Name                             Modified    Size
README.md                        2026-02-26  41.3 kB
v1.0.0 source code.tar.gz        2026-02-26  5.2 MB
v1.0.0 source code.zip           2026-02-26  7.0 MB
cozypkg-checksums.txt            2026-02-26  564 Bytes
cozypkg-windows-arm64.tar.gz     2026-02-26  17.2 MB
cozypkg-darwin-amd64.tar.gz      2026-02-26  20.0 MB
cozypkg-darwin-arm64.tar.gz      2026-02-26  18.6 MB
cozypkg-linux-amd64.tar.gz       2026-02-26  19.0 MB
cozypkg-linux-arm64.tar.gz       2026-02-26  17.2 MB
cozypkg-windows-amd64.tar.gz     2026-02-26  19.1 MB
initramfs-metal-amd64.xz         2026-02-26  146.1 MB
kernel-amd64                     2026-02-26  21.9 MB
nocloud-amd64.raw.xz             2026-02-26  333.6 MB
metal-amd64.raw.xz               2026-02-26  333.6 MB
metal-amd64.iso                  2026-02-26  519.4 MB
cozystack-operator-hosted.yaml   2026-02-26  2.4 kB
cozystack-operator-generic.yaml  2026-02-26  2.5 kB
cozystack-operator-talos.yaml    2026-02-26  2.5 kB
cozystack-crds.yaml              2026-02-26  19.1 kB
Totals: 19 Items, 1.5 GB

Cozystack v1.0.0 — "Stable"

We are thrilled to announce Cozystack v1.0.0, the first stable major release of the Cozystack platform. This milestone represents a fundamental architectural evolution from the v0.x series, introducing a fully operator-driven package management system, a comprehensive backup and restore framework, a redesigned virtual machine architecture, and a rich set of new managed applications — all hardened through an extensive alpha, beta, and release-candidate cycle.

Feature Highlights

Package-Based Architecture with Cozystack Operator

The most significant architectural change in v1.0.0 is the replacement of HelmRelease bundle deployments with a declarative Package and PackageSource model managed by the new cozystack-operator. Operators now define their platform configuration in a structured values.yaml and the operator reconciles the desired state by managing Package and PackageSource resources across the cluster.

The operator also takes ownership of CRD lifecycle — installing and updating CRDs from embedded manifests at every startup — eliminating the stale-CRD problem that affected Helm-only installations. Flux sharding has been added to distribute tenant HelmRelease reconciliation across multiple Flux controllers, providing horizontal scalability in large multi-tenant environments.

A migration script (hack/migrate-to-version-1.0.sh) is provided for upgrading existing v0.x clusters, along with 33 incremental migration steps that automate resource renaming, secret cleanup, and configuration conversion.

Comprehensive Backup and Restore System

v1.0.0 ships a fully featured, production-ready backup and restore framework built on Velero integration. Users can define BackupClass resources to describe backup storage targets, create BackupPlan schedules, and trigger RestoreJob resources for end-to-end application recovery.

Virtual machine backups are supported natively via the Velero KubeVirt plugin, which captures consistent VM disk snapshots alongside metadata. The backup controller and the backup strategy sub-controllers (including the VM-specific strategy) are installed by default, and a full dashboard UI allows users to monitor backup status, view backup job history, and initiate restore workflows.

Redesigned Virtual Machine Architecture

The legacy virtual-machine application has been replaced with a two-resource architecture: vm-disk for managing persistent disks and vm-instance for managing VM lifecycle. This separation provides cleaner disk/instance management, allows disks to be reused across VM instances, and aligns with modern KubeVirt patterns.

New capabilities include: a cpuModel field for direct CPU model specification without using an instanceType; the ability to switch between instanceType-based and custom resource-based configurations; migration from the deprecated running field to runStrategy; and native RWX (NFS) filesystem support in the KubeVirt CSI driver, enabling multiple pods to mount the same persistent volume simultaneously.

New Managed Applications

v1.0.0 expands the application catalog significantly:

  • MongoDB: A fully managed MongoDB replica set with persistent storage, monitoring integration, and a unified user/database configuration API.
  • Qdrant: A high-performance vector database for AI and machine learning workloads, supporting single-replica and clustered modes with API key authentication and optional external LoadBalancer access.
  • Harbor: A fully managed OCI container registry backed by CloudNativePG, Redis operator, and COSI BucketClaim (SeaweedFS). Includes Trivy vulnerability scanner, auto-generated admin credentials, and TLS via cert-manager.
  • NATS: Enhanced with full Grafana monitoring dashboards for JetStream and server metrics, Prometheus support with TLS-aware configuration, and updated image customization options.
  • MariaDB: The mysql application is renamed to mariadb, accurately reflecting the underlying engine. An automatic migration (migration 27) converts all existing MySQL resources to use the mariadb naming.

FerretDB has been removed from the catalog as it is superseded by native MongoDB support.

Multi-Location Networking with Kilo and cilium-kilo

Cozystack v1.0.0 introduces first-class support for multi-location clusters via the Kilo WireGuard mesh networking package. Kilo automatically establishes encrypted WireGuard tunnels between nodes in different network segments, enabling seamless cross-region communication.

A new integrated cilium-kilo networking variant combines Cilium eBPF CNI with Kilo's WireGuard overlay in a single platform configuration selection. This variant enables enable-ipip-termination in Cilium and deploys Kilo with --compatibility=cilium, allowing Cilium network policies to function correctly over the WireGuard mesh — without any manual configuration of the two components.

Flux Sharding for Scalable Multi-Tenancy

Tenant HelmRelease reconciliation is now distributed across multiple Flux controllers via sharding labels. Each tenant workload is assigned to a shard based on a deterministic hash, preventing a single Flux controller from becoming a bottleneck in large multi-tenant environments. The platform operator manages the shard assignment automatically, and new shards can be added by scaling the Flux deployment.

Major Features and Improvements

Cozystack Operator

  • [cozystack-operator] Introduce Package and PackageSource APIs: Added new CRDs for declarative package management, defining the full API for Package and PackageSource resources (@kvaps in [#1740], [#1741], [#1755], [#1756], [#1760], [#1761]).
  • [platform] Migrate from HelmRelease bundles to Package-based deployment: Replaced HelmRelease bundle system with Package resources managed by cozystack-operator, including restructured values.yaml with full configuration support for networking, publishing, authentication, scheduling, branding, and resources (@kvaps in [#1816]).
  • [cozystack-operator] Add automatic CRD installation at startup: Added --install-crds flag to install embedded CRD manifests on every startup via server-side apply, ensuring CRDs and the PackageSource are always up to date (@lexfrei in [#2060]).
  • [installer] Remove CRDs from Helm chart, delegate lifecycle to operator: The cozy-installer Helm chart no longer ships CRDs; CRD lifecycle is fully managed by the Cozystack operator (@lexfrei in [#2074]).
  • [cozystack-operator] Preserve existing suspend field in package reconciler: Fixed package reconciler to properly preserve the suspend field state during reconciliation (@sircthulhu in [#2043]).
  • [cozystack-operator] Fix namespace privileged flag resolution and field ownership: Fixed operator to correctly check all Packages in a namespace when determining privileged status, and resolved SSA field ownership conflicts (@kvaps in [#2046]).
  • [platform] Add flux-plunger controller: Added flux-plunger controller to automatically fix stuck HelmRelease errors by cleaning up failed resources and retrying reconciliation (@kvaps in [#1843]).
  • [installer] Add variant-aware templates for generic Kubernetes support: Extended the installer to support generic and hosted Kubernetes deployments via the cozystackOperator.variant=generic parameter (@lexfrei in [#2010]).
  • [installer] Unify operator templates: Merged separate operator templates into a single variant-based template supporting Talos and non-Talos deployments (@kvaps in [#2034]).

API and Platform

  • [api] Rename CozystackResourceDefinition to ApplicationDefinition: Renamed CRD and all related types for clarity and consistency, with migration 24 handling the transition automatically (@kvaps in [#1864]).
  • [platform] Add DNS-1035 validation for Application names: Added dynamic DNS-1035 label validation for Application names at creation time, preventing resources with invalid names that would fail downstream (@lexfrei in [#1771]).
  • [platform] Make cluster issuer name and ACME solver configurable: Added publishing.certificates.solver and publishing.certificates.issuerName parameters to allow pointing all ingress TLS annotations at any ClusterIssuer (@myasnikovdaniil in [#2077]).
  • [platform] Add cilium-kilo networking variant: Added integrated cilium-kilo networking variant combining Cilium CNI with Kilo WireGuard mesh overlay (@kvaps in [#2064]).
  • [cozystack-api] Switch from DaemonSet to Deployment: Migrated cozystack-api to a Deployment with PreferClose topology spread constraints, reducing resource consumption while maintaining high availability (@kvaps in [#2041], [#2048]).
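
The DNS-1035 label check mentioned above for Application names, sketched in Go as an added example (this is not Cozystack's own code). The prefix-based length budget, the "mongodb-" prefix and the sample names are assumptions constructed for illustration; they show how a name that is valid on its own can still fail once a derived object name is built from it.

```go
package main

import (
	"fmt"
	"strings"
)

// dns1035MaxLen is the length limit for a single DNS label (RFC 1035).
const dns1035MaxLen = 63

// NameBudget returns how many characters remain for the user-chosen part
// when a derived object name is built as prefix+name. The prefix scheme is
// an assumption made for this example, not taken from Cozystack.
func NameBudget(prefix string) int {
	return dns1035MaxLen - len(prefix)
}

// isLowerAlnum reports whether r is an ASCII lowercase letter or a digit.
func isLowerAlnum(r rune) bool {
	return (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9')
}

// ValidateDNS1035Label returns one message per violated rule; an empty
// result means name is a valid DNS-1035 label of at most maxLen bytes:
// lowercase alphanumerics or '-', starting with a letter and ending with
// a letter or digit.
func ValidateDNS1035Label(name string, maxLen int) []string {
	if name == "" {
		return []string{"must not be empty"}
	}
	var errs []string
	if len(name) > maxLen {
		errs = append(errs, fmt.Sprintf("must be at most %d characters, got %d", maxLen, len(name)))
	}
	if c := name[0]; c < 'a' || c > 'z' {
		errs = append(errs, "must start with a lowercase letter")
	}
	if !isLowerAlnum(rune(name[len(name)-1])) {
		errs = append(errs, "must end with a lowercase letter or digit")
	}
	// Report only the first offending character to keep the message short.
	for i, r := range name {
		if !isLowerAlnum(r) && r != '-' {
			errs = append(errs, fmt.Sprintf("invalid character %q at index %d", r, i))
			break
		}
	}
	return errs
}

func main() {
	// Constructed sample names, checked against the full 63-character limit.
	for _, name := range []string{"db1", "1db", "My_App", "web-", ""} {
		fmt.Printf("%-8q -> %v\n", name, ValidateDNS1035Label(name, dns1035MaxLen))
	}

	// A 60-character name is a valid label by itself, but no longer fits once
	// a hypothetical "mongodb-" prefix is reserved for the derived name.
	long := strings.Repeat("a", 60)
	budget := NameBudget("mongodb-")
	fmt.Println("alone:      ", ValidateDNS1035Label(long, dns1035MaxLen))
	fmt.Println("with prefix:", ValidateDNS1035Label(long, budget))
}
```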

Virtual Machines

  • [vm-instance] Complete migration from virtual-machine to vm-disk and vm-instance: Fully migrated from virtual-machine to the new vm-disk and vm-instance architecture, with automatic migration script (migration 28) for existing VMs (@kvaps in [#2040]).
  • [kubevirt-csi-driver] Add RWX Filesystem (NFS) support: Added Read-Write-Many filesystem support to kubevirt-csi-driver via automatic NFS server deployment per PVC (@kvaps in [#2042]).
  • [vm] Add cpuModel field to specify CPU model without instanceType: Added cpuModel field to VirtualMachine API for granular CPU control (@sircthulhu in [#2007]).
  • [vm] Allow switching between instancetype and custom resources: Implemented atomic upgrade hook for switching between instanceType-based and custom resource VM configurations (@sircthulhu in [#2008]).
  • [vm] Migrate to runStrategy instead of running: Migrated VirtualMachine API from deprecated running field to runStrategy (@sircthulhu in [#2004]).
  • [vm] Always expose VMs with a service: Virtual machines are now always exposed with at least a ClusterIP service, ensuring in-cluster DNS names (@lllamnyp in [#1738], [#1751]).
  • [dashboard] VMInstance dropdowns for disks and instanceType: VM instance creation form now renders API-backed dropdowns for instanceType and disk name fields (@sircthulhu in [#2071]).

Backup System

  • [backups] Implement comprehensive backup and restore functionality: Core backup Plan controller, Velero strategy controller, RestoreJob resource with end-to-end restore workflows, and enhanced backup plans UI (@lllamnyp in [#1640], [#1685], [#1687], [#1719], [#1720], [#1737], [#1967]; @androndo in [#1762], [#1967], [#1968], [#1811]).
  • [backups] Add kubevirt plugin to velero: Added KubeVirt plugin to Velero for consistent VM state and data snapshots (@lllamnyp in [#2017]).
  • [backups] Install backupstrategy controller by default: Enabled backupstrategy controller by default for automatic backup scheduling (@lllamnyp in [#2020]).
  • [backups] Better selectors for VM strategy: Improved VM backup strategy selectors for accurate and reliable backup targeting (@lllamnyp in [#2023]).
  • [backups] Create RBAC for backup resources: Added comprehensive RBAC configuration for backup operations and restore jobs (@lllamnyp in [#2018]).

Networking

  • [kilo] Introduce Kilo WireGuard mesh networking: Added Kilo as a system package providing secure WireGuard-based VPN mesh for connecting Kubernetes nodes across different networks and regions (@kvaps in [#1691]).
  • [kilo] Add Cilium compatibility variant: Added cilium variant enabling Cilium-aware IPIP encapsulation for full network policy enforcement with Kilo mesh (@kvaps in [#2055]).
  • [kilo] Update to v0.8.0 with configurable MTU: Updated Kilo to v0.8.0 with configurable MTU parameter and performance improvements (@kvaps in [#2003], [#2049], [#2053]).
  • [local-ccm] Add local-ccm package: Added local cloud controller manager for managing load balancer services in bare-metal environments (@kvaps in [#1831]).
  • [local-ccm] Add node-lifecycle-controller component: Added optional node-lifecycle-controller that automatically deletes unreachable NotReady nodes, solving the "zombie" node problem in autoscaled clusters (@IvanHunters in [#1992]).
  • [tenant] Allow egress to parent ingress pods: Updated tenant network policies to allow egress traffic to parent cluster ingress pods (@lexfrei in [#1765], [#1776]).

New Applications

  • [mongodb] Add MongoDB managed application: Added MongoDB as a fully managed database with replica sets, persistent storage, and unified user/database configuration (@lexfrei in [#1822]; @kvaps in [#1923]).
  • [qdrant] Add Qdrant vector database: Added Qdrant as a high-performance vector database for AI/ML workloads with API key authentication and optional LoadBalancer access (@lexfrei in [#1987]).
  • [harbor] Add managed Harbor container registry: Added Harbor v2.14.2 as a managed tenant-level container registry with CloudNativePG, Redis operator, COSI BucketClaim storage, and Trivy scanner (@lexfrei in [#2058]).
  • [nats] Add monitoring: Added Grafana dashboards for NATS JetStream and server metrics, Prometheus monitoring with TLS support (@klinch0 in [#1381]).
  • [mariadb] Rename mysql application to mariadb: Renamed MySQL application to MariaDB with automatic migration (migration 27) for all existing resources (@kvaps in [#2026]).
  • [ferretdb] Remove FerretDB application: Removed FerretDB, superseded by native MongoDB support (@kvaps in [#2028]).

Kubernetes and System Components

  • [kubernetes] Update supported Kubernetes versions to v1.30–v1.35: Updated the tenant Kubernetes version matrix, with v1.35 as the new default. Kamaji updated to edge-26.2.4 and CAPI Kamaji provider to v0.16.0 (@lexfrei in [#2073]).
  • [kubernetes] Auto-enable Gateway API support in cert-manager: Added automatic Gateway API support in cert-manager for tenant clusters (@kvaps in [#1997]).
  • [kubernetes] Use ingress-nginx nodeport service: Changed tenant Kubernetes clusters to use ingress-nginx NodePort service for improved compatibility (@sircthulhu in [#1948]).
  • [system] Add cluster-autoscaler for Hetzner and Azure: Added cluster-autoscaler system package for automatically scaling management cluster nodes on Hetzner and Azure (@kvaps in [#1964]).
  • [cluster-autoscaler] Enable enforce-node-group-min-size by default: Ensures node groups are always scaled up to their configured minimum size (@kvaps in [#2050]).
  • [system] Add clustersecret-operator package: Added clustersecret-operator for managing secrets across multiple namespaces (@sircthulhu in [#2025]).

Monitoring

  • [monitoring] Enable monitoring for core components: Enhanced monitoring capabilities with dashboards and metrics for core Cozystack components (@IvanHunters in [#1937]).
  • [monitoring] Add SLACK_SEVERITY_FILTER and VMAgent for tenant monitoring: Added SLACK_SEVERITY_FILTER for Slack alert filtering and VMAgent for tenant namespace metrics scraping (@IvanHunters in [#1712]).
  • [monitoring-agents] Fix FQDN resolution for tenant workload clusters: Fixed monitoring agents in tenant clusters to use full DNS names with cluster domain suffix (@IvanHunters in [#2075]; @kvaps in [#2086]).

Storage

  • [linstor] Move CRDs to dedicated piraeus-operator-crds chart: Moved LINSTOR CRDs to a dedicated chart, ensuring reliable installation of all CRDs including linstorsatellites.io (@kvaps in [#2036]; @IvanHunters in [#1991]).
  • [seaweedfs] Increase certificate duration to 10 years: Increased SeaweedFS certificate validity to 10 years to reduce rotation overhead (@IvanHunters in [#1986]).

Improvements

  • [dashboard] Upgrade dashboard to version 1.4.0: Updated Cozystack dashboard to v1.4.0 with new features and improvements (@sircthulhu in [#2051]).
  • [dashboard] Hide Ingresses/Services/Secrets tabs when no selectors defined: Tabs are now conditionally shown based on whether the ApplicationDefinition has resource selectors configured, reducing UI clutter (@kvaps in [#2087]).
  • [dashboard] Add startupProbe to prevent container restarts on slow hardware: Added startup probe to dashboard pods to prevent unnecessary restarts (@kvaps in [#1996]).
  • [keycloak] Allow custom Ingress hostname via values: Added ingress.host field to cozy-keycloak chart values for overriding the default keycloak.<root-host> hostname (@sircthulhu in [#2101]).
  • [branding] Separate values for Keycloak: Separated Keycloak branding values for better customization capabilities (@nbykov0 in [#1947]).
  • [rbac] Use hierarchical naming scheme: Refactored RBAC to use hierarchical naming for cluster roles and role bindings (@lllamnyp in [#2019]).
  • [tenant,rbac] Use shared clusterroles: Refactored tenant RBAC to use shared ClusterRoles for improved consistency (@lllamnyp in [#1999]).
  • [kubernetes] Increase default apiServer resourcesPreset to large: Increased kube-apiserver resource preset to large for more reliable operation under higher workloads (@kvaps in [#1875]).
  • [kubernetes] Increase kube-apiserver startup probe threshold: Increased startup probe threshold to allow more time for API server readiness (@kvaps in [#1876]).
  • [etcd] Increase probe thresholds for better recovery: Increased etcd probe thresholds to improve cluster resilience during temporary slowdowns (@kvaps in [#1874]).
  • [etcd-operator] Add vertical-pod-autoscaler dependency: Added VPA as a dependency to etcd-operator for proper resource scaling (@sircthulhu in [#2047]).
  • [cilium] Change cilium-operator replicas to 1: Reduced Cilium operator replicas to decrease resource consumption in smaller deployments (@IvanHunters in [#1784]).
  • [keycloak-configure,dashboard] Enable insecure TLS verification by default: Made SSL certificate verification configurable with insecure mode enabled by default for local development (@IvanHunters in [#2005]).
  • [platform] Split telemetry between operator and controller: Separated telemetry collection for better metrics isolation (@kvaps in [#1869]).
  • [system] Add resource requests and limits to etcd-defrag: Added resource requests and limits to etcd-defrag job to prevent resource contention (@matthieu-robin in [#1785], [#1786]).

Fixes

  • [dashboard] Fix sidebar visibility on cluster-level pages: Fixed broken URLs with double // on cluster-level pages by hiding namespace-scoped sidebar items when no tenant is selected (@sircthulhu in [#2106]).
  • [platform] Fix upgrade issues in migrations, etcd timeout, and migration script: Fixed multiple upgrade failures discovered during v0.41.1 → v1.0 upgrade testing, including migration 26-29 fixes, RFC3339 format for annotations, and extended etcd HelmRelease timeout to 30m (@kvaps in [#2096]).
  • [platform] Fix orphaned -rd HelmReleases after application renames: Migrations 28-29 updated to remove orphaned -rd HelmReleases in cozy-system after ferretdb→mongodb, mysql→mariadb, and virtual-machine→vm-disk+vm-instance renames, with migration 33 as a safety net (@kvaps in [#2102]).
  • [platform] Adopt tenant-root into cozystack-basics during migration: Added migration 31 to adopt existing tenant-root Namespace and HelmRelease into cozystack-basics for a safe v0.41.x → v1.0 upgrade path (@kvaps in [#2065]).
  • [platform] Preserve tenant-root HelmRelease during migration: Fixed data-loss risk during migration where tenant-root HelmRelease could be deleted (@sircthulhu in [#2063]).
  • [platform] Fix cozystack-values secret race condition: Fixed race condition in cozystack-values secret creation that could cause initialization failures (@lllamnyp in [#2024]).
  • [cozystack-basics] Preserve existing HelmRelease values during reconciliations: Fixed data-loss bug where changes to tenant-root HelmRelease were dropped on the next reconciliation (@sircthulhu in [#2068]).
  • [cozystack-basics] Deny resourcequotas deletion for tenant admin: Fixed cozy:tenant:admin:base ClusterRole to explicitly deny deletion of ResourceQuota objects (@myasnikovdaniil in [#2076]).
  • [dashboard] Fix legacy templating and cluster identifier in sidebar links: Standardized cluster identifier across dashboard menu links resolving broken link targets for Backups and External IPs (@androndo in [#2093]).
  • [dashboard] Fix backupjobs creation form and sidebar backup category identifier: Fixed backup job creation form fields and fixed sidebar backup category identifier (@androndo in [#2103]).
  • [kubevirt] Update KubeVirt to v1.6.4 and CDI to v1.64.0, fix VM pod initialization: Updated KubeVirt and CDI and disabled serial console logging globally to fix the guest-console-log init container blocking virt-launcher pods (@nbykov0 in [#1833]; @kvaps).
  • [linstor] Fix DRBD+LUKS+STORAGE resource creation failure: Applied upstream fix for all newly created encrypted volumes failing due to missing setExists(true) call in LuksLayer (@kvaps in [#2072]).
  • [platform] Clean up Helm secrets for removed releases: Added cleanup logic to migration 23 to remove orphaned Helm secrets from removed -rd releases (@kvaps in [#2035]).
  • [monitoring] Fix YAML parse error in vmagent template: Fixed YAML parsing error in monitoring-agents vmagent template (@kvaps in [#2037]).
  • [monitoring] Remove cozystack-controller dependency: Fixed monitoring package to remove unnecessary cozystack-controller dependency (@IvanHunters in [#1990]).
  • [monitoring] Remove duplicate dashboards.list: Fixed duplicate dashboards.list configuration in extra/monitoring package (@IvanHunters in [#2016]).
  • [linstor] Update piraeus-server patches with critical fixes: Backported critical patches fixing edge cases in device management and DRBD resource handling (@kvaps in [#1850]).
  • [apiserver] Fix Watch resourceVersion and bookmark handling: Fixed Watch API handling of resourceVersion and bookmarks for proper event streaming (@kvaps in [#1860]).
  • [bootbox] Auto-create bootbox-application as dependency: Fixed bootbox package to automatically create required bootbox-application dependency (@kvaps in [#1974]).
  • [postgres-operator] Correct PromQL syntax in CNPGClusterOffline alert: Fixed incorrect PromQL syntax in the CNPGClusterOffline Prometheus alert (@mattia-eleuteri in [#1981]).
  • [coredns] Fix serviceaccount to match kubernetes bootstrap RBAC: Fixed CoreDNS service account to correctly match Kubernetes bootstrap RBAC requirements (@mattia-eleuteri in [#1958]).
  • [dashboard] Verify JWT token: Added JWT token verification to dashboard for improved security (@lllamnyp in [#1980]).
  • [codegen] Fix missing gen_client in update-codegen.sh: Fixed build error in pkg/generated/applyconfiguration/utils.go by including gen_client in the codegen script (@lexfrei in [#2061]).
  • [kubevirt-operator] Fix typo in VMNotRunningFor10Minutes alert: Fixed typo in VM alert name ensuring proper alert triggering (@lexfrei in [#1770], [#1775]).

Security

  • [dashboard] Verify JWT token: Added JWT token verification to the dashboard for improved authentication security (@lllamnyp in [#1980]).

Dependencies

  • [cilium] Update to v1.18.6: Updated Cilium CNI to v1.18.6 with security fixes and performance improvements (@sircthulhu in [#1868]).
  • [kube-ovn] Update to v1.15.3: Updated Kube-OVN CNI to v1.15.3 with performance improvements and bug fixes (@kvaps in [#2022]).
  • [kilo] Update to v0.8.0: Updated Kilo WireGuard mesh to v0.8.0 with performance improvements and new compatibility features (@kvaps in [#2053]).
  • Update Talos Linux to v1.12.1: Updated Talos Linux to v1.12.1 with latest features and security patches (@kvaps in [#1877]).

System Configuration

  • [vpc] Migrate subnets definition from map to array format: Migrated VPC subnets from map[string]Subnet to []Subnet with explicit name field, with automatic migration via migration 30 (@kvaps in [#2052]).
  • [migrations] Add migrations 23-33 for v1.0 upgrade path: Added 11 incremental migrations handling CRD ownership, resource renaming, secret cleanup, Helm adoption, and configuration conversion for the v0.41.x → v1.0.0 upgrade path (@kvaps in [#1975], [#2035], [#2036], [#2040], [#2026], [#2065], [#2052], [#2102]).
  • [tenant] Run cleanup job from system namespace: Moved tenant cleanup job to system namespace for improved security and resource isolation (@lllamnyp in [#1774], [#1777]).

Development, Testing, and CI/CD

  • [ci] Use GitHub Copilot CLI for changelog generation: Automated changelog generation using GitHub Copilot CLI (@androndo in [#1753]).
  • [ci] Choose runner conditional on label: Added conditional runner selection in CI based on PR labels (@lllamnyp in [#1998]).
  • [e2e] Use helm install instead of kubectl apply for cozystack installation: Replaced static YAML apply flow with direct helm upgrade --install of the installer chart in E2E tests (@lexfrei in [#2060]).
  • [e2e] Make kubernetes test retries effective by cleaning up stale resources: Fixed E2E test retries by adding pre-creation cleanup and increasing deployment wait timeout to 300s (@lexfrei in [#2062]).
  • [e2e] Increase HelmRelease readiness timeout for kubernetes test: Increased HelmRelease readiness timeout to prevent false failures on slower hardware (@lexfrei in [#2033]).
  • [ci] Improve cozyreport functionality: Enhanced cozyreport tool with improved reporting for CI/CD pipelines (@lllamnyp in [#2032]).
  • feat(cozypkg): add cross-platform build targets with version injection: Added cross-platform build targets for cozypkg/cozyhr tool for linux/amd64, linux/arm64, darwin/amd64, darwin/arm64 (@kvaps in [#1862]).
  • refactor: move scripts to hack directory: Reorganized scripts to the standard hack/ location (@kvaps in [#1863]).
  • Update CODEOWNERS: Updated CODEOWNERS to include new maintainers (@lllamnyp in [#1972]; @IvanHunters in [#2015]).
  • [talm] Skip config loading for completion subcommands: Fixed talm CLI to skip config loading for shell completion commands (@kitsunoff in cozystack/talm#109).
  • [talm] Fix metadata.id type casting in physical_links_info: Fixed Prometheus query to properly cast metadata.id to string for regexMatch operations (@kvaps in cozystack/talm#110).

Documentation

  • [website] Add documentation versioning: Implemented comprehensive documentation versioning with separate v0 and v1 documentation trees and a version selector in the UI (@IvanStukov in cozystack/website#415).
  • [website] Describe upgrade to v1.0: Added detailed upgrade instructions for migrating from v0.x to v1.0 (@nbykov0 in cozystack/website@21bbe84).
  • [website] Migrate ConfigMap references to Platform Package in v1 docs: Updated entire v1 documentation to replace legacy ConfigMap-based configuration with the new Platform Package API (@sircthulhu in cozystack/website#426).
  • [website] Add generic Kubernetes deployment guide for v1: Added installation guide for deploying Cozystack on any generic Kubernetes cluster (@lexfrei in cozystack/website#408).
  • [website] Describe operator-based and HelmRelease-based package patterns: Added development documentation explaining operator-based and HelmRelease-based package patterns (@kvaps in cozystack/website#413).
  • [website] Add Helm chart development principles guide: Added developer guide documenting Cozystack's four core Helm chart principles (@kvaps in cozystack/website#418).
  • [website] Add network architecture overview: Added comprehensive network architecture documentation covering the multi-layered networking stack with Mermaid diagrams (@IvanHunters in cozystack/website#422).
  • [website] Add LINSTOR disk preparation guide: Added comprehensive documentation for preparing disks for LINSTOR storage (@IvanHunters in cozystack/website#411).
  • [website] Add Proxmox VM migration guide: Added detailed guide for migrating virtual machines from Proxmox to Cozystack (@IvanHunters in cozystack/website#410).
  • [website] Add cluster autoscaler documentation: Added documentation for Hetzner setup with Talos, vSwitch, and Kilo mesh integration (@kvaps in [#1964]).
  • [website] Improve Azure autoscaling troubleshooting guide: Enhanced Azure autoscaling documentation with serial console instructions and az vmss update --custom-data guidance (@kvaps in cozystack/website#424).
  • [website] Update multi-location documentation for cilium-kilo variant: Updated multi-location networking docs to reflect the integrated cilium-kilo variant selection (@kvaps in cozystack/website@02d63f0).
  • [website] Update documentation to use jsonpatch for service exposure: Improved kubectl patch commands to use JSON Patch add operations (@sircthulhu in cozystack/website#427).
  • [website] Update certificates section in Platform Package documentation: Updated certificate configuration docs to reflect new solver and issuerName fields (@myasnikovdaniil in cozystack/website#429).
  • [website] Add tenant Kubernetes cluster log querying guide: Added documentation for querying logs from tenant clusters in Grafana using VictoriaLogs labels (@IvanHunters in cozystack/website#430).
  • [website] Replace non-idempotent commands with idempotent alternatives: Updated helm install to helm upgrade --install and kubectl create to kubectl apply across all installation guides (@lexfrei in cozystack/website#431).
  • [website] Fix broken documentation links with .md suffix: Fixed incorrect internal links across virtualization guides for v0 and v1 documentation (@cheese in cozystack/website#432).
  • [website] Refactor resource planning documentation: Improved resource planning guide with clearer structure and more comprehensive coverage (@IvanStukov in cozystack/website#423).
  • [website] Add ServiceAccount API access documentation and update FAQ: Added documentation for ServiceAccount API access token configuration and updated FAQ (@IvanStukov in cozystack/website#421).
  • [website] Update networking-mesh allowed-location-ips example: Replaced provider-specific CLI with standard kubectl commands in multi-location networking guide (@kvaps in cozystack/website#425).
  • [website] docs(storage): simplify NFS driver setup instructions: Simplified NFS driver setup documentation (@kvaps in cozystack/website#399).
  • [website] Add Hetzner RobotLB documentation: Added documentation for configuring public IP with Hetzner RobotLB (@kvaps in cozystack/website#394).
  • [website] Add documentation for creating and managing cloned VMs: Added comprehensive guide for VM cloning operations (@sircthulhu in cozystack/website#401).
  • [website] Update Talos installation docs for Hetzner and Servers.com: Updated installation documentation for Hetzner and Servers.com environments (@kvaps in cozystack/website#395).
  • [website] Add Hidora organization support details: Added Hidora to the support page (@matthieu-robin in cozystack/website#397, cozystack/website#398).
  • [website] Check quotas before an upgrade: Added troubleshooting documentation for checking resource quotas before upgrades (@nbykov0 in cozystack/website#405).
  • [website] Update support documentation: Updated support documentation with current contact information (@xrmtech-isk in cozystack/website#420).
  • [website] Correct typo in kubeconfig reference in Kubernetes installation guide: Fixed documentation typo in kubeconfig reference (@shkarface in cozystack/website#414).

Breaking Changes & Upgrade Notes

  • [api] CozystackResourceDefinition renamed to ApplicationDefinition: The CozystackResourceDefinition CRD has been renamed to ApplicationDefinition. Migration 24 handles the transition automatically during upgrade (@kvaps in [#1864]).

  • [platform] Certificate issuer configuration parameters renamed: The publishing.certificates.issuerType field is renamed to publishing.certificates.solver, and the value cloudflare is renamed to dns01. A new publishing.certificates.issuerName field (default: letsencrypt-prod) is added. Migration 32 automatically converts existing configurations — no manual action required (@myasnikovdaniil in [#2077]).

  • [vpc] VPC subnets definition migrated from map to array format: VPC subnets are now defined as []Subnet with an explicit name field instead of map[string]Subnet. Migration 30 handles the conversion automatically (@kvaps in [#2052]).

  • [vm] virtual-machine application replaced by vm-disk and vm-instance: The legacy virtual-machine application has been fully replaced. Migration 28 automatically converts existing VMs to the new architecture (@kvaps in [#2040]).

  • [mysql] mysql application renamed to mariadb: Existing MySQL deployments are automatically renamed to MariaDB via migration 27 (@kvaps in [#2026]).

Upgrade Guide

To upgrade from v0.41.x to v1.0.0:

  1. Back up your cluster before upgrading.
  2. Run the provided migration script: hack/migrate-to-version-1.0.sh.
  3. The 33 incremental migration steps will automatically handle all resource renaming, configuration conversion, CRD adoption, and secret cleanup.
  4. Refer to the upgrade documentation for detailed instructions and troubleshooting.

Contributors

We'd like to thank all contributors who made this release possible:

New Contributors

We're excited to welcome our first-time contributors:

Full Changelog: https://github.com/cozystack/cozystack/compare/v0.41.0...v1.0.0

Source: README.md, updated 2026-02-26