From 8e009c50f0e5d0f8afe5bafb5cb559b3b0a4927f Mon Sep 17 00:00:00 2001
From: Carson Yang <yangchuansheng33@gmail.com>
Date: Thu, 11 Dec 2025 22:32:09 +0800
Subject: [PATCH 1/9] Add Grafana OpenTelemetry Stack template (#550)

---
 template/grafana-otel/README.md  | 172 +++++++++++
 template/grafana-otel/index.yaml | 487 +++++++++++++++++++++++++++++++
 template/grafana-otel/logo.svg   |  51 ++++
 3 files changed, 710 insertions(+)
 create mode 100644 template/grafana-otel/README.md
 create mode 100644 template/grafana-otel/index.yaml
 create mode 100644 template/grafana-otel/logo.svg

diff --git a/template/grafana-otel/README.md b/template/grafana-otel/README.md
new file mode 100644
index 00000000..51f14a6f
--- /dev/null
+++ b/template/grafana-otel/README.md
@@ -0,0 +1,172 @@
+# Deploy and Host Grafana OpenTelemetry Stack on Sealos
+
+Grafana OpenTelemetry Stack is a pre-configured observability solution that combines Grafana's powerful visualization capabilities with OpenTelemetry Collector's data collection and Prometheus's metrics storage. This template provides one-click deployment of a complete OTLP-based monitoring stack, enabling comprehensive application observability with minimal setup on Sealos Cloud.
+
+## About Hosting Grafana OpenTelemetry Stack
+
+The Grafana OpenTelemetry Stack runs as a unified observability platform that receives, processes, and visualizes telemetry data from your applications. The OpenTelemetry Collector serves as the central data ingestion point, accepting metrics via OTLP (gRPC on port 4317, HTTP on port 4318) and exporting them to Prometheus for storage. Grafana provides the visualization layer with pre-configured Prometheus datasource, allowing you to build dashboards and explore your metrics immediately after deployment.
+
+The Sealos template automatically provisions persistent storage for both Prometheus time-series data and Grafana configuration, ensuring your metrics history and custom dashboards survive restarts and updates.
+
+## Common Use Cases
+
+- **Application Performance Monitoring**: Collect and visualize application metrics from services instrumented with OpenTelemetry SDKs
+- **Microservices Observability**: Monitor distributed systems with centralized metrics collection and correlation
+- **Infrastructure Monitoring**: Track system-level metrics from containerized workloads
+- **Custom Metrics Dashboards**: Build tailored visualizations for business-specific KPIs and operational metrics
+- **Development and Testing**: Quickly spin up observability infrastructure for development environments
+
+## Dependencies for Grafana OpenTelemetry Stack Hosting
+
+The Sealos template includes all required components: OpenTelemetry Collector, Prometheus, and Grafana with pre-configured datasources.
+
+### Deployment Dependencies
+
+- [OpenTelemetry Collector Documentation](https://opentelemetry.io/docs/collector/) - Official collector documentation
+- [OpenTelemetry SDK Instrumentation](https://opentelemetry.io/docs/instrumentation/) - Guide for instrumenting your applications
+- [Grafana Documentation](https://grafana.com/docs/grafana/latest/) - Grafana visualization and dashboard creation
+- [Prometheus Documentation](https://prometheus.io/docs/) - Metrics storage and querying
+
+## Implementation Details
+
+### Architecture Components
+
+This template deploys three interconnected services:
+
+- **OpenTelemetry Collector**: Central telemetry data receiver and processor
+  - OTLP gRPC endpoint: Port 4317
+  - OTLP HTTP endpoint: Port 4318
+  - Prometheus metrics export: Port 8889
+  - zPages debugging: Port 55679
+  
+- **Prometheus**: Time-series database for metrics storage
+  - HTTP API: Port 9090
+  - 365-day data retention
+  - Persistent storage: 100Mi
+  
+- **Grafana**: Visualization and dashboarding platform
+  - Web UI: Port 3000 (exposed via Ingress with SSL)
+  - Pre-configured Prometheus datasource
+  - Persistent storage: 100Mi
+
+**Resource Allocation:**
+
+| Component | CPU Request | CPU Limit | Memory Request | Memory Limit |
+|-----------|-------------|-----------|----------------|--------------|
+| OTel Collector | 200m | 1000m | 400Mi | 2Gi |
+| Prometheus | 20m | 200m | 25Mi | 256Mi |
+| Grafana | 20m | 200m | 25Mi | 256Mi |
+
+### Configuring Your Applications
+
+To send telemetry data to this stack, configure your applications with these environment variables:
+
+```bash
+# For OTLP HTTP protocol
+OTEL_EXPORTER_OTLP_ENDPOINT="http://<app-name>.<namespace>.svc.cluster.local:4318"
+OTEL_EXPORTER_OTLP_PROTOCOL="http/protobuf"
+OTEL_TRACES_EXPORTER="otlp"
+OTEL_METRICS_EXPORTER="otlp"
+OTEL_SERVICE_NAME="your-service-name"
+```
+
+```bash
+# For OTLP gRPC protocol
+OTEL_EXPORTER_OTLP_ENDPOINT="http://<app-name>.<namespace>.svc.cluster.local:4317"
+OTEL_EXPORTER_OTLP_PROTOCOL="grpc"
+```
+
+Replace `<app-name>` with your deployment's app name and `<namespace>` with your Sealos namespace.
+
+**Example: Java Application with OpenTelemetry Agent**
+
+```dockerfile
+FROM openjdk:17-jdk-slim
+ARG OTEL_VERSION=v1.32.0
+
+WORKDIR /app
+COPY target/*.jar app.jar
+
+RUN apt-get update && \
+    apt-get install -y curl && \
+    curl -L https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/${OTEL_VERSION}/opentelemetry-javaagent.jar \
+    -o opentelemetry-javaagent.jar && \
+    apt-get purge -y --auto-remove curl && \
+    rm -rf /var/lib/apt/lists/*
+
+CMD ["java", "-javaagent:opentelemetry-javaagent.jar", "-jar", "app.jar"]
+```
+
+## Why Deploy Grafana OpenTelemetry Stack on Sealos?
+
+Sealos is an AI-assisted Cloud Operating System built on Kubernetes that unifies the entire application lifecycle, from development in cloud IDEs to production deployment and management. By deploying Grafana OpenTelemetry Stack on Sealos, you get:
+
+- **One-Click Deployment**: Deploy a complete observability stack with Grafana, Prometheus, and OpenTelemetry Collector in seconds. No complex configuration or Kubernetes expertise required.
+- **Pre-Configured Integration**: All components are pre-wired together. Prometheus automatically scrapes metrics from the collector, and Grafana comes with the Prometheus datasource ready to use.
+- **Persistent Storage**: Built-in persistent storage ensures your metrics history and Grafana dashboards survive restarts and updates.
+- **Secure Public Access**: Grafana gets automatic public URL with SSL certificate, allowing secure access from anywhere.
+- **Easy Scaling**: Adjust resources through intuitive forms as your monitoring needs grow.
+- **Internal Service Discovery**: Your applications can easily send telemetry to the collector using Kubernetes internal DNS.
+
+Deploy Grafana OpenTelemetry Stack on Sealos and focus on building great applications instead of managing monitoring infrastructure.
+
+## Deployment Guide
+
+1. Visit [Sealos Cloud](https://os.sealos.io/?openapp=system-brain?trial=true)
+2. Click "From Template"
+3. Search for "Grafana OpenTelemetry" in the App Store
+4. Click "Deploy" (no configuration required for basic deployment)
+5. Wait for deployment to complete (typically 1-2 minutes)
+6. Access Grafana via the provided URL (shown in the canvas)
+7. Default Grafana credentials: admin / admin (you'll be prompted to change on first login)
+
+## Configuration
+
+After deployment, you can customize your stack tin the canvas:
+
+- **Resource Scaling**: Adjust CPU and Memory for each component based on your telemetry volume
+- **Storage Expansion**: Increase Prometheus storage for longer retention periods
+- **Grafana Dashboards**: Import community dashboards or create custom ones for your specific needs
+
+### Service Endpoints
+
+| Service | Internal Endpoint | Purpose |
+|---------|-------------------|---------|
+| OTel Collector | `<app-name>.<namespace>.svc.cluster.local:4317` | OTLP gRPC ingestion |
+| OTel Collector | `<app-name>.<namespace>.svc.cluster.local:4318` | OTLP HTTP ingestion |
+| Prometheus | `<app-name>-prometheus.<namespace>.svc.cluster.local:9090` | Metrics query API |
+| Grafana | `https://<app-host>.<domain>` | Web UI (public) |
+
+## Troubleshooting
+
+### Common Issues
+
+**Issue 1: Metrics Not Appearing in Grafana**
+- Cause: Application not sending data to the correct endpoint
+- Solution: Verify your application's OTEL_EXPORTER_OTLP_ENDPOINT points to the collector service. Check that your application is properly instrumented with OpenTelemetry SDK.
+
+**Issue 2: Prometheus Storage Full**
+- Cause: High cardinality metrics or extended retention period
+- Solution: Increase storage allocation in the canvas, or adjust the retention period in Prometheus configuration.
+
+**Issue 3: Cannot Access Grafana**
+- Cause: Ingress or certificate issues
+- Solution: Verify the Ingress resource is created and the SSL certificate is provisioned. Check App Launchpad for the correct public URL.
+
+### Getting Help
+
+- [OpenTelemetry Documentation](https://opentelemetry.io/docs/)
+- [Grafana Community](https://community.grafana.com/)
+- [Prometheus Community](https://prometheus.io/community/)
+- [Sealos Discord Community](https://discord.gg/wdUn538zVP)
+
+## Additional Resources
+
+- [OpenTelemetry Collector Configuration](https://opentelemetry.io/docs/collector/configuration/)
+- [Grafana Dashboard Gallery](https://grafana.com/grafana/dashboards/)
+- [OpenTelemetry Demo Application](https://opentelemetry.io/docs/demo/) - Reference implementation for testing
+- [PromQL Query Language](https://prometheus.io/docs/prometheus/latest/querying/basics/)
+
+## License
+
+This Sealos template is provided under MIT License. The included components (OpenTelemetry Collector, Prometheus, Grafana) are provided under their respective licenses - Apache 2.0 for OpenTelemetry and Prometheus, AGPL-3.0 for Grafana.
diff --git a/template/grafana-otel/index.yaml b/template/grafana-otel/index.yaml
new file mode 100644
index 00000000..b7b9b6ef
--- /dev/null
+++ b/template/grafana-otel/index.yaml
@@ -0,0 +1,487 @@
+apiVersion: app.sealos.io/v1
+kind: Template
+metadata:
+  name: grafana-otel
+spec:
+  title: "Grafana OpenTelemetry Stack"
+  description: "One-click Grafana/OTLP stack deployment"
+  url: "https://github.com/labring-actions/templates/tree/main/template/grafana-otel"
+  gitRepo: "https://github.com/labring-actions/templates/tree/main/template/grafana-otel"
+  author: "Sealos"
+  readme: "https://raw.githubusercontent.com/labring-actions/templates/main/template/grafana-otel/README.md"
+  icon: "https://raw.githubusercontent.com/labring-actions/templates/main/template/grafana-otel/logo.svg"
+  templateType: inline
+  locale: en
+  categories:
+    - monitor
+    - dev-ops
+  defaults:
+    app_host:
+      type: string
+      value: grafana-otel-${{ random(8) }}
+    app_name:
+      type: string
+      value: grafana-otel-${{ random(8) }}
+
+---
+# ConfigMap
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ${{ defaults.app_name }}
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
+data:
+  vn-confvn-otelvn-collectorvn-configvn-yaml: |
+    receivers:
+      otlp:
+        protocols:
+          grpc:
+            endpoint: ${env:MY_POD_IP}:4317
+          http:
+            endpoint: ${env:MY_POD_IP}:4318
+    processors:
+      batch:
+    extensions:
+      zpages: {}
+    exporters:
+      prometheus:
+        endpoint: 0.0.0.0:8889
+    service:
+      extensions: [zpages]
+      pipelines:
+        metrics:
+          receivers: [otlp]
+          processors: [batch]
+          exporters: [prometheus]
+
+---
+# Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${{ defaults.app_name }}
+  annotations:
+    originImageName: otel/opentelemetry-collector:0.99.0
+    deploy.cloud.sealos.io/minReplicas: "1"
+    deploy.cloud.sealos.io/maxReplicas: "1"
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
+    app: opentelemetry
+    component: otel-collector
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: ${{ defaults.app_name }}
+  template:
+    metadata:
+      labels:
+        app: ${{ defaults.app_name }}
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - name: ${{ defaults.app_name }}
+          image: otel/opentelemetry-collector:0.99.0
+          imagePullPolicy: IfNotPresent
+          command:
+            - "/otelcol"
+            - "--config=/conf/otel-collector-config.yaml"
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 10m
+              memory: 12Mi
+          ports:
+            - containerPort: 55679
+              name: zpages
+            - containerPort: 4317
+              name: otlp-grpc
+            - containerPort: 4318
+              name: otlp-http
+            - containerPort: 14250
+              name: jaeger-grpc
+            - containerPort: 14268
+              name: jaeger-http
+            - containerPort: 9411
+              name: zipkin
+            - containerPort: 8889
+              name: metrics
+          env:
+            - name: MY_POD_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+          volumeMounts:
+            - name: vn-confvn-otelvn-collectorvn-configvn-yaml
+              mountPath: /conf/otel-collector-config.yaml
+              subPath: ./conf/otel-collector-config.yaml
+      volumes:
+        - name: vn-confvn-otelvn-collectorvn-configvn-yaml
+          configMap:
+            name: ${{ defaults.app_name }}
+            items:
+              - key: vn-confvn-otelvn-collectorvn-configvn-yaml
+                path: ./conf/otel-collector-config.yaml
+            defaultMode: 420
+
+---
+# Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${{ defaults.app_name }}
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
+spec:
+  ports:
+    - name: otlp-grpc
+      port: 4317
+      protocol: TCP
+      targetPort: 4317
+    - name: otlp-http
+      port: 4318
+      protocol: TCP
+      targetPort: 4318
+    - name: metrics
+      port: 8889
+      protocol: TCP
+      targetPort: 8889
+    - name: zpages
+      port: 55679
+      protocol: TCP
+      targetPort: 55679
+  selector:
+    app: ${{ defaults.app_name }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ${{ defaults.app_name }}-prometheus
+data:
+  vn-etcvn-prometheusvn-prometheusvn-yml: >-
+    # my global config
+
+    global:
+      scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+      evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+      # scrape_timeout is set to the global default (10s).
+
+    # Alertmanager configuration
+
+    alerting:
+      alertmanagers:
+        - static_configs:
+            - targets:
+              # - alertmanager:9093
+
+    # Load rules once and periodically evaluate them according to the global
+    'evaluation_interval'.
+
+    rule_files:
+      # - "first_rules.yml"
+      # - "second_rules.yml"
+
+    # A scrape configuration containing exactly one endpoint to scrape:
+
+    # Here it's Prometheus itself.
+
+    scrape_configs:
+      # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
+      - job_name: "prometheus"
+
+        # metrics_path defaults to '/metrics'
+        # scheme defaults to 'http'.
+
+        static_configs:
+          - targets: ["localhost:9090"]
+           # The label name is added as a label `label_name=<label_value>` to any timeseries scraped from this config.
+            labels:
+              app: "prometheus"
+          - targets: ["${{ defaults.app_name }}.${{ SEALOS_NAMESPACE }}.svc.cluster.local:8889"]
+           # The label name is added as a label `label_name=<label_value>` to any timeseries scraped from this config.
+            labels:
+              app: "otel-collector"
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: ${{ defaults.app_name }}-prometheus
+  annotations:
+    originImageName: prom/prometheus:v3.8.0
+    deploy.cloud.sealos.io/minReplicas: "1"
+    deploy.cloud.sealos.io/maxReplicas: "1"
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}-prometheus
+    app: ${{ defaults.app_name }}-prometheus
+spec:
+  serviceName: ${{ defaults.app_name }}-prometheus
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: ${{ defaults.app_name }}-prometheus
+  template:
+    metadata:
+      labels:
+        app: ${{ defaults.app_name }}-prometheus
+    spec:
+      automountServiceAccountToken: false
+      initContainers:
+        - name: init-step
+          image: busybox
+          command:
+            - sh
+            - -c
+            - |
+              chown -R 65534:65534 /prometheus
+          volumeMounts:
+            - name: vn-prometheus
+              mountPath: /prometheus
+          imagePullPolicy: IfNotPresent
+      containers:
+        - name: ${{ defaults.app_name }}-prometheus
+          image: prom/prometheus:v3.8.0
+          imagePullPolicy: IfNotPresent
+          args:
+            - --config.file=/etc/prometheus/prometheus.yml
+            - --storage.tsdb.path=/prometheus
+            - --storage.tsdb.retention.time=365d
+            - --web.console.libraries=/usr/share/prometheus/console_libraries
+            - --web.console.templates=/usr/share/prometheus/consoles
+            - --web.external-url=http://0.0.0.0:9090
+            - --log.level=info
+          ports:
+            - name: http
+              containerPort: 9090
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 10m
+              memory: 12Mi
+          volumeMounts:
+            - name: prometheus-cm
+              mountPath: /etc/prometheus/prometheus.yml
+              subPath: vn-etcvn-prometheusvn-prometheusvn-yml
+            - name: vn-prometheus
+              mountPath: /prometheus
+
+      volumes:
+        - name: prometheus-cm
+          configMap:
+            name: ${{ defaults.app_name }}-prometheus
+  volumeClaimTemplates:
+    - metadata:
+        annotations:
+          path: /prometheus
+          value: "0.1"
+        name: vn-prometheus
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 100Mi
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${{ defaults.app_name }}-prometheus
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}-prometheus
+spec:
+  ports:
+    - name: http
+      port: 9090
+      protocol: TCP
+      targetPort: 9090
+  selector:
+    app: ${{ defaults.app_name }}-prometheus
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ${{ defaults.app_name }}-grafana
+data:
+  vn-etcvn-grafanavn-provisioningvn-datasourcesvn-datasourcesvn-yml: >-
+    # Configuration file version
+    # See here fore more information on configuration:
+    # https://grafana.com/docs/grafana/latest/administration/provisioning/#example-data-source-configuration-file
+
+    apiVersion: 1
+
+    # Mark provisioned data sources for deletion if they are no longer in a provisioning file.
+
+    prune: false
+
+    # List of data sources to insert/update depending on what's available.
+
+    datasources:
+      - name: Prometheus
+        type: prometheus
+        access: proxy
+        orgId: 1
+        uid: grafana_prometheus
+        url: http://${{ defaults.app_name }}-prometheus.${{ SEALOS_NAMESPACE }}.svc.cluster.local:9090
+        basicAuth: false
+        editable: false
+        isDefault: false
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: ${{ defaults.app_name }}-grafana
+  annotations:
+    originImageName: grafana/grafana:12.3.0
+    deploy.cloud.sealos.io/minReplicas: "1"
+    deploy.cloud.sealos.io/maxReplicas: "1"
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}-grafana
+    app: ${{ defaults.app_name }}-grafana
+spec:
+  serviceName: ${{ defaults.app_name }}-grafana
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: ${{ defaults.app_name }}-grafana
+  template:
+    metadata:
+      labels:
+        app: ${{ defaults.app_name }}-grafana
+    spec:
+      automountServiceAccountToken: false
+      initContainers:
+        - name: init-step
+          image: busybox
+          command:
+            - sh
+            - -c
+            - |
+              chown -R 472:0 /var/lib/grafana
+          volumeMounts:
+            - name: vn-varvn-libvn-grafana
+              mountPath: /var/lib/grafana
+          imagePullPolicy: IfNotPresent
+      containers:
+        - name: ${{ defaults.app_name }}-grafana
+          image: grafana/grafana:12.3.0
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 10m
+              memory: 12Mi
+          volumeMounts:
+            - name: grafana-cm
+              mountPath: /etc/grafana/provisioning/datasources/datasources.yml
+              subPath: vn-etcvn-grafanavn-provisioningvn-datasourcesvn-datasourcesvn-yml
+            - name: vn-varvn-libvn-grafana
+              mountPath: /var/lib/grafana
+
+      volumes:
+        - name: grafana-cm
+          configMap:
+            name: ${{ defaults.app_name }}-grafana
+  volumeClaimTemplates:
+    - metadata:
+        annotations:
+          path: /var/lib/grafana
+          value: "0.1"
+        name: vn-varvn-libvn-grafana
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 100Mi
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${{ defaults.app_name }}-grafana
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}-grafana
+spec:
+  ports:
+    - name: http
+      port: 3000
+      protocol: TCP
+      targetPort: 3000
+  selector:
+    app: ${{ defaults.app_name }}-grafana
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ${{ defaults.app_name }}-grafana
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}-grafana
+    cloud.sealos.io/app-deploy-manager-domain: ${{ defaults.app_host }}
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-body-size: 32m
+    nginx.ingress.kubernetes.io/server-snippet: |
+      client_header_buffer_size 64k;
+      large_client_header_buffers 4 128k;
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      if ($request_uri ~* \.(js|css|gif|jpe?g|png)) {
+        expires 30d;
+        add_header Cache-Control "public";
+      }
+spec:
+  rules:
+    - host: ${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
+      http:
+        paths:
+          - pathType: Prefix
+            path: /
+            backend:
+              service:
+                name: ${{ defaults.app_name }}-grafana
+                port:
+                  number: 3000
+  tls:
+    - hosts:
+        - ${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
+      secretName: ${{ SEALOS_CERT_SECRET_NAME }}
+
+---
+apiVersion: app.sealos.io/v1
+kind: App
+metadata:
+  name: ${{ defaults.app_name }}
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
+spec:
+  data:
+    url: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
+  displayType: normal
+  icon: "https://raw.githubusercontent.com/labring-actions/templates/main/template/grafana-otel/logo.svg"
+  name: "Grafana OpenTelemetry Stack"
+  type: link
diff --git a/template/grafana-otel/logo.svg b/template/grafana-otel/logo.svg
new file mode 100644
index 00000000..fcc9cab6
--- /dev/null
+++ b/template/grafana-otel/logo.svg
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 24.2.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 85.1 92.5" style="enable-background:new 0 0 85.1 92.5;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:url(#SVGID_1_);}
+</style>
+<linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="42.562" y1="113.2595" x2="42.562" y2="28.7828">
+	<stop  offset="0" style="stop-color:#FFF200"/>
+	<stop  offset="1" style="stop-color:#F15A29"/>
+</linearGradient>
+<path class="st0" d="M85,40.8c-0.1-1.6-0.4-3.3-0.9-5.3c-0.5-2-1.3-4.1-2.4-6.4c-1.1-2.2-2.6-4.6-4.5-6.8c-0.7-0.9-1.5-1.8-2.4-2.6
+	c1.3-5.2-1.6-9.7-1.6-9.7c-5-0.3-8.1,1.5-9.3,2.4c-0.2-0.1-0.4-0.2-0.6-0.2c-0.8-0.3-1.7-0.7-2.6-0.9c-0.9-0.3-1.8-0.5-2.7-0.8
+	c-0.9-0.2-1.9-0.4-2.9-0.6c-0.2,0-0.3,0-0.5-0.1C52.4,2.9,46.2,0,46.2,0c-6.9,4.4-8.3,10.6-8.3,10.6s0,0.1-0.1,0.4
+	c-0.4,0.1-0.8,0.2-1.2,0.3c-0.5,0.2-1.1,0.4-1.6,0.5c-0.5,0.2-1.1,0.4-1.6,0.6c-1,0.5-2.1,1-3.1,1.5c-1,0.6-2,1.2-2.9,1.8
+	c-0.1-0.1-0.2-0.1-0.2-0.1C17.6,12,9.1,16.5,9.1,16.5c-0.8,10.2,3.8,16.7,4.8,17.9c-0.2,0.6-0.4,1.3-0.6,1.9
+	c-0.7,2.3-1.2,4.7-1.6,7.2c0,0.4-0.1,0.7-0.1,1.1C2.6,48.8,0,57.8,0,57.8c7.4,8.5,16.1,9.1,16.1,9.1c0,0,0,0,0,0
+	c1.1,2,2.4,3.8,3.8,5.6c0.6,0.7,1.2,1.4,1.9,2.1c-2.7,7.7,0.4,14.2,0.4,14.2c8.3,0.3,13.7-3.6,14.8-4.5c0.8,0.3,1.7,0.5,2.5,0.7
+	c2.5,0.7,5.1,1,7.7,1.2c0.6,0,1.3,0,1.9,0l0.3,0l0.2,0l0.4,0l0.4,0l0,0c3.9,5.6,10.7,6.3,10.7,6.3c4.9-5.1,5.1-10.2,5.1-11.3l0,0
+	c0,0,0,0,0-0.1c0-0.1,0-0.2,0-0.2s0,0,0,0c0-0.1,0-0.2,0-0.2c1-0.7,2-1.5,2.9-2.3c1.9-1.8,3.7-3.8,5.1-5.9c0.1-0.2,0.3-0.4,0.4-0.6
+	c5.5,0.3,9.4-3.4,9.4-3.4c-0.9-5.7-4.2-8.5-4.9-9.1l0,0c0,0,0,0-0.1-0.1c0,0-0.1,0-0.1,0l0,0c0,0-0.1,0-0.1-0.1c0-0.3,0.1-0.7,0.1-1
+	c0-0.6,0.1-1.2,0.1-1.9l0-0.5l0-0.2l0-0.1c0-0.2,0-0.1,0-0.2l0-0.4l0-0.5c0-0.2,0-0.3,0-0.5c0-0.2,0-0.3,0-0.5L79,52.9l-0.1-0.5
+	c-0.1-0.6-0.2-1.3-0.4-1.9c-0.6-2.5-1.5-4.8-2.8-6.9c-1.3-2.1-2.9-4-4.7-5.6c-1.8-1.6-3.8-2.8-5.9-3.8c-2.1-0.9-4.3-1.6-6.5-1.8
+	c-1.1-0.1-2.2-0.2-3.3-0.2l-0.4,0l-0.1,0c0,0-0.2,0-0.1,0l-0.2,0l-0.4,0c-0.2,0-0.3,0-0.4,0c-0.6,0.1-1.1,0.1-1.7,0.2
+	c-2.2,0.4-4.2,1.2-6.1,2.3c-1.8,1.1-3.4,2.4-4.7,4c-1.3,1.5-2.3,3.2-3,5c-0.7,1.8-1.1,3.6-1.2,5.4c0,0.4,0,0.9,0,1.3
+	c0,0.1,0,0.2,0,0.3l0,0.4c0,0.2,0,0.4,0,0.6c0.1,0.9,0.3,1.8,0.5,2.6c0.5,1.7,1.2,3.2,2.2,4.4c0.9,1.3,2.1,2.3,3.3,3.2
+	c1.2,0.8,2.5,1.4,3.8,1.8c1.3,0.4,2.5,0.5,3.7,0.5c0.1,0,0.3,0,0.4,0c0.1,0,0.2,0,0.2,0c0.1,0,0.2,0,0.2,0c0.1,0,0.3,0,0.4,0
+	c0,0,0.1,0,0.1,0l0.1,0c0.1,0,0.2,0,0.2,0c0.2,0,0.3,0,0.4-0.1c0.1,0,0.3-0.1,0.4-0.1c0.3-0.1,0.5-0.1,0.8-0.2
+	c0.5-0.2,1-0.4,1.5-0.6c0.5-0.2,0.9-0.5,1.3-0.8c0.1-0.1,0.2-0.2,0.3-0.2c0.4-0.3,0.5-0.9,0.1-1.3c-0.3-0.4-0.8-0.5-1.2-0.2
+	c-0.1,0.1-0.2,0.1-0.3,0.2c-0.3,0.2-0.7,0.3-1.1,0.4c-0.4,0.1-0.8,0.2-1.2,0.3c-0.2,0-0.4,0.1-0.6,0.1c-0.1,0-0.2,0-0.3,0
+	c-0.1,0-0.2,0-0.3,0c-0.1,0-0.2,0-0.3,0c-0.1,0-0.3,0-0.4,0c0,0-0.1,0,0,0l0,0l-0.1,0c-0.1,0-0.1,0-0.2,0c-0.1,0-0.2,0-0.3,0
+	c-0.9-0.1-1.9-0.4-2.8-0.8c-0.9-0.4-1.8-1-2.6-1.7c-0.8-0.7-1.5-1.6-2-2.5c-0.5-1-0.9-2-1.1-3.2c-0.1-0.6-0.1-1.1-0.1-1.7
+	c0-0.2,0-0.3,0-0.5c0,0,0,0,0,0l0-0.1l0-0.1c0-0.1,0-0.2,0-0.2c0-0.3,0.1-0.6,0.1-0.9c0.4-2.4,1.7-4.8,3.6-6.6
+	c0.5-0.5,1-0.9,1.5-1.2c0.5-0.4,1.1-0.7,1.7-1c0.6-0.3,1.2-0.5,1.9-0.7c0.6-0.2,1.3-0.3,2-0.3c0.3,0,0.7,0,1,0c0.1,0,0.2,0,0.2,0
+	l0.3,0l0.2,0c0.1,0,0,0,0,0l0.1,0l0.3,0c0.7,0.1,1.5,0.2,2.2,0.3c1.4,0.3,2.8,0.8,4.1,1.6c2.6,1.4,4.8,3.7,6.2,6.4
+	c0.7,1.4,1.2,2.8,1.4,4.3c0.1,0.4,0.1,0.8,0.1,1.1l0,0.3l0,0.3c0,0.1,0,0.2,0,0.3c0,0.1,0,0.2,0,0.3l0,0.2l0,0.3c0,0.2,0,0.5,0,0.7
+	c0,0.4-0.1,0.8-0.1,1.2c0,0.4-0.1,0.8-0.2,1.2c-0.1,0.4-0.2,0.8-0.3,1.2c-0.2,0.8-0.5,1.6-0.8,2.4c-0.6,1.5-1.4,3-2.4,4.4
+	c-2,2.7-4.6,4.9-7.7,6.3c-1.5,0.7-3.1,1.2-4.8,1.5c-0.8,0.1-1.7,0.2-2.5,0.3l-0.2,0l-0.1,0l-0.3,0l-0.4,0l-0.2,0c0.1,0,0,0,0,0
+	l-0.1,0c-0.4,0-0.9,0-1.3-0.1c-1.8-0.1-3.6-0.5-5.3-1c-1.7-0.5-3.4-1.2-4.9-2c-3.1-1.7-6-4-8.2-6.8c-1.1-1.4-2.1-2.9-2.9-4.4
+	c-0.8-1.6-1.4-3.2-1.9-4.9c-0.5-1.7-0.7-3.4-0.9-5.1l0-0.3l0-0.1l0-0.1l0-0.1l0-0.3l0-0.1l0-0.1l0-0.2l0-0.4l0-0.1c0,0,0,0,0,0
+	l0-0.2c0-0.2,0-0.4,0-0.6c0-0.9,0.1-1.7,0.2-2.6c0.1-0.9,0.3-1.8,0.4-2.6c0.2-0.9,0.4-1.7,0.6-2.6c0.5-1.7,1.1-3.4,1.8-4.9
+	c1.4-3.1,3.3-5.9,5.6-8.1c0.6-0.6,1.2-1.1,1.8-1.6c0.6-0.5,1.2-0.9,1.9-1.4c0.6-0.4,1.3-0.8,2-1.2c0.3-0.2,0.7-0.3,1-0.5
+	c0.2-0.1,0.4-0.2,0.5-0.2c0.2-0.1,0.4-0.2,0.5-0.2c0.7-0.3,1.5-0.6,2.2-0.8c0.2-0.1,0.4-0.1,0.6-0.2c0.2-0.1,0.4-0.1,0.6-0.2
+	c0.4-0.1,0.8-0.2,1.1-0.3c0.2-0.1,0.4-0.1,0.6-0.1c0.2,0,0.4-0.1,0.6-0.1c0.2,0,0.4-0.1,0.6-0.1l0.3-0.1l0.3,0
+	c0.2,0,0.4-0.1,0.6-0.1c0.2,0,0.4-0.1,0.7-0.1c0.2,0,0.5-0.1,0.7-0.1c0.1,0,0.3,0,0.4,0l0.3,0l0.1,0l0.2,0c0.2,0,0.4,0,0.7,0l0.3,0
+	c0,0,0.1,0,0,0l0.1,0l0.1,0c0.2,0,0.4,0,0.6,0c0.8,0,1.5,0,2.2,0c1.5,0.1,2.9,0.2,4.3,0.5c2.8,0.5,5.5,1.4,7.9,2.6
+	c2.4,1.2,4.6,2.6,6.4,4.2c0.1,0.1,0.2,0.2,0.3,0.3c0.1,0.1,0.2,0.2,0.3,0.3c0.2,0.2,0.4,0.4,0.7,0.6c0.2,0.2,0.4,0.4,0.6,0.6
+	c0.2,0.2,0.4,0.4,0.6,0.6c0.8,0.8,1.5,1.7,2.2,2.6c1.3,1.7,2.4,3.4,3.2,5.1c0.1,0.1,0.1,0.2,0.2,0.3c0.1,0.1,0.1,0.2,0.1,0.3
+	c0.1,0.2,0.2,0.4,0.3,0.6c0.1,0.2,0.2,0.4,0.3,0.6c0.1,0.2,0.2,0.4,0.3,0.6c0.3,0.8,0.6,1.5,0.8,2.2c0.4,1.1,0.7,2.1,0.9,3
+	c0.1,0.3,0.4,0.6,0.8,0.5c0.4,0,0.7-0.3,0.7-0.7C85.1,43.1,85.1,42,85,40.8z"/>
+</svg>

From e5adb53278f2ed593a1aa68a388e255743994586 Mon Sep 17 00:00:00 2001
From: zzjin <tczzjin@gmail.com>
Date: Tue, 16 Dec 2025 16:55:48 +0800
Subject: [PATCH 2/9] Fix dify new version with CVE fix; and fix csrf token
 header. (#551)

* FIx template service label.

Signed-off-by: zzjin <tczzjin@gmail.com>

* fix svc usage.

Signed-off-by: zzjin <tczzjin@gmail.com>

* update Dify template to use version 1.11.1; enhance CORS headers

Signed-off-by: zzjin <tczzjin@gmail.com>

---------

Signed-off-by: zzjin <tczzjin@gmail.com>
---
 template/budibase/index.yaml |  1 -
 template/dify.yaml           | 12 ++++++------
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/template/budibase/index.yaml b/template/budibase/index.yaml
index 185ed3cc..0fe048ef 100644
--- a/template/budibase/index.yaml
+++ b/template/budibase/index.yaml
@@ -227,7 +227,6 @@ data:
     bind_address = any
     require_valid_user = false
 
-
     [couchdb]
     uuid = ${{ defaults.app_name }}-couchdb
 
diff --git a/template/dify.yaml b/template/dify.yaml
index 3d16dc9c..614ca27a 100644
--- a/template/dify.yaml
+++ b/template/dify.yaml
@@ -50,7 +50,7 @@ kind: StatefulSet
 metadata:
   name: ${{ defaults.app_name }}-api
   annotations:
-    originImageName: langgenius/dify-api:1.10.1-fix.1
+    originImageName: langgenius/dify-api:1.11.1
     deploy.cloud.sealos.io/minReplicas: '1'
     deploy.cloud.sealos.io/maxReplicas: '1'
   labels:
@@ -109,7 +109,7 @@ spec:
               echo "Dify database is ready"
       containers:
         - name: ${{ defaults.app_name }}-api
-          image: langgenius/dify-api:1.10.1-fix.1
+          image: langgenius/dify-api:1.11.1
           env:
             - name: MODE
               value: api
@@ -261,7 +261,7 @@ spec:
             - name: vn-appvn-apivn-storage
               mountPath: /app/api/storage
         - name: ${{ defaults.app_name }}-worker
-          image: langgenius/dify-api:1.10.1-fix.1
+          image: langgenius/dify-api:1.11.1
           env:
             - name: MODE
               value: worker
@@ -429,7 +429,7 @@ metadata:
     nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, DELETE, PATCH, OPTIONS"
     nginx.ingress.kubernetes.io/cors-allow-origin: "https://${{ SEALOS_CLOUD_DOMAIN }}, https://*.${{ SEALOS_CLOUD_DOMAIN }}"
     nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Range, Authorization, X-App-Code"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Range, Authorization, X-App-Code, X-App-Passport, X-CSRF-TOKEN"
     nginx.ingress.kubernetes.io/cors-max-age: "600"
 spec:
   rules:
@@ -455,7 +455,7 @@ kind: Deployment
 metadata:
   name: ${{ defaults.app_name }}-web
   annotations:
-    originImageName: langgenius/dify-web:1.10.1-fix.1
+    originImageName: langgenius/dify-web:1.11.1
     deploy.cloud.sealos.io/minReplicas: '1'
     deploy.cloud.sealos.io/maxReplicas: '1'
   labels:
@@ -511,7 +511,7 @@ spec:
               echo "Dify database is ready"
       containers:
         - name: ${{ defaults.app_name }}-web
-          image: langgenius/dify-web:1.10.1-fix.1
+          image: langgenius/dify-web:1.11.1
           env:
             - name: EDITION
               value: SELF_HOSTED

From 8c1b2ebc651712e46052759b735e09b07b427fc1 Mon Sep 17 00:00:00 2001
From: cuisongliu <cuisongliu@qq.com>
Date: Mon, 22 Dec 2025 11:36:37 +0800
Subject: [PATCH 3/9] Remove unnecessary line breaks in matrixgorilla.yaml
 image definitions for clarity (#553)

---
 template/matrixgorilla.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/template/matrixgorilla.yaml b/template/matrixgorilla.yaml
index 40752c36..da20a795 100644
--- a/template/matrixgorilla.yaml
+++ b/template/matrixgorilla.yaml
@@ -51,8 +51,7 @@ spec:
       automountServiceAccountToken: false
       containers:
         - name: ${{ defaults.app_name }}-web
-          image: >-
-            registry.cn-beijing.aliyuncs.com/juliangxingqiu/sealos-java-web:latest
+          image: registry.cn-beijing.aliyuncs.com/juliangxingqiu/sealos-java-web:latest
           resources:
             requests:
               cpu: 100m
@@ -95,8 +94,7 @@ spec:
       terminationGracePeriodSeconds: 10
       containers:
         - name: ${{ defaults.app_name }}-api
-          image: >-
-            registry.cn-beijing.aliyuncs.com/juliangxingqiu/sealos-java-api:latest
+          image: registry.cn-beijing.aliyuncs.com/juliangxingqiu/sealos-java-api:latest
           env:
             - name: ANSWER_URL
               value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}/#/answer

From 10b0187196ce7e8cf2a424c3ce3d739b33f97bcf Mon Sep 17 00:00:00 2001
From: cuisongliu <cuisongliu@qq.com>
Date: Mon, 22 Dec 2025 17:28:05 +0800
Subject: [PATCH 4/9] Update image references in index.yaml to use version
 v1.9.0 (#554)

---
 template/surveyking/index.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/template/surveyking/index.yaml b/template/surveyking/index.yaml
index f8358b55..53f777df 100644
--- a/template/surveyking/index.yaml
+++ b/template/surveyking/index.yaml
@@ -161,7 +161,7 @@ kind: StatefulSet
 metadata:
   name: ${{ defaults.app_name }}
   annotations:
-    originImageName: surveyking/surveyking@sha256:da6f3bfd418f0f425e7a06949058ea8230140912cb20b5fade22a5ec6a63e2a4
+    originImageName: surveyking/surveyking:v1.9.0
     deploy.cloud.sealos.io/minReplicas: '1'
     deploy.cloud.sealos.io/maxReplicas: '1'
   labels:
@@ -184,7 +184,7 @@ spec:
       automountServiceAccountToken: false
       containers:
         - name: ${{ defaults.app_name }}
-          image: surveyking/surveyking@sha256:da6f3bfd418f0f425e7a06949058ea8230140912cb20b5fade22a5ec6a63e2a4
+          image: surveyking/surveyking:v1.9.0
           env:
             - name: PROFILE
               value: mysql

From c0b88101c3de4f2516c0462318e157bebad9a8c9 Mon Sep 17 00:00:00 2001
From: Carson Yang <yangchuansheng33@gmail.com>
Date: Tue, 23 Dec 2025 15:28:14 +0800
Subject: [PATCH 5/9] Update strapi to 5.33.0 (#556)

---
 template/strapi.yaml       | 386 ----------------
 template/strapi/README.md  | 227 ++++++++++
 template/strapi/index.yaml | 889 +++++++++++++++++++++++++++++++++++++
 3 files changed, 1116 insertions(+), 386 deletions(-)
 delete mode 100644 template/strapi.yaml
 create mode 100644 template/strapi/README.md
 create mode 100644 template/strapi/index.yaml

diff --git a/template/strapi.yaml b/template/strapi.yaml
deleted file mode 100644
index afb60a04..00000000
--- a/template/strapi.yaml
+++ /dev/null
@@ -1,386 +0,0 @@
-apiVersion: app.sealos.io/v1
-kind: Template
-metadata:
-  name: strapi
-spec:
-  title: 'Strapi'
-  url: 'https://strapi.io/'
-  gitRepo: 'https://github.com/strapi/strapi'
-  author: 'Sealos'
-  description: 'Strapi is the leading open-source headless CMS. 100% JavaScript/TypeScript and fully customizable.'
-  readme: 'https://raw.githubusercontent.com/strapi/strapi/refs/heads/develop/README.md'
-  icon: 'https://avatars.githubusercontent.com/u/19872173?s=48&v=4'
-  templateType: inline
-  locale: en
-  i18n:
-    zh:
-      title: 'Strapi'
-      description: 'Strapi 是领先的开源无头 CMS。100% JavaScript/TypeScript，完全可定制。'
-  categories:
-    - backend
-    - low-code
-  defaults:
-    app_name:
-      type: string
-      value: strapi-${{ random(8) }}
-    app_host:
-      type: string
-      value: ${{ random(8) }}
-  inputs:
-    JWT_SECRET:
-      description: 'JWT Secret for authentication'
-      type: string
-      default: ${{ random(32) }}
-      required: true
-    ADMIN_JWT_SECRET:
-      description: 'Admin JWT Secret for admin authentication'
-      type: string
-      default: ${{ random(32) }}
-      required: true
-    APP_KEYS:
-      description: 'App keys for encryption (comma separated)'
-      type: string
-      default: ${{ random(16) }},${{ random(16) }},${{ random(16) }},${{ random(16) }}
-      required: true
-    NODE_ENV:
-      description: 'Node environment'
-      type: choice
-      default: 'production'
-      options:
-        - production
-        - development
-      required: true
-
----
-# PostgreSQL ServiceAccount
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    sealos-db-provider-cr: ${{ defaults.app_name }}-pg
-    app.kubernetes.io/instance: ${{ defaults.app_name }}-pg
-    app.kubernetes.io/managed-by: kbcli
-  name: ${{ defaults.app_name }}-pg
-
----
-# PostgreSQL Role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    sealos-db-provider-cr: ${{ defaults.app_name }}-pg
-    app.kubernetes.io/instance: ${{ defaults.app_name }}-pg
-    app.kubernetes.io/managed-by: kbcli
-  name: ${{ defaults.app_name }}-pg
-rules:
-  - apiGroups:
-      - '*'
-    resources:
-      - '*'
-    verbs:
-      - '*'
-
----
-# PostgreSQL RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    sealos-db-provider-cr: ${{ defaults.app_name }}-pg
-    app.kubernetes.io/instance: ${{ defaults.app_name }}-pg
-    app.kubernetes.io/managed-by: kbcli
-  name: ${{ defaults.app_name }}-pg
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ${{ defaults.app_name }}-pg
-subjects:
-  - kind: ServiceAccount
-    name: ${{ defaults.app_name }}-pg
-
----
-# PostgreSQL Cluster
-apiVersion: apps.kubeblocks.io/v1alpha1
-kind: Cluster
-metadata:
-  finalizers:
-    - cluster.kubeblocks.io/finalizer
-  labels:
-    clusterdefinition.kubeblocks.io/name: postgresql
-    clusterversion.kubeblocks.io/name: postgresql-14.8.0
-    sealos-db-provider-cr: ${{ defaults.app_name }}-pg
-  annotations: {}
-  name: ${{ defaults.app_name }}-pg
-spec:
-  affinity:
-    nodeLabels: {}
-    podAntiAffinity: Preferred
-    tenancy: SharedNode
-    topologyKeys: []
-  clusterDefinitionRef: postgresql
-  clusterVersionRef: postgresql-14.8.0
-  componentSpecs:
-    - componentDefRef: postgresql
-      monitor: true
-      name: postgresql
-      replicas: 1
-      resources:
-        limits:
-          cpu: 1000m
-          memory: 1024Mi
-        requests:
-          cpu: 100m
-          memory: 102Mi
-      serviceAccountName: ${{ defaults.app_name }}-pg
-      switchPolicy:
-        type: Noop
-      volumeClaimTemplates:
-        - name: data
-          spec:
-            accessModes:
-              - ReadWriteOnce
-            resources:
-              requests:
-                storage: 5Gi
-            storageClassName: openebs-backup
-  terminationPolicy: Delete
-  tolerations: []
-
----
-# PostgreSQL Database Init Job
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: ${{ defaults.app_name }}-pg-init
-spec:
-  completions: 1
-  template:
-    spec:
-      containers:
-        - name: pgsql-init
-          image: postgres:14-alpine
-          env:
-            - name: PG_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: ${{ defaults.app_name }}-pg-conn-credential
-                  key: password
-            - name: DATABASE_URL
-              value: postgresql://postgres:$(PG_PASSWORD)@${{ defaults.app_name }}-pg-postgresql.${{ SEALOS_NAMESPACE }}.svc:5432
-          command:
-            - /bin/sh
-            - -c
-            - |
-              until psql ${DATABASE_URL} -c 'CREATE DATABASE strapi;' &>/dev/null; do sleep 1; done
-      restartPolicy: Never
-  backoffLimit: 0
-  ttlSecondsAfterFinished: 300
-
----
-# Strapi StatefulSet
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: ${{ defaults.app_name }}
-  annotations:
-    originImageName: strapi/strapi:3.6.8
-    deploy.cloud.sealos.io/minReplicas: '1'
-    deploy.cloud.sealos.io/maxReplicas: '1'
-  labels:
-    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
-    app: ${{ defaults.app_name }}
-spec:
-  replicas: 1
-  revisionHistoryLimit: 1
-  serviceName: ${{ defaults.app_name }}
-  selector:
-    matchLabels:
-      app: ${{ defaults.app_name }}
-  template:
-    metadata:
-      labels:
-        app: ${{ defaults.app_name }}
-    spec:
-      automountServiceAccountToken: false
-      containers:
-        - name: ${{ defaults.app_name }}
-          image: strapi/strapi:3.6.8
-          imagePullPolicy: IfNotPresent
-          env:
-            - name: DATABASE_CLIENT
-              value: postgres
-            - name: DATABASE_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: ${{ defaults.app_name }}-pg-conn-credential
-                  key: host
-            - name: DATABASE_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: ${{ defaults.app_name }}-pg-conn-credential
-                  key: port
-            - name: DATABASE_NAME
-              value: strapi
-            - name: DATABASE_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: ${{ defaults.app_name }}-pg-conn-credential
-                  key: username
-            - name: DATABASE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: ${{ defaults.app_name }}-pg-conn-credential
-                  key: password
-            - name: JWT_SECRET
-              value: ${{ inputs.JWT_SECRET }}
-            - name: ADMIN_JWT_SECRET
-              value: ${{ inputs.ADMIN_JWT_SECRET }}
-            - name: APP_KEYS
-              value: ${{ inputs.APP_KEYS }}
-            - name: NODE_ENV
-              value: ${{ inputs.NODE_ENV }}
-            - name: HOST
-              value: 0.0.0.0
-            - name: PORT
-              value: '1337'
-            - name: npm_config_cache
-              value: /srv/app/.npm
-          ports:
-            - containerPort: 1337
-          resources:
-            requests:
-              cpu: 50m
-              memory: 102Mi
-            limits:
-              cpu: 500m
-              memory: 1024Mi
-          volumeMounts:
-            - name: vn-srvvn-app
-              mountPath: /srv/app
-  volumeClaimTemplates:
-    - metadata:
-        annotations:
-          path: /srv/app
-          value: '1'
-        name: vn-srvvn-app
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 5Gi
-
----
-# Service
-apiVersion: v1
-kind: Service
-metadata:
-  name: ${{ defaults.app_name }}
-  labels:
-    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
-spec:
-  ports:
-    - port: 1337
-  selector:
-    app: ${{ defaults.app_name }}
-
----
-# Ingress
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: ${{ defaults.app_name }}
-  labels:
-    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
-    cloud.sealos.io/app-deploy-manager-domain: ${{ defaults.app_host }}
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    nginx.ingress.kubernetes.io/proxy-body-size: 32m
-    nginx.ingress.kubernetes.io/server-snippet: |
-      client_header_buffer_size 64k;
-      large_client_header_buffers 4 128k;
-    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
-    nginx.ingress.kubernetes.io/proxy-send-timeout: '300'
-    nginx.ingress.kubernetes.io/proxy-read-timeout: '300'
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($request_uri ~* \.(js|css|gif|jpe?g|png)) {
-        expires 30d;
-        add_header Cache-Control "public";
-      }
-spec:
-  rules:
-    - host: ${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
-      http:
-        paths:
-          - pathType: Prefix
-            path: /
-            backend:
-              service:
-                name: ${{ defaults.app_name }}
-                port:
-                  number: 1337
-  tls:
-    - hosts:
-        - ${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
-      secretName: ${{ SEALOS_CERT_SECRET_NAME }}
-
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: ${{ defaults.app_name }}-redirect
-  labels:
-    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
-  annotations:
-    nginx.ingress.kubernetes.io/rewrite-target: "/admin"
-    kubernetes.io/ingress.class: nginx
-    nginx.ingress.kubernetes.io/proxy-body-size: 32m
-    nginx.ingress.kubernetes.io/server-snippet: |
-      client_header_buffer_size 64k;
-      large_client_header_buffers 4 128k;
-    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
-    nginx.ingress.kubernetes.io/proxy-send-timeout: '300'
-    nginx.ingress.kubernetes.io/proxy-read-timeout: '300'
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($request_uri ~* \.(js|css|gif|jpe?g|png)) {
-        expires 30d;
-        add_header Cache-Control "public";
-      }
-spec:
-  rules:
-    - host: ${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
-      http:
-        paths:
-          - pathType: Exact
-            path: /
-            backend:
-              service:
-                name: ${{ defaults.app_name }}
-                port:
-                  number: 1337
-  tls:
-    - hosts:
-        - ${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
-      secretName: ${{ SEALOS_CERT_SECRET_NAME }}
-
----
-# App CR
-apiVersion: app.sealos.io/v1
-kind: App
-metadata:
-  name: ${{ defaults.app_name }}
-  labels:
-    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
-spec:
-  data:
-    url: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
-  displayType: normal
-  icon: 'https://avatars.githubusercontent.com/u/19872173?s=48&v=4'
-  name: Strapi
-  type: iframe
\ No newline at end of file
diff --git a/template/strapi/README.md b/template/strapi/README.md
new file mode 100644
index 00000000..78db0021
--- /dev/null
+++ b/template/strapi/README.md
@@ -0,0 +1,227 @@
+# Deploy and Host Strapi on Sealos
+
+Strapi is the leading open-source headless CMS, built with 100% JavaScript/TypeScript and fully customizable. This template provides one-click deployment of a production-ready Strapi instance with PostgreSQL database backend, enabling you to build powerful content management systems and APIs with minimal setup on Sealos Cloud.
+
+## About Hosting Strapi
+
+Strapi runs as a Node.js application that provides both a powerful admin panel for content management and RESTful/GraphQL APIs for content delivery. The headless architecture separates content management from presentation, allowing you to use Strapi as a backend for websites, mobile apps, IoT devices, or any other platform that consumes content via APIs.
+
+The Sealos template automatically provisions a PostgreSQL database for persistent content storage, configures all necessary environment variables including security tokens, and sets up persistent storage for uploaded media files and application data. The deployment includes an init container that handles the initial build process, ensuring your Strapi admin panel is ready to use immediately after deployment.
+
+## Common Use Cases
+
+- **Headless CMS for Websites**: Power modern JAMstack websites with a flexible content backend
+- **Mobile App Backend**: Provide content APIs for iOS, Android, and cross-platform mobile applications
+- **Multi-Channel Content Delivery**: Manage content once and deliver it across web, mobile, IoT, and other platforms
+- **Custom API Development**: Build RESTful or GraphQL APIs with a visual content type builder
+- **E-commerce Product Management**: Manage product catalogs, descriptions, and media assets
+- **Blog and Publication Platforms**: Create content-rich publishing systems with custom workflows
+- **Internal Tools and Dashboards**: Build admin panels and internal applications with rapid development
+
+## Dependencies for Strapi Hosting
+
+The Sealos template includes all required components: Strapi application server and PostgreSQL database with automatic initialization.
+
+### Deployment Dependencies
+
+- [Strapi Documentation](https://docs.strapi.io/) - Official Strapi documentation
+- [Strapi Quickstart Guide](https://docs.strapi.io/dev-docs/quick-start) - Getting started with Strapi development
+- [Strapi API Reference](https://docs.strapi.io/dev-docs/api/rest) - REST and GraphQL API documentation
+- [PostgreSQL Documentation](https://www.postgresql.org/docs/) - Database backend documentation
+
+## Implementation Details
+
+### Architecture Components
+
+This template deploys two interconnected services:
+
+- **PostgreSQL Database**: Persistent data storage for content and configuration
+  - Version: PostgreSQL 14.8.0
+  - Persistent storage: 1Gi
+  - Automatic database initialization with 'strapi' database
+  - Connection credentials managed via Kubernetes secrets
+
+- **Strapi Application**: Headless CMS server with admin panel
+  - Version: Strapi 5.33.0
+  - Web UI: Port 1337 (exposed via Ingress with SSL)
+  - Admin panel: `/admin` path
+  - API endpoints: `/api` path
+  - Persistent storage: 2Gi for application data, 1Gi for npm cache
+  - Init container for automatic build process
+
+**Resource Allocation:**
+
+| Component | CPU Request | CPU Limit | Memory Request | Memory Limit |
+|-----------|-------------|-----------|----------------|--------------|
+| Strapi (Runtime) | 100m | 1000m | 25Mi | 256Mi |
+| Strapi (Init Build) | 200m | 2000m | 307Mi | 3072Mi |
+| PostgreSQL | 50m | 500m | 51Mi | 512Mi |
+
+### Environment Configuration
+
+The template automatically configures Strapi with the following settings:
+
+**Database Configuration:**
+- Client: PostgreSQL
+- Connection: Automatic via Kubernetes secrets
+- Database name: `strapi`
+- SSL: Disabled (internal cluster communication)
+
+**Security Tokens:**
+All security tokens are automatically generated with cryptographically secure random values:
+- JWT Secret: 32-character random string
+- Admin JWT Secret: 32-character random string
+- App Keys: 4 x 32-character random strings
+- API Token Salt: 32-character random string
+- Transfer Token Salt: 32-character random string
+
+**Public URLs:**
+- Admin URL: `https://<app-host>.<domain>/admin`
+- Public URL: `https://<app-host>.<domain>`
+- CORS: Configured for your deployment domain
+
+### Deployment Process
+
+The deployment includes a two-stage initialization:
+
+1. **Database Initialization Job**: Creates the `strapi` database in PostgreSQL
+2. **Application Init Container**: Builds the Strapi admin panel before the main container starts
+3. **Main Container**: Runs Strapi in production or development mode
+
+This ensures your Strapi instance is fully ready to use immediately after deployment completes.
+
+## Why Deploy Strapi on Sealos?
+
+Sealos is an AI-assisted Cloud Operating System built on Kubernetes that unifies the entire application lifecycle, from development in cloud IDEs to production deployment and management. By deploying Strapi on Sealos, you get:
+
+- **One-Click Deployment**: Deploy a complete Strapi CMS with PostgreSQL database in seconds. No complex configuration or Kubernetes expertise required.
+- **Pre-Configured Database**: PostgreSQL is automatically provisioned, initialized, and connected to Strapi with secure credentials.
+- **Automatic Build Process**: The init container handles the Strapi admin panel build, so you can start creating content immediately.
+- **Persistent Storage**: Built-in persistent storage ensures your content, media uploads, and configuration survive restarts and updates.
+- **Secure Public Access**: Strapi gets automatic public URL with SSL certificate, allowing secure access to both admin panel and APIs.
+- **Environment Flexibility**: Choose between production and development modes to match your workflow.
+- **Easy Scaling**: Adjust resources through intuitive forms as your content and traffic grow.
+- **Automatic Security**: All security tokens are generated automatically with cryptographically secure random values.
+
+Deploy Strapi on Sealos and focus on building great content experiences instead of managing infrastructure.
+
+## Deployment Guide
+
+1. Visit [Sealos Cloud](https://os.sealos.io/?openapp=system-brain?trial=true)
+2. Click "From Template"
+3. Search for "Strapi" in the App Store
+4. Select your Node environment mode:
+   - **Production** (recommended): Optimized for performance and stability
+   - **Development**: Enables hot-reload and development features
+5. Click "Deploy"
+6. Wait for deployment to complete (typically 2-3 minutes, including build process)
+7. Access Strapi via the provided URL (shown in the canvas)
+8. Create your admin account on first access to the admin panel
+
+## Configuration
+
+After deployment, you can customize your Strapi instance:
+
+### Initial Setup
+
+1. **Create Admin Account**: On first access to `/admin`, you'll be prompted to create an administrator account
+2. **Configure Content Types**: Use the Content-Type Builder to define your data models
+3. **Set Permissions**: Configure role-based access control for API endpoints
+4. **Upload Media**: Use the Media Library to manage images, videos, and other assets
+
+### Resource Scaling
+
+Adjust resources in the canvas based on your needs:
+- **CPU/Memory**: Increase for better performance with high traffic or complex content types
+- **Storage**: Expand application storage for more media uploads and content
+
+### API Configuration
+
+Strapi provides both REST and GraphQL APIs:
+- REST API: `https://<app-host>.<domain>/api`
+- GraphQL API: `https://<app-host>.<domain>/graphql` (requires GraphQL plugin)
+
+### Service Endpoints
+
+| Service | Endpoint | Purpose |
+|---------|----------|---------|
+| Admin Panel | `https://<app-host>.<domain>/admin` | Content management interface |
+| REST API | `https://<app-host>.<domain>/api` | RESTful API endpoints |
+| GraphQL | `https://<app-host>.<domain>/graphql` | GraphQL API (if enabled) |
+| PostgreSQL | `<app-name>-pg-postgresql.<namespace>.svc:5432` | Database (internal) |
+
+## Troubleshooting
+
+### Common Issues
+
+**Issue 1: Admin Panel Not Loading**
+- Cause: Build process may still be running or failed
+- Solution: Check the init container logs in the Terminal. The build process can take 1-2 minutes on first deployment. If the build failed, check resource limits and try redeploying.
+
+**Issue 2: Database Connection Errors**
+- Cause: PostgreSQL not ready or connection credentials incorrect
+- Solution: Verify the PostgreSQL cluster is running in the canvas. Check that the `strapi` database was created by examining the init job logs. The connection is automatic via Kubernetes secrets.
+
+**Issue 3: Media Upload Failures**
+- Cause: Storage full or permission issues
+- Solution: Increase the application storage allocation in the canvas. Default is 2Gi for application data.
+
+**Issue 4: API Endpoints Return 403 Forbidden**
+- Cause: Permissions not configured for public access
+- Solution: In the Strapi admin panel, go to Settings → Roles → Public, and enable permissions for the endpoints you want to expose publicly.
+
+**Issue 5: Slow Performance**
+- Cause: Insufficient resources for your content volume
+- Solution: Increase CPU and memory allocation in the canvas. Consider upgrading from the default 1000m CPU / 256Mi memory limits.
+
+### Getting Help
+
+- [Strapi Documentation](https://docs.strapi.io/)
+- [Strapi Community Forum](https://forum.strapi.io/)
+- [Strapi Discord](https://discord.strapi.io/)
+- [Sealos Discord Community](https://discord.gg/wdUn538zVP)
+
+## Additional Resources
+
+- [Strapi Content-Type Builder](https://docs.strapi.io/user-docs/content-type-builder) - Creating custom content types
+- [Strapi API Documentation](https://docs.strapi.io/dev-docs/api/rest) - REST and GraphQL API reference
+- [Strapi Plugins](https://market.strapi.io/) - Extend Strapi with community plugins
+- [Strapi Deployment Guide](https://docs.strapi.io/dev-docs/deployment) - Advanced deployment configurations
+- [PostgreSQL Best Practices](https://wiki.postgresql.org/wiki/Don%27t_Do_This) - Database optimization tips
+
+## Development Workflow
+
+### Connecting Your Frontend
+
+To connect your frontend application to Strapi APIs:
+
+```javascript
+// Example: Fetching content from Strapi REST API
+const response = await fetch('https://<app-host>.<domain>/api/articles?populate=*', {
+  headers: {
+    'Authorization': 'Bearer YOUR_API_TOKEN'
+  }
+});
+const data = await response.json();
+```
+
+### Creating API Tokens
+
+1. Go to Settings → API Tokens in the admin panel
+2. Click "Create new API Token"
+3. Set token name, type (Read-only, Full access, Custom), and duration
+4. Copy the generated token (shown only once)
+5. Use the token in your application's API requests
+
+### Custom Development
+
+For custom plugin development or extending Strapi:
+
+1. Switch to development mode by updating the `node_env` input to `development`
+2. Access the application storage via the canvas to modify code
+3. Changes will hot-reload automatically in development mode
+4. Switch back to production mode for optimal performance
+
+## License
+
+This Sealos template is provided under MIT License. Strapi is provided under its own license - see [Strapi License](https://github.com/strapi/strapi/blob/develop/LICENSE) for details.
diff --git a/template/strapi/index.yaml b/template/strapi/index.yaml
new file mode 100644
index 00000000..6f5ef278
--- /dev/null
+++ b/template/strapi/index.yaml
@@ -0,0 +1,889 @@
+apiVersion: app.sealos.io/v1
+kind: Template
+metadata:
+  name: strapi
+spec:
+  title: "Strapi"
+  url: "https://strapi.io/"
+  gitRepo: "https://github.com/strapi/strapi"
+  author: "Sealos"
+  description: "Strapi is the leading open-source headless CMS. 100% JavaScript/TypeScript and fully customizable."
+  readme: "https://raw.githubusercontent.com/labring-actions/templates/main/template/strapi/README.md"
+  icon: "https://avatars.githubusercontent.com/u/19872173?s=48&v=4"
+  templateType: inline
+  locale: en
+  i18n:
+    zh:
+      description: "Strapi 是领先的开源无头 CMS。100% JavaScript/TypeScript，完全可定制。"
+  categories:
+    - backend
+    - low-code
+  defaults:
+    app_name:
+      type: string
+      value: strapi-${{ random(8) }}
+    app_host:
+      type: string
+      value: strapi-${{ random(8) }}
+    jwt_secret:
+      type: string
+      value: ${{ random(32) }}
+    admin_jwt_secret:
+      type: string
+      value: ${{ random(32) }}
+    app_keys:
+      type: string
+      value: ${{ random(32) }},${{ random(32) }},${{ random(32) }},${{ random(32) }}
+    api_token_salt:
+      type: string
+      value: ${{ random(32) }}
+    transfer_token_salt:
+      type: string
+      value: ${{ random(32) }}
+  inputs:
+    node_env:
+      description: "Node environment mode"
+      type: choice
+      default: "production"
+      options:
+        - production
+        - development
+      required: true
+
+---
+# PostgreSQL ServiceAccount
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    sealos-db-provider-cr: ${{ defaults.app_name }}-pg
+    app.kubernetes.io/instance: ${{ defaults.app_name }}-pg
+    app.kubernetes.io/managed-by: kbcli
+  name: ${{ defaults.app_name }}-pg
+
+---
+# PostgreSQL Role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    sealos-db-provider-cr: ${{ defaults.app_name }}-pg
+    app.kubernetes.io/instance: ${{ defaults.app_name }}-pg
+    app.kubernetes.io/managed-by: kbcli
+  name: ${{ defaults.app_name }}-pg
+rules:
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - "*"
+
+---
+# PostgreSQL RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    sealos-db-provider-cr: ${{ defaults.app_name }}-pg
+    app.kubernetes.io/instance: ${{ defaults.app_name }}-pg
+    app.kubernetes.io/managed-by: kbcli
+  name: ${{ defaults.app_name }}-pg
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ${{ defaults.app_name }}-pg
+subjects:
+  - kind: ServiceAccount
+    name: ${{ defaults.app_name }}-pg
+
+---
+# PostgreSQL Cluster
+apiVersion: apps.kubeblocks.io/v1alpha1
+kind: Cluster
+metadata:
+  finalizers:
+    - cluster.kubeblocks.io/finalizer
+  labels:
+    clusterdefinition.kubeblocks.io/name: postgresql
+    clusterversion.kubeblocks.io/name: postgresql-14.8.0
+    sealos-db-provider-cr: ${{ defaults.app_name }}-pg
+  annotations: {}
+  name: ${{ defaults.app_name }}-pg
+spec:
+  affinity:
+    nodeLabels: {}
+    podAntiAffinity: Preferred
+    tenancy: SharedNode
+    topologyKeys: []
+  clusterDefinitionRef: postgresql
+  clusterVersionRef: postgresql-14.8.0
+  componentSpecs:
+    - componentDefRef: postgresql
+      monitor: true
+      name: postgresql
+      replicas: 1
+      resources:
+        limits:
+          cpu: 500m
+          memory: 512Mi
+        requests:
+          cpu: 50m
+          memory: 51Mi
+      serviceAccountName: ${{ defaults.app_name }}-pg
+      switchPolicy:
+        type: Noop
+      volumeClaimTemplates:
+        - name: data
+          spec:
+            accessModes:
+              - ReadWriteOnce
+            resources:
+              requests:
+                storage: 1Gi
+            storageClassName: openebs-backup
+  terminationPolicy: Delete
+  tolerations: []
+
+---
+# PostgreSQL Database Init Job
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ${{ defaults.app_name }}-pg-init
+spec:
+  completions: 1
+  template:
+    spec:
+      containers:
+        - name: pgsql-init
+          image: postgres:14-alpine
+          env:
+            - name: PG_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: ${{ defaults.app_name }}-pg-conn-credential
+                  key: password
+            - name: DATABASE_URL
+              value: postgresql://postgres:$(PG_PASSWORD)@${{ defaults.app_name }}-pg-postgresql.${{ SEALOS_NAMESPACE }}.svc:5432
+          command:
+            - /bin/sh
+            - -c
+            - |
+              until psql ${DATABASE_URL} -c 'CREATE DATABASE strapi;' &>/dev/null; do sleep 1; done
+      restartPolicy: Never
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 300
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ${{ defaults.app_name }}
+data:
+  vn-usrvn-localvn-binvn-docker-entrypointvn-sh: |
+    #!/bin/sh
+    set -ea
+
+    # ============================================================
+    # Check if running in initialization mode
+    # ============================================================
+    INIT_MODE=false
+    if [ "$1" = "strapi-init" ]; then
+      INIT_MODE=true
+      shift
+      set -- "strapi" "$@"
+    fi
+
+    if [ "$1" = "strapi" ]; then
+
+      DATABASE_CLIENT=${DATABASE_CLIENT:-sqlite}
+
+      if [ ! -f "package.json" ]; then
+
+        EXTRA_ARGS=${EXTRA_ARGS}
+
+        echo "Using Strapi v$STRAPI_VERSION"
+        echo "No project found at /srv/app. Creating a new Strapi project ..."
+
+        if [ "${STRAPI_VERSION#5}" != "$STRAPI_VERSION" ]; then
+          DOCKER=true printf "n\n" | npx create-strapi-app@${STRAPI_VERSION} . --no-run \
+            --js \
+            --install \
+            --no-git-init \
+            --no-example \
+            --skip-cloud \
+            --skip-db \
+            $EXTRA_ARGS
+        elif [ "${STRAPI_VERSION%%.*}" = "4" ] && [ "$(echo "$STRAPI_VERSION" | cut -d. -f2)" -ge 25 ]; then
+          DOCKER=true npx create-strapi-app@${STRAPI_VERSION} . --no-run \
+            --skip-cloud \
+            --dbclient=$DATABASE_CLIENT \
+            --dbhost=$DATABASE_HOST \
+            --dbport=$DATABASE_PORT \
+            --dbname=$DATABASE_NAME \
+            --dbusername=$DATABASE_USERNAME \
+            --dbpassword=$DATABASE_PASSWORD \
+            --dbssl=$DATABASE_SSL \
+            $EXTRA_ARGS
+        else
+          DOCKER=true npx create-strapi-app@${STRAPI_VERSION} . --no-run \
+            --dbclient=$DATABASE_CLIENT \
+            --dbhost=$DATABASE_HOST \
+            --dbport=$DATABASE_PORT \
+            --dbname=$DATABASE_NAME \
+            --dbusername=$DATABASE_USERNAME \
+            --dbpassword=$DATABASE_PASSWORD \
+            --dbssl=$DATABASE_SSL \
+            $EXTRA_ARGS
+        fi
+
+        echo "" >| 'config/server.js'
+        echo "" >| 'config/admin.js'
+        echo "" >| 'config/middlewares.js'
+
+        cat <<-EOT >> 'config/server.js'
+    module.exports = ({ env }) => ({
+      host: env('HOST', '0.0.0.0'),
+      port: env.int('PORT', 1337),
+      url: env('PUBLIC_URL', 'http://localhost:1337'),
+      app: {
+        keys: env.array('APP_KEYS'),
+      },
+      webhooks: {
+        populateRelations: env.bool('WEBHOOKS_POPULATE_RELATIONS', false),
+      },
+    });
+    EOT
+
+        cat <<-EOT >> 'config/admin.js'
+    module.exports = ({ env }) => ({
+      url: env('ADMIN_URL', 'http://localhost:1337/admin'),
+      auth: {
+        secret: env('ADMIN_JWT_SECRET'),
+      },
+      apiToken: {
+        salt: env('API_TOKEN_SALT'),
+      },
+      transfer: {
+        token: {
+          salt: env('TRANSFER_TOKEN_SALT'),
+        },
+      },
+    });
+    EOT
+
+        cat <<-EOT >> 'config/middlewares.js'
+    module.exports = ({env}) => ([
+      'strapi::logger',
+      'strapi::errors',
+      {
+        name: 'strapi::security',
+        config: {
+          contentSecurityPolicy: {
+            useDefaults: true,
+            directives: {
+              'connect-src': ["'self'", 'http:', 'https:'],
+              'img-src': env('IMG_ORIGIN', "'self',data:,blob:,market-assets.strapi.io").split(','),
+              upgradeInsecureRequests: null,
+            },
+          },
+        },
+      },
+      {
+        name: 'strapi::cors',
+        config: {
+          origin: env('CORS_ORIGIN', '*').split(','),
+          methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],
+          headers: ['Content-Type', 'Authorization', 'Origin', 'Accept'],
+          keepHeaderOnError: true,
+        }
+      },
+      'strapi::poweredBy',
+      'strapi::query',
+      'strapi::body',
+      'strapi::session',
+      'strapi::favicon',
+      'strapi::public',
+    ]);
+    EOT
+
+      elif [ ! -d "node_modules" ] || [ ! "$(ls -qAL node_modules 2>/dev/null)" ]; then
+        echo "Node modules not installed. Installing ..."
+        if [ -f "yarn.lock" ]; then
+          yarn install --prod
+        else
+          npm install --only=prod
+        fi
+      fi
+
+      if [ "$ENABLE_VITE_ALLOWED_HOSTS" = "true" ] && [ ! -f "src/admin/vite.config.js" ] && [ ! -f "src/admin/vite.config.ts" ]; then
+        echo "Creating vite.config with allowedHosts configuration..."
+        mkdir -p src/admin
+
+        if [ -f "tsconfig.json" ] || [ -f "package.json" ] && grep -q "\"typescript\"" package.json; then
+          echo "Detected TypeScript project, creating vite.config.ts..."
+          cat <<-EOT > 'src/admin/vite.config.ts'
+    import { mergeConfig, type UserConfig } from 'vite';
+
+    export default (config: UserConfig) => {
+      return mergeConfig(config, {
+        resolve: {
+          alias: {
+            '@': '/src',
+          },
+        },
+        server: {
+          allowedHosts: true
+        },
+      });
+    };
+    EOT
+        else
+          echo "Detected JavaScript project, creating vite.config.js..."
+          cat <<-EOT > 'src/admin/vite.config.js'
+    const { mergeConfig } = require('vite');
+
+    module.exports = (config) => {
+      return mergeConfig(config, {
+        resolve: {
+          alias: {
+            '@': '/src',
+          },
+        },
+        server: {
+          allowedHosts: true
+        },
+      });
+    };
+    EOT
+        fi
+      fi
+
+      if [ -f "yarn.lock" ]; then
+        current_strapi_version="$(yarn list --pattern strapi --depth=0 | grep @strapi/strapi | cut -d @ -f 3)"
+      else
+        current_strapi_version="$(npm list | grep @strapi/strapi | cut -d @ -f 3)"
+      fi
+
+      get_version_parts() {
+        echo "$1" | awk -F. '{print $1, $2, $3}'
+      }
+
+      if [ "${STRAPI_VERSION#5}" != "$STRAPI_VERSION" ]; then
+
+        version_parts=$(get_version_parts "$current_strapi_version")
+        set -- $version_parts
+        current_major=$1
+        current_minor=$2
+        current_patch=$3
+
+        version_parts=$(get_version_parts "$STRAPI_VERSION")
+        set -- $version_parts
+        image_major=$1
+        image_minor=$2
+        image_patch=$3
+
+        if [ "$image_major" -eq "$current_major" ] && [ "$image_minor" -eq "$current_minor" ] && [ "$image_patch" -gt "$current_patch" ]; then
+          echo "Patch upgrade needed: v${current_strapi_version} to v${image_major}.${image_minor}.${image_patch}. Upgrading..."
+          NPM_REGISTRY_URL=https://registry.npmjs.org/ npx @strapi/upgrade@${STRAPI_VERSION} patch -y || { echo "Patch upgrade failed"; exit 1; }
+        fi
+
+        if [ "$image_major" -eq "$current_major" ] && [ "$image_minor" -gt "$current_minor" ]; then
+          echo "Minor upgrade needed: v${current_strapi_version} to v${image_major}.${image_minor}.${image_patch}. Upgrading..."
+          NPM_REGISTRY_URL=https://registry.npmjs.org/ npx @strapi/upgrade@${STRAPI_VERSION} minor -y || { echo "Minor upgrade failed"; exit 1; }
+        fi
+
+        if [ "$image_major" -gt "$current_major" ]; then
+          echo "Major upgrade needed: v${current_strapi_version} to v${image_major}.${image_minor}.${image_patch}. Upgrading..."
+          echo "Ensuring the current version of Strapi is on the latest minor and patch before major upgrade..."
+
+          echo "Performing pre-upgrade patch updates..."
+          NPM_REGISTRY_URL=https://registry.npmjs.org/ npx @strapi/upgrade@${STRAPI_VERSION} patch -y || echo "Pre-upgrade patch update failed or not needed. Check the logs. Continuing..."
+          echo "Performing pre-upgrade minor updates..."
+          NPM_REGISTRY_URL=https://registry.npmjs.org/ npx @strapi/upgrade@${STRAPI_VERSION} minor -y || echo "Pre-upgrade minor update failed or not needed. Check the logs. Continuing..."
+          echo "Performing major upgrade..."
+          NPM_REGISTRY_URL=https://registry.npmjs.org/ npx @strapi/upgrade@${STRAPI_VERSION} major -y || { echo "Major upgrade failed"; exit 1; }
+
+          if [ -f "yarn.lock" ]; then
+            updated_strapi_version="$(yarn list --pattern strapi --depth=0 | grep @strapi/strapi | cut -d @ -f 3)"
+          else
+            updated_strapi_version="$(npm list | grep @strapi/strapi | cut -d @ -f 3)"
+          fi
+
+          version_parts=$(get_version_parts "$updated_strapi_version")
+          set -- $version_parts
+          updated_major=$1
+          updated_minor=$2
+          updated_patch=$3
+
+          if [ "$image_major" -eq "$updated_major" ] && [ "$image_minor" -eq "$updated_minor" ] && [ "$image_patch" -gt "$updated_patch" ]; then
+            echo "Post-upgrade patch update needed: v${updated_strapi_version} to v${image_major}.${image_minor}.${image_patch}. Updating..."
+            NPM_REGISTRY_URL=https://registry.npmjs.org/ npx @strapi/upgrade@${STRAPI_VERSION} patch -y || { echo "Post-upgrade patch update failed"; exit 1; }
+          fi
+
+          if [ "$image_major" -eq "$updated_major" ] && [ "$image_minor" -gt "$updated_minor" ]; then
+            echo "Post-upgrade minor update needed: v${updated_strapi_version} to v${image_major}.${image_minor}.${image_patch}. Updating..."
+            NPM_REGISTRY_URL=https://registry.npmjs.org/ npx @strapi/upgrade@${STRAPI_VERSION} minor -y || { echo "Post-upgrade minor update failed"; exit 1; }
+          fi
+
+        fi
+      else
+        current_strapi_code="$(echo "${current_strapi_version}" | tr -d "." )"
+        image_strapi_code="$(echo "${STRAPI_VERSION}" | tr -d "." )"
+        if [ "${image_strapi_code}" -gt "${current_strapi_code}" ]; then
+          echo "Strapi update needed: v${current_strapi_version} to v${STRAPI_VERSION}. Updating ..."
+          if [ -f "yarn.lock" ]; then
+            yarn add "@strapi/strapi@${STRAPI_VERSION}" "@strapi/plugin-users-permissions@${STRAPI_VERSION}" "@strapi/plugin-i18n@${STRAPI_VERSION}" "@strapi/plugin-cloud@${STRAPI_VERSION}" --prod || { echo "Upgrade failed"; exit 1; }
+          else
+            npm install @strapi/strapi@"${STRAPI_VERSION}" @strapi/plugin-users-permissions@"${STRAPI_VERSION}" @strapi/plugin-i18n@"${STRAPI_VERSION}" @strapi/plugin-cloud@"${STRAPI_VERSION}" --only=prod || { echo "Upgrade failed"; exit 1; }
+          fi
+        fi
+      fi
+
+      if ! grep -q "\"react\"" package.json; then
+        echo "Adding React and Styled Components..."
+        if [ -f "yarn.lock" ]; then
+          yarn add "react@^18.0.0" "react-dom@^18.0.0" "react-router-dom@^5.3.4" "styled-components@^5.3.3" --prod || { echo "Adding React and Styled Components failed"; exit 1; }
+        else
+          npm install react@"^18.0.0" react-dom@"^18.0.0" react-router-dom@"^5.3.4" styled-components@"^5.3.3" --only=prod || { echo "Adding React and Styled Components failed"; exit 1; }
+        fi
+      fi
+
+      if [ "${DATABASE_CLIENT}" = "postgres" ] && ! grep -q "\"pg\"" package.json; then
+        echo "Adding Postgres packages..."
+        if [ -f "yarn.lock" ]; then
+          yarn add "pg@^8.13.0" --prod || { echo "Adding Postgres packages failed"; exit 1; }
+        else
+          npm install pg@"^8.13.0" --only=prod || { echo "Adding Postgres packages failed"; exit 1; }
+        fi
+      fi
+
+      if [ "${DATABASE_CLIENT}" = "mysql" ]; then
+        if [ "${STRAPI_VERSION#5}" != "$STRAPI_VERSION" ]; then
+          if ! grep -q "\"mysql2\"" package.json; then
+            echo "Adding MySQL2 package for Strapi v5..."
+            if [ -f "yarn.lock" ]; then
+              yarn add "mysql2@^3.12.0" --prod || { echo "Adding MySQL2 package failed"; exit 1; }
+            else
+              npm install mysql2@"^3.12.0" --only=prod || { echo "Adding MySQL2 package failed"; exit 1; }
+            fi
+          fi
+        else
+          if ! grep -q "\"mysql\"" package.json; then
+            echo "Adding MySQL package for Strapi v4..."
+            if [ -f "yarn.lock" ]; then
+              yarn add "mysql@^2.18.1" --prod || { echo "Adding MySQL package failed"; exit 1; }
+            else
+              npm install mysql@"^2.18.1" --only=prod || { echo "Adding MySQL package failed"; exit 1; }
+            fi
+          fi
+        fi
+      elif [ "${DATABASE_CLIENT}" = "mysql2" ] && ! grep -q "\"mysql2\"" package.json; then
+        echo "Adding MySQL2 package..."
+        if [ -f "yarn.lock" ]; then
+          yarn add "mysql2@^3.12.0" --prod || { echo "Adding MySQL2 package failed"; exit 1; }
+        else
+          npm install mysql2@"^3.12.0" --only=prod || { echo "Adding MySQL2 package failed"; exit 1; }
+        fi
+      fi
+
+      # ============================================================
+      # Initialization mode: build and exit
+      # ============================================================
+      if [ "$INIT_MODE" = "true" ]; then
+        echo "============================================"
+        echo "Running in INIT MODE"
+        echo "============================================"
+
+        BUILD_MARKER="node_modules/@strapi/admin/dist/server/build/index.html"
+
+        if [ ! -f "$BUILD_MARKER" ]; then
+          echo "Build files not found. Building Strapi admin panel..."
+          if [ -f "yarn.lock" ]; then
+            yarn build
+          else
+            npm run build
+          fi
+          echo "Build completed successfully!"
+        else
+          echo "Build files already exist. Skipping build."
+        fi
+
+        echo "============================================"
+        echo "Initialization completed. Exiting."
+        echo "============================================"
+        exit 0
+      fi
+
+      # ============================================================
+      echo "Initialization completed. Exiting."
+      # ============================================================
+      BUILD=${BUILD:-false}
+
+      if [ "$BUILD" = "true" ]; then
+        echo "Building Strapi admin..."
+        if [ -f "yarn.lock" ]; then
+          yarn build
+        else
+          npm run build
+        fi
+      fi
+
+      if [ "$NODE_ENV" = "production" ]; then
+        STRAPI_MODE="start"
+      elif [ "$NODE_ENV" = "development" ]; then
+        STRAPI_MODE="develop"
+      fi
+
+      echo "Starting your app (with ${STRAPI_MODE:-develop})..."
+
+      if [ "$GITHUB_ACTIONS" = "1" ]; then
+        rm -f pipe
+        mkfifo pipe
+
+        if [ -f "yarn.lock" ]; then
+          yarn "${STRAPI_MODE:-develop}" > pipe & pid=$!
+        else
+          npm run "${STRAPI_MODE:-develop}" > pipe & pid=$!
+        fi
+
+        exec 3<pipe
+        while IFS= read -r line <&3; do
+          lower_line=$(echo "$line" | tr '[:upper:]' '[:lower:]')
+          printf '%s\n' "$lower_line"
+
+          if [ "${lower_line#*http://localhost:1337/admin}" != "$lower_line" ]; then
+            if [ -f "yarn.lock" ]; then
+              running_strapi_version="$(yarn list --pattern strapi --depth=0 | grep @strapi/strapi | cut -d @ -f 3)"
+            else
+              running_strapi_version="$(npm list | grep @
+
+    strapi/strapi | cut -d @ -f 3)"
+            fi
+            if [ "$running_strapi_version" = "$STRAPI_VERSION" ]; then
+              echo -e "\nSuccessfully launched Strapi with version $running_strapi_version. Exiting container with code 0..."
+              exec 3<&-
+              kill "$pid"
+              rm -f pipe
+              exit 0
+            else
+              echo -e "\nStrapi launched with version $running_strapi_version, but expected version was $STRAPI_VERSION. Exiting container with code 1..."
+              exec 3<&-
+              kill "$pid"
+              rm -f pipe
+              exit 1
+            fi
+          fi
+
+          if [ "${lower_line#*error}" != "$lower_line" ]; then
+            exec 3<&-
+            kill "$pid"
+            echo -e "\nFailed to launch Strapi. Exiting container with code 1..."
+            rm -f pipe
+            exit 1
+          fi
+
+        done
+      else
+        if [ -f "yarn.lock" ]; then
+          exec yarn "${STRAPI_MODE:-develop}"
+        else
+          exec npm run "${STRAPI_MODE:-develop}"
+        fi
+      fi
+
+    else
+      exec "$@"
+    fi
+
+---
+# Strapi StatefulSet
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: ${{ defaults.app_name }}
+  annotations:
+    originImageName: vshadbolt/strapi:5.33.0
+    deploy.cloud.sealos.io/minReplicas: "1"
+    deploy.cloud.sealos.io/maxReplicas: "1"
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
+    app: ${{ defaults.app_name }}
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  serviceName: ${{ defaults.app_name }}
+  selector:
+    matchLabels:
+      app: ${{ defaults.app_name }}
+  template:
+    metadata:
+      labels:
+        app: ${{ defaults.app_name }}
+    spec:
+      automountServiceAccountToken: false
+      initContainers:
+        - name: strapi-build
+          image: vshadbolt/strapi:5.33.0
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - -c
+            - |
+              if [ ! -d "/srv/app/build" ]; then
+                echo "Build files not found, running npm run build..."
+                cd /srv/app
+                bash /usr/local/bin/docker-entrypoint.sh strapi-init
+              else
+                echo "Build files already exist, skipping build."
+              fi
+          env:
+            # Database Configuration (needed for build)
+            - name: DATABASE_CLIENT
+              value: postgres
+            - name: DATABASE_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: ${{ defaults.app_name }}-pg-conn-credential
+                  key: host
+            - name: DATABASE_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: ${{ defaults.app_name }}-pg-conn-credential
+                  key: port
+            - name: DATABASE_NAME
+              value: strapi
+            - name: DATABASE_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: ${{ defaults.app_name }}-pg-conn-credential
+                  key: username
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: ${{ defaults.app_name }}-pg-conn-credential
+                  key: password
+            - name: DATABASE_SSL
+              value: "false"
+
+            # Strapi Secrets (needed for build)
+            - name: JWT_SECRET
+              value: ${{ defaults.jwt_secret }}
+            - name: ADMIN_JWT_SECRET
+              value: ${{ defaults.admin_jwt_secret }}
+            - name: APP_KEYS
+              value: ${{ defaults.app_keys }}
+            - name: API_TOKEN_SALT
+              value: ${{ defaults.api_token_salt }}
+            - name: TRANSFER_TOKEN_SALT
+              value: ${{ defaults.transfer_token_salt }}
+
+            # Node Environment
+            - name: NODE_ENV
+              value: production
+          volumeMounts:
+            - name: ${{ defaults.app_name }}-cm
+              mountPath: /usr/local/bin/docker-entrypoint.sh
+              subPath: vn-usrvn-localvn-binvn-docker-entrypointvn-sh
+            - name: vn-srvvn-app
+              mountPath: /srv/app
+            - name: vn-rootvn-vn-npm
+              mountPath: /root/.npm
+          resources:
+            requests:
+              cpu: 200m
+              memory: 307Mi
+            limits:
+              cpu: 2000m
+              memory: 3072Mi
+      containers:
+        - name: ${{ defaults.app_name }}
+          image: vshadbolt/strapi:5.33.0
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+          args:
+            - /usr/local/bin/docker-entrypoint.sh
+            - strapi
+          env:
+            # Admin and Public URLs (auto-configured with Sealos domain)
+            - name: ADMIN_URL
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}/admin
+            - name: PUBLIC_URL
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
+            - name: IMG_ORIGIN
+              value: "'self',data:,blob:,market-assets.strapi.io,${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}"
+            - name: CORS_ORIGIN
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
+            - name: ENABLE_VITE_ALLOWED_HOSTS
+              value: "true"
+
+            # Database Configuration
+            - name: DATABASE_CLIENT
+              value: postgres
+            - name: DATABASE_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: ${{ defaults.app_name }}-pg-conn-credential
+                  key: host
+            - name: DATABASE_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: ${{ defaults.app_name }}-pg-conn-credential
+                  key: port
+            - name: DATABASE_NAME
+              value: strapi
+            - name: DATABASE_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: ${{ defaults.app_name }}-pg-conn-credential
+                  key: username
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: ${{ defaults.app_name }}-pg-conn-credential
+                  key: password
+            - name: DATABASE_SSL
+              value: "false"
+
+            # Strapi Secrets
+            - name: JWT_SECRET
+              value: ${{ defaults.jwt_secret }}
+            - name: ADMIN_JWT_SECRET
+              value: ${{ defaults.admin_jwt_secret }}
+            - name: APP_KEYS
+              value: ${{ defaults.app_keys }}
+            - name: API_TOKEN_SALT
+              value: ${{ defaults.api_token_salt }}
+            - name: TRANSFER_TOKEN_SALT
+              value: ${{ defaults.transfer_token_salt }}
+
+            # Node Environment
+            - name: NODE_ENV
+              value: ${{ inputs.node_env }}
+
+            # Server Configuration
+            - name: HOST
+              value: 0.0.0.0
+            - name: PORT
+              value: "1337"
+            - name: BUILD
+              value: false
+          ports:
+            - containerPort: 1337
+          resources:
+            requests:
+              cpu: 100m
+              memory: 25Mi
+            limits:
+              cpu: 1000m
+              memory: 256Mi
+          volumeMounts:
+            - name: ${{ defaults.app_name }}-cm
+              mountPath: /usr/local/bin/docker-entrypoint.sh
+              subPath: vn-usrvn-localvn-binvn-docker-entrypointvn-sh
+            - name: vn-srvvn-app
+              mountPath: /srv/app
+            - name: vn-rootvn-vn-npm
+              mountPath: /root/.npm
+      volumes:
+        - name: ${{ defaults.app_name }}-cm
+          configMap:
+            name: ${{ defaults.app_name }}
+  volumeClaimTemplates:
+    - metadata:
+        annotations:
+          path: /srv/app
+          value: "2"
+        name: vn-srvvn-app
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 2Gi
+    - metadata:
+        annotations:
+          path: /root/.npm
+          value: "1"
+        name: vn-rootvn-vn-npm
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+
+---
+# Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${{ defaults.app_name }}
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
+spec:
+  ports:
+    - port: 1337
+  selector:
+    app: ${{ defaults.app_name }}
+
+---
+# Ingress
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ${{ defaults.app_name }}
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
+    cloud.sealos.io/app-deploy-manager-domain: ${{ defaults.app_host }}
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-body-size: 100m
+    nginx.ingress.kubernetes.io/server-snippet: |
+      client_header_buffer_size 64k;
+      large_client_header_buffers 4 128k;
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      if ($request_uri ~* \.(js|css|gif|jpe?g|png|svg|ico|woff|woff2|ttf|eot)) {
+        expires 30d;
+        add_header Cache-Control "public";
+      }
+spec:
+  rules:
+    - host: ${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
+      http:
+        paths:
+          - pathType: Prefix
+            path: /
+            backend:
+              service:
+                name: ${{ defaults.app_name }}
+                port:
+                  number: 1337
+  tls:
+    - hosts:
+        - ${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
+      secretName: ${{ SEALOS_CERT_SECRET_NAME }}
+
+---
+# App CR
+apiVersion: app.sealos.io/v1
+kind: App
+metadata:
+  name: ${{ defaults.app_name }}
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
+spec:
+  data:
+    url: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
+  displayType: normal
+  icon: "https://avatars.githubusercontent.com/u/19872173?s=48&v=4"
+  name: Strapi
+  type: link

From 49500f55eef9c2396ebaeaef1b6a83b0dea9fe0c Mon Sep 17 00:00:00 2001
From: Carson Yang <yangchuansheng33@gmail.com>
Date: Wed, 24 Dec 2025 16:03:35 +0800
Subject: [PATCH 6/9] Update N8N (#557)

---
 template/n8n/README.md    | 388 ++++++++++++++++++++++++++++++++++++++
 template/n8n/README_zh.md | 388 ++++++++++++++++++++++++++++++++++++++
 template/n8n/index.yaml   |  11 +-
 3 files changed, 782 insertions(+), 5 deletions(-)
 create mode 100644 template/n8n/README.md
 create mode 100644 template/n8n/README_zh.md

diff --git a/template/n8n/README.md b/template/n8n/README.md
new file mode 100644
index 00000000..07a90e1b
--- /dev/null
+++ b/template/n8n/README.md
@@ -0,0 +1,388 @@
+# Deploy and Host n8n on Sealos
+
+n8n is a powerful workflow automation platform that combines the flexibility of code with the speed of no-code, enabling technical teams to build complex automation workflows with ease. This template provides one-click deployment of a production-ready n8n instance with optional PostgreSQL database and Redis queue mode, allowing you to create sophisticated automation workflows and integrations on Sealos Cloud.
+
+## About Hosting n8n
+
+n8n runs as a Node.js application that provides a visual workflow editor and execution engine for automating tasks across hundreds of different services and APIs. The platform supports both simple automations and complex multi-step workflows with conditional logic, loops, and data transformations.
+
+The Sealos template offers flexible deployment options: you can start with a lightweight SQLite-based setup for testing, upgrade to PostgreSQL for production workloads with better performance and data persistence, or enable queue mode with Redis for improved scalability and parallel execution. The deployment includes automatic initialization, persistent storage for workflow data, and secure public access with SSL certificates.
+
+## Common Use Cases
+
+- **API Integration and Data Sync**: Connect different services and sync data between platforms automatically
+- **Business Process Automation**: Automate repetitive tasks like data entry, report generation, and notifications
+- **Data Processing Pipelines**: Build ETL workflows to extract, transform, and load data between systems
+- **Webhook Processing**: Receive and process webhooks from external services with custom logic
+- **Scheduled Tasks**: Run workflows on schedules using cron expressions for periodic automation
+- **Customer Communication**: Automate email campaigns, notifications, and customer support workflows
+- **DevOps Automation**: Integrate CI/CD pipelines, monitoring alerts, and deployment workflows
+- **Content Management**: Automate content publishing, social media posting, and content aggregation
+
+## Dependencies for n8n Hosting
+
+The Sealos template includes all required components: n8n application server with optional PostgreSQL database and Redis for queue mode.
+
+### Deployment Dependencies
+
+- [n8n Documentation](https://docs.n8n.io/) - Official n8n documentation
+- [n8n Quickstart Guide](https://docs.n8n.io/try-it-out/) - Getting started with n8n
+- [n8n Workflow Examples](https://n8n.io/workflows) - Community workflow templates
+- [n8n Node Reference](https://docs.n8n.io/integrations/) - Available integrations and nodes
+- [PostgreSQL Documentation](https://www.postgresql.org/docs/) - Database backend documentation
+- [Redis Documentation](https://redis.io/docs/) - Queue backend documentation
+
+## Implementation Details
+
+### Architecture Components
+
+This template supports three deployment modes:
+
+**1. Basic Mode (Default):**
+- **n8n Application**: Workflow automation server with SQLite database
+  - Version: n8n 1.123.9
+  - Web UI: Port 5678 (exposed via Ingress with SSL)
+  - Persistent storage: 1Gi for workflow data and SQLite database
+  - Suitable for: Testing, development, and light production workloads
+
+**2. PostgreSQL Mode:**
+- **PostgreSQL Database**: Persistent data storage for workflows and executions
+  - Version: PostgreSQL 14.8.0
+  - Persistent storage: 1Gi
+  - Automatic database initialization with 'n8n' database
+  - Connection credentials managed via Kubernetes secrets
+- **n8n Application**: Connected to PostgreSQL for better performance
+  - Suitable for: Production workloads with high reliability requirements
+
+**3. Queue Mode (Requires PostgreSQL):**
+- **PostgreSQL Database**: Same as PostgreSQL mode
+- **Redis**: Message queue for workflow execution
+  - Version: Redis 7.0.6
+  - Persistent storage: 1Gi
+  - Includes Redis Sentinel for high availability
+- **n8n Main Process**: Workflow editor and API server
+- **n8n Worker**: Dedicated workflow execution worker
+  - Supports parallel execution of workflows
+  - Scalable for high-volume automation
+  - Suitable for: High-traffic production environments with many concurrent workflows
+
+**Resource Allocation:**
+
+| Component | CPU Request | CPU Limit | Memory Request | Memory Limit |
+|-----------|-------------|-----------|----------------|--------------|
+| n8n (Basic/PostgreSQL) | 50m | 500m | 51Mi | 512Mi |
+| n8n Worker (Queue Mode) | 20m | 200m | 25Mi | 256Mi |
+| PostgreSQL | 50m | 500m | 51Mi | 512Mi |
+| Redis | 50m | 500m | 51Mi | 512Mi |
+| Redis Sentinel | 100m | 100m | 100Mi | 100Mi |
+
+### Environment Configuration
+
+The template automatically configures n8n with the following settings:
+
+**Basic Configuration:**
+- Port: 5678
+- Webhook URL: Automatic (based on your deployment domain)
+- Timezone: Configurable (default: America/New_York)
+- Encryption Key: Automatically generated 32-character random string
+
+**Database Configuration (when PostgreSQL is enabled):**
+- Client: PostgreSQL
+- Connection: Automatic via Kubernetes secrets
+- Database name: `n8n`
+- SSL: Disabled (internal cluster communication)
+
+**Queue Configuration (when queue mode is enabled):**
+- Execution Mode: Queue
+- Redis Connection: Automatic via Kubernetes secrets
+- Worker Concurrency: 10 concurrent workflow executions
+- Health Checks: Enabled for both main process and workers
+
+**Public URLs:**
+- Web UI: `https://<app-host>.<domain>/`
+- Webhook Endpoint: `https://<app-host>.<domain>/webhook/`
+- Production Webhook: `https://<app-host>.<domain>/webhook-test/`
+
+### Deployment Process
+
+The deployment process varies by mode:
+
+**Basic Mode:**
+1. **Application Deployment**: n8n starts with SQLite database
+2. **Persistent Storage**: Workflow data stored in persistent volume
+
+**PostgreSQL Mode:**
+1. **Database Initialization Job**: Creates the `n8n` database in PostgreSQL
+2. **Application Deployment**: n8n connects to PostgreSQL and initializes schema
+
+**Queue Mode:**
+1. **Redis Deployment**: Redis cluster with Sentinel for high availability
+2. **PostgreSQL Deployment**: Database for persistent storage
+3. **Database Initialization Job**: Creates the `n8n` database
+4. **Main Process Deployment**: n8n web UI and API server
+5. **Worker Deployment**: Dedicated workflow execution worker
+
+All deployments include automatic health checks and are ready to use immediately after completion.
+
+## Why Deploy n8n on Sealos?
+
+Sealos is an AI-assisted Cloud Operating System built on Kubernetes that unifies the entire application lifecycle, from development in cloud IDEs to production deployment and management. By deploying n8n on Sealos, you get:
+
+- **One-Click Deployment**: Deploy n8n with optional PostgreSQL and Redis in seconds. No complex configuration or Kubernetes expertise required.
+- **Flexible Architecture**: Choose between SQLite for simplicity, PostgreSQL for production reliability, or queue mode for high-scale automation.
+- **Pre-Configured Databases**: PostgreSQL and Redis are automatically provisioned, initialized, and connected with secure credentials.
+- **Persistent Storage**: Built-in persistent storage ensures your workflows, credentials, and execution history survive restarts and updates.
+- **Secure Public Access**: n8n gets automatic public URL with SSL certificate, allowing secure access to the web UI and webhook endpoints.
+- **Timezone Support**: Configure your instance timezone for accurate scheduled workflow execution.
+- **Easy Scaling**: Adjust resources through intuitive forms as your automation needs grow.
+- **Automatic Security**: Encryption keys and database credentials are generated automatically with cryptographically secure random values.
+- **Worker Scalability**: Queue mode enables horizontal scaling of workflow execution for high-volume automation.
+
+Deploy n8n on Sealos and focus on building powerful automation workflows instead of managing infrastructure.
+
+## Deployment Guide
+
+1. Visit [Sealos Cloud](https://os.sealos.io/?openapp=system-brain?trial=true)
+2. Click "From Template"
+3. Search for "n8n" in the App Store
+4. Configure your deployment options:
+   - **Use PostgreSQL**: Enable for production workloads (recommended for better performance and data persistence)
+   - **Timezone**: Select your timezone for accurate scheduled workflow execution
+   - **Use Queue Mode**: Enable for high-scale automation with parallel execution (requires PostgreSQL)
+5. Click "Deploy"
+6. Wait for deployment to complete (typically 1-2 minutes)
+7. Access n8n via the provided URL (shown in the canvas)
+8. Create your admin account on first access
+
+## Configuration
+
+After deployment, you can customize your n8n instance:
+
+### Initial Setup
+
+1. **Create Owner Account**: On first access, you'll be prompted to create an owner account with email and password
+2. **Explore Workflow Templates**: Browse the template library to get started quickly
+3. **Configure Credentials**: Add credentials for the services you want to integrate
+4. **Create Your First Workflow**: Use the visual editor to build your first automation
+
+### Deployment Modes
+
+**When to use each mode:**
+
+- **Basic Mode (SQLite)**:
+  - ✅ Testing and development
+  - ✅ Personal automation projects
+  - ✅ Low-volume workflows (< 100 executions/day)
+  - ❌ Not recommended for production with multiple users
+
+- **PostgreSQL Mode**:
+  - ✅ Production deployments
+  - ✅ Multi-user environments
+  - ✅ Medium-volume workflows (100-1000 executions/day)
+  - ✅ When you need reliable data persistence
+
+- **Queue Mode**:
+  - ✅ High-volume automation (> 1000 executions/day)
+  - ✅ Workflows that need parallel execution
+  - ✅ When you need to scale workflow execution independently
+  - ✅ Production environments with high reliability requirements
+
+### Resource Scaling
+
+Adjust resources in the canvas based on your needs:
+- **CPU/Memory (Main Process)**: Increase for better UI performance and handling more concurrent users
+- **CPU/Memory (Worker)**: Increase for faster workflow execution and more concurrent workflows
+- **Storage**: Expand for more workflow history and execution data
+
+### Timezone Configuration
+
+The timezone setting is critical for scheduled workflows:
+- Affects all Cron nodes and scheduled triggers
+- Can be changed after deployment by updating the deployment environment variables
+- Supported timezones include major cities across all continents
+
+### Service Endpoints
+
+| Service | Endpoint | Purpose |
+|---------|----------|---------|
+| Web UI | `https://<app-host>.<domain>` | Workflow editor and management interface |
+| Webhook | `https://<app-host>.<domain>/webhook/<workflow-id>` | Production webhook endpoints |
+| Test Webhook | `https://<app-host>.<domain>/webhook-test/<workflow-id>` | Test webhook endpoints |
+| PostgreSQL | `<app-name>-pg-postgresql.<namespace>.svc:5432` | Database (internal, if enabled) |
+| Redis | `<app-name>-redis-redis.<namespace>.svc:6379` | Queue (internal, if queue mode enabled) |
+
+## Troubleshooting
+
+### Common Issues
+
+**Issue 1: Cannot Create Owner Account**
+- Cause: First-time setup not completed
+- Solution: Access the web UI URL and follow the owner account creation wizard. This is required on first deployment.
+
+**Issue 2: Scheduled Workflows Running at Wrong Time**
+- Cause: Timezone configuration mismatch
+- Solution: Verify the timezone setting in the deployment configuration matches your expected timezone. Update the `GENERIC_TIMEZONE` and `TZ` environment variables if needed.
+
+**Issue 3: Workflows Failing with Database Errors (PostgreSQL Mode)**
+- Cause: Database not initialized or connection issues
+- Solution: Check that the PostgreSQL cluster is running in the canvas. Verify the init job completed successfully by examining its logs. The database connection is automatic via Kubernetes secrets.
+
+**Issue 4: Worker Not Processing Workflows (Queue Mode)**
+- Cause: Redis connection issues or worker not running
+- Solution: Verify both Redis and the worker deployment are running in the canvas. Check worker logs for connection errors. Ensure PostgreSQL mode is enabled (queue mode requires it).
+
+**Issue 5: Webhook Endpoints Not Responding**
+- Cause: Workflow not activated or incorrect webhook URL
+- Solution: Ensure the workflow is activated (toggle in the workflow editor). Verify you're using the correct webhook URL format. Check Ingress configuration for routing issues.
+
+**Issue 6: High Memory Usage**
+- Cause: Large workflow executions or many concurrent workflows
+- Solution: Increase memory allocation in the canvas. Consider enabling queue mode to offload execution to dedicated workers. Review workflow efficiency and optimize data processing.
+
+**Issue 7: Credentials Not Persisting**
+- Cause: Storage not properly mounted or encryption key changed
+- Solution: Verify persistent storage is attached. Never change the `N8N_ENCRYPTION_KEY` after initial deployment as it will invalidate all stored credentials.
+
+### Getting Help
+
+- [n8n Documentation](https://docs.n8n.io/)
+- [n8n Community Forum](https://community.n8n.io/)
+- [n8n Discord](https://discord.gg/n8n)
+- [Sealos Discord Community](https://discord.gg/wdUn538zVP)
+
+## Additional Resources
+
+- [n8n Workflow Examples](https://n8n.io/workflows) - Browse community-created workflow templates
+- [n8n Node Documentation](https://docs.n8n.io/integrations/) - Complete reference for all available nodes
+- [n8n Expression Reference](https://docs.n8n.io/code/expressions/) - Guide to using expressions in workflows
+- [n8n Best Practices](https://docs.n8n.io/workflows/best-practices/) - Tips for building efficient workflows
+- [PostgreSQL Best Practices](https://wiki.postgresql.org/wiki/Don%27t_Do_This) - Database optimization tips
+- [Redis Best Practices](https://redis.io/docs/management/optimization/) - Queue optimization guide
+
+## Development Workflow
+
+### Creating Workflows
+
+To create your first workflow:
+
+1. **Access the Editor**: Navigate to your n8n URL and log in
+2. **Create New Workflow**: Click "Add Workflow" in the top menu
+3. **Add Nodes**: Drag and drop nodes from the left panel
+4. **Configure Nodes**: Click on each node to configure its settings
+5. **Connect Nodes**: Draw connections between nodes to define the flow
+6. **Test Execution**: Use the "Execute Workflow" button to test
+7. **Activate**: Toggle the workflow to "Active" to enable automatic execution
+
+### Using Webhooks
+
+n8n provides two types of webhook endpoints:
+
+**Production Webhooks:**
+```
+https://<app-host>.<domain>/webhook/<workflow-id>
+```
+- Used when workflow is activated
+- Stable URL that doesn't change
+- Use for production integrations
+
+**Test Webhooks:**
+```
+https://<app-host>.<domain>/webhook-test/<workflow-id>
+```
+- Used during workflow development
+- Only works when workflow editor is open
+- Use for testing before activation
+
+### Managing Credentials
+
+1. Go to **Credentials** in the left menu
+2. Click **Add Credential**
+3. Select the service type (e.g., Gmail, Slack, GitHub)
+4. Enter the required authentication details
+5. Test the connection
+6. Save the credential
+7. Use the credential in your workflow nodes
+
+**Important**: Credentials are encrypted using the `N8N_ENCRYPTION_KEY`. Never change this key after initial deployment, or all credentials will become inaccessible.
+
+### Workflow Best Practices
+
+1. **Error Handling**: Always add error workflows to handle failures gracefully
+2. **Data Validation**: Validate input data before processing to prevent errors
+3. **Execution Limits**: Set reasonable limits on loop iterations and data processing
+4. **Logging**: Use the "Set" node to log important data points for debugging
+5. **Testing**: Thoroughly test workflows with various input scenarios before activation
+6. **Documentation**: Add notes to complex workflows explaining the logic
+7. **Modular Design**: Break complex automations into smaller, reusable workflows
+
+### Queue Mode Optimization
+
+When using queue mode, consider these optimization strategies:
+
+1. **Worker Scaling**: Increase worker replicas for higher throughput
+2. **Concurrency**: Adjust `N8N_CONCURRENCY` environment variable (default: 10)
+3. **Workflow Design**: Design workflows to be stateless for better parallel execution
+4. **Resource Allocation**: Monitor worker resource usage and adjust CPU/memory limits
+5. **Redis Tuning**: For very high volumes, consider increasing Redis resources
+
+### Monitoring and Maintenance
+
+**Execution History:**
+- View all workflow executions in the "Executions" tab
+- Filter by status (success, error, waiting)
+- Inspect execution data and error messages
+
+**Performance Monitoring:**
+- Monitor resource usage in the Sealos canvas
+- Check execution times in the workflow execution history
+- Review worker logs for queue mode deployments
+
+**Backup and Recovery:**
+- Workflow definitions are stored in the database
+- Regular database backups are recommended for production
+- Export important workflows as JSON for version control
+
+### Upgrading n8n
+
+To upgrade to a newer version of n8n:
+
+1. Update the image tag in the StatefulSet/Deployment
+2. Apply the changes through the Sealos canvas
+3. n8n will automatically run database migrations on startup
+4. Verify all workflows still function correctly after upgrade
+
+**Note**: Always review the [n8n release notes](https://docs.n8n.io/release-notes/) before upgrading, especially for major version changes.
+
+## Security Considerations
+
+### Credential Management
+
+- All credentials are encrypted at rest using the `N8N_ENCRYPTION_KEY`
+- Never share or expose the encryption key
+- Use environment-specific credentials for different deployments
+- Regularly rotate API keys and tokens used in credentials
+
+### Webhook Security
+
+- Use webhook authentication when possible (HTTP Basic Auth, Header Auth)
+- Validate webhook payloads to prevent injection attacks
+- Use HTTPS (automatically provided by Sealos)
+- Consider IP whitelisting for sensitive webhooks
+
+### Access Control
+
+- Use strong passwords for owner and user accounts
+- Limit user access based on roles (owner, member, viewer)
+- Regularly review user access and remove inactive accounts
+- Enable two-factor authentication if available in your n8n version
+
+### Network Security
+
+- All external communication uses HTTPS with SSL certificates
+- Internal service communication uses Kubernetes service networking
+- Database and Redis are not exposed externally
+- Webhook endpoints are the only public-facing entry points
+
+## License
+
+This Sealos template is provided under MIT License. n8n is provided under the [Sustainable Use License](https://github.com/n8n-io/n8n/blob/master/LICENSE.md) - see the license for details regarding commercial use.
diff --git a/template/n8n/README_zh.md b/template/n8n/README_zh.md
new file mode 100644
index 00000000..a56038b2
--- /dev/null
+++ b/template/n8n/README_zh.md
@@ -0,0 +1,388 @@
+# 在 Sealos 上部署 n8n 工作流自动化平台
+
+n8n 是一款强大的工作流自动化平台，兼具代码的灵活性与低代码的便捷性，让技术团队轻松构建复杂的自动化流程。本模板支持一键部署生产级 n8n 实例，可选配 PostgreSQL 数据库和 Redis 队列模式，助你在 Sealos Cloud 上快速搭建强大的自动化工作流。
+
+## 关于 n8n
+
+n8n 是一个基于 Node.js 的应用，提供可视化工作流编辑器和执行引擎，能够对接数百种服务和 API，实现任务自动化。无论是简单的自动化操作，还是包含条件逻辑、循环和数据转换的复杂多步骤工作流，n8n 都能胜任。
+
+Sealos 模板提供灵活的部署选项：可以先用轻量级的 SQLite 方案进行测试，再升级到 PostgreSQL 以获得更好的性能和数据持久化，或启用 Redis 队列模式实现更高的可扩展性和并行执行能力。部署过程包含自动初始化、工作流数据持久存储，以及带 SSL 证书的安全公网访问。
+
+## 典型应用场景
+
+- **API 集成与数据同步**：连接不同服务，自动同步平台间的数据
+- **业务流程自动化**：将数据录入、报表生成、通知发送等重复性工作交给机器
+- **数据处理管道**：构建 ETL 工作流，在系统间进行数据的提取、转换和加载
+- **Webhook 处理**：接收外部服务的 Webhook 请求，执行自定义逻辑
+- **定时任务**：通过 Cron 表达式按计划运行工作流
+- **客户沟通**：自动化邮件营销、通知推送和客服流程
+- **DevOps 自动化**：集成 CI/CD 流水线、监控告警和部署工作流
+- **内容管理**：自动化内容发布、社交媒体推送和内容聚合
+
+## 依赖组件
+
+Sealos 模板已包含所有必需组件：n8n 应用服务器，以及可选的 PostgreSQL 数据库和 Redis 队列服务。
+
+### 相关文档
+
+- [n8n 官方文档](https://docs.n8n.io/) - n8n 使用指南
+- [n8n 快速入门](https://docs.n8n.io/try-it-out/) - 新手上路
+- [n8n 工作流示例](https://n8n.io/workflows) - 社区工作流模板
+- [n8n 节点参考](https://docs.n8n.io/integrations/) - 可用集成和节点
+- [PostgreSQL 文档](https://www.postgresql.org/docs/) - 数据库后端文档
+- [Redis 文档](https://redis.io/docs/) - 队列后端文档
+
+## 技术架构
+
+### 架构组件
+
+本模板支持三种部署模式：
+
+**1. 基础模式（默认）：**
+- **n8n 应用**：使用 SQLite 数据库的工作流自动化服务器
+  - 版本：n8n 1.123.9
+  - Web 界面：端口 5678（通过 Ingress 暴露，带 SSL）
+  - 持久存储：1Gi，用于工作流数据和 SQLite 数据库
+  - 适用场景：测试、开发和轻量级生产环境
+
+**2. PostgreSQL 模式：**
+- **PostgreSQL 数据库**：为工作流和执行记录提供持久化存储
+  - 版本：PostgreSQL 14.8.0
+  - 持久存储：1Gi
+  - 自动初始化 'n8n' 数据库
+  - 通过 Kubernetes Secrets 管理连接凭据
+- **n8n 应用**：连接 PostgreSQL，性能更佳
+  - 适用场景：对可靠性要求较高的生产环境
+
+**3. 队列模式（需启用 PostgreSQL）：**
+- **PostgreSQL 数据库**：与 PostgreSQL 模式相同
+- **Redis**：工作流执行的消息队列
+  - 版本：Redis 7.0.6
+  - 持久存储：1Gi
+  - 包含 Redis Sentinel 实现高可用
+- **n8n 主进程**：工作流编辑器和 API 服务器
+- **n8n Worker**：专用的工作流执行进程
+  - 支持工作流并行执行
+  - 可扩展以应对高并发场景
+  - 适用场景：高流量生产环境，需处理大量并发工作流
+
+**资源配置：**
+
+| 组件 | CPU 请求 | CPU 限制 | 内存请求 | 内存限制 |
+|------|----------|----------|----------|----------|
+| n8n（基础/PostgreSQL 模式） | 50m | 500m | 51Mi | 512Mi |
+| n8n Worker（队列模式） | 20m | 200m | 25Mi | 256Mi |
+| PostgreSQL | 50m | 500m | 51Mi | 512Mi |
+| Redis | 50m | 500m | 51Mi | 512Mi |
+| Redis Sentinel | 100m | 100m | 100Mi | 100Mi |
+
+### 环境配置
+
+模板会自动为 n8n 配置以下设置：
+
+**基础配置：**
+- 端口：5678
+- Webhook URL：自动配置（基于部署域名）
+- 时区：可配置（默认：America/New_York）
+- 加密密钥：自动生成 32 位随机字符串
+
+**数据库配置（启用 PostgreSQL 时）：**
+- 客户端：PostgreSQL
+- 连接：通过 Kubernetes Secrets 自动配置
+- 数据库名：`n8n`
+- SSL：禁用（集群内部通信）
+
+**队列配置（启用队列模式时）：**
+- 执行模式：队列
+- Redis 连接：通过 Kubernetes Secrets 自动配置
+- Worker 并发数：10 个并发工作流执行
+- 健康检查：主进程和 Worker 均已启用
+
+**公网访问地址：**
+- Web 界面：`https://<app-host>.<domain>/`
+- Webhook 端点：`https://<app-host>.<domain>/webhook/`
+- 生产 Webhook：`https://<app-host>.<domain>/webhook-test/`
+
+### 部署流程
+
+部署流程因模式而异：
+
+**基础模式：**
+1. **应用部署**：n8n 使用 SQLite 数据库启动
+2. **持久存储**：工作流数据存储在持久卷中
+
+**PostgreSQL 模式：**
+1. **数据库初始化任务**：在 PostgreSQL 中创建 `n8n` 数据库
+2. **应用部署**：n8n 连接 PostgreSQL 并初始化表结构
+
+**队列模式：**
+1. **Redis 部署**：部署带 Sentinel 的 Redis 集群实现高可用
+2. **PostgreSQL 部署**：部署持久化存储数据库
+3. **数据库初始化任务**：创建 `n8n` 数据库
+4. **主进程部署**：n8n Web 界面和 API 服务器
+5. **Worker 部署**：专用的工作流执行进程
+
+所有部署均包含自动健康检查，完成后即可立即使用。
+
+## 为什么选择在 Sealos 上部署 n8n？
+
+Sealos 是基于 Kubernetes 构建的 AI 云操作系统，从云端 IDE 开发到生产部署和运维，覆盖应用全生命周期。在 Sealos 上部署 n8n，你将获得：
+
+- **一键部署**：秒级部署 n8n 及可选的 PostgreSQL 和 Redis，无需复杂配置，无需 Kubernetes 专业知识
+- **灵活架构**：可选择 SQLite 追求简洁、PostgreSQL 确保生产可靠性，或队列模式应对高并发场景
+- **数据库开箱即用**：PostgreSQL 和 Redis 自动创建、初始化并配置安全凭据
+- **持久存储**：内置持久存储确保工作流、凭据和执行历史在重启和更新后依然保留
+- **安全公网访问**：自动分配带 SSL 证书的公网 URL，安全访问 Web 界面和 Webhook 端点
+- **时区支持**：可配置实例时区，确保定时工作流准确执行
+- **弹性扩展**：通过直观的表单界面，按需调整资源
+- **自动安全配置**：加密密钥和数据库凭据均使用密码学安全的随机值自动生成
+- **Worker 可扩展**：队列模式支持工作流执行的水平扩展，应对高并发自动化需求
+
+在 Sealos 上部署 n8n，让你专注于构建强大的自动化工作流，而非折腾基础设施。
+
+## 部署指南
+
+1. 访问 [Sealos Cloud](https://os.sealos.io/?openapp=system-brain?trial=true)
+2. 点击「从模板创建」
+3. 在应用商店搜索「n8n」
+4. 配置部署选项：
+   - **使用 PostgreSQL**：生产环境建议启用（性能更好、数据持久化）
+   - **时区**：选择你的时区，确保定时工作流准确执行
+   - **使用队列模式**：需要高并发并行执行时启用（需先启用 PostgreSQL）
+5. 点击「部署」
+6. 等待部署完成（通常 1-2 分钟）
+7. 通过画布中显示的 URL 访问 n8n
+8. 首次访问时创建管理员账号
+
+## 配置说明
+
+部署完成后，你可以对 n8n 实例进行个性化配置：
+
+### 初始设置
+
+1. **创建管理员账号**：首次访问时，系统会提示你创建管理员账号（邮箱和密码）
+2. **浏览工作流模板**：在模板库中快速找到入门案例
+3. **配置凭据**：添加你要集成的服务的凭据
+4. **创建首个工作流**：使用可视化编辑器构建你的第一个自动化流程
+
+### 部署模式选择
+
+**各模式适用场景：**
+
+- **基础模式（SQLite）**：
+  - ✅ 测试和开发
+  - ✅ 个人自动化项目
+  - ✅ 低频工作流（每天 < 100 次执行）
+  - ❌ 不建议用于多用户生产环境
+
+- **PostgreSQL 模式**：
+  - ✅ 生产环境部署
+  - ✅ 多用户场景
+  - ✅ 中等频率工作流（每天 100-1000 次执行）
+  - ✅ 需要可靠数据持久化
+
+- **队列模式**：
+  - ✅ 高频自动化（每天 > 1000 次执行）
+  - ✅ 需要并行执行的工作流
+  - ✅ 需要独立扩展工作流执行能力
+  - ✅ 高可靠性要求的生产环境
+
+### 资源调整
+
+在画布中根据需求调整资源：
+- **CPU/内存（主进程）**：增加以提升界面性能和并发用户处理能力
+- **CPU/内存（Worker）**：增加以加速工作流执行和提高并发处理能力
+- **存储**：扩展以保存更多工作流历史和执行数据
+
+### 时区配置
+
+时区设置对定时工作流至关重要：
+- 影响所有 Cron 节点和定时触发器
+- 部署后可通过更新 Deployment 环境变量修改
+- 支持全球主要城市时区
+
+### 服务端点
+
+| 服务 | 端点 | 用途 |
+|------|------|------|
+| Web 界面 | `https://<app-host>.<domain>` | 工作流编辑器和管理界面 |
+| Webhook | `https://<app-host>.<domain>/webhook/<workflow-id>` | 生产 Webhook 端点 |
+| 测试 Webhook | `https://<app-host>.<domain>/webhook-test/<workflow-id>` | 测试用 Webhook 端点 |
+| PostgreSQL | `<app-name>-pg-postgresql.<namespace>.svc:5432` | 数据库（内部访问，如已启用） |
+| Redis | `<app-name>-redis-redis.<namespace>.svc:6379` | 队列（内部访问，如已启用队列模式） |
+
+## 故障排查
+
+### 常见问题
+
+**问题 1：无法创建管理员账号**
+- 原因：首次设置未完成
+- 解决方案：访问 Web 界面 URL，按照管理员账号创建向导操作。首次部署必须完成此步骤。
+
+**问题 2：定时工作流执行时间不对**
+- 原因：时区配置不匹配
+- 解决方案：检查部署配置中的时区设置是否与预期一致。如需修改，更新 `GENERIC_TIMEZONE` 和 `TZ` 环境变量。
+
+**问题 3：工作流报数据库错误（PostgreSQL 模式）**
+- 原因：数据库未初始化或连接问题
+- 解决方案：在画布中确认 PostgreSQL 集群正在运行。检查初始化 Job 的日志确认是否成功完成。数据库连接通过 Kubernetes Secrets 自动配置。
+
+**问题 4：Worker 不处理工作流（队列模式）**
+- 原因：Redis 连接问题或 Worker 未运行
+- 解决方案：在画布中确认 Redis 和 Worker Deployment 都在运行。查看 Worker 日志排查连接错误。确保已启用 PostgreSQL 模式（队列模式依赖它）。
+
+**问题 5：Webhook 端点无响应**
+- 原因：工作流未激活或 Webhook URL 不正确
+- 解决方案：确保工作流已激活（工作流编辑器中的开关）。检查 Webhook URL 格式是否正确。排查 Ingress 配置的路由问题。
+
+**问题 6：内存占用过高**
+- 原因：大型工作流执行或并发工作流过多
+- 解决方案：在画布中增加内存配额。考虑启用队列模式将执行任务分流到专用 Worker。优化工作流效率和数据处理逻辑。
+
+**问题 7：凭据未持久化**
+- 原因：存储未正确挂载或加密密钥已变更
+- 解决方案：确认持久存储已挂载。切记：初始部署后绝不能修改 `N8N_ENCRYPTION_KEY`，否则所有已存储的凭据都将失效。
+
+### 获取帮助
+
+- [n8n 官方文档](https://docs.n8n.io/)
+- [n8n 社区论坛](https://community.n8n.io/)
+- [n8n Discord](https://discord.gg/n8n)
+- [Sealos Discord 社区](https://discord.gg/wdUn538zVP)
+
+## 更多资源
+
+- [n8n 工作流示例](https://n8n.io/workflows) - 浏览社区创建的工作流模板
+- [n8n 节点文档](https://docs.n8n.io/integrations/) - 所有可用节点的完整参考
+- [n8n 表达式参考](https://docs.n8n.io/code/expressions/) - 工作流中使用表达式的指南
+- [n8n 最佳实践](https://docs.n8n.io/workflows/best-practices/) - 构建高效工作流的技巧
+- [PostgreSQL 最佳实践](https://wiki.postgresql.org/wiki/Don%27t_Do_This) - 数据库优化建议
+- [Redis 最佳实践](https://redis.io/docs/management/optimization/) - 队列优化指南
+
+## 开发工作流
+
+### 创建工作流
+
+创建你的第一个工作流：
+
+1. **进入编辑器**：访问 n8n URL 并登录
+2. **新建工作流**：点击顶部菜单的「Add Workflow」
+3. **添加节点**：从左侧面板拖拽节点到画布
+4. **配置节点**：点击每个节点进行设置
+5. **连接节点**：在节点之间绘制连线定义流程
+6. **测试执行**：点击「Execute Workflow」按钮进行测试
+7. **激活**：将工作流切换为「Active」状态以启用自动执行
+
+### 使用 Webhook
+
+n8n 提供两种 Webhook 端点：
+
+**生产 Webhook：**
+```
+https://<app-host>.<domain>/webhook/<workflow-id>
+```
+- 工作流激活后使用
+- URL 固定不变
+- 用于生产环境集成
+
+**测试 Webhook：**
+```
+https://<app-host>.<domain>/webhook-test/<workflow-id>
+```
+- 工作流开发阶段使用
+- 仅在工作流编辑器打开时有效
+- 用于激活前的测试
+
+### 管理凭据
+
+1. 进入左侧菜单的 **Credentials**
+2. 点击 **Add Credential**
+3. 选择服务类型（如 Gmail、Slack、GitHub）
+4. 填写所需的认证信息
+5. 测试连接
+6. 保存凭据
+7. 在工作流节点中使用该凭据
+
+**重要提示**：凭据使用 `N8N_ENCRYPTION_KEY` 进行加密。初始部署后切勿修改此密钥，否则所有凭据都将无法访问。
+
+### 工作流最佳实践
+
+1. **错误处理**：始终添加错误处理工作流，优雅地处理失败情况
+2. **数据验证**：处理前验证输入数据，防止错误发生
+3. **执行限制**：为循环迭代和数据处理设置合理限制
+4. **日志记录**：使用「Set」节点记录关键数据点，便于调试
+5. **充分测试**：激活前用各种输入场景彻底测试工作流
+6. **文档说明**：为复杂工作流添加注释说明逻辑
+7. **模块化设计**：将复杂自动化拆分为更小的可复用工作流
+
+### 队列模式优化
+
+使用队列模式时，考虑以下优化策略：
+
+1. **Worker 扩展**：增加 Worker 副本数以提高吞吐量
+2. **并发配置**：调整 `N8N_CONCURRENCY` 环境变量（默认：10）
+3. **工作流设计**：将工作流设计为无状态，以便更好地并行执行
+4. **资源分配**：监控 Worker 资源使用情况，调整 CPU/内存限制
+5. **Redis 调优**：对于超高并发场景，考虑增加 Redis 资源
+
+### 监控与维护
+
+**执行历史：**
+- 在「Executions」标签页查看所有工作流执行记录
+- 按状态筛选（成功、错误、等待中）
+- 检查执行数据和错误信息
+
+**性能监控：**
+- 在 Sealos 画布中监控资源使用情况
+- 在工作流执行历史中查看执行耗时
+- 查看队列模式部署的 Worker 日志
+
+**备份与恢复：**
+- 工作流定义存储在数据库中
+- 生产环境建议定期备份数据库
+- 将重要工作流导出为 JSON 进行版本控制
+
+### 升级 n8n
+
+升级到新版本的步骤：
+
+1. 更新 StatefulSet/Deployment 中的镜像标签
+2. 通过 Sealos 画布应用更改
+3. n8n 启动时会自动运行数据库迁移
+4. 升级后验证所有工作流是否正常运行
+
+**注意**：升级前务必查阅 [n8n 发布说明](https://docs.n8n.io/release-notes/)，尤其是大版本更新。
+
+## 安全注意事项
+
+### 凭据管理
+
+- 所有凭据使用 `N8N_ENCRYPTION_KEY` 静态加密存储
+- 切勿共享或暴露加密密钥
+- 不同部署环境使用独立的凭据
+- 定期轮换凭据中使用的 API 密钥和令牌
+
+### Webhook 安全
+
+- 尽可能使用 Webhook 认证（HTTP Basic Auth、Header Auth）
+- 验证 Webhook 载荷，防止注入攻击
+- 使用 HTTPS（Sealos 自动提供）
+- 敏感 Webhook 考虑 IP 白名单
+
+### 访问控制
+
+- 为管理员和用户账号使用强密码
+- 根据角色限制用户访问权限（owner、member、viewer）
+- 定期审查用户访问权限，移除不活跃账号
+- 如你的 n8n 版本支持，启用双因素认证
+
+### 网络安全
+
+- 所有外部通信使用带 SSL 证书的 HTTPS
+- 内部服务通信使用 Kubernetes 服务网络
+- 数据库和 Redis 不对外暴露
+- Webhook 端点是唯一面向公网的入口
+
+## 许可证
+
+本 Sealos 模板采用 MIT 许可证。n8n 采用 [Sustainable Use License](https://github.com/n8n-io/n8n/blob/master/LICENSE.md)——商业使用请参阅许可证详情。
diff --git a/template/n8n/index.yaml b/template/n8n/index.yaml
index 40ecd0d3..8472fc48 100644
--- a/template/n8n/index.yaml
+++ b/template/n8n/index.yaml
@@ -8,13 +8,14 @@ spec:
   gitRepo: 'https://github.com/n8n-io/n8n'
   author: 'Sealos'
   description: 'n8n is a workflow automation platform that gives technical teams the flexibility of code with the speed of no-code.'
-  readme: 'https://raw.githubusercontent.com/n8n-io/n8n/master/README.md'
+  readme: 'https://raw.githubusercontent.com/labring-actions/templates/main/template/n8n/README.md'
   icon: 'https://n8n.io/favicon.ico'
   templateType: inline
   locale: en
   i18n:
     zh:
       description: 'n8n 是一个工作流自动化平台，通过将代码的灵活性与无代码的速度相结合，帮助技术团队构建自动化流程。'
+      readme: 'https://raw.githubusercontent.com/labring-actions/templates/main/template/n8n/README_zh.md'
   categories:
     - ai
     - low-code
@@ -295,7 +296,7 @@ kind: StatefulSet
 metadata:
   name: ${{ defaults.app_name }}
   annotations:
-    originImageName: n8nio/n8n:1.115.1
+    originImageName: n8nio/n8n:1.123.9
     deploy.cloud.sealos.io/minReplicas: '1'
     deploy.cloud.sealos.io/maxReplicas: '1'
   labels:
@@ -326,7 +327,7 @@ spec:
               mountPath: /data
       containers:
         - name: ${{ defaults.app_name }}
-          image: n8nio/n8n:1.115.1
+          image: n8nio/n8n:1.123.9
           env:
             - name: N8N_PORT
               value: "5678"
@@ -427,7 +428,7 @@ kind: Deployment
 metadata:
   name: ${{ defaults.app_name }}-worker
   annotations:
-    originImageName: n8nio/n8n:1.115.1
+    originImageName: n8nio/n8n:1.123.9
     deploy.cloud.sealos.io/minReplicas: '1'
     deploy.cloud.sealos.io/maxReplicas: '1'
   labels:
@@ -447,7 +448,7 @@ spec:
       automountServiceAccountToken: false
       containers:
         - name: ${{ defaults.app_name }}-worker
-          image: n8nio/n8n:1.115.1
+          image: n8nio/n8n:1.123.9
           command:
             - tini
             - --

From 44179288a863465977a74dba7fab957a4d3ee388 Mon Sep 17 00:00:00 2001
From: Carson Yang <yangchuansheng33@gmail.com>
Date: Wed, 24 Dec 2025 17:57:35 +0800
Subject: [PATCH 7/9] Update n8n to v2 (#558)

---
 template/n8n/README.md    |  12 +++-
 template/n8n/README_zh.md |  12 +++-
 template/n8n/index.yaml   | 141 +++++++++++++++++++++++++++++++++++---
 3 files changed, 149 insertions(+), 16 deletions(-)

diff --git a/template/n8n/README.md b/template/n8n/README.md
index 07a90e1b..5dbdbdaf 100644
--- a/template/n8n/README.md
+++ b/template/n8n/README.md
@@ -40,7 +40,7 @@ This template supports three deployment modes:
 
 **1. Basic Mode (Default):**
 - **n8n Application**: Workflow automation server with SQLite database
-  - Version: n8n 1.123.9
+  - Version: n8n 2.1.4
   - Web UI: Port 5678 (exposed via Ingress with SSL)
   - Persistent storage: 1Gi for workflow data and SQLite database
   - Suitable for: Testing, development, and light production workloads
@@ -64,6 +64,9 @@ This template supports three deployment modes:
 - **n8n Worker**: Dedicated workflow execution worker
   - Supports parallel execution of workflows
   - Scalable for high-volume automation
+- **n8n Runners**: External task runners for isolated code execution
+  - Separate runners for main process and worker
+  - Enhanced security through isolated execution environment
   - Suitable for: High-traffic production environments with many concurrent workflows
 
 **Resource Allocation:**
@@ -71,7 +74,8 @@ This template supports three deployment modes:
 | Component | CPU Request | CPU Limit | Memory Request | Memory Limit |
 |-----------|-------------|-----------|----------------|--------------|
 | n8n (Basic/PostgreSQL) | 50m | 500m | 51Mi | 512Mi |
-| n8n Worker (Queue Mode) | 20m | 200m | 25Mi | 256Mi |
+| n8n Worker (Queue Mode) | 20m | 200m | 51Mi | 512Mi |
+| n8n Runners (Queue Mode) | 20m | 200m | 25Mi | 256Mi |
 | PostgreSQL | 50m | 500m | 51Mi | 512Mi |
 | Redis | 50m | 500m | 51Mi | 512Mi |
 | Redis Sentinel | 100m | 100m | 100Mi | 100Mi |
@@ -120,7 +124,9 @@ The deployment process varies by mode:
 2. **PostgreSQL Deployment**: Database for persistent storage
 3. **Database Initialization Job**: Creates the `n8n` database
 4. **Main Process Deployment**: n8n web UI and API server
-5. **Worker Deployment**: Dedicated workflow execution worker
+5. **Runners Deployment**: External task runners for main process
+6. **Worker Deployment**: Dedicated workflow execution worker
+7. **Worker Runners Deployment**: External task runners for worker
 
 All deployments include automatic health checks and are ready to use immediately after completion.
 
diff --git a/template/n8n/README_zh.md b/template/n8n/README_zh.md
index a56038b2..26d308f6 100644
--- a/template/n8n/README_zh.md
+++ b/template/n8n/README_zh.md
@@ -40,7 +40,7 @@ Sealos 模板已包含所有必需组件：n8n 应用服务器，以及可选的
 
 **1. 基础模式（默认）：**
 - **n8n 应用**：使用 SQLite 数据库的工作流自动化服务器
-  - 版本：n8n 1.123.9
+  - 版本：n8n 2.1.4
   - Web 界面：端口 5678（通过 Ingress 暴露，带 SSL）
   - 持久存储：1Gi，用于工作流数据和 SQLite 数据库
   - 适用场景：测试、开发和轻量级生产环境
@@ -64,6 +64,9 @@ Sealos 模板已包含所有必需组件：n8n 应用服务器，以及可选的
 - **n8n Worker**：专用的工作流执行进程
   - 支持工作流并行执行
   - 可扩展以应对高并发场景
+- **n8n Runners**：外部任务执行器，用于隔离代码执行
+  - 主进程和 Worker 各有独立的 Runners
+  - 通过隔离执行环境增强安全性
   - 适用场景：高流量生产环境，需处理大量并发工作流
 
 **资源配置：**
@@ -71,7 +74,8 @@ Sealos 模板已包含所有必需组件：n8n 应用服务器，以及可选的
 | 组件 | CPU 请求 | CPU 限制 | 内存请求 | 内存限制 |
 |------|----------|----------|----------|----------|
 | n8n（基础/PostgreSQL 模式） | 50m | 500m | 51Mi | 512Mi |
-| n8n Worker（队列模式） | 20m | 200m | 25Mi | 256Mi |
+| n8n Worker（队列模式） | 20m | 200m | 51Mi | 512Mi |
+| n8n Runners（队列模式） | 20m | 200m | 25Mi | 256Mi |
 | PostgreSQL | 50m | 500m | 51Mi | 512Mi |
 | Redis | 50m | 500m | 51Mi | 512Mi |
 | Redis Sentinel | 100m | 100m | 100Mi | 100Mi |
@@ -120,7 +124,9 @@ Sealos 模板已包含所有必需组件：n8n 应用服务器，以及可选的
 2. **PostgreSQL 部署**：部署持久化存储数据库
 3. **数据库初始化任务**：创建 `n8n` 数据库
 4. **主进程部署**：n8n Web 界面和 API 服务器
-5. **Worker 部署**：专用的工作流执行进程
+5. **Runners 部署**：主进程的外部任务执行器
+6. **Worker 部署**：专用的工作流执行进程
+7. **Worker Runners 部署**：Worker 的外部任务执行器
 
 所有部署均包含自动健康检查，完成后即可立即使用。
 
diff --git a/template/n8n/index.yaml b/template/n8n/index.yaml
index 8472fc48..52962335 100644
--- a/template/n8n/index.yaml
+++ b/template/n8n/index.yaml
@@ -29,6 +29,9 @@ spec:
     N8N_ENCRYPTION_KEY:
       type: string
       value: ${{ random(32) }}
+    N8N_RUNNERS_AUTH_TOKEN:
+      type: string
+      value: ${{ random(32) }}
   inputs:
     use_postgresql:
       description: 'Use PostgreSQL database for production workloads (recommended for better performance and data persistence)'
@@ -296,7 +299,7 @@ kind: StatefulSet
 metadata:
   name: ${{ defaults.app_name }}
   annotations:
-    originImageName: n8nio/n8n:1.123.9
+    originImageName: n8nio/n8n:2.1.4
     deploy.cloud.sealos.io/minReplicas: '1'
     deploy.cloud.sealos.io/maxReplicas: '1'
   labels:
@@ -327,7 +330,7 @@ spec:
               mountPath: /data
       containers:
         - name: ${{ defaults.app_name }}
-          image: n8nio/n8n:1.123.9
+          image: n8nio/n8n:2.1.4
           env:
             - name: N8N_PORT
               value: "5678"
@@ -337,8 +340,6 @@ spec:
               value: "true"
             - name: N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS
               value: "true"
-            - name: N8N_RUNNERS_ENABLED
-              value: "true"
             - name: GENERIC_TIMEZONE
               value: ${{ inputs.timezone }}
             - name: TZ
@@ -372,6 +373,14 @@ spec:
               value: 'n8n'
             ${{ endif() }}
             ${{ if(inputs.use_queue_mode === 'true') }}
+            - name: N8N_RUNNERS_ENABLED
+              value: "true"
+            - name: N8N_RUNNERS_MODE
+              value: "external"
+            - name: N8N_RUNNERS_BROKER_LISTEN_ADDRESS
+              value: "0.0.0.0"
+            - name: N8N_RUNNERS_AUTH_TOKEN
+              value: ${{ defaults.N8N_RUNNERS_AUTH_TOKEN }}
             - name: EXECUTIONS_MODE
               value: 'queue'
             - name: N8N_ENCRYPTION_KEY
@@ -386,7 +395,9 @@ spec:
                   name: ${{ defaults.app_name }}-redis-conn-credential
                   key: password
             - name: N8N_DISABLE_PRODUCTION_MAIN_PROCESS
-              value: 'false'
+              value: 'true'
+            - name: OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS
+              value: true
             ${{ endif() }}
           resources:
             requests:
@@ -422,13 +433,54 @@ spec:
             storage: 1Gi
 
 ${{ if(inputs.use_queue_mode === 'true') }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${{ defaults.app_name }}-runners
+  annotations:
+    originImageName: n8nio/runners:2.1.4
+    deploy.cloud.sealos.io/minReplicas: '1'
+    deploy.cloud.sealos.io/maxReplicas: '1'
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}-runners
+    app: ${{ defaults.app_name }}-runners
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: ${{ defaults.app_name }}-runners
+  template:
+    metadata:
+      labels:
+        app: ${{ defaults.app_name }}-runners
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - name: ${{ defaults.app_name }}-runners
+          image: n8nio/runners:2.1.4
+          env:
+            - name: N8N_RUNNERS_TASK_BROKER_URI
+              value: "http://${{ defaults.app_name }}:5679"
+            - name: N8N_RUNNERS_AUTH_TOKEN
+              value: ${{ defaults.N8N_RUNNERS_AUTH_TOKEN }}
+          resources:
+            requests:
+              cpu: 20m
+              memory: 25Mi
+            limits:
+              cpu: 200m
+              memory: 256Mi
+          imagePullPolicy: IfNotPresent
+
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ${{ defaults.app_name }}-worker
   annotations:
-    originImageName: n8nio/n8n:1.123.9
+    originImageName: n8nio/n8n:2.1.4
     deploy.cloud.sealos.io/minReplicas: '1'
     deploy.cloud.sealos.io/maxReplicas: '1'
   labels:
@@ -448,7 +500,7 @@ spec:
       automountServiceAccountToken: false
       containers:
         - name: ${{ defaults.app_name }}-worker
-          image: n8nio/n8n:1.123.9
+          image: n8nio/n8n:2.1.4
           command:
             - tini
             - --
@@ -503,13 +555,21 @@ spec:
               value: 'n8n'
             - name: N8N_PROXY_HOPS
               value: "1"
+            - name: N8N_RUNNERS_ENABLED
+              value: "true"
+            - name: N8N_RUNNERS_MODE
+              value: "external"
+            - name: N8N_RUNNERS_BROKER_LISTEN_ADDRESS
+              value: "0.0.0.0"
+            - name: N8N_RUNNERS_AUTH_TOKEN
+              value: ${{ defaults.N8N_RUNNERS_AUTH_TOKEN }}
           resources:
             requests:
               cpu: 20m
-              memory: 25Mi
+              memory: 51Mi
             limits:
               cpu: 200m
-              memory: 256Mi
+              memory: 512Mi
           imagePullPolicy: IfNotPresent
           livenessProbe:
             httpGet:
@@ -523,6 +583,47 @@ spec:
               port: 5678
             initialDelaySeconds: 10
             periodSeconds: 10
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${{ defaults.app_name }}-worker-runners
+  annotations:
+    originImageName: n8nio/runners:2.1.4
+    deploy.cloud.sealos.io/minReplicas: '1'
+    deploy.cloud.sealos.io/maxReplicas: '1'
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}-worker-runners
+    app: ${{ defaults.app_name }}-worker-runners
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: ${{ defaults.app_name }}-worker-runners
+  template:
+    metadata:
+      labels:
+        app: ${{ defaults.app_name }}-worker-runners
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - name: ${{ defaults.app_name }}-worker-runners
+          image: n8nio/runners:2.1.4
+          env:
+            - name: N8N_RUNNERS_TASK_BROKER_URI
+              value: "http://${{ defaults.app_name }}-worker:5679"
+            - name: N8N_RUNNERS_AUTH_TOKEN
+              value: ${{ defaults.N8N_RUNNERS_AUTH_TOKEN }}
+          resources:
+            requests:
+              cpu: 20m
+              memory: 25Mi
+            limits:
+              cpu: 200m
+              memory: 256Mi
+          imagePullPolicy: IfNotPresent
 ${{ endif() }}
 
 ---
@@ -534,10 +635,30 @@ metadata:
     cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}
 spec:
   ports:
-    - port: 5678
+    - name: http
+      port: 5678
+      protocol: TCP
+    - name: broker
+      port: 5679
+      protocol: TCP
   selector:
     app: ${{ defaults.app_name }}
 
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${{ defaults.app_name }}-worker
+  labels:
+    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}-worker
+spec:
+  ports:
+    - name: broker
+      port: 5679
+      protocol: TCP
+  selector:
+    app: ${{ defaults.app_name }}-worker
+
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress

From d3df06fc7bcb72eb908b5668c3fe3a5a8daec7ad Mon Sep 17 00:00:00 2001
From: zzjin <tczzjin@gmail.com>
Date: Fri, 26 Dec 2025 15:06:31 +0800
Subject: [PATCH 8/9] Fix dify multi subdomain error,merge to one ingress.
 (#560)

Signed-off-by: zzjin <tczzjin@gmail.com>
---
 template/dify.yaml | 176 ++++++++++++++++++++++++---------------------
 1 file changed, 95 insertions(+), 81 deletions(-)

diff --git a/template/dify.yaml b/template/dify.yaml
index 614ca27a..960b3aa8 100644
--- a/template/dify.yaml
+++ b/template/dify.yaml
@@ -25,9 +25,6 @@ spec:
     app_host:
       type: string
       value: ${{ random(8) }}
-    app_host_api:
-      type: string
-      value: ${{ random(8) }}
     secret_key:
       type: string
       value: sk-${{ random(45) }}
@@ -50,7 +47,7 @@ kind: StatefulSet
 metadata:
   name: ${{ defaults.app_name }}-api
   annotations:
-    originImageName: langgenius/dify-api:1.11.1
+    originImageName: langgenius/dify-api:1.11.2
     deploy.cloud.sealos.io/minReplicas: '1'
     deploy.cloud.sealos.io/maxReplicas: '1'
   labels:
@@ -107,9 +104,27 @@ spec:
                 sleep 5
               done
               echo "Dify database is ready"
+        - name: init-permissions
+          image: busybox:1.37.0
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              FLAG_FILE="/app/api/storage/.init_permissions"
+              if [ -f "$${FLAG_FILE}" ]; then
+                echo "Permissions already initialized. Exiting."
+                exit 0
+              fi
+              echo "Initializing permissions for /app/api/storage"
+              chown -R 1001:1001 /app/api/storage && touch "$${FLAG_FILE}"
+              echo "Permissions initialized. Exiting."
+          volumeMounts:
+            - name: vn-appvn-apivn-storage
+              mountPath: /app/api/storage
       containers:
         - name: ${{ defaults.app_name }}-api
-          image: langgenius/dify-api:1.11.1
+          image: langgenius/dify-api:1.11.2
           env:
             - name: MODE
               value: api
@@ -122,11 +137,11 @@ spec:
             - name: INIT_PASSWORD
               value: ${{ inputs.init_password }}
             - name: CONSOLE_API_URL
-              value: https://${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: SERVICE_API_URL
-              value: https://${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: APP_API_URL
-              value: https://${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: FILES_URL
               value: ''
             - name: MIGRATION_ENABLED
@@ -226,13 +241,13 @@ spec:
             - name: CODE_MAX_NUMBER_ARRAY_LENGTH
               value: '1000'
             - name: CONSOLE_API_URL
-              value: https://${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: CONSOLE_WEB_URL
               value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: APP_WEB_URL
               value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: SERVICE_API_URL
-              value: https://${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: PLUGIN_DAEMON_URL
               value: http://${{ defaults.app_name }}-plugin-daemon:5002
             - name: PLUGIN_DAEMON_KEY
@@ -261,7 +276,7 @@ spec:
             - name: vn-appvn-apivn-storage
               mountPath: /app/api/storage
         - name: ${{ defaults.app_name }}-worker
-          image: langgenius/dify-api:1.11.1
+          image: langgenius/dify-api:1.11.2
           env:
             - name: MODE
               value: worker
@@ -346,13 +361,13 @@ spec:
             - name: WEAVIATE_API_KEY
               value: ""
             - name: CONSOLE_API_URL
-              value: https://${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: CONSOLE_WEB_URL
               value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: APP_WEB_URL
               value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: SERVICE_API_URL
-              value: https://${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: PLUGIN_DAEMON_URL
               value: http://${{ defaults.app_name }}-plugin-daemon:5002
             - name: PLUGIN_DAEMON_KEY
@@ -407,55 +422,12 @@ spec:
     app: ${{ defaults.app_name }}-api
 
 ---
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: ${{ defaults.app_name }}-api
-  labels:
-    cloud.sealos.io/app-deploy-manager: ${{ defaults.app_name }}-api
-    cloud.sealos.io/app-deploy-manager-domain: ${{ defaults.app_host_api }}
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    higress.io/response-header-control-remove: X-Frame-Options
-    higress.io/response-header-control-update: |
-      Content-Security-Policy "default-src * blob: data: *.${{ SEALOS_CLOUD_DOMAIN }} ${{ SEALOS_CLOUD_DOMAIN }}; img-src * data: blob: resource: *.${{ SEALOS_CLOUD_DOMAIN }} ${{ SEALOS_CLOUD_DOMAIN }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.${{ SEALOS_CLOUD_DOMAIN }} ${{ SEALOS_CLOUD_DOMAIN }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.${{ SEALOS_CLOUD_DOMAIN }} ${{ SEALOS_CLOUD_DOMAIN }} resource: *.baidu.com *.bdstatic.com; frame-src 'self' *.${{ SEALOS_CLOUD_DOMAIN }} ${{ SEALOS_CLOUD_DOMAIN }} mailto: tel: weixin: mtt: *.baidu.com; frame-ancestors 'self' https://${{ SEALOS_CLOUD_DOMAIN }} https://*.${{ SEALOS_CLOUD_DOMAIN }}"
-      X-Xss-Protection "1; mode=block"
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      more_clear_headers "X-Frame-Options:";
-      more_set_headers "Content-Security-Policy: default-src * blob: data: *.${{ SEALOS_CLOUD_DOMAIN }} ${{ SEALOS_CLOUD_DOMAIN }}; img-src * data: blob: resource: *.${{ SEALOS_CLOUD_DOMAIN }} ${{ SEALOS_CLOUD_DOMAIN }}; connect-src * wss: blob: resource:; style-src 'self' 'unsafe-inline' blob: *.${{ SEALOS_CLOUD_DOMAIN }} ${{ SEALOS_CLOUD_DOMAIN }} resource:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.${{ SEALOS_CLOUD_DOMAIN }} ${{ SEALOS_CLOUD_DOMAIN }} resource: *.baidu.com *.bdstatic.com; frame-src 'self' *.${{ SEALOS_CLOUD_DOMAIN }} ${{ SEALOS_CLOUD_DOMAIN }} mailto: tel: weixin: mtt: *.baidu.com; frame-ancestors 'self' https://${{ SEALOS_CLOUD_DOMAIN }} https://*.${{ SEALOS_CLOUD_DOMAIN }}";
-      more_set_headers "X-Xss-Protection: 1; mode=block";
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, DELETE, PATCH, OPTIONS"
-    nginx.ingress.kubernetes.io/cors-allow-origin: "https://${{ SEALOS_CLOUD_DOMAIN }}, https://*.${{ SEALOS_CLOUD_DOMAIN }}"
-    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Range, Authorization, X-App-Code, X-App-Passport, X-CSRF-TOKEN"
-    nginx.ingress.kubernetes.io/cors-max-age: "600"
-spec:
-  rules:
-    - host: ${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
-      http:
-        paths:
-          - pathType: Prefix
-            path: /
-            backend:
-              service:
-                name: ${{ defaults.app_name }}-api
-                port:
-                  number: 5001
-  tls:
-    - hosts:
-        - ${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
-      secretName: ${{ SEALOS_CERT_SECRET_NAME }}
-
----
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ${{ defaults.app_name }}-web
   annotations:
-    originImageName: langgenius/dify-web:1.11.1
+    originImageName: langgenius/dify-web:1.11.2
     deploy.cloud.sealos.io/minReplicas: '1'
     deploy.cloud.sealos.io/maxReplicas: '1'
   labels:
@@ -511,20 +483,20 @@ spec:
               echo "Dify database is ready"
       containers:
         - name: ${{ defaults.app_name }}-web
-          image: langgenius/dify-web:1.11.1
+          image: langgenius/dify-web:1.11.2
           env:
             - name: EDITION
               value: SELF_HOSTED
             - name: CONSOLE_API_URL
-              value: https://${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: CONSOLE_WEB_URL
               value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: APP_API_URL
-              value: https://${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: APP_WEB_URL
               value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: SERVICE_API_URL
-              value: https://${{ defaults.app_host_api }}.${{ SEALOS_CLOUD_DOMAIN }}
+              value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
             - name: MARKETPLACE_API_URL
               value: https://marketplace.dify.ai
             - name: MARKETPLACE_URL
@@ -539,6 +511,7 @@ spec:
           ports:
             - containerPort: 3000
           imagePullPolicy: IfNotPresent
+
 ---
 apiVersion: v1
 kind: Service
@@ -553,7 +526,6 @@ spec:
     app: ${{ defaults.app_name }}-web
 
 ---
-
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -575,13 +547,68 @@ spec:
                 name: ${{ defaults.app_name }}-web
                 port:
                   number: 3000
+          - pathType: Prefix
+            path: /explore
+            backend:
+              service:
+                name: ${{ defaults.app_name }}-web
+                port:
+                  number: 3000
+          - pathType: Prefix
+            path: /console/api
+            backend:
+              service:
+                name: ${{ defaults.app_name }}-api
+                port:
+                  number: 5001
+          - pathType: Prefix
+            path: /api
+            backend:
+              service:
+                name: ${{ defaults.app_name }}-api
+                port:
+                  number: 5001
+          - pathType: Prefix
+            path: /v1
+            backend:
+              service:
+                name: ${{ defaults.app_name }}-api
+                port:
+                  number: 5001
+          - pathType: Prefix
+            path: /files
+            backend:
+              service:
+                name: ${{ defaults.app_name }}-api
+                port:
+                  number: 5001
+          - pathType: Prefix
+            path: /mcp
+            backend:
+              service:
+                name: ${{ defaults.app_name }}-api
+                port:
+                  number: 5001
+          - pathType: Prefix
+            path: /triggers
+            backend:
+              service:
+                name: ${{ defaults.app_name }}-api
+                port:
+                  number: 5001
+          - pathType: Prefix
+            path: /e
+            backend:
+              service:
+                name: ${{ defaults.app_name }}-plugin-daemon
+                port:
+                  number: 5002
   tls:
     - hosts:
         - ${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
       secretName: ${{ SEALOS_CERT_SECRET_NAME }}
 
 ---
-
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -624,11 +651,11 @@ spec:
             requests:
               cpu: 100m
               memory: 128Mi
-              ephemeral-storage: 200Mi
+              ephemeral-storage: 300Mi
             limits:
               cpu: 1
               memory: 1Gi
-              ephemeral-storage: 200Mi
+              ephemeral-storage: 300Mi
           ports:
             - containerPort: 8194
           imagePullPolicy: IfNotPresent
@@ -647,8 +674,8 @@ spec:
         resources:
           requests:
             storage: 1Gi
----
 
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -667,7 +694,7 @@ kind: StatefulSet
 metadata:
   name: ${{ defaults.app_name }}-plugin-daemon
   annotations:
-    originImageName: langgenius/dify-plugin-daemon:0.4.1-local
+    originImageName: langgenius/dify-plugin-daemon:0.5.2-local
     deploy.cloud.sealos.io/minReplicas: '1'
     deploy.cloud.sealos.io/maxReplicas: '1'
   labels:
@@ -726,7 +753,7 @@ spec:
               echo "Dify database is ready"
       containers:
         - name: ${{ defaults.app_name }}-plugin-daemon
-          image: langgenius/dify-plugin-daemon:0.4.1-local
+          image: langgenius/dify-plugin-daemon:0.5.2-local
           env:
             - name: DB_USERNAME
               valueFrom:
@@ -848,7 +875,6 @@ spec:
     app: ${{ defaults.app_name }}-plugin-daemon
 
 ---
-
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -859,7 +885,6 @@ metadata:
   name: ${{ defaults.app_name }}-pg
 
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -877,7 +902,6 @@ rules:
       - '*'
 
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -895,7 +919,6 @@ subjects:
     name: ${{ defaults.app_name }}-pg
 
 ---
-
 apiVersion: apps.kubeblocks.io/v1alpha1
 kind: Cluster
 metadata:
@@ -949,7 +972,6 @@ spec:
   tolerations: []
 
 ---
-
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -997,7 +1019,6 @@ spec:
   ttlSecondsAfterFinished: 300
 
 ---
-
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -1008,7 +1029,6 @@ metadata:
   name: ${{ defaults.app_name }}-redis
 
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -1026,7 +1046,6 @@ rules:
       - '*'
 
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -1044,7 +1063,6 @@ subjects:
     name: ${{ defaults.app_name }}-redis
 
 ---
-
 apiVersion: apps.kubeblocks.io/v1alpha1
 kind: Cluster
 metadata:
@@ -1104,7 +1122,6 @@ spec:
   tolerations: []
 
 ---
-
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -1115,7 +1132,6 @@ metadata:
   name: ${{ defaults.app_name }}-weaviate
 
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -1133,7 +1149,6 @@ rules:
       - '*'
 
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -1151,7 +1166,6 @@ subjects:
     name: ${{ defaults.app_name }}-weaviate
 
 ---
-
 apiVersion: apps.kubeblocks.io/v1alpha1
 kind: Cluster
 metadata:

From 2b743a087b3f84ed64115b80b06d3b876e87827f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=B0=A2=E9=87=91=E8=99=8E?= <1050780355@qq.com>
Date: Sun, 4 Jan 2026 14:26:33 +0800
Subject: [PATCH 9/9] fix redis connections

---
 template/affine/index.yaml        | 12 ++++++------
 template/budibase/index.yaml      |  4 ++--
 template/chatnio.yaml             |  6 +++---
 template/chatwoot/index.yaml      |  6 +++---
 template/coze-studio/index.yaml   |  8 ++++----
 template/dify.yaml                | 24 ++++++++++++------------
 template/fastgpt-milvus.yaml      |  2 +-
 template/fastgpt-pro.yaml         |  4 ++--
 template/fastgpt.yaml             |  2 +-
 template/featbit/index.yaml       | 20 ++++++++++----------
 template/formbricks/index.yaml    | 12 ++++++------
 template/glitchtip.yaml           | 18 +++++++++---------
 template/happy-server/index.yaml  |  2 +-
 template/heyform/index.yaml       |  2 +-
 template/immich/index.yaml        |  2 +-
 template/kodcloud/index.yaml      |  4 ++--
 template/liebianbao.yaml          |  6 +++---
 template/mindoc/index.yaml        |  6 +++---
 template/n8n/index.yaml           |  4 ++--
 template/new-api.yaml             |  8 ++++----
 template/outline/index.yaml       |  2 +-
 template/overleaf/index.yaml      |  2 +-
 template/paperless-ngx/index.yaml |  2 +-
 template/penpot/index.yaml        | 12 ++++++------
 template/plane/index.yaml         | 24 ++++++++++++------------
 template/postiz/index.yaml        |  8 ++++----
 template/refly/index.yaml         |  8 ++++----
 template/rsshub.yaml              |  6 +++---
 template/tailchat.yaml            |  6 +++---
 template/teable.yaml              |  8 ++++----
 template/twenty/index.yaml        | 12 ++++++------
 31 files changed, 121 insertions(+), 121 deletions(-)

diff --git a/template/affine/index.yaml b/template/affine/index.yaml
index a8cd703b..0cc2e801 100644
--- a/template/affine/index.yaml
+++ b/template/affine/index.yaml
@@ -180,17 +180,17 @@ spec:
             - name: REDIS_SERVER_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_SERVER_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_SERVER_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: PG_HOST
               valueFrom:
@@ -387,17 +387,17 @@ spec:
             - name: REDIS_SERVER_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_SERVER_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_SERVER_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: PG_PASSWORD
               valueFrom:
diff --git a/template/budibase/index.yaml b/template/budibase/index.yaml
index 0fe048ef..9497d64f 100644
--- a/template/budibase/index.yaml
+++ b/template/budibase/index.yaml
@@ -466,7 +466,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc.cluster.local:6379
@@ -664,7 +664,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://default:$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc.cluster.local:6379
diff --git a/template/chatnio.yaml b/template/chatnio.yaml
index 8338a6f8..4b247e34 100644
--- a/template/chatnio.yaml
+++ b/template/chatnio.yaml
@@ -78,17 +78,17 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_DB
               value: '0'
diff --git a/template/chatwoot/index.yaml b/template/chatwoot/index.yaml
index 6a98d5b4..4325339e 100644
--- a/template/chatwoot/index.yaml
+++ b/template/chatwoot/index.yaml
@@ -193,7 +193,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:6379
@@ -401,7 +401,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:6379
@@ -525,7 +525,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:6379
diff --git a/template/coze-studio/index.yaml b/template/coze-studio/index.yaml
index 9e7f2211..20e838a1 100644
--- a/template/coze-studio/index.yaml
+++ b/template/coze-studio/index.yaml
@@ -106,22 +106,22 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_ADDR
               value: $(REDIS_HOST).${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)
diff --git a/template/dify.yaml b/template/dify.yaml
index 960b3aa8..9609f3dc 100644
--- a/template/dify.yaml
+++ b/template/dify.yaml
@@ -171,22 +171,22 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_USE_SSL
               value: 'false'
@@ -309,22 +309,22 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_USE_SSL
               value: 'false'
@@ -780,22 +780,22 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_USE_SSL
               value: 'false'
diff --git a/template/fastgpt-milvus.yaml b/template/fastgpt-milvus.yaml
index 791ba30b..4d720b4a 100644
--- a/template/fastgpt-milvus.yaml
+++ b/template/fastgpt-milvus.yaml
@@ -125,7 +125,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: FE_DOMAIN
               value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
diff --git a/template/fastgpt-pro.yaml b/template/fastgpt-pro.yaml
index 8cf0be98..f2503ef0 100644
--- a/template/fastgpt-pro.yaml
+++ b/template/fastgpt-pro.yaml
@@ -122,7 +122,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: FE_DOMAIN
               value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
@@ -288,7 +288,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: ROOT_KEY
               value: ${{ defaults.root_key }}
diff --git a/template/fastgpt.yaml b/template/fastgpt.yaml
index bf4adf2a..b9569efa 100644
--- a/template/fastgpt.yaml
+++ b/template/fastgpt.yaml
@@ -115,7 +115,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: FE_DOMAIN
               value: https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }}
diff --git a/template/featbit/index.yaml b/template/featbit/index.yaml
index a06c32bd..77efa853 100644
--- a/template/featbit/index.yaml
+++ b/template/featbit/index.yaml
@@ -1055,17 +1055,17 @@ spec:
             - name: REDIS_ENDPOINT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: endpoint
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: Redis__ConnectionString
               value: $(REDIS_ENDPOINT),password=$(REDIS_PASSWORD),user=$(REDIS_USERNAME)
@@ -1171,22 +1171,22 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_DB
               value: "0"
@@ -1291,17 +1291,17 @@ spec:
             - name: REDIS_ENDPOINT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: endpoint
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: Redis__ConnectionString
               value: $(REDIS_ENDPOINT),password=$(REDIS_PASSWORD),user=$(REDIS_USERNAME)
diff --git a/template/formbricks/index.yaml b/template/formbricks/index.yaml
index 9eaaa344..76fb34e0 100644
--- a/template/formbricks/index.yaml
+++ b/template/formbricks/index.yaml
@@ -318,17 +318,17 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@$(REDIS_HOST):$(REDIS_PORT)
@@ -454,17 +454,17 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@$(REDIS_HOST):$(REDIS_PORT)
diff --git a/template/glitchtip.yaml b/template/glitchtip.yaml
index a4eaf525..982602b7 100644
--- a/template/glitchtip.yaml
+++ b/template/glitchtip.yaml
@@ -100,17 +100,17 @@ spec:
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: "redis://$(REDIS_USER):$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)"
@@ -192,17 +192,17 @@ spec:
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: "redis://$(REDIS_USER):$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)"
@@ -285,17 +285,17 @@ spec:
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: "redis://$(REDIS_USER):$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)"
diff --git a/template/happy-server/index.yaml b/template/happy-server/index.yaml
index f419a3d7..4af25205 100644
--- a/template/happy-server/index.yaml
+++ b/template/happy-server/index.yaml
@@ -702,7 +702,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:6379
diff --git a/template/heyform/index.yaml b/template/heyform/index.yaml
index d3ddc434..8fbe69b8 100644
--- a/template/heyform/index.yaml
+++ b/template/heyform/index.yaml
@@ -68,7 +68,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: MONGO_URI
               value: >-
diff --git a/template/immich/index.yaml b/template/immich/index.yaml
index 56161f44..7899ff1b 100644
--- a/template/immich/index.yaml
+++ b/template/immich/index.yaml
@@ -282,7 +282,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             # Database Configuration
             - name: DB_HOSTNAME
diff --git a/template/kodcloud/index.yaml b/template/kodcloud/index.yaml
index 2919da3c..2c3e9f56 100644
--- a/template/kodcloud/index.yaml
+++ b/template/kodcloud/index.yaml
@@ -86,12 +86,12 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: MYSQL_HOST
               valueFrom:
diff --git a/template/liebianbao.yaml b/template/liebianbao.yaml
index 9c33773e..3040862c 100644
--- a/template/liebianbao.yaml
+++ b/template/liebianbao.yaml
@@ -199,17 +199,17 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_CACHE_DB
               value: 1
diff --git a/template/mindoc/index.yaml b/template/mindoc/index.yaml
index 559ccbda..0079fab9 100644
--- a/template/mindoc/index.yaml
+++ b/template/mindoc/index.yaml
@@ -306,17 +306,17 @@ spec:
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: MINDOC_CACHE_REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: MINDOC_SESSION_PROVIDER
               value: redis
diff --git a/template/n8n/index.yaml b/template/n8n/index.yaml
index 52962335..36e6c740 100644
--- a/template/n8n/index.yaml
+++ b/template/n8n/index.yaml
@@ -392,7 +392,7 @@ spec:
             - name: QUEUE_BULL_REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: N8N_DISABLE_PRODUCTION_MAIN_PROCESS
               value: 'true'
@@ -523,7 +523,7 @@ spec:
             - name: QUEUE_BULL_REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: N8N_CONCURRENCY
               value: '10'
diff --git a/template/new-api.yaml b/template/new-api.yaml
index dd8bf8e0..3a3a9ab7 100644
--- a/template/new-api.yaml
+++ b/template/new-api.yaml
@@ -84,22 +84,22 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_CONN_STRING
               value: redis://$(REDIS_USERNAME):$(REDIS_PASSWORD)@$(REDIS_HOST).${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)
diff --git a/template/outline/index.yaml b/template/outline/index.yaml
index 8d34bf22..4bbb7336 100644
--- a/template/outline/index.yaml
+++ b/template/outline/index.yaml
@@ -461,7 +461,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:6379
diff --git a/template/overleaf/index.yaml b/template/overleaf/index.yaml
index caf1a257..3e0a2071 100644
--- a/template/overleaf/index.yaml
+++ b/template/overleaf/index.yaml
@@ -94,7 +94,7 @@ spec:
             - name: OVERLEAF_REDIS_PASS
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: OVERLEAF_LISTEN_IP
               value: "0.0.0.0"
diff --git a/template/paperless-ngx/index.yaml b/template/paperless-ngx/index.yaml
index 50dedf60..a8b51c3a 100644
--- a/template/paperless-ngx/index.yaml
+++ b/template/paperless-ngx/index.yaml
@@ -328,7 +328,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: PAPERLESS_REDIS
               value: redis://:$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:6379
diff --git a/template/penpot/index.yaml b/template/penpot/index.yaml
index 3e871317..c4e2f4e3 100644
--- a/template/penpot/index.yaml
+++ b/template/penpot/index.yaml
@@ -316,17 +316,17 @@ spec:
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: PENPOT_REDIS_URI
               value: "redis://$(REDIS_USER):$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)/0"
@@ -438,17 +438,17 @@ spec:
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: PENPOT_REDIS_URI
               value: "redis://$(REDIS_USER):$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)/0"
diff --git a/template/plane/index.yaml b/template/plane/index.yaml
index 7d5ae832..529b54b9 100644
--- a/template/plane/index.yaml
+++ b/template/plane/index.yaml
@@ -177,17 +177,17 @@ spec:
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: "redis://$(REDIS_USER):$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)"
@@ -469,17 +469,17 @@ spec:
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: "redis://$(REDIS_USER):$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)"
@@ -609,17 +609,17 @@ spec:
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: "redis://$(REDIS_USER):$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)"
@@ -727,17 +727,17 @@ spec:
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USER
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: "redis://$(REDIS_USER):$(REDIS_PASSWORD)@${{ defaults.app_name }}-redis-redis.${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)"
diff --git a/template/postiz/index.yaml b/template/postiz/index.yaml
index 142924bc..b1b0a032 100644
--- a/template/postiz/index.yaml
+++ b/template/postiz/index.yaml
@@ -332,21 +332,21 @@ spec:
                   key: password
             - name: DATABASE_URL
               value: postgresql://$(DB_USERNAME):$(DB_PASSWORD)@$(DB_HOSTNAME):$(DB_PORT)/postiz
-            # Redis (KubeBlocks secret: <app>-redis-conn-credential)
+            # Redis (KubeBlocks secret: <app>-redis-redis-account-default)
             - name: REDIS_HOSTNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@$(REDIS_HOSTNAME):$(REDIS_PORT)/0
diff --git a/template/refly/index.yaml b/template/refly/index.yaml
index a716fd4d..23f637d5 100644
--- a/template/refly/index.yaml
+++ b/template/refly/index.yaml
@@ -559,22 +559,22 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: QDRANT_HOST
               value: ${{ defaults.app_name }}-qdrant
diff --git a/template/rsshub.yaml b/template/rsshub.yaml
index 3da28fec..c921daa7 100644
--- a/template/rsshub.yaml
+++ b/template/rsshub.yaml
@@ -70,17 +70,17 @@ spec:
             - name: REDIS_ENDPOINT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: endpoint
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://$(REDIS_USERNAME):$(REDIS_PASSWORD)@$(REDIS_ENDPOINT)
diff --git a/template/tailchat.yaml b/template/tailchat.yaml
index 2cfd3e4c..1fb77a64 100644
--- a/template/tailchat.yaml
+++ b/template/tailchat.yaml
@@ -96,17 +96,17 @@ spec:
             - name: REDIS_ENDPOINT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: endpoint
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_URL
               value: redis://$(REDIS_USERNAME):$(REDIS_PASSWORD)@$(REDIS_ENDPOINT)
diff --git a/template/teable.yaml b/template/teable.yaml
index 5eaf019c..9d20d072 100644
--- a/template/teable.yaml
+++ b/template/teable.yaml
@@ -158,22 +158,22 @@ spec:
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: username
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: BACKEND_CACHE_REDIS_URI
               value: redis://$(REDIS_USERNAME):$(REDIS_PASSWORD)@$(REDIS_HOST).${{ SEALOS_NAMESPACE }}.svc:$(REDIS_PORT)/1
diff --git a/template/twenty/index.yaml b/template/twenty/index.yaml
index 9eb94b37..0bde821e 100644
--- a/template/twenty/index.yaml
+++ b/template/twenty/index.yaml
@@ -337,17 +337,17 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@$(REDIS_HOST):$(REDIS_PORT)
@@ -469,17 +469,17 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: password
             - name: REDIS_HOST
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: host
             - name: REDIS_PORT
               valueFrom:
                 secretKeyRef:
-                  name: ${{ defaults.app_name }}-redis-conn-credential
+                  name: ${{ defaults.app_name }}-redis-redis-account-default
                   key: port
             - name: REDIS_URL
               value: redis://:$(REDIS_PASSWORD)@$(REDIS_HOST):$(REDIS_PORT)