Find a file
myasnikovdaniil 36e326d768
fix(etcd): remove destructive post-upgrade cert-regeneration hook (#2462)
## What this PR does

Removes the `post-upgrade` Helm hook in `packages/extra/etcd` that was
`kubectl delete`ing the etcd TLS chain (`etcd-ca-tls`,
`etcd-peer-ca-tls`,
`etcd-client-tls`, `etcd-peer-tls`, `etcd-server-tls`) and then deleting
etcd pods on every chart upgrade.

The hook was gated by a semver compare of a stored
`etcd-deployed-version`
ConfigMap against `2.6.1`. That gate was written when chart versions
looked
like `2.6.0`, `2.6.1`, etc. Since commit `f871fbdb` ("Remove
versions_map
logic") all chart versions are stamped as `0.0.0+<git-hash>`, which per
semver is always `< 2.6.1`, so the gate always evaluates to "regenerate
certs" and the destructive hook fires on every upgrade.

On clusters running Kamaji-managed tenant control planes the consequence
is
severe: wiping the etcd CA triggers cert-manager to re-issue it with a
brand-new CA, but Kamaji's `datastore-certificate` Secrets still carry
the
old CA bundle mounted into tenant `kube-apiserver` pods. Those
apiservers
hit `x509: certificate signed by unknown authority` against
`etcd.<ns>.svc:2379` and go into CrashLoopBackOff until each tenant
`DataStore` is individually force-reconciled and the Deployments rolled.

Commit `47d81f70` ("Disabled private key rotation in CA certs") already
fixed the underlying `rotationPolicy: Always` issue the hook was written
to
paper over in March 2025, so the migration has no remaining use.

Changes:
- Delete `templates/hook/{job,role,rolebinding,serviceaccount}.yaml`
- Delete `templates/version.yaml` (only the hook read
`etcd-deployed-version`)
- Add `tests/no-post-upgrade-hook_test.yaml` as a regression guard — if
`templates/hook/job.yaml` or `templates/version.yaml` is ever brought
back,
  `make unit-tests` fails

### Release note

```release-note
fix(etcd): remove destructive post-upgrade cert-regeneration hook. Previously the etcd chart ran a `post-upgrade` hook on every Helm upgrade that deleted etcd TLS Secrets and pods, causing cert-manager to re-issue the etcd CA. On clusters with Kamaji-managed tenant control planes this put every tenant `kube-apiserver` into CrashLoopBackOff until each DataStore was manually re-reconciled. The hook was a one-shot `2.6.0 -> 2.6.1` migration that became a permanent footgun once chart versioning moved to `0.0.0+<git-hash>` and the underlying `rotationPolicy: Always` issue was fixed in commit `47d81f70`. This is behavior removal, not cosmetic cleanup.
```


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Tests**
* Added Helm chart test suite verifying absence of post-upgrade hook Job
and version ConfigMap.

* **Chores**
* Removed post-upgrade hook Job and associated RBAC resources (Role,
RoleBinding, ServiceAccount).
  * Removed version ConfigMap.
  * Added `test` target to Makefile for running Helm chart unit tests.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-28 14:36:59 +05:00
.gemini docs: adopt Conventional Commits across contributing docs 2026-04-13 22:50:08 +03:00
.github ci(api): add codegen drift check (#2463) 2026-04-28 12:41:48 +05:00
api [vm-instance] Fix PortList not filtering ingress ports (#2501) 2026-04-28 11:17:59 +02:00
cmd fix(kube-ovn): scope kubeovn-plunger cache and RBAC to its namespace 2026-04-21 17:13:27 +02:00
dashboards feat(monitoring): add MongoDB Grafana dashboards 2026-03-05 22:47:53 +03:00
docs [vm-instance] Add externalAllowICMP knob, drop in-PR changelog 2026-04-28 08:37:13 +02:00
examples/backups/vmi feat(backups): restore vmi to copy in another namespace 2026-04-09 14:06:33 +04:00
hack test(hack): rename remediation-guard bats test to match what it pins 2026-04-16 22:32:24 +03:00
img Cozystack logo for dark GitHub theme (#9) 2024-02-09 11:02:41 +01:00
internal feat(operator): add per-package upgradeCRDs policy for HelmRelease 2026-04-27 11:19:29 +03:00
packages fix(etcd): remove destructive post-upgrade cert-regeneration hook (#2462) 2026-04-28 14:36:59 +05:00
pkg fix(kubernetes): history guard non-empty check + nits from review 2026-04-16 21:50:10 +03:00
tools/openapi-gen [docs] Added openapi generation tool 2026-03-25 15:57:25 +05:00
.coderabbit.yaml [ci] Enable CodeRabbit incremental reviews 2026-04-13 13:32:15 +03:00
.gitignore feat(application): add WorkloadsReady condition and Events tab 2026-04-15 17:20:45 +03:00
.pre-commit-config.yaml ci(api): broaden codegen drift trigger paths and detect untracked files 2026-04-23 22:19:35 +05:00
ADOPTERS.md Update ADOPTERS.md by adding new adopter 2025-12-18 16:45:06 +03:00
AGENTS.md docs(agents): use full path .github/labels.yml in AGENTS.md 2026-04-27 03:30:43 +03:00
CODE_OF_CONDUCT.md Update CODE_OF_CONDUCT.md 2025-10-08 09:43:34 +05:00
CONTRIBUTING.md [docs] Proofread the readme and contributing 2025-04-09 11:09:19 +03:00
CONTRIBUTOR_LADDER.md Update CONTRIBUTOR_LADDER.md 2025-10-08 09:28:27 +05:00
go.mod feat(controller): add BucketClaim support to WorkloadMonitorReconciler 2026-04-17 10:58:47 +03:00
go.sum feat(controller): add BucketClaim support to WorkloadMonitorReconciler 2026-04-17 10:58:47 +03:00
GOVERNANCE.md Create GOVERNANCE.md (#733) 2025-04-01 18:48:14 +02:00
LICENSE Preapare release v0.0.1 2024-02-08 12:04:32 +01:00
MAINTAINERS.md Add Mattia Eleuteri (@mattia-eleuteri) as Maintainer 2026-04-15 23:46:43 +05:00
Makefile build: wire go-unit-tests into make unit-tests 2026-04-16 21:29:49 +03:00
README.md Update README.md 2026-04-16 14:30:51 +05:00
SECURITY.md docs: add SECURITY.md 2026-03-17 02:57:52 +05:00

Cozystack Cozystack

Open Source Apache-2.0 License Support Active GitHub Release GitHub Commit OpenSSF Best Practices

Cozystack

Cozystack is a free platform and framework for building clouds.

Cozystack is a CNCF Sandbox Level Project that was originally built and sponsored by Ænix.

With Cozystack, you can transform a bunch of servers into an intelligent system with a simple REST API for spawning Kubernetes clusters, Database-as-a-Service, virtual machines, load balancers, HTTP caching services, and other services with ease.

Use Cozystack to build your own cloud or provide a cost-effective development environment.

Cozystack user interface

Use-Cases

Documentation

The documentation is located on the cozystack.io website.

Read the Getting Started section for a quick start.

If you encounter any difficulties, start with the troubleshooting guide and work your way through the process that we've outlined.

Versioning

Versioning adheres to the Semantic Versioning principles.
A full list of the available releases is available in the GitHub repository's Release section.

Contributions

Contributions are highly appreciated and very welcomed!

In case of bugs, please check if the issue has already been opened by checking the GitHub Issues section. If it isn't, you can open a new one. A detailed report will help us replicate it, assess it, and work on a fix.

You can express your intention to on the fix on your own. Commits are used to generate the changelog, and their author will be referenced in it.

If you have Feature Requests please use the Discussion's Feature Request section.

Community

You are welcome to join our Telegram group and come to our weekly community meetings. Add them to your Google Calendar or iCal for convenience.

License

Cozystack is licensed under Apache 2.0.
The code is provided as-is with no warranties.

Commercial Support

A list of companies providing commercial support for this project can be found on official site.