Commit graph

2791 commits

Author SHA1 Message Date
Kirill Ilin
9e166300a7
fix(e2e): update VMCluster status field after operator upgrade
The victoria-metrics-operator v0.68.1 renamed VMCluster status field
from .status.clusterStatus to .status.updateStatus.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-11 09:30:41 +05:00
Kirill Ilin
b772475ad5
fix(e2e): update VLogs to VLCluster resource in tenant monitoring test
After migrating VictoriaLogs from VLogs to VLCluster, the e2e test
still waited for the old vlogs/generic resource which no longer exists.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-10 22:06:50 +05:00
Kirill Ilin
62d36ec4ee
feat(monitoring): migrate VictoriaLogs from VLogs to VLCluster
Replace deprecated single-node VLogs CR with VLCluster (cluster mode)
for reliability and horizontal scalability.

Changes:
- Replace VLogs (v1beta1) with VLCluster (v1) using vlinsert/vlselect/vlstorage
- Update fluent-bit outputs to vlinsert-generic:9481
- Update Grafana datasource to vlselect:9471
- Update ExternalName service from vlogs-generic to vlinsert-generic
- Add VPA for all VLCluster components
- Update WorkloadMonitors for three-component architecture
- Add migration 35 to preserve old VLogs resources with keep annotation

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-10 12:04:12 +05:00
Kirill Ilin
a3825314e6
feat(monitoring): upgrade victoria-metrics-operator to v0.68.1
Upgrade from v0.55.0 to v0.68.1 to add VLCluster CRD support,
which is required for migrating VictoriaLogs from single-node
to cluster mode.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-10 12:03:51 +05:00
Timofei Larkin
adacd44a29
docs: add changelog for v1.1.0 (#2164)
This PR adds the changelog for release `v1.1.0`.

 Changelog has been automatically generated in
`docs/changelogs/v1.1.0.md`.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Published v1.1.0 changelog documenting major features: managed secrets
service, tiered storage pools, per-user bucket credentials with S3 UI
updates, RabbitMQ version selection, and monitoring dashboards
  * Included breaking changes and upgrade notes for v1.1.0

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-06 17:27:30 +04:00
IvanHunters
3736dd4285
Release v1.1.0 (#2163)
This PR prepares the release `v1.1.0`.
2026-03-06 16:21:32 +03:00
cozystack-bot
20d1343bd6 docs: add changelog for v1.1.0
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-03-06 12:13:09 +00:00
cozystack-bot
3c971d0e1b Prepare release v1.1.0
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-03-06 12:03:56 +00:00
IvanHunters
8166df23de
[system] Add MongoDB Grafana dashboards (#2158)
## What this PR does

Adds two Grafana dashboards for MongoDB monitoring, adapted to cozystack
conventions:

- **MongoDB Overview** — command operations, connections, cursors,
document operations, queued operations, query efficiency, scanned
objects, write time/operations, asserts, page faults
- **MongoDB InMemory Details** — WiredTiger cache size/capacity, dirty
pages, transactions, sessions, pages, concurrency tickets, cache
eviction, document changes, scanned objects, page faults

Key adaptations from the original PMM dashboards:
- Replaced hardcoded datasource UIDs with `${ds_prometheus}` variable
- Replaced PMM-specific variables with standard `job`-based service
filtering
- Removed Node Summary section (covered by existing node dashboards)
- Registered both dashboards in `dashboards.list` for automatic
GrafanaDashboard CRD generation

### Release note

```release-note
[system] Add MongoDB Overview and MongoDB InMemory Details Grafana dashboards to the monitoring stack
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added MongoDB InMemory dashboard providing detailed visibility into
in-memory metrics, cache performance, and data management.
* Added MongoDB Overview dashboard for monitoring operations,
connections, cursors, document activity, and query efficiency.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-06 14:53:40 +03:00
Timofei Larkin
c30a3cff13
docs: add changelog for v1.0.3 (#2160)
This PR adds the changelog for release `v1.0.3`.

 Changelog has been automatically generated in
`docs/changelogs/v1.0.3.md`.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Fixed migration script to correctly apply configuration prefixes
during v0.41 to v1.0 upgrade.

* **Documentation**
* Added white labeling guide covering branding customization and SVG
handling.
* Updated backup and recovery documentation with improved operator and
tenant workflow guidance and administration resources.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-06 15:45:12 +04:00
Andrei Kvapil
d8c96ecf50
[apps][system] Add -lock BucketClass, -readonly BucketAccessClass, and bucket user model (#2119)
## What this PR does

Combines and unifies COSI enhancements across seaweedfs and bucket
charts:

**SeaweedFS (extra + system charts):**
- Rename storage pool BucketClass suffix from `-worm` to `-lock`
- Rename parameter `disk` to `diskType` for consistency with COSI driver
- Reduce default object lock retention from 36500 to 365 days
- Add `-lock` BucketClass (COMPLIANCE mode, 365 days) for client and
system topologies
- Add `-readonly` BucketAccessClass with explicit `accessPolicy` for all
topologies
- Add explicit `accessPolicy: readwrite` on default BucketAccessClass
- Update pool name validation to reject `-lock` suffix (was `-worm`)

**Bucket app:**
- Add `locking` parameter: provisions from `-lock` BucketClass
- Add `storagePool` parameter: selects pool-specific BucketClass
- Replace hardcoded BucketAccess with `users` map — each entry creates a
BucketAccess with optional `readonly` flag
- Update dashboard RBAC to dynamically list user credential secrets
- Update ApplicationDefinition schema with new properties

**Breaking change:** empty `users: {}` (default) produces zero
BucketAccess resources. Existing buckets that relied on the implicit
default BucketAccess will need to define users explicitly.

### Release note

```release-note
[apps] Add locking, storagePool, and users configuration to bucket app; rename COSI BucketClass suffix from -worm to -lock
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Bucket locking with a shorter retention option, storage-pool
selectable bucket classes, and per-user access (per-user BucketAccess
and readonly controls)
* S3 Manager login mode: user login/logout, per-session credentials, and
new login UI

* **Behavior Changes**
* Credential handling changed to per-user secrets/label selection;
previously generated secrets removed; Ingress basic auth annotations
removed

* **Documentation**
* Added parameters: locking, storagePool, users (including per-user
readonly)

* **Updates**
  * Updated COSI driver and S3 manager images
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-06 09:17:53 +01:00
Andrei Kvapil
2731972129
fix(kubernetes): set explicit MTU for Cilium in tenant clusters (#2147)
## Summary

- Set explicit MTU 1350 for Cilium in KubeVirt-based tenant Kubernetes
clusters to prevent packet drops caused by VXLAN encapsulation overhead

## Problem

Cilium's MTU auto-detection does not account for VXLAN overhead when
running inside KubeVirt VMs. The VM network interface inherits MTU 1400
from the parent cluster's OVN/Geneve overlay (1500 - 100 Geneve
overhead). Cilium detects this MTU and applies it to all tunnel
interfaces without subtracting the 50-byte VXLAN encapsulation overhead.

This results in:
- Large packets (> 1350 bytes) being silently dropped when crossing
VXLAN tunnels between nodes
- Intermittent connectivity issues for services in tenant clusters (TLS
handshakes, HTTP responses with data)
- HTTP 499 errors and timeouts observed under load

## Fix

Explicitly set `MTU: 1350` (1400 - 50 VXLAN overhead) in the default
Cilium values for tenant clusters. This value can still be overridden
via `addons.cilium.valuesOverride` if needed.

## Test plan

- [ ] Deploy a tenant Kubernetes cluster and verify Cilium interfaces
use MTU 1350
- [ ] Verify large packet connectivity from pods inside the tenant
cluster
2026-03-06 09:10:37 +01:00
cozystack-bot
133a071d6b docs: add changelog for v1.0.3
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-03-06 01:42:51 +00:00
IvanHunters
c838358c26 feat(monitoring): register MongoDB dashboards in dashboards.list
Add mongodb/mongodb-overview and mongodb/mongodb-inmemory entries
to the monitoring dashboards list so GrafanaDashboard CRDs are
generated and dashboards are served by the grafana-dashboards
HTTP service.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-05 22:48:05 +03:00
IvanHunters
6408988115 feat(monitoring): add MongoDB Grafana dashboards
Add two MongoDB dashboards adapted for cozystack monitoring:
- mongodb-overview: command operations, connections, cursors,
  document operations, queued operations, query efficiency,
  scanned objects, write time, asserts, page faults
- mongodb-inmemory: WiredTiger InMemory cache details including
  data size, capacity, transactions, sessions, pages, concurrency
  tickets, cache eviction, document changes

Dashboards use ds_prometheus variable for datasource selection and
job-based service filtering compatible with Percona MongoDB exporter
metrics.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-05 22:47:53 +03:00
IvanHunters
e1b169d6a7 fix(test): replace bats-specific run command with shell negation
cozytest.sh executes .bats files as plain shell functions where bats
builtins like `run` are not available. Use `!` negation to assert that
readonly user upload fails.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-05 08:45:57 +03:00
IvanHunters
4e8733091d fix(test): add --insecure flag to all mc commands in bucket E2E test
The mc client requires --insecure on each command when connecting to
SeaweedFS S3 with self-signed certificates via port-forward.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-04 22:37:37 +03:00
IvanHunters
15ed534c25 test(bucket): update E2E test for user model and readonly access
Update bucket E2E test to match the new per-user access model:
- Create bucket with admin (readwrite) and viewer (readonly) users
- Test that readwrite user can upload, list, and download objects
- Test that readonly user can list and download but cannot upload
- Use per-user BucketAccess and credential secret names

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-04 21:13:46 +03:00
IvanHunters
72a91c7780 fix(seaweedfs): update COSI driver to v0.3.0
v0.1.2 ignores accessPolicy parameter from BucketAccessClass,
granting readwrite access to all users regardless of the
readonly flag. v0.3.0 includes support for readonly bucket
access, Object Lock, and improved error handling.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-04 20:15:03 +03:00
IvanHunters
fdb015458c build(bucket): rebuild s3manager image with login mode
Rebuild s3manager with auth.go login page support and push
to 999669/s3manager registry for testing.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-04 19:01:27 +03:00
IvanHunters
84da47a2ce refactor(bucket): replace basic auth with s3manager login page
Remove nginx basic auth and credential secret injection from the
bucket Helm chart. s3manager now always starts in login mode and
handles authentication via its own login page with encrypted
session cookies. This eliminates the dependency on the -credentials
and -ui-auth secrets for the UI layer.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-04 18:47:51 +03:00
IvanHunters
175b3badd2 feat(bucket): make credentials and basic auth conditional on users
deployment.yaml: use s3._namespace.host for ENDPOINT instead of
secret ref, inject ACCESS_KEY_ID/SECRET_ACCESS_KEY only when users
exist. Without users, s3manager starts in login mode.

ingress.yaml: nginx basic auth annotations only when users exist.
Without users, s3manager handles authentication via its login form.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-04 18:30:49 +03:00
IvanHunters
f777f659d5 feat(bucket): add login screen to s3manager for credentialless mode
When a bucket has no users configured, s3manager previously crashed
due to missing ACCESS_KEY_ID/SECRET_ACCESS_KEY env vars. This adds
a login mode where users enter their S3 credentials via a web form.

New Go code (via cozystack.patch):
- auth.go: session-based auth middleware, login/logout handlers,
  per-request S3 client from encrypted cookie session
- login.html.tmpl: Materialize CSS login form
- main.go: LoginMode toggle, conditional route setup
- Dependency: gorilla/sessions for AES-256 encrypted cookies

Dockerfile: add go mod tidy step for new dependency resolution.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-04 18:30:40 +03:00
IvanHunters
69e0320e3a fix(bucket): remove duplicate credentials from dashboard
Show only per-user credential secrets in the dashboard instead of
both the internal UI secret and per-user secrets.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-04 17:02:36 +03:00
Andrei Kvapil
f5b29e1182
Fixed packages name conversion in migration script (#2144)
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
Fixed migrate-to-version-1.0.sh script to properly convert packages names.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated migration tooling to improve package configuration handling
during version upgrades.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-04 00:22:42 +01:00
IvanHunters
9e6c240d6e fix(bucket): use per-user COSI secret for UI credentials
The default BucketAccess was removed in favor of per-user access.
Update secret.yaml to look up the first user's COSI secret instead
of the non-existent default one, with nil-check for race conditions.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-04 00:34:33 +03:00
IvanHunters
79b2546e67 fix(kubernetes): set explicit MTU for Cilium in tenant clusters
Cilium's MTU auto-detection does not account for VXLAN overhead when
running inside KubeVirt VMs. The VM interface inherits MTU 1400 from
the parent OVN/Geneve overlay, and Cilium sets all interfaces
(cilium_vxlan, lxc*, cilium_host/net) to 1400 without subtracting
the 50-byte VXLAN encapsulation overhead.

This causes intermittent packet drops for large packets (TLS
handshakes, HTTP responses with data), resulting in timeouts and
499 errors for services running in tenant clusters.

Set MTU to 1350 (1400 - 50 VXLAN overhead) explicitly in the default
Cilium values for tenant Kubernetes clusters.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-03 21:35:39 +03:00
IvanHunters
1d41e270b9 fix(bucket): regenerate schema and docs from values.yaml annotations
Remove the yq strip of properties from Makefile that was clearing
the schema, and run make generate to sync all generated files.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-03 19:32:32 +03:00
IvanHunters
b4f1e96b98 feat(bucket): include COSI user credential secrets in dashboard
Create labeled secrets in the -system chart using lookup to copy
credentials from COSI-created secrets. The ApplicationDefinition
matchLabels selector exposes them in the dashboard.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-03 19:32:32 +03:00
IvanHunters
757f8b5699 Revert "fix(bucket): include COSI user credential secrets in dashboard"
This reverts commit 87b89d90e61283b60abe49cd004d49ce94e57cf5.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-03 19:32:32 +03:00
IvanHunters
70c6dfd704 fix(bucket): include COSI user credential secrets in dashboard
Add a catch-all include selector so that COSI-created user credential
secrets (dynamically named per user) are visible in the dashboard.

The lineage webhook already verifies ownership via the graph walk
(Secret -> BucketAccess -> HelmRelease -> Bucket), so an empty selector
safely matches only secrets belonging to this application.

This is needed because COSI sidecar creates secrets without custom
labels, making the matchLabels pattern (used by rabbitmq) inapplicable.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-03 19:32:32 +03:00
IvanHunters
d4043bd71c fix(seaweedfs): use correct COSI driver parameter name 'disk'
The seaweedfs-cosi-driver v0.3.0 expects the parameter key 'disk',
not 'diskType'. Restore the correct key to match the driver's
paramDisk constant.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-03 19:32:32 +03:00
IvanHunters
2dbc27075a feat(bucket): add locking, storagePool, and users configuration
Replace hardcoded BucketAccess with user-driven model:
- locking: provisions from -lock BucketClass (object lock enabled)
- storagePool: selects pool-specific BucketClass
- users: map of named users, each creating a BucketAccess with
  optional readonly flag

Empty users map produces zero BucketAccess resources (breaking change).
Update ApplicationDefinition schema and dashboard RBAC accordingly.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-03 19:32:32 +03:00
IvanHunters
96e27cbcab feat(seaweedfs): add -lock BucketClass and -readonly BucketAccessClass
Add COSI resources for object locking and read-only access to both
client topology and system chart:
- BucketClass with -lock suffix (COMPLIANCE mode, 365 days retention)
- BucketAccessClass with -readonly suffix
- Explicit accessPolicy: readwrite on default BucketAccessClass

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-03 19:32:32 +03:00
IvanHunters
e822768fcf feat(seaweedfs): rename -worm to -lock BucketClass and update pool COSI parameters
Rename storage pool COSI resources to use consistent naming:
- BucketClass suffix: -worm -> -lock
- Parameter name: disk -> diskType
- Retention days: 36500 -> 365
- Validation suffix check updated accordingly

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
2026-03-03 19:32:31 +03:00
Andrey Kolkov
1429b94f5d
fix(backups): rbac actualized (#2145)
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
- fixed rbac for backup controllers 
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated backup controller permissions to focus on core backup
operations.
* Expanded backup strategy controller permissions to support enhanced
backup and restore capabilities, including Velero integration and status
management.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-03 19:36:06 +04:00
Andrey Kolkov
9ac8b2d291 fix(backups): rbac actualized
Signed-off-by: Andrey Kolkov <androndo@gmail.com>
2026-03-03 18:23:40 +04:00
Myasnikov Daniil
780af33ee1
Fixed packages name conversion in migration script
Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
2026-03-03 19:10:39 +05:00
Andrei Kvapil
772fb4363a
docs: add changelog for v1.0.2 (#2141)
This PR adds the changelog for release `v1.0.2`.

 Changelog has been automatically generated in
`docs/changelogs/v1.0.2.md`.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
  * Published v1.0.2 release notes.

* **Bug Fixes**
  * Fixed migration script to ensure all upgrade steps execute.
* Improved dashboard functionality for field clearing and secret
copying.
  * Restored sidebar navigation on namespace-level pages.
  * Updated proxy configurations for enhanced TLS handling.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-02 21:50:58 +01:00
Kirill Ilin
cb919f4c85
[dashboard] Add storageClass dropdown for stateful apps (#2131)
## What this PR does

Replaces the plain text input for `storageClass` fields with an
API-backed dropdown listing available StorageClasses from the cluster.
Follows the same pattern as the `instanceType` dropdown for VMInstance.

Affected applications:
- **Top-level `spec.storageClass`**: ClickHouse, Harbor, HTTPCache,
  Kubernetes, MariaDB, MongoDB, NATS, OpenBAO, Postgres, Qdrant,
  RabbitMQ, Redis, VMDisk
- **Nested `spec.storage.storageClass`**: FoundationDB
- **Nested `spec.kafka.storageClass` / `spec.zookeeper.storageClass`**:
Kafka

### Release note

```release-note
[dashboard] storageClass fields in stateful app forms now render as a
dropdown populated with available StorageClasses from the cluster,
instead of a free-text input.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **New Features**
* Storage class selection dropdowns now available in configuration forms
for multiple database, messaging, and storage services.

* **Tests**
* Added comprehensive test coverage for storage class configuration
handling.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-02 23:55:12 +05:00
cozystack-bot
aed46a8819 docs: add changelog for v1.0.2
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-03-02 18:45:19 +00:00
Andrei Kvapil
35e3eddeff
[dashboard] fix: restore stock-instance sidebars for namespace-level pages (#2136)
## What this PR does

Restores `stock-instance-api-form`, `stock-instance-api-table`,
`stock-instance-builtin-form`, and `stock-instance-builtin-table`
sidebar
resources that were removed in #2106, and adds them back to the orphan
cleanup allowlist.

PR #2106 removed these sidebars to fix broken URLs on the main page
before
namespace selection (`default//api-table/...`). However,
`stock-instance-*`
sidebars are required by the frontend for namespace-level
api-table/api-form
pages. Without them and with `CUSTOMIZATION_SIDEBAR_FALLBACK_ID=""`, the
frontend cannot find a sidebar for pages like Backup Plans and renders
an
empty page where no interaction is possible.

The broken-URL bug is already fully fixed by
`CUSTOMIZATION_SIDEBAR_FALLBACK_ID=""`
in `web.yaml`. Re-adding `stock-instance-*` does not reintroduce it,
since
these sidebars are only shown when the user is on a namespace-level page
where the `{namespace}` placeholder is filled.

### Release note

```release-note
[dashboard] fix empty page on Backup Plans and other namespace-level api-table pages
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added four new dashboard sidebar resources for stock instances: API
form, API table, built-in form, and built-in table views. These enable
expanded dashboard customization options for managing stock instance
configurations and data.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-02 19:28:18 +01:00
Andrei Kvapil
8d566a27ed
[dashboard] fix: allow clearing instanceType and preserve secret copy newlines (#2135)
## What this PR does

Updates the openapi-k8s-toolkit integration in the dashboard to fix two
UX issues:

**1. Allow clearing the instanceType field in VMInstance form**

When `instanceType` has a default value, clearing the field in the form
UI would
silently revert to the default, making it impossible to explicitly send
an empty
value. This blocked use of custom KubeVirt resources without a named
instance type.

Adds `allowEmpty: true` to the instanceType listInput field so the BFF
preserves
an explicit empty value. Also introduces a generic `persistType` prop
(`'str' | 'number' | 'arr' | 'obj'`) to the listInput component, so the
allow-empty behaviour works correctly for any field type, not just
strings.

Updates openapi-k8s-toolkit to release/1.4.0 (d6b9e4ad), which already
includes
the FormListInput layout refactor — the previous
formlistinput-value-binding.diff
patch is no longer needed.

Upstream PR:
https://github.com/PRO-Robotech/openapi-k8s-toolkit/pull/340

**2. Preserve newlines when copying secrets with CMD+C**

Native `input[type=text]` strips newlines on copy. Adds an `onCopy`
handler to
the SecretBase64Plain component that intercepts the copy event and
writes the full
decoded value (including newlines) to the clipboard.

Upstream PR:
https://github.com/PRO-Robotech/openapi-k8s-toolkit/pull/339

### Release note

```release-note
[dashboard] Fix clearing instanceType in VMInstance form: explicit empty value
is now correctly sent to the API instead of falling back to the schema default.
Fix CMD+C copying of secrets stripping newlines.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
  * Dropdown fields now support configuration to allow empty selections
* Enhanced empty value handling for form fields across multiple data
types (string, number, array, object)

* **Bug Fixes**
* Fixed secret field copy functionality to preserve plain-text format
when visible

* **Chores**
  * Updated base image dependencies for dashboard build

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-02 19:27:35 +01:00
Kirill Ilin
45b61f812d
fix(dashboard): restore stock-instance sidebars for namespace-level pages
PR #2106 removed stock-instance-* sidebar resources to fix broken URLs
on the main page before namespace selection. However, these sidebars are
required for rendering namespace-level pages (api-table, api-form, etc.)
such as the Backup Plans page.

Without stock-instance-api-table, the frontend cannot find the sidebar
for namespace-scoped api-table pages and renders an empty page instead.

The original bug (broken URLs with empty namespace placeholder) is already
fixed by CUSTOMIZATION_SIDEBAR_FALLBACK_ID="" in web.yaml, so re-adding
stock-instance-* sidebars does not reintroduce it.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-02 23:13:48 +05:00
Kirill Ilin
99ee0e34bf
fix(dashboard): preserve newlines when copying secrets with CMD+C
Add onCopy handler to SecretBase64Plain inputs to intercept native browser
copy events and explicitly write the full decoded text (including newlines)
to the clipboard. Without this, input[type=text] strips newlines on copy.

Upstream PR: https://github.com/PRO-Robotech/openapi-k8s-toolkit/pull/339

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-02 22:36:01 +05:00
Andrei Kvapil
0a461958ca
[system] Fix Keycloak proxy configuration for v26.x (#2125)
## What this PR does

Replace deprecated `KC_PROXY=edge` with `KC_PROXY_HEADERS=xforwarded`
and `KC_HTTP_ENABLED=true` in the Keycloak StatefulSet template.

`KC_PROXY` was removed in Keycloak 26.x, causing "Non-secure context
detected" warnings and broken cookie handling when running behind a
reverse proxy with TLS termination.

### Release note

```release-note
[system] Fix Keycloak proxy headers configuration for compatibility with Keycloak 26.x
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **Chores**
* Updated system configuration to improve proxy header handling and
enable direct HTTP support for enhanced compatibility with reverse proxy
environments.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-02 18:29:35 +01:00
Kirill Ilin
6e8ce65e49
feat(dashboard): set allowEmpty on instanceType and update openapi-ui toolkit
Update openapi-k8s-toolkit commit to d6b9e4ad (release/1.4.0) which
includes the FormListInput layout refactor, making formlistinput-value-binding.diff
obsolete.

Set allowEmpty: true on the VMInstance instanceType field so users can
explicitly clear the selection and override the default instance type.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-02 22:19:54 +05:00
Kirill Ilin
a3ccb4f87d
feat(dashboard): allow clearing instanceType field in VMInstance form
Update openapi-k8s-toolkit to release/1.4.0 (d6b9e4ad). The previous
value-binding layout refactor is already included upstream, so drop the
formlistinput-value-binding.diff patch.

Add formlistinput-allow-empty.diff patch which introduces two props to
the listInput component:
- allowEmpty: when set, auto-persists the field so BFF sends an empty
  value instead of falling back to the schema default
- persistType: controls the type of empty value ('str' | 'number' | 'arr'
  | 'obj'), allowing the feature to work correctly for any field type

Set allowEmpty: true on the VMInstance instanceType field so users can
explicitly clear the selection and override the default instance type.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-03-02 22:18:53 +05:00
Andrei Kvapil
20c91f25da
[platform] Fixed run-migrations script (#2126)
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[platform] Fixed off-by-one error where the first required migration was always skipped.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Corrected migration range handling so upgrade steps run for the
intended version window, preventing skipped or duplicated migrations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-02 17:53:41 +01:00
Andrei Kvapil
ee36c50d69
Disable private key rotation in CA certs (#2113)
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
Disabled private key rotation in every CA cert in cozystack system packages to prevent trustchain problems when CA cert reissued
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Disabled private-key rotation (set rotationPolicy: Never) for CA/root
certificates used by multiple system components (ingress-nginx, linstor,
linstor-scheduler, seaweedfs, victoria-metrics-operator,
kubeovn-webhook, lineage-controller-webhook, cozystack-api, etcd,
linstor API/internal, seaweedfs).
* Added patch application steps to relevant update workflows to ensure
the certificate template changes are applied during chart/update
operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-02 17:48:21 +01:00