Skip to content

[platform] Add PackageSources for cozystack-operator #1760

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kvaps merged 1 commit into from
Dec 30, 2025
Merged

[platform] Add PackageSources for cozystack-operator #1760

kvaps merged 1 commit into from
Dec 30, 2025

Conversation

@kvaps
Copy link
Member

@kvaps kvaps commented Dec 25, 2025
edited by coderabbitai bot
Loading

Signed-off-by: Andrei Kvapil kvapss@gmail.com

What this PR does

dependencies

Release note

[platform] Add PackageSources for cozystack-operator

Summary by CodeRabbit

  • New Features
    • Added support for 76 new package sources, including operators, applications, and system components for the CozyStack platform ecosystem (e.g., backup controller, database operators, monitoring tools, networking, storage, and virtualization packages).
    • Introduced a template aggregation mechanism to manage package source definitions.

✏️ Tip: You can customize this high-level summary in your review settings.

@kvaps
[platform] Add PackageSources for cozystack-operator
fe9fca6 
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
@dosubot dosubot bot added size:XL This PR changes 500-999 lines, ignoring generated files. enhancement New feature or request labels Dec 25, 2025
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Dec 25, 2025
edited
Loading

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Adds approximately 75 new Kubernetes PackageSource manifest files and an aggregation template. Each PackageSource defines a containerized package sourced from an OCI repository with variants, components, libraries, and installation configurations for system operators, databases, applications, networking, and monitoring tools in the CozyStack platform.

Changes

Cohort / File(s) Summary
Core Networking & Infrastructure
packages/core/platform/sources/networking.yaml, multus.yaml, kubeovn-*.yaml, metallb.yaml, cozy-proxy.yaml, external-dns.yaml, hetzner-robotlb.yaml, nfs-driver.yaml		 PackageSource definitions for network plugins (Cilium, KubeOVN), load balancing, and DNS resolution with OCIRepository source refs and install configurations specifying namespaces and release names.
Database & Data Storage Operators
packages/core/platform/sources/*-operator.yaml (postgres, mariadb, mysql, redis, kafka, rabbitmq, etcd, foundationdb), *-application.yaml (postgres, mysql, redis, kafka, rabbitmq, etcd, foundationdb)		 PackageSource definitions for database and data store operators and applications with OCIRepository refs, dependencies on networking and certificate managers, library references (cozy-lib), and installation namespace/release configurations.
Kubernetes Cluster API & Virtualization
packages/core/platform/sources/capi-*.yaml, kubevirt*.yaml, kamaji.yaml, gpu-operator.yaml		 PackageSource manifests for cluster API providers (bootstrap, core, infrastructure, cpprovider), KubeVirt components (operator, CDI, instance types), and cluster-level tools with privileged install settings in dedicated namespaces.
Monitoring, Logging & Security
packages/core/platform/sources/prometheus-operator-crds.yaml, victoria-metrics-operator.yaml, cert-manager.yaml, external-secrets-operator.yaml, grafana-operator.yaml, monitoring-agents.yaml, goldpinger.yaml, monitoring-application.yaml		 PackageSource definitions for observability and security components (Prometheus, Grafana, Victoria Metrics), certificate management, and secret handling with dependencies on networking and inter-component relationships.
Applications & Services
packages/core/platform/sources/*-application.yaml (bootbox, bucket, clickhouse, ferretdb, http-cache, info, ingress, seaweedfs, tcp-balancer, telepresence, tenant, vm-disk, vm-instance, virtual-machine, virtualprivatecloud, vpn); packages/core/platform/sources/backup-controller.yaml, cozystack-basics.yaml, cozystack-engine.yaml, reloader.yaml, snapshot-controller.yaml, linstor.yaml, velero.yaml, vertical-pod-autoscaler.yaml		 PackageSource definitions for user-facing applications and platform utilities sourced from OCI repositories, with library dependencies (cozy-lib), component paths, and install namespace/release configurations. Many include "-rd" (resource definition) components.
Aggregation Template
packages/core/platform/templates/sources.yaml		 Template file that iterates over all PackageSource files in sources/ directory, concatenates them with YAML document separators for packaging.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Review involves validating ~75 highly homogeneous YAML manifests following consistent patterns: OCIRepository sourceRef, variants with dependencies, components with paths, and installation metadata (namespace/releaseName). Large volume is offset by repetitive structure and no complex logic.

Poem

🐰 Seventy sources spring from the warren today,
Each package and operator finds its own way,
With libraries linked and components aligned,
The CozyStack ecosystem's beautifully designed!
From databases deep to the clouds up high,
Our tunnel of templates makes bundles fly. 🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The PR title '[platform] Add PackageSources for cozystack-operator' accurately describes the main change: adding multiple PackageSource manifests to the platform module.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing touches
  • 📝 Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Dec 25, 2025

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the Cozystack platform by implementing a new PackageSource mechanism. This change centralizes the definition and management of all platform components, from core infrastructure to various applications and operators. By introducing these declarative package sources, the PR aims to improve the modularity, maintainability, and automated deployment capabilities of the Cozystack system, ensuring that all components are correctly configured and their interdependencies are clearly defined.

Highlights

  • Standardized Package Definitions: Introduces PackageSource custom resources to uniformly define and manage various platform components and applications within the Cozystack ecosystem.
  • Extensive Component Integration: Adds over 50 new PackageSource definitions covering a wide range of functionalities, including storage (Linstor, SeaweedFS), databases (Postgres, MySQL, Redis, ClickHouse, FoundationDB, FerretDB), networking (Cilium, Kube-OVN, MetalLB, Multus), virtualization (KubeVirt, CAPI), monitoring (Prometheus, VictoriaMetrics, Grafana), security (Cert-Manager, Keycloak), and various application operators.
  • Declarative Dependency Management: Each PackageSource explicitly outlines its dependencies on other Cozystack packages, ensuring correct installation order and integration.
  • Automated Component Discovery: A new sources.yaml template is added to dynamically include all PackageSource definitions, simplifying their registration and management.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 25, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds a comprehensive set of PackageSource definitions for various cozystack-operator components. The changes are extensive and foundational for package management. My review focuses on ensuring consistency, maintainability, and correctness across these new configuration files. I've identified several areas with code duplication and inconsistent styling that could be improved. Specifically, there are opportunities to reduce redundancy in cozystack-engine.yaml and networking.yaml using YAML anchors, and to standardize formatting across all new source files. I've also pointed out a potentially redundant component definition and a commented-out template file that might need attention.

coderabbitai[bot]
coderabbitai bot reviewed Dec 25, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (5)
packages/core/platform/sources/virtualprivatecloud-application.yaml (1)

12-28: Minor: Indentation style differs from other PackageSource manifests.

This file uses 4-space indentation for lists under variants, while other manifests in this PR (e.g., keycloak.yaml, multus.yaml) use 2-space indentation. While both are valid YAML, consistent formatting across manifests improves maintainability.

🔎 Suggested formatting alignment 
   variants:
-    - name: kubevirt
-      dependsOn:
-        - cozystack.networking
-        - cozystack.multus
-      libraries:
-        - name: cozy-lib
-          path: library/cozy-lib
-      components:
-        - name: virtualprivatecloud
-          path: apps/vpc
-          libraries: [cozy-lib]
-        - name: virtualprivatecloud-rd
-          path: system/virtualprivatecloud-rd
-          install:
-            namespace: cozy-system
-            releaseName: virtualprivatecloud-rd
+  - name: kubevirt
+    dependsOn:
+    - cozystack.networking
+    - cozystack.multus
+    libraries:
+    - name: cozy-lib
+      path: library/cozy-lib
+    components:
+    - name: virtualprivatecloud
+      path: apps/vpc
+      libraries: [cozy-lib]
+    - name: virtualprivatecloud-rd
+      path: system/virtualprivatecloud-rd
+      install:
+        namespace: cozy-system
+        releaseName: virtualprivatecloud-rd
packages/core/platform/sources/grafana-operator.yaml (1)

14-15: Consider if cert-manager dependency is needed.

The victoria-metrics-operator manifest includes a dependency on cozystack.cert-manager (lines 14-16 in victoria-metrics-operator.yaml), which is typical for operators that use webhooks or TLS. If grafana-operator requires certificate management, consider adding this dependency.

#!/bin/bash
# Check if grafana-operator requires cert-manager

echo "=== Checking if other operators depend on cert-manager ==="
rg -n -A2 "kind: PackageSource" packages/core/platform/sources/*-operator.yaml | rg -B2 "cert-manager"

echo -e "\n=== Checking grafana-operator path for webhook or cert references ==="
echo "Note: This requires access to the actual component files in the OCI repository"
echo "Manual verification recommended: Check if system/grafana-operator uses webhooks/certificates"
packages/core/platform/sources/networking.yaml (1)

1-65: LGTM! Well-structured multi-variant networking package.

The manifest provides appropriate flexibility with three variants (noop, cilium, kubeovn-cilium) and correctly handles component dependencies and privileged installation for CNI components.

Consider removing explicit empty dependsOn: [] arrays (lines 16, 27, 37, 49) if the empty array is the default behavior for the PackageSource CRD schema. This would reduce verbosity without changing semantics.

🔎 Optional simplification 
  - name: cilium
-    dependsOn: []
    components:
    - name: cilium
      path: system/cilium
      valuesFiles:
      - values.yaml
      - values-talos.yaml
      install:
        privileged: true
        namespace: cozy-cilium
        releaseName: cilium
-        dependsOn: []

Apply similar changes to lines 37 and 49 in the kubeovn-cilium variant.

packages/core/platform/sources/etcd-application.yaml (1)

20-22: LGTM! Etcd component configured correctly.

The etcd component uses path extra/etcd rather than the apps/ prefix seen in other application manifests (kafka, foundationdb, tenant). This appears intentional and may reflect a categorization between core apps and extra/optional components.

For consistency, consider documenting the distinction between apps/, system/, and extra/ path prefixes in your PackageSource organization, or standardize on apps/ for all user-facing applications if the categorization is not semantically meaningful.

packages/core/platform/sources/cozystack-engine.yaml (1)

108-108: Consider omitting empty dependsOn array.

The empty dependsOn: [] array can be omitted entirely in YAML, simplifying the manifest.

🔎 Proposed refactor 
     - name: keycloak-configure
       path: system/keycloak-configure
       install:
         namespace: cozy-keycloak
         releaseName: keycloak-configure
-        dependsOn: []
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d7931fd and fe9fca6.

📒 Files selected for processing (72)
  • packages/core/platform/sources/backup-controller.yaml
  • packages/core/platform/sources/bootbox-application.yaml
  • packages/core/platform/sources/bootbox.yaml
  • packages/core/platform/sources/bucket-application.yaml
  • packages/core/platform/sources/capi-operator.yaml
  • packages/core/platform/sources/capi-providers-bootstrap.yaml
  • packages/core/platform/sources/capi-providers-core.yaml
  • packages/core/platform/sources/capi-providers-cpprovider.yaml
  • packages/core/platform/sources/capi-providers-infraprovider.yaml
  • packages/core/platform/sources/cert-manager.yaml
  • packages/core/platform/sources/clickhouse-application.yaml
  • packages/core/platform/sources/clickhouse-operator.yaml
  • packages/core/platform/sources/cozy-proxy.yaml
  • packages/core/platform/sources/cozystack-basics.yaml
  • packages/core/platform/sources/cozystack-engine.yaml
  • packages/core/platform/sources/etcd-application.yaml
  • packages/core/platform/sources/etcd-operator.yaml
  • packages/core/platform/sources/external-dns.yaml
  • packages/core/platform/sources/external-secrets-operator.yaml
  • packages/core/platform/sources/ferretdb-application.yaml
  • packages/core/platform/sources/foundationdb-application.yaml
  • packages/core/platform/sources/foundationdb-operator.yaml
  • packages/core/platform/sources/goldpinger.yaml
  • packages/core/platform/sources/gpu-operator.yaml
  • packages/core/platform/sources/grafana-operator.yaml
  • packages/core/platform/sources/hetzner-robotlb.yaml
  • packages/core/platform/sources/http-cache-application.yaml
  • packages/core/platform/sources/info-application.yaml
  • packages/core/platform/sources/ingress-application.yaml
  • packages/core/platform/sources/kafka-application.yaml
  • packages/core/platform/sources/kafka-operator.yaml
  • packages/core/platform/sources/kamaji.yaml
  • packages/core/platform/sources/keycloak-operator.yaml
  • packages/core/platform/sources/keycloak.yaml
  • packages/core/platform/sources/kubeovn-plunger.yaml
  • packages/core/platform/sources/kubeovn-webhook.yaml
  • packages/core/platform/sources/kubernetes-application.yaml
  • packages/core/platform/sources/kubevirt-cdi.yaml
  • packages/core/platform/sources/kubevirt.yaml
  • packages/core/platform/sources/linstor.yaml
  • packages/core/platform/sources/mariadb-operator.yaml
  • packages/core/platform/sources/metallb.yaml
  • packages/core/platform/sources/monitoring-agents.yaml
  • packages/core/platform/sources/monitoring-application.yaml
  • packages/core/platform/sources/multus.yaml
  • packages/core/platform/sources/mysql-application.yaml
  • packages/core/platform/sources/nats-application.yaml
  • packages/core/platform/sources/networking.yaml
  • packages/core/platform/sources/nfs-driver.yaml
  • packages/core/platform/sources/objectstorage-controller.yaml
  • packages/core/platform/sources/postgres-application.yaml
  • packages/core/platform/sources/postgres-operator.yaml
  • packages/core/platform/sources/prometheus-operator-crds.yaml
  • packages/core/platform/sources/rabbitmq-application.yaml
  • packages/core/platform/sources/rabbitmq-operator.yaml
  • packages/core/platform/sources/redis-application.yaml
  • packages/core/platform/sources/redis-operator.yaml
  • packages/core/platform/sources/reloader.yaml
  • packages/core/platform/sources/seaweedfs-application.yaml
  • packages/core/platform/sources/snapshot-controller.yaml
  • packages/core/platform/sources/tcp-balancer-application.yaml
  • packages/core/platform/sources/telepresence.yaml
  • packages/core/platform/sources/tenant-application.yaml
  • packages/core/platform/sources/velero.yaml
  • packages/core/platform/sources/vertical-pod-autoscaler.yaml
  • packages/core/platform/sources/victoria-metrics-operator.yaml
  • packages/core/platform/sources/virtual-machine-application.yaml
  • packages/core/platform/sources/virtualprivatecloud-application.yaml
  • packages/core/platform/sources/vm-disk-application.yaml
  • packages/core/platform/sources/vm-instance-application.yaml
  • packages/core/platform/sources/vpn-application.yaml
  • packages/core/platform/templates/sources.yaml
🧰 Additional context used
📓 Path-based instructions (2)
packages/core/**

📄 CodeRabbit inference engine (AGENTS.md)

Use Helm Chart umbrella pattern with vendored upstream charts in charts/ directory

Files:

  • packages/core/platform/sources/cozy-proxy.yaml
  • packages/core/platform/sources/http-cache-application.yaml
  • packages/core/platform/sources/virtual-machine-application.yaml
  • packages/core/platform/sources/kafka-application.yaml
  • packages/core/platform/sources/bootbox.yaml
  • packages/core/platform/sources/etcd-operator.yaml
  • packages/core/platform/sources/objectstorage-controller.yaml
  • packages/core/platform/sources/capi-providers-core.yaml
  • packages/core/platform/sources/foundationdb-application.yaml
  • packages/core/platform/sources/snapshot-controller.yaml
  • packages/core/platform/sources/ingress-application.yaml
  • packages/core/platform/sources/foundationdb-operator.yaml
  • packages/core/platform/sources/kubevirt-cdi.yaml
  • packages/core/platform/sources/keycloak.yaml
  • packages/core/platform/sources/cert-manager.yaml
  • packages/core/platform/sources/linstor.yaml
  • packages/core/platform/sources/victoria-metrics-operator.yaml
  • packages/core/platform/sources/redis-operator.yaml
  • packages/core/platform/sources/telepresence.yaml
  • packages/core/platform/sources/monitoring-agents.yaml
  • packages/core/platform/sources/tenant-application.yaml
  • packages/core/platform/sources/kamaji.yaml
  • packages/core/platform/sources/prometheus-operator-crds.yaml
  • packages/core/platform/sources/monitoring-application.yaml
  • packages/core/platform/templates/sources.yaml
  • packages/core/platform/sources/rabbitmq-operator.yaml
  • packages/core/platform/sources/vpn-application.yaml
  • packages/core/platform/sources/redis-application.yaml
  • packages/core/platform/sources/multus.yaml
  • packages/core/platform/sources/nats-application.yaml
  • packages/core/platform/sources/ferretdb-application.yaml
  • packages/core/platform/sources/grafana-operator.yaml
  • packages/core/platform/sources/cozystack-basics.yaml
  • packages/core/platform/sources/cozystack-engine.yaml
  • packages/core/platform/sources/tcp-balancer-application.yaml
  • packages/core/platform/sources/mariadb-operator.yaml
  • packages/core/platform/sources/hetzner-robotlb.yaml
  • packages/core/platform/sources/kubevirt.yaml
  • packages/core/platform/sources/capi-providers-infraprovider.yaml
  • packages/core/platform/sources/info-application.yaml
  • packages/core/platform/sources/velero.yaml
  • packages/core/platform/sources/external-dns.yaml
  • packages/core/platform/sources/virtualprivatecloud-application.yaml
  • packages/core/platform/sources/kubeovn-webhook.yaml
  • packages/core/platform/sources/vm-instance-application.yaml
  • packages/core/platform/sources/postgres-application.yaml
  • packages/core/platform/sources/capi-providers-cpprovider.yaml
  • packages/core/platform/sources/etcd-application.yaml
  • packages/core/platform/sources/capi-operator.yaml
  • packages/core/platform/sources/kubernetes-application.yaml
  • packages/core/platform/sources/external-secrets-operator.yaml
  • packages/core/platform/sources/rabbitmq-application.yaml
  • packages/core/platform/sources/gpu-operator.yaml
  • packages/core/platform/sources/reloader.yaml
  • packages/core/platform/sources/backup-controller.yaml
  • packages/core/platform/sources/postgres-operator.yaml
  • packages/core/platform/sources/bootbox-application.yaml
  • packages/core/platform/sources/bucket-application.yaml
  • packages/core/platform/sources/networking.yaml
  • packages/core/platform/sources/goldpinger.yaml
  • packages/core/platform/sources/mysql-application.yaml
  • packages/core/platform/sources/clickhouse-application.yaml
  • packages/core/platform/sources/capi-providers-bootstrap.yaml
  • packages/core/platform/sources/kafka-operator.yaml
  • packages/core/platform/sources/vm-disk-application.yaml
  • packages/core/platform/sources/nfs-driver.yaml
  • packages/core/platform/sources/seaweedfs-application.yaml
  • packages/core/platform/sources/clickhouse-operator.yaml
  • packages/core/platform/sources/kubeovn-plunger.yaml
  • packages/core/platform/sources/metallb.yaml
  • packages/core/platform/sources/vertical-pod-autoscaler.yaml
  • packages/core/platform/sources/keycloak-operator.yaml
**/*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Do NOT directly edit upstream Helm charts in vendored charts directory; use proper chart vendoring mechanisms

Files:

  • packages/core/platform/sources/cozy-proxy.yaml
  • packages/core/platform/sources/http-cache-application.yaml
  • packages/core/platform/sources/virtual-machine-application.yaml
  • packages/core/platform/sources/kafka-application.yaml
  • packages/core/platform/sources/bootbox.yaml
  • packages/core/platform/sources/etcd-operator.yaml
  • packages/core/platform/sources/objectstorage-controller.yaml
  • packages/core/platform/sources/capi-providers-core.yaml
  • packages/core/platform/sources/foundationdb-application.yaml
  • packages/core/platform/sources/snapshot-controller.yaml
  • packages/core/platform/sources/ingress-application.yaml
  • packages/core/platform/sources/foundationdb-operator.yaml
  • packages/core/platform/sources/kubevirt-cdi.yaml
  • packages/core/platform/sources/keycloak.yaml
  • packages/core/platform/sources/cert-manager.yaml
  • packages/core/platform/sources/linstor.yaml
  • packages/core/platform/sources/victoria-metrics-operator.yaml
  • packages/core/platform/sources/redis-operator.yaml
  • packages/core/platform/sources/telepresence.yaml
  • packages/core/platform/sources/monitoring-agents.yaml
  • packages/core/platform/sources/tenant-application.yaml
  • packages/core/platform/sources/kamaji.yaml
  • packages/core/platform/sources/prometheus-operator-crds.yaml
  • packages/core/platform/sources/monitoring-application.yaml
  • packages/core/platform/templates/sources.yaml
  • packages/core/platform/sources/rabbitmq-operator.yaml
  • packages/core/platform/sources/vpn-application.yaml
  • packages/core/platform/sources/redis-application.yaml
  • packages/core/platform/sources/multus.yaml
  • packages/core/platform/sources/nats-application.yaml
  • packages/core/platform/sources/ferretdb-application.yaml
  • packages/core/platform/sources/grafana-operator.yaml
  • packages/core/platform/sources/cozystack-basics.yaml
  • packages/core/platform/sources/cozystack-engine.yaml
  • packages/core/platform/sources/tcp-balancer-application.yaml
  • packages/core/platform/sources/mariadb-operator.yaml
  • packages/core/platform/sources/hetzner-robotlb.yaml
  • packages/core/platform/sources/kubevirt.yaml
  • packages/core/platform/sources/capi-providers-infraprovider.yaml
  • packages/core/platform/sources/info-application.yaml
  • packages/core/platform/sources/velero.yaml
  • packages/core/platform/sources/external-dns.yaml
  • packages/core/platform/sources/virtualprivatecloud-application.yaml
  • packages/core/platform/sources/kubeovn-webhook.yaml
  • packages/core/platform/sources/vm-instance-application.yaml
  • packages/core/platform/sources/postgres-application.yaml
  • packages/core/platform/sources/capi-providers-cpprovider.yaml
  • packages/core/platform/sources/etcd-application.yaml
  • packages/core/platform/sources/capi-operator.yaml
  • packages/core/platform/sources/kubernetes-application.yaml
  • packages/core/platform/sources/external-secrets-operator.yaml
  • packages/core/platform/sources/rabbitmq-application.yaml
  • packages/core/platform/sources/gpu-operator.yaml
  • packages/core/platform/sources/reloader.yaml
  • packages/core/platform/sources/backup-controller.yaml
  • packages/core/platform/sources/postgres-operator.yaml
  • packages/core/platform/sources/bootbox-application.yaml
  • packages/core/platform/sources/bucket-application.yaml
  • packages/core/platform/sources/networking.yaml
  • packages/core/platform/sources/goldpinger.yaml
  • packages/core/platform/sources/mysql-application.yaml
  • packages/core/platform/sources/clickhouse-application.yaml
  • packages/core/platform/sources/capi-providers-bootstrap.yaml
  • packages/core/platform/sources/kafka-operator.yaml
  • packages/core/platform/sources/vm-disk-application.yaml
  • packages/core/platform/sources/nfs-driver.yaml
  • packages/core/platform/sources/seaweedfs-application.yaml
  • packages/core/platform/sources/clickhouse-operator.yaml
  • packages/core/platform/sources/kubeovn-plunger.yaml
  • packages/core/platform/sources/metallb.yaml
  • packages/core/platform/sources/vertical-pod-autoscaler.yaml
  • packages/core/platform/sources/keycloak-operator.yaml
🧠 Learnings (3)
📚 Learning: 2025-07-11T06:11:25.438Z 
Learnt from: lllamnyp
Repo: cozystack/cozystack PR: 1130
File: hack/e2e-apps/kubernetes.bats:101-101
Timestamp: 2025-07-11T06:11:25.438Z
Learning: In cozystack, the plural form for the Kubernetes custom resource is `kuberneteses.apps.cozystack.io`, not `kubernetes.apps.cozystack.io`. This is defined in the API schema even though it's not grammatically perfect.

Applied to files:

  • packages/core/platform/sources/cozystack-basics.yaml
📚 Learning: 2025-07-23T09:15:09.658Z 
Learnt from: lllamnyp
Repo: cozystack/cozystack PR: 1233
File: packages/system/hetzner-robotlb/charts/robotlb/templates/deployment.yaml:33-35
Timestamp: 2025-07-23T09:15:09.658Z
Learning: The `./charts/robotlb/` directory in the hetzner-robotlb package contains vendored code, and the team generally avoids modifying vendored code to maintain clean separation from upstream dependencies.

Applied to files:

  • packages/core/platform/sources/hetzner-robotlb.yaml
📚 Learning: 2025-11-28T21:26:10.771Z 
Learnt from: kvaps
Repo: cozystack/cozystack PR: 1671
File: packages/apps/postgres/files/versions.yaml:1-6
Timestamp: 2025-11-28T21:26:10.771Z
Learning: In packages/apps/postgres/files/versions.yaml, the version mappings are sourced from the CloudNativePG container registry (ghcr.io/cloudnative-pg/postgresql), not from PostgreSQL project releases. The versions should reflect what's actually published in the CloudNativePG registry, which is automatically fetched by the hack/update-versions.sh script.

Applied to files:

  • packages/core/platform/sources/postgres-application.yaml
  • packages/core/platform/sources/postgres-operator.yaml
🪛 YAMLlint (1.37.1)
packages/core/platform/templates/sources.yaml

[error] 2-2: syntax error: expected ',' or '}', but got '{'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build
🔇 Additional comments (65)
packages/core/platform/sources/kafka-operator.yaml (1)

1-22: LGTM! Kafka operator manifest follows the standard pattern.

The manifest is properly structured with appropriate dependencies on networking and Prometheus operator CRDs for metrics integration.

packages/core/platform/sources/kamaji.yaml (1)

1-21: LGTM! Kamaji manifest follows the standard pattern.

The manifest is properly structured for the Kamaji control plane manager with appropriate networking dependency.

packages/core/platform/sources/clickhouse-operator.yaml (1)

1-22: LGTM! ClickHouse operator manifest follows the standard pattern.

The manifest is properly structured with appropriate dependencies on networking and Prometheus operator CRDs for observability integration.

packages/core/platform/sources/redis-operator.yaml (1)

1-21: Manual verification is required. The original review approves the code but does not address the mandatory coding guidelines requiring files in packages/core/** to follow a Helm Chart umbrella pattern with vendored upstream charts. Before approval, verify: (1) that cozystack.networking dependency exists, (2) that system/redis-operator path is valid, and (3) that this manifest complies with the Helm Chart umbrella pattern requirement.

packages/core/platform/sources/keycloak.yaml (1)

1-22: LGTM!

The PackageSource manifest is well-structured. The dependencies on cozystack.networking and cozystack.postgres-operator are appropriate for Keycloak, which requires database connectivity. The naming conventions and install configuration follow the established patterns.

packages/core/platform/sources/snapshot-controller.yaml (1)

14-16: Verify if cert-manager dependency is required for snapshot-controller.

Snapshot controllers typically manage CSI volume snapshots and don't usually require cert-manager directly. If the snapshot-controller implementation uses admission webhooks with TLS certificates managed by cert-manager, this dependency is appropriate. Otherwise, consider if this dependency is necessary.

packages/core/platform/sources/cozy-proxy.yaml (1)

19-21: Verify: releaseName differs from component name.

The component is named cozy-proxy but releaseName is set to cozystack. Other PackageSource manifests in this PR use matching names (e.g., keycloak/keycloak, reloader/reloader). If this is intentional for the core proxy component, please disregard; otherwise, consider aligning the releaseName with the component name.

packages/core/platform/sources/keycloak-operator.yaml (1)

1-22: LGTM!

The manifest correctly establishes the dependency chain with cozystack.keycloak and appropriately places both the operator and Keycloak instance in the same cozy-keycloak namespace.

packages/core/platform/sources/bootbox.yaml (1)

1-23: LGTM!

The manifest correctly establishes the dependency on cozystack.bootbox-application for staged installation. The privileged: true flag is appropriate for bootbox, which typically requires elevated host access for network boot services.

packages/core/platform/sources/reloader.yaml (1)

1-21: LGTM!

The manifest is well-structured with appropriate minimal dependencies for the reloader component.

packages/core/platform/sources/multus.yaml (1)

1-22: LGTM!

The manifest is correctly structured. The privileged: true flag is appropriate for Multus, which operates as a CNI meta-plugin requiring host network access.

packages/core/platform/sources/virtualprivatecloud-application.yaml (1)

20-23: Verify: virtualprivatecloud component lacks an install configuration.

The virtualprivatecloud component (lines 21-23) references a library but has no install block, while virtualprivatecloud-rd does. If virtualprivatecloud is intended as an application template that users instantiate on demand (rather than a pre-installed component), this is appropriate. Otherwise, consider adding the install configuration.

packages/core/platform/sources/kubeovn-plunger.yaml (1)

1-23: LGTM!

The PackageSource manifest follows the established pattern with appropriate dependencies for a KubeOVN component. The namespace cozy-kubeovn and component path system/kubeovn-plunger are consistent with the naming conventions used across the PR.

packages/core/platform/sources/tcp-balancer-application.yaml (1)

1-27: LGTM!

The manifest correctly declares the cozy-lib library and appropriately references it in the tcp-balancer component. The separation of the application component (tcp-balancer) from the resource definition component (tcp-balancer-rd) follows a sensible pattern.

packages/core/platform/templates/sources.yaml (1)

1-6: Template is entirely commented out and will produce no output.

The entire Helm template logic is wrapped in {{/* ... */}} comment markers, which means no PackageSource manifests will be rendered. If this is intentional (e.g., a placeholder for future use), consider adding a brief comment explaining why. If the template should be active, remove the comment markers:

Proposed fix if the template should be active 
-{{/*
 {{- range $path, $_ := .Files.Glob "sources/*.yaml" }}
 ---
 {{ $.Files.Get $path }}
 {{- end }}
-*/}}

Note: The YAMLlint syntax error is a false positive—static analyzers often misinterpret Helm templating syntax.

packages/core/platform/sources/postgres-operator.yaml (1)

1-23: LGTM!

The dependencies on cozystack.networking, cozystack.prometheus-operator-crds, and cozystack.cert-manager are appropriate for a database operator that requires networking, metrics integration, and TLS certificate management.

packages/core/platform/sources/mariadb-operator.yaml (1)

1-23: LGTM!

The manifest structure and dependencies mirror postgres-operator.yaml, which is consistent for database operators requiring similar infrastructure components.

packages/core/platform/sources/capi-providers-core.yaml (1)

1-23: LGTM!

The privileged: true flag is appropriate for CAPI providers that require elevated permissions to manage cluster infrastructure. The dependency chain (capi-operatorcapi-providers-core) correctly reflects the installation order.

packages/core/platform/sources/seaweedfs-application.yaml (1)

1-29: LGTM!

The manifest correctly structures three components with appropriate separation: seaweedfs-system for system-level configuration, seaweedfs as the user-facing application with library support, and seaweedfs-rd for resource definitions installed in cozy-system.

packages/core/platform/sources/vm-disk-application.yaml (1)

1-28: LGTM!

The use of the kubevirt variant name (instead of default) appropriately indicates that this PackageSource is specifically designed for KubeVirt environments. The dependency on cozystack.kubevirt-cdi correctly ensures CDI (Containerized Data Importer) is available for VM disk operations.

packages/core/platform/sources/rabbitmq-application.yaml (1)

1-28: LGTM! Follows best practices for application PackageSource.

The manifest correctly declares dependencies on both networking and the rabbitmq-operator, includes the shared cozy-lib library, and properly configures the installation namespace for the system component.

packages/core/platform/sources/victoria-metrics-operator.yaml (1)

1-22: LGTM! Operator manifest follows correct pattern.

The operator PackageSource correctly omits library dependencies and includes cert-manager as a dependency, which is appropriate for operator installations that typically require TLS/webhook configurations.

packages/core/platform/sources/bucket-application.yaml (1)

1-30: LGTM! Application manifest properly structured.

The manifest correctly declares dependencies on networking and the objectstorage-controller, includes the shared cozy-lib library, and follows the established pattern for application PackageSources with multiple components.

packages/core/platform/sources/capi-providers-infraprovider.yaml (1)

1-24: LGTM! Infrastructure provider manifest appropriately configured.

The use of a kubevirt-specific variant name and the privileged installation flag are appropriate for a CAPI infrastructure provider that requires elevated permissions and KubeVirt integration.

packages/core/platform/sources/vpn-application.yaml (1)

14-15: No action required. The cozystack.vpn-operator does not exist in the repository. The vpn-application dependency pattern (only cozystack.networking) is consistent with nats-application and is correct. Unlike rabbitmq-application (which includes an operator dependency), vpn and nats applications are designed without separate operator packages.

packages/core/platform/sources/bootbox-application.yaml (1)

20-27: Verify intentional install configuration for bootbox-system.

The manifest has one notable difference from comparable application manifests:

  • bootbox-system has explicit install configuration (lines 20-24), while comparable components like bucket-system and nats-system in other files don't have install blocks.

The use of extra/bootbox path (line 26) is not unusual; five other applications also use the extra/ prefix (seaweedfs, monitoring, ingress, info, etcd), so this is a valid alternative pattern alongside apps/.

Confirm whether the install block on bootbox-system is intentional and necessary.

packages/core/platform/sources/nats-application.yaml (1)

14-15: The assumption about nats-operator is unfounded. A cozystack.nats-operator PackageSource does not exist in the repository, and the architectural pattern varies across applications. For example, postgres-application.yaml contains only the cozystack.networking dependency despite a postgres-operator.yaml file existing separately. The current dependency configuration in nats-application.yaml is consistent with this pattern and does not require modification.

Likely an incorrect or invalid review comment.

packages/core/platform/sources/gpu-operator.yaml (1)

1-25: LGTM!

The PackageSource manifest is well-structured. The privileged flag is appropriate for GPU operator operations requiring hardware access, and the namespace naming follows the established cozy-<component> convention.

packages/core/platform/sources/cert-manager.yaml (1)

1-35: LGTM!

The dependency chain is correctly structured: CRDs are installed first, followed by the core cert-manager, and finally the issuers. This ensures proper installation order for cert-manager components.

packages/core/platform/sources/ferretdb-application.yaml (1)

1-27: LGTM!

The manifest follows the application pattern where the main component references the shared cozy-lib library, and the resource definition component (ferretdb-rd) contains the installation configuration. This structure is consistent with other application manifests in the PR.

packages/core/platform/sources/nfs-driver.yaml (1)

1-22: LGTM!

The PackageSource manifest is well-structured. The privileged flag is appropriate for NFS driver operations requiring filesystem and storage access, and the naming conventions are consistent with other manifests.

packages/core/platform/sources/capi-providers-bootstrap.yaml (1)

1-23: LGTM!

The manifest is well-structured with appropriate dependencies on cozystack.networking and cozystack.capi-operator. The kubevirt variant aligns with the CAPI provider configuration, and the shared namespace cozy-cluster-api is consistent with the CAPI architecture.

packages/core/platform/sources/capi-providers-cpprovider.yaml (1)

1-24: LGTM!

The manifest correctly defines the control plane provider with the kamaji variant. The dependencies properly include cozystack.kamaji in addition to the CAPI operator and networking, which is appropriate for a Kamaji-based control plane provider.

packages/core/platform/sources/kubernetes-application.yaml (1)

24-68: No action needed. Components without install configurations are intentional. Most components in this file are library dependencies, operators, and CRD definitions that don't require individual install blocks—only kubernetes-rd needs explicit installation configuration. This follows the Helm Chart umbrella pattern with vendored upstream charts referenced by their path field.

packages/core/platform/sources/telepresence.yaml (1)

17-21: The releaseName: traffic-manager is correct. This is the conventional upstream Helm chart name for Telepresence and aligns with established patterns in the codebase (e.g., linstor component uses the Piraeus operator release name). No action needed.

packages/core/platform/sources/virtual-machine-application.yaml (1)

1-29: LGTM! Well-structured PackageSource manifest.

The manifest correctly defines a kubevirt-based virtual machine application with appropriate dependencies on networking and kubevirt components. The library and component structure follows the established patterns.

packages/core/platform/sources/cozystack-basics.yaml (1)

6-21: Manifest structure looks correct.

The spec configuration, variant definition, and component installation settings are properly structured and follow the established patterns.

packages/core/platform/sources/mysql-application.yaml (1)

1-28: LGTM! Well-configured MySQL application PackageSource.

The manifest correctly defines a MySQL application with appropriate dependencies on networking and mariadb-operator. The library reference and component structure follow the established patterns.

packages/core/platform/sources/vm-instance-application.yaml (1)

1-28: LGTM! VM instance application PackageSource is correctly structured.

The manifest properly defines a kubevirt-based VM instance application. Note that this depends only on cozystack.kubevirt (without cozystack.kubevirt-cdi), which differs from the virtual-machine-application that includes both dependencies. This appears intentional based on different feature requirements.

packages/core/platform/sources/kubevirt.yaml (1)

1-38: LGTM! Well-architected multi-component KubeVirt PackageSource.

The manifest correctly defines a layered component structure with:

  • kubevirt-operator as the foundation
  • kubevirt (privileged) depending on the operator
  • kubevirt-instancetypes depending on both operator and core kubevirt

The inter-component dependencies and privileged flag for the core kubevirt component are appropriate for virtualization infrastructure.

packages/core/platform/sources/info-application.yaml (1)

1-27: LGTM! Info application PackageSource is correctly structured.

The manifest follows the established patterns. Note that the info component uses the extra/info path rather than apps/*, which appears intentional to distinguish it as an extra/optional component.

packages/core/platform/sources/etcd-operator.yaml (1)

1-22: LGTM! Etcd operator PackageSource is properly configured.

The manifest correctly defines the etcd-operator with appropriate dependencies on networking and cert-manager. The dedicated namespace cozy-etcd-operator follows the naming convention for operator deployments.

packages/core/platform/sources/backup-controller.yaml (1)

1-22: LGTM! Backup controller PackageSource is properly configured.

The manifest correctly defines the backup-controller with the privileged: true flag, which is appropriate for a backup controller that needs elevated permissions to access cluster resources. The dedicated namespace cozy-backup-controller follows the naming convention.

packages/core/platform/sources/foundationdb-application.yaml (1)

1-28: LGTM! Clean PackageSource manifest.

The manifest follows the standard CozyStack PackageSource pattern with appropriate dependency ordering (networking → foundationdb-operator → foundationdb-application) and clear component separation between the application (apps/foundationdb) and resource definitions (system/foundationdb-rd).

packages/core/platform/sources/objectstorage-controller.yaml (1)

1-21: LGTM! Standard controller PackageSource.

The manifest correctly defines the objectstorage-controller with networking dependency and dedicated namespace isolation.

packages/core/platform/sources/tenant-application.yaml (1)

1-32: LGTM! Comprehensive tenant application package.

The tenant application correctly declares dependencies on all required infrastructure components (networking, ingress, seaweedfs, info, monitoring, etcd) with appropriate component definitions.

packages/core/platform/sources/foundationdb-operator.yaml (1)

1-22: LGTM! Proper operator dependency chain.

The operator correctly depends on cert-manager (likely for admission webhooks) and networking, with appropriate namespace isolation.

packages/core/platform/sources/kafka-application.yaml (1)

1-28: LGTM! Standard Kafka application package.

The manifest follows the established pattern with correct operator dependency and component structure.

packages/core/platform/sources/vertical-pod-autoscaler.yaml (1)

23-32: The configuration is intentional and properly designed. Both vpa-for-vpa and vertical-pod-autoscaler reference the same chart path because they serve different deployment roles from that chart:

  • vpa-for-vpa (without install block): References the chart and uses its built-in vpa-for-vpa.yaml template, which conditionally creates a separate VPA instance (via its own HelmRelease) with modified configuration (admission controller disabled, recommender-name override) for monitoring the main VPA deployment itself.
  • vertical-pod-autoscaler (with install block): The primary VPA instance deployed through the PackageSource install mechanism.

This follows the Helm Chart umbrella pattern correctly, where a single chart contains multiple template-based deployments that can be controlled and configured independently. The absence of an install block for vpa-for-vpa is correct—it's generated by the chart's conditional templates rather than the PackageSource install mechanism.

Likely an incorrect or invalid review comment.

packages/core/platform/sources/external-secrets-operator.yaml (1)

1-21: LGTM! Clean PackageSource definition.

The manifest follows a consistent structure with appropriate dependencies, namespace isolation, and clear component paths.

packages/core/platform/sources/hetzner-robotlb.yaml (1)

1-21: LGTM! Consistent PackageSource definition.

The manifest is well-structured with proper dependencies and namespace isolation. The shorter releaseName "robotlb" compared to the component name is a reasonable choice for brevity.

packages/core/platform/sources/metallb.yaml (1)

20-20: Verify the privileged flag is required.

MetalLB typically needs elevated privileges for network operations (IP assignment, ARP/NDP), so this flag is likely necessary. Please confirm that the metallb component requires privileged access for its operations.

packages/core/platform/sources/cozystack-engine.yaml (1)

1-107: LGTM! Well-structured component orchestration.

The two variants (default and oidc) with their dependency chains ensure proper component startup sequencing. The use of a shared cozy-lib library and explicit inter-component dependencies is a robust approach.

packages/core/platform/sources/clickhouse-application.yaml (1)

1-27: LGTM! Clean application-level PackageSource.

The manifest properly declares library dependencies and separates the application component (clickhouse) from the resource definition component (clickhouse-rd). The dependency on cozystack.clickhouse-operator ensures the operator is available before application deployment.

packages/core/platform/sources/linstor.yaml (1)

1-33: LGTM! Well-structured storage component definition.

The manifest properly establishes a dependency chain with piraeus-operator installed before linstor, and includes comprehensive prerequisites (networking, cert-manager, metrics, reloader, snapshot-controller).

Please confirm that the linstor component requires privileged access for storage operations (line 29). LINSTOR typically needs elevated privileges for disk management and DRBD operations.

packages/core/platform/sources/external-dns.yaml (1)

1-21: LGTM! Clean and consistent PackageSource definition.

The manifest follows established patterns with appropriate dependencies and namespace isolation.

packages/core/platform/sources/ingress-application.yaml (1)

1-29: LGTM! Appropriate mix of component types.

The manifest correctly differentiates between system components (ingress-system, ingress) and resource definitions (ingress-rd). The absence of install sections for ingress-system and ingress components suggests they may be deployed differently or are optional extras, while ingress-rd as a resource definition requires explicit installation configuration.

packages/core/platform/sources/monitoring-agents.yaml (1)

1-24: LGTM!

The PackageSource manifest is well-structured. The dependencies on cozystack.victoria-metrics-operator and cozystack.vertical-pod-autoscaler are appropriate for monitoring agents, and the privileged: true flag is correctly set for components that require host-level access for metrics collection.

packages/core/platform/sources/kubevirt-cdi.yaml (1)

1-28: LGTM!

The manifest correctly defines the component-level dependency chain where kubevirt-cdi depends on kubevirt-cdi-operator, ensuring proper installation order. Both components correctly target the same namespace cozy-kubevirt-cdi.

packages/core/platform/sources/http-cache-application.yaml (1)

1-27: LGTM!

The manifest follows the correct application pattern: http-cache is a user-deployable component (no install block) that uses the cozy-lib library, while http-cache-rd is a system component with explicit install configuration. The structure is consistent with other application PackageSource definitions in the PR.

packages/core/platform/sources/kubeovn-webhook.yaml (1)

1-22: LGTM!

The dependency on cozystack.cert-manager is appropriate since webhooks require TLS certificates. The privileged: true flag is correctly set for a networking-related webhook component.

packages/core/platform/sources/postgres-application.yaml (1)

1-27: LGTM!

The manifest correctly follows the application pattern with postgres as a user-deployable component using the cozy-lib library, and postgres-rd as the system resource definition component. The structure aligns with the pattern used across other application PackageSource definitions.

packages/core/platform/sources/rabbitmq-operator.yaml (1)

1-21: LGTM!

The manifest correctly defines the RabbitMQ operator PackageSource with appropriate namespace isolation in cozy-rabbitmq-operator. The structure follows the operator pattern used consistently across other operator PackageSource definitions in the PR.

packages/core/platform/sources/monitoring-application.yaml (1)

1-27: LGTM!

The manifest follows the application pattern correctly. The monitoring component is located at extra/monitoring (rather than apps/), which appears to be intentional categorization for extra/optional packages. The monitoring-rd component correctly installs to cozy-system.

packages/core/platform/sources/prometheus-operator-crds.yaml (1)

1-20: LGTM!

The manifest correctly defines the Prometheus Operator CRDs package. Installing to cozy-victoria-metrics-operator namespace is appropriate since Victoria Metrics Operator uses these CRDs for compatibility. The explicit dependsOn: [] clearly indicates no dependencies, though it could be omitted entirely for consistency with other no-dependency manifests.

packages/core/platform/sources/capi-operator.yaml
Comment on lines +19 to +22
install:
privileged: true
namespace: cozy-cluster-api
releaseName: capi-operator
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's see the full file to understand its context
cat -n packages/core/platform/sources/capi-operator.yaml

Repository: cozystack/cozystack

Length of output: 685

🏁 Script executed:

# Check the directory structure to understand the Helm chart pattern
ls -la packages/core/platform/

Repository: cozystack/cozystack

Length of output: 582

🏁 Script executed:

# Search for other Helm chart references and vendored charts
fd -t d charts packages/core/

Repository: cozystack/cozystack

Length of output: 45

🌐 Web query:

Cluster API operator Kubernetes privileged access requirements

💡 Result:

Short answer

  • The Cluster API Operator and CAPI controllers require cluster-scoped privileges (ClusterRoles / ClusterRoleBindings) to manage Cluster/Machine/Provider CRs, Secrets, ConfigMaps, Pods, Nodes, Events, Leases, CSRs, ServiceAccounts, Role/RoleBindings, etc. — i.e., wide RBAC over cluster-scoped and namespaced resources so the controllers can create/watch/update/delete clusters and machines. [1][2]
  • They do NOT normally require container "privileged: true" / host-level privileged mode. Running the operator/controllers in privileged containers is not a standard CAPI requirement; kernel-level privileged access is only needed for components that manipulate host devices or the network stack (CSI drivers, some CNI/host tooling). If you see privileged=true in a provider/operand image that’s a provider-specific requirement, not a CAPI core requirement. See Kubernetes docs on privileged containers for implications. [3]

What to check / action items

  1. Inspect the actual ClusterRole/ClusterRoleBinding applied by your operator installation (the bundled cluster-api-components/clusterrole YAML in the release) and scope to least privilege where possible. The official manifests are published with each CAPI release. [2][1]
  2. Review any infrastructure provider (AWS/Azure/vSphere/… ) provider manifests — providers commonly need additional cloud credentials and provider-specific RBAC/Secrets, but still normally do not require privileged containers. [4]
  3. Enforce Pod Security Admission / admission policies to block privileged containers unless explicitly needed; prefer granting specific Linux capabilities instead of privileged mode. [3]

References

  • Cluster API Operator project & docs. [1]
  • Cluster API release artifacts (component manifests / clusterrole in release assets). [2]
  • Kubernetes privileged container / securityContext documentation. [3]
  • Example: Cluster API provider repos (e.g., CAPA) for provider-specific RBAC and credential requirements. [4]

🏁 Script executed:

# Check how other operators/components are configured with install settings
rg -A 3 "install:" packages/core/platform/sources/ -t yaml

Repository: cozystack/cozystack

Length of output: 26777

🏁 Script executed:

# Look for CozySstack documentation or schema definitions
fd -t f "values.yaml\|schema\|README" packages/core/

Repository: cozystack/cozystack

Length of output: 45

🌐 Web query:

CozySstack PackageSource privileged install configuration

💡 Result:

Do you mean Cozystack (cozystack) or cozy-stack (Cozy Home / cozy.io)? Also clarify what you mean by "PackageSource privileged install configuration" — are you asking about a Kubernetes PackageSource CRD, the Cozystack ConfigMap option, or OS package repo (apt/PackageSource) needing privileged installation?

Remove the unnecessary privileged: true flag from the CAPI operator installation.

The Cluster API Operator requires only cluster-scoped RBAC permissions, not container-level privileged mode. This flag grants unnecessary host-level access and violates the principle of least privilege. Verify your deployment works without it and remove this setting to improve security posture.

🤖 Prompt for AI Agents 
In packages/core/platform/sources/capi-operator.yaml around lines 19 to 22,
remove the unnecessary privileged: true field from the install block so the CAPI
operator is not deployed with container-level privileged mode; update the
manifest to omit that key (or set it to false) and then redeploy/verify the
operator functions with only cluster-scoped RBAC permissions and no privileged
container to ensure no regressions.

@lllamnyp lllamnyp self-assigned this Dec 29, 2025
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Dec 30, 2025
@kvaps kvaps merged commit a902eae into main Dec 30, 2025
28 checks passed
@kvaps kvaps deleted the package-sources branch December 30, 2025 10:56
kvaps added a commit that referenced this pull request Jan 8, 2026
@kvaps
[platform] Add PackageSources for cozystack-operator (#1760)
e9d6f9a 
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


![dependencies](https://github.com/user-attachments/assets/b3cfac33-6543-4f73-85c5-1d21c35f8eab)

### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[platform] Add PackageSources for cozystack-operator 
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added support for 76 new package sources, including operators,
applications, and system components for the CozyStack platform ecosystem
(e.g., backup controller, database operators, monitoring tools,
networking, storage, and virtualization packages).
* Introduced a template aggregation mechanism to manage package source
definitions.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@kvaps kvaps mentioned this pull request Jan 16, 2026
Merged
kvaps added a commit that referenced this pull request Jan 16, 2026
@kvaps
[docs] Update changelog for v1.0.0-alpha.1: add cozystack-operator an…
f6b2b16 
…d backup system (#1867)

## What this PR does

Update changelog for v1.0.0-alpha.1 to include missing features:
- **Cozystack Operator**: New operator for Package and PackageSource
management (#1740, #1741, #1755, #1756, #1760, #1761)
- **Backup System**: Comprehensive backup functionality with Velero
integration (#1640, #1685, #1687, #1708, #1719, #1720, #1737, #1762)
- Add @androndo to contributors
- Update Full Changelog link to v0.38.0...v1.0.0-alpha.1

### Release note

```release-note
[docs] Update changelog for v1.0.0-alpha.1: add cozystack-operator and backup system
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@lllamnyp lllamnyp lllamnyp approved these changes

@nbykov0 nbykov0 Awaiting requested review from nbykov0 nbykov0 is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@lllamnyp lllamnyp

Labels

enhancement New feature or request lgtm This PR has been approved by a maintainer size:XL This PR changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kvaps @lllamnyp