Commit graph

2004 commits

Author SHA1 Message Date
IvanHunters
573e7b19bc chore: remove inline comment from targetVersion
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-04-02 18:55:02 +03:00
IvanHunters
747a1745e9 fix(postgres): revert default PostgreSQL version to v17
The v1.2.0 release introduced PostgreSQL v18 as default, which causes
compatibility issues with existing v17 installations. This change:

- Sets default version back to v17 in values.yaml and schema
- Adjusts migration targetVersion to 38 to enable migration 37
- Migration 37 backfills version field for existing installations

This ensures existing PostgreSQL clusters continue working after upgrade.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-04-02 18:51:19 +03:00
Andrey Kolkov
16223dcffa fix(backup): abstract underlying resources by applicationRef.kind
Signed-off-by: Andrey Kolkov <androndo@gmail.com>
2026-04-01 21:39:47 +04:00
Andrey Kolkov
b4f760c1dc
feat(backups): no manual actions for restore VMI (#2251)
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
Introduce more accurate in-place backup/restores for VMDisk and VMInstance:
- keep IP/MAC of VM
- keep HR of VMDisk related to VMI volumes
- avoid Velero restore of DVs because it conflicts with  DV from HR of VMDisk
- propagate to BackupJob/RestoreJob failure messages from Velero to be more clear for namespace users when some job fails
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Capture and persist underlying resource metadata (data volumes, OVN
IP/MAC) in Backup status and Velero annotations; use it to better scope
backups/restores.
  * New Backup controller to ensure Velero cleanup for deleted backups.
* Pre-restore preparation: suspend releases, halt VMs, rename PVCs,
delete DataVolumes, and apply resource-modifier rules for claim adoption
and network annotations.

* **Bug Fixes**
* Improved Velero failure messages (includes hooks, async item ops, and
DataUpload failures).

* **Chores**
* Expanded RBAC and added RoleBinding to support Velero/restore
operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-31 18:07:29 +04:00
Andrei Kvapil
94d42749a7
fix(kubernetes): set explicit ephemeral-storage on virt-launcher pods
Without explicit ephemeral-storage resources on the VirtualMachine spec,
virt-launcher pods inherit default limits from the namespace LimitRange,
which can be much lower than the emptyDisk capacity. This causes kubelet
to evict the pod when the VM's containerd unpacks images exceeding the
limit.

Set domain.resources with ephemeral-storage calculated via cozy-lib
allocation ratio based on the configured ephemeralStorage value.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-03-31 12:48:07 +02:00
Andrei Kvapil
7c92c4ec2e
fix(multus): pin master CNI to 05-cilium.conflist (#2315)
## Summary
- Pin multusMasterCNI to `05-cilium.conflist` to prevent race condition
at boot
- Fixes issue where multus auto-detects wrong conflist, bypassing Cilium
CNI chain

## Problem
During node boot (e.g. Talos upgrade), multus auto-detects the master
CNI conflist by scanning
the CNI config directory. If kube-ovn writes `10-kube-ovn.conflist`
before Cilium writes
`05-cilium.conflist`, multus selects the wrong file. Pods on the
affected node then bypass
the Cilium chain entirely, have no Cilium endpoint, and their traffic
gets blocked by
cluster-wide network policies.

## Fix
Set `multusMasterCNI: "05-cilium.conflist"` in the multus daemon config
to explicitly
pin the master CNI file, eliminating the race condition.

## Upstream
- Issue: https://github.com/k8snetworkplumbingwg/multus-cni/issues/1499
- Tracking: https://github.com/cozystack/cozystack/issues/2310

## Test plan
- [x] Verified `multusMasterCNI` JSON key matches upstream struct tag
- [ ] Deploy and verify `00-multus.conf` points to `05-cilium.conflist`
after node reboot
2026-03-31 12:01:41 +02:00
Andrei Kvapil
e09cd0f37f
fix(multus): pin master CNI to 05-cilium.conflist
Set multusMasterCNI to explicitly use 05-cilium.conflist instead of
auto-detecting the first available conflist at boot. This prevents a
race condition where multus picks 10-kube-ovn.conflist if it appears
before 05-cilium.conflist during node startup, bypassing the Cilium
CNI chain entirely.

Upstream issue: https://github.com/k8snetworkplumbingwg/multus-cni/issues/1499
Tracking issue: https://github.com/cozystack/cozystack/issues/2310

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-03-31 11:30:25 +02:00
Andrei Kvapil
d94e71ee79
fix(multus): build custom image with DEL cache fix (#2313)
## Summary
- Build custom multus-cni image with a patch that fixes sandbox cleanup
deadlock
- When CNI ADD never completes, DEL now returns success instead of
failing
- Prevents stale sandbox name reservations from permanently blocking pod
creation

## Problem
After a node disruption (e.g. DRBD/kube-ovn issues during upgrade),
containerd accumulates
stale sandbox name reservations. Cleanup fails because multus calls
delegate plugins for DEL
without cached state, and they reject the incomplete config. This blocks
all new pods on the
affected node indefinitely.

## Changes
- Add `images/multus-cni/` with Dockerfile and patch for custom image
build
- Add `image` target to multus Makefile
- Add multus to root Makefile build targets
- Update DaemonSet template to use the custom image

## Upstream
- PR: https://github.com/k8snetworkplumbingwg/multus-cni/pull/1498
- Tracking: https://github.com/cozystack/cozystack/issues/2310

## Test plan
- [x] Built and pushed image to ghcr.io/cozystack/cozystack/multus-cni
- [x] Deployed to cluster, verified fix in multus logs ("no cache
found... skip DEL")
- [x] Force-deleted stuck pods, all 24 pods started successfully within
70s

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
  * Added Multus CNI container image build process to the system.

* **Bug Fixes**
* Fixed delete operation behavior when cache is unavailable, improving
reliability of network cleanup operations.

* **Chores**
* Updated Multus CNI container image reference in deployment
configuration to latest version with build improvements.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-31 11:22:16 +02:00
Andrei Kvapil
1cd564330c
chore: remove build artifact
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-03-31 11:15:45 +02:00
Andrei Kvapil
094b80ae16
fix(multus): build custom image with DEL cache fix
When CNI ADD never completes, multus DEL fails because delegate plugins
require runtime state that only exists after a successful ADD. This
creates a deadlock where containerd cannot release sandbox name
reservations, permanently blocking pod creation on the affected node.

Build a custom multus-cni image with a patch that returns success on
DEL when no cache file exists (ADD was never completed).

Upstream PR: https://github.com/k8snetworkplumbingwg/multus-cni/pull/1498
Tracking issue: https://github.com/cozystack/cozystack/issues/2310

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-03-31 11:15:40 +02:00
Andrei Kvapil
77aeef1f60
fix(linstor): set verify-alg to crc32c to avoid crct10dif unavailability (#2303)
## Summary
- Set `DrbdOptions/Net/verify-alg` to `crc32c` at the controller level
to prevent DRBD connection failures on kernels where `crct10dif` is
unavailable
- Fixes an issue where all DRBD resources become Diskless after
upgrading to Talos v1.12.6 (kernel 6.18.18)

## Why
LINSTOR's auto-verify algorithm selection picks `crct10dif` by default,
but this kernel crypto module is no longer available in newer kernels.
This causes DRBD peer connections to fail with `VERIFYAlgNotAvail:
failed to allocate crct10dif for verify`, resulting in lost quorum on
all nodes.

## Test plan
- [ ] Deploy to a cluster running Talos v1.12.6 (kernel 6.18.18)
- [ ] Verify DRBD resources connect and replicate normally
- [ ] Confirm `drbdsetup` uses `crc32c` as verify-alg

Closes #2302

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **Configuration**
* Added network verification algorithm configuration option for DRBD
cluster setup.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-31 10:47:45 +02:00
Andrey Kolkov
15d319bfa1 feat(backup): no manual actions required to perform restorejob for
VMInstance

Signed-off-by: Andrey Kolkov <androndo@gmail.com>
2026-03-31 12:01:04 +04:00
IvanHunters
620c8fb3c0 feat(postgres): extend v17 hardcode to all system components
Add explicit PostgreSQL 17.7 image to Harbor, SeaweedFS, and Keycloak
databases to ensure consistent version across all system components.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-31 09:01:44 +03:00
IvanHunters
fd1714442e feat(postgres): hardcode PostgreSQL 17 for monitoring and add migration
Add migration 37 to backfill spec.version=v17 for existing PostgreSQL
resources without a version set.

Hardcode PostgreSQL 17.7 image in monitoring databases (Grafana and Alerta)
to ensure compatibility with monitoring queries that expect PostgreSQL 17
features (pg_stat_checkpointer, updated pg_stat_bgwriter).

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-31 00:46:47 +03:00
Andrei Kvapil
30616b73f3
fix(linstor): set verify-alg to crc32c to avoid crct10dif unavailability
The crct10dif kernel crypto module is no longer available in Talos
v1.12.6 (kernel 6.18.18). DRBD auto-verify selects crct10dif by
default, causing peer connections to fail with VERIFYAlgNotAvail.
Setting verify-alg explicitly to crc32c at the controller level
ensures all resources use an available algorithm.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-03-30 20:58:43 +02:00
Andrei Kvapil
7b9f308d18
[keycloak] Enable injecting themes (#2142)
## What this PR does

This patch lets Cozystack admins specify initContainers that will run
`cp -r /themes/ /opt/keycloak/themes/` on startup, effectively providing
an interface for operators to inject custom themes into the keycloak
deployment to customize the UI.

### Release note

```release-note
[keycloak] Enable injection of user-provided themes for Keycloak via
initContainers.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added support for custom Keycloak themes through configuration,
allowing users to customize the appearance of the authentication
interface.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-30 20:16:42 +02:00
Andrei Kvapil
acd1933bae
fix(platform): propagate resource allocation ratios to packages (#2296)
## What this PR does

Fixes a regression introduced in the bundle restructure (2d022e38) where
`cpuAllocationRatio`, `memoryAllocationRatio`, and
`ephemeralStorageAllocationRatio` from `platform/values.yaml` became
no-ops — never propagated to child packages.

The old monolithic bundles read these values from the cozystack
ConfigMap via `lookup` and passed them explicitly. After migration to
the Package CRD model, the bridge was lost: cozy-lib expects the ratios
in `_cluster` config (via `cozystack-values` Secret), but platform never
wrote them there, so the hardcoded defaults (10, 1, 40) were always used
regardless of what the user configured.

This commit restores the propagation by:
- Adding `cpu-allocation-ratio`, `memory-allocation-ratio`, and
`ephemeral-storage-allocation-ratio` to the `_cluster` section in the
`cozystack-values` Secret, so cozy-lib in all managed applications picks
them up
- Passing `cpuAllocationRatio` to the kubevirt Package component values,
so the KubeVirt CR gets the configured value

### Release note

```release-note
[platform] Fix propagation of resource allocation ratios (cpu, memory, ephemeral-storage) to managed applications and KubeVirt, which were silently ignored since the bundle restructure.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Added new resource allocation configuration fields to platform
templates for flexible resource management.
* Enhanced conditional handling of resource settings within container
infrastructure components.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-30 20:15:07 +02:00
Andrei Kvapil
d6b2b412f4
[vm-instance] Rename subnets to networks and add dropdown selector (#2263)
## What this PR does

Renames the misleading `subnets` field to `networks` in VMInstance. The
old field
name implied the VM was creating subnets, when in reality it attaches
the VM to
existing VPC network attachments (NetworkAttachmentDefinitions). This
change:

- Adds a new `networks` field as the primary way to attach VMs to VPC
networks
- Keeps `subnets` as deprecated with backward-compatible fallback via
Helm `default`
- Fails with a clear error if both `networks` and `subnets` are set
simultaneously
- Adds an API-backed dropdown selector for `networks[].name` listing
available
  NetworkAttachmentDefinitions in the namespace
- Hides the deprecated `subnets` field from the dashboard UI

### Release note

```release-note
[vm-instance] Rename `subnets` field to `networks` in VMInstance for clarity.
The old `subnets` field is deprecated but still supported for backward compatibility.
A dropdown selector for available networks has been added to the dashboard.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added native networks field for VM attachments and a UI dropdown to
select network attachments; UI hides deprecated subnet fields for VM
instances.

* **Deprecations**
* subnets is deprecated; use networks moving forward (subnets retained
for backward compatibility).

* **Chores / Migration**
* Added a migration to copy existing subnets into networks and bumped
platform migration target version.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-30 20:07:44 +02:00
Andrei Kvapil
68c7e81791
[mariadb] fix: always enable replication for consistent service naming (#2279)
## What this PR does

Enables replication unconditionally in the MariaDB CR, regardless of
replica count.

Previously, single-replica MariaDB instances created a general service
(`mariadb-<name>`) without `-primary`/`-secondary` suffixes. This
caused:
- Dashboard not displaying the service (both dashboard-resourcemap RBAC
and the ApplicationDefinition expect `-primary`/`-secondary`)
- Backup CronJob referencing non-existent `<name>-secondary` service

Also removes a duplicate `template` key in the backup-cronjob YAML that
was silently ignored by the parser.

**BREAKING CHANGE:** Single-replica MariaDB instances will now expose
services as `<name>-primary` and `<name>-secondary` instead of the bare
`<name>`. Applications connecting via the old service DNS name must
update their connection strings.

### Release note

```release-note
[mariadb] BREAKING: MariaDB now always enables replication, creating -primary/-secondary services even for single-replica instances. This fixes dashboard visibility and backup functionality for single-replica setups. Existing single-replica users must update connection strings from `<name>` to `<name>-primary`.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Removed a redundant backup job restart policy that could cause
conflicting behavior.
* Ensured replication is consistently enabled across all deployment
sizes.
* Made external service LoadBalancer settings apply more predictably for
external deployments.
* Adjusted database host selection so single-replica deployments target
the primary instance, improving connection correctness.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-30 20:07:15 +02:00
Andrei Kvapil
293ac2268e
[linstor] Preserve TCP ports during toggle-disk operations (#2292)
## What this PR does

Updates the `fix-duplicate-tcp-ports` patch to preserve existing TCP
ports when DrbdRscData is recreated during toggle-disk operations.

Without this fix, `removeLayerData()` frees TCP ports from the number
pool, and `ensureStackDataExists()` may allocate different ports. If the
satellite misses the update (e.g. due to controller restart), it keeps
the old ports while peers receive the new ones, causing DRBD connections
to fail with StandAlone state.

The fix adds `copyDrbdTcpPortsIfExists()` which saves existing TCP ports
into the `LayerPayload` before `removeLayerData()` deletes them.

Also adds `dh_strip_nondeterminism` override in Dockerfile to fix build
failures on some JAR files.

Upstream:
https://github.com/LINBIT/linstor-server/pull/476#issuecomment-4147527442

### Release note

\`\`\`release-note
[linstor] Fix TCP port mismatches after toggle-disk operations that
could cause DRBD resources to enter StandAlone state
\`\`\`

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Fixed an issue where DRBD TCP ports were not correctly preserved
during disk toggle operations, which could result in TCP port mismatches
between the controller and satellite nodes.
* Improved robustness of the build and packaging process by addressing
non-determinism handling for Java library dependencies.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-30 20:06:40 +02:00
myasnikovdaniil
364653508f
[platform] Prevent installed packages deletion (#2273)
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does

Adds annotation `helm.sh/resource-policy: keep` to all packages to
prevent its automatic deletion when:
1, Package added to `disabledPackages` parameter in
`cozystack.cozystack-platform` package
2. Package removed form `enabledPackages` parameter in
`cozystack.cozystack-platform` package

This change bring back [docs explained
behavior](https://cozystack.io/docs/v1/operations/configuration/components/)
- platform administrator should manually delete package if needed.

### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[platform] Prevent installed packages deletion
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated Helm templates to configure resource-policy annotations on
package resources, ensuring proper resource lifecycle management and
retention policies during cluster deployments.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-30 21:36:45 +05:00
Aleksei Sviridkin
ed51d3e16e
[keycloak] Harden theme injection with validation and security
Add securityContext to theme init containers matching the main
container security posture. Add input validation for theme entries:
required fields, DNS-1123 name sanitization, duplicate detection,
and container name length limit. Add imagePullSecrets support for
private registries and sizeLimit on the emptyDir volume.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
2026-03-30 17:01:10 +03:00
Andrei Kvapil
96567c1d24
[kamaji] Update to 26.3.5-edge, drop upstreamed patches (#2260)
## What this PR does

Update kamaji from edge-26.2.4 to 26.3.5-edge and remove two patches
that have been accepted upstream:

- `increase-startup-probe-threshold.diff` → upstream #1086 added
  configurable startupProbeFailureThreshold
- `disable-datastore-check.diff` → upstream #1087 refactored
  DataStore initialization

The remaining `fix-kubelet-config-compat.diff` (PR #1084) is still
needed — the maintainer has not accepted the upstream fix for kubelet
config compatibility with K8s < 1.35.

Also updates Makefile to match the new upstream tag format
(`26.x.x-edge` instead of `edge-26.x.x`) introduced in upstream
PR #1094.

Note: `make image` needs to be run to rebuild the container image
and update `values.yaml` with the new tag/digest.

Changes:
- Makefile: update tag grep pattern for new format
- Dockerfile: bump VERSION to 26.3.5-edge
- Remove 2 upstreamed patches
- Update vendored charts from 26.3.5-edge

### Release note

```release-note
[kamaji] Update to 26.3.5-edge, drop 2 upstreamed patches
```


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Configurable probe tuning for Control Plane components (API Server,
Controller Manager, Scheduler)
* DataStore readiness visible in kubectl and status conditions tracking

* **Improvements**
  * Stronger networkProfile validation (CIDR checks, DNS/IP consistency)
  * DataStore driver is immutable after creation

* **Chores**
  * Removed two validating webhooks
  * Updated default packaged manager version used for builds
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-30 13:35:43 +02:00
Kirill Ilin
c73f677c79
fix(vm-instance): remove fail on both networks and subnets set
After migration 36 copies subnets to networks, both fields are populated.
The fail guard would break Helm reconciliation. Instead, networks simply
takes priority via the existing default fallback.

Also handle missing VMInstance CRD gracefully in migration 36.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-30 11:11:56 +05:00
Kirill Ilin
149cb67692
feat(platform): add migration 36 to copy subnets to networks in VMInstance
Existing VMInstance resources store network attachments in the deprecated
spec.subnets field. This migration copies subnets to the new spec.networks
field so the dashboard UI correctly displays attached networks. The old
subnets field is kept intact because migrations run before the new CRD is
applied.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-30 10:59:03 +05:00
Kirill Ilin
cb79c5fac7
chore(vm-instance): regenerate CRD and schema via make generate
Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-30 10:55:26 +05:00
Kirill Ilin
a56ef30df6
[vm-instance] Fix review issues: validation, DRY, and regenerate CRD
Add fail validation when both 'networks' and 'subnets' are set to
prevent silent data loss during migration. Compute $networks variable
once at template top level to eliminate DRY violation. Regenerate CRD
via make generate instead of manual editing.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-30 10:54:13 +05:00
Kirill Ilin
c27807952a
[vm-instance] Rename subnets to networks and add dropdown selector
Rename the misleading 'subnets' field to 'networks' in VMInstance to
better reflect that it attaches the VM to VPC network attachments, not
creates subnets. The old 'subnets' field is kept as deprecated with
fallback logic for backward compatibility.

Add an API-backed dropdown (listInput) for networks[].name that lists
available NetworkAttachmentDefinitions in the namespace, and hide the
deprecated subnets field from the dashboard UI.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-30 10:53:47 +05:00
Kirill Ilin
b42a8ed7e4
fix(platform): propagate resource allocation ratios to packages
Since the bundle restructure in 2d022e38, the cpuAllocationRatio,
memoryAllocationRatio and ephemeralStorageAllocationRatio values from
platform values.yaml were no longer propagated to child packages.

The old monolithic bundles read these values from the cozystack
ConfigMap via lookup and passed them explicitly. After migration to
the Package CRD model, the bridge was lost: cozy-lib expects the
ratios in _cluster config (via cozystack-values Secret), but platform
never wrote them there, so the hardcoded defaults were always used.

This commit restores the propagation by:
- Adding cpu/memory/ephemeral-storage allocation ratios to the
  _cluster section in the cozystack-values Secret, so cozy-lib in
  all managed applications picks them up.
- Passing cpuAllocationRatio to the kubevirt Package component, so
  the KubeVirt CR gets the configured value.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-30 09:50:08 +05:00
Andrei Kvapil
812d4138bb
fix(linstor): preserve TCP ports during toggle-disk operations
Update fix-duplicate-tcp-ports patch to preserve existing TCP ports when
DrbdRscData is recreated during toggle-disk operations. Without this,
removeLayerData() frees ports and ensureStackDataExists() may allocate
different ones, causing port mismatches between controller and satellites
if the satellite misses the update.

Also add dh_strip_nondeterminism override in Dockerfile to fix build
failures on some JAR files.

Upstream: https://github.com/LINBIT/linstor-server/pull/476#issuecomment-4147527442

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-03-28 08:31:56 +01:00
cozystack-bot
c652e1e0f9 Prepare release v1.2.0
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-03-27 14:00:46 +00:00
Kirill Ilin
de540d88f6
[linstor] Fix swapped VMPodScrape job labels (#2264)
## What this PR does

Fixes swapped `job` labels in the `cozy-linstor` VictoriaMetrics
`VMPodScrape` templates.

Before this change:
- `linstor-satellite` metrics were relabeled as `job=linstor-controller`
- `linstor-controller` metrics were relabeled as `job=linstor-satellite`

This caused `linstorControllerOffline` alerts to fire for satellite
endpoints such as `:9942` while reporting that the controller was
unreachable.

After this change:
- `linstor-satellite` metrics keep `job=linstor-satellite`
- `linstor-controller` metrics keep `job=linstor-controller`

This restores consistent alerting and dashboard semantics for LINSTOR
monitoring.

### Release note

```release-note
[linstor] Fix swapped VictoriaMetrics `VMPodScrape` job labels in `cozy-linstor` so `linstorControllerOffline` alerts target the controller instead of satellite endpoints.
```


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Corrected Prometheus relabeling so Linstor controller and satellite
scrapes now receive the correct job labels.
* Ensures metrics are attributed to the proper components, improving
accuracy of monitoring and alerting.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-27 17:50:46 +05:00
Kirill Ilin
24078dc4ad
[piraeus-operator] Fix LINSTOR satellite alert labels and scrape flapping false positives (#2265)
## Summary

This fixes two issues in the LINSTOR alerts shipped by
`cozy-piraeus-operator`:

- `linstorSatelliteErrorRate` uses a non-existent `name` label in
annotations, which results in `Satellite ""` in notifications.
- `linstorSatelliteErrorRate` can produce false positives when the
`linstor-controller` scrape flaps and historical
`linstor_error_reports_count` counters reappear inside the alert window.

## Test plan

- Verified the rendered rule updates `{{ $labels.name }}` to `{{
$labels.hostname }}` for LINSTOR satellite alerts.
- Verified the `linstorSatelliteErrorRate` expression now requires
stable `up{job="linstor-controller"}` for the full 15 minute window.
- Applied the same logic in a live cluster and confirmed the
false-positive `linstorSatelliteErrorRate` alerts stopped firing once
controller scrape recovered.

## Release note

```release-note
Fix LINSTOR satellite alert annotations and reduce false positives when controller scraping flaps.
```


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Improvements**
* Controller alert now evaluates deployment availability and waits 3
minutes before firing to reduce transient noise.
* Satellite error alerts include an additional check requiring the
controller to have been continuously up recently to avoid spurious
triggers.
* Notifications and dashboards now include hostnames for clearer
identification.

* **New Features**
* Added a dedicated warning for controller metrics scrape failures with
a 10-minute delay.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-27 17:50:40 +05:00
Kirill Ilin
4f22f075e0
[postgres] Fix database deletion lifecycle management (#2247)
## What this PR does

Previously, removing a database from `values.databases` had no effect —
the database and its associated roles (`<db>_admin`, `<db>_readonly`)
persisted in PostgreSQL indefinitely. This made it impossible to
declaratively manage database lifecycle via Helm values.

Added two cleanup stages to the init script, mirroring the existing user
deletion logic:
- **Delete databases** that have the `database managed by helm` comment
but are no longer listed in `values.databases` — active connections are
terminated before dropping
- **Delete orphaned roles** (`<db>_admin`, `<db>_readonly`) with proper
membership revocation (`REVOKE ... FROM`) before `REASSIGN OWNED` /
`DROP OWNED` / `DROP ROLE`

This also fixes the reported issue where creating a database, removing
it, and creating it again would silently retain stale data from the
first instance.

### Release note

```release-note
[postgres] Databases removed from `values.databases` are now properly dropped along with their associated roles. Previously removed databases and roles would persist indefinitely.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Enhanced database initialization to automatically remove databases and
roles that were removed from your Helm configuration, avoiding orphaned
resources.
* Now force-terminates active sessions, reassigns owned objects, and
cleans up role memberships to ensure reliable removals.
* Improves consistency of database state during upgrades and
configuration changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-27 17:49:15 +05:00
Kirill Ilin
1b0251ad0f
[dashboard] Fix JSONPath crash on Tenant details with resourceQuotas (#2249)
## What this PR does

Fixes a crash on the Tenant details page when `resourceQuotas` are
configured. The dashboard renders a ResourceQuota table with a "Used"
column that references `$.status.used[_flatMapData_Key]`. When the
flatMap placeholder is not resolved during initial render, the raw
placeholder is passed to the JSONPath parser, causing:

```text
Parse error on line 1: $.status.used[_flatMapData_Key]
Expecting 'STAR', 'SCRIPT_EXPRESSION', 'INTEGER', ... got 'IDENTIFIER'
```

The original `flatmap-dynamic-key.diff` patch that handled this was
removed during the 1.4.0 dashboard upgrade, assuming upstream included
the fix. Upstream adopted the code reordering (flatMap expansion before
customFields resolution) but not the fallback protection for unresolved
placeholders.

Adds a patch to `openapi-k8s-toolkit` that checks for unresolved
`_flatMap*_Key` placeholders after regex substitution and returns `null`
instead of calling `jp.query()` with an invalid expression.

### Release note

```release-note
[dashboard] Fix crash on Tenant details page when resourceQuotas are configured
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Tables now gracefully handle unresolved placeholder fields by treating
them as empty/null instead of attempting lookup, preventing display
errors and preserving previously correct rendering of resolved fields.
* Reduces unexpected array-wrapping in single-value cells so values
display consistently.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-27 17:49:07 +05:00
Kirill Ilin
86595b99e4
[system] Fix tenant RBAC for endpointslices read access (#2257)
## What this PR does

Adds `discovery.k8s.io/endpointslices` read permissions (get, list,
watch) to `cozy:tenant:base` and `cozy:tenant:view:base` ClusterRoles.

Dashboard requests EndpointSlices to display the "Pod serving" section
on the Service details page. Without this permission, tenant users see a
403 error.

### Release note

```release-note
[system] Fix 403 error on Service details page by granting tenants read access to EndpointSlices
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Enhanced system permission configurations to improve platform
reliability and ensure proper access controls for core services.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-27 17:48:46 +05:00
Andrei Kvapil
73ad82a00c
[talos] Bump Talos to v1.12.6 (#2254)
## What this PR does

Bumps Talos OS from v1.12.1 to v1.12.6 across all image build profiles
(initramfs, installer, iso, kernel, metal, nocloud). Updates all system
extension image references and digests accordingly:

- amd-ucode: 20251125 → 20260309
- amdgpu: 20251125-v1.12.1 → 20260309-v1.12.6
- bnx2-bnx2x: 20251125 → 20260309
- intel-ice-firmware: 20251125 → 20260309
- i915: 20251125-v1.12.1 → 20260309-v1.12.6
- intel-ucode: 20251111 → 20260227
- qlogic-firmware: 20251125 → 20260309
- drbd: 9.2.16-v1.12.1 → 9.2.16-v1.12.6
- zfs: 2.4.0-v1.12.1 → 2.4.1-v1.12.6

### Release note

```release-note
[talos] Bump Talos to v1.12.6
```


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Chores

* Updated Talos image profiles from v1.12.1 to v1.12.6 across all
deployment configurations (initramfs, installer, ISO, kernel, metal, and
Nocloud).
* Updated hardware drivers and firmware extensions to latest pinned
versions, including AMD/Intel microcode, GPU drivers, network adapters,
and storage modules.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-27 09:59:23 +01:00
Kirill Ilin
1d58c18ff7
fix(mariadb): use primary service for backups with single replica
When replicas=1, the secondary service has no endpoints because the
only pod is the primary. Route backups to the primary service in this
case to ensure they work correctly.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-27 11:47:32 +05:00
Kirill Ilin
d2030bef87
fix(mariadb): always enable replication for consistent service naming
Enable replication unconditionally regardless of replica count.
Previously, single-replica instances created a general service
without -primary/-secondary suffixes, causing dashboard and
backup-cronjob to reference non-existent services.

Also fix duplicate YAML key in backup-cronjob template.

BREAKING CHANGE: Single-replica MariaDB instances will now have
service names with -primary/-secondary suffixes instead of the
bare instance name. Applications connecting via the old service
DNS name need to be updated.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-27 11:03:23 +05:00
Kirill Ilin
7c26bea81e
[dashboard] Fix StorageClass "Error" in forms by granting RBAC read access (#2267)
## What this PR does

Adds `get`/`list`/`watch` permissions for
`storage.k8s.io/storageclasses` to the `cozystack-dashboard-readonly`
ClusterRole.

The dashboard UI fetches StorageClasses to populate dropdowns (e.g. in
the Postgres form), but authenticated users lacked permissions on this
resource, causing "Error" to be displayed instead of the StorageClass
name.

### Release note

```release-note
[dashboard] Fix StorageClass dropdown showing "Error" by adding storageclasses read access to the dashboard readonly ClusterRole
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Enhanced dashboard read-only permissions to include access to storage
classes, improving visibility into cluster storage resources and
configuration.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-26 19:57:55 +05:00
Myasnikov Daniil
a243f3d72a
[platform] Added resource-policy to keep installed packages
Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
2026-03-26 19:06:04 +05:00
Kirill Ilin
f13e68a19e
[kilo] Switch from fork to upstream squat/kilo (#2259)
## What this PR does

Switch kilo from the cozystack/kilo fork to the upstream squat/kilo
repository (v0.7.0).

All functional patches from the fork have been upstreamed:
- `--internal-cidr` flag for IP auto-detection filtering (#403)
- Allowed-location-ips overlap with node IPs fix (#404)
- Auto-detect WireGuard MTU from underlay interface (#406)
- Preferred source for WireGuard routes (#408)
- Cilium IPIP overlay support (#409)

The fork only retained rebranding and CI-specific commits beyond
upstream, which are no longer needed.

Changes:
- Makefile: point to `squat/kilo` repo and `ghcr.io/squat/kilo` image
- values.yaml: updated via `make update` to `0.7.0` with digest pin

### Release note

```release-note
[kilo] Switch from cozystack/kilo fork to upstream squat/kilo v0.7.0
```


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Updates**
* Updated the kilo component to use a different source repository and
new version configuration.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-26 19:03:30 +05:00
Kirill Ilin
8e01eb5f7e
fix(platform): add missing apps to tenant admin RBAC
The cozy:tenant:admin:base ClusterRole was missing several application
resources from apps.cozystack.io, preventing tenant admins from creating
them (the "Add" button was inactive in the dashboard).

Add the following resources: foundationdbs, harbors, mongodbs, openbaos,
opensearches, qdrants, vpns.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-26 16:38:12 +05:00
Kirill Ilin
a7a80a7628
fix(dashboard): grant read access to storageclasses for authenticated users
The dashboard UI fetches StorageClasses via the Kubernetes API to populate
dropdowns (e.g. in the Postgres form), but the cozystack-dashboard-readonly
ClusterRole did not include storage.k8s.io/storageclasses. This caused
authenticated users to see "Error" instead of the StorageClass name.

Add get/list/watch permissions for storageclasses to the dashboard readonly
role, consistent with the existing backupclasses entry.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-26 16:25:18 +05:00
Kirill Ilin
c29d501be3
[objectstorage-controller] Update to v0.2.2, drop upstreamed patches (#2261)
## What this PR does

Update COSI controller/sidecar from commit `c2f6e65` to upstream
release `v0.2.2` and remove two patches that have been merged:

- `89-reconciliation.diff` — fix reconciliation logic for existing
  and deleted objects (upstream PR #89)
- `90-bucket-name.diff` — prefix bucket names with `bucket-` using
  UID only (upstream PR #90)

Both were contributed by kvaps and included in the v0.2.2 release
(2025-12-08).

Also removes `git` from Dockerfile dependencies as it was only
needed for applying patches.

Note: `make image` needs to be run to rebuild the container image
and update `values.yaml` with the new tag/digest.

### Release note

```release-note
[objectstorage-controller] Update to v0.2.2, drop upstreamed patches
```


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Updated object storage controller build configuration to streamline
upstream component retrieval and image build process.
* Modified resource deletion handling so deletion flows are centralized
and consistently enforced across create/update events.
* Changed bucket naming scheme—buckets will no longer include the bucket
class name in their identifier and follow the simplified naming pattern.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-26 13:52:33 +05:00
Kirill Ilin
2253a7ebc7
[monitoring] Add slack dashboard url and vmagent env label and dynamictext-panel to Grafna (#2210)
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does

Extends the `monitoring` system chart with additional optional
configuration for the Alerta Slack plugin, a VMAgent environment label,
and adds a Grafana plugin to the custom image build.

### Alerta — Slack plugin (`alerta.alerts.slack`)

| Value | Env var | Description |
|---|---|---|
| `dashboardUrl` | `DASHBOARD_URL` | Links Slack alert messages back to
the Alerta console |
| `summaryFmt` | `SLACK_SUMMARY_FMT` | Jinja2 template string for
customizing Slack message format |

All new fields are optional and default to empty, preserving existing
behavior when unset.

### VMAgent — external labels (`vmagent.externalLabels`)

- Added optional `environment` label that gets attached to all scraped
metrics (e.g. `Staging`, `Production`)
- When left empty, no label is added and Alerta falls back to its
built-in default of `"Production"`

### Grafana — custom image

- Added
[`marcusolsson-dynamictext-panel`](https://grafana.com/grafana/plugins/marcusolsson-dynamictext-panel/)
plugin to the Grafana image build


Added marcusolsson-dynamictext-panel plugin to the Grafana image build

### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[monitoring] Add optional Slack DASHBOARD_URL and SLACK_SUMMARY_FMT configuration for Alerta, optional vmagent environment external label, and marcusolsson-dynamictext-panel Grafana plugin
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added an additional Grafana visualization panel to expand dashboard
options.
* Extended Slack alerting with optional dashboard URL and customizable
summary format.
* Added an optional environment label for external metric ingestion to
improve context and filtering.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-26 13:44:17 +05:00
sasha-sup
bad59103f4
[linstor] Fix swapped VMPodScrape job labels
Signed-off-by: sasha-sup <alexsup4ik@gmail.com>
2026-03-26 11:11:00 +03:00
Kirill Ilin
2a6c4a7154
fix(dashboard): correct hunk header in flatmap patch
The hunk header claimed 8/13 lines but only 6/11 were present,
causing "corrupt patch at line 18" during git apply in the
openapi-ui image build.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-26 10:40:14 +05:00
sasha-sup
a052a650b0 [piraeus-operator] Split LINSTOR controller availability and metrics alerts
Signed-off-by: sasha-sup <alexsup4ik@gmail.com>
2026-03-25 16:11:14 +03:00
sasha-sup
4a92d7753c [piraeus-operator] Add hold time to LINSTOR controller offline alert
Signed-off-by: sasha-sup <alexsup4ik@gmail.com>
2026-03-25 16:02:59 +03:00