Commit graph

3012 commits

Author SHA1 Message Date
Andrei Kvapil
93ad9366e2
Release v1.2.2 (#2379)
This PR prepares the release `v1.2.2`.
2026-04-14 09:53:15 +02:00
cozystack-ci[bot]
6ccdcf8d55 Prepare release v1.2.2
Signed-off-by: cozystack-ci[bot] <274107086+cozystack-ci[bot]@users.noreply.github.com>
2026-04-14 01:37:02 +00:00
Andrei Kvapil
161d4fe17e
[Backport release-1.2] ci: use cozystack org noreply email for bot commits (#2393)
# Description
Backport of #2392 to `release-1.2`.
2026-04-13 16:36:37 +02:00
Andrei Kvapil
14c652c8eb ci: use cozystack org noreply email for bot commits
The cozystack-ci[bot] noreply email with brackets is rejected by DCO
probot as an invalid email address, causing release PRs to fail DCO
checks.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit ce0e709be8)
2026-04-13 14:31:28 +00:00
Andrei Kvapil
626ba21122
[Backport release-1.2] fix(build): filter git describe to match only v* tags (#2389)
# Description
Backport of #2386 to `release-1.2`.
2026-04-13 15:27:12 +02:00
Andrei Kvapil
a8b11eea7b fix(build): filter git describe to match only v* tags
The api/apps/v1alpha1/* subtags share the same commit as the release
tags. git describe --exact-match picks the first match alphabetically,
returning api/apps/v1alpha1/vX.Y.Z instead of vX.Y.Z, which produces
invalid Docker image tags.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit fbbccdbb7b)
2026-04-13 13:26:45 +00:00
myasnikovdaniil
6ba8309617
Fix system postgresql images to 17.7-standard-trixie (#2369)
(cherry picked from commit a3f50ba2bd)

<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[]
```
2026-04-13 15:52:25 +05:00
Andrei Kvapil
82a6b48314
[Backport release-1.2] ci(pull-requests): replace GH_PAT with cozystack-ci GitHub App token (#2384)
# Description
Backport of #2383 to `release-1.2`.
2026-04-13 10:07:37 +02:00
Andrei Kvapil
1c78614bbf ci(pull-requests): replace GH_PAT with cozystack-ci GitHub App token
The GH_PAT secret tied to cozystack-bot is no longer valid after
migrating release workflows to the cozystack-ci GitHub App in #2351.
This broke the resolve_assets and e2e jobs for release PRs.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit 1144211a85)
2026-04-13 08:02:26 +00:00
Andrei Kvapil
8b1f29975c
Replace cozystack-bot PAT with cozystack-ci GitHub App (#2351)
## Summary

Replaces the `cozystack-bot` user account + personal access token
(`GH_PAT`) with the `cozystack-ci` GitHub App across all CI/CD release
workflows.

### Why

- **Security**: GitHub App tokens are short-lived (1h) and scoped, vs. a
long-lived PAT tied to a user account
- **Auditability**: App actions are clearly attributed to
`cozystack-ci[bot]`
- **No 2FA issue**: The bot account lacked 2FA; GitHub Apps don't
require it
- **Best practice**: GitHub recommends Apps over PATs for automation

### Changes

| Workflow | What changed |
|---|---|
| `tags.yaml` | App token in all 3 jobs: prepare-release,
generate-changelog, update-website-docs |
| `auto-release.yaml` | App token for daily auto-patch tagging |
| `pull-requests-release.yaml` | App token for release PR finalization |

All `cozystack-bot` git identity replaced with `cozystack-ci[bot]`.

### New secrets (already configured at org level)

- `COZYSTACK_CI_APP_ID` — GitHub App ID
- `COZYSTACK_CI_PRIVATE_KEY` — GitHub App private key

### After merge

- [ ] Delete `GH_PAT` repo-level secret
- [ ] Remove `cozystack-bot` from the cozystack org

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated CI/CD automation authentication mechanisms across release and
tagging workflows for improved security practices.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-04-12 12:08:09 +02:00
Andrei Kvapil
94f5b79390
[Backport release-1.2] [cilium] Opt-out of cri-containerd.apparmor.d for nsenter init containers (#2378)
# Description
Backport of #2370 to `release-1.2`.
2026-04-12 11:40:54 +02:00
Aleksei Sviridkin
5fc12d44b7 [cilium] Move AppArmor podAnnotations to a non-Talos-only values file
E2E revealed that the kube-apiserver rejects a DaemonSet carrying a
per-container AppArmor annotation for a container that is not present
in the pod spec:

    DaemonSet.apps 'cilium' is invalid:
    spec.template.annotations[container.apparmor.security.beta.kubernetes.io/mount-cgroup]:
    Invalid value: 'mount-cgroup': container not found

On Talos (isp-full bundle) values-talos.yaml sets
cgroup.autoMount.enabled=false, so the upstream chart does not render
the mount-cgroup init container, and our unconditional podAnnotations
entry for it becomes an invalid reference.

Move the podAnnotations block from the shared values.yaml into a new
values-apparmor.yaml and include it only in the cilium-generic and
kubeovn-cilium-generic PackageSource variants, where
cgroup.autoMount.enabled is explicitly true. Talos variants
(cilium, cilium-kilo, kubeovn-cilium) get no AppArmor annotations,
which is safe because the Talos kernel does not load the AppArmor
LSM anyway.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit abd6667eb3)
2026-04-12 09:32:15 +00:00
Aleksei Sviridkin
b0ca7ce577 [cilium] Harden vendoring guard and clarify Talos annotation comment
- Broaden the grep guard in the Makefile update: target to match any
  container.apparmor.security.beta.kubernetes.io key, not only the
  quoted cilium-agent line. The previous pattern would silently pass
  if upstream switched to an unquoted annotation value, masking a
  failed perl patch; grepping for the prefix catches any residual
  hardcoded AppArmor annotation regardless of format.

- Rewrite the values.yaml comment to distinguish the two Talos-safe
  reasons: mount-cgroup is simply not rendered when
  cgroup.autoMount.enabled is false (Talos default), while the other
  annotations are harmless because kubelet ignores AppArmor metadata
  on nodes without the LSM loaded.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit fc9ef55c42)
2026-04-12 09:32:15 +00:00
Aleksei Sviridkin
caacf92507 [cilium] Clarify nsenter/AppArmor comment wording
Replace the misleading 'nsenter --ptrace' shorthand with an accurate
description: nsenter joins the host cgroup/mount namespace, and the
cri-containerd.apparmor.d profile reports the denial as a blocked
'ptrace' operation (operation name, not an nsenter CLI flag).

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit 0b0d3de99d)
2026-04-12 09:32:15 +00:00
Aleksei Sviridkin
016fe585b5 [cilium] Add fail-fast guard for the vendored daemonset patch
The perl multi-line delete in the update: target silently becomes a
no-op if the upstream template is ever reformatted. Verify the patch
applied by grepping for one of the stripped annotation keys after the
perl runs; fail the update: target loudly if it still exists, so a
future upstream reformat is caught instead of silently reintroducing
the duplicate-key rendering on k8s < 1.30.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit 39cd2658b5)
2026-04-12 09:32:15 +00:00
Aleksei Sviridkin
b23775dc7b [cilium] Strip the entire k8s<1.30 AppArmor block from vendored daemonset
The previous sed patch removed only the four annotation lines and
left an empty nested '{{- if ... }}{{- end }}{{- end }}{{- end }}'
skeleton behind. That skeleton was dead code, but it also meant that
the next make update would re-fetch the upstream chart with the
annotations back inside the same block, and the sed would strip them
again — leaving the skeleton behind forever.

Replace the per-line sed patch with a single perl -i -0pe multi-line
delete that removes the entire <1.30 AppArmor block in one step, and
apply the same patch to the currently vendored copy for consistency.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit 5a50df800d)
2026-04-12 09:32:15 +00:00
Aleksei Sviridkin
d093ec2eb0 [cilium] Strip hardcoded AppArmor annotations from vendored daemonset
The upstream chart emits per-container AppArmor unconfined annotations
inside a k8s<1.30 branch of cilium-agent/daemonset.yaml. Cozystack now
owns these annotations via cilium.podAnnotations in values.yaml so they
also take effect on k8s>=1.30 (where upstream drops them in favour of
the containerd-broken podSecurityContext.appArmorProfile). Having both
sources emit the same keys produced a duplicate mapping on k8s<1.30.

Add a new SED_INPLACE invocation to the package Makefile that removes
the four hardcoded annotation lines from the vendored template, and
apply the patch to the currently vendored copy so make update will
reproduce the same state on future refreshes.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit 182fc0b52d)
2026-04-12 09:32:15 +00:00
Aleksei Sviridkin
1433adf88f [cilium] Document duplicate-key rendering on unsupported k8s < 1.30
On Kubernetes versions below 1.30 the upstream cilium chart still emits
the deprecated per-container AppArmor annotations from its own
semverCompare '<1.30.0' branch. Our podAnnotations override then emits
the same keys again, yielding a YAML mapping with duplicate entries
(identical values, last-wins by kubernetes API server JSON semantics).

Cozystack's supported Kubernetes matrix starts at 1.30
(packages/apps/kubernetes/files/versions.yaml), so this rendering
quirk never affects any shipped version. Document the behaviour in a
comment so future readers are not surprised.

No functional change.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit 703dbca734)
2026-04-12 09:32:15 +00:00
Aleksei Sviridkin
5bf0112bed [cilium] Drop mount-bpf-fs from AppArmor unconfined annotations
mount-bpf-fs runs as privileged in the vendored chart, and the Linux
kernel does not apply AppArmor profiles to privileged containers. The
per-container unconfined annotation for this container is a no-op and
only widens the pod's admission-policy surface for no reason.

Keep the four meaningful annotations (cilium-agent, clean-cilium-state,
mount-cgroup, apply-sysctl-overwrites) which target unprivileged agent
and init containers actually affected by the cri-containerd.apparmor.d
profile.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit 2531ab661a)
2026-04-12 09:32:15 +00:00
Aleksei Sviridkin
06dce029c9 [cilium] Opt-out of cri-containerd.apparmor.d for nsenter init containers
Cilium 1.19 init containers mount-cgroup, apply-sysctl-overwrites,
mount-bpf-fs and clean-cilium-state call nsenter --ptrace, which is
denied by the cri-containerd.apparmor.d profile on Ubuntu 22.04+ and
any other distro loading this AppArmor profile. As a result cilium
agent pods land in Init:CrashLoopBackOff and downstream HelmReleases
cascade into "dependency not ready".

The modern k8s >= 1.30 pod-level appArmorProfile: Unconfined field is
accepted into the DaemonSet spec but not honoured by containerd CRI
at runtime (kubernetes/kubernetes#125069), so the deprecated
per-container AppArmor annotations remain the only reliable opt-out.

Add the annotations via podAnnotations in the wrapper values.yaml.
The change is harmless on systems without AppArmor (Talos,
RHEL/Rocky/AlmaLinux with SELinux) because kubelet silently ignores
unknown AppArmor annotations when the LSM is not loaded.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
(cherry picked from commit 6c0ae2570e)
2026-04-12 09:32:15 +00:00
Andrei Kvapil
5674ce73e6
[Backport release-1.2] linstor: update piraeus-server to v1.33.2 with selected backports (#2377)
# Description
Backport of #2331 to `release-1.2`.
2026-04-12 11:22:13 +02:00
Andrei Kvapil
69ccaa772e linstor: bump piraeus-server from v1.33.1 to v1.33.2
All existing patches (allow-toggle-disk-retry, fix-duplicate-tcp-ports,
fix-luks-header-size, retry-adjust-after-stale-bitmap) apply cleanly on
the new version without modifications.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit 7fb0c575c0)
2026-04-12 09:20:47 +00:00
Andrei Kvapil
198c57c1ea linstor: add stale bitmap adjust retry patch
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit fd6bae62b2)
2026-04-12 09:20:47 +00:00
Andrei Kvapil
8d1628df49 linstor: update piraeus-server patches for v1.33.1
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit e4468148f6)
2026-04-12 09:20:47 +00:00
Myasnikov Daniil
0726e1aa51
Fix system postgresql images to 17.7-standard-trixie
Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
(cherry picked from commit a3f50ba2bd)
2026-04-10 19:05:10 +05:00
Andrei Kvapil
168ebe1a3e
[Backport release-1.2] [monitoring] Fix infra dashboards missing in default variant (#2367)
# Description
Backport of #2365 to `release-1.2`.
2026-04-10 02:12:39 +02:00
mattia-eleuteri
3b2d6a6325 [monitoring] Fix infra dashboards missing in default variant
The default variant deploys monitoring to the cozy-monitoring namespace,
but the infra dashboards condition only checked for tenant-root. This
adds cozy-monitoring to the condition, consistent with the existing
pattern in vmagent.yaml.

Fixes cozystack/cozystack#2349

Signed-off-by: mattia-eleuteri <mattia@hidora.io>
(cherry picked from commit b8d48ad711)
2026-04-09 23:23:18 +00:00
Andrei Kvapil
ec480b0617
[Backport release-1.2] [virtual-machine] Exclude external VM services from Cilium BPF LB (#2361)
# Description
Backport of #2357 to `release-1.2`.
2026-04-08 16:54:49 +02:00
mattia-eleuteri
a0209327b4 [virtual-machine] Exclude external VM services from Cilium BPF LB
Add service.kubernetes.io/service-proxy-name label to LoadBalancer
services when external: true. This prevents Cilium from adding the
service to its BPF service map, fixing two issues:

1. Inter-tenant connectivity via public LB IPs: Cilium's kube-proxy
   replacement DNATs traffic to LB IPs before policy evaluation,
   causing the CiliumClusterwideNetworkPolicy to block legitimate
   cross-tenant traffic through public IPs.

2. WholeIP broken on Cilium 1.19+ (#2327): wildcard service drop
   entries block all ports not declared in the Service spec before
   traffic reaches cozy-proxy's nftables rules.

With this label, Cilium completely ignores the Service. Routing is
handled by kube-ovn (via the wholeIP annotation) and MetalLB
continues to advertise the IP via L2 unaffected.

Tested on Cilium 1.18.6 and 1.19.1: inter-tenant via LB IP works,
pod IP isolation preserved, external access unaffected.

Signed-off-by: mattia-eleuteri <mattia@hidora.io>
(cherry picked from commit 026b1c7811)
2026-04-08 14:44:34 +00:00
Andrei Kvapil
1b32142ce3
Release v1.2.1 (#2306)
This PR prepares the release `v1.2.1`.
2026-03-31 14:59:27 +02:00
cozystack-bot
27638a14b5 Prepare release v1.2.1
Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
2026-03-31 11:32:30 +00:00
Andrei Kvapil
52a16dc518
fix(ci): force-update API subtag on re-runs
Always force-create and force-push the API submodule tag so it stays
in sync with the main version tag, even when re-tagging.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-03-31 13:25:26 +02:00
Andrei Kvapil
d68f56ae19
fix(ci): make tags workflow idempotent on re-runs
- Remove broken `git push origin HEAD` in detached HEAD state (commit
  artifacts are already pushed via the "Create release branch" step)
- Make subtag push idempotent: use explicit refs/tags/ prefix and
  tolerate already-existing remote tags after verifying they point to
  the correct commit

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-03-31 13:25:26 +02:00
Andrei Kvapil
6de6ca1abf
[Backport release-1.2] fix(multus): pin master CNI to 05-cilium.conflist (#2316)
# Description
Backport of #2315 to `release-1.2`.
2026-03-31 12:03:09 +02:00
Andrei Kvapil
aefd8b45ff fix(multus): pin master CNI to 05-cilium.conflist
Set multusMasterCNI to explicitly use 05-cilium.conflist instead of
auto-detecting the first available conflist at boot. This prevents a
race condition where multus picks 10-kube-ovn.conflist if it appears
before 05-cilium.conflist during node startup, bypassing the Cilium
CNI chain entirely.

Upstream issue: https://github.com/k8snetworkplumbingwg/multus-cni/issues/1499
Tracking issue: https://github.com/cozystack/cozystack/issues/2310

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit e09cd0f37f)
2026-03-31 10:02:01 +00:00
Andrei Kvapil
f16ef08a98
[Backport release-1.2] fix(multus): build custom image with DEL cache fix (#2314)
# Description
Backport of #2313 to `release-1.2`.
2026-03-31 11:22:52 +02:00
Andrei Kvapil
3ab03d3bce chore: remove build artifact
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit 1cd564330c)
2026-03-31 09:22:35 +00:00
Andrei Kvapil
56f0484eb0 fix(multus): build custom image with DEL cache fix
When CNI ADD never completes, multus DEL fails because delegate plugins
require runtime state that only exists after a successful ADD. This
creates a deadlock where containerd cannot release sandbox name
reservations, permanently blocking pod creation on the affected node.

Build a custom multus-cni image with a patch that returns success on
DEL when no cache file exists (ADD was never completed).

Upstream PR: https://github.com/k8snetworkplumbingwg/multus-cni/pull/1498
Tracking issue: https://github.com/cozystack/cozystack/issues/2310

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit 094b80ae16)
2026-03-31 09:22:35 +00:00
Andrei Kvapil
9a1b45b49d
[Backport release-1.2] fix(linstor): set verify-alg to crc32c to avoid crct10dif unavailability (#2312)
# Description
Backport of #2303 to `release-1.2`.
2026-03-31 10:48:26 +02:00
Andrei Kvapil
e3336bf6f5 fix(linstor): set verify-alg to crc32c to avoid crct10dif unavailability
The crct10dif kernel crypto module is no longer available in Talos
v1.12.6 (kernel 6.18.18). DRBD auto-verify selects crct10dif by
default, causing peer connections to fail with VERIFYAlgNotAvail.
Setting verify-alg explicitly to crc32c at the controller level
ensures all resources use an available algorithm.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit 30616b73f3)
2026-03-31 08:48:01 +00:00
Andrei Kvapil
064294d870
[Backport release-1.2] feat(postgres): hardcode PostgreSQL 17 for monitoring and add migration (#2309)
# Description
Backport of #2304 to `release-1.2`.
2026-03-31 10:16:13 +02:00
IvanHunters
f6ce580126 feat(postgres): extend v17 hardcode to all system components
Add explicit PostgreSQL 17.7 image to Harbor, SeaweedFS, and Keycloak
databases to ensure consistent version across all system components.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
(cherry picked from commit 620c8fb3c0)
2026-03-31 08:15:51 +00:00
IvanHunters
091f21fbd2 feat(postgres): hardcode PostgreSQL 17 for monitoring and add migration
Add migration 37 to backfill spec.version=v17 for existing PostgreSQL
resources without a version set.

Hardcode PostgreSQL 17.7 image in monitoring databases (Grafana and Alerta)
to ensure compatibility with monitoring queries that expect PostgreSQL 17
features (pg_stat_checkpointer, updated pg_stat_bgwriter).

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
(cherry picked from commit fd1714442e)
2026-03-31 08:15:50 +00:00
Andrei Kvapil
02e200372b
[Backport release-1.2] fix(platform): propagate resource allocation ratios to packages (#2301)
# Description
Backport of #2296 to `release-1.2`.
2026-03-30 20:16:15 +02:00
Kirill Ilin
982a6508a9 fix(platform): propagate resource allocation ratios to packages
Since the bundle restructure in 2d022e38, the cpuAllocationRatio,
memoryAllocationRatio and ephemeralStorageAllocationRatio values from
platform values.yaml were no longer propagated to child packages.

The old monolithic bundles read these values from the cozystack
ConfigMap via lookup and passed them explicitly. After migration to
the Package CRD model, the bridge was lost: cozy-lib expects the
ratios in _cluster config (via cozystack-values Secret), but platform
never wrote them there, so the hardcoded defaults were always used.

This commit restores the propagation by:
- Adding cpu/memory/ephemeral-storage allocation ratios to the
  _cluster section in the cozystack-values Secret, so cozy-lib in
  all managed applications picks them up.
- Passing cpuAllocationRatio to the kubevirt Package component, so
  the KubeVirt CR gets the configured value.

Assisted-By: Claude AI
Signed-off-by: Kirill Ilin <stitch14@yandex.ru>
(cherry picked from commit b42a8ed7e4)
2026-03-30 18:15:24 +00:00
Andrei Kvapil
0eefd0b236
[Backport release-1.2] [linstor] Preserve TCP ports during toggle-disk operations (#2299)
# Description
Backport of #2292 to `release-1.2`.
2026-03-30 20:08:26 +02:00
Andrei Kvapil
56e6178685 fix(linstor): preserve TCP ports during toggle-disk operations
Update fix-duplicate-tcp-ports patch to preserve existing TCP ports when
DrbdRscData is recreated during toggle-disk operations. Without this,
removeLayerData() frees ports and ensureStackDataExists() may allocate
different ones, causing port mismatches between controller and satellites
if the satellite misses the update.

Also add dh_strip_nondeterminism override in Dockerfile to fix build
failures on some JAR files.

Upstream: https://github.com/LINBIT/linstor-server/pull/476#issuecomment-4147527442

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
(cherry picked from commit 812d4138bb)
2026-03-30 18:06:55 +00:00
Andrei Kvapil
4d92b6362b
[Backport release-1.2] [platform] Prevent installed packages deletion (#2297)
# Description
Backport of #2273 to `release-1.2`.
2026-03-30 20:04:36 +02:00
Myasnikov Daniil
7eca74675a [platform] Added resource-policy to keep installed packages
Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
(cherry picked from commit a243f3d72a)
2026-03-30 16:37:01 +00:00
IvanHunters
b45df978b9
Release v1.2.0 (#2290)
This PR prepares the release `v1.2.0`.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Chores
- Updated container images across core infrastructure components
(operator, controllers, API services) with new versions and digests
- Migrated Ubuntu container disk image references from temporary to
permanent registry
- Updated image digests for cluster-autoscaler, kubevirt CSI driver, and
monitoring components
- Refreshed dashboard and system service container image versions

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-27 18:02:28 +03:00