[kubernetes] No default nodegroups in values

Since nodegroups are defined as key-value pairs in the values, there's no easy way to remove the example md0 nodegroup that was provided there for purposes of documentation. Commenting it out from values.yaml keeps the documentation in place, but doesn't force the node group onto users. Release note: [kubernetes] Remove potentially undesirable node group from default values of kubernetes chart. Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
[platform] Autodetect RobotLB (#1271 )
2026-03-05 14:38:57 +00:00 · 2025-07-24 22:01:05 +03:00 · 2025-07-24 22:41:10 +04:00 · 2025-07-24 19:10:46 +02:00 · 2025-07-24 18:55:30 +03:00 · 2025-07-24 17:45:55 +02:00
64 changed files with 732 additions and 95 deletions
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -264,8 +264,7 @@ jobs:
      - uses: actions/checkout@v4
      - id: set
        run: |
-          apps=$(find hack/e2e-apps -maxdepth 1 -mindepth 1 -name '*.bats' | \
-            awk -F/ '{sub(/\..+/, "", $NF); print $NF}' | jq -R . | jq -cs .)
+          apps=$(ls hack/e2e-apps/*.bats | cut -f3 -d/ | cut -f1 -d. | jq -R | jq -cs)
          echo "matrix={\"app\":$apps}" >> "$GITHUB_OUTPUT"

  test_apps:
--- a/1
+++ b/1
@@ -22,6 +22,7 @@ build: build-deps
 	make -C packages/system/metallb image
 	make -C packages/system/kamaji image
 	make -C packages/system/bucket image
+	make -C packages/system/objectstorage-controller image
 	make -C packages/core/testing image
 	make -C packages/core/installer image
 	make manifests
--- a/hack/e2e-apps/clickhouse.bats
+++ b/hack/e2e-apps/clickhouse.bats
@@ -38,4 +38,5 @@ EOF
  timeout 100 sh -ec "until kubectl -n tenant-test get svc chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.spec.ports[*].port}' | grep -q '9000 8123 9009'; do sleep 10; done"
  timeout 80 sh -ec "until kubectl -n tenant-test get sts chi-clickhouse-$name-clickhouse-0-1 ; do sleep 10; done"
  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-1 --timeout=140s --for=jsonpath='{.status.replicas}'=1
+  kubectl -n tenant-test delete clickhouse $name
 }
--- a/hack/e2e-apps/kubernetes-latest.bats
+++ b/hack/e2e-apps/kubernetes-latest.bats
@@ -0,0 +1,6 @@
+#!/usr/bin/env bats
+
+@test "Create a tenant Kubernetes control plane with latest version" {
+  . hack/e2e-apps/run-kubernetes.sh
+  run_kubernetes_test 'keys | sort_by(.) | .[-1]' 'test-latest-version' '59991'
+}
--- a/hack/e2e-apps/kubernetes-previous.bats
+++ b/hack/e2e-apps/kubernetes-previous.bats
@@ -0,0 +1,6 @@
+#!/usr/bin/env bats
+
+@test "Create a tenant Kubernetes control plane with previous version" {
+  . hack/e2e-apps/run-kubernetes.sh
+  run_kubernetes_test 'keys | sort_by(.) | .[-2]' 'test-previous-version' '59992'
+}
--- a/hack/e2e-apps/run-kubernetes.sh
+++ b/hack/e2e-apps/run-kubernetes.sh
@@ -1,5 +1,3 @@
-#!/usr/bin/env bats
-
 run_kubernetes_test() {
    local version_expr="$1"
    local test_name="$2"
@@ -104,10 +102,3 @@ EOF
  kubectl -n tenant-test delete kuberneteses.apps.cozystack.io $test_name

 }
-
-@test "Create a tenant Kubernetes control plane with latest version" {
-  run_kubernetes_test 'keys | sort_by(.) | .[-1]' 'test-latest-version' '59991'
-}
-@test "Create a tenant Kubernetes control plane with previous version" {
-  run_kubernetes_test 'keys | sort_by(.) | .[-2]' 'test-previous-version' '59992'
-}
--- a/packages/apps/ferretdb/templates/external-svc.yaml
+++ b/packages/apps/ferretdb/templates/external-svc.yaml
@@ -8,7 +8,9 @@ spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  {{- if .Values.external }}
  externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
  allocateLoadBalancerNodePorts: false
+    {{- end }}
  {{- end }}
  ports:
  - name: ferretdb
--- a/packages/apps/http-cache/templates/haproxy/service.yaml
+++ b/packages/apps/http-cache/templates/haproxy/service.yaml
@@ -10,7 +10,9 @@ spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  {{- if .Values.external }}
  externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
  allocateLoadBalancerNodePorts: false
+    {{- end }}
  {{- end }}
  selector:
    app: {{ .Release.Name }}-haproxy
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.26.0
+version: 0.26.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kubernetes/values.yaml
+++ b/packages/apps/kubernetes/values.yaml
@@ -10,25 +10,25 @@ version: "v1.32"
 host: ""
 ## @param nodeGroups [object] Worker nodes configuration (see example)
 ##
-nodeGroups:
-  md0:
-    minReplicas: 0
-    maxReplicas: 10
-    instanceType: "u1.medium"
-    ephemeralStorage: 20Gi
-    roles:
-    - ingress-nginx
-
-    resources:
-      cpu: ""
-      memory: ""
-
-    ## List of GPUs to attach (WARN: NVIDIA driver requires at least 4 GiB of RAM)
-    ## e.g:
-    ## instanceType: "u1.xlarge"
-    ## gpus:
-    ## - name: nvidia.com/AD102GL_L40S
-    gpus: []
+nodeGroups: {}
+#   md0:
+#     minReplicas: 0
+#     maxReplicas: 10
+#     instanceType: "u1.medium"
+#     ephemeralStorage: 20Gi
+#     roles:
+#     - ingress-nginx
+# 
+#     resources:
+#       cpu: ""
+#       memory: ""
+# 
+#     ## List of GPUs to attach (WARN: NVIDIA driver requires at least 4 GiB of RAM)
+#     ## e.g:
+#     ## instanceType: "u1.xlarge"
+#     ## gpus:
+#     ## - name: nvidia.com/AD102GL_L40S
+#     gpus: []


 ## @section Cluster Addons
--- a/packages/apps/postgres/templates/external-svc.yaml
+++ b/packages/apps/postgres/templates/external-svc.yaml
@@ -7,7 +7,9 @@ spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  {{- if .Values.external }}
  externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
  allocateLoadBalancerNodePorts: false
+    {{- end }}
  {{- end }}
  ports:
  - name: postgres
--- a/packages/apps/redis/templates/service.yaml
+++ b/packages/apps/redis/templates/service.yaml
@@ -11,7 +11,9 @@ spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  {{- if .Values.external }}
  externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
  allocateLoadBalancerNodePorts: false
+    {{- end }}
  {{- end }}
  selector:
    app.kubernetes.io/component: redis
--- a/packages/apps/tcp-balancer/templates/service.yaml
+++ b/packages/apps/tcp-balancer/templates/service.yaml
@@ -10,7 +10,9 @@ spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  {{- if .Values.external }}
  externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
  allocateLoadBalancerNodePorts: false
+    {{- end }}
  {{- end }}
  selector:
    app: {{ .Release.Name }}-haproxy
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg

 type: application
-version: 1.11.1
+version: 1.11.2
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -48,6 +48,20 @@ spec:
    {{- range $i, $v := $parts }}
    {{- if ne $i 0 }}
    - matchLabels:
+        "k8s:app.kubernetes.io/name": "vminsert"
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+  {{- end }}    
+  {{- if ne (include "tenant.name" .) "tenant-root" }}
+  - toEndpoints:
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
+    - matchLabels:
+        "k8s:app.kubernetes.io/instance": "etcd"
        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
    {{- end }}
    {{- end }}
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -61,7 +61,8 @@ kubernetes 0.24.0 62cb694d
 kubernetes 0.25.0 70f82667
 kubernetes 0.25.1 acd4663a
 kubernetes 0.25.2 08cb7c0f
-kubernetes 0.26.0 HEAD
+kubernetes 0.26.0 68a47097
+kubernetes 0.26.1 HEAD
 mysql 0.1.0 263e47be
 mysql 0.2.0 c24a103f
 mysql 0.3.0 53f2365e
@@ -151,7 +152,8 @@ tcp-balancer 0.5.0 08cb7c0f
 tcp-balancer 0.5.1 HEAD
 tenant 1.10.0 4369b031
 tenant 1.11.0 08cb7c0f
-tenant 1.11.1 HEAD
+tenant 1.11.1 28c9fcd6
+tenant 1.11.2 HEAD
 virtual-machine 0.1.4 f2015d65
 virtual-machine 0.1.5 263e47be
 virtual-machine 0.2.0 c0685f43
--- a/packages/apps/virtual-machine/templates/service.yaml
+++ b/packages/apps/virtual-machine/templates/service.yaml
@@ -13,7 +13,9 @@ metadata:
 spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
  allocateLoadBalancerNodePorts: false
+    {{- end }}
  selector:
    {{- include "virtual-machine.selectorLabels" . | nindent 4 }}
  ports:
--- a/packages/apps/vm-instance/templates/service.yaml
+++ b/packages/apps/vm-instance/templates/service.yaml
@@ -13,7 +13,9 @@ metadata:
 spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
  allocateLoadBalancerNodePorts: false
+    {{- end }}
  selector:
    {{- include "virtual-machine.selectorLabels" . | nindent 4 }}
  ports:
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.34.0@sha256:3716c495c7d5c1f321e59cdc445e0853e8219932ee40e07ffcec99da7fcc7c6c
+  image: ghcr.io/cozystack/cozystack/installer:v0.35.0-alpha.1@sha256:c50451e26a1a2a9f8962e26f6ab668b71b95186f53c1ae84118733e2cd464293
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -258,3 +258,10 @@ releases:
  privileged: true
  optional: true
  dependsOn: [cilium]
+
+- name: hetzner-robotlb
+  releaseName: robotlb
+  optional: true
+  chart: cozy-hetzner-robotlb
+  namespace: cozy-hetzner-robotlb
+  dependsOn: [cilium]
--- a/packages/core/platform/bundles/distro-hosted.yaml
+++ b/packages/core/platform/bundles/distro-hosted.yaml
@@ -171,3 +171,9 @@ releases:
  namespace: cozy-velero
  privileged: true
  optional: true
+
+- name: hetzner-robotlb
+  releaseName: robotlb
+  optional: true
+  chart: cozy-hetzner-robotlb
+  namespace: cozy-hetzner-robotlb
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -415,3 +415,10 @@ releases:
  privileged: true
  optional: true
  dependsOn: [monitoring-agents]
+
+- name: hetzner-robotlb
+  releaseName: robotlb
+  optional: true
+  chart: cozy-hetzner-robotlb
+  namespace: cozy-hetzner-robotlb
+  dependsOn: [cilium, kubeovn]
--- a/packages/core/platform/bundles/paas-hosted.yaml
+++ b/packages/core/platform/bundles/paas-hosted.yaml
@@ -238,3 +238,9 @@ releases:
  privileged: true
  optional: true
  dependsOn: [monitoring-agents]
+
+- name: hetzner-robotlb
+  releaseName: robotlb
+  optional: true
+  chart: cozy-hetzner-robotlb
+  namespace: cozy-hetzner-robotlb
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.34.0@sha256:2c7dab87c149b63f74f18a591f38b1253ab581055351aec81816519245bc04aa
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.35.0-alpha.1@sha256:ea73a2aeeac810be8eaee636aba6d6d10051772297ee76b6ce28a2aa7aa6a7f4
--- a/packages/extra/bootbox/images/matchbox.tag
+++ b/packages/extra/bootbox/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.34.0@sha256:22a11dd07e3eaed843c1ab4f589b629740159a65aeeec9afc495ddd818868dfc
+ghcr.io/cozystack/cozystack/matchbox:v0.35.0-alpha.1@sha256:103e7c66ba47caee2126eca2d4b40e67041d4a3e6b729945b4dfc55decda74e7
--- a/packages/extra/seaweedfs/Makefile
+++ b/packages/extra/seaweedfs/Makefile
@@ -4,4 +4,4 @@ include ../../../scripts/package.mk

 generate:
 	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
-	yq -o json -i '.properties.topology.enum = ["Simple","MultiZone"]' values.schema.json
+	yq -o json -i '.properties.topology.enum = ["Simple","MultiZone","Client"]' values.schema.json
--- a/packages/extra/seaweedfs/README.md
+++ b/packages/extra/seaweedfs/README.md
@@ -4,12 +4,14 @@

 ### Common parameters

-| Name                | Description                                                                                            | Value    |
-| ------------------- | ------------------------------------------------------------------------------------------------------ | -------- |
-| `host`              | The hostname used to access the SeaweedFS externally (defaults to 's3' subdomain for the tenant host). | `""`     |
-| `topology`          | The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone)                             | `Simple` |
-| `replicationFactor` | The number of replicas for each volume in the SeaweedFS cluster.                                       | `2`      |
-| `replicas`          | Persistent Volume size for SeaweedFS                                                                   | `2`      |
-| `size`              | Persistent Volume size                                                                                 | `10Gi`   |
-| `storageClass`      | StorageClass used to store the data                                                                    | `""`     |
-| `zones`             | A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.         | `{}`     |
+| Name                | Description                                                                                                              | Value           |
+| ------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------- |
+| `host`              | The hostname used to access the SeaweedFS externally (defaults to 's3' subdomain for the tenant host).                   | `""`            |
+| `topology`          | The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone, Client)                                       | `Simple`        |
+| `replicationFactor` | The number of replicas for each volume in the SeaweedFS cluster.                                                         | `2`             |
+| `replicas`          | Persistent Volume size for SeaweedFS                                                                                     | `2`             |
+| `size`              | Persistent Volume size                                                                                                   | `10Gi`          |
+| `storageClass`      | StorageClass used to store the data                                                                                      | `""`            |
+| `zones`             | A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.                           | `{}`            |
+| `filer.external`    | Enable external access to the SeaweedFS filer from outside the cluster. Use this when `topology` is not set to `Client`. | `false`         |
+| `remoteEndpoint`    | The endpoint of the remote filer GRPC service. Used when `topology` is set to `Client`.                                  | `1.2.3.4:18888` |
--- a/packages/extra/seaweedfs/images/objectstorage-sidecar.tag
+++ b/packages/extra/seaweedfs/images/objectstorage-sidecar.tag
@@ -0,0 +1 @@
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.35.0-alpha.1@sha256:e4f9a7302285ea9febeb28fc2fa97cb7c01bb91e602f975c31aad1fe46f778f7
--- a/packages/extra/seaweedfs/templates/cm.yaml
+++ b/packages/extra/seaweedfs/templates/cm.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ .Release.Name }}-deployed-topology"
+data:
+  topology: {{ quote .Values.topology }}
--- a/packages/extra/seaweedfs/templates/dashboard-resourcemap.yaml
+++ b/packages/extra/seaweedfs/templates/dashboard-resourcemap.yaml
@@ -3,6 +3,7 @@ kind: Role
 metadata:
  name: {{ .Release.Name }}-dashboard-resources
 rules:
+{{- if not (eq .Values.topology "Client") }}
 - apiGroups:
  - ""
  resources:
@@ -27,13 +28,15 @@ rules:
  - {{ $.Release.Name }}-volume
  - {{ $.Release.Name }}-db
  verbs: ["get", "list", "watch"]
+{{- end }}
+
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ .Release.Name }}-dashboard-resources
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" .Release.Namespace) }}
 roleRef:
  kind: Role
  name: {{ .Release.Name }}-dashboard-resources
--- a/packages/extra/seaweedfs/templates/external/cosi-bucket-class.yaml
+++ b/packages/extra/seaweedfs/templates/external/cosi-bucket-class.yaml
@@ -0,0 +1,16 @@
+{{- if eq .Values.topology "Client" }}
+---
+kind: BucketClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ .Release.Namespace }}
+driverName: {{ .Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+deletionPolicy: Delete
+---
+kind: BucketAccessClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ .Release.Namespace }}
+driverName: {{ .Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+authenticationType: KEY
+{{- end }}
--- a/packages/extra/seaweedfs/templates/external/cosi-cluster-role.yaml
+++ b/packages/extra/seaweedfs/templates/external/cosi-cluster-role.yaml
@@ -0,0 +1,61 @@
+{{- if eq .Values.topology "Client" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Namespace }}-objectstorage-provisioner
+rules:
+- apiGroups: ["objectstorage.k8s.io"]
+  resources:
+    - "buckets"
+    - "bucketaccesses"
+    - "bucketclaims"
+    - "bucketclasses"
+    - "bucketclasses/status"
+    - "bucketaccessclasses"
+    - "buckets/status"
+    - "bucketaccesses/status"
+    - "bucketclaims/status"
+    - "bucketaccessclasses/status"
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "update"
+    - "create"
+    - "delete"
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs:
+    - "get"
+    - "watch"
+    - "list"
+    - "delete"
+    - "update"
+    - "create"
+- apiGroups: [""]
+  resources:
+    - "secrets"
+    - "events"
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "update"
+    - "create"
+    - "delete"
+    - "patch"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Namespace }}-objectstorage-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-objectstorage-provisioner
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Namespace }}-objectstorage-provisioner
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
--- a/packages/extra/seaweedfs/templates/external/cosi-deployment.yaml
+++ b/packages/extra/seaweedfs/templates/external/cosi-deployment.yaml
@@ -0,0 +1,88 @@
+{{- if eq .Values.topology "Client" }}
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $.Release.Name }}-objectstorage-provisioner
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: objectstorage-provisioner
+    app.kubernetes.io/instance: seaweedfs
+    app.kubernetes.io/name: {{ $.Release.Name }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: objectstorage-provisioner
+      app.kubernetes.io/instance: seaweedfs
+      app.kubernetes.io/name: {{ $.Release.Name }}
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        policy.cozystack.io/allow-to-apiserver: "true"
+        app.kubernetes.io/component: objectstorage-provisioner
+        app.kubernetes.io/instance: seaweedfs
+        app.kubernetes.io/name: {{ $.Release.Name }}
+    spec:
+      containers:
+      - name: seaweedfs-cosi-driver
+        image: ghcr.io/seaweedfs/seaweedfs-cosi-driver:v0.1.2
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: DRIVERNAME
+          value: {{ .Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+        - name: ENDPOINT
+          value: https://{{ .Values.host | default (printf "s3.%s" $host) }}
+        - name: SEAWEEDFS_FILER
+          value: {{ .Values.remoteEndpoint }}
+        - name: WEED_GRPC_CLIENT_KEY
+          value: /usr/local/share/ca-certificates/client/tls.key
+        - name: WEED_GRPC_CLIENT_CERT
+          value: /usr/local/share/ca-certificates/client/tls.crt
+        - name: WEED_GRPC_CA
+          value: /usr/local/share/ca-certificates/client/ca.crt
+        resources:
+          limits:
+            cpu: 500m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 128Mi
+        volumeMounts:
+        - mountPath: /var/lib/cosi
+          name: socket
+        - mountPath: /usr/local/share/ca-certificates/client/
+          name: client-cert
+          readOnly: true
+      - name: seaweedfs-cosi-sidecar
+        image: "{{ $.Files.Get "images/objectstorage-sidecar.tag" | trim }}"
+        imagePullPolicy: IfNotPresent
+        args:
+        - --v=5
+        env:
+        - name: POD_NAMESPACE
+          value: {{ .Release.Namespace }}
+        volumeMounts:
+        - mountPath: /var/lib/cosi
+          name: socket
+      enableServiceLinks: false
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 10
+      serviceAccountName: {{ .Release.Name }}-objectstorage-provisioner
+      volumes:
+      - name: socket
+        emptyDir: {}
+      - name: client-cert
+        secret:
+          defaultMode: 420
+          secretName: seaweedfs-client-cert
+{{- end }}
--- a/packages/extra/seaweedfs/templates/external/cosi-service-account.yaml
+++ b/packages/extra/seaweedfs/templates/external/cosi-service-account.yaml
@@ -0,0 +1,8 @@
+{{- if eq .Values.topology "Client" }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-objectstorage-provisioner
+  namespace: {{ .Release.Namespace }}
+automountServiceAccountToken: true
+{{- end }}
--- a/packages/extra/seaweedfs/templates/seaweedfs.yaml
+++ b/packages/extra/seaweedfs/templates/seaweedfs.yaml
@@ -1,6 +1,9 @@
 {{- /* Preflight checks for Helm template */ -}}
-{{- if not (has .Values.topology (list "Simple" "MultiZone")) }}
-{{-   fail "Invalid value for .Values.topology. Must be one of 'Simple' or 'MultiZone'." }}
+{{- if not (has .Values.topology (list "Simple" "MultiZone" "Client")) }}
+{{-   fail "Invalid value for .Values.topology. Must be one of 'Simple', 'MultiZone' or 'Client'." }}
+{{- end }}
+{{- if and (eq .Values.topology "Client") (not .Values.remoteEndpoint) }}
+{{-   fail "When topology is 'Client', .Values.remoteEndpoint must be set to a valid remote filer GRPC service endpoint." }}
 {{- end }}
 {{- if lt (int .Values.replicationFactor) 1 }}
 {{-   fail "Invalid value for .Values.replicationFactor. Must be at least 1." }}
@@ -13,16 +16,24 @@
 {{-     fail "replicationFactor must be less than or equal to the number of zones defined in .Values.zones." }}
 {{-   end }}
 {{- end }}
-{{- if lookup "v1" "PersistentVolumeClaim" "" (printf "%s-data1-seaweedfs-volume-0" .Release.Name) }}
-{{-   if eq .Values.topology "MultiZone" }}
-{{-     fail "Not allowed to switch between Simple and MultiZone topologies after the first deployment." }}
-{{-   end }}
+
+{{- $detectedTopology := "Unknown" }}
+{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace (printf "%s-deployed-topology" .Release.Name) }}
+{{- if $configMap }}
+{{-   $detectedTopology = dig "data" "topology" "Unknown" $configMap }}
 {{- else }}
-{{-   if and (eq .Values.topology "Simple") (.Release.IsUpgrade) }}
-{{-     fail "Not allowed to switch between Simple and MultiZone topologies after the first deployment." }}
+{{-   if lookup "v1" "PersistentVolumeClaim" .Release.Namespace (printf "data1-%s-volume-0" .Release.Name) }}
+{{-     $detectedTopology = "Simple" }}
+{{-   else if lookup "apps/v1" "StatefulSet" .Release.Namespace (printf "%s-master" .Release.Name) }}
+{{-     $detectedTopology = "MultiZone" }}
 {{-   end }}
 {{- end }}

+{{- if not (has $detectedTopology (list .Values.topology "Unknown")) }}
+{{-   fail (printf "Not allowed to switch between topologies after the first deployment: %s" $detectedTopology) }}
+{{- end }}
+
+{{- if not (eq .Values.topology "Client") }}
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
@@ -198,3 +209,4 @@ spec:
    cnpg.io/cluster: seaweedfs-db
    cnpg.io/podRole: instance
  version: {{ $.Chart.Version }}
+{{- end }}
--- a/packages/extra/seaweedfs/templates/svc-external.yaml
+++ b/packages/extra/seaweedfs/templates/svc-external.yaml
@@ -0,0 +1,18 @@
+{{- if and (not (eq .Values.topology "Client")) (.Values.filer.external) }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $.Release.Name }}-filer-external
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  ports:
+  - name: swfs-filer-grpc
+    port: 18888
+    protocol: TCP
+    targetPort: 18888
+  selector:
+    app.kubernetes.io/component: filer
+    app.kubernetes.io/name: {{ $.Release.Name }}
+{{- end }}
--- a/packages/extra/seaweedfs/templates/vpa.yaml
+++ b/packages/extra/seaweedfs/templates/vpa.yaml
@@ -1,3 +1,4 @@
+{{- if not (eq .Values.topology "Client") }}
 apiVersion: autoscaling.k8s.io/v1
 kind: VerticalPodAutoscaler
 metadata:
@@ -64,3 +65,4 @@ spec:
        maxAllowed:
          cpu: "1"
          memory: 2048Mi
+{{- end }}
--- a/packages/extra/seaweedfs/values.schema.json
+++ b/packages/extra/seaweedfs/values.schema.json
@@ -1,10 +1,25 @@
 {
  "properties": {
+    "filer": {
+      "properties": {
+        "external": {
+          "default": false,
+          "description": "Enable external access to the SeaweedFS filer from outside the cluster. Use this when `topology` is not set to `Client`.",
+          "type": "boolean"
+        }
+      },
+      "type": "object"
+    },
    "host": {
      "default": "",
      "description": "The hostname used to access the SeaweedFS externally (defaults to 's3' subdomain for the tenant host).",
      "type": "string"
    },
+    "remoteEndpoint": {
+      "default": "1.2.3.4:18888",
+      "description": "The endpoint of the remote filer GRPC service. Used when `topology` is set to `Client`.",
+      "type": "string"
+    },
    "replicas": {
      "default": 2,
      "description": "Persistent Volume size for SeaweedFS",
@@ -27,11 +42,12 @@
    },
    "topology": {
      "default": "Simple",
-      "description": "The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone)",
+      "description": "The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone, Client)",
      "type": "string",
      "enum": [
        "Simple",
-        "MultiZone"
+        "MultiZone",
+        "Client"
      ]
    },
    "zones": {
--- a/packages/extra/seaweedfs/values.yaml
+++ b/packages/extra/seaweedfs/values.yaml
@@ -3,7 +3,7 @@
 ## @param host The hostname used to access the SeaweedFS externally (defaults to 's3' subdomain for the tenant host).
 host: ""

-## @param topology The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone)
+## @param topology The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone, Client)
 ##
 topology: Simple

@@ -31,3 +31,10 @@ storageClass: ""
 ##     replicas: 2
 ##     size: 10Gi
 zones: {}
+
+## @param filer.external Enable external access to the SeaweedFS filer from outside the cluster. Use this when `topology` is not set to `Client`.
+filer:
+  external: false
+
+## @param remoteEndpoint The endpoint of the remote filer GRPC service. Used when `topology` is set to `Client`.
+remoteEndpoint: "1.2.3.4:18888"
--- a/packages/library/cozy-lib/templates/_network.tpl
+++ b/packages/library/cozy-lib/templates/_network.tpl
@@ -0,0 +1,23 @@
+{{- define "cozy-lib.network.defaultDisableLoadBalancerNodePorts" }}
+{{/* Default behavior prior to introduction */}}
+{{-   `true` }}
+{{- end }}
+
+{{/* 
+Invoke as {{ include "cozy-lib.network.disableLoadBalancerNodePorts" $ }}.
+Detects whether the current load balancer class requires nodeports to function
+correctly. Currently just checks if Hetzner's RobotLB is enabled, which does
+require nodeports, and so, returns `false`. Otherwise assumes that metallb is
+in use and returns `true`.
+*/}}
+
+{{- define "cozy-lib.network.disableLoadBalancerNodePorts" }}
+{{-   include "cozy-lib.loadCozyConfig" (list "" .) }}
+{{-   $cozyConfig := index . 1 "cozyConfig" }}
+{{-   if not $cozyConfig }}
+{{-     include "cozy-lib.network.defaultDisableLoadBalancerNodePorts" . }}
+{{-   else }}
+{{-     $enabledComponents := splitList "," ((index $cozyConfig.data "bundle-enable") | default "") }}
+{{-     not (has "robotlb" $enabledComponents) }}
+{{-   end }}
+{{- end }}
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:208d8ea43b4b493ee0bea80606f6b3041a02460be79c52ed12aecccd35ec2a02
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:34db8c950f14a3e2742b7c31bd3c6a1fe631c9b398caac611ed5cfdac5769d36
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.34.0@sha256:dad88c168719dcaa0b2e6bab352a90f44f4e23c58f525f96841cfce357920bdf
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.35.0-alpha.1@sha256:677b5af99f2b7d1adb4c25d5637f2fa5a1baffb423269fa166d2ea15a0028864
--- a/packages/system/cozystack-controller/values.yaml
+++ b/packages/system/cozystack-controller/values.yaml
@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.34.0@sha256:ef725447d1ddadbceb5218d6a2eb68b5fbace838173fbe00eb67ba72662ad171
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.35.0-alpha.1@sha256:7a510d046d7e1dd1f82a06f7a014bf7690f95cbd42005a417520b216141f86a0
  debug: false
  disableTelemetry: false
-  cozystackVersion: "v0.34.0"
+  cozystackVersion: "v0.35.0-alpha.1"
--- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
@@ -76,7 +76,7 @@ data:
      "kubeappsNamespace": {{ .Release.Namespace | quote }},
      "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
      "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.34.0",
+      "appVersion": "v0.35.0-alpha.1",
      "authProxyEnabled": {{ .Values.authProxy.enabled }},
      "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
      "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -19,7 +19,7 @@ kubeapps:
    image:
      registry: ghcr.io/cozystack/cozystack
      repository: dashboard
-      tag: v0.34.0
+      tag: v0.35.0-alpha.1
      digest: "sha256:ad4b95660b6c5c1b9736ca4768a3f9648705c2855d0a08880d570b4e480dba78"
  redis:
    master:
@@ -37,8 +37,8 @@ kubeapps:
    image:
      registry: ghcr.io/cozystack/cozystack
      repository: kubeapps-apis
-      tag: v0.34.0
-      digest: "sha256:9f376d82db6802af32d137fef722237e1037e92ac8feb39131fcdfb5a0b02d30"
+      tag: v0.35.0-alpha.1
+      digest: "sha256:5eb100bab12012659caaa335e510438fec4db22929d2ff8131d51572f609c4b5"
    pluginConfig:
      flux:
        packages:
--- a/packages/system/hetzner-robotlb/Chart.yaml
+++ b/packages/system/hetzner-robotlb/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-hetzner-robotlb
+version: 0.1.3  # Placeholder, the actual version will be automatically set during the build process
--- a/packages/system/hetzner-robotlb/Makefile
+++ b/packages/system/hetzner-robotlb/Makefile
@@ -0,0 +1,9 @@
+export NAME=hetzner-robotlb
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	mkdir -p charts
+	helm pull oci://ghcr.io/intreecom/charts/robotlb --untar --untardir charts
--- a/packages/system/hetzner-robotlb/charts/robotlb/.helmignore
+++ b/packages/system/hetzner-robotlb/charts/robotlb/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/packages/system/hetzner-robotlb/charts/robotlb/Chart.yaml
+++ b/packages/system/hetzner-robotlb/charts/robotlb/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 0.0.5
+description: A Helm chart for robotlb (loadbalancer on hetzner cloud).
+name: robotlb
+type: application
+version: 0.1.3
--- a/packages/system/hetzner-robotlb/charts/robotlb/templates/NOTES.txt
+++ b/packages/system/hetzner-robotlb/charts/robotlb/templates/NOTES.txt
@@ -0,0 +1,4 @@
+The RobotLB Operator was successfully installed.
+Please follow the readme to create loadbalanced services.
+
+README: https://github.com/intreecom/robotlb
--- a/packages/system/hetzner-robotlb/charts/robotlb/templates/_helpers.tpl
+++ b/packages/system/hetzner-robotlb/charts/robotlb/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "robotlb.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "robotlb.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "robotlb.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "robotlb.labels" -}}
+helm.sh/chart: {{ include "robotlb.chart" . }}
+{{ include "robotlb.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "robotlb.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "robotlb.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "robotlb.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "robotlb.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
--- a/packages/system/hetzner-robotlb/charts/robotlb/templates/deployment.yaml
+++ b/packages/system/hetzner-robotlb/charts/robotlb/templates/deployment.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "robotlb.fullname" . }}
+  labels:
+    {{- include "robotlb.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      {{- include "robotlb.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "robotlb.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "robotlb.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /usr/local/bin/robotlb
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.envs }}
+          env:
+            {{- range $key, $val := . }}
+              - name: {{ $key | quote }}
+                value: {{ $val | quote }}
+            {{ end -}}
+          {{- end }}
+          {{- with .Values.existingSecrets }}
+          envFrom:
+            {{- range $val := . }}
+            - secretRef:
+                name: {{ $val | quote }}
+            {{ end -}}
+          {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/packages/system/hetzner-robotlb/charts/robotlb/templates/role.yaml
+++ b/packages/system/hetzner-robotlb/charts/robotlb/templates/role.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "robotlb.fullname" . }}-cr
+rules: {{- toYaml .Values.serviceAccount.permissions | nindent 2 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "robotlb.fullname" . }}-crb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "robotlb.fullname" . }}-cr
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "robotlb.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
--- a/packages/system/hetzner-robotlb/charts/robotlb/templates/serviceaccount.yaml
+++ b/packages/system/hetzner-robotlb/charts/robotlb/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "robotlb.serviceAccountName" . }}
+  labels:
+    {{- include "robotlb.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
--- a/packages/system/hetzner-robotlb/charts/robotlb/values.yaml
+++ b/packages/system/hetzner-robotlb/charts/robotlb/values.yaml
@@ -0,0 +1,73 @@
+# Default values for robotlb.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  repository: ghcr.io/intreecom/robotlb
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+envs:
+  ROBOTLB_LOG_LEVEL: "INFO"
+
+existingSecrets: []
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+  # This is a list of cluster permissions to apply to the service account.
+  # By default it grants all permissions.
+  permissions:
+  - apiGroups: [""]
+    resources: [services, services/status]
+    verbs: [get, list, patch, update, watch]
+  - apiGroups: [""]
+    resources: [nodes, pods]
+    verbs: [get, list, watch]
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext:
+  {}
+  # fsGroup: 2000
+
+securityContext:
+  {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+resources:
+  {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
--- a/packages/system/hetzner-robotlb/values.yaml
+++ b/packages/system/hetzner-robotlb/values.yaml
@@ -0,0 +1,3 @@
+robotlb:
+  replicas: 1
+  existingSecrets: ["hetzner-robotlb-credentials"]
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,7 +3,7 @@ kamaji:
    deploy: false
  image:
    pullPolicy: IfNotPresent
-    tag: v0.34.0@sha256:09465ae8285b4ae43203581e443409cd4e1e119dde62a5c14d63ce064fb840b0
+    tag: v0.35.0-alpha.1@sha256:7ce47da363e7be4f297e6de42a72416238c66c613e2effdbfa3fef987701d61a
    repository: ghcr.io/cozystack/cozystack/kamaji
  resources:
    limits:
--- a/packages/system/kubeovn-webhook/values.yaml
+++ b/packages/system/kubeovn-webhook/values.yaml
@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.34.0@sha256:b7841916659646823f556b7ce299f6ed55a2d10ca81736c19e721a890efd4694
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.35.0-alpha.1@sha256:dab57f5f68e77830b63c37c1b0c3228f404137435eced38bb21982954e280398
--- a/packages/system/kubeovn/values.yaml
+++ b/packages/system/kubeovn/values.yaml
@@ -64,4 +64,4 @@ global:
  images:
    kubeovn:
      repository: kubeovn
-      tag: v1.13.14@sha256:8409b093deada39a210784fd96461f16c1b1d5ae50e8a2285416b36a8ff6e13e
+      tag: v1.13.14@sha256:beb6e0bac9321fe9b26a11b24bf99a7e176af5e60a2826acc34a7edec5198e6a
--- a/packages/system/volumesnapshot-crd-for-tenant-k8s/templates/volumesnapshotclass.yaml
+++ b/packages/system/volumesnapshot-crd-for-tenant-k8s/templates/volumesnapshotclass.yaml
--- a/packages/system/objectstorage-controller/Makefile
+++ b/packages/system/objectstorage-controller/Makefile
@@ -24,6 +24,7 @@ image-controller image-sidecar:
 		--metadata-file images/$(TARGET).json \
 		--push=$(PUSH) --provenance=false --load=$(LOAD) \
 		--label "org.opencontainers.image.source=https://github.com/cozystack/cozystack"
-	IMAGE="$(REGISTRY)/objectstorage-$(TARGET):$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/$(TARGET).json -r)" && \
+	IMAGE="$(REGISTRY)/objectstorage-$(TARGET):$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/$(TARGET).json -r)" \
 		yq -i '$(YAML_PATH) = strenv(IMAGE)' $(VALUES_FILE)
 	rm -f images/$(TARGET).json
+	yq .seaweedfs.cosi.sidecar.image ../seaweedfs/values.yaml > ../../extra/seaweedfs/images/objectstorage-sidecar.tag
--- a/packages/system/objectstorage-controller/values.yaml
+++ b/packages/system/objectstorage-controller/values.yaml
@@ -1,3 +1,3 @@
 objectstorage:
  controller:
-    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:latest@sha256:173067339794fbf94534132eec5968b5fb6718037b77aefa00fd70b7413a8d4c"
+    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.35.0-alpha.1@sha256:2fe77880b81b0210273c85a142cb13e6857d13dd941337456b426597f5778bc3"
--- a/packages/system/seaweedfs/values.yaml
+++ b/packages/system/seaweedfs/values.yaml
@@ -4,7 +4,6 @@ global:
  extraEnvironmentVars:
    WEED_CLUSTER_SW_MASTER: "seaweedfs-master:9333"
    WEED_CLUSTER_SW_FILER: "seaweedfs-filer-client:8888"
-
 seaweedfs:
  master:
    replicas: 3
@@ -14,24 +13,19 @@ seaweedfs:
    # Y number of replica in other racks in the same data center
    # Z number of replica in other servers in the same rack
    defaultReplication: "001"
-  
    data:
      type: "emptyDir"
-  
    logs:
      type: ""
-  
  volume:
    replicas: 2
    # minimum free disk space(in percents). If free disk space lower this value - all volumes marks as ReadOnly
    minFreeSpacePercent: 5
-  
    dataDirs:
-    - name: data1
-      type: "persistentVolumeClaim"
-      size: "10Gi"
-      maxVolumes: 0
-  
+      - name: data1
+        type: "persistentVolumeClaim"
+        size: "10Gi"
+        maxVolumes: 0
  filer:
    replicas: 2
    #  replication type is XYZ:
@@ -41,10 +35,8 @@ seaweedfs:
    defaultReplicaPlacement: "001"
    data:
      type: "emptyDir"
-  
    logs:
      type: ""
-  
    extraEnvironmentVars:
      WEED_LEVELDB2_ENABLED: "false"
      WEED_POSTGRES2_ENABLED: "true"
@@ -73,7 +65,6 @@ seaweedfs:
        secretKeyRef:
          key: password
          name: seaweedfs-db-app
-
    s3:
      enabled: true
      port: 8333
@@ -86,13 +77,10 @@ seaweedfs:
      # should have a secret key called seaweedfs_s3_config with an inline json configure
      existingConfigSecret: null
      auditLogConfig: {}
-  
  s3:
    enableAuth: true
-  
    logs:
      type: ""
-   
    ingress:
      enabled: true
      className: "tenant-root"
@@ -104,9 +92,8 @@ seaweedfs:
        cert-manager.io/cluster-issuer: letsencrypt-prod
      tls:
        - hosts:
-          - seaweedfs.demo.cozystack.io
+            - seaweedfs.demo.cozystack.io
          secretName: seaweedfs-s3-ingress-tls
-
  cosi:
    enabled: true
    podLabels:
@@ -114,14 +101,12 @@ seaweedfs:
    driverName: "seaweedfs.objectstorage.k8s.io"
    bucketClassName: "seaweedfs"
    region: ""
-  
    sidecar:
-      image: "ghcr.io/kvaps/test:cosi-provisioner-sidecar-25"
-  
+      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.35.0-alpha.1@sha256:e4f9a7302285ea9febeb28fc2fa97cb7c01bb91e602f975c31aad1fe46f778f7"
  certificates:
    commonName: "SeaweedFS CA"
    ipAddresses: []
    keyAlgorithm: RSA
    keySize: 2048
-    duration: 2160h  # 90d
-    renewBefore: 360h  # 15d
+    duration: 2160h # 90d
+    renewBefore: 360h # 15d
--- a/pkg/registry/apps/application/rest.go
+++ b/pkg/registry/apps/application/rest.go
@@ -18,6 +18,7 @@ package application

 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"strings"
@@ -41,6 +42,10 @@ import (

 	appsv1alpha1 "github.com/cozystack/cozystack/pkg/apis/apps/v1alpha1"
 	"github.com/cozystack/cozystack/pkg/config"
+	internalapiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
+	schemadefault "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/defaulting"

 	// Importing API errors package to construct appropriate error responses
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -78,10 +83,21 @@ type REST struct {
 	kindName      string
 	singularName  string
 	releaseConfig config.ReleaseConfig
+	specSchema    *structuralschema.Structural
 }

 // NewREST creates a new REST storage for Application with specific configuration
 func NewREST(dynamicClient dynamic.Interface, config *config.Resource) *REST {
+	var specSchema *structuralschema.Structural
+	if raw := strings.TrimSpace(config.Application.OpenAPISchema); raw != "" {
+		var js internalapiext.JSONSchemaProps
+		if err := json.Unmarshal([]byte(raw), &js); err != nil {
+			klog.Errorf("Failed to unmarshal OpenAPI schema: %v", err)
+		} else if specSchema, err = structuralschema.NewStructural(&js); err != nil {
+			klog.Errorf("Failed to create structural schema: %v", err)
+		}
+	}
+
 	return &REST{
 		dynamicClient: dynamicClient,
 		gvr: schema.GroupVersionResource{
@@ -96,6 +112,7 @@ func NewREST(dynamicClient dynamic.Interface, config *config.Resource) *REST {
 		kindName:      config.Application.Kind,
 		singularName:  config.Application.Singular,
 		releaseConfig: config.Release,
+		specSchema:    specSchema,
 	}
 }

@@ -918,6 +935,10 @@ func (r *REST) ConvertHelmReleaseToApplication(hr *unstructured.Unstructured) (a
 		return appsv1alpha1.Application{}, err
 	}

+	if err := r.applySpecDefaults(&app); err != nil {
+		return app, fmt.Errorf("defaulting error: %w", err)
+	}
+
 	klog.V(6).Infof("Successfully converted HelmRelease %s to Application", hr.GetName())
 	return app, nil
 }
@@ -1170,3 +1191,28 @@ func (e errNotAcceptable) Status() metav1.Status {
 		Message: e.Error(),
 	}
 }
+
+// applySpecDefaults applies default values to the Application spec based on the schema
+func (r *REST) applySpecDefaults(app *appsv1alpha1.Application) error {
+	if r.specSchema == nil {
+		return nil
+	}
+	var m map[string]any
+	if app.Spec != nil && len(app.Spec.Raw) > 0 {
+		if err := json.Unmarshal(app.Spec.Raw, &m); err != nil {
+			return err
+		}
+	}
+	if m == nil {
+		m = map[string]any{}
+	}
+
+	schemadefault.Default(m, r.specSchema)
+
+	raw, err := json.Marshal(m)
+	if err != nil {
+		return err
+	}
+	app.Spec = &apiextv1.JSON{Raw: raw}
+	return nil
+}
Author	SHA1	Message	Date
Timofei Larkin	fe6020561c	[kubernetes] No default nodegroups in values Since nodegroups are defined as key-value pairs in the values, there's no easy way to remove the example md0 nodegroup that was provided there for purposes of documentation. Commenting it out from values.yaml keeps the documentation in place, but doesn't force the node group onto users. Release note: [kubernetes] Remove potentially undesirable node group from default values of kubernetes chart. Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>	2025-07-24 22:01:05 +03:00
Timofei Larkin	2f61798fa8	[platform] Autodetect RobotLB (#1271 ) If running in Hetzner and using Hetzner's cloud load balancers, node ports need to be allocated for the load balancer to function correctly. Therefore if RobotLB is enabled, we probably need to assign node ports. Release note: [platform] Autodetect if node ports should be assigned to load balancer services.	2025-07-24 22:41:10 +04:00
Andrei Kvapil	68a47097c1	Release v0.35.0-alpha.1 (#1274 ) This PR prepares the release `v0.35.0-alpha.1`. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Chores * Updated multiple container image tags and digests across various components to version v0.35.0-alpha.1, ensuring use of the latest pre-release images. * Switched some image references from generic or "latest" tags to specific versioned tags for improved reproducibility. * Updated version references in configuration files and dashboards to reflect the new pre-release version. * Applied minor formatting and whitespace cleanups in configuration files. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2025-07-24 19:10:46 +02:00
Timofei Larkin	917a6f354d	[platform] Autodetect RobotLB If running in Hetzner and using Hetzner's cloud load balancers, node ports need to be allocated for the load balancer to function correctly. Therefore if RobotLB is enabled, we probably need to assign node ports. Release note: [platform] Autodetect if node ports should be assigned to load balancer services. Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>	2025-07-24 18:55:30 +03:00
Andrei Kvapil	847a834920	[robotlb] fix chart name for installing (#1237 ) <!-- Thank you for making a contribution! Here are some tips for you: - Start the PR title with the [label] of Cozystack component: - For system components: [platform], [system], [linstor], [cilium], [kube-ovn], [dashboard], [cluster-api], etc. - For managed apps: [apps], [tenant], [kubernetes], [postgres], [virtual-machine] etc. - For development and maintenance: [tests], [ci], [docs], [maintenance]. - If it's a work in progress, consider creating this PR as a draft. - Don't hesistate to ask for opinion and review in the community chats, even if it's still a draft. - Add the label `backport` if it's a bugfix that needs to be backported to a previous version. --> ## What this PR does Rename of chart name for fixing installing issues ### Release note <!-- Write a release note: - Explain what has changed internally and for users. - Start with the same [label] as in the PR title - Follow the guidelines at https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md. --> ```release-note [robotlb] fix chart name for installing ``` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Chores * Updated the Helm chart name to "cozy-hetzner-robotlb". <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2025-07-24 17:45:55 +02:00
cozystack-bot	3088e987e3	Prepare release v0.35.0-alpha.1 Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>	2025-07-24 15:39:28 +00:00
Andrei Kvapil	fddeea03f0	[cozystack-api] show default values from openapi spec (#1241 ) Signed-off-by: Andrei Kvapil <kvapss@gmail.com> <!-- Thank you for making a contribution! Here are some tips for you: - Start the PR title with the [label] of Cozystack component: - For system components: [platform], [system], [linstor], [cilium], [kube-ovn], [dashboard], [cluster-api], etc. - For managed apps: [apps], [tenant], [kubernetes], [postgres], [virtual-machine] etc. - For development and maintenance: [tests], [ci], [docs], [maintenance]. - If it's a work in progress, consider creating this PR as a draft. - Don't hesistate to ask for opinion and review in the community chats, even if it's still a draft. - Add the label `backport` if it's a bugfix that needs to be backported to a previous version. --> ## What this PR does ### Release note <!-- Write a release note: - Explain what has changed internally and for users. - Start with the same [label] as in the PR title - Follow the guidelines at https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md. --> ```release-note [cozystack-api] show default values from openapi spec ``` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Application resources now automatically receive default values in their specifications when converted from HelmRelease, ensuring more complete and accurate configurations. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2025-07-24 17:26:14 +02:00
Andrei Kvapil	2fefafd061	[seaweedfs] Add Client topology (#1239 ) Signed-off-by: Andrei Kvapil <kvapss@gmail.com> <!-- Thank you for making a contribution! Here are some tips for you: - Start the PR title with the [label] of Cozystack component: - For system components: [platform], [system], [linstor], [cilium], [kube-ovn], [dashboard], [cluster-api], etc. - For managed apps: [apps], [tenant], [kubernetes], [postgres], [virtual-machine] etc. - For development and maintenance: [tests], [ci], [docs], [maintenance]. - If it's a work in progress, consider creating this PR as a draft. - Don't hesistate to ask for opinion and review in the community chats, even if it's still a draft. - Add the label `backport` if it's a bugfix that needs to be backported to a previous version. --> ## What this PR does ### Release note <!-- Write a release note: - Explain what has changed internally and for users. - Start with the same [label] as in the PR title - Follow the guidelines at https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md. --> ```release-note [seaweedfs] Add Client topology ``` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for a new "Client" topology mode in SeaweedFS, enabling integration with remote filer endpoints. * Introduced new configuration options: `filer.external` to allow external filer access, and `remoteEndpoint` for specifying a remote filer service when using "Client" topology. * Added new Kubernetes resources (Deployment, ServiceAccount, ClusterRole, ClusterRoleBinding, BucketClass, BucketAccessClass) for object storage provisioner in "Client" mode. * Added a LoadBalancer service for external filer access when enabled. * Improvements * Enhanced configuration schema and documentation to reflect new topology and parameters. * Updated role and access control for dashboard resources. * Improved detection and validation of deployment topology, preventing unsupported changes post-deployment. * Bug Fixes * Ensured VerticalPodAutoscaler resources are not created when using "Client" topology. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2025-07-24 17:25:55 +02:00
Andrei Kvapil	084be87618	fix net pod policy (#1232 ) <!-- Thank you for making a contribution! Here are some tips for you: - Start the PR title with the [label] of Cozystack component: - For system components: [platform], [system], [linstor], [cilium], [kube-ovn], [dashboard], [cluster-api], etc. - For managed apps: [apps], [tenant], [kubernetes], [postgres], [virtual-machine] etc. - For development and maintenance: [tests], [ci], [docs], [maintenance]. - If it's a work in progress, consider creating this PR as a draft. - Don't hesistate to ask for opinion and review in the community chats, even if it's still a draft. - Add the label `backport` if it's a bugfix that needs to be backported to a previous version. --> ## What this PR does ### Release note <!-- Write a release note: - Explain what has changed internally and for users. - Start with the same [label] as in the PR title - Follow the guidelines at https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md. --> ```release-note - fix net pod policy ``` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Chores * Updated tenant application version to 1.11.2. * Updated version mapping to reflect the new release. * New Features * Extended network policy to allow traffic to additional tenant-related services across namespace hierarchies. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2025-07-24 17:25:41 +02:00
kklinch0	6598213b58	fix net pod policy Signed-off-by: kklinch0 <kklinch0@gmail.com>	2025-07-24 17:28:10 +03:00
Andrei Kvapil	4079a69335	[seaweedfs] Add Client topology Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2025-07-24 15:59:14 +02:00
Andrei Kvapil	553c2d5482	[cozystack-api] show default values from openapi spec Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2025-07-24 15:42:05 +02:00
Andrei Kvapil	0c9ab17a12	Fix recording image for objectstorage Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2025-07-24 15:19:27 +02:00
Andrei Kvapil	5e8f6e0503	[cosi] fix building objectstorage images Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2025-07-24 01:24:13 +02:00
Andrei Kvapil	f04cd55f2a	[kubernetes] fix volumesnapshotclass installation (#1238 ) Signed-off-by: Andrei Kvapil <kvapss@gmail.com> <!-- Thank you for making a contribution! Here are some tips for you: - Start the PR title with the [label] of Cozystack component: - For system components: [platform], [system], [linstor], [cilium], [kube-ovn], [dashboard], [cluster-api], etc. - For managed apps: [apps], [tenant], [kubernetes], [postgres], [virtual-machine] etc. - For development and maintenance: [tests], [ci], [docs], [maintenance]. - If it's a work in progress, consider creating this PR as a draft. - Don't hesistate to ask for opinion and review in the community chats, even if it's still a draft. - Add the label `backport` if it's a bugfix that needs to be backported to a previous version. --> ## What this PR does This PR fixes regression introduced by https://github.com/cozystack/cozystack/pull/1203 error: ``` Helm install failed for release cozy-volumesnapshot-crd-for-tenant-k8s/volumesnapshot-crd-for-tenant-k8s with chart cozy-volumesnapshot-crd-for-tenant-k8s@0.34.0: unable to build kubernetes objects from release manifest: resource mapping not found for name: "kubevirt-snapshots" namespace: "" from "": no matches for kind "VolumeSnapshotClass" in version "snapshot.storage.k8s.io/v1"... ``` ### Release note <!-- Write a release note: - Explain what has changed internally and for users. - Start with the same [label] as in the PR title - Follow the guidelines at https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md. --> ```release-note [kubernetes] fix volumesnapshotclass installation ```	2025-07-24 01:20:25 +02:00
Andrei Kvapil	53d9cf365d	[kubernetes] fix volumesnapshotclass installation Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2025-07-23 17:28:28 +02:00
Timofei Larkin	94e2fd0ff9	[ci] Refactor testing logic (#1236 ) * Simplify test discovery logic in workflow. * Delete Clickhouse after successful test. * Separate two k8s tests into separate jobs.	2025-07-23 18:33:05 +04:00
IvanHunters	0618446b95	fix chart name Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>	2025-07-23 14:45:25 +03:00
Timofei Larkin	640d0f10ac	[ci] Refactor testing logic * Simplify test discovery logic in workflow. * Delete Clickhouse after successful test. * Separate two k8s tests into separate jobs. Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>	2025-07-23 14:00:24 +03:00
Timofei Larkin	a03530a72f	[robotlb] add Hetzner Robotlb balancer (#1233 ) [robotlb] Add support for Hetzner load balancers Co-authored-by: Ahmad Murzahmatov <gwynbleidd2106@yandex.com>	2025-07-23 14:55:57 +04:00
IvanHunters	3612bbd8ca	[fix] add robotlb to bundles Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>	2025-07-23 13:26:36 +03:00
IvanHunters	028bb365ff	[lb] add hetzner robotlb balancer Signed-off-by: IvanHunters <xorokhotnikov@gmail.com> Co-authored-by: Ahmad Murzahmatov <gwynbleidd2106@yandex.com>	2025-07-23 12:34:57 +03:00
				`@@ -0,0 +1 @@`
				`ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.35.0-alpha.1@sha256:e4f9a7302285ea9febeb28fc2fa97cb7c01bb91e602f975c31aad1fe46f778f7`