docs(upgrade): add step to protect namespace before upgrading

content/en/docs/v1/operations/cluster/upgrade.md

@@ -39,7 +39,22 @@ Make sure that the Platform Package is healthy and contains the expected configu
 kubectl get packages.cozystack.io cozystack.cozystack-platform -o yaml
 ```
 
-### 2. Upgrade the Cozystack Operator
+### 2. Protect critical resources
+
+Before upgrading, annotate the `cozy-system` namespace and the `cozystack-version` ConfigMap
+with `helm.sh/resource-policy=keep` to prevent Helm from deleting them during the upgrade:
+
+```bash
+kubectl annotate namespace cozy-system helm.sh/resource-policy=keep --overwrite
+kubectl annotate configmap -n cozy-system cozystack-version helm.sh/resource-policy=keep --overwrite
+```
+
+{{% alert color="warning" %}}
+**This step is required.** Without these annotations, removing or upgrading the Helm installer
+release could delete the `cozy-system` namespace and all resources within it.
+{{% /alert %}}
+
+### 3. Upgrade the Cozystack Operator
 
 Upgrade the Cozystack operator Helm release to the target version:
 
@@ -57,7 +72,7 @@ You can read the logs of the operator:
 kubectl logs -n cozy-system deploy/cozystack-operator -f
 ```
 
-### 3. Check the cluster status after upgrading
+### 4. Check the cluster status after upgrading
 
 ```bash
 kubectl get pods -n cozy-system

content/en/docs/v1/operations/upgrades/_index.md

@@ -196,7 +196,22 @@ If any releases are not `Ready`, resolve those issues before proceeding.
 
 ## Upgrade Steps
 
-### Step 1. Install the Cozystack Operator
+### Step 1. Protect critical resources
+
+Annotate the `cozy-system` namespace and the `cozystack-version` ConfigMap to prevent
+Helm from deleting them when the installer release is upgraded:
+
+```bash
+kubectl annotate namespace cozy-system helm.sh/resource-policy=keep --overwrite
+kubectl annotate configmap -n cozy-system cozystack-version helm.sh/resource-policy=keep --overwrite
+```
+
+{{% alert color="warning" %}}
+**This step is required.** Without these annotations, upgrading the Helm installer release
+could delete the `cozy-system` namespace and all resources within it.
+{{% /alert %}}
+
+### Step 2. Install the Cozystack Operator
 
 Install the new operator using Helm from the OCI registry.
 This deploys the `cozystack-operator`, installs two new CRDs (`Package` and `PackageSource`),
@@ -218,7 +233,7 @@ Verify the operator is running:
 kubectl get pods -n cozy-system -l app=cozystack-operator
 ```
 
-### Step 2. Generate the Platform Package
+### Step 3. Generate the Platform Package
 
 The migration script reads your existing ConfigMaps (`cozystack`, `cozystack-branding`, `cozystack-scheduling`)
 from the `cozy-system` namespace and converts them into a `Package` resource with the new values structure.
@@ -247,7 +262,7 @@ chmod +x migrate-to-version-1.0.sh
 ```
 {{% /alert %}}
 
-### Step 3. Monitor the Migration
+### Step 4. Monitor the Migration
 
 As soon as the Platform Package is applied, the operator starts the migration process.
 Migrations remove the old installer deployment and assets server, transform existing manifests
@@ -261,7 +276,7 @@ kubectl get hr -A
 
 Wait until all releases show `READY: True`.
 
-### Step 4. Clean Up Old ConfigMaps
+### Step 5. Clean Up Old ConfigMaps
 
 After verifying that all components are healthy, delete the old ConfigMaps
 that are no longer used:
@@ -270,7 +285,7 @@ that are no longer used:
 kubectl delete configmap -n cozy-system cozystack cozystack-branding cozystack-scheduling
 ```
 
-### Step 5. Verify the Migration
+### Step 6. Verify the Migration
 
 Check that the Platform Package is reconciled: