<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
Introduce more accurate in-place backup/restores for VMDisk and VMInstance:
- keep IP/MAC of VM
- keep HR of VMDisk related to VMI volumes
- avoid Velero restore of DVs because it conflicts with DV from HR of VMDisk
- propagate to BackupJob/RestoreJob failure messages from Velero to be more clear for namespace users when some job fails
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Capture and persist underlying resource metadata (data volumes, OVN
IP/MAC) in Backup status and Velero annotations; use it to better scope
backups/restores.
* New Backup controller to ensure Velero cleanup for deleted backups.
* Pre-restore preparation: suspend releases, halt VMs, rename PVCs,
delete DataVolumes, and apply resource-modifier rules for claim adoption
and network annotations.
* **Bug Fixes**
* Improved Velero failure messages (includes hooks, async item ops, and
DataUpload failures).
* **Chores**
* Expanded RBAC and added RoleBinding to support Velero/restore
operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Pin multusMasterCNI to `05-cilium.conflist` to prevent race condition
at boot
- Fixes issue where multus auto-detects wrong conflist, bypassing Cilium
CNI chain
## Problem
During node boot (e.g. Talos upgrade), multus auto-detects the master
CNI conflist by scanning
the CNI config directory. If kube-ovn writes `10-kube-ovn.conflist`
before Cilium writes
`05-cilium.conflist`, multus selects the wrong file. Pods on the
affected node then bypass
the Cilium chain entirely, have no Cilium endpoint, and their traffic
gets blocked by
cluster-wide network policies.
## Fix
Set `multusMasterCNI: "05-cilium.conflist"` in the multus daemon config
to explicitly
pin the master CNI file, eliminating the race condition.
## Upstream
- Issue: https://github.com/k8snetworkplumbingwg/multus-cni/issues/1499
- Tracking: https://github.com/cozystack/cozystack/issues/2310
## Test plan
- [x] Verified `multusMasterCNI` JSON key matches upstream struct tag
- [ ] Deploy and verify `00-multus.conf` points to `05-cilium.conflist`
after node reboot
Set multusMasterCNI to explicitly use 05-cilium.conflist instead of
auto-detecting the first available conflist at boot. This prevents a
race condition where multus picks 10-kube-ovn.conflist if it appears
before 05-cilium.conflist during node startup, bypassing the Cilium
CNI chain entirely.
Upstream issue: https://github.com/k8snetworkplumbingwg/multus-cni/issues/1499
Tracking issue: https://github.com/cozystack/cozystack/issues/2310
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
## Summary
- Build custom multus-cni image with a patch that fixes sandbox cleanup
deadlock
- When CNI ADD never completes, DEL now returns success instead of
failing
- Prevents stale sandbox name reservations from permanently blocking pod
creation
## Problem
After a node disruption (e.g. DRBD/kube-ovn issues during upgrade),
containerd accumulates
stale sandbox name reservations. Cleanup fails because multus calls
delegate plugins for DEL
without cached state, and they reject the incomplete config. This blocks
all new pods on the
affected node indefinitely.
## Changes
- Add `images/multus-cni/` with Dockerfile and patch for custom image
build
- Add `image` target to multus Makefile
- Add multus to root Makefile build targets
- Update DaemonSet template to use the custom image
## Upstream
- PR: https://github.com/k8snetworkplumbingwg/multus-cni/pull/1498
- Tracking: https://github.com/cozystack/cozystack/issues/2310
## Test plan
- [x] Built and pushed image to ghcr.io/cozystack/cozystack/multus-cni
- [x] Deployed to cluster, verified fix in multus logs ("no cache
found... skip DEL")
- [x] Force-deleted stuck pods, all 24 pods started successfully within
70s
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added Multus CNI container image build process to the system.
* **Bug Fixes**
* Fixed delete operation behavior when cache is unavailable, improving
reliability of network cleanup operations.
* **Chores**
* Updated Multus CNI container image reference in deployment
configuration to latest version with build improvements.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
When CNI ADD never completes, multus DEL fails because delegate plugins
require runtime state that only exists after a successful ADD. This
creates a deadlock where containerd cannot release sandbox name
reservations, permanently blocking pod creation on the affected node.
Build a custom multus-cni image with a patch that returns success on
DEL when no cache file exists (ADD was never completed).
Upstream PR: https://github.com/k8snetworkplumbingwg/multus-cni/pull/1498
Tracking issue: https://github.com/cozystack/cozystack/issues/2310
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
## Summary
- Set `DrbdOptions/Net/verify-alg` to `crc32c` at the controller level
to prevent DRBD connection failures on kernels where `crct10dif` is
unavailable
- Fixes an issue where all DRBD resources become Diskless after
upgrading to Talos v1.12.6 (kernel 6.18.18)
## Why
LINSTOR's auto-verify algorithm selection picks `crct10dif` by default,
but this kernel crypto module is no longer available in newer kernels.
This causes DRBD peer connections to fail with `VERIFYAlgNotAvail:
failed to allocate crct10dif for verify`, resulting in lost quorum on
all nodes.
## Test plan
- [ ] Deploy to a cluster running Talos v1.12.6 (kernel 6.18.18)
- [ ] Verify DRBD resources connect and replicate normally
- [ ] Confirm `drbdsetup` uses `crc32c` as verify-alg
Closes#2302
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Configuration**
* Added network verification algorithm configuration option for DRBD
cluster setup.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Add explicit PostgreSQL 17.7 image to Harbor, SeaweedFS, and Keycloak
databases to ensure consistent version across all system components.
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
Add migration 37 to backfill spec.version=v17 for existing PostgreSQL
resources without a version set.
Hardcode PostgreSQL 17.7 image in monitoring databases (Grafana and Alerta)
to ensure compatibility with monitoring queries that expect PostgreSQL 17
features (pg_stat_checkpointer, updated pg_stat_bgwriter).
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
The crct10dif kernel crypto module is no longer available in Talos
v1.12.6 (kernel 6.18.18). DRBD auto-verify selects crct10dif by
default, causing peer connections to fail with VERIFYAlgNotAvail.
Setting verify-alg explicitly to crc32c at the controller level
ensures all resources use an available algorithm.
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
## What this PR does
This patch lets Cozystack admins specify initContainers that will run
`cp -r /themes/ /opt/keycloak/themes/` on startup, effectively providing
an interface for operators to inject custom themes into the keycloak
deployment to customize the UI.
### Release note
```release-note
[keycloak] Enable injection of user-provided themes for Keycloak via
initContainers.
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for custom Keycloak themes through configuration,
allowing users to customize the appearance of the authentication
interface.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
Renames the misleading `subnets` field to `networks` in VMInstance. The
old field
name implied the VM was creating subnets, when in reality it attaches
the VM to
existing VPC network attachments (NetworkAttachmentDefinitions). This
change:
- Adds a new `networks` field as the primary way to attach VMs to VPC
networks
- Keeps `subnets` as deprecated with backward-compatible fallback via
Helm `default`
- Fails with a clear error if both `networks` and `subnets` are set
simultaneously
- Adds an API-backed dropdown selector for `networks[].name` listing
available
NetworkAttachmentDefinitions in the namespace
- Hides the deprecated `subnets` field from the dashboard UI
### Release note
```release-note
[vm-instance] Rename `subnets` field to `networks` in VMInstance for clarity.
The old `subnets` field is deprecated but still supported for backward compatibility.
A dropdown selector for available networks has been added to the dashboard.
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added native networks field for VM attachments and a UI dropdown to
select network attachments; UI hides deprecated subnet fields for VM
instances.
* **Deprecations**
* subnets is deprecated; use networks moving forward (subnets retained
for backward compatibility).
* **Chores / Migration**
* Added a migration to copy existing subnets into networks and bumped
platform migration target version.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
Updates the `fix-duplicate-tcp-ports` patch to preserve existing TCP
ports when DrbdRscData is recreated during toggle-disk operations.
Without this fix, `removeLayerData()` frees TCP ports from the number
pool, and `ensureStackDataExists()` may allocate different ports. If the
satellite misses the update (e.g. due to controller restart), it keeps
the old ports while peers receive the new ones, causing DRBD connections
to fail with StandAlone state.
The fix adds `copyDrbdTcpPortsIfExists()` which saves existing TCP ports
into the `LayerPayload` before `removeLayerData()` deletes them.
Also adds `dh_strip_nondeterminism` override in Dockerfile to fix build
failures on some JAR files.
Upstream:
https://github.com/LINBIT/linstor-server/pull/476#issuecomment-4147527442
### Release note
\`\`\`release-note
[linstor] Fix TCP port mismatches after toggle-disk operations that
could cause DRBD resources to enter StandAlone state
\`\`\`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed an issue where DRBD TCP ports were not correctly preserved
during disk toggle operations, which could result in TCP port mismatches
between the controller and satellite nodes.
* Improved robustness of the build and packaging process by addressing
non-determinism handling for Java library dependencies.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Add securityContext to theme init containers matching the main
container security posture. Add input validation for theme entries:
required fields, DNS-1123 name sanitization, duplicate detection,
and container name length limit. Add imagePullSecrets support for
private registries and sizeLimit on the emptyDir volume.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
## What this PR does
Update kamaji from edge-26.2.4 to 26.3.5-edge and remove two patches
that have been accepted upstream:
- `increase-startup-probe-threshold.diff` → upstream #1086 added
configurable startupProbeFailureThreshold
- `disable-datastore-check.diff` → upstream #1087 refactored
DataStore initialization
The remaining `fix-kubelet-config-compat.diff` (PR #1084) is still
needed — the maintainer has not accepted the upstream fix for kubelet
config compatibility with K8s < 1.35.
Also updates Makefile to match the new upstream tag format
(`26.x.x-edge` instead of `edge-26.x.x`) introduced in upstream
PR #1094.
Note: `make image` needs to be run to rebuild the container image
and update `values.yaml` with the new tag/digest.
Changes:
- Makefile: update tag grep pattern for new format
- Dockerfile: bump VERSION to 26.3.5-edge
- Remove 2 upstreamed patches
- Update vendored charts from 26.3.5-edge
### Release note
```release-note
[kamaji] Update to 26.3.5-edge, drop 2 upstreamed patches
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Configurable probe tuning for Control Plane components (API Server,
Controller Manager, Scheduler)
* DataStore readiness visible in kubectl and status conditions tracking
* **Improvements**
* Stronger networkProfile validation (CIDR checks, DNS/IP consistency)
* DataStore driver is immutable after creation
* **Chores**
* Removed two validating webhooks
* Updated default packaged manager version used for builds
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Update fix-duplicate-tcp-ports patch to preserve existing TCP ports when
DrbdRscData is recreated during toggle-disk operations. Without this,
removeLayerData() frees ports and ensureStackDataExists() may allocate
different ones, causing port mismatches between controller and satellites
if the satellite misses the update.
Also add dh_strip_nondeterminism override in Dockerfile to fix build
failures on some JAR files.
Upstream: https://github.com/LINBIT/linstor-server/pull/476#issuecomment-4147527442
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
## What this PR does
Fixes swapped `job` labels in the `cozy-linstor` VictoriaMetrics
`VMPodScrape` templates.
Before this change:
- `linstor-satellite` metrics were relabeled as `job=linstor-controller`
- `linstor-controller` metrics were relabeled as `job=linstor-satellite`
This caused `linstorControllerOffline` alerts to fire for satellite
endpoints such as `:9942` while reporting that the controller was
unreachable.
After this change:
- `linstor-satellite` metrics keep `job=linstor-satellite`
- `linstor-controller` metrics keep `job=linstor-controller`
This restores consistent alerting and dashboard semantics for LINSTOR
monitoring.
### Release note
```release-note
[linstor] Fix swapped VictoriaMetrics `VMPodScrape` job labels in `cozy-linstor` so `linstorControllerOffline` alerts target the controller instead of satellite endpoints.
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Corrected Prometheus relabeling so Linstor controller and satellite
scrapes now receive the correct job labels.
* Ensures metrics are attributed to the proper components, improving
accuracy of monitoring and alerting.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
This fixes two issues in the LINSTOR alerts shipped by
`cozy-piraeus-operator`:
- `linstorSatelliteErrorRate` uses a non-existent `name` label in
annotations, which results in `Satellite ""` in notifications.
- `linstorSatelliteErrorRate` can produce false positives when the
`linstor-controller` scrape flaps and historical
`linstor_error_reports_count` counters reappear inside the alert window.
## Test plan
- Verified the rendered rule updates `{{ $labels.name }}` to `{{
$labels.hostname }}` for LINSTOR satellite alerts.
- Verified the `linstorSatelliteErrorRate` expression now requires
stable `up{job="linstor-controller"}` for the full 15 minute window.
- Applied the same logic in a live cluster and confirmed the
false-positive `linstorSatelliteErrorRate` alerts stopped firing once
controller scrape recovered.
## Release note
```release-note
Fix LINSTOR satellite alert annotations and reduce false positives when controller scraping flaps.
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Improvements**
* Controller alert now evaluates deployment availability and waits 3
minutes before firing to reduce transient noise.
* Satellite error alerts include an additional check requiring the
controller to have been continuously up recently to avoid spurious
triggers.
* Notifications and dashboards now include hostnames for clearer
identification.
* **New Features**
* Added a dedicated warning for controller metrics scrape failures with
a 10-minute delay.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
Fixes a crash on the Tenant details page when `resourceQuotas` are
configured. The dashboard renders a ResourceQuota table with a "Used"
column that references `$.status.used[_flatMapData_Key]`. When the
flatMap placeholder is not resolved during initial render, the raw
placeholder is passed to the JSONPath parser, causing:
```text
Parse error on line 1: $.status.used[_flatMapData_Key]
Expecting 'STAR', 'SCRIPT_EXPRESSION', 'INTEGER', ... got 'IDENTIFIER'
```
The original `flatmap-dynamic-key.diff` patch that handled this was
removed during the 1.4.0 dashboard upgrade, assuming upstream included
the fix. Upstream adopted the code reordering (flatMap expansion before
customFields resolution) but not the fallback protection for unresolved
placeholders.
Adds a patch to `openapi-k8s-toolkit` that checks for unresolved
`_flatMap*_Key` placeholders after regex substitution and returns `null`
instead of calling `jp.query()` with an invalid expression.
### Release note
```release-note
[dashboard] Fix crash on Tenant details page when resourceQuotas are configured
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Tables now gracefully handle unresolved placeholder fields by treating
them as empty/null instead of attempting lookup, preventing display
errors and preserving previously correct rendering of resolved fields.
* Reduces unexpected array-wrapping in single-value cells so values
display consistently.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
Adds `discovery.k8s.io/endpointslices` read permissions (get, list,
watch) to `cozy:tenant:base` and `cozy:tenant:view:base` ClusterRoles.
Dashboard requests EndpointSlices to display the "Pod serving" section
on the Service details page. Without this permission, tenant users see a
403 error.
### Release note
```release-note
[system] Fix 403 error on Service details page by granting tenants read access to EndpointSlices
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Enhanced system permission configurations to improve platform
reliability and ensure proper access controls for core services.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
Adds `get`/`list`/`watch` permissions for
`storage.k8s.io/storageclasses` to the `cozystack-dashboard-readonly`
ClusterRole.
The dashboard UI fetches StorageClasses to populate dropdowns (e.g. in
the Postgres form), but authenticated users lacked permissions on this
resource, causing "Error" to be displayed instead of the StorageClass
name.
### Release note
```release-note
[dashboard] Fix StorageClass dropdown showing "Error" by adding storageclasses read access to the dashboard readonly ClusterRole
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Enhanced dashboard read-only permissions to include access to storage
classes, improving visibility into cluster storage resources and
configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
Switch kilo from the cozystack/kilo fork to the upstream squat/kilo
repository (v0.7.0).
All functional patches from the fork have been upstreamed:
- `--internal-cidr` flag for IP auto-detection filtering (#403)
- Allowed-location-ips overlap with node IPs fix (#404)
- Auto-detect WireGuard MTU from underlay interface (#406)
- Preferred source for WireGuard routes (#408)
- Cilium IPIP overlay support (#409)
The fork only retained rebranding and CI-specific commits beyond
upstream, which are no longer needed.
Changes:
- Makefile: point to `squat/kilo` repo and `ghcr.io/squat/kilo` image
- values.yaml: updated via `make update` to `0.7.0` with digest pin
### Release note
```release-note
[kilo] Switch from cozystack/kilo fork to upstream squat/kilo v0.7.0
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Updates**
* Updated the kilo component to use a different source repository and
new version configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The cozy:tenant:admin:base ClusterRole was missing several application
resources from apps.cozystack.io, preventing tenant admins from creating
them (the "Add" button was inactive in the dashboard).
Add the following resources: foundationdbs, harbors, mongodbs, openbaos,
opensearches, qdrants, vpns.
Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
The dashboard UI fetches StorageClasses via the Kubernetes API to populate
dropdowns (e.g. in the Postgres form), but the cozystack-dashboard-readonly
ClusterRole did not include storage.k8s.io/storageclasses. This caused
authenticated users to see "Error" instead of the StorageClass name.
Add get/list/watch permissions for storageclasses to the dashboard readonly
role, consistent with the existing backupclasses entry.
Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
## What this PR does
Update COSI controller/sidecar from commit `c2f6e65` to upstream
release `v0.2.2` and remove two patches that have been merged:
- `89-reconciliation.diff` — fix reconciliation logic for existing
and deleted objects (upstream PR #89)
- `90-bucket-name.diff` — prefix bucket names with `bucket-` using
UID only (upstream PR #90)
Both were contributed by kvaps and included in the v0.2.2 release
(2025-12-08).
Also removes `git` from Dockerfile dependencies as it was only
needed for applying patches.
Note: `make image` needs to be run to rebuild the container image
and update `values.yaml` with the new tag/digest.
### Release note
```release-note
[objectstorage-controller] Update to v0.2.2, drop upstreamed patches
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Updated object storage controller build configuration to streamline
upstream component retrieval and image build process.
* Modified resource deletion handling so deletion flows are centralized
and consistently enforced across create/update events.
* Changed bucket naming scheme—buckets will no longer include the bucket
class name in their identifier and follow the simplified naming pattern.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
Extends the `monitoring` system chart with additional optional
configuration for the Alerta Slack plugin, a VMAgent environment label,
and adds a Grafana plugin to the custom image build.
### Alerta — Slack plugin (`alerta.alerts.slack`)
| Value | Env var | Description |
|---|---|---|
| `dashboardUrl` | `DASHBOARD_URL` | Links Slack alert messages back to
the Alerta console |
| `summaryFmt` | `SLACK_SUMMARY_FMT` | Jinja2 template string for
customizing Slack message format |
All new fields are optional and default to empty, preserving existing
behavior when unset.
### VMAgent — external labels (`vmagent.externalLabels`)
- Added optional `environment` label that gets attached to all scraped
metrics (e.g. `Staging`, `Production`)
- When left empty, no label is added and Alerta falls back to its
built-in default of `"Production"`
### Grafana — custom image
- Added
[`marcusolsson-dynamictext-panel`](https://grafana.com/grafana/plugins/marcusolsson-dynamictext-panel/)
plugin to the Grafana image build
Added marcusolsson-dynamictext-panel plugin to the Grafana image build
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
[monitoring] Add optional Slack DASHBOARD_URL and SLACK_SUMMARY_FMT configuration for Alerta, optional vmagent environment external label, and marcusolsson-dynamictext-panel Grafana plugin
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added an additional Grafana visualization panel to expand dashboard
options.
* Extended Slack alerting with optional dashboard URL and customizable
summary format.
* Added an optional environment label for external metric ingestion to
improve context and filtering.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The hunk header claimed 8/13 lines but only 6/11 were present,
causing "corrupt patch at line 18" during git apply in the
openapi-ui image build.
Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
Replace commit hash with v0.2.2 tag for better readability.
GitHub archive URLs work with tags identically.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
Use -F/ with $NF (last field) instead of -F'[/^]' with $3.
The ^{} separator is unnecessary since the grep pattern already
filters out annotated tag dereferences.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
Update COSI controller/sidecar from commit c2f6e65 to v0.2.2
(f75d475) and remove two patches that have been merged upstream:
- 89-reconciliation.diff: fix reconciliation logic for existing
and deleted objects (PR #89)
- 90-bucket-name.diff: prefix bucket names with bucket- using
UID only (PR #90)
Both patches were contributed by kvaps and included in the
upstream v0.2.2 release (2025-12-08).
Also remove git from Dockerfile dependencies as it was only
needed for applying patches.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
Update kamaji from edge-26.2.4 to 26.3.5-edge and remove patches
that have been accepted upstream:
- increase-startup-probe-threshold.diff: upstream PR #1086 added
configurable startupProbeFailureThreshold field
- disable-datastore-check.diff: upstream PR #1087 refactored
DataStore initialization, removing the blocking startup check
The remaining fix-kubelet-config-compat.diff patch (PR #1084) is
still needed as the maintainer has not accepted the upstream fix
for kubelet config compatibility with K8s < 1.35.
Also update Makefile to match the new upstream tag format
(26.x.x-edge instead of edge-26.x.x) introduced in PR #1094.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
All functional patches from the cozystack/kilo fork have been
upstreamed and included in squat/kilo v0.7.0:
- --internal-cidr flag (PR #403)
- allowed-location-ips overlap fix (PR #404)
- Auto-detect WireGuard MTU (PR #406)
- Preferred source for WireGuard routes (PR #408)
- Cilium IPIP overlay support (PR #409)
The fork only contained rebranding and CI-specific commits beyond
upstream, which are no longer needed.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
Dashboard requests EndpointSlices from discovery.k8s.io API group
to display "Pod serving" section on Service details page. Without
this permission, tenant users see a 403 error.
Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
## Summary
- Add bilateral VPC peering using Kube-OVN's native `vpcPeerings`
mechanism
- Auto-allocate link-local peering IPs (`169.254.0.0/16`)
deterministically from sorted VPC pair hash
- Add static routes support (`staticRoutes`) for fine-grained inter-VPC
routing
- Enrich ConfigMap with peer discovery info
- Add JSON Schema validation with `^tenant-` namespace pattern
enforcement
Closes#2151
## How it works
Each tenant independently declares peers in their VPC spec. The template
computes the remote VPC's internal ID using the same deterministic hash
formula, and derives complementary peering IPs from a sorted pair key.
Kube-OVN only activates the peering tunnel when **both sides** declare
each other — no custom controller needed.
Example (Tenant A):
```yaml
spec:
subnets:
- name: web
cidr: "172.16.0.0/24"
peers:
- vpcName: "backend-vpc"
tenantNamespace: "tenant-beta"
```
## Test plan
- [ ] `helm template` without peers → no `vpcPeerings` in output
(backward compatible)
- [ ] `helm template` with peers → correct `vpcPeerings` with
auto-allocated IPs
- [ ] Reciprocal peering: both sides reference each other with
complementary IPs in same /30
- [ ] Schema rejects `tenantNamespace` not matching `^tenant-`
- [ ] Deploy two VPCs with reciprocal peering on a live cluster →
Kube-OVN activates tunnel
- [ ] Remove one side → peering deactivated
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* VPC Peering: declare peer VPCs (tenant + name) to enable conditional
peering and automatic per-peer connection entries.
* Per-peer metadata: subnet/config outputs include peer-specific
connection details (remote VPC ID and local connect IP).
* Static Routes: optionally add custom CIDR routes with next-hop IPs for
a VPC.
* Values/schema: configuration and schema now accept peers and routes
arrays.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Use [^\]]+ (same as existing code in utils.ts) instead of [^[\]]+ for
consistency.
Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
When viewing Tenant details with resourceQuotas, the "Used" column
references $.status.used[_flatMapData_Key]. If the flatMap placeholder
is not resolved (key missing from expanded row), the raw placeholder
is passed to the JSONPath parser which crashes with a parse error.
The original flatmap-dynamic-key.diff patch that handled this was
removed during the 1.4.0 upgrade, assuming upstream included the fix.
Upstream adopted the reordering (flatMap before customFields) but not
the fallback protection.
Add a patch that checks for unresolved _flatMap*_Key placeholders
after regex substitution and returns null instead of calling jp.query()
with an invalid expression.
Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
## What this PR does
Update the Cozystack scheduler to its latest version, supporting
automatic placement of label selectors for affinity and topology spread
constraints.
### Release note
```release-note
[cozystack-scheduler] Update Cozystack scheduler to v0.2.0 with support
for reusable affinity terms.
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for configurable default label selector keys to
customize scheduler behavior.
* **Chores**
* Updated scheduler component to version 0.2.0 with refreshed container
image.
* Enhanced Kubernetes permissions for scheduling class access.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This patch lets Cozystack admins specify initContainers that will run
`cp -r /themes/ /opt/keycloak/themes/` on startup, effectively providing
an interface for operators to inject custom themes into the keycloak
deployment to customize the UI.
```release-note
[keycloak] Enable injection of user-provided themes for Keycloak via
initContainers.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>