "/"))
-	}
-	if chartPath != "" {
-		parts = append(parts, strings.Trim(chartPath, "/"))
-	}
-	fullPath := strings.Join(parts, "/")
-	if fullPath == "" {
-		return fmt.Sprintf("@%s", sourceName)
-	}
-	return fmt.Sprintf("@%s/%s", sourceName, fullPath)
-}
-
-// cleanupOrphanedResources removes ArtifactGenerator and HelmRelease when Platform is deleted
-func (r *PlatformReconciler) cleanupOrphanedResources(ctx context.Context, name client.ObjectKey) (ctrl.Result, error) {
-	logger := log.FromContext(ctx)
-	namespace := "cozy-system"
-
-	// Cleanup HelmReleases with the platform label that don't match
-	hrList := &helmv2.HelmReleaseList{}
-	if err := r.List(ctx, hrList, client.InNamespace(namespace), client.MatchingLabels{
-		"cozystack.io/platform": name.Name,
-	}); err != nil {
-		logger.Error(err, "failed to list HelmReleases for cleanup")
-		return ctrl.Result{}, err
-	}
-
-	for i := range hrList.Items {
-		hr := &hrList.Items[i]
-		// Check if this HelmRelease should exist (matches current Platform name)
-		// Since Platform is being deleted, all matching HelmReleases should be deleted
-		// OwnerReferences should handle this, but we'll also delete explicitly
-		if err := r.Delete(ctx, hr); err != nil {
-			if !apierrors.IsNotFound(err) {
-				logger.Error(err, "failed to delete orphaned HelmRelease", "name", hr.Name)
-			}
-		} else {
-			logger.Info("deleted orphaned HelmRelease", "name", hr.Name)
-		}
-	}
-
-	// Cleanup ArtifactGenerators with the platform label
-	agList := &sourcewatcherv1beta1.ArtifactGeneratorList{}
-	if err := r.List(ctx, agList, client.InNamespace(namespace), client.MatchingLabels{
-		"cozystack.io/platform": name.Name,
-	}); err != nil {
-		logger.Error(err, "failed to list ArtifactGenerators for cleanup")
-		return ctrl.Result{}, err
-	}
-
-	for i := range agList.Items {
-		ag := &agList.Items[i]
-		if err := r.Delete(ctx, ag); err != nil {
-			if !apierrors.IsNotFound(err) {
-				logger.Error(err, "failed to delete orphaned ArtifactGenerator", "name", ag.Name)
-			}
-		} else {
-			logger.Info("deleted orphaned ArtifactGenerator", "name", ag.Name)
-		}
-	}
-
-	return ctrl.Result{}, nil
-}
-
-// cleanupOrphanedPlatformResources removes HelmRelease and ArtifactGenerator resources
-// that have the platform label but don't match the current Platform
-func (r *PlatformReconciler) cleanupOrphanedPlatformResources(ctx context.Context, platform *cozyv1alpha1.Platform) error {
-	logger := log.FromContext(ctx)
-	namespace := "cozy-system"
-	platformName := platform.Name
-
-	// Cleanup orphaned HelmReleases
-	hrList := &helmv2.HelmReleaseList{}
-	if err := r.List(ctx, hrList, client.InNamespace(namespace), client.MatchingLabels{
-		"cozystack.io/platform": platformName,
-	}); err != nil {
-		return fmt.Errorf("failed to list HelmReleases: %w", err)
-	}
-
-	for i := range hrList.Items {
-		hr := &hrList.Items[i]
-		// Only delete if it doesn't match the current Platform name
-		// (in case Platform name changed)
-		if hr.Name != platformName {
-			logger.Info("deleting orphaned HelmRelease", "name", hr.Name, "expected", platformName)
-			if err := r.Delete(ctx, hr); err != nil {
-				if !apierrors.IsNotFound(err) {
-					logger.Error(err, "failed to delete orphaned HelmRelease", "name", hr.Name)
-					// Continue with other resources
-				}
-			}
-		}
-	}
-
-	// Cleanup orphaned ArtifactGenerators
-	agList := &sourcewatcherv1beta1.ArtifactGeneratorList{}
-	if err := r.List(ctx, agList, client.InNamespace(namespace), client.MatchingLabels{
-		"cozystack.io/platform": platformName,
-	}); err != nil {
-		return fmt.Errorf("failed to list ArtifactGenerators: %w", err)
-	}
-
-	for i := range agList.Items {
-		ag := &agList.Items[i]
-		// Only delete if it doesn't match the current Platform name
-		if ag.Name != platformName {
-			logger.Info("deleting orphaned ArtifactGenerator", "name", ag.Name, "expected", platformName)
-			if err := r.Delete(ctx, ag); err != nil {
-				if !apierrors.IsNotFound(err) {
-					logger.Error(err, "failed to delete orphaned ArtifactGenerator", "name", ag.Name)
-					// Continue with other resources
-				}
-			}
-		}
-	}
-
-	return nil
-}
-
-// createOrUpdate creates or updates a resource
-func (r *PlatformReconciler) createOrUpdate(ctx context.Context, obj client.Object) error {
-	existing := obj.DeepCopyObject().(client.Object)
-	key := client.ObjectKeyFromObject(obj)
-
-	err := r.Get(ctx, key, existing)
-	if apierrors.IsNotFound(err) {
-		return r.Create(ctx, obj)
-	} else if err != nil {
-		return err
-	}
-
-	// Preserve resource version
-	obj.SetResourceVersion(existing.GetResourceVersion())
-	// Merge labels and annotations
-	labels := obj.GetLabels()
-	if labels == nil {
-		labels = make(map[string]string)
-	}
-	for k, v := range existing.GetLabels() {
-		if _, ok := labels[k]; !ok {
-			labels[k] = v
-		}
-	}
-	obj.SetLabels(labels)
-
-	annotations := obj.GetAnnotations()
-	if annotations == nil {
-		annotations = make(map[string]string)
-	}
-	for k, v := range existing.GetAnnotations() {
-		if _, ok := annotations[k]; !ok {
-			annotations[k] = v
-		}
-	}
-	obj.SetAnnotations(annotations)
-
-	// For ArtifactGenerator, explicitly update Spec and ownerReferences
-	if ag, ok := obj.(*sourcewatcherv1beta1.ArtifactGenerator); ok {
-		if existingAG, ok := existing.(*sourcewatcherv1beta1.ArtifactGenerator); ok {
-			logger := log.FromContext(ctx)
-			logger.V(1).Info("updating ArtifactGenerator Spec", "name", ag.Name, "namespace", ag.Namespace)
-			existingAG.Spec = ag.Spec
-			existingAG.SetLabels(ag.GetLabels())
-			existingAG.SetAnnotations(ag.GetAnnotations())
-			// Always use ownerReferences from the new object (set in reconcileArtifactGenerator)
-			existingAG.SetOwnerReferences(ag.GetOwnerReferences())
-			obj = existingAG
-		}
-	}
-
-	// For HelmRelease, explicitly update Spec and ownerReferences
-	if hr, ok := obj.(*helmv2.HelmRelease); ok {
-		if existingHR, ok := existing.(*helmv2.HelmRelease); ok {
-			logger := log.FromContext(ctx)
-			logger.V(1).Info("updating HelmRelease Spec", "name", hr.Name, "namespace", hr.Namespace)
-			existingHR.Spec = hr.Spec
-			existingHR.SetLabels(hr.GetLabels())
-			existingHR.SetAnnotations(hr.GetAnnotations())
-			// Always use ownerReferences from the new object (set in reconcileHelmRelease)
-			existingHR.SetOwnerReferences(hr.GetOwnerReferences())
-			obj = existingHR
-		}
-	}
-
-	return r.Update(ctx, obj)
-}
-
-// SetupWithManager sets up the controller with the Manager
-func (r *PlatformReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("cozystack-platform").
-		For(&cozyv1alpha1.Platform{}).
-		Watches(
-			&helmv2.HelmRelease{},
-			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
-				hr, ok := obj.(*helmv2.HelmRelease)
-				if !ok {
-					return nil
-				}
-				// Only watch HelmReleases with cozystack.io/platform label
-				platformName := hr.Labels["cozystack.io/platform"]
-				if platformName == "" {
-					return nil
-				}
-				return []reconcile.Request{
-					{
-						NamespacedName: client.ObjectKey{
-							Name: platformName,
-							// Cluster-scoped resource has no namespace
-						},
-					},
-				}
-			}),
-			builder.WithPredicates(
-				predicate.NewPredicateFuncs(func(obj client.Object) bool {
-					// Only watch resources with cozystack.io/platform label
-					labels := obj.GetLabels()
-					return labels != nil && labels["cozystack.io/platform"] != ""
-				}),
-			),
-		).
-		Watches(
-			&sourcewatcherv1beta1.ArtifactGenerator{},
-			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
-				ag, ok := obj.(*sourcewatcherv1beta1.ArtifactGenerator)
-				if !ok {
-					return nil
-				}
-				// Only watch ArtifactGenerators with cozystack.io/platform label
-				platformName := ag.Labels["cozystack.io/platform"]
-				if platformName == "" {
-					return nil
-				}
-				return []reconcile.Request{
-					{
-						NamespacedName: client.ObjectKey{
-							Name: platformName,
-							// Cluster-scoped resource has no namespace
-						},
-					},
-				}
-			}),
-			builder.WithPredicates(
-				predicate.NewPredicateFuncs(func(obj client.Object) bool {
-					// Only watch resources with cozystack.io/platform label
-					labels := obj.GetLabels()
-					return labels != nil && labels["cozystack.io/platform"] != ""
-				}),
-			),
-		).
-		Complete(r)
-}

internal/shared/crdmem/memory.go

@@ -11,13 +11,13 @@ import (
 
 type Memory struct {
 	mu        sync.RWMutex
-	data      map[string]cozyv1alpha1.ApplicationDefinition
+	data      map[string]cozyv1alpha1.CozystackResourceDefinition
 	primed    bool
 	primeOnce sync.Once
 }
 
 func New() *Memory {
-	return &Memory{data: make(map[string]cozyv1alpha1.ApplicationDefinition)}
+	return &Memory{data: make(map[string]cozyv1alpha1.CozystackResourceDefinition)}
 }
 
 var (
@@ -30,7 +30,7 @@ func Global() *Memory {
 	return global
 }
 
-func (m *Memory) Upsert(obj *cozyv1alpha1.ApplicationDefinition) {
+func (m *Memory) Upsert(obj *cozyv1alpha1.CozystackResourceDefinition) {
 	if obj == nil {
 		return
 	}
@@ -45,10 +45,10 @@ func (m *Memory) Delete(name string) {
 	m.mu.Unlock()
 }
 
-func (m *Memory) Snapshot() []cozyv1alpha1.ApplicationDefinition {
+func (m *Memory) Snapshot() []cozyv1alpha1.CozystackResourceDefinition {
 	m.mu.RLock()
 	defer m.mu.RUnlock()
-	out := make([]cozyv1alpha1.ApplicationDefinition, 0, len(m.data))
+	out := make([]cozyv1alpha1.CozystackResourceDefinition, 0, len(m.data))
 	for _, v := range m.data {
 		out = append(out, v)
 	}
@@ -72,7 +72,7 @@ func (m *Memory) EnsurePrimingWithManager(mgr ctrl.Manager) error {
 			if ok := mgr.GetCache().WaitForCacheSync(ctx); !ok {
 				return nil
 			}
-			var list cozyv1alpha1.ApplicationDefinitionList
+			var list cozyv1alpha1.CozystackResourceDefinitionList
 			if err := mgr.GetClient().List(ctx, &list); err == nil {
 				for i := range list.Items {
 					m.Upsert(&list.Items[i])
@@ -87,11 +87,11 @@ func (m *Memory) EnsurePrimingWithManager(mgr ctrl.Manager) error {
 	return errOut
 }
 
-func (m *Memory) ListFromCacheOrAPI(ctx context.Context, c client.Client) ([]cozyv1alpha1.ApplicationDefinition, error) {
+func (m *Memory) ListFromCacheOrAPI(ctx context.Context, c client.Client) ([]cozyv1alpha1.CozystackResourceDefinition, error) {
 	if m.IsPrimed() {
 		return m.Snapshot(), nil
 	}
-	var list cozyv1alpha1.ApplicationDefinitionList
+	var list cozyv1alpha1.CozystackResourceDefinitionList
 	if err := c.List(ctx, &list); err != nil {
 		return nil, err
 	}

internal/telemetry/collector.go

@@ -5,7 +5,6 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"sort"
 	"strings"
 	"time"
 
@@ -121,51 +120,17 @@ func (c *Collector) collect(ctx context.Context) {
 
 	clusterID := string(kubeSystemNS.UID)
 
-	// Get all Bundles
-	var bundleList cozyv1alpha1.BundleList
-	bundleNameStr := ""
-	bundleEnable := ""
-	bundleDisable := ""
-	oidcEnabled := "false"
-
-	if err := c.client.List(ctx, &bundleList); err != nil {
-		logger.Info(fmt.Sprintf("Failed to list Bundles: %v", err))
-		// Continue with empty bundle data instead of returning
-	} else {
-		// Collect bundle names (sorted alphabetically)
-		bundleNames := make([]string, 0, len(bundleList.Items))
-		for _, bundle := range bundleList.Items {
-			bundleNames = append(bundleNames, bundle.Name)
-		}
-		sort.Strings(bundleNames)
-		bundleNameStr = strings.Join(bundleNames, ",")
-
-		// Collect all packages from all bundles
-		var allEnabledPackages []string
-		var allDisabledPackages []string
-
-		for _, bundle := range bundleList.Items {
-			for _, pkg := range bundle.Spec.Packages {
-				if pkg.Disabled {
-					allDisabledPackages = append(allDisabledPackages, pkg.Name)
-				} else {
-					allEnabledPackages = append(allEnabledPackages, pkg.Name)
-					// Check if keycloak package is enabled
-					if pkg.Name == "keycloak" {
-						oidcEnabled = "true"
-					}
-				}
-			}
-		}
-
-		// Sort package lists alphabetically
-		sort.Strings(allEnabledPackages)
-		sort.Strings(allDisabledPackages)
-
-		bundleEnable = strings.Join(allEnabledPackages, ",")
-		bundleDisable = strings.Join(allDisabledPackages, ",")
+	var cozystackCM corev1.ConfigMap
+	if err := c.client.Get(ctx, types.NamespacedName{Namespace: "cozy-system", Name: "cozystack"}, &cozystackCM); err != nil {
+		logger.Info(fmt.Sprintf("Failed to get cozystack configmap in cozy-system namespace: %v", err))
+		return
 	}
 
+	oidcEnabled := cozystackCM.Data["oidc-enabled"]
+	bundle := cozystackCM.Data["bundle-name"]
+	bundleEnable := cozystackCM.Data["bundle-enable"]
+	bundleDisable := cozystackCM.Data["bundle-disable"]
+
 	// Get Kubernetes version from nodes
 	var nodeList corev1.NodeList
 	if err := c.client.List(ctx, &nodeList); err != nil {
@@ -178,41 +143,32 @@ func (c *Collector) collect(ctx context.Context) {
 
 	// Add Cozystack info metric
 	if len(nodeList.Items) > 0 {
-		k8sVersion := "unknown"
-		if version, err := c.discoveryClient.ServerVersion(); err == nil && version != nil {
-			k8sVersion = version.String()
-		}
+		k8sVersion, _ := c.discoveryClient.ServerVersion()
 		metrics.WriteString(fmt.Sprintf(
-			"cozy_cluster_info{cozystack_version=\"%s\",kubernetes_version=\"%s\",oidc_enabled=\"%s\",bundle_name=\"%s\",bundle_enable=\"%s\",bundle_disable=\"%s\"} 1\n",
+			"cozy_cluster_info{cozystack_version=\"%s\",kubernetes_version=\"%s\",oidc_enabled=\"%s\",bundle_name=\"%s\",bunde_enable=\"%s\",bunde_disable=\"%s\"} 1\n",
 			c.config.CozystackVersion,
 			k8sVersion,
 			oidcEnabled,
-			bundleNameStr,
+			bundle,
 			bundleEnable,
 			bundleDisable,
 		))
 	}
 
 	// Collect node metrics
-	if len(nodeList.Items) > 0 {
 	nodeOSCount := make(map[string]int)
-		kernelVersion := "unknown"
 	for _, node := range nodeList.Items {
 		key := fmt.Sprintf("%s (%s)", node.Status.NodeInfo.OperatingSystem, node.Status.NodeInfo.OSImage)
 		nodeOSCount[key] = nodeOSCount[key] + 1
-			if kernelVersion == "unknown" && node.Status.NodeInfo.KernelVersion != "" {
-				kernelVersion = node.Status.NodeInfo.KernelVersion
-			}
 	}
 
 	for osKey, count := range nodeOSCount {
 		metrics.WriteString(fmt.Sprintf(
 			"cozy_nodes_count{os=\"%s\",kernel=\"%s\"} %d\n",
 			osKey,
-				kernelVersion,
+			nodeList.Items[0].Status.NodeInfo.KernelVersion,
 			count,
 		))
-		}
 	}
 
 	// Collect LoadBalancer services metrics
@@ -292,8 +248,9 @@ func (c *Collector) collect(ctx context.Context) {
 	var monitorList cozyv1alpha1.WorkloadMonitorList
 	if err := c.client.List(ctx, &monitorList); err != nil {
 		logger.Info(fmt.Sprintf("Failed to list WorkloadMonitors: %v", err))
-		// Continue without workload metrics instead of returning
-	} else {
+		return
+	}
+
 	for _, monitor := range monitorList.Items {
 		metrics.WriteString(fmt.Sprintf(
 			"cozy_workloads_count{uid=\"%s\",kind=\"%s\",type=\"%s\",version=\"%s\"} %d\n",
@@ -303,7 +260,6 @@ func (c *Collector) collect(ctx context.Context) {
 			monitor.Spec.Version,
 			monitor.Status.ObservedReplicas,
 		))
-		}
 	}
 
 	// Send metrics

packages/apps/Makefile

@@ -1,7 +1,12 @@
 OUT=../../_out/repos/apps
 CHARTS := $(shell find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}')
 
-include ../../hack/common-envs.mk
+include ../../scripts/common-envs.mk
+
+repo:
+	rm -rf "$(OUT)"
+	helm package -d "$(OUT)" $(CHARTS) --version $(COZYSTACK_VERSION)
+	helm repo index "$(OUT)"
 
 fix-charts:
 	find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i -e "s/^name: .*/name: $$i/" -e "s/^version: .*/version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process/g" "$$i/Chart.yaml"; done

packages/apps/README.md

@@ -0,0 +1,8 @@
+### How to test packages local
+
+```bash
+cd packages/core/installer
+make image-cozystack REGISTRY=YOUR_CUSTOM_REGISTRY
+make apply
+kubectl delete po -l app=source-controller -n cozy-fluxcd
+```

packages/apps/bucket/Makefile

@@ -1,4 +1,4 @@
-include ../../../hack/package.mk
+include ../../../scripts/package.mk
 
 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md

packages/apps/bucket/templates/bucketclaim.yaml

@@ -1,6 +1,5 @@
-{{- $cozystack := .Values._cozystack | default dict }}
-{{- $namespace := .Values._namespace | default dict }}
-{{- $seaweedfs := dig "seaweedfs" "" $namespace }}
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $seaweedfs := index $myNS.metadata.annotations "namespace.cozystack.io/seaweedfs" }}
 apiVersion: objectstorage.k8s.io/v1alpha1
 kind: BucketClaim
 metadata:

packages/apps/bucket/templates/helmrelease.yaml

@@ -3,10 +3,15 @@ kind: HelmRelease
 metadata:
   name: {{ .Release.Name }}-system
 spec:
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-bucket
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-bucket
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   interval: 5m
   timeout: 10m
   install:

packages/apps/clickhouse/Makefile

@@ -1,7 +1,7 @@
 CLICKHOUSE_BACKUP_TAG = $(shell awk '$$0 ~ /^version:/ {print $$2}' Chart.yaml)
 
-include ../../../hack/common-envs.mk
-include ../../../hack/package.mk
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk
 
 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md

packages/apps/clickhouse/templates/chkeeper.yaml

@@ -1,5 +1,5 @@
-{{- $cozystack := .Values._cozystack | default dict }}
-{{- $clusterDomain := dig "networking" "clusterDomain" "cozy.local" $cozystack }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 
 {{- if .Values.clickhouseKeeper.enabled }}
 apiVersion: "clickhouse-keeper.altinity.com/v1"

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -1,5 +1,5 @@
-{{- $cozystack := .Values._cozystack | default dict }}
-{{- $clusterDomain := dig "networking" "clusterDomain" "cozy.local" $cozystack }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
 {{- $passwords := dict }}
 {{- $users := .Values.users }}

packages/apps/ferretdb/Makefile

@@ -1,4 +1,4 @@
-include ../../../hack/package.mk
+include ../../../scripts/package.mk
 
 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md

packages/apps/ferretdb/templates/postgres.yaml

@@ -50,13 +50,15 @@ spec:
   postgresUID: 999
   postgresGID: 999
   enableSuperuserAccess: true
-  {{- $cozystack := .Values._cozystack | default dict }}
-  {{- $topologySpreadConstraints := dig "scheduling" "topologySpreadConstraints" (list) $cozystack }}
-  {{- if $topologySpreadConstraints }}
-  topologySpreadConstraints:
-    {{- range $topologySpreadConstraints }}
-    - {{- mergeOverwrite (dict "labelSelector" (dict "matchLabels" (dict "cnpg.io/cluster" (printf "%s-postgres" $.Release.Name)))) . | toYaml | nindent 6 | trim }}
-    {{- end }}
+  {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
+  {{- if $configMap }}
+  {{- $rawConstraints := get $configMap.data "globalAppTopologySpreadConstraints" }}
+  {{- if $rawConstraints }}
+  {{- $rawConstraints | fromYaml | toYaml | nindent 2 }}
+    labelSelector:
+      matchLabels:
+        cnpg.io/cluster: {{ .Release.Name }}-postgres
+  {{- end }}
   {{- end }}
   minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
   maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}

packages/apps/foundationdb/Makefile

@@ -1,4 +1,4 @@
-include ../../../hack/package.mk
+include ../../../scripts/package.mk
 
 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md

packages/apps/foundationdb/templates/cluster.yaml

@@ -1,5 +1,5 @@
-{{- $cozystack := .Values._cozystack | default dict }}
-{{- $clusterDomain := dig "networking" "clusterDomain" "cozy.local" $cozystack }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" | default (dict "data" (dict)) }}
+{{- $clusterDomain := index $cozyConfig.data "cluster-domain" | default "cozy.local" }}
 ---
 apiVersion: apps.foundationdb.org/v1beta2
 kind: FoundationDBCluster

packages/apps/http-cache/Makefile

@@ -1,7 +1,7 @@
 NGINX_CACHE_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
 
-include ../../../hack/common-envs.mk
-include ../../../hack/package.mk
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk
 
 image: image-nginx
 

packages/apps/kafka/Makefile

@@ -1,4 +1,4 @@
-include ../../../hack/package.mk
+include ../../../scripts/package.mk
 PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 
 generate:

packages/apps/kubernetes/.helmignore

@@ -1,3 +1,4 @@
 .helmignore
 /logos
 /Makefile
+/hack

packages/apps/kubernetes/Makefile

@@ -1,14 +1,17 @@
 KUBERNETES_VERSION = v1.33
 KUBERNETES_PKG_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
 
-include ../../../hack/common-envs.mk
-include ../../../hack/package.mk
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk
 
 generate:
 	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
-	yq -o=json -i '.properties.version.enum = (load("files/versions.yaml") | keys)' values.schema.json
 	../../../hack/update-crd.sh
 
+update:
+	hack/update-versions.sh
+	make generate
+
 image: image-ubuntu-container-disk image-kubevirt-cloud-provider image-kubevirt-csi-driver image-cluster-autoscaler
 
 image-ubuntu-container-disk:

packages/apps/kubernetes/README.md

@@ -104,7 +104,7 @@ See the reference for components utilized in this service:
 | `nodeGroups[name].resources.memory` | Memory (RAM) available.                                                                        | `quantity`          | `""`        |
 | `nodeGroups[name].gpus`             | List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM).                            | `[]object`          | `[]`        |
 | `nodeGroups[name].gpus[i].name`     | Name of GPU, such as "nvidia.com/AD102GL_L40S".                                                | `string`            | `""`        |
-| `version`                           | Kubernetes version (vMAJOR.MINOR). Supported: 1.28–1.33.                                     | `string`            | `v1.33`     |
+| `version`                           | Kubernetes major.minor version to deploy                                                       | `string`            | `v1.33`     |
 | `host`                              | External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty. | `string`            | `""`        |
 
 

packages/apps/kubernetes/files/versions.yaml

@@ -1,6 +1,6 @@
-"v1.28": "v1.28.15"
-"v1.29": "v1.29.15"
-"v1.30": "v1.30.14"
-"v1.31": "v1.31.10"
-"v1.32": "v1.32.6"
 "v1.33": "v1.33.0"
+"v1.32": "v1.32.10"
+"v1.31": "v1.31.14"
+"v1.30": "v1.30.14"
+"v1.29": "v1.29.15"
+"v1.28": "v1.28.15"

packages/apps/kubernetes/hack/update-versions.sh

@@ -0,0 +1,260 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+KUBERNETES_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+VALUES_FILE="${KUBERNETES_DIR}/values.yaml"
+VERSIONS_FILE="${KUBERNETES_DIR}/files/versions.yaml"
+MAKEFILE="${KUBERNETES_DIR}/Makefile"
+KAMAJI_DOCKERFILE="${KUBERNETES_DIR}/../../system/kamaji/images/kamaji/Dockerfile"
+
+# Check if skopeo is installed
+if ! command -v skopeo &> /dev/null; then
+    echo "Error: skopeo is not installed. Please install skopeo and try again." >&2
+    exit 1
+fi
+
+# Check if jq is installed
+if ! command -v jq &> /dev/null; then
+    echo "Error: jq is not installed. Please install jq and try again." >&2
+    exit 1
+fi
+
+# Get kamaji version from Dockerfile
+echo "Reading kamaji version from Dockerfile..."
+if [ ! -f "$KAMAJI_DOCKERFILE" ]; then
+    echo "Error: Kamaji Dockerfile not found at $KAMAJI_DOCKERFILE" >&2
+    exit 1
+fi
+
+KAMAJI_VERSION=$(grep "^ARG VERSION=" "$KAMAJI_DOCKERFILE" | cut -d= -f2 | tr -d '"')
+if [ -z "$KAMAJI_VERSION" ]; then
+    echo "Error: Could not extract kamaji version from Dockerfile" >&2
+    exit 1
+fi
+
+echo "Kamaji version: $KAMAJI_VERSION"
+
+# Get Kubernetes version from kamaji repository
+echo "Fetching Kubernetes version from kamaji repository..."
+KUBERNETES_VERSION_FROM_KAMAJI=$(curl -sSL "https://raw.githubusercontent.com/clastix/kamaji/${KAMAJI_VERSION}/internal/upgrade/kubeadm_version.go" | grep "KubeadmVersion" | sed -E 's/.*KubeadmVersion = "([^"]+)".*/\1/')
+
+if [ -z "$KUBERNETES_VERSION_FROM_KAMAJI" ]; then
+    echo "Error: Could not fetch Kubernetes version from kamaji repository" >&2
+    exit 1
+fi
+
+echo "Kubernetes version from kamaji: $KUBERNETES_VERSION_FROM_KAMAJI"
+
+# Extract major.minor version (e.g., "1.33" from "v1.33.0")
+KUBERNETES_MAJOR_MINOR=$(echo "$KUBERNETES_VERSION_FROM_KAMAJI" | sed -E 's/v([0-9]+)\.([0-9]+)\.[0-9]+/\1.\2/')
+KUBERNETES_MAJOR=$(echo "$KUBERNETES_MAJOR_MINOR" | cut -d. -f1)
+KUBERNETES_MINOR=$(echo "$KUBERNETES_MAJOR_MINOR" | cut -d. -f2)
+
+echo "Kubernetes major.minor: $KUBERNETES_MAJOR_MINOR"
+
+# Get available image tags
+echo "Fetching available image tags from registry..."
+AVAILABLE_TAGS=$(skopeo list-tags docker://registry.k8s.io/kube-apiserver | jq -r '.Tags[] | select(test("^v[0-9]+\\.[0-9]+\\.[0-9]+$"))' | sort -V)
+
+if [ -z "$AVAILABLE_TAGS" ]; then
+    echo "Error: Could not fetch available image tags" >&2
+    exit 1
+fi
+
+# Filter out versions higher than KUBERNETES_VERSION_FROM_KAMAJI
+echo "Filtering versions above ${KUBERNETES_VERSION_FROM_KAMAJI}..."
+FILTERED_TAGS=$(echo "$AVAILABLE_TAGS" | while read tag; do
+    if [ -n "$tag" ]; then
+        # Compare tag with KUBERNETES_VERSION_FROM_KAMAJI using version sort
+        # Include tag if it's less than or equal to KUBERNETES_VERSION_FROM_KAMAJI
+        if [ "$(printf '%s\n%s\n' "$tag" "$KUBERNETES_VERSION_FROM_KAMAJI" | sort -V | head -1)" = "$tag" ] || [ "$tag" = "$KUBERNETES_VERSION_FROM_KAMAJI" ]; then
+            echo "$tag"
+        fi
+    fi
+done)
+
+if [ -z "$FILTERED_TAGS" ]; then
+    echo "Error: No versions found after filtering" >&2
+    exit 1
+fi
+
+AVAILABLE_TAGS="$FILTERED_TAGS"
+echo "Filtered to $(echo "$AVAILABLE_TAGS" | wc -l | tr -d ' ') versions"
+
+# Find the latest patch version for the supported major.minor version
+echo "Finding latest patch version for ${KUBERNETES_MAJOR_MINOR}..."
+SUPPORTED_PATCH_TAGS=$(echo "$AVAILABLE_TAGS" | grep "^v${KUBERNETES_MAJOR}\\.${KUBERNETES_MINOR}\\.")
+if [ -z "$SUPPORTED_PATCH_TAGS" ]; then
+    echo "Error: Could not find any patch versions for ${KUBERNETES_MAJOR_MINOR}" >&2
+    exit 1
+fi
+KUBERNETES_VERSION=$(echo "$SUPPORTED_PATCH_TAGS" | tail -n1)
+echo "Using latest patch version: $KUBERNETES_VERSION"
+
+# Build versions map: major.minor -> latest patch version
+# First, collect all unique major.minor versions from available tags
+echo "Collecting all available major.minor versions..."
+ALL_MAJOR_MINOR_VERSIONS=$(echo "$AVAILABLE_TAGS" | sed -E 's/v([0-9]+)\.([0-9]+)\.[0-9]+/v\1.\2/' | sort -V -u)
+
+# Find the position of the supported version in the sorted list
+SUPPORTED_MAJOR_MINOR="v${KUBERNETES_MAJOR}.${KUBERNETES_MINOR}"
+echo "Looking for supported version: $SUPPORTED_MAJOR_MINOR"
+
+# Get all versions that are <= supported version
+# Create a temporary file for filtering
+TEMP_VERSIONS=$(mktemp)
+
+echo "$ALL_MAJOR_MINOR_VERSIONS" | while read version; do
+    # Compare versions using sort -V (version sort)
+    # If version <= supported, include it
+    if [ "$(printf '%s\n%s\n' "$version" "$SUPPORTED_MAJOR_MINOR" | sort -V | head -1)" = "$version" ] || [ "$version" = "$SUPPORTED_MAJOR_MINOR" ]; then
+        echo "$version"
+    fi
+done > "$TEMP_VERSIONS"
+
+# Get the supported version and 5 previous versions (total 6 versions)
+# First, find the position of supported version
+SUPPORTED_POS=$(grep -n "^${SUPPORTED_MAJOR_MINOR}$" "$TEMP_VERSIONS" | cut -d: -f1)
+
+if [ -z "$SUPPORTED_POS" ]; then
+    echo "Error: Supported version $SUPPORTED_MAJOR_MINOR not found in available versions" >&2
+    exit 1
+fi
+
+# Calculate start position (5 versions before supported, or from beginning if less than 5 available)
+TOTAL_LINES=$(wc -l < "$TEMP_VERSIONS" | tr -d ' ')
+START_POS=$((SUPPORTED_POS - 5))
+if [ $START_POS -lt 1 ]; then
+    START_POS=1
+fi
+
+# Extract versions from START_POS to SUPPORTED_POS (inclusive)
+CANDIDATE_VERSIONS=$(sed -n "${START_POS},${SUPPORTED_POS}p" "$TEMP_VERSIONS")
+
+if [ -z "$CANDIDATE_VERSIONS" ]; then
+    echo "Error: Could not find supported version $SUPPORTED_MAJOR_MINOR in available versions" >&2
+    exit 1
+fi
+
+declare -A VERSION_MAP
+VERSIONS=()
+
+# Process each candidate version
+for major_minor_key in $CANDIDATE_VERSIONS; do
+    # Extract major and minor for matching
+    major=$(echo "$major_minor_key" | sed -E 's/v([0-9]+)\.([0-9]+)/\1/')
+    minor=$(echo "$major_minor_key" | sed -E 's/v([0-9]+)\.([0-9]+)/\2/')
+    
+    # Find all tags that match this major.minor version
+    matching_tags=$(echo "$AVAILABLE_TAGS" | grep "^v${major}\\.${minor}\\.")
+    
+    if [ -n "$matching_tags" ]; then
+        # Get the latest patch version for this major.minor version
+        latest_tag=$(echo "$matching_tags" | tail -n1)
+        
+        VERSION_MAP["${major_minor_key}"]="${latest_tag}"
+        VERSIONS+=("${major_minor_key}")
+        echo "Found version: ${major_minor_key} -> ${latest_tag}"
+    fi
+done
+
+if [ ${#VERSIONS[@]} -eq 0 ]; then
+    echo "Error: No matching versions found" >&2
+    exit 1
+fi
+
+# Sort versions in descending order (newest first)
+IFS=$'\n' VERSIONS=($(printf '%s\n' "${VERSIONS[@]}" | sort -V -r))
+unset IFS
+
+echo "Versions to add: ${VERSIONS[*]}"
+
+# Create/update versions.yaml file
+echo "Updating $VERSIONS_FILE..."
+{
+    for ver in "${VERSIONS[@]}"; do
+        echo "\"${ver}\": \"${VERSION_MAP[$ver]}\""
+    done
+} > "$VERSIONS_FILE"
+
+echo "Successfully updated $VERSIONS_FILE"
+
+# Update values.yaml - enum with major.minor versions only
+TEMP_FILE=$(mktemp)
+trap "rm -f $TEMP_FILE $TEMP_VERSIONS" EXIT
+
+# Build new version section
+NEW_VERSION_SECTION="## @enum {string} Version"
+for ver in "${VERSIONS[@]}"; do
+    NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+## @value $ver"
+done
+NEW_VERSION_SECTION="${NEW_VERSION_SECTION}
+
+## @param {Version} version - Kubernetes major.minor version to deploy
+version: \"${VERSIONS[0]}\""
+
+# Check if version section already exists
+if grep -q "^## @enum {string} Version" "$VALUES_FILE"; then
+    # Version section exists, update it using awk
+    echo "Updating existing version section in $VALUES_FILE..."
+    
+    # Use awk to replace the section from "## @enum {string} Version" to "version: " (inclusive)
+    # Delete the old section and insert the new one
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @enum {string} Version/ {
+            in_section = 1
+            print new_section
+            next
+        }
+        in_section && /^version: / {
+            in_section = 0
+            next
+        }
+        in_section {
+            next
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+else
+    # Version section doesn't exist, insert it before Application-specific parameters section
+    echo "Inserting new version section in $VALUES_FILE..."
+    
+    # Use awk to insert before "## @section Application-specific parameters"
+    awk -v new_section="$NEW_VERSION_SECTION" '
+        /^## @section Application-specific parameters/ {
+            print new_section
+            print ""
+        }
+        { print }
+    ' "$VALUES_FILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$VALUES_FILE"
+fi
+
+echo "Successfully updated $VALUES_FILE with versions: ${VERSIONS[*]}"
+
+# Update KUBERNETES_VERSION in Makefile
+# Extract major.minor from KUBERNETES_VERSION (e.g., "v1.33" from "v1.33.4")
+KUBERNETES_MAJOR_MINOR_FOR_MAKEFILE=$(echo "$KUBERNETES_VERSION" | sed -E 's/v([0-9]+)\.([0-9]+)\.[0-9]+/v\1.\2/')
+
+if grep -q "^KUBERNETES_VERSION" "$MAKEFILE"; then
+    # Update existing KUBERNETES_VERSION line using awk
+    echo "Updating KUBERNETES_VERSION in $MAKEFILE..."
+    awk -v new_version="${KUBERNETES_MAJOR_MINOR_FOR_MAKEFILE}" '
+        /^KUBERNETES_VERSION = / {
+            print "KUBERNETES_VERSION = " new_version
+            next
+        }
+        { print }
+    ' "$MAKEFILE" > "$TEMP_FILE.tmp"
+    mv "$TEMP_FILE.tmp" "$MAKEFILE"
+    echo "Successfully updated KUBERNETES_VERSION in $MAKEFILE to ${KUBERNETES_MAJOR_MINOR_FOR_MAKEFILE}"
+else
+    echo "Warning: KUBERNETES_VERSION not found in $MAKEFILE" >&2
+fi
+

packages/apps/kubernetes/templates/cluster.yaml

@@ -1,8 +1,7 @@
-{{- $cozystack := .Values._cozystack | default dict }}
-{{- $namespace := .Values._namespace | default dict }}
-{{- $etcd := dig "etcd" "" $namespace }}
-{{- $ingress := dig "ingress" "" $namespace }}
-{{- $host := dig "host" "" $namespace }}
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $etcd := index $myNS.metadata.annotations "namespace.cozystack.io/etcd" }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
 {{- $kubevirtmachinetemplateNames := list }}
 {{- define "kubevirtmachinetemplate" -}}
 spec:
@@ -32,11 +31,14 @@ spec:
             {{- end }}
             cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ .groupName }}
         spec:
-          {{- $cozystack := $.Values._cozystack | default dict }}
-          {{- $topologySpreadConstraints := dig "scheduling" "topologySpreadConstraints" (list) $cozystack }}
-          {{- if $topologySpreadConstraints }}
-          {{- range $topologySpreadConstraints }}
-          - {{- mergeOverwrite (dict "labelSelector" (dict "matchLabels" (dict "cluster.x-k8s.io/cluster-name" $.Release.Name))) . | toYaml | nindent 12 | trim }}
+          {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
+          {{- if $configMap }}
+          {{- $rawConstraints := get $configMap.data "globalAppTopologySpreadConstraints" }}
+          {{- if $rawConstraints }}
+          {{- $rawConstraints | fromYaml | toYaml | nindent 10 }}
+            labelSelector:
+              matchLabels:
+                cluster.x-k8s.io/cluster-name: {{ $.Release.Name }}
           {{- end }}
           {{- end }}
           domain:

packages/apps/kubernetes/templates/delete.yaml

@@ -5,8 +5,8 @@ metadata:
   annotations:
     "helm.sh/hook": pre-delete
     "helm.sh/hook-weight": "10"
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
-  name: {{ .Release.Name }}-cleanup
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+  name: {{ .Release.Name }}-pre-cleanup
 spec:
   template:
     metadata:
@@ -65,7 +65,6 @@ spec:
 
               echo "Cleanup completed successfully"
 
-
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -73,7 +72,7 @@ metadata:
   name: {{ .Release.Name }}-cleanup
   annotations:
     helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
     helm.sh/hook-weight: "0"
 ---
 apiVersion: rbac.authorization.k8s.io/v1

packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml

@@ -8,10 +8,15 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: cert-manager-crds
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-kubernetes-cert-manager-crds
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-cert-manager-crds
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig
@@ -40,8 +45,6 @@ spec:
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
   {{- end }}
-  - name: {{ .Release.Name }}-cilium
-    namespace: {{ .Release.Namespace }}
 {{- if .Values.addons.certManager.valuesOverride }}
 ---
 apiVersion: v1

packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml

@@ -8,10 +8,15 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: cert-manager
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-kubernetes-cert-manager
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-cert-manager
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -22,10 +22,15 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: cilium
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-kubernetes-cilium
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-cilium
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/coredns.yaml

@@ -13,10 +13,15 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: coredns
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-kubernetes-coredns
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-coredns
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/csi.yaml

@@ -8,10 +8,15 @@ metadata:
 spec:
   interval: 5m
   releaseName: csi
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-kubernetes-kubevirt-csi-node
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-kubevirt-csi-node
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig
@@ -32,6 +37,8 @@ spec:
   dependsOn:
   - name: {{ .Release.Name }}-vsnap-crd
     namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
   {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}

packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml

@@ -8,10 +8,15 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: fluxcd-operator
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-kubernetes-fluxcd-operator
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-fluxcd-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig
@@ -51,10 +56,15 @@ metadata:
 spec:
   interval: 5m
   releaseName: fluxcd
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-kubernetes-fluxcd
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-fluxcd
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-kubeconfig

packages/apps/kubernetes/templates/helmreleases/gateway-api-crds.yaml

@@ -8,10 +8,15 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: gateway-api-crds
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-kubernetes-gateway-api-crds
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-gateway-api-crds
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/gpu-operator.yaml

@@ -8,10 +8,15 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: gpu-operator
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-kubernetes-gpu-operator
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-gpu-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml

@@ -27,10 +27,15 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: ingress-nginx
-  chartRef:
-    kind: ExternalArtifact
-    name: cozystack-iaas-kubernetes-ingress-nginx
-    namespace: cozy-system
+  chart:
+    spec:
+      chart: cozy-ingress-nginx
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig