Refactor and implement TenantSecret

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
filter namespaces by checking access to them
2026-03-03 21:48:57 +00:00 · 2025-08-05 16:34:36 +02:00 · 2025-08-05 16:34:27 +02:00 · 2025-08-05 16:34:20 +02:00 · 2025-08-05 12:54:47 +02:00 · 2025-08-04 18:46:37 +04:00
430 changed files with 27445 additions and 53649 deletions
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -28,16 +28,7 @@ jobs:

      - name: Install generate
        run: |
-          sudo apt update
-          sudo apt install curl -y
-          sudo apt install nodejs -y
-          sudo apt install npm -y
-
-          git clone --branch 2.7.0 --depth 1 https://github.com/bitnami/readme-generator-for-helm.git
-          cd ./readme-generator-for-helm
-          npm install
-          npm install -g @yao-pkg/pkg
-          pkg . -o /usr/local/bin/readme-generator
+          curl -sSL https://github.com/cozystack/readme-generator-for-helm/releases/download/v1.0.0/readme-generator-for-helm-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ readme-generator-for-helm

      - name: Run pre-commit hooks
        run: |
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -1,5 +1,7 @@
 name: Pull Request

+env:
+  REGISTRY: ${{ secrets.OCIR_REPO }}
 on:
  pull_request:
    types: [opened, synchronize, reopened]
@@ -33,9 +35,9 @@ jobs:
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-          registry: ghcr.io
+          username: ${{ secrets.OCIR_USER}}
+          password: ${{ secrets.OCIR_TOKEN }}
+          registry: iad.ocir.io
        env:
          DOCKER_CONFIG: ${{ runner.temp }}/.docker

@@ -262,8 +264,7 @@ jobs:
      - uses: actions/checkout@v4
      - id: set
        run: |
-          apps=$(find hack/e2e-apps -maxdepth 1 -mindepth 1 -name '*.bats' | \
-            awk -F/ '{sub(/\..+/, "", $NF); print $NF}' | jq -R . | jq -cs .)
+          apps=$(ls hack/e2e-apps/*.bats | cut -f3 -d/ | cut -f1 -d. | jq -R | jq -cs)
          echo "matrix={\"app\":$apps}" >> "$GITHUB_OUTPUT"

  test_apps:
--- a/.github/workflows/tags.yaml
+++ b/.github/workflows/tags.yaml
@@ -149,36 +149,35 @@ jobs:
          version:     ${{ steps.tag.outputs.tag }}            # A
          compare-to:  ${{ steps.latest_release.outputs.tag }} # B

-      # Create or reuse DRAFT GitHub Release
+      # Create or reuse draft release
      - name: Create / reuse draft release
        if: steps.check_release.outputs.skip == 'false'
        id: release
        uses: actions/github-script@v7
        with:
          script: |
-            const tag        = '${{ steps.tag.outputs.tag }}';
-            const isRc       = ${{ steps.tag.outputs.is_rc }};
-            const outdated   = '${{ steps.semver.outputs.comparison-result }}' === '<';
-            const makeLatest = outdated ? false : 'legacy';
-            const releases   = await github.rest.repos.listReleases({
+            const tag      = '${{ steps.tag.outputs.tag }}';
+            const isRc     = ${{ steps.tag.outputs.is_rc }};
+            const releases = await github.rest.repos.listReleases({
              owner: context.repo.owner,
              repo:  context.repo.repo
            });
-            let rel          = releases.data.find(r => r.tag_name === tag);
+
+            let rel = releases.data.find(r => r.tag_name === tag);
            if (!rel) {
              rel = await github.rest.repos.createRelease({
                owner: context.repo.owner,
                repo:  context.repo.repo,
-                tag_name:    tag,
-                name:        tag,
-                draft:       true,
-                prerelease:  isRc,
-                make_latest: makeLatest
+                tag_name:   tag,
+                name:       tag,
+                draft:      true,
+                prerelease: isRc               // no make_latest for drafts
              });
              console.log(`Draft release created for ${tag}`);
            } else {
              console.log(`Re-using existing release ${tag}`);
            }
+
            core.setOutput('upload_url', rel.upload_url);

      # Build + upload assets (optional)
--- a/.gitignore
+++ b/.gitignore
@@ -77,3 +77,5 @@ fabric.properties

 .DS_Store
 **/.DS_Store
+
+tmp/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -11,14 +11,14 @@ repos:
    - id: run-make-generate
      name: Run 'make generate' in all app directories
      entry: |
-        /bin/bash -c '
-          for dir in ./packages/apps/*/; do
+        flock -x .git/pre-commit.lock sh -c '
+          for dir in ./packages/apps/*/ ./packages/extra/*/ ./packages/system/cozystack-api/; do
            if [ -d "$dir" ]; then
              echo "Running make generate in $dir"
-              (cd "$dir" && make generate)
+              make generate -C "$dir" || exit $?
            fi
          done
          git diff --color=always | cat
        '
-      language: script
+      language: system
      files: ^.*$
--- a/1
+++ b/1
@@ -22,6 +22,7 @@ build: build-deps
 	make -C packages/system/metallb image
 	make -C packages/system/kamaji image
 	make -C packages/system/bucket image
+	make -C packages/system/objectstorage-controller image
 	make -C packages/core/testing image
 	make -C packages/core/installer image
 	make manifests
--- a/api/v1alpha1/cozystackresourcedefinitions_types.go
+++ b/api/v1alpha1/cozystackresourcedefinitions_types.go
@@ -0,0 +1,89 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+
+// CozystackResourceDefinition is the Schema for the cozystackresourcedefinitions API
+type CozystackResourceDefinition struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec CozystackResourceDefinitionSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// CozystackResourceDefinitionList contains a list of CozystackResourceDefinition
+type CozystackResourceDefinitionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []CozystackResourceDefinition `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&CozystackResourceDefinition{}, &CozystackResourceDefinitionList{})
+}
+
+type CozystackResourceDefinitionSpec struct {
+	// Application configuration
+	Application CozystackResourceDefinitionApplication `json:"application"`
+	// Release configuration
+	Release CozystackResourceDefinitionRelease `json:"release"`
+}
+
+type CozystackResourceDefinitionChart struct {
+	// Name of the Helm chart
+	Name string `json:"name"`
+	// Source reference for the Helm chart
+	SourceRef SourceRef `json:"sourceRef"`
+}
+
+type SourceRef struct {
+	// Kind of the source reference
+	// +kubebuilder:default:="HelmRepository"
+	Kind string `json:"kind"`
+	// Name of the source reference
+	Name string `json:"name"`
+	// Namespace of the source reference
+	// +kubebuilder:default:="cozy-public"
+	Namespace string `json:"namespace"`
+}
+
+type CozystackResourceDefinitionApplication struct {
+	// Kind of the application, used for UI and API
+	Kind string `json:"kind"`
+	// OpenAPI schema for the application, used for API validation
+	OpenAPISchema string `json:"openAPISchema"`
+	// Plural name of the application, used for UI and API
+	Plural string `json:"plural"`
+	// Singular name of the application, used for UI and API
+	Singular string `json:"singular"`
+}
+
+type CozystackResourceDefinitionRelease struct {
+	// Helm chart configuration
+	Chart CozystackResourceDefinitionChart `json:"chart"`
+	// Labels for the release
+	Labels map[string]string `json:"labels,omitempty"`
+	// Prefix for the release name
+	Prefix string `json:"prefix"`
+}
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -25,6 +25,135 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinition) DeepCopyInto(out *CozystackResourceDefinition) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinition.
+func (in *CozystackResourceDefinition) DeepCopy() *CozystackResourceDefinition {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CozystackResourceDefinition) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinitionApplication) DeepCopyInto(out *CozystackResourceDefinitionApplication) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionApplication.
+func (in *CozystackResourceDefinitionApplication) DeepCopy() *CozystackResourceDefinitionApplication {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinitionApplication)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinitionChart) DeepCopyInto(out *CozystackResourceDefinitionChart) {
+	*out = *in
+	out.SourceRef = in.SourceRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionChart.
+func (in *CozystackResourceDefinitionChart) DeepCopy() *CozystackResourceDefinitionChart {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinitionChart)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinitionList) DeepCopyInto(out *CozystackResourceDefinitionList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CozystackResourceDefinition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionList.
+func (in *CozystackResourceDefinitionList) DeepCopy() *CozystackResourceDefinitionList {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinitionList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CozystackResourceDefinitionList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinitionRelease) DeepCopyInto(out *CozystackResourceDefinitionRelease) {
+	*out = *in
+	out.Chart = in.Chart
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionRelease.
+func (in *CozystackResourceDefinitionRelease) DeepCopy() *CozystackResourceDefinitionRelease {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinitionRelease)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinitionSpec) DeepCopyInto(out *CozystackResourceDefinitionSpec) {
+	*out = *in
+	out.Application = in.Application
+	in.Release.DeepCopyInto(&out.Release)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionSpec.
+func (in *CozystackResourceDefinitionSpec) DeepCopy() *CozystackResourceDefinitionSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinitionSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in Selector) DeepCopyInto(out *Selector) {
 	{
@@ -46,6 +175,21 @@ func (in Selector) DeepCopy() Selector {
 	return *out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SourceRef) DeepCopyInto(out *SourceRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceRef.
+func (in *SourceRef) DeepCopy() *SourceRef {
+	if in == nil {
+		return nil
+	}
+	out := new(SourceRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Workload) DeepCopyInto(out *Workload) {
 	*out = *in
--- a/cmd/cozystack-api/main.go
+++ b/cmd/cozystack-api/main.go
@@ -26,8 +26,8 @@ import (

 func main() {
 	ctx := genericapiserver.SetupSignalContext()
-	options := server.NewAppsServerOptions(os.Stdout, os.Stderr)
-	cmd := server.NewCommandStartAppsServer(ctx, options)
+	options := server.NewCozyServerOptions(os.Stdout, os.Stderr)
+	cmd := server.NewCommandStartCozyServer(ctx, options)
 	code := cli.Run(cmd)
 	os.Exit(code)
 }
--- a/dashboards/seaweedfs/seaweedfs.json
+++ b/dashboards/seaweedfs/seaweedfs.json
--- a/docs/changelogs/template.md
+++ b/docs/changelogs/template.md
@@ -0,0 +1,11 @@
+## Major Features and Improvements
+
+## Security
+
+## Fixes
+
+## Dependencies
+
+## Documentation
+
+## Development, Testing, and CI/CD
--- a/docs/changelogs/v0.31.1.md
+++ b/docs/changelogs/v0.31.1.md
@@ -0,0 +1,8 @@
+## Fixes
+
+* [build] Update Talos Linux v1.10.3 and fix assets. (@kvaps in https://github.com/cozystack/cozystack/pull/1006)
+* [ci] Fix uploading released artifacts to GitHub. (@kvaps in https://github.com/cozystack/cozystack/pull/1009)
+* [ci] Separate build and testing jobs. (@kvaps in https://github.com/cozystack/cozystack/pull/1005)
+* [docs] Write a full release post for v0.31.1. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/999)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.31.0...v0.31.1
--- a/docs/changelogs/v0.31.2.md
+++ b/docs/changelogs/v0.31.2.md
@@ -0,0 +1,12 @@
+## Security
+
+* Resolve a security problem that allowed a tenant administrator to gain enhanced privileges outside the tenant. (@kvaps in https://github.com/cozystack/cozystack/pull/1062, backported in https://github.com/cozystack/cozystack/pull/1066)
+
+## Fixes
+
+* [platform] Fix dependencies in `distro-full` bundle. (@klinch0 in  https://github.com/cozystack/cozystack/pull/1056, backported in https://github.com/cozystack/cozystack/pull/1064)
+* [platform] Fix RBAC for annotating namespaces. (@kvaps in https://github.com/cozystack/cozystack/pull/1031, backported in https://github.com/cozystack/cozystack/pull/1037)
+* [platform] Reduce system resource consumption by using smaller resource presets for VerticalPodAutoscaler, SeaweedFS, and KubeOVN. (@klinch0 in https://github.com/cozystack/cozystack/pull/1054, backported in https://github.com/cozystack/cozystack/pull/1058)
+* [dashboard] Fix a number of issues in the Cozystack Dashboard (@kvaps in https://github.com/cozystack/cozystack/pull/1042, backported in https://github.com/cozystack/cozystack/pull/1066)
+* [apps] Specify minimal working resource presets. (@kvaps in https://github.com/cozystack/cozystack/pull/1040, backported in https://github.com/cozystack/cozystack/pull/1041)
+* [apps] Update built-in documentation and configuration reference for managed Clickhouse application. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1059, backported in https://github.com/cozystack/cozystack/pull/1065)
--- a/docs/changelogs/v0.32.1.md
+++ b/docs/changelogs/v0.32.1.md
@@ -0,0 +1,38 @@
+## Major Features and Improvements
+
+* [postgres] Introduce new functionality for backup and restore in PostgreSQL. (@klinch0 in https://github.com/cozystack/cozystack/pull/1086)
+* [apps] Refactor resources in managed applications. (@kvaps in https://github.com/cozystack/cozystack/pull/1106)
+* [system] Make VMAgent's `extraArgs` tunable. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1091)
+
+## Fixes
+
+* [postgres] Escape users and database names. (@kvaps in https://github.com/cozystack/cozystack/pull/1087)
+* [tenant] Fix monitoring agents HelmReleases for tenant clusters. (@klinch0 in https://github.com/cozystack/cozystack/pull/1079)
+* [kubernetes] Wrap cert-manager CRDs in a conditional. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1076)
+* [kubernetes] Remove `useCustomSecretForPatchContainerd` option and enable it by default. (@kvaps in https://github.com/cozystack/cozystack/pull/1104)
+* [apps] Increase default resource presets for Clickhouse and Kafka from `nano` to `small`. Update OpenAPI specs and readme's. (@kvaps in https://github.com/cozystack/cozystack/pull/1103 and https://github.com/cozystack/cozystack/pull/1105)
+* [linstor] Add configurable DRBD network options for connection and timeout settings, replacing scripted logic for detecting devices that lost connection. (@kvaps in https://github.com/cozystack/cozystack/pull/1094)
+
+## Dependencies
+
+* Update cozy-proxy to v0.2.0 (@kvaps in https://github.com/cozystack/cozystack/pull/1081)
+* Update Kafka Operator to 0.45.1-rc1 (@kvaps in https://github.com/cozystack/cozystack/pull/1082 and https://github.com/cozystack/cozystack/pull/1102)
+* Update Flux Operator to 0.23.0 (@kingdonb in https://github.com/cozystack/cozystack/pull/1078)
+
+## Documentation
+
+* [docs] Release notes for v0.32.0 and two beta-versions. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1043)
+
+## Development, Testing, and CI/CD
+
+* [tests] Add Kafka, Redis. (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/1077)
+* [tests] Increase disk space for VMs in tests. (@kvaps in https://github.com/cozystack/cozystack/pull/1097)
+* [tests] Upd Kubernetes v1.33. (@kvaps in https://github.com/cozystack/cozystack/pull/1083)
+* [tests] increase postgres timeouts. (@kvaps in https://github.com/cozystack/cozystack/pull/1108)
+* [tests] don't wait for postgres ro service. (@kvaps in https://github.com/cozystack/cozystack/pull/1109)
+* [ci] Setup systemd timer to tear down sandbox. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1092)
+* [ci] Split testing job into several. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1075)
+* [ci] Run E2E tests as separate parallel jobs. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1093)
+* [ci] Refactor GitHub workflows. (@kvaps in https://github.com/cozystack/cozystack/pull/1107)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.32.0...v0.32.1
--- a/docs/changelogs/v0.33.0.md
+++ b/docs/changelogs/v0.33.0.md
@@ -0,0 +1,91 @@
+> [!WARNING]
+> A patch release [0.33.2](github.com/cozystack/cozystack/releases/tag/v0.33.2) fixing a regression in 0.33.0 has been released. 
+> It is recommended to skip this version and upgrade to [0.33.2](github.com/cozystack/cozystack/releases/tag/v0.33.2) instead.
+
+## Feature Highlights
+
+### Unified CPU and Memory Allocation Management
+
+Since version 0.31.0, Cozystack introduced a single-point-of-truth configuration variable `cpu-allocation-ratio`,
+making CPU resource requests and limits uniform in Virtual Machines managed by KubeVirt.
+The new release 0.33.0 introduces `memory-allocation-ratio` and expands both variables to all managed applications and tenant resource quotas.
+
+Resource presets also respect the allocation ratios and behave in the same way as explicit resource definitions.
+The new resource definition format is concise and simple for platform users.
+
+```yaml
+# resource definition in the configuration
+resources:
+  cpu: <defined cpu value>
+  memory: <defined memory value>
+```
+
+It results in Kubernetes resource requests and limits, based on defined values and the universal allocation ratios:
+
+```yaml
+# actual requests and limits, provided to the application
+resources:
+  limits:
+    cpu: <defined cpu value>
+    memory: <defined memory value>
+  requests:
+    cpu: <defined cpu value / cpu-allocation-ratio>
+    memory: <defined memory value / memory-allocation-ratio>
+```
+
+When updating from earlier Cozystack versions, resource configuration in managed applications will be automatically migrated to the new format.
+
+### Backing up and Restoring Data in Tenant Kubernetes
+
+One of the main features of the release is backup capability for PVCs in tenant Kubernetes clusters.
+It enables platform and tenant administrators to back up and restore data used by services in the tenant clusters.
+
+This new functionality in Cozystack is powered by [Velero](https://velero.io/) and needs an external S3-compatible storage.
+
+## Support for NFS Storage
+
+Cozystack now supports using NFS shared storage with a new optional system module.
+See the documentation: https://cozystack.io/docs/operations/storage/nfs/.
+
+## Features and Improvements
+
+* [kubernetes] Enable PVC backups in tenant Kubernetes clusters, powered by [Velero](https://velero.io/). (@klinch0 in https://github.com/cozystack/cozystack/pull/1132)
+* [nfs-driver] Enable NFS support by introducing a new optional system module `nfs-driver`.  (@kvaps in https://github.com/cozystack/cozystack/pull/1133)
+* [virtual-machine] Configure CPU sockets available to VMs with the `resources.cpu.sockets` configuration value. (@klinch0 in https://github.com/cozystack/cozystack/pull/1131)
+* [virtual-machine] Add support for using pre-imported "golden image" disks for virtual machines, enabling faster provisioning by referencing existing images instead of downloading via HTTP. (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/1112)
+* [kubernetes] Add an option to expose the Ingress-NGINX controller in tenant Kubernetes cluster via LoadBalancer. New configuration value `exposeMethod` offers a choice of `Proxied` and `LoadBalancer`. (@kvaps in https://github.com/cozystack/cozystack/pull/1114)
+* [apps] When updating from earlier Cozystack versions, automatically migrate to the new resource definition format: from `resources.requests.[cpu,memory]` and `resources.limits.[cpu,memory]` to `resources.[cpu,memory]`. (@kvaps in https://github.com/cozystack/cozystack/pull/1127)
+* [apps] Give examples of new resource definitions in the managed app README's. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1120)
+* [tenant] Respect `cpu-allocation-ratio` in tenant's `resourceQuotas`.(@kvaps in https://github.com/cozystack/cozystack/pull/1119)
+* [cozy-lib] Introduce helper function to calculate Java heap params based on memory requests and limits. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1157)
+
+## Security
+
+* [monitoring] Disable sign up in Alerta. (@klinch0 in https://github.com/cozystack/cozystack/pull/1129)
+
+## Fixes
+
+* [platform] Always set resources for managed apps . (@lllamnyp in https://github.com/cozystack/cozystack/pull/1156)
+* [platform] Remove the memory limit for Keycloak deployment. (@klinch0 in https://github.com/cozystack/cozystack/pull/1122)
+* [kubernetes] Fix a condition in the ingress template for tenant Kubernetes. (@kvaps in https://github.com/cozystack/cozystack/pull/1143)
+* [kubernetes] Fix a deadlock on reattaching a KubeVirt-CSI volume. (@kvaps in https://github.com/cozystack/cozystack/pull/1135)
+* [mysql] MySQL applications with a single replica now correctly create a `LoadBalancer` service. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1113)
+* [etcd] Fix resources and headless services in the etcd application. (@kvaps in https://github.com/cozystack/cozystack/pull/1128)
+* [apps] Enable selecting `resourcePreset` from a drop-down list for all applications by adding enum of allowed values in the config scheme. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1117)
+* [apps] Refactor resource presets provided to managed apps by `cozy-lib`. (@kvaps in https://github.com/cozystack/cozystack/pull/1155)
+* [keycloak] Calculate and pass Java heap parameters explicitly to prevent OOM errors. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1157)
+
+
+## Development, Testing, and CI/CD
+
+* [dx] Introduce cozyreport tool and gather reports in CI. (@kvaps in https://github.com/cozystack/cozystack/pull/1139)
+* [ci] Use Nexus as a pull-through cache for CI. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1124)
+* [ci] Save a list of observed images after each workflow run. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1089)
+* [ci] Skip Cozystack tests on PRs that only change the docs. Don't restart CI when a PR is labeled. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1136)
+* [dx] Fix Makefile variables for `capi-providers`. (@kvaps in https://github.com/cozystack/cozystack/pull/1115)
+* [tests] Introduce self-destructing testing environments. (@kvaps in https://github.com/cozystack/cozystack/pull/1138, https://github.com/cozystack/cozystack/pull/1140, https://github.com/cozystack/cozystack/pull/1141, https://github.com/cozystack/cozystack/pull/1142)
+* [e2e] Retry flaky application tests to improve total test time. (@kvaps in https://github.com/cozystack/cozystack/pull/1123)
+* [maintenance] Add a PR template. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1121)
+
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.32.1...v0.33.0
--- a/docs/changelogs/v0.33.1.md
+++ b/docs/changelogs/v0.33.1.md
@@ -0,0 +1,3 @@
+## Fixes
+
+* [kubevirt-csi] Fix a regression by updating the role of the CSI controller. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1165)
--- a/docs/changelogs/v0.33.2.md
+++ b/docs/changelogs/v0.33.2.md
@@ -0,0 +1,19 @@
+## Features and Improvements
+
+* [vm-instance] Enable running [Windows](https://cozystack.io/docs/operations/virtualization/windows/) and [MikroTik RouterOS](https://cozystack.io/docs/operations/virtualization/mikrotik/) in Cozystack. Add `bus` option and always specify `bootOrder` for all disks. (@kvaps in https://github.com/cozystack/cozystack/pull/1168)
+* [cozystack-api] Refactor OpenAPI Schema and support reading it from config. (@kvaps in https://github.com/cozystack/cozystack/pull/1173)
+* [cozystack-api] Enable using singular resource names in Cozystack API. For example, `kubectl get tenant` is now a valid command, in addition to `kubectl get tenants`. (@kvaps in https://github.com/cozystack/cozystack/pull/1169)
+* [postgres] Explain how to back up and restore PostgreSQL using Velero backups. (@klinch0 and @NickVolynkin in https://github.com/cozystack/cozystack/pull/1141)
+
+## Fixes
+
+* [virtual-machine,vm-instance] Adjusted RBAC role to let users read the service associated with the VMs they create. Consequently, users can now see details of the service in the dashboard and therefore read the IP address of the VM. (@klinch0 in https://github.com/cozystack/cozystack/pull/1161)
+* [cozystack-api] Fix an error with `resourceVersion` which resulted in message 'failed to update HelmRelease: helmreleases.helm.toolkit.fluxcd.io "xxx" is invalid...'. (@kvaps in https://github.com/cozystack/cozystack/pull/1170)
+* [cozystack-api] Fix an error in updating lists in Cozystack objects, which resulted in message "Warning: resource ... is missing the kubectl.kubernetes.io/last-applied-configuration annotation". (@kvaps in https://github.com/cozystack/cozystack/pull/1171)
+* [cozystack-api] Disable `startegic-json-patch` support. (@kvaps in https://github.com/cozystack/cozystack/pull/1179)
+* [dashboard] Fix the code for removing dashboard comments which used to mistakenly remove shebang from cloudInit scripts. (@kvaps in https://github.com/cozystack/cozystack/pull/1175).
+* [virtual-machine] Fix cloudInit and sshKeys processing. (@kvaps in https://github.com/cozystack/cozystack/pull/1175 and https://github.com/cozystack/cozystack/commit/da3ee5d0ea9e87529c8adc4fcccffabe8782292e)
+* [applications] Fix a typo in preset resource tables in the built-in documentation of managed applications. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1172)
+* [kubernetes] Enable deleting Velero component from a tenant Kubernetes cluster. (@klinch0 in https://github.com/cozystack/cozystack/pull/1176)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.33.1...v0.33.2
--- a/hack/download-dashboards.sh
+++ b/hack/download-dashboards.sh
@@ -81,6 +81,7 @@ modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//main/capacity-p
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//flux/flux-control-plane.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//flux/flux-stats.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//kafka/strimzi-kafka.json
+modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//seaweedfs/seaweedfs.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//goldpinger/goldpinger.json
 EOT

--- a/hack/e2e-apps/bucket.bats
+++ b/hack/e2e-apps/bucket.bats
@@ -0,0 +1,47 @@
+#!/usr/bin/env bats
+
+@test "Create and Verify Seeweedfs Bucket" {
+  # Create the bucket resource
+  name='test'
+  kubectl apply -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: Bucket
+metadata:
+  name: ${name}
+  namespace: tenant-test
+spec: {}
+EOF
+
+  # Wait for the bucket to be ready
+  kubectl -n tenant-test wait hr bucket-${name} --timeout=100s --for=condition=ready
+  kubectl -n tenant-test wait bucketclaims.objectstorage.k8s.io bucket-${name} --timeout=300s --for=jsonpath='{.status.bucketReady}'
+  kubectl -n tenant-test wait bucketaccesses.objectstorage.k8s.io bucket-${name} --timeout=300s --for=jsonpath='{.status.accessGranted}'
+
+  # Get and decode credentials
+  kubectl -n tenant-test get secret bucket-${name} -ojsonpath='{.data.BucketInfo}' | base64 -d > bucket-test-credentials.json
+
+  # Get credentials from the secret
+  ACCESS_KEY=$(jq -r '.spec.secretS3.accessKeyID' bucket-test-credentials.json)
+  SECRET_KEY=$(jq -r '.spec.secretS3.accessSecretKey' bucket-test-credentials.json)
+  BUCKET_NAME=$(jq -r '.spec.bucketName' bucket-test-credentials.json)
+
+  # Start port-forwarding
+  bash -c 'timeout 100s kubectl port-forward service/seaweedfs-s3 -n tenant-root 8333:8333 > /dev/null 2>&1 &'
+
+  # Wait for port-forward to be ready
+  timeout 30 sh -ec 'until nc -z localhost 8333; do sleep 1; done'
+
+  # Set up MinIO alias with error handling
+  mc alias set local https://localhost:8333 $ACCESS_KEY $SECRET_KEY --insecure
+
+  # Upload file to bucket
+  mc cp bucket-test-credentials.json $BUCKET_NAME/bucket-test-credentials.json
+
+  # Verify file was uploaded
+  mc ls $BUCKET_NAME/bucket-test-credentials.json
+
+  # Clean up uploaded file
+  mc rm $BUCKET_NAME/bucket-test-credentials.json
+
+  kubectl -n tenant-test delete bucket.apps.cozystack.io ${name}
+}
--- a/hack/e2e-apps/clickhouse.bats
+++ b/hack/e2e-apps/clickhouse.bats
@@ -38,4 +38,5 @@ EOF
  timeout 100 sh -ec "until kubectl -n tenant-test get svc chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.spec.ports[*].port}' | grep -q '9000 8123 9009'; do sleep 10; done"
  timeout 80 sh -ec "until kubectl -n tenant-test get sts chi-clickhouse-$name-clickhouse-0-1 ; do sleep 10; done"
  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-1 --timeout=140s --for=jsonpath='{.status.replicas}'=1
+  kubectl -n tenant-test delete clickhouse $name
 }
--- a/hack/e2e-apps/kubernetes-latest.bats
+++ b/hack/e2e-apps/kubernetes-latest.bats
@@ -0,0 +1,6 @@
+#!/usr/bin/env bats
+
+@test "Create a tenant Kubernetes control plane with latest version" {
+  . hack/e2e-apps/run-kubernetes.sh
+  run_kubernetes_test 'keys | sort_by(.) | .[-1]' 'test-latest-version' '59991'
+}
--- a/hack/e2e-apps/kubernetes-previous.bats
+++ b/hack/e2e-apps/kubernetes-previous.bats
@@ -0,0 +1,6 @@
+#!/usr/bin/env bats
+
+@test "Create a tenant Kubernetes control plane with previous version" {
+  . hack/e2e-apps/run-kubernetes.sh
+  run_kubernetes_test 'keys | sort_by(.) | .[-2]' 'test-previous-version' '59992'
+}
--- a/hack/e2e-apps/kubernetes.bats
+++ b/hack/e2e-apps/kubernetes.bats
@@ -1,72 +0,0 @@
-#!/usr/bin/env bats
-
-@test "Create a tenant Kubernetes control plane" {
-  kubectl apply -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: Kubernetes
-metadata:
-  name: test
-  namespace: tenant-test
-spec:
-  addons:
-    certManager:
-      enabled: false
-      valuesOverride: {}
-    cilium:
-      valuesOverride: {}
-    fluxcd:
-      enabled: false
-      valuesOverride: {}
-    gatewayAPI:
-      enabled: false
-    gpuOperator:
-      enabled: false
-      valuesOverride: {}
-    ingressNginx:
-      enabled: true
-      hosts: []
-      valuesOverride: {}
-    monitoringAgents:
-      enabled: false
-      valuesOverride: {}
-    verticalPodAutoscaler:
-      valuesOverride: {}
-  controlPlane:
-    apiServer:
-      resources: {}
-      resourcesPreset: small
-    controllerManager:
-      resources: {}
-      resourcesPreset: micro
-    konnectivity:
-      server:
-        resources: {}
-        resourcesPreset: micro
-    replicas: 2
-    scheduler:
-      resources: {}
-      resourcesPreset: micro
-  host: ""
-  nodeGroups:
-    md0:
-      ephemeralStorage: 20Gi
-      gpus: []
-      instanceType: u1.medium
-      maxReplicas: 10
-      minReplicas: 0
-      resources:
-        cpu: ""
-        memory: ""
-      roles:
-      - ingress-nginx
-  storageClass: replicated
-EOF
-  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
-  timeout 10 sh -ec 'until kubectl get kamajicontrolplane -n tenant-test kubernetes-test; do sleep 1; done'
-  kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-test --timeout=4m
-  kubectl wait tcp -n tenant-test kubernetes-test --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
-  kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-test kubernetes-test-cluster-autoscaler kubernetes-test-kccm kubernetes-test-kcsi-controller
-  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
-  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
-  kubectl -n tenant-test delete kuberneteses.apps.cozystack.io test
-}
--- a/hack/e2e-apps/run-kubernetes.sh
+++ b/hack/e2e-apps/run-kubernetes.sh
@@ -0,0 +1,104 @@
+run_kubernetes_test() {
+    local version_expr="$1"
+    local test_name="$2"
+    local port="$3"
+    local k8s_version=$(yq "$version_expr" packages/apps/kubernetes/files/versions.yaml)
+
+  kubectl apply -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: Kubernetes
+metadata:
+  name: "${test_name}"
+  namespace: tenant-test
+spec:
+  addons:
+    certManager:
+      enabled: false
+      valuesOverride: {}
+    cilium:
+      valuesOverride: {}
+    fluxcd:
+      enabled: false
+      valuesOverride: {}
+    gatewayAPI:
+      enabled: false
+    gpuOperator:
+      enabled: false
+      valuesOverride: {}
+    ingressNginx:
+      enabled: true
+      hosts: []
+      valuesOverride: {}
+    monitoringAgents:
+      enabled: false
+      valuesOverride: {}
+    verticalPodAutoscaler:
+      valuesOverride: {}
+  controlPlane:
+    apiServer:
+      resources: {}
+      resourcesPreset: small
+    controllerManager:
+      resources: {}
+      resourcesPreset: micro
+    konnectivity:
+      server:
+        resources: {}
+        resourcesPreset: micro
+    replicas: 2
+    scheduler:
+      resources: {}
+      resourcesPreset: micro
+  host: ""
+  nodeGroups:
+    md0:
+      ephemeralStorage: 20Gi
+      gpus: []
+      instanceType: u1.medium
+      maxReplicas: 10
+      minReplicas: 0
+      resources:
+        cpu: ""
+        memory: ""
+      roles:
+      - ingress-nginx
+  storageClass: replicated
+  version: "${k8s_version}"
+EOF
+  # Wait for the tenant-test namespace to be active
+  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
+  
+  # Wait for the Kamaji control plane to be created (retry for up to 10 seconds)
+  timeout 10 sh -ec 'until kubectl get kamajicontrolplane -n tenant-test kubernetes-'"${test_name}"'; do sleep 1; done'
+
+  # Wait for the tenant control plane to be fully created (timeout after 4 minutes)
+  kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-${test_name} --timeout=4m
+  
+  # Wait for Kubernetes resources to be ready (timeout after 2 minutes)
+  kubectl wait tcp -n tenant-test kubernetes-${test_name} --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
+  
+  # Wait for all required deployments to be available (timeout after 4 minutes)
+  kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-${test_name} kubernetes-${test_name}-cluster-autoscaler kubernetes-${test_name}-kccm kubernetes-${test_name}-kcsi-controller
+  
+  # Wait for the machine deployment to scale to 2 replicas (timeout after 1 minute)
+  kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
+
+  # Get the admin kubeconfig and save it to a file
+  kubectl get secret kubernetes-${test_name}-admin-kubeconfig -ojsonpath='{.data.super-admin\.conf}' -n tenant-test | base64 -d > tenantkubeconfig
+
+  # Update the kubeconfig to use localhost for the API server
+  yq -i ".clusters[0].cluster.server = \"https://localhost:${port}\"" tenantkubeconfig
+
+  # Set up port forwarding to the Kubernetes API server for a 40 second timeout
+  bash -c 'timeout 40s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
+
+  # Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
+  timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
+
+  # Wait for all machine deployment replicas to be ready (timeout after 10 minutes)
+  kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
+
+  # Clean up by deleting the Kubernetes resource
+  kubectl -n tenant-test delete kuberneteses.apps.cozystack.io $test_name
+
+}
--- a/hack/e2e-install-cozystack.bats
+++ b/hack/e2e-install-cozystack.bats
@@ -123,10 +123,10 @@ EOF

@test "Configure Tenant and wait for applications" {
  # Patch root tenant and wait for its releases
-  kubectl patch tenants/root -n tenant-root --type merge -p '{"spec":{"host":"example.org","ingress":true,"monitoring":true,"etcd":true,"isolated":true}}'
+  kubectl patch tenants/root -n tenant-root --type merge -p '{"spec":{"host":"example.org","ingress":true,"monitoring":true,"etcd":true,"isolated":true, "seaweedfs": true}}'

-  timeout 60 sh -ec 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root >/dev/null 2>&1; do sleep 1; done'
-  kubectl wait hr/etcd hr/ingress hr/tenant-root -n tenant-root --timeout=2m --for=condition=ready
+  timeout 60 sh -ec 'until kubectl get hr -n tenant-root etcd ingress monitoring seaweedfs tenant-root >/dev/null 2>&1; do sleep 1; done'
+  kubectl wait hr/etcd hr/ingress hr/tenant-root hr/seaweedfs -n tenant-root --timeout=4m --for=condition=ready

  if ! kubectl wait hr/monitoring -n tenant-root --timeout=2m --for=condition=ready; then
    flux reconcile hr monitoring -n tenant-root --force
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -32,6 +32,10 @@ kube::codegen::gen_helpers \
    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
    "${SCRIPT_ROOT}/pkg/apis"

+kube::codegen::gen_helpers \
+    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
+    "${SCRIPT_ROOT}/api"
+
 if [[ -n "${API_KNOWN_VIOLATIONS_DIR:-}" ]]; then
    report_filename="${API_KNOWN_VIOLATIONS_DIR}/cozystack_api_violation_exceptions.list"
    if [[ "${UPDATE_API_KNOWN_VIOLATIONS:-}" == "true" ]]; then
--- a/internal/controller/system_helm_reconciler.go
+++ b/internal/controller/system_helm_reconciler.go
@@ -54,6 +54,7 @@ func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Reques
 		if !isSystemApp && !isTenantRoot {
 			continue
 		}
+		patchTarget := hr.DeepCopy()

 		if hr.Annotations == nil {
 			hr.Annotations = map[string]string{}
@@ -62,13 +63,12 @@ func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Reques
 		if hr.Annotations[digestAnnotation] == digest {
 			continue
 		}
+		patchTarget.Annotations[digestAnnotation] = digest
+		patchTarget.Annotations[forceReconcileKey] = now
+		patchTarget.Annotations[requestedAt] = now

 		patch := client.MergeFrom(hr.DeepCopy())
-		hr.Annotations[digestAnnotation] = digest
-		hr.Annotations[forceReconcileKey] = now
-		hr.Annotations[requestedAt] = now
-
-		if err := r.Patch(ctx, &hr, patch); err != nil {
+		if err := r.Patch(ctx, patchTarget, patch); err != nil {
 			log.Error(err, "failed to patch HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
 			continue
 		}
--- a/internal/controller/workload_controller.go
+++ b/internal/controller/workload_controller.go
@@ -3,11 +3,11 @@ package controller
 import (
 	"context"
 	"strings"
+	"time"

 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -15,63 +15,50 @@ import (
 	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
 )

+const (
+	deletionRequeueDelay = 30 * time.Second
+)
+
 // WorkloadMonitorReconciler reconciles a WorkloadMonitor object
 type WorkloadReconciler struct {
 	client.Client
 	Scheme *runtime.Scheme
 }

+// workload_controller.go
 func (r *WorkloadReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	logger := log.FromContext(ctx)
+	log := log.FromContext(ctx)
+
 	w := &cozyv1alpha1.Workload{}
-	err := r.Get(ctx, req.NamespacedName, w)
-	if err != nil {
+	if err := r.Get(ctx, req.NamespacedName, w); err != nil {
 		if apierrors.IsNotFound(err) {
 			return ctrl.Result{}, nil
 		}
-		logger.Error(err, "Unable to fetch Workload")
 		return ctrl.Result{}, err
 	}

-	// it's being deleted, nothing to handle
-	if w.DeletionTimestamp != nil {
-		return ctrl.Result{}, nil
+	// If my monitor is gone, delete me.
+	monName, has := w.Labels["workloads.cozystack.io/monitor"]
+	if !has {
+		return ctrl.Result{}, client.IgnoreNotFound(r.Delete(ctx, w))
 	}
-
-	t := getMonitoredObject(w)
-
-	if t == nil {
-		err = r.Delete(ctx, w)
-		if err != nil {
-			logger.Error(err, "failed to delete workload")
-		}
+	monitor := &cozyv1alpha1.WorkloadMonitor{}
+	if err := r.Get(ctx, client.ObjectKey{Namespace: w.Namespace, Name: monName}, monitor); apierrors.IsNotFound(err) {
+		// Monitor is gone → delete the Workload.  Ignore NotFound here, too.
+		return ctrl.Result{}, client.IgnoreNotFound(r.Delete(ctx, w))
+	} else if err != nil {
+		// Some other error fetching the monitor
+		log.Error(err, "failed to get WorkloadMonitor", "monitor", monName)
 		return ctrl.Result{}, err
 	}

-	err = r.Get(ctx, types.NamespacedName{Name: t.GetName(), Namespace: t.GetNamespace()}, t)
-
-	// found object, nothing to do
-	if err == nil {
-		return ctrl.Result{}, nil
-	}
-
-	// error getting object but not 404 -- requeue
-	if !apierrors.IsNotFound(err) {
-		logger.Error(err, "failed to get dependent object", "kind", t.GetObjectKind(), "dependent-object-name", t.GetName())
-		return ctrl.Result{}, err
-	}
-
-	err = r.Delete(ctx, w)
-	if err != nil {
-		logger.Error(err, "failed to delete workload")
-	}
-	return ctrl.Result{}, err
+	return ctrl.Result{}, nil
 }

 // SetupWithManager registers our controller with the Manager and sets up watches.
 func (r *WorkloadReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		// Watch WorkloadMonitor objects
+		// Watch Workload objects
 		For(&cozyv1alpha1.Workload{}).
 		Complete(r)
 }
--- a/internal/controller/workload_controller_test.go
+++ b/internal/controller/workload_controller_test.go
@@ -1,10 +1,17 @@
 package controller

 import (
+	"context"
 	"testing"

 	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )

 func TestUnprefixedMonitoredObjectReturnsNil(t *testing.T) {
@@ -24,3 +31,83 @@ func TestPodMonitoredObject(t *testing.T) {
 		t.Errorf(`getMonitoredObject(&Workload{Name: "%s"}) == %v, want &Pod{Name: "mypod"}`, w.Name, obj)
 	}
 }
+
+func TestWorkloadReconciler_DeletesOnMissingMonitor(t *testing.T) {
+	scheme := runtime.NewScheme()
+	_ = cozyv1alpha1.AddToScheme(scheme)
+	_ = corev1.AddToScheme(scheme)
+
+	// Workload with a non-existent monitor
+	w := &cozyv1alpha1.Workload{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "pod-foo",
+			Namespace: "default",
+			Labels: map[string]string{
+				"workloadmonitor.cozystack.io/name": "missing-monitor",
+			},
+		},
+	}
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(w).
+		Build()
+	reconciler := &WorkloadReconciler{Client: fakeClient}
+	req := reconcile.Request{NamespacedName: types.NamespacedName{Name: "pod-foo", Namespace: "default"}}
+
+	if _, err := reconciler.Reconcile(context.TODO(), req); err != nil {
+		t.Fatalf("Reconcile returned error: %v", err)
+	}
+
+	// Expect workload to be deleted
+	err := fakeClient.Get(context.TODO(), req.NamespacedName, &cozyv1alpha1.Workload{})
+	if !apierrors.IsNotFound(err) {
+		t.Errorf("expected workload to be deleted, got: %v", err)
+	}
+}
+
+func TestWorkloadReconciler_KeepsWhenAllExist(t *testing.T) {
+	scheme := runtime.NewScheme()
+	_ = cozyv1alpha1.AddToScheme(scheme)
+	_ = corev1.AddToScheme(scheme)
+
+	// Create a monitor and its backing Pod
+	monitor := &cozyv1alpha1.WorkloadMonitor{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "mon",
+			Namespace: "default",
+		},
+	}
+	pod := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo",
+			Namespace: "default",
+		},
+	}
+	w := &cozyv1alpha1.Workload{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "pod-foo",
+			Namespace: "default",
+			Labels: map[string]string{
+				"workloadmonitor.cozystack.io/name": "mon",
+			},
+		},
+	}
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(monitor, pod, w).
+		Build()
+	reconciler := &WorkloadReconciler{Client: fakeClient}
+	req := reconcile.Request{NamespacedName: types.NamespacedName{Name: "pod-foo", Namespace: "default"}}
+
+	if _, err := reconciler.Reconcile(context.TODO(), req); err != nil {
+		t.Fatalf("Reconcile returned error: %v", err)
+	}
+
+	// Expect workload to remain
+	err := fakeClient.Get(context.TODO(), req.NamespacedName, &cozyv1alpha1.Workload{})
+	if err != nil {
+		t.Errorf("expected workload to persist, got error: %v", err)
+	}
+}
--- a/internal/controller/workloadmonitor_controller.go
+++ b/internal/controller/workloadmonitor_controller.go
@@ -9,6 +9,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/retry"
 	"k8s.io/utils/pointer"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -111,6 +112,7 @@ func (r *WorkloadMonitorReconciler) reconcileServiceForMonitor(
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fmt.Sprintf("svc-%s", svc.Name),
 			Namespace: svc.Namespace,
+			Labels:    make(map[string]string, len(svc.Labels)),
 		},
 	}

@@ -137,9 +139,12 @@ func (r *WorkloadMonitorReconciler) reconcileServiceForMonitor(

 	_, err := ctrl.CreateOrUpdate(ctx, r.Client, workload, func() error {
 		// Update owner references with the new monitor
-		updateOwnerReferences(workload.GetObjectMeta(), monitor)
+		updateOwnerReferences(workload.GetObjectMeta(), &svc)

-		workload.Labels = svc.Labels
+		for k, v := range svc.Labels {
+			workload.Labels[k] = v
+		}
+		workload.Labels["workloads.cozystack.io/monitor"] = monitor.Name

 		// Fill Workload status fields:
 		workload.Status.Kind = monitor.Spec.Kind
@@ -168,6 +173,7 @@ func (r *WorkloadMonitorReconciler) reconcilePVCForMonitor(
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fmt.Sprintf("pvc-%s", pvc.Name),
 			Namespace: pvc.Namespace,
+			Labels:    make(map[string]string, len(pvc.Labels)),
 		},
 	}

@@ -184,9 +190,12 @@ func (r *WorkloadMonitorReconciler) reconcilePVCForMonitor(

 	_, err := ctrl.CreateOrUpdate(ctx, r.Client, workload, func() error {
 		// Update owner references with the new monitor
-		updateOwnerReferences(workload.GetObjectMeta(), monitor)
+		updateOwnerReferences(workload.GetObjectMeta(), &pvc)

-		workload.Labels = pvc.Labels
+		for k, v := range pvc.Labels {
+			workload.Labels[k] = v
+		}
+		workload.Labels["workloads.cozystack.io/monitor"] = monitor.Name

 		// Fill Workload status fields:
 		workload.Status.Kind = monitor.Spec.Kind
@@ -248,19 +257,19 @@ func (r *WorkloadMonitorReconciler) reconcilePodForMonitor(
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fmt.Sprintf("pod-%s", pod.Name),
 			Namespace: pod.Namespace,
-			Labels:    map[string]string{},
+			Labels:    make(map[string]string, len(pod.Labels)),
 		},
 	}

 	metaLabels := r.getWorkloadMetadata(&pod)
 	_, err := ctrl.CreateOrUpdate(ctx, r.Client, workload, func() error {
 		// Update owner references with the new monitor
-		updateOwnerReferences(workload.GetObjectMeta(), monitor)
+		updateOwnerReferences(workload.GetObjectMeta(), &pod)

-		// Copy labels from the Pod if needed
 		for k, v := range pod.Labels {
 			workload.Labels[k] = v
 		}
+		workload.Labels["workloads.cozystack.io/monitor"] = monitor.Name

 		// Add workload meta to labels
 		for k, v := range metaLabels {
@@ -370,15 +379,24 @@ func (r *WorkloadMonitorReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	monitor.Status.ObservedReplicas = observedReplicas
 	monitor.Status.AvailableReplicas = availableReplicas

-	// Default to operational = true, but check MinReplicas if set
-	monitor.Status.Operational = pointer.Bool(true)
-	if monitor.Spec.MinReplicas != nil && availableReplicas < *monitor.Spec.MinReplicas {
-		monitor.Status.Operational = pointer.Bool(false)
-	}
-
 	// Update the WorkloadMonitor status in the cluster
-	if err := r.Status().Update(ctx, monitor); err != nil {
-		logger.Error(err, "Unable to update WorkloadMonitor status", "monitor", monitor.Name)
+	err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+		fresh := &cozyv1alpha1.WorkloadMonitor{}
+		if err := r.Get(ctx, req.NamespacedName, fresh); err != nil {
+			return err
+		}
+		fresh.Status.ObservedReplicas = observedReplicas
+		fresh.Status.AvailableReplicas = availableReplicas
+
+		// Default to operational = true, but check MinReplicas if set
+		monitor.Status.Operational = pointer.Bool(true)
+		if monitor.Spec.MinReplicas != nil && availableReplicas < *monitor.Spec.MinReplicas {
+			monitor.Status.Operational = pointer.Bool(false)
+		}
+		return r.Status().Update(ctx, fresh)
+	})
+	if err != nil {
+		logger.Error(err, "unable to update WorkloadMonitor status after retries")
 		return ctrl.Result{}, err
 	}

--- a/packages/apps/bucket/Makefile
+++ b/packages/apps/bucket/Makefile
@@ -1,4 +1,4 @@
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
--- a/packages/apps/bucket/values.schema.json
+++ b/packages/apps/bucket/values.schema.json
@@ -1,5 +1,5 @@
 {
+    "properties": {},
    "title": "Chart Values",
-    "type": "object",
-    "properties": {}
+    "type": "object"
 }
--- a/packages/apps/clickhouse/Chart.yaml
+++ b/packages/apps/clickhouse/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0
+version: 0.11.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/clickhouse/Makefile
+++ b/packages/apps/clickhouse/Makefile
@@ -1,11 +1,12 @@
 CLICKHOUSE_BACKUP_TAG = $(shell awk '$$0 ~ /^version:/ {print $$2}' Chart.yaml)
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json

 image:
 	docker buildx build images/clickhouse-backup \
--- a/packages/apps/clickhouse/README.md
+++ b/packages/apps/clickhouse/README.md
@@ -23,35 +23,35 @@ For more details, read [Restic: Effective Backup from Stdin](https://blog.aenix.

 ### Common parameters

-| Name             | Description                                              | Value  |
-| ---------------- | -------------------------------------------------------- | ------ |
-| `size`           | Size of Persistent Volume for data                       | `10Gi` |
-| `logStorageSize` | Size of Persistent Volume for logs                       | `2Gi`  |
-| `shards`         | Number of Clickhouse shards                              | `1`    |
-| `replicas`       | Number of Clickhouse replicas                            | `2`    |
-| `storageClass`   | StorageClass used to store the data                      | `""`   |
-| `logTTL`         | TTL (expiration time) for query_log and query_thread_log | `15`   |
+| Name              | Description                                                                                                                             | Value   |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of Clickhouse replicas                                                                                                           | `2`     |
+| `shards`          | Number of Clickhouse shards                                                                                                             | `1`     |
+| `resources`       | Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.             | `small` |
+| `size`            | Persistent Volume Claim size, available for application data                                                                            | `10Gi`  |
+| `storageClass`    | StorageClass used to store the application data                                                                                         | `""`    |

-### Configuration parameters
+### Application-specific parameters

-| Name    | Description         | Value |
-| ------- | ------------------- | ----- |
-| `users` | Users configuration | `{}`  |
+| Name             | Description                                              | Value |
+| ---------------- | -------------------------------------------------------- | ----- |
+| `logStorageSize` | Size of Persistent Volume for logs                       | `2Gi` |
+| `logTTL`         | TTL (expiration time) for query_log and query_thread_log | `15`  |
+| `users`          | Users configuration                                      | `{}`  |

 ### Backup parameters

-| Name                     | Description                                                                                                                             | Value                                                  |
-| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable periodic backups                                                                                                                 | `false`                                                |
-| `backup.s3Region`        | AWS S3 region where backups are stored                                                                                                  | `us-east-1`                                            |
-| `backup.s3Bucket`        | S3 bucket used for storing backups                                                                                                      | `s3.example.org/clickhouse-backups`                    |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                     | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | Access key for S3, used for authentication                                                                                              | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | Secret key for S3, used for authentication                                                                                              | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | Password for Restic backup encryption                                                                                                   | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`                                                   |
-| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.       | `small`                                                |
+| Name                     | Description                                    | Value                                                  |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable periodic backups                        | `false`                                                |
+| `backup.s3Region`        | AWS S3 region where backups are stored         | `us-east-1`                                            |
+| `backup.s3Bucket`        | S3 bucket used for storing backups             | `s3.example.org/clickhouse-backups`                    |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication     | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication     | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | Password for Restic backup encryption          | `ChaXoveekoh6eigh4siesheeda2quai0`                     |

 ## Parameter examples and reference

--- a/packages/apps/clickhouse/images/clickhouse-backup.tag
+++ b/packages/apps/clickhouse/images/clickhouse-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/clickhouse-backup:0.11.0@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
+ghcr.io/cozystack/cozystack/clickhouse-backup:0.11.1@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
--- a/packages/apps/clickhouse/values.schema.json
+++ b/packages/apps/clickhouse/values.schema.json
@@ -1,93 +1,75 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "size": {
-            "type": "string",
-            "description": "Size of Persistent Volume for data",
-            "default": "10Gi"
-        },
-        "logStorageSize": {
-            "type": "string",
-            "description": "Size of Persistent Volume for logs",
-            "default": "2Gi"
-        },
-        "shards": {
-            "type": "number",
-            "description": "Number of Clickhouse shards",
-            "default": 1
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of Clickhouse replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "logTTL": {
-            "type": "number",
-            "description": "TTL (expiration time) for query_log and query_thread_log",
-            "default": 15
-        },
        "backup": {
-            "type": "object",
            "properties": {
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable periodic backups",
-                    "default": false
-                },
-                "s3Region": {
-                    "type": "string",
-                    "description": "AWS S3 region where backups are stored",
-                    "default": "us-east-1"
-                },
-                "s3Bucket": {
-                    "type": "string",
-                    "description": "S3 bucket used for storing backups",
-                    "default": "s3.example.org/clickhouse-backups"
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
-                },
                "cleanupStrategy": {
-                    "type": "string",
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m",
                    "description": "Retention strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                    "type": "string"
                },
-                "s3AccessKey": {
-                    "type": "string",
-                    "description": "Access key for S3, used for authentication",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
-                },
-                "s3SecretKey": {
-                    "type": "string",
-                    "description": "Secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                "enabled": {
+                    "default": false,
+                    "description": "Enable periodic backups",
+                    "type": "boolean"
                },
                "resticPassword": {
-                    "type": "string",
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0",
                    "description": "Password for Restic backup encryption",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                    "type": "string"
+                },
+                "s3AccessKey": {
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
+                    "description": "Access key for S3, used for authentication",
+                    "type": "string"
+                },
+                "s3Bucket": {
+                    "default": "s3.example.org/clickhouse-backups",
+                    "description": "S3 bucket used for storing backups",
+                    "type": "string"
+                },
+                "s3Region": {
+                    "default": "us-east-1",
+                    "description": "AWS S3 region where backups are stored",
+                    "type": "string"
+                },
+                "s3SecretKey": {
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
+                    "description": "Secret key for S3, used for authentication",
+                    "type": "string"
+                },
+                "schedule": {
+                    "default": "0 2 * * *",
+                    "description": "Cron schedule for automated backups",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
+        },
+        "logStorageSize": {
+            "default": "2Gi",
+            "description": "Size of Persistent Volume for logs",
+            "type": "string"
+        },
+        "logTTL": {
+            "default": 15,
+            "description": "TTL (expiration time) for query_log and query_thread_log",
+            "type": "number"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of Clickhouse replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "small",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
-                "none",
                "nano",
                "micro",
                "small",
@@ -96,6 +78,23 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "shards": {
+            "default": 1,
+            "description": "Number of Clickhouse shards",
+            "type": "number"
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume Claim size, available for application data",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the application data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/clickhouse/values.yaml
+++ b/packages/apps/clickhouse/values.yaml
@@ -1,21 +1,29 @@
 ## @section Common parameters
-
-## @param size Size of Persistent Volume for data
-## @param logStorageSize Size of Persistent Volume for logs
-## @param shards Number of Clickhouse shards
-## @param replicas Number of Clickhouse replicas
-## @param storageClass StorageClass used to store the data
-## @param logTTL TTL (expiration time) for query_log and query_thread_log
 ##
-size: 10Gi
-logStorageSize: 2Gi
-shards: 1
+## @param replicas Number of Clickhouse replicas
 replicas: 2
+## @param shards Number of Clickhouse shards
+shards: 1
+## @param resources Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+#  resources:
+#    cpu: 4000m
+#    memory: 4Gi
+
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "small"
+## @param size Persistent Volume Claim size, available for application data
+size: 10Gi
+## @param storageClass StorageClass used to store the application data
 storageClass: ""
+
+
+## @section Application-specific parameters
+##
+## @param logStorageSize Size of Persistent Volume for logs
+logStorageSize: 2Gi
+## @param logTTL TTL (expiration time) for query_log and query_thread_log
 logTTL: 15
-
-## @section Configuration parameters
-
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -27,6 +35,7 @@ logTTL: 15
 ##
 users: {}

+
 ## @section Backup parameters

 ## @param backup.enabled Enable periodic backups
@@ -47,11 +56,3 @@ backup:
  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

-## @param resources Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
-
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "small"
--- a/packages/apps/ferretdb/Chart.yaml
+++ b/packages/apps/ferretdb/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 1.0.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.24.0"
+appVersion: 2.4.0
--- a/packages/apps/ferretdb/Makefile
+++ b/packages/apps/ferretdb/Makefile
@@ -1,5 +1,13 @@
 include ../../../scripts/package.mk
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+
+update:
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/FerretDB/FerretDB | awk -F'[/^]' '{sub("^v", "", $$3)} END{print $$3}') && \
+	pgtag=$$(skopeo list-tags docker://ghcr.io/ferretdb/postgres-documentdb | jq -r --arg tag "$$tag" '.Tags[] | select(endswith("ferretdb-" + $$tag))' | sort -V | tail -n1) && \
+	sed -i "s|\(imageName: ghcr.io/ferretdb/postgres-documentdb:\).*|\1$$pgtag|" templates/postgres.yaml && \
+	sed -i "s|\(image: ghcr.io/ferretdb/ferretdb:\).*|\1$$tag|" templates/ferretdb.yaml && \
+	sed -i "s|\(appVersion: \).*|\1$$tag|" Chart.yaml
--- a/packages/apps/ferretdb/README.md
+++ b/packages/apps/ferretdb/README.md
@@ -8,37 +8,42 @@ Internally, FerretDB service is backed by Postgres.

 ### Common parameters

-| Name                     | Description                                                                                                                 | Value   |
-| ------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`               | Enable external access from outside the cluster                                                                             | `false` |
-| `size`                   | Persistent Volume size                                                                                                      | `10Gi`  |
-| `replicas`               | Number of replicas                                                                                                          | `2`     |
-| `storageClass`           | StorageClass used to store the data                                                                                         | `""`    |
-| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed                | `0`     |
-| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas) | `0`     |
+| Name              | Description                                                                                                                           | Value   |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of replicas                                                                                                                    | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.     | `micro` |
+| `size`            | Persistent Volume size                                                                                                                | `10Gi`  |
+| `storageClass`    | StorageClass used to store the data                                                                                                   | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                       | `false` |

-### Configuration parameters
+### Application-specific parameters

-| Name    | Description         | Value |
-| ------- | ------------------- | ----- |
-| `users` | Users configuration | `{}`  |
+| Name                     | Description                                                                                                                 | Value |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed                | `0`   |
+| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas) | `0`   |
+| `users`                  | Users configuration                                                                                                         | `{}`  |

 ### Backup parameters

-| Name                     | Description                                                                                                                           | Value                                                  |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable periodic backups                                                                                                               | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                            | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                   | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                              | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                        | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                        | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                             | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`                                                   |
-| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.     | `nano`                                                 |
+| Name                     | Description                                                | Value                               |
+| ------------------------ | ---------------------------------------------------------- | ----------------------------------- |
+| `backup.enabled`         | Enable regular backups                                     | `false`                             |
+| `backup.schedule`        | Cron schedule for automated backups                        | `0 2 * * * *`                       |
+| `backup.retentionPolicy` | Retention policy                                           | `30d`                               |
+| `backup.destinationPath` | Path to store the backup (i.e. s3://bucket/path/to/folder) | `s3://bucket/path/to/folder/`       |
+| `backup.endpointURL`     | S3 Endpoint used to upload data to the cloud               | `http://minio-gateway-service:9000` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                 | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                 | `ju3eum4dekeich9ahM1te8waeGai0oog`  |

+### Bootstrap (recovery) parameters

+| Name                     | Description                                                                                                          | Value   |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------- | ------- |
+| `bootstrap.enabled`      | Restore database cluster from a backup                                                                               | `false` |
+| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest | `""`    |
+| `bootstrap.oldName`      | Name of database cluster before deleting                                                                             | `""`    |

 ## Parameter examples and reference

--- a/packages/apps/ferretdb/images/postgres-backup.tag
+++ b/packages/apps/ferretdb/images/postgres-backup.tag
@@ -1 +0,0 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f
--- a/packages/apps/ferretdb/templates/backup-cronjob.yaml
+++ b/packages/apps/ferretdb/templates/backup-cronjob.yaml
@@ -1,99 +0,0 @@
-{{- if .Values.backup.enabled }}
-{{ $image := .Files.Get "images/backup.json" | fromJson }}
-
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: {{ .Release.Name }}-backup
-spec:
-  schedule: "{{ .Values.backup.schedule }}"
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      backoffLimit: 2
-      template:
-        spec:
-          restartPolicy: OnFailure
-      template:
-        metadata:
-          annotations:
-            checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }}
-            checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }}
-        spec:
-          restartPolicy: Never
-          containers:
-          - name: pgdump
-            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
-            command:
-            - /bin/sh
-            - /scripts/backup.sh
-            env:
-            - name: REPO_PREFIX
-              value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }}
-            - name: CLEANUP_STRATEGY
-              value: {{ required "cleanupStrategy is not specified!" .Values.backup.cleanupStrategy | quote }}
-            - name: PGUSER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-postgres-superuser
-                  key: username
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-postgres-superuser
-                  key: password
-            - name: PGHOST
-              value: {{ .Release.Name }}-postgres-rw
-            - name: PGPORT
-              value: "5432"
-            - name: PGDATABASE
-              value: postgres
-            - name: AWS_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: s3AccessKey
-            - name: AWS_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: s3SecretKey
-            - name: AWS_DEFAULT_REGION
-              value: {{ .Values.backup.s3Region }}
-            - name: RESTIC_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: resticPassword
-            volumeMounts:
-            - mountPath: /scripts
-              name: scripts
-            - mountPath: /tmp
-              name: tmp
-            - mountPath: /.cache
-              name: cache
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                drop:
-                - ALL
-              privileged: false
-              readOnlyRootFilesystem: true
-              runAsNonRoot: true
-          volumes:
-          - name: scripts
-            secret:
-              secretName: {{ .Release.Name }}-backup-script
-          - name: tmp
-            emptyDir: {}
-          - name: cache
-            emptyDir: {}
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 9000
-            runAsGroup: 9000
-            seccompProfile:
-              type: RuntimeDefault
-{{- end }}
--- a/packages/apps/ferretdb/templates/backup-script.yaml
+++ b/packages/apps/ferretdb/templates/backup-script.yaml
@@ -1,50 +0,0 @@
-{{- if .Values.backup.enabled }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-backup-script
-stringData:
-  backup.sh: |
-    #!/bin/sh
-    set -e
-    set -o pipefail
-
-    JOB_ID="job-$(uuidgen|cut -f1 -d-)"
-    DB_LIST=$(psql -Atq -c 'SELECT datname FROM pg_catalog.pg_database;' | grep -v '^\(postgres\|app\|template.*\)$')
-    echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list
-    echo "Job ID: $JOB_ID"
-    echo "Target repo: $REPO_PREFIX"
-    echo "Cleanup strategy: $CLEANUP_STRATEGY"
-    echo "Start backup for:"
-    echo "$DB_LIST"
-    echo
-    echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`"
-    for db in $DB_LIST; do
-      (
-        set -x
-        restic -r "s3:${REPO_PREFIX}/$db" cat config >/dev/null 2>&1 || \
-          restic -r "s3:${REPO_PREFIX}/$db" init --repository-version 2
-        restic -r "s3:${REPO_PREFIX}/$db" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it
-        pg_dump -Z0 -Ft -d "$db" | \
-          restic -r "s3:${REPO_PREFIX}/$db" backup --tag "$JOB_ID" --stdin --stdin-filename dump.tar
-        restic -r "s3:${REPO_PREFIX}/$db" tag --tag "$JOB_ID" --set "completed"
-      )
-    done
-    echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`"
-
-    echo
-    echo "Run cleanup:"
-    echo
-
-    echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`"
-    for db in $DB_LIST; do
-      (
-        set -x
-        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" # keep completed snapshots only
-        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY
-        restic prune -r "s3:${REPO_PREFIX}/$db"
-      )
-    done
-    echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`"
-{{- end }}
--- a/packages/apps/ferretdb/templates/backup-secret.yaml
+++ b/packages/apps/ferretdb/templates/backup-secret.yaml
@@ -1,11 +0,0 @@
-{{- if .Values.backup.enabled }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-backup
-stringData:
-  s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
-  s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
-  resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
-{{- end }}
--- a/packages/apps/ferretdb/templates/backup.yaml
+++ b/packages/apps/ferretdb/templates/backup.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: {{ .Release.Name }}-postgres
+spec:
+  schedule: {{ .Values.backup.schedule | quote }}
+  backupOwnerReference: self
+  cluster:
+    name: {{ .Release.Name }}-postgres
+{{- end }}
--- a/packages/apps/ferretdb/templates/external-svc.yaml
+++ b/packages/apps/ferretdb/templates/external-svc.yaml
@@ -8,7 +8,9 @@ spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  {{- if .Values.external }}
  externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
  allocateLoadBalancerNodePorts: false
+    {{- end }}
  {{- end }}
  ports:
  - name: ferretdb
--- a/packages/apps/ferretdb/templates/ferretdb.yaml
+++ b/packages/apps/ferretdb/templates/ferretdb.yaml
@@ -16,12 +16,14 @@ spec:
    spec:
      containers:
      - name: ferretdb
-        image: ghcr.io/ferretdb/ferretdb:1.24.0
+        image: ghcr.io/ferretdb/ferretdb:2.4.0
        ports:
        - containerPort: 27017
        env:
-          - name: FERRETDB_POSTGRESQL_URL
+          - name: POSTGRESQL_PASSWORD
            valueFrom:
              secretKeyRef:
-                name: {{ .Release.Name }}-postgres-app
-                key: uri
+                name: {{ .Release.Name }}-postgres-superuser
+                key: password
+          - name: FERRETDB_POSTGRESQL_URL
+            value: "postgresql://postgres:$(POSTGRESQL_PASSWORD)@{{ .Release.Name }}-postgres-rw:5432/postgres"
--- a/packages/apps/ferretdb/templates/init-job.yaml
+++ b/packages/apps/ferretdb/templates/init-job.yaml
@@ -1,66 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ .Release.Name }}-init-job
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": before-hook-creation
-spec:
-  template:
-    metadata:
-      name: {{ .Release.Name }}-init-job
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/init-script.yaml") . | sha256sum }}
-    spec:
-      restartPolicy: Never
-      containers:
-      - name: postgres
-        image: ghcr.io/cloudnative-pg/postgresql:15.3
-        command:
-        - bash
-        - /scripts/init.sh
-        env:
-        - name: PGUSER
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-postgres-superuser
-              key: username
-        - name: PGPASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-postgres-superuser
-              key: password
-        - name: PGHOST
-          value: {{ .Release.Name }}-postgres-rw
-        - name: PGPORT
-          value: "5432"
-        - name: PGDATABASE
-          value: postgres
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          privileged: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-        volumeMounts:
-        - mountPath: /etc/secret
-          name: secret
-        - mountPath: /scripts
-          name: scripts
-      securityContext:
-        fsGroup: 26
-        runAsGroup: 26
-        runAsNonRoot: true
-        runAsUser: 26
-        seccompProfile:
-          type: RuntimeDefault
-      volumes:
-      - name: secret
-        secret:
-          secretName: {{ .Release.Name }}-postgres-superuser
-      - name: scripts
-        secret:
-          secretName: {{ .Release.Name }}-init-script
--- a/packages/apps/ferretdb/templates/init-script.yaml
+++ b/packages/apps/ferretdb/templates/init-script.yaml
@@ -1,131 +0,0 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
-{{- $passwords := dict }}
-
-{{- with (index $existingSecret "data") }}
-  {{- range $k, $v := . }}
-    {{- $_ := set $passwords $k (b64dec $v) }}
-  {{- end }}
-{{- end }}
-
-{{- range $user, $u := .Values.users }}
-  {{- if $u.password }}
-    {{- $_ := set $passwords $user $u.password }}
-  {{- else if not (index $passwords $user) }}
-    {{- $_ := set $passwords $user (randAlphaNum 16) }}
-  {{- end }}
-{{- end }}
-
-{{- if .Values.users }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-credentials
-stringData:
-  {{- range $user, $u := .Values.users }}
-  {{ quote $user }}: {{ quote (index $passwords $user) }}
-  {{- end }}
-{{- end }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-init-script
-stringData:
-  init.sh: |
-    #!/bin/bash
-    set -e
-
-    until pg_isready ; do sleep 5; done
-
-    echo "== create users"
-    {{- if .Values.users }}
-    psql -v ON_ERROR_STOP=1 <<\EOT
-    {{- range $user, $u := .Values.users }}
-    SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
-    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
-    COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
-    {{- end }}
-    EOT
-    {{- end }}
-
-    echo "== delete users"
-    MANAGED_USERS=$(echo '\du+' | psql | awk -F'|' '$4 == " user managed by helm" {print $1}' | awk NF=NF RS= OFS=' ')
-    DEFINED_USERS="{{ join " " (keys .Values.users) }}"
-    DELETE_USERS=$(for user in $MANAGED_USERS; do case " $DEFINED_USERS " in *" $user "*) :;; *) echo $user;; esac; done)
-
-    echo "users to delete: $DELETE_USERS"
-    for user in $DELETE_USERS; do
-    # https://stackoverflow.com/a/51257346/2931267
-    psql -v ON_ERROR_STOP=1 --echo-all <<EOT
-    REASSIGN OWNED BY $user TO postgres;
-    DROP OWNED BY $user;
-    DROP USER $user;
-    EOT
-    done
-
-    echo "== create roles"
-    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
-    SELECT 'CREATE ROLE app_admin NOINHERIT;'
-    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'app_admin')\gexec
-    COMMENT ON ROLE app_admin IS 'role managed by helm';
-    EOT
-
-    echo "== grant privileges on databases to roles"
-    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
-    ALTER DATABASE app OWNER TO app_admin;
-
-    DO $$
-    DECLARE
-        schema_record record;
-    BEGIN
-        -- Loop over all schemas
-        FOR schema_record IN SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT IN ('pg_catalog', 'information_schema') LOOP
-            -- Changing Schema Ownership
-            EXECUTE format('ALTER SCHEMA %I OWNER TO %I', schema_record.schema_name, 'app_admin');
-
-            -- Add rights for the admin role
-            EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL SEQUENCES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL FUNCTIONS IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', schema_record.schema_name, 'app_admin');
-        END LOOP;
-    END$$;
-    EOT
-
-    echo "== setup event trigger for schema creation"
-    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
-    CREATE OR REPLACE FUNCTION auto_grant_schema_privileges()
-    RETURNS event_trigger LANGUAGE plpgsql AS $$
-    DECLARE
-      obj record;
-    BEGIN
-      FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE SCHEMA' LOOP
-        -- Set owner for schema
-        EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, 'app_admin');
-
-        -- Set privileges for admin role
-        EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', obj.object_identity, 'app_admin');
-      END LOOP;
-    END;
-    $$;
-
-    DROP EVENT TRIGGER IF EXISTS trigger_auto_grant;
-    CREATE EVENT TRIGGER trigger_auto_grant ON ddl_command_end
-    WHEN TAG IN ('CREATE SCHEMA')
-    EXECUTE PROCEDURE auto_grant_schema_privileges();
-    EOT
-
-    echo "== assign roles to users"
-    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
-    GRANT app_admin TO app;
-    {{- range $user, $u := $.Values.users }}
-    GRANT app_admin TO {{ $user }};
-    {{- end }}
-    EOT
--- a/packages/apps/ferretdb/templates/postgres.yaml
+++ b/packages/apps/ferretdb/templates/postgres.yaml
@@ -5,6 +5,50 @@ metadata:
  name: {{ .Release.Name }}-postgres
 spec:
  instances: {{ .Values.replicas }}
+  {{- if .Values.backup.enabled }}
+  backup:
+    barmanObjectStore:
+      destinationPath: {{ .Values.backup.destinationPath }}
+      endpointURL: {{ .Values.backup.endpointURL }}
+      s3Credentials:
+        accessKeyId:
+          name: {{ .Release.Name }}-s3-creds
+          key: AWS_ACCESS_KEY_ID
+        secretAccessKey:
+          name: {{ .Release.Name }}-s3-creds
+          key: AWS_SECRET_ACCESS_KEY
+    retentionPolicy: {{ .Values.backup.retentionPolicy }}
+  {{- end }}
+
+  bootstrap:
+    initdb:
+      postInitSQL:
+        - 'CREATE EXTENSION IF NOT EXISTS documentdb CASCADE;'
+    {{- if .Values.bootstrap.enabled }}
+    recovery:
+      source: {{ .Values.bootstrap.oldName }}
+      {{- if .Values.bootstrap.recoveryTime }}
+      recoveryTarget:
+        targetTime: {{ .Values.bootstrap.recoveryTime }}
+      {{- end }}
+    {{- end }}
+  {{- if .Values.bootstrap.enabled }}
+  externalClusters:
+    - name: {{ .Values.bootstrap.oldName }}
+      barmanObjectStore:
+        destinationPath: {{ .Values.backup.destinationPath }}
+        endpointURL: {{ .Values.backup.endpointURL }}
+        s3Credentials:
+          accessKeyId:
+            name: {{ .Release.Name }}-s3-creds
+            key: AWS_ACCESS_KEY_ID
+          secretAccessKey:
+            name: {{ .Release.Name }}-s3-creds
+            key: AWS_SECRET_ACCESS_KEY
+  {{- end }}
+  imageName: ghcr.io/ferretdb/postgres-documentdb:17-0.105.0-ferretdb-2.4.0
+  postgresUID: 999
+  postgresGID: 999
  enableSuperuserAccess: true
  {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
  {{- if $configMap }}
@@ -22,6 +66,17 @@ spec:
  monitoring:
    enablePodMonitor: true

+  postgresql:
+    shared_preload_libraries:
+      - pg_cron
+      - pg_documentdb_core
+      - pg_documentdb
+    parameters:
+      cron.database_name: 'postgres'
+    pg_hba:
+      - host postgres postgres 127.0.0.1/32 trust
+      - host postgres postgres ::1/128 trust
+
  storage:
    size: {{ required ".Values.size is required" .Values.size }}
    {{- with .Values.storageClass }}
@@ -42,8 +97,6 @@ spec:
      passwordSecret:
        name: {{ printf "%s-user-%s" $.Release.Name $user }}
      login: true
-      inRoles:
-      - app
    {{- end }}
  {{- end }}

--- a/packages/apps/ferretdb/values.schema.json
+++ b/packages/apps/ferretdb/values.schema.json
@@ -1,98 +1,100 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "quorum": {
-            "type": "object",
-            "properties": {
-                "minSyncReplicas": {
-                    "type": "number",
-                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed",
-                    "default": 0
-                },
-                "maxSyncReplicas": {
-                    "type": "number",
-                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)",
-                    "default": 0
-                }
-            }
-        },
        "backup": {
-            "type": "object",
            "properties": {
+                "destinationPath": {
+                    "default": "s3://bucket/path/to/folder/",
+                    "description": "Path to store the backup (i.e. s3://bucket/path/to/folder)",
+                    "type": "string"
+                },
                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable periodic backups",
-                    "default": false
+                    "default": false,
+                    "description": "Enable regular backups",
+                    "type": "boolean"
                },
-                "s3Region": {
-                    "type": "string",
-                    "description": "The AWS S3 region where backups are stored",
-                    "default": "us-east-1"
+                "endpointURL": {
+                    "default": "http://minio-gateway-service:9000",
+                    "description": "S3 Endpoint used to upload data to the cloud",
+                    "type": "string"
                },
-                "s3Bucket": {
-                    "type": "string",
-                    "description": "The S3 bucket used for storing backups",
-                    "default": "s3.example.org/postgres-backups"
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
-                },
-                "cleanupStrategy": {
-                    "type": "string",
-                    "description": "The strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                "retentionPolicy": {
+                    "default": "30d",
+                    "description": "Retention policy",
+                    "type": "string"
                },
                "s3AccessKey": {
-                    "type": "string",
-                    "description": "The access key for S3, used for authentication",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
+                    "description": "Access key for S3, used for authentication",
+                    "type": "string"
                },
                "s3SecretKey": {
-                    "type": "string",
-                    "description": "The secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
+                    "description": "Secret key for S3, used for authentication",
+                    "type": "string"
                },
-                "resticPassword": {
-                    "type": "string",
-                    "description": "The password for Restic backup encryption",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                "schedule": {
+                    "default": "0 2 * * * *",
+                    "description": "Cron schedule for automated backups",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
+        },
+        "bootstrap": {
+            "properties": {
+                "enabled": {
+                    "default": false,
+                    "description": "Restore database cluster from a backup",
+                    "type": "boolean"
+                },
+                "oldName": {
+                    "default": "",
+                    "description": "Name of database cluster before deleting",
+                    "type": "string"
+                },
+                "recoveryTime": {
+                    "default": "",
+                    "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest",
+                    "type": "string"
+                }
+            },
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "quorum": {
+            "properties": {
+                "maxSyncReplicas": {
+                    "default": 0,
+                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)",
+                    "type": "number"
+                },
+                "minSyncReplicas": {
+                    "default": 0,
+                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed",
+                    "type": "number"
+                }
+            },
+            "type": "object"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
+            "default": "micro",
            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
-            "default": "nano",
+            "type": "string",
            "enum": [
-                "none",
                "nano",
                "micro",
                "small",
@@ -101,6 +103,18 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/ferretdb/values.yaml
+++ b/packages/apps/ferretdb/values.yaml
@@ -1,24 +1,30 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of replicas
-## @param storageClass StorageClass used to store the data
 ##
-external: false
-size: 10Gi
+## @param replicas Number of replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+#  resources:
+#    cpu: 4000m
+#    memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "micro"
+## @param size Persistent Volume size
+size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
+## @param external Enable external access from outside the cluster
+external: false

+
+## @section Application-specific parameters
+##
 ## Configuration for the quorum-based synchronous replication
 ## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed
 ## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)
 quorum:
  minSyncReplicas: 0
  maxSyncReplicas: 0
-
-## @section Configuration parameters
-
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -29,31 +35,36 @@ quorum:
 ##
 users: {}

-## @section Backup parameters

-## @param backup.enabled Enable periodic backups
-## @param backup.s3Region The AWS S3 region where backups are stored
-## @param backup.s3Bucket The S3 bucket used for storing backups
+## @section Backup parameters
+##
+## @param backup.enabled Enable regular backups
 ## @param backup.schedule Cron schedule for automated backups
-## @param backup.cleanupStrategy The strategy for cleaning up old backups
-## @param backup.s3AccessKey The access key for S3, used for authentication
-## @param backup.s3SecretKey The secret key for S3, used for authentication
-## @param backup.resticPassword The password for Restic backup encryption
+## @param backup.retentionPolicy Retention policy
+## @param backup.destinationPath Path to store the backup (i.e. s3://bucket/path/to/folder)
+## @param backup.endpointURL S3 Endpoint used to upload data to the cloud
+## @param backup.s3AccessKey Access key for S3, used for authentication
+## @param backup.s3SecretKey Secret key for S3, used for authentication
 backup:
  enabled: false
-  s3Region: us-east-1
-  s3Bucket: s3.example.org/postgres-backups
-  schedule: "0 2 * * *"
-  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  retentionPolicy: 30d
+  destinationPath: s3://bucket/path/to/folder/
+  endpointURL: http://minio-gateway-service:9000
+  schedule: "0 2 * * * *"
  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

-## @param resources Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi

-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "nano"
+## @section Bootstrap (recovery) parameters
+##
+## @param bootstrap.enabled Restore database cluster from a backup
+## @param bootstrap.recoveryTime Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest
+## @param bootstrap.oldName Name of database cluster before deleting
+##
+bootstrap:
+  enabled: false
+  # example: 2020-11-26 15:22:00.00000+00
+  recoveryTime: ""
+  oldName: ""
+
+
--- a/packages/apps/http-cache/Chart.yaml
+++ b/packages/apps/http-cache/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.6.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/http-cache/Makefile
+++ b/packages/apps/http-cache/Makefile
@@ -1,4 +1,5 @@
 NGINX_CACHE_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
@@ -22,9 +23,9 @@ image-nginx:
 	rm -f images/nginx-cache.json

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.haproxy.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
-	yq -i -o json --indent 4 '.properties.nginx.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.haproxy.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+	yq -i -o json --indent 4 '.properties.nginx.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json

 update:
 	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/chrislim2888/IP2Location-C-Library | awk -F'[/^]' 'END{print $$3}') && \
--- a/packages/apps/http-cache/README.md
+++ b/packages/apps/http-cache/README.md
@@ -60,24 +60,34 @@ The deployment architecture is illustrated in the diagram below:

 ### Common parameters

-| Name                      | Description                                                                                                                          | Value   |
-| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------- |
-| `external`                | Enable external access from outside the cluster                                                                                      | `false` |
-| `size`                    | Persistent Volume size                                                                                                               | `10Gi`  |
-| `storageClass`            | StorageClass used to store the data                                                                                                  | `""`    |
-| `haproxy.replicas`        | Number of HAProxy replicas                                                                                                           | `2`     |
-| `nginx.replicas`          | Number of Nginx replicas                                                                                                             | `2`     |
-| `haproxy.resources`       | Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `haproxy.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.    | `nano`  |
-| `nginx.resources`         | Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.   | `{}`    |
-| `nginx.resourcesPreset`   | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.    | `nano`  |
+| Name           | Description                                     | Value   |
+| -------------- | ----------------------------------------------- | ------- |
+| `size`         | Persistent Volume size                          | `10Gi`  |
+| `storageClass` | StorageClass used to store the data             | `""`    |
+| `external`     | Enable external access from outside the cluster | `false` |

-### Configuration parameters
+### Application-specific parameters

 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
 | `endpoints` | Endpoints configuration | `[]`  |

+### HAProxy parameters
+
+| Name                      | Description                                                                                                                          | Value  |
+| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------ |
+| `haproxy.replicas`        | Number of HAProxy replicas                                                                                                           | `2`    |
+| `haproxy.resources`       | Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`   |
+| `haproxy.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.          | `nano` |
+
+### Nginx parameters
+
+| Name                    | Description                                                                                                                        | Value  |
+| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `nginx.replicas`        | Number of Nginx replicas                                                                                                           | `2`    |
+| `nginx.resources`       | Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`   |
+| `nginx.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.        | `nano` |
+
 ## Parameter examples and reference

 ### resources and resourcesPreset
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.6.0@sha256:b7633717cd7449c0042ae92d8ca9b36e4d69566561f5c7d44e21058e7d05c6d5
+ghcr.io/cozystack/cozystack/nginx-cache:0.6.1@sha256:b7633717cd7449c0042ae92d8ca9b36e4d69566561f5c7d44e21058e7d05c6d5
--- a/packages/apps/http-cache/templates/haproxy/service.yaml
+++ b/packages/apps/http-cache/templates/haproxy/service.yaml
@@ -10,7 +10,9 @@ spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  {{- if .Values.external }}
  externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
  allocateLoadBalancerNodePorts: false
+    {{- end }}
  {{- end }}
  selector:
    app: {{ .Release.Name }}-haproxy
--- a/packages/apps/http-cache/values.schema.json
+++ b/packages/apps/http-cache/values.schema.json
@@ -1,41 +1,33 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
+        "endpoints": {
+            "default": [],
+            "description": "Endpoints configuration",
+            "items": {},
+            "type": "array"
+        },
        "external": {
-            "type": "boolean",
+            "default": false,
            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
+            "type": "boolean"
        },
        "haproxy": {
-            "type": "object",
            "properties": {
                "replicas": {
-                    "type": "number",
+                    "default": 2,
                    "description": "Number of HAProxy replicas",
-                    "default": 2
+                    "type": "number"
                },
                "resources": {
-                    "type": "object",
+                    "default": {},
                    "description": "Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
+                    "type": "object"
                },
                "resourcesPreset": {
-                    "type": "string",
-                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
                    "default": "nano",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
                    "enum": [
-                        "none",
                        "nano",
                        "micro",
                        "small",
@@ -45,27 +37,26 @@
                        "2xlarge"
                    ]
                }
-            }
+            },
+            "type": "object"
        },
        "nginx": {
-            "type": "object",
            "properties": {
                "replicas": {
-                    "type": "number",
+                    "default": 2,
                    "description": "Number of Nginx replicas",
-                    "default": 2
+                    "type": "number"
                },
                "resources": {
-                    "type": "object",
+                    "default": {},
                    "description": "Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
+                    "type": "object"
                },
                "resourcesPreset": {
-                    "type": "string",
-                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
                    "default": "nano",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
                    "enum": [
-                        "none",
                        "nano",
                        "micro",
                        "small",
@@ -75,13 +66,20 @@
                        "2xlarge"
                    ]
                }
-            }
+            },
+            "type": "object"
        },
-        "endpoints": {
-            "type": "array",
-            "description": "Endpoints configuration",
-            "default": [],
-            "items": {}
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/http-cache/values.yaml
+++ b/packages/apps/http-cache/values.yaml
@@ -1,37 +1,12 @@
-
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param storageClass StorageClass used to store the data
-## @param haproxy.replicas Number of HAProxy replicas
-## @param nginx.replicas Number of Nginx replicas
 ##
-external: false
+## @param size Persistent Volume size
 size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
-haproxy:
-  replicas: 2
-  ## @param haproxy.resources Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied.
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-
-  ## @param haproxy.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
-  resourcesPreset: "nano"
-nginx:
-  replicas: 2
-  ## @param nginx.resources Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-
-  ## @param nginx.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
-  resourcesPreset: "nano"
-
-## @section Configuration parameters
+## @param external Enable external access from outside the cluster
+external: false
+## @section Application-specific parameters

 ## @param endpoints Endpoints configuration
 ## Example:
@@ -44,3 +19,29 @@ nginx:
 ##   - 10.100.3.13:80
 ##
 endpoints: []
+
+## @section HAProxy parameters
+haproxy:
+  ## @param haproxy.replicas Number of HAProxy replicas
+  replicas: 2
+  ## @param haproxy.resources Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+
+  ## @param haproxy.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "nano"
+
+## @section Nginx parameters
+nginx:
+  ## @param nginx.replicas Number of Nginx replicas
+  replicas: 2
+  ## @param nginx.resources Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+
+  ## @param nginx.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "nano"
--- a/packages/apps/kafka/Chart.yaml
+++ b/packages/apps/kafka/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.8.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kafka/Makefile
+++ b/packages/apps/kafka/Makefile
@@ -1,6 +1,7 @@
 include ../../../scripts/package.mk
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.kafka.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
-	yq -i -o json --indent 4 '.properties.zookeeper.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.kafka.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+	yq -i -o json --indent 4 '.properties.zookeeper.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
--- a/packages/apps/kafka/README.md
+++ b/packages/apps/kafka/README.md
@@ -4,25 +4,35 @@

 ### Common parameters

+| Name       | Description                                     | Value   |
+| ---------- | ----------------------------------------------- | ------- |
+| `external` | Enable external access from outside the cluster | `false` |
+
+### Application-specific parameters
+
+| Name     | Description                        | Value |
+| -------- | ---------------------------------- | ----- |
+| `topics` | Topics configuration (see example) | `[]`  |
+
+### Kafka configuration
+
+| Name                    | Description                                                                                                                        | Value   |
+| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `kafka.replicas`        | Number of Kafka replicas                                                                                                           | `3`     |
+| `kafka.resources`       | Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `kafka.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.        | `small` |
+| `kafka.size`            | Persistent Volume size for Kafka                                                                                                   | `10Gi`  |
+| `kafka.storageClass`    | StorageClass used to store the Kafka data                                                                                          | `""`    |
+
+### Zookeeper configuration
+
 | Name                        | Description                                                                                                                            | Value   |
 | --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`                  | Enable external access from outside the cluster                                                                                        | `false` |
-| `kafka.size`                | Persistent Volume size for Kafka                                                                                                       | `10Gi`  |
-| `kafka.replicas`            | Number of Kafka replicas                                                                                                               | `3`     |
-| `kafka.storageClass`        | StorageClass used to store the Kafka data                                                                                              | `""`    |
-| `zookeeper.size`            | Persistent Volume size for ZooKeeper                                                                                                   | `5Gi`   |
 | `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                           | `3`     |
-| `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                          | `""`    |
-| `kafka.resources`           | Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.     | `{}`    |
-| `kafka.resourcesPreset`     | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `small` |
 | `zookeeper.resources`       | Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `zookeeper.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `small` |
-
-### Configuration parameters
-
-| Name     | Description          | Value |
-| -------- | -------------------- | ----- |
-| `topics` | Topics configuration | `[]`  |
+| `zookeeper.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `small` |
+| `zookeeper.size`            | Persistent Volume size for ZooKeeper                                                                                                   | `5Gi`   |
+| `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                          | `""`    |

 ## Parameter examples and reference

--- a/packages/apps/kafka/values.schema.json
+++ b/packages/apps/kafka/values.schema.json
@@ -1,41 +1,27 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
        "external": {
-            "type": "boolean",
+            "default": false,
            "description": "Enable external access from outside the cluster",
-            "default": false
+            "type": "boolean"
        },
        "kafka": {
-            "type": "object",
            "properties": {
-                "size": {
-                    "type": "string",
-                    "description": "Persistent Volume size for Kafka",
-                    "default": "10Gi"
-                },
                "replicas": {
-                    "type": "number",
+                    "default": 3,
                    "description": "Number of Kafka replicas",
-                    "default": 3
-                },
-                "storageClass": {
-                    "type": "string",
-                    "description": "StorageClass used to store the Kafka data",
-                    "default": ""
+                    "type": "number"
                },
                "resources": {
-                    "type": "object",
+                    "default": {},
                    "description": "Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
+                    "type": "object"
                },
                "resourcesPreset": {
-                    "type": "string",
-                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
                    "default": "small",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
                    "enum": [
-                        "none",
                        "nano",
                        "micro",
                        "small",
@@ -44,54 +30,66 @@
                        "xlarge",
                        "2xlarge"
                    ]
-                }
-            }
-        },
-        "zookeeper": {
-            "type": "object",
-            "properties": {
-                "size": {
-                    "type": "string",
-                    "description": "Persistent Volume size for ZooKeeper",
-                    "default": "5Gi"
                },
-                "replicas": {
-                    "type": "number",
-                    "description": "Number of ZooKeeper replicas",
-                    "default": 3
+                "size": {
+                    "default": "10Gi",
+                    "description": "Persistent Volume size for Kafka",
+                    "type": "string"
                },
                "storageClass": {
-                    "type": "string",
-                    "description": "StorageClass used to store the ZooKeeper data",
-                    "default": ""
-                },
-                "resources": {
-                    "type": "object",
-                    "description": "Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
-                },
-                "resourcesPreset": {
-                    "type": "string",
-                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
-                    "default": "small",
-                    "enum": [
-                        "none",
-                        "nano",
-                        "micro",
-                        "small",
-                        "medium",
-                        "large",
-                        "xlarge",
-                        "2xlarge"
-                    ]
+                    "default": "",
+                    "description": "StorageClass used to store the Kafka data",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
        },
        "topics": {
-            "type": "array",
-            "description": "Topics configuration",
            "default": [],
-            "items": {}
+            "description": "Topics configuration (see example)",
+            "items": {},
+            "type": "array"
+        },
+        "zookeeper": {
+            "properties": {
+                "replicas": {
+                    "default": 3,
+                    "description": "Number of ZooKeeper replicas",
+                    "type": "number"
+                },
+                "resources": {
+                    "default": {},
+                    "description": "Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.",
+                    "type": "object"
+                },
+                "resourcesPreset": {
+                    "default": "small",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
+                    "enum": [
+                        "nano",
+                        "micro",
+                        "small",
+                        "medium",
+                        "large",
+                        "xlarge",
+                        "2xlarge"
+                    ]
+                },
+                "size": {
+                    "default": "5Gi",
+                    "description": "Persistent Volume size for ZooKeeper",
+                    "type": "string"
+                },
+                "storageClass": {
+                    "default": "",
+                    "description": "StorageClass used to store the ZooKeeper data",
+                    "type": "string"
+                }
+            },
+            "type": "object"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/kafka/values.yaml
+++ b/packages/apps/kafka/values.yaml
@@ -1,42 +1,12 @@
-
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param kafka.size Persistent Volume size for Kafka
-## @param kafka.replicas Number of Kafka replicas
-## @param kafka.storageClass StorageClass used to store the Kafka data
-## @param zookeeper.size Persistent Volume size for ZooKeeper
-## @param zookeeper.replicas Number of ZooKeeper replicas
-## @param zookeeper.storageClass StorageClass used to store the ZooKeeper data
 ##
+## @param external Enable external access from outside the cluster
 external: false
-kafka:
-  size: 10Gi
-  replicas: 3
-  storageClass: ""
-  ## @param kafka.resources Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-  ## @param kafka.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
-  resourcesPreset: "small"

-zookeeper:
-  size: 5Gi
-  replicas: 3
-  storageClass: ""
-  ## @param zookeeper.resources Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-  ## @param zookeeper.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
-  resourcesPreset: "small"

-## @section Configuration parameters
-
-## @param topics Topics configuration
+## @section Application-specific parameters
+##
+## @param topics Topics configuration (see example)
 ## Example:
 ## topics:
 ##   - name: Results
@@ -54,3 +24,41 @@ zookeeper:
 ##     replicas: 3
 ##
 topics: []
+
+## @section Kafka configuration
+##
+kafka:
+  ## @param kafka.replicas Number of Kafka replicas
+  replicas: 3
+  ## @param kafka.resources Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+  ## @param kafka.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "small"
+  ## @param kafka.size Persistent Volume size for Kafka
+  size: 10Gi
+  ## @param kafka.storageClass StorageClass used to store the Kafka data
+  storageClass: ""
+
+
+## @section Zookeeper configuration
+##
+zookeeper:
+  ## @param zookeeper.replicas Number of ZooKeeper replicas
+  replicas: 3
+  ## @param zookeeper.resources Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+  ## @param zookeeper.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "small"
+  ## @param zookeeper.size Persistent Volume size for ZooKeeper
+  size: 5Gi
+  ## @param zookeeper.storageClass StorageClass used to store the ZooKeeper data
+  storageClass: ""
+
+
+
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.25.2
+version: 0.26.3

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 1.32.4
+appVersion: 1.32.6
--- a/packages/apps/kubernetes/Makefile
+++ b/packages/apps/kubernetes/Makefile
@@ -1,16 +1,18 @@
 KUBERNETES_VERSION = v1.32
 KUBERNETES_PKG_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
+	yq -o=json -i '.properties.version.enum = (load("files/versions.yaml") | keys)' values.schema.json
 	yq -o json -i '.properties.addons.properties.ingressNginx.properties.exposeMethod.enum = ["Proxied","LoadBalancer"]' values.schema.json
-	yq -o json -i '.properties.controlPlane.properties.apiServer.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
-	yq -o json -i '.properties.controlPlane.properties.controllerManager.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
-	yq -o json -i '.properties.controlPlane.properties.scheduler.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
-	yq -o json -i '.properties.controlPlane.properties.konnectivity.properties.server.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
+	yq -o json -i '.properties.controlPlane.properties.apiServer.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+	yq -o json -i '.properties.controlPlane.properties.controllerManager.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+	yq -o json -i '.properties.controlPlane.properties.scheduler.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+	yq -o json -i '.properties.controlPlane.properties.konnectivity.properties.server.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json

 image: image-ubuntu-container-disk image-kubevirt-cloud-provider image-kubevirt-csi-driver image-cluster-autoscaler

--- a/packages/apps/kubernetes/README.md
+++ b/packages/apps/kubernetes/README.md
@@ -11,6 +11,9 @@ Tenant clusters are fully separated from the management cluster and are intended
 Within a tenant cluster, users can take advantage of LoadBalancer services and easily provision physical volumes as needed.                               
 The control-plane operates within containers, while the worker nodes are deployed as virtual machines, all seamlessly managed by the application.

+Kubernetes version in tenant clusters is independent of Kubernetes in the management cluster.
+Users can select the latest patch versions from 1.28 to 1.33.
+
 ## Why Use a Managed Kubernetes Cluster?

 Kubernetes has emerged as the industry standard, providing a unified and accessible API, primarily utilizing YAML for configuration.
@@ -81,12 +84,17 @@ See the reference for components utilized in this service:

 ### Common Parameters

-| Name                    | Description                                                                                                       | Value        |
-| ----------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
-| `host`                  | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
-| `controlPlane.replicas` | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
-| `storageClass`          | StorageClass used to store user data.                                                                             | `replicated` |
-| `nodeGroups`            | nodeGroups configuration                                                                                          | `{}`         |
+| Name           | Description                           | Value        |
+| -------------- | ------------------------------------- | ------------ |
+| `storageClass` | StorageClass used to store user data. | `replicated` |
+
+### Application-specific parameters
+
+| Name         | Description                                                                                                       | Value   |
+| ------------ | ----------------------------------------------------------------------------------------------------------------- | ------- |
+| `version`    | Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.                               | `v1.32` |
+| `host`       | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`    |
+| `nodeGroups` | Worker nodes configuration (see example)                                                                          | `{}`    |

 ### Cluster Addons

@@ -97,9 +105,9 @@ See the reference for components utilized in this service:
 | `addons.cilium.valuesOverride`                | Custom values to override                                                                                                                                                         | `{}`      |
 | `addons.gatewayAPI.enabled`                   | Enable the Gateway API                                                                                                                                                            | `false`   |
 | `addons.ingressNginx.enabled`                 | Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).                                                                                       | `false`   |
-| `addons.ingressNginx.valuesOverride`          | Custom values to override                                                                                                                                                         | `{}`      |
 | `addons.ingressNginx.exposeMethod`            | Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)                                                                                            | `Proxied` |
 | `addons.ingressNginx.hosts`                   | List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.                                | `[]`      |
+| `addons.ingressNginx.valuesOverride`          | Custom values to override                                                                                                                                                         | `{}`      |
 | `addons.gpuOperator.enabled`                  | Enable the GPU-operator                                                                                                                                                           | `false`   |
 | `addons.gpuOperator.valuesOverride`           | Custom values to override                                                                                                                                                         | `{}`      |
 | `addons.fluxcd.enabled`                       | Enable FluxCD                                                                                                                                                                     | `false`   |
@@ -114,15 +122,15 @@ See the reference for components utilized in this service:

 | Name                                               | Description                                                                                                                            | Value    |
 | -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | -------- |
+| `controlPlane.replicas`                            | Number of replicas for Kubernetes control-plane components.                                                                            | `2`      |
 | `controlPlane.apiServer.resources`                 | Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.         | `{}`     |
-| `controlPlane.apiServer.resourcesPreset`           | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `medium` |
+| `controlPlane.apiServer.resourcesPreset`           | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `medium` |
 | `controlPlane.controllerManager.resources`         | Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`     |
-| `controlPlane.controllerManager.resourcesPreset`   | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `micro`  |
+| `controlPlane.controllerManager.resourcesPreset`   | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `micro`  |
 | `controlPlane.scheduler.resources`                 | Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.          | `{}`     |
-| `controlPlane.scheduler.resourcesPreset`           | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `micro`  |
+| `controlPlane.scheduler.resourcesPreset`           | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `micro`  |
 | `controlPlane.konnectivity.server.resources`       | Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.           | `{}`     |
-| `controlPlane.konnectivity.server.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `micro`  |
-
+| `controlPlane.konnectivity.server.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `micro`  |

 ## Parameter examples and reference

--- a/packages/apps/kubernetes/files/versions.yaml
+++ b/packages/apps/kubernetes/files/versions.yaml
@@ -0,0 +1,6 @@
+"v1.28": "v1.28.15"
+"v1.29": "v1.29.15"
+"v1.30": "v1.30.14"
+"v1.31": "v1.31.10"
+"v1.32": "v1.32.6"
+"v1.33": "v1.33.0"
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.25.2@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.26.2@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.25.2@sha256:e522960064290747a67502d4e8927c591bdb290bad1f0bae88a02758ebfd380f
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.26.2@sha256:5335c044313b69ee13b30ca4941687e509005e55f4ae25723861edbf2fbd6dd2
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider/Dockerfile
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider/Dockerfile
@@ -21,6 +21,6 @@ RUN go mod vendor

 RUN CGO_ENABLED=0 go build -mod=vendor -ldflags="-s -w" -o bin/kubevirt-cloud-controller-manager ./cmd/kubevirt-cloud-controller-manager

-FROM registry.access.redhat.com/ubi9/ubi-micro
+FROM scratch
 COPY --from=builder /go/src/kubevirt.io/cloud-provider-kubevirt/bin/kubevirt-cloud-controller-manager /bin/kubevirt-cloud-controller-manager
 ENTRYPOINT [ "/bin/kubevirt-cloud-controller-manager" ]
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.25.2@sha256:761e7235ff9cb7f6f223f00954943e6a5af32ed6624ee592a8610122f96febb0
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.26.2@sha256:761e7235ff9cb7f6f223f00954943e6a5af32ed6624ee592a8610122f96febb0
--- a/packages/apps/kubernetes/templates/_versions.tpl
+++ b/packages/apps/kubernetes/templates/_versions.tpl
@@ -0,0 +1,7 @@
+{{- define "kubernetes.versionMap" }}
+{{- $versionMap := .Files.Get "files/versions.yaml" | fromYaml }}
+{{- if not (hasKey $versionMap .Values.version) }}
+    {{- printf `Kubernetes version %s is not supported, allowed versions are %s` $.Values.version (keys $versionMap) | fail }}
+{{- end }}
+{{- index $versionMap .Values.version }}
+{{- end }}
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -151,7 +151,7 @@ spec:
      labels:
        policy.cozystack.io/allow-to-etcd: "true"
  replicas: 2
-  version: {{ $.Chart.AppVersion }}
+  version: {{ include "kubernetes.versionMap" $ }}
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: WorkloadMonitor
@@ -290,7 +290,7 @@ spec:
        kind: KubevirtMachineTemplate
        name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
        namespace: {{ $.Release.Namespace }}
-      version: v{{ $.Chart.AppVersion }}
+      version: {{ include "kubernetes.versionMap" $}}
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineHealthCheck
--- a/packages/apps/kubernetes/templates/csi/deploy.yaml
+++ b/packages/apps/kubernetes/templates/csi/deploy.yaml
@@ -69,6 +69,11 @@ spec:
            requests:
              cpu: 125m
              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
        - name: csi-provisioner
          image: quay.io/openshift/origin-csi-external-provisioner:latest
          resources:
@@ -78,6 +83,11 @@ spec:
            requests:
              cpu: 125m
              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
          args:
            - "--csi-address=$(ADDRESS)"
            - "--default-fstype=ext4"
@@ -118,6 +128,11 @@ spec:
            requests:
              cpu: 125m
              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
        - name: csi-liveness-probe
          image: quay.io/openshift/origin-csi-livenessprobe:latest
          args:
@@ -134,6 +149,62 @@ spec:
            requests:
              cpu: 125m
              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+        - name: csi-snapshotter
+          args:
+          - --timeout=1m
+          - --csi-address=$(ADDRESS)
+          - --worker-threads=10
+          - --kubeconfig=/etc/kubernetes/kubeconfig/super-admin.svc
+          env:
+          - name: ADDRESS
+            value: /csi/csi.sock
+          image: registry.k8s.io/sig-storage/csi-snapshotter:v8.3.0
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 512m
+              memory: 512Mi
+            requests:
+              cpu: 125m
+              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+          - mountPath: /csi
+            name: socket-dir
+          - mountPath: /etc/kubernetes/kubeconfig
+            name: kubeconfig
+            readOnly: true
+        - name: snapshot-controller
+          image: registry.k8s.io/sig-storage/snapshot-controller:v8.3.0
+          args:
+            - --worker-threads=10
+            - --kubeconfig=/etc/kubernetes/kubeconfig/super-admin.svc
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 512m
+              memory: 512Mi
+            requests:
+              cpu: 125m
+              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+          - mountPath: /etc/kubernetes/kubeconfig
+            name: kubeconfig
+            readOnly: true
      volumes:
        - name: socket-dir
          emptyDir: {}
--- a/packages/apps/kubernetes/templates/helmreleases/csi.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/csi.yaml
@@ -35,6 +35,8 @@ spec:
    storageClass: "{{ . }}"
  {{- end }}
  dependsOn:
+  - name: {{ .Release.Name }}-vsnap-crd
+    namespace: {{ .Release.Namespace }}
  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
  - name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
--- a/packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler.yaml
@@ -4,6 +4,7 @@
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $targetTenant := index $myNS.metadata.annotations "namespace.cozystack.io/monitoring" }}
 vertical-pod-autoscaler:
+  vpaForVPA: false
  recommender:
    extraArgs:
      container-name-label: container
--- a/packages/apps/kubernetes/templates/helmreleases/volumesnapshot_crd.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/volumesnapshot_crd.yaml
@@ -0,0 +1,39 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-vsnap-crd
+  labels:
+    cozystack.io/repository: system
+    cozystack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: vsnap-crd
+  chart:
+    spec:
+      chart: cozy-vsnap-crd
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-admin-kubeconfig
+      key: super-admin.svc
+  targetNamespace: cozy-vsnap-crd
+  storageNamespace: cozy-vsnap-crd
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
--- a/packages/apps/kubernetes/values.schema.json
+++ b/packages/apps/kubernetes/values.schema.json
@@ -1,34 +1,159 @@
 {
-  "title": "Chart Values",
-  "type": "object",
  "properties": {
-    "host": {
-      "type": "string",
-      "description": "Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.",
-      "default": ""
+    "addons": {
+      "properties": {
+        "certManager": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable cert-manager, which automatically creates and manages SSL/TLS certificates.",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "cilium": {
+          "properties": {
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "fluxcd": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable FluxCD",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "gatewayAPI": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable the Gateway API",
+              "type": "boolean"
+            }
+          },
+          "type": "object"
+        },
+        "gpuOperator": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable the GPU-operator",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "ingressNginx": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).",
+              "type": "boolean"
+            },
+            "exposeMethod": {
+              "default": "Proxied",
+              "description": "Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)",
+              "type": "string",
+              "enum": [
+                "Proxied",
+                "LoadBalancer"
+              ]
+            },
+            "hosts": {
+              "default": [],
+              "description": "List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.",
+              "items": {},
+              "type": "array"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "monitoringAgents": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage.",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "velero": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable velero for backup and restore k8s cluster.",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "verticalPodAutoscaler": {
+          "properties": {
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        }
+      },
+      "type": "object"
    },
    "controlPlane": {
-      "type": "object",
      "properties": {
-        "replicas": {
-          "type": "number",
-          "description": "Number of replicas for Kubernetes control-plane components.",
-          "default": 2
-        },
        "apiServer": {
-          "type": "object",
          "properties": {
            "resources": {
-              "type": "object",
+              "default": {},
              "description": "Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.",
-              "default": {}
+              "type": "object"
            },
            "resourcesPreset": {
-              "type": "string",
-              "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
              "default": "medium",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+              "type": "string",
              "enum": [
-                "none",
                "nano",
                "micro",
                "small",
@@ -38,22 +163,21 @@
                "2xlarge"
              ]
            }
-          }
+          },
+          "type": "object"
        },
        "controllerManager": {
-          "type": "object",
          "properties": {
            "resources": {
-              "type": "object",
+              "default": {},
              "description": "Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.",
-              "default": {}
+              "type": "object"
            },
            "resourcesPreset": {
-              "type": "string",
-              "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
              "default": "micro",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+              "type": "string",
              "enum": [
-                "none",
                "nano",
                "micro",
                "small",
@@ -63,50 +187,23 @@
                "2xlarge"
              ]
            }
-          }
-        },
-        "scheduler": {
-          "type": "object",
-          "properties": {
-            "resources": {
-              "type": "object",
-              "description": "Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.",
-              "default": {}
-            },
-            "resourcesPreset": {
-              "type": "string",
-              "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
-              "default": "micro",
-              "enum": [
-                "none",
-                "nano",
-                "micro",
-                "small",
-                "medium",
-                "large",
-                "xlarge",
-                "2xlarge"
-              ]
-            }
-          }
+          },
+          "type": "object"
        },
        "konnectivity": {
-          "type": "object",
          "properties": {
            "server": {
-              "type": "object",
              "properties": {
                "resources": {
-                  "type": "object",
+                  "default": {},
                  "description": "Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.",
-                  "default": {}
+                  "type": "object"
                },
                "resourcesPreset": {
-                  "type": "string",
-                  "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
                  "default": "micro",
+                  "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                  "type": "string",
                  "enum": [
-                    "none",
                    "nano",
                    "micro",
                    "small",
@@ -116,156 +213,68 @@
                    "2xlarge"
                  ]
                }
-              }
+              },
+              "type": "object"
            }
-          }
+          },
+          "type": "object"
+        },
+        "replicas": {
+          "default": 2,
+          "description": "Number of replicas for Kubernetes control-plane components.",
+          "type": "number"
+        },
+        "scheduler": {
+          "properties": {
+            "resources": {
+              "default": {},
+              "description": "Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.",
+              "type": "object"
+            },
+            "resourcesPreset": {
+              "default": "micro",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+              "type": "string",
+              "enum": [
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+              ]
+            }
+          },
+          "type": "object"
        }
-      }
+      },
+      "type": "object"
+    },
+    "host": {
+      "default": "",
+      "description": "Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.",
+      "type": "string"
    },
    "storageClass": {
-      "type": "string",
+      "default": "replicated",
      "description": "StorageClass used to store user data.",
-      "default": "replicated"
+      "type": "string"
    },
-    "addons": {
-      "type": "object",
-      "properties": {
-        "certManager": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable cert-manager, which automatically creates and manages SSL/TLS certificates.",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "cilium": {
-          "type": "object",
-          "properties": {
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "gatewayAPI": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable the Gateway API",
-              "default": false
-            }
-          }
-        },
-        "ingressNginx": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            },
-            "exposeMethod": {
-              "type": "string",
-              "description": "Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)",
-              "default": "Proxied",
-              "enum": [
-                "Proxied",
-                "LoadBalancer"
-              ]
-            },
-            "hosts": {
-              "type": "array",
-              "description": "List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.",
-              "default": [],
-              "items": {}
-            }
-          }
-        },
-        "gpuOperator": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable the GPU-operator",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "fluxcd": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable FluxCD",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "monitoringAgents": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage.",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "verticalPodAutoscaler": {
-          "type": "object",
-          "properties": {
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "velero": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable velero for backup and restore k8s cluster.",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        }
-      }
+    "version": {
+      "default": "v1.32",
+      "description": "Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.",
+      "type": "string",
+      "enum": [
+        "v1.28",
+        "v1.29",
+        "v1.30",
+        "v1.31",
+        "v1.32",
+        "v1.33"
+      ]
    }
-  }
+  },
+  "title": "Chart Values",
+  "type": "object"
 }
--- a/packages/apps/kubernetes/values.yaml
+++ b/packages/apps/kubernetes/values.yaml
@@ -1,13 +1,14 @@
 ## @section Common Parameters

-## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
-## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
 ## @param storageClass StorageClass used to store user data.
-##
-host: ""
 storageClass: replicated

-## @param nodeGroups [object] nodeGroups configuration
+## @section Application-specific parameters
+## @param version Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.
+version: "v1.32"
+## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
+host: ""
+## @param nodeGroups [object] Worker nodes configuration (see example)
 ##
 nodeGroups:
  md0:
@@ -33,13 +34,12 @@ nodeGroups:
 ## @section Cluster Addons
 ##
 addons:
-
  ## Cert-manager: automatically creates and manages SSL/TLS certificate
  ##
  certManager:
    ## @param addons.certManager.enabled Enable cert-manager, which automatically creates and manages SSL/TLS certificates.
-    ## @param addons.certManager.valuesOverride Custom values to override
    enabled: false
+    ## @param addons.certManager.valuesOverride Custom values to override
    valuesOverride: {}

  ## Cilium CNI plugin
@@ -58,18 +58,17 @@ addons:
  ##
  ingressNginx:
    ## @param addons.ingressNginx.enabled Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).
-    ## @param addons.ingressNginx.valuesOverride Custom values to override
-    ##
    enabled: false
    ## @param addons.ingressNginx.exposeMethod Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)
+    exposeMethod: Proxied
    ## @param addons.ingressNginx.hosts List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.
    ## e.g:
    ## hosts:
    ## - example.org
    ## - foo.example.net
    ##
-    exposeMethod: Proxied
    hosts: []
+    ## @param addons.ingressNginx.valuesOverride Custom values to override
    valuesOverride: {}

  ## GPU-operator: NVIDIA GPU Operator
@@ -116,36 +115,35 @@ addons:

 ## @section Kubernetes Control Plane Configuration
 ##
-
 controlPlane:
+  ## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
  replicas: 2
-
  apiServer:
    ## @param controlPlane.apiServer.resources Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.
-    ## @param controlPlane.apiServer.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+    resources: {}
+    ## @param controlPlane.apiServer.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
    ## e.g:
    ## resources:
    ##   cpu: 4000m
    ##   memory: 4Gi
    ##
    resourcesPreset: "medium"
-    resources: {}

  controllerManager:
    ## @param controlPlane.controllerManager.resources Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.
-    ## @param controlPlane.controllerManager.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+    ## @param controlPlane.controllerManager.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
    resourcesPreset: "micro"
    resources: {}

  scheduler:
    ## @param controlPlane.scheduler.resources Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.
-    ## @param controlPlane.scheduler.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+    ## @param controlPlane.scheduler.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
    resourcesPreset: "micro"
    resources: {}

  konnectivity:
    server:
      ## @param controlPlane.konnectivity.server.resources Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.
-      ## @param controlPlane.konnectivity.server.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+      ## @param controlPlane.konnectivity.server.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
      resourcesPreset: "micro"
      resources: {}
--- a/packages/apps/mysql/Chart.yaml
+++ b/packages/apps/mysql/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.9.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/mysql/Makefile
+++ b/packages/apps/mysql/Makefile
@@ -1,11 +1,12 @@
 MARIADB_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json

 image:
 	docker buildx build images/mariadb-backup \
--- a/packages/apps/mysql/README.md
+++ b/packages/apps/mysql/README.md
@@ -68,14 +68,16 @@ more details:

 ### Common parameters

-| Name           | Description                                     | Value   |
-| -------------- | ----------------------------------------------- | ------- |
-| `external`     | Enable external access from outside the cluster | `false` |
-| `size`         | Persistent Volume size                          | `10Gi`  |
-| `replicas`     | Number of MariaDB replicas                      | `2`     |
-| `storageClass` | StorageClass used to store the data             | `""`    |
+| Name              | Description                                                                                                                          | Value   |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| `replicas`        | Number of MariaDB replicas                                                                                                           | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.          | `nano`  |
+| `size`            | Persistent Volume size                                                                                                               | `10Gi`  |
+| `storageClass`    | StorageClass used to store the data                                                                                                  | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                      | `false` |

-### Configuration parameters
+### Application-specific parameters

 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
@@ -84,18 +86,16 @@ more details:

 ### Backup parameters

-| Name                     | Description                                                                                                                          | Value                                                  |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ |
-| `backup.enabled`         | Enable periodic backups                                                                                                              | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                           | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                               | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                  | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                             | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                       | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                       | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                            | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`                                                   |
-| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.    | `nano`                                                 |
+| Name                     | Description                                    | Value                                                  |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable periodic backups                        | `false`                                                |
+| `backup.s3Region`        | The AWS S3 region where backups are stored     | `us-east-1`                                            |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups         | `s3.example.org/postgres-backups`                      |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups       | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption      | `ChaXoveekoh6eigh4siesheeda2quai0`                     |

 ## Parameter examples and reference

--- a/packages/apps/mysql/images/mariadb-backup.tag
+++ b/packages/apps/mysql/images/mariadb-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/mariadb-backup:0.9.0@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4
+ghcr.io/cozystack/cozystack/mariadb-backup:0.9.1@sha256:a3789db9e9e065ff60cbac70771b4a8aa1460db3194307cf5ca5d4fe1b412b6b
--- a/packages/apps/mysql/values.schema.json
+++ b/packages/apps/mysql/values.schema.json
@@ -1,83 +1,70 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of MariaDB replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
        "backup": {
-            "type": "object",
            "properties": {
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable periodic backups",
-                    "default": false
-                },
-                "s3Region": {
-                    "type": "string",
-                    "description": "The AWS S3 region where backups are stored",
-                    "default": "us-east-1"
-                },
-                "s3Bucket": {
-                    "type": "string",
-                    "description": "The S3 bucket used for storing backups",
-                    "default": "s3.example.org/postgres-backups"
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
-                },
                "cleanupStrategy": {
-                    "type": "string",
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m",
                    "description": "The strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                    "type": "string"
                },
-                "s3AccessKey": {
-                    "type": "string",
-                    "description": "The access key for S3, used for authentication",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
-                },
-                "s3SecretKey": {
-                    "type": "string",
-                    "description": "The secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                "enabled": {
+                    "default": false,
+                    "description": "Enable periodic backups",
+                    "type": "boolean"
                },
                "resticPassword": {
-                    "type": "string",
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0",
                    "description": "The password for Restic backup encryption",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                    "type": "string"
+                },
+                "s3AccessKey": {
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
+                    "description": "The access key for S3, used for authentication",
+                    "type": "string"
+                },
+                "s3Bucket": {
+                    "default": "s3.example.org/postgres-backups",
+                    "description": "The S3 bucket used for storing backups",
+                    "type": "string"
+                },
+                "s3Region": {
+                    "default": "us-east-1",
+                    "description": "The AWS S3 region where backups are stored",
+                    "type": "string"
+                },
+                "s3SecretKey": {
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
+                    "description": "The secret key for S3, used for authentication",
+                    "type": "string"
+                },
+                "schedule": {
+                    "default": "0 2 * * *",
+                    "description": "Cron schedule for automated backups",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of MariaDB replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "nano",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
-                "none",
                "nano",
                "micro",
                "small",
@@ -86,6 +73,18 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/mysql/values.yaml
+++ b/packages/apps/mysql/values.yaml
@@ -1,17 +1,23 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of MariaDB replicas
-## @param storageClass StorageClass used to store the data
 ##
-external: false
-size: 10Gi
+## @param replicas Number of MariaDB replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "nano"
+## @param size Persistent Volume size
+size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
+## @param external Enable external access from outside the cluster
+external: false

-## @section Configuration parameters
-
+## @section Application-specific parameters
+##
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -36,7 +42,7 @@ users: {}
 databases: {}

 ## @section Backup parameters
-
+##
 ## @param backup.enabled Enable periodic backups
 ## @param backup.s3Region The AWS S3 region where backups are stored
 ## @param backup.s3Bucket The S3 bucket used for storing backups
@@ -55,11 +61,3 @@ backup:
  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

-## @param resources Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
- 
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "nano"
--- a/packages/apps/nats/Chart.yaml
+++ b/packages/apps/nats/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.8.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/nats/Makefile
+++ b/packages/apps/nats/Makefile
@@ -1,5 +1,6 @@
 include ../../../scripts/package.mk
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
--- a/packages/apps/nats/README.md
+++ b/packages/apps/nats/README.md
@@ -7,18 +7,23 @@ It provides a data layer for cloud native applications, IoT messaging, and micro

 ### Common parameters

-| Name                | Description                                                                                                                       | Value   |
-| ------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`          | Enable external access from outside the cluster                                                                                   | `false` |
-| `replicas`          | Persistent Volume size for NATS                                                                                                   | `2`     |
-| `storageClass`      | StorageClass used to store the data                                                                                               | `""`    |
-| `users`             | Users configuration                                                                                                               | `{}`    |
-| `jetstream.size`    | Jetstream persistent storage size                                                                                                 | `10Gi`  |
-| `jetstream.enabled` | Enable or disable Jetstream                                                                                                       | `true`  |
-| `config.merge`      | Additional configuration to merge into NATS config                                                                                | `{}`    |
-| `config.resolver`   | Additional configuration to merge into NATS config                                                                                | `{}`    |
-| `resources`         | Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `resourcesPreset`   | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge. | `nano`  |
+| Name              | Description                                                                                                                       | Value   |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of replicas                                                                                                                | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.       | `nano`  |
+| `storageClass`    | StorageClass used to store the data                                                                                               | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                   | `false` |
+
+### Application-specific parameters
+
+| Name                | Description                                                               | Value  |
+| ------------------- | ------------------------------------------------------------------------- | ------ |
+| `users`             | Users configuration (see example)                                         | `{}`   |
+| `jetstream.enabled` | Enable or disable Jetstream                                               | `true` |
+| `jetstream.size`    | Jetstream persistent storage size                                         | `10Gi` |
+| `config.merge`      | Additional configuration to merge into NATS config (see example)          | `{}`   |
+| `config.resolver`   | Additional resolver configuration to merge into NATS config (see example) | `{}`   |

 ## Parameter examples and reference

--- a/packages/apps/nats/templates/nats.yaml
+++ b/packages/apps/nats/templates/nats.yaml
@@ -49,9 +49,6 @@ spec:
                resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.resourcesPreset .Values.resources $) | nindent 22 }}
      fullnameOverride: {{ .Release.Name }}
      config:
-        cluster:
-          routeURLs:
-            k8sClusterDomain: {{ $clusterDomain }}
        {{- if or (gt (len $passwords) 0) (gt (len .Values.config.merge) 0) }}
        merge:
          {{- if gt (len $passwords) 0 }}
@@ -73,6 +70,8 @@ spec:
        {{- end }}
        cluster:
          enabled: true
+          routeURLs:
+            k8sClusterDomain: {{ $clusterDomain }}
          replicas: {{ .Values.replicas }}
        monitor:
          enabled: true
--- a/packages/apps/nats/values.schema.json
+++ b/packages/apps/nats/values.schema.json
@@ -1,63 +1,55 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Persistent Volume size for NATS",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "jetstream": {
-            "type": "object",
-            "properties": {
-                "size": {
-                    "type": "string",
-                    "description": "Jetstream persistent storage size",
-                    "default": "10Gi"
-                },
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable or disable Jetstream",
-                    "default": true
-                }
-            }
-        },
        "config": {
-            "type": "object",
            "properties": {
                "merge": {
-                    "type": "object",
-                    "description": "Additional configuration to merge into NATS config",
-                    "default": {}
+                    "default": {},
+                    "description": "Additional configuration to merge into NATS config (see example)",
+                    "type": "object"
                },
                "resolver": {
-                    "type": "object",
-                    "description": "Additional configuration to merge into NATS config",
-                    "default": {}
+                    "default": {},
+                    "description": "Additional resolver configuration to merge into NATS config (see example)",
+                    "type": "object"
                }
-            }
+            },
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "jetstream": {
+            "properties": {
+                "enabled": {
+                    "default": true,
+                    "description": "Enable or disable Jetstream",
+                    "type": "boolean"
+                },
+                "size": {
+                    "default": "10Gi",
+                    "description": "Jetstream persistent storage size",
+                    "type": "string"
+                }
+            },
+            "type": "object"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "nano",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
-                "none",
                "nano",
                "micro",
                "small",
@@ -66,6 +58,13 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/nats/values.yaml
+++ b/packages/apps/nats/values.yaml
@@ -1,14 +1,22 @@
-
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param replicas Persistent Volume size for NATS
-## @param storageClass StorageClass used to store the data
 ##
-external: false
+## @param replicas Number of replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "nano"
+## @param storageClass StorageClass used to store the data
 storageClass: ""
-## @param users [object] Users configuration
+## @param external Enable external access from outside the cluster
+external: false
+
+## @section Application-specific parameters
+##
+## @param users [object] Users configuration (see example)
 ## Example:
 ## users:
 ##   user1:
@@ -17,18 +25,17 @@ storageClass: ""
 users: {}

 jetstream:
+  ## @param jetstream.enabled Enable or disable Jetstream
+  ## Set to true to enable Jetstream for persistent messaging in NATS.
+  ## Default: true
+  enabled: true
  ## @param jetstream.size Jetstream persistent storage size
  ## Specifies the size of the persistent storage for Jetstream (message store).
  ## Default: 10Gi
  size: 10Gi

-  ## @param jetstream.enabled Enable or disable Jetstream
-  ## Set to true to enable Jetstream for persistent messaging in NATS.
-  ## Default: true
-  enabled: true
-
 config:
-  ## @param config.merge Additional configuration to merge into NATS config
+  ## @param config.merge Additional configuration to merge into NATS config (see example)
  ## Allows you to customize NATS server settings by merging additional configurations.
  ## For example, you can add extra parameters, configure authentication, or set custom settings.
  ## Default: {}
@@ -56,17 +63,9 @@ config:
  ##   include ./my-config-last.conf;
  ## }
  merge: {}
-  ## @param config.resolver Additional configuration to merge into NATS config
+  ## @param config.resolver Additional resolver configuration to merge into NATS config (see example)
  ## Allows you to customize NATS server settings by merging resolver configurations.
  ## Default: {}
-  ## Example see: https://github.com/nats-io/k8s/blob/main/helm/charts/nats/values.yaml#L247
+  ## Example: https://github.com/nats-io/k8s/blob/94414664c254b0bbac3a07fc9693f6c4f8f88709/helm/charts/nats/values.yaml#L248-L270
  resolver: {}

-## @param resources Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
- 
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "nano"
--- a/packages/apps/postgres/Chart.yaml
+++ b/packages/apps/postgres/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.17.1
+version: 0.17.3

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/postgres/Makefile
+++ b/packages/apps/postgres/Makefile
@@ -1,5 +1,6 @@
 include ../../../scripts/package.mk
+PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
-	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
--- a/packages/apps/postgres/README.md
+++ b/packages/apps/postgres/README.md
@@ -66,22 +66,24 @@ See:

 ### Common parameters

-| Name                                    | Description                                                                                                              | Value   |
-| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------- |
-| `external`                              | Enable external access from outside the cluster                                                                          | `false` |
-| `size`                                  | Persistent Volume size                                                                                                   | `10Gi`  |
-| `replicas`                              | Number of Postgres replicas                                                                                              | `2`     |
-| `storageClass`                          | StorageClass used to store the data                                                                                      | `""`    |
-| `postgresql.parameters.max_connections` | Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections | `100`   |
-| `quorum.minSyncReplicas`                | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.            | `0`     |
-| `quorum.maxSyncReplicas`                | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).  | `0`     |
+| Name              | Description                                                                                                                             | Value   |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of Postgres replicas                                                                                                             | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.             | `micro` |
+| `size`            | Persistent Volume size                                                                                                                  | `10Gi`  |
+| `storageClass`    | StorageClass used to store the data                                                                                                     | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                         | `false` |

-### Configuration parameters
+### Application-specific parameters

-| Name        | Description             | Value |
-| ----------- | ----------------------- | ----- |
-| `users`     | Users configuration     | `{}`  |
-| `databases` | Databases configuration | `{}`  |
+| Name                                    | Description                                                                                                              | Value |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ----- |
+| `postgresql.parameters.max_connections` | Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections | `100` |
+| `quorum.minSyncReplicas`                | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.            | `0`   |
+| `quorum.maxSyncReplicas`                | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).  | `0`   |
+| `users`                                 | Users configuration                                                                                                      | `{}`  |
+| `databases`                             | Databases configuration                                                                                                  | `{}`  |

 ### Backup parameters

@@ -95,16 +97,13 @@ See:
 | `backup.s3AccessKey`     | Access key for S3, used for authentication                 | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
 | `backup.s3SecretKey`     | Secret key for S3, used for authentication                 | `ju3eum4dekeich9ahM1te8waeGai0oog`  |

-### Bootstrap parameters
-
-| Name                     | Description                                                                                                                             | Value   |
-| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `bootstrap.enabled`      | Restore database cluster from a backup                                                                                                  | `false` |
-| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest                    | `""`    |
-| `bootstrap.oldName`      | Name of database cluster before deleting                                                                                                | `""`    |
-| `resources`              | Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.       | `micro` |
+### Bootstrap (recovery) parameters

+| Name                     | Description                                                                                                          | Value   |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------- | ------- |
+| `bootstrap.enabled`      | Restore database cluster from a backup                                                                               | `false` |
+| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest | `""`    |
+| `bootstrap.oldName`      | Name of database cluster before deleting                                                                             | `""`    |

 ## Parameter examples and reference

--- a/packages/apps/postgres/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/postgres/templates/dashboard-resourcemap.yaml
@@ -11,6 +11,7 @@ rules:
  - {{ .Release.Name }}-r
  - {{ .Release.Name }}-ro
  - {{ .Release.Name }}-rw
+  - {{ .Release.Name }}-external-write
  verbs: ["get", "list", "watch"]
 - apiGroups:
  - ""
--- a/packages/apps/postgres/templates/external-svc.yaml
+++ b/packages/apps/postgres/templates/external-svc.yaml
@@ -7,7 +7,9 @@ spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  {{- if .Values.external }}
  externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
  allocateLoadBalancerNodePorts: false
+    {{- end }}
  {{- end }}
  ports:
  - name: postgres
--- a/packages/apps/postgres/values.schema.json
+++ b/packages/apps/postgres/values.schema.json
@@ -1,133 +1,120 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of Postgres replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "postgresql": {
-            "type": "object",
-            "properties": {
-                "parameters": {
-                    "type": "object",
-                    "properties": {
-                        "max_connections": {
-                            "type": "number",
-                            "description": "Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections",
-                            "default": 100
-                        }
-                    }
-                }
-            }
-        },
-        "quorum": {
-            "type": "object",
-            "properties": {
-                "minSyncReplicas": {
-                    "type": "number",
-                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
-                    "default": 0
-                },
-                "maxSyncReplicas": {
-                    "type": "number",
-                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
-                    "default": 0
-                }
-            }
-        },
-        "databases": {
-            "type": "object",
-            "description": "Databases configuration",
-            "default": {}
-        },
        "backup": {
-            "type": "object",
            "properties": {
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable regular backups",
-                    "default": false
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * * *"
-                },
-                "retentionPolicy": {
-                    "type": "string",
-                    "description": "Retention policy",
-                    "default": "30d"
-                },
                "destinationPath": {
-                    "type": "string",
+                    "default": "s3://bucket/path/to/folder/",
                    "description": "Path to store the backup (i.e. s3://bucket/path/to/folder)",
-                    "default": "s3://bucket/path/to/folder/"
+                    "type": "string"
+                },
+                "enabled": {
+                    "default": false,
+                    "description": "Enable regular backups",
+                    "type": "boolean"
                },
                "endpointURL": {
-                    "type": "string",
+                    "default": "http://minio-gateway-service:9000",
                    "description": "S3 Endpoint used to upload data to the cloud",
-                    "default": "http://minio-gateway-service:9000"
+                    "type": "string"
+                },
+                "retentionPolicy": {
+                    "default": "30d",
+                    "description": "Retention policy",
+                    "type": "string"
                },
                "s3AccessKey": {
-                    "type": "string",
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
                    "description": "Access key for S3, used for authentication",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                    "type": "string"
                },
                "s3SecretKey": {
-                    "type": "string",
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
                    "description": "Secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                    "type": "string"
+                },
+                "schedule": {
+                    "default": "0 2 * * * *",
+                    "description": "Cron schedule for automated backups",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
        },
        "bootstrap": {
-            "type": "object",
            "properties": {
                "enabled": {
-                    "type": "boolean",
+                    "default": false,
                    "description": "Restore database cluster from a backup",
-                    "default": false
-                },
-                "recoveryTime": {
-                    "type": "string",
-                    "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest",
-                    "default": ""
+                    "type": "boolean"
                },
                "oldName": {
-                    "type": "string",
+                    "default": "",
                    "description": "Name of database cluster before deleting",
-                    "default": ""
+                    "type": "string"
+                },
+                "recoveryTime": {
+                    "default": "",
+                    "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
+        },
+        "databases": {
+            "default": {},
+            "description": "Databases configuration",
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "postgresql": {
+            "properties": {
+                "parameters": {
+                    "properties": {
+                        "max_connections": {
+                            "default": 100,
+                            "description": "Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections",
+                            "type": "number"
+                        }
+                    },
+                    "type": "object"
+                }
+            },
+            "type": "object"
+        },
+        "quorum": {
+            "properties": {
+                "maxSyncReplicas": {
+                    "default": 0,
+                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
+                    "type": "number"
+                },
+                "minSyncReplicas": {
+                    "default": 0,
+                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
+                    "type": "number"
+                }
+            },
+            "type": "object"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of Postgres replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "micro",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
-                "none",
                "nano",
                "micro",
                "small",
@@ -136,6 +123,18 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/postgres/values.yaml
+++ b/packages/apps/postgres/values.yaml
@@ -1,30 +1,35 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of Postgres replicas
-## @param storageClass StorageClass used to store the data
 ##
-external: false
-size: 10Gi
+## @param replicas Number of Postgres replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "micro"
+## @param size Persistent Volume size
+size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
+## @param external Enable external access from outside the cluster
+external: false

-## Server Configuration
+
+## @section Application-specific parameters
+##
 ## @param postgresql.parameters.max_connections Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections
 postgresql:
  parameters:
    max_connections: 100

-## Configuration for the quorum-based synchronous replication
 ## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
 ## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
 quorum:
  minSyncReplicas: 0
  maxSyncReplicas: 0

-## @section Configuration parameters
-
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -75,7 +80,7 @@ backup:
  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog

-## @section Bootstrap parameters
+## @section Bootstrap (recovery) parameters

 ## @param bootstrap.enabled Restore database cluster from a backup
 ## @param bootstrap.recoveryTime Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest
@@ -87,11 +92,3 @@ bootstrap:
  recoveryTime: ""
  oldName: ""

-## @param resources Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
- 
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "micro"
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f`