Add AI-agent for changelogs generation

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

docs/agents/changelog.md

@@ -139,15 +139,15 @@ This will include all commits from v0.37.1, v0.37.2, v0.37.3, etc., up to v0.38.
 Cozystack release may include changes from related repositories. Check and include commits from these repositories if tags were released during the release period:
 
 **Required repositories:**
-- **Documentation**: [https://github.com/cozystack/website](https://github.com/cozystack/website)
+- **Documentation**: https://github.com/cozystack/website
   - **MANDATORY**: Always check this repository for documentation changes during the release period
   - **MANDATORY**: Get GitHub username for EVERY commit. Extract PR number from commit message, then use `gh pr view <PR_NUMBER> --repo cozystack/website --json author --jq .author.login` to get PR author. Only if no PR number, fall back to `gh api repos/cozystack/website/commits/<hash> --jq '.author.login'`
 
 **Optional repositories (MUST check ALL of them for tags during release period):**
-- [https://github.com/cozystack/talm](https://github.com/cozystack/talm)
-- [https://github.com/cozystack/boot-to-talos](https://github.com/cozystack/boot-to-talos)
-- [https://github.com/cozystack/cozypkg](https://github.com/cozystack/cozypkg)
-- [https://github.com/cozystack/cozy-proxy](https://github.com/cozystack/cozy-proxy)
+- https://github.com/cozystack/talm
+- https://github.com/cozystack/boot-to-talos
+- https://github.com/cozystack/cozypkg
+- https://github.com/cozystack/cozy-proxy
 
 **⚠️ IMPORTANT**: You MUST check ALL optional repositories for tags created during the release period. Do NOT skip this step even if you think there might not be any tags. Use the process below to verify.
 
@@ -309,21 +309,21 @@ git log <previous_version>..<new_version> --format="%s%n%b" | grep -oE '#[0-9]+'
    
    **Why this matters**: Using the wrong author in changelogs gives incorrect credit and can confuse contributors. The merge/squash commit is created by the person who clicks "Merge" in GitHub, not the PR author.
    
-**For commits without PR numbers (rare):**
-- Only if a commit has no PR number, fall back to commit author: `gh api repos/cozystack/cozystack/commits/<hash> --jq '.author.login'`
-- But this should be very rare - most commits should have PR numbers
+   **For commits without PR numbers (rare):**
+   - Only if a commit has no PR number, fall back to commit author: `gh api repos/cozystack/cozystack/commits/<hash> --jq '.author.login'`
+   - But this should be very rare - most commits should have PR numbers
 
 **Extract PR number from commit messages:**
-- Check commit message subject (`%s`) and body (`%b`) for PR references: `#1234` or `(#1234)`
-- **Primary method**: Extract from commit message format `(#PR_NUMBER)` or `in #PR_NUMBER` or `Merge pull request #1234`
-- Use regex: `grep -oE '#[0-9]+'` to find all PR numbers
-
-**⚠️ CRITICAL: Verify PR numbers match commit messages!**
-- Always verify that the PR number in the changelog matches the PR number in the commit message
-- Common mistake: Using wrong PR number (e.g., #1614 instead of #1617) when multiple similar commits exist
-- To verify: Check the actual commit message: `git log <commit_hash> -1 --format="%s%n%b" | grep -oE '#[0-9]+'`
-- If multiple PR numbers appear in a commit, use the one that matches the PR title/description
-- For merge commits, check the merged branch commits, not just the merge commit message
+   - Check commit message subject (`%s`) and body (`%b`) for PR references: `#1234` or `(#1234)`
+   - **Primary method**: Extract from commit message format `(#PR_NUMBER)` or `in #PR_NUMBER` or `Merge pull request #1234`
+   - Use regex: `grep -oE '#[0-9]+'` to find all PR numbers
+   
+   **⚠️ CRITICAL: Verify PR numbers match commit messages!**
+   - Always verify that the PR number in the changelog matches the PR number in the commit message
+   - Common mistake: Using wrong PR number (e.g., #1614 instead of #1617) when multiple similar commits exist
+   - To verify: Check the actual commit message: `git log <commit_hash> -1 --format="%s%n%b" | grep -oE '#[0-9]+'`
+   - If multiple PR numbers appear in a commit, use the one that matches the PR title/description
+   - For merge commits, check the merged branch commits, not just the merge commit message
 
 3. **Understand the change:**
    ```bash

docs/agents/contributing.md

@@ -95,83 +95,6 @@ Clean up:
 rm /tmp/pr_body.md
 ```
 
-## Addressing AI Bot Reviewer Comments
-
-When the user asks to fix comments from AI bot reviewers (like Qodo, Copilot, etc.):
-
-### 1. Get PR Comments
-
-View all comments on the pull request:
-
-```bash
-gh pr view <PR-number> --comments
-```
-
-Or for the current branch:
-
-```bash
-gh pr view --comments
-```
-
-### 2. Review Each Comment Carefully
-
-**Important**: Do NOT blindly apply all suggestions. Each comment should be evaluated:
-
-- **Consider context** - Does the suggestion make sense for this specific case?
-- **Check project conventions** - Does it align with Cozystack patterns?
-- **Evaluate impact** - Will this improve code quality or introduce issues?
-- **Question validity** - AI bots can be wrong or miss context
-
-**When to apply:**
-- ✅ Legitimate bugs or security issues
-- ✅ Clear improvements to code quality
-- ✅ Better error handling or edge cases
-- ✅ Conformance to project conventions
-
-**When to skip:**
-- ❌ Stylistic preferences that don't match project style
-- ❌ Over-engineering simple code
-- ❌ Changes that break existing patterns
-- ❌ Suggestions that show misunderstanding of the code
-
-### 3. Apply Valid Fixes
-
-Make changes addressing the valid comments. Use your judgment.
-
-### 4. Leave Changes Uncommitted
-
-**Critical**: Do NOT commit or push the changes automatically.
-
-Leave the changes in the working directory so the user can:
-- Review the fixes
-- Decide whether to commit them
-- Make additional adjustments if needed
-
-```bash
-# After making changes, show status but DON'T commit
-git status
-git diff
-```
-
-The user will commit and push when ready.
-
-### Example Workflow
-
-```bash
-# Get PR comments
-gh pr view 1234 --comments
-
-# Review comments and identify valid ones
-# Make necessary changes to address valid comments
-# ... edit files ...
-
-# Show what was changed (but don't commit)
-git status
-git diff
-
-# Tell the user what was fixed and what was skipped
-```
-
 ## Git Permissions
 
 Request these permissions when needed:

docs/changelogs/v0.37.1.md

@@ -1,31 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.37.1
--->
-
-## Features and Improvements
-
-* **[api] Efficient listing of TenantNamespaces**: Optimized TenantNamespace listing by replacing per-namespace SubjectAccessReview calls with group-based rolebinding checks, significantly reducing API latency and improving performance ([**@lllamnyp**](https://github.com/lllamnyp) in #1507).
-
-## Fixes
-
-* **[api] Fix RBAC for listing of TenantNamespaces and handle system:masters**: Fixed regression in TenantNamespace listing RBAC and added proper handling for system:masters group to ensure correct authorization ([**@kvaps**](https://github.com/kvaps) in #1511).
-* **[dashboard] Fix logout**: Fixed dashboard logout functionality to properly clear session and redirect users ([**@kvaps**](https://github.com/kvaps) in #1510).
-* **[installer] Add additional check to wait for lineage-webhook**: Added additional readiness check to ensure lineage-webhook is fully ready before proceeding with installation, improving upgrade reliability ([**@kvaps**](https://github.com/kvaps) in #1506).
-
-## Development, Testing, and CI/CD
-
-* **[tests] Make Kubernetes tests POSIX-compatible**: Replaced bash-specific constructs with POSIX-compliant code, ensuring tests work reliably with /bin/sh and improving compatibility across different shell environments ([**@IvanHunters**](https://github.com/IvanHunters) in #1509).
-
-## Documentation
-
-* **[website] Update troubleshooting documentation**: Updated Kubernetes installation troubleshooting guide with additional information and fixes ([**@lb0o**](https://github.com/lb0o) in cozystack/website@82beddd).
-* **[website] Add LLDPD disabling documentation**: Added minimal patch documentation for disabling lldpd based on official LLDPD usage guide ([**@lb0o**](https://github.com/lb0o) in cozystack/website@7ec5d7b).
-* **[website] Fix typo in utility command**: Fixed typo in utility command documentation ([**@lb0o**](https://github.com/lb0o) in cozystack/website@6c76cb5).
-* **[website] Update backup and recovery docs**: Updated backup and recovery documentation with latest information ([**@kvaps**](https://github.com/kvaps) in cozystack/website@2781aa5).
-* **[website] Add Troubleshooting checklist**: Added troubleshooting checklist to help users diagnose and resolve common issues ([**@kvaps**](https://github.com/kvaps) in cozystack/website@59fc304).
-
----
-
-**Full Changelog**: [v0.37.0...v0.37.1](https://github.com/cozystack/cozystack/compare/v0.37.0...v0.37.1)
-

docs/changelogs/v0.37.2.md

@@ -1,21 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.37.2
--->
-
-## Features and Improvements
-
-* **[lineage] Separate webhook from cozy controller**: Separated the lineage-controller-webhook from cozystack-controller into a separate daemonset component deployed on all control-plane nodes, reducing API server latency and improving performance by decreasing outgoing API calls. Introduced internal label to track resources already handled by the webhook ([**@lllamnyp**](https://github.com/lllamnyp) in #1515).
-
-## Fixes
-
-* **[api] Fix listing tenantnamespaces for non-oidc users**: Fixed TenantNamespace listing functionality for users not using OIDC authentication, ensuring proper namespace visibility for all authentication methods ([**@kvaps**](https://github.com/kvaps) in #1517, #1519).
-
-## Migration and Upgrades
-
-* **[platform] Better migration for 0.36.2->0.37.2+**: Improved migration script for users upgrading directly from 0.36.2 to 0.37.2+, ensuring the new lineage webhook daemonset is properly deployed and fixing a bug where webhook readiness was not appropriately verified during migration ([**@lllamnyp**](https://github.com/lllamnyp) in #1521, #1522).
-
----
-
-**Full Changelog**: [v0.37.1...v0.37.2](https://github.com/cozystack/cozystack/compare/v0.37.1...v0.37.2)
-

docs/changelogs/v0.37.3.md

@@ -1,45 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.37.3
--->
-
-## Features and Improvements
-
-* **[apps] Make VM service user facing**: Virtual machine services are now marked as user-facing, improving service discovery and visibility in the dashboard ([**@lllamnyp**](https://github.com/lllamnyp) in #1523).
-* **[seaweedfs] Allow users to discover their buckets**: Users can now discover and list their S3 buckets in SeaweedFS, improving usability and bucket management ([**@kvaps**](https://github.com/kvaps) in #1528).
-* **[seaweedfs] Update SeaweedFS v3.99 and deploy S3 as stacked service**: Updated SeaweedFS to version 3.99 and deployed S3 gateway as a stacked service for better integration and performance ([**@kvaps**](https://github.com/kvaps) in #1562).
-* **[dashboard] Show service LB IP**: Fixed JSON path issue to correctly display Service LoadBalancer IPs in the dashboard table view, improving visibility of service endpoints ([**@lllamnyp**](https://github.com/lllamnyp) in #1524).
-* **[dashboard] Update openapi-ui v1.0.3 + fixes**: Updated OpenAPI UI to version 1.0.3 with various fixes and improvements ([**@kvaps**](https://github.com/kvaps) in #1564).
-* **[kubernetes] Use controlPlane.replicas field**: Fixed managed Kubernetes app to properly use the `controlPlane.replicas` field instead of hardcoding the value, allowing users to configure control plane replica count ([**@lllamnyp**](https://github.com/lllamnyp) in #1556).
-* **[monitoring] add settings alert for slack**: Added Slack integration configuration for Alerta alerts, enabling notifications to Slack channels ([**@scooby87**](https://github.com/scooby87) in #1545).
-
-## Fixes
-
-* **[lineage] Check for nil chart in HelmRelease**: Added nil check to prevent crashes when lineage webhook encounters HelmReleases using `chartRef` instead of `chart`, improving stability ([**@lllamnyp**](https://github.com/lllamnyp) in #1525).
-* **[kamaji] Respect 3rd party labels**: Applied patch to Kamaji controller to respect third-party labels, preventing reconciliation loops between lineage webhook and Kamaji controller ([**@lllamnyp**](https://github.com/lllamnyp) in #1531, #1534).
-* **[redis-operator] Build patched operator in-tree**: Moved Redis operator build into Cozystack organization and patched it to prevent overwriting third-party labels on owned resources ([**@lllamnyp**](https://github.com/lllamnyp) in #1547).
-* **[mariadb-operator] Add post-delete job to remove PVCs**: Added post-delete job to automatically remove PersistentVolumeClaims when MariaDB instances are deleted, preventing orphaned storage resources ([**@IvanHunters**](https://github.com/IvanHunters) in #1553).
-* **[velero] Set defaultItemOperationTimeout=24h**: Set default item operation timeout to 24 hours for Velero backups, preventing timeouts on large backup operations ([**@kvaps**](https://github.com/kvaps) in #1542).
-
-## Dependencies
-
-* **Update LINSTOR v1.32.3**: Updated LINSTOR to version 1.32.3 with latest features and bug fixes ([**@kvaps**](https://github.com/kvaps) in #1565).
-
-## System Configuration
-
-* **[system] kube-ovn: turn off enableLb**: Disabled load balancer functionality in Kube-OVN configuration ([**@nbykov0**](https://github.com/nbykov0) in #1548).
-
-## Documentation
-
-* **[website] Update LINSTOR documentation**: Updated LINSTOR guide and set failmode=continue for ZFS configurations ([**@kvaps**](https://github.com/kvaps) in cozystack/website@033804e).
-* **[website] Update managed apps reference**: Updated managed applications reference documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b886a74).
-* **[website] Update external apps documentation**: Updated documentation for external applications ([**@kvaps**](https://github.com/kvaps) in cozystack/website@565dad9).
-* **[website] Add naming conventions**: Added naming conventions documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b227abb).
-* **[website] Update golden image documentation**: Updated documentation for creating golden images for virtual machines ([**@kvaps**](https://github.com/kvaps) in cozystack/website@34c2f3a, cozystack/website@ef65593).
-* **[website] Fix documentation formatting**: Fixed alerts, infoboxes, tabs styles and main page formatting ([**@kvaps**](https://github.com/kvaps) in cozystack/website@e992e97, cozystack/website@b2c4dee).
-* **[website] Fix typo in blog article**: Fixed typo in blog article ([**@kvaps**](https://github.com/kvaps) in cozystack/website@0a4bbf3).
-
----
-
-**Full Changelog**: [v0.37.2...v0.37.3](https://github.com/cozystack/cozystack/compare/v0.37.2...v0.37.3)
-

docs/changelogs/v0.37.4.md

@@ -1,29 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.37.4
--->
-
-## Features and Improvements
-
-* **[tenant] Allow listing workloads**: Enabled listing of workloads for tenants, improving visibility and management of tenant resources ([**@kvaps**](https://github.com/kvaps) in #1576, #1577).
-
-## Fixes
-
-* **[seaweedfs] Fix migration to v3.99**: Fixed migration issues when upgrading SeaweedFS to version 3.99, ensuring smooth upgrades ([**@kvaps**](https://github.com/kvaps) in #1572, #1575).
-* **[nats] Merge container spec, not podTemplate**: Fixed NATS configuration to properly merge container specifications instead of podTemplate, ensuring correct container configuration ([**@lllamnyp**](https://github.com/lllamnyp) in #1571, #1574).
-
-## Development, Testing, and CI/CD
-
-* **[e2e] Increase Kubernetes connection timeouts**: Increased connection and request timeouts in E2E tests when communicating with Kubernetes API, improving test stability under high load and slow cluster response conditions ([**@IvanHunters**](https://github.com/IvanHunters) in #1570, #1573).
-
-## Documentation
-
-* **[website] Optimize website for mobile devices**: Improved website layout and responsiveness for mobile devices ([**@kvaps**](https://github.com/kvaps) in cozystack/website@3ab2338).
-* **[website] Add OpenAPI UI**: Added OpenAPI UI documentation and integration ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b1c1668).
-* **[website] Update Cozystack video in hero banner**: Updated hero banner with new Cozystack video ([**@kvaps**](https://github.com/kvaps) in cozystack/website@e351137).
-* **[website] Add screenshots carousel**: Added screenshots carousel to showcase Cozystack features ([**@kvaps**](https://github.com/kvaps) in cozystack/website@8422bd0).
-
----
-
-**Full Changelog**: [v0.37.3...v0.37.4](https://github.com/cozystack/cozystack/compare/v0.37.3...v0.37.4)
-

docs/changelogs/v0.37.5.md

@@ -1,28 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.37.5
--->
-
-## Features and Improvements
-
-* **[dashboard-controller] Move badges generation logic to internal dashboard component**: Moved badges generation logic to internal dashboard component for better code organization and maintainability ([**@kvaps**](https://github.com/kvaps) in #1567).
-
-## Security
-
-* **[redis] Bump Redis image version for security fixes**: Updated Redis image version to include latest security fixes, improving cluster security ([**@IvanHunters**](https://github.com/IvanHunters) in #1580).
-* **[flux] Close Flux Operator ports to external access**: Removed hostPort and hostNetwork from Flux Operator Deployment, ensuring ports 8080 and 8081 are only accessible within the cluster, preventing external exposure and improving security ([**@IvanHunters**](https://github.com/IvanHunters) in #1581).
-* **[ingress] Enforce HTTPS-only for API**: Added force-ssl-redirect annotation to default API Ingress, ensuring all HTTP traffic is redirected to HTTPS, preventing unencrypted external access and improving security ([**@IvanHunters**](https://github.com/IvanHunters) in #1582, #1585).
-
-## Fixes
-
-* **[nats] Fixes for NATS App Helm chart, fix template issues with config.merge**: Fixed template issues in NATS Helm chart related to config.merge value, ensuring correct configuration ([**@insignia96**](https://github.com/insignia96) in #1583, #1591).
-* **[kubevirt] Fix: kubevirt metrics rule**: Fixed KubeVirt metrics rule configuration ([**@kvaps**](https://github.com/kvaps) in #1584, #1588).
-
-## System Configuration
-
-* **[core] rm talos lldp extension**: Removed Talos LLDP extension from core configuration ([**@nbykov0**](https://github.com/nbykov0) in #1586).
-
----
-
-**Full Changelog**: [v0.37.4...v0.37.5](https://github.com/cozystack/cozystack/compare/v0.37.4...v0.37.5)
-

docs/changelogs/v0.37.6.md

@@ -1,30 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.37.6
--->
-
-## Features and Improvements
-
-* **[api] Use shared informer cache**: Optimized API server by using shared informer cache, reducing API server load and improving performance ([**@lllamnyp**](https://github.com/lllamnyp) in #1539).
-* **[dashboard] sync with upstream & enhancements**: Synchronized dashboard with upstream and added various enhancements ([**@kvaps**](https://github.com/kvaps) in #1603).
-* **[cozystack-api][dashboard] Fix filtering for application services/ingresses/secrets**: Fixed filtering functionality for application services, ingresses, and secrets in both API and dashboard ([**@kvaps**](https://github.com/kvaps) in #1612).
-
-## Fixes
-
-* **[controller] Remove crdmem, handle DaemonSet**: Removed crdmem and improved DaemonSet handling in controller ([**@lllamnyp**](https://github.com/lllamnyp) in #1555).
-* **[dashboard] Revert reconciler removal**: Reverted reconciler removal to restore proper dashboard functionality ([**@lllamnyp**](https://github.com/lllamnyp) in #1559).
-* **[dashboard-controller] Fix static resources reconciliation and showing secrets**: Fixed static resources reconciliation and improved secret display in dashboard controller ([**@kvaps**](https://github.com/kvaps) in #1605).
-* **[api,lineage] Ensure node-local traffic**: Ensured node-local traffic handling for API and lineage components ([**@lllamnyp**](https://github.com/lllamnyp) in #1606).
-* **[virtual-machine] Revert per-vm network policies**: Reverted per-VM network policies to previous behavior ([**@lllamnyp**](https://github.com/lllamnyp) in #1611).
-* **[cozy-lib] Fix: handling resources=nil**: Fixed handling of nil resources in cozy-lib templates ([**@kvaps**](https://github.com/kvaps) in #1607).
-* **[nats] Use dig function to check for existing secret and prevent nil indexing**: Fixed NATS app chart to use dig function for checking existing secrets and prevent nil indexing errors ([**@kvaps**](https://github.com/kvaps) in #1609, #1610).
-
-## Development, Testing, and CI/CD
-
-* **[cozystack-controller] improve API tests**: Improved API tests for cozystack-controller ([**@lllamnyp**](https://github.com/lllamnyp) in #1599).
-* **[kubernetes] Helm hooks for cleanup**: Added Helm hooks for cleanup operations in Kubernetes app ([**@lllamnyp**](https://github.com/lllamnyp) in #1616).
-
----
-
-**Full Changelog**: [v0.37.5...v0.37.6](https://github.com/cozystack/cozystack/compare/v0.37.5...v0.37.6)
-

docs/changelogs/v0.37.7.md

@@ -1,18 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.37.7
--->
-
-## Fixes
-
-* **[kubernetes] Cleanup loadbalancer services**: Added cleanup functionality for load balancer services in Kubernetes app ([**@lllamnyp**](https://github.com/lllamnyp) in #1622).
-* **[rbac] Fix permissions for high-privilege users**: Fixed RBAC permissions for high-privilege users, ensuring proper access control ([**@lllamnyp**](https://github.com/lllamnyp) in #1624).
-
-## System Configuration
-
-* **[system] kubeovn: increase limits**: Increased resource limits for Kube-OVN components to improve stability and performance ([**@nbykov0**](https://github.com/nbykov0) in #1629).
-
----
-
-**Full Changelog**: [v0.37.6...v0.37.7](https://github.com/cozystack/cozystack/compare/v0.37.6...v0.37.7)
-

docs/changelogs/v0.37.8.md

@@ -1,19 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.37.8
--->
-
-## Fixes
-
-* **[cozy-lib] Fix malformed ResourceQuota rendering for LoadBalancer services**: Fixed malformed ResourceQuota rendering for LoadBalancer services in cozy-lib templates ([**@IvanHunters**](https://github.com/IvanHunters) in #1642).
-* **[extra] ingress: rm spaces from external ip list**: Removed spaces from external IP list in ingress configuration, fixing formatting issues ([**@nbykov0**](https://github.com/nbykov0) in #1652).
-* **scripts: fix 20 migration**: Fixed migration script #20 to ensure proper execution during upgrades ([**@nbykov0**](https://github.com/nbykov0) in #1653).
-
-## System Configuration
-
-* **Increase strimzi memory limit**: Increased memory limit for Strimzi Kafka operator to improve stability and performance ([**@nbykov0**](https://github.com/nbykov0) in #1651).
-
----
-
-**Full Changelog**: [v0.37.7...v0.37.8](https://github.com/cozystack/cozystack/compare/v0.37.7...v0.37.8)
-

docs/changelogs/v0.37.9.md

@@ -1,19 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.37.9
--->
-
-## Improvements
-
-* **[seaweedfs] Extended CA certificate duration to reduce disruptive CA rotations**: Extended CA certificate duration to reduce disruptive CA rotations. ([**@IvanHunters**](https://github.com/IvanHunters) in #1657, #1666).
-* **[dashboard] Add config hash annotations to restart pods on config changes**: Added config hash annotations to restart pods when configuration changes, ensuring pods are automatically restarted when their configuration is updated ([**@kvaps**](https://github.com/kvaps) in #1662, #1665).
-
-## Fixes
-
-* **[tenant][kubernetes] Introduce better cleanup logic**: Improved cleanup logic for tenant Kubernetes resources, ensuring proper resource cleanup when tenants are deleted or updated ([**@kvaps**](https://github.com/kvaps) in #1661).
-* **[dashboard] Fix loading arrays in forms when editing existing objects**: Fixed issue where arrays in forms were not loading correctly when editing existing objects in the dashboard ([**@kvaps**](https://github.com/kvaps)).
-
----
-
-**Full Changelog**: [v0.37.8...v0.37.9](https://github.com/cozystack/cozystack/compare/v0.37.8...v0.37.9)
-

docs/changelogs/v0.38.0.md

@@ -1,235 +0,0 @@
-# Cozystack v0.38 — "VPC & Enhanced Networking"
-
-This release introduces **Virtual Private Cloud (VPC)** support, enabling advanced networking capabilities for tenant applications. We've also added VNC console support in the dashboard, made Kubernetes worker versions configurable, and delivered numerous improvements and fixes across the platform.
-
-### Virtual Private Cloud (VPC) Networking
-
-Cozystack v0.38.0 introduces Virtual Private Cloud (VPC) support, enabling platform administrators to create isolated network segments for tenant applications. VPCs provide network isolation and allow fine-grained control over network topology, subnets, and routing. Each VPC can contain multiple subnets, and administrators can configure subnet details including IP ranges, gateway settings, and DNS configuration.
-
-The VPC feature integrates seamlessly with the Cozystack dashboard, allowing users to view and manage VPCs and their subnets through an intuitive interface. Subnet details are exposed in the dashboard as tables, making it easy to understand network configuration at a glance. VPC configuration is stored in ConfigMaps with predictable naming, ensuring reliable access to subnet information.
-
-This feature is particularly valuable for multi-tenant environments where network isolation is critical, and for applications that require specific network configurations or routing rules.
-
-### VNC Console for Virtual Machines
-
-The Cozystack dashboard now includes a built-in VNC console for virtual machines, enabling users to access VM console directly from the web interface without requiring external tools. This feature provides immediate access to virtual machine consoles for troubleshooting, configuration, and maintenance tasks. The VNC console integration streamlines VM management workflows and improves the user experience by keeping all VM operations within the Cozystack dashboard.
-
-## Highlights
-
-* **Virtual Private Cloud (VPC)**: New VPC system module enables advanced networking with Multus CNI, subnet management, and network isolation for tenant applications ([**@nbykov0**](https://github.com/nbykov0) in #1543; [**@lllamnyp**](https://github.com/lllamnyp) in #1587, #1590, #1600, #1621, #1638).
-* **VNC Console in Dashboard**: Users can now access virtual machine consoles directly from the dashboard, improving VM management experience ([**@kvaps**](https://github.com/kvaps) in #1627).
-* **Configurable Kubernetes Worker Versions**: Platform administrators can now configure Kubernetes worker node versions independently, providing more flexibility in cluster management ([**@lllamnyp**](https://github.com/lllamnyp) in #1619).
-* **Security Enhancements**: Multiple security improvements including HTTPS-only enforcement for API, closed Flux Operator ports, and Redis security updates ([**@IvanHunters**](https://github.com/IvanHunters) in #1580, #1581, #1582).
-* **Cozy-lib Improvements**: Enhanced flatten function with better ResourceQuota handling and nil resource support ([**@lllamnyp**](https://github.com/lllamnyp) in #1647; [**@IvanHunters**](https://github.com/IvanHunters) in #1642; [**@kvaps**](https://github.com/kvaps) in #1607).
-
----
-
-## New features
-
-### VPC (Virtual Private Cloud)
-
-* **[system] Add VPC**: Introduced Virtual Private Cloud system module with Multus CNI integration, enabling advanced networking capabilities for tenant applications ([**@nbykov0**](https://github.com/nbykov0) in #1543).
-* **[vpc] Install Multus by default**: Multus CNI is now installed by default when VPC is enabled, providing multi-network interface support ([**@lllamnyp**](https://github.com/lllamnyp) in #1587).
-* **[vpc] Give predictable name to subnet configmap**: Subnet configuration maps now use predictable naming for better management and debugging ([**@lllamnyp**](https://github.com/lllamnyp) in #1590).
-* **[vpc] Entry per subnet in the subnets configmap**: Each subnet now has its own entry in the subnets configmap, improving subnet organization and management ([**@lllamnyp**](https://github.com/lllamnyp) in #1600).
-* **[vpc,dashboard] Print subnet details as table**: Subnet details are now displayed as a table in the dashboard, improving visibility and management ([**@lllamnyp**](https://github.com/lllamnyp) in #1621).
-* **[apps] Add VPC app**: Added VPC application for tenant use, enabling users to create and manage VPCs ([**@nbykov0**](https://github.com/nbykov0) in #1543).
-
-### Dashboard
-
-* **[dashboard] Introduce VNC console**: Added VNC console support in the dashboard, allowing users to access virtual machine consoles directly from the web interface ([**@kvaps**](https://github.com/kvaps) in #1627).
-* **[dashboard] sync with upstream & enhancements**: Synchronized dashboard with upstream project and added various enhancements ([**@kvaps**](https://github.com/kvaps) in #1603).
-* **[dashboard] Migrate patches to upstream project**: Migrated dashboard patches to upstream project for better maintainability ([**@kvaps**](https://github.com/kvaps) in #1569).
-
-### Kubernetes
-
-* **[kubernetes] Make worker version configurable**: Platform administrators can now configure Kubernetes worker node versions independently from control plane versions, providing more flexibility ([**@lllamnyp**](https://github.com/lllamnyp) in #1619).
-* **[kubernetes] Use controlPlane.replicas field**: Fixed managed Kubernetes app to properly use the `controlPlane.replicas` field instead of hardcoding the value ([**@lllamnyp**](https://github.com/lllamnyp) in #1556).
-* **[kubernetes] Helm hooks for cleanup**: Added Helm hooks for cleanup operations in Kubernetes app ([**@lllamnyp**](https://github.com/lllamnyp) in #1606).
-
-### API & Platform
-
-* **[api] Efficient listing of TenantNamespaces**: Optimized TenantNamespace listing by replacing per-namespace SubjectAccessReview calls with group-based rolebinding checks, significantly reducing API latency ([**@lllamnyp**](https://github.com/lllamnyp) in #1507).
-* **[api] Use shared informer cache**: Optimized API server by using shared informer cache, reducing API server load and improving performance ([**@lllamnyp**](https://github.com/lllamnyp) in #1539).
-* **[api] Fix representation of dynamic list kinds**: Fixed API representation of dynamic list kinds for better compatibility ([**@lllamnyp**](https://github.com/lllamnyp) in #1630).
-* **[api] Delete previous instance when changing type**: API now properly deletes previous instance when changing application type ([**@lllamnyp**](https://github.com/lllamnyp) in #1579).
-
-### Applications
-
-* **[tenant] Allow listing workloads**: Enabled listing of workloads for tenants, improving visibility and management of tenant resources ([**@kvaps**](https://github.com/kvaps) in #1576).
-* **[apps] Make VM service user facing**: Virtual machine services are now marked as user-facing, improving service discovery and visibility in the dashboard ([**@lllamnyp**](https://github.com/lllamnyp) in #1523).
-* **[foundationdb] Upgrade FDB app for latest Cozy**: Upgraded FoundationDB application for compatibility with latest Cozystack version ([**@lllamnyp**](https://github.com/lllamnyp) in #1505).
-
-### Storage & Backups
-
-* **[seaweedfs] Update SeaweedFS v3.99 and deploy S3 as stacked service**: Updated SeaweedFS to version 3.99 and deployed S3 gateway as a stacked service for better integration and performance ([**@kvaps**](https://github.com/kvaps) in #1562).
-* **[seaweedfs] Allow users to discover their buckets**: Users can now discover and list their S3 buckets in SeaweedFS, improving usability and bucket management ([**@kvaps**](https://github.com/kvaps) in #1528).
-* **[velero] Set defaultItemOperationTimeout=24h**: Set default item operation timeout to 24 hours for Velero backups, preventing timeouts on large backup operations ([**@kvaps**](https://github.com/kvaps) in #1542).
-
-### Monitoring & Operations
-
-* **[monitoring] add settings alert for slack**: Added Slack integration configuration for Alerta alerts, enabling notifications to Slack channels ([**@scooby87**](https://github.com/scooby87) in #1545).
-
----
-
-## Improvements (minor)
-
-* **[lineage] Separate webhook from cozy controller**: Separated the lineage-controller-webhook from cozystack-controller into a separate daemonset component deployed on all control-plane nodes, reducing API server latency ([**@lllamnyp**](https://github.com/lllamnyp) in #1515).
-* **[dashboard] Show service LB IP**: Fixed JSON path issue to correctly display Service LoadBalancer IPs in the dashboard table view ([**@lllamnyp**](https://github.com/lllamnyp) in #1524).
-* **[dashboard] Update openapi-ui v1.0.3 + fixes**: Updated OpenAPI UI to version 1.0.3 with various fixes and improvements ([**@kvaps**](https://github.com/kvaps) in #1564).
-* **[dashboard-controller] Move badges generation logic to internal dashboard component**: Moved badges generation logic to internal dashboard component for better code organization ([**@kvaps**](https://github.com/kvaps) in #1567).
-* **[bucket] Expose bucket name in secrets**: Bucket names are now exposed in secrets for better integration with applications ([**@lllamnyp**](https://github.com/lllamnyp) in #1518).
-* **[platform] Better migration for 0.36.2->0.37.2+**: Improved migration script for users upgrading directly from 0.36.2 to 0.37.2+ ([**@lllamnyp**](https://github.com/lllamnyp) in #1521).
-* **[cozy-lib] Improve flatten function**: Improved flatten function in cozy-lib with better handling of complex resource structures ([**@lllamnyp**](https://github.com/lllamnyp) in #1647).
-* **[dx] JSDoc compatible syntax for values.yaml**: Added JSDoc compatible syntax for values.yaml documentation ([**@kvaps**](https://github.com/kvaps) in #1536).
-* **[system] Tune kubevirt rollout and eviction settings**: Tuned KubeVirt rollout and eviction settings for better stability ([**@nbykov0**](https://github.com/nbykov0) in #1544).
-* **[system] multus: update to the latest version**: Updated Multus CNI to the latest version ([**@nbykov0**](https://github.com/nbykov0) in #1628).
-* **[system] kubeovn: increase limits**: Increased resource limits for Kube-OVN components to improve stability and performance ([**@nbykov0**](https://github.com/nbykov0) in #1629).
-* **[linstor] Update Piraeus Operator to v2.10.1 to enable RWX support**: Updated Piraeus Operator to v2.10.1, enabling ReadWriteMany (RWX) volume support ([**@kvaps**](https://github.com/kvaps) in #1650).
-* **[ci,dx] Bump MariaDB operator version**: Bumped MariaDB operator version for latest features and bug fixes ([**@IvanHunters**](https://github.com/IvanHunters) in #1646).
-
----
-
-## Bug fixes
-
-* **[api] Fix RBAC for listing of TenantNamespaces and handle system:masters**: Fixed regression in TenantNamespace listing RBAC and added proper handling for system:masters group ([**@kvaps**](https://github.com/kvaps) in #1511).
-* **[api] Fix listing tenantnamespaces for non-oidc users**: Fixed TenantNamespace listing functionality for users not using OIDC authentication ([**@kvaps**](https://github.com/kvaps) in #1517).
-* **[dashboard] Fix logout**: Fixed dashboard logout functionality to properly clear session and redirect users ([**@kvaps**](https://github.com/kvaps) in #1510).
-* **[installer] Add additional check to wait for lineage-webhook**: Added additional readiness check to ensure lineage-webhook is fully ready before proceeding with installation ([**@kvaps**](https://github.com/kvaps) in #1506).
-* **[lineage] Check for nil chart in HelmRelease**: Added nil check to prevent crashes when lineage webhook encounters HelmReleases using `chartRef` instead of `chart` ([**@lllamnyp**](https://github.com/lllamnyp) in #1525).
-* **[kamaji] Respect 3rd party labels**: Applied patch to Kamaji controller to respect third-party labels, preventing reconciliation loops ([**@lllamnyp**](https://github.com/lllamnyp) in #1531).
-* **[redis-operator] Build patched operator in-tree**: Moved Redis operator build into Cozystack organization and patched it to prevent overwriting third-party labels ([**@lllamnyp**](https://github.com/lllamnyp) in #1547).
-* **[mariadb-operator] Add post-delete job to remove PVCs**: Added post-delete job to automatically remove PersistentVolumeClaims when MariaDB instances are deleted ([**@IvanHunters**](https://github.com/IvanHunters) in #1553).
-* **[seaweedfs] Fix migration to v3.99**: Fixed migration issues when upgrading SeaweedFS to version 3.99 ([**@kvaps**](https://github.com/kvaps) in #1572).
-* **[nats] Merge container spec, not podTemplate**: Fixed NATS configuration to properly merge container specifications instead of podTemplate ([**@lllamnyp**](https://github.com/lllamnyp) in #1571).
-* **[nats] Fixes for NATS App Helm chart, fix template issues with config.merge**: Fixed template issues in NATS Helm chart related to config.merge value ([**@insignia96**](https://github.com/insignia96) in #1583).
-* **[nats] Fix NATS app chart to use existing secret credentials when present**: Fixed NATS app chart to use existing secret credentials when present, preventing credential regeneration ([**@insignia96**](https://github.com/insignia96) in #1599).
-* **[kubevirt] Fix: kubevirt metrics rule**: Fixed KubeVirt metrics rule configuration ([**@kvaps**](https://github.com/kvaps) in #1584).
-* **[controller] Remove crdmem, handle DaemonSet**: Removed crdmem and improved DaemonSet handling in controller ([**@lllamnyp**](https://github.com/lllamnyp) in #1555).
-* **[dashboard] Revert reconciler removal**: Reverted reconciler removal to restore proper dashboard functionality ([**@lllamnyp**](https://github.com/lllamnyp) in #1559).
-* **[dashboard-controller] Fix static resources reconciliation and showing secrets**: Fixed static resources reconciliation and improved secret display in dashboard controller ([**@kvaps**](https://github.com/kvaps) in #1615).
-* **[cozystack-api][dashboard] Fix filtering for application services/ingresses/secrets**: Fixed filtering functionality for application services, ingresses, and secrets in both API and dashboard ([**@kvaps**](https://github.com/kvaps) in #1612).
-* **[virtual-machine] Revert per-vm network policies**: Reverted per-VM network policies to previous behavior ([**@kvaps**](https://github.com/kvaps) in #1611).
-* **[cozy-lib] Fix: handling resources=nil**: Fixed handling of nil resources in cozy-lib templates ([**@kvaps**](https://github.com/kvaps) in #1607).
-* **[cozy-lib] Fix malformed ResourceQuota rendering for LoadBalancer services**: Fixed malformed ResourceQuota rendering for LoadBalancer services in cozy-lib templates ([**@IvanHunters**](https://github.com/IvanHunters) in #1642).
-* **[kubernetes] Cleanup loadbalancer services**: Added cleanup functionality for load balancer services in Kubernetes app ([**@lllamnyp**](https://github.com/lllamnyp) in #1631).
-* **[rbac] Fix permissions for high-privilege users**: Fixed RBAC permissions for high-privilege users, ensuring proper access control ([**@lllamnyp**](https://github.com/lllamnyp) in #1622).
-* **[vpc] Fix access to subnet details configmap**: Fixed access to subnet details configmap in VPC functionality ([**@lllamnyp**](https://github.com/lllamnyp) in #1638).
-* **[api,lineage] Ensure node-local traffic**: Ensured node-local traffic handling for API and lineage components ([**@lllamnyp**](https://github.com/lllamnyp) in #1554).
-* **[extra] ingress: rm spaces from external ip list**: Removed spaces from external IP list in ingress configuration, fixing formatting issues ([**@nbykov0**](https://github.com/nbykov0) in #1652).
-* **scripts: fix 20 migration**: Fixed migration script #20 to ensure proper execution during upgrades ([**@nbykov0**](https://github.com/nbykov0) in #1653).
-
----
-
-## Security
-
-* **[redis] Bump Redis image version for security fixes**: Updated Redis image version to include latest security fixes, improving cluster security ([**@IvanHunters**](https://github.com/IvanHunters) in #1580).
-* **[flux] Close Flux Operator ports to external access**: Removed hostPort and hostNetwork from Flux Operator Deployment, ensuring ports 8080 and 8081 are only accessible within the cluster ([**@IvanHunters**](https://github.com/IvanHunters) in #1581).
-* **[ingress] Enforce HTTPS-only for API**: Added force-ssl-redirect annotation to default API Ingress, ensuring all HTTP traffic is redirected to HTTPS ([**@IvanHunters**](https://github.com/IvanHunters) in #1582).
-
----
-
-## Dependencies & version updates
-
-* **Update LINSTOR v1.32.3**: Updated LINSTOR to version 1.32.3 with latest features and bug fixes ([**@kvaps**](https://github.com/kvaps) in #1565).
-* **Update Talos Linux v1.11.3**: Updated Talos Linux to version 1.11.3 ([**@kvaps**](https://github.com/kvaps) in #1527).
-* **Update Kube-OVN v1.14.11**: Updated Kube-OVN to version 1.14.11 ([**@kvaps**](https://github.com/kvaps) in #1514).
-* **[linstor] Update Piraeus Operator to v2.10.1**: Updated Piraeus Operator to v2.10.1 to enable RWX support ([**@kvaps**](https://github.com/kvaps) in #1650).
-* **[system] multus: update to the latest version**: Updated Multus CNI to the latest version ([**@nbykov0**](https://github.com/nbykov0) in #1628).
-* **[ci,dx] Bump MariaDB operator version**: Bumped MariaDB operator version ([**@IvanHunters**](https://github.com/IvanHunters) in #1646).
-* **Increase strimzi memory limit**: Increased memory limit for Strimzi Kafka operator to improve stability and performance ([**@nbykov0**](https://github.com/nbykov0) in #1651).
-
----
-
-## System Configuration
-
-* **[system] kube-ovn: turn off enableLb**: Disabled load balancer functionality in Kube-OVN configuration ([**@nbykov0**](https://github.com/nbykov0) in #1548).
-* **[core] rm talos lldp extension**: Removed Talos LLDP extension from core configuration ([**@nbykov0**](https://github.com/nbykov0) in #1586).
-
----
-
-## Development, Testing, and CI/CD
-
-* **[tests] Make Kubernetes tests POSIX-compatible**: Replaced bash-specific constructs with POSIX-compliant code, ensuring tests work reliably with /bin/sh ([**@IvanHunters**](https://github.com/IvanHunters) in #1509).
-* **[ferretdb] fix tests**: Fixed FerretDB tests to ensure proper execution ([**@IvanHunters**](https://github.com/IvanHunters) in #1540).
-* **[e2e] Increase Kubernetes connection timeouts**: Increased connection and request timeouts in E2E tests when communicating with Kubernetes API ([**@IvanHunters**](https://github.com/IvanHunters) in #1570).
-* **[cozystack-controller] improve API tests**: Improved API tests for cozystack-controller ([**@kvaps**](https://github.com/kvaps) in #1617).
-* **[ci] Fix build from external forks**: Fixed build process to work correctly from external forks ([**@kvaps**](https://github.com/kvaps) in #1530).
-* **[ci,dx] Add unit tests for cozy-lib**: Added unit tests for cozy-lib to improve code quality and reliability ([**@lllamnyp**](https://github.com/lllamnyp) in #1643).
-
----
-
-## Documentation
-
-* **[website] Add VPC page**: Added VPC documentation page explaining VPC features and usage ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@9ccac78).
-* **[website] Add VPC to auto-update list**: Added VPC to auto-update list in documentation ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@ca2bce6).
-* **[website] Update dashboard part in OIDC configuration doc**: Updated OIDC configuration documentation with dashboard information ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@6c44b93).
-* **[website] Update storage requirements**: Updated storage requirements documentation ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website@cac3af6).
-* **[website] Add System Resource Planning Recommendations**: Added system resource planning recommendations documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website@c877c2a).
-* **[website] Optimize website for mobile devices**: Improved website layout and responsiveness for mobile devices ([**@kvaps**](https://github.com/kvaps) in cozystack/website@3ab2338).
-* **[website] Add OpenAPI UI**: Added OpenAPI UI documentation and integration ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b1c1668).
-* **[website] Update Cozystack video in hero banner**: Updated hero banner with new Cozystack video ([**@kvaps**](https://github.com/kvaps) in cozystack/website@e351137).
-* **[website] Add screenshots carousel**: Added screenshots carousel to showcase Cozystack features ([**@kvaps**](https://github.com/kvaps) in cozystack/website@8422bd0).
-* **[website] Update LINSTOR documentation**: Updated LINSTOR guide and set failmode=continue for ZFS configurations ([**@kvaps**](https://github.com/kvaps) in cozystack/website@033804e).
-* **[website] Update managed apps reference**: Updated managed applications reference documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b886a74, cozystack/website@41c1849, cozystack/website@0ab71fd).
-* **[website] Update external apps documentation**: Updated documentation for external applications ([**@kvaps**](https://github.com/kvaps) in cozystack/website@565dad9).
-* **[website] Add naming conventions**: Added naming conventions documentation ([**@kvaps**](https://github.com/kvaps) in cozystack/website@b227abb).
-* **[website] Update golden image documentation**: Updated documentation for creating golden images for virtual machines ([**@kvaps**](https://github.com/kvaps) in cozystack/website@34c2f3a, cozystack/website@ef65593).
-* **[website] Fix documentation formatting**: Fixed alerts, infoboxes, tabs styles and main page formatting ([**@kvaps**](https://github.com/kvaps) in cozystack/website@e992e97, cozystack/website@b2c4dee).
-* **[website] Fix typo in blog article**: Fixed typo in blog article ([**@kvaps**](https://github.com/kvaps) in cozystack/website@0a4bbf3).
-* **[apps] vpc: more docs**: Added more VPC documentation ([**@nbykov0**](https://github.com/nbykov0) in #1594).
-* **[apps] vpc: fix typo in README**: Fixed typo in VPC README ([**@nbykov0**](https://github.com/nbykov0) in #1637).
-
----
-
-## Additional Repositories
-
-### boot-to-talos
-
-* **[boot-to-talos] Introduce boot/install mode**: Introduced boot/install mode in boot-to-talos tool ([**@kvaps**](https://github.com/kvaps) in cozystack/boot-to-talos#5).
-
-### cozypkg
-
-* **[cozypkg] Handle valuesFiles from cozypkg.cozystack.io/values-files annotation**: Added support for handling valuesFiles from annotation in cozypkg ([**@kvaps**](https://github.com/kvaps) in cozystack/cozypkg#8).
-
----
-
-## Refactors & chores
-
-* **[dashboard] Migrate patches to upstream project**: Migrated dashboard patches to upstream project for better maintainability ([**@kvaps**](https://github.com/kvaps) in #1569).
-* **Update CODEOWNERS**: Updated CODEOWNERS file ([**@nbykov0**](https://github.com/nbykov0) in #1537).
-* **Add QOSI to ADOPTERS.md**: Added QOSI to adopters list ([**@tabu-a**](https://github.com/tabu-a) in #1589).
-
----
-
-## Breaking changes & upgrade notes
-
-No breaking changes in this release.
-
----
-
-## Contributors
-
-We'd like to thank all contributors who made this release possible:
-
-* [**@IvanHunters**](https://github.com/IvanHunters)
-* [**@insignia96**](https://github.com/insignia96)
-* [**@kvaps**](https://github.com/kvaps)
-* [**@lllamnyp**](https://github.com/lllamnyp)
-* [**@nbykov0**](https://github.com/nbykov0)
-* [**@scooby87**](https://github.com/scooby87)
-* [**@tabu-a**](https://github.com/tabu-a)
-
-### New Contributors
-
-We're excited to welcome our first-time contributors:
-
-* [**@tabu-a**](https://github.com/tabu-a) - First contribution!
-
----
-
-**Full Changelog**: [v0.37.0...v0.38.0](https://github.com/cozystack/cozystack/compare/v0.37.0...v0.38.0)
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.38.0
--->

docs/changelogs/v0.38.1.md

@@ -1,19 +0,0 @@
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.38.1
--->
-
-## Improvements
-
-* **[seaweedfs] Extended CA certificate duration to reduce disruptive CA rotations**: Extended CA certificate duration to reduce disruptive CA rotations. ([**@IvanHunters**](https://github.com/IvanHunters) in #1657, #1666).
-* **[dashboard] Add config hash annotations to restart pods on config changes**: Added config hash annotations to restart pods when configuration changes, ensuring pods are automatically restarted when their configuration is updated ([**@kvaps**](https://github.com/kvaps) in #1662, #1665).
-
-## Fixes
-
-* **[tenant][kubernetes] Introduce better cleanup logic**: Improved cleanup logic for tenant Kubernetes resources, ensuring proper resource cleanup when tenants are deleted or updated ([**@kvaps**](https://github.com/kvaps) in #1661).
-* **[dashboard] Fix loading arrays in forms when editing existing objects**: Fixed issue where arrays in forms were not loading correctly when editing existing objects in the dashboard ([**@kvaps**](https://github.com/kvaps)).
-
----
-
-**Full Changelog**: [v0.38.0...v0.38.1](https://github.com/cozystack/cozystack/compare/v0.38.0...v0.38.1)
-

go.mod

@@ -6,15 +6,11 @@ go 1.23.0
 
 require (
 	github.com/fluxcd/helm-controller/api v1.1.0
-	github.com/go-logr/logr v1.4.2
-	github.com/go-logr/zapr v1.3.0
 	github.com/google/gofuzz v1.2.0
 	github.com/onsi/ginkgo/v2 v2.19.0
 	github.com/onsi/gomega v1.33.1
-	github.com/prometheus/client_golang v1.19.1
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
-	go.uber.org/zap v1.27.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.31.2
 	k8s.io/apiextensions-apiserver v0.31.2
@@ -48,7 +44,9 @@ require (
 	github.com/fluxcd/pkg/apis/meta v1.6.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
@@ -76,6 +74,7 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
@@ -95,6 +94,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.33.0 // indirect
@@ -119,6 +119,3 @@ require (
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
-
-// See: issues.k8s.io/135537
-replace k8s.io/apimachinery => github.com/cozystack/apimachinery v0.0.0-20251201201312-18e522a87614

go.sum

@@ -18,8 +18,6 @@ github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cozystack/apimachinery v0.0.0-20251201201312-18e522a87614 h1:jH9elECUvhiIs3IMv3oS5k1JgCLVsSK6oU4dmq5gyW8=
-github.com/cozystack/apimachinery v0.0.0-20251201201312-18e522a87614/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -293,6 +291,8 @@ k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0=
 k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk=
 k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0=
 k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM=
+k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=
+k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4=
 k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE=
 k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=

hack/check-optional-repos.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 ###############################################################################
 # check-optional-repos.sh - Check optional repositories for tags and commits #
 # during a release period                                                     #

hack/e2e-apps/run-kubernetes.sh

@@ -72,7 +72,7 @@ EOF
   kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-${test_name} --timeout=4m
 
   # Wait for Kubernetes resources to be ready (timeout after 2 minutes)
-  kubectl wait tcp -n tenant-test kubernetes-${test_name} --timeout=5m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
+  kubectl wait tcp -n tenant-test kubernetes-${test_name} --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
 
   # Wait for all required deployments to be available (timeout after 4 minutes)
   kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-${test_name} kubernetes-${test_name}-cluster-autoscaler kubernetes-${test_name}-kccm kubernetes-${test_name}-kcsi-controller
@@ -87,7 +87,7 @@ EOF
 
 
   # Set up port forwarding to the Kubernetes API server for a 200 second timeout
-  bash -c 'timeout 500s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
+  bash -c 'timeout 300s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
   # Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
   timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
 
@@ -124,100 +124,6 @@ EOF
     exit 1
   fi
 
-
-  kubectl --kubeconfig tenantkubeconfig-${test_name} apply -f - <<EOF
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: tenant-test
-EOF
-
-  # Backend 1
-  kubectl apply --kubeconfig tenantkubeconfig-${test_name} -f- <<EOF
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: "${test_name}-backend"
-  namespace: tenant-test
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: backend
-      backend: "${test_name}-backend"
-  template:
-    metadata:
-      labels:
-        app: backend
-        backend: "${test_name}-backend"
-    spec:
-      containers:
-      - name: nginx
-        image: nginx:alpine
-        ports:
-        - containerPort: 80
-        readinessProbe:
-          httpGet:
-            path: /
-            port: 80
-          initialDelaySeconds: 2
-          periodSeconds: 2
-EOF
-
-  # LoadBalancer Service
-  kubectl apply --kubeconfig tenantkubeconfig-${test_name} -f- <<EOF
-apiVersion: v1
-kind: Service
-metadata:
-  name: "${test_name}-backend"
-  namespace: tenant-test
-spec:
-  type: LoadBalancer
-  selector:
-    app: backend
-    backend: "${test_name}-backend"
-  ports:
-  - port: 80
-    targetPort: 80
-EOF
-
-  # Wait for pods readiness
-  kubectl wait deployment --kubeconfig tenantkubeconfig-${test_name} ${test_name}-backend -n tenant-test --for=condition=Available --timeout=90s
-  
-  # Wait for LoadBalancer to be provisioned (IP or hostname)
-  timeout 90 sh -ec "
-    until kubectl get svc ${test_name}-backend --kubeconfig tenantkubeconfig-${test_name} -n tenant-test \
-      -o jsonpath='{.status.loadBalancer.ingress[0]}' | grep -q .; do
-      sleep 5
-    done
-  "
-
-LB_ADDR=$(
-  kubectl get svc --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" \
-    -n tenant-test \
-    -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}'
-)
-
-if [ -z "$LB_ADDR" ]; then
-  echo "LoadBalancer address is empty" >&2
-  exit 1
-fi
-
-  for i in $(seq 1 20); do
-    echo "Attempt $i"
-    curl --silent --fail "http://${LB_ADDR}" && break
-    sleep 3
-  done
-
-  if [ "$i" -eq 20 ]; then
-    echo "LoadBalancer not reachable" >&2
-    exit 1
-  fi
-
-  # Cleanup
-  kubectl delete deployment --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" -n tenant-test
-  kubectl delete service --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" -n tenant-test
-
   # Wait for all machine deployment replicas to be ready (timeout after 10 minutes)
   kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
 

hack/e2e-test-openapi.bats

@@ -42,12 +42,3 @@
     exit 1
   fi
 }
-
-@test "Create and delete namespace" {
-  kubectl create ns cozy-test-create-and-delete-namespace --dry-run=client -o yaml | kubectl apply -f -
-  if ! kubectl delete ns cozy-test-create-and-delete-namespace; then
-    echo "Failed to delete namespace"
-    kubectl describe ns cozy-test-create-and-delete-namespace
-    exit 1
-  fi
-}

internal/controller/dashboard/customformsoverride.go

@@ -105,26 +105,8 @@ func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
 		"properties": map[string]any{},
 	}
 
-	// Check if there's a spec property
-	specProp, ok := props["spec"].(map[string]any)
-	if !ok {
-		return map[string]any{}, nil
-	}
-
-	specProps, ok := specProp["properties"].(map[string]any)
-	if !ok {
-		return map[string]any{}, nil
-	}
-
-	// Create spec.properties structure in schema
-	schemaProps := schema["properties"].(map[string]any)
-	specSchema := map[string]any{
-		"properties": map[string]any{},
-	}
-	schemaProps["spec"] = specSchema
-
 	// Process spec properties recursively
-	processSpecProperties(specProps, specSchema["properties"].(map[string]any))
+	processSpecProperties(props, schema["properties"].(map[string]any))
 
 	return schema, nil
 }

internal/controller/dashboard/customformsoverride_test.go

@@ -9,46 +9,41 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 	// Test OpenAPI schema with various field types
 	openAPISchema := `{
 		"properties": {
-			"spec": {
+			"simpleString": {
+				"type": "string",
+				"description": "A simple string field"
+			},
+			"stringWithEnum": {
+				"type": "string",
+				"enum": ["option1", "option2"],
+				"description": "String with enum should be skipped"
+			},
+			"numberField": {
+				"type": "number",
+				"description": "Number field should be skipped"
+			},
+			"nestedObject": {
 				"type": "object",
 				"properties": {
-					"simpleString": {
+					"nestedString": {
 						"type": "string",
-						"description": "A simple string field"
+						"description": "Nested string should get multilineString"
 					},
-					"stringWithEnum": {
+					"nestedStringWithEnum": {
 						"type": "string",
-						"enum": ["option1", "option2"],
-						"description": "String with enum should be skipped"
-					},
-					"numberField": {
-						"type": "number",
-						"description": "Number field should be skipped"
-					},
-					"nestedObject": {
-						"type": "object",
-						"properties": {
-							"nestedString": {
-								"type": "string",
-								"description": "Nested string should get multilineString"
-							},
-							"nestedStringWithEnum": {
-								"type": "string",
-								"enum": ["a", "b"],
-								"description": "Nested string with enum should be skipped"
-							}
-						}
-					},
-					"arrayOfObjects": {
-						"type": "array",
-						"items": {
-							"type": "object",
-							"properties": {
-								"itemString": {
-									"type": "string",
-									"description": "String in array item"
-								}
-							}
+						"enum": ["a", "b"],
+						"description": "Nested string with enum should be skipped"
+					}
+				}
+			},
+			"arrayOfObjects": {
+				"type": "array",
+				"items": {
+					"type": "object",
+					"properties": {
+						"itemString": {
+							"type": "string",
+							"description": "String in array item"
 						}
 					}
 				}
@@ -75,44 +70,33 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 		t.Fatal("schema.properties is not a map")
 	}
 
-	// Check spec property exists
-	spec, ok := props["spec"].(map[string]any)
-	if !ok {
-		t.Fatal("spec not found in properties")
-	}
-
-	specProps, ok := spec["properties"].(map[string]any)
-	if !ok {
-		t.Fatal("spec.properties is not a map")
-	}
-
 	// Check simpleString
-	simpleString, ok := specProps["simpleString"].(map[string]any)
+	simpleString, ok := props["simpleString"].(map[string]any)
 	if !ok {
-		t.Fatal("simpleString not found in spec.properties")
+		t.Fatal("simpleString not found in properties")
 	}
 	if simpleString["type"] != "multilineString" {
 		t.Errorf("simpleString should have type multilineString, got %v", simpleString["type"])
 	}
 
 	// Check stringWithEnum should not be present (or should not have multilineString)
-	if stringWithEnum, ok := specProps["stringWithEnum"].(map[string]any); ok {
+	if stringWithEnum, ok := props["stringWithEnum"].(map[string]any); ok {
 		if stringWithEnum["type"] == "multilineString" {
 			t.Error("stringWithEnum should not have multilineString type")
 		}
 	}
 
 	// Check numberField should not be present
-	if numberField, ok := specProps["numberField"].(map[string]any); ok {
+	if numberField, ok := props["numberField"].(map[string]any); ok {
 		if numberField["type"] != nil {
 			t.Error("numberField should not have any type override")
 		}
 	}
 
 	// Check nested object
-	nestedObject, ok := specProps["nestedObject"].(map[string]any)
+	nestedObject, ok := props["nestedObject"].(map[string]any)
 	if !ok {
-		t.Fatal("nestedObject not found in spec.properties")
+		t.Fatal("nestedObject not found in properties")
 	}
 	nestedProps, ok := nestedObject["properties"].(map[string]any)
 	if !ok {
@@ -129,9 +113,9 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 	}
 
 	// Check array of objects
-	arrayOfObjects, ok := specProps["arrayOfObjects"].(map[string]any)
+	arrayOfObjects, ok := props["arrayOfObjects"].(map[string]any)
 	if !ok {
-		t.Fatal("arrayOfObjects not found in spec.properties")
+		t.Fatal("arrayOfObjects not found in properties")
 	}
 	items, ok := arrayOfObjects["items"].(map[string]any)
 	if !ok {

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:31ebc09cfa11d8b438d2bbb32fa61b133aaf4b48b1a1282c9e59b5c127af61c1
+ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:b7633717cd7449c0042ae92d8ca9b36e4d69566561f5c7d44e21058e7d05c6d5

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:372ad087ae96bd0cd642e2b0855ec7ffb1369d6cf4f0b92204725557c11bc0ff
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:2d39989846c3579dd020b9f6c77e6e314cc81aa344eaac0f6d633e723c17196d

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.0.0@sha256:feb5df18d485939114fa3792dd46d09be1faa3e826adf2f1d6c8f7d46455d017
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.0.0@sha256:5335c044313b69ee13b30ca4941687e509005e55f4ae25723861edbf2fbd6dd2

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:b42c6af641ee0eadb7e0a42e368021b4759f443cb7b71b7e745a64f0fc8b752e
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:d5c836ba33cf5dbed7e6f866784f668f80ffe69179e7c75847b680111984eefb

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.33@sha256:d25e567bc8b17b596e050f5ff410e36112c7966e33f4b372c752e7350bacc894
+ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.33@sha256:a09724a7f95283f9130b3da2a89d81c4c6051c6edf0392a81b6fc90f404b76b6

packages/apps/kubernetes/templates/delete.yaml

@@ -3,15 +3,12 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   annotations:
-    "helm.sh/hook": pre-delete
+    "helm.sh/hook": post-delete
     "helm.sh/hook-weight": "10"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
   name: {{ .Release.Name }}-cleanup
 spec:
   template:
-    metadata:
-      labels:
-        policy.cozystack.io/allow-to-apiserver: "true"
     spec:
       serviceAccountName: {{ .Release.Name }}-cleanup
       restartPolicy: Never
@@ -27,43 +24,14 @@ spec:
           command:
             - /bin/sh
             - -c
-            - |
-              set -e
-              echo "Step 1: Suspending all HelmReleases with label cozystack.io/target-cluster-name={{ .Release.Name }}"
-              for hr in $(kubectl -n {{ .Release.Namespace }} get helmreleases.helm.toolkit.fluxcd.io -l "cozystack.io/target-cluster-name={{ .Release.Name }}" -o name 2>/dev/null || true); do
-                if [ -n "$hr" ]; then           
-                  echo "  Suspending $hr"
-                  kubectl -n {{ .Release.Namespace }} patch "$hr" \
-                    -p '{"spec": {"suspend": true}}' \
-                    --type=merge --field-manager=flux-client-side-apply
-                fi
-              done
+            - kubectl -n {{ .Release.Namespace }} delete datavolumes
+              -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}"
+              --ignore-not-found=true
 
-              echo "Step 2: Deleting HelmReleases with label cozystack.io/target-cluster-name={{ .Release.Name }}"
-              kubectl -n {{ .Release.Namespace }} delete helmreleases.helm.toolkit.fluxcd.io \
-                -l "cozystack.io/target-cluster-name={{ .Release.Name }}" \
-                --ignore-not-found=true --wait=true
-
-              echo "Step 3: Deleting KamajiControlPlane {{ .Release.Name }}"
-              kubectl -n {{ .Release.Namespace }} delete kamajicontrolplanes.controlplane.cluster.x-k8s.io {{ .Release.Name }} \
-                --ignore-not-found=true
-
-              echo "Step 4: Deleting TenantControlPlane {{ .Release.Name }}"
-              kubectl -n {{ .Release.Namespace }} delete tenantcontrolplanes.kamaji.clastix.io {{ .Release.Name }} \
-                --ignore-not-found=true
-
-              echo "Step 5: Cleaning up DataVolumes"
-              kubectl -n {{ .Release.Namespace }} delete datavolumes \
-                -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}" \
-                --ignore-not-found=true
-
-              echo "Step 6: Cleaning up LoadBalancer Services"
-              kubectl -n {{ .Release.Namespace }} delete services \
-                -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}" \
-                --field-selector spec.type=LoadBalancer \
-                --ignore-not-found=true
-
-              echo "Cleanup completed successfully"
+              kubectl -n {{ .Release.Namespace }} delete services
+              -l "cluster.x-k8s.io/cluster-name={{ .Release.Name }}"
+              --field-selector spec.type=LoadBalancer
+              --ignore-not-found=true
 
 
 ---
@@ -72,7 +40,7 @@ kind: ServiceAccount
 metadata:
   name: {{ .Release.Name }}-cleanup
   annotations:
-    helm.sh/hook: pre-delete
+    helm.sh/hook: post-delete
     helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
     helm.sh/hook-weight: "0"
 ---
@@ -80,39 +48,11 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   annotations:
-    "helm.sh/hook": pre-delete
+    "helm.sh/hook": post-delete
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
     "helm.sh/hook-weight": "5"
   name: {{ .Release.Name }}-cleanup
 rules:
-  - apiGroups:
-      - "helm.toolkit.fluxcd.io"
-    resources:
-      - helmreleases
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-      - delete
-  - apiGroups:
-      - "controlplane.cluster.x-k8s.io"
-    resources:
-      - kamajicontrolplanes
-    verbs:
-      - get
-      - list
-      - watch
-      - delete
-  - apiGroups:
-      - "kamaji.clastix.io"
-    resources:
-      - tenantcontrolplanes
-    verbs:
-      - get
-      - list
-      - watch
-      - delete
   - apiGroups:
       - "cdi.kubevirt.io"
     resources:
@@ -120,7 +60,6 @@ rules:
     verbs:
       - get
       - list
-      - watch
       - delete
   - apiGroups:
       - ""
@@ -129,14 +68,13 @@ rules:
     verbs:
       - get
       - list
-      - watch
       - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   annotations:
-    "helm.sh/hook": pre-delete
+    "helm.sh/hook": post-delete
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
     "helm.sh/hook-weight": "5"
   name: {{ .Release.Name }}-cleanup
@@ -148,3 +86,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ .Release.Name }}-cleanup
     namespace: {{ .Release.Namespace }}
+

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -0,0 +1,104 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "10"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+  name: {{ .Release.Name }}-flux-teardown
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ .Release.Name }}-flux-teardown
+      restartPolicy: Never
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
+      containers:
+        - name: kubectl
+          image: docker.io/clastix/kubectl:v1.32
+          command:
+            - /bin/sh
+            - -c
+            - >-
+              kubectl
+              --namespace={{ .Release.Namespace }}
+              patch
+              helmrelease
+              {{ .Release.Name }}-cilium
+              {{ .Release.Name }}-gateway-api-crds
+              {{ .Release.Name }}-csi
+              {{ .Release.Name }}-cert-manager
+              {{ .Release.Name }}-cert-manager-crds
+              {{ .Release.Name }}-vertical-pod-autoscaler
+              {{ .Release.Name }}-vertical-pod-autoscaler-crds
+              {{ .Release.Name }}-ingress-nginx
+              {{ .Release.Name }}-fluxcd-operator
+              {{ .Release.Name }}-fluxcd
+              {{ .Release.Name }}-gpu-operator
+              {{ .Release.Name }}-velero
+              {{ .Release.Name }}-coredns
+              -p '{"spec": {"suspend": true}}'
+              --type=merge --field-manager=flux-client-side-apply || true
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-flux-teardown
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-failed,hook-succeeded
+    helm.sh/hook-weight: "0"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install,post-install,pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+    "helm.sh/hook-weight": "5"
+  name: {{ .Release.Name }}-flux-teardown
+rules:
+  - apiGroups:
+      - "helm.toolkit.fluxcd.io"
+    resources:
+      - helmreleases
+    verbs:
+      - get
+      - patch
+    resourceNames:
+      - {{ .Release.Name }}-cilium
+      - {{ .Release.Name }}-csi
+      - {{ .Release.Name }}-cert-manager
+      - {{ .Release.Name }}-cert-manager-crds
+      - {{ .Release.Name }}-gateway-api-crds
+      - {{ .Release.Name }}-vertical-pod-autoscaler
+      - {{ .Release.Name }}-vertical-pod-autoscaler-crds
+      - {{ .Release.Name }}-ingress-nginx
+      - {{ .Release.Name }}-fluxcd-operator
+      - {{ .Release.Name }}-fluxcd
+      - {{ .Release.Name }}-gpu-operator
+      - {{ .Release.Name }}-velero
+      - {{ .Release.Name }}-coredns
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "5"
+  name: {{ .Release.Name }}-flux-teardown
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-flux-teardown
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-flux-teardown
+    namespace: {{ .Release.Namespace }}

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/mariadb-backup:0.0.0@sha256:aca403030ff5d831415d72367866fdf291fab73ee2cfddbe4c93c2915a316ab1
+ghcr.io/cozystack/cozystack/mariadb-backup:0.0.0@sha256:1c0beb1b23a109b0e13727b4c73d2c74830e11cede92858ab20101b66f45a858

packages/apps/tenant/templates/cleanup-job.yaml

@@ -1,85 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "tenant.name" . }}-cleanup
-  namespace: {{ include "tenant.name" . }}
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-    helm.sh/hook-weight: "-5"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "tenant.name" . }}-cleanup
-  namespace: {{ include "tenant.name" . }}
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-    helm.sh/hook-weight: "-5"
-rules:
-- apiGroups: ["helm.toolkit.fluxcd.io"]
-  resources: ["helmreleases"]
-  verbs: ["get", "list", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "tenant.name" . }}-cleanup
-  namespace: {{ include "tenant.name" . }}
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-    helm.sh/hook-weight: "-5"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "tenant.name" . }}-cleanup
-subjects:
-- kind: ServiceAccount
-  name: {{ include "tenant.name" . }}-cleanup
-  namespace: {{ include "tenant.name" . }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "tenant.name" . }}-cleanup
-  namespace: {{ include "tenant.name" . }}
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-    helm.sh/hook-weight: "0"
-spec:
-  ttlSecondsAfterFinished: 300
-  template:
-    metadata:
-      name: {{ include "tenant.name" . }}-cleanup
-      labels:
-        policy.cozystack.io/allow-to-apiserver: "true"
-    spec:
-      serviceAccountName: {{ include "tenant.name" . }}-cleanup
-      restartPolicy: OnFailure
-      containers:
-      - name: cleanup
-        image: bitnami/kubectl:latest
-        command:
-        - /bin/bash
-        - -c
-        - |
-          set -e
-          NAMESPACE="{{ include "tenant.name" . }}"
-          
-          echo "Cleaning up HelmReleases in namespace: $NAMESPACE"
-          
-          echo "Deleting Applications"
-          kubectl delete helmreleases.helm.toolkit.fluxcd.io -n "$NAMESPACE" \
-            -l 'cozystack.io/ui=true,internal.cozystack.io/tenantmodule!=true' \
-            --ignore-not-found=true --wait=true
-          
-          echo "Deleting Tenant Modules"
-          kubectl delete helmreleases.helm.toolkit.fluxcd.io -n "$NAMESPACE" \
-            -l 'cozystack.io/ui=true,internal.cozystack.io/tenantmodule=true' \
-            --ignore-not-found=true --wait=true
-          
-          echo "Cleanup completed successfully"

packages/apps/virtual-machine/templates/_helpers.tpl

@@ -69,36 +69,3 @@ Generate a stable UUID for cloud-init re-initialization upon upgrade.
 {{- end }}
 {{- $uuid }}
 {{- end }}
-
-{{/*
-Node Affinity for Windows VMs
-*/}}
-{{- define "virtual-machine.nodeAffinity" -}}
-{{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" -}}
-{{- if $configMap -}}
-{{- $dedicatedNodesForWindowsVMs := get $configMap.data "dedicatedNodesForWindowsVMs" -}}
-{{- if eq $dedicatedNodesForWindowsVMs "true" -}}
-{{- $isWindows := hasPrefix "windows" (toString .Values.instanceProfile) -}}
-affinity:
-  nodeAffinity:
-    {{- if $isWindows }}
-    requiredDuringSchedulingIgnoredDuringExecution:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: scheduling.cozystack.io/vm-windows
-          operator: In
-          values:
-          - "true"
-    {{- else }}
-    preferredDuringSchedulingIgnoredDuringExecution:
-    - weight: 100
-      preference:
-        matchExpressions:
-        - key: scheduling.cozystack.io/vm-windows
-          operator: NotIn
-          values:
-          - "true"
-    {{- end }}
-{{- end -}}
-{{- end -}}
-{{- end -}}

packages/apps/virtual-machine/templates/vm-update-hook.yaml

@@ -27,11 +27,7 @@
 {{- if and $existingPVC $desiredStorage -}}
   {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
   {{- if not (eq $currentStorage $desiredStorage) -}}
-    {{- $oldSize := (include "cozy-lib.resources.toFloat" $currentStorage) | float64 -}}
-    {{- $newSize := (include "cozy-lib.resources.toFloat" $desiredStorage) | float64 -}}
-    {{- if gt $newSize $oldSize -}}
-      {{- $needResizePVC = true -}}
-    {{- end -}}
+    {{- $needResizePVC = true -}}
   {{- end -}}
 {{- end -}}
 

packages/apps/virtual-machine/templates/vm.yaml

@@ -124,8 +124,6 @@ spec:
 
       terminationGracePeriodSeconds: 30
 
-      {{- include "virtual-machine.nodeAffinity" . | nindent 6 }}
-
       volumes:
         - name: systemdisk
           dataVolume:

packages/apps/vm-disk/templates/pvc-resize-hook.yaml

@@ -1,17 +1,5 @@
 {{- $existingPVC := lookup "v1" "PersistentVolumeClaim" .Release.Namespace .Release.Name }}
-{{- $shouldResize := false -}}
-{{- if and $existingPVC .Values.storage -}}
-  {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
-  {{- if ne $currentStorage .Values.storage -}}
-    {{- $oldSize := (include "cozy-lib.resources.toFloat" $currentStorage) | float64 -}}
-    {{- $newSize := (include "cozy-lib.resources.toFloat" .Values.storage) | float64 -}}
-    {{- if gt $newSize $oldSize -}}
-      {{- $shouldResize = true -}}
-    {{- end -}}
-  {{- end -}}
-{{- end -}}
-
-{{- if $shouldResize -}}
+{{- if and $existingPVC (ne ($existingPVC.spec.resources.requests.storage | toString) .Values.storage) -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -35,7 +23,6 @@ spec:
           command: ["sh", "-xec"]
           args:
             - |
-              echo "Resizing PVC to {{ .Values.storage }}..."
               kubectl patch pvc {{ .Release.Name }} -p '{"spec":{"resources":{"requests":{"storage":"{{ .Values.storage }}"}}}}'
 ---
 apiVersion: v1

packages/apps/vm-instance/templates/_helpers.tpl

@@ -69,36 +69,3 @@ Generate a stable UUID for cloud-init re-initialization upon upgrade.
 {{- end }}
 {{- $uuid }}
 {{- end }}
-
-{{/*
-Node Affinity for Windows VMs
-*/}}
-{{- define "virtual-machine.nodeAffinity" -}}
-{{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" -}}
-{{- if $configMap -}}
-{{- $dedicatedNodesForWindowsVMs := get $configMap.data "dedicatedNodesForWindowsVMs" -}}
-{{- if eq $dedicatedNodesForWindowsVMs "true" -}}
-{{- $isWindows := hasPrefix "windows" (toString .Values.instanceProfile) -}}
-affinity:
-  nodeAffinity:
-    {{- if $isWindows }}
-    requiredDuringSchedulingIgnoredDuringExecution:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: scheduling.cozystack.io/vm-windows
-          operator: In
-          values:
-          - "true"
-    {{- else }}
-    preferredDuringSchedulingIgnoredDuringExecution:
-    - weight: 100
-      preference:
-        matchExpressions:
-        - key: scheduling.cozystack.io/vm-windows
-          operator: NotIn
-          values:
-          - "true"
-    {{- end }}
-{{- end -}}
-{{- end -}}
-{{- end -}}

packages/apps/vm-instance/templates/vm.yaml

@@ -95,9 +95,6 @@ spec:
             noCloud: {}
       {{- end }}
       terminationGracePeriodSeconds: 30
-
-      {{- include "virtual-machine.nodeAffinity" . | nindent 6 }}
-
       volumes:
       {{- range .Values.disks }}
       - name: disk-{{ .name }}

packages/core/installer/images/cozystack/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.24-alpine AS k8s-await-election-builder
+FROM golang:1.24-alpine as k8s-await-election-builder
 
 ARG K8S_AWAIT_ELECTION_GITREPO=https://github.com/LINBIT/k8s-await-election
 ARG K8S_AWAIT_ELECTION_VERSION=0.4.1
@@ -13,7 +13,7 @@ RUN git clone ${K8S_AWAIT_ELECTION_GITREPO} /usr/local/go/k8s-await-election/ \
  && make \
  && mv ./out/k8s-await-election-${TARGETARCH} /k8s-await-election
 
-FROM golang:1.24-alpine AS builder
+FROM golang:1.24-alpine as builder
 
 ARG TARGETOS
 ARG TARGETARCH

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.38.8@sha256:2a82678c2b020047ca3f4baaaa79e1284810fbe5d5ffdc024b242bc9f33df168
+  image: ghcr.io/cozystack/cozystack/installer:v0.38.0@sha256:1a902ebd15fe375079098c088dd5b40475926c8d9576faf6348433f0fd86a963

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.38.8@sha256:bc12856b5c2dff2855b26b1a2909d05d07a4c4e2af5f0c36468de09585888573
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.38.0@sha256:cb17739b46eca263b2a31c714a3cb211da6f9de259b1641c2fc72c91bdfc93bb

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.38.8@sha256:dbce65fee982b7d2b6b7baa9ac862e178f9e153f8918fc0c5c57be03ccfd6730
+ghcr.io/cozystack/cozystack/matchbox:v0.38.0@sha256:9ff2bdcf802445f6c1cabdf0e6fc32ee10043b1067945232a91088abad63f583

packages/extra/monitoring/images/grafana.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/grafana:0.0.0@sha256:8ce0cd90c8f614cdabf5a41f8aa50b7dfbd02b31b9a0bd7897927e7f89968e07
+ghcr.io/cozystack/cozystack/grafana:0.0.0@sha256:c63978e1ed0304e8518b31ddee56c4e8115541b997d8efbe1c0a74da57140399

packages/extra/seaweedfs/images/objectstorage-sidecar.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.38.8@sha256:2d1833c78c35b697a3634d4b3be9a3218edae95a77583e9e121c10a92e7433ec
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.38.0@sha256:4548d85e7e69150aaf52fbb17fb9487e9714bdd8407aff49762cf39b9d0ab29c

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:ecb140d026ed72660306953a7eec140d7ac81e79544d5bbf1aba5f62aa5f8b69
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:f21b1c37872221323cee0490f9c58e04fa360c2b8c68700ab0455bc39f3ad160

packages/system/cilium/values.yaml

@@ -18,6 +18,3 @@ cilium:
     digest: "sha256:81262986a41487bfa3d0465091d3a386def5bd1ab476350bd4af2fdee5846fe6"
   envoy:
     enabled: false
-  rollOutCiliumPods: true
-  operator:
-    rollOutPods: true

packages/system/coredns/values.yaml

@@ -3,6 +3,3 @@ coredns:
     repository: registry.k8s.io/coredns/coredns
     tag: v1.12.4
   replicaCount: 2
-  k8sAppLabelOverride: kube-dns
-  service:
-    name: kube-dns

packages/system/cozystack-api/values.yaml

@@ -1,5 +1,5 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.38.8@sha256:51574c6bb61ae31e63193f84daf18c14ceb71580786e262191c4aa0ac44b1519
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.38.0@sha256:5eb5d6369c7c7ba0fa6b34b7c5022faa15c860b72e441b5fbde3eceda94efc88
   localK8sAPIEndpoint:
     enabled: true
   replicas: 2

packages/system/cozystack-controller/values.yaml

@@ -1,6 +1,6 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.38.8@sha256:6be8fa0a56c0dca71086deddef1b16d23c613b912c7ca379096ca3ad0e50dffb
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.38.0@sha256:4628a3711b6a6fc2e446255ee172cd268b28b07c65e98c302ea8897574dcbf22
   debug: false
   disableTelemetry: false
-  cozystackVersion: "v0.38.8"
+  cozystackVersion: "v0.38.0"
   cozystackAPIKind: "DaemonSet"

packages/system/dashboard/images/openapi-ui-k8s-bff/Dockerfile

@@ -3,7 +3,7 @@ ARG NODE_VERSION=20.18.1
 FROM node:${NODE_VERSION}-alpine AS builder
 WORKDIR /src
 
-ARG COMMIT_REF=183dc9dcbb0f8a1833dad642c35faa385c71e58d
+ARG COMMIT_REF=ba56271739505284aee569f914fc90e6a9c670da
 RUN wget -O- https://github.com/PRO-Robotech/openapi-ui-k8s-bff/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
 
 ENV PATH=/src/node_modules/.bin:$PATH

packages/system/dashboard/templates/configmap.yaml

@@ -1,6 +1,6 @@
 {{- $brandingConfig:= lookup "v1" "ConfigMap" "cozy-system" "cozystack-branding" }}
 
-{{- $tenantText := "v0.38.8" }}
+{{- $tenantText := "v0.38.0" }}
 {{- $footerText := "Cozystack" }}
 {{- $titleText := "Cozystack Dashboard" }}
 {{- $logoText := "" }}

packages/system/dashboard/templates/nginx.yaml

@@ -16,7 +16,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/nginx-config.yaml") . | sha256sum }}
+        checksum/configmap-configurationnginxfile: 258c66b019c8c7f4a5d0a78dfd7bf297ce486b213346fbd2879c466abfc377e0
       labels:
         app.kubernetes.io/instance: incloud-web
         app.kubernetes.io/name: nginx

packages/system/dashboard/templates/web.yaml

@@ -15,8 +15,7 @@ spec:
     type: RollingUpdate
   template:
     metadata:
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      annotations: null
       labels:
         app.kubernetes.io/instance: incloud-web
         app.kubernetes.io/name: web

packages/system/dashboard/values.yaml

@@ -1,6 +1,6 @@
 openapiUI:
-  image: ghcr.io/cozystack/cozystack/openapi-ui:v0.38.8@sha256:54f53571422c50f6aab613031d519a305564e4ec0b456baa23e98b7707ac001b
+  image: ghcr.io/cozystack/cozystack/openapi-ui:v0.38.0@sha256:78570edb9f4e329ffed0f8da3942acee1536323169d56324e57360df66044c28
 openapiUIK8sBff:
-  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v0.38.8@sha256:1f7827a1978bd9c81ac924dd0e78f6a3ce834a9a64af55047e220812bc15a944
+  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v0.38.0@sha256:b7f18b86913d94338f1ceb93fca6409d19f565e35d6d6e683ca93441920fec71
 tokenProxy:
-  image: ghcr.io/cozystack/cozystack/token-proxy:v0.38.8@sha256:4fc8a11f8a1a81aa0774ae2b1ed2e05d36d0b3ef1e37979cc4994e65114d93ae
+  image: ghcr.io/cozystack/cozystack/token-proxy:v0.38.0@sha256:fad27112617bb17816702571e1f39d0ac3fe5283468d25eb12f79906cdab566b

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.38.8@sha256:4588de4380fb70c29c4a762fb19a9bbe210e68bc5ff67035c752c44daf319bfc
+    tag: v0.38.0@sha256:125e4e6a8b86418e891416d29353053ab8b65182b7e443f221b557c11a385280
     repository: ghcr.io/cozystack/cozystack/kamaji
   resources:
     limits:
@@ -13,4 +13,4 @@ kamaji:
       cpu: 100m
       memory: 100Mi
   extraArgs:
-    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v0.38.8@sha256:4588de4380fb70c29c4a762fb19a9bbe210e68bc5ff67035c752c44daf319bfc
+    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v0.38.0@sha256:125e4e6a8b86418e891416d29353053ab8b65182b7e443f221b557c11a385280

packages/system/kubeovn-plunger/values.yaml

@@ -1,4 +1,4 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v0.38.8@sha256:14537e277f6de81ec4fda42b8ffc25b224834b9e3af81ef42b80c50cee6f68ef
+image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v0.38.0@sha256:a140bdcc300bcfb63a5d64884d02d802d7669ba96dc65292a06f3b200ff627f8
 ovnCentralName: ovn-central

packages/system/kubeovn-webhook/values.yaml

@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.38.8@sha256:e6334c29d3aaf0dea766c88e3e05b53ad623d1bb497b3c836e6f76adade45b29
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.38.0@sha256:7bfd458299a507f2cf82cddb65941ded6991fd4ba92fd46010cbc8c363126085

packages/system/kubeovn/values.yaml

@@ -65,4 +65,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.14.11@sha256:85612c4fb14feb930f04771b0ca377a51344fa5e3e2eb09d95c059aa19c4c8ae
+      tag: v1.14.11@sha256:1b0f472cf30d5806e3afd10439ce8f9cfe8a004322dbd1911f7d69171fe936e5

packages/system/kubevirt-csi-node/values.yaml

@@ -1,3 +1,3 @@
 storageClass: replicated
 csiDriver:
-  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:b42c6af641ee0eadb7e0a42e368021b4759f443cb7b71b7e745a64f0fc8b752e
+  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:d5c836ba33cf5dbed7e6f866784f668f80ffe69179e7c75847b680111984eefb

packages/system/kubevirt-operator/alerts/PrometheusRule.yaml

@@ -27,7 +27,7 @@ spec:
       expr: |
         max_over_time(
           kubevirt_vmi_info{
-            phase!="running",
+            phase!="Running",
             exported_namespace=~".+",
             name=~".+"
           }[10m]

packages/system/lineage-controller-webhook/values.yaml

@@ -1,5 +1,5 @@
 lineageControllerWebhook:
-  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.38.8@sha256:d2525b2cef34a6eea59d77e2bbca52eb0cd377a526b41643e104873613e7b6a0
+  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.38.0@sha256:fc2b04f59757904ec1557a39529b84b595114b040ef95d677fd7f21ac3958e0a
   debug: false
   localK8sAPIEndpoint:
     enabled: true

packages/system/metallb/values.yaml

@@ -4,8 +4,8 @@ metallb:
   controller:
     image:
       repository: ghcr.io/cozystack/cozystack/metallb-controller
-      tag: v0.15.2@sha256:623ce74b5802bff6e29f29478ccab29ce4162a64148be006c69e16cc3207e289
+      tag: v0.15.2@sha256:0e9080234fc8eedab78ad2831fb38df375c383e901a752d72b353c8d13b9605f
   speaker:
     image:
       repository: ghcr.io/cozystack/cozystack/metallb-speaker
-      tag: v0.15.2@sha256:f264058afd9228452a260ab9c9dd1859404745627a2a38c2ba4671e27f3b3bb2
+      tag: v0.15.2@sha256:e14d4c328c3ab91a6eadfeea90da96388503492d165e7e8582f291b1872e53b2

packages/system/monitoring-agents/templates/coredns-scrape.yaml

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: coredns-metrics
+  name: coredns
   namespace: kube-system
   labels:
     app: coredns
@@ -19,7 +19,7 @@ spec:
 apiVersion: operator.victoriametrics.com/v1beta1
 kind: VMServiceScrape
 metadata:
-  name: coredns-metrics
+  name: coredns
   namespace: cozy-monitoring
 spec:
   selector:

packages/system/multus/templates/multus-daemonset-thick.yml

@@ -162,6 +162,7 @@ spec:
               memory: "100Mi"
             limits:
               cpu: "100m"
+              memory: "300Mi"
           securityContext:
             privileged: true
           terminationMessagePolicy: FallbackToLogsOnError

packages/system/objectstorage-controller/values.yaml

@@ -1,3 +1,3 @@
 objectstorage:
   controller:
-    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.38.8@sha256:cbf22bcbeed7049340aa41f41cc130596bdb962873116e0c4eb5bab123ae13b0"
+    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.38.0@sha256:7d37495cce46d30d4613ecfacaa7b7f140e7ea8f3dbcc3e8c976e271de6cc71b"

packages/system/piraeus-operator/charts/piraeus/Chart.yaml

@@ -3,8 +3,8 @@ name: piraeus
 description: |
   The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
 type: application
-version: 2.10.2
-appVersion: "v2.10.2"
+version: 2.10.1
+appVersion: "v2.10.1"
 maintainers:
   - name: Piraeus Datastore
     url: https://piraeus.io

packages/system/piraeus-operator/charts/piraeus/templates/config.yaml

@@ -23,10 +23,10 @@ data:
         tag: v1.32.3
         image: piraeus-server
       linstor-csi:
-        tag: v1.10.3
+        tag: v1.10.2
         image: piraeus-csi
       nfs-server:
-        tag: v1.10.3
+        tag: v1.10.2
         image: piraeus-csi-nfs-server
       drbd-reactor:
         tag: v1.10.0
@@ -44,7 +44,7 @@ data:
         tag: v1.3.0
         image: linstor-affinity-controller
       drbd-module-loader:
-        tag: v9.2.16
+        tag: v9.2.15
         # The special "match" attribute is used to select an image based on the node's reported OS.
         # The operator will first check the k8s node's ".status.nodeInfo.osImage" field, and compare it against the list
         # here. If one matches, that specific image name will be used instead of the fallback image.
@@ -99,7 +99,7 @@ data:
         tag: v2.17.0
         image: livenessprobe
       csi-provisioner:
-        tag: v6.1.0
+        tag: v6.0.0
         image: csi-provisioner
       csi-snapshotter:
         tag: v8.4.0

packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml

@@ -993,24 +993,6 @@ spec:
                 - Retain
                 - Delete
                 type: string
-              evacuationStrategy:
-                description: EvacuationStrategy configures the evacuation of volumes
-                  from a Satellite when DeletionPolicy "Evacuate" is used.
-                nullable: true
-                properties:
-                  attachedVolumeReattachTimeout:
-                    default: 5m
-                    description: |-
-                      AttachedVolumeReattachTimeout configures how long evacuation waits for attached volumes to reattach on
-                      different nodes. Setting this to 0 disable this evacuation step.
-                    type: string
-                  unattachedVolumeAttachTimeout:
-                    default: 5m
-                    description: |-
-                      UnattachedVolumeAttachTimeout configures how long evacuation waits for unattached volumes to attach on
-                      different nodes. Setting this to 0 disable this evacuation step.
-                    type: string
-                type: object
               internalTLS:
                 description: |-
                   InternalTLS configures secure communication for the LINSTOR Satellite.
@@ -1701,23 +1683,6 @@ spec:
                 - Retain
                 - Delete
                 type: string
-              evacuationStrategy:
-                description: EvacuationStrategy configures the evacuation of volumes
-                  from a Satellite when DeletionPolicy "Evacuate" is used.
-                properties:
-                  attachedVolumeReattachTimeout:
-                    default: 5m
-                    description: |-
-                      AttachedVolumeReattachTimeout configures how long evacuation waits for attached volumes to reattach on
-                      different nodes. Setting this to 0 disable this evacuation step.
-                    type: string
-                  unattachedVolumeAttachTimeout:
-                    default: 5m
-                    description: |-
-                      UnattachedVolumeAttachTimeout configures how long evacuation waits for unattached volumes to attach on
-                      different nodes. Setting this to 0 disable this evacuation step.
-                    type: string
-                type: object
               internalTLS:
                 description: |-
                   InternalTLS configures secure communication for the LINSTOR Satellite.

packages/system/seaweedfs/charts/seaweedfs/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 description: SeaweedFS
 name: seaweedfs
-appVersion: "4.02"
+appVersion: "3.99"
 # Dev note: Trigger a helm chart release by `git tag -a helm-<version>`
-version: 4.0.402
+version: 4.0.399

packages/system/seaweedfs/charts/seaweedfs/templates/all-in-one/all-in-one-deployment.yaml

@@ -15,9 +15,9 @@ metadata:
     {{- toYaml .Values.allInOne.annotations | nindent 4 }}
   {{- end }}
 spec:
-  replicas: {{ .Values.allInOne.replicas | default 1 }}
+  replicas: 1
   strategy:
-    type: {{ .Values.allInOne.updateStrategy.type | default "Recreate" }}
+    type: Recreate
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
@@ -130,23 +130,12 @@ spec:
               value: {{ include "seaweedfs.cluster.masterAddress" . | quote }}
             - name: {{ $clusterFilerKey }}
               value: {{ include "seaweedfs.cluster.filerAddress" . | quote }}
-            {{- if .Values.allInOne.secretExtraEnvironmentVars }}
-            {{- range $key, $value := .Values.allInOne.secretExtraEnvironmentVars }}
-            - name: {{ $key }}
-              valueFrom:
-                {{ toYaml $value | nindent 16 }}
-            {{- end }}
-            {{- end }}
           command:
             - "/bin/sh"
             - "-ec"
             - |
               /usr/bin/weed \
-              {{- if .Values.allInOne.loggingOverrideLevel }}
-              -v={{ .Values.allInOne.loggingOverrideLevel }} \
-              {{- else }}
               -v={{ .Values.global.loggingLevel }} \
-              {{- end }}
               server \
               -dir=/data \
               -master \
@@ -202,9 +191,6 @@ spec:
               {{- else if .Values.master.metricsPort }}
               -metricsPort={{ .Values.master.metricsPort }} \
               {{- end }}
-              {{- if .Values.allInOne.metricsIp }}
-              -metricsIp={{ .Values.allInOne.metricsIp }} \
-              {{- end }}
               -filer \
               -filer.port={{ .Values.filer.port }} \
               {{- if .Values.filer.disableDirListing }}
@@ -233,75 +219,61 @@ spec:
               {{- end }}
               {{- if .Values.allInOne.s3.enabled }}
               -s3 \
-              -s3.port={{ .Values.allInOne.s3.port | default .Values.s3.port }} \
-              {{- $domainName := .Values.allInOne.s3.domainName | default .Values.s3.domainName }}
-              {{- if $domainName }}
-              -s3.domainName={{ $domainName }} \
+              -s3.port={{ .Values.s3.port }} \
+              {{- if .Values.s3.domainName }}
+              -s3.domainName={{ .Values.s3.domainName }} \
               {{- end }}
               {{- if .Values.global.enableSecurity }}
-              {{- $httpsPort := .Values.allInOne.s3.httpsPort | default .Values.s3.httpsPort }}
-              {{- if $httpsPort }}
-              -s3.port.https={{ $httpsPort }} \
+              {{- if .Values.s3.httpsPort }}
+              -s3.port.https={{ .Values.s3.httpsPort }} \
               {{- end }}
               -s3.cert.file=/usr/local/share/ca-certificates/client/tls.crt \
               -s3.key.file=/usr/local/share/ca-certificates/client/tls.key \
               {{- end }}
-              {{- if or .Values.allInOne.s3.enableAuth .Values.s3.enableAuth .Values.filer.s3.enableAuth }}
+              {{- if eq (typeOf .Values.s3.allowEmptyFolder) "bool" }}
+              -s3.allowEmptyFolder={{ .Values.s3.allowEmptyFolder }} \
+              {{- end }}
+              {{- if .Values.s3.enableAuth }}
               -s3.config=/etc/sw/s3/seaweedfs_s3_config \
               {{- end }}
-              {{- $auditLogConfig := .Values.allInOne.s3.auditLogConfig | default .Values.s3.auditLogConfig }}
-              {{- if $auditLogConfig }}
+              {{- if .Values.s3.auditLogConfig }}
               -s3.auditLogConfig=/etc/sw/s3/s3_auditLogConfig.json \
               {{- end }}
               {{- end }}
               {{- if .Values.allInOne.sftp.enabled }}
               -sftp \
-              -sftp.port={{ .Values.allInOne.sftp.port | default .Values.sftp.port }} \
-              {{- $sshPrivateKey := .Values.allInOne.sftp.sshPrivateKey | default .Values.sftp.sshPrivateKey }}
-              {{- if $sshPrivateKey }}
-              -sftp.sshPrivateKey={{ $sshPrivateKey }} \
+              -sftp.port={{ .Values.sftp.port }} \
+              {{- if .Values.sftp.sshPrivateKey }}
+              -sftp.sshPrivateKey={{ .Values.sftp.sshPrivateKey }} \
               {{- end }}
-              {{- $hostKeysFolder := .Values.allInOne.sftp.hostKeysFolder | default .Values.sftp.hostKeysFolder }}
-              {{- if $hostKeysFolder }}
-              -sftp.hostKeysFolder={{ $hostKeysFolder }} \
+              {{- if .Values.sftp.hostKeysFolder }}
+              -sftp.hostKeysFolder={{ .Values.sftp.hostKeysFolder }} \
               {{- end }}
-              {{- $authMethods := .Values.allInOne.sftp.authMethods | default .Values.sftp.authMethods }}
-              {{- if $authMethods }}
-              -sftp.authMethods={{ $authMethods }} \
+              {{- if .Values.sftp.authMethods }}
+              -sftp.authMethods={{ .Values.sftp.authMethods }} \
               {{- end }}
-              {{- $maxAuthTries := .Values.allInOne.sftp.maxAuthTries | default .Values.sftp.maxAuthTries }}
-              {{- if $maxAuthTries }}
-              -sftp.maxAuthTries={{ $maxAuthTries }} \
+              {{- if .Values.sftp.maxAuthTries }}
+              -sftp.maxAuthTries={{ .Values.sftp.maxAuthTries }} \
               {{- end }}
-              {{- $bannerMessage := .Values.allInOne.sftp.bannerMessage | default .Values.sftp.bannerMessage }}
-              {{- if $bannerMessage }}
-              -sftp.bannerMessage="{{ $bannerMessage }}" \
+              {{- if .Values.sftp.bannerMessage }}
+              -sftp.bannerMessage="{{ .Values.sftp.bannerMessage }}" \
               {{- end }}
-              {{- $loginGraceTime := .Values.allInOne.sftp.loginGraceTime | default .Values.sftp.loginGraceTime }}
-              {{- if $loginGraceTime }}
-              -sftp.loginGraceTime={{ $loginGraceTime }} \
+              {{- if .Values.sftp.loginGraceTime }}
+              -sftp.loginGraceTime={{ .Values.sftp.loginGraceTime }} \
               {{- end }}
-              {{- $clientAliveInterval := .Values.allInOne.sftp.clientAliveInterval | default .Values.sftp.clientAliveInterval }}
-              {{- if $clientAliveInterval }}
-              -sftp.clientAliveInterval={{ $clientAliveInterval }} \
+              {{- if .Values.sftp.clientAliveInterval }}
+              -sftp.clientAliveInterval={{ .Values.sftp.clientAliveInterval }} \
               {{- end }}
-              {{- $clientAliveCountMax := .Values.allInOne.sftp.clientAliveCountMax | default .Values.sftp.clientAliveCountMax }}
-              {{- if $clientAliveCountMax }}
-              -sftp.clientAliveCountMax={{ $clientAliveCountMax }} \
+              {{- if .Values.sftp.clientAliveCountMax }}
+              -sftp.clientAliveCountMax={{ .Values.sftp.clientAliveCountMax }} \
               {{- end }}
-              {{- if or .Values.allInOne.sftp.enableAuth .Values.sftp.enableAuth }}
               -sftp.userStoreFile=/etc/sw/sftp/seaweedfs_sftp_config \
               {{- end }}
-              {{- end }}
-              {{- $extraArgsCount := len .Values.allInOne.extraArgs }}
-              {{- range $i, $arg := .Values.allInOne.extraArgs }}
-              {{ $arg | quote }}{{ if ne (add1 $i) $extraArgsCount }} \{{ end }}
-              {{- end }}
 
           volumeMounts:
             - name: data
               mountPath: /data
-            {{- if and .Values.allInOne.s3.enabled (or .Values.allInOne.s3.enableAuth .Values.s3.enableAuth .Values.filer.s3.enableAuth) }}
+            {{- if and .Values.allInOne.s3.enabled (or .Values.s3.enableAuth .Values.filer.s3.enableAuth) }}
             - name: config-s3-users
               mountPath: /etc/sw/s3
               readOnly: true
@@ -310,12 +282,10 @@ spec:
             - name: config-ssh
               mountPath: /etc/sw/ssh
               readOnly: true
-            {{- if or .Values.allInOne.sftp.enableAuth .Values.sftp.enableAuth }}
             - mountPath: /etc/sw/sftp
               name: config-users
               readOnly: true
             {{- end }}
-            {{- end }}
             {{- if .Values.filer.notificationConfig }}
             - name: notification-config
               mountPath: /etc/seaweedfs/notification.toml
@@ -362,16 +332,15 @@ spec:
             - containerPort: {{ .Values.filer.grpcPort }}
               name: swfs-fil-grpc
             {{- if .Values.allInOne.s3.enabled }}
-            - containerPort: {{ .Values.allInOne.s3.port | default .Values.s3.port }}
+            - containerPort: {{ .Values.s3.port }}
               name: swfs-s3
-              {{- $httpsPort := .Values.allInOne.s3.httpsPort | default .Values.s3.httpsPort }}
-              {{- if $httpsPort }}
-            - containerPort: {{ $httpsPort }}
+              {{- if .Values.s3.httpsPort }}
+            - containerPort: {{ .Values.s3.httpsPort }}
               name: swfs-s3-tls
               {{- end }}
             {{- end }}
             {{- if .Values.allInOne.sftp.enabled }}
-            - containerPort: {{ .Values.allInOne.sftp.port | default .Values.sftp.port }}
+            - containerPort: {{ .Values.sftp.port }}
               name: swfs-sftp
             {{- end }}
             {{- if .Values.allInOne.metricsPort }}
@@ -383,7 +352,7 @@ spec:
             httpGet:
               path: {{ .Values.allInOne.readinessProbe.httpGet.path }}
               port: {{ .Values.master.port }}
-              scheme: {{ .Values.allInOne.readinessProbe.httpGet.scheme }}
+              scheme: {{ .Values.allInOne.readinessProbe.scheme }}
             initialDelaySeconds: {{ .Values.allInOne.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.allInOne.readinessProbe.periodSeconds }}
             successThreshold: {{ .Values.allInOne.readinessProbe.successThreshold }}
@@ -395,7 +364,7 @@ spec:
             httpGet:
               path: {{ .Values.allInOne.livenessProbe.httpGet.path }}
               port: {{ .Values.master.port }}
-              scheme: {{ .Values.allInOne.livenessProbe.httpGet.scheme }}
+              scheme: {{ .Values.allInOne.livenessProbe.scheme }}
             initialDelaySeconds: {{ .Values.allInOne.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.allInOne.livenessProbe.periodSeconds }}
             successThreshold: {{ .Values.allInOne.livenessProbe.successThreshold }}
@@ -420,31 +389,26 @@ spec:
             path: {{ .Values.allInOne.data.hostPathPrefix }}/seaweedfs-all-in-one-data/
             type: DirectoryOrCreate
           {{- else if eq .Values.allInOne.data.type "persistentVolumeClaim" }}
-          persistentVolumeClaim:
-            claimName: {{ template "seaweedfs.name" . }}-all-in-one-data
-          {{- else if eq .Values.allInOne.data.type "existingClaim" }}
           persistentVolumeClaim:
             claimName: {{ .Values.allInOne.data.claimName }}
           {{- else if eq .Values.allInOne.data.type "emptyDir" }}
           emptyDir: {}
           {{- end }}
-        {{- if and .Values.allInOne.s3.enabled (or .Values.allInOne.s3.enableAuth .Values.s3.enableAuth .Values.filer.s3.enableAuth) }}
+        {{- if and .Values.allInOne.s3.enabled (or .Values.s3.enableAuth .Values.filer.s3.enableAuth) }}
         - name: config-s3-users
           secret:
             defaultMode: 420
-            secretName: {{ default (printf "%s-s3-secret" (include "seaweedfs.name" .)) (or .Values.allInOne.s3.existingConfigSecret .Values.s3.existingConfigSecret .Values.filer.s3.existingConfigSecret) }}
+            secretName: {{ default (printf "%s-s3-secret" (include "seaweedfs.name" .)) (or .Values.s3.existingConfigSecret .Values.filer.s3.existingConfigSecret) }}
         {{- end }}
         {{- if .Values.allInOne.sftp.enabled }}
         - name: config-ssh
           secret:
             defaultMode: 420
-            secretName: {{ default (printf "%s-sftp-ssh-secret" (include "seaweedfs.name" .)) (or .Values.allInOne.sftp.existingSshConfigSecret .Values.sftp.existingSshConfigSecret) }}
-        {{- if or .Values.allInOne.sftp.enableAuth .Values.sftp.enableAuth }}
+            secretName: {{ default (printf "%s-sftp-ssh-secret" (include "seaweedfs.name" .)) .Values.sftp.existingSshConfigSecret }}
         - name: config-users
           secret:
             defaultMode: 420
-            secretName: {{ default (printf "%s-sftp-secret" (include "seaweedfs.name" .)) (or .Values.allInOne.sftp.existingConfigSecret .Values.sftp.existingConfigSecret) }}
-        {{- end }}
+            secretName: {{ default (printf "%s-sftp-secret" (include "seaweedfs.name" .)) .Values.sftp.existingConfigSecret }}
         {{- end }}
         {{- if .Values.filer.notificationConfig }}
         - name: notification-config

packages/system/seaweedfs/charts/seaweedfs/templates/all-in-one/all-in-one-pvc.yaml

@@ -1,28 +1,21 @@
-{{- if .Values.allInOne.enabled }}
-{{- if eq .Values.allInOne.data.type "persistentVolumeClaim" }}
+{{- if and .Values.allInOne.enabled (eq .Values.allInOne.data.type "persistentVolumeClaim") }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ template "seaweedfs.name" . }}-all-in-one-data
-  namespace: {{ .Release.Namespace }}
+  name: {{ .Values.allInOne.data.claimName }}
   labels:
-    app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: seaweedfs-all-in-one
-  {{- with .Values.allInOne.data.annotations }}
+  {{- if .Values.allInOne.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- toYaml .Values.allInOne.annotations | nindent 4 }}
   {{- end }}
 spec:
   accessModes:
-  {{- toYaml (.Values.allInOne.data.accessModes | default (list "ReadWriteOnce")) | nindent 4 }}
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.allInOne.data.size }}
   {{- if .Values.allInOne.data.storageClass }}
   storageClassName: {{ .Values.allInOne.data.storageClass }}
   {{- end }}
-  resources:
-    requests:
-      storage: {{ .Values.allInOne.data.size | default "10Gi" }}
-{{- end }}
-{{- end }}
+{{- end }}

packages/system/seaweedfs/charts/seaweedfs/templates/all-in-one/all-in-one-service.yml

@@ -15,7 +15,6 @@ metadata:
     {{- toYaml .Values.allInOne.service.annotations | nindent 4 }}
   {{- end }}
 spec:
-  type: {{ .Values.allInOne.service.type | default "ClusterIP" }}
   internalTrafficPolicy: {{ .Values.allInOne.service.internalTrafficPolicy | default "Cluster" }}
   ports:
   # Master ports
@@ -51,14 +50,13 @@ spec:
   # S3 ports (if enabled)
   {{- if .Values.allInOne.s3.enabled }}
   - name: "swfs-s3"
-    port: {{ .Values.allInOne.s3.port | default .Values.s3.port }}
-    targetPort: {{ .Values.allInOne.s3.port | default .Values.s3.port }}
+    port: {{ if .Values.allInOne.s3.enabled }}{{ .Values.s3.port }}{{ else }}{{ .Values.filer.s3.port }}{{ end }}
+    targetPort: {{ if .Values.allInOne.s3.enabled }}{{ .Values.s3.port }}{{ else }}{{ .Values.filer.s3.port }}{{ end }}
     protocol: TCP
-  {{- $httpsPort := .Values.allInOne.s3.httpsPort | default .Values.s3.httpsPort }}
-  {{- if $httpsPort }}
+  {{- if and .Values.allInOne.s3.enabled .Values.s3.httpsPort }}
   - name: "swfs-s3-tls"
-    port: {{ $httpsPort }}
-    targetPort: {{ $httpsPort }}
+    port: {{ .Values.s3.httpsPort }}
+    targetPort: {{ .Values.s3.httpsPort }}
     protocol: TCP
   {{- end }}
   {{- end }}
@@ -66,8 +64,8 @@ spec:
   # SFTP ports (if enabled)
   {{- if .Values.allInOne.sftp.enabled }}
   - name: "swfs-sftp"
-    port: {{ .Values.allInOne.sftp.port | default .Values.sftp.port }}
-    targetPort: {{ .Values.allInOne.sftp.port | default .Values.sftp.port }}
+    port: {{ .Values.sftp.port }}
+    targetPort: {{ .Values.sftp.port }}
     protocol: TCP
   {{- end }}
   
@@ -82,4 +80,4 @@ spec:
   selector:
     app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
     app.kubernetes.io/component: seaweedfs-all-in-one
-{{- end }}
+{{- end }}

packages/system/seaweedfs/charts/seaweedfs/templates/cert/ca-cert.yaml

@@ -13,12 +13,6 @@ spec:
   secretName: {{ template "seaweedfs.name" . }}-ca-cert
   commonName: "{{ template "seaweedfs.name" . }}-root-ca"
   isCA: true
-  {{- if .Values.certificates.ca.duration }}
-  duration: {{ .Values.certificates.ca.duration }}
-  {{- end }}
-  {{- if .Values.certificates.ca.renewBefore }}
-  renewBefore: {{ .Values.certificates.ca.renewBefore }}
-  {{- end }}
   issuerRef:
     name: {{ template "seaweedfs.name" . }}-issuer
     kind: Issuer

packages/system/seaweedfs/charts/seaweedfs/templates/filer/filer-ingress.yaml

@@ -1,8 +1,5 @@
-{{- /* Filer ingress works for both normal mode (filer.enabled) and all-in-one mode (allInOne.enabled) */}}
-{{- $filerEnabled := or .Values.filer.enabled .Values.allInOne.enabled }}
-{{- if and $filerEnabled .Values.filer.ingress.enabled }}
-{{- /* Determine service name based on deployment mode */}}
-{{- $serviceName := ternary (printf "%s-all-in-one" (include "seaweedfs.name" .)) (printf "%s-filer" (include "seaweedfs.name" .)) .Values.allInOne.enabled }}
+{{- if .Values.filer.enabled }}
+{{- if .Values.filer.ingress.enabled }}
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
 apiVersion: networking.k8s.io/v1
 {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
@@ -36,14 +33,16 @@ spec:
         backend:
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
           service:
-            name: {{ $serviceName }}
+            name: {{ template "seaweedfs.name" . }}-filer
             port:
               number: {{ .Values.filer.port }}
+              #name:
 {{- else }}
-          serviceName: {{ $serviceName }}
+          serviceName: {{ template "seaweedfs.name" . }}-filer
           servicePort: {{ .Values.filer.port }}
 {{- end }}
 {{- if .Values.filer.ingress.host }}
     host: {{ .Values.filer.ingress.host }}
 {{- end }}
 {{- end }}
+{{- end }}

packages/system/seaweedfs/charts/seaweedfs/templates/filer/filer-statefulset.yaml

@@ -213,6 +213,9 @@ spec:
               -s3.cert.file=/usr/local/share/ca-certificates/client/tls.crt \
               -s3.key.file=/usr/local/share/ca-certificates/client/tls.key \
               {{- end }}
+              {{- if eq (typeOf .Values.filer.s3.allowEmptyFolder) "bool" }}
+              -s3.allowEmptyFolder={{ .Values.filer.s3.allowEmptyFolder }} \
+              {{- end }}
               {{- if .Values.filer.s3.enableAuth }}
               -s3.config=/etc/sw/seaweedfs_s3_config \
               {{- end }}
@@ -286,7 +289,7 @@ spec:
             httpGet:
               path: {{ .Values.filer.readinessProbe.httpGet.path }}
               port: {{ .Values.filer.port }}
-              scheme: {{ .Values.filer.readinessProbe.httpGet.scheme }}
+              scheme: {{ .Values.filer.readinessProbe.scheme }}
             initialDelaySeconds: {{ .Values.filer.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.filer.readinessProbe.periodSeconds }}
             successThreshold: {{ .Values.filer.readinessProbe.successThreshold }}
@@ -298,7 +301,7 @@ spec:
             httpGet:
               path: {{ .Values.filer.livenessProbe.httpGet.path }}
               port: {{ .Values.filer.port }}
-              scheme: {{ .Values.filer.livenessProbe.httpGet.scheme }}
+              scheme: {{ .Values.filer.livenessProbe.scheme }}
             initialDelaySeconds: {{ .Values.filer.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.filer.livenessProbe.periodSeconds }}
             successThreshold: {{ .Values.filer.livenessProbe.successThreshold }}
@@ -389,12 +392,10 @@ spec:
       nodeSelector:
         {{ tpl .Values.filer.nodeSelector . | indent 8 | trim }}
       {{- end }}
-  {{- if and (.Values.filer.enablePVC) (not .Values.filer.data) }}
+  {{- if and (.Values.filer.enablePVC) (eq .Values.filer.data.type "persistentVolumeClaim") }}
   # DEPRECATION: Deprecate in favor of filer.data section below
   volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
+  - metadata:
       name: data-filer
     spec:
       accessModes:
@@ -410,9 +411,7 @@ spec:
   {{- if $pvc_exists }}
   volumeClaimTemplates:
     {{- if eq .Values.filer.data.type "persistentVolumeClaim" }}
-    - apiVersion: v1
-      kind: PersistentVolumeClaim
-      metadata:
+    - metadata:
         name: data-filer
         {{- with .Values.filer.data.annotations }}
         annotations:
@@ -426,9 +425,7 @@ spec:
             storage: {{ .Values.filer.data.size }}
     {{- end }}
     {{- if eq .Values.filer.logs.type "persistentVolumeClaim" }}
-    - apiVersion: v1
-      kind: PersistentVolumeClaim
-      metadata:
+    - metadata:
         name: seaweedfs-filer-log-volume
         {{- with .Values.filer.logs.annotations }}
         annotations:

packages/system/seaweedfs/charts/seaweedfs/templates/master/master-statefulset.yaml

@@ -235,7 +235,7 @@ spec:
             httpGet:
               path: {{ .Values.master.readinessProbe.httpGet.path }}
               port: {{ .Values.master.port }}
-              scheme: {{ .Values.master.readinessProbe.httpGet.scheme }}
+              scheme: {{ .Values.master.readinessProbe.scheme }}
             initialDelaySeconds: {{ .Values.master.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.master.readinessProbe.periodSeconds }}
             successThreshold: {{ .Values.master.readinessProbe.successThreshold }}
@@ -247,7 +247,7 @@ spec:
             httpGet:
               path: {{ .Values.master.livenessProbe.httpGet.path }}
               port: {{ .Values.master.port }}
-              scheme: {{ .Values.master.livenessProbe.httpGet.scheme }}
+              scheme: {{ .Values.master.livenessProbe.scheme }}
             initialDelaySeconds: {{ .Values.master.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.master.livenessProbe.periodSeconds }}
             successThreshold: {{ .Values.master.livenessProbe.successThreshold }}
@@ -327,9 +327,7 @@ spec:
   {{- if $pvc_exists }}
   volumeClaimTemplates:
     {{- if eq .Values.master.data.type "persistentVolumeClaim"}}
-    - apiVersion: v1
-      kind: PersistentVolumeClaim
-      metadata:
+    - metadata:
         name: data-{{ .Release.Namespace }}
         {{- with .Values.master.data.annotations }}
         annotations:
@@ -343,9 +341,7 @@ spec:
             storage: {{ .Values.master.data.size }}
     {{- end }}
     {{- if eq .Values.master.logs.type "persistentVolumeClaim"}}
-    - apiVersion: v1
-      kind: PersistentVolumeClaim
-      metadata:
+    - metadata:
         name: seaweedfs-master-log-volume
         {{- with .Values.master.logs.annotations }}
         annotations:

packages/system/seaweedfs/charts/seaweedfs/templates/s3/s3-deployment.yaml

@@ -143,6 +143,9 @@ spec:
               {{- if .Values.s3.domainName }}
               -domainName={{ .Values.s3.domainName }} \
               {{- end }}
+              {{- if eq (typeOf .Values.s3.allowEmptyFolder) "bool" }}
+              -allowEmptyFolder={{ .Values.s3.allowEmptyFolder }} \
+              {{- end }}
               {{- if .Values.s3.enableAuth }}
               -config=/etc/sw/seaweedfs_s3_config \
               {{- end }}
@@ -201,7 +204,7 @@ spec:
             httpGet:
               path: {{ .Values.s3.readinessProbe.httpGet.path }}
               port: {{ .Values.s3.port }}
-              scheme: {{ .Values.s3.readinessProbe.httpGet.scheme }}
+              scheme: {{ .Values.s3.readinessProbe.scheme }}
             initialDelaySeconds: {{ .Values.s3.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.s3.readinessProbe.periodSeconds }}
             successThreshold: {{ .Values.s3.readinessProbe.successThreshold }}
@@ -213,7 +216,7 @@ spec:
             httpGet:
               path: {{ .Values.s3.livenessProbe.httpGet.path }}
               port: {{ .Values.s3.port }}
-              scheme: {{ .Values.s3.livenessProbe.httpGet.scheme }}
+              scheme: {{ .Values.s3.livenessProbe.scheme }}
             initialDelaySeconds: {{ .Values.s3.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.s3.livenessProbe.periodSeconds }}
             successThreshold: {{ .Values.s3.livenessProbe.successThreshold }}

packages/system/seaweedfs/charts/seaweedfs/templates/s3/s3-ingress.yaml

@@ -1,9 +1,4 @@
-{{- /* S3 ingress works for standalone S3 gateway (s3.enabled), S3 on Filer (filer.s3.enabled), and all-in-one mode (allInOne.s3.enabled) */}}
-{{- $s3Enabled := or .Values.s3.enabled (and .Values.filer.s3.enabled (not .Values.allInOne.enabled)) (and .Values.allInOne.enabled .Values.allInOne.s3.enabled) }}
-{{- if and $s3Enabled .Values.s3.ingress.enabled }}
-{{- /* Determine service name based on deployment mode */}}
-{{- $serviceName := ternary (printf "%s-all-in-one" (include "seaweedfs.name" .)) (printf "%s-s3" (include "seaweedfs.name" .)) .Values.allInOne.enabled }}
-{{- $s3Port := .Values.allInOne.s3.port | default .Values.s3.port }}
+{{- if .Values.s3.ingress.enabled }}
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
 apiVersion: networking.k8s.io/v1
 {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
@@ -37,12 +32,13 @@ spec:
         backend:
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
           service:
-            name: {{ $serviceName }}
+            name: {{ template "seaweedfs.name" . }}-s3
             port:
-              number: {{ $s3Port }}
+              number: {{ .Values.s3.port }}
+              #name:
 {{- else }}
-          serviceName: {{ $serviceName }}
-          servicePort: {{ $s3Port }}
+          serviceName: {{ template "seaweedfs.name" . }}-s3
+          servicePort: {{ .Values.s3.port }}
 {{- end }}
 {{- if .Values.s3.ingress.host }}
     host: {{ .Values.s3.ingress.host | quote }}

packages/system/seaweedfs/charts/seaweedfs/templates/shared/post-install-bucket-hook.yaml

@@ -1,32 +1,6 @@
-{{- /* Support bucket creation for both standalone filer.s3 and allInOne modes */}}
-{{- $createBuckets := list }}
-{{- $s3Enabled := false }}
-{{- $enableAuth := false }}
-{{- $existingConfigSecret := "" }}
-
-{{- /* Check allInOne mode first */}}
-{{- if .Values.allInOne.enabled }}
-  {{- if .Values.allInOne.s3.enabled }}
-    {{- $s3Enabled = true }}
-    {{- if .Values.allInOne.s3.createBuckets }}
-      {{- $createBuckets = .Values.allInOne.s3.createBuckets }}
-    {{- end }}
-    {{- $enableAuth = or .Values.allInOne.s3.enableAuth .Values.s3.enableAuth .Values.filer.s3.enableAuth }}
-    {{- $existingConfigSecret = or .Values.allInOne.s3.existingConfigSecret .Values.s3.existingConfigSecret .Values.filer.s3.existingConfigSecret }}
-  {{- end }}
-{{- else if .Values.master.enabled }}
-  {{- /* Check standalone filer.s3 mode */}}
-  {{- if .Values.filer.s3.enabled }}
-    {{- $s3Enabled = true }}
-    {{- if .Values.filer.s3.createBuckets }}
-      {{- $createBuckets = .Values.filer.s3.createBuckets }}
-    {{- end }}
-    {{- $enableAuth = .Values.filer.s3.enableAuth }}
-    {{- $existingConfigSecret = .Values.filer.s3.existingConfigSecret }}
-  {{- end }}
-{{- end }}
-
-{{- if and $s3Enabled $createBuckets }}
+{{- if .Values.master.enabled }}
+{{- if .Values.filer.s3.enabled }}
+{{- if .Values.filer.s3.createBuckets }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -58,9 +32,9 @@ spec:
           - name: WEED_CLUSTER_DEFAULT
             value: "sw"
           - name: WEED_CLUSTER_SW_MASTER
-            value: {{ include "seaweedfs.cluster.masterAddress" . | quote }}
+            value: "{{ template "seaweedfs.name" . }}-master.{{ .Release.Namespace }}:{{ .Values.master.port }}"
           - name: WEED_CLUSTER_SW_FILER
-            value: {{ include "seaweedfs.cluster.filerAddress" . | quote }}
+            value: "{{ template "seaweedfs.name" . }}-filer-client.{{ .Release.Namespace }}:{{ .Values.filer.port }}"
           - name: POD_IP
             valueFrom:
               fieldRef:
@@ -97,29 +71,24 @@ spec:
               echo "Service at $url failed to become ready within 5 minutes"
               exit 1
             }
-            {{- if .Values.allInOne.enabled }}
-            wait_for_service "http://$WEED_CLUSTER_SW_MASTER{{ .Values.allInOne.readinessProbe.httpGet.path }}"
-            wait_for_service "http://$WEED_CLUSTER_SW_FILER{{ .Values.filer.readinessProbe.httpGet.path }}"
-            {{- else }}
             wait_for_service "http://$WEED_CLUSTER_SW_MASTER{{ .Values.master.readinessProbe.httpGet.path }}"
             wait_for_service "http://$WEED_CLUSTER_SW_FILER{{ .Values.filer.readinessProbe.httpGet.path }}"
-            {{- end }}
-          {{- range $createBuckets }}
-            /bin/echo \
-            "s3.bucket.create --name {{ .name }}" |\
+          {{- range $reg, $props := $.Values.filer.s3.createBuckets }}
+            exec /bin/echo \
+            "s3.bucket.create --name {{ $props.name }}" |\
             /usr/bin/weed shell
           {{- end }}
-          {{- range $createBuckets }}
-          {{- if .anonymousRead }}
-            /bin/echo \
+          {{- range $reg, $props := $.Values.filer.s3.createBuckets }}
+          {{- if $props.anonymousRead }}
+            exec /bin/echo \
             "s3.configure --user anonymous \
-                --buckets {{ .name }} \
+                --buckets {{ $props.name }} \
                 --actions Read \
                 --apply true" |\
                 /usr/bin/weed shell
           {{- end }}  
           {{- end }}
-        {{- if $enableAuth }}
+        {{- if .Values.filer.s3.enableAuth }}
         volumeMounts:
           - name: config-users
             mountPath: /etc/sw
@@ -137,15 +106,17 @@ spec:
         {{- if .Values.filer.containerSecurityContext.enabled }}
         securityContext: {{- omit .Values.filer.containerSecurityContext "enabled" | toYaml | nindent 12 }}
         {{- end }}
-    {{- if $enableAuth }}
+    {{- if .Values.filer.s3.enableAuth }}
       volumes:
         - name: config-users
           secret:
             defaultMode: 420
-            {{- if $existingConfigSecret }}
-            secretName: {{ $existingConfigSecret }}
+            {{- if not (empty .Values.filer.s3.existingConfigSecret) }}
+            secretName: {{ .Values.filer.s3.existingConfigSecret }}
             {{- else }}
-            secretName: {{ template "seaweedfs.name" . }}-s3-secret
+            secretName: seaweedfs-s3-secret
             {{- end }}
-    {{- end }}
-{{- end }}
+    {{- end }}{{/** if .Values.filer.s3.enableAuth **/}}
+{{- end }}{{/** if .Values.master.enabled **/}}
+{{- end }}{{/** if .Values.filer.s3.enabled **/}}
+{{- end }}{{/** if .Values.filer.s3.createBuckets **/}}

packages/system/seaweedfs/charts/seaweedfs/templates/volume/volume-statefulset.yaml

@@ -251,7 +251,7 @@ spec:
             httpGet:
               path: {{ $volume.readinessProbe.httpGet.path }}
               port: {{ $volume.port }}
-              scheme: {{ $volume.readinessProbe.httpGet.scheme }}
+              scheme: {{ $volume.readinessProbe.scheme }}
             initialDelaySeconds: {{ $volume.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ $volume.readinessProbe.periodSeconds }}
             successThreshold: {{ $volume.readinessProbe.successThreshold }}
@@ -263,7 +263,7 @@ spec:
             httpGet:
               path: {{ $volume.livenessProbe.httpGet.path }}
               port: {{ $volume.port }}
-              scheme: {{ $volume.livenessProbe.httpGet.scheme }}
+              scheme: {{ $volume.livenessProbe.scheme }}
             initialDelaySeconds: {{ $volume.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ $volume.livenessProbe.periodSeconds }}
             successThreshold: {{ $volume.livenessProbe.successThreshold }}

packages/system/seaweedfs/charts/seaweedfs/values.yaml

@@ -22,8 +22,6 @@ global:
   serviceAccountName: "seaweedfs"
   automountServiceAccountToken: true
   certificates:
-    duration: 87600h
-    renewBefore: 720h
     alphacrds: false
   monitoring:
     enabled: false
@@ -237,27 +235,27 @@ master:
 
   ingress:
     enabled: false
-    className: ""
+    className: "nginx"
     # host: false for "*" hostname
     host: "master.seaweedfs.local"
     path: "/sw-master/?(.*)"
     pathType: ImplementationSpecific
-    annotations: {}
-      # nginx.ingress.kubernetes.io/auth-type: "basic"
-      # nginx.ingress.kubernetes.io/auth-secret: "default/ingress-basic-auth-secret"
-      # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - SW-Master'
-      # nginx.ingress.kubernetes.io/service-upstream: "true"
-      # nginx.ingress.kubernetes.io/rewrite-target: /$1
-      # nginx.ingress.kubernetes.io/use-regex: "true"
-      # nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
-      # nginx.ingress.kubernetes.io/ssl-redirect: "false"
-      # nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
-      # nginx.ingress.kubernetes.io/configuration-snippet: |
-      #   sub_filter '<head>' '<head> <base href="/sw-master/">'; #add base url
-      #   sub_filter '="/' '="./';                                #make absolute paths to relative
-      #   sub_filter '=/' '=./';
-      #   sub_filter '/seaweedfsstatic' './seaweedfsstatic';
-      #   sub_filter_once off;
+    annotations:
+      nginx.ingress.kubernetes.io/auth-type: "basic"
+      nginx.ingress.kubernetes.io/auth-secret: "default/ingress-basic-auth-secret"
+      nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - SW-Master'
+      nginx.ingress.kubernetes.io/service-upstream: "true"
+      nginx.ingress.kubernetes.io/rewrite-target: /$1
+      nginx.ingress.kubernetes.io/use-regex: "true"
+      nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
+      nginx.ingress.kubernetes.io/ssl-redirect: "false"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+        sub_filter '<head>' '<head> <base href="/sw-master/">'; #add base url
+        sub_filter '="/' '="./';                                #make absolute paths to relative
+        sub_filter '=/' '=./';
+        sub_filter '/seaweedfsstatic' './seaweedfsstatic';
+        sub_filter_once off;
     tls: []
 
   extraEnvironmentVars:
@@ -310,7 +308,7 @@ volume:
   # limit file size to avoid out of memory, default 256mb
   fileSizeLimitMB: null
   # minimum free disk space(in percents). If free disk space lower this value - all volumes marks as ReadOnly
-  minFreeSpacePercent: 1
+  minFreeSpacePercent: 7
 
   # Custom command line arguments to add to the volume command
   # Example to fix IPv6 metrics connectivity issues:
@@ -771,28 +769,28 @@ filer:
 
   ingress:
     enabled: false
-    className: ""
+    className: "nginx"
     # host: false for "*" hostname
     host: "seaweedfs.cluster.local"
     path: "/sw-filer/?(.*)"
     pathType: ImplementationSpecific
-    annotations: {}
-      # nginx.ingress.kubernetes.io/backend-protocol: GRPC
-      # nginx.ingress.kubernetes.io/auth-type: "basic"
-      # nginx.ingress.kubernetes.io/auth-secret: "default/ingress-basic-auth-secret"
-      # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - SW-Filer'
-      # nginx.ingress.kubernetes.io/service-upstream: "true"
-      # nginx.ingress.kubernetes.io/rewrite-target: /$1
-      # nginx.ingress.kubernetes.io/use-regex: "true"
-      # nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
-      # nginx.ingress.kubernetes.io/ssl-redirect: "false"
-      # nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
-      # nginx.ingress.kubernetes.io/configuration-snippet: |
-      #   sub_filter '<head>' '<head> <base href="/sw-filer/">'; #add base url
-      #   sub_filter '="/' '="./';                               #make absolute paths to relative
-      #   sub_filter '=/' '=./';
-      #   sub_filter '/seaweedfsstatic' './seaweedfsstatic';
-      #   sub_filter_once off;
+    annotations:
+      nginx.ingress.kubernetes.io/backend-protocol: GRPC
+      nginx.ingress.kubernetes.io/auth-type: "basic"
+      nginx.ingress.kubernetes.io/auth-secret: "default/ingress-basic-auth-secret"
+      nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - SW-Filer'
+      nginx.ingress.kubernetes.io/service-upstream: "true"
+      nginx.ingress.kubernetes.io/rewrite-target: /$1
+      nginx.ingress.kubernetes.io/use-regex: "true"
+      nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
+      nginx.ingress.kubernetes.io/ssl-redirect: "false"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+        sub_filter '<head>' '<head> <base href="/sw-filer/">'; #add base url
+        sub_filter '="/' '="./';                               #make absolute paths to relative
+        sub_filter '=/' '=./';
+        sub_filter '/seaweedfsstatic' './seaweedfsstatic';
+        sub_filter_once off;
 
   # extraEnvVars is a list of extra environment variables to set with the stateful set.
   extraEnvironmentVars:
@@ -856,6 +854,8 @@ filer:
     port: 8333
     # add additional https port
     httpsPort: 0
+    # allow empty folders
+    allowEmptyFolder: false
     # Suffix of the host name, {bucket}.{domainName}
     domainName: ""
     # enable user & permission to s3 (need to inject to all services)
@@ -873,7 +873,7 @@ filer:
     #     anonymousRead: false
 
 s3:
-  enabled: false
+  enabled: true
   imageOverride: null
   restartPolicy: null
   replicas: 1
@@ -883,6 +883,8 @@ s3:
   httpsPort: 0
   metricsPort: 9327
   loggingOverrideLevel: null
+  # allow empty folders
+  allowEmptyFolder: true
   # enable user & permission to s3 (need to inject to all services)
   enableAuth: false
   # set to the name of an existing kubernetes Secret with the s3 json config file
@@ -975,9 +977,9 @@ s3:
   extraEnvironmentVars:
 
   # Custom command line arguments to add to the s3 command
-  # Default idleTimeout is 120 seconds. Example to customize:
-  # extraArgs: ["-idleTimeout=300"]
-  extraArgs: []
+  # Example to fix connection idle seconds:
+  extraArgs: ["-idleTimeout=30"]
+  # extraArgs: []
 
   # used to configure livenessProbe on s3 containers
   #
@@ -1007,7 +1009,7 @@ s3:
 
   ingress:
     enabled: false
-    className: ""
+    className: "nginx"
     # host: false for "*" hostname
     host: "seaweedfs.cluster.local"
     path: "/"
@@ -1093,7 +1095,6 @@ allInOne:
   enabled: false
   imageOverride: null
   restartPolicy: Always
-  replicas: 1  # Number of replicas (note: multiple replicas may require shared storage)
 
   # Core configuration
   idleTimeout: 30  # Connection idle seconds
@@ -1105,85 +1106,24 @@ allInOne:
   metricsIp: ""  # Metrics listen IP. If empty, defaults to bindAddress
   loggingOverrideLevel: null  # Override logging level
 
-  # Custom command line arguments to add to the server command
-  # Example to fix IPv6 metrics connectivity issues:
-  # extraArgs: ["-metricsIp", "0.0.0.0"]
-  # Example with multiple args:
-  # extraArgs: ["-customFlag", "value", "-anotherFlag"]
-  extraArgs: []
-
-  # Update strategy configuration
-  # type: Recreate or RollingUpdate
-  # For single replica, Recreate is recommended to avoid data conflicts.
-  # For multiple replicas with RollingUpdate, you MUST use shared storage
-  # (e.g., data.type: persistentVolumeClaim with ReadWriteMany access mode)
-  # to avoid data loss or inconsistency between pods.
-  updateStrategy:
-    type: Recreate
-
-  # S3 gateway configuration
-  # Note: Most parameters below default to null, which means they inherit from
-  # the global s3.* settings. Set explicit values here to override for allInOne only.
+  # Service configuration
   s3:
     enabled: false  # Whether to enable S3 gateway
-    port: null  # S3 gateway port (null inherits from s3.port)
-    httpsPort: null  # S3 gateway HTTPS port (null inherits from s3.httpsPort)
-    domainName: null  # Suffix of the host name (null inherits from s3.domainName)
-    enableAuth: false  # Enable user & permission to S3
-    # Set to the name of an existing kubernetes Secret with the s3 json config file
-    # should have a secret key called seaweedfs_s3_config with an inline json config
-    existingConfigSecret: null
-    auditLogConfig: null  # S3 audit log configuration (null inherits from s3.auditLogConfig)
-    # You may specify buckets to be created during the install process.
-    # Buckets may be exposed publicly by setting `anonymousRead` to `true`
-    # createBuckets:
-    #   - name: bucket-a
-    #     anonymousRead: true
-    #   - name: bucket-b
-    #     anonymousRead: false
-
-  # SFTP server configuration
-  # Note: Most parameters below default to null, which means they inherit from
-  # the global sftp.* settings. Set explicit values here to override for allInOne only.
   sftp:
     enabled: false  # Whether to enable SFTP server
-    port: null  # SFTP port (null inherits from sftp.port)
-    sshPrivateKey: null  # Path to SSH private key (null inherits from sftp.sshPrivateKey)
-    hostKeysFolder: null  # Path to SSH host keys folder (null inherits from sftp.hostKeysFolder)
-    authMethods: null  # Comma-separated auth methods (null inherits from sftp.authMethods)
-    maxAuthTries: null  # Maximum authentication attempts (null inherits from sftp.maxAuthTries)
-    bannerMessage: null  # Banner message (null inherits from sftp.bannerMessage)
-    loginGraceTime: null  # Login grace time (null inherits from sftp.loginGraceTime)
-    clientAliveInterval: null  # Client keep-alive interval (null inherits from sftp.clientAliveInterval)
-    clientAliveCountMax: null  # Maximum missed keep-alive messages (null inherits from sftp.clientAliveCountMax)
-    enableAuth: false  # Enable SFTP authentication
-    # Set to the name of an existing kubernetes Secret with the sftp json config file
-    existingConfigSecret: null
-    # Set to the name of an existing kubernetes Secret with the SSH keys
-    existingSshConfigSecret: null
 
   # Service settings
   service:
     annotations: {}  # Annotations for the service
     type: ClusterIP  # Service type (ClusterIP, NodePort, LoadBalancer)
-    internalTrafficPolicy: Cluster  # Internal traffic policy
-
-  # Note: For ingress in all-in-one mode, use the standard s3.ingress and
-  # filer.ingress settings. The templates automatically detect all-in-one mode
-  # and point to the correct service (seaweedfs-all-in-one instead of
-  # seaweedfs-s3 or seaweedfs-filer).
 
   # Storage configuration
   data:
-    type: "emptyDir"  # Options: "hostPath", "persistentVolumeClaim", "emptyDir", "existingClaim"
+    type: "emptyDir"  # Options: "hostPath", "persistentVolumeClaim", "emptyDir"
     hostPathPrefix: /mnt/data  # Path prefix for hostPath volumes
-    claimName: seaweedfs-data-pvc  # Name of the PVC to use (for existingClaim type)
-    size: null  # Size of the PVC (null defaults to 10Gi for persistentVolumeClaim type)
-    storageClass: null  # Storage class for the PVC (null uses cluster default)
-    # accessModes for the PVC. Default is ["ReadWriteOnce"].
-    # For multi-replica deployments, use ["ReadWriteMany"] with a compatible storage class.
-    accessModes: []
-    annotations: {}  # Annotations for the PVC
+    claimName: seaweedfs-data-pvc  # Name of the PVC to use
+    size: ""  # Size of the PVC
+    storageClass: ""  # Storage class for the PVC
 
   # Health checks
   readinessProbe:
@@ -1191,7 +1131,7 @@ allInOne:
     httpGet:
       path: /cluster/status
       port: 9333
-      scheme: HTTP
+    scheme: HTTP
     initialDelaySeconds: 10
     periodSeconds: 15
     successThreshold: 1
@@ -1203,7 +1143,7 @@ allInOne:
     httpGet:
       path: /cluster/status
       port: 9333
-      scheme: HTTP
+    scheme: HTTP
     initialDelaySeconds: 20
     periodSeconds: 30
     successThreshold: 1
@@ -1212,18 +1152,6 @@ allInOne:
 
   # Additional resources
   extraEnvironmentVars: {}  # Additional environment variables
-  # Secret environment variables (for database credentials, etc.)
-  # Example:
-  # secretExtraEnvironmentVars:
-  #   WEED_POSTGRES_USERNAME:
-  #     secretKeyRef:
-  #       name: postgres-credentials
-  #       key: username
-  #   WEED_POSTGRES_PASSWORD:
-  #     secretKeyRef:
-  #       name: postgres-credentials
-  #       key: password
-  secretExtraEnvironmentVars: {}
   extraVolumeMounts: ""  # Additional volume mounts
   extraVolumes: ""  # Additional volumes
   initContainers: ""  # Init containers
@@ -1243,7 +1171,7 @@ allInOne:
             matchLabels:
               app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
               app.kubernetes.io/instance: {{ .Release.Name }}
-              app.kubernetes.io/component: seaweedfs-all-in-one
+              app.kubernetes.io/component: master
           topologyKey: kubernetes.io/hostname
 
   # Topology Spread Constraints Settings
@@ -1251,16 +1179,16 @@ allInOne:
   # for a PodSpec. By Default no constraints are set.
   topologySpreadConstraints: ""
 
-  # Toleration Settings for pods
+  # Toleration Settings for master pods
   # This should be a multi-line string matching the Toleration array
   # in a PodSpec.
   tolerations: ""
 
-  # nodeSelector labels for pod assignment, formatted as a muli-line string.
+  # nodeSelector labels for master pod assignment, formatted as a muli-line string.
   # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   nodeSelector: ""
 
-  # Used to assign priority to pods
+  # Used to assign priority to master pods
   # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
   priorityClassName: ""
 
@@ -1340,9 +1268,6 @@ certificates:
   keySize: 2048
   duration: 2160h  # 90d
   renewBefore: 360h  # 15d
-  ca:
-    duration: 87600h  # 10 years
-    renewBefore: 720h  # 30d
   externalCertificates:
     # This will avoid the need to use cert-manager and will rely on providing your own external certificates and CA
     # you will need to store your provided certificates in the secret read by the different services:

packages/system/seaweedfs/images/seaweedfs/Dockerfile

@@ -1,2 +1,2 @@
-ARG VERSION=4.02
+ARG VERSION=3.99
 FROM chrislusf/seaweedfs:${VERSION}

packages/system/seaweedfs/values.yaml

@@ -124,7 +124,7 @@ seaweedfs:
     bucketClassName: "seaweedfs"
     region: ""
     sidecar:
-      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.38.8@sha256:2d1833c78c35b697a3634d4b3be9a3218edae95a77583e9e121c10a92e7433ec"
+      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.38.0@sha256:4548d85e7e69150aaf52fbb17fb9487e9714bdd8407aff49762cf39b9d0ab29c"
   certificates:
     commonName: "SeaweedFS CA"
     ipAddresses: []

pkg/registry/apps/application/rest.go

@@ -28,6 +28,7 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	fields "k8s.io/apimachinery/pkg/fields"
 	labels "k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -141,9 +142,17 @@ func (r *REST) GetSingularName() string {
 // Create handles the creation of a new Application by converting it to a HelmRelease
 func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
 	// Assert the object is of type Application
-	app, ok := obj.(*appsv1alpha1.Application)
+	us, ok := obj.(*unstructured.Unstructured)
 	if !ok {
-		return nil, fmt.Errorf("expected *appsv1alpha1.Application object, got %T", obj)
+		return nil, fmt.Errorf("expected unstructured.Unstructured object, got %T", obj)
+	}
+
+	app := &appsv1alpha1.Application{}
+
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(us.Object, app); err != nil {
+		errMsg := fmt.Sprintf("returned unstructured.Unstructured object was not an Application")
+		klog.Errorf(errMsg)
+		return nil, fmt.Errorf(errMsg)
 	}
 
 	// Convert Application to HelmRelease
@@ -177,8 +186,15 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
 
 	klog.V(6).Infof("Successfully created and converted HelmRelease %s to Application", helmRelease.GetName())
 
-	klog.V(6).Infof("Successfully retrieved and converted resource %s of type %s", convertedApp.GetName(), r.gvr.Resource)
-	return &convertedApp, nil
+	// Convert Application to unstructured format
+	unstructuredApp, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&convertedApp)
+	if err != nil {
+		klog.Errorf("Failed to convert Application to unstructured for resource %s: %v", convertedApp.GetName(), err)
+		return nil, fmt.Errorf("failed to convert Application to unstructured: %v", err)
+	}
+
+	klog.V(6).Infof("Successfully retrieved and converted resource %s of type %s to unstructured", convertedApp.GetName(), r.gvr.Resource)
+	return &unstructured.Unstructured{Object: unstructuredApp}, nil
 }
 
 // Get retrieves an Application by converting the corresponding HelmRelease
@@ -222,8 +238,25 @@ func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions)
 		return nil, fmt.Errorf("conversion error: %v", err)
 	}
 
-	klog.V(6).Infof("Successfully retrieved and converted resource %s of kind %s", name, r.gvr.Resource)
-	return &convertedApp, nil
+	// Explicitly set apiVersion and kind for Application
+	convertedApp.TypeMeta = metav1.TypeMeta{
+		APIVersion: "apps.cozystack.io/v1alpha1",
+		Kind:       r.kindName,
+	}
+
+	// Convert Application to unstructured format
+	unstructuredApp, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&convertedApp)
+	if err != nil {
+		klog.Errorf("Failed to convert Application to unstructured for resource %s: %v", name, err)
+		return nil, fmt.Errorf("failed to convert Application to unstructured: %v", err)
+	}
+
+	// Explicitly set apiVersion and kind in unstructured object
+	unstructuredApp["apiVersion"] = "apps.cozystack.io/v1alpha1"
+	unstructuredApp["kind"] = r.kindName
+
+	klog.V(6).Infof("Successfully retrieved and converted resource %s of kind %s to unstructured", name, r.gvr.Resource)
+	return &unstructured.Unstructured{Object: unstructuredApp}, nil
 }
 
 // List retrieves a list of Applications by converting HelmReleases
@@ -306,8 +339,8 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 		return nil, err
 	}
 
-	// Initialize Application items array
-	items := make([]appsv1alpha1.Application, 0, len(hrList.Items))
+	// Initialize unstructured items array
+	items := make([]unstructured.Unstructured, 0)
 
 	// Iterate over HelmReleases and convert to Applications
 	for i := range hrList.Items {
@@ -354,13 +387,19 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 			}
 		}
 
-		items = append(items, app)
+		// Convert Application to unstructured
+		unstructuredApp, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&app)
+		if err != nil {
+			klog.Errorf("Error converting Application %s to unstructured: %v", app.Name, err)
+			continue
+		}
+		items = append(items, unstructured.Unstructured{Object: unstructuredApp})
 	}
 
-	// Create ApplicationList with proper kind
-	appList := r.NewList().(*appsv1alpha1.ApplicationList)
+	// Explicitly set apiVersion and kind in unstructured object
+	appList := r.NewList().(*unstructured.Unstructured)
 	appList.SetResourceVersion(hrList.GetResourceVersion())
-	appList.Items = items
+	appList.Object["items"] = items
 
 	klog.V(6).Infof("Successfully listed %d Application resources in namespace %s", len(items), namespace)
 	return appList, nil
@@ -408,9 +447,16 @@ func (r *REST) Update(ctx context.Context, name string, objInfo rest.UpdatedObje
 	}
 
 	// Assert the new object is of type Application
-	app, ok := newObj.(*appsv1alpha1.Application)
+	us, ok := newObj.(*unstructured.Unstructured)
 	if !ok {
-		errMsg := fmt.Sprintf("expected *appsv1alpha1.Application object, got %T", newObj)
+		errMsg := fmt.Sprintf("expected unstructured.Unstructured object, got %T", newObj)
+		klog.Errorf(errMsg)
+		return nil, false, fmt.Errorf(errMsg)
+	}
+	app := &appsv1alpha1.Application{}
+
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(us.Object, app); err != nil {
+		errMsg := fmt.Sprintf("returned unstructured.Unstructured object was not an Application")
 		klog.Errorf(errMsg)
 		return nil, false, fmt.Errorf(errMsg)
 	}
@@ -471,9 +517,24 @@ func (r *REST) Update(ctx context.Context, name string, objInfo rest.UpdatedObje
 
 	klog.V(6).Infof("Successfully updated and converted HelmRelease %s to Application", helmRelease.GetName())
 
-	klog.V(6).Infof("Returning updated Application object: %+v", convertedApp)
+	// Explicitly set apiVersion and kind for Application
+	convertedApp.TypeMeta = metav1.TypeMeta{
+		APIVersion: "apps.cozystack.io/v1alpha1",
+		Kind:       r.kindName,
+	}
 
-	return &convertedApp, false, nil
+	// Convert Application to unstructured format
+	unstructuredApp, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&convertedApp)
+	if err != nil {
+		klog.Errorf("Failed to convert Application to unstructured for resource %s: %v", convertedApp.GetName(), err)
+		return nil, false, fmt.Errorf("failed to convert Application to unstructured: %v", err)
+	}
+	obj := &unstructured.Unstructured{Object: unstructuredApp}
+	obj.SetGroupVersionKind(r.gvk)
+
+	klog.V(6).Infof("Returning patched Application object: %+v", unstructuredApp)
+
+	return obj, false, nil
 }
 
 // Delete removes an Application by deleting the corresponding HelmRelease
@@ -667,10 +728,19 @@ func (r *REST) Watch(ctx context.Context, options *metainternalversion.ListOptio
 					}
 				}
 
+				// Convert Application to unstructured
+				unstructuredApp, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&app)
+				if err != nil {
+					klog.Errorf("Failed to convert Application to unstructured: %v", err)
+					continue
+				}
+				obj := &unstructured.Unstructured{Object: unstructuredApp}
+				obj.SetGroupVersionKind(r.gvk)
+
 				// Create watch event with Application object
 				appEvent := watch.Event{
 					Type:   event.Type,
-					Object: &app,
+					Object: obj,
 				}
 
 				// Send event to custom watcher
@@ -696,8 +766,8 @@ func (r *REST) Watch(ctx context.Context, options *metainternalversion.ListOptio
 
 // Helper function to get HelmRelease name from object
 func helmReleaseName(obj runtime.Object) string {
-	if app, ok := obj.(*appsv1alpha1.Application); ok {
-		return app.GetName()
+	if u, ok := obj.(*unstructured.Unstructured); ok {
+		return u.GetName()
 	}
 	return "<unknown>"
 }
@@ -989,6 +1059,56 @@ func (r *REST) ConvertToTable(ctx context.Context, object runtime.Object, tableO
 	case *appsv1alpha1.Application:
 		table = r.buildTableFromApplication(*obj)
 		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
+	case *unstructured.UnstructuredList:
+		apps := make([]appsv1alpha1.Application, 0, len(obj.Items))
+		for _, u := range obj.Items {
+			var a appsv1alpha1.Application
+			err := runtime.DefaultUnstructuredConverter.FromUnstructured(u.Object, &a)
+			if err != nil {
+				klog.Errorf("Failed to convert Unstructured to Application: %v", err)
+				continue
+			}
+			apps = append(apps, a)
+		}
+		table = r.buildTableFromApplications(apps)
+		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
+	case *unstructured.Unstructured:
+		var apps []appsv1alpha1.Application
+		for {
+			var items interface{}
+			var ok bool
+			var objects []unstructured.Unstructured
+			if items, ok = obj.Object["items"]; !ok {
+				break
+			}
+			if objects, ok = items.([]unstructured.Unstructured); !ok {
+				break
+			}
+			apps = make([]appsv1alpha1.Application, 0, len(objects))
+			var a appsv1alpha1.Application
+			for i := range objects {
+				err := runtime.DefaultUnstructuredConverter.FromUnstructured(objects[i].Object, &a)
+				if err != nil {
+					klog.Errorf("Failed to convert Unstructured to Application: %v", err)
+					continue
+				}
+				apps = append(apps, a)
+			}
+			break
+		}
+		if apps != nil {
+			table = r.buildTableFromApplications(apps)
+			table.ListMeta.ResourceVersion = obj.GetResourceVersion()
+			break
+		}
+		var app appsv1alpha1.Application
+		err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &app)
+		if err != nil {
+			klog.Errorf("Failed to convert Unstructured to Application: %v", err)
+			return nil, fmt.Errorf("failed to convert Unstructured to Application: %v", err)
+		}
+		table = r.buildTableFromApplication(app)
+		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
 	default:
 		resource := schema.GroupResource{}
 		if info, ok := request.RequestInfoFrom(ctx); ok {
@@ -1027,11 +1147,10 @@ func (r *REST) buildTableFromApplications(apps []appsv1alpha1.Application) metav
 	}
 	now := time.Now()
 
-	for i := range apps {
-		app := &apps[i]
+	for _, app := range apps {
 		row := metav1.TableRow{
 			Cells:  []interface{}{app.GetName(), getReadyStatus(app.Status.Conditions), computeAge(app.GetCreationTimestamp().Time, now), getVersion(app.Status.Version)},
-			Object: runtime.RawExtension{Object: app},
+			Object: runtime.RawExtension{Object: &app},
 		}
 		table.Rows = append(table.Rows, row)
 	}
@@ -1052,10 +1171,9 @@ func (r *REST) buildTableFromApplication(app appsv1alpha1.Application) metav1.Ta
 	}
 	now := time.Now()
 
-	a := app
 	row := metav1.TableRow{
 		Cells:  []interface{}{app.GetName(), getReadyStatus(app.Status.Conditions), computeAge(app.GetCreationTimestamp().Time, now), getVersion(app.Status.Version)},
-		Object: runtime.RawExtension{Object: &a},
+		Object: runtime.RawExtension{Object: &app},
 	}
 	table.Rows = append(table.Rows, row)
 
@@ -1119,21 +1237,16 @@ func (r *REST) Destroy() {
 
 // New creates a new instance of Application
 func (r *REST) New() runtime.Object {
-	obj := &appsv1alpha1.Application{}
-	obj.TypeMeta = metav1.TypeMeta{
-		APIVersion: r.gvk.GroupVersion().String(),
-		Kind:       r.kindName,
-	}
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(r.gvk)
 	return obj
 }
 
 // NewList returns an empty list of Application objects
 func (r *REST) NewList() runtime.Object {
-	obj := &appsv1alpha1.ApplicationList{}
-	obj.TypeMeta = metav1.TypeMeta{
-		APIVersion: r.gvk.GroupVersion().String(),
-		Kind:       r.kindName + "List",
-	}
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(r.gvk.GroupVersion().WithKind(r.kindName + "List"))
+	obj.Object["items"] = make([]interface{}, 0)
 	return obj
 }
 

pkg/registry/core/tenantmodule/rest.go

@@ -26,6 +26,7 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	fields "k8s.io/apimachinery/pkg/fields"
 	labels "k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -146,8 +147,25 @@ func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions)
 		return nil, fmt.Errorf("conversion error: %v", err)
 	}
 
-	klog.V(6).Infof("Successfully retrieved and converted resource %s of kind %s", name, r.gvr.Resource)
-	return &convertedModule, nil
+	// Explicitly set apiVersion and kind for TenantModule
+	convertedModule.TypeMeta = metav1.TypeMeta{
+		APIVersion: "core.cozystack.io/v1alpha1",
+		Kind:       r.kindName,
+	}
+
+	// Convert TenantModule to unstructured format
+	unstructuredModule, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&convertedModule)
+	if err != nil {
+		klog.Errorf("Failed to convert TenantModule to unstructured for resource %s: %v", name, err)
+		return nil, fmt.Errorf("failed to convert TenantModule to unstructured: %v", err)
+	}
+
+	// Explicitly set apiVersion and kind in unstructured object
+	unstructuredModule["apiVersion"] = "core.cozystack.io/v1alpha1"
+	unstructuredModule["kind"] = r.kindName
+
+	klog.V(6).Infof("Successfully retrieved and converted resource %s of kind %s to unstructured", name, r.gvr.Resource)
+	return &unstructured.Unstructured{Object: unstructuredModule}, nil
 }
 
 // List retrieves a list of TenantModules by converting HelmReleases
@@ -227,8 +245,8 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 		return nil, err
 	}
 
-	// Initialize TenantModule items array
-	items := make([]corev1alpha1.TenantModule, 0, len(hrList.Items))
+	// Initialize unstructured items array
+	items := make([]unstructured.Unstructured, 0)
 
 	// Iterate over HelmReleases and convert to TenantModules
 	for i := range hrList.Items {
@@ -276,15 +294,19 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 			}
 		}
 
-		items = append(items, module)
+		// Convert TenantModule to unstructured
+		unstructuredModule, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&module)
+		if err != nil {
+			klog.Errorf("Error converting TenantModule %s to unstructured: %v", module.Name, err)
+			continue
+		}
+		items = append(items, unstructured.Unstructured{Object: unstructuredModule})
 	}
 
-	// Create TenantModuleList with proper kind
-	moduleList := &corev1alpha1.TenantModuleList{}
-	moduleList.TypeMeta = metav1.TypeMeta{
-		APIVersion: "core.cozystack.io/v1alpha1",
-		Kind:       r.kindName + "List",
-	}
+	// Explicitly set apiVersion and kind in unstructured object
+	moduleList := &unstructured.UnstructuredList{}
+	moduleList.SetAPIVersion("core.cozystack.io/v1alpha1")
+	moduleList.SetKind(r.kindName + "List")
 	moduleList.SetResourceVersion(hrList.GetResourceVersion())
 	moduleList.Items = items
 
@@ -433,10 +455,17 @@ func (r *REST) Watch(ctx context.Context, options *metainternalversion.ListOptio
 					}
 				}
 
+				// Convert TenantModule to unstructured
+				unstructuredModule, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&module)
+				if err != nil {
+					klog.Errorf("Failed to convert TenantModule to unstructured: %v", err)
+					continue
+				}
+
 				// Create watch event with TenantModule object
 				moduleEvent := watch.Event{
 					Type:   event.Type,
-					Object: &module,
+					Object: &unstructured.Unstructured{Object: unstructuredModule},
 				}
 
 				// Send event to custom watcher
@@ -591,11 +620,27 @@ func (r *REST) ConvertToTable(ctx context.Context, object runtime.Object, tableO
 	var table metav1.Table
 
 	switch obj := object.(type) {
-	case *corev1alpha1.TenantModuleList:
-		table = r.buildTableFromTenantModules(obj.Items)
-		table.ListMeta.ResourceVersion = obj.ListMeta.ResourceVersion
-	case *corev1alpha1.TenantModule:
-		table = r.buildTableFromTenantModule(*obj)
+	case *unstructured.UnstructuredList:
+		modules := make([]corev1alpha1.TenantModule, 0, len(obj.Items))
+		for _, u := range obj.Items {
+			var m corev1alpha1.TenantModule
+			err := runtime.DefaultUnstructuredConverter.FromUnstructured(u.Object, &m)
+			if err != nil {
+				klog.Errorf("Failed to convert Unstructured to TenantModule: %v", err)
+				continue
+			}
+			modules = append(modules, m)
+		}
+		table = r.buildTableFromTenantModules(modules)
+		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
+	case *unstructured.Unstructured:
+		var module corev1alpha1.TenantModule
+		err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &module)
+		if err != nil {
+			klog.Errorf("Failed to convert Unstructured to TenantModule: %v", err)
+			return nil, fmt.Errorf("failed to convert Unstructured to TenantModule: %v", err)
+		}
+		table = r.buildTableFromTenantModule(module)
 		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
 	default:
 		resource := schema.GroupResource{}
@@ -635,11 +680,10 @@ func (r *REST) buildTableFromTenantModules(modules []corev1alpha1.TenantModule)
 	}
 	now := time.Now()
 
-	for i := range modules {
-		module := &modules[i]
+	for _, module := range modules {
 		row := metav1.TableRow{
 			Cells:  []interface{}{module.GetName(), getReadyStatus(module.Status.Conditions), computeAge(module.GetCreationTimestamp().Time, now), getVersion(module.Status.Version)},
-			Object: runtime.RawExtension{Object: module},
+			Object: runtime.RawExtension{Object: &module},
 		}
 		table.Rows = append(table.Rows, row)
 	}
@@ -660,10 +704,9 @@ func (r *REST) buildTableFromTenantModule(module corev1alpha1.TenantModule) meta
 	}
 	now := time.Now()
 
-	m := module
 	row := metav1.TableRow{
 		Cells:  []interface{}{module.GetName(), getReadyStatus(module.Status.Conditions), computeAge(module.GetCreationTimestamp().Time, now), getVersion(module.Status.Version)},
-		Object: runtime.RawExtension{Object: &m},
+		Object: runtime.RawExtension{Object: &module},
 	}
 	table.Rows = append(table.Rows, row)
 
@@ -708,22 +751,12 @@ func (r *REST) Destroy() {
 
 // New creates a new instance of TenantModule
 func (r *REST) New() runtime.Object {
-	obj := &corev1alpha1.TenantModule{}
-	obj.TypeMeta = metav1.TypeMeta{
-		APIVersion: r.gvk.GroupVersion().String(),
-		Kind:       r.kindName,
-	}
-	return obj
+	return &corev1alpha1.TenantModule{}
 }
 
 // NewList returns an empty list of TenantModule objects
 func (r *REST) NewList() runtime.Object {
-	obj := &corev1alpha1.TenantModuleList{}
-	obj.TypeMeta = metav1.TypeMeta{
-		APIVersion: r.gvk.GroupVersion().String(),
-		Kind:       r.kindName + "List",
-	}
-	return obj
+	return &corev1alpha1.TenantModuleList{}
 }
 
 // Kind returns the resource kind used for API discovery