[linstor] Add linstor-affinity-controller

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.github/workflows/backport.yaml

@@ -2,7 +2,7 @@ name: Automatic Backport
 
 on:
   pull_request_target:
-    types: [closed]   # fires when PR is closed (merged)
+    types: [closed, labeled]   # fires when PR is closed (merged) or labeled
 
 concurrency:
   group: backport-${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -13,22 +13,46 @@ permissions:
   pull-requests: write
 
 jobs:
-  backport:
+  # Determine which backports are needed
+  prepare:
     if: |
       github.event.pull_request.merged == true &&
-      contains(github.event.pull_request.labels.*.name, 'backport')
+      (
+        contains(github.event.pull_request.labels.*.name, 'backport') ||
+        contains(github.event.pull_request.labels.*.name, 'backport-previous') ||
+        (github.event.action == 'labeled' && (github.event.label.name == 'backport' || github.event.label.name == 'backport-previous'))
+      )
     runs-on: [self-hosted]
-
+    outputs:
+      backport_current: ${{ steps.labels.outputs.backport }}
+      backport_previous: ${{ steps.labels.outputs.backport_previous }}
+      current_branch: ${{ steps.branches.outputs.current_branch }}
+      previous_branch: ${{ steps.branches.outputs.previous_branch }}
     steps:
-      # 1. Decide which maintenance branch should receive the back‑port
-      - name: Determine target maintenance branch
-        id: target
+      - name: Check which labels are present
+        id: labels
         uses: actions/github-script@v7
         with:
           script: |
-            let rel;
+            const pr = context.payload.pull_request;
+            const labels = pr.labels.map(l => l.name);
+            const isBackport = labels.includes('backport');
+            const isBackportPrevious = labels.includes('backport-previous');
+            
+            core.setOutput('backport', isBackport ? 'true' : 'false');
+            core.setOutput('backport_previous', isBackportPrevious ? 'true' : 'false');
+            
+            console.log(`backport label: ${isBackport}, backport-previous label: ${isBackportPrevious}`);
+      
+      - name: Determine target branches
+        id: branches
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Get latest release
+            let latestRelease;
             try {
-              rel = await github.rest.repos.getLatestRelease({
+              latestRelease = await github.rest.repos.getLatestRelease({
                 owner: context.repo.owner,
                 repo: context.repo.repo
               });
@@ -36,18 +60,70 @@ jobs:
               core.setFailed('No existing releases found; cannot determine backport target.');
               return;
             }
-            const [maj, min] = rel.data.tag_name.replace(/^v/, '').split('.');
-            const branch = `release-${maj}.${min}`;
-            core.setOutput('branch', branch);
-            console.log(`Latest release ${rel.data.tag_name}; backporting to ${branch}`);
+            
+            const [maj, min] = latestRelease.data.tag_name.replace(/^v/, '').split('.');
+            const currentBranch = `release-${maj}.${min}`;
+            const prevMin = parseInt(min) - 1;
+            const previousBranch = prevMin >= 0 ? `release-${maj}.${prevMin}` : '';
+            
+            core.setOutput('current_branch', currentBranch);
+            core.setOutput('previous_branch', previousBranch);
+            
+            console.log(`Current branch: ${currentBranch}, Previous branch: ${previousBranch || 'N/A'}`);
+            
+            // Verify previous branch exists if we need it
+            if (previousBranch && '${{ steps.labels.outputs.backport_previous }}' === 'true') {
+              try {
+                await github.rest.repos.getBranch({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  branch: previousBranch
+                });
+                console.log(`Previous branch ${previousBranch} exists`);
+              } catch (e) {
+                core.setFailed(`Previous branch ${previousBranch} does not exist.`);
+                return;
+              }
+            }
+
+  backport:
+    needs: prepare
+    if: |
+      github.event.pull_request.merged == true &&
+      (needs.prepare.outputs.backport_current == 'true' || needs.prepare.outputs.backport_previous == 'true')
+    runs-on: [self-hosted]
+    strategy:
+      matrix:
+        backport_type: [current, previous]
+    steps:
+      # 1. Determine target branch based on matrix
+      - name: Set target branch
+        id: target
+        if: |
+          (matrix.backport_type == 'current' && needs.prepare.outputs.backport_current == 'true') ||
+          (matrix.backport_type == 'previous' && needs.prepare.outputs.backport_previous == 'true')
+        run: |
+          if [ "${{ matrix.backport_type }}" == "current" ]; then
+            echo "branch=${{ needs.prepare.outputs.current_branch }}" >> $GITHUB_OUTPUT
+            echo "Target branch: ${{ needs.prepare.outputs.current_branch }}"
+          else
+            echo "branch=${{ needs.prepare.outputs.previous_branch }}" >> $GITHUB_OUTPUT
+            echo "Target branch: ${{ needs.prepare.outputs.previous_branch }}"
+          fi
+      
       # 2. Checkout (required by backport‑action)
       - name: Checkout repository
+        if: steps.target.outcome == 'success'
         uses: actions/checkout@v4
 
       # 3. Create the back‑port pull request
       - name: Create back‑port PR
-        uses: korthout/backport-action@v3
+        id: backport
+        if: steps.target.outcome == 'success'
+        uses: korthout/backport-action@v3.2.1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           label_pattern: '' # don't read labels for targets
           target_branches: ${{ steps.target.outputs.branch }}
+          merge_commits: skip
+          conflict_resolution: draft_commit_conflicts

Makefile

@@ -15,6 +15,7 @@ build: build-deps
 	make -C packages/extra/monitoring image
 	make -C packages/system/cozystack-api image
 	make -C packages/system/cozystack-controller image
+	make -C packages/system/backup-controller image
 	make -C packages/system/lineage-controller-webhook image
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn-webhook image
@@ -25,6 +26,7 @@ build: build-deps
 	make -C packages/system/bucket image
 	make -C packages/system/objectstorage-controller image
 	make -C packages/core/testing image
+	make -C packages/core/platform image
 	make -C packages/core/installer image
 	make manifests
 

api/.gitattributes

@@ -0,0 +1 @@
+zz_generated_deepcopy.go linguist-generated

api/backups/strategy/v1alpha1/groupversion_info.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=strategy.backups.cozystack.io
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupVersion  = schema.GroupVersion{Group: "strategy.backups.cozystack.io", Version: "v1alpha1"}
+	SchemeBuilder = runtime.NewSchemeBuilder(addGroupVersion)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addGroupVersion(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+	return nil
+}

api/backups/strategy/v1alpha1/job_types.go

@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines strategy.backups.cozystack.io API types.
+//
+// Group: strategy.backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Job{},
+			&JobList{},
+		)
+		return nil
+	})
+}
+
+const (
+	JobStrategyKind = "Job"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+
+// Job defines a backup strategy using a one-shot Job
+type Job struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   JobSpec   `json:"spec,omitempty"`
+	Status JobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// JobList contains a list of backup Jobs.
+type JobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Job `json:"items"`
+}
+
+// JobSpec specifies the desired behavior of a backup job.
+type JobSpec struct {
+	// Template holds a PodTemplateSpec with the right shape to
+	// run a single pod to completion and create a tarball with
+	// a given apps data. Helm-like Go templates are supported.
+	// The values of the source application are available under
+	// `.Values`. `.Release.Name` and `.Release.Namespace` are
+	// also exported.
+	Template corev1.PodTemplateSpec `json:"template"`
+}
+
+type JobStatus struct {
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}

api/backups/strategy/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,123 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Job) DeepCopyInto(out *Job) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Job.
+func (in *Job) DeepCopy() *Job {
+	if in == nil {
+		return nil
+	}
+	out := new(Job)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Job) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobList) DeepCopyInto(out *JobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Job, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobList.
+func (in *JobList) DeepCopy() *JobList {
+	if in == nil {
+		return nil
+	}
+	out := new(JobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobSpec) DeepCopyInto(out *JobSpec) {
+	*out = *in
+	in.Template.DeepCopyInto(&out.Template)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobSpec.
+func (in *JobSpec) DeepCopy() *JobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(JobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobStatus) DeepCopyInto(out *JobStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobStatus.
+func (in *JobStatus) DeepCopy() *JobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(JobStatus)
+	in.DeepCopyInto(out)
+	return out
+}

api/backups/v1alpha1/DESIGN.md

@@ -0,0 +1,421 @@
+# Cozystack Backups – Core API & Contracts (Draft)
+
+## 1. Overview
+
+Cozystack’s backup subsystem provides a generic, composable way to back up and restore managed applications:
+
+* Every **application instance** can have one or more **backup plans**.
+* Backups are stored in configurable **storage locations**.
+* The mechanics of *how* a backup/restore is performed are delegated to **strategy drivers**, each implementing driver-specific **BackupStrategy** CRDs.
+
+The core API:
+
+* Orchestrates **when** backups happen and **where** they’re stored.
+* Tracks **what** backups exist and their status.
+* Defines contracts with drivers via shared resources (`BackupJob`, `Backup`, `RestoreJob`).
+
+It does **not** implement the backup logic itself.
+
+This document covers only the **core** API and its contracts with drivers, not driver implementations.
+
+---
+
+## 2. Goals and non-goals
+
+### Goals
+
+* Provide a **stable core API** for:
+
+  * Declaring **backup plans** per application.
+  * Configuring **storage targets** (S3, in-cluster bucket, etc.).
+  * Tracking **backup artifacts**.
+  * Initiating and tracking **restores**.
+* Allow multiple **strategy drivers** to plug in, each supporting specific kinds of applications and strategies.
+* Let application/product authors implement backup for their kinds by:
+
+  * Creating **Plan** objects referencing a **driver-specific strategy**.
+  * Not having to write a backup engine themselves.
+
+### Non-goals
+
+* Implement backup logic for any specific application or storage backend.
+* Define the internal structure of driver-specific strategy CRDs.
+* Handle tenant-facing UI/UX (that’s built on top of these APIs).
+
+---
+
+## 3. Architecture
+
+High-level components:
+
+* **Core backups controller(s)** (Cozystack-owned):
+
+  * Group: `backups.cozystack.io`
+  * Own:
+
+    * `Plan`
+    * `BackupJob`
+    * `Backup`
+    * `RestoreJob`
+  * Responsibilities:
+
+    * Schedule backups based on `Plan`.
+    * Create `BackupJob` objects when due.
+    * Provide stable contracts for drivers to:
+
+      * Perform backups and create `Backup`s.
+      * Perform restores based on `Backup`s.
+
+* **Strategy drivers** (pluggable, possibly third-party):
+
+  * Their own API groups, e.g. `jobdriver.backups.cozystack.io`.
+  * Own **strategy CRDs** (e.g. `JobBackupStrategy`).
+  * Implement controllers that:
+
+    * Watch `BackupJob` / `RestoreJob`.
+    * Match runs whose `strategyRef` GVK they support.
+    * Execute backup/restore logic.
+    * Create and update `Backup` and run statuses.
+
+Strategy drivers and core communicate entirely via Kubernetes objects; there are no webhook/HTTP calls between them.
+
+* **Storage drivers** (pluggable, possibly third-party):
+
+  * **TBD**
+
+---
+
+## 4. Core API resources
+
+### 4.1 Plan
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=Plan`
+
+**Purpose**
+Describe **when**, **how**, and **where** to back up a specific managed application.
+
+**Key fields (spec)**
+
+```go
+type PlanSpec struct {
+    // Application to back up.
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+    // Where backups should be stored.
+    StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+    // Driver-specific BackupStrategy to use.
+    StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+    // When backups should run.
+    Schedule PlanSchedule `json:"schedule"`
+}
+```
+
+`PlanSchedule` (initially) supports only cron:
+
+```go
+type PlanScheduleType string
+
+const (
+    PlanScheduleTypeEmpty PlanScheduleType = ""
+    PlanScheduleTypeCron  PlanScheduleType = "cron"
+)
+```
+
+```go
+type PlanSchedule struct {
+    // Type is the schedule type. Currently only "cron" is supported.
+    // Defaults to "cron".
+    Type PlanScheduleType `json:"type,omitempty"`
+
+    // Cron expression (required for cron type).
+    Cron string `json:"cron,omitempty"`
+}
+```
+
+**Plan reconciliation contract**
+
+Core Plan controller:
+
+1. **Read schedule** from `spec.schedule` and compute the next fire time.
+2. When due:
+
+   * Create a `BackupJob` in the same namespace:
+
+     * `spec.planRef.name = plan.Name`
+     * `spec.applicationRef = plan.spec.applicationRef`
+     * `spec.storageRef = plan.spec.storageRef`
+     * `spec.strategyRef = plan.spec.strategyRef`
+     * `spec.triggeredBy = "Plan"`
+   * Set `ownerReferences` so the `BackupJob` is owned by the `Plan`.
+
+The Plan controller does **not**:
+
+* Execute backups itself.
+* Modify driver resources or `Backup` objects.
+* Touch `BackupJob.spec` after creation.
+
+---
+
+### 4.2 Storage
+
+**API Shape**
+
+TBD
+
+**Storage usage**
+
+* `Plan` and `BackupJob` reference `Storage` via `TypedLocalObjectReference`.
+* Drivers read `Storage` to know how/where to store or read artifacts.
+* Core treats `Storage` spec as opaque; it does not directly talk to S3 or buckets.
+
+---
+
+### 4.3 BackupJob
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=BackupJob`
+
+**Purpose**
+Represent a single **execution** of a backup operation, typically created when a `Plan` fires or when a user triggers an ad-hoc backup.
+
+**Key fields (spec)**
+
+```go
+type BackupJobSpec struct {
+    // Plan that triggered this run, if any.
+    PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+    // Application to back up.
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+    // Storage to use.
+    StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+    // Driver-specific BackupStrategy to use.
+    StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+    // Informational: what triggered this run ("Plan", "Manual", etc.).
+    TriggeredBy string `json:"triggeredBy,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type BackupJobStatus struct {
+    Phase       BackupJobPhase         `json:"phase,omitempty"`
+    BackupRef   *corev1.LocalObjectReference `json:"backupRef,omitempty"`
+    StartedAt   *metav1.Time           `json:"startedAt,omitempty"`
+    CompletedAt *metav1.Time           `json:"completedAt,omitempty"`
+    Message     string                 `json:"message,omitempty"`
+    Conditions  []metav1.Condition     `json:"conditions,omitempty"`
+}
+```
+
+`BackupJobPhase` is one of: `Pending`, `Running`, `Succeeded`, `Failed`.
+
+**BackupJob contract with drivers**
+
+* Core **creates** `BackupJob` and must treat `spec` as immutable afterwards.
+* Each driver controller:
+
+  * Watches `BackupJob`.
+  * Reconciles runs where `spec.strategyRef.apiGroup/kind` matches its **strategy type(s)**.
+* Driver responsibilities:
+
+  1. On first reconcile:
+
+     * Set `status.startedAt` if unset.
+     * Set `status.phase = Running`.
+  2. Resolve inputs:
+
+     * Read `Strategy` (driver-owned CRD), `Storage`, `Application`, optionally `Plan`.
+  3. Execute backup logic (implementation-specific).
+  4. On success:
+
+     * Create a `Backup` resource (see below).
+     * Set `status.backupRef` to the created `Backup`.
+     * Set `status.completedAt`.
+     * Set `status.phase = Succeeded`.
+  5. On failure:
+
+     * Set `status.completedAt`.
+     * Set `status.phase = Failed`.
+     * Set `status.message` and conditions.
+
+Drivers must **not** modify `BackupJob.spec` or delete `BackupJob` themselves.
+
+---
+
+### 4.4 Backup
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=Backup`
+
+**Purpose**
+Represent a single **backup artifact** for a given application, decoupled from a particular run. usable as a stable, listable “thing you can restore from”.
+
+**Key fields (spec)**
+
+```go
+type BackupSpec struct {
+    ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+    PlanRef        *corev1.LocalObjectReference     `json:"planRef,omitempty"`
+    StorageRef     corev1.TypedLocalObjectReference `json:"storageRef"`
+    StrategyRef    corev1.TypedLocalObjectReference `json:"strategyRef"`
+    TakenAt        metav1.Time                      `json:"takenAt"`
+    DriverMetadata map[string]string                `json:"driverMetadata,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type BackupStatus struct {
+    Phase      BackupPhase       `json:"phase,omitempty"` // Pending, Ready, Failed, etc.
+    Artifact   *BackupArtifact   `json:"artifact,omitempty"`
+    Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+```
+
+`BackupArtifact` describes the artifact (URI, size, checksum).
+
+**Backup contract with drivers**
+
+* On successful completion of a `BackupJob`, the **driver**:
+
+  * Creates a `Backup` in the same namespace (typically owned by the `BackupJob`).
+  * Populates `spec` fields with:
+
+    * The application, storage, strategy references.
+    * `takenAt`.
+    * Optional `driverMetadata`.
+  * Sets `status` with:
+
+    * `phase = Ready` (or equivalent when fully usable).
+    * `artifact` describing the stored object.
+* Core:
+
+  * Treats `Backup` spec as mostly immutable and opaque.
+  * Uses it to:
+
+    * List backups for a given application/plan.
+    * Anchor `RestoreJob` operations.
+    * Implement higher-level policies (retention) if needed.
+
+---
+
+### 4.5 RestoreJob
+
+**Group/Kind**
+`backups.cozystack.io/v1alpha1, Kind=RestoreJob`
+
+**Purpose**
+Represent a single **restore operation** from a `Backup`, either back into the same application or into a new target application.
+
+**Key fields (spec)**
+
+```go
+type RestoreJobSpec struct {
+    // Backup to restore from.
+    BackupRef corev1.LocalObjectReference `json:"backupRef"`
+
+    // Target application; if omitted, drivers SHOULD restore into
+    // backup.spec.applicationRef.
+    TargetApplicationRef *corev1.TypedLocalObjectReference `json:"targetApplicationRef,omitempty"`
+}
+```
+
+**Key fields (status)**
+
+```go
+type RestoreJobStatus struct {
+    Phase       RestoreJobPhase   `json:"phase,omitempty"` // Pending, Running, Succeeded, Failed
+    StartedAt   *metav1.Time      `json:"startedAt,omitempty"`
+    CompletedAt *metav1.Time      `json:"completedAt,omitempty"`
+    Message     string            `json:"message,omitempty"`
+    Conditions  []metav1.Condition `json:"conditions,omitempty"`
+}
+```
+
+**RestoreJob contract with drivers**
+
+* RestoreJob is created either manually or by core.
+* Driver controller:
+
+  1. Watches `RestoreJob`.
+  2. On reconcile:
+
+     * Fetches the referenced `Backup`.
+     * Determines effective:
+
+       * **Strategy**: `backup.spec.strategyRef`.
+       * **Storage**: `backup.spec.storageRef`.
+       * **Target application**: `spec.targetApplicationRef` or `backup.spec.applicationRef`.
+     * If effective strategy’s GVK is one of its supported strategy types → driver is responsible.
+  3. Behaviour:
+
+     * On first reconcile, set `status.startedAt` and `phase = Running`.
+     * Resolve `Backup`, `Storage`, `Strategy`, target application.
+     * Execute restore logic (implementation-specific).
+     * On success:
+
+       * Set `status.completedAt`.
+       * Set `status.phase = Succeeded`.
+     * On failure:
+
+       * Set `status.completedAt`.
+       * Set `status.phase = Failed`.
+       * Set `status.message` and conditions.
+
+Drivers must not modify `RestoreJob.spec` or delete `RestoreJob`.
+
+---
+
+## 5. Strategy drivers (high-level)
+
+Strategy drivers are separate controllers that:
+
+* Define their own **strategy CRDs** (e.g. `JobBackupStrategy`) in their own API groups:
+
+  * e.g. `jobdriver.backups.cozystack.io/v1alpha1, Kind=JobBackupStrategy`
+* Implement the **BackupJob contract**:
+
+  * Watch `BackupJob`.
+  * Filter by `spec.strategyRef.apiGroup/kind`.
+  * Execute backup logic.
+  * Create/update `Backup`.
+* Implement the **RestoreJob contract**:
+
+  * Watch `RestoreJob`.
+  * Resolve `Backup`, then effective `strategyRef`.
+  * Filter by effective strategy GVK.
+  * Execute restore logic.
+
+The core backups API **does not** dictate:
+
+* The fields and structure of driver strategy specs.
+* How drivers implement backup/restore internally (Jobs, snapshots, native operator CRDs, etc.).
+
+Drivers are interchangeable as long as they respect:
+
+* The `BackupJob` and `RestoreJob` contracts.
+* The shapes and semantics of `Backup` objects.
+
+---
+
+## 6. Summary
+
+The Cozystack backups core API:
+
+* Uses a single group, `backups.cozystack.io`, for all core CRDs.
+* Cleanly separates:
+
+  * **When & where** (Plan + Storage) – core-owned.
+  * **What backup artifacts exist** (Backup) – driver-created but cluster-visible.
+  * **Execution lifecycle** (BackupJob, RestoreJob) – shared contract boundary.
+* Allows multiple strategy drivers to implement backup/restore logic without entangling their implementation with the core API.
+

api/backups/v1alpha1/backup_types.go

@@ -0,0 +1,118 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Backup{},
+			&BackupList{},
+		)
+		return nil
+	})
+}
+
+// BackupPhase represents the lifecycle phase of a Backup.
+type BackupPhase string
+
+const (
+	BackupPhaseEmpty   BackupPhase = ""
+	BackupPhasePending BackupPhase = "Pending"
+	BackupPhaseReady   BackupPhase = "Ready"
+	BackupPhaseFailed  BackupPhase = "Failed"
+)
+
+// BackupArtifact describes the stored backup object (tarball, snapshot, etc.).
+type BackupArtifact struct {
+	// URI is a driver-/storage-specific URI pointing to the backup artifact.
+	// For example: s3://bucket/prefix/file.tar.gz
+	URI string `json:"uri"`
+
+	// SizeBytes is the size of the artifact in bytes, if known.
+	// +optional
+	SizeBytes int64 `json:"sizeBytes,omitempty"`
+
+	// Checksum is the checksum of the artifact, if computed.
+	// For example: "sha256:<hex>".
+	// +optional
+	Checksum string `json:"checksum,omitempty"`
+}
+
+// BackupSpec describes an immutable backup artifact produced by a BackupJob.
+type BackupSpec struct {
+	// ApplicationRef refers to the application that was backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// PlanRef refers to the Plan that produced this backup, if any.
+	// For manually triggered backups, this can be omitted.
+	// +optional
+	PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+	// StorageRef refers to the Storage object that describes where the backup
+	// artifact is stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef refers to the driver-specific BackupStrategy that was used
+	// to create this backup. This allows the driver to later perform restores.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+	// TakenAt is the time at which the backup was taken (as reported by the
+	// driver). It may differ slightly from metadata.creationTimestamp.
+	TakenAt metav1.Time `json:"takenAt"`
+
+	// DriverMetadata holds driver-specific, opaque metadata associated with
+	// this backup (for example snapshot IDs, schema versions, etc.).
+	// This data is not interpreted by the core backup controllers.
+	// +optional
+	DriverMetadata map[string]string `json:"driverMetadata,omitempty"`
+}
+
+// BackupStatus represents the observed state of a Backup.
+type BackupStatus struct {
+	// Phase is a simple, high-level summary of the backup's state.
+	// Typical values are: Pending, Ready, Failed.
+	// +optional
+	Phase BackupPhase `json:"phase,omitempty"`
+
+	// Artifact describes the stored backup object, if available.
+	// +optional
+	Artifact *BackupArtifact `json:"artifact,omitempty"`
+
+	// Conditions represents the latest available observations of a Backup's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// Backup represents a single backup artifact for a given application.
+type Backup struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   BackupSpec   `json:"spec,omitempty"`
+	Status BackupStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// BackupList contains a list of Backups.
+type BackupList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Backup `json:"items"`
+}

api/backups/v1alpha1/backupjob_types.go

@@ -0,0 +1,109 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&BackupJob{},
+			&BackupJobList{},
+		)
+		return nil
+	})
+}
+
+// BackupJobPhase represents the lifecycle phase of a BackupJob.
+type BackupJobPhase string
+
+const (
+	BackupJobPhaseEmpty     BackupJobPhase = ""
+	BackupJobPhasePending   BackupJobPhase = "Pending"
+	BackupJobPhaseRunning   BackupJobPhase = "Running"
+	BackupJobPhaseSucceeded BackupJobPhase = "Succeeded"
+	BackupJobPhaseFailed    BackupJobPhase = "Failed"
+)
+
+// BackupJobSpec describes the execution of a single backup operation.
+type BackupJobSpec struct {
+	// PlanRef refers to the Plan that requested this backup run.
+	// For ad-hoc/manual backups, this can be omitted.
+	// +optional
+	PlanRef *corev1.LocalObjectReference `json:"planRef,omitempty"`
+
+	// ApplicationRef holds a reference to the managed application whose state
+	// is being backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// StorageRef holds a reference to the Storage object that describes where
+	// the backup will be stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef holds a reference to the driver-specific BackupStrategy object
+	// that describes how the backup should be created.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+}
+
+// BackupJobStatus represents the observed state of a BackupJob.
+type BackupJobStatus struct {
+	// Phase is a high-level summary of the run's state.
+	// Typical values: Pending, Running, Succeeded, Failed.
+	// +optional
+	Phase BackupJobPhase `json:"phase,omitempty"`
+
+	// BackupRef refers to the Backup object created by this run, if any.
+	// +optional
+	BackupRef *corev1.LocalObjectReference `json:"backupRef,omitempty"`
+
+	// StartedAt is the time at which the backup run started.
+	// +optional
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+
+	// CompletedAt is the time at which the backup run completed (successfully
+	// or otherwise).
+	// +optional
+	CompletedAt *metav1.Time `json:"completedAt,omitempty"`
+
+	// Message is a human-readable message indicating details about why the
+	// backup run is in its current phase, if any.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// Conditions represents the latest available observations of a BackupJob's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// BackupJob represents a single execution of a backup.
+// It is typically created by a Plan controller when a schedule fires.
+type BackupJob struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   BackupJobSpec   `json:"spec,omitempty"`
+	Status BackupJobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// BackupJobList contains a list of BackupJobs.
+type BackupJobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []BackupJob `json:"items"`
+}

api/backups/v1alpha1/groupversion_info.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=backups.cozystack.io
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupVersion  = schema.GroupVersion{Group: "backups.cozystack.io", Version: "v1alpha1"}
+	SchemeBuilder = runtime.NewSchemeBuilder(addGroupVersion)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addGroupVersion(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+	return nil
+}

api/backups/v1alpha1/plan_types.go

@@ -0,0 +1,98 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&Plan{},
+			&PlanList{},
+		)
+		return nil
+	})
+}
+
+type PlanScheduleType string
+
+const (
+	PlanScheduleTypeEmpty PlanScheduleType = ""
+	PlanScheduleTypeCron  PlanScheduleType = "cron"
+)
+
+// Condtions
+const (
+	PlanConditionError = "Error"
+)
+
+// The field indexing on applicationRef will be needed later to display per-app backup resources.
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.apiGroup`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.kind`
+// +kubebuilder:selectablefield:JSONPath=`.spec.applicationRef.name`
+
+// Plan describes the schedule, method and storage location for the
+// backup of a given target application.
+type Plan struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PlanSpec   `json:"spec,omitempty"`
+	Status PlanStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PlanList contains a list of backup Plans.
+type PlanList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Plan `json:"items"`
+}
+
+// PlanSpec references the storage, the strategy, the application to be
+// backed up and specifies the timetable on which the backups will run.
+type PlanSpec struct {
+	// ApplicationRef holds a reference to the managed application,
+	// whose state and configuration must be backed up.
+	ApplicationRef corev1.TypedLocalObjectReference `json:"applicationRef"`
+
+	// StorageRef holds a reference to the Storage object that
+	// describes the location where the backup will be stored.
+	StorageRef corev1.TypedLocalObjectReference `json:"storageRef"`
+
+	// StrategyRef holds a reference to the Strategy object that
+	// describes, how a backup copy is to be created.
+	StrategyRef corev1.TypedLocalObjectReference `json:"strategyRef"`
+
+	// Schedule specifies when backup copies are created.
+	Schedule PlanSchedule `json:"schedule"`
+}
+
+// PlanSchedule specifies when backup copies are created.
+type PlanSchedule struct {
+	// Type is the type of schedule specification. Supported values are
+	// [`cron`]. If omitted, defaults to `cron`.
+	// +optional
+	Type PlanScheduleType `json:"type,omitempty"`
+
+	// Cron contains the cron spec for scheduling backups. Must be
+	// specified if the schedule type is `cron`. Since only `cron` is
+	// supported, omitting this field is not allowed.
+	// +optional
+	Cron string `json:"cron,omitempty"`
+}
+
+type PlanStatus struct {
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}

api/backups/v1alpha1/restorejob_types.go

@@ -0,0 +1,91 @@
+// SPDX-License-Identifier: Apache-2.0
+// Package v1alpha1 defines backups.cozystack.io API types.
+//
+// Group: backups.cozystack.io
+// Version: v1alpha1
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() {
+	SchemeBuilder.Register(func(s *runtime.Scheme) error {
+		s.AddKnownTypes(GroupVersion,
+			&RestoreJob{},
+			&RestoreJobList{},
+		)
+		return nil
+	})
+}
+
+// RestoreJobPhase represents the lifecycle phase of a RestoreJob.
+type RestoreJobPhase string
+
+const (
+	RestoreJobPhaseEmpty     RestoreJobPhase = ""
+	RestoreJobPhasePending   RestoreJobPhase = "Pending"
+	RestoreJobPhaseRunning   RestoreJobPhase = "Running"
+	RestoreJobPhaseSucceeded RestoreJobPhase = "Succeeded"
+	RestoreJobPhaseFailed    RestoreJobPhase = "Failed"
+)
+
+// RestoreJobSpec describes the execution of a single restore operation.
+type RestoreJobSpec struct {
+	// BackupRef refers to the Backup that should be restored.
+	BackupRef corev1.LocalObjectReference `json:"backupRef"`
+
+	// TargetApplicationRef refers to the application into which the backup
+	// should be restored. If omitted, the driver SHOULD restore into the same
+	// application as referenced by backup.spec.applicationRef.
+	// +optional
+	TargetApplicationRef *corev1.TypedLocalObjectReference `json:"targetApplicationRef,omitempty"`
+}
+
+// RestoreJobStatus represents the observed state of a RestoreJob.
+type RestoreJobStatus struct {
+	// Phase is a high-level summary of the run's state.
+	// Typical values: Pending, Running, Succeeded, Failed.
+	// +optional
+	Phase RestoreJobPhase `json:"phase,omitempty"`
+
+	// StartedAt is the time at which the restore run started.
+	// +optional
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+
+	// CompletedAt is the time at which the restore run completed (successfully
+	// or otherwise).
+	// +optional
+	CompletedAt *metav1.Time `json:"completedAt,omitempty"`
+
+	// Message is a human-readable message indicating details about why the
+	// restore run is in its current phase, if any.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// Conditions represents the latest available observations of a RestoreJob's state.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RestoreJob represents a single execution of a restore from a Backup.
+type RestoreJob struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   RestoreJobSpec   `json:"spec,omitempty"`
+	Status RestoreJobStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RestoreJobList contains a list of RestoreJobs.
+type RestoreJobList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []RestoreJob `json:"items"`
+}

api/backups/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,501 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Backup) DeepCopyInto(out *Backup) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Backup.
+func (in *Backup) DeepCopy() *Backup {
+	if in == nil {
+		return nil
+	}
+	out := new(Backup)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Backup) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupArtifact) DeepCopyInto(out *BackupArtifact) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupArtifact.
+func (in *BackupArtifact) DeepCopy() *BackupArtifact {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupArtifact)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJob) DeepCopyInto(out *BackupJob) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJob.
+func (in *BackupJob) DeepCopy() *BackupJob {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJob)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupJob) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobList) DeepCopyInto(out *BackupJobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]BackupJob, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobList.
+func (in *BackupJobList) DeepCopy() *BackupJobList {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupJobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobSpec) DeepCopyInto(out *BackupJobSpec) {
+	*out = *in
+	if in.PlanRef != nil {
+		in, out := &in.PlanRef, &out.PlanRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobSpec.
+func (in *BackupJobSpec) DeepCopy() *BackupJobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupJobStatus) DeepCopyInto(out *BackupJobStatus) {
+	*out = *in
+	if in.BackupRef != nil {
+		in, out := &in.BackupRef, &out.BackupRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	if in.StartedAt != nil {
+		in, out := &in.StartedAt, &out.StartedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.CompletedAt != nil {
+		in, out := &in.CompletedAt, &out.CompletedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupJobStatus.
+func (in *BackupJobStatus) DeepCopy() *BackupJobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupJobStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupList) DeepCopyInto(out *BackupList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Backup, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupList.
+func (in *BackupList) DeepCopy() *BackupList {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BackupList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupSpec) DeepCopyInto(out *BackupSpec) {
+	*out = *in
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	if in.PlanRef != nil {
+		in, out := &in.PlanRef, &out.PlanRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+	in.TakenAt.DeepCopyInto(&out.TakenAt)
+	if in.DriverMetadata != nil {
+		in, out := &in.DriverMetadata, &out.DriverMetadata
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupSpec.
+func (in *BackupSpec) DeepCopy() *BackupSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackupStatus) DeepCopyInto(out *BackupStatus) {
+	*out = *in
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(BackupArtifact)
+		**out = **in
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupStatus.
+func (in *BackupStatus) DeepCopy() *BackupStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BackupStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Plan) DeepCopyInto(out *Plan) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Plan.
+func (in *Plan) DeepCopy() *Plan {
+	if in == nil {
+		return nil
+	}
+	out := new(Plan)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Plan) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanList) DeepCopyInto(out *PlanList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Plan, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanList.
+func (in *PlanList) DeepCopy() *PlanList {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PlanList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanSchedule) DeepCopyInto(out *PlanSchedule) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanSchedule.
+func (in *PlanSchedule) DeepCopy() *PlanSchedule {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanSchedule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanSpec) DeepCopyInto(out *PlanSpec) {
+	*out = *in
+	in.ApplicationRef.DeepCopyInto(&out.ApplicationRef)
+	in.StorageRef.DeepCopyInto(&out.StorageRef)
+	in.StrategyRef.DeepCopyInto(&out.StrategyRef)
+	out.Schedule = in.Schedule
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanSpec.
+func (in *PlanSpec) DeepCopy() *PlanSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PlanStatus) DeepCopyInto(out *PlanStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlanStatus.
+func (in *PlanStatus) DeepCopy() *PlanStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PlanStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJob) DeepCopyInto(out *RestoreJob) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJob.
+func (in *RestoreJob) DeepCopy() *RestoreJob {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJob)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RestoreJob) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobList) DeepCopyInto(out *RestoreJobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RestoreJob, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobList.
+func (in *RestoreJobList) DeepCopy() *RestoreJobList {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RestoreJobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobSpec) DeepCopyInto(out *RestoreJobSpec) {
+	*out = *in
+	out.BackupRef = in.BackupRef
+	if in.TargetApplicationRef != nil {
+		in, out := &in.TargetApplicationRef, &out.TargetApplicationRef
+		*out = new(v1.TypedLocalObjectReference)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobSpec.
+func (in *RestoreJobSpec) DeepCopy() *RestoreJobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestoreJobStatus) DeepCopyInto(out *RestoreJobStatus) {
+	*out = *in
+	if in.StartedAt != nil {
+		in, out := &in.StartedAt, &out.StartedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.CompletedAt != nil {
+		in, out := &in.CompletedAt, &out.CompletedAt
+		*out = (*in).DeepCopy()
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreJobStatus.
+func (in *RestoreJobStatus) DeepCopy() *RestoreJobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(RestoreJobStatus)
+	in.DeepCopyInto(out)
+	return out
+}

cmd/backup-controller/main.go

@@ -0,0 +1,174 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(backupsv1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	// Configure rate limiting for the Kubernetes client
+	config := ctrl.GetConfigOrDie()
+	config.QPS = 50.0  // Increased from default 5.0
+	config.Burst = 100 // Increased from default 10
+
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "core.backups.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	if err = (&backupcontroller.PlanReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Plan")
+		os.Exit(1)
+	}
+
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}

cmd/backupstrategy-controller/main.go

@@ -0,0 +1,174 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(backupsv1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	// Configure rate limiting for the Kubernetes client
+	config := ctrl.GetConfigOrDie()
+	config.QPS = 50.0  // Increased from default 5.0
+	config.Burst = 100 // Increased from default 10
+
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "strategy.backups.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	if err = (&backupcontroller.BackupJobStrategyReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Job")
+		os.Exit(1)
+	}
+
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}

go.mod

@@ -6,11 +6,16 @@ go 1.23.0
 
 require (
 	github.com/fluxcd/helm-controller/api v1.1.0
+	github.com/go-logr/logr v1.4.2
+	github.com/go-logr/zapr v1.3.0
 	github.com/google/gofuzz v1.2.0
 	github.com/onsi/ginkgo/v2 v2.19.0
 	github.com/onsi/gomega v1.33.1
+	github.com/prometheus/client_golang v1.19.1
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
+	go.uber.org/zap v1.27.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.31.2
 	k8s.io/apiextensions-apiserver v0.31.2
@@ -44,9 +49,7 @@ require (
 	github.com/fluxcd/pkg/apis/meta v1.6.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
@@ -74,7 +77,6 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
@@ -94,7 +96,6 @@ require (
 	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.33.0 // indirect
@@ -119,3 +120,6 @@ require (
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+// See: issues.k8s.io/135537
+replace k8s.io/apimachinery => github.com/cozystack/apimachinery v0.0.0-20251201201312-18e522a87614

go.sum

@@ -18,6 +18,8 @@ github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cozystack/apimachinery v0.0.0-20251201201312-18e522a87614 h1:jH9elECUvhiIs3IMv3oS5k1JgCLVsSK6oU4dmq5gyW8=
+github.com/cozystack/apimachinery v0.0.0-20251201201312-18e522a87614/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -145,6 +147,8 @@ github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G
 github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -291,8 +295,6 @@ k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0=
 k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk=
 k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0=
 k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM=
-k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=
-k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4=
 k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE=
 k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=

hack/e2e-test-openapi.bats

@@ -21,14 +21,33 @@
 }
 
 @test "Test kinds" {
+  val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/tenants | jq -r '.kind')
+  if [ "$val" != "TenantList" ]; then
+    echo "Expected kind to be TenantList, got $val"
+    exit 1
+  fi
   val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/tenants | jq -r '.items[0].kind')
   if [ "$val" != "Tenant" ]; then
     echo "Expected kind to be Tenant, got $val"
     exit 1
   fi
+  val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/ingresses | jq -r '.kind')
+  if [ "$val" != "IngressList" ]; then
+    echo "Expected kind to be IngressList, got $val"
+    exit 1
+  fi
   val=$(kubectl get --raw /apis/apps.cozystack.io/v1alpha1/ingresses | jq -r '.items[0].kind')
   if [ "$val" != "Ingress" ]; then
     echo "Expected kind to be Ingress, got $val"
     exit 1
   fi
 }
+
+@test "Create and delete namespace" {
+  kubectl create ns cozy-test-create-and-delete-namespace --dry-run=client -o yaml | kubectl apply -f -
+  if ! kubectl delete ns cozy-test-create-and-delete-namespace; then
+    echo "Failed to delete namespace"
+    kubectl describe ns cozy-test-create-and-delete-namespace
+    exit 1
+  fi
+}

hack/update-codegen.sh

@@ -23,6 +23,13 @@ CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; ls -d -1 ./vendor/k8s.io/code-
 API_KNOWN_VIOLATIONS_DIR="${API_KNOWN_VIOLATIONS_DIR:-"${SCRIPT_ROOT}/api/api-rules"}"
 UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS:-true}"
 CONTROLLER_GEN="go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.4"
+TMPDIR=$(mktemp -d)
+COZY_CONTROLLER_CRDDIR=packages/system/cozystack-controller/crds
+COZY_RD_CRDDIR=packages/system/cozystack-resource-definition-crd/definition
+BACKUPS_CORE_CRDDIR=packages/system/backup-controller/definitions
+BACKUPSTRATEGY_CRDDIR=packages/system/backupstrategy-controller/definitions
+
+trap 'rm -rf ${TMPDIR}' EXIT
 
 source "${CODEGEN_PKG}/kube_codegen.sh"
 
@@ -53,6 +60,12 @@ kube::codegen::gen_openapi \
     "${SCRIPT_ROOT}/pkg/apis"
 
 $CONTROLLER_GEN object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
-$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=packages/system/cozystack-controller/crds
-mv packages/system/cozystack-controller/crds/cozystack.io_cozystackresourcedefinitions.yaml \
-        packages/system/cozystack-resource-definition-crd/definition/cozystack.io_cozystackresourcedefinitions.yaml
+$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=${TMPDIR} 
+
+mv ${TMPDIR}/cozystack.io_cozystackresourcedefinitions.yaml \
+        ${COZY_RD_CRDDIR}/cozystack.io_cozystackresourcedefinitions.yaml
+
+mv ${TMPDIR}/backups.cozystack.io*.yaml ${BACKUPS_CORE_CRDDIR}/
+mv ${TMPDIR}/strategy.backups.cozystack.io*.yaml ${BACKUPSTRATEGY_CRDDIR}/
+
+mv ${TMPDIR}/*.yaml ${COZY_CONTROLLER_CRDDIR}/

internal/backupcontroller/factory/backupjob.go

@@ -0,0 +1,28 @@
+package factory
+
+import (
+	"fmt"
+	"time"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func BackupJob(p *backupsv1alpha1.Plan, scheduledFor time.Time) *backupsv1alpha1.BackupJob {
+	job := &backupsv1alpha1.BackupJob{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-%d", p.Name, scheduledFor.Unix()/60),
+			Namespace: p.Namespace,
+		},
+		Spec: backupsv1alpha1.BackupJobSpec{
+			PlanRef: &corev1.LocalObjectReference{
+				Name: p.Name,
+			},
+			ApplicationRef: *p.Spec.ApplicationRef.DeepCopy(),
+			StorageRef:     *p.Spec.StorageRef.DeepCopy(),
+			StrategyRef:    *p.Spec.StrategyRef.DeepCopy(),
+		},
+	}
+	return job
+}

internal/backupcontroller/jobstrategy_controller.go

@@ -0,0 +1,31 @@
+package backupcontroller
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+)
+
+// BackupJobStrategyReconciler reconciles BackupJob with a strategy referencing
+// Job.strategy.backups.cozystack.io objects.
+type BackupJobStrategyReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *BackupJobStrategyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	_ = log.FromContext(ctx)
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager registers our controller with the Manager and sets up watches.
+func (r *BackupJobStrategyReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&backupsv1alpha1.BackupJob{}).
+		Complete(r)
+}

internal/backupcontroller/plan_controller.go

@@ -0,0 +1,104 @@
+package backupcontroller
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	cron "github.com/robfig/cron/v3"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	backupsv1alpha1 "github.com/cozystack/cozystack/api/backups/v1alpha1"
+	"github.com/cozystack/cozystack/internal/backupcontroller/factory"
+)
+
+const (
+	minRequeueDelay         = 30 * time.Second
+	startingDeadlineSeconds = 300 * time.Second
+)
+
+// PlanReconciler reconciles a Plan object
+type PlanReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *PlanReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx)
+
+	log.V(2).Info("reconciling")
+
+	p := &backupsv1alpha1.Plan{}
+
+	if err := r.Get(ctx, client.ObjectKey{Namespace: req.Namespace, Name: req.Name}, p); err != nil {
+		if apierrors.IsNotFound(err) {
+			log.V(3).Info("Plan not found")
+			return ctrl.Result{}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	tCheck := time.Now().Add(-startingDeadlineSeconds)
+	sch, err := cron.ParseStandard(p.Spec.Schedule.Cron)
+	if err != nil {
+		errWrapped := fmt.Errorf("could not parse cron %s: %w", p.Spec.Schedule.Cron, err)
+		log.Error(err, "could not parse cron", "cron", p.Spec.Schedule.Cron)
+		meta.SetStatusCondition(&p.Status.Conditions, metav1.Condition{
+			Type:    backupsv1alpha1.PlanConditionError,
+			Status:  metav1.ConditionTrue,
+			Reason:  "Failed to parse cron spec",
+			Message: errWrapped.Error(),
+		})
+		if err := r.Status().Update(ctx, p); err != nil {
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{}, nil
+	}
+
+	// Clear error condition if cron parsing succeeds
+	if condition := meta.FindStatusCondition(p.Status.Conditions, backupsv1alpha1.PlanConditionError); condition != nil && condition.Status == metav1.ConditionTrue {
+		meta.SetStatusCondition(&p.Status.Conditions, metav1.Condition{
+			Type:    backupsv1alpha1.PlanConditionError,
+			Status:  metav1.ConditionFalse,
+			Reason:  "Cron spec is valid",
+			Message: "The cron schedule has been successfully parsed",
+		})
+		if err := r.Status().Update(ctx, p); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
+	tNext := sch.Next(tCheck)
+
+	if time.Now().Before(tNext) {
+		return ctrl.Result{RequeueAfter: tNext.Sub(time.Now())}, nil
+	}
+
+	job := factory.BackupJob(p, tNext)
+	if err := controllerutil.SetControllerReference(p, job, r.Scheme); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	if err := r.Create(ctx, job); err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			return ctrl.Result{RequeueAfter: startingDeadlineSeconds}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	return ctrl.Result{RequeueAfter: startingDeadlineSeconds}, nil
+}
+
+// SetupWithManager registers our controller with the Manager and sets up watches.
+func (r *PlanReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&backupsv1alpha1.Plan{}).
+		Complete(r)
+}

internal/controller/dashboard/customformsoverride.go

@@ -105,8 +105,26 @@ func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
 		"properties": map[string]any{},
 	}
 
+	// Check if there's a spec property
+	specProp, ok := props["spec"].(map[string]any)
+	if !ok {
+		return map[string]any{}, nil
+	}
+
+	specProps, ok := specProp["properties"].(map[string]any)
+	if !ok {
+		return map[string]any{}, nil
+	}
+
+	// Create spec.properties structure in schema
+	schemaProps := schema["properties"].(map[string]any)
+	specSchema := map[string]any{
+		"properties": map[string]any{},
+	}
+	schemaProps["spec"] = specSchema
+
 	// Process spec properties recursively
-	processSpecProperties(props, schema["properties"].(map[string]any))
+	processSpecProperties(specProps, specSchema["properties"].(map[string]any))
 
 	return schema, nil
 }

internal/controller/dashboard/customformsoverride_test.go

@@ -9,41 +9,46 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 	// Test OpenAPI schema with various field types
 	openAPISchema := `{
 		"properties": {
-			"simpleString": {
-				"type": "string",
-				"description": "A simple string field"
-			},
-			"stringWithEnum": {
-				"type": "string",
-				"enum": ["option1", "option2"],
-				"description": "String with enum should be skipped"
-			},
-			"numberField": {
-				"type": "number",
-				"description": "Number field should be skipped"
-			},
-			"nestedObject": {
+			"spec": {
 				"type": "object",
 				"properties": {
-					"nestedString": {
+					"simpleString": {
 						"type": "string",
-						"description": "Nested string should get multilineString"
+						"description": "A simple string field"
 					},
-					"nestedStringWithEnum": {
+					"stringWithEnum": {
 						"type": "string",
-						"enum": ["a", "b"],
-						"description": "Nested string with enum should be skipped"
-					}
-				}
-			},
-			"arrayOfObjects": {
-				"type": "array",
-				"items": {
-					"type": "object",
-					"properties": {
-						"itemString": {
-							"type": "string",
-							"description": "String in array item"
+						"enum": ["option1", "option2"],
+						"description": "String with enum should be skipped"
+					},
+					"numberField": {
+						"type": "number",
+						"description": "Number field should be skipped"
+					},
+					"nestedObject": {
+						"type": "object",
+						"properties": {
+							"nestedString": {
+								"type": "string",
+								"description": "Nested string should get multilineString"
+							},
+							"nestedStringWithEnum": {
+								"type": "string",
+								"enum": ["a", "b"],
+								"description": "Nested string with enum should be skipped"
+							}
+						}
+					},
+					"arrayOfObjects": {
+						"type": "array",
+						"items": {
+							"type": "object",
+							"properties": {
+								"itemString": {
+									"type": "string",
+									"description": "String in array item"
+								}
+							}
 						}
 					}
 				}
@@ -70,33 +75,44 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 		t.Fatal("schema.properties is not a map")
 	}
 
-	// Check simpleString
-	simpleString, ok := props["simpleString"].(map[string]any)
+	// Check spec property exists
+	spec, ok := props["spec"].(map[string]any)
 	if !ok {
-		t.Fatal("simpleString not found in properties")
+		t.Fatal("spec not found in properties")
+	}
+
+	specProps, ok := spec["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("spec.properties is not a map")
+	}
+
+	// Check simpleString
+	simpleString, ok := specProps["simpleString"].(map[string]any)
+	if !ok {
+		t.Fatal("simpleString not found in spec.properties")
 	}
 	if simpleString["type"] != "multilineString" {
 		t.Errorf("simpleString should have type multilineString, got %v", simpleString["type"])
 	}
 
 	// Check stringWithEnum should not be present (or should not have multilineString)
-	if stringWithEnum, ok := props["stringWithEnum"].(map[string]any); ok {
+	if stringWithEnum, ok := specProps["stringWithEnum"].(map[string]any); ok {
 		if stringWithEnum["type"] == "multilineString" {
 			t.Error("stringWithEnum should not have multilineString type")
 		}
 	}
 
 	// Check numberField should not be present
-	if numberField, ok := props["numberField"].(map[string]any); ok {
+	if numberField, ok := specProps["numberField"].(map[string]any); ok {
 		if numberField["type"] != nil {
 			t.Error("numberField should not have any type override")
 		}
 	}
 
 	// Check nested object
-	nestedObject, ok := props["nestedObject"].(map[string]any)
+	nestedObject, ok := specProps["nestedObject"].(map[string]any)
 	if !ok {
-		t.Fatal("nestedObject not found in properties")
+		t.Fatal("nestedObject not found in spec.properties")
 	}
 	nestedProps, ok := nestedObject["properties"].(map[string]any)
 	if !ok {
@@ -113,9 +129,9 @@ func TestBuildMultilineStringSchema(t *testing.T) {
 	}
 
 	// Check array of objects
-	arrayOfObjects, ok := props["arrayOfObjects"].(map[string]any)
+	arrayOfObjects, ok := specProps["arrayOfObjects"].(map[string]any)
 	if !ok {
-		t.Fatal("arrayOfObjects not found in properties")
+		t.Fatal("arrayOfObjects not found in spec.properties")
 	}
 	items, ok := arrayOfObjects["items"].(map[string]any)
 	if !ok {

packages/apps/virtual-machine/templates/vm-update-hook.yaml

@@ -27,7 +27,11 @@
 {{- if and $existingPVC $desiredStorage -}}
   {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
   {{- if not (eq $currentStorage $desiredStorage) -}}
-    {{- $needResizePVC = true -}}
+    {{- $oldSize := (include "cozy-lib.resources.toFloat" $currentStorage) | float64 -}}
+    {{- $newSize := (include "cozy-lib.resources.toFloat" $desiredStorage) | float64 -}}
+    {{- if gt $newSize $oldSize -}}
+      {{- $needResizePVC = true -}}
+    {{- end -}}
   {{- end -}}
 {{- end -}}
 

packages/apps/vm-disk/templates/pvc-resize-hook.yaml

@@ -1,5 +1,17 @@
 {{- $existingPVC := lookup "v1" "PersistentVolumeClaim" .Release.Namespace .Release.Name }}
-{{- if and $existingPVC (ne ($existingPVC.spec.resources.requests.storage | toString) .Values.storage) -}}
+{{- $shouldResize := false -}}
+{{- if and $existingPVC .Values.storage -}}
+  {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
+  {{- if ne $currentStorage .Values.storage -}}
+    {{- $oldSize := (include "cozy-lib.resources.toFloat" $currentStorage) | float64 -}}
+    {{- $newSize := (include "cozy-lib.resources.toFloat" .Values.storage) | float64 -}}
+    {{- if gt $newSize $oldSize -}}
+      {{- $shouldResize = true -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if $shouldResize -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -23,6 +35,7 @@ spec:
           command: ["sh", "-xec"]
           args:
             - |
+              echo "Resizing PVC to {{ .Values.storage }}..."
               kubectl patch pvc {{ .Release.Name }} -p '{"spec":{"resources":{"requests":{"storage":"{{ .Values.storage }}"}}}}'
 ---
 apiVersion: v1

packages/core/flux-aio/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-fluxcd
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/core/flux-aio/Makefile

@@ -0,0 +1,22 @@
+NAME=flux-aio
+NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/common-envs.mk
+
+show:
+	cozypkg show -n $(NAMESPACE) $(NAME) --plain
+
+apply:
+	cozypkg show -n $(NAMESPACE) $(NAME) --plain | kubectl apply -f- --server-side --force-conflicts
+
+diff:
+	cozypkg show -n $(NAMESPACE) $(NAME) --plain | kubectl diff -f-
+
+update:
+	timoni bundle build -f flux-aio.cue > templates/fluxcd.yaml
+	yq eval '(select(.kind == "Namespace") | .metadata.labels."pod-security.kubernetes.io/enforce") = "privileged"' -i templates/fluxcd.yaml
+	sed -i templates/fluxcd.yaml \
+		-e '/timoni/d' \
+		-e 's|\.cluster\.local\.,||g' -e 's|\.cluster\.local\,||g' -e 's|\.cluster\.local\.||g' \
+		-e '/value: .svc/a \            {{- include "cozy.kubernetes_envs" . | nindent 12 }}' \
+		-e '/hostNetwork: true/i \      dnsPolicy: ClusterFirstWithHostNet'

packages/core/flux-aio/flux-aio.cue

@@ -0,0 +1,16 @@
+bundle: {
+	apiVersion: "v1alpha1"
+	name:       "flux-aio"
+	instances: {
+		"flux": {
+			module: {
+				url:     "oci://ghcr.io/stefanprodan/modules/flux-aio"
+				version: "latest"
+			}
+			namespace: "cozy-fluxcd"
+			values: {
+				securityProfile: "privileged"
+			}
+		}
+	}
+}

packages/core/flux-aio/templates/_helpers.tpl

@@ -0,0 +1,13 @@
+{{- define "cozy.kubernetes_envs" }}
+{{- $cozyDeployment := lookup "apps/v1" "Deployment" "cozy-system" "cozystack" }}
+{{- $cozyContainers := dig "spec" "template" "spec" "containers" dict $cozyDeployment }}
+{{- range $cozyContainers }}
+{{- if eq .name "cozystack" }}
+{{- range .env }}
+{{- if has .name (list "KUBERNETES_SERVICE_HOST" "KUBERNETES_SERVICE_PORT") }}
+- {{ toJson . }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

packages/core/installer/images/cozystack/Dockerfile

@@ -26,23 +26,16 @@ WORKDIR /src
 
 RUN go mod download
 
-RUN go build -o /cozystack-assets-server -ldflags '-extldflags "-static" -w -s' ./cmd/cozystack-assets-server
-
-RUN make repos
-
 FROM alpine:3.22
 
 RUN wget -O- https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh | sh -s -- -v 1.2.0
 
-RUN apk add --no-cache make kubectl helm coreutils git jq
+RUN apk add --no-cache make kubectl helm coreutils git jq openssl
 
 COPY --from=builder /src/scripts /cozystack/scripts
 COPY --from=builder /src/packages/core /cozystack/packages/core
 COPY --from=builder /src/packages/system /cozystack/packages/system
-COPY --from=builder /src/_out/repos /cozystack/assets/repos
-COPY --from=builder /cozystack-assets-server /usr/bin/cozystack-assets-server
 COPY --from=k8s-await-election-builder /k8s-await-election /usr/bin/k8s-await-election
-COPY --from=builder /src/dashboards /cozystack/assets/dashboards
 
 WORKDIR /cozystack
 ENTRYPOINT ["/usr/bin/k8s-await-election", "/cozystack/scripts/installer.sh" ]

packages/core/installer/templates/cozystack.yaml

@@ -54,6 +54,8 @@ spec:
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
+        - name: INSTALL_FLUX
+          value: "true"
         - name: KUBERNETES_SERVICE_PORT
           value: "7445"
         - name: K8S_AWAIT_ELECTION_ENABLED
@@ -68,15 +70,6 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-      - name: assets
-        image: "{{ .Values.cozystack.image }}"
-        command:
-        - /usr/bin/cozystack-assets-server
-        - "-dir=/cozystack/assets"
-        - "-address=:8123"
-        ports:
-        - name: http
-          containerPort: 8123
       tolerations:
       - key: "node.kubernetes.io/not-ready"
         operator: "Exists"
@@ -84,17 +77,3 @@ spec:
       - key: "node.cilium.io/agent-not-ready"
         operator: "Exists"
         effect: "NoSchedule"
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: cozystack
-  namespace: cozy-system
-spec:
-  ports:
-  - name: http
-    port: 80
-    targetPort: 8123
-  selector:
-    app: cozystack
-  type: ClusterIP

packages/core/platform/Makefile

@@ -1,6 +1,8 @@
 NAME=platform
 NAMESPACE=cozy-system
 
+include ../../../scripts/common-envs.mk
+
 show:
 	cozypkg show -n $(NAMESPACE) $(NAME) --plain
 
@@ -18,3 +20,15 @@ namespaces-apply:
 
 diff:
 	cozypkg show -n $(NAMESPACE) $(NAME) --plain | kubectl diff -f-
+
+image: image-assets
+image-assets:
+	docker buildx build -f images/cozystack-assets/Dockerfile ../../.. \
+		--tag $(REGISTRY)/cozystack-assets:$(call settag,$(TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/cozystack-assets:latest \
+		--cache-to type=inline \
+		--metadata-file images/cozystack-assets.json \
+		$(BUILDX_ARGS)
+	IMAGE="$(REGISTRY)/cozystack-assets:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/cozystack-assets.json -o json -r)" \
+		yq -i '.assets.image = strenv(IMAGE)' values.yaml
+	rm -f images/cozystack-assets.json

packages/core/platform/bundles/distro-full.yaml

@@ -2,24 +2,6 @@
 {{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 
 releases:
-- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator,cilium]
-  values:
-    flux-instance:
-      instance:
-        cluster:
-          domain: {{ $clusterDomain }}
-
 - name: cilium
   releaseName: cilium
   chart: cozy-cilium
@@ -74,6 +56,18 @@ releases:
   namespace: cozy-system
   dependsOn: [cozystack-controller,cilium,cert-manager]
 
+- name: cozystack-resource-definition-crd
+  releaseName: cozystack-resource-definition-crd
+  chart: cozystack-resource-definition-crd
+  namespace: cozy-system
+  dependsOn: [cilium]
+
+- name: cozystack-resource-definitions
+  releaseName: cozystack-resource-definitions
+  chart: cozystack-resource-definitions
+  namespace: cozy-system
+  dependsOn: [cilium,cozystack-controller,cozystack-resource-definition-crd]
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -84,7 +78,6 @@ releases:
   releaseName: cert-manager-issuers
   chart: cozy-cert-manager-issuers
   namespace: cozy-cert-manager
-  optional: true
   dependsOn: [cilium,cert-manager]
 
 - name: prometheus-operator-crds
@@ -204,7 +197,7 @@ releases:
   releaseName: snapshot-controller
   chart: cozy-snapshot-controller
   namespace: cozy-snapshot-controller
-  dependsOn: [cilium]
+  dependsOn: [cilium,cert-manager-issuers]
 
 - name: objectstorage-controller
   releaseName: objectstorage-controller

packages/core/platform/bundles/distro-hosted.yaml

@@ -2,24 +2,6 @@
 {{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 
 releases:
-- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator]
-  values:
-    flux-instance:
-      instance:
-        cluster:
-          domain: {{ $clusterDomain }}
-
 - name: cert-manager-crds
   releaseName: cert-manager-crds
   chart: cozy-cert-manager-crds

packages/core/platform/bundles/paas-full.yaml

@@ -11,24 +11,6 @@
 {{- end }}
 
 releases:
-- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator,cilium,kubeovn]
-  values:
-    flux-instance:
-      instance:
-        cluster:
-          domain: {{ $clusterDomain }}
-
 - name: cilium
   releaseName: cilium
   chart: cozy-cilium
@@ -112,6 +94,12 @@ releases:
       disableTelemetry: true
   {{- end }}
 
+- name: backup-controller
+  releaseName: backup-controller
+  chart: cozy-backup-controller
+  namespace: cozy-backup-controller
+  dependsOn: [cilium,kubeovn]
+
 - name: lineage-controller-webhook
   releaseName: lineage-controller-webhook
   chart: cozy-lineage-controller-webhook

packages/core/platform/bundles/paas-hosted.yaml

@@ -11,24 +11,6 @@
 {{- end }}
 
 releases:
-- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator]
-  values:
-    flux-instance:
-      instance:
-        cluster:
-          domain: {{ $clusterDomain }}
-
 - name: cert-manager-crds
   releaseName: cert-manager-crds
   chart: cozy-cert-manager-crds
@@ -56,6 +38,11 @@ releases:
       disableTelemetry: true
   {{- end }}
 
+- name: backup-controller
+  releaseName: backup-controller
+  chart: cozy-backup-controller
+  namespace: cozy-backup-controller
+
 - name: lineage-controller-webhook
   releaseName: lineage-controller-webhook
   chart: cozy-lineage-controller-webhook

packages/core/platform/images/cozystack-assets/Dockerfile

@@ -0,0 +1,25 @@
+FROM golang:1.24-alpine AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN apk add --no-cache make git
+RUN apk add helm --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community
+
+COPY . /src/
+WORKDIR /src
+
+RUN go mod download
+
+RUN go build -o /cozystack-assets-server -ldflags '-extldflags "-static" -w -s' ./cmd/cozystack-assets-server
+
+RUN make repos
+
+FROM alpine:3.22
+
+COPY --from=builder /src/_out/repos /cozystack/assets/repos
+COPY --from=builder /cozystack-assets-server /usr/bin/cozystack-assets-server
+COPY --from=builder /src/dashboards /cozystack/assets/dashboards
+
+WORKDIR /cozystack
+ENTRYPOINT ["/usr/bin/cozystack-assets-server"]

packages/core/platform/templates/_helpers.tpl

@@ -17,6 +17,36 @@ Get IP-addresses of master nodes
 {{ join "," $ips }}
 {{- end -}}
 
+{{/*
+Get Kubernetes API Endpoint from cozystack deployment
+Returns host:port format
+*/}}
+{{- define "cozystack.kubernetesAPIEndpoint" -}}
+{{- $cozyDeployment := lookup "apps/v1" "Deployment" "cozy-system" "cozystack" }}
+{{- $cozyContainers := dig "spec" "template" "spec" "containers" list $cozyDeployment }}
+{{- $kubernetesServiceHost := "" }}
+{{- $kubernetesServicePort := "" }}
+{{- range $cozyContainers }}
+{{- if eq .name "cozystack" }}
+{{- range .env }}
+{{- if eq .name "KUBERNETES_SERVICE_HOST" }}
+{{- $kubernetesServiceHost = .value }}
+{{- end }}
+{{- if eq .name "KUBERNETES_SERVICE_PORT" }}
+{{- $kubernetesServicePort = .value }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if eq $kubernetesServiceHost "" }}
+{{- $kubernetesServiceHost = "kubernetes.default.svc" }}
+{{- end }}
+{{- if eq $kubernetesServicePort "" }}
+{{- $kubernetesServicePort = "443" }}
+{{- end }}
+{{- printf "%s:%s" $kubernetesServiceHost $kubernetesServicePort }}
+{{- end -}}
+
 {{- define "cozystack.defaultDashboardValues" -}}
 kubeapps:
 {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}

packages/core/platform/templates/cozystack-assets.yaml

@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: cozystack-assets
+  namespace: cozy-system
+  labels:
+    app: cozystack-assets
+spec:
+  serviceName: cozystack-assets
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cozystack-assets
+  template:
+    metadata:
+      labels:
+        app: cozystack-assets
+    spec:
+      hostNetwork: true
+      containers:
+      - name: assets-server
+        image: "{{ .Values.assets.image }}"
+        args:
+        - "-dir=/cozystack/assets"
+        - "-address=:8123"
+        ports:
+        - name: http
+          containerPort: 8123
+          hostPort: 8123
+      tolerations:
+      - operator: Exists
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cozystack-assets-reader
+  namespace: cozy-system
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods/proxy
+    resourceNames:
+      - cozystack-assets-0
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cozystack-assets-reader
+  namespace: cozy-system
+subjects:
+  - kind: User
+    name: cozystack-assets-reader
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: cozystack-assets-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cozystack-assets
+  namespace: cozy-system
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8123
+  selector:
+    app: cozystack-assets
+  type: ClusterIP

packages/core/platform/templates/helmrepos.yaml

@@ -8,7 +8,9 @@ metadata:
     cozystack.io/repository: system
 spec:
   interval: 5m0s
-  url: http://cozystack.cozy-system.svc/repos/system
+  url: https://{{ include "cozystack.kubernetesAPIEndpoint" . }}/api/v1/namespaces/cozy-system/pods/cozystack-assets-0/proxy/repos/system
+  certSecretRef:
+    name: cozystack-assets-tls
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
@@ -20,7 +22,9 @@ metadata:
     cozystack.io/repository: apps
 spec:
   interval: 5m0s
-  url: http://cozystack.cozy-system.svc/repos/apps
+  url: https://{{ include "cozystack.kubernetesAPIEndpoint" . }}/api/v1/namespaces/cozy-system/pods/cozystack-assets-0/proxy/repos/apps
+  certSecretRef:
+    name: cozystack-assets-tls
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
@@ -31,4 +35,6 @@ metadata:
     cozystack.io/repository: extra
 spec:
   interval: 5m0s
-  url: http://cozystack.cozy-system.svc/repos/extra
+  url: https://{{ include "cozystack.kubernetesAPIEndpoint" . }}/api/v1/namespaces/cozy-system/pods/cozystack-assets-0/proxy/repos/extra
+  certSecretRef:
+    name: cozystack-assets-tls

packages/core/platform/values.yaml

@@ -0,0 +1,2 @@
+assets:
+  image: ghcr.io/cozystack/cozystack/cozystack-assets:latest@sha256:19b166819d0205293c85d8351a3e038dc4c146b876a8e2ae21dce1d54f0b9e33

packages/extra/monitoring/templates/dashboards.yaml

@@ -11,6 +11,6 @@ spec:
   instanceSelector:
     matchLabels:
       dashboards: grafana
-  url: http://cozystack.cozy-system.svc/dashboards/{{ . }}.json
+  url: http://cozystack-assets.cozy-system.svc/dashboards/{{ . }}.json
 {{- end }}
 {{- end }}

packages/system/backup-controller/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-backup-controller
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/backup-controller/Makefile

@@ -0,0 +1,18 @@
+NAME=backup-controller
+NAMESPACE=cozy-backup-controller
+
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk
+
+image: image-backup-controller
+
+image-backup-controller:
+	docker buildx build -f images/backup-controller/Dockerfile ../../.. \
+		--tag $(REGISTRY)/backup-controller:$(call settag,$(TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/backup-controller:latest \
+		--cache-to type=inline \
+		--metadata-file images/backup-controller.json \
+		$(BUILDX_ARGS)
+	IMAGE="$(REGISTRY)/backup-controller:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/backup-controller.json -o json -r)" \
+		yq -i '.backupController.image = strenv(IMAGE)' values.yaml
+	rm -f images/backup-controller.json

packages/system/backup-controller/definitions/.gitattributes

@@ -0,0 +1,2 @@
+* linguist-generated
+.gitattributes -linguist-generated

packages/system/backup-controller/definitions/backups.cozystack.io_backupjobs.yaml

@@ -0,0 +1,235 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: backupjobs.backups.cozystack.io
+spec:
+  group: backups.cozystack.io
+  names:
+    kind: BackupJob
+    listKind: BackupJobList
+    plural: backupjobs
+    singular: backupjob
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          BackupJob represents a single execution of a backup.
+          It is typically created by a Plan controller when a schedule fires.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BackupJobSpec describes the execution of a single backup
+              operation.
+            properties:
+              applicationRef:
+                description: |-
+                  ApplicationRef holds a reference to the managed application whose state
+                  is being backed up.
+                properties:
+                  apiGroup:
+                    description: |-
+                      APIGroup is the group for the resource being referenced.
+                      If APIGroup is not specified, the specified Kind must be in the core API group.
+                      For any other third-party types, APIGroup is required.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
+              planRef:
+                description: |-
+                  PlanRef refers to the Plan that requested this backup run.
+                  For ad-hoc/manual backups, this can be omitted.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+              storageRef:
+                description: |-
+                  StorageRef holds a reference to the Storage object that describes where
+                  the backup will be stored.
+                properties:
+                  apiGroup:
+                    description: |-
+                      APIGroup is the group for the resource being referenced.
+                      If APIGroup is not specified, the specified Kind must be in the core API group.
+                      For any other third-party types, APIGroup is required.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
+              strategyRef:
+                description: |-
+                  StrategyRef holds a reference to the driver-specific BackupStrategy object
+                  that describes how the backup should be created.
+                properties:
+                  apiGroup:
+                    description: |-
+                      APIGroup is the group for the resource being referenced.
+                      If APIGroup is not specified, the specified Kind must be in the core API group.
+                      For any other third-party types, APIGroup is required.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
+            required:
+            - applicationRef
+            - storageRef
+            - strategyRef
+            type: object
+          status:
+            description: BackupJobStatus represents the observed state of a BackupJob.
+            properties:
+              backupRef:
+                description: BackupRef refers to the Backup object created by this
+                  run, if any.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+              completedAt:
+                description: |-
+                  CompletedAt is the time at which the backup run completed (successfully
+                  or otherwise).
+                format: date-time
+                type: string
+              conditions:
+                description: Conditions represents the latest available observations
+                  of a BackupJob's state.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              message:
+                description: |-
+                  Message is a human-readable message indicating details about why the
+                  backup run is in its current phase, if any.
+                type: string
+              phase:
+                description: |-
+                  Phase is a high-level summary of the run's state.
+                  Typical values: Pending, Running, Succeeded, Failed.
+                type: string
+              startedAt:
+                description: StartedAt is the time at which the backup run started.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    selectableFields:
+    - jsonPath: .spec.applicationRef.apiGroup
+    - jsonPath: .spec.applicationRef.kind
+    - jsonPath: .spec.applicationRef.name
+    served: true
+    storage: true

packages/system/backup-controller/definitions/backups.cozystack.io_backups.yaml

@@ -0,0 +1,238 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: backups.backups.cozystack.io
+spec:
+  group: backups.cozystack.io
+  names:
+    kind: Backup
+    listKind: BackupList
+    plural: backups
+    singular: backup
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Backup represents a single backup artifact for a given application.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BackupSpec describes an immutable backup artifact produced
+              by a BackupJob.
+            properties:
+              applicationRef:
+                description: ApplicationRef refers to the application that was backed
+                  up.
+                properties:
+                  apiGroup:
+                    description: |-
+                      APIGroup is the group for the resource being referenced.
+                      If APIGroup is not specified, the specified Kind must be in the core API group.
+                      For any other third-party types, APIGroup is required.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
+              driverMetadata:
+                additionalProperties:
+                  type: string
+                description: |-
+                  DriverMetadata holds driver-specific, opaque metadata associated with
+                  this backup (for example snapshot IDs, schema versions, etc.).
+                  This data is not interpreted by the core backup controllers.
+                type: object
+              planRef:
+                description: |-
+                  PlanRef refers to the Plan that produced this backup, if any.
+                  For manually triggered backups, this can be omitted.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+              storageRef:
+                description: |-
+                  StorageRef refers to the Storage object that describes where the backup
+                  artifact is stored.
+                properties:
+                  apiGroup:
+                    description: |-
+                      APIGroup is the group for the resource being referenced.
+                      If APIGroup is not specified, the specified Kind must be in the core API group.
+                      For any other third-party types, APIGroup is required.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
+              strategyRef:
+                description: |-
+                  StrategyRef refers to the driver-specific BackupStrategy that was used
+                  to create this backup. This allows the driver to later perform restores.
+                properties:
+                  apiGroup:
+                    description: |-
+                      APIGroup is the group for the resource being referenced.
+                      If APIGroup is not specified, the specified Kind must be in the core API group.
+                      For any other third-party types, APIGroup is required.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
+              takenAt:
+                description: |-
+                  TakenAt is the time at which the backup was taken (as reported by the
+                  driver). It may differ slightly from metadata.creationTimestamp.
+                format: date-time
+                type: string
+            required:
+            - applicationRef
+            - storageRef
+            - strategyRef
+            - takenAt
+            type: object
+          status:
+            description: BackupStatus represents the observed state of a Backup.
+            properties:
+              artifact:
+                description: Artifact describes the stored backup object, if available.
+                properties:
+                  checksum:
+                    description: |-
+                      Checksum is the checksum of the artifact, if computed.
+                      For example: "sha256:<hex>".
+                    type: string
+                  sizeBytes:
+                    description: SizeBytes is the size of the artifact in bytes, if
+                      known.
+                    format: int64
+                    type: integer
+                  uri:
+                    description: |-
+                      URI is a driver-/storage-specific URI pointing to the backup artifact.
+                      For example: s3://bucket/prefix/file.tar.gz
+                    type: string
+                required:
+                - uri
+                type: object
+              conditions:
+                description: Conditions represents the latest available observations
+                  of a Backup's state.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              phase:
+                description: |-
+                  Phase is a simple, high-level summary of the backup's state.
+                  Typical values are: Pending, Ready, Failed.
+                type: string
+            type: object
+        type: object
+    selectableFields:
+    - jsonPath: .spec.applicationRef.apiGroup
+    - jsonPath: .spec.applicationRef.kind
+    - jsonPath: .spec.applicationRef.name
+    served: true
+    storage: true

packages/system/backup-controller/definitions/backups.cozystack.io_plans.yaml

@@ -0,0 +1,200 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: plans.backups.cozystack.io
+spec:
+  group: backups.cozystack.io
+  names:
+    kind: Plan
+    listKind: PlanList
+    plural: plans
+    singular: plan
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          Plan describes the schedule, method and storage location for the
+          backup of a given target application.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: |-
+              PlanSpec references the storage, the strategy, the application to be
+              backed up and specifies the timetable on which the backups will run.
+            properties:
+              applicationRef:
+                description: |-
+                  ApplicationRef holds a reference to the managed application,
+                  whose state and configuration must be backed up.
+                properties:
+                  apiGroup:
+                    description: |-
+                      APIGroup is the group for the resource being referenced.
+                      If APIGroup is not specified, the specified Kind must be in the core API group.
+                      For any other third-party types, APIGroup is required.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
+              schedule:
+                description: Schedule specifies when backup copies are created.
+                properties:
+                  cron:
+                    description: |-
+                      Cron contains the cron spec for scheduling backups. Must be
+                      specified if the schedule type is `cron`. Since only `cron` is
+                      supported, omitting this field is not allowed.
+                    type: string
+                  type:
+                    description: |-
+                      Type is the type of schedule specification. Supported values are
+                      [`cron`]. If omitted, defaults to `cron`.
+                    type: string
+                type: object
+              storageRef:
+                description: |-
+                  StorageRef holds a reference to the Storage object that
+                  describes the location where the backup will be stored.
+                properties:
+                  apiGroup:
+                    description: |-
+                      APIGroup is the group for the resource being referenced.
+                      If APIGroup is not specified, the specified Kind must be in the core API group.
+                      For any other third-party types, APIGroup is required.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
+              strategyRef:
+                description: |-
+                  StrategyRef holds a reference to the Strategy object that
+                  describes, how a backup copy is to be created.
+                properties:
+                  apiGroup:
+                    description: |-
+                      APIGroup is the group for the resource being referenced.
+                      If APIGroup is not specified, the specified Kind must be in the core API group.
+                      For any other third-party types, APIGroup is required.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
+            required:
+            - applicationRef
+            - schedule
+            - storageRef
+            - strategyRef
+            type: object
+          status:
+            properties:
+              conditions:
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    selectableFields:
+    - jsonPath: .spec.applicationRef.apiGroup
+    - jsonPath: .spec.applicationRef.kind
+    - jsonPath: .spec.applicationRef.name
+    served: true
+    storage: true
+    subresources:
+      status: {}

packages/system/backup-controller/definitions/backups.cozystack.io_restorejobs.yaml

@@ -0,0 +1,168 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: restorejobs.backups.cozystack.io
+spec:
+  group: backups.cozystack.io
+  names:
+    kind: RestoreJob
+    listKind: RestoreJobList
+    plural: restorejobs
+    singular: restorejob
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: RestoreJob represents a single execution of a restore from a
+          Backup.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: RestoreJobSpec describes the execution of a single restore
+              operation.
+            properties:
+              backupRef:
+                description: BackupRef refers to the Backup that should be restored.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+              targetApplicationRef:
+                description: |-
+                  TargetApplicationRef refers to the application into which the backup
+                  should be restored. If omitted, the driver SHOULD restore into the same
+                  application as referenced by backup.spec.applicationRef.
+                properties:
+                  apiGroup:
+                    description: |-
+                      APIGroup is the group for the resource being referenced.
+                      If APIGroup is not specified, the specified Kind must be in the core API group.
+                      For any other third-party types, APIGroup is required.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
+            required:
+            - backupRef
+            type: object
+          status:
+            description: RestoreJobStatus represents the observed state of a RestoreJob.
+            properties:
+              completedAt:
+                description: |-
+                  CompletedAt is the time at which the restore run completed (successfully
+                  or otherwise).
+                format: date-time
+                type: string
+              conditions:
+                description: Conditions represents the latest available observations
+                  of a RestoreJob's state.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              message:
+                description: |-
+                  Message is a human-readable message indicating details about why the
+                  restore run is in its current phase, if any.
+                type: string
+              phase:
+                description: |-
+                  Phase is a high-level summary of the run's state.
+                  Typical values: Pending, Running, Succeeded, Failed.
+                type: string
+              startedAt:
+                description: StartedAt is the time at which the restore run started.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true

packages/system/backup-controller/images/backup-controller/Dockerfile

@@ -0,0 +1,23 @@
+FROM golang:1.24-alpine AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace
+
+COPY go.mod go.sum ./
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go mod download
+
+COPY api api/
+COPY pkg pkg/
+COPY cmd cmd/
+COPY internal internal/
+
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -ldflags="-extldflags=-static" -o /backup-controller cmd/backup-controller/main.go
+
+FROM scratch
+
+COPY --from=builder /backup-controller /backup-controller
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+
+ENTRYPOINT ["/backup-controller"]

packages/system/backup-controller/templates/crds.yaml

@@ -0,0 +1,4 @@
+{{- range $path, $_ := .Files.Glob "definitions/*.yaml" }}
+---
+{{ $.Files.Get $path }}
+{{- end }}

packages/system/backup-controller/templates/deployment.yaml

@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backup-controller
+  labels:
+    app: backup-controller
+spec:
+  replicas: {{ .Values.backupController.replicas }}
+  selector:
+    matchLabels:
+      app: backup-controller
+  template:
+    metadata:
+      labels:
+        app: backup-controller
+    spec:
+      tolerations:
+      - key: "node-role.kubernetes.io/control-plane"
+        operator: "Exists"
+        effect: "NoSchedule"
+      - key: "node-role.kubernetes.io/master"
+        operator: "Exists"
+        effect: "NoSchedule"
+      serviceAccountName: backup-controller
+      containers:
+      - name: backup-controller
+        image: "{{ .Values.backupController.image }}"
+        args:
+        - --leader-elect
+        {{- if .Values.backupController.metrics.enable }}
+        - --metrics-bind-address={{ .Values.backupController.metrics.bindAddress }}
+        {{- end }}
+        {{- if .Values.backupController.debug }}
+        - --zap-log-level=debug
+        {{- else }}
+        - --zap-log-level=info
+        {{- end }}
+        ports:
+        - name: metrics
+          containerPort: {{ splitList ":" .Values.backupController.metrics.bindAddress | mustLast }}
+        - name: health
+          containerPort: 8081
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: health
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: health
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        {{- with .Values.backupController.resources }}
+        resources: {{- . | toYaml | nindent 10 }}
+        {{- end }}

packages/system/backup-controller/templates/rbac-bind.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backups.cozystack.io:core-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: backups.cozystack.io:core-controller
+subjects:
+- kind: ServiceAccount
+  name: backup-controller
+  namespace: {{ .Release.Namespace }}

packages/system/backup-controller/templates/rbac.yaml

@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: backups.cozystack.io:core-controller
+rules:
+- apiGroups: ["backups.cozystack.io"]
+  resources: ["plans"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["backups.cozystack.io"]
+  resources: ["backupjobs"]
+  verbs: ["create", "get", "list", "watch"]

packages/system/backup-controller/templates/sa.yaml

@@ -0,0 +1,4 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: backup-controller

packages/system/backup-controller/values.yaml

@@ -0,0 +1,14 @@
+backupController:
+  image: ""
+  replicas: 2
+  debug: false
+  metrics:
+    enabled: true
+    bindAddress: ":8443"
+  resources:
+    requests:
+      cpu: 10m
+      memory: 64Mi
+    limits:
+      cpu: 500m
+      memory: 128Mi

packages/system/backupstrategy-controller/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-backup-controller
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/backupstrategy-controller/Makefile

@@ -0,0 +1,18 @@
+NAME=backupstrategy-controller
+NAMESPACE=cozy-backup-controller
+
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk
+
+image: image-backupstrategy-controller
+
+image-backupstrategy-controller:
+	docker buildx build -f images/backupstrategy-controller/Dockerfile ../../.. \
+		--tag $(REGISTRY)/backupstrategy-controller:$(call settag,$(TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/backupstrategy-controller:latest \
+		--cache-to type=inline \
+		--metadata-file images/backupstrategy-controller.json \
+		$(BUILDX_ARGS)
+	IMAGE="$(REGISTRY)/backupstrategy-controller:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/backupstrategy-controller.json -o json -r)" \
+		yq -i '.backupStrategyController.image = strenv(IMAGE)' values.yaml
+	rm -f images/backupstrategy-controller.json

packages/system/backupstrategy-controller/definitions/.gitattributes

@@ -0,0 +1 @@
+*.yaml linguist-generated

packages/system/backupstrategy-controller/images/backupstrategy-controller/Dockerfile

@@ -0,0 +1,23 @@
+FROM golang:1.24-alpine AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace
+
+COPY go.mod go.sum ./
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go mod download
+
+COPY api api/
+COPY pkg pkg/
+COPY cmd cmd/
+COPY internal internal/
+
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -ldflags="-extldflags=-static" -o /backupstrategy-controller cmd/backupstrategy-controller/main.go
+
+FROM scratch
+
+COPY --from=builder /backupstrategy-controller /backupstrategy-controller
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+
+ENTRYPOINT ["/backupstrategy-controller"]

packages/system/backupstrategy-controller/templates/crds.yaml

@@ -0,0 +1,4 @@
+{{- range $path, $_ := .Files.Glob "definitions/*.yaml" }}
+---
+{{ $.Files.Get $path }}
+{{- end }}

packages/system/backupstrategy-controller/templates/deployment.yaml

@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backupstrategy-controller
+  labels:
+    app: backupstrategy-controller
+spec:
+  replicas: {{ .Values.backupStrategyController.replicas }}
+  selector:
+    matchLabels:
+      app: backupstrategy-controller
+  template:
+    metadata:
+      labels:
+        app: backupstrategy-controller
+    spec:
+      tolerations:
+      - key: "node-role.kubernetes.io/control-plane"
+        operator: "Exists"
+        effect: "NoSchedule"
+      - key: "node-role.kubernetes.io/master"
+        operator: "Exists"
+        effect: "NoSchedule"
+      serviceAccountName: backupstrategy-controller
+      containers:
+      - name: backupstrategy-controller
+        image: "{{ .Values.backupStrategyController.image }}"
+        args:
+        - --leader-elect
+        {{- if .Values.backupStrategyController.metrics.enable }}
+        - --metrics-bind-address={{ .Values.backupStrategyController.metrics.bindAddress }}
+        {{- end }}
+        {{- if .Values.backupStrategyController.debug }}
+        - --zap-log-level=debug
+        {{- else }}
+        - --zap-log-level=info
+        {{- end }}
+        ports:
+        - name: metrics
+          containerPort: {{ splitList ":" .Values.backupStrategyController.metrics.bindAddress | mustLast }}
+        - name: health
+          containerPort: 8081
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: health
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: health
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        {{- with .Values.backupStrategyController.resources }}
+        resources: {{- . | toYaml | nindent 10 }}
+        {{- end }}

packages/system/backupstrategy-controller/templates/rbac-bind.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backups.cozystack.io:strategy-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: backups.cozystack.io:strategy-controller
+subjects:
+- kind: ServiceAccount
+  name: backupstrategy-controller
+  namespace: {{ .Release.Namespace }}

packages/system/backupstrategy-controller/templates/rbac.yaml

@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: backups.cozystack.io:strategy-controller
+rules:
+- apiGroups: ["strategy.backups.cozystack.io"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["backups.cozystack.io"]
+  resources: ["backupjobs", "restorejobs"]
+  verbs: ["get", "list", "watch"]

packages/system/backupstrategy-controller/templates/sa.yaml

@@ -0,0 +1,4 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: backupstrategy-controller

packages/system/backupstrategy-controller/values.yaml

@@ -0,0 +1,14 @@
+backupStrategyController:
+  image: ""
+  replicas: 2
+  debug: false
+  metrics:
+    enabled: true
+    bindAddress: ":8443"
+  resources:
+    requests:
+      cpu: 10m
+      memory: 64Mi
+    limits:
+      cpu: 500m
+      memory: 128Mi

packages/system/fluxcd/values.yaml

@@ -9,6 +9,7 @@ flux-instance:
       registry: ghcr.io/fluxcd
     components:
       - source-controller
+      - source-watcher
       - kustomize-controller
       - helm-controller
       - notification-controller
@@ -38,12 +39,16 @@ flux-instance:
             - op: add
               path: /spec/template/spec/containers/0/args/-
               value: --storage-adv-addr=source-controller.cozy-fluxcd.svc
-            - op: add
-              path: /spec/template/spec/containers/0/args/-
-              value: --events-addr=http://notification-controller.cozy-fluxcd.svc/
         - target:
             kind: Deployment
-            name: (kustomize-controller|helm-controller|image-reflector-controller|image-automation-controller)
+            name: source-watcher
+          patch: |
+            - op: add
+              path: /spec/template/spec/containers/0/args/-
+              value: --storage-adv-addr=source-watcher.cozy-fluxcd.svc
+        - target:
+            kind: Deployment
+            name: (kustomize-controller|helm-controller|image-reflector-controller|image-automation-controller|source-controller|source-watcher)
           patch: |
             - op: add
               path: /spec/template/spec/containers/0/args/-

packages/system/linstor-affinity-controller/.helmignore

@@ -0,0 +1 @@
+examples

packages/system/linstor-affinity-controller/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-linstor
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/linstor-affinity-controller/Makefile

@@ -0,0 +1,10 @@
+export NAME=linstor-affinity-controller
+export NAMESPACE=cozy-linstor
+
+include ../../../hack/package.mk
+
+update:
+	rm -rf charts
+	helm repo add piraeus-charts https://piraeus.io/helm-charts/
+	helm repo update piraeus-charts
+	helm pull piraeus-charts/linstor-affinity-controller --untar --untardir charts

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+appVersion: v1.2.0
+description: 'Deploys the LINSTOR Affinity Controller. It periodically checks the
+  state of Piraeus/LINSTOR volumes compared to PersistentVolumes (PV), and updates
+  the PV Affinity if changes are detected. '
+home: https://github.com/piraeusdatastore/helm-charts
+icon: https://raw.githubusercontent.com/piraeusdatastore/piraeus/master/artwork/sandbox-artwork/icon/color.svg
+keywords:
+- storage
+maintainers:
+- name: The Piraeus Maintainers
+  url: https://github.com/piraeusdatastore/
+name: linstor-affinity-controller
+sources:
+- https://github.com/piraeusdatastore/linstor-affinity-controller
+type: application
+version: 1.5.0

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/README.md

@@ -0,0 +1,72 @@
+# LINSTOR Affinity Controller
+
+The LINSTOR Affinity Controller keeps the affinity of your volumes in sync between Kubernetes and LINSTOR.
+
+Affinity is used by Kubernetes to track on which node a specific resource can be accessed. For example, you can use
+affinity to restrict access to a volume to a specific zone. While this is all supported by Piraeus and LINSTOR, and you
+could tune your volumes to support almost any cluster topology, there was one important thing missing: updating affinity
+after volume migration.
+
+After the initial PersistentVolume (PV) object in Kubernetes is created, it is not possible to alter the affinity
+later[^1]. This becomes a problem if your volumes need to migrate, for example if using ephemeral infrastructure, where
+nodes are created and discard on demand. Using a strict affinity setting could mean that your volume is not accessible
+from where you want it to: the LINSTOR resource might be there, but Kubernetes will see the volume as only accessible on
+some other nodes. So you had to specify a rather relaxed affinity setting for your volumes, at the cost of less optimal
+workload placement.
+
+There is one other solution (or rather workaround): recreating your PersistentVolume whenever the backing LINSTOR
+resource changed. This is where the LINSTOR Affinity Controller comes in: it automates these required steps, so that
+using strict affinity just works. With strict affinity, the Kubernetes scheduler can place workloads on the same nodes
+as the volumes they are using, benefiting from local data access for increased read performance.
+
+It also enables strict affinity settings should you use ephemeral infrastructure: even if you rotate out all nodes,
+your PV affinity will always match the actual volume placement in LINSTOR.
+
+## Deployment
+
+The best way to deploy the LINSTOR Affinity Controller is by helm chart. If deployed to the same namespace
+as [our operator](https://github.com/piraeusdatastore/piraeus-operator) this is quite simple:
+
+```
+helm repo add piraeus-charts https://piraeus.io/helm-charts/
+helm install linstor-affinity-controller piraeus-charts/linstor-affinity-controller
+```
+
+If deploying to a different namespace, ensure that `linstor.endpoint` and `linstor.clientSecret` are set appropriately.
+For more information on the available options, see below.
+
+### Options
+
+The following options can be set on the chart:
+
+| Option                        | Usage                                                                                        | Default                                                       |
+|-------------------------------|----------------------------------------------------------------------------------------------|---------------------------------------------------------------|
+| `replicaCount`                | Number of replicas to deploy.                                                                | `1`                                                           |
+| `options.v`                   | Set verbosity for controller                                                                 | `1`                                                           |
+| `options.leaderElection`      | Enable leader election to coordinate betwen multiple replicas.                               | `true`                                                        |
+| `options.reconcileRate`       | Set the reconcile rate, i.e. how often the cluster state will be checked and updated         | `15s`                                                         |
+| `options.resyncRate`          | How often the controller will resync it's internal cache of Kubernetes resources             | `15m`                                                         |
+| `options.propertyNamespace`   | Namespace used by LINSTOR CSI to search for node labels.                                     | `""` (auto-detected based on existing node labels on startup) |
+| `linstor.endpoint`            | URL of the LINSTOR Controller API.                                                           | `""` (auto-detected when using Piraeus-Operator)              |
+| `linstor.clientSecret`        | TLS secret to use to authenticate with the LINSTOR API                                       | `""` (auto-detected when using Piraeus-Operator)              |
+| `image.repository`            | Repository to pull the linstor-affinity-controller image from.                               | `quay.io/piraeusdatastore/linstor-affinity-controller`        |
+| `image.pullPolicy`            | Pull policy to use. Possible values: `IfNotPresent`, `Always`, `Never`                       | `IfNotPresent`                                                |
+| `image.tag`                   | Override the tag to pull. If not given, defaults to charts `AppVersion`.                     | `""`                                                          |
+| `resources`                   | Resources to request and limit on the container.                                             | `{requests: {cpu: 50m, mem: 100Mi}}`                          |
+| `securityContext`             | Configure container security context.                                                        | `{capabilities: {drop: [ALL]}, readOnlyRootFilesystem: true}` |
+| `podSecurityContext`          | Security context to set on the pod.                                                          | `{runAsNonRoot: true, runAsUser: 1000}`                       |
+| `imagePullSecrets`            | Image pull secrets to add to the deployment.                                                 | `[]`                                                          |
+| `podAnnotations`              | Annotations to add to every pod in the deployment.                                           | `{}`                                                          |
+| `nodeSelector`                | Node selector to add to a pod.                                                               | `{}`                                                          |
+| `tolerations`                 | Tolerations to add to a pod.                                                                 | `[]`                                                          |
+| `affinity`                    | Affinity to set on a pod.                                                                    | `{}`                                                          |
+| `rbac.create`                 | Create the necessary roles and bindings for the controller.                                  | `true`                                                        |
+| `serviceAccount.create`       | Create the service account resource                                                          | `true`                                                        |
+| `serviceAccount.name`         | Sets the name of the service account. If left empty, will use the release name as default    | `""`                                                          |
+| `podDisruptionBudget.enabled` | Enable creation of a pod disruption budget to protect the availability of the scheduler      | `true`                                                        |
+| `autoscaling.enabled`         | Enable creation of a horizontal pod autoscaler to ensure availability in case of high usage` | `"false`                                                      |
+| `monitoring.enabled`          | Enable creation of resources for monitoring via Prometheus Operator                          | `"false"`                                                     |
+
+***
+
+[^1]: That is not 100% true: you can _add_ affinity if it was previously unset, but once set, it can't be modified.

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/templates/NOTES.txt

@@ -0,0 +1,3 @@
+LINSTOR Affinity Controller deployed.
+
+Used LINSTOR URL: {{ include "linstor-affinity-controller.linstorEndpoint" .}}

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/templates/_helpers.tpl

@@ -0,0 +1,160 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "linstor-affinity-controller.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "linstor-affinity-controller.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "linstor-affinity-controller.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "linstor-affinity-controller.labels" -}}
+helm.sh/chart: {{ include "linstor-affinity-controller.chart" . }}
+{{ include "linstor-affinity-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "linstor-affinity-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "linstor-affinity-controller.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "linstor-affinity-controller.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "linstor-affinity-controller.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Find the linstor client secret containing TLS certificates
+*/}}
+{{- define "linstor-affinity-controller.linstorClientSecretName" -}}
+{{- if .Values.linstor.clientSecret }}
+{{- .Values.linstor.clientSecret }}
+{{- else if .Capabilities.APIVersions.Has "piraeus.io/v1/LinstorCluster" }}
+{{- $crs := (lookup "piraeus.io/v1" "LinstorCluster" "" "").items }}
+{{- if $crs }}
+{{- if eq (len $crs) 1 }}
+{{- $item := index $crs 0 }}
+{{- if hasKey $item.spec "apiTLS" }}
+{{- default "linstor-client-tls" $item.spec.apiTLS.clientSecretName }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- else if .Capabilities.APIVersions.Has "piraeus.linbit.com/v1/LinstorController" }}
+{{- $crs := (lookup "piraeus.linbit.com/v1" "LinstorController" .Release.Namespace "").items }}
+{{- if $crs }}
+{{- if eq (len $crs) 1 }}
+{{- $item := index $crs 0 }}
+{{- $item.spec.linstorHttpsClientSecret }}
+{{- end }}
+{{- end }}
+{{- else if .Capabilities.APIVersions.Has "linstor.linbit.com/v1/LinstorController" }}
+{{- $crs := (lookup "linstor.linbit.com/v1" "LinstorController" .Release.Namespace "").items }}
+{{- if $crs }}
+{{- if eq (len $crs) 1 }}
+{{- $item := index $crs 0 }}
+{{- $item.spec.linstorHttpsClientSecret }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Find the linstor URL by operator resources
+*/}}
+{{- define "linstor-affinity-controller.linstorEndpointFromCRD" -}}
+{{- if .Capabilities.APIVersions.Has "piraeus.io/v1/LinstorCluster" }}
+{{- $crs := (lookup "piraeus.io/v1" "LinstorCluster" "" "").items }}
+{{- if $crs }}
+{{- if eq (len $crs) 1 }}
+{{- $item := index $crs 0 }}
+{{- range $index, $service := (lookup "v1" "Service" "" "").items }}
+{{- if and (eq (dig "metadata" "labels" "app.kubernetes.io/component" "" $service) "linstor-controller") (eq (dig "metadata" "labels" "app.kubernetes.io/instance" "" $service) $item.metadata.name) }}
+{{- if include "linstor-affinity-controller.linstorClientSecretName" $ }}
+{{- printf "https://%s.%s.svc:3371" $service.metadata.name $service.metadata.namespace }}
+{{- else }}
+{{- printf "http://%s.%s.svc:3370" $service.metadata.name $service.metadata.namespace }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- else if .Capabilities.APIVersions.Has "piraeus.linbit.com/v1/LinstorController" }}
+{{- $crs := (lookup "piraeus.linbit.com/v1" "LinstorController" .Release.Namespace "").items }}
+{{- if $crs }}
+{{- if eq (len $crs) 1 }}
+{{- $item := index $crs 0 }}
+{{- if include "linstor-affinity-controller.linstorClientSecretName" . }}
+{{- printf "https://%s.%s.svc:3371" $item.metadata.name $item.metadata.namespace }}
+{{- else }}
+{{- printf "http://%s.%s.svc:3370" $item.metadata.name $item.metadata.namespace }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- else if .Capabilities.APIVersions.Has "linstor.linbit.com/v1/LinstorController" }}
+{{- $crs := (lookup "linstor.linbit.com/v1" "LinstorController" .Release.Namespace "").items }}
+{{- if $crs }}
+{{- if eq (len $crs) 1 }}
+{{- $item := index $crs 0 }}
+{{- if include "linstor-affinity-controller.linstorClientSecretName" . }}
+{{- printf "https://%s.%s.svc:3371" $item.metadata.name $item.metadata.namespace }}
+{{- else }}
+{{- printf "http://%s.%s.svc:3370" $item.metadata.name $item.metadata.namespace }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Find the linstor URL either by override or cluster resources
+*/}}
+{{- define "linstor-affinity-controller.linstorEndpoint" -}}
+{{- if .Values.linstor.endpoint }}
+{{- .Values.linstor.endpoint }}
+{{- else }}
+{{- $piraeus := include "linstor-affinity-controller.linstorEndpointFromCRD" . }}
+{{- if $piraeus }}
+{{- $piraeus }}
+{{- else }}
+{{- fail "Please specify linstor.endpoint, no default URL could be determined" }}
+{{- end }}
+{{- end }}
+{{- end }}

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/templates/deployment.yaml

@@ -0,0 +1,98 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "linstor-affinity-controller.fullname" . }}
+  labels:
+    {{- include "linstor-affinity-controller.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "linstor-affinity-controller.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "linstor-affinity-controller.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "linstor-affinity-controller.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          args:
+            - /linstor-affinity-controller
+            {{- if .Values.monitoring }}
+            - --metrics-address=:8001
+            {{- end }}
+            {{- range $opt, $val := .Values.options }}
+            - --{{ $opt | kebabcase }}={{ $val }}
+            {{- end }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- if .Values.monitoring }}
+          ports:
+          - name: metrics
+            protocol: TCP
+            containerPort: 8001
+          {{- end }}
+          env:
+            - name: LEASE_LOCK_NAME
+              value: {{ include "linstor-affinity-controller.fullname" . }}
+            - name: LEASE_HOLDER_IDENTITY
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+                  apiVersion: v1
+            - name: LS_CONTROLLERS
+              value: {{ include "linstor-affinity-controller.linstorEndpoint" . }}
+            {{- if include "linstor-affinity-controller.linstorClientSecretName" . }}
+            - name: LS_USER_CERTIFICATE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "linstor-affinity-controller.linstorClientSecretName" . }}
+                  key: tls.crt
+            - name: LS_USER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "linstor-affinity-controller.linstorClientSecretName" . }}
+                  key: tls.key
+            - name: LS_ROOT_CA
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "linstor-affinity-controller.linstorClientSecretName" . }}
+                  key: ca.crt
+            {{- end }}
+          readinessProbe:
+            httpGet:
+              port: 8000
+              path: /readyz
+          livenessProbe:
+            httpGet:
+              port: 8000
+              path: /healthz
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/templates/hpa.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "linstor-affinity-controller.fullname" . }}
+  labels:
+    {{- include "linstor-affinity-controller.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "linstor-affinity-controller.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/templates/monitoring.yaml

@@ -0,0 +1,30 @@
+{{ if .Values.monitoring.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "linstor-affinity-controller.fullname" . }}
+  labels:
+    {{- include "linstor-affinity-controller.labels" . | nindent 4 }}
+spec:
+  endpoints:
+  - port: metrics
+  selector:
+    matchLabels:
+      {{- include "linstor-affinity-controller.selectorLabels" . | nindent 6 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "linstor-affinity-controller.fullname" . }}
+  labels:
+    {{- include "linstor-affinity-controller.labels" . | nindent 4 }}
+spec:
+  selector:
+    {{- include "linstor-affinity-controller.selectorLabels" . | nindent 4 }}
+  ports:
+  - name: metrics
+    port: 8001
+    targetPort: metrics
+    protocol: TCP
+{{ end }}

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/templates/poddisruptionbudget.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.podDisruptionBudget.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "linstor-affinity-controller.fullname" . }}
+  labels:
+    {{- include "linstor-affinity-controller.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "linstor-affinity-controller.selectorLabels" . | nindent 6 }}
+  {{- if .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+{{- end -}}

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/templates/rbac.yaml

@@ -0,0 +1,99 @@
+{{- if .Values.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "linstor-affinity-controller.serviceAccountName" . }}
+  labels:
+    {{- include "linstor-affinity-controller.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumes
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - "storage.k8s.io"
+    resources:
+      - storageclasses
+    verbs:
+      - get
+  - apiGroups:
+      - events.k8s.io
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "linstor-affinity-controller.serviceAccountName" . }}
+  labels:
+    {{- include "linstor-affinity-controller.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "linstor-affinity-controller.serviceAccountName" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "linstor-affinity-controller.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- if .Values.options.leaderElection }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "linstor-affinity-controller.serviceAccountName" . }}
+  labels:
+    {{- include "linstor-affinity-controller.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "linstor-affinity-controller.serviceAccountName" . }}
+  labels:
+    {{- include "linstor-affinity-controller.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "linstor-affinity-controller.serviceAccountName" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "linstor-affinity-controller.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "linstor-affinity-controller.serviceAccountName" . }}
+  labels:
+    {{- include "linstor-affinity-controller.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

packages/system/linstor-affinity-controller/charts/linstor-affinity-controller/values.yaml

@@ -0,0 +1,73 @@
+replicaCount: 1
+
+linstor:
+  endpoint: ""
+  clientSecret: ""
+
+image:
+  repository: quay.io/piraeusdatastore/linstor-affinity-controller
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: [ ]
+nameOverride: ""
+fullnameOverride: ""
+
+options:
+  v: 1
+  leaderElection: true
+  #propertyNamespace: ""
+  #reconcileRate: 15s
+  #resyncRate: 15m
+  #workers: 10
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: { }
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+rbac:
+  # Specifies whether RBAC resources should be created
+  create: true
+
+podAnnotations: { }
+
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 100Mi
+
+nodeSelector: { }
+
+tolerations: []
+affinity: { }
+
+podDisruptionBudget:
+  enabled: true
+  minAvailable: 1
+  # maxUnavailable: 1
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 3
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+monitoring:
+  enabled: false

packages/system/linstor-affinity-controller/values.yaml

@@ -0,0 +1,4 @@
+linstor-affinity-controller:
+  linstor:
+    endpoint: "https://linstor-controller.cozy-linstor.svc:3371"
+    clientSecret: "linstor-client-tls"

packages/system/piraeus-operator/charts/piraeus/Chart.yaml

@@ -3,8 +3,8 @@ name: piraeus
 description: |
   The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
 type: application
-version: 2.10.1
-appVersion: "v2.10.1"
+version: 2.10.2
+appVersion: "v2.10.2"
 maintainers:
   - name: Piraeus Datastore
     url: https://piraeus.io

packages/system/piraeus-operator/charts/piraeus/templates/config.yaml

@@ -23,10 +23,10 @@ data:
         tag: v1.32.3
         image: piraeus-server
       linstor-csi:
-        tag: v1.10.2
+        tag: v1.10.3
         image: piraeus-csi
       nfs-server:
-        tag: v1.10.2
+        tag: v1.10.3
         image: piraeus-csi-nfs-server
       drbd-reactor:
         tag: v1.10.0
@@ -44,7 +44,7 @@ data:
         tag: v1.3.0
         image: linstor-affinity-controller
       drbd-module-loader:
-        tag: v9.2.15
+        tag: v9.2.16
         # The special "match" attribute is used to select an image based on the node's reported OS.
         # The operator will first check the k8s node's ".status.nodeInfo.osImage" field, and compare it against the list
         # here. If one matches, that specific image name will be used instead of the fallback image.
@@ -99,7 +99,7 @@ data:
         tag: v2.17.0
         image: livenessprobe
       csi-provisioner:
-        tag: v6.0.0
+        tag: v6.1.0
         image: csi-provisioner
       csi-snapshotter:
         tag: v8.4.0

packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml

@@ -993,6 +993,24 @@ spec:
                 - Retain
                 - Delete
                 type: string
+              evacuationStrategy:
+                description: EvacuationStrategy configures the evacuation of volumes
+                  from a Satellite when DeletionPolicy "Evacuate" is used.
+                nullable: true
+                properties:
+                  attachedVolumeReattachTimeout:
+                    default: 5m
+                    description: |-
+                      AttachedVolumeReattachTimeout configures how long evacuation waits for attached volumes to reattach on
+                      different nodes. Setting this to 0 disable this evacuation step.
+                    type: string
+                  unattachedVolumeAttachTimeout:
+                    default: 5m
+                    description: |-
+                      UnattachedVolumeAttachTimeout configures how long evacuation waits for unattached volumes to attach on
+                      different nodes. Setting this to 0 disable this evacuation step.
+                    type: string
+                type: object
               internalTLS:
                 description: |-
                   InternalTLS configures secure communication for the LINSTOR Satellite.
@@ -1683,6 +1701,23 @@ spec:
                 - Retain
                 - Delete
                 type: string
+              evacuationStrategy:
+                description: EvacuationStrategy configures the evacuation of volumes
+                  from a Satellite when DeletionPolicy "Evacuate" is used.
+                properties:
+                  attachedVolumeReattachTimeout:
+                    default: 5m
+                    description: |-
+                      AttachedVolumeReattachTimeout configures how long evacuation waits for attached volumes to reattach on
+                      different nodes. Setting this to 0 disable this evacuation step.
+                    type: string
+                  unattachedVolumeAttachTimeout:
+                    default: 5m
+                    description: |-
+                      UnattachedVolumeAttachTimeout configures how long evacuation waits for unattached volumes to attach on
+                      different nodes. Setting this to 0 disable this evacuation step.
+                    type: string
+                type: object
               internalTLS:
                 description: |-
                   InternalTLS configures secure communication for the LINSTOR Satellite.

pkg/registry/apps/application/rest.go

@@ -28,7 +28,6 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	fields "k8s.io/apimachinery/pkg/fields"
 	labels "k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -142,17 +141,9 @@ func (r *REST) GetSingularName() string {
 // Create handles the creation of a new Application by converting it to a HelmRelease
 func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
 	// Assert the object is of type Application
-	us, ok := obj.(*unstructured.Unstructured)
+	app, ok := obj.(*appsv1alpha1.Application)
 	if !ok {
-		return nil, fmt.Errorf("expected unstructured.Unstructured object, got %T", obj)
-	}
-
-	app := &appsv1alpha1.Application{}
-
-	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(us.Object, app); err != nil {
-		errMsg := fmt.Sprintf("returned unstructured.Unstructured object was not an Application")
-		klog.Errorf(errMsg)
-		return nil, fmt.Errorf(errMsg)
+		return nil, fmt.Errorf("expected *appsv1alpha1.Application object, got %T", obj)
 	}
 
 	// Convert Application to HelmRelease
@@ -186,15 +177,8 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
 
 	klog.V(6).Infof("Successfully created and converted HelmRelease %s to Application", helmRelease.GetName())
 
-	// Convert Application to unstructured format
-	unstructuredApp, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&convertedApp)
-	if err != nil {
-		klog.Errorf("Failed to convert Application to unstructured for resource %s: %v", convertedApp.GetName(), err)
-		return nil, fmt.Errorf("failed to convert Application to unstructured: %v", err)
-	}
-
-	klog.V(6).Infof("Successfully retrieved and converted resource %s of type %s to unstructured", convertedApp.GetName(), r.gvr.Resource)
-	return &unstructured.Unstructured{Object: unstructuredApp}, nil
+	klog.V(6).Infof("Successfully retrieved and converted resource %s of type %s", convertedApp.GetName(), r.gvr.Resource)
+	return &convertedApp, nil
 }
 
 // Get retrieves an Application by converting the corresponding HelmRelease
@@ -238,25 +222,8 @@ func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions)
 		return nil, fmt.Errorf("conversion error: %v", err)
 	}
 
-	// Explicitly set apiVersion and kind for Application
-	convertedApp.TypeMeta = metav1.TypeMeta{
-		APIVersion: "apps.cozystack.io/v1alpha1",
-		Kind:       r.kindName,
-	}
-
-	// Convert Application to unstructured format
-	unstructuredApp, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&convertedApp)
-	if err != nil {
-		klog.Errorf("Failed to convert Application to unstructured for resource %s: %v", name, err)
-		return nil, fmt.Errorf("failed to convert Application to unstructured: %v", err)
-	}
-
-	// Explicitly set apiVersion and kind in unstructured object
-	unstructuredApp["apiVersion"] = "apps.cozystack.io/v1alpha1"
-	unstructuredApp["kind"] = r.kindName
-
-	klog.V(6).Infof("Successfully retrieved and converted resource %s of kind %s to unstructured", name, r.gvr.Resource)
-	return &unstructured.Unstructured{Object: unstructuredApp}, nil
+	klog.V(6).Infof("Successfully retrieved and converted resource %s of kind %s", name, r.gvr.Resource)
+	return &convertedApp, nil
 }
 
 // List retrieves a list of Applications by converting HelmReleases
@@ -339,8 +306,8 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 		return nil, err
 	}
 
-	// Initialize unstructured items array
-	items := make([]unstructured.Unstructured, 0)
+	// Initialize Application items array
+	items := make([]appsv1alpha1.Application, 0, len(hrList.Items))
 
 	// Iterate over HelmReleases and convert to Applications
 	for i := range hrList.Items {
@@ -387,17 +354,11 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 			}
 		}
 
-		// Convert Application to unstructured
-		unstructuredApp, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&app)
-		if err != nil {
-			klog.Errorf("Error converting Application %s to unstructured: %v", app.Name, err)
-			continue
-		}
-		items = append(items, unstructured.Unstructured{Object: unstructuredApp})
+		items = append(items, app)
 	}
 
-	// Explicitly set apiVersion and kind in unstructured object
-	appList := r.NewList().(*unstructured.UnstructuredList)
+	// Create ApplicationList with proper kind
+	appList := r.NewList().(*appsv1alpha1.ApplicationList)
 	appList.SetResourceVersion(hrList.GetResourceVersion())
 	appList.Items = items
 
@@ -447,16 +408,9 @@ func (r *REST) Update(ctx context.Context, name string, objInfo rest.UpdatedObje
 	}
 
 	// Assert the new object is of type Application
-	us, ok := newObj.(*unstructured.Unstructured)
+	app, ok := newObj.(*appsv1alpha1.Application)
 	if !ok {
-		errMsg := fmt.Sprintf("expected unstructured.Unstructured object, got %T", newObj)
-		klog.Errorf(errMsg)
-		return nil, false, fmt.Errorf(errMsg)
-	}
-	app := &appsv1alpha1.Application{}
-
-	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(us.Object, app); err != nil {
-		errMsg := fmt.Sprintf("returned unstructured.Unstructured object was not an Application")
+		errMsg := fmt.Sprintf("expected *appsv1alpha1.Application object, got %T", newObj)
 		klog.Errorf(errMsg)
 		return nil, false, fmt.Errorf(errMsg)
 	}
@@ -517,24 +471,9 @@ func (r *REST) Update(ctx context.Context, name string, objInfo rest.UpdatedObje
 
 	klog.V(6).Infof("Successfully updated and converted HelmRelease %s to Application", helmRelease.GetName())
 
-	// Explicitly set apiVersion and kind for Application
-	convertedApp.TypeMeta = metav1.TypeMeta{
-		APIVersion: "apps.cozystack.io/v1alpha1",
-		Kind:       r.kindName,
-	}
+	klog.V(6).Infof("Returning updated Application object: %+v", convertedApp)
 
-	// Convert Application to unstructured format
-	unstructuredApp, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&convertedApp)
-	if err != nil {
-		klog.Errorf("Failed to convert Application to unstructured for resource %s: %v", convertedApp.GetName(), err)
-		return nil, false, fmt.Errorf("failed to convert Application to unstructured: %v", err)
-	}
-	obj := &unstructured.Unstructured{Object: unstructuredApp}
-	obj.SetGroupVersionKind(r.gvk)
-
-	klog.V(6).Infof("Returning patched Application object: %+v", unstructuredApp)
-
-	return obj, false, nil
+	return &convertedApp, false, nil
 }
 
 // Delete removes an Application by deleting the corresponding HelmRelease
@@ -728,19 +667,10 @@ func (r *REST) Watch(ctx context.Context, options *metainternalversion.ListOptio
 					}
 				}
 
-				// Convert Application to unstructured
-				unstructuredApp, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&app)
-				if err != nil {
-					klog.Errorf("Failed to convert Application to unstructured: %v", err)
-					continue
-				}
-				obj := &unstructured.Unstructured{Object: unstructuredApp}
-				obj.SetGroupVersionKind(r.gvk)
-
 				// Create watch event with Application object
 				appEvent := watch.Event{
 					Type:   event.Type,
-					Object: obj,
+					Object: &app,
 				}
 
 				// Send event to custom watcher
@@ -766,8 +696,8 @@ func (r *REST) Watch(ctx context.Context, options *metainternalversion.ListOptio
 
 // Helper function to get HelmRelease name from object
 func helmReleaseName(obj runtime.Object) string {
-	if u, ok := obj.(*unstructured.Unstructured); ok {
-		return u.GetName()
+	if app, ok := obj.(*appsv1alpha1.Application); ok {
+		return app.GetName()
 	}
 	return "<unknown>"
 }
@@ -1059,56 +989,6 @@ func (r *REST) ConvertToTable(ctx context.Context, object runtime.Object, tableO
 	case *appsv1alpha1.Application:
 		table = r.buildTableFromApplication(*obj)
 		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
-	case *unstructured.UnstructuredList:
-		apps := make([]appsv1alpha1.Application, 0, len(obj.Items))
-		for _, u := range obj.Items {
-			var a appsv1alpha1.Application
-			err := runtime.DefaultUnstructuredConverter.FromUnstructured(u.Object, &a)
-			if err != nil {
-				klog.Errorf("Failed to convert Unstructured to Application: %v", err)
-				continue
-			}
-			apps = append(apps, a)
-		}
-		table = r.buildTableFromApplications(apps)
-		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
-	case *unstructured.Unstructured:
-		var apps []appsv1alpha1.Application
-		for {
-			var items interface{}
-			var ok bool
-			var objects []unstructured.Unstructured
-			if items, ok = obj.Object["items"]; !ok {
-				break
-			}
-			if objects, ok = items.([]unstructured.Unstructured); !ok {
-				break
-			}
-			apps = make([]appsv1alpha1.Application, 0, len(objects))
-			var a appsv1alpha1.Application
-			for i := range objects {
-				err := runtime.DefaultUnstructuredConverter.FromUnstructured(objects[i].Object, &a)
-				if err != nil {
-					klog.Errorf("Failed to convert Unstructured to Application: %v", err)
-					continue
-				}
-				apps = append(apps, a)
-			}
-			break
-		}
-		if apps != nil {
-			table = r.buildTableFromApplications(apps)
-			table.ListMeta.ResourceVersion = obj.GetResourceVersion()
-			break
-		}
-		var app appsv1alpha1.Application
-		err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &app)
-		if err != nil {
-			klog.Errorf("Failed to convert Unstructured to Application: %v", err)
-			return nil, fmt.Errorf("failed to convert Unstructured to Application: %v", err)
-		}
-		table = r.buildTableFromApplication(app)
-		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
 	default:
 		resource := schema.GroupResource{}
 		if info, ok := request.RequestInfoFrom(ctx); ok {
@@ -1147,10 +1027,11 @@ func (r *REST) buildTableFromApplications(apps []appsv1alpha1.Application) metav
 	}
 	now := time.Now()
 
-	for _, app := range apps {
+	for i := range apps {
+		app := &apps[i]
 		row := metav1.TableRow{
 			Cells:  []interface{}{app.GetName(), getReadyStatus(app.Status.Conditions), computeAge(app.GetCreationTimestamp().Time, now), getVersion(app.Status.Version)},
-			Object: runtime.RawExtension{Object: &app},
+			Object: runtime.RawExtension{Object: app},
 		}
 		table.Rows = append(table.Rows, row)
 	}
@@ -1171,9 +1052,10 @@ func (r *REST) buildTableFromApplication(app appsv1alpha1.Application) metav1.Ta
 	}
 	now := time.Now()
 
+	a := app
 	row := metav1.TableRow{
 		Cells:  []interface{}{app.GetName(), getReadyStatus(app.Status.Conditions), computeAge(app.GetCreationTimestamp().Time, now), getVersion(app.Status.Version)},
-		Object: runtime.RawExtension{Object: &app},
+		Object: runtime.RawExtension{Object: &a},
 	}
 	table.Rows = append(table.Rows, row)
 
@@ -1237,15 +1119,21 @@ func (r *REST) Destroy() {
 
 // New creates a new instance of Application
 func (r *REST) New() runtime.Object {
-	obj := &unstructured.Unstructured{}
-	obj.SetGroupVersionKind(r.gvk)
+	obj := &appsv1alpha1.Application{}
+	obj.TypeMeta = metav1.TypeMeta{
+		APIVersion: r.gvk.GroupVersion().String(),
+		Kind:       r.kindName,
+	}
 	return obj
 }
 
 // NewList returns an empty list of Application objects
 func (r *REST) NewList() runtime.Object {
-	obj := &unstructured.UnstructuredList{}
-	obj.SetGroupVersionKind(r.gvk.GroupVersion().WithKind(r.kindName + "List"))
+	obj := &appsv1alpha1.ApplicationList{}
+	obj.TypeMeta = metav1.TypeMeta{
+		APIVersion: r.gvk.GroupVersion().String(),
+		Kind:       r.kindName + "List",
+	}
 	return obj
 }
 

pkg/registry/core/tenantmodule/rest.go

@@ -26,7 +26,6 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	fields "k8s.io/apimachinery/pkg/fields"
 	labels "k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -147,25 +146,8 @@ func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions)
 		return nil, fmt.Errorf("conversion error: %v", err)
 	}
 
-	// Explicitly set apiVersion and kind for TenantModule
-	convertedModule.TypeMeta = metav1.TypeMeta{
-		APIVersion: "core.cozystack.io/v1alpha1",
-		Kind:       r.kindName,
-	}
-
-	// Convert TenantModule to unstructured format
-	unstructuredModule, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&convertedModule)
-	if err != nil {
-		klog.Errorf("Failed to convert TenantModule to unstructured for resource %s: %v", name, err)
-		return nil, fmt.Errorf("failed to convert TenantModule to unstructured: %v", err)
-	}
-
-	// Explicitly set apiVersion and kind in unstructured object
-	unstructuredModule["apiVersion"] = "core.cozystack.io/v1alpha1"
-	unstructuredModule["kind"] = r.kindName
-
-	klog.V(6).Infof("Successfully retrieved and converted resource %s of kind %s to unstructured", name, r.gvr.Resource)
-	return &unstructured.Unstructured{Object: unstructuredModule}, nil
+	klog.V(6).Infof("Successfully retrieved and converted resource %s of kind %s", name, r.gvr.Resource)
+	return &convertedModule, nil
 }
 
 // List retrieves a list of TenantModules by converting HelmReleases
@@ -245,8 +227,8 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 		return nil, err
 	}
 
-	// Initialize unstructured items array
-	items := make([]unstructured.Unstructured, 0)
+	// Initialize TenantModule items array
+	items := make([]corev1alpha1.TenantModule, 0, len(hrList.Items))
 
 	// Iterate over HelmReleases and convert to TenantModules
 	for i := range hrList.Items {
@@ -294,19 +276,15 @@ func (r *REST) List(ctx context.Context, options *metainternalversion.ListOption
 			}
 		}
 
-		// Convert TenantModule to unstructured
-		unstructuredModule, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&module)
-		if err != nil {
-			klog.Errorf("Error converting TenantModule %s to unstructured: %v", module.Name, err)
-			continue
-		}
-		items = append(items, unstructured.Unstructured{Object: unstructuredModule})
+		items = append(items, module)
 	}
 
-	// Explicitly set apiVersion and kind in unstructured object
-	moduleList := &unstructured.UnstructuredList{}
-	moduleList.SetAPIVersion("core.cozystack.io/v1alpha1")
-	moduleList.SetKind(r.kindName + "List")
+	// Create TenantModuleList with proper kind
+	moduleList := &corev1alpha1.TenantModuleList{}
+	moduleList.TypeMeta = metav1.TypeMeta{
+		APIVersion: "core.cozystack.io/v1alpha1",
+		Kind:       r.kindName + "List",
+	}
 	moduleList.SetResourceVersion(hrList.GetResourceVersion())
 	moduleList.Items = items
 
@@ -455,17 +433,10 @@ func (r *REST) Watch(ctx context.Context, options *metainternalversion.ListOptio
 					}
 				}
 
-				// Convert TenantModule to unstructured
-				unstructuredModule, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&module)
-				if err != nil {
-					klog.Errorf("Failed to convert TenantModule to unstructured: %v", err)
-					continue
-				}
-
 				// Create watch event with TenantModule object
 				moduleEvent := watch.Event{
 					Type:   event.Type,
-					Object: &unstructured.Unstructured{Object: unstructuredModule},
+					Object: &module,
 				}
 
 				// Send event to custom watcher
@@ -620,27 +591,11 @@ func (r *REST) ConvertToTable(ctx context.Context, object runtime.Object, tableO
 	var table metav1.Table
 
 	switch obj := object.(type) {
-	case *unstructured.UnstructuredList:
-		modules := make([]corev1alpha1.TenantModule, 0, len(obj.Items))
-		for _, u := range obj.Items {
-			var m corev1alpha1.TenantModule
-			err := runtime.DefaultUnstructuredConverter.FromUnstructured(u.Object, &m)
-			if err != nil {
-				klog.Errorf("Failed to convert Unstructured to TenantModule: %v", err)
-				continue
-			}
-			modules = append(modules, m)
-		}
-		table = r.buildTableFromTenantModules(modules)
-		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
-	case *unstructured.Unstructured:
-		var module corev1alpha1.TenantModule
-		err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &module)
-		if err != nil {
-			klog.Errorf("Failed to convert Unstructured to TenantModule: %v", err)
-			return nil, fmt.Errorf("failed to convert Unstructured to TenantModule: %v", err)
-		}
-		table = r.buildTableFromTenantModule(module)
+	case *corev1alpha1.TenantModuleList:
+		table = r.buildTableFromTenantModules(obj.Items)
+		table.ListMeta.ResourceVersion = obj.ListMeta.ResourceVersion
+	case *corev1alpha1.TenantModule:
+		table = r.buildTableFromTenantModule(*obj)
 		table.ListMeta.ResourceVersion = obj.GetResourceVersion()
 	default:
 		resource := schema.GroupResource{}
@@ -680,10 +635,11 @@ func (r *REST) buildTableFromTenantModules(modules []corev1alpha1.TenantModule)
 	}
 	now := time.Now()
 
-	for _, module := range modules {
+	for i := range modules {
+		module := &modules[i]
 		row := metav1.TableRow{
 			Cells:  []interface{}{module.GetName(), getReadyStatus(module.Status.Conditions), computeAge(module.GetCreationTimestamp().Time, now), getVersion(module.Status.Version)},
-			Object: runtime.RawExtension{Object: &module},
+			Object: runtime.RawExtension{Object: module},
 		}
 		table.Rows = append(table.Rows, row)
 	}
@@ -704,9 +660,10 @@ func (r *REST) buildTableFromTenantModule(module corev1alpha1.TenantModule) meta
 	}
 	now := time.Now()
 
+	m := module
 	row := metav1.TableRow{
 		Cells:  []interface{}{module.GetName(), getReadyStatus(module.Status.Conditions), computeAge(module.GetCreationTimestamp().Time, now), getVersion(module.Status.Version)},
-		Object: runtime.RawExtension{Object: &module},
+		Object: runtime.RawExtension{Object: &m},
 	}
 	table.Rows = append(table.Rows, row)
 
@@ -751,12 +708,22 @@ func (r *REST) Destroy() {
 
 // New creates a new instance of TenantModule
 func (r *REST) New() runtime.Object {
-	return &corev1alpha1.TenantModule{}
+	obj := &corev1alpha1.TenantModule{}
+	obj.TypeMeta = metav1.TypeMeta{
+		APIVersion: r.gvk.GroupVersion().String(),
+		Kind:       r.kindName,
+	}
+	return obj
 }
 
 // NewList returns an empty list of TenantModule objects
 func (r *REST) NewList() runtime.Object {
-	return &corev1alpha1.TenantModuleList{}
+	obj := &corev1alpha1.TenantModuleList{}
+	obj.TypeMeta = metav1.TypeMeta{
+		APIVersion: r.gvk.GroupVersion().String(),
+		Kind:       r.kindName + "List",
+	}
+	return obj
 }
 
 // Kind returns the resource kind used for API discovery

scripts/installer.sh

@@ -19,29 +19,11 @@ run_migrations() {
   done
 }
 
-flux_is_ok() {
-  kubectl wait --for=condition=available -n cozy-fluxcd deploy/source-controller deploy/helm-controller --timeout=1s
-  kubectl wait --for=condition=ready -n cozy-fluxcd helmrelease/fluxcd --timeout=1s # to call "apply resume" below
-}
-
-ensure_fluxcd() {
-  if flux_is_ok; then
+install_flux() {
+  if [ "$INSTALL_FLUX" != "true" ]; then
     return
   fi
-  # Install fluxcd-operator
-  if kubectl get helmreleases.helm.toolkit.fluxcd.io  -n cozy-fluxcd fluxcd-operator; then
-    make -C packages/system/fluxcd-operator apply resume
-  else
-    make -C packages/system/fluxcd-operator apply-locally
-  fi
-  wait_for_crds fluxinstances.fluxcd.controlplane.io
-
-   # Install fluxcd
-  if kubectl get helmreleases.helm.toolkit.fluxcd.io  -n cozy-fluxcd fluxcd; then
-    make -C packages/system/fluxcd apply resume
-  else
-    make -C packages/system/fluxcd apply-locally
-  fi
+  make -C packages/core/flux-aio apply
   wait_for_crds helmreleases.helm.toolkit.fluxcd.io helmrepositories.source.toolkit.fluxcd.io
 }
 
@@ -49,15 +31,6 @@ wait_for_crds() {
   timeout 60 sh -c "until kubectl get crd $*; do sleep 1; done"
 }
 
-install_basic_charts() {
-  if [ "$BUNDLE" = "paas-full" ] || [ "$BUNDLE" = "distro-full" ]; then
-  make -C packages/system/cilium apply resume
-  fi
-  if [ "$BUNDLE" = "paas-full" ]; then
-    make -C packages/system/kubeovn apply resume
-  fi
-}
-
 cd "$(dirname "$0")/.."
 
 # Run migrations
@@ -67,16 +40,14 @@ run_migrations
 make -C packages/core/platform namespaces-apply
 
 # Install fluxcd
-ensure_fluxcd
+install_flux
+
+# Install fluxcd certificates
+./scripts/issue-flux-certificates.sh
 
 # Install platform chart
 make -C packages/core/platform reconcile
 
-# Install basic charts
-if ! flux_is_ok; then
-  install_basic_charts
-fi
-
 # Reconcile Helm repositories
 kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite
 

scripts/issue-flux-certificates.sh

@@ -0,0 +1,63 @@
+#!/bin/sh
+set -e
+
+if kubectl get secret -n cozy-system cozystack-assets-tls >/dev/null 2>&1 && kubectl get secret -n cozy-public cozystack-assets-tls >/dev/null 2>&1; then
+  echo "Secret cozystack-assets-tls already exists in both cozy-system and cozy-public namespaces. Exiting."
+  exit 0
+fi
+
+USER_CN="cozystack-assets-reader"
+CSR_NAME="csr-${USER_CN}-$(date +%s)"
+
+# make temp directory and cleanup handler
+TMPDIR=$(mktemp -d)
+trap 'rm -rf "$TMPDIR"' EXIT
+
+# move into tmpdir
+cd "$TMPDIR"
+
+openssl genrsa -out tls.key 2048
+openssl req -new -key tls.key -subj "/CN=${USER_CN}" -out tls.csr
+
+CSR_B64=$(base64 < tls.csr | tr -d '\n')
+
+cat <<EOF | kubectl apply -f -
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: ${CSR_NAME}
+spec:
+  signerName: kubernetes.io/kube-apiserver-client
+  request: ${CSR_B64}
+  usages:
+    - client auth
+EOF
+
+kubectl certificate approve "${CSR_NAME}"
+
+echo "Waiting for .status.certificate..."
+kubectl wait csr "${CSR_NAME}" \
+  --for=jsonpath='{.status.certificate}' \
+  --timeout=120s
+
+kubectl get csr "${CSR_NAME}" \
+  -o jsonpath='{.status.certificate}' | base64 -d > tls.crt
+
+kubectl get -n kube-public configmap kube-root-ca.crt \
+  -o jsonpath='{.data.ca\.crt}' > ca.crt
+
+kubectl create secret generic "cozystack-assets-tls" \
+  --namespace='cozy-system' \
+  --type='kubernetes.io/tls' \
+  --from-file=tls.crt \
+  --from-file=tls.key \
+  --from-file=ca.crt \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+kubectl create secret generic "cozystack-assets-tls" \
+  --namespace='cozy-public' \
+  --type='kubernetes.io/tls' \
+  --from-file=tls.crt \
+  --from-file=tls.key \
+  --from-file=ca.crt \
+  --dry-run=client -o yaml | kubectl apply -f -

scripts/migrations/21

@@ -0,0 +1,10 @@
+#!/bin/sh
+# Migration 21 --> 22
+
+set -euo pipefail
+
+kubectl delete hr -n cozy-fluxcd fluxcd --ignore-not-found
+
+# Stamp version
+kubectl create configmap -n cozy-system cozystack-version \
+  --from-literal=version=22 --dry-run=client -o yaml | kubectl apply -f-