Commit graph

2701 commits

Author SHA1 Message Date
Andrei Kvapil
ab26d71cc7
Release v1.0.0 (#2108)
This PR prepares the release `v1.0.0`.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated container image versions from pre-release candidate tags to
stable v1.0.0 releases across core, system, and extra packages.
* Updated all associated container image digests to reflect the stable
release builds.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-26 17:39:08 +01:00
cozystack-bot
66a61bd63e Prepare release v1.0.0
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-02-26 15:17:04 +00:00
Andrey Kolkov
f887e34206
fix(dashboard): hide sidebar on cluster-level pages when no tenant selected (#2106)
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does

In the current version, the sidebar incorrectly shows namespace-scoped
menu items on cluster-level pages (before a tenant is selected).
Clicking these items produces broken URLs with double `//` (e.g.
`default//api-table/backups.cozystack.io/...`) because the `{namespace}`
placeholder resolves to an empty string.

This PR fixes the issue by:
- Removing stock-instance-* sidebar resources that were populated with
the same namespace-scoped menu as stock-project-* sidebars
- Clearing the `CUSTOMIZATION_SIDEBAR_FALLBACK_ID` env var so the
frontend renders no sidebar when no matching sidebar resource exists
- Removing stock-instance-* from the expected resource set so orphan
cleanup removes stale instances on upgrade

Screenshot after changes
<img width="2560" height="1327" alt="dashboard screenshot with no tenant
selected"
src="https://github.com/user-attachments/assets/e0d795f7-55e9-471b-99b8-593b6fc145d8"
/>


### Test plan

- [x] On cluster list page (no tenant selected), sidebar is empty
- [x] After selecting a tenant, sidebar shows full menu
- [x] No double `//` in sidebar URLs
- [x] Existing tests pass: `go test ./internal/controller/dashboard/...`

### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[dashboard] fix: hide sidebar on cluster-level pages when no tenant selected
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Refactor**
* Streamlined sidebar resource management by reducing the number of
static sidebar configurations generated by the system.
* Removed sidebar fallback behavior, resulting in simplified sidebar
customization defaults.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-26 15:26:55 +04:00
Kirill Ilin
7a107296e5
fix(dashboard): hide sidebar on cluster-level pages when no tenant selected
Remove stock-instance-* sidebars that were populated with namespace-scoped
menu items, causing the sidebar to incorrectly appear on cluster-level pages.
Clear the sidebar fallback ID so the frontend gracefully renders no sidebar
when no matching sidebar resource exists.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-02-26 13:43:07 +05:00
Andrei Kvapil
e16d987403
[dashboard] Hide Ingresses/Services/Secrets tabs when no selectors defined (#2087)
## What this PR does

Hide Ingresses, Services, and Secrets tabs in the dashboard when the
ApplicationDefinition has no resource selectors (Include/Exclude) for
the corresponding type. Previously all tabs were always hardcoded as
visible.

### Release note

```release-note
[dashboard] Hide Ingresses/Services/Secrets tabs when ApplicationDefinition has no resource selectors defined
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Dashboard tab visibility refined: Workloads tab remains always
visible; Ingresses, Services, and Secrets tabs now appear only when
corresponding resource selectors are configured, reducing clutter and
showing relevant tabs based on configured resources.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-25 21:58:29 +01:00
Andrei Kvapil
c63fcf50b3
docs: add changelog for v1.0.0-rc.2 (#2100)
This PR adds the changelog for release `v1.0.0-rc.2`.

 Changelog has been automatically generated in
`docs/changelogs/v1.0.0-rc.2.md`.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v1.0.0-rc.2, documenting features,
improvements, bug fixes, and contributor acknowledgments.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-25 19:14:55 +01:00
Andrei Kvapil
4417cc35a0
Release v1.0.0-rc.2 (#2099)
This PR prepares the release `v1.0.0-rc.2`.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Updated numerous container images to v1.0.0-rc.2 across platform
services, controllers, dashboard components, migration/e2e tooling,
storage and networking components.
* Refreshed several image digests (including kubevirt CSI, s3manager and
Linstor components) and other image references.
  * Updated default tenant branding text used by the dashboard.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-25 19:12:46 +01:00
cozystack-bot
78cc4c0955 docs: add changelog for v1.0.0-rc.2
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-02-25 16:18:20 +00:00
cozystack-bot
65c6936e95 Prepare release v1.0.0-rc.2
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-02-25 16:09:50 +00:00
Andrei Kvapil
cd3643b8cc
fix(dashboard): backupjobs creation form fixes and category idetifier… (#2103)
… in sidebar

<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
- fixed dashboard backupjobs creation form 
- fixed dashboard sidebar backup category id
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Updates**
  * Updated dashboard backups menu structure for improved organization
* Enhanced backup job management interface with new form configuration
including Name, Namespace, Plan Name, Application details, and Backup
Class selection

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-25 17:02:39 +01:00
Andrei Kvapil
2024ec3a8b
feat(keycloak): allow custom Ingress hostname via values (#2101)
## What this PR does

Add `ingress.host` field to cozy-keycloak values, allowing users to
override the default
`keycloak.<root-host>` Ingress hostname. The custom hostname is applied
to both the Ingress
resource and the `KC_HOSTNAME` environment variable in the StatefulSet.
When left empty,
behavior is unchanged (backward compatible).

### Release note

```release-note
[system] Add `ingress.host` option to cozy-keycloak for custom Ingress hostname override
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Keycloak ingress hostname is now configurable and automatically
defaults to "keycloak.<root-host>" when not explicitly specified.

* **Chores**
* Refactored hostname configuration across Keycloak templates to use
dynamic variable resolution instead of hard-coded values for improved
consistency and flexibility.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-25 16:57:53 +01:00
Andrei Kvapil
f282f19c1b
fix(platform): clean up orphaned -rd HelmReleases after application renames (#2102)
## What this PR does

After application renames (ferretdb→mongodb, mysql→mariadb,
virtual-machine→vm-disk+vm-instance),
the system-level `-rd` HelmReleases in `cozy-system` were left orphaned.
They reference
ExternalArtifacts that no longer exist, causing persistent
reconciliation failures:

- `ferretdb-rd` → no longer exists (replaced by `mongodb-rd`)
- `mysql-rd` → no longer exists (replaced by `mariadb-rd`)
- `virtual-machine-rd` → no longer exists (replaced by `vm-disk-rd` +
`vm-instance-rd`)

Migrations 28 and 29 handled user-facing HelmReleases but missed the
system-level `-rd` ones.

**Changes:**
- Add cleanup of `mysql-rd` to migration 28
- Add cleanup of `virtual-machine-rd` to migration 29
- Add migration 33 as a safety net for users who already passed
migrations 28/29
- Bump `targetVersion` from 33 to 34

### Release note

```release-note
[platform] Fix orphaned ferretdb-rd, mysql-rd, and virtual-machine-rd HelmReleases
that persist after upgrading, referencing non-existent ExternalArtifacts.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved cleanup procedures in platform migrations to properly remove
orphaned system resources. This enhancement helps maintain system
stability and prevents potential resource conflicts during platform
updates.

* **Chores**
  * Updated migration version target to latest.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-25 16:56:45 +01:00
Andrey Kolkov
7427bbdaa3 fix(dashboard): backupjobs creation form fixes and category idetifier in sidebar
Signed-off-by: Andrey Kolkov <androndo@gmail.com>
2026-02-25 19:56:13 +04:00
Andrei Kvapil
da89203a32
fix(platform): add migration 33 to clean up orphaned -rd HelmReleases
Add a safety-net migration for users who already passed migrations 28/29
and still have orphaned -rd HelmReleases in cozy-system:

- ferretdb-rd (replaced by mongodb-rd, never had a dedicated migration)
- mysql-rd (migration 28 only handled user HRs)
- virtual-machine-rd (migration 29 only handled user HRs)

These HRs reference ExternalArtifacts that no longer exist after the
application renames (ferretdb→mongodb, mysql→mariadb,
virtual-machine→vm-disk+vm-instance), causing persistent errors.

Bump targetVersion from 33 to 34.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-25 16:02:10 +01:00
Andrei Kvapil
e0dfc8a321
fix(platform): clean up orphaned -rd HelmReleases in migrations 28 and 29
Migrations 28 (mysql→mariadb) and 29 (virtual-machine→vm-disk+vm-instance)
only handled user-facing HelmReleases but left the system-level -rd
HelmReleases (mysql-rd, virtual-machine-rd) orphaned in cozy-system.
These HRs reference ExternalArtifacts that no longer exist, causing
persistent reconciliation failures.

Add cleanup steps to delete the orphaned -rd HRs and their Helm secrets.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-25 16:01:58 +01:00
Kirill Ilin
9cbd948b08
feat(keycloak): allow custom Ingress hostname via values
Add ingress.host field to values.yaml for cozy-keycloak. When set,
it overrides the default "keycloak.<root-host>" hostname in both the
Ingress resource and the KC_HOSTNAME environment variable. When left
empty, behavior is unchanged for backward compatibility.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-02-25 17:36:53 +05:00
Andrey Kolkov
e5f7bc5c53
fix(dashboard): updated legacy templating (#2093)
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
fixed dashboard sidebar links to Backups and External IPs
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Standardized cluster identifier usage across dashboard menu links,
administration links, and API request paths for consistent link
generation.
* **Bug Fixes**
* Resolved issues causing incorrect or inconsistent link targets and
ensured backup-class options load correctly in the UI.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-25 14:46:25 +04:00
Andrei Kvapil
e89ba43c39
fix(platform): fix upgrade issues in migrations, etcd timeout, and migration script (#2096)
## What this PR does

Fixes multiple upgrade issues discovered during v0.41.1 → v1.0 upgrade
testing.

**Migration 26 (monitoring → monitoring-system):**
- Use `cozystack.io/ui=true` label with
`--field-selector=metadata.name=monitoring` instead of
`apps.cozystack.io/application.kind=Monitoring` to find monitoring
HelmReleases — the old label is guaranteed to exist on v0.41.1 clusters,
while the new one depends on migration 22 having run
- Add `delete_helm_secrets` function with fallback deletion by secret
name pattern and post-deletion verification

**Migrations 28 and 29 (mysql→mariadb, virtual-machine split):**
- Wrap `grep` in pipes with `{ ... || true; }` to prevent `pipefail`
exit when grep filters out all lines
- Fix reconcile annotation in migration 29 to use RFC3339 timestamp
format instead of Unix epoch
- Remove protection-webhook handling from migration 29 — it is an
external component and should not be managed by cozystack migrations

**Migration 27 (piraeus CRD ownership):**
- Skip CRDs that don't exist instead of failing the entire migration
- Add name-pattern fallback for helm secret deletion

**etcd HelmRelease:**
- Increase timeout from 10m to 30m to accommodate TLS cert rotation hook

**migrate-to-version-1.0.sh:**
- Add missing ConfigMap → Package field mappings: `bundle-disable`,
`bundle-enable`, `expose-ingress`, `expose-services`
- Remove redundant bundle enabled flags — the variant already determines
them via its values file

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Package generation now supports disabled/enabled package lists,
ingress name, and exposed services for customized publishing.

* **Bug Fixes**
* More robust secret cleanup with fallback deletions and post-deletion
verification.
  * Guarded pipelines to avoid failures when no resources match.
  * Reconciliation timestamps now use RFC3339 UTC.
  * Suspension failures are no longer silently suppressed.

* **Chores**
* Increased etcd upgrade timeout; improved namespace discovery,
relabeling behavior, and user-facing messaging.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-25 10:29:45 +01:00
Aleksei Sviridkin
a20951def3
chore: add @sircthulhu to CODEOWNERS (#2098)
## Summary

- Add @sircthulhu to the global CODEOWNERS list

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
  * Updated repository maintenance configuration.

---

**Note:** This release contains only internal repository updates with no
user-facing changes.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-25 12:08:17 +03:00
Kirill Ilin
4c73ac54a0
chore: add @sircthulhu to CODEOWNERS
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
2026-02-25 13:09:21 +05:00
Andrei Kvapil
cfb5914cdd
fix(platform): remove protection-webhook handling from migration 29
The protection-webhook is not part of the cozystack platform and should
not be managed by the migration script. Old services are now deleted
directly instead of being batched through the webhook disable/enable cycle.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-25 00:30:54 +01:00
Andrei Kvapil
948346ef6d
fix(platform): use original cozystack.io/ui label in migration 26 and simplify migration script
Migration 26 was using apps.cozystack.io/application.kind=Monitoring label
which is added by migration 22 and may not be present on v0.41.1 clusters.
Switch to cozystack.io/ui=true (guaranteed on old HRs) with field-selector
for exact name match.

Also remove redundant bundle enabled flags from migrate-to-version-1.0.sh
since the variant already determines them via its values file.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-24 23:49:43 +01:00
Andrei Kvapil
da597225d1
fix(platform): add missing field mappings in migrate-to-version-1.0.sh
Add ConfigMap fields that were not converted to Package values:
- bundle-disable → bundles.disabledPackages
- bundle-enable → bundles.enabledPackages
- expose-ingress → publishing.ingressName
- expose-services → publishing.exposedServices

Remove incorrect bundles.system.type field that is not part of the
Package values schema.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-24 23:34:53 +01:00
Andrei Kvapil
7871d425dd
fix(etcd): increase HelmRelease timeout to 30m for cert rotation
The post-upgrade hook deletes TLS certificates and etcd pods to trigger
cert-manager regeneration. With 3 replicas and startup probes allowing
up to 25 minutes per pod, the previous 10m timeout was insufficient.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-24 23:34:47 +01:00
Andrei Kvapil
a9adda5e88
fix(platform): make migration 27 skip missing CRDs and add secret cleanup fallback
Migration 27 failed with set -e when Piraeus CRDs did not exist on
clusters without linstor. Add existence check before annotating CRDs.
Also add name-pattern fallback for helm secret deletion, consistent
with migration 26.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-24 23:34:40 +01:00
Andrei Kvapil
880b99f3f7
fix(platform): wrap grep in migrations 28 and 29 to prevent pipefail exits
grep returns exit code 1 when no lines match. With set -euo pipefail,
this kills the script when all secrets are helm-release secrets or when
no matching resources exist. Wrap grep calls with { ... || true; }.

Also fix reconcile annotation in migration 29 to use RFC3339 timestamp
format instead of Unix epoch, which Flux v2 expects.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-24 23:34:34 +01:00
Andrei Kvapil
c7290f3521
fix(platform): make migration 26 helm secret deletion robust
Migration 26 silently skipped namespace processing when kubectl
queries failed, leaving helm release secrets intact. This caused
helm to diff old vs new chart manifests during upgrade, deleting
VLogs/CNPG resources and their PVCs.

- Remove silent error suppression (2>/dev/null || true) from
  namespace discovery and HR suspend commands
- Add fallback secret deletion by name pattern when label selector
  does not match
- Add verification that all helm release secrets are deleted

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-24 23:05:03 +01:00
Andrey Kolkov
2b1b5e8fa9 fix(dashboard): updated legacy templating
Signed-off-by: Andrey Kolkov <androndo@gmail.com>
2026-02-24 17:54:08 +04:00
Andrei Kvapil
4f2578a32b
fix(dashboard): check only Include selectors for tab visibility
Only show Ingresses/Services/Secrets tabs when Include selectors are
defined. Exclude selectors alone don't make resources visible as tenant
resources, so tabs would be empty.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-23 20:20:03 +01:00
Andrei Kvapil
d8f5083c6d
fix(monitoring-agents): use global.clusterDomain for FQDN resolution (#2086)
## What this PR does

PR #2075 introduced `_cluster.cluster-domain` references in
monitoring-agents `values.yaml` for FQDN resolution in tenant clusters.
This broke the fluent-bit subchart because `_cluster` values are not
accessible from the Helm subchart context — only `global` values are
shared with subcharts.

This PR replaces `_cluster` references with a new `global.clusterDomain`
variable:
- Empty by default (management cluster uses short DNS names like
`service.namespace.svc`)
- Set to the management cluster domain (e.g. `cozy.local`) for tenant
clusters, enabling FQDN resolution for cross-cluster service discovery

Fixes #2084

### Release note

```release-note
[system] Fix monitoring-agents installation failure caused by inaccessible _cluster values in fluent-bit subchart context. Introduce global.clusterDomain for proper FQDN resolution in tenant workload clusters.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Monitoring agent configuration updated to support configurable cluster
domain names for greater flexibility.
* Remote write and log-forwarding endpoints adjusted to align with
cluster domain handling, improving compatibility when deploying across
different cluster DNS setups.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-23 20:16:36 +01:00
Andrei Kvapil
211e01bd87
fix(dashboard): hide Ingresses/Services/Secrets tabs when no selectors defined
Show these tabs only when the ApplicationDefinition has non-empty
Include or Exclude resource selectors for the corresponding type.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-23 16:33:27 +01:00
Andrei Kvapil
d8bb3527de
fix(monitoring-agents): revert _cluster FQDN and use cluster-domain in tenant HelmRelease
PR #2075 added _cluster.cluster-domain references to monitoring-agents
values.yaml for FQDN resolution. This broke fluent-bit because it is
a subchart where _cluster values are not accessible (only global
values are shared with subcharts), causing "index of untyped nil".

Revert values.yaml to short DNS names (.svc) for the management
cluster where they resolve locally, and add FQDN with cluster-domain
suffix in the tenant kubernetes HelmRelease where _cluster values are
available and cross-cluster DNS resolution is needed.

Closes #2084

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-23 16:15:36 +01:00
Andrei Kvapil
1fd1da45b9
docs: add changelog for v1.0.0-rc.1 (#2082)
This PR adds the changelog for release `v1.0.0-rc.1`.

 Changelog has been automatically generated in
`docs/changelogs/v1.0.0-rc.1.md`.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added comprehensive release notes for v1.0.0-rc.1, documenting new
features, improvements, bug fixes, breaking changes, and upgrade
guidance.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-22 08:04:29 +01:00
Andrei Kvapil
2c82b22c5e
docs(changelogs): add missing changelogs for v0.40.5-v0.40.7 and v0.41.4-v0.41.9 (#2083)
## What this PR does

Add 9 missing patch release changelogs:
- **v0.40.x**: v0.40.5, v0.40.6, v0.40.7
- **v0.41.x**: v0.41.4, v0.41.5, v0.41.6, v0.41.7, v0.41.8, v0.41.9

All PR authors were verified via `gh pr view` (not from commit authors).
Format matches existing changelog files in the repository.

### Release note

```release-note
[docs] Add missing changelogs for v0.40.5-v0.40.7 and v0.41.4-v0.41.9
```
2026-02-22 08:04:08 +01:00
Andrei Kvapil
b61dc7c988
Release v1.0.0-rc.1 (#2081)
This PR prepares the release `v1.0.0-rc.1`.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **Chores**
* Upgraded container image versions from v1.0.0-beta.6 to v1.0.0-rc.1
across the entire platform. Updates span multiple critical components
including the core operator, platform migrations, dashboard and API
services, backup and storage controllers, networking components, and
various additional system infrastructure services. All updated images
include new SHA256 digests for ensuring integrity and verification.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-22 08:03:40 +01:00
Andrei Kvapil
473ac87d70
docs(changelogs): add missing changelogs for v0.40.5-v0.40.7 and v0.41.4-v0.41.9
Add 9 missing patch release changelogs covering changes from
January to February 2026. All PR authors verified via GitHub CLI.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-21 22:17:08 +01:00
cozystack-bot
9fa311e5ac docs: add changelog for v1.0.0-rc.1
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-02-21 21:07:45 +00:00
cozystack-bot
7994976052 Prepare release v1.0.0-rc.1
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-02-21 20:58:57 +00:00
Andrei Kvapil
e3a5933f7b
[kubevirt] Update kubevirt and CDI (#1833)
## What this PR does
Updates kubevirt to v1.6.3 and CDI to v1.64.0.
Please note that VMs would be live-migrated as a part of the update.

### Release note
```release-note
Updated kubevirt to v1.6.3 and CDI to v1.64.0
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* VM synchronization support with synchronization ports and address
reporting
  * Cluster profiler and synchronization controller developer options

* **Updates**
* CDI operator bumped to v1.64.0; filesystem overhead default increased
  * KubeVirt operator bumped to v1.6.3
  * Added liveness/readiness probes and health/metrics ports
  * Expanded operator tolerations for control-plane/master nodes
* Expanded operator permissions for synchronization and webhook-related
resources
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-21 21:43:57 +01:00
Andrei Kvapil
7dfb819a9c
fix(kubevirt): disable serial console log to fix VM pod initialization
KubeVirt v1.6.x has a known issue (#15989) where the guest-console-log
init container blocks virt-launcher pods from starting. The container
runs virt-tail as a long-running sidecar but fails to properly function
as a Kubernetes native sidecar, causing all VM pods to get stuck in
PodInitializing state indefinitely.

Disable serial console logging globally via the KubeVirt CR to prevent
the problematic init container from being created.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-21 20:46:31 +01:00
Aleksei Sviridkin
d95ea930b6
[kamaji] Revert premature update to post-edge-26.2.4 (#2080)
## What this PR does

Reverts #2079 — the Kamaji update was merged prematurely while marked
with `do-not-merge` label. The upstream commit (`309d9889`) has not been
released as an edge tag yet.

### Release note
```release-note
NONE
```
2026-02-21 20:27:06 +03:00
Aleksei Sviridkin
8dbd6d5167
Revert "[kamaji] Update to 309d9889 (post edge-26.2.4), drop disable-datastore-check patch"
This reverts commit 2c372ae378.
2026-02-21 20:26:18 +03:00
Aleksei Sviridkin
2c372ae378
[kamaji] Update to 309d9889 (post edge-26.2.4), drop disable-datastore-check patch
Upstream PR clastix/kamaji#1087 (refactor!: datastore conditions) removed
the startup datastore existence check that our disable-datastore-check.diff
patch was working around. Update to the merge commit and drop the now
redundant patch.

Remaining patches:
- fix-kubelet-config-compat.diff (pending upstream PR #1084)
- increase-startup-probe-threshold.diff (no upstream fix)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
2026-02-21 19:09:09 +03:00
Andrei Kvapil
02064888a4
feat(platform): make cluster issuer name and ACME solver configurable (#2077)
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does

Previously `_cluster.clusterissuer` controlled the ACME solver type
using
  values `http01` / `cloudflare`, and every ingress template hardcoded 
`cert-manager.io/cluster-issuer: letsencrypt-prod` with no way to
override it.

  This PR adds new parameters in platform chart:
  - `publishing.certificates.solver` (default `http01`)
  - `publishing.certificates.issuerName` (default: `letsencrypt-prod`)
  instead of single parameter before
  - `publishing.certificates.issuerType`
  
Previous `certificates.issuerType` was renamed to `certificates.solver`;
Also its possible value
`cloudflare` was renamed to `dns01` to use standard ACME terminology.

New `certificates.issuerName` (default: `letsencrypt-prod`) — propagated
as
`_cluster.issuer-name` to all packages via `cozystack-values` then its
value appears in
`cert-manager.io/cluster-issuer` annotation across 8 templates of
ingresses in system applications.

`publishing.certificates.solver` can be set empty to clearly support
`selfsigned-cluster-issuer`,
   or have any value, but it can be a bit confusing.

  Operators can now point ingresses at any ClusterIssuer (custom ACME,
  self-signed, internal CA) by setting `certificates.issuerName` without
  touching individual package templates.

  ## Breaking changes

  | What changed | Before | After |
  |---|---|---|
  | Solver key | `certificates.issuerType` | `certificates.solver` |
| Cloudflare solver value | `issuerType: cloudflare` | `solver: dns01` |

  This changes handled by migration when upgrading cozystack from v1 
  or by `migration-to-v1.0.sh` script (also checked by migration later)
  No actions from user needed.

### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[platform] Added publishing.certificates.solver (http01/dns01) and 
  publishing.certificates.issuerName fields to allow configuring ACME challenge 
  type and ClusterIssuer per installation, replacing the old implicit issuerType field
[platform] Migration script and upgrade hook (migration 32) convert old
  clusterissuer/issuerType fields to the new solver/issuerName fields
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Migrated certificate issuer configuration from legacy `issuerType`
field to new `solver` and `issuerName` fields system-wide.
* Automated migration script converts existing configurations, mapping
legacy values (cloudflare, http01) to new format.
* Updated all certificate-related templates to use new configurable
solver and issuer settings with sensible defaults.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-20 23:09:12 +01:00
Andrei Kvapil
4c3766a555
[system] Fix monitoring-agents FQDN resolution for tenant workload clusters (#2075)
## What this PR does

Monitoring agents (vmagent, fluent-bit) in tenant workload clusters
failed to deliver metrics and logs because service addresses used short
DNS names (e.g. `vminsert-longterm.tenant-root.svc`) without the cluster
domain suffix. Tenant CoreDNS could not resolve these names across
cluster boundaries.

This PR appends the configured cluster domain from
`_cluster.cluster-domain` to all vmagent remoteWrite URLs and fluent-bit
output hosts, with a fallback to `cluster.local` when not set.

### Release note

```release-note
[system] Fix monitoring-agents endpoints to use FQDN with configured cluster domain, resolving metrics and logs delivery failures in tenant workload clusters.
```
2026-02-20 20:41:25 +01:00
nbykov0
7bc93c5045
[kubevirt-operator] Update to v1.6.4
Co-authored-by: Andrei Kvapil <kvapss@gmail.com>
Signed-off-by: nbykov0 <166552198+nbykov0@users.noreply.github.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-20 20:16:34 +01:00
nbykov0
d2f7c9ab82
[cdi-operator] Update to v1.64.0
Signed-off-by: nbykov0 <166552198+nbykov0@users.noreply.github.com>
2026-02-20 20:16:33 +01:00
Andrei Kvapil
d856775961
feat(kubernetes): update supported versions to v1.30-v1.35 (#2073)
## What this PR does

Updates Kubernetes version support to match current release landscape
and Talos 1.12 compatibility:

- Update Kamaji from `edge-25.4.1` to `edge-26.2.4` (adds K8s 1.35
support)
- Update Kubernetes version matrix: v1.30, v1.31, v1.32, v1.33, v1.34,
v1.35
- Drop EOL versions v1.28 and v1.29
- Remove merged-upstream patch (992.diff — label preservation fix)
- Regenerate disable-datastore-check.diff for new Kamaji version

Changes:

- Default Kubernetes version is now v1.35
- E2E tests will validate v1.35 (latest) and v1.34 (previous)
- Patch versions updated to latest available (v1.35.0, v1.34.4, v1.33.8,
v1.32.12, v1.31.14, v1.30.14)

### Release note

```release-note
[kubernetes] Update supported Kubernetes versions to v1.30-v1.35
```


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a Kamaji CRDs Helm chart with DataStore and KubeconfigGenerator
resources, plus deployment templates and configurable
kubeconfigGenerator settings
* DataStore now supports multiple backends (etcd, MySQL, PostgreSQL,
NATS) with TLS/auth validations and status tracking (observedGeneration)

* **Chores**
* Bumped default Kubernetes version from v1.33 to v1.35 (added v1.34;
removed v1.28–v1.29)
* Updated charts, packaging metadata, README/docs and helm
ignore/Makefile entries; updated builder base image and chart
dependencies
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-20 20:12:56 +01:00
Myasnikov Daniil
17c2ea0e9c
feat(platform): Added migration to convert issuer configuration
Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
2026-02-20 17:03:23 +05:00
Myasnikov Daniil
c98b6203a7
fix(platform): fix migrate script to account clusterissuer parameter
Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
2026-02-20 16:41:41 +05:00