## What this PR does
The managed Kubernetes app accepts a .controPlane.replicas field, but
this value was never used, instead being hardcoded in the
KamajiControlPlane template to 2. This patch fixes this.
### Release note
```release-note
[kubernetes] Pass the .controlPlane.replicas field into the
KamajiControlPlane template, making the replica count of the
controlplane pods user-configurable.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
depends on https://github.com/cozystack/cozyvalues-gen/pull/16
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
[dx] JSDoc compatible syntax for values.yaml
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Standardized and tightened wording, punctuation and examples across
many charts, READMEs and schemas for clearer parameter docs and
defaults.
* **Refactor**
* Replaced many inline parameter blocks with consistent typedefs/enums
and typed maps (resources, presets, components, addons, storage,
sources, etc.) to unify configuration surfaces.
* **Chores**
* Workflow: updated pre-commit generate step to a newer generator
release.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
With this release, the new Flux 2.7 version becomes generally available
The Flux 2.7 upgrade may require some API bumps. (This PR only upgrades
Flux Operator.)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Added support for an optional “source-watcher” component in Flux
installations, selectable via chart configuration.
- Documentation
- Updated READMEs to reflect v0.30.0 and clarified that charts can
install, configure, and automatically upgrade Flux. Version badges
refreshed.
- Chores
- Bumped chart and app versions to 0.30.0 across Flux Operator and Flux
Instance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
Turns off kubeovn enableLb, kube-proxy implementation of kube-ovn.
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
[system] kube-ovn: turn off kube-proxy implementation
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Added a new load balancing configuration option to system settings
(disabled by default).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
This patch moves the build of the Redis operator into the Cozystack
organization and patches it to prevent overwriting third-party labels on
owned resources.
### Release note
```release-note
[redis-operator] Move operator into tree and patch it to retain
third-party labels on owned resources, reducing noisy traffic to the API
server.
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Implemented automated Docker image build pipeline with version
tracking and caching.
* Updated image configuration to include repository reference and digest
for reproducibility.
* **Bug Fixes**
* Improved label and annotation handling to preserve existing Kubernetes
resource metadata instead of overwriting it.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
This patch changes all clients in the Cozystack API server to typed ones
from the controller runtime. This should improve the performance of the
API server and simplifies the code by removing work with unstructured
objects and dynamic clients.
### Release note
```release-note
[api] Use typed and cache-backed k8s clients in the Cozystack API to
improve performance. Get rid of operations on unstructured objects and
use of dynamic clients.
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Backend migrated to a controller-runtime manager with typed clients
for Kubernetes resources, improving watch reliability and cache sync.
* Storage paths for applications, tenant modules, namespaces, and
secrets now use strongly-typed resource handling for more consistent
behavior.
* **Chores**
* Cluster role expanded to include services in core API permissions.
* **Notes**
* No user-facing API schema changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This patch changes all clients in the Cozystack API server to typed
ones from the controller runtime. This should improve the performance of
the API server and simplifies the code by removing work with
unstructured objects and dynamic clients.
```release-note
[api] Use typed and cache-backed k8s clients in the Cozystack API to
improve performance. Get rid of operations on unstructured objects and
use of dynamic clients.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Documentation
- Added changelogs v0.35.3–v0.35.5 documenting fixes (SeaweedFS S3
liveness/timeouts, VM update-hook regression, Helm merge precedence,
Makefile autodetect removal, etcd topology constraints, test quotas)
with comparison links.
- Published v0.36.0 release notes (feature highlights, major
improvements, dependencies, fixes, CI/dev updates).
- Added v0.36.1 and v0.36.2 release notes and a changelog
template/formatting tweak.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**What this PR does**
This PR adds configuration for sending alerts from Alerta to Slack.
**Key changes**
Added Slack integration configuration in Alerta settings.
This patch moves the build of the Redis operator into the Cozystack
organization and patches it to prevent overwriting third-party labels on
owned resources.
```release-note
[redis-operator] Move operator into tree and patch it to retain
third-party labels on owned resources, reducing noisy traffic to the API
server.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
## What this PR does
Previous test for FerretDB referenced Postgres init jobs, likely copied from other test cases. Removed these references to make tests pass.
### Release note
```release-note
[ferretdb] Remove an erroneous reference to Postgres in the FerretDB test.
```
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
This PR changes default timeout for Velero to copy single item. Default
value 4h is not enough for copying large block volumes of virtual
machines.
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
[velero] Set defaultItemOperationTimeout=24h
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Extended default operation timeout to 24 hours to provide increased
time for operations to complete.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
[]
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Added configurable OVN IPsec key directory and updated deployments to
mount keys from this path.
- Tightened CRD validation with explicit numeric min/max bounds to
prevent invalid configurations.
- Chores
- Updated kube-ovn chart and container image to v1.14.11 (build
environment updated).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- klinch0
+ nbykov0
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
CODEOWNERS updated
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
CODEOWNERS updated
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated repository maintenance configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
Add multus to system components.
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
Added multus to system components.
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added Multus CNI integration enabling multi-network support for
Kubernetes clusters.
* Provided a Helm chart and packaged deployment for Multus, including
required CRD, RBAC, service account, ConfigMap, and DaemonSet to
provision and run the Multus daemon.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
The Kamaji controller overwrites labels on many of the resources it owns
(clastix/kamaji#991). This change applies PR clastix/kamaji#992 to
Cozystack's build of Kamaji, so the lineage webhook doesn't fight the
Kamaji controller, causing a non-stop reconciliation loop.
### Release note
```release-note
[kamaji] Do not clobber third party labels on resources controlled by
Kamaji.
```
The Kamaji controller overwrites labels on many of the resources it owns
(clastix/kamaji#991). This change applies PR clastix/kamaji#992 to
Cozystack's build of Kamaji, so the lineage webhook doesn't fight the
Kamaji controller, causing a non-stop reconciliation loop.
```release-note
[kamaji] Do not clobber third party labels on resources controlled by
Kamaji.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
[ci] Fix build from external forks
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated continuous integration workflow configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
[feature] add ferretdb tests
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Tests
- Added an end-to-end test that provisions a FerretDB instance on
Kubernetes, waits for readiness and init completion, verifies
connectivity to read/write Postgres services (including endpoint
convergence), accounts for known RO delays, and performs full cleanup.
Uses timeouts and retries for stability.
- Chores
- No user-facing product changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
Update Talos Linux v1.11.3
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated version to v1.11.3 across installer profiles.
* Refreshed system extension images to latest available builds with
updated firmware and driver versions.
* Enhanced output format configuration for improved image generation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
Some HelmReleases use `chartRef` instead of `chart`. If the lineage
webhook finds such a HelmRelease, a nil pointer dereference happens.
This patch adds a nil check to guard against this.
### Release note
```release-note
[lineage] Add a nil check to guard against HelmReleases with a nil
.spec.chart field when traversing the ownership tree.
```
Some HelmReleases use `chartRef` instead of `chart`. If the
lineage webhook finds such a HelmRelease, a nil pointer dereference
happens. This patch adds a nil check to guard against this.
```release-note
[lineage] Add a nil check to guard against HelmReleases with a nil
.spec.chart field when traversing the ownership tree.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
Fix an incorrect JSON path that prevented Service LoadBalancer IPs from
rendering in the table view.
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
## What this PR does
For users upgrading from 0.36.2 directly to 0.37.2+, where the
lineage-controller-webhook is broken out of the Cozystack controller
into a separate daemonset, the existing migration script of 0.36->0.37.0
is insufficient. This patch ensures the presence of the new version of
the lineage webhook and fixes a bug in the migration script where the
readiness of the webhook was not appropriately verified.
### Release note
```release-note
[platform] Improved migration script when skipping versions 0.37.0 and
0.37.1 during upgrades.
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Automatically installs the lineage-controller webhook via Helm during
setup, aligning its deployment with existing controller components.
* **Chores**
* Adds a temporary namespace for preflight validation of the webhook
service to avoid cluster-wide side effects.
* Replaces cluster-scoped dry-run checks with namespace-scoped dry-run
and ensures cleanup and timeout-based waits for predictable
installation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For users upgrading from 0.36.2 directly to 0.37.2+, where the
lineage-controller-webhook is broken out of the Cozystack controller
into a separate daemonset, the existing migration script of 0.36->0.37.0
is insufficient. This patch ensures the presence of the new version of
the lineage webhook and fixes a bug in the migration script where the
readiness of the webhook was not appropriately verified.
```release-note
[platform] Improved migration script when skipping versions 0.37.0 and
0.37.1 during upgrades.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
## What this PR does
Adds summary of changes since the release of v0.36.0 up to v0.37.0.
### Release note
```release-note
[docs] Changelog for v0.37
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added the public-facing v0.37.0 changelog: “OpenAPI Dashboard &
Lineage Everywhere.”
* Details highlights, new features (Dashboard, Webhook/Lineage,
API/Platform, Monitoring & Ops, Storage & Backups, Kubernetes/Tooling,
UI/Icons), minor improvements, and bug fixes.
* Includes dependency/version notes, refactors/chores, governance,
breaking changes with upgrade guidance, and security/stability
information.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->
## What this PR does
### Release note
<!-- Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->
```release-note
[api] Fix listing tenantnamespaces for non-oidc users
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Namespace access now recognizes group, user, and service-account
subjects when evaluating RBAC bindings, granting access for matching
identities.
* Service accounts are properly recognized and allowed when their
fully-qualified identity matches bindings.
* **Improvements**
* Simplified and more reliable RBAC subject evaluation to reduce missed
eligible namespaces.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What this PR does
The object storage controller creates secrets with bucket credentials
that have no reference to the parent BucketAccess object. Because of
this they cannot be linked to the managing app
(buckets.apps.cozystack.io) and are not displayed in the new dashboard.
This change patches the auxiliary helm release <bucket_name>-system to
include the bucket name in __its__ secret, so that the necessary secret
values is still presented to the user.
### Release note
```release-note
[bucket] Expose bucket name in tenant secret.
```
The object storage controller creates secrets with bucket credentials
that have no reference to the parent BucketAccess object. Because of
this they cannot be linked to the managing app
(buckets.apps.cozystack.io) and are not displayed in the new dashboard.
This change patches the auxiliary helm release <bucket_name>-system to
include the bucket name in __its__ secret, so that the necessary secret
values is still presented to the user.
```release-note
[bucket] Expose bucket name in tenant secret.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
## What this PR does
The lineage-controller-webhook makes a lot of outgoing API calls for
every event it handles, contributing to a high API server latency,
increasing the number of in-flight requests and generally degrading
performance. This patch remedies this by separating the lineage
component from the cozystack-controller and deploying it as a separate
component on all control-plane nodes. Additionally, a new internal label
is introduced to track if a resource has already been handled by the
webhook. This label is used to exclude such resources from
consideration. Addresses #1513.
### Release note
```release-note
[lineage] Break webhook out into a separate daemonset. Reduce
unnecessary webhook calls by marking handled resources and excluding
them from consideration by the webhook's object selector.
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Standalone Lineage Controller Webhook deployed as its own DaemonSet
with a dedicated Helm chart and image build targets.
- Dedicated TLS provisioning for the webhook via chart-managed certs.
- **Changes**
- Main controller no longer hosts webhook endpoints or certificates.
- Webhook now excludes already-managed resources to reduce unnecessary
invocations.
- Platform bundles updated to include the new webhook release.
- **Documentation**
- Changelog updated to reflect the separation and optimization.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
