api

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.github/workflows/auto-release.yaml

@@ -1,188 +0,0 @@
-name: Auto Patch Release
-
-on:
-  schedule:
-    # Run daily at 2:00 AM CET (1:00 UTC in winter, 0:00 UTC in summer)
-    # Using 1:00 UTC to approximate 2:00 AM CET
-    - cron: '0 1 * * *'
-  workflow_dispatch: # Allow manual trigger
-
-concurrency:
-  group: auto-release-${{ github.workflow }}
-  cancel-in-progress: false
-
-jobs:
-  auto-release:
-    name: Auto Patch Release
-    runs-on: [self-hosted]
-    permissions:
-      contents: write
-      pull-requests: read
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          fetch-tags: true
-
-      - name: Configure git
-        env:
-          GH_PAT: ${{ secrets.GH_PAT }}
-        run: |
-          git config user.name  "cozystack-bot"
-          git config user.email "217169706+cozystack-bot@users.noreply.github.com"
-          git remote set-url origin https://cozystack-bot:${GH_PAT}@github.com/${GITHUB_REPOSITORY}
-          git config --unset-all http.https://github.com/.extraheader || true
-
-      - name: Process release branches
-        uses: actions/github-script@v7
-        env:
-          GH_PAT: ${{ secrets.GH_PAT }}
-        with:
-          github-token: ${{ secrets.GH_PAT }}
-          script: |
-            const { execSync } = require('child_process');
-
-            // Configure git to use PAT for authentication
-            execSync('git config user.name "cozystack-bot"', { encoding: 'utf8' });
-            execSync('git config user.email "217169706+cozystack-bot@users.noreply.github.com"', { encoding: 'utf8' });
-            execSync(`git remote set-url origin https://cozystack-bot:${process.env.GH_PAT}@github.com/${process.env.GITHUB_REPOSITORY}`, { encoding: 'utf8' });
-            // Remove GITHUB_TOKEN extraheader to ensure PAT is used (needed to trigger other workflows)
-            execSync('git config --unset-all http.https://github.com/.extraheader || true', { encoding: 'utf8' });
-
-            // Get all release-X.Y branches
-            const branches = execSync('git branch -r | grep -E "origin/release-[0-9]+\\.[0-9]+$" | sed "s|origin/||" | tr -d " "', { encoding: 'utf8' })
-              .split('\n')
-              .filter(b => b.trim())
-              .filter(b => /^release-\d+\.\d+$/.test(b));
-            
-            console.log(`Found ${branches.length} release branches: ${branches.join(', ')}`);
-            
-            // Get all published releases (not draft)
-            const allReleases = await github.rest.repos.listReleases({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              per_page: 100
-            });
-            
-            // Filter to only published releases (not draft) with tags matching vX.Y.Z (no suffixes)
-            const publishedReleases = allReleases.data
-              .filter(r => !r.draft)
-              .filter(r => /^v\d+\.\d+\.\d+$/.test(r.tag_name));
-            
-            console.log(`Found ${publishedReleases.length} published releases without suffixes`);
-            
-            for (const branch of branches) {
-              console.log(`\n=== Processing branch: ${branch} ===`);
-              
-              // Extract X.Y from branch name (release-X.Y)
-              const match = branch.match(/^release-(\d+\.\d+)$/);
-              if (!match) {
-                console.log(`  ⚠️  Branch ${branch} doesn't match pattern, skipping`);
-                continue;
-              }
-              
-              const [major, minor] = match[1].split('.');
-              const versionPrefix = `v${major}.${minor}.`;
-              
-              console.log(`  Looking for releases with prefix: ${versionPrefix}`);
-              
-              // Find the latest published release for this branch (vX.Y.Z without suffixes)
-              const branchReleases = publishedReleases
-                .filter(r => r.tag_name.startsWith(versionPrefix))
-                .filter(r => /^v\d+\.\d+\.\d+$/.test(r.tag_name)); // Ensure no suffixes
-              
-              if (branchReleases.length === 0) {
-                console.log(`  ⚠️  No published releases found for ${branch}, skipping`);
-                continue;
-              }
-              
-              // Sort by version (descending) to get the latest
-              branchReleases.sort((a, b) => {
-                const aVersion = a.tag_name.match(/^v(\d+)\.(\d+)\.(\d+)$/);
-                const bVersion = b.tag_name.match(/^v(\d+)\.(\d+)\.(\d+)$/);
-                if (!aVersion || !bVersion) return 0;
-                
-                const aNum = parseInt(aVersion[1]) * 10000 + parseInt(aVersion[2]) * 100 + parseInt(aVersion[3]);
-                const bNum = parseInt(bVersion[1]) * 10000 + parseInt(bVersion[2]) * 100 + parseInt(bVersion[3]);
-                return bNum - aNum;
-              });
-              
-              const latestRelease = branchReleases[0];
-              console.log(`  ✅ Latest published release: ${latestRelease.tag_name}`);
-              
-              // Get the commit SHA for this release tag
-              let releaseCommitSha;
-              try {
-                releaseCommitSha = execSync(`git rev-list -n 1 ${latestRelease.tag_name}`, { encoding: 'utf8' }).trim();
-                console.log(`  Release commit SHA: ${releaseCommitSha}`);
-              } catch (error) {
-                console.log(`  ⚠️  Could not find commit for tag ${latestRelease.tag_name}, skipping`);
-                continue;
-              }
-              
-              // Checkout the branch
-              execSync(`git fetch origin ${branch}:${branch}`, { encoding: 'utf8' });
-              execSync(`git checkout ${branch}`, { encoding: 'utf8' });
-              
-              // Get the latest commit on the branch
-              const latestBranchCommit = execSync('git rev-parse HEAD', { encoding: 'utf8' }).trim();
-              console.log(`  Latest branch commit: ${latestBranchCommit}`);
-              
-              // Check if there are new commits after the release
-              const commitsAfterRelease = execSync(
-                `git rev-list ${releaseCommitSha}..HEAD --oneline`,
-                { encoding: 'utf8' }
-              ).trim();
-              
-              if (!commitsAfterRelease) {
-                console.log(`  ℹ️  No new commits after ${latestRelease.tag_name}, skipping`);
-                continue;
-              }
-              
-              console.log(`  ✅ Found new commits after release:`);
-              console.log(commitsAfterRelease);
-              
-              // Calculate next version (Z+1)
-              const versionMatch = latestRelease.tag_name.match(/^v(\d+)\.(\d+)\.(\d+)$/);
-              if (!versionMatch) {
-                console.log(`  ❌ Could not parse version from ${latestRelease.tag_name}, skipping`);
-                continue;
-              }
-              
-              const nextPatch = parseInt(versionMatch[3]) + 1;
-              const nextTag = `v${versionMatch[1]}.${versionMatch[2]}.${nextPatch}`;
-              
-              console.log(`  🏷️  Creating new tag: ${nextTag} on commit ${latestBranchCommit}`);
-              
-              // Create and push the tag with base_ref for workflow triggering
-              try {
-                // Delete local tag if exists to force update
-                try {
-                  execSync(`git tag -d ${nextTag}`, { encoding: 'utf8' });
-                } catch (e) {
-                  // Tag doesn't exist locally, that's fine
-                }
-
-                // Delete remote tag if exists
-                try {
-                  execSync(`git push origin :refs/tags/${nextTag}`, { encoding: 'utf8' });
-                } catch (e) {
-                  // Tag doesn't exist remotely, that's fine
-                }
-
-                // Create tag locally
-                execSync(`git tag ${nextTag} ${latestBranchCommit}`, { encoding: 'utf8' });
-
-                // Push tag with HEAD reference to preserve base_ref
-                execSync(`git push origin HEAD:refs/tags/${nextTag}`, { encoding: 'utf8' });
-                console.log(`  ✅ Successfully created and pushed tag ${nextTag}`);
-              } catch (error) {
-                console.log(`  ❌ Error creating/pushing tag ${nextTag}: ${error.message}`);
-                core.setFailed(`Failed to create tag ${nextTag} for branch ${branch}`);
-              }
-            }
-            
-            console.log(`\n✅ Finished processing all release branches`);
-

.github/workflows/pull-requests-release.yaml

@@ -46,12 +46,7 @@ jobs:
           fetch-depth: 0
 
       - name: Create tag on merge commit
-        env:
-          GH_PAT: ${{ secrets.GH_PAT }}
         run: |
-          git config user.name  "cozystack-bot"
-          git config user.email "217169706+cozystack-bot@users.noreply.github.com"
-          git remote set-url origin https://cozystack-bot:${GH_PAT}@github.com/${GITHUB_REPOSITORY}
           git tag -f ${{ steps.get_tag.outputs.tag }} ${{ github.sha }}
           git push -f origin ${{ steps.get_tag.outputs.tag }}
 
@@ -110,95 +105,67 @@ jobs:
               }
             }
 
-      # Publish draft release and ensure correct latest flag
-      - name: Publish draft release
+      # Get the latest published release
+      - name: Get the latest published release
+        id: latest_release
         uses: actions/github-script@v7
         with:
           script: |
-            const tag = '${{ steps.get_tag.outputs.tag }}';
+            try {
+              const rel = await github.rest.repos.getLatestRelease({
+                owner: context.repo.owner,
+                repo:  context.repo.repo
+              });
+              core.setOutput('tag', rel.data.tag_name);
+            } catch (_) {
+              core.setOutput('tag', '');
+            }
+
+      # Compare current tag vs latest using semver-utils
+      - name: Semver compare
+        id: semver
+        uses: madhead/semver-utils@v4.3.0
+        with:
+          version:    ${{ steps.get_tag.outputs.tag }}
+          compare-to: ${{ steps.latest_release.outputs.tag }}
+
+      # Derive flags: prerelease?  make_latest?
+      - name: Calculate publish flags
+        id: flags
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const tag = '${{ steps.get_tag.outputs.tag }}';              // v0.31.5-rc.1
             const m = tag.match(/^v(\d+\.\d+\.\d+)(-(?:alpha|beta|rc)\.\d+)?$/);
             if (!m) {
               core.setFailed(`❌ tag '${tag}' must match 'vX.Y.Z' or 'vX.Y.Z-(alpha|beta|rc).N'`);
               return;
             }
-            const isRc = Boolean(m[2]);
+            const version = m[1] + (m[2] ?? '');                         // 0.31.5-rc.1
+            const isRc    = Boolean(m[2]);
+            core.setOutput('is_rc',      isRc);
+            const outdated = '${{ steps.semver.outputs.comparison-result }}' === '<';
+            core.setOutput('make_latest', isRc || outdated ? 'false' : 'legacy');
 
-            // Parse semver string to comparable numbers
-            function parseSemver(v) {
-              const match = v.replace(/^v/, '').match(/^(\d+)\.(\d+)\.(\d+)/);
-              if (!match) return null;
-              return {
-                major: parseInt(match[1]),
-                minor: parseInt(match[2]),
-                patch: parseInt(match[3])
-              };
-            }
-
-            // Compare two semver objects
-            function compareSemver(a, b) {
-              if (a.major !== b.major) return a.major - b.major;
-              if (a.minor !== b.minor) return a.minor - b.minor;
-              return a.patch - b.patch;
-            }
-
-            const currentSemver = parseSemver(tag);
-
-            // Get all releases
+      # Publish draft release with correct flags
+      - name: Publish draft release
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const tag = '${{ steps.get_tag.outputs.tag }}';
             const releases = await github.rest.repos.listReleases({
               owner: context.repo.owner,
-              repo: context.repo.repo,
-              per_page: 100
+              repo:  context.repo.repo
             });
-
-            // Find draft release to publish
             const draft = releases.data.find(r => r.tag_name === tag && r.draft);
             if (!draft) throw new Error(`Draft release for ${tag} not found`);
-
-            // Find max semver among published releases (excluding current draft)
-            const publishedReleases = releases.data
-              .filter(r => !r.draft && !r.prerelease)
-              .filter(r => /^v\d+\.\d+\.\d+$/.test(r.tag_name))
-              .map(r => ({ id: r.id, tag: r.tag_name, semver: parseSemver(r.tag_name) }))
-              .filter(r => r.semver !== null);
-
-            let maxRelease = null;
-            for (const rel of publishedReleases) {
-              if (!maxRelease || compareSemver(rel.semver, maxRelease.semver) > 0) {
-                maxRelease = rel;
-              }
-            }
-
-            // Determine if this release should be latest
-            const isOutdated = maxRelease && compareSemver(currentSemver, maxRelease.semver) < 0;
-            const makeLatest = (isRc || isOutdated) ? 'false' : 'true';
-
-            if (isRc) {
-              console.log(`🏷️  ${tag} is a prerelease, make_latest: false`);
-            } else if (isOutdated) {
-              console.log(`🏷️  ${tag} < ${maxRelease.tag} (max semver), make_latest: false`);
-            } else {
-              console.log(`🏷️  ${tag} is the highest version, make_latest: true`);
-            }
-
-            // Publish the release
             await github.rest.repos.updateRelease({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              release_id: draft.id,
-              draft: false,
-              prerelease: isRc,
-              make_latest: makeLatest
+              owner:       context.repo.owner,
+              repo:        context.repo.repo,
+              release_id:  draft.id,
+              draft:       false,
+              prerelease:  ${{ steps.flags.outputs.is_rc }},
+              make_latest: '${{ steps.flags.outputs.make_latest }}'
             });
-            console.log(`🚀 Published release ${tag}`);
 
-            // If this is a backport/outdated release, ensure the correct release is marked as latest
-            if (isOutdated && maxRelease) {
-              console.log(`🔧 Ensuring ${maxRelease.tag} remains the latest release...`);
-              await github.rest.repos.updateRelease({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                release_id: maxRelease.id,
-                make_latest: 'true'
-              });
-              console.log(`✅ Restored ${maxRelease.tag} as latest release`);
-            }
+            console.log(`🚀 Published release for ${tag}`);

.github/workflows/pull-requests.yaml

@@ -58,7 +58,7 @@ jobs:
           DOCKER_CONFIG: ${{ runner.temp }}/.docker
 
       - name: Build Talos image
-        run: make -C packages/core/talos talos-nocloud
+        run: make -C packages/core/installer talos-nocloud
 
       - name: Save git diff as patch
         if: "!contains(github.event.pull_request.labels.*.name, 'release')"

.github/workflows/retest.yaml

@@ -1,78 +0,0 @@
-name: Retest
-
-on:
-  issue_comment:
-    types: [created]
-
-jobs:
-  retest:
-    name: Retest PR
-    runs-on: ubuntu-latest
-    if: |
-      github.event.issue.pull_request &&
-      contains(github.event.comment.body, '/retest')
-    permissions:
-      actions: write
-      pull-requests: read
-
-    steps:
-      - name: Rerun from Prepare environment
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const prNumber = context.issue.number;
-
-            // Get the PR to find the head SHA
-            const pr = await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: prNumber
-            });
-
-            // Find the latest workflow run for this PR
-            const runs = await github.rest.actions.listWorkflowRuns({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              workflow_id: 'pull-requests.yaml',
-              head_sha: pr.data.head.sha
-            });
-
-            if (runs.data.workflow_runs.length === 0) {
-              core.setFailed('No workflow runs found for this PR');
-              return;
-            }
-
-            const latestRun = runs.data.workflow_runs[0];
-            console.log(`Found workflow run: ${latestRun.id} (${latestRun.status})`);
-
-            // Check if workflow is waiting for approval (fork PRs)
-            if (latestRun.conclusion === 'action_required') {
-              core.setFailed('Workflow is waiting for approval. A maintainer must approve the workflow first.');
-              return;
-            }
-
-            // Get jobs for this run
-            const jobs = await github.rest.actions.listJobsForWorkflowRun({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              run_id: latestRun.id
-            });
-
-            // Find "Prepare environment" job
-            const prepareJob = jobs.data.jobs.find(j => j.name === 'Prepare environment');
-
-            if (!prepareJob) {
-              core.setFailed('Could not find "Prepare environment" job');
-              return;
-            }
-
-            console.log(`Found job: ${prepareJob.name} (id: ${prepareJob.id}, status: ${prepareJob.status})`);
-
-            // Rerun the job
-            await github.rest.actions.reRunJobForWorkflowRun({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              job_id: prepareJob.id
-            });
-
-            console.log(`✅ Triggered rerun of job "${prepareJob.name}" (${prepareJob.id})`);

.github/workflows/tags.yaml

@@ -123,6 +123,32 @@ jobs:
           git commit -m "Prepare release ${GITHUB_REF#refs/tags/}" -s || echo "No changes to commit"
           git push origin HEAD || true
 
+      # Get `latest_version` from latest published release 
+      - name: Get latest published release
+        if: steps.check_release.outputs.skip == 'false'
+        id: latest_release
+        uses: actions/github-script@v7
+        with:
+          script: |
+            try {
+              const rel = await github.rest.repos.getLatestRelease({
+                owner: context.repo.owner,
+                repo:  context.repo.repo
+              });
+              core.setOutput('tag', rel.data.tag_name);
+            } catch (_) {
+              core.setOutput('tag', '');
+            }
+
+      # Compare tag (A) with latest (B)
+      - name: Semver compare
+        if: steps.check_release.outputs.skip == 'false'
+        id: semver
+        uses: madhead/semver-utils@v4.3.0
+        with:
+          version:     ${{ steps.tag.outputs.tag }}            # A
+          compare-to:  ${{ steps.latest_release.outputs.tag }} # B
+
       # Create or reuse draft release
       - name: Create / reuse draft release
         if: steps.check_release.outputs.skip == 'false'

.github/workflows/update-releasenotes.yaml

@@ -1,92 +0,0 @@
-name: Update Release Notes
-
-on:
-  push:
-    branches:
-      - main
-
-concurrency:
-  group: update-releasenotes-${{ github.workflow }}
-  cancel-in-progress: false
-
-jobs:
-  update-releasenotes:
-    name: Update Release Notes
-    runs-on: [self-hosted]
-    permissions:
-      contents: write
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Update release notes from changelogs
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            
-            const changelogDir = 'docs/changelogs';
-            
-            // Get releases from first page
-            const releases = await github.rest.repos.listReleases({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              per_page: 30
-            });
-            
-            console.log(`Found ${releases.data.length} releases (first page only)`);
-            
-            // Process each release
-            for (const release of releases.data) {
-              const tag = release.tag_name;
-              const changelogFile = `${tag}.md`;
-              const changelogPath = path.join(changelogDir, changelogFile);
-              
-              console.log(`\nProcessing release: ${tag}`);
-              
-              // Check if changelog file exists
-              if (!fs.existsSync(changelogPath)) {
-                console.log(`  ⚠️  Changelog file ${changelogFile} does not exist, skipping...`);
-                continue;
-              }
-              
-              // Read changelog file content
-              let changelogContent;
-              try {
-                changelogContent = fs.readFileSync(changelogPath, 'utf8');
-              } catch (error) {
-                console.log(`  ❌ Error reading file ${changelogPath}: ${error.message}`);
-                continue;
-              }
-              
-              if (!changelogContent.trim()) {
-                console.log(`  ⚠️  Changelog file ${changelogFile} is empty, skipping...`);
-                continue;
-              }
-              
-              // Check if content is already up to date
-              const currentBody = release.body || '';
-              if (currentBody.trim() === changelogContent.trim()) {
-                console.log(`  ✓ Content is already up to date, skipping...`);
-                continue;
-              }
-              
-              // Update release notes
-              try {
-                await github.rest.repos.updateRelease({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  release_id: release.id,
-                  body: changelogContent
-                });
-                console.log(`  ✅ Successfully updated release notes for ${tag}`);
-              } catch (error) {
-                console.log(`  ❌ Error updating release ${tag}: ${error.message}`);
-                core.setFailed(`Failed to update release notes for ${tag}`);
-              }
-            }
-

AGENTS.md

@@ -3,38 +3,14 @@
 This file provides structured guidance for AI coding assistants and agents
 working with the **Cozystack** project.
 
-## Activation
+## Agent Documentation
 
-**CRITICAL**: When the user asks you to do something that matches the scope of a documented process, you MUST read the corresponding documentation file and follow the instructions exactly as written.
-
-- **Commits, PRs, git operations** (e.g., "create a commit", "make a PR", "fix review comments", "rebase", "cherry-pick")
-  - Read: [`contributing.md`](./docs/agents/contributing.md)
-  - Action: Read the entire file and follow ALL instructions step-by-step
-
-- **Changelog generation** (e.g., "generate changelog", "create changelog", "prepare changelog for version X")
-  - Read: [`changelog.md`](./docs/agents/changelog.md)
-  - Action: Read the entire file and follow ALL steps in the checklist. Do NOT skip any mandatory steps
-
-- **Release creation** (e.g., "create release", "prepare release", "tag release", "make a release")
-  - Read: [`releasing.md`](./docs/agents/releasing.md)
-  - Action: Read the file and follow the referenced release process in `docs/release.md`
-
-- **Project structure, conventions, code layout** (e.g., "where should I put X", "what's the convention for Y", "how is the project organized")
-  - Read: [`overview.md`](./docs/agents/overview.md)
-  - Action: Read relevant sections to understand project structure and conventions
-
-- **General questions about contributing**
-  - Read: [`contributing.md`](./docs/agents/contributing.md)
-  - Action: Read the file to understand git workflow, commit format, PR process
-
-**Important rules:**
-- ✅ **ONLY read the file if the task matches the documented process scope** - do not read files for tasks that don't match their purpose
-- ✅ **ALWAYS read the file FIRST** before starting the task (when applicable)
-- ✅ **Follow instructions EXACTLY** as written in the documentation
-- ✅ **Do NOT skip mandatory steps** (especially in changelog.md)
-- ✅ **Do NOT assume** you know the process - always check the documentation when the task matches
-- ❌ **Do NOT read files** for tasks that are outside their documented scope
-- 📖 **Note**: [`overview.md`](./docs/agents/overview.md) can be useful as a reference to understand project structure and conventions, even when not explicitly required by the task
+| Agent | Purpose |
+|-------|---------|
+| [overview.md](./docs/agents/overview.md) | Project structure and conventions |
+| [contributing.md](./docs/agents/contributing.md) | Commits, pull requests, and git workflow |
+| [changelog.md](./docs/agents/changelog.md) | Changelog generation instructions |
+| [releasing.md](./docs/agents/releasing.md) | Release process and workflow |
 
 ## Project Overview
 

Makefile

@@ -15,9 +15,9 @@ build: build-deps
 	make -C packages/extra/monitoring image
 	make -C packages/system/cozystack-api image
 	make -C packages/system/cozystack-controller image
+	make -C packages/system/backup-controller image
 	make -C packages/system/lineage-controller-webhook image
 	make -C packages/system/cilium image
-	make -C packages/system/linstor image
 	make -C packages/system/kubeovn-webhook image
 	make -C packages/system/kubeovn-plunger image
 	make -C packages/system/dashboard image
@@ -26,7 +26,6 @@ build: build-deps
 	make -C packages/system/bucket image
 	make -C packages/system/objectstorage-controller image
 	make -C packages/core/testing image
-	make -C packages/core/talos image
 	make -C packages/core/platform image
 	make -C packages/core/installer image
 	make manifests
@@ -42,7 +41,7 @@ manifests:
 	(cd packages/core/installer/; helm template -n cozy-installer installer .) > _out/assets/cozystack-installer.yaml
 
 assets:
-	make -C packages/core/talos assets
+	make -C packages/core/installer assets
 
 test:
 	make -C packages/core/testing apply

api/.gitattributes

@@ -0,0 +1 @@
+zz_generated_deepcopy.go linguist-generated

api/backups/strategy/v1alpha1/groupversion_info.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=strategy.backups.cozystack.io
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupVersion  = schema.GroupVersion{Group: "strategy.backups.cozystack.io", Version: "v1alpha1"}
+	SchemeBuilder = runtime.NewSchemeBuilder(addGroupVersion)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addGroupVersion(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+	return nil
+}

api/backups/strategy/v1alpha1/job_types.go

@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines strategy.backups.cozystack.io API types.
+//
+// Group: strategy.backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Job{},
+			&JobList{},
+		)
+		return nil
+	})
+}
+
+const (
+	JobStrategyKind = "Job"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+
+// Job defines a backup strategy using a one-shot Job
+type Job struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   JobSpec   `json:"spec,omitempty"`
+	Status JobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// JobList contains a list of backup Jobs.
+type JobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Job `json:"items"`
+}
+
+// JobSpec specifies the desired behavior of a backup job.
+type JobSpec struct {
+	// Template holds a PodTemplateSpec with the right shape to
+	// run a single pod to completion and create a tarball with
+	// a given apps data. Helm-like Go templates are supported.
+	// The values of the source application are available under
+	// `.Values`. `.Release.Name` and `.Release.Namespace` are
+	// also exported.
+	Template corev1.PodTemplateSpec `json:"template"`
+}
+
+type JobStatus struct {
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}

api/backups/strategy/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,123 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Job) DeepCopyInto(out *Job) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Job.
+func (in *Job) DeepCopy() *Job {
+	if in == nil {
+		return nil
+	}
+	out := new(Job)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Job) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobList) DeepCopyInto(out *JobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Job, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobList.
+func (in *JobList) DeepCopy() *JobList {
+	if in == nil {
+		return nil
+	}
+	out := new(JobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobSpec) DeepCopyInto(out *JobSpec) {
+	*out = *in
+	in.Template.DeepCopyInto(&out.Template)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobSpec.
+func (in *JobSpec) DeepCopy() *JobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(JobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobStatus) DeepCopyInto(out *JobStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobStatus.
+func (in *JobStatus) DeepCopy() *JobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(JobStatus)
+	in.DeepCopyInto(out)
+	return out
+}

api/backups/v1alpha1/DESIGN.md

@@ -0,0 +1,421 @@
+# Cozystack Backups – Core API & Contracts (Draft)
+
+## 1. Overview
+
+Cozystack’s backup subsystem provides a generic, composable way to back up and restore managed applications:
+
+* Every **application instance** can have one or more **backup plans**.
+* Backups are stored in configurable **storage locations**.
+* The mechanics of *how* a backup/restore is performed are delegated to **strategy drivers**, each implementing driver-specific **BackupStrategy** CRDs.
+
+The core API:
+
+* Orchestrates **when** backups happen and **where** they’re stored.
+* Tracks **what** backups exist and their status.
+* Defines contracts with drivers via shared resources (`BackupJob`, `Backup`, `RestoreJob`).
+
+It does **not** implement the backup logic itself.
+
+This document covers only the **core** API and its contracts with drivers, not driver implementations.
+
+---
+
+## 2. Goals and non-goals
+
+### Goals
+
+* Provide a **stable core API** for:
+
+  * Declaring **backup plans** per application.
+  * Configuring **storage targets** (S3, in-cluster bucket, etc.).
+  * Tracking **backup artifacts**.
+  * Initiating and tracking **restores**.
+* Allow multiple **strategy drivers** to plug in, each supporting specific kinds of applications and strategies.
+* Let application/product authors implement backup for their kinds by:
+
+  * Creating **Plan** objects referencing a **driver-specific strategy**.
+  * Not having to write a backup engine themselves.
+
+### Non-goals
+
+* Implement backup logic for any specific application or storage backend.
+* Define the internal structure of driver-specific strategy CRDs.
+* Handle tenant-facing UI/UX (that’s built on top of these APIs).
+
+---
+
+## 3. Architecture
+
+High-level components:
+
+* **Core backups controller(s)** (Cozystack-owned):
+
+  * Group: `backups.cozystack.io`
+  * Own:
+
+    * `Plan`
+    * `BackupJob`
+    * `Backup`
+    * `RestoreJob`
+  * Responsibilities:
+
+    * Schedule backups based on `Plan`.
+    * Create `BackupJob` objects when due.
+    * Provide stable contracts for drivers to:
+
+      * Perform backups and create `Backup`s.
+      * Perform restores based on `Backup`s.
+
+* **Strategy drivers** (pluggable, possibly third-party):
+
+  * Their own API groups, e.g. `jobdriver.backups.cozystack.io`.
+  * Own **strategy CRDs** (e.g. `JobBackupStrategy`).
+  * Implement controllers that:
+
+    * Watch `BackupJob` / `RestoreJob`.
+    * Match runs whose `strategyRef` GVK they support.
+    * Execute backup/restore logic.
+    * Create and update `Backup` and run statuses.
+
+Strategy drivers and core communicate entirely via Kubernetes objects; there are no webhook/HTTP calls between them.
+
+* **Storage drivers** (pluggable, possibly third-party):
+
+  * **TBD**
+
+---
+
+## 4. Core API resources
+
+### 4.1 Plan
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=Plan`
+
+**Purpose**
+Describe **when**, **how**, and **where** to back up a specific managed application.
+
+**Key fields (spec)**
+
+```go
+type PlanSpec struct {
+    // Application to back up.
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+    // Where backups should be stored.
+    StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+    // Driver-specific BackupStrategy to use.
+    StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+    // When backups should run.
+    Schedule PlanSchedule `json:"schedule"`
+}
+```
+
+`PlanSchedule` (initially) supports only cron:
+
+```go
+type PlanScheduleType string
+
+const (
+    PlanScheduleTypeEmpty PlanScheduleType = ""
+    PlanScheduleTypeCron  PlanScheduleType = "cron"
+)
+```
+
+```go
+type PlanSchedule struct {
+    // Type is the schedule type. Currently only "cron" is supported.
+    // Defaults to "cron".
+    Type PlanScheduleType `json:"type,omitempty"`
+
+    // Cron expression (required for cron type).
+    Cron string `json:"cron,omitempty"`
+}
+```
+
+**Plan reconciliation contract**
+
+Core Plan controller:
+
+1. **Read schedule** from `spec.schedule` and compute the next fire time.
+2. When due:
+
+   * Create a `BackupJob` in the same namespace:
+
+     * `spec.planRef.name = plan.Name`
+     * `spec.applicationRef = plan.spec.applicationRef`
+     * `spec.storageRef = plan.spec.storageRef`
+     * `spec.strategyRef = plan.spec.strategyRef`
+     * `spec.triggeredBy = "Plan"`
+   * Set `ownerReferences` so the `BackupJob` is owned by the `Plan`.
+
+The Plan controller does **not**:
+
+* Execute backups itself.
+* Modify driver resources or `Backup` objects.
+* Touch `BackupJob.spec` after creation.
+
+---
+
+### 4.2 Storage
+
+**API Shape**
+
+TBD
+
+**Storage usage**
+
+* `Plan` and `BackupJob` reference `Storage` via `TypedLocalObjectReference`.
+* Drivers read `Storage` to know how/where to store or read artifacts.
+* Core treats `Storage` spec as opaque; it does not directly talk to S3 or buckets.
+
+---
+
+### 4.3 BackupJob
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=BackupJob`
+
+**Purpose**
+Represent a single **execution** of a backup operation, typically created when a `Plan` fires or when a user triggers an ad-hoc backup.
+
+**Key fields (spec)**
+
+```go
+type BackupJobSpec struct {
+    // Plan that triggered this run, if any.
+    PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+    // Application to back up.
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+    // Storage to use.
+    StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+    // Driver-specific BackupStrategy to use.
+    StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+    // Informational: what triggered this run ("Plan", "Manual", etc.).
+    TriggeredBy string `json:"triggeredBy,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type BackupJobStatus struct {
+    Phase       BackupJobPhase         `json:"phase,omitempty"`
+    BackupRef   *corev1.LocalObjectReference `json:"backupRef,omitempty"`
+    StartedAt   *metav1.Time           `json:"startedAt,omitempty"`
+    CompletedAt *metav1.Time           `json:"completedAt,omitempty"`
+    Message     string                 `json:"message,omitempty"`
+    Conditions  []metav1.Condition     `json:"conditions,omitempty"`
+}
+```
+
+`BackupJobPhase` is one of: `Pending`, `Running`, `Succeeded`, `Failed`.
+
+**BackupJob contract with drivers**
+
+* Core **creates** `BackupJob` and must treat `spec` as immutable afterwards.
+* Each driver controller:
+
+  * Watches `BackupJob`.
+  * Reconciles runs where `spec.strategyRef.apiGroup/kind` matches its **strategy type(s)**.
+* Driver responsibilities:
+
+  1. On first reconcile:
+
+     * Set `status.startedAt` if unset.
+     * Set `status.phase = Running`.
+  2. Resolve inputs:
+
+     * Read `Strategy` (driver-owned CRD), `Storage`, `Application`, optionally `Plan`.
+  3. Execute backup logic (implementation-specific).
+  4. On success:
+
+     * Create a `Backup` resource (see below).
+     * Set `status.backupRef` to the created `Backup`.
+     * Set `status.completedAt`.
+     * Set `status.phase = Succeeded`.
+  5. On failure:
+
+     * Set `status.completedAt`.
+     * Set `status.phase = Failed`.
+     * Set `status.message` and conditions.
+
+Drivers must **not** modify `BackupJob.spec` or delete `BackupJob` themselves.
+
+---
+
+### 4.4 Backup
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=Backup`
+
+**Purpose**
+Represent a single **backup artifact** for a given application, decoupled from a particular run. usable as a stable, listable “thing you can restore from”.
+
+**Key fields (spec)**
+
+```go
+type BackupSpec struct {
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+    PlanRef        *corev1.LocalObjectReference     `json:"planRef,omitempty"`
+    StorageRef     corev1.TypedLocalObjectReference `json:"storageRef"`
+    StrategyRef    corev1.TypedLocalObjectReference `json:"strategyRef"`
+    TakenAt        metav1.Time                      `json:"takenAt"`
+    DriverMetadata map[string]string                `json:"driverMetadata,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type BackupStatus struct {
+    Phase      BackupPhase       `json:"phase,omitempty"` // Pending, Ready, Failed, etc.
+    Artifact   *BackupArtifact   `json:"artifact,omitempty"`
+    Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+```
+
+`BackupArtifact` describes the artifact (URI, size, checksum).
+
+**Backup contract with drivers**
+
+* On successful completion of a `BackupJob`, the **driver**:
+
+  * Creates a `Backup` in the same namespace (typically owned by the `BackupJob`).
+  * Populates `spec` fields with:
+
+    * The application, storage, strategy references.
+    * `takenAt`.
+    * Optional `driverMetadata`.
+  * Sets `status` with:
+
+    * `phase = Ready` (or equivalent when fully usable).
+    * `artifact` describing the stored object.
+* Core:
+
+  * Treats `Backup` spec as mostly immutable and opaque.
+  * Uses it to:
+
+    * List backups for a given application/plan.
+    * Anchor `RestoreJob` operations.
+    * Implement higher-level policies (retention) if needed.
+
+---
+
+### 4.5 RestoreJob
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=RestoreJob`
+
+**Purpose**
+Represent a single **restore operation** from a `Backup`, either back into the same application or into a new target application.
+
+**Key fields (spec)**
+
+```go
+type RestoreJobSpec struct {
+    // Backup to restore from.
+    BackupRef corev1.LocalObjectReference `json:"backupRef"`
+
+    // Target application; if omitted, drivers SHOULD restore into
+    // backup.spec.applicationRef.
+    TargetApplicationRef *corev1.TypedLocalObjectReference `json:"targetApplicationRef,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type RestoreJobStatus struct {
+    Phase       RestoreJobPhase   `json:"phase,omitempty"` // Pending, Running, Succeeded, Failed
+    StartedAt   *metav1.Time      `json:"startedAt,omitempty"`
+    CompletedAt *metav1.Time      `json:"completedAt,omitempty"`
+    Message     string            `json:"message,omitempty"`
+    Conditions  []metav1.Condition `json:"conditions,omitempty"`
+}
+```
+
+**RestoreJob contract with drivers**
+
+* RestoreJob is created either manually or by core.
+* Driver controller:
+
+  1. Watches `RestoreJob`.
+  2. On reconcile:
+
+     * Fetches the referenced `Backup`.
+     * Determines effective:
+
+       * **Strategy**: `backup.spec.strategyRef`.
+       * **Storage**: `backup.spec.storageRef`.
+       * **Target application**: `spec.targetApplicationRef` or `backup.spec.applicationRef`.
+     * If effective strategy’s GVK is one of its supported strategy types → driver is responsible.
+  3. Behaviour:
+
+     * On first reconcile, set `status.startedAt` and `phase = Running`.
+     * Resolve `Backup`, `Storage`, `Strategy`, target application.
+     * Execute restore logic (implementation-specific).
+     * On success:
+
+       * Set `status.completedAt`.
+       * Set `status.phase = Succeeded`.
+     * On failure:
+
+       * Set `status.completedAt`.
+       * Set `status.phase = Failed`.
+       * Set `status.message` and conditions.
+
+Drivers must not modify `RestoreJob.spec` or delete `RestoreJob`.
+
+---
+
+## 5. Strategy drivers (high-level)
+
+Strategy drivers are separate controllers that:
+
+* Define their own **strategy CRDs** (e.g. `JobBackupStrategy`) in their own API groups:
+
+  * e.g. `jobdriver.backups.cozystack.io/v1alpha1, Kind=JobBackupStrategy`
+* Implement the **BackupJob contract**:
+
+  * Watch `BackupJob`.
+  * Filter by `spec.strategyRef.apiGroup/kind`.
+  * Execute backup logic.
+  * Create/update `Backup`.
+* Implement the **RestoreJob contract**:
+
+  * Watch `RestoreJob`.
+  * Resolve `Backup`, then effective `strategyRef`.
+  * Filter by effective strategy GVK.
+  * Execute restore logic.
+
+The core backups API **does not** dictate:
+
+* The fields and structure of driver strategy specs.
+* How drivers implement backup/restore internally (Jobs, snapshots, native operator CRDs, etc.).
+
+Drivers are interchangeable as long as they respect:
+
+* The `BackupJob` and `RestoreJob` contracts.
+* The shapes and semantics of `Backup` objects.
+
+---
+
+## 6. Summary
+
+The Cozystack backups core API:
+
+* Uses a single group, `backups.cozystack.io`, for all core CRDs.
+* Cleanly separates:
+
+  * **When & where** (Plan + Storage) – core-owned.
+  * **What backup artifacts exist** (Backup) – driver-created but cluster-visible.
+  * **Execution lifecycle** (BackupJob, RestoreJob) – shared contract boundary.
+* Allows multiple strategy drivers to implement backup/restore logic without entangling their implementation with the core API.
+

api/backups/v1alpha1/backup_types.go

@@ -0,0 +1,118 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Backup{},
+			&BackupList{},
+		)
+		return nil
+	})
+}
+
+// BackupPhase represents the lifecycle phase of a Backup.
+type BackupPhase string
+
+const (
+	BackupPhaseEmpty   BackupPhase = ""
+	BackupPhasePending BackupPhase = "Pending"
+	BackupPhaseReady   BackupPhase = "Ready"
+	BackupPhaseFailed  BackupPhase = "Failed"
+)
+
+// BackupArtifact describes the stored backup object (tarball, snapshot, etc.).
+type BackupArtifact struct {
+	// URI is a driver-/storage-specific URI pointing to the backup artifact.
+	// For example: s3://bucket/prefix/file.tar.gz
+	URI string `json:"uri"`
+
+	// SizeBytes is the size of the artifact in bytes, if known.
+	// +optional
+	SizeBytes int64 `json:"sizeBytes,omitempty"`
+
+	// Checksum is the checksum of the artifact, if computed.
+	// For example: "sha256:<hex>".
+	// +optional
+	Checksum string `json:"checksum,omitempty"`
+}
+
+// BackupSpec describes an immutable backup artifact produced by a BackupJob.
+type BackupSpec struct {
+	// ApplicationRef refers to the application that was backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// PlanRef refers to the Plan that produced this backup, if any.
+	// For manually triggered backups, this can be omitted.
+	// +optional
+	PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+	// StorageRef refers to the Storage object that describes where the backup
+	// artifact is stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef refers to the driver-specific BackupStrategy that was used
+	// to create this backup. This allows the driver to later perform restores.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+	// TakenAt is the time at which the backup was taken (as reported by the
+	// driver). It may differ slightly from metadata.creationTimestamp.
+	TakenAt metav1.Time `json:"takenAt"`
+
+	// DriverMetadata holds driver-specific, opaque metadata associated with
+	// this backup (for example snapshot IDs, schema versions, etc.).
+	// This data is not interpreted by the core backup controllers.
+	// +optional
+	DriverMetadata map[string]string `json:"driverMetadata,omitempty"`
+}
+
+// BackupStatus represents the observed state of a Backup.
+type BackupStatus struct {
+	// Phase is a simple, high-level summary of the backup's state.
+	// Typical values are: Pending, Ready, Failed.
+	// +optional
+	Phase BackupPhase `json:"phase,omitempty"`
+
+	// Artifact describes the stored backup object, if available.
+	// +optional
+	Artifact *BackupArtifact `json:"artifact,omitempty"`
+
+	// Conditions represents the latest available observations of a Backup's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// Backup represents a single backup artifact for a given application.
+type Backup struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   BackupSpec   `json:"spec,omitempty"`
+	Status BackupStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// BackupList contains a list of Backups.
+type BackupList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Backup `json:"items"`
+}

api/backups/v1alpha1/backupjob_types.go

@@ -0,0 +1,109 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&BackupJob{},
+			&BackupJobList{},
+		)
+		return nil
+	})
+}
+
+// BackupJobPhase represents the lifecycle phase of a BackupJob.
+type BackupJobPhase string
+
+const (
+	BackupJobPhaseEmpty     BackupJobPhase = ""
+	BackupJobPhasePending   BackupJobPhase = "Pending"
+	BackupJobPhaseRunning   BackupJobPhase = "Running"
+	BackupJobPhaseSucceeded BackupJobPhase = "Succeeded"
+	BackupJobPhaseFailed    BackupJobPhase = "Failed"
+)
+
+// BackupJobSpec describes the execution of a single backup operation.
+type BackupJobSpec struct {
+	// PlanRef refers to the Plan that requested this backup run.
+	// For ad-hoc/manual backups, this can be omitted.
+	// +optional
+	PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+	// ApplicationRef holds a reference to the managed application whose state
+	// is being backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// StorageRef holds a reference to the Storage object that describes where
+	// the backup will be stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef holds a reference to the driver-specific BackupStrategy object
+	// that describes how the backup should be created.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+}
+
+// BackupJobStatus represents the observed state of a BackupJob.
+type BackupJobStatus struct {
+	// Phase is a high-level summary of the run's state.
+	// Typical values: Pending, Running, Succeeded, Failed.
+	// +optional
+	Phase BackupJobPhase `json:"phase,omitempty"`
+
+	// BackupRef refers to the Backup object created by this run, if any.
+	// +optional
+	BackupRef *corev1.LocalObjectReference `json:"backupRef,omitempty"`
+
+	// StartedAt is the time at which the backup run started.
+	// +optional
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+
+	// CompletedAt is the time at which the backup run completed (successfully
+	// or otherwise).
+	// +optional
+	CompletedAt *metav1.Time `json:"completedAt,omitempty"`
+
+	// Message is a human-readable message indicating details about why the
+	// backup run is in its current phase, if any.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// Conditions represents the latest available observations of a BackupJob's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// BackupJob represents a single execution of a backup.
+// It is typically created by a Plan controller when a schedule fires.
+type BackupJob struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   BackupJobSpec   `json:"spec,omitempty"`
+	Status BackupJobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// BackupJobList contains a list of BackupJobs.
+type BackupJobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []BackupJob `json:"items"`
+}

api/backups/v1alpha1/groupversion_info.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=backups.cozystack.io
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupVersion  = schema.GroupVersion{Group: "backups.cozystack.io", Version: "v1alpha1"}
+	SchemeBuilder = runtime.NewSchemeBuilder(addGroupVersion)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addGroupVersion(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+	return nil
+}

api/backups/v1alpha1/plan_types.go

@@ -0,0 +1,98 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Plan{},
+			&PlanList{},
+		)
+		return nil
+	})
+}
+
+type PlanScheduleType string
+
+const (
+	PlanScheduleTypeEmpty PlanScheduleType = ""
+	PlanScheduleTypeCron  PlanScheduleType = "cron"
+)
+
+// Condtions
+const (
+	PlanConditionError = "Error"
+)
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// Plan describes the schedule, method and storage location for the
+// backup of a given target application.
+type Plan struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PlanSpec   `json:"spec,omitempty"`
+	Status PlanStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PlanList contains a list of backup Plans.
+type PlanList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Plan `json:"items"`
+}
+
+// PlanSpec references the storage, the strategy, the application to be
+// backed up and specifies the timetable on which the backups will run.
+type PlanSpec struct {
+	// ApplicationRef holds a reference to the managed application,
+	// whose state and configuration must be backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// StorageRef holds a reference to the Storage object that
+	// describes the location where the backup will be stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef holds a reference to the Strategy object that
+	// describes, how a backup copy is to be created.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+	// Schedule specifies when backup copies are created.
+	Schedule PlanSchedule `json:"schedule"`
+}
+
+// PlanSchedule specifies when backup copies are created.
+type PlanSchedule struct {
+	// Type is the type of schedule specification. Supported values are
+	// [`cron`]. If omitted, defaults to `cron`.
+	// +optional
+	Type PlanScheduleType `json:"type,omitempty"`
+
+	// Cron contains the cron spec for scheduling backups. Must be
+	// specified if the schedule type is `cron`. Since only `cron` is
+	// supported, omitting this field is not allowed.
+	// +optional
+	Cron string `json:"cron,omitempty"`
+}
+
+type PlanStatus struct {
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}

api/backups/v1alpha1/restorejob_types.go

@@ -0,0 +1,91 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&RestoreJob{},
+			&RestoreJobList{},
+		)
+		return nil
+	})
+}
+
+// RestoreJobPhase represents the lifecycle phase of a RestoreJob.
+type RestoreJobPhase string
+
+const (
+	RestoreJobPhaseEmpty     RestoreJobPhase = ""
+	RestoreJobPhasePending   RestoreJobPhase = "Pending"
+	RestoreJobPhaseRunning   RestoreJobPhase = "Running"
+	RestoreJobPhaseSucceeded RestoreJobPhase = "Succeeded"
+	RestoreJobPhaseFailed    RestoreJobPhase = "Failed"
+)
+
+// RestoreJobSpec describes the execution of a single restore operation.
+type RestoreJobSpec struct {
+	// BackupRef refers to the Backup that should be restored.
+	BackupRef corev1.LocalObjectReference `json:"backupRef"`
+
+	// TargetApplicationRef refers to the application into which the backup
+	// should be restored. If omitted, the driver SHOULD restore into the same
+	// application as referenced by backup.spec.applicationRef.
+	// +optional
+	TargetApplicationRef *corev1.TypedLocalObjectReference `json:"targetApplicationRef,omitempty"`
+}
+
+// RestoreJobStatus represents the observed state of a RestoreJob.
+type RestoreJobStatus struct {
+	// Phase is a high-level summary of the run's state.
+	// Typical values: Pending, Running, Succeeded, Failed.
+	// +optional
+	Phase RestoreJobPhase `json:"phase,omitempty"`
+
+	// StartedAt is the time at which the restore run started.
+	// +optional
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+
+	// CompletedAt is the time at which the restore run completed (successfully
+	// or otherwise).
+	// +optional
+	CompletedAt *metav1.Time `json:"completedAt,omitempty"`
+
+	// Message is a human-readable message indicating details about why the
+	// restore run is in its current phase, if any.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// Conditions represents the latest available observations of a RestoreJob's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RestoreJob represents a single execution of a restore from a Backup.
+type RestoreJob struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   RestoreJobSpec   `json:"spec,omitempty"`
+	Status RestoreJobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RestoreJobList contains a list of RestoreJobs.
+type RestoreJobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []RestoreJob `json:"items"`
+}

api/backups/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,501 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Backup) DeepCopyInto(out *Backup) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Backup.
+func (in *Backup) DeepCopy() *Backup {
+	if in == nil {
+		return nil
+	}
+	out := new(Backup)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Backup) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupArtifact) DeepCopyInto(out *BackupArtifact) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupArtifact.
+func (in *BackupArtifact) DeepCopy() *BackupArtifact {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupArtifact)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJob) DeepCopyInto(out *BackupJob) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJob.
+func (in *BackupJob) DeepCopy() *BackupJob {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJob)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupJob) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobList) DeepCopyInto(out *BackupJobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]BackupJob, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobList.
+func (in *BackupJobList) DeepCopy() *BackupJobList {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupJobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobSpec) DeepCopyInto(out *BackupJobSpec) {
+	*out = *in
+	if in.PlanRef != nil {
+		in, out := &in.PlanRef, &out.PlanRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobSpec.
+func (in *BackupJobSpec) DeepCopy() *BackupJobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobStatus) DeepCopyInto(out *BackupJobStatus) {
+	*out = *in
+	if in.BackupRef != nil {
+		in, out := &in.BackupRef, &out.BackupRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	if in.StartedAt != nil {
+		in, out := &in.StartedAt, &out.StartedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.CompletedAt != nil {
+		in, out := &in.CompletedAt, &out.CompletedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobStatus.
+func (in *BackupJobStatus) DeepCopy() *BackupJobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupList) DeepCopyInto(out *BackupList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Backup, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupList.
+func (in *BackupList) DeepCopy() *BackupList {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupSpec) DeepCopyInto(out *BackupSpec) {
+	*out = *in
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	if in.PlanRef != nil {
+		in, out := &in.PlanRef, &out.PlanRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+	in.TakenAt.DeepCopyInto(&out.TakenAt)
+	if in.DriverMetadata != nil {
+		in, out := &in.DriverMetadata, &out.DriverMetadata
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupSpec.
+func (in *BackupSpec) DeepCopy() *BackupSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupStatus) DeepCopyInto(out *BackupStatus) {
+	*out = *in
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(BackupArtifact)
+		**out = **in
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupStatus.
+func (in *BackupStatus) DeepCopy() *BackupStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Plan) DeepCopyInto(out *Plan) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Plan.
+func (in *Plan) DeepCopy() *Plan {
+	if in == nil {
+		return nil
+	}
+	out := new(Plan)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Plan) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanList) DeepCopyInto(out *PlanList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Plan, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanList.
+func (in *PlanList) DeepCopy() *PlanList {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PlanList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanSchedule) DeepCopyInto(out *PlanSchedule) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanSchedule.
+func (in *PlanSchedule) DeepCopy() *PlanSchedule {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanSchedule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanSpec) DeepCopyInto(out *PlanSpec) {
+	*out = *in
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+	out.Schedule = in.Schedule
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanSpec.
+func (in *PlanSpec) DeepCopy() *PlanSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanStatus) DeepCopyInto(out *PlanStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanStatus.
+func (in *PlanStatus) DeepCopy() *PlanStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJob) DeepCopyInto(out *RestoreJob) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJob.
+func (in *RestoreJob) DeepCopy() *RestoreJob {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJob)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RestoreJob) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobList) DeepCopyInto(out *RestoreJobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RestoreJob, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobList.
+func (in *RestoreJobList) DeepCopy() *RestoreJobList {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RestoreJobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobSpec) DeepCopyInto(out *RestoreJobSpec) {
+	*out = *in
+	out.BackupRef = in.BackupRef
+	if in.TargetApplicationRef != nil {
+		in, out := &in.TargetApplicationRef, &out.TargetApplicationRef
+		*out = new(v1.TypedLocalObjectReference)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobSpec.
+func (in *RestoreJobSpec) DeepCopy() *RestoreJobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobStatus) DeepCopyInto(out *RestoreJobStatus) {
+	*out = *in
+	if in.StartedAt != nil {
+		in, out := &in.StartedAt, &out.StartedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.CompletedAt != nil {
+		in, out := &in.CompletedAt, &out.CompletedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobStatus.
+func (in *RestoreJobStatus) DeepCopy() *RestoreJobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobStatus)
+	in.DeepCopyInto(out)
+	return out
+}

api/v1alpha1/cozystackresourcedefinitions_types.go

@@ -92,7 +92,8 @@ type CozystackResourceDefinitionApplication struct {
 
 type CozystackResourceDefinitionRelease struct {
 	// Helm chart configuration
-	Chart CozystackResourceDefinitionChart `json:"chart"`
+	// +optional
+	Chart CozystackResourceDefinitionChart `json:"chart,omitempty"`
 	// Labels for the release
 	Labels map[string]string `json:"labels,omitempty"`
 	// Prefix for the release name
@@ -110,17 +111,18 @@ type CozystackResourceDefinitionRelease struct {
 // - {{ .namespace }}: The namespace of the resource being processed
 //
 // Example YAML:
-//   secrets:
-//     include:
-//     - matchExpressions:
-//       - key: badlabel
-//         operator: DoesNotExist
-//       matchLabels:
-//         goodlabel: goodvalue
-//       resourceNames:
-//       - "{{ .name }}-secret"
-//       - "{{ .kind }}-{{ .name }}-tls"
-//       - "specificname"
+//
+//	secrets:
+//	  include:
+//	  - matchExpressions:
+//	    - key: badlabel
+//	      operator: DoesNotExist
+//	    matchLabels:
+//	      goodlabel: goodvalue
+//	    resourceNames:
+//	    - "{{ .name }}-secret"
+//	    - "{{ .kind }}-{{ .name }}-tls"
+//	    - "specificname"
 type CozystackResourceDefinitionResourceSelector struct {
 	metav1.LabelSelector `json:",inline"`
 	// ResourceNames is a list of resource names to match

api/v1alpha1/package_types.go

@@ -0,0 +1,89 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster,shortName={pkg,pkgs}
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Variant",type="string",JSONPath=".spec.variant",description="Selected variant"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status",description="Ready status"
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].message",description="Ready message"
+
+// Package is the Schema for the packages API
+type Package struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PackageSpec   `json:"spec,omitempty"`
+	Status PackageStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PackageList contains a list of Packages
+type PackageList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Package `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Package{}, &PackageList{})
+}
+
+// PackageSpec defines the desired state of Package
+type PackageSpec struct {
+	// Variant is the name of the variant to use from the PackageSource
+	// If not specified, defaults to "default"
+	// +optional
+	Variant string `json:"variant,omitempty"`
+
+	// IgnoreDependencies is a list of package source dependencies to ignore
+	// Dependencies listed here will not be installed even if they are specified in the PackageSource
+	// +optional
+	IgnoreDependencies []string `json:"ignoreDependencies,omitempty"`
+
+	// Components is a map of release name to component overrides
+	// Allows overriding values and enabling/disabling specific components from the PackageSource
+	// +optional
+	Components map[string]PackageComponent `json:"components,omitempty"`
+}
+
+// PackageRelease defines overrides for a specific component
+type PackageComponent struct {
+	// Enabled indicates whether this component should be installed
+	// If false, the component will be disabled even if it's defined in the PackageSource
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// Values contains Helm chart values as a JSON object
+	// These values will be merged with the default values from the PackageSource
+	// +optional
+	Values *apiextensionsv1.JSON `json:"values,omitempty"`
+}
+
+// PackageStatus defines the observed state of Package
+type PackageStatus struct {
+	// Conditions represents the latest available observations of a Package's state
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}

api/v1alpha1/packagesource_types.go

@@ -0,0 +1,184 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster,shortName={pkgsrc,pkgsrcs}
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Variants",type="string",JSONPath=".status.variants",description="Package variants (comma-separated)"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status",description="Ready status"
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].message",description="Ready message"
+
+// PackageSource is the Schema for the packagesources API
+type PackageSource struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PackageSourceSpec   `json:"spec,omitempty"`
+	Status PackageSourceStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PackageSourceList contains a list of PackageSources
+type PackageSourceList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []PackageSource `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&PackageSource{}, &PackageSourceList{})
+}
+
+// PackageSourceSpec defines the desired state of PackageSource
+type PackageSourceSpec struct {
+	// SourceRef is the source reference for the package source charts
+	// +optional
+	SourceRef *PackageSourceRef `json:"sourceRef,omitempty"`
+
+	// Variants is a list of package source variants
+	// Each variant defines components, applications, dependencies, and libraries for a specific configuration
+	// +optional
+	Variants []Variant `json:"variants,omitempty"`
+}
+
+// Variant defines a single variant configuration
+type Variant struct {
+	// Name is the unique identifier for this variant
+	// +required
+	Name string `json:"name"`
+
+	// DependsOn is a list of package source dependencies
+	// For example: "cozystack.networking"
+	// +optional
+	DependsOn []string `json:"dependsOn,omitempty"`
+
+	// Libraries is a list of Helm library charts used by components in this variant
+	// +optional
+	Libraries []Library `json:"libraries,omitempty"`
+
+	// Components is a list of Helm releases to be installed as part of this variant
+	// +optional
+	Components []Component `json:"components,omitempty"`
+}
+
+// DependencyTarget defines a named group of packages that can be referenced
+// by other package sources via dependsOn
+type DependencyTarget struct {
+	// Name is the unique identifier for this dependency target
+	// +required
+	Name string `json:"name"`
+
+	// Packages is a list of package names that belong to this target
+	// These packages will be added as dependencies when this target is referenced
+	// +required
+	Packages []string `json:"packages"`
+}
+
+// Library defines a Helm library chart
+type Library struct {
+	// Name is the optional name for library placed in charts
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// Path is the path to the library chart directory
+	// +required
+	Path string `json:"path"`
+}
+
+// PackageSourceRef defines the source reference for package source charts
+type PackageSourceRef struct {
+	// Kind of the source reference
+	// +kubebuilder:validation:Enum=GitRepository;OCIRepository
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the source reference
+	// +required
+	Name string `json:"name"`
+
+	// Namespace of the source reference
+	// +required
+	Namespace string `json:"namespace"`
+
+	// Path is the base path where packages are located in the source.
+	// For GitRepository, defaults to "packages" if not specified.
+	// For OCIRepository, defaults to empty string (root) if not specified.
+	// +optional
+	Path string `json:"path,omitempty"`
+}
+
+// ComponentInstall defines installation parameters for a component
+type ComponentInstall struct {
+	// ReleaseName is the name of the HelmRelease resource that will be created
+	// If not specified, defaults to the component Name field
+	// +optional
+	ReleaseName string `json:"releaseName,omitempty"`
+
+	// Namespace is the Kubernetes namespace where the release will be installed
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
+	// Privileged indicates whether this release requires privileged access
+	// +optional
+	Privileged bool `json:"privileged,omitempty"`
+
+	// DependsOn is a list of component names that must be installed before this component
+	// +optional
+	DependsOn []string `json:"dependsOn,omitempty"`
+}
+
+// Component defines a single Helm release component within a package source
+type Component struct {
+	// Name is the unique identifier for this component within the package source
+	// +required
+	Name string `json:"name"`
+
+	// Path is the path to the Helm chart directory
+	// +required
+	Path string `json:"path"`
+
+	// Install defines installation parameters for this component
+	// +optional
+	Install *ComponentInstall `json:"install,omitempty"`
+
+	// Libraries is a list of library names that this component depends on
+	// These libraries must be defined at the variant level
+	// +optional
+	Libraries []string `json:"libraries,omitempty"`
+
+	// ValuesFiles is a list of values file names to use
+	// +optional
+	ValuesFiles []string `json:"valuesFiles,omitempty"`
+}
+
+// PackageSourceStatus defines the observed state of PackageSource
+type PackageSourceStatus struct {
+	// Variants is a comma-separated list of package variant names
+	// This field is populated by the controller based on spec.variants keys
+	// +optional
+	Variants string `json:"variants,omitempty"`
+
+	// Conditions represents the latest available observations of a PackageSource's state
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -21,10 +21,62 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Component) DeepCopyInto(out *Component) {
+	*out = *in
+	if in.Install != nil {
+		in, out := &in.Install, &out.Install
+		*out = new(ComponentInstall)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Libraries != nil {
+		in, out := &in.Libraries, &out.Libraries
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ValuesFiles != nil {
+		in, out := &in.ValuesFiles, &out.ValuesFiles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Component.
+func (in *Component) DeepCopy() *Component {
+	if in == nil {
+		return nil
+	}
+	out := new(Component)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ComponentInstall) DeepCopyInto(out *ComponentInstall) {
+	*out = *in
+	if in.DependsOn != nil {
+		in, out := &in.DependsOn, &out.DependsOn
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComponentInstall.
+func (in *ComponentInstall) DeepCopy() *ComponentInstall {
+	if in == nil {
+		return nil
+	}
+	out := new(ComponentInstall)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CozystackResourceDefinition) DeepCopyInto(out *CozystackResourceDefinition) {
 	*out = *in
@@ -256,6 +308,297 @@ func (in *CozystackResourceDefinitionSpec) DeepCopy() *CozystackResourceDefiniti
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DependencyTarget) DeepCopyInto(out *DependencyTarget) {
+	*out = *in
+	if in.Packages != nil {
+		in, out := &in.Packages, &out.Packages
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DependencyTarget.
+func (in *DependencyTarget) DeepCopy() *DependencyTarget {
+	if in == nil {
+		return nil
+	}
+	out := new(DependencyTarget)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Library) DeepCopyInto(out *Library) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Library.
+func (in *Library) DeepCopy() *Library {
+	if in == nil {
+		return nil
+	}
+	out := new(Library)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Package) DeepCopyInto(out *Package) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Package.
+func (in *Package) DeepCopy() *Package {
+	if in == nil {
+		return nil
+	}
+	out := new(Package)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Package) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageComponent) DeepCopyInto(out *PackageComponent) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = new(v1.JSON)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageComponent.
+func (in *PackageComponent) DeepCopy() *PackageComponent {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageComponent)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageList) DeepCopyInto(out *PackageList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Package, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageList.
+func (in *PackageList) DeepCopy() *PackageList {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PackageList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSource) DeepCopyInto(out *PackageSource) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSource.
+func (in *PackageSource) DeepCopy() *PackageSource {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PackageSource) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSourceList) DeepCopyInto(out *PackageSourceList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PackageSource, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSourceList.
+func (in *PackageSourceList) DeepCopy() *PackageSourceList {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSourceList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PackageSourceList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSourceRef) DeepCopyInto(out *PackageSourceRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSourceRef.
+func (in *PackageSourceRef) DeepCopy() *PackageSourceRef {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSourceRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSourceSpec) DeepCopyInto(out *PackageSourceSpec) {
+	*out = *in
+	if in.SourceRef != nil {
+		in, out := &in.SourceRef, &out.SourceRef
+		*out = new(PackageSourceRef)
+		**out = **in
+	}
+	if in.Variants != nil {
+		in, out := &in.Variants, &out.Variants
+		*out = make([]Variant, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSourceSpec.
+func (in *PackageSourceSpec) DeepCopy() *PackageSourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSourceStatus) DeepCopyInto(out *PackageSourceStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSourceStatus.
+func (in *PackageSourceStatus) DeepCopy() *PackageSourceStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSourceStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageSpec) DeepCopyInto(out *PackageSpec) {
+	*out = *in
+	if in.IgnoreDependencies != nil {
+		in, out := &in.IgnoreDependencies, &out.IgnoreDependencies
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Components != nil {
+		in, out := &in.Components, &out.Components
+		*out = make(map[string]PackageComponent, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageSpec.
+func (in *PackageSpec) DeepCopy() *PackageSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PackageStatus) DeepCopyInto(out *PackageStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PackageStatus.
+func (in *PackageStatus) DeepCopy() *PackageStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PackageStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in Selector) DeepCopyInto(out *Selector) {
 	{
@@ -292,6 +635,38 @@ func (in *SourceRef) DeepCopy() *SourceRef {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Variant) DeepCopyInto(out *Variant) {
+	*out = *in
+	if in.DependsOn != nil {
+		in, out := &in.DependsOn, &out.DependsOn
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Libraries != nil {
+		in, out := &in.Libraries, &out.Libraries
+		*out = make([]Library, len(*in))
+		copy(*out, *in)
+	}
+	if in.Components != nil {
+		in, out := &in.Components, &out.Components
+		*out = make([]Component, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Variant.
+func (in *Variant) DeepCopy() *Variant {
+	if in == nil {
+		return nil
+	}
+	out := new(Variant)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Workload) DeepCopyInto(out *Workload) {
 	*out = *in

cmd/backup-controller/main.go

@@ -0,0 +1,174 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(backupsv1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	// Configure rate limiting for the Kubernetes client
+	config := ctrl.GetConfigOrDie()
+	config.QPS = 50.0  // Increased from default 5.0
+	config.Burst = 100 // Increased from default 10
+
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "core.backups.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	if err = (&backupcontroller.PlanReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Plan")
+		os.Exit(1)
+	}
+
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}

cmd/backupstrategy-controller/main.go

@@ -0,0 +1,174 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(backupsv1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	// Configure rate limiting for the Kubernetes client
+	config := ctrl.GetConfigOrDie()
+	config.QPS = 50.0  // Increased from default 5.0
+	config.Burst = 100 // Increased from default 10
+
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "strategy.backups.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	if err = (&backupcontroller.BackupJobStrategyReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Job")
+		os.Exit(1)
+	}
+
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}

cmd/cozypkg/cmd/add.go

@@ -0,0 +1,565 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/spf13/cobra"
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer/yaml"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+)
+
+var addCmdFlags struct {
+	files      []string
+	kubeconfig string
+}
+
+var addCmd = &cobra.Command{
+	Use:   "add [package]...",
+	Short: "Install PackageSource and its dependencies interactively",
+	Long: `Install PackageSource and its dependencies interactively.
+
+You can specify packages as arguments or use -f flag to read from files.
+Multiple -f flags can be specified, and they can point to files or directories.`,
+	Args: cobra.ArbitraryArgs,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx := context.Background()
+
+		// Collect package names from arguments and files
+		packageNames := make(map[string]bool)
+		packagesFromFiles := make(map[string]string) // packageName -> filePath
+		
+		for _, arg := range args {
+			packageNames[arg] = true
+		}
+
+		// Read packages from files
+		for _, filePath := range addCmdFlags.files {
+			packages, err := readPackagesFromFile(filePath)
+			if err != nil {
+				return fmt.Errorf("failed to read packages from %s: %w", filePath, err)
+			}
+			for _, pkg := range packages {
+				packageNames[pkg] = true
+				packagesFromFiles[pkg] = filePath
+			}
+		}
+
+		if len(packageNames) == 0 {
+			return fmt.Errorf("no packages specified")
+		}
+
+		// Create Kubernetes client config
+		var config *rest.Config
+		var err error
+
+		if addCmdFlags.kubeconfig != "" {
+			config, err = clientcmd.BuildConfigFromFlags("", addCmdFlags.kubeconfig)
+			if err != nil {
+				return fmt.Errorf("failed to load kubeconfig from %s: %w", addCmdFlags.kubeconfig, err)
+			}
+		} else {
+			config, err = ctrl.GetConfig()
+			if err != nil {
+				return fmt.Errorf("failed to get kubeconfig: %w", err)
+			}
+		}
+
+		scheme := runtime.NewScheme()
+		utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+		utilruntime.Must(cozyv1alpha1.AddToScheme(scheme))
+
+		k8sClient, err := client.New(config, client.Options{Scheme: scheme})
+		if err != nil {
+			return fmt.Errorf("failed to create k8s client: %w", err)
+		}
+
+		// Process each package
+		for packageName := range packageNames {
+			// Check if package comes from a file
+			if filePath, fromFile := packagesFromFiles[packageName]; fromFile {
+				// Try to create Package directly from file
+				if err := createPackageFromFile(ctx, k8sClient, filePath, packageName); err == nil {
+					fmt.Fprintf(os.Stderr, "✓ Added Package %s\n", packageName)
+					continue
+				}
+				// If failed, fall back to interactive installation
+			}
+			
+			// Interactive installation from PackageSource
+			if err := installPackage(ctx, k8sClient, packageName); err != nil {
+				return err
+			}
+		}
+
+		return nil
+	},
+}
+
+func readPackagesFromFile(filePath string) ([]string, error) {
+	info, err := os.Stat(filePath)
+	if err != nil {
+		return nil, err
+	}
+
+	var packages []string
+
+	if info.IsDir() {
+		// Read all YAML files from directory
+		err := filepath.Walk(filePath, func(path string, info os.FileInfo, err error) error {
+			if err != nil {
+				return err
+			}
+			if info.IsDir() || !strings.HasSuffix(path, ".yaml") && !strings.HasSuffix(path, ".yml") {
+				return nil
+			}
+
+			pkgs, err := readPackagesFromYAMLFile(path)
+			if err != nil {
+				return fmt.Errorf("failed to read %s: %w", path, err)
+			}
+			packages = append(packages, pkgs...)
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		packages, err = readPackagesFromYAMLFile(filePath)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return packages, nil
+}
+
+func readPackagesFromYAMLFile(filePath string) ([]string, error) {
+	data, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+
+	var packages []string
+
+	// Split YAML documents (in case of multiple resources)
+	documents := strings.Split(string(data), "---")
+	
+	for _, doc := range documents {
+		doc = strings.TrimSpace(doc)
+		if doc == "" {
+			continue
+		}
+
+		// Parse using Kubernetes decoder
+		decoder := yaml.NewDecodingSerializer(unstructured.UnstructuredJSONScheme)
+		obj := &unstructured.Unstructured{}
+		_, _, err := decoder.Decode([]byte(doc), nil, obj)
+		if err != nil {
+			continue
+		}
+
+		// Check if it's a Package
+		if obj.GetKind() == "Package" {
+			name := obj.GetName()
+			if name != "" {
+				packages = append(packages, name)
+			}
+			continue
+		}
+
+		// Check if it's a PackageSource
+		if obj.GetKind() == "PackageSource" {
+			name := obj.GetName()
+			if name != "" {
+				packages = append(packages, name)
+			}
+			continue
+		}
+
+		// Try to parse as PackageList
+		if obj.GetKind() == "PackageList" {
+			items, found, err := unstructured.NestedSlice(obj.Object, "items")
+			if err == nil && found {
+				for _, item := range items {
+					if itemMap, ok := item.(map[string]interface{}); ok {
+						if metadata, ok := itemMap["metadata"].(map[string]interface{}); ok {
+							if name, ok := metadata["name"].(string); ok && name != "" {
+								packages = append(packages, name)
+							}
+						}
+					}
+				}
+			}
+			continue
+		}
+
+		// Try to parse as PackageSourceList
+		if obj.GetKind() == "PackageSourceList" {
+			items, found, err := unstructured.NestedSlice(obj.Object, "items")
+			if err == nil && found {
+				for _, item := range items {
+					if itemMap, ok := item.(map[string]interface{}); ok {
+						if metadata, ok := itemMap["metadata"].(map[string]interface{}); ok {
+							if name, ok := metadata["name"].(string); ok && name != "" {
+								packages = append(packages, name)
+							}
+						}
+					}
+				}
+			}
+			continue
+		}
+	}
+
+	if len(packages) == 0 {
+		return nil, fmt.Errorf("no valid packages found in file")
+	}
+
+	return packages, nil
+}
+
+// buildDependencyTree builds a dependency tree starting from the root PackageSource
+// Returns both the dependency tree and a map of dependencies to their requesters
+func buildDependencyTree(ctx context.Context, k8sClient client.Client, rootName string) (map[string][]string, map[string]string, error) {
+	tree := make(map[string][]string)
+	dependencyRequesters := make(map[string]string) // dep -> requester
+	visited := make(map[string]bool)
+	
+	// Ensure root is in tree even if it has no dependencies
+	tree[rootName] = []string{}
+
+	var buildTree func(string) error
+	buildTree = func(pkgName string) error {
+		if visited[pkgName] {
+			return nil
+		}
+		visited[pkgName] = true
+
+		// Get PackageSource
+		ps := &cozyv1alpha1.PackageSource{}
+		if err := k8sClient.Get(ctx, client.ObjectKey{Name: pkgName}, ps); err != nil {
+			// If PackageSource doesn't exist, just skip it
+			return nil
+		}
+
+		// Collect all dependencies from all variants
+		deps := make(map[string]bool)
+		for _, variant := range ps.Spec.Variants {
+			for _, dep := range variant.DependsOn {
+				deps[dep] = true
+			}
+		}
+
+		// Add dependencies to tree
+		for dep := range deps {
+			if _, exists := tree[pkgName]; !exists {
+				tree[pkgName] = []string{}
+			}
+			tree[pkgName] = append(tree[pkgName], dep)
+			// Track who requested this dependency
+			dependencyRequesters[dep] = pkgName
+			// Recursively build tree for dependencies
+			if err := buildTree(dep); err != nil {
+				return err
+			}
+		}
+
+		return nil
+	}
+
+	if err := buildTree(rootName); err != nil {
+		return nil, nil, err
+	}
+
+	return tree, dependencyRequesters, nil
+}
+
+// topologicalSort performs topological sort on the dependency tree
+// Returns order from root to leaves (dependencies first)
+func topologicalSort(tree map[string][]string) ([]string, error) {
+	// Build reverse graph (dependencies -> dependents)
+	reverseGraph := make(map[string][]string)
+	allNodes := make(map[string]bool)
+
+	for node, deps := range tree {
+		allNodes[node] = true
+		for _, dep := range deps {
+			allNodes[dep] = true
+			reverseGraph[dep] = append(reverseGraph[dep], node)
+		}
+	}
+
+	// Calculate in-degrees (how many dependencies a node has)
+	inDegree := make(map[string]int)
+	for node := range allNodes {
+		inDegree[node] = 0
+	}
+	for node, deps := range tree {
+		inDegree[node] = len(deps)
+	}
+
+	// Kahn's algorithm - start with nodes that have no dependencies
+	var queue []string
+	for node, degree := range inDegree {
+		if degree == 0 {
+			queue = append(queue, node)
+		}
+	}
+
+	var result []string
+	for len(queue) > 0 {
+		node := queue[0]
+		queue = queue[1:]
+		result = append(result, node)
+
+		// Process dependents (nodes that depend on this node)
+		for _, dependent := range reverseGraph[node] {
+			inDegree[dependent]--
+			if inDegree[dependent] == 0 {
+				queue = append(queue, dependent)
+			}
+		}
+	}
+
+	// Check for cycles
+	if len(result) != len(allNodes) {
+		return nil, fmt.Errorf("dependency cycle detected")
+	}
+
+	return result, nil
+}
+
+// createPackageFromFile creates a Package resource directly from a YAML file
+func createPackageFromFile(ctx context.Context, k8sClient client.Client, filePath string, packageName string) error {
+	data, err := os.ReadFile(filePath)
+	if err != nil {
+		return err
+	}
+
+	// Split YAML documents
+	documents := strings.Split(string(data), "---")
+	
+	for _, doc := range documents {
+		doc = strings.TrimSpace(doc)
+		if doc == "" {
+			continue
+		}
+
+		// Parse using Kubernetes decoder
+		decoder := yaml.NewDecodingSerializer(unstructured.UnstructuredJSONScheme)
+		obj := &unstructured.Unstructured{}
+		_, _, err := decoder.Decode([]byte(doc), nil, obj)
+		if err != nil {
+			continue
+		}
+
+		// Check if it's a Package with matching name
+		if obj.GetKind() == "Package" && obj.GetName() == packageName {
+			// Convert to Package
+			var pkg cozyv1alpha1.Package
+			if err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, &pkg); err != nil {
+				return fmt.Errorf("failed to convert Package: %w", err)
+			}
+
+			// Create Package
+			if err := k8sClient.Create(ctx, &pkg); err != nil {
+				return fmt.Errorf("failed to create Package: %w", err)
+			}
+
+			return nil
+		}
+	}
+
+	return fmt.Errorf("Package %s not found in file", packageName)
+}
+
+func installPackage(ctx context.Context, k8sClient client.Client, packageSourceName string) error {
+	// Get PackageSource
+	packageSource := &cozyv1alpha1.PackageSource{}
+	if err := k8sClient.Get(ctx, client.ObjectKey{Name: packageSourceName}, packageSource); err != nil {
+		return fmt.Errorf("failed to get PackageSource %s: %w", packageSourceName, err)
+	}
+
+	// Build dependency tree
+	dependencyTree, dependencyRequesters, err := buildDependencyTree(ctx, k8sClient, packageSourceName)
+	if err != nil {
+		return fmt.Errorf("failed to build dependency tree: %w", err)
+	}
+
+	// Topological sort (install from root to leaves)
+	installOrder, err := topologicalSort(dependencyTree)
+	if err != nil {
+		return fmt.Errorf("failed to sort dependencies: %w", err)
+	}
+
+	// Get all PackageSources for variant selection
+	var allPackageSources cozyv1alpha1.PackageSourceList
+	if err := k8sClient.List(ctx, &allPackageSources); err != nil {
+		return fmt.Errorf("failed to list PackageSources: %w", err)
+	}
+
+	packageSourceMap := make(map[string]*cozyv1alpha1.PackageSource)
+	for i := range allPackageSources.Items {
+		packageSourceMap[allPackageSources.Items[i].Name] = &allPackageSources.Items[i]
+	}
+
+	// Get all installed Packages
+	var installedPackages cozyv1alpha1.PackageList
+	if err := k8sClient.List(ctx, &installedPackages); err != nil {
+		return fmt.Errorf("failed to list Packages: %w", err)
+	}
+
+	installedMap := make(map[string]*cozyv1alpha1.Package)
+	for i := range installedPackages.Items {
+		installedMap[installedPackages.Items[i].Name] = &installedPackages.Items[i]
+	}
+
+	// First, collect all variant selections
+	fmt.Fprintf(os.Stderr, "Installing %s and its dependencies...\n\n", packageSourceName)
+	packageVariants := make(map[string]string) // packageName -> variant
+
+	for _, pkgName := range installOrder {
+		// Check if already installed
+		if installed, exists := installedMap[pkgName]; exists {
+			variant := installed.Spec.Variant
+			if variant == "" {
+				variant = "default"
+			}
+			fmt.Fprintf(os.Stderr, "✓ %s (already installed, variant: %s)\n", pkgName, variant)
+			packageVariants[pkgName] = variant
+			continue
+		}
+
+		// Get PackageSource for this dependency
+		ps, exists := packageSourceMap[pkgName]
+		if !exists {
+			requester := dependencyRequesters[pkgName]
+			if requester != "" {
+				return fmt.Errorf("PackageSource %s not found (required by %s)", pkgName, requester)
+			}
+			return fmt.Errorf("PackageSource %s not found", pkgName)
+		}
+
+		// Select variant interactively
+		variant, err := selectVariantInteractive(ps)
+		if err != nil {
+			return fmt.Errorf("failed to select variant for %s: %w", pkgName, err)
+		}
+
+		packageVariants[pkgName] = variant
+	}
+
+		// Now create all Package resources
+		for _, pkgName := range installOrder {
+			// Skip if already installed
+			if _, exists := installedMap[pkgName]; exists {
+				continue
+			}
+
+			variant := packageVariants[pkgName]
+
+			// Create Package
+			pkg := &cozyv1alpha1.Package{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: pkgName,
+				},
+				Spec: cozyv1alpha1.PackageSpec{
+					Variant: variant,
+				},
+			}
+
+			if err := k8sClient.Create(ctx, pkg); err != nil {
+				return fmt.Errorf("failed to create Package %s: %w", pkgName, err)
+			}
+
+			fmt.Fprintf(os.Stderr, "✓ Added Package %s\n", pkgName)
+		}
+
+		return nil
+}
+
+// selectVariantInteractive prompts user to select a variant
+func selectVariantInteractive(ps *cozyv1alpha1.PackageSource) (string, error) {
+	if len(ps.Spec.Variants) == 0 {
+		return "", fmt.Errorf("no variants available for PackageSource %s", ps.Name)
+	}
+
+	reader := bufio.NewReader(os.Stdin)
+
+	fmt.Fprintf(os.Stderr, "\nPackageSource: %s\n", ps.Name)
+	fmt.Fprintf(os.Stderr, "Available variants:\n")
+	for i, variant := range ps.Spec.Variants {
+		fmt.Fprintf(os.Stderr, "  %d. %s\n", i+1, variant.Name)
+	}
+
+	// If only one variant, use it as default
+	defaultVariant := ps.Spec.Variants[0].Name
+	var prompt string
+	if len(ps.Spec.Variants) == 1 {
+		prompt = "Select variant [1]: "
+	} else {
+		prompt = fmt.Sprintf("Select variant (1-%d): ", len(ps.Spec.Variants))
+	}
+
+	for {
+		fmt.Fprintf(os.Stderr, prompt)
+		input, err := reader.ReadString('\n')
+		if err != nil {
+			return "", fmt.Errorf("failed to read input: %w", err)
+		}
+
+		input = strings.TrimSpace(input)
+
+		// If input is empty and there's a default variant, use it
+		if input == "" && len(ps.Spec.Variants) == 1 {
+			return defaultVariant, nil
+		}
+
+		choice, err := strconv.Atoi(input)
+		if err != nil || choice < 1 || choice > len(ps.Spec.Variants) {
+			fmt.Fprintf(os.Stderr, "Invalid choice. Please enter a number between 1 and %d.\n", len(ps.Spec.Variants))
+			continue
+		}
+
+		return ps.Spec.Variants[choice-1].Name, nil
+	}
+}
+
+func init() {
+	rootCmd.AddCommand(addCmd)
+	addCmd.Flags().StringArrayVarP(&addCmdFlags.files, "file", "f", []string{}, "Read packages from file or directory (can be specified multiple times)")
+	addCmd.Flags().StringVar(&addCmdFlags.kubeconfig, "kubeconfig", "", "Path to kubeconfig file (defaults to ~/.kube/config or KUBECONFIG env var)")
+}
+

cmd/cozypkg/cmd/del.go

@@ -0,0 +1,121 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+)
+
+var delCmdFlags struct {
+	files      []string
+	kubeconfig string
+}
+
+var delCmd = &cobra.Command{
+	Use:   "del [package]...",
+	Short: "Delete Package resources",
+	Long: `Delete Package resources.
+
+You can specify packages as arguments or use -f flag to read from files.
+Multiple -f flags can be specified, and they can point to files or directories.`,
+	Args: cobra.ArbitraryArgs,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx := context.Background()
+
+		// Collect package names from arguments and files
+		packageNames := make(map[string]bool)
+		for _, arg := range args {
+			packageNames[arg] = true
+		}
+
+		// Read packages from files (reuse function from add.go)
+		for _, filePath := range delCmdFlags.files {
+			packages, err := readPackagesFromFile(filePath)
+			if err != nil {
+				return fmt.Errorf("failed to read packages from %s: %w", filePath, err)
+			}
+			for _, pkg := range packages {
+				packageNames[pkg] = true
+			}
+		}
+
+		if len(packageNames) == 0 {
+			return fmt.Errorf("no packages specified")
+		}
+
+		// Create Kubernetes client config
+		var config *rest.Config
+		var err error
+
+		if delCmdFlags.kubeconfig != "" {
+			config, err = clientcmd.BuildConfigFromFlags("", delCmdFlags.kubeconfig)
+			if err != nil {
+				return fmt.Errorf("failed to load kubeconfig from %s: %w", delCmdFlags.kubeconfig, err)
+			}
+		} else {
+			config, err = ctrl.GetConfig()
+			if err != nil {
+				return fmt.Errorf("failed to get kubeconfig: %w", err)
+			}
+		}
+
+		scheme := runtime.NewScheme()
+		utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+		utilruntime.Must(cozyv1alpha1.AddToScheme(scheme))
+
+		k8sClient, err := client.New(config, client.Options{Scheme: scheme})
+		if err != nil {
+			return fmt.Errorf("failed to create k8s client: %w", err)
+		}
+
+		// Delete each package
+		for packageName := range packageNames {
+			pkg := &cozyv1alpha1.Package{}
+			pkg.Name = packageName
+			if err := k8sClient.Delete(ctx, pkg); err != nil {
+				if client.IgnoreNotFound(err) == nil {
+					fmt.Fprintf(os.Stderr, "⚠ Package %s not found, skipping\n", packageName)
+					continue
+				}
+				return fmt.Errorf("failed to delete Package %s: %w", packageName, err)
+			}
+			fmt.Fprintf(os.Stderr, "✓ Deleted Package %s\n", packageName)
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(delCmd)
+	delCmd.Flags().StringArrayVarP(&delCmdFlags.files, "file", "f", []string{}, "Read packages from file or directory (can be specified multiple times)")
+	delCmd.Flags().StringVar(&delCmdFlags.kubeconfig, "kubeconfig", "", "Path to kubeconfig file (defaults to ~/.kube/config or KUBECONFIG env var)")
+}
+

cmd/cozypkg/cmd/dependencies.go

@@ -0,0 +1,300 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/emicklei/dot"
+	"github.com/spf13/cobra"
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+)
+
+var dotCmdFlags struct {
+	installed  bool
+	components bool
+	files      []string
+	kubeconfig string
+}
+
+var dotCmd = &cobra.Command{
+	Use:   "dot [package]...",
+	Short: "Generate dependency graph as graphviz DOT format",
+	Long: `Generate dependency graph as graphviz DOT format.
+
+Pipe the output through the "dot" program (part of graphviz package) to render the graph:
+
+    cozypkg dot | dot -Tpng > graph.png
+
+By default, shows dependencies for all PackageSource resources.
+Use --installed to show only installed Package resources.
+Specify packages as arguments or use -f flag to read from files.`,
+	Args: cobra.ArbitraryArgs,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx := context.Background()
+
+		// Collect package names from arguments and files
+		packageNames := make(map[string]bool)
+		for _, arg := range args {
+			packageNames[arg] = true
+		}
+
+		// Read packages from files (reuse function from add.go)
+		for _, filePath := range dotCmdFlags.files {
+			packages, err := readPackagesFromFile(filePath)
+			if err != nil {
+				return fmt.Errorf("failed to read packages from %s: %w", filePath, err)
+			}
+			for _, pkg := range packages {
+				packageNames[pkg] = true
+			}
+		}
+
+		// Convert to slice, empty means all packages
+		var selectedPackages []string
+		if len(packageNames) > 0 {
+			for pkg := range packageNames {
+				selectedPackages = append(selectedPackages, pkg)
+			}
+		}
+
+		// If multiple packages specified, show graph for all of them
+		// If single package, use packageName for backward compatibility
+		var packageName string
+		if len(selectedPackages) == 1 {
+			packageName = selectedPackages[0]
+		} else if len(selectedPackages) > 1 {
+			// Multiple packages - pass empty string to packageName, use selectedPackages
+			packageName = ""
+		}
+
+		// packagesOnly is inverse of components flag (if components=false, then packagesOnly=true)
+		packagesOnly := !dotCmdFlags.components
+		graph, allNodes, err := buildGraphFromCluster(ctx, dotCmdFlags.kubeconfig, packagesOnly, dotCmdFlags.installed, packageName, selectedPackages)
+		if err != nil {
+			return fmt.Errorf("error getting PackageSource dependencies: %w", err)
+		}
+
+		dotGraph := generateDOTGraph(graph, allNodes, packagesOnly)
+		dotGraph.Write(os.Stdout)
+
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(dotCmd)
+	dotCmd.Flags().BoolVarP(&dotCmdFlags.installed, "installed", "i", false, "show dependencies only for installed Package resources")
+	dotCmd.Flags().BoolVar(&dotCmdFlags.components, "components", true, "show component-level dependencies (default: true)")
+	dotCmd.Flags().StringArrayVarP(&dotCmdFlags.files, "file", "f", []string{}, "Read packages from file or directory (can be specified multiple times)")
+	dotCmd.Flags().StringVar(&dotCmdFlags.kubeconfig, "kubeconfig", "", "Path to kubeconfig file (defaults to ~/.kube/config or KUBECONFIG env var)")
+}
+
+var (
+	dependenciesScheme = runtime.NewScheme()
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(dependenciesScheme))
+	utilruntime.Must(cozyv1alpha1.AddToScheme(dependenciesScheme))
+}
+
+// buildGraphFromCluster builds a dependency graph from PackageSource resources in the cluster.
+func buildGraphFromCluster(ctx context.Context, kubeconfig string, packagesOnly bool, installedOnly bool, packageName string, selectedPackages []string) (map[string][]string, map[string]bool, error) {
+	// Create Kubernetes client config
+	var config *rest.Config
+	var err error
+
+	if kubeconfig != "" {
+		// Load kubeconfig from explicit path
+		config, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to load kubeconfig from %s: %w", kubeconfig, err)
+		}
+	} else {
+		// Use default kubeconfig loading (from env var or ~/.kube/config)
+		config, err = ctrl.GetConfig()
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to get kubeconfig: %w", err)
+		}
+	}
+
+	k8sClient, err := client.New(config, client.Options{Scheme: dependenciesScheme})
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create k8s client: %w", err)
+	}
+
+	// Get installed Packages if needed
+	installedPackages := make(map[string]bool)
+	if installedOnly || packageName != "" {
+		var packageList cozyv1alpha1.PackageList
+		if err := k8sClient.List(ctx, &packageList); err != nil {
+			return nil, nil, fmt.Errorf("failed to list Packages: %w", err)
+		}
+		for _, pkg := range packageList.Items {
+			installedPackages[pkg.Name] = true
+		}
+	}
+
+	// List all PackageSource resources
+	var packageSourceList cozyv1alpha1.PackageSourceList
+	if err := k8sClient.List(ctx, &packageSourceList); err != nil {
+		return nil, nil, fmt.Errorf("failed to list PackageSources: %w", err)
+	}
+
+	graph := make(map[string][]string)
+	allNodes := make(map[string]bool)
+
+	// Process each PackageSource
+	for _, ps := range packageSourceList.Items {
+		psName := ps.Name
+		if psName == "" {
+			continue
+		}
+
+		// Filter by package name if specified
+		if packageName != "" && psName != packageName {
+			continue
+		}
+
+		// Filter by selected packages if specified
+		if len(selectedPackages) > 0 {
+			found := false
+			for _, selected := range selectedPackages {
+				if psName == selected {
+					found = true
+					break
+				}
+			}
+			if !found {
+				continue
+			}
+		}
+
+		// Filter by installed packages if flag is set
+		if installedOnly && !installedPackages[psName] {
+			continue
+		}
+
+		allNodes[psName] = true
+
+		// Extract dependencies from variants
+		for _, variant := range ps.Spec.Variants {
+			// Variant-level dependencies
+			for _, dep := range variant.DependsOn {
+				// If installedOnly is set, only include dependencies that are installed
+				if installedOnly && !installedPackages[dep] {
+					continue
+				}
+				graph[psName] = append(graph[psName], dep)
+				allNodes[dep] = true
+			}
+
+			// Component-level dependencies
+			if !packagesOnly {
+				for _, component := range variant.Components {
+					componentName := fmt.Sprintf("%s.%s", psName, component.Name)
+					allNodes[componentName] = true
+
+					if component.Install != nil {
+						for _, dep := range component.Install.DependsOn {
+							// Check if it's a local component dependency or external
+							if strings.Contains(dep, ".") {
+								graph[componentName] = append(graph[componentName], dep)
+								allNodes[dep] = true
+							} else {
+								// Local component dependency
+								localDep := fmt.Sprintf("%s.%s", psName, dep)
+								graph[componentName] = append(graph[componentName], localDep)
+								allNodes[localDep] = true
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return graph, allNodes, nil
+}
+
+// generateDOTGraph generates a DOT graph from the dependency graph.
+func generateDOTGraph(graph map[string][]string, allNodes map[string]bool, packagesOnly bool) *dot.Graph {
+	g := dot.NewGraph(dot.Directed)
+	g.Attr("rankdir", "LR")
+	g.Attr("nodesep", "0.5")
+	g.Attr("ranksep", "1.0")
+
+	// Add nodes
+	for node := range allNodes {
+		if packagesOnly && strings.Contains(node, ".") && !strings.HasPrefix(node, "cozystack.") {
+			// Skip component nodes when packages-only is enabled
+			continue
+		}
+
+		n := g.Node(node)
+
+		// Style nodes based on type
+		if strings.Contains(node, ".") && !strings.HasPrefix(node, "cozystack.") {
+			// Component node
+			n.Attr("shape", "box")
+			n.Attr("style", "rounded,filled")
+			n.Attr("fillcolor", "lightyellow")
+			n.Attr("label", strings.Split(node, ".")[len(strings.Split(node, "."))-1])
+		} else {
+			// Package node
+			n.Attr("shape", "box")
+			n.Attr("style", "rounded,filled")
+			n.Attr("fillcolor", "lightblue")
+			n.Attr("label", node)
+		}
+	}
+
+	// Add edges
+	for source, targets := range graph {
+		if packagesOnly && strings.Contains(source, ".") && !strings.HasPrefix(source, "cozystack.") {
+			// Skip component edges when packages-only is enabled
+			continue
+		}
+
+		for _, target := range targets {
+			if packagesOnly && strings.Contains(target, ".") && !strings.HasPrefix(target, "cozystack.") {
+				// Skip component edges when packages-only is enabled
+				continue
+			}
+
+			// Only add edge if both nodes exist
+			if allNodes[source] && allNodes[target] {
+				g.Edge(g.Node(source), g.Node(target))
+			}
+		}
+	}
+
+	return g
+}
+

cmd/cozypkg/cmd/list.go

@@ -0,0 +1,201 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+)
+
+var listCmdFlags struct {
+	installed   bool
+	components  bool
+	kubeconfig  string
+}
+
+var listCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List PackageSource or Package resources",
+	Long: `List PackageSource or Package resources in table format.
+
+By default, lists PackageSource resources. Use --installed flag to list installed Package resources.
+Use --components flag to show components on separate lines.`,
+	Args: cobra.NoArgs,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx := context.Background()
+
+		// Create Kubernetes client config
+		var config *rest.Config
+		var err error
+
+		if listCmdFlags.kubeconfig != "" {
+			config, err = clientcmd.BuildConfigFromFlags("", listCmdFlags.kubeconfig)
+			if err != nil {
+				return fmt.Errorf("failed to load kubeconfig from %s: %w", listCmdFlags.kubeconfig, err)
+			}
+		} else {
+			config, err = ctrl.GetConfig()
+			if err != nil {
+				return fmt.Errorf("failed to get kubeconfig: %w", err)
+			}
+		}
+
+		scheme := runtime.NewScheme()
+		utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+		utilruntime.Must(cozyv1alpha1.AddToScheme(scheme))
+
+		k8sClient, err := client.New(config, client.Options{Scheme: scheme})
+		if err != nil {
+			return fmt.Errorf("failed to create k8s client: %w", err)
+		}
+
+		if listCmdFlags.installed {
+			return listPackages(ctx, k8sClient, listCmdFlags.components)
+		}
+		return listPackageSources(ctx, k8sClient, listCmdFlags.components)
+	},
+}
+
+func listPackageSources(ctx context.Context, k8sClient client.Client, showComponents bool) error {
+	var psList cozyv1alpha1.PackageSourceList
+	if err := k8sClient.List(ctx, &psList); err != nil {
+		return fmt.Errorf("failed to list PackageSources: %w", err)
+	}
+
+	// Print header
+	fmt.Fprintf(os.Stdout, "%-50s %-30s %-10s %s\n", "NAME", "VARIANTS", "READY", "STATUS")
+	fmt.Fprintf(os.Stdout, "%-50s %-30s %-10s %s\n", strings.Repeat("-", 50), strings.Repeat("-", 30), strings.Repeat("-", 10), strings.Repeat("-", 50))
+
+		// Print rows
+		for _, ps := range psList.Items {
+			// Get variants
+			var variants []string
+			for _, variant := range ps.Spec.Variants {
+				variants = append(variants, variant.Name)
+			}
+			variantsStr := strings.Join(variants, ",")
+			if len(variantsStr) > 28 {
+				variantsStr = variantsStr[:25] + "..."
+			}
+
+			// Get Ready condition
+			ready := "Unknown"
+			status := ""
+			for _, condition := range ps.Status.Conditions {
+				if condition.Type == "Ready" {
+					ready = string(condition.Status)
+					status = condition.Message
+					if len(status) > 48 {
+						status = status[:45] + "..."
+					}
+					break
+				}
+			}
+
+			fmt.Fprintf(os.Stdout, "%-50s %-30s %-10s %s\n", ps.Name, variantsStr, ready, status)
+
+			// Show components if requested
+			if showComponents {
+				for _, variant := range ps.Spec.Variants {
+					for _, component := range variant.Components {
+						fmt.Fprintf(os.Stdout, "  %-48s %-30s %-10s %s\n", 
+							fmt.Sprintf("%s.%s", ps.Name, component.Name), 
+							variant.Name, "", "")
+					}
+				}
+			}
+		}
+
+	return nil
+}
+
+func listPackages(ctx context.Context, k8sClient client.Client, showComponents bool) error {
+	var pkgList cozyv1alpha1.PackageList
+	if err := k8sClient.List(ctx, &pkgList); err != nil {
+		return fmt.Errorf("failed to list Packages: %w", err)
+	}
+
+	// Print header
+	fmt.Fprintf(os.Stdout, "%-50s %-20s %-10s %s\n", "NAME", "VARIANT", "READY", "STATUS")
+	fmt.Fprintf(os.Stdout, "%-50s %-20s %-10s %s\n", strings.Repeat("-", 50), strings.Repeat("-", 20), strings.Repeat("-", 10), strings.Repeat("-", 50))
+
+	// Print rows
+	for _, pkg := range pkgList.Items {
+		variant := pkg.Spec.Variant
+		if variant == "" {
+			variant = "default"
+		}
+
+		// Get Ready condition
+		ready := "Unknown"
+		status := ""
+		for _, condition := range pkg.Status.Conditions {
+			if condition.Type == "Ready" {
+				ready = string(condition.Status)
+				status = condition.Message
+				if len(status) > 48 {
+					status = status[:45] + "..."
+				}
+				break
+			}
+		}
+
+		fmt.Fprintf(os.Stdout, "%-50s %-20s %-10s %s\n", pkg.Name, variant, ready, status)
+
+		// Show components if requested
+		if showComponents {
+			// Get PackageSource to show components
+			ps := &cozyv1alpha1.PackageSource{}
+			if err := k8sClient.Get(ctx, client.ObjectKey{Name: pkg.Name}, ps); err == nil {
+				// Find the variant
+				for _, v := range ps.Spec.Variants {
+					if v.Name == variant {
+						for _, component := range v.Components {
+							fmt.Fprintf(os.Stdout, "  %-48s %-20s %-10s %s\n", 
+								fmt.Sprintf("%s.%s", pkg.Name, component.Name), 
+								variant, "", "")
+						}
+						break
+					}
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+func init() {
+	rootCmd.AddCommand(listCmd)
+	listCmd.Flags().BoolVarP(&listCmdFlags.installed, "installed", "i", false, "list installed Package resources instead of PackageSource resources")
+	listCmd.Flags().BoolVar(&listCmdFlags.components, "components", false, "show components on separate lines")
+	listCmd.Flags().StringVar(&listCmdFlags.kubeconfig, "kubeconfig", "", "Path to kubeconfig file (defaults to ~/.kube/config or KUBECONFIG env var)")
+}
+

cmd/cozypkg/cmd/root.go

@@ -0,0 +1,49 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+// rootCmd represents the base command when called without any subcommands.
+var rootCmd = &cobra.Command{
+	Use:               "cozypkg",
+	Short:             "A CLI for managing Cozystack packages",
+	Long:              ``,
+	SilenceErrors:     true,
+	SilenceUsage:      true,
+	DisableAutoGenTag: true,
+}
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the rootCmd.
+func Execute() error {
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Fprintln(os.Stderr, err.Error())
+		return err
+	}
+	return nil
+}
+
+func init() {
+	// Commands are registered in their respective init() functions
+}
+

cmd/cozypkg/main.go

@@ -1,4 +1,5 @@
-Copyright 2019 Paul Czarkowski <username.taken@gmail.com>
+/*
+Copyright 2025 The Cozystack Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -10,4 +11,20 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License.
+limitations under the License.
+*/
+
+package main
+
+import (
+	"os"
+
+	"github.com/cozystack/cozystack/cmd/cozypkg/cmd"
+)
+
+func main() {
+	if err := cmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
+

cmd/cozystack-controller/main.go

@@ -200,6 +200,22 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err = (&controller.TenantHelmReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "TenantHelmReconciler")
+		os.Exit(1)
+	}
+
+	if err = (&controller.CozystackConfigReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "CozystackConfigReconciler")
+		os.Exit(1)
+	}
+
 	cozyAPIKind := "DaemonSet"
 	if reconcileDeployment {
 		cozyAPIKind = "Deployment"
@@ -213,14 +229,6 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err = (&controller.CozystackResourceDefinitionHelmReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "CozystackResourceDefinitionHelmReconciler")
-		os.Exit(1)
-	}
-
 	dashboardManager := &dashboard.Manager{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),

cmd/cozystack-operator/main.go

@@ -0,0 +1,481 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcewatcherv1beta1 "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	"github.com/cozystack/cozystack/internal/fluxinstall"
+	"github.com/cozystack/cozystack/internal/operator"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+// stringSliceFlag is a custom flag type that allows multiple values
+type stringSliceFlag []string
+
+func (f *stringSliceFlag) String() string {
+	return strings.Join(*f, ",")
+}
+
+func (f *stringSliceFlag) Set(value string) error {
+	*f = append(*f, value)
+	return nil
+}
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+	utilruntime.Must(apiextensionsv1.AddToScheme(scheme))
+	utilruntime.Must(cozyv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(helmv2.AddToScheme(scheme))
+	utilruntime.Must(sourcev1.AddToScheme(scheme))
+	utilruntime.Must(sourcewatcherv1beta1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var installFlux bool
+	var cozystackVersion string
+	var installFluxResources stringSliceFlag
+	var platformSource string
+	var platformSourceName string
+
+	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", false,
+		"If set the metrics endpoint is served securely")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	flag.BoolVar(&installFlux, "install-flux", false, "Install Flux components before starting reconcile loop")
+	flag.Var(&installFluxResources, "install-flux-resource", "Install Flux resource (JSON format). Can be specified multiple times. Applied after Flux installation.")
+	flag.StringVar(&cozystackVersion, "cozystack-version", "unknown",
+		"Version of Cozystack")
+	flag.StringVar(&platformSource, "platform-source", "", "Platform source URL (oci:// or git://). If specified, generates OCIRepository or GitRepository resource.")
+	flag.StringVar(&platformSourceName, "platform-source-name", "cozystack-packages", "Name for the generated platform source resource (default: cozystack-packages)")
+
+	opts := zap.Options{
+		Development: true,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	config := ctrl.GetConfigOrDie()
+
+	// Start the controller manager
+	setupLog.Info("Starting controller manager")
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme: scheme,
+		Metrics: metricsserver.Options{
+			BindAddress:   metricsAddr,
+			SecureServing: secureMetrics,
+		},
+		WebhookServer: webhook.NewServer(webhook.Options{
+			Port: 9443,
+		}),
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "cozystack-operator.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, setting this significantly speeds up voluntary
+		// leader transitions as the new leader don't have to wait LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	// Install Flux before starting reconcile loop
+	if installFlux {
+		setupLog.Info("Installing Flux components before starting reconcile loop")
+		installCtx, installCancel := context.WithTimeout(context.Background(), 5*time.Minute)
+		defer installCancel()
+
+		// The namespace will be automatically extracted from the embedded manifests
+		if err := fluxinstall.Install(installCtx, mgr.GetClient(), fluxinstall.WriteEmbeddedManifests); err != nil {
+			setupLog.Error(err, "failed to install Flux, continuing anyway")
+			// Don't exit - allow operator to start even if Flux install fails
+			// This allows the operator to work in environments where Flux is already installed
+		} else {
+			setupLog.Info("Flux installation completed successfully")
+		}
+	}
+
+	// Install Flux resources after Flux installation
+	if len(installFluxResources) > 0 {
+		setupLog.Info("Installing Flux resources", "count", len(installFluxResources))
+		installCtx, installCancel := context.WithTimeout(context.Background(), 2*time.Minute)
+		defer installCancel()
+
+		if err := installFluxResourcesFunc(installCtx, mgr.GetClient(), installFluxResources); err != nil {
+			setupLog.Error(err, "failed to install Flux resources, continuing anyway")
+			// Don't exit - allow operator to start even if resource installation fails
+		} else {
+			setupLog.Info("Flux resources installation completed successfully")
+		}
+	}
+
+	// Generate and install platform source resource if specified
+	if platformSource != "" {
+		setupLog.Info("Generating platform source resource", "source", platformSource, "name", platformSourceName)
+		installCtx, installCancel := context.WithTimeout(context.Background(), 2*time.Minute)
+		defer installCancel()
+
+		if err := installPlatformSourceResource(installCtx, mgr.GetClient(), platformSource, platformSourceName); err != nil {
+			setupLog.Error(err, "failed to install platform source resource")
+			os.Exit(1)
+		} else {
+			setupLog.Info("Platform source resource installation completed successfully")
+		}
+	}
+
+	// Setup PackageSource reconciler
+	if err := (&operator.PackageSourceReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "PackageSource")
+		os.Exit(1)
+	}
+
+	// Setup Package reconciler
+	if err := (&operator.PackageReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Package")
+		os.Exit(1)
+	}
+
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("Starting controller manager")
+	mgrCtx := ctrl.SetupSignalHandler()
+	if err := mgr.Start(mgrCtx); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}
+
+// installFluxResourcesFunc installs Flux resources from JSON strings
+func installFluxResourcesFunc(ctx context.Context, k8sClient client.Client, resources []string) error {
+	logger := log.FromContext(ctx)
+
+	for i, resourceJSON := range resources {
+		logger.Info("Installing Flux resource", "index", i+1, "total", len(resources))
+
+		// Parse JSON into unstructured object
+		var obj unstructured.Unstructured
+		if err := json.Unmarshal([]byte(resourceJSON), &obj.Object); err != nil {
+			return fmt.Errorf("failed to parse resource JSON at index %d: %w", i, err)
+		}
+
+		// Validate that it has required fields
+		if obj.GetAPIVersion() == "" {
+			return fmt.Errorf("resource at index %d missing apiVersion", i)
+		}
+		if obj.GetKind() == "" {
+			return fmt.Errorf("resource at index %d missing kind", i)
+		}
+		if obj.GetName() == "" {
+			return fmt.Errorf("resource at index %d missing metadata.name", i)
+		}
+
+		// Apply the resource (create or update)
+		logger.Info("Applying Flux resource",
+			"apiVersion", obj.GetAPIVersion(),
+			"kind", obj.GetKind(),
+			"name", obj.GetName(),
+			"namespace", obj.GetNamespace(),
+		)
+
+		// Use server-side apply or create/update
+		existing := &unstructured.Unstructured{}
+		existing.SetGroupVersionKind(obj.GroupVersionKind())
+		key := client.ObjectKey{
+			Name:      obj.GetName(),
+			Namespace: obj.GetNamespace(),
+		}
+
+		err := k8sClient.Get(ctx, key, existing)
+		if err != nil {
+			if client.IgnoreNotFound(err) == nil {
+				// Resource doesn't exist, create it
+				if err := k8sClient.Create(ctx, &obj); err != nil {
+					return fmt.Errorf("failed to create resource %s/%s: %w", obj.GetKind(), obj.GetName(), err)
+				}
+				logger.Info("Created Flux resource", "kind", obj.GetKind(), "name", obj.GetName())
+			} else {
+				return fmt.Errorf("failed to check if resource exists: %w", err)
+			}
+		} else {
+			// Resource exists, update it
+			obj.SetResourceVersion(existing.GetResourceVersion())
+			if err := k8sClient.Update(ctx, &obj); err != nil {
+				return fmt.Errorf("failed to update resource %s/%s: %w", obj.GetKind(), obj.GetName(), err)
+			}
+			logger.Info("Updated Flux resource", "kind", obj.GetKind(), "name", obj.GetName())
+		}
+	}
+
+	return nil
+}
+
+// installPlatformSourceResource generates and installs a Flux source resource (OCIRepository or GitRepository)
+// based on the platform source URL
+func installPlatformSourceResource(ctx context.Context, k8sClient client.Client, sourceURL, resourceName string) error {
+	logger := log.FromContext(ctx)
+
+	// Parse the source URL to determine type
+	sourceType, repoURL, ref, err := parsePlatformSource(sourceURL)
+	if err != nil {
+		return fmt.Errorf("failed to parse platform source URL: %w", err)
+	}
+
+	var obj *unstructured.Unstructured
+	switch sourceType {
+	case "oci":
+		obj, err = generateOCIRepository(resourceName, repoURL, ref)
+		if err != nil {
+			return fmt.Errorf("failed to generate OCIRepository: %w", err)
+		}
+	case "git":
+		obj, err = generateGitRepository(resourceName, repoURL, ref)
+		if err != nil {
+			return fmt.Errorf("failed to generate GitRepository: %w", err)
+		}
+	default:
+		return fmt.Errorf("unsupported source type: %s (expected oci:// or git://)", sourceType)
+	}
+
+	// Apply the resource (create or update)
+	logger.Info("Applying platform source resource",
+		"apiVersion", obj.GetAPIVersion(),
+		"kind", obj.GetKind(),
+		"name", obj.GetName(),
+		"namespace", obj.GetNamespace(),
+	)
+
+	existing := &unstructured.Unstructured{}
+	existing.SetGroupVersionKind(obj.GroupVersionKind())
+	key := client.ObjectKey{
+		Name:      obj.GetName(),
+		Namespace: obj.GetNamespace(),
+	}
+
+	err = k8sClient.Get(ctx, key, existing)
+	if err != nil {
+		if client.IgnoreNotFound(err) == nil {
+			// Resource doesn't exist, create it
+			if err := k8sClient.Create(ctx, obj); err != nil {
+				return fmt.Errorf("failed to create resource %s/%s: %w", obj.GetKind(), obj.GetName(), err)
+			}
+			logger.Info("Created platform source resource", "kind", obj.GetKind(), "name", obj.GetName())
+		} else {
+			return fmt.Errorf("failed to check if resource exists: %w", err)
+		}
+	} else {
+		// Resource exists, update it
+		obj.SetResourceVersion(existing.GetResourceVersion())
+		if err := k8sClient.Update(ctx, obj); err != nil {
+			return fmt.Errorf("failed to update resource %s/%s: %w", obj.GetKind(), obj.GetName(), err)
+		}
+		logger.Info("Updated platform source resource", "kind", obj.GetKind(), "name", obj.GetName())
+	}
+
+	return nil
+}
+
+// parsePlatformSource parses the source URL and returns the type, repository URL, and reference
+// Supports formats:
+//   - oci://registry.example.com/repo@sha256:digest
+//   - oci://registry.example.com/repo (ref will be empty)
+//   - git://github.com/user/repo@branch
+//   - git://github.com/user/repo (ref will default to "main")
+//   - https://github.com/user/repo@branch (treated as git)
+func parsePlatformSource(sourceURL string) (sourceType, repoURL, ref string, err error) {
+	// Normalize the URL by trimming whitespace
+	sourceURL = strings.TrimSpace(sourceURL)
+
+	// Check for oci:// prefix
+	if strings.HasPrefix(sourceURL, "oci://") {
+		// Remove oci:// prefix
+		rest := strings.TrimPrefix(sourceURL, "oci://")
+
+		// Check for @sha256: digest (look for @ followed by sha256:)
+		// We need to find the last @ before sha256: to handle paths with @ symbols
+		sha256Idx := strings.Index(rest, "@sha256:")
+		if sha256Idx != -1 {
+			repoURL = "oci://" + rest[:sha256Idx]
+			ref = rest[sha256Idx+1:] // sha256:digest
+		} else {
+			// Check for @ without sha256: (might be a tag)
+			if atIdx := strings.LastIndex(rest, "@"); atIdx != -1 {
+				// Could be a tag, but for OCI we expect sha256: digest
+				// For now, treat everything after @ as the ref
+				repoURL = "oci://" + rest[:atIdx]
+				ref = rest[atIdx+1:]
+			} else {
+				repoURL = "oci://" + rest
+				ref = "" // No digest specified
+			}
+		}
+		return "oci", repoURL, ref, nil
+	}
+
+	// Check for git:// prefix or treat as git for http/https
+	if strings.HasPrefix(sourceURL, "git://") || strings.HasPrefix(sourceURL, "http://") || strings.HasPrefix(sourceURL, "https://") || strings.HasPrefix(sourceURL, "ssh://") {
+		// Parse URL to extract ref if present
+		parsedURL, err := url.Parse(sourceURL)
+		if err != nil {
+			return "", "", "", fmt.Errorf("invalid URL: %w", err)
+		}
+
+		// Check for @ref in the path (e.g., git://host/path@branch)
+		path := parsedURL.Path
+		if idx := strings.LastIndex(path, "@"); idx != -1 {
+			repoURL = fmt.Sprintf("%s://%s%s", parsedURL.Scheme, parsedURL.Host, path[:idx])
+			if parsedURL.RawQuery != "" {
+				repoURL += "?" + parsedURL.RawQuery
+			}
+			ref = path[idx+1:]
+		} else {
+			// Default to main branch if no ref specified
+			repoURL = sourceURL
+			ref = "main"
+		}
+
+		// Normalize git:// to https:// for GitRepository
+		if strings.HasPrefix(repoURL, "git://") {
+			repoURL = strings.Replace(repoURL, "git://", "https://", 1)
+		}
+
+		return "git", repoURL, ref, nil
+	}
+
+	return "", "", "", fmt.Errorf("unsupported source URL scheme (expected oci:// or git://): %s", sourceURL)
+}
+
+// generateOCIRepository creates an OCIRepository resource
+func generateOCIRepository(name, repoURL, digest string) (*unstructured.Unstructured, error) {
+	obj := &unstructured.Unstructured{}
+	obj.SetAPIVersion("source.toolkit.fluxcd.io/v1")
+	obj.SetKind("OCIRepository")
+	obj.SetName(name)
+	obj.SetNamespace("cozy-system")
+
+	spec := map[string]interface{}{
+		"interval": "5m0s",
+		"url":      repoURL,
+	}
+
+	if digest != "" {
+		// Ensure digest starts with sha256:
+		if !strings.HasPrefix(digest, "sha256:") {
+			digest = "sha256:" + digest
+		}
+		spec["ref"] = map[string]interface{}{
+			"digest": digest,
+		}
+	}
+
+	if err := unstructured.SetNestedField(obj.Object, spec, "spec"); err != nil {
+		return nil, fmt.Errorf("failed to set spec: %w", err)
+	}
+
+	return obj, nil
+}
+
+// generateGitRepository creates a GitRepository resource
+func generateGitRepository(name, repoURL, ref string) (*unstructured.Unstructured, error) {
+	obj := &unstructured.Unstructured{}
+	obj.SetAPIVersion("source.toolkit.fluxcd.io/v1")
+	obj.SetKind("GitRepository")
+	obj.SetName(name)
+	obj.SetNamespace("cozy-system")
+
+	spec := map[string]interface{}{
+		"interval": "5m0s",
+		"url":      repoURL,
+		"ref": map[string]interface{}{
+			"branch": ref,
+		},
+	}
+
+	if err := unstructured.SetNestedField(obj.Object, spec, "spec"); err != nil {
+		return nil, fmt.Errorf("failed to set spec: %w", err)
+	}
+
+	return obj, nil
+}

docs/agents/changelog.md

@@ -22,7 +22,7 @@ When the user asks to generate a changelog, follow these steps in the specified
 - [ ] Step 5: Get the list of commits for the release period
 - [ ] Step 6: Check additional repositories (website is REQUIRED, optional repos if tags exist)
   - [ ] **MANDATORY**: Check website repository for documentation changes WITH authors and PR links via GitHub CLI
-  - [ ] **MANDATORY**: Check ALL optional repositories (talm, boot-to-talos, cozyhr, cozy-proxy) for tags during release period
+  - [ ] **MANDATORY**: Check ALL optional repositories (talm, boot-to-talos, cozypkg, cozy-proxy) for tags during release period
   - [ ] **MANDATORY**: For ALL commits from additional repos, get GitHub username via CLI, prioritizing PR author over commit author.
 - [ ] Step 7: Analyze commits (extract PR numbers, authors, user impact)
   - [ ] **MANDATORY**: For EVERY PR in main repo, get PR author via `gh pr view <PR_NUMBER> --json author --jq .author.login` (do NOT skip this step)
@@ -146,7 +146,7 @@ Cozystack release may include changes from related repositories. Check and inclu
 **Optional repositories (MUST check ALL of them for tags during release period):**
 - [https://github.com/cozystack/talm](https://github.com/cozystack/talm)
 - [https://github.com/cozystack/boot-to-talos](https://github.com/cozystack/boot-to-talos)
-- [https://github.com/cozystack/cozyhr](https://github.com/cozystack/cozyhr)
+- [https://github.com/cozystack/cozypkg](https://github.com/cozystack/cozypkg)
 - [https://github.com/cozystack/cozy-proxy](https://github.com/cozystack/cozy-proxy)
 
 **⚠️ IMPORTANT**: You MUST check ALL optional repositories for tags created during the release period. Do NOT skip this step even if you think there might not be any tags. Use the process below to verify.
@@ -195,7 +195,7 @@ Cozystack release may include changes from related repositories. Check and inclu
 
 3. **For optional repositories, check if tags exist during release period:**
 
-   **⚠️ MANDATORY: You MUST check ALL optional repositories (talm, boot-to-talos, cozyhr, cozy-proxy). Do NOT skip any repository!**
+   **⚠️ MANDATORY: You MUST check ALL optional repositories (talm, boot-to-talos, cozypkg, cozy-proxy). Do NOT skip any repository!**
 
    **Use the helper script:**
    ```bash
@@ -208,7 +208,7 @@ Cozystack release may include changes from related repositories. Check and inclu
    ```
    
    The script will:
-   - Check ALL optional repositories (talm, boot-to-talos, cozyhr, cozy-proxy)
+   - Check ALL optional repositories (talm, boot-to-talos, cozypkg, cozy-proxy)
    - Look for tags created during the release period
    - Get commits between tags (if tags exist) or by date range (if no tags)
    - Extract PR numbers from commit messages
@@ -569,7 +569,7 @@ Create a new changelog file in the format matching previous versions:
 - [ ] Step 5 completed: **ALL commits included** (including merge commits and backports) - do not skip any commits
 - [ ] Step 5 completed: **Backports identified and handled correctly** - original PR author used, both original and backport PR numbers included
 - [ ] Step 6 completed: Website repository checked for documentation changes WITH authors and PR links via GitHub CLI
-- [ ] Step 6 completed: **ALL** optional repositories (talm, boot-to-talos, cozyhr, cozy-proxy) checked for tags during release period
+- [ ] Step 6 completed: **ALL** optional repositories (talm, boot-to-talos, cozypkg, cozy-proxy) checked for tags during release period
 - [ ] Step 6 completed: For ALL commits from additional repos, GitHub username obtained via GitHub CLI (not skipped). For commits with PR numbers, PR author used via `gh pr view` (not commit author)
 - [ ] Step 7 completed: For EVERY PR in main repo (including backports), PR author obtained via `gh pr view <PR_NUMBER> --json author --jq .author.login` (not skipped or assumed). Commit author NOT used - always use PR author
 - [ ] Step 7 completed: **Backports verified** - for each backport PR, original PR found and original PR author used in changelog
@@ -628,7 +628,7 @@ Save the changelog to file `docs/changelogs/v<version>.md` according to the vers
 
 - **Additional repositories (Step 6) - MANDATORY**: 
   - **⚠️ CRITICAL**: Always check the **website** repository for documentation changes during the release period. This is a required step and MUST NOT be skipped.
-  - **⚠️ CRITICAL**: You MUST check ALL optional repositories (talm, boot-to-talos, cozyhr, cozy-proxy) for tags during the release period. Do NOT skip any repository even if you think there might not be tags.
+  - **⚠️ CRITICAL**: You MUST check ALL optional repositories (talm, boot-to-talos, cozypkg, cozy-proxy) for tags during the release period. Do NOT skip any repository even if you think there might not be tags.
   - **CRITICAL**: For ALL entries from additional repositories (website and optional), you MUST:
     - **MANDATORY**: Extract PR number from commit message first
     - **MANDATORY**: For commits with PR numbers, ALWAYS use `gh pr view <PR_NUMBER> --repo cozystack/<repo> --json author --jq .author.login` to get PR author (not commit author)
@@ -637,7 +637,7 @@ Save the changelog to file `docs/changelogs/v<version>.md` according to the vers
     - **MANDATORY**: Do NOT use commit author for PRs - always use PR author
     - Include PR link or commit hash reference
     - Format: `* **[repo] Description**: details ([**@username**](https://github.com/username) in cozystack/repo#123)`
-  - For **optional repositories** (talm, boot-to-talos, cozyhr, cozy-proxy), you MUST check ALL of them for tags during the release period. Use the loop provided in Step 6 to check each repository systematically.
+  - For **optional repositories** (talm, boot-to-talos, cozypkg, cozy-proxy), you MUST check ALL of them for tags during the release period. Use the loop provided in Step 6 to check each repository systematically.
   - When including changes from additional repositories, use the format: `[repo-name] Description` and link to the repository's PR/issue if available
   - **Prefer PR numbers over commit hashes**: For commits from additional repositories, extract PR number from commit message using GitHub API. Use PR format (`cozystack/website#123`) instead of commit hash (`cozystack/website@abc1234`) when available
   - **Never add entries without author and PR/commit reference**: Every entry from additional repositories must have both author and link

docs/agents/contributing.md

@@ -155,91 +155,6 @@ git diff
 
 The user will commit and push when ready.
 
-## Code Review Comments
-
-When asked to fix code review comments, **always work only with unresolved (open) comments**. Resolved comments should be ignored as they have already been addressed.
-
-### Getting Unresolved Review Comments
-
-Use GitHub GraphQL API to fetch only unresolved review comments from a pull request:
-
-```bash
-gh api graphql -F owner=cozystack -F repo=cozystack -F pr=<PR_NUMBER> -f query='
-query($owner: String!, $repo: String!, $pr: Int!) {
-  repository(owner: $owner, name: $repo) {
-    pullRequest(number: $pr) {
-      reviewThreads(first: 100) {
-        nodes {
-          isResolved
-          comments(first: 100) {
-            nodes {
-              id
-              path
-              line
-              author { login }
-              bodyText
-              url
-              createdAt
-            }
-          }
-        }
-      }
-    }
-  }
-}' --jq '.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false) | .comments.nodes[]'
-```
-
-### Filtering for Unresolved Comments
-
-The key filter is `select(.isResolved == false)` which ensures only unresolved review threads are processed. Each thread can contain multiple comments, but if the thread is resolved, all its comments should be ignored.
-
-### Working with Review Comments
-
-1. **Fetch unresolved comments** using the GraphQL query above
-2. **Parse the results** to identify:
-   - File path (`path`)
-   - Line number (`line` or `originalLine`)
-   - Comment text (`bodyText`)
-   - Author (`author.login`)
-3. **Address each unresolved comment** by:
-   - Locating the relevant code section
-   - Making the requested changes
-   - Ensuring the fix addresses the concern raised
-4. **Do NOT process resolved comments** - they have already been handled
-
-### Example: Compact List of Unresolved Comments
-
-For a quick overview of unresolved comments:
-
-```bash
-gh api graphql -F owner=cozystack -F repo=cozystack -F pr=<PR_NUMBER> -f query='
-query($owner: String!, $repo: String!, $pr: Int!) {
-  repository(owner: $owner, name: $repo) {
-    pullRequest(number: $pr) {
-      reviewThreads(first: 100) {
-        nodes {
-          isResolved
-          comments(first: 100) {
-            nodes {
-              path
-              line
-              author { login }
-              bodyText
-            }
-          }
-        }
-      }
-    }
-  }
-}' --jq '.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false) | .comments.nodes[] | "\(.path):\(.line // "N/A") - \(.author.login): \(.bodyText[:150])"'
-```
-
-### Important Notes
-
-- **REST API limitation**: The REST endpoint `/pulls/{pr}/reviews` returns review summaries, not individual review comments. Use GraphQL API for accessing `reviewThreads` with `isResolved` status.
-- **Thread-based resolution**: Comments are organized in threads. If a thread is resolved (`isResolved: true`), ignore all comments in that thread.
-- **Always filter**: Never process comments from resolved threads, even if they appear in the results.
-
 ### Example Workflow
 
 ```bash

docs/agents/overview.md

@@ -10,7 +10,7 @@ Cozystack is an open-source Kubernetes-based platform and framework for building
 - **Multi-tenancy**: Full isolation and self-service for tenants
 - **GitOps-driven**: FluxCD-based continuous delivery
 - **Modular Architecture**: Extensible with custom packages and services
-- **Developer Experience**: Simplified local development with cozyhr tool
+- **Developer Experience**: Simplified local development with cozypkg tool
 
 The platform exposes infrastructure services via the Kubernetes API with ready-made configs, built-in monitoring, and alerts.
 

docs/changelogs/v0.36.2.md

@@ -5,13 +5,10 @@ https://github.com/cozystack/cozystack/releases/tag/v0.36.2
 
 ## Features and Improvements
 
-* [vm-disk] New SVG icon for VM disk application. (@kvaps and @kvapsova in https://github.com/cozystack/cozystack/pull/1435)
+## Security
 
 ## Fixes
 
-* [kubernetes] Pin CoreDNS image tag to v1.12.4 for consistent, reproducible deployments. (@kvaps in https://github.com/cozystack/cozystack/pull/1469)
-* [dashboard] Fix FerretDB spec typo that prevented deploy/display in the web UI. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1440)
-
 ## Dependencies
 
 ## Development, Testing, and CI/CD

docs/changelogs/v0.38.3.md

@@ -1,14 +0,0 @@
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.38.3
--->
-
-## Improvements
-
-* **[core:installer] Address buildx warnings for installer image builds**: Aligns Dockerfile syntax casing to remove buildx warnings, keeping installer builds clean ([**@nbykov0**](https://github.com/nbykov0) in #1682).
-* **[system:coredns] Align CoreDNS app labels with Talos defaults**: Matches CoreDNS labels to Talos conventions so services select pods consistently across platform and tenant clusters ([**@nbykov0**](https://github.com/nbykov0) in #1675).
-* **[system:monitoring-agents] Rename CoreDNS metrics service to avoid conflicts**: Renames the metrics service so it no longer clashes with the CoreDNS service used for name resolution in tenant clusters ([**@nbykov0**](https://github.com/nbykov0) in #1676).
-
----
-
-**Full Changelog**: [v0.38.2...v0.38.3](https://github.com/cozystack/cozystack/compare/v0.38.2...v0.38.3)
-

docs/changelogs/v0.38.4.md

@@ -1,18 +0,0 @@
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.38.4
--->
-
-## Fixes
-
-* **[linstor] Update piraeus-operator v2.10.2 to handle fsck checks reliably**: Upgrades LINSTOR CSI to avoid failed mounts when fsck sees mounted volumes, improving volume publish reliability ([**@kvaps**](https://github.com/kvaps) in #1689, #1697).
-* **[dashboard] Nest CustomFormsOverride properties under spec.properties**: Fixes schema generation so custom form properties are placed under `spec.properties`, preventing mis-rendered or missing form fields ([**@kvaps**](https://github.com/kvaps) in #1692, #1700).
-* **[virtual-machine] Guard PVC resize to only expand storage**: Ensures resize jobs run only when storage size increases, avoiding unintended shrink attempts during VM updates ([**@kvaps**](https://github.com/kvaps) in #1688, #1701).
-
-## Documentation
-
-* **[website] Clarify GPU check command**: Makes the kubectl command for validating GPU binding more explicit, including namespace context ([**@nbykov0**](https://github.com/nbykov0) in cozystack/website#379).
-
----
-
-**Full Changelog**: [v0.38.3...v0.38.4](https://github.com/cozystack/cozystack/compare/v0.38.3...v0.38.4)
-

docs/changelogs/v0.39.0.md

@@ -1,95 +0,0 @@
-# Cozystack v0.39 — "Enhanced Networking & Monitoring"
-
-This release introduces topology-aware routing for Cilium services, automatic pod rollouts on configuration changes, improved monitoring capabilities, and numerous bug fixes and improvements across the platform.
-
-## Highlights
-
-* **Topology-Aware Routing**: Enabled topology-aware routing for Cilium services, improving traffic distribution and reducing latency by routing traffic to endpoints in the same zone when possible ([**@nbykov0**](https://github.com/nbykov0) in #1734).
-* **Automatic Pod Rollouts**: Cilium and Cilium operator pods now automatically restart when configuration changes, ensuring configuration updates are applied immediately ([**@kvaps**](https://github.com/kvaps) in #1728).
-* **Windows VM Scheduling**: Added nodeAffinity configuration for Windows VMs based on scheduling config, enabling dedicated nodes for Windows workloads ([**@kvaps**](https://github.com/kvaps) in #1693).
-* **SeaweedFS Updates**: Updated to SeaweedFS v4.02 with improved S3 daemon performance and fixes ([**@kvaps**](https://github.com/kvaps) in #1725).
-
----
-
-## Major Features and Improvements
-
-### Networking
-
-* **[system/cilium] Enable topology-aware routing for services**: Enabled topology-aware routing for services, improving traffic distribution and reducing latency by routing traffic to endpoints in the same zone when possible. This feature helps optimize network performance in multi-zone deployments ([**@nbykov0**](https://github.com/nbykov0) in #1734).
-* **[cilium] Enable automatic pod rollout on configmap updates**: Cilium and Cilium operator pods now automatically restart when the cilium-config ConfigMap is updated, ensuring configuration changes are applied immediately without manual intervention ([**@kvaps**](https://github.com/kvaps) in #1728).
-
-### Virtual Machines
-
-* **[virtual-machine,vm-instance] Add nodeAffinity for Windows VMs based on scheduling config**: Added nodeAffinity configuration to virtual-machine and vm-instance charts to support dedicated nodes for Windows VMs. When `dedicatedNodesForWindowsVMs` is enabled in the `cozystack-scheduling` ConfigMap, Windows VMs are scheduled on nodes with label `scheduling.cozystack.io/vm-windows=true`, while non-Windows VMs prefer nodes without this label ([**@kvaps**](https://github.com/kvaps) in #1693).
-
-### Storage
-
-* **Update SeaweedFS v4.02**: Updated SeaweedFS to version 4.02 with improved performance for S3 daemon and fixes for known issues. This update includes better S3 compatibility and performance improvements ([**@kvaps**](https://github.com/kvaps) in #1725).
-
-### Tools
-
-* **[talm] feat(init)!: require --name flag for cluster name**: Breaking change: The `talm init` command now requires the `--name` flag to specify the cluster name. This ensures consistent cluster naming and prevents accidental initialization without a name ([**@lexfrei**](https://github.com/lexfrei) in cozystack/talm#86).
-* **[talm] feat(template): preserve extra YAML documents in output**: Templates now preserve extra YAML documents in the output, allowing for more flexible template processing ([**@lexfrei**](https://github.com/lexfrei) in cozystack/talm#87).
-* **[talm] feat: add directory expansion for -f flag**: Added directory expansion support for the `-f` flag, allowing users to specify directories instead of individual files ([**@kvaps**](https://github.com/kvaps) in cozystack/talm@ca5713e).
-* **[talm] Introduce automatic root detection**: Added automatic root detection logic to simplify talm usage and reduce manual configuration ([**@kvaps**](https://github.com/kvaps) in cozystack/talm@d165162).
-* **[talm] Introduce talm kubeconfig --login command**: Added new `talm kubeconfig --login` command for easier kubeconfig management ([**@kvaps**](https://github.com/kvaps) in cozystack/talm@5f7e05b).
-* **[talm] Introduce encryption**: Added encryption support to talm for secure configuration management ([**@kvaps**](https://github.com/kvaps) in cozystack/talm#81).
-* **[talm] Replace code-generation with wrapper on talosctl**: Refactored talm to use a wrapper on talosctl instead of code generation, simplifying the codebase and improving maintainability ([**@kvaps**](https://github.com/kvaps) in cozystack/talm#80).
-* **[talm] Use go embed instead of code generation**: Migrated from code generation to go embed for better build performance and simpler dependency management ([**@kvaps**](https://github.com/kvaps) in cozystack/talm#79).
-* **[boot-to-talos] Cozystack: Update Talos Linux v1.11.3**: Updated boot-to-talos to use Talos Linux v1.11.3 ([**@kvaps**](https://github.com/kvaps) in cozystack/boot-to-talos#7).
-
-## Improvements
-
-* **[seaweedfs] Extended CA certificate duration to reduce disruptive CA rotations**: Extended CA certificate duration to reduce disruptive CA rotations, improving long-term certificate management and reducing operational overhead ([**@IvanHunters**](https://github.com/IvanHunters) in #1657).
-* **[dashboard] Add config hash annotations to restart pods on config changes**: Added config hash annotations to dashboard deployment templates to ensure pods are automatically restarted when their configuration changes, ensuring configuration updates are applied immediately ([**@kvaps**](https://github.com/kvaps) in #1662).
-* **[tenant][kubernetes] Introduce better cleanup logic**: Improved cleanup logic for tenant Kubernetes resources, ensuring proper resource cleanup when tenants are deleted or updated. Added automated pre-delete cleanup job for tenant namespaces to remove tenant-related releases during uninstall ([**@kvaps**](https://github.com/kvaps) in #1661).
-* **[system:coredns] update coredns app labels to match Talos coredns labels**: Updated coredns app labels to match Talos coredns labels, ensuring consistency across the platform ([**@nbykov0**](https://github.com/nbykov0) in #1675).
-* **[system:monitoring-agents] rename coredns metrics service**: Renamed coredns metrics service to avoid interference with coredns service used for name resolution in tenant k8s clusters ([**@nbykov0**](https://github.com/nbykov0) in #1676).
-* **[core:installer] Address buildx warnings**: Fixed Dockerfile syntax warnings from buildx, ensuring clean builds without warnings ([**@nbykov0**](https://github.com/nbykov0) in #1682).
-* **[talm] Refactor root detection logic into single file**: Improved code organization by consolidating root detection logic into a single file ([**@kvaps**](https://github.com/kvaps) in cozystack/talm@487b479).
-* **[talm] Refactor init logic, better upgrade**: Improved initialization logic and upgrade process for better reliability ([**@kvaps**](https://github.com/kvaps) in cozystack/talm@c512777).
-* **[talm] Sugar for kubeconfig command**: Added convenience features to the kubeconfig command for improved usability ([**@kvaps**](https://github.com/kvaps) in cozystack/talm@a4010b3).
-* **[talm] wrap upgrade command**: Wrapped upgrade command for better integration and error handling ([**@kvaps**](https://github.com/kvaps) in cozystack/talm@2e1afbf).
-* **[talm] docs(readme): add Homebrew installation option**: Added Homebrew installation option to the README for easier installation on macOS ([**@lexfrei**](https://github.com/lexfrei) in cozystack/talm@12bd4f2).
-* **[talm] cozystack: disable nodeCIDRs allocation**: Disabled nodeCIDRs allocation in talm for better network configuration control ([**@kvaps**](https://github.com/kvaps) in cozystack/talm#82).
-* **[talm] Update license to Apache2.0**: Updated license to Apache 2.0 for better compatibility and clarity ([**@kvaps**](https://github.com/kvaps) in cozystack/talm@eda1032).
-
-## Fixes
-
-* **[apps] Refactor apiserver to use typed objects and fix UnstructuredList GVK**: Refactored the apiserver REST handlers to use typed objects (`appsv1alpha1.Application`) instead of `unstructured.Unstructured`, eliminating the need for runtime conversions and simplifying the codebase. Additionally, fixed an issue where `UnstructuredList` objects were using the first registered kind from `typeToGVK` instead of the kind from the object's field when multiple kinds are registered with the same Go type. This fix includes the upstream fix from kubernetes/kubernetes#135537 ([**@kvaps**](https://github.com/kvaps) in #1679).
-* **[dashboard] Fix CustomFormsOverride schema to nest properties under spec.properties**: Fixed the logic for generating CustomFormsOverride schema to properly nest properties under `spec.properties` instead of directly under `properties`, ensuring correct form schema generation ([**@kvaps**](https://github.com/kvaps) in #1692).
-* **[virtual-machine] Improve check for resizing job**: Improved storage resize logic to only expand persistent volume claims when storage is being increased, preventing unintended storage reduction operations. Added validation to accurately compare current and desired storage sizes before triggering resize operations ([**@kvaps**](https://github.com/kvaps) in #1688).
-* **[linstor] Update piraeus-operator v2.10.2**: Updated LINSTOR CSI to fix issues with the new fsck behaviour, resolving mount failures when fsck attempts to run on mounted devices ([**@kvaps**](https://github.com/kvaps) in #1689).
-* **[api] Revert dynamic list kinds representation fix (fixes namespace deletion regression)**: Reverted changes from #1630 that caused a regression affecting namespace deletion and upgrades from previous versions. The regression caused namespace deletion failures with errors like "content is not a list: []unstructured.Unstructured" during namespace finalization. This revert restores compatibility with namespace deletion controller and fixes upgrade issues from previous versions ([**@kvaps**](https://github.com/kvaps) in #1677).
-* **[talm] fix: normalize template paths for Windows compatibility**: Fixed template path handling to ensure Windows compatibility by normalizing paths ([**@lexfrei**](https://github.com/lexfrei) in cozystack/talm#88).
-
-## Dependencies
-
-* **Update SeaweedFS v4.02**: Updated SeaweedFS to version 4.02 ([**@kvaps**](https://github.com/kvaps) in #1725).
-* **[linstor] Update piraeus-operator v2.10.2**: Updated piraeus-operator to version 2.10.2 ([**@kvaps**](https://github.com/kvaps) in #1689).
-* **[talm] Cozystack: Update Talos Linux v1.11.3**: Updated talm to use Talos Linux v1.11.3 ([**@kvaps**](https://github.com/kvaps) in cozystack/talm#83).
-
-## Documentation
-
-* **[website] Add article: Talm v0.17: Built-in Age Encryption for Secrets Management**: Added comprehensive blog post announcing Talm v0.17 and its built-in age-based encryption for secrets. Covers initial setup and key generation, encryption/decryption workflows, idempotent encryption behavior, automatic .gitignore handling, file permission safeguards, security best practices, and guidance for GitOps and CI/CD integration ([**@kvaps**](https://github.com/kvaps) in [cozystack/website#384](https://github.com/cozystack/website/pull/384)).
-* **[website] docs(talm): update talm init syntax for mandatory --preset and --name flags**: Updated documentation to reflect breaking changes in talm, adding mandatory `--preset` and `--name` flags to the talm init command ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#386).
-
----
-
-## Contributors
-
-We'd like to thank all contributors who made this release possible:
-
-* [**@IvanHunters**](https://github.com/IvanHunters)
-* [**@kvaps**](https://github.com/kvaps)
-* [**@lexfrei**](https://github.com/lexfrei)
-* [**@nbykov0**](https://github.com/nbykov0)
-
----
-
-**Full Changelog**: [v0.38.0...v0.39.0](https://github.com/cozystack/cozystack/compare/v0.38.0...v0.39.0)
-
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.39.0
--->
-

docs/changelogs/v0.39.1.md

@@ -1,12 +0,0 @@
-<!--
-https://github.com/cozystack/cozystack/releases/tag/v0.39.1
--->
-
-## Features and Improvements
-
-* **[monitoring] Add SLACK_SEVERITY_FILTER field and VMAgent for tenant monitoring**: Introduced the SLACK_SEVERITY_FILTER environment variable in the Alerta deployment to enable filtering of alert severities for Slack notifications based on the disabledSeverity configuration. Additionally, added a VMAgent resource template for scraping metrics within tenant namespaces, improving monitoring granularity and control. This enhancement allows administrators to configure which alert severities are sent to Slack and enables tenant-specific metrics collection for better observability ([**@IvanHunters**](https://github.com/IvanHunters) in #1712).
-
----
-
-**Full Changelog**: [v0.39.0...v0.39.1](https://github.com/cozystack/cozystack/compare/v0.39.0...v0.39.1)
-

go.mod

@@ -5,7 +5,10 @@ module github.com/cozystack/cozystack
 go 1.25.0
 
 require (
+	github.com/emicklei/dot v1.10.0
 	github.com/fluxcd/helm-controller/api v1.4.3
+	github.com/fluxcd/source-controller/api v1.6.2
+	github.com/fluxcd/source-watcher/api/v2 v2.0.2
 	github.com/go-logr/logr v1.4.3
 	github.com/go-logr/zapr v1.3.0
 	github.com/google/gofuzz v1.2.0
@@ -16,6 +19,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	go.uber.org/zap v1.27.0
 	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.34.1
 	k8s.io/apiextensions-apiserver v0.34.1
 	k8s.io/apimachinery v0.34.1
@@ -44,6 +48,7 @@ require (
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fluxcd/pkg/apis/acl v0.9.0 // indirect
 	github.com/fluxcd/pkg/apis/kustomize v1.13.0 // indirect
 	github.com/fluxcd/pkg/apis/meta v1.22.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
@@ -116,7 +121,6 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/kms v0.34.1 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect

go.sum

@@ -27,6 +27,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/emicklei/dot v1.10.0 h1:z17n0ce/FBMz3QbShSzVGhiW447Qhu7fljzvp3Gs6ig=
+github.com/emicklei/dot v1.10.0/go.mod h1:DeV7GvQtIw4h2u73RKBkkFdvVAz0D9fzeJrgPW6gy/s=
 github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
@@ -37,10 +39,16 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fluxcd/helm-controller/api v1.4.3 h1:CdZwjL1liXmYCWyk2jscmFEB59tICIlnWB9PfDDW5q4=
 github.com/fluxcd/helm-controller/api v1.4.3/go.mod h1:0XrBhKEaqvxyDj/FziG1Q8Fmx2UATdaqLgYqmZh6wW4=
+github.com/fluxcd/pkg/apis/acl v0.9.0 h1:wBpgsKT+jcyZEcM//OmZr9RiF8klL3ebrDp2u2ThsnA=
+github.com/fluxcd/pkg/apis/acl v0.9.0/go.mod h1:TttNS+gocsGLwnvmgVi3/Yscwqrjc17+vhgYfqkfrV4=
 github.com/fluxcd/pkg/apis/kustomize v1.13.0 h1:GGf0UBVRIku+gebY944icVeEIhyg1P/KE3IrhOyJJnE=
 github.com/fluxcd/pkg/apis/kustomize v1.13.0/go.mod h1:TLKVqbtnzkhDuhWnAsN35977HvRfIjs+lgMuNro/LEc=
 github.com/fluxcd/pkg/apis/meta v1.22.0 h1:EHWQH5ZWml7i8eZ/AMjm1jxid3j/PQ31p+hIwCt6crM=
 github.com/fluxcd/pkg/apis/meta v1.22.0/go.mod h1:Kc1+bWe5p0doROzuV9XiTfV/oL3ddsemYXt8ZYWdVVg=
+github.com/fluxcd/source-controller/api v1.6.2 h1:UmodAeqLIeF29HdTqf2GiacZyO+hJydJlepDaYsMvhc=
+github.com/fluxcd/source-controller/api v1.6.2/go.mod h1:ZJcAi0nemsnBxjVgmJl0WQzNvB0rMETxQMTdoFosmMw=
+github.com/fluxcd/source-watcher/api/v2 v2.0.2 h1:fWSxsDqYN7My2AEpQwbP7O6Qjix8nGBX+UE/qWHtZfM=
+github.com/fluxcd/source-watcher/api/v2 v2.0.2/go.mod h1:Hs6ueayPt23jlkIr/d1pGPZ+OHiibQwWjxvU6xqljzg=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=

hack/check-optional-repos.sh

@@ -48,7 +48,7 @@ echo "  End: $RELEASE_END"
 echo ""
 
 # Loop through ALL optional repositories
-for repo_name in talm boot-to-talos cozyhr cozy-proxy; do
+for repo_name in talm boot-to-talos cozypkg cozy-proxy; do
   echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
   echo "Checking repository: $repo_name"
   echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

hack/e2e-apps/mongodb.bats

@@ -1,31 +0,0 @@
-#!/usr/bin/env bats
-
-@test "Create DB MongoDB" {
-  name='test'
-  kubectl apply -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: MongoDB
-metadata:
-  name: $name
-  namespace: tenant-test
-spec:
-  external: false
-  size: 10Gi
-  replicas: 1
-  storageClass: ""
-  resourcesPreset: "nano"
-  backup:
-    enabled: false
-EOF
-  sleep 5
-  # Wait for HelmRelease
-  kubectl -n tenant-test wait hr mongodb-$name --timeout=60s --for=condition=ready
-  # Wait for MongoDB service (port 27017)
-  timeout 120 sh -ec "until kubectl -n tenant-test get svc mongodb-$name-rs0 -o jsonpath='{.spec.ports[0].port}' | grep -q '27017'; do sleep 10; done"
-  # Wait for endpoints
-  timeout 180 sh -ec "until kubectl -n tenant-test get endpoints mongodb-$name-rs0 -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
-  # Wait for StatefulSet replicas
-  kubectl -n tenant-test wait statefulset.apps/mongodb-$name-rs0 --timeout=300s --for=jsonpath='{.status.replicas}'=1
-  # Cleanup
-  kubectl -n tenant-test delete mongodbs.apps.cozystack.io $name
-}

hack/e2e-apps/run-kubernetes.sh

@@ -72,7 +72,7 @@ EOF
   kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-${test_name} --timeout=4m
 
   # Wait for Kubernetes resources to be ready (timeout after 2 minutes)
-  kubectl wait tcp -n tenant-test kubernetes-${test_name} --timeout=5m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
+  kubectl wait tcp -n tenant-test kubernetes-${test_name} --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
 
   # Wait for all required deployments to be available (timeout after 4 minutes)
   kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-${test_name} kubernetes-${test_name}-cluster-autoscaler kubernetes-${test_name}-kccm kubernetes-${test_name}-kcsi-controller
@@ -87,7 +87,7 @@ EOF
 
 
   # Set up port forwarding to the Kubernetes API server for a 200 second timeout
-  bash -c 'timeout 500s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
+  bash -c 'timeout 300s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
   # Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
   timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
 
@@ -124,100 +124,6 @@ EOF
     exit 1
   fi
 
-
-  kubectl --kubeconfig tenantkubeconfig-${test_name} apply -f - <<EOF
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: tenant-test
-EOF
-
-  # Backend 1
-  kubectl apply --kubeconfig tenantkubeconfig-${test_name} -f- <<EOF
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: "${test_name}-backend"
-  namespace: tenant-test
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: backend
-      backend: "${test_name}-backend"
-  template:
-    metadata:
-      labels:
-        app: backend
-        backend: "${test_name}-backend"
-    spec:
-      containers:
-      - name: nginx
-        image: nginx:alpine
-        ports:
-        - containerPort: 80
-        readinessProbe:
-          httpGet:
-            path: /
-            port: 80
-          initialDelaySeconds: 2
-          periodSeconds: 2
-EOF
-
-  # LoadBalancer Service
-  kubectl apply --kubeconfig tenantkubeconfig-${test_name} -f- <<EOF
-apiVersion: v1
-kind: Service
-metadata:
-  name: "${test_name}-backend"
-  namespace: tenant-test
-spec:
-  type: LoadBalancer
-  selector:
-    app: backend
-    backend: "${test_name}-backend"
-  ports:
-  - port: 80
-    targetPort: 80
-EOF
-
-  # Wait for pods readiness
-  kubectl wait deployment --kubeconfig tenantkubeconfig-${test_name} ${test_name}-backend -n tenant-test --for=condition=Available --timeout=90s
-  
-  # Wait for LoadBalancer to be provisioned (IP or hostname)
-  timeout 90 sh -ec "
-    until kubectl get svc ${test_name}-backend --kubeconfig tenantkubeconfig-${test_name} -n tenant-test \
-      -o jsonpath='{.status.loadBalancer.ingress[0]}' | grep -q .; do
-      sleep 5
-    done
-  "
-
-LB_ADDR=$(
-  kubectl get svc --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" \
-    -n tenant-test \
-    -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}'
-)
-
-if [ -z "$LB_ADDR" ]; then
-  echo "LoadBalancer address is empty" >&2
-  exit 1
-fi
-
-  for i in $(seq 1 20); do
-    echo "Attempt $i"
-    curl --silent --fail "http://${LB_ADDR}" && break
-    sleep 3
-  done
-
-  if [ "$i" -eq 20 ]; then
-    echo "LoadBalancer not reachable" >&2
-    exit 1
-  fi
-
-  # Cleanup
-  kubectl delete deployment --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" -n tenant-test
-  kubectl delete service --kubeconfig tenantkubeconfig-${test_name} "${test_name}-backend" -n tenant-test
-
   # Wait for all machine deployment replicas to be ready (timeout after 10 minutes)
   kubectl wait machinedeployment kubernetes-${test_name}-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
 

hack/update-codegen.sh

@@ -23,6 +23,15 @@ CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; ls -d -1 ./vendor/k8s.io/code-
 API_KNOWN_VIOLATIONS_DIR="${API_KNOWN_VIOLATIONS_DIR:-"${SCRIPT_ROOT}/api/api-rules"}"
 UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS:-true}"
 CONTROLLER_GEN="go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.4"
+TMPDIR=$(mktemp -d)
+OPERATOR_CRDDIR=packages/core/installer/crds
+BACKUPSTRATEGY_CRDDIR=packages/system/backupstrategy-controller/definitions
+COZY_CONTROLLER_CRDDIR=packages/system/cozystack-controller/crds
+COZY_RD_CRDDIR=packages/system/cozystack-resource-definition-crd/definition
+BACKUPS_CORE_CRDDIR=packages/system/backup-controller/definitions
+BACKUPSTRATEGY_CRDDIR=packages/system/backupstrategy-controller/definitions
+
+trap 'rm -rf ${TMPDIR}' EXIT
 
 source "${CODEGEN_PKG}/kube_codegen.sh"
 
@@ -53,6 +62,15 @@ kube::codegen::gen_openapi \
     "${SCRIPT_ROOT}/pkg/apis"
 
 $CONTROLLER_GEN object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
-$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=packages/system/cozystack-controller/crds
-mv packages/system/cozystack-controller/crds/cozystack.io_cozystackresourcedefinitions.yaml \
-        packages/system/cozystack-resource-definition-crd/definition/cozystack.io_cozystackresourcedefinitions.yaml
+$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=${TMPDIR} 
+
+mv ${TMPDIR}/cozystack.io_packages.yaml ${OPERATOR_CRDDIR}/cozystack.io_packages.yaml
+mv ${TMPDIR}/cozystack.io_packagesources.yaml ${OPERATOR_CRDDIR}/cozystack.io_packagesources.yaml
+
+mv ${TMPDIR}/cozystack.io_cozystackresourcedefinitions.yaml \
+        ${COZY_RD_CRDDIR}/cozystack.io_cozystackresourcedefinitions.yaml
+
+mv ${TMPDIR}/backups.cozystack.io*.yaml ${BACKUPS_CORE_CRDDIR}/
+mv ${TMPDIR}/strategy.backups.cozystack.io*.yaml ${BACKUPSTRATEGY_CRDDIR}/
+
+mv ${TMPDIR}/*.yaml ${COZY_CONTROLLER_CRDDIR}/

hack/update-crd.sh

@@ -8,6 +8,7 @@ need yq; need jq; need base64
 CHART_YAML="${CHART_YAML:-Chart.yaml}"
 VALUES_YAML="${VALUES_YAML:-values.yaml}"
 SCHEMA_JSON="${SCHEMA_JSON:-values.schema.json}"
+CRD_DIR="../../system/cozystack-resource-definitions/cozyrds"
 
 [[ -f "$CHART_YAML" ]] || { echo "No $CHART_YAML found"; exit 1; }
 [[ -f "$SCHEMA_JSON" ]] || { echo "No $SCHEMA_JSON found"; exit 1; }
@@ -21,8 +22,6 @@ if [[ -z "$NAME" ]]; then
   echo "Chart.yaml: .name is empty"; exit 1
 fi
 
-CRD_DIR="../../system/${NAME}-rd/cozyrds"
-
 # Resolve icon path
 # Accepts:
 #   /logos/foo.svg  -> ./logos/foo.svg

internal/backupcontroller/factory/backupjob.go

@@ -0,0 +1,28 @@
+package factory
+
+import (
+	"fmt"
+	"time"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func BackupJob(p *backupsv1alpha1.Plan, scheduledFor time.Time) *backupsv1alpha1.BackupJob {
+	job := &backupsv1alpha1.BackupJob{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-%d", p.Name, scheduledFor.Unix()/60),
+			Namespace: p.Namespace,
+		},
+		Spec: backupsv1alpha1.BackupJobSpec{
+			PlanRef: &corev1.LocalObjectReference{
+				Name: p.Name,
+			},
+			ApplicationRef: *p.Spec.ApplicationRef.DeepCopy(),
+			StorageRef:     *p.Spec.StorageRef.DeepCopy(),
+			StrategyRef:    *p.Spec.StrategyRef.DeepCopy(),
+		},
+	}
+	return job
+}

internal/backupcontroller/jobstrategy_controller.go

@@ -0,0 +1,31 @@
+package backupcontroller
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+)
+
+// BackupJobStrategyReconciler reconciles BackupJob with a strategy referencing
+// Job.strategy.backups.cozystack.io objects.
+type BackupJobStrategyReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *BackupJobStrategyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	_ = log.FromContext(ctx)
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager registers our controller with the Manager and sets up watches.
+func (r *BackupJobStrategyReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&backupsv1alpha1.BackupJob{}).
+		Complete(r)
+}

internal/backupcontroller/plan_controller.go

@@ -0,0 +1,104 @@
+package backupcontroller
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	cron "github.com/robfig/cron/v3"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller/factory"
+)
+
+const (
+	minRequeueDelay         = 30 * time.Second
+	startingDeadlineSeconds = 300 * time.Second
+)
+
+// PlanReconciler reconciles a Plan object
+type PlanReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *PlanReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx)
+
+	log.V(2).Info("reconciling")
+
+	p := &backupsv1alpha1.Plan{}
+
+	if err := r.Get(ctx, client.ObjectKey{Namespace: req.Namespace, Name: req.Name}, p); err != nil {
+		if apierrors.IsNotFound(err) {
+			log.V(3).Info("Plan not found")
+			return ctrl.Result{}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	tCheck := time.Now().Add(-startingDeadlineSeconds)
+	sch, err := cron.ParseStandard(p.Spec.Schedule.Cron)
+	if err != nil {
+		errWrapped := fmt.Errorf("could not parse cron %s: %w", p.Spec.Schedule.Cron, err)
+		log.Error(err, "could not parse cron", "cron", p.Spec.Schedule.Cron)
+		meta.SetStatusCondition(&p.Status.Conditions, metav1.Condition{
+			Type:    backupsv1alpha1.PlanConditionError,
+			Status:  metav1.ConditionTrue,
+			Reason:  "Failed to parse cron spec",
+			Message: errWrapped.Error(),
+		})
+		if err := r.Status().Update(ctx, p); err != nil {
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{}, nil
+	}
+
+	// Clear error condition if cron parsing succeeds
+	if condition := meta.FindStatusCondition(p.Status.Conditions, backupsv1alpha1.PlanConditionError); condition != nil && condition.Status == metav1.ConditionTrue {
+		meta.SetStatusCondition(&p.Status.Conditions, metav1.Condition{
+			Type:    backupsv1alpha1.PlanConditionError,
+			Status:  metav1.ConditionFalse,
+			Reason:  "Cron spec is valid",
+			Message: "The cron schedule has been successfully parsed",
+		})
+		if err := r.Status().Update(ctx, p); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
+	tNext := sch.Next(tCheck)
+
+	if time.Now().Before(tNext) {
+		return ctrl.Result{RequeueAfter: tNext.Sub(time.Now())}, nil
+	}
+
+	job := factory.BackupJob(p, tNext)
+	if err := controllerutil.SetControllerReference(p, job, r.Scheme); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	if err := r.Create(ctx, job); err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			return ctrl.Result{RequeueAfter: startingDeadlineSeconds}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	return ctrl.Result{RequeueAfter: startingDeadlineSeconds}, nil
+}
+
+// SetupWithManager registers our controller with the Manager and sets up watches.
+func (r *PlanReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&backupsv1alpha1.Plan{}).
+		Complete(r)
+}

internal/controller/cozystackresource_controller.go

@@ -5,11 +5,13 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
+	"fmt"
 	"slices"
 	"sync"
 	"time"
 
 	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -37,8 +39,11 @@ type CozystackResourceDefinitionReconciler struct {
 }
 
 func (r *CozystackResourceDefinitionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	// Only handle debounced restart logic
-	// HelmRelease reconciliation is handled by CozystackResourceDefinitionHelmReconciler
+	if err := r.reconcileCozyRDAndUpdateHelmReleases(ctx); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	// Continue with debounced restart logic
 	return r.debouncedRestart(ctx)
 }
 
@@ -187,3 +192,138 @@ func sortCozyRDs(a, b cozyv1alpha1.CozystackResourceDefinition) int {
 	}
 	return 1
 }
+
+// reconcileCozyRDAndUpdateHelmReleases reconciles all CozystackResourceDefinitions and updates HelmReleases from them
+func (r *CozystackResourceDefinitionReconciler) reconcileCozyRDAndUpdateHelmReleases(ctx context.Context) error {
+	logger := log.FromContext(ctx)
+
+	// List all CozystackResourceDefinitions
+	crdList := &cozyv1alpha1.CozystackResourceDefinitionList{}
+	if err := r.List(ctx, crdList); err != nil {
+		logger.Error(err, "failed to list CozystackResourceDefinitions")
+		return err
+	}
+
+	// Update HelmReleases for each CRD
+	for i := range crdList.Items {
+		crd := &crdList.Items[i]
+		if err := r.updateHelmReleasesForCRD(ctx, crd); err != nil {
+			logger.Error(err, "failed to update HelmReleases for CRD", "crd", crd.Name)
+			// Continue with other CRDs even if one fails
+		}
+	}
+
+	return nil
+}
+
+// updateHelmReleasesForCRD updates all HelmReleases that match the application labels from CozystackResourceDefinition
+func (r *CozystackResourceDefinitionReconciler) updateHelmReleasesForCRD(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) error {
+	logger := log.FromContext(ctx)
+
+	// Use application labels to find HelmReleases
+	// Labels: apps.cozystack.io/application.kind and apps.cozystack.io/application.group
+	applicationKind := crd.Spec.Application.Kind
+	
+	// Validate that applicationKind is non-empty
+	if applicationKind == "" {
+		logger.Error(fmt.Errorf("Application.Kind is empty"), "Skipping HelmRelease update: invalid CozystackResourceDefinition", "crd", crd.Name)
+		return nil
+	}
+	
+	applicationGroup := "apps.cozystack.io" // All applications use this group
+
+	// Build label selector for HelmReleases
+	// Only reconcile HelmReleases with cozystack.io/ui=true label
+	labelSelector := client.MatchingLabels{
+		"apps.cozystack.io/application.kind":  applicationKind,
+		"apps.cozystack.io/application.group": applicationGroup,
+		"cozystack.io/ui":                      "true",
+	}
+
+	// List all HelmReleases with matching labels
+	hrList := &helmv2.HelmReleaseList{}
+	if err := r.List(ctx, hrList, labelSelector); err != nil {
+		logger.Error(err, "failed to list HelmReleases", "kind", applicationKind, "group", applicationGroup)
+		return err
+	}
+
+	logger.V(4).Info("Found HelmReleases to update", "crd", crd.Name, "kind", applicationKind, "count", len(hrList.Items))
+
+	// Update each HelmRelease
+	for i := range hrList.Items {
+		hr := &hrList.Items[i]
+		if err := r.updateHelmReleaseChart(ctx, hr, crd); err != nil {
+			logger.Error(err, "failed to update HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
+			continue
+		}
+	}
+
+	return nil
+}
+
+// updateHelmReleaseChart updates the chart in HelmRelease based on CozystackResourceDefinition
+func (r *CozystackResourceDefinitionReconciler) updateHelmReleaseChart(ctx context.Context, hr *helmv2.HelmRelease, crd *cozyv1alpha1.CozystackResourceDefinition) error {
+	logger := log.FromContext(ctx)
+	hrCopy := hr.DeepCopy()
+	updated := false
+
+	// Validate Chart configuration exists
+	if crd.Spec.Release.Chart.Name == "" {
+		logger.V(4).Info("Skipping HelmRelease chart update: Chart.Name is empty", "crd", crd.Name)
+		return nil
+	}
+
+	// Validate SourceRef fields
+	if crd.Spec.Release.Chart.SourceRef.Kind == "" ||
+		crd.Spec.Release.Chart.SourceRef.Name == "" ||
+		crd.Spec.Release.Chart.SourceRef.Namespace == "" {
+		logger.Error(fmt.Errorf("invalid SourceRef in CRD"), "Skipping HelmRelease chart update: SourceRef fields are incomplete",
+			"crd", crd.Name,
+			"kind", crd.Spec.Release.Chart.SourceRef.Kind,
+			"name", crd.Spec.Release.Chart.SourceRef.Name,
+			"namespace", crd.Spec.Release.Chart.SourceRef.Namespace)
+		return nil
+	}
+
+	// Get version and reconcileStrategy from CRD or use defaults
+	version := ">= 0.0.0-0"
+	reconcileStrategy := "Revision"
+	// TODO: Add Version and ReconcileStrategy fields to CozystackResourceDefinitionChart if needed
+
+	// Build expected SourceRef
+	expectedSourceRef := helmv2.CrossNamespaceObjectReference{
+		Kind:      crd.Spec.Release.Chart.SourceRef.Kind,
+		Name:      crd.Spec.Release.Chart.SourceRef.Name,
+		Namespace: crd.Spec.Release.Chart.SourceRef.Namespace,
+	}
+
+	if hrCopy.Spec.Chart == nil {
+		// Need to create Chart spec
+		hrCopy.Spec.Chart = &helmv2.HelmChartTemplate{
+			Spec: helmv2.HelmChartTemplateSpec{
+				Chart:             crd.Spec.Release.Chart.Name,
+				Version:           version,
+				ReconcileStrategy: reconcileStrategy,
+				SourceRef:         expectedSourceRef,
+			},
+		}
+		updated = true
+	} else {
+		// Update existing Chart spec
+		if hrCopy.Spec.Chart.Spec.Chart != crd.Spec.Release.Chart.Name ||
+			hrCopy.Spec.Chart.Spec.SourceRef != expectedSourceRef {
+			hrCopy.Spec.Chart.Spec.Chart = crd.Spec.Release.Chart.Name
+			hrCopy.Spec.Chart.Spec.SourceRef = expectedSourceRef
+			updated = true
+		}
+	}
+
+	if updated {
+		logger.V(4).Info("Updating HelmRelease chart", "name", hr.Name, "namespace", hr.Namespace)
+		if err := r.Update(ctx, hrCopy); err != nil {
+			return fmt.Errorf("failed to update HelmRelease: %w", err)
+		}
+	}
+
+	return nil
+}

internal/controller/cozystackresourcedefinition_helmreconciler.go

@@ -1,201 +0,0 @@
-package controller
-
-import (
-	"context"
-	"fmt"
-
-	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-
-	"k8s.io/apimachinery/pkg/runtime"
-
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-)
-
-// +kubebuilder:rbac:groups=cozystack.io,resources=cozystackresourcedefinitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=helm.toolkit.fluxcd.io,resources=helmreleases,verbs=get;list;watch;update;patch
-
-// CozystackResourceDefinitionHelmReconciler reconciles CozystackResourceDefinitions
-// and updates related HelmReleases when a CozyRD changes.
-// This controller does NOT watch HelmReleases to avoid mutual reconciliation storms
-// with Flux's helm-controller.
-type CozystackResourceDefinitionHelmReconciler struct {
-	client.Client
-	Scheme *runtime.Scheme
-}
-
-func (r *CozystackResourceDefinitionHelmReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	logger := log.FromContext(ctx)
-
-	// Get the CozystackResourceDefinition that triggered this reconciliation
-	crd := &cozyv1alpha1.CozystackResourceDefinition{}
-	if err := r.Get(ctx, req.NamespacedName, crd); err != nil {
-		logger.Error(err, "failed to get CozystackResourceDefinition", "name", req.Name)
-		return ctrl.Result{}, client.IgnoreNotFound(err)
-	}
-
-	// Update HelmReleases related to this specific CozyRD
-	if err := r.updateHelmReleasesForCRD(ctx, crd); err != nil {
-		logger.Error(err, "failed to update HelmReleases for CRD", "crd", crd.Name)
-		return ctrl.Result{}, err
-	}
-
-	return ctrl.Result{}, nil
-}
-
-func (r *CozystackResourceDefinitionHelmReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("cozystackresourcedefinition-helm-reconciler").
-		For(&cozyv1alpha1.CozystackResourceDefinition{}).
-		Complete(r)
-}
-
-// updateHelmReleasesForCRD updates all HelmReleases that match the application labels from CozystackResourceDefinition
-func (r *CozystackResourceDefinitionHelmReconciler) updateHelmReleasesForCRD(ctx context.Context, crd *cozyv1alpha1.CozystackResourceDefinition) error {
-	logger := log.FromContext(ctx)
-
-	// Use application labels to find HelmReleases
-	// Labels: apps.cozystack.io/application.kind and apps.cozystack.io/application.group
-	applicationKind := crd.Spec.Application.Kind
-
-	// Validate that applicationKind is non-empty
-	if applicationKind == "" {
-		logger.V(4).Info("Skipping HelmRelease update: Application.Kind is empty", "crd", crd.Name)
-		return nil
-	}
-
-	applicationGroup := "apps.cozystack.io" // All applications use this group
-
-	// Build label selector for HelmReleases
-	// Only reconcile HelmReleases with cozystack.io/ui=true label
-	labelSelector := client.MatchingLabels{
-		"apps.cozystack.io/application.kind":  applicationKind,
-		"apps.cozystack.io/application.group": applicationGroup,
-		"cozystack.io/ui":                      "true",
-	}
-
-	// List all HelmReleases with matching labels
-	hrList := &helmv2.HelmReleaseList{}
-	if err := r.List(ctx, hrList, labelSelector); err != nil {
-		logger.Error(err, "failed to list HelmReleases", "kind", applicationKind, "group", applicationGroup)
-		return err
-	}
-
-	logger.V(4).Info("Found HelmReleases to update", "crd", crd.Name, "kind", applicationKind, "count", len(hrList.Items))
-
-	// Update each HelmRelease
-	for i := range hrList.Items {
-		hr := &hrList.Items[i]
-		if err := r.updateHelmReleaseChart(ctx, hr, crd); err != nil {
-			logger.Error(err, "failed to update HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
-			continue
-		}
-	}
-
-	return nil
-}
-
-// expectedValuesFrom returns the expected valuesFrom configuration for HelmReleases
-func expectedValuesFrom() []helmv2.ValuesReference {
-	return []helmv2.ValuesReference{
-		{
-			Kind: "Secret",
-			Name: "cozystack-values",
-		},
-	}
-}
-
-// valuesFromEqual compares two ValuesReference slices
-func valuesFromEqual(a, b []helmv2.ValuesReference) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	for i := range a {
-		if a[i].Kind != b[i].Kind ||
-			a[i].Name != b[i].Name ||
-			a[i].ValuesKey != b[i].ValuesKey ||
-			a[i].TargetPath != b[i].TargetPath ||
-			a[i].Optional != b[i].Optional {
-			return false
-		}
-	}
-	return true
-}
-
-// updateHelmReleaseChart updates the chart and valuesFrom in HelmRelease based on CozystackResourceDefinition
-func (r *CozystackResourceDefinitionHelmReconciler) updateHelmReleaseChart(ctx context.Context, hr *helmv2.HelmRelease, crd *cozyv1alpha1.CozystackResourceDefinition) error {
-	logger := log.FromContext(ctx)
-	hrCopy := hr.DeepCopy()
-	updated := false
-
-	// Validate Chart configuration exists
-	if crd.Spec.Release.Chart.Name == "" {
-		logger.V(4).Info("Skipping HelmRelease chart update: Chart.Name is empty", "crd", crd.Name)
-		return nil
-	}
-
-	// Validate SourceRef fields
-	if crd.Spec.Release.Chart.SourceRef.Kind == "" ||
-		crd.Spec.Release.Chart.SourceRef.Name == "" ||
-		crd.Spec.Release.Chart.SourceRef.Namespace == "" {
-		logger.Error(fmt.Errorf("invalid SourceRef in CRD"), "Skipping HelmRelease chart update: SourceRef fields are incomplete",
-			"crd", crd.Name,
-			"kind", crd.Spec.Release.Chart.SourceRef.Kind,
-			"name", crd.Spec.Release.Chart.SourceRef.Name,
-			"namespace", crd.Spec.Release.Chart.SourceRef.Namespace)
-		return nil
-	}
-
-	// Get version and reconcileStrategy from CRD or use defaults
-	version := ">= 0.0.0-0"
-	reconcileStrategy := "Revision"
-	// TODO: Add Version and ReconcileStrategy fields to CozystackResourceDefinitionChart if needed
-
-	// Build expected SourceRef
-	expectedSourceRef := helmv2.CrossNamespaceObjectReference{
-		Kind:      crd.Spec.Release.Chart.SourceRef.Kind,
-		Name:      crd.Spec.Release.Chart.SourceRef.Name,
-		Namespace: crd.Spec.Release.Chart.SourceRef.Namespace,
-	}
-
-	if hrCopy.Spec.Chart == nil {
-		// Need to create Chart spec
-		hrCopy.Spec.Chart = &helmv2.HelmChartTemplate{
-			Spec: helmv2.HelmChartTemplateSpec{
-				Chart:             crd.Spec.Release.Chart.Name,
-				Version:           version,
-				ReconcileStrategy: reconcileStrategy,
-				SourceRef:         expectedSourceRef,
-			},
-		}
-		updated = true
-	} else {
-		// Update existing Chart spec
-		if hrCopy.Spec.Chart.Spec.Chart != crd.Spec.Release.Chart.Name ||
-			hrCopy.Spec.Chart.Spec.SourceRef != expectedSourceRef {
-			hrCopy.Spec.Chart.Spec.Chart = crd.Spec.Release.Chart.Name
-			hrCopy.Spec.Chart.Spec.SourceRef = expectedSourceRef
-			updated = true
-		}
-	}
-
-	// Check and update valuesFrom configuration
-	expected := expectedValuesFrom()
-	if !valuesFromEqual(hrCopy.Spec.ValuesFrom, expected) {
-		logger.V(4).Info("Updating HelmRelease valuesFrom", "name", hr.Name, "namespace", hr.Namespace)
-		hrCopy.Spec.ValuesFrom = expected
-		updated = true
-	}
-
-	if updated {
-		logger.V(4).Info("Updating HelmRelease chart", "name", hr.Name, "namespace", hr.Namespace)
-		if err := r.Update(ctx, hrCopy); err != nil {
-			return fmt.Errorf("failed to update HelmRelease: %w", err)
-		}
-	}
-
-	return nil
-}
-

internal/controller/dashboard/static_refactored.go

@@ -134,7 +134,7 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 		createCustomColumnsOverride("factory-details-v1.services", []any{
 			createCustomColumnWithSpecificColor("Name", "Service", "", "/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/kube-service-details/{reqsJsonPath[0]['.metadata.name']['-']}"),
 			createStringColumn("ClusterIP", ".spec.clusterIP"),
-			createStringColumn("LoadbalancerIP", ".status.loadBalancer.ingress[0].ip"),
+			createStringColumn("LoadbalancerIP", ".spec.loadBalancerIP"),
 			createTimestampColumn("Created", ".metadata.creationTimestamp"),
 		}),
 

internal/controller/system_helm_reconciler.go

@@ -0,0 +1,140 @@
+package controller
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"sort"
+	"time"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	corev1 "k8s.io/api/core/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+)
+
+type CozystackConfigReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+var configMapNames = []string{"cozystack", "cozystack-branding", "cozystack-scheduling"}
+
+const configMapNamespace = "cozy-system"
+const digestAnnotation = "cozystack.io/cozy-config-digest"
+const forceReconcileKey = "reconcile.fluxcd.io/forceAt"
+const requestedAt = "reconcile.fluxcd.io/requestedAt"
+
+func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx)
+	time.Sleep(2 * time.Second)
+
+	digest, err := r.computeDigest(ctx)
+	if err != nil {
+		log.Error(err, "failed to compute config digest")
+		return ctrl.Result{}, nil
+	}
+
+	var helmList helmv2.HelmReleaseList
+	if err := r.List(ctx, &helmList); err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to list HelmReleases: %w", err)
+	}
+
+	now := time.Now().Format(time.RFC3339Nano)
+	updated := 0
+
+	for _, hr := range helmList.Items {
+		isSystemApp := hr.Labels["cozystack.io/system-app"] == "true"
+		isTenantRoot := hr.Namespace == "tenant-root" && hr.Name == "tenant-root"
+		if !isSystemApp && !isTenantRoot {
+			continue
+		}
+		patchTarget := hr.DeepCopy()
+
+		if hr.Annotations == nil {
+			hr.Annotations = map[string]string{}
+		}
+
+		if hr.Annotations[digestAnnotation] == digest {
+			continue
+		}
+		patchTarget.Annotations[digestAnnotation] = digest
+		patchTarget.Annotations[forceReconcileKey] = now
+		patchTarget.Annotations[requestedAt] = now
+
+		patch := client.MergeFrom(hr.DeepCopy())
+		if err := r.Patch(ctx, patchTarget, patch); err != nil {
+			log.Error(err, "failed to patch HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
+			continue
+		}
+		updated++
+		log.Info("patched HelmRelease with new config digest", "name", hr.Name, "namespace", hr.Namespace)
+	}
+
+	log.Info("finished reconciliation", "updatedHelmReleases", updated)
+	return ctrl.Result{}, nil
+}
+
+func (r *CozystackConfigReconciler) computeDigest(ctx context.Context) (string, error) {
+	hash := sha256.New()
+
+	for _, name := range configMapNames {
+		var cm corev1.ConfigMap
+		err := r.Get(ctx, client.ObjectKey{Namespace: configMapNamespace, Name: name}, &cm)
+		if err != nil {
+			if kerrors.IsNotFound(err) {
+				continue // ignore missing
+			}
+			return "", err
+		}
+
+		// Sort keys for consistent hashing
+		var keys []string
+		for k := range cm.Data {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+
+		for _, k := range keys {
+			v := cm.Data[k]
+			fmt.Fprintf(hash, "%s:%s=%s\n", name, k, v)
+		}
+	}
+
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
+
+func (r *CozystackConfigReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		WithEventFilter(predicate.Funcs{
+			UpdateFunc: func(e event.UpdateEvent) bool {
+				cm, ok := e.ObjectNew.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+			CreateFunc: func(e event.CreateEvent) bool {
+				cm, ok := e.Object.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+			DeleteFunc: func(e event.DeleteEvent) bool {
+				cm, ok := e.Object.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+		}).
+		For(&corev1.ConfigMap{}).
+		Complete(r)
+}
+
+func contains(slice []string, val string) bool {
+	for _, s := range slice {
+		if s == val {
+			return true
+		}
+	}
+	return false
+}

internal/controller/tenant_helm_reconciler.go

@@ -0,0 +1,159 @@
+package controller
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	e "errors"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	"gopkg.in/yaml.v2"
+	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+type TenantHelmReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *TenantHelmReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+	time.Sleep(2 * time.Second)
+
+	hr := &helmv2.HelmRelease{}
+	if err := r.Get(ctx, req.NamespacedName, hr); err != nil {
+		if errors.IsNotFound(err) {
+			return ctrl.Result{}, nil
+		}
+		logger.Error(err, "unable to fetch HelmRelease")
+		return ctrl.Result{}, err
+	}
+
+	if !strings.HasPrefix(hr.Name, "tenant-") {
+		return ctrl.Result{}, nil
+	}
+
+	if len(hr.Status.Conditions) == 0 || hr.Status.Conditions[0].Type != "Ready" {
+		return ctrl.Result{}, nil
+	}
+
+	if len(hr.Status.History) == 0 {
+		logger.Info("no history in HelmRelease status", "name", hr.Name)
+		return ctrl.Result{}, nil
+	}
+
+	if hr.Status.History[0].Status != "deployed" {
+		return ctrl.Result{}, nil
+	}
+
+	newDigest := hr.Status.History[0].Digest
+	var hrList helmv2.HelmReleaseList
+	childNamespace := getChildNamespace(hr.Namespace, hr.Name)
+	if childNamespace == "tenant-root" && hr.Name == "tenant-root" {
+		if hr.Spec.Values == nil {
+			logger.Error(e.New("hr.Spec.Values is nil"), "cant annotate tenant-root ns")
+			return ctrl.Result{}, nil
+		}
+		err := annotateTenantRootNs(*hr.Spec.Values, r.Client)
+		if err != nil {
+			logger.Error(err, "cant annotate tenant-root ns")
+			return ctrl.Result{}, nil
+		}
+		logger.Info("namespace 'tenant-root' annotated")
+	}
+
+	if err := r.List(ctx, &hrList, client.InNamespace(childNamespace)); err != nil {
+		logger.Error(err, "unable to list HelmReleases in namespace", "namespace", hr.Name)
+		return ctrl.Result{}, err
+	}
+
+	for _, item := range hrList.Items {
+		if item.Name == hr.Name {
+			continue
+		}
+		oldDigest := item.GetAnnotations()["cozystack.io/tenant-config-digest"]
+		if oldDigest == newDigest {
+			continue
+		}
+		patchTarget := item.DeepCopy()
+
+		if patchTarget.Annotations == nil {
+			patchTarget.Annotations = map[string]string{}
+		}
+		ts := time.Now().Format(time.RFC3339Nano)
+
+		patchTarget.Annotations["cozystack.io/tenant-config-digest"] = newDigest
+		patchTarget.Annotations["reconcile.fluxcd.io/forceAt"] = ts
+		patchTarget.Annotations["reconcile.fluxcd.io/requestedAt"] = ts
+
+		patch := client.MergeFrom(item.DeepCopy())
+		if err := r.Patch(ctx, patchTarget, patch); err != nil {
+			logger.Error(err, "failed to patch HelmRelease", "name", patchTarget.Name)
+			continue
+		}
+
+		logger.Info("patched HelmRelease with new digest", "name", patchTarget.Name, "digest", newDigest, "version", hr.Status.History[0].Version)
+	}
+
+	return ctrl.Result{}, nil
+}
+
+func (r *TenantHelmReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&helmv2.HelmRelease{}).
+		Complete(r)
+}
+
+func getChildNamespace(currentNamespace, hrName string) string {
+	tenantName := strings.TrimPrefix(hrName, "tenant-")
+
+	switch {
+	case currentNamespace == "tenant-root" && hrName == "tenant-root":
+		// 1) root tenant inside root namespace
+		return "tenant-root"
+
+	case currentNamespace == "tenant-root":
+		// 2) any other tenant in root namespace
+		return fmt.Sprintf("tenant-%s", tenantName)
+
+	default:
+		// 3) tenant in a dedicated namespace
+		return fmt.Sprintf("%s-%s", currentNamespace, tenantName)
+	}
+}
+
+func annotateTenantRootNs(values apiextensionsv1.JSON, c client.Client) error {
+	var data map[string]interface{}
+	if err := yaml.Unmarshal(values.Raw, &data); err != nil {
+		return fmt.Errorf("failed to parse HelmRelease values: %w", err)
+	}
+
+	host, ok := data["host"].(string)
+	if !ok || host == "" {
+		return fmt.Errorf("host field not found or not a string")
+	}
+
+	var ns corev1.Namespace
+	if err := c.Get(context.TODO(), client.ObjectKey{Name: "tenant-root"}, &ns); err != nil {
+		return fmt.Errorf("failed to get namespace tenant-root: %w", err)
+	}
+
+	if ns.Annotations == nil {
+		ns.Annotations = map[string]string{}
+	}
+	ns.Annotations["namespace.cozystack.io/host"] = host
+
+	if err := c.Update(context.TODO(), &ns); err != nil {
+		return fmt.Errorf("failed to update namespace: %w", err)
+	}
+
+	return nil
+}

internal/fluxinstall/install.go

@@ -0,0 +1,352 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fluxinstall
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer/yaml"
+	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// Install installs Flux components using embedded manifests.
+// It extracts the manifests and applies them to the cluster.
+// The namespace is automatically determined from the Namespace object in the manifests.
+func Install(ctx context.Context, k8sClient client.Client, writeEmbeddedManifests func(string) error) error {
+	logger := log.FromContext(ctx)
+
+	// Create temporary directory for manifests
+	tmpDir, err := os.MkdirTemp("", "flux-install-*")
+	if err != nil {
+		return fmt.Errorf("failed to create temp directory: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	// Extract embedded manifests (generated by cozypkg)
+	manifestsDir := filepath.Join(tmpDir, "manifests")
+	if err := os.MkdirAll(manifestsDir, 0755); err != nil {
+		return fmt.Errorf("failed to create manifests directory: %w", err)
+	}
+
+	if err := writeEmbeddedManifests(manifestsDir); err != nil {
+		return fmt.Errorf("failed to extract embedded manifests: %w", err)
+	}
+
+	// Find the manifest file (should be fluxcd.yaml from cozypkg)
+	manifestPath := filepath.Join(manifestsDir, "fluxcd.yaml")
+	if _, err := os.Stat(manifestPath); err != nil {
+		// Try to find any YAML file if fluxcd.yaml doesn't exist
+		entries, err := os.ReadDir(manifestsDir)
+		if err != nil {
+			return fmt.Errorf("failed to read manifests directory: %w", err)
+		}
+		for _, entry := range entries {
+			if strings.HasSuffix(entry.Name(), ".yaml") {
+				manifestPath = filepath.Join(manifestsDir, entry.Name())
+				break
+			}
+		}
+	}
+
+	// Parse and apply manifests
+	objects, err := parseManifests(manifestPath)
+	if err != nil {
+		return fmt.Errorf("failed to parse manifests: %w", err)
+	}
+
+	if len(objects) == 0 {
+		return fmt.Errorf("no objects found in manifests")
+	}
+
+	// Inject KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT if set in operator environment
+	if err := injectKubernetesServiceEnv(objects); err != nil {
+		logger.Info("Failed to inject KUBERNETES_SERVICE_* env vars, continuing anyway", "error", err)
+	}
+
+	// Extract namespace from Namespace object in manifests
+	namespace, err := extractNamespace(objects)
+	if err != nil {
+		return fmt.Errorf("failed to extract namespace from manifests: %w", err)
+	}
+
+	logger.Info("Installing Flux components", "namespace", namespace)
+
+	// Apply manifests using server-side apply
+	logger.Info("Applying Flux manifests", "count", len(objects), "manifest", manifestPath, "namespace", namespace)
+	if err := applyManifests(ctx, k8sClient, objects); err != nil {
+		return fmt.Errorf("failed to apply manifests: %w", err)
+	}
+
+	logger.Info("Flux installation completed successfully")
+	return nil
+}
+
+// parseManifests parses YAML manifests into unstructured objects.
+func parseManifests(manifestPath string) ([]*unstructured.Unstructured, error) {
+	data, err := os.ReadFile(manifestPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read manifest file: %w", err)
+	}
+
+	return readYAMLObjects(bytes.NewReader(data))
+}
+
+// readYAMLObjects parses multi-document YAML into unstructured objects.
+func readYAMLObjects(reader io.Reader) ([]*unstructured.Unstructured, error) {
+	var objects []*unstructured.Unstructured
+	yamlReader := k8syaml.NewYAMLReader(bufio.NewReader(reader))
+
+	for {
+		doc, err := yamlReader.Read()
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return nil, fmt.Errorf("failed to read YAML document: %w", err)
+		}
+
+		// Skip empty documents
+		if len(bytes.TrimSpace(doc)) == 0 {
+			continue
+		}
+
+		obj := &unstructured.Unstructured{}
+		decoder := k8syaml.NewYAMLOrJSONDecoder(bytes.NewReader(doc), len(doc))
+		if err := decoder.Decode(obj); err != nil {
+			// Skip documents that can't be decoded (might be comments or empty)
+			if err == io.EOF {
+				continue
+			}
+			return nil, fmt.Errorf("failed to decode YAML document: %w", err)
+		}
+
+		// Skip empty objects (no kind)
+		if obj.GetKind() == "" {
+			continue
+		}
+
+		objects = append(objects, obj)
+	}
+
+	return objects, nil
+}
+
+// applyManifests applies Kubernetes objects using server-side apply.
+func applyManifests(ctx context.Context, k8sClient client.Client, objects []*unstructured.Unstructured) error {
+	logger := log.FromContext(ctx)
+	decoder := yaml.NewDecodingSerializer(unstructured.UnstructuredJSONScheme)
+
+	// Separate CRDs and namespaces from other resources
+	var stageOne []*unstructured.Unstructured // CRDs and Namespaces
+	var stageTwo []*unstructured.Unstructured // Everything else
+
+	for _, obj := range objects {
+		if isClusterDefinition(obj) {
+			stageOne = append(stageOne, obj)
+		} else {
+			stageTwo = append(stageTwo, obj)
+		}
+	}
+
+	// Apply stage one (CRDs and Namespaces) first
+	if len(stageOne) > 0 {
+		logger.Info("Applying cluster definitions", "count", len(stageOne))
+		if err := applyObjects(ctx, k8sClient, decoder, stageOne); err != nil {
+			return fmt.Errorf("failed to apply cluster definitions: %w", err)
+		}
+
+		// Wait a bit for CRDs to be registered
+		time.Sleep(2 * time.Second)
+	}
+
+	// Apply stage two (everything else)
+	if len(stageTwo) > 0 {
+		logger.Info("Applying resources", "count", len(stageTwo))
+		if err := applyObjects(ctx, k8sClient, decoder, stageTwo); err != nil {
+			return fmt.Errorf("failed to apply resources: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// applyObjects applies a list of objects using server-side apply.
+func applyObjects(ctx context.Context, k8sClient client.Client, decoder runtime.Decoder, objects []*unstructured.Unstructured) error {
+	for _, obj := range objects {
+		// Use server-side apply with force ownership and field manager
+		// FieldManager is required for apply patch operations
+		patchOptions := &client.PatchOptions{
+			FieldManager: "cozystack-operator",
+			Force:        func() *bool { b := true; return &b }(),
+		}
+
+		if err := k8sClient.Patch(ctx, obj, client.Apply, patchOptions); err != nil {
+			return fmt.Errorf("failed to apply object %s/%s: %w", obj.GetKind(), obj.GetName(), err)
+		}
+	}
+	return nil
+}
+
+
+// extractNamespace extracts the namespace name from the Namespace object in the manifests.
+func extractNamespace(objects []*unstructured.Unstructured) (string, error) {
+	for _, obj := range objects {
+		if obj.GetKind() == "Namespace" {
+			namespace := obj.GetName()
+			if namespace == "" {
+				return "", fmt.Errorf("Namespace object has no name")
+			}
+			return namespace, nil
+		}
+	}
+	return "", fmt.Errorf("no Namespace object found in manifests")
+}
+
+// isClusterDefinition checks if an object is a CRD or Namespace.
+func isClusterDefinition(obj *unstructured.Unstructured) bool {
+	kind := obj.GetKind()
+	return kind == "CustomResourceDefinition" || kind == "Namespace"
+}
+
+// injectKubernetesServiceEnv injects KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT
+// environment variables into all containers of Deployment, StatefulSet, and DaemonSet objects
+// if these variables are set in the operator's environment.
+func injectKubernetesServiceEnv(objects []*unstructured.Unstructured) error {
+	kubernetesHost := os.Getenv("KUBERNETES_SERVICE_HOST")
+	kubernetesPort := os.Getenv("KUBERNETES_SERVICE_PORT")
+
+	// If neither variable is set, nothing to do
+	if kubernetesHost == "" && kubernetesPort == "" {
+		return nil
+	}
+
+	for _, obj := range objects {
+		kind := obj.GetKind()
+		if kind != "Deployment" && kind != "StatefulSet" && kind != "DaemonSet" {
+			continue
+		}
+
+		// Navigate to spec.template.spec.containers
+		spec, found, err := unstructured.NestedMap(obj.Object, "spec", "template", "spec")
+		if !found || err != nil {
+			continue
+		}
+
+		// Update containers
+		containers, found, err := unstructured.NestedSlice(spec, "containers")
+		if found && err == nil {
+			containers = updateContainersEnv(containers, kubernetesHost, kubernetesPort)
+			if err := unstructured.SetNestedSlice(spec, containers, "containers"); err != nil {
+				continue
+			}
+		}
+
+		// Update initContainers
+		initContainers, found, err := unstructured.NestedSlice(spec, "initContainers")
+		if found && err == nil {
+			initContainers = updateContainersEnv(initContainers, kubernetesHost, kubernetesPort)
+			if err := unstructured.SetNestedSlice(spec, initContainers, "initContainers"); err != nil {
+				continue
+			}
+		}
+
+		// Update spec in the object
+		if err := unstructured.SetNestedMap(obj.Object, spec, "spec", "template", "spec"); err != nil {
+			continue
+		}
+	}
+
+	return nil
+}
+
+// updateContainersEnv updates environment variables for a slice of containers.
+func updateContainersEnv(containers []interface{}, kubernetesHost, kubernetesPort string) []interface{} {
+	for i, container := range containers {
+		containerMap, ok := container.(map[string]interface{})
+		if !ok {
+			continue
+		}
+
+		env, found, err := unstructured.NestedSlice(containerMap, "env")
+		if err != nil {
+			continue
+		}
+
+		if !found {
+			env = []interface{}{}
+		}
+
+		// Update or add KUBERNETES_SERVICE_HOST
+		if kubernetesHost != "" {
+			env = setEnvVar(env, "KUBERNETES_SERVICE_HOST", kubernetesHost)
+		}
+
+		// Update or add KUBERNETES_SERVICE_PORT
+		if kubernetesPort != "" {
+			env = setEnvVar(env, "KUBERNETES_SERVICE_PORT", kubernetesPort)
+		}
+
+		// Update the container's env
+		if err := unstructured.SetNestedSlice(containerMap, env, "env"); err != nil {
+			continue
+		}
+
+		// Update the container in the slice
+		containers[i] = containerMap
+	}
+
+	return containers
+}
+
+// setEnvVar updates or adds an environment variable in the env slice.
+func setEnvVar(env []interface{}, name, value string) []interface{} {
+	// Check if variable already exists
+	for i, envVar := range env {
+		envVarMap, ok := envVar.(map[string]interface{})
+		if !ok {
+			continue
+		}
+
+		if envVarMap["name"] == name {
+			// Update existing variable
+			envVarMap["value"] = value
+			env[i] = envVarMap
+			return env
+		}
+	}
+
+	// Add new variable
+	env = append(env, map[string]interface{}{
+		"name":  name,
+		"value": value,
+	})
+
+	return env
+}
+

internal/fluxinstall/manifests.embed.go

@@ -0,0 +1,51 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fluxinstall
+
+import (
+	"embed"
+	"fmt"
+	"io/fs"
+	"os"
+	"path"
+)
+
+//go:embed manifests/*.yaml
+var embeddedFluxManifests embed.FS
+
+// WriteEmbeddedManifests extracts embedded Flux manifests to a temporary directory.
+func WriteEmbeddedManifests(dir string) error {
+	manifests, err := fs.ReadDir(embeddedFluxManifests, "manifests")
+	if err != nil {
+		return fmt.Errorf("failed to read embedded manifests: %w", err)
+	}
+
+	for _, manifest := range manifests {
+		data, err := fs.ReadFile(embeddedFluxManifests, path.Join("manifests", manifest.Name()))
+		if err != nil {
+			return fmt.Errorf("failed to read file %s: %w", manifest.Name(), err)
+		}
+
+		outputPath := path.Join(dir, manifest.Name())
+		if err := os.WriteFile(outputPath, data, 0666); err != nil {
+			return fmt.Errorf("failed to write file %s: %w", outputPath, err)
+		}
+	}
+
+	return nil
+}
+

internal/fluxinstall/manifests/fluxcd.yaml

@@ -11623,7 +11623,6 @@ spec:
               value: /tmp/.sigstore
             - name: NO_PROXY
               value: .svc
-            {{- include "cozy.kubernetes_envs" . | nindent 12 }}
           image: ghcr.io/fluxcd/source-controller:v1.7.3
           imagePullPolicy: IfNotPresent
           livenessProbe:
@@ -11694,7 +11693,6 @@ spec:
               value: /tmp/.sigstore
             - name: NO_PROXY
               value: .svc
-            {{- include "cozy.kubernetes_envs" . | nindent 12 }}
           image: ghcr.io/fluxcd/kustomize-controller:v1.7.2
           imagePullPolicy: IfNotPresent
           livenessProbe:
@@ -11760,7 +11758,6 @@ spec:
               value: /tmp/.sigstore
             - name: NO_PROXY
               value: .svc
-            {{- include "cozy.kubernetes_envs" . | nindent 12 }}
           image: ghcr.io/fluxcd/helm-controller:v1.4.3
           imagePullPolicy: IfNotPresent
           livenessProbe:
@@ -11823,7 +11820,6 @@ spec:
               value: /tmp/.sigstore
             - name: NO_PROXY
               value: .svc
-            {{- include "cozy.kubernetes_envs" . | nindent 12 }}
           image: ghcr.io/fluxcd/notification-controller:v1.7.4
           imagePullPolicy: IfNotPresent
           livenessProbe:
@@ -11894,7 +11890,6 @@ spec:
               value: /tmp/.sigstore
             - name: NO_PROXY
               value: .svc
-            {{- include "cozy.kubernetes_envs" . | nindent 12 }}
           image: ghcr.io/fluxcd/source-watcher:v2.0.2
           imagePullPolicy: IfNotPresent
           livenessProbe:
@@ -11936,7 +11931,6 @@ spec:
               name: data
             - mountPath: /tmp
               name: tmp
-      dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
       priorityClassName: system-cluster-critical
       securityContext:

internal/operator/package_reconciler.go

@@ -0,0 +1,889 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package operator
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+// PackageReconciler reconciles Package resources
+type PackageReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=cozystack.io,resources=packages,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cozystack.io,resources=packages/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cozystack.io,resources=packagesources,verbs=get;list;watch
+// +kubebuilder:rbac:groups=helm.toolkit.fluxcd.io,resources=helmreleases,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create;update;patch
+
+// Reconcile is part of the main kubernetes reconciliation loop
+func (r *PackageReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+
+	pkg := &cozyv1alpha1.Package{}
+	if err := r.Get(ctx, req.NamespacedName, pkg); err != nil {
+		if apierrors.IsNotFound(err) {
+			// Resource not found, return (ownerReference will handle cleanup)
+			return ctrl.Result{}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	// Get PackageSource with the same name
+	packageSource := &cozyv1alpha1.PackageSource{}
+	if err := r.Get(ctx, types.NamespacedName{Name: pkg.Name}, packageSource); err != nil {
+		if apierrors.IsNotFound(err) {
+			meta.SetStatusCondition(&pkg.Status.Conditions, metav1.Condition{
+				Type:    "Ready",
+				Status:  metav1.ConditionFalse,
+				Reason:  "PackageSourceNotFound",
+				Message: fmt.Sprintf("PackageSource %s not found", pkg.Name),
+			})
+			if err := r.Status().Update(ctx, pkg); err != nil {
+				return ctrl.Result{}, err
+			}
+			return ctrl.Result{}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	// Determine variant (default to "default" if not specified)
+	variantName := pkg.Spec.Variant
+	if variantName == "" {
+		variantName = "default"
+	}
+
+	// Find the variant in PackageSource
+	var variant *cozyv1alpha1.Variant
+	for i := range packageSource.Spec.Variants {
+		if packageSource.Spec.Variants[i].Name == variantName {
+			variant = &packageSource.Spec.Variants[i]
+			break
+		}
+	}
+
+	if variant == nil {
+		meta.SetStatusCondition(&pkg.Status.Conditions, metav1.Condition{
+			Type:    "Ready",
+			Status:  metav1.ConditionFalse,
+			Reason:  "VariantNotFound",
+			Message: fmt.Sprintf("Variant %s not found in PackageSource %s", variantName, pkg.Name),
+		})
+		if err := r.Status().Update(ctx, pkg); err != nil {
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{}, nil
+	}
+
+	// Reconcile namespaces from components
+	if err := r.reconcileNamespaces(ctx, pkg, variant); err != nil {
+		logger.Error(err, "failed to reconcile namespaces")
+		return ctrl.Result{}, err
+	}
+
+	// Validate variant dependencies before creating HelmReleases
+	// If dependencies are missing, we don't create new HelmReleases but don't delete existing ones
+	if err := r.validateVariantDependencies(ctx, pkg, variant); err != nil {
+		logger.Info("variant dependencies not ready, skipping HelmRelease creation", "package", pkg.Name, "error", err)
+		meta.SetStatusCondition(&pkg.Status.Conditions, metav1.Condition{
+			Type:    "Ready",
+			Status:  metav1.ConditionFalse,
+			Reason:  "DependenciesNotReady",
+			Message: fmt.Sprintf("Variant dependencies not ready: %v", err),
+		})
+		if err := r.Status().Update(ctx, pkg); err != nil {
+			return ctrl.Result{}, err
+		}
+		// Return success to avoid requeue, but don't create HelmReleases
+		return ctrl.Result{}, nil
+	}
+
+	// Create HelmReleases for components with Install section
+	helmReleaseCount := 0
+	for _, component := range variant.Components {
+		// Skip components without Install section
+		if component.Install == nil {
+			continue
+		}
+
+		// Check if component is disabled via Package spec
+		if pkgComponent, ok := pkg.Spec.Components[component.Name]; ok {
+			if pkgComponent.Enabled != nil && !*pkgComponent.Enabled {
+				logger.V(1).Info("skipping disabled component", "package", pkg.Name, "component", component.Name)
+				continue
+			}
+		}
+
+		// Build artifact name: <packagesource>-<variant>-<componentname> (with dots replaced by dashes)
+		artifactName := fmt.Sprintf("%s-%s-%s",
+			strings.ReplaceAll(packageSource.Name, ".", "-"),
+			strings.ReplaceAll(variantName, ".", "-"),
+			strings.ReplaceAll(component.Name, ".", "-"))
+
+		// Determine namespace (from Install or default to cozy-system)
+		namespace := component.Install.Namespace
+		if namespace == "" {
+			namespace = "cozy-system"
+		}
+
+		// Determine release name (from Install or use component name)
+		releaseName := component.Install.ReleaseName
+		if releaseName == "" {
+			releaseName = component.Name
+		}
+
+		// Build labels
+		labels := make(map[string]string)
+		labels["cozystack.io/package"] = pkg.Name
+		if component.Install.Privileged {
+			labels["cozystack.io/privileged"] = "true"
+		}
+
+		// Create HelmRelease
+		hr := &helmv2.HelmRelease{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      releaseName,
+				Namespace: namespace,
+				Labels:    labels,
+			},
+			Spec: helmv2.HelmReleaseSpec{
+				Interval: metav1.Duration{Duration: 5 * 60 * 1000000000}, // 5m
+				ChartRef: &helmv2.CrossNamespaceSourceReference{
+					Kind:      "ExternalArtifact",
+					Name:      artifactName,
+					Namespace: "cozy-system",
+				},
+				Install: &helmv2.Install{
+					Remediation: &helmv2.InstallRemediation{
+						Retries: -1,
+					},
+				},
+				Upgrade: &helmv2.Upgrade{
+					Remediation: &helmv2.UpgradeRemediation{
+						Retries: -1,
+					},
+				},
+			},
+		}
+
+		// Set ownerReference
+		hr.OwnerReferences = []metav1.OwnerReference{
+			{
+				APIVersion: pkg.APIVersion,
+				Kind:       pkg.Kind,
+				Name:       pkg.Name,
+				UID:        pkg.UID,
+				Controller: func() *bool { b := true; return &b }(),
+			},
+		}
+
+		// Merge values from Package spec if provided
+		if pkgComponent, ok := pkg.Spec.Components[component.Name]; ok && pkgComponent.Values != nil {
+			hr.Spec.Values = pkgComponent.Values
+		}
+
+		// Build DependsOn from component Install and variant DependsOn
+		dependsOn, err := r.buildDependsOn(ctx, pkg, packageSource, variant, &component)
+		if err != nil {
+			logger.Error(err, "failed to build DependsOn", "component", component.Name)
+			meta.SetStatusCondition(&pkg.Status.Conditions, metav1.Condition{
+				Type:    "Ready",
+				Status:  metav1.ConditionFalse,
+				Reason:  "DependsOnFailed",
+				Message: fmt.Sprintf("Failed to build DependsOn for component %s: %v", component.Name, err),
+			})
+			if err := r.Status().Update(ctx, pkg); err != nil {
+				return ctrl.Result{}, err
+			}
+			return ctrl.Result{}, err
+		}
+		if len(dependsOn) > 0 {
+			hr.Spec.DependsOn = dependsOn
+		}
+
+		if err := r.createOrUpdateHelmRelease(ctx, hr); err != nil {
+			logger.Error(err, "failed to reconcile HelmRelease", "name", releaseName, "namespace", namespace)
+			meta.SetStatusCondition(&pkg.Status.Conditions, metav1.Condition{
+				Type:    "Ready",
+				Status:  metav1.ConditionFalse,
+				Reason:  "HelmReleaseFailed",
+				Message: fmt.Sprintf("Failed to create HelmRelease %s: %v", releaseName, err),
+			})
+			if err := r.Status().Update(ctx, pkg); err != nil {
+				return ctrl.Result{}, err
+			}
+			return ctrl.Result{}, err
+		}
+
+		helmReleaseCount++
+		logger.Info("reconciled HelmRelease", "package", pkg.Name, "component", component.Name, "releaseName", releaseName, "namespace", namespace)
+	}
+
+	// Cleanup orphaned HelmReleases
+	if err := r.cleanupOrphanedHelmReleases(ctx, pkg, variant); err != nil {
+		logger.Error(err, "failed to cleanup orphaned HelmReleases")
+		// Don't return error, continue with status update
+	}
+
+	// Update status with success message
+	message := fmt.Sprintf("reconciliation succeeded, generated %d helmrelease(s)", helmReleaseCount)
+	meta.SetStatusCondition(&pkg.Status.Conditions, metav1.Condition{
+		Type:    "Ready",
+		Status:  metav1.ConditionTrue,
+		Reason:  "ReconciliationSucceeded",
+		Message: message,
+	})
+
+	if err := r.Status().Update(ctx, pkg); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	logger.Info("reconciled Package", "name", pkg.Name, "helmReleaseCount", helmReleaseCount)
+
+	// Trigger reconcile for Packages that depend on this Package
+	if err := r.triggerDependentPackages(ctx, pkg.Name); err != nil {
+		logger.Error(err, "failed to trigger dependent Packages", "package", pkg.Name)
+		// Don't return error, this is best-effort
+	}
+
+	return ctrl.Result{}, nil
+}
+
+// createOrUpdateHelmRelease creates or updates a HelmRelease
+func (r *PackageReconciler) createOrUpdateHelmRelease(ctx context.Context, hr *helmv2.HelmRelease) error {
+	existing := &helmv2.HelmRelease{}
+	key := types.NamespacedName{
+		Name:      hr.Name,
+		Namespace: hr.Namespace,
+	}
+
+	err := r.Get(ctx, key, existing)
+	if apierrors.IsNotFound(err) {
+		return r.Create(ctx, hr)
+	} else if err != nil {
+		return err
+	}
+
+	// Preserve resource version
+	hr.SetResourceVersion(existing.GetResourceVersion())
+
+	// Merge labels
+	labels := hr.GetLabels()
+	if labels == nil {
+		labels = make(map[string]string)
+	}
+	for k, v := range existing.GetLabels() {
+		if _, ok := labels[k]; !ok {
+			labels[k] = v
+		}
+	}
+	hr.SetLabels(labels)
+
+	// Merge annotations
+	annotations := hr.GetAnnotations()
+	if annotations == nil {
+		annotations = make(map[string]string)
+	}
+	for k, v := range existing.GetAnnotations() {
+		if _, ok := annotations[k]; !ok {
+			annotations[k] = v
+		}
+	}
+	hr.SetAnnotations(annotations)
+
+	// Update Spec
+	existing.Spec = hr.Spec
+	existing.SetLabels(hr.GetLabels())
+	existing.SetAnnotations(hr.GetAnnotations())
+	existing.SetOwnerReferences(hr.GetOwnerReferences())
+
+	return r.Update(ctx, existing)
+}
+
+// buildDependsOn builds DependsOn list for a component
+// Includes:
+// 1. Dependencies from component.Install.DependsOn (with namespace from referenced component)
+// 2. Dependencies from variant.DependsOn (all components with Install from referenced Package)
+func (r *PackageReconciler) buildDependsOn(ctx context.Context, pkg *cozyv1alpha1.Package, packageSource *cozyv1alpha1.PackageSource, variant *cozyv1alpha1.Variant, component *cozyv1alpha1.Component) ([]helmv2.DependencyReference, error) {
+	logger := log.FromContext(ctx)
+	dependsOn := []helmv2.DependencyReference{}
+
+	// Build map of component names to their release names and namespaces in current variant
+	componentMap := make(map[string]struct {
+		releaseName string
+		namespace   string
+	})
+	for _, comp := range variant.Components {
+		if comp.Install == nil {
+			continue
+		}
+		compNamespace := comp.Install.Namespace
+		if compNamespace == "" {
+			compNamespace = "cozy-system"
+		}
+		compReleaseName := comp.Install.ReleaseName
+		if compReleaseName == "" {
+			compReleaseName = comp.Name
+		}
+		componentMap[comp.Name] = struct {
+			releaseName string
+			namespace   string
+		}{
+			releaseName: compReleaseName,
+			namespace:   compNamespace,
+		}
+	}
+
+	// Add dependencies from component.Install.DependsOn
+	if len(component.Install.DependsOn) > 0 {
+		for _, depName := range component.Install.DependsOn {
+			depComp, ok := componentMap[depName]
+			if !ok {
+				return nil, fmt.Errorf("component %s not found in variant for dependency %s", depName, component.Name)
+			}
+			dependsOn = append(dependsOn, helmv2.DependencyReference{
+				Name:      depComp.releaseName,
+				Namespace: depComp.namespace,
+			})
+			logger.V(1).Info("added component dependency", "component", component.Name, "dependsOn", depName, "releaseName", depComp.releaseName, "namespace", depComp.namespace)
+		}
+	}
+
+	// Add dependencies from variant.DependsOn
+	if len(variant.DependsOn) > 0 {
+		for _, depPackageName := range variant.DependsOn {
+			// Check if dependency is in IgnoreDependencies
+			ignore := false
+			for _, ignoreDep := range pkg.Spec.IgnoreDependencies {
+				if ignoreDep == depPackageName {
+					ignore = true
+					break
+				}
+			}
+			if ignore {
+				logger.V(1).Info("ignoring dependency", "package", pkg.Name, "dependency", depPackageName)
+				continue
+			}
+
+			// Get the Package
+			depPackage := &cozyv1alpha1.Package{}
+			if err := r.Get(ctx, types.NamespacedName{Name: depPackageName}, depPackage); err != nil {
+				if apierrors.IsNotFound(err) {
+					return nil, fmt.Errorf("dependent Package %s not found", depPackageName)
+				}
+				return nil, fmt.Errorf("failed to get dependent Package %s: %w", depPackageName, err)
+			}
+
+			// Get the variant from dependent Package
+			depVariantName := depPackage.Spec.Variant
+			if depVariantName == "" {
+				depVariantName = "default"
+			}
+
+			// Get the PackageSource
+			depPackageSource := &cozyv1alpha1.PackageSource{}
+			if err := r.Get(ctx, types.NamespacedName{Name: depPackageName}, depPackageSource); err != nil {
+				if apierrors.IsNotFound(err) {
+					return nil, fmt.Errorf("dependent PackageSource %s not found", depPackageName)
+				}
+				return nil, fmt.Errorf("failed to get dependent PackageSource %s: %w", depPackageName, err)
+			}
+
+			// Find the variant in PackageSource
+			var depVariant *cozyv1alpha1.Variant
+			for i := range depPackageSource.Spec.Variants {
+				if depPackageSource.Spec.Variants[i].Name == depVariantName {
+					depVariant = &depPackageSource.Spec.Variants[i]
+					break
+				}
+			}
+
+			if depVariant == nil {
+				return nil, fmt.Errorf("dependent variant %s not found in PackageSource %s", depVariantName, depPackageName)
+			}
+
+			// Add all components with Install from dependent variant
+			for _, depComp := range depVariant.Components {
+				if depComp.Install == nil {
+					continue
+				}
+
+				// Check if component is disabled in dependent Package
+				if depPkgComponent, ok := depPackage.Spec.Components[depComp.Name]; ok {
+					if depPkgComponent.Enabled != nil && !*depPkgComponent.Enabled {
+						continue
+					}
+				}
+
+				depCompNamespace := depComp.Install.Namespace
+				if depCompNamespace == "" {
+					depCompNamespace = "cozy-system"
+				}
+				depCompReleaseName := depComp.Install.ReleaseName
+				if depCompReleaseName == "" {
+					depCompReleaseName = depComp.Name
+				}
+
+				dependsOn = append(dependsOn, helmv2.DependencyReference{
+					Name:      depCompReleaseName,
+					Namespace: depCompNamespace,
+				})
+				logger.V(1).Info("added variant dependency", "package", pkg.Name, "dependency", depPackageName, "component", depComp.Name, "releaseName", depCompReleaseName, "namespace", depCompNamespace)
+			}
+		}
+	}
+
+	return dependsOn, nil
+}
+
+// validateVariantDependencies validates that all variant dependencies exist
+// Returns error if any dependency is missing
+func (r *PackageReconciler) validateVariantDependencies(ctx context.Context, pkg *cozyv1alpha1.Package, variant *cozyv1alpha1.Variant) error {
+	logger := log.FromContext(ctx)
+
+	if len(variant.DependsOn) == 0 {
+		return nil
+	}
+
+	for _, depPackageName := range variant.DependsOn {
+		// Check if dependency is in IgnoreDependencies
+		ignore := false
+		for _, ignoreDep := range pkg.Spec.IgnoreDependencies {
+			if ignoreDep == depPackageName {
+				ignore = true
+				break
+			}
+		}
+		if ignore {
+			logger.V(1).Info("ignoring dependency", "package", pkg.Name, "dependency", depPackageName)
+			continue
+		}
+
+		// Get the Package
+		depPackage := &cozyv1alpha1.Package{}
+		if err := r.Get(ctx, types.NamespacedName{Name: depPackageName}, depPackage); err != nil {
+			if apierrors.IsNotFound(err) {
+				return fmt.Errorf("dependent Package %s not found", depPackageName)
+			}
+			return fmt.Errorf("failed to get dependent Package %s: %w", depPackageName, err)
+		}
+
+		// Get the PackageSource
+		depPackageSource := &cozyv1alpha1.PackageSource{}
+		if err := r.Get(ctx, types.NamespacedName{Name: depPackageName}, depPackageSource); err != nil {
+			if apierrors.IsNotFound(err) {
+				return fmt.Errorf("dependent PackageSource %s not found", depPackageName)
+			}
+			return fmt.Errorf("failed to get dependent PackageSource %s: %w", depPackageName, err)
+		}
+
+		// Get the variant from dependent Package
+		depVariantName := depPackage.Spec.Variant
+		if depVariantName == "" {
+			depVariantName = "default"
+		}
+
+		// Find the variant in PackageSource
+		var depVariant *cozyv1alpha1.Variant
+		for i := range depPackageSource.Spec.Variants {
+			if depPackageSource.Spec.Variants[i].Name == depVariantName {
+				depVariant = &depPackageSource.Spec.Variants[i]
+				break
+			}
+		}
+
+		if depVariant == nil {
+			return fmt.Errorf("dependent variant %s not found in PackageSource %s", depVariantName, depPackageName)
+		}
+	}
+
+	return nil
+}
+
+// reconcileNamespaces creates or updates namespaces based on components in the variant
+func (r *PackageReconciler) reconcileNamespaces(ctx context.Context, pkg *cozyv1alpha1.Package, variant *cozyv1alpha1.Variant) error {
+	logger := log.FromContext(ctx)
+
+	// Collect namespaces from components
+	// Map: namespace -> {isPrivileged}
+	type namespaceInfo struct {
+		privileged bool
+	}
+	namespacesMap := make(map[string]namespaceInfo)
+
+	for _, component := range variant.Components {
+		// Skip components without Install section
+		if component.Install == nil {
+			continue
+		}
+
+		// Check if component is disabled via Package spec
+		if pkgComponent, ok := pkg.Spec.Components[component.Name]; ok {
+			if pkgComponent.Enabled != nil && !*pkgComponent.Enabled {
+				continue
+			}
+		}
+
+		// Namespace must be set
+		namespace := component.Install.Namespace
+		if namespace == "" {
+			return fmt.Errorf("component %s has empty namespace in Install section", component.Name)
+		}
+
+		info, exists := namespacesMap[namespace]
+		if !exists {
+			info = namespaceInfo{
+				privileged: false,
+			}
+		}
+
+		// If component is privileged, mark namespace as privileged
+		if component.Install.Privileged {
+			info.privileged = true
+		}
+
+		namespacesMap[namespace] = info
+	}
+
+	// Create or update all namespaces
+	for nsName, info := range namespacesMap {
+		namespace := &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   nsName,
+				Labels: make(map[string]string),
+				Annotations: map[string]string{
+					"helm.sh/resource-policy": "keep",
+				},
+			},
+		}
+
+		// Add system label only for non-tenant namespaces
+		if !strings.HasPrefix(nsName, "tenant-") {
+			namespace.Labels["cozystack.io/system"] = "true"
+		}
+
+		// Add privileged label if needed
+		if info.privileged {
+			namespace.Labels["pod-security.kubernetes.io/enforce"] = "privileged"
+		}
+
+		if err := r.createOrUpdateNamespace(ctx, namespace); err != nil {
+			logger.Error(err, "failed to reconcile namespace", "name", nsName, "privileged", info.privileged)
+			return fmt.Errorf("failed to reconcile namespace %s: %w", nsName, err)
+		}
+		logger.Info("reconciled namespace", "name", nsName, "privileged", info.privileged)
+	}
+
+	return nil
+}
+
+// createOrUpdateNamespace creates or updates a namespace
+func (r *PackageReconciler) createOrUpdateNamespace(ctx context.Context, namespace *corev1.Namespace) error {
+	existing := &corev1.Namespace{}
+	key := types.NamespacedName{Name: namespace.Name}
+
+	err := r.Get(ctx, key, existing)
+	if apierrors.IsNotFound(err) {
+		return r.Create(ctx, namespace)
+	} else if err != nil {
+		return err
+	}
+
+	// Preserve resource version
+	namespace.SetResourceVersion(existing.GetResourceVersion())
+
+	// Merge labels
+	labels := namespace.GetLabels()
+	if labels == nil {
+		labels = make(map[string]string)
+	}
+	for k, v := range existing.GetLabels() {
+		if _, ok := labels[k]; !ok {
+			labels[k] = v
+		}
+	}
+	namespace.SetLabels(labels)
+
+	// Merge annotations
+	annotations := namespace.GetAnnotations()
+	if annotations == nil {
+		annotations = make(map[string]string)
+	}
+	for k, v := range existing.GetAnnotations() {
+		if _, ok := annotations[k]; !ok {
+			annotations[k] = v
+		}
+	}
+	namespace.SetAnnotations(annotations)
+
+	return r.Update(ctx, namespace)
+}
+
+// cleanupOrphanedHelmReleases removes HelmReleases that are no longer needed
+func (r *PackageReconciler) cleanupOrphanedHelmReleases(ctx context.Context, pkg *cozyv1alpha1.Package, variant *cozyv1alpha1.Variant) error {
+	logger := log.FromContext(ctx)
+
+	// Build map of desired HelmRelease names (from components with Install)
+	desiredReleases := make(map[types.NamespacedName]bool)
+	for _, component := range variant.Components {
+		if component.Install == nil {
+			continue
+		}
+
+		// Check if component is disabled via Package spec
+		if pkgComponent, ok := pkg.Spec.Components[component.Name]; ok {
+			if pkgComponent.Enabled != nil && !*pkgComponent.Enabled {
+				continue
+			}
+		}
+
+		namespace := component.Install.Namespace
+		if namespace == "" {
+			namespace = "cozy-system"
+		}
+
+		releaseName := component.Install.ReleaseName
+		if releaseName == "" {
+			releaseName = component.Name
+		}
+
+		desiredReleases[types.NamespacedName{
+			Name:      releaseName,
+			Namespace: namespace,
+		}] = true
+	}
+
+	// Find all HelmReleases owned by this Package
+	hrList := &helmv2.HelmReleaseList{}
+	if err := r.List(ctx, hrList, client.MatchingLabels{
+		"cozystack.io/package": pkg.Name,
+	}); err != nil {
+		return err
+	}
+
+	// Delete HelmReleases that are not in desired list
+	for _, hr := range hrList.Items {
+		key := types.NamespacedName{
+			Name:      hr.Name,
+			Namespace: hr.Namespace,
+		}
+		if !desiredReleases[key] {
+			logger.Info("deleting orphaned HelmRelease", "name", hr.Name, "namespace", hr.Namespace, "package", pkg.Name)
+			if err := r.Delete(ctx, &hr); err != nil && !apierrors.IsNotFound(err) {
+				logger.Error(err, "failed to delete orphaned HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
+			}
+		}
+	}
+
+	return nil
+}
+
+// triggerDependentPackages triggers reconcile for all Packages that depend on the given Package
+func (r *PackageReconciler) triggerDependentPackages(ctx context.Context, packageName string) error {
+	logger := log.FromContext(ctx)
+
+	// Get all Packages
+	packageList := &cozyv1alpha1.PackageList{}
+	if err := r.List(ctx, packageList); err != nil {
+		return fmt.Errorf("failed to list Packages: %w", err)
+	}
+
+	// For each Package, check if it depends on the given Package
+	for _, pkg := range packageList.Items {
+		// Skip the Package itself
+		if pkg.Name == packageName {
+			continue
+		}
+
+		// Get PackageSource
+		packageSource := &cozyv1alpha1.PackageSource{}
+		if err := r.Get(ctx, types.NamespacedName{Name: pkg.Name}, packageSource); err != nil {
+			if apierrors.IsNotFound(err) {
+				continue
+			}
+			logger.V(1).Error(err, "failed to get PackageSource", "package", pkg.Name)
+			continue
+		}
+
+		// Determine variant
+		variantName := pkg.Spec.Variant
+		if variantName == "" {
+			variantName = "default"
+		}
+
+		// Find variant
+		var variant *cozyv1alpha1.Variant
+		for i := range packageSource.Spec.Variants {
+			if packageSource.Spec.Variants[i].Name == variantName {
+				variant = &packageSource.Spec.Variants[i]
+				break
+			}
+		}
+
+		if variant == nil {
+			continue
+		}
+
+		// Check if this Package depends on the given Package
+		dependsOn := false
+		for _, dep := range variant.DependsOn {
+			// Check if dependency is in IgnoreDependencies
+			ignore := false
+			for _, ignoreDep := range pkg.Spec.IgnoreDependencies {
+				if ignoreDep == dep {
+					ignore = true
+					break
+				}
+			}
+			if ignore {
+				continue
+			}
+
+			if dep == packageName {
+				dependsOn = true
+				break
+			}
+		}
+
+		if dependsOn {
+			logger.V(1).Info("triggering reconcile for dependent Package", "package", pkg.Name, "dependency", packageName)
+			// Trigger reconcile by updating the Package (add annotation or just requeue)
+			// We can't directly requeue from here, but we can update the Package to trigger reconcile
+			// Actually, we can use the client to trigger an update, but that might cause infinite loop
+			// Better approach: use event handler or just log and let the watch handle it
+			// For now, we'll just log - the watch on PackageSource should handle it
+			// But we need a way to trigger reconcile...
+			// Let's add an annotation to trigger reconcile
+			if pkg.Annotations == nil {
+				pkg.Annotations = make(map[string]string)
+			}
+			pkg.Annotations["cozystack.io/trigger-reconcile"] = fmt.Sprintf("%d", metav1.Now().Unix())
+			if err := r.Update(ctx, &pkg); err != nil {
+				logger.V(1).Error(err, "failed to trigger reconcile for dependent Package", "package", pkg.Name)
+			}
+		}
+	}
+
+	return nil
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *PackageReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		Named("cozystack-package").
+		For(&cozyv1alpha1.Package{}).
+		Watches(
+			&cozyv1alpha1.PackageSource{},
+			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
+				ps, ok := obj.(*cozyv1alpha1.PackageSource)
+				if !ok {
+					return nil
+				}
+				// Find Package with the same name as PackageSource
+				// PackageSource and Package share the same name
+				pkg := &cozyv1alpha1.Package{}
+				if err := mgr.GetClient().Get(ctx, types.NamespacedName{Name: ps.Name}, pkg); err != nil {
+					// Package not found, that's ok - it might not exist yet
+					return nil
+				}
+				// Trigger reconcile for the corresponding Package
+				return []reconcile.Request{{
+					NamespacedName: types.NamespacedName{
+						Name: pkg.Name,
+					},
+				}}
+			}),
+		).
+		Watches(
+			&cozyv1alpha1.Package{},
+			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
+				updatedPkg, ok := obj.(*cozyv1alpha1.Package)
+				if !ok {
+					return nil
+				}
+				// Find all Packages that depend on this Package
+				packageList := &cozyv1alpha1.PackageList{}
+				if err := mgr.GetClient().List(ctx, packageList); err != nil {
+					return nil
+				}
+				var requests []reconcile.Request
+				for _, pkg := range packageList.Items {
+					if pkg.Name == updatedPkg.Name {
+						continue // Skip the Package itself
+					}
+					// Get PackageSource to check dependencies
+					packageSource := &cozyv1alpha1.PackageSource{}
+					if err := mgr.GetClient().Get(ctx, types.NamespacedName{Name: pkg.Name}, packageSource); err != nil {
+						continue
+					}
+					// Determine variant
+					variantName := pkg.Spec.Variant
+					if variantName == "" {
+						variantName = "default"
+					}
+					// Find variant
+					for _, variant := range packageSource.Spec.Variants {
+						if variant.Name == variantName {
+							// Check if this variant depends on updatedPkg
+							for _, dep := range variant.DependsOn {
+								// Check if dependency is in IgnoreDependencies
+								ignore := false
+								for _, ignoreDep := range pkg.Spec.IgnoreDependencies {
+									if ignoreDep == dep {
+										ignore = true
+										break
+									}
+								}
+								if ignore {
+									continue
+								}
+								if dep == updatedPkg.Name {
+									requests = append(requests, reconcile.Request{
+										NamespacedName: types.NamespacedName{
+											Name: pkg.Name,
+										},
+									})
+									break
+								}
+							}
+							break
+						}
+					}
+				}
+				return requests
+			}),
+		).
+		Complete(r)
+}

internal/operator/packagesource_reconciler.go

@@ -0,0 +1,468 @@
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package operator
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	sourcewatcherv1beta1 "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+// PackageSourceReconciler reconciles PackageSource resources
+type PackageSourceReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=cozystack.io,resources=packagesources,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cozystack.io,resources=packagesources/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=source.extensions.fluxcd.io,resources=artifactgenerators,verbs=get;list;watch;create;update;patch;delete
+
+// Reconcile is part of the main kubernetes reconciliation loop
+func (r *PackageSourceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+
+	packageSource := &cozyv1alpha1.PackageSource{}
+	if err := r.Get(ctx, req.NamespacedName, packageSource); err != nil {
+		if apierrors.IsNotFound(err) {
+			// Resource not found, return (ownerReference will handle cleanup)
+			return ctrl.Result{}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	// Generate ArtifactGenerator for package source
+	if err := r.reconcileArtifactGenerators(ctx, packageSource); err != nil {
+		logger.Error(err, "failed to reconcile ArtifactGenerator")
+		return ctrl.Result{}, err
+	}
+
+	// Update PackageSource status (variants and conditions from ArtifactGenerator)
+	if err := r.updateStatus(ctx, packageSource); err != nil {
+		logger.Error(err, "failed to update status")
+		// Don't return error, status update is not critical
+	}
+
+	return ctrl.Result{}, nil
+}
+
+// reconcileArtifactGenerators generates a single ArtifactGenerator for the package source
+// Creates one ArtifactGenerator per package source with all OutputArtifacts from components
+func (r *PackageSourceReconciler) reconcileArtifactGenerators(ctx context.Context, packageSource *cozyv1alpha1.PackageSource) error {
+	logger := log.FromContext(ctx)
+
+	// Check if SourceRef is set
+	if packageSource.Spec.SourceRef == nil {
+		logger.Info("skipping ArtifactGenerator creation, SourceRef not set", "packageSource", packageSource.Name)
+		return nil
+	}
+
+	// Build library map from all variants
+	// Map key is the library name (from lib.Name or extracted from path)
+	// This allows components to reference libraries by name
+	libraryMap := make(map[string]cozyv1alpha1.Library)
+	for _, variant := range packageSource.Spec.Variants {
+		for _, lib := range variant.Libraries {
+			libName := lib.Name
+			if libName == "" {
+				// If library name is not set, extract from path
+				libName = r.getPackageNameFromPath(lib.Path)
+			}
+			if libName != "" {
+				// Store library with the resolved name
+				libraryMap[libName] = lib
+			}
+		}
+	}
+
+	// Namespace is always cozy-system
+	namespace := "cozy-system"
+	// ArtifactGenerator name is the package source name
+	agName := packageSource.Name
+
+	// Collect all OutputArtifacts
+	outputArtifacts := []sourcewatcherv1beta1.OutputArtifact{}
+
+	// Process all variants and their components
+	for _, variant := range packageSource.Spec.Variants {
+		for _, component := range variant.Components {
+			// Skip components without path
+			if component.Path == "" {
+				logger.V(1).Info("skipping component without path", "packageSource", packageSource.Name, "variant", variant.Name, "component", component.Name)
+				continue
+			}
+
+			logger.V(1).Info("processing component", "packageSource", packageSource.Name, "variant", variant.Name, "component", component.Name, "path", component.Path)
+
+			// Extract component name from path (last component)
+			componentPathName := r.getPackageNameFromPath(component.Path)
+			if componentPathName == "" {
+				logger.Info("skipping component with invalid path", "packageSource", packageSource.Name, "variant", variant.Name, "component", component.Name, "path", component.Path)
+				continue
+			}
+
+			// Get basePath with default values
+			basePath := r.getBasePath(packageSource)
+
+			// Build copy operations
+			copyOps := []sourcewatcherv1beta1.CopyOperation{
+				{
+					From: r.buildSourcePath(packageSource.Spec.SourceRef.Name, basePath, component.Path),
+					To:   fmt.Sprintf("@artifact/%s/", componentPathName),
+				},
+			}
+
+			// Add libraries if specified
+			for _, libName := range component.Libraries {
+				if lib, ok := libraryMap[libName]; ok {
+					copyOps = append(copyOps, sourcewatcherv1beta1.CopyOperation{
+						From: r.buildSourcePath(packageSource.Spec.SourceRef.Name, basePath, lib.Path),
+						To:   fmt.Sprintf("@artifact/%s/charts/%s/", componentPathName, libName),
+					})
+				}
+			}
+
+			// Add valuesFiles if specified
+			for i, valuesFile := range component.ValuesFiles {
+				strategy := "Merge"
+				if i == 0 {
+					strategy = "Overwrite"
+				}
+				copyOps = append(copyOps, sourcewatcherv1beta1.CopyOperation{
+					From:     r.buildSourceFilePath(packageSource.Spec.SourceRef.Name, basePath, fmt.Sprintf("%s/%s", component.Path, valuesFile)),
+					To:       fmt.Sprintf("@artifact/%s/values.yaml", componentPathName),
+					Strategy: strategy,
+				})
+			}
+
+			// Artifact name: <packagesource>-<variant>-<componentname>
+			// Replace dots with dashes to comply with Kubernetes naming requirements
+			artifactName := fmt.Sprintf("%s-%s-%s",
+				strings.ReplaceAll(packageSource.Name, ".", "-"),
+				strings.ReplaceAll(variant.Name, ".", "-"),
+				strings.ReplaceAll(component.Name, ".", "-"))
+
+			outputArtifacts = append(outputArtifacts, sourcewatcherv1beta1.OutputArtifact{
+				Name: artifactName,
+				Copy: copyOps,
+			})
+
+			logger.Info("added OutputArtifact for component", "packageSource", packageSource.Name, "variant", variant.Name, "component", component.Name, "artifactName", artifactName)
+		}
+	}
+
+	// If there are no OutputArtifacts, return (ownerReference will handle cleanup if needed)
+	if len(outputArtifacts) == 0 {
+		logger.Info("no OutputArtifacts to generate, skipping ArtifactGenerator creation", "packageSource", packageSource.Name)
+		return nil
+	}
+
+	// Build labels
+	labels := make(map[string]string)
+	labels["cozystack.io/packagesource"] = packageSource.Name
+
+	// Create single ArtifactGenerator for the package source
+	ag := &sourcewatcherv1beta1.ArtifactGenerator{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      agName,
+			Namespace: namespace,
+			Labels:    labels,
+		},
+		Spec: sourcewatcherv1beta1.ArtifactGeneratorSpec{
+			Sources: []sourcewatcherv1beta1.SourceReference{
+				{
+					Alias:     packageSource.Spec.SourceRef.Name,
+					Kind:      packageSource.Spec.SourceRef.Kind,
+					Name:      packageSource.Spec.SourceRef.Name,
+					Namespace: packageSource.Spec.SourceRef.Namespace,
+				},
+			},
+			OutputArtifacts: outputArtifacts,
+		},
+	}
+
+	// Set ownerReference
+	ag.OwnerReferences = []metav1.OwnerReference{
+		{
+			APIVersion: packageSource.APIVersion,
+			Kind:       packageSource.Kind,
+			Name:       packageSource.Name,
+			UID:        packageSource.UID,
+			Controller: func() *bool { b := true; return &b }(),
+		},
+	}
+
+	logger.Info("creating ArtifactGenerator for package source", "packageSource", packageSource.Name, "agName", agName, "namespace", namespace, "outputArtifactCount", len(outputArtifacts))
+
+	if err := r.createOrUpdate(ctx, ag); err != nil {
+		return fmt.Errorf("failed to reconcile ArtifactGenerator %s: %w", agName, err)
+	}
+
+	logger.Info("reconciled ArtifactGenerator for package source", "name", agName, "namespace", namespace, "outputArtifactCount", len(outputArtifacts))
+
+	return nil
+}
+
+// Helper functions
+func (r *PackageSourceReconciler) getPackageNameFromPath(path string) string {
+	parts := strings.Split(path, "/")
+	if len(parts) > 0 {
+		return parts[len(parts)-1]
+	}
+	return ""
+}
+
+// getBasePath returns the basePath with default values based on source kind
+func (r *PackageSourceReconciler) getBasePath(packageSource *cozyv1alpha1.PackageSource) string {
+	// If path is explicitly set in SourceRef, use it (but normalize "/" to empty)
+	if packageSource.Spec.SourceRef.Path != "" {
+		path := strings.Trim(packageSource.Spec.SourceRef.Path, "/")
+		// If path is "/" or empty after trim, return empty string
+		if path == "" {
+			return ""
+		}
+		return path
+	}
+	// Default values based on kind
+	if packageSource.Spec.SourceRef.Kind == "OCIRepository" {
+		return "" // Root for OCI
+	}
+	// Default for GitRepository
+	return "packages"
+}
+
+// buildSourcePath builds the full source path using basePath with glob pattern
+func (r *PackageSourceReconciler) buildSourcePath(sourceName, basePath, path string) string {
+	// Remove leading/trailing slashes and combine
+	parts := []string{}
+	if basePath != "" {
+		trimmed := strings.Trim(basePath, "/")
+		if trimmed != "" {
+			parts = append(parts, trimmed)
+		}
+	}
+	if path != "" {
+		trimmed := strings.Trim(path, "/")
+		if trimmed != "" {
+			parts = append(parts, trimmed)
+		}
+	}
+
+	fullPath := strings.Join(parts, "/")
+	if fullPath == "" {
+		return fmt.Sprintf("@%s/**", sourceName)
+	}
+	return fmt.Sprintf("@%s/%s/**", sourceName, fullPath)
+}
+
+// buildSourceFilePath builds the full source path for a specific file (without glob pattern)
+func (r *PackageSourceReconciler) buildSourceFilePath(sourceName, basePath, path string) string {
+	// Remove leading/trailing slashes and combine
+	parts := []string{}
+	if basePath != "" {
+		trimmed := strings.Trim(basePath, "/")
+		if trimmed != "" {
+			parts = append(parts, trimmed)
+		}
+	}
+	if path != "" {
+		trimmed := strings.Trim(path, "/")
+		if trimmed != "" {
+			parts = append(parts, trimmed)
+		}
+	}
+
+	fullPath := strings.Join(parts, "/")
+	if fullPath == "" {
+		return fmt.Sprintf("@%s", sourceName)
+	}
+	return fmt.Sprintf("@%s/%s", sourceName, fullPath)
+}
+
+// createOrUpdate creates or updates a resource
+func (r *PackageSourceReconciler) createOrUpdate(ctx context.Context, obj client.Object) error {
+	existing := obj.DeepCopyObject().(client.Object)
+	key := client.ObjectKeyFromObject(obj)
+
+	err := r.Get(ctx, key, existing)
+	if apierrors.IsNotFound(err) {
+		return r.Create(ctx, obj)
+	} else if err != nil {
+		return err
+	}
+
+	// Preserve resource version
+	obj.SetResourceVersion(existing.GetResourceVersion())
+	// Merge labels and annotations
+	labels := obj.GetLabels()
+	if labels == nil {
+		labels = make(map[string]string)
+	}
+	for k, v := range existing.GetLabels() {
+		if _, ok := labels[k]; !ok {
+			labels[k] = v
+		}
+	}
+	obj.SetLabels(labels)
+
+	annotations := obj.GetAnnotations()
+	if annotations == nil {
+		annotations = make(map[string]string)
+	}
+	for k, v := range existing.GetAnnotations() {
+		if _, ok := annotations[k]; !ok {
+			annotations[k] = v
+		}
+	}
+	obj.SetAnnotations(annotations)
+
+	// For ArtifactGenerator, explicitly update Spec (OutputArtifacts and Sources)
+	if ag, ok := obj.(*sourcewatcherv1beta1.ArtifactGenerator); ok {
+		if existingAG, ok := existing.(*sourcewatcherv1beta1.ArtifactGenerator); ok {
+			logger := log.FromContext(ctx)
+			logger.V(1).Info("updating ArtifactGenerator Spec", "name", ag.Name, "namespace", ag.Namespace,
+				"outputArtifactCount", len(ag.Spec.OutputArtifacts))
+			// Update Spec from obj (which contains the desired state with all OutputArtifacts)
+			existingAG.Spec = ag.Spec
+			// Preserve metadata updates we made above
+			existingAG.SetLabels(ag.GetLabels())
+			existingAG.SetAnnotations(ag.GetAnnotations())
+			existingAG.SetOwnerReferences(ag.GetOwnerReferences())
+			// Use existingAG for Update
+			obj = existingAG
+		}
+	}
+
+	return r.Update(ctx, obj)
+}
+
+// updateStatus updates PackageSource status (variants and conditions from ArtifactGenerator)
+func (r *PackageSourceReconciler) updateStatus(ctx context.Context, packageSource *cozyv1alpha1.PackageSource) error {
+	logger := log.FromContext(ctx)
+
+	// Update variants in status from spec
+	variantNames := make([]string, 0, len(packageSource.Spec.Variants))
+	for _, variant := range packageSource.Spec.Variants {
+		variantNames = append(variantNames, variant.Name)
+	}
+	packageSource.Status.Variants = strings.Join(variantNames, ",")
+
+	// Check if SourceRef is set
+	if packageSource.Spec.SourceRef == nil {
+		// Set status to unknown if SourceRef is not set
+		meta.SetStatusCondition(&packageSource.Status.Conditions, metav1.Condition{
+			Type:    "Ready",
+			Status:  metav1.ConditionUnknown,
+			Reason:  "SourceRefNotSet",
+			Message: "SourceRef is not configured",
+		})
+		return r.Status().Update(ctx, packageSource)
+	}
+
+	// Get ArtifactGenerator
+	ag := &sourcewatcherv1beta1.ArtifactGenerator{}
+	agKey := types.NamespacedName{
+		Name:      packageSource.Name,
+		Namespace: "cozy-system",
+	}
+
+	if err := r.Get(ctx, agKey, ag); err != nil {
+		if apierrors.IsNotFound(err) {
+			// ArtifactGenerator not found, set status to unknown
+			meta.SetStatusCondition(&packageSource.Status.Conditions, metav1.Condition{
+				Type:    "Ready",
+				Status:  metav1.ConditionUnknown,
+				Reason:  "ArtifactGeneratorNotFound",
+				Message: "ArtifactGenerator not found",
+			})
+			return r.Status().Update(ctx, packageSource)
+		}
+		return fmt.Errorf("failed to get ArtifactGenerator: %w", err)
+	}
+
+	// Find Ready condition in ArtifactGenerator
+	readyCondition := meta.FindStatusCondition(ag.Status.Conditions, "Ready")
+	if readyCondition == nil {
+		// No Ready condition in ArtifactGenerator, set status to unknown
+		meta.SetStatusCondition(&packageSource.Status.Conditions, metav1.Condition{
+			Type:    "Ready",
+			Status:  metav1.ConditionUnknown,
+			Reason:  "ArtifactGeneratorNotReady",
+			Message: "ArtifactGenerator Ready condition not found",
+		})
+		return r.Status().Update(ctx, packageSource)
+	}
+
+	// Copy Ready condition from ArtifactGenerator to PackageSource
+	meta.SetStatusCondition(&packageSource.Status.Conditions, metav1.Condition{
+		Type:               "Ready",
+		Status:             readyCondition.Status,
+		Reason:             readyCondition.Reason,
+		Message:            readyCondition.Message,
+		ObservedGeneration: packageSource.Generation,
+		LastTransitionTime: readyCondition.LastTransitionTime,
+	})
+
+	logger.V(1).Info("updated PackageSource status from ArtifactGenerator",
+		"packageSource", packageSource.Name,
+		"status", readyCondition.Status,
+		"reason", readyCondition.Reason)
+
+	return r.Status().Update(ctx, packageSource)
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *PackageSourceReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		Named("cozystack-packagesource").
+		For(&cozyv1alpha1.PackageSource{}).
+		Watches(
+			&sourcewatcherv1beta1.ArtifactGenerator{},
+			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
+				ag, ok := obj.(*sourcewatcherv1beta1.ArtifactGenerator)
+				if !ok {
+					return nil
+				}
+				// Find the PackageSource that owns this ArtifactGenerator by ownerReference
+				for _, ownerRef := range ag.OwnerReferences {
+					if ownerRef.Kind == "PackageSource" {
+						return []reconcile.Request{{
+							NamespacedName: types.NamespacedName{
+								Name: ownerRef.Name,
+							},
+						}}
+					}
+				}
+				return nil
+			}),
+		).
+		Complete(r)
+}
+

packages/apps/bucket/templates/bucketclaim.yaml

@@ -1,4 +1,5 @@
-{{- $seaweedfs := .Values._namespace.seaweedfs }}
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $seaweedfs := index $myNS.metadata.annotations "namespace.cozystack.io/seaweedfs" }}
 apiVersion: objectstorage.k8s.io/v1alpha1
 kind: BucketClaim
 metadata:

packages/apps/bucket/templates/helmrelease.yaml

@@ -3,15 +3,10 @@ kind: HelmRelease
 metadata:
   name: {{ .Release.Name }}-system
 spec:
-  chart:
-    spec:
-      chart: cozy-bucket
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-bucket-application-default-bucket-system
+    namespace: cozy-system
   interval: 5m
   timeout: 10m
   install:
@@ -21,8 +16,5 @@ spec:
     force: true
     remediation:
       retries: -1
-  valuesFrom:
-  - kind: Secret
-    name: cozystack-values
   values:
     bucketName: {{ .Release.Name }}

packages/apps/clickhouse/templates/chkeeper.yaml

@@ -1,4 +1,5 @@
-{{- $clusterDomain := (index .Values._cluster "cluster-domain") | default "cozy.local" }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 
 {{- if .Values.clickhouseKeeper.enabled }}
 apiVersion: "clickhouse-keeper.altinity.com/v1"

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -1,4 +1,5 @@
-{{- $clusterDomain := (index .Values._cluster "cluster-domain") | default "cozy.local" }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
 {{- $passwords := dict }}
 {{- $users := .Values.users }}

packages/apps/ferretdb/templates/postgres.yaml

@@ -50,8 +50,9 @@ spec:
   postgresUID: 999
   postgresGID: 999
   enableSuperuserAccess: true
-  {{- if .Values._cluster.scheduling }}
-  {{- $rawConstraints := get .Values._cluster.scheduling "globalAppTopologySpreadConstraints" }}
+  {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
+  {{- if $configMap }}
+  {{- $rawConstraints := get $configMap.data "globalAppTopologySpreadConstraints" }}
   {{- if $rawConstraints }}
   {{- $rawConstraints | fromYaml | toYaml | nindent 2 }}
     labelSelector:

packages/apps/foundationdb/templates/cluster.yaml

@@ -1,4 +1,5 @@
-{{- $clusterDomain := index .Values._cluster "cluster-domain" | default "cozy.local" }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" | default (dict "data" (dict)) }}
+{{- $clusterDomain := index $cozyConfig.data "cluster-domain" | default "cozy.local" }}
 ---
 apiVersion: apps.foundationdb.org/v1beta2
 kind: FoundationDBCluster

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:9e34fd50393b418d9516aadb488067a3a63675b045811beb1c0afc9c61e149e8
+ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:e0a07082bb6fc6aeaae2315f335386f1705a646c72f9e0af512aebbca5cb2b15

packages/apps/kubernetes/README.md

@@ -145,31 +145,31 @@ See the reference for components utilized in this service:
 
 ### Kubernetes Control Plane Configuration
 
-| Name                                                | Description                                      | Type       | Value   |
-| --------------------------------------------------- | ------------------------------------------------ | ---------- | ------- |
-| `controlPlane`                                      | Kubernetes control-plane configuration.          | `object`   | `{}`    |
-| `controlPlane.replicas`                             | Number of control-plane replicas.                | `int`      | `2`     |
-| `controlPlane.apiServer`                            | API Server configuration.                        | `object`   | `{}`    |
-| `controlPlane.apiServer.resources`                  | CPU and memory resources for API Server.         | `object`   | `{}`    |
-| `controlPlane.apiServer.resources.cpu`              | CPU available.                                   | `quantity` | `""`    |
-| `controlPlane.apiServer.resources.memory`           | Memory (RAM) available.                          | `quantity` | `""`    |
-| `controlPlane.apiServer.resourcesPreset`            | Preset if `resources` omitted.                   | `string`   | `large` |
-| `controlPlane.controllerManager`                    | Controller Manager configuration.                | `object`   | `{}`    |
-| `controlPlane.controllerManager.resources`          | CPU and memory resources for Controller Manager. | `object`   | `{}`    |
-| `controlPlane.controllerManager.resources.cpu`      | CPU available.                                   | `quantity` | `""`    |
-| `controlPlane.controllerManager.resources.memory`   | Memory (RAM) available.                          | `quantity` | `""`    |
-| `controlPlane.controllerManager.resourcesPreset`    | Preset if `resources` omitted.                   | `string`   | `micro` |
-| `controlPlane.scheduler`                            | Scheduler configuration.                         | `object`   | `{}`    |
-| `controlPlane.scheduler.resources`                  | CPU and memory resources for Scheduler.          | `object`   | `{}`    |
-| `controlPlane.scheduler.resources.cpu`              | CPU available.                                   | `quantity` | `""`    |
-| `controlPlane.scheduler.resources.memory`           | Memory (RAM) available.                          | `quantity` | `""`    |
-| `controlPlane.scheduler.resourcesPreset`            | Preset if `resources` omitted.                   | `string`   | `micro` |
-| `controlPlane.konnectivity`                         | Konnectivity configuration.                      | `object`   | `{}`    |
-| `controlPlane.konnectivity.server`                  | Konnectivity Server configuration.               | `object`   | `{}`    |
-| `controlPlane.konnectivity.server.resources`        | CPU and memory resources for Konnectivity.       | `object`   | `{}`    |
-| `controlPlane.konnectivity.server.resources.cpu`    | CPU available.                                   | `quantity` | `""`    |
-| `controlPlane.konnectivity.server.resources.memory` | Memory (RAM) available.                          | `quantity` | `""`    |
-| `controlPlane.konnectivity.server.resourcesPreset`  | Preset if `resources` omitted.                   | `string`   | `micro` |
+| Name                                                | Description                                      | Type       | Value    |
+| --------------------------------------------------- | ------------------------------------------------ | ---------- | -------- |
+| `controlPlane`                                      | Kubernetes control-plane configuration.          | `object`   | `{}`     |
+| `controlPlane.replicas`                             | Number of control-plane replicas.                | `int`      | `2`      |
+| `controlPlane.apiServer`                            | API Server configuration.                        | `object`   | `{}`     |
+| `controlPlane.apiServer.resources`                  | CPU and memory resources for API Server.         | `object`   | `{}`     |
+| `controlPlane.apiServer.resources.cpu`              | CPU available.                                   | `quantity` | `""`     |
+| `controlPlane.apiServer.resources.memory`           | Memory (RAM) available.                          | `quantity` | `""`     |
+| `controlPlane.apiServer.resourcesPreset`            | Preset if `resources` omitted.                   | `string`   | `medium` |
+| `controlPlane.controllerManager`                    | Controller Manager configuration.                | `object`   | `{}`     |
+| `controlPlane.controllerManager.resources`          | CPU and memory resources for Controller Manager. | `object`   | `{}`     |
+| `controlPlane.controllerManager.resources.cpu`      | CPU available.                                   | `quantity` | `""`     |
+| `controlPlane.controllerManager.resources.memory`   | Memory (RAM) available.                          | `quantity` | `""`     |
+| `controlPlane.controllerManager.resourcesPreset`    | Preset if `resources` omitted.                   | `string`   | `micro`  |
+| `controlPlane.scheduler`                            | Scheduler configuration.                         | `object`   | `{}`     |
+| `controlPlane.scheduler.resources`                  | CPU and memory resources for Scheduler.          | `object`   | `{}`     |
+| `controlPlane.scheduler.resources.cpu`              | CPU available.                                   | `quantity` | `""`     |
+| `controlPlane.scheduler.resources.memory`           | Memory (RAM) available.                          | `quantity` | `""`     |
+| `controlPlane.scheduler.resourcesPreset`            | Preset if `resources` omitted.                   | `string`   | `micro`  |
+| `controlPlane.konnectivity`                         | Konnectivity configuration.                      | `object`   | `{}`     |
+| `controlPlane.konnectivity.server`                  | Konnectivity Server configuration.               | `object`   | `{}`     |
+| `controlPlane.konnectivity.server.resources`        | CPU and memory resources for Konnectivity.       | `object`   | `{}`     |
+| `controlPlane.konnectivity.server.resources.cpu`    | CPU available.                                   | `quantity` | `""`     |
+| `controlPlane.konnectivity.server.resources.memory` | Memory (RAM) available.                          | `quantity` | `""`     |
+| `controlPlane.konnectivity.server.resourcesPreset`  | Preset if `resources` omitted.                   | `string`   | `micro`  |
 
 
 ## Parameter examples and reference

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:6f2b1d6b0b2bdc66f1cbb30c59393369cbf070cb8f5fec748f176952273483cc
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:2d39989846c3579dd020b9f6c77e6e314cc81aa344eaac0f6d633e723c17196d

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.0.0@sha256:dee69d15fa8616aa6a1e5a67fc76370e7698a7f58b25e30650eb39c9fb826de8
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.0.0@sha256:5335c044313b69ee13b30ca4941687e509005e55f4ae25723861edbf2fbd6dd2

packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/354.diff

@@ -1,5 +1,5 @@
 diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
-index 53388eb8e..873060251 100644
+index 53388eb8e..28644236f 100644
 --- a/pkg/controller/kubevirteps/kubevirteps_controller.go
 +++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
 @@ -12,7 +12,6 @@ import (
@@ -10,17 +10,12 @@ index 53388eb8e..873060251 100644
  	"k8s.io/apimachinery/pkg/runtime"
  	"k8s.io/apimachinery/pkg/runtime/schema"
  	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-@@ -666,38 +665,62 @@ func (c *Controller) getDesiredEndpoints(service *v1.Service, tenantSlices []*di
- 		// for extracting the nodes it does not matter what type of address we are dealing with
- 		// all nodes with an endpoint for a corresponding slice will be selected.
- 		nodeSet := sets.Set[string]{}
-+		hasEndpointsWithoutNodeName := false
+@@ -669,35 +668,50 @@ func (c *Controller) getDesiredEndpoints(service *v1.Service, tenantSlices []*di
  		for _, slice := range tenantSlices {
  			for _, endpoint := range slice.Endpoints {
  				// find all unique nodes that correspond to an endpoint in a tenant slice
 +				if endpoint.NodeName == nil {
 +					klog.Warningf("Skipping endpoint without NodeName in slice %s/%s", slice.Namespace, slice.Name)
-+					hasEndpointsWithoutNodeName = true
 +					continue
 +				}
  				nodeSet.Insert(*endpoint.NodeName)
@@ -28,13 +23,6 @@ index 53388eb8e..873060251 100644
  		}
  
 -		klog.Infof("Desired nodes for service %s in namespace %s: %v", service.Name, service.Namespace, sets.List(nodeSet))
-+		// Fallback: if no endpoints with NodeName were found, but there are endpoints without NodeName,
-+		// distribute traffic to all VMIs (similar to ExternalTrafficPolicy=Cluster behavior)
-+		if nodeSet.Len() == 0 && hasEndpointsWithoutNodeName {
-+			klog.Infof("No endpoints with NodeName found for service %s/%s, falling back to all VMIs", service.Namespace, service.Name)
-+			return c.getAllVMIEndpoints()
-+		}
-+
 +		klog.Infof("Desired nodes for service %s/%s: %v", service.Namespace, service.Name, sets.List(nodeSet))
  
  		for _, node := range sets.List(nodeSet) {
@@ -80,7 +68,7 @@ index 53388eb8e..873060251 100644
  					desiredEndpoints = append(desiredEndpoints, &discovery.Endpoint{
  						Addresses: []string{i.IP},
  						Conditions: discovery.EndpointConditions{
-@@ -705,9 +728,9 @@ func (c *Controller) getDesiredEndpoints(service *v1.Service, tenantSlices []*di
+@@ -705,9 +719,9 @@ func (c *Controller) getDesiredEndpoints(service *v1.Service, tenantSlices []*di
  							Serving:     &serving,
  							Terminating: &terminating,
  						},
@@ -92,71 +80,6 @@ index 53388eb8e..873060251 100644
  				}
  			}
  		}
-@@ -716,6 +739,64 @@ func (c *Controller) getDesiredEndpoints(service *v1.Service, tenantSlices []*di
- 	return desiredEndpoints
- }
- 
-+// getAllVMIEndpoints returns endpoints for all VMIs in the infra namespace.
-+// This is used as a fallback when tenant endpoints don't have NodeName specified,
-+// similar to ExternalTrafficPolicy=Cluster behavior where traffic is distributed to all nodes.
-+func (c *Controller) getAllVMIEndpoints() []*discovery.Endpoint {
-+	var endpoints []*discovery.Endpoint
-+
-+	// List all VMIs in the infra namespace
-+	vmiList, err := c.infraDynamic.
-+		Resource(kubevirtv1.VirtualMachineInstanceGroupVersionKind.GroupVersion().WithResource("virtualmachineinstances")).
-+		Namespace(c.infraNamespace).
-+		List(context.TODO(), metav1.ListOptions{})
-+	if err != nil {
-+		klog.Errorf("Failed to list VMIs in namespace %q: %v", c.infraNamespace, err)
-+		return endpoints
-+	}
-+
-+	for _, obj := range vmiList.Items {
-+		vmi := &kubevirtv1.VirtualMachineInstance{}
-+		err = runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, vmi)
-+		if err != nil {
-+			klog.Errorf("Failed to convert Unstructured to VirtualMachineInstance: %v", err)
-+			continue
-+		}
-+
-+		if vmi.Status.NodeName == "" {
-+			klog.Warningf("Skipping VMI %s/%s: NodeName is empty", vmi.Namespace, vmi.Name)
-+			continue
-+		}
-+		nodeNamePtr := &vmi.Status.NodeName
-+
-+		ready := vmi.Status.Phase == kubevirtv1.Running
-+		serving := vmi.Status.Phase == kubevirtv1.Running
-+		terminating := vmi.Status.Phase == kubevirtv1.Failed || vmi.Status.Phase == kubevirtv1.Succeeded
-+
-+		for _, i := range vmi.Status.Interfaces {
-+			if i.Name == "default" {
-+				if i.IP == "" {
-+					klog.Warningf("VMI %s/%s interface %q has no IP, skipping", vmi.Namespace, vmi.Name, i.Name)
-+					continue
-+				}
-+				endpoints = append(endpoints, &discovery.Endpoint{
-+					Addresses: []string{i.IP},
-+					Conditions: discovery.EndpointConditions{
-+						Ready:       &ready,
-+						Serving:     &serving,
-+						Terminating: &terminating,
-+					},
-+					NodeName: nodeNamePtr,
-+				})
-+				break
-+			}
-+		}
-+	}
-+
-+	klog.Infof("Fallback: created %d endpoints from all VMIs in namespace %s", len(endpoints), c.infraNamespace)
-+	return endpoints
-+}
-+
- func (c *Controller) ensureEndpointSliceLabels(slice *discovery.EndpointSlice, svc *v1.Service) (map[string]string, bool) {
- 	labels := make(map[string]string)
- 	labelsChanged := false
 diff --git a/pkg/controller/kubevirteps/kubevirteps_controller_test.go b/pkg/controller/kubevirteps/kubevirteps_controller_test.go
 index 1c97035b4..d205d0bed 100644
 --- a/pkg/controller/kubevirteps/kubevirteps_controller_test.go

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:15b94dca216b73336e7f39f4ea1b76b7656890d6be8a8cf0d9a786b4006781f9
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:d5c836ba33cf5dbed7e6f866784f668f80ffe69179e7c75847b680111984eefb

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.33@sha256:71a74ca30f75967bae309be2758f19aa3d37c60b19426b9b622ff1c33a80362f
+ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.33@sha256:a09724a7f95283f9130b3da2a89d81c4c6051c6edf0392a81b6fc90f404b76b6

packages/apps/kubernetes/templates/cluster.yaml

@@ -1,6 +1,7 @@
-{{- $etcd := .Values._namespace.etcd }}
-{{- $ingress := .Values._namespace.ingress }}
-{{- $host := .Values._namespace.host }}
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $etcd := index $myNS.metadata.annotations "namespace.cozystack.io/etcd" }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
 {{- $kubevirtmachinetemplateNames := list }}
 {{- define "kubevirtmachinetemplate" -}}
 spec:
@@ -30,8 +31,9 @@ spec:
             {{- end }}
             cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ .groupName }}
         spec:
-          {{- if .Values._cluster.scheduling }}
-          {{- $rawConstraints := get .Values._cluster.scheduling "globalAppTopologySpreadConstraints" }}
+          {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
+          {{- if $configMap }}
+          {{- $rawConstraints := get $configMap.data "globalAppTopologySpreadConstraints" }}
           {{- if $rawConstraints }}
           {{- $rawConstraints | fromYaml | toYaml | nindent 10 }}
             labelSelector:

packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml

@@ -8,15 +8,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: cert-manager-crds
-  chart:
-    spec:
-      chart: cozy-cert-manager-crds
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-cert-manager-crds
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml

@@ -8,15 +8,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: cert-manager
-  chart:
-    spec:
-      chart: cozy-cert-manager
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-cert-manager
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -22,15 +22,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: cilium
-  chart:
-    spec:
-      chart: cozy-cilium
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-cilium
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/coredns.yaml

@@ -13,15 +13,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: coredns
-  chart:
-    spec:
-      chart: cozy-coredns
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-coredns
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/csi.yaml

@@ -8,15 +8,10 @@ metadata:
 spec:
   interval: 5m
   releaseName: csi
-  chart:
-    spec:
-      chart: cozy-kubevirt-csi-node
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-kubevirt-csi-node
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml

@@ -8,15 +8,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: fluxcd-operator
-  chart:
-    spec:
-      chart: cozy-fluxcd-operator
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-fluxcd-operator
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig
@@ -56,15 +51,10 @@ metadata:
 spec:
   interval: 5m
   releaseName: fluxcd
-  chart:
-    spec:
-      chart: cozy-fluxcd
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-fluxcd
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-kubeconfig

packages/apps/kubernetes/templates/helmreleases/gateway-api-crds.yaml

@@ -8,15 +8,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: gateway-api-crds
-  chart:
-    spec:
-      chart: cozy-gateway-api-crds
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-gateway-api-crds
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/gpu-operator.yaml

@@ -8,15 +8,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: gpu-operator
-  chart:
-    spec:
-      chart: cozy-gpu-operator
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-gpu-operator
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml

@@ -27,15 +27,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: ingress-nginx
-  chart:
-    spec:
-      chart: cozy-ingress-nginx
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-ingress-nginx
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/metrics-server.yaml

@@ -7,15 +7,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: metrics-server
-  chart:
-    spec:
-      chart: cozy-metrics-server
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-metrics-server
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

@@ -1,4 +1,5 @@
-{{- $targetTenant := .Values._namespace.monitoring }}
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $targetTenant := index $myNS.metadata.annotations "namespace.cozystack.io/monitoring" }}
 {{- if .Values.addons.monitoringAgents.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -9,15 +10,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: cozy-monitoring-agents
-  chart:
-    spec:
-      chart: cozy-monitoring-agents
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-monitoring-agents
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/prometheus-operator-crds.yaml

@@ -7,15 +7,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: prometheus-operator-crds
-  chart:
-    spec:
-      chart: cozy-prometheus-operator-crds
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-prometheus-operator-crds
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/velero.yaml

@@ -8,15 +8,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: velero
-  chart:
-    spec:
-      chart: cozy-velero
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-velero
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler-crds.yaml

@@ -9,15 +9,10 @@ metadata:
 spec:
   interval: 5m
   releaseName: vertical-pod-autoscaler-crds
-  chart:
-    spec:
-      chart: cozy-vertical-pod-autoscaler-crds
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-vertical-pod-autoscaler-crds
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler.yaml

@@ -1,6 +1,8 @@
 {{- define "cozystack.defaultVPAValues" -}}
-{{- $clusterDomain := (index .Values._cluster "cluster-domain") | default "cozy.local" }}
-{{- $targetTenant := .Values._namespace.monitoring }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $targetTenant := index $myNS.metadata.annotations "namespace.cozystack.io/monitoring" }}
 vpaForVPA: false
 vertical-pod-autoscaler:
   recommender:
@@ -34,15 +36,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: vertical-pod-autoscaler
-  chart:
-    spec:
-      chart: cozy-vertical-pod-autoscaler
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-vertical-pod-autoscaler
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml

@@ -8,15 +8,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: cozy-victoria-metrics-operator
-  chart:
-    spec:
-      chart: cozy-victoria-metrics-operator
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-victoria-metrics-operator
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/volumesnapshot-crd.yaml

@@ -7,15 +7,10 @@ metadata:
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   releaseName: vsnap-crd
-  chart:
-    spec:
-      chart: cozy-vsnap-crd
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '>= 0.0.0-0'
+  chartRef:
+    kind: ExternalArtifact
+    name: cozystack-kubernetes-application-kubevirt-kubernetes-volumesnapshot-crd
+    namespace: cozy-system
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/ingress.yaml

@@ -1,4 +1,5 @@
-{{- $ingress := .Values._namespace.ingress }}
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- if and (eq .Values.addons.ingressNginx.exposeMethod "Proxied") .Values.addons.ingressNginx.hosts }}
 ---
 apiVersion: networking.k8s.io/v1

packages/apps/kubernetes/values.schema.json

@@ -287,7 +287,7 @@
             "resourcesPreset": {
               "description": "Preset if `resources` omitted.",
               "type": "string",
-              "default": "large",
+              "default": "medium",
               "enum": [
                 "nano",
                 "micro",

packages/apps/kubernetes/values.yaml

@@ -153,7 +153,7 @@ addons:
 
 ## @typedef {struct} APIServer - API Server configuration.
 ## @field {Resources} resources - CPU and memory resources for API Server.
-## @field {ResourcesPreset} resourcesPreset="large" - Preset if `resources` omitted.
+## @field {ResourcesPreset} resourcesPreset="medium" - Preset if `resources` omitted.
 
 ## @typedef {struct} ControllerManager - Controller Manager configuration.
 ## @field {Resources} resources - CPU and memory resources for Controller Manager.
@@ -182,7 +182,7 @@ controlPlane:
   replicas: 2
   apiServer:
     resources: {}
-    resourcesPreset: "large"
+    resourcesPreset: "medium"
   controllerManager:
     resources: {}
     resourcesPreset: "micro"

packages/apps/mongodb/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

packages/apps/mongodb/Chart.yaml

@@ -1,7 +0,0 @@
-apiVersion: v2
-name: mongodb
-description: Managed MongoDB service
-icon: /logos/mongodb.svg
-type: application
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
-appVersion: "8.0"

packages/apps/mongodb/Makefile

@@ -1,11 +0,0 @@
-include ../../../scripts/package.mk
-
-.PHONY: generate update
-
-generate:
-	cozyvalues-gen -v values.yaml -s values.schema.json -r README.md
-	../../../hack/update-crd.sh
-
-update:
-	hack/update-versions.sh
-	make generate

packages/apps/mongodb/README.md

@@ -1,113 +0,0 @@
-# Managed MongoDB Service
-
-MongoDB is a popular document-oriented NoSQL database known for its flexibility and scalability.
-The Managed MongoDB Service provides a self-healing replicated cluster managed by the Percona Operator for MongoDB.
-
-## Deployment Details
-
-This managed service is controlled by the Percona Operator for MongoDB, ensuring efficient management and seamless operation.
-
-- Docs: <https://docs.percona.com/percona-operator-for-mongodb/>
-- Github: <https://github.com/percona/percona-server-mongodb-operator>
-
-## Deployment Modes
-
-### Replica Set Mode (default)
-
-By default, MongoDB deploys as a replica set with the specified number of replicas.
-This mode is suitable for most use cases requiring high availability.
-
-### Sharded Cluster Mode
-
-Enable `sharding: true` for horizontal scaling across multiple shards.
-Each shard is a replica set, and mongos routers handle query routing.
-
-## Notes
-
-### External Access
-
-When `external: true` is enabled:
-- **Replica Set mode**: Traffic is load-balanced across all replica set members. This works well for read operations, but write operations require connecting to the primary. MongoDB drivers handle primary discovery automatically using the replica set connection string.
-- **Sharded mode**: Traffic is routed through mongos routers, which handle both reads and writes correctly.
-
-### Credentials
-
-On first install, the credentials secret will be empty until the Percona operator initializes the cluster.
-Run `helm upgrade` after MongoDB is ready to populate the credentials secret with the actual password.
-
-## Parameters
-
-### Common parameters
-
-| Name               | Description                                                                                                                       | Type       | Value   |
-| ------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------- |
-| `replicas`         | Number of MongoDB replicas in replica set.                                                                                        | `int`      | `3`     |
-| `resources`        | Explicit CPU and memory configuration for each MongoDB replica. When omitted, the preset defined in `resourcesPreset` is applied. | `object`   | `{}`    |
-| `resources.cpu`    | CPU available to each replica.                                                                                                    | `quantity` | `""`    |
-| `resources.memory` | Memory (RAM) available to each replica.                                                                                           | `quantity` | `""`    |
-| `resourcesPreset`  | Default sizing preset used when `resources` is omitted.                                                                           | `string`   | `small` |
-| `size`             | Persistent Volume Claim size available for application data.                                                                      | `quantity` | `10Gi`  |
-| `storageClass`     | StorageClass used to store the data.                                                                                              | `string`   | `""`    |
-| `external`         | Enable external access from outside the cluster.                                                                                  | `bool`     | `false` |
-| `version`          | MongoDB major version to deploy.                                                                                                  | `string`   | `v8`    |
-
-
-### Image configuration
-
-| Name            | Description                            | Type     | Value                                   |
-| --------------- | -------------------------------------- | -------- | --------------------------------------- |
-| `images`        | Container images used by the operator. | `object` | `{}`                                    |
-| `images.pmm`    | PMM client image for monitoring.       | `string` | `percona/pmm-client:2.44.1`             |
-| `images.backup` | Percona Backup for MongoDB image.      | `string` | `percona/percona-backup-mongodb:2.11.0` |
-
-
-### Sharding configuration
-
-| Name                                | Description                                                        | Type       | Value   |
-| ----------------------------------- | ------------------------------------------------------------------ | ---------- | ------- |
-| `sharding`                          | Enable sharded cluster mode. When disabled, deploys a replica set. | `bool`     | `false` |
-| `shardingConfig`                    | Configuration for sharded cluster mode.                            | `object`   | `{}`    |
-| `shardingConfig.configServers`      | Number of config server replicas.                                  | `int`      | `3`     |
-| `shardingConfig.configServerSize`   | PVC size for config servers.                                       | `quantity` | `3Gi`   |
-| `shardingConfig.mongos`             | Number of mongos router replicas.                                  | `int`      | `2`     |
-| `shardingConfig.shards`             | List of shard configurations.                                      | `[]object` | `[...]` |
-| `shardingConfig.shards[i].name`     | Shard name.                                                        | `string`   | `""`    |
-| `shardingConfig.shards[i].replicas` | Number of replicas in this shard.                                  | `int`      | `0`     |
-| `shardingConfig.shards[i].size`     | PVC size for this shard.                                           | `quantity` | `""`    |
-
-
-### Users configuration
-
-| Name                        | Description                                         | Type                | Value |
-| --------------------------- | --------------------------------------------------- | ------------------- | ----- |
-| `users`                     | Custom MongoDB users configuration map.             | `map[string]object` | `{}`  |
-| `users[name].password`      | Password for the user (auto-generated if omitted).  | `string`            | `""`  |
-| `users[name].db`            | Database to authenticate against.                   | `string`            | `""`  |
-| `users[name].roles`         | List of MongoDB roles with database scope.          | `[]object`          | `[]`  |
-| `users[name].roles[i].name` | Role name (e.g., readWrite, dbAdmin, clusterAdmin). | `string`            | `""`  |
-| `users[name].roles[i].db`   | Database the role applies to.                       | `string`            | `""`  |
-
-
-### Backup parameters
-
-| Name                     | Description                                            | Type     | Value                               |
-| ------------------------ | ------------------------------------------------------ | -------- | ----------------------------------- |
-| `backup`                 | Backup configuration.                                  | `object` | `{}`                                |
-| `backup.enabled`         | Enable regular backups.                                | `bool`   | `false`                             |
-| `backup.schedule`        | Cron schedule for automated backups.                   | `string` | `0 2 * * *`                         |
-| `backup.retentionPolicy` | Retention policy (e.g. "30d").                         | `string` | `30d`                               |
-| `backup.destinationPath` | Destination path for backups (e.g. s3://bucket/path/). | `string` | `s3://bucket/path/to/folder/`       |
-| `backup.endpointURL`     | S3 endpoint URL for uploads.                           | `string` | `http://minio-gateway-service:9000` |
-| `backup.s3AccessKey`     | Access key for S3 authentication.                      | `string` | `""`                                |
-| `backup.s3SecretKey`     | Secret key for S3 authentication.                      | `string` | `""`                                |
-
-
-### Bootstrap (recovery) parameters
-
-| Name                     | Description                                               | Type     | Value   |
-| ------------------------ | --------------------------------------------------------- | -------- | ------- |
-| `bootstrap`              | Bootstrap configuration.                                  | `object` | `{}`    |
-| `bootstrap.enabled`      | Whether to restore from a backup.                         | `bool`   | `false` |
-| `bootstrap.recoveryTime` | Timestamp for point-in-time recovery; empty means latest. | `string` | `""`    |
-| `bootstrap.backupName`   | Name of backup to restore from.                           | `string` | `""`    |
-