diff --git a/platform_versioned_docs/version-4.9.0/_fragments/cli-steps/platform-add-cluster.mdx b/platform_versioned_docs/version-4.9.0/_fragments/cli-steps/platform-add-cluster.mdx
index 8775931403..927ac8d7af 100644
--- a/platform_versioned_docs/version-4.9.0/_fragments/cli-steps/platform-add-cluster.mdx
+++ b/platform_versioned_docs/version-4.9.0/_fragments/cli-steps/platform-add-cluster.mdx
@@ -1,6 +1,6 @@
- **Add Host Cluster to the Platform (Optional)**: If you want to add the host cluster to the platform, then
+ **Add Control Plane Cluster to the Platform (Optional)**: If you want to add the control plane cluster to the platform, then
run this command. Before running this command, be sure that your kubecontext is set to the
- host cluster.
+ control plane cluster.
```bash title="Connect host cluster to platform."
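Review bot: The fence title on the last context line of this hunk still reads `title="Connect host cluster to platform."`, while the step heading and body above it now say "control plane cluster". Update the title in the same change so the step does not use two names for one cluster. A reader who has to confirm their kubecontext before running the command should see a single term.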
diff --git a/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/project-select.mdx b/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/project-select.mdx
index 6c716a2f11..ebddc47774 100644
--- a/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/project-select.mdx
+++ b/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/project-select.mdx
@@ -1,2 +1,2 @@
From the project drop-down menu (top left corner), select the project you'd like to create the
- virtual cluster in.
+ tenant cluster in.
diff --git a/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/virtual-cluster-new.mdx b/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/virtual-cluster-new.mdx
index 9374591227..d0c5647168 100644
--- a/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/virtual-cluster-new.mdx
+++ b/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/virtual-cluster-new.mdx
@@ -1,3 +1,3 @@
import Button from "@site/src/components/Button";
-Click the button.
+Click the button.
diff --git a/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/virtual-cluster-select.mdx b/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/virtual-cluster-select.mdx
index 42dfa891e7..d126abdd83 100644
--- a/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/virtual-cluster-select.mdx
+++ b/platform_versioned_docs/version-4.9.0/_fragments/ui-steps/virtual-cluster-select.mdx
@@ -1,3 +1,3 @@
import NavStep from "@site/src/components/NavStep";
-Click on Virtual Clusters.
\ No newline at end of file
+Click on Tenant Clusters.
\ No newline at end of file
diff --git a/platform_versioned_docs/version-4.9.0/reference/platform-annotations.mdx b/platform_versioned_docs/version-4.9.0/reference/platform-annotations.mdx
index be6429483c..3305243659 100644
--- a/platform_versioned_docs/version-4.9.0/reference/platform-annotations.mdx
+++ b/platform_versioned_docs/version-4.9.0/reference/platform-annotations.mdx
@@ -517,7 +517,7 @@ The project that owns the VirtualClusterInstance.
**Set by:** Platform
-The name of the virtual cluster an object is associated with.
+The name of the tenant cluster an object is associated with.
### platform.vcluster.com/vcluster-instance-namespace {#platform-vcluster-com-vcluster-instance-namespace}
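Review bot: The new description says "tenant cluster", but the hunk header context still names the owning object `VirtualClusterInstance` and the next key is `platform.vcluster.com/vcluster-instance-namespace`. State once in this reference that a tenant cluster is the object represented by a VirtualClusterInstance, or write "tenant cluster (VirtualClusterInstance)" here, so that someone who starts from a key seen in a manifest can map it to the prose.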
@@ -529,7 +529,7 @@ The name of the virtual cluster an object is associated with.
**Set by:** Platform
-The namespace of the virtual cluster an object is associated with.
+The namespace of the tenant cluster an object is associated with.
### vcluster.loft.sh/managed-by {#vcluster-loft-sh-managed-by}
@@ -685,7 +685,35 @@ Identifies the Kubernetes name associated with the vCluster node.
**Set by:** Platform
-Indicates the original namespace of an object synced from the vCluster to the host cluster.
+Indicates the original namespace of an object synced from the vCluster to the control plane cluster.
+
+## Snapshot and restore {#snapshot-restore}
+
+These labels mark resources used for vCluster backup and restore operations.
+
+### vcluster.loft.sh/snapshot-request {#vcluster-loft-sh-snapshot-request}
+
+**Type:** Label
+
+**Example:** `vcluster.loft.sh/snapshot-request: "true"`
+
+**Used on:** ConfigMap, Secret
+
+**Set by:** Platform
+
+Marks ConfigMaps and Secrets as snapshot request resources for vCluster backup operations.
+
+### vcluster.loft.sh/restore-request {#vcluster-loft-sh-restore-request}
+
+**Type:** Label
+
+**Example:** `vcluster.loft.sh/restore-request: "true"`
+
+**Used on:** ConfigMap, Secret
+
+**Set by:** Platform
+
+Marks ConfigMaps and Secrets as restore request resources for vCluster restore operations.
## Auto sleep configuration {#sleep-mode-configuration}
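Review bot: The two new label descriptions under "Snapshot and restore" restate the label names without saying what the platform does with a labelled object. Because they apply to Secrets as well as ConfigMaps and are marked "Set by: Platform", document what a request resource holds, which namespace it is created in, and whether the label is reserved, that is, whether a ConfigMap or Secret that a user labels `vcluster.loft.sh/snapshot-request: "true"` or `vcluster.loft.sh/restore-request: "true"` is treated as a request.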
@@ -1487,6 +1515,42 @@ Enables ArgoCD integration for this vCluster or cluster. When set, the platform
Tracks which ArgoCD AppProject destinations are managed by the loft project controller. This prevents the controller from removing destinations managed by vCluster instances when syncing project specifications.
+### loft.sh/argocd-connector {#loft-sh-argocd-connector}
+
+**Type:** Annotation
+
+**Example:** `loft.sh/argocd-connector: "my-argocd-connector"`
+
+**Used on:** ArgoCD application resources
+
+**Set by:** Platform
+
+Tracks the connector name last used to sync this ArgoCD application. A change in this value triggers cleanup on the old backend before the application is created on the new connector.
+
+### loft.sh/argocd-akuity-connector {#loft-sh-argocd-akuity-connector}
+
+**Type:** Annotation
+
+**Example:** `loft.sh/argocd-akuity-connector: "akuity-connector:small"`
+
+**Used on:** VirtualClusterInstance
+
+**Set by:** Platform
+
+Stores the Akuity connector name and agent size (format: "connectorName:agentSize") for the currently installed Akuity agent. A change in either component triggers full cleanup and re-registration of the ArgoCD integration.
+
+### loft.sh/argocd-akuity-manifest-hash {#loft-sh-argocd-akuity-manifest-hash}
+
+**Type:** Annotation
+
+**Example:** `loft.sh/argocd-akuity-manifest-hash: "a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890"`
+
+**Used on:** VirtualClusterInstance
+
+**Set by:** Platform
+
+The SHA-256 hash of the last applied Akuity agent manifest. Re-application is skipped when the hash is unchanged, preventing overwrites of manual or operator-driven patches.
+
### loft.sh/connector-type {#loft-sh-connector-type}
**Type:** Label
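Review bot: In the `loft.sh/argocd-akuity-manifest-hash` entry, "Re-application is skipped when the hash is unchanged, preventing overwrites of manual or operator-driven patches" leaves open what the hash is compared against and how to force a re-apply. If it covers only the manifest the platform last applied, changes made to the agent in the cluster persist until that manifest changes; say so explicitly and describe the supported way to trigger re-application. For `loft.sh/argocd-akuity-connector`, also state how the "connectorName:agentSize" value is split when it is read and, since all three annotations are "Set by: Platform", whether editing them by hand is supported.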
@@ -1887,6 +1951,18 @@ General cleanup finalizer ensuring proper resource deletion.
Ensures management resources are cleaned up when the parent resource is deleted.
+### loft.sh/cleanup-argocd-integration {#loft-sh-cleanup-argocd-integration}
+
+**Type:** Finalizer
+
+**Example:** `finalizers: ["loft.sh/cleanup-argocd-integration"]`
+
+**Used on:** VirtualClusterInstance
+
+**Set by:** Platform
+
+Blocks VirtualClusterInstance deletion until managed ArgoCD applications and cluster registrations are deleted through the ArgoCD API.
+
### loft.sh/cleanup-workload {#loft-sh-cleanup-workload}
**Type:** Finalizer
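Review bot: The `loft.sh/cleanup-argocd-integration` description does not cover the failure case. Deletion is blocked until the applications and cluster registrations "are deleted through the ArgoCD API", so the entry should say what an operator sees when that API cannot be reached or the connector no longer exists, and what the supported recovery is. Without that, a stuck deletion has no documented way out.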
diff --git a/platform_versioned_docs/version-4.9.0/troubleshoot/tsnet-connectivity.mdx b/platform_versioned_docs/version-4.9.0/troubleshoot/tsnet-connectivity.mdx
index 0bcae5a01d..28790587ea 100644
--- a/platform_versioned_docs/version-4.9.0/troubleshoot/tsnet-connectivity.mdx
+++ b/platform_versioned_docs/version-4.9.0/troubleshoot/tsnet-connectivity.mdx
@@ -1,14 +1,14 @@
---
title: Resolve vCluster TSNet connection failures
sidebar_label: Resolve TSNet connection failures
-description: Fix TSNet connectivity issues that prevent virtual clusters from showing as ready in the platform UI.
+description: Fix TSNet connectivity issues that prevent tenant clusters from showing as ready in the platform UI.
---
import Flow, { Step } from "@site/src/components/Flow";
# Resolve vCluster TSNet connection failures
-The [TSNet (Tailscale Network)](https://tailscale.com/kb/1244/tsnet) connection failure prevents the vCluster Platform from properly marking virtual clusters as ready, even when they are running successfully. This occurs because TSNet cannot establish a stable connection with the platform, which blocks communication between the vCluster on the connected cluster and the platform. As a result, the vCluster appears to be running in the host cluster but shows as it is not ready in the platform UI, which prevents proper management and monitoring.
+The [TSNet (Tailscale Network)](https://tailscale.com/kb/1244/tsnet) connection failure prevents the vCluster Platform from properly marking tenant clusters as ready, even when they are running successfully. This occurs because TSNet cannot establish a stable connection with the platform, which blocks communication between the vCluster on the connected cluster and the platform. As a result, the vCluster appears to be running in the control plane cluster but shows as it is not ready in the platform UI, which prevents proper management and monitoring.
## Error message
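Review bot: The rewritten introduction paragraph keeps the phrase "shows as it is not ready"; since the line is being replaced anyway, change it to "shows as not ready". The same paragraph refers to "the vCluster on the connected cluster" and then to "the control plane cluster"; if these are the same cluster, use one term, and if not, say which is which.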
@@ -26,7 +26,7 @@ ERROR ts-net-controller tsnet/tsnet.go:148 Check if TSNet is online {
When the TSNet connection fails, you might observe the following:
-- **vCluster status discrepancy**: The vCluster shows as `Running` in the remote host cluster but is not marked as ready in the vCluster Platform UI.
+- **vCluster status discrepancy**: The vCluster shows as `Running` in the remote control plane cluster but is not marked as ready in the vCluster Platform UI.
- **Successful local connection**: You can successfully connect to the vCluster using `vcluster connect` command.
@@ -45,7 +45,7 @@ Look for errors related to connection timeouts or relay server failures.
TSNet connection failures might occur due to the following:
-- **Restricted egress policies**: Host clusters with strict network policies (common in GKE, EKS, and other managed Kubernetes services) might block outbound connections to the coordination server.
+- **Restricted egress policies**: Control plane clusters with strict network policies (common in GKE, EKS, and other managed Kubernetes services) might block outbound connections to the coordination server.
- **Ingress controller interference**: Ingress controllers like Istio might block or interfere with WebSocket upgrades required for TSNet communication.
@@ -140,7 +140,7 @@ After completing the solution steps:
- Connect to the virtual cluster and check node access:
+ Connect to the tenant cluster and check node access:
```bash
vcluster connect -n
@@ -174,7 +174,7 @@ To ensure reliable TSNet connectivity in the platform:
- **Always disable direct connections**: Set `TS_DEBUG_DIAL_DIRECT=false` in environments to avoid connection issues.
-- **Monitor network policies**: Ensure your host cluster's network policies allow outbound connections to the platform coordination server.
+- **Monitor network policies**: Ensure your control plane cluster's network policies allow outbound connections to the platform coordination server.
- **Configure appropriate timeouts**: Set reasonable timeout values for network operations in restricted environments.
diff --git a/platform_versioned_docs/version-4.9.0/understand/auth-explanation.mdx b/platform_versioned_docs/version-4.9.0/understand/auth-explanation.mdx
index b594fe54cc..0726f81a8f 100644
--- a/platform_versioned_docs/version-4.9.0/understand/auth-explanation.mdx
+++ b/platform_versioned_docs/version-4.9.0/understand/auth-explanation.mdx
@@ -20,7 +20,7 @@ The platform uses several objects to manage access and permissions:
| **SSO Group** | A representation of a group from your [configured SSO provider](https://www.vcluster.com/docs/platform/configure/platform-configs/single-sign-on). These groups are imported during authentication and stored in User records. |
| **Team** | A collection of platform users. Users join teams either through explicit assignment or via SSO Group membership. Teams can have Management Roles. [API reference](https://www.vcluster.com/docs/platform/api/resources/team) |
| **Management Role** | Defines permissions granted to users or teams within specific scopes. [API reference](https://www.vcluster.com/docs/platform/api/resources/clusterroletemplate) |
-| **Project** | An organizational unit for resources such as virtual clusters. [Projects](https://www.vcluster.com/docs/platform/understand/what-are-projects) help enforce access control and resource quotas.|
+| **Project** | An organizational unit for resources such as tenant clusters. [Projects](https://www.vcluster.com/docs/platform/understand/what-are-projects) help enforce access control and resource quotas.|
## Setting up authentication with Microsoft Entra ID
@@ -47,8 +47,8 @@ This example shows how to implement a comprehensive security model using Microso
Create Management Roles aligned with your organization's needs. This example uses four distinct roles:
1. **Platform Operations** - Full platform management permissions
-2. **DevOps Engineers** - Create and manage virtual clusters within projects
-3. **Developers** - Connect to and use virtual clusters
+2. **DevOps Engineers** - Create and manage tenant clusters within projects
+3. **Developers** - Connect to and use tenant clusters
4. **Automation Service Account** - Programmatic access for GitOps workflows
### Team structure
diff --git a/platform_versioned_docs/version-4.9.0/understand/platform_communication.mdx b/platform_versioned_docs/version-4.9.0/understand/platform_communication.mdx
index b4fffa36ea..e0da020d60 100644
--- a/platform_versioned_docs/version-4.9.0/understand/platform_communication.mdx
+++ b/platform_versioned_docs/version-4.9.0/understand/platform_communication.mdx
@@ -11,7 +11,7 @@ Several background processes run when creating a vCluster that enable communicat
## Components in vCluster-platform communication
### The platform
-The control center for managing your virtual clusters. This includes the main dashboard where you can view, configure, and monitor all your virtual clusters.
+The control center for managing your tenant clusters. This includes the main dashboard where you can view, configure, and monitor all your tenant clusters.
### vCluster
Your virtual Kubernetes cluster that runs your applications. It connects securely to the platform.
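Review bot: After this change the section introduces "tenant clusters" under "The platform" and, two lines later, defines "vCluster" as "Your virtual Kubernetes cluster" without relating the two terms. Add the relationship to the `### vCluster` definition (unchanged context in this hunk) so the component list uses one vocabulary; if a tenant cluster is a vCluster managed by the platform, say so there.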
@@ -29,7 +29,7 @@ A VPN tunnel creates a secure connection between endpoints and the internet that
## What is VPN Mesh?
-A VPN mesh forms a secure, decentralized network where devices connect directly to each other using encrypted tunnels. In cluster architecture, VPN mesh (Tailscale) secures communication between the vCluster platform and virtual clusters.
+A VPN mesh forms a secure, decentralized network where devices connect directly to each other using encrypted tunnels. In cluster architecture, VPN mesh (Tailscale) secures communication between the vCluster platform and tenant clusters.
## Register vCluster on the platform
diff --git a/platform_versioned_docs/version-4.9.0/understand/ranges-app-template.mdx b/platform_versioned_docs/version-4.9.0/understand/ranges-app-template.mdx
index 39117ce34b..c9563c4cf6 100644
--- a/platform_versioned_docs/version-4.9.0/understand/ranges-app-template.mdx
+++ b/platform_versioned_docs/version-4.9.0/understand/ranges-app-template.mdx
@@ -88,7 +88,7 @@ This configuration:
Setting numeric ranges is valuable for:
-- **Resource allocation**: Ensuring virtual clusters receive sufficient but not excessive resources.
+- **Resource allocation**: Ensuring tenant clusters receive sufficient but not excessive resources.
- **Configuration safety**: Preventing users from entering values that could cause performance issues.
- **Standardization**: Maintaining consistent deployments across your organization.
- **User guidance**: Helping users understand appropriate values for different parameters.
diff --git a/platform_versioned_docs/version-4.9.0/understand/what-are-apps.mdx b/platform_versioned_docs/version-4.9.0/understand/what-are-apps.mdx
index 1b1230b5a0..7bcfc0cbfa 100644
--- a/platform_versioned_docs/version-4.9.0/understand/what-are-apps.mdx
+++ b/platform_versioned_docs/version-4.9.0/understand/what-are-apps.mdx
@@ -9,15 +9,15 @@ sidebar_position: 6
Apps in vCluster Platform are a way for admins to package applications and scripts in consumable packages.
-These Apps can then be deployed into clusters, spaces, or virtual clusters.
+These Apps can then be deployed into clusters, spaces, or tenant clusters.
An example application, and one that comes packaged in a default vCluster Platform deployment, is the 'Cert
Manager' app. This app, as you may guess from the name, deploys the
[cert-manager](https://github.com/cert-manager/cert-manager) controller into a cluster, space or
-virtual cluster.
+tenant cluster.
Apps can be an existing or custom (user provided) Helm chart, a Kubernetes manifest, or a bash
-script that installs resources into a given destination (cluster, space, or virtual cluster).
+script that installs resources into a given destination (cluster, space, or tenant cluster).
Importantly, Apps can have _parameters_, that is, values that a user can provide to modify the
deployment of an application.
diff --git a/platform_versioned_docs/version-4.9.0/understand/what-are-secrets.mdx b/platform_versioned_docs/version-4.9.0/understand/what-are-secrets.mdx
index 451258deef..2560ea5919 100644
--- a/platform_versioned_docs/version-4.9.0/understand/what-are-secrets.mdx
+++ b/platform_versioned_docs/version-4.9.0/understand/what-are-secrets.mdx
@@ -6,12 +6,12 @@ sidebar_position: 9
## What are Secrets?
-Like [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/), vCluster Platform secrets are intended to hold confidential data in the form of key/value pairs. vCluster Platform extends Kubernetes secrets by allowing global or project level management of secret data, managing which users and teams can access secrets, and synchronizing secret data across multiple clusters and the spaces and virtual clusters on those clusters. After creating vCluster Platform secrets, native Kubernetes secrets can be created with labels that indicate to vCluster Platform that the secret data should be synchronized with vCluster Platform secrets. Once this secret synchronization is configured, the secret data can be mounted using the native secret as usual, but managed at the project or global level using vCluster Platform secrets.
+Like [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/), vCluster Platform secrets are intended to hold confidential data in the form of key/value pairs. vCluster Platform extends Kubernetes secrets by allowing global or project level management of secret data, managing which users and teams can access secrets, and synchronizing secret data across multiple clusters and the spaces and tenant clusters on those clusters. After creating vCluster Platform secrets, native Kubernetes secrets can be created with labels that indicate to vCluster Platform that the secret data should be synchronized with vCluster Platform secrets. Once this secret synchronization is configured, the secret data can be mounted using the native secret as usual, but managed at the project or global level using vCluster Platform secrets.
## Project Secrets
-Project secrets are scoped to a Project, and implicitly only allow access to members of the project. Once a project secret is created, native Kubernetes secrets that synchronize to the project secret can be created in spaces and virtual clusters that belong to the project. This provides a convenient way to manage secret data for all members of the project. For more information on creating project secrets, see [creating project secrets](../administer/secrets/project/create.mdx)
+Project secrets are scoped to a Project, and implicitly only allow access to members of the project. Once a project secret is created, native Kubernetes secrets that synchronize to the project secret can be created in spaces and tenant clusters that belong to the project. This provides a convenient way to manage secret data for all members of the project. For more information on creating project secrets, see [creating project secrets](../administer/secrets/project/create.mdx)
## Global Secrets
-Global secrets or shared secrets can be synchronized across all spaces in vCluster Platform registered clusters. Additionally, global secrets can be use to synchronize project secrets. This allows organization wide management of secrets shared across multiple projects. Like project secrets, native Kubernetes secrets can be synchronized directly to global secrets, however this synchronization only works for secrets defined in spaces and not virtual clusters. For more information on creating project secrets, see [creating global secrets](../administer/secrets/global/create.mdx)
+Global secrets or shared secrets can be synchronized across all spaces in vCluster Platform registered clusters. Additionally, global secrets can be use to synchronize project secrets. This allows organization wide management of secrets shared across multiple projects. Like project secrets, native Kubernetes secrets can be synchronized directly to global secrets, however this synchronization only works for secrets defined in spaces and not tenant clusters. For more information on creating project secrets, see [creating global secrets](../administer/secrets/global/create.mdx)
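Review bot: The rewritten "Global Secrets" line carries over two errors: "global secrets can be use to synchronize" should read "can be used", and the closing sentence says "For more information on creating project secrets" while linking to "creating global secrets". Both sit on the replaced line, so fix them in this change. The rewritten "Project Secrets" line also ends its last sentence without a period.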
diff --git a/platform_versioned_docs/version-4.9.0/understand/what-are-users-and-teams.mdx b/platform_versioned_docs/version-4.9.0/understand/what-are-users-and-teams.mdx
index 03a5bae286..544c266374 100644
--- a/platform_versioned_docs/version-4.9.0/understand/what-are-users-and-teams.mdx
+++ b/platform_versioned_docs/version-4.9.0/understand/what-are-users-and-teams.mdx
@@ -9,5 +9,5 @@ sidebar_position: 10
Users and teams are entities that can interact with the vCluster Platform API. A user can
be a developer that develops applications or an administrator that manages the
vCluster Platform. Users can be assigned to teams, which set the permissions applied
-to all the team's members. For example, you can give virtual cluster access to a team, which
-gives all members of the team virtual cluster access.
+to all the team's members. For example, you can give tenant cluster access to a team, which
+gives all members of the team tenant cluster access.