<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Cozystack Cluster Configuration on Cozystack</title><link>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/</link><description>Recent content in Cozystack Cluster Configuration on Cozystack</description><generator>Hugo</generator><language>en</language><atom:link href="https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/index.xml" rel="self" type="application/rss+xml"/><item><title>Platform Package Reference</title><link>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/platform-package/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/platform-package/</guid><description>&lt;p&gt;This page explains the role of the Cozystack Platform Package and provides a full reference for its values.&lt;/p&gt;
&lt;p&gt;Cozystack&amp;rsquo;s main configuration is defined by a &lt;code&gt;Package&lt;/code&gt; custom resource.
This Package includes the 
&lt;a href="https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/variants/" target="_blank"&gt;Cozystack variant&lt;/a&gt; and 
&lt;a href="https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/components/" target="_blank"&gt;component settings&lt;/a&gt;,
key network settings, exposed services, and other options.&lt;/p&gt;
&lt;h2 id="example"&gt;Example&lt;/h2&gt;
&lt;p&gt;Here&amp;rsquo;s an example of configuration for installing Cozystack with variant &lt;code&gt;isp-full&lt;/code&gt;, with root host &amp;ldquo;example.org&amp;rdquo;,
and Cozystack Dashboard and API exposed and available to users:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="background-color:#f0f0f0;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;apiVersion&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;cozystack.io/v1alpha1&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;kind&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;Package&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;metadata&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;name&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;cozystack.cozystack-platform&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;spec&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;variant&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;isp-full&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;components&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;platform&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;values&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;publishing&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;host&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#4070a0"&gt;&amp;#34;example.org&amp;#34;&lt;/span&gt;&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;apiServerEndpoint&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#4070a0"&gt;&amp;#34;https://api.example.org:443&amp;#34;&lt;/span&gt;&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;exposedServices&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;- dashboard&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;- api&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;networking&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;podCIDR&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#4070a0"&gt;&amp;#34;10.244.0.0/16&amp;#34;&lt;/span&gt;&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;podGateway&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#4070a0"&gt;&amp;#34;10.244.0.1&amp;#34;&lt;/span&gt;&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;serviceCIDR&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#4070a0"&gt;&amp;#34;10.96.0.0/16&amp;#34;&lt;/span&gt;&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;joinCIDR&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#4070a0"&gt;&amp;#34;100.64.0.0/16&amp;#34;&lt;/span&gt;&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="reference"&gt;Reference&lt;/h2&gt;
&lt;h3 id="package-level-fields"&gt;Package-level fields&lt;/h3&gt;
&lt;table&gt;
 &lt;thead&gt;
 &lt;tr&gt;
 &lt;th&gt;Field&lt;/th&gt;
 &lt;th&gt;Description&lt;/th&gt;
 &lt;/tr&gt;
 &lt;/thead&gt;
 &lt;tbody&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;spec.variant&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Variant to use for installation (e.g., &lt;code&gt;isp-full&lt;/code&gt;, &lt;code&gt;isp-full-generic&lt;/code&gt;, &lt;code&gt;isp-hosted&lt;/code&gt;, &lt;code&gt;distro-full&lt;/code&gt;).&lt;/td&gt;
 &lt;/tr&gt;
 &lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="platform-values-speccomponentsplatformvalues"&gt;Platform values (&lt;code&gt;spec.components.platform.values.*&lt;/code&gt;)&lt;/h3&gt;
&lt;h4 id="publishing"&gt;Publishing&lt;/h4&gt;
&lt;table&gt;
 &lt;thead&gt;
 &lt;tr&gt;
 &lt;th&gt;Value&lt;/th&gt;
 &lt;th&gt;Default&lt;/th&gt;
 &lt;th&gt;Description&lt;/th&gt;
 &lt;/tr&gt;
 &lt;/thead&gt;
 &lt;tbody&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.host&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;example.org&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;The main domain for all services created under Cozystack, such as the dashboard, Grafana, Keycloak, etc.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.apiServerEndpoint&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Used for generating kubeconfig files for your users. It is recommended to use a routable FQDN or IP address instead of local-only addresses. Example: &lt;code&gt;&amp;quot;https://api.example.org&amp;quot;&lt;/code&gt;.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.exposedServices&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;[api, dashboard, vm-exportproxy, cdi-uploadproxy]&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;List of services to expose. Possible values: &lt;code&gt;api&lt;/code&gt;, &lt;code&gt;dashboard&lt;/code&gt;, &lt;code&gt;cdi-uploadproxy&lt;/code&gt;, &lt;code&gt;vm-exportproxy&lt;/code&gt;.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.ingressName&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;tenant-root&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Ingress controller to use for exposing services.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.externalIPs&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;[]&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;List of external IPs used for the specified ingress controller. If not specified, a LoadBalancer service is used by default.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.ingressNameAdmin&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Name of a &lt;strong&gt;separate&lt;/strong&gt; admin ingress that system components attach their admin routes to (currently only Keycloak) — for example one bound to a private IP and unreachable from the internet. On the Gateway path the value is a namespace (of a &lt;code&gt;Gateway&lt;/code&gt; named &lt;code&gt;cozystack&lt;/code&gt;); on the ingress-nginx path it is an &lt;code&gt;ingressClassName&lt;/code&gt;. The two coincide because Cozystack names each ingressClass after its tenant namespace. Empty (the default) keeps admin endpoints on &lt;code&gt;publishing.ingressName&lt;/code&gt;. Two caveats: Cozystack does &lt;strong&gt;not&lt;/strong&gt; create the admin Gateway — provision it out of band first, or the admin routes attach to nothing; and the admin routes render only when Keycloak&amp;rsquo;s &lt;code&gt;ingress.adminHost&lt;/code&gt; is set, so setting this key alone is a no-op.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.exposureClass.name&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Logical name of the cluster-scoped &lt;code&gt;ExposureClass&lt;/code&gt; to render. Empty (the default) leaves the &lt;code&gt;publishing.externalIPs&lt;/code&gt; path untouched. When set, the host ingress — with &lt;code&gt;publishing.externalIPs&lt;/code&gt; empty — publishes its Service as &lt;code&gt;type: LoadBalancer&lt;/code&gt;, and &lt;code&gt;cozystack-controller&lt;/code&gt; translates the class into the chosen backend&amp;rsquo;s VIP pool and announcer. This is the migration path off &lt;code&gt;Service.spec.externalIPs&lt;/code&gt;, deprecated in Kubernetes v1.36 (KEP-5707). The removal is phased: the &lt;code&gt;AllowServiceExternalIPs&lt;/code&gt; feature gate ships enabled in v1.36, then defaults to &lt;strong&gt;false&lt;/strong&gt; (KEP target: v1.40), at which point kube-proxy stops programming rules for the field — the API still accepts it, so the Service looks healthy while no traffic arrives. Later phases lock the gate off and strip kube-proxy&amp;rsquo;s support outright, and finally drop the gate and the &lt;code&gt;DenyServiceExternalIPs&lt;/code&gt; admission controller. The KEP gives those later releases as approximate and the v1.36 announcement commits only to &amp;ldquo;a future minor release&amp;rdquo;, so treat the default flipping to false as the deadline and migrate onto a class &lt;strong&gt;before&lt;/strong&gt; that upgrade rather than planning against a specific version.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.exposureClass.backend&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;externalIPs&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;LoadBalancer mechanism behind the class. &lt;code&gt;externalIPs&lt;/code&gt; pins node IPs with no pool or announcer (the historical behaviour); &lt;code&gt;metallb&lt;/code&gt; renders an &lt;code&gt;IPAddressPool&lt;/code&gt; + &lt;code&gt;L2Advertisement&lt;/code&gt;; &lt;code&gt;cilium&lt;/code&gt; renders a &lt;code&gt;CiliumLoadBalancerIPPool&lt;/code&gt; + &lt;code&gt;CiliumL2AnnouncementPolicy&lt;/code&gt;; &lt;code&gt;robotlb&lt;/code&gt; uses a cloud (Hetzner) load balancer, where allocation and announcement happen off-cluster. Once &lt;code&gt;publishing.exposureClass.name&lt;/code&gt; is set, a pool or cloud backend (&lt;code&gt;metallb&lt;/code&gt;, &lt;code&gt;cilium&lt;/code&gt;, &lt;code&gt;robotlb&lt;/code&gt;) is mutually exclusive with a non-empty &lt;code&gt;publishing.externalIPs&lt;/code&gt; — the platform render fails with an explicit error rather than shipping the dead end, because the host ingress Service would stay &lt;code&gt;ClusterIP&lt;/code&gt; + &lt;code&gt;externalIPs&lt;/code&gt;, never become &lt;code&gt;type: LoadBalancer&lt;/code&gt;, and the allocated pool would go unused.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.exposureClass.addresses&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;[]&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;VIP CIDRs or &lt;code&gt;start-end&lt;/code&gt; ranges for the pool-backed backends (&lt;code&gt;metallb&lt;/code&gt;, &lt;code&gt;cilium&lt;/code&gt;).&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.exposureClass.l2&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;true&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;L2 (ARP / NDP) announcement for the bare-metal backends.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.exposureClass.isDefault&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;true&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Make this the class used by any &lt;code&gt;ServiceExposure&lt;/code&gt; that names none. A &lt;code&gt;ServiceExposure&lt;/code&gt; is the cluster-internal resource &lt;code&gt;cozystack-controller&lt;/code&gt; reconciles to publish a Service through the class&amp;rsquo;s backend; workloads do not create one directly. Because this defaults to &lt;code&gt;true&lt;/code&gt;, hand-creating a second &lt;code&gt;ExposureClass&lt;/code&gt; without clearing its default flag leaves two default classes, and the controller then fails every unnamed &lt;code&gt;ServiceExposure&lt;/code&gt; with &lt;code&gt;AmbiguousDefaultClass&lt;/code&gt; — keep exactly one default.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.solver&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;http01&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;ACME challenge solver type for default letsencrypt issuer. Possible values: &lt;code&gt;http01&lt;/code&gt;, &lt;code&gt;dns01&lt;/code&gt;.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.issuerName&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;letsencrypt-prod&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;ClusterIssuer&lt;/code&gt; name for TLS certificates used in system Helm releases.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.wildcard&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;false&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Opt-in shared wildcard certificate on the default ingress-nginx path (&lt;code&gt;gateway.enabled=false&lt;/code&gt;). When &lt;code&gt;true&lt;/code&gt; with &lt;code&gt;solver=dns01&lt;/code&gt; and no &lt;code&gt;publishing.certificates.wildcardSecretName&lt;/code&gt;, the platform issues one &lt;code&gt;*.&amp;lt;root-host&amp;gt;&lt;/code&gt; + &lt;code&gt;&amp;lt;root-host&amp;gt;&lt;/code&gt; &lt;code&gt;Certificate&lt;/code&gt; via the DNS-01 &lt;code&gt;ClusterIssuer&lt;/code&gt; and serves it as the ingress controller&amp;rsquo;s default SSL certificate, so system services stop minting a per-host ACME certificate each — avoiding Let&amp;rsquo;s Encrypt rate limits at scale, at parity with the Gateway API path. Ignored on &lt;code&gt;http01&lt;/code&gt; (cannot issue wildcards) and when &lt;code&gt;gateway.enabled=true&lt;/code&gt; (the &lt;code&gt;TenantGateway&lt;/code&gt; controller issues the wildcard there). Enabling it feeds the issued Secret name into the same cluster values channel as &lt;code&gt;publishing.certificates.wildcardSecretName&lt;/code&gt;, so it carries the same child-tenant hazard and the same open bug (
&lt;a href="https://github.com/cozystack/cozystack/issues/3296" target="_blank"&gt;cozystack/cozystack#3296&lt;/a&gt;): every tenant&amp;rsquo;s system ingresses drop their per-host ACME certificate cluster-wide, but the wildcard is served only by the publishing controller. A child tenant running its own ingress controller (&lt;code&gt;ingress: true&lt;/code&gt;) is then left with no certificate and serves ingress-nginx&amp;rsquo;s built-in self-signed one; an inheriting child on the shared controller instead gets a hostname mismatch, because a single-label &lt;code&gt;*.&amp;lt;root-host&amp;gt;&lt;/code&gt; wildcard does not cover a nested &lt;code&gt;&amp;lt;service&amp;gt;.&amp;lt;tenant&amp;gt;.&amp;lt;root-host&amp;gt;&lt;/code&gt; host or a custom &lt;code&gt;ingress.host&lt;/code&gt; on another domain. Only enable it when every exposed host is covered and no child tenant runs its own ingress controller. Off by default so a &lt;code&gt;dns01&lt;/code&gt; cluster is never switched silently on upgrade.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.wildcardSecretName&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Operator-provided wildcard TLS Secret. When set, platform services and the root tenant&amp;rsquo;s ingress/Gateway serve this pre-existing Secret instead of minting per-host ACME certificates (only the NAME travels the values channel — never the key material), and takes precedence over &lt;code&gt;publishing.certificates.wildcard&lt;/code&gt;. The Secret must exist in the publishing namespace (&lt;code&gt;tenant-root&lt;/code&gt; by default), hold valid PEM under &lt;code&gt;tls.crt&lt;/code&gt; / &lt;code&gt;tls.key&lt;/code&gt; (created as &lt;code&gt;kubernetes.io/tls&lt;/code&gt;, though only the material is validated), and cover the served hosts. &lt;strong&gt;Scoped to the root tenant but not enforced&lt;/strong&gt; — the name reaches every tenant, so a child running its own ingress controller can be left serving a self-signed certificate (
&lt;a href="https://github.com/cozystack/cozystack/issues/3296" target="_blank"&gt;cozystack/cozystack#3296&lt;/a&gt;). See 
&lt;a href="https://deploy-preview-619--cozystack.netlify.app/docs/next/networking/gateway-api/#certificates" target="_blank"&gt;Gateway API → Certificates&lt;/a&gt; for the full behaviour and the three child-tenant cases. Leave empty to keep ACME issuance.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.provider&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;cloudflare&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;DNS-01 provider when &lt;code&gt;solver=dns01&lt;/code&gt;. Possible values: &lt;code&gt;cloudflare&lt;/code&gt;, &lt;code&gt;route53&lt;/code&gt;, &lt;code&gt;digitalocean&lt;/code&gt;, &lt;code&gt;rfc2136&lt;/code&gt;. Both the per-tenant Issuer (rendered by &lt;code&gt;cozystack-controller&lt;/code&gt; from the &lt;code&gt;TenantGateway&lt;/code&gt; CR) and the cluster-wide &lt;code&gt;letsencrypt-prod&lt;/code&gt; / &lt;code&gt;letsencrypt-stage&lt;/code&gt; &lt;code&gt;ClusterIssuer&lt;/code&gt;s used by the legacy ingress flow read this.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.cloudflare.secretName&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;cloudflare-api-token-secret&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Secret name holding a Cloudflare API token with &lt;code&gt;Zone:Read&lt;/code&gt; + &lt;code&gt;Zone:DNS:Edit&lt;/code&gt; on the apex zone.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.cloudflare.secretKey&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;api-token&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Key inside the Secret holding the API token.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.route53.region&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;AWS region of the Route53 hosted zone. Required when &lt;code&gt;provider=route53&lt;/code&gt;.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.route53.accessKeyID&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;IAM access key ID. Optional when running with IRSA / instance profile.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.route53.secretName&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Secret name holding the IAM secret access key. Optional when running with IRSA / instance profile.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.route53.secretKey&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;secret-access-key&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Key inside the Route53 Secret holding the secret access key.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.digitalocean.secretName&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;digitalocean-api-token-secret&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Secret name holding a DigitalOcean API token with write access to the apex domain.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.digitalocean.secretKey&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;access-token&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Key inside the Secret holding the DigitalOcean token.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.rfc2136.nameserver&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;host:port&lt;/code&gt; of the authoritative nameserver accepting RFC 2136 dynamic updates. Required when &lt;code&gt;provider=rfc2136&lt;/code&gt;.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.rfc2136.tsigKeyName&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;TSIG key name authorising the dynamic updates. Required when &lt;code&gt;provider=rfc2136&lt;/code&gt;.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.rfc2136.tsigAlgorithm&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;HMACSHA256&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;TSIG HMAC algorithm.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.rfc2136.secretName&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Secret name holding the TSIG key material. Required when &lt;code&gt;provider=rfc2136&lt;/code&gt;.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.certificates.dns01.rfc2136.secretKey&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;&amp;quot;tsig-secret-key&amp;quot;&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Key inside the Secret holding the TSIG key.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.proxyProtocol&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;false&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Enables PROXY-protocol on the host ingress-nginx and auto-deploys 
&lt;a href="https://deploy-preview-619--cozystack.netlify.app/docs/next/networking/hairpin-proxy-protocol/" target="_blank"&gt;ouroboros&lt;/a&gt; to fix the resulting hairpin-NAT problem. The upstream L4 LB in front of ingress-nginx must already be injecting PROXY-v1 headers before this flag flips on; see the linked page for verification recipes and the disable path.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;code&gt;publishing.proxyProtocolAcknowledgeUnclean&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;&lt;code&gt;false&lt;/code&gt;&lt;/td&gt;
 &lt;td&gt;Acknowledgement gate for the &lt;code&gt;helm.sh/resource-policy: keep&lt;/code&gt; asymmetry on the host disable path. Flipping &lt;code&gt;publishing.proxyProtocol&lt;/code&gt; from &lt;code&gt;true&lt;/code&gt; back to &lt;code&gt;false&lt;/code&gt; stops emitting the &lt;code&gt;cozystack.ouroboros&lt;/code&gt; Package CR but does not uninstall the existing one — the platform render fails until either the Package CR is deleted (which triggers the chart&amp;rsquo;s pre-delete cleanup hook) or this flag is set to &lt;code&gt;true&lt;/code&gt; to confirm the operator has handled the asymmetry. See 
&lt;a href="https://deploy-preview-619--cozystack.netlify.app/docs/next/networking/hairpin-proxy-protocol/#disable-path" target="_blank"&gt;hairpin-proxy-protocol → Disable path&lt;/a&gt; for the full sequence.&lt;/td&gt;
 &lt;/tr&gt;
 &lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;code&gt;publishing.exposure&lt;/code&gt; is not listed above on purpose: the key existed in v1.4 only and was removed before v1.5 shipped. It still works on a v1.4 cluster, but has no effect from v1.5 onward — &lt;code&gt;publishing.exposureClass&lt;/code&gt; is its successor. Drop the key when upgrading from v1.4 — and check what the host ingress Service becomes. A v1.4 cluster running &lt;code&gt;publishing.exposure: loadBalancer&lt;/code&gt; had a &lt;code&gt;LoadBalancer&lt;/code&gt; Service with &lt;code&gt;externalTrafficPolicy: Local&lt;/code&gt;; from v1.5 the key is ignored, so a cluster with &lt;code&gt;publishing.externalIPs&lt;/code&gt; set silently falls back to a &lt;code&gt;ClusterIP&lt;/code&gt; Service with &lt;code&gt;externalTrafficPolicy: Cluster&lt;/code&gt; and stops preserving client source IPs.&lt;/p&gt;</description></item><item><title>Cozystack Variants: Overview and Comparison</title><link>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/variants/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/variants/</guid><description>&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Variants&lt;/strong&gt; are pre-defined configurations of Cozystack that determine which bundles and components are enabled.
Each variant is tested, versioned, and guaranteed to work as a unit.
They simplify installation, reduce the risk of misconfiguration, and make it easier to choose the right set of features for your deployment.&lt;/p&gt;
&lt;p&gt;This guide is for infrastructure engineers, DevOps teams, and platform architects planning to deploy Cozystack in different environments.
It explains how Cozystack variants help tailor the installation to specific needs—whether you&amp;rsquo;re building a fully featured platform-as-a-service
or need full manual control over installed packages.&lt;/p&gt;</description></item><item><title>Cozystack Components Reference</title><link>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/components/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/components/</guid><description>&lt;h3 id="overwriting-component-parameters"&gt;Overwriting Component Parameters&lt;/h3&gt;
&lt;p&gt;You might want to override specific options for the components.
To achieve this, modify the corresponding Package resource and specify values
in the &lt;code&gt;spec.components&lt;/code&gt; section. The values structure follows the

&lt;a href="https://github.com/cozystack/cozystack/tree/main/packages/system" target="_blank"&gt;values.yaml&lt;/a&gt;
of the respective system chart in the Cozystack repository.&lt;/p&gt;
&lt;p&gt;For example, if you want to enable FRR-K8s mode for MetalLB, look at its

&lt;a href="https://github.com/cozystack/cozystack/blob/main/packages/system/metallb/values.yaml" target="_blank"&gt;values.yaml&lt;/a&gt;
to understand the available parameters, then modify the &lt;code&gt;cozystack.metallb&lt;/code&gt; Package:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="background-color:#f0f0f0;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;apiVersion&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;cozystack.io/v1alpha1&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;kind&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;Package&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;metadata&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;name&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;cozystack.metallb&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;namespace&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;cozy-system&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;spec&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;variant&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;default&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;components&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;metallb&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;values&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;metallb&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;frrk8s&lt;/span&gt;:&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#062873;font-weight:bold"&gt;enabled&lt;/span&gt;:&lt;span style="color:#bbb"&gt; &lt;/span&gt;&lt;span style="color:#007020;font-weight:bold"&gt;true&lt;/span&gt;&lt;span style="color:#bbb"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="enabling-and-disabling-components"&gt;Enabling and Disabling Components&lt;/h3&gt;
&lt;p&gt;Bundles have optional components that need to be explicitly enabled (included) in the installation.
Regular bundle components can, on the other hand, be disabled (excluded) from the installation, when you don&amp;rsquo;t need them.&lt;/p&gt;</description></item><item><title>Licenses</title><link>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/licenses/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/licenses/</guid><description>&lt;p&gt;This page lists the open-source components Cozystack ships, grouped by their role in the platform.
Cozystack-maintained charts, CRDs, controllers, and application APIs are licensed under &lt;strong&gt;Apache-2.0&lt;/strong&gt; and are not listed individually below.
For each upstream component, the card links to the upstream license file.&lt;/p&gt;


&lt;div class="alert alert-info" role="alert"&gt;


 This reference is hand-curated against the current &lt;code&gt;next&lt;/code&gt; set of components.
Container images can include additional operating-system packages and library dependencies with their own licenses.
Pinned upstream versions of managed runtimes (PostgreSQL, MariaDB, Kafka, etc.) may change between Cozystack minor releases — check the version of Cozystack you run.

&lt;/div&gt;

&lt;h2 id="operating-system-and-kubernetes-runtime"&gt;Operating system and Kubernetes runtime&lt;/h2&gt;
&lt;div class="oss-cards-grid"&gt;

&lt;div class="oss-card"&gt;
 &lt;div class="oss-card-head"&gt;&lt;img class="oss-card-logo" src="https://deploy-preview-619--cozystack.netlify.app/img/logos/components/talos.svg" alt="Talos Linux logo" loading="lazy"&gt;&lt;div class="oss-card-titleblock"&gt;
 &lt;a class="oss-card-title" href="https://github.com/siderolabs/talos/blob/main/LICENSE" rel="noopener" target="_blank"&gt;Talos Linux&lt;/a&gt;&lt;/div&gt;
 &lt;/div&gt;&lt;p class="oss-card-desc"&gt;Immutable Linux distribution built for Kubernetes nodes.&lt;/p&gt;</description></item><item><title>The Lineage Controller Webhook</title><link>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/lineage-controller-webhook/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/lineage-controller-webhook/</guid><description>&lt;p&gt;The &lt;strong&gt;lineage controller webhook&lt;/strong&gt; is a mutating admission webhook shipped as
part of the &lt;code&gt;cozystack.cozystack-engine&lt;/code&gt; Package. On every CREATE and UPDATE
of a tenant &lt;code&gt;Pod&lt;/code&gt;, &lt;code&gt;Secret&lt;/code&gt;, &lt;code&gt;Service&lt;/code&gt;, &lt;code&gt;PersistentVolumeClaim&lt;/code&gt;,
&lt;code&gt;Ingress&lt;/code&gt;, or &lt;code&gt;WorkloadMonitor&lt;/code&gt; it walks up the ownership graph and stamps the
owning Cozystack &lt;code&gt;Application&lt;/code&gt;&amp;rsquo;s identity onto the resource as labels
(&lt;code&gt;apps.cozystack.io/application.{group,kind,name}&lt;/code&gt;). The Cozystack dashboard,
the aggregated API server, and the SchedulingClass mechanism all rely on those
labels.&lt;/p&gt;
&lt;p&gt;The webhook is registered with &lt;code&gt;failurePolicy: Fail&lt;/code&gt;, so the kube-apiserver
must be able to reach a healthy webhook pod for tenant CREATE/UPDATE traffic
to succeed.&lt;/p&gt;</description></item><item><title>White Labeling</title><link>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/white-labeling/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/white-labeling/</guid><description>&lt;p&gt;White labeling allows you to replace default Cozystack branding with your own logos and text across the Dashboard UI and Keycloak authentication pages.&lt;/p&gt;
&lt;h2 id="overview"&gt;Overview&lt;/h2&gt;
&lt;p&gt;Branding is configured through the &lt;code&gt;branding&lt;/code&gt; field in the Platform Package (&lt;code&gt;spec.components.platform.values.branding&lt;/code&gt;). The configuration propagates automatically to:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Dashboard&lt;/strong&gt;: logo, page title, footer text, favicon, and tenant identifier&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Keycloak&lt;/strong&gt;: realm display name on authentication pages&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="configuration"&gt;Configuration&lt;/h2&gt;
&lt;p&gt;Edit your Platform Package to add or update the &lt;code&gt;branding&lt;/code&gt; section:&lt;/p&gt;</description></item><item><title>Telemetry</title><link>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/telemetry/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-619--cozystack.netlify.app/docs/next/operations/configuration/telemetry/</guid><description>&lt;p&gt;This document outlines the telemetry feature within the Cozystack project, detailing the rationale behind data collection, the nature of the data collected, data handling practices, and instructions for opting out.&lt;/p&gt;
&lt;h2 id="why-we-collect-telemetry"&gt;Why We Collect Telemetry&lt;/h2&gt;
&lt;p&gt;Cozystack, as an open source project, thrives on community feedback and usage insights. Telemetry data allows maintainers to understand how Cozystack is being used in real-world scenarios. This data informs decisions related to feature prioritization, testing strategies, bug fixes, and overall project evolution. Without telemetry, decisions would rely on guesswork or limited feedback, which might slow down improvement cycles or introduce features that don’t align with users’ needs. Telemetry ensures that development is guided by actual usage patterns and community requirements, fostering a more robust and user-centric platform.&lt;/p&gt;</description></item></channel></rss>