[Backport release-1.1] [kubernetes] Fix CiliumNetworkPolicy endpointSelector for multi-node RWX volumes (#2229 )

# Description Backport of #2227 to `release-1.1`.
[kubernetes] Fix CiliumNetworkPolicy endpointSelector for multi-node RWX volumes
2026-03-17 12:28:53 +00:00 · 2026-03-17 09:31:24 +01:00 · 2026-03-16 16:22:05 +00:00 · 2026-03-16 09:38:35 +01:00 · 2026-03-16 01:36:47 +00:00 · 2026-03-13 16:24:27 +01:00
34 changed files with 188 additions and 73 deletions
--- a/internal/controller/dashboard/marketplacepanel.go
+++ b/internal/controller/dashboard/marketplacepanel.go
@@ -68,31 +68,46 @@ func (m *Manager) ensureMarketplacePanel(ctx context.Context, crd *cozyv1alpha1.
 		tags[i] = t
 	}

-	specMap := map[string]any{
-		"description": d.Description,
-		"name":        displayName,
-		"type":        "nonCrd",
-		"apiGroup":    "apps.cozystack.io",
-		"apiVersion":  "v1alpha1",
-		"plural":      app.Plural, // e.g., "buckets"
-		"disabled":    false,
-		"hidden":      false,
-		"tags":        tags,
-		"icon":        d.Icon,
-	}
-
-	specBytes, err := json.Marshal(specMap)
-	if err != nil {
-		return reconcile.Result{}, err
-	}
-
-	_, err = controllerutil.CreateOrUpdate(ctx, m.Client, mp, func() error {
+	_, err := controllerutil.CreateOrUpdate(ctx, m.Client, mp, func() error {
 		if err := controllerutil.SetOwnerReference(crd, mp, m.Scheme); err != nil {
 			return err
 		}
 		// Add dashboard labels to dynamic resources
 		m.addDashboardLabels(mp, crd, ResourceTypeDynamic)

+		// Preserve user-set disabled/hidden values from existing resource
+		disabled := false
+		hidden := false
+		if mp.Spec.Raw != nil {
+			var existing map[string]any
+			if err := json.Unmarshal(mp.Spec.Raw, &existing); err == nil {
+				if v, ok := existing["disabled"].(bool); ok {
+					disabled = v
+				}
+				if v, ok := existing["hidden"].(bool); ok {
+					hidden = v
+				}
+			}
+		}
+
+		specMap := map[string]any{
+			"description": d.Description,
+			"name":        displayName,
+			"type":        "nonCrd",
+			"apiGroup":    "apps.cozystack.io",
+			"apiVersion":  "v1alpha1",
+			"plural":      app.Plural, // e.g., "buckets"
+			"disabled":    disabled,
+			"hidden":      hidden,
+			"tags":        tags,
+			"icon":        d.Icon,
+		}
+
+		specBytes, err := json.Marshal(specMap)
+		if err != nil {
+			return err
+		}
+
 		// Only update spec if it's different to avoid unnecessary updates
 		newSpec := dashv1alpha1.ArbitrarySpec{
 			JSON: apiextv1.JSON{Raw: specBytes},
--- a/internal/controller/dashboard/sidebar.go
+++ b/internal/controller/dashboard/sidebar.go
@@ -38,6 +38,23 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 	}
 	all = crdList.Items

+	// 1b) Fetch all MarketplacePanels to determine which resources are hidden
+	hiddenResources := map[string]bool{}
+	var mpList dashv1alpha1.MarketplacePanelList
+	if err := m.List(ctx, &mpList, &client.ListOptions{}); err == nil {
+		for i := range mpList.Items {
+			mp := &mpList.Items[i]
+			if mp.Spec.Raw != nil {
+				var spec map[string]any
+				if err := json.Unmarshal(mp.Spec.Raw, &spec); err == nil {
+					if hidden, ok := spec["hidden"].(bool); ok && hidden {
+						hiddenResources[mp.Name] = true
+					}
+				}
+			}
+		}
+	}
+
 	// 2) Build category -> []item map (only for CRDs with spec.dashboard != nil)
 	type item struct {
 		Key    string
@@ -63,6 +80,11 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
 		plural := pickPlural(kind, def)
 		lowerKind := strings.ToLower(kind)

+		// Skip resources hidden via MarketplacePanel
+		if hiddenResources[def.Name] {
+			continue
+		}
+
 		// Check if this resource is a module
 		if def.Spec.Dashboard.Module {
 			// Special case: info should have its own keysAndTags, not be in modules
--- a/internal/controller/dashboard/static_refactored.go
+++ b/internal/controller/dashboard/static_refactored.go
@@ -1924,12 +1924,12 @@ func CreateAllFactories() []*dashboardv1alpha1.Factory {
 				map[string]any{
 					"type": "EnrichedTable",
 					"data": map[string]any{
-						"id":                   "external-ips-table",
-						"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/services",
-						"clusterNamePartOfUrl": "{2}",
-						"baseprefix":           "/openapi-ui",
-						"customizationId":      "factory-details-v1.services",
-						"pathToItems":          []any{"items"},
+						"id":              "external-ips-table",
+						"fetchUrl":        "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/services",
+						"cluster":         "{2}",
+						"baseprefix":      "/openapi-ui",
+						"customizationId": "factory-details-v1.services",
+						"pathToItems":     ".items",
 						"fieldSelector": map[string]any{
 							"spec.type": "LoadBalancer",
 						},
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:3753b735b0315bee90de54cb25cfebc63bd2cc90ad11ca4fdc0e70439abd5096
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:e9d0aa7e651b03a6713b380101a61832818a91b5f989da9754f58693898c4056
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:faaa6bcdb68196edb4baafe643679bd7d2ef35f910c639b71e06a4ecc034f232
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:1c8c842277f45f189a5c645fcf7b2023c8ed7189f44029ce8b988019000da14c
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver/controller.go
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver/controller.go
@@ -317,11 +317,7 @@ func (w *WrappedControllerService) ControllerPublishVolume(ctx context.Context,
 				"ownerReferences": []interface{}{vmiOwnerRef},
 			},
 			"spec": map[string]interface{}{
-				"endpointSelector": map[string]interface{}{
-					"matchLabels": map[string]interface{}{
-						"kubevirt.io/vm": vmName,
-					},
-				},
+				"endpointSelector": buildEndpointSelector([]string{vmName}),
 				"egress": []interface{}{
 					map[string]interface{}{
 						"toEndpoints": []interface{}{
@@ -441,6 +437,13 @@ func (w *WrappedControllerService) addCNPOwnerReference(ctx context.Context, nam
 		if err := unstructured.SetNestedSlice(existing.Object, ownerRefs, "metadata", "ownerReferences"); err != nil {
 			return status.Errorf(codes.Internal, "failed to set ownerReferences: %v", err)
 		}
+
+		// Rebuild endpointSelector to include all VMs
+		selector := buildEndpointSelector(vmNamesFromOwnerRefs(ownerRefs))
+		if err := unstructured.SetNestedField(existing.Object, selector, "spec", "endpointSelector"); err != nil {
+			return status.Errorf(codes.Internal, "failed to set endpointSelector: %v", err)
+		}
+
 		if _, err := w.dynamicClient.Resource(ciliumNetworkPolicyGVR).Namespace(namespace).Update(ctx, existing, metav1.UpdateOptions{}); err != nil {
 			return err
 		}
@@ -486,6 +489,13 @@ func (w *WrappedControllerService) removeCNPOwnerReference(ctx context.Context,
 		if err := unstructured.SetNestedSlice(existing.Object, remaining, "metadata", "ownerReferences"); err != nil {
 			return status.Errorf(codes.Internal, "failed to set ownerReferences: %v", err)
 		}
+
+		// Rebuild endpointSelector from remaining VMs
+		selector := buildEndpointSelector(vmNamesFromOwnerRefs(remaining))
+		if err := unstructured.SetNestedField(existing.Object, selector, "spec", "endpointSelector"); err != nil {
+			return status.Errorf(codes.Internal, "failed to set endpointSelector: %v", err)
+		}
+
 		if _, err := w.dynamicClient.Resource(ciliumNetworkPolicyGVR).Namespace(namespace).Update(ctx, existing, metav1.UpdateOptions{}); err != nil {
 			return err
 		}
@@ -494,6 +504,37 @@ func (w *WrappedControllerService) removeCNPOwnerReference(ctx context.Context,
 	})
 }

+// buildEndpointSelector returns an endpointSelector using matchExpressions
+// so that multiple VMs can be listed in a single selector.
+func buildEndpointSelector(vmNames []string) map[string]interface{} {
+	values := make([]interface{}, len(vmNames))
+	for i, name := range vmNames {
+		values[i] = name
+	}
+	return map[string]interface{}{
+		"matchExpressions": []interface{}{
+			map[string]interface{}{
+				"key":      "kubevirt.io/vm",
+				"operator": "In",
+				"values":   values,
+			},
+		},
+	}
+}
+
+// vmNamesFromOwnerRefs extracts VM names from ownerReferences.
+func vmNamesFromOwnerRefs(ownerRefs []interface{}) []string {
+	var names []string
+	for _, ref := range ownerRefs {
+		if refMap, ok := ref.(map[string]interface{}); ok {
+			if name, ok := refMap["name"].(string); ok {
+				names = append(names, name)
+			}
+		}
+	}
+	return names
+}
+
 func hasRWXAccessMode(pvc *corev1.PersistentVolumeClaim) bool {
 	for _, mode := range pvc.Spec.AccessModes {
 		if mode == corev1.ReadWriteMany {
--- a/packages/apps/vm-instance/templates/vm.yaml
+++ b/packages/apps/vm-instance/templates/vm.yaml
@@ -34,6 +34,12 @@ spec:
    metadata:
      annotations:
        kubevirt.io/allow-pod-bridge-network-live-migration: "true"
+        {{- $ovnIPName := printf "%s.%s" (include "virtual-machine.fullname" .) .Release.Namespace }}
+        {{- $ovnIP := lookup "kubeovn.io/v1" "IP" "" $ovnIPName }}
+        {{- if $ovnIP }}
+        ovn.kubernetes.io/mac_address: {{ $ovnIP.spec.macAddress | quote }}
+        ovn.kubernetes.io/ip_address: {{ $ovnIP.spec.ipAddress | quote }}
+        {{- end }}
      labels:
        {{- include "virtual-machine.labels" . | nindent 8 }}
    spec:
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,9 +1,9 @@
 cozystackOperator:
  # Deployment variant: talos, generic, hosted
  variant: talos
-  image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.1.0@sha256:9367001a8d1d2dcf08ae74a42ac234eaa6af18f1af64ac28ce8a5946af9c5d3f
+  image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.1.2@sha256:2d983d1290038b806b4d36b95138f7d312c0b9e0bf239fbbff75f363a447f063
  platformSourceUrl: 'oci://ghcr.io/cozystack/cozystack/cozystack-packages'
-  platformSourceRef: 'digest=sha256:7c6da38e7b99ec80d35ba2cef721ea1579f8a0824989454544fa85318bb7bf15'
+  platformSourceRef: 'digest=sha256:90607296833d64af18d5c7806b8bcce411ca9e77c4f23f00c4d87b80fac2be0d'
 # Generic variant configuration (only used when cozystackOperator.variant=generic)
 cozystack:
  # Kubernetes API server host (IP only, no protocol/port)
--- a/packages/core/platform/images/migrations/migrations/34
+++ b/packages/core/platform/images/migrations/migrations/34
@@ -13,6 +13,15 @@
 set -euo pipefail

 DEFAULT_VERSION="v3.13"
+
+# Skip if the CRD does not exist (rabbitmq was never installed)
+if ! kubectl api-resources --api-group=apps.cozystack.io -o name 2>/dev/null | grep -q '^rabbitmqs\.'; then
+  echo "CRD rabbitmqs.apps.cozystack.io not found, skipping migration"
+  kubectl create configmap -n cozy-system cozystack-version \
+    --from-literal=version=35 --dry-run=client -o yaml | kubectl apply -f-
+  exit 0
+fi
+
 RABBITMQS=$(kubectl get rabbitmqs.apps.cozystack.io -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}')
 for resource in $RABBITMQS; do
  NS="${resource%%/*}"
--- a/packages/core/platform/values.yaml
+++ b/packages/core/platform/values.yaml
@@ -5,7 +5,7 @@ sourceRef:
  path: /
 migrations:
  enabled: false
-  image: ghcr.io/cozystack/cozystack/platform-migrations:v1.1.0@sha256:d7e8955c1ad8c8fbd4ce42b014c0f849d73d0c3faf0cedaac8e15d647fb2f663
+  image: ghcr.io/cozystack/cozystack/platform-migrations:v1.1.2@sha256:bcbe612879cecd2ae1cef91dfff6d34d009c2f7de6592145c04a2d6d21b28f4b
  targetVersion: 35
 # Bundle deployment configuration
 bundles:
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.1.0@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.1.2@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba
--- a/packages/extra/bootbox/images/matchbox.tag
+++ b/packages/extra/bootbox/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v1.1.0@sha256:e4c872f6dadc2bbcb9200d04a1d9878f62502f74e979b4eae6c7203abc6d8fa6
+ghcr.io/cozystack/cozystack/matchbox:v1.1.2@sha256:3ad2bf694e23cfe985f0a62c0f717f7dace8cb05bfe07388004f3f996291ab32
--- a/packages/extra/seaweedfs/images/objectstorage-sidecar.tag
+++ b/packages/extra/seaweedfs/images/objectstorage-sidecar.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.1.0@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.1.2@sha256:0ab0ce0f69b49112eb8626bc3b9802adece123ebaef4f5aaa1780e66a99770b0
--- a/packages/system/backup-controller/values.yaml
+++ b/packages/system/backup-controller/values.yaml
@@ -1,5 +1,5 @@
 backupController:
-  image: "ghcr.io/cozystack/cozystack/backup-controller:v1.1.0@sha256:8e42e29f5d30ecbef1f05cb0601c32703c5f9572b89d2c9032c1dff186e9a526"
+  image: "ghcr.io/cozystack/cozystack/backup-controller:v1.1.2@sha256:900e2bdb0df6e571911e2b6905189c769514b740777745c17e9d83d64ba07986"
  replicas: 2
  debug: false
  metrics:
--- a/packages/system/backupstrategy-controller/values.yaml
+++ b/packages/system/backupstrategy-controller/values.yaml
@@ -1,5 +1,5 @@
 backupStrategyController:
-  image: "ghcr.io/cozystack/cozystack/backupstrategy-controller:v1.1.0@sha256:508e3bd5a83a316732cfb84fe598064e3092482d941cfc53738ca21237642e6f"
+  image: "ghcr.io/cozystack/cozystack/backupstrategy-controller:v1.1.2@sha256:d14f602b73e39e7a4cbedb22668018f03b49b839bdb8b0411d86572620dcc5bc"
  replicas: 2
  debug: false
  metrics:
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:5a7cae722ff6b424bdfbc4aba9d072c11b6930e2ee0f5fa97c3a565bd1c8dc88
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:20a6e3113b5c2005a3de7772da51a0242bec93ba1bd8936f912d958ef0d70214
--- a/packages/system/bucket/templates/deployment.yaml
+++ b/packages/system/bucket/templates/deployment.yaml
@@ -1,3 +1,12 @@
+{{- $endpoint := printf "s3.%s" .Values._namespace.host }}
+{{- range $name, $user := .Values.users }}
+  {{- $secretName := printf "%s-%s" $.Values.bucketName $name }}
+  {{- $existingSecret := lookup "v1" "Secret" $.Release.Namespace $secretName }}
+  {{- if $existingSecret }}
+    {{- $bucketInfo := fromJson (b64dec (index $existingSecret.data "BucketInfo")) }}
+    {{- $endpoint = trimPrefix "https://" (index $bucketInfo.spec.secretS3 "endpoint") }}
+  {{- end }}
+{{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -17,6 +26,6 @@ spec:
        image: "{{ $.Files.Get "images/s3manager.tag" | trim }}"
        env:
        - name: ENDPOINT
-          value: "s3.{{ .Values._namespace.host }}"
+          value: {{ $endpoint | quote }}
        - name: SKIP_SSL_VERIFICATION
          value: "true"
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,3 +1,3 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v1.1.0@sha256:3a8e559b1a71cffb445bab14178d9abeba1b90509f9fec31df5ff5a9a38333d1
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v1.1.2@sha256:d63128e7aac97e5671c5a04a45b96d08f5fc57f5b94ecaab040ef00dde94dc5b
  replicas: 2
--- a/packages/system/cozystack-controller/values.yaml
+++ b/packages/system/cozystack-controller/values.yaml
@@ -1,4 +1,4 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v1.1.0@sha256:f04fa839924a761571e1035d83f380f39f62d1708ea8d22f7a323f17bb59ff96
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v1.1.2@sha256:372e65f4dfe402a4392ed408decf1e78f4d6365bc9053d53440389c15dd35e9d
  debug: false
  disableTelemetry: false
--- a/packages/system/dashboard/templates/configmap.yaml
+++ b/packages/system/dashboard/templates/configmap.yaml
@@ -1,6 +1,6 @@
 {{- $brandingConfig := .Values._cluster.branding | default dict }}

-{{- $tenantText := "v1.1.0" }}
+{{- $tenantText := "v1.1.2" }}
 {{- $footerText := "Cozystack" }}
 {{- $titleText := "Cozystack Dashboard" }}
 {{- $logoText := "" }}
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -1,6 +1,6 @@
 openapiUI:
-  image: ghcr.io/cozystack/cozystack/openapi-ui:v1.1.0@sha256:bc530ae2e428727eed284d7f80b2eea4fdd98b7618d20cab262eef7199af5fa5
+  image: ghcr.io/cozystack/cozystack/openapi-ui:v1.1.2@sha256:b232a5e44553beddda6218350e061746c0be7ede428846136abb3e5778688bbb
 openapiUIK8sBff:
-  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v1.1.0@sha256:c938fee904acd948800d4dc5e121c4c5cd64cb4a3160fb8d2f9dbff0e5168740
+  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v1.1.2@sha256:7dd82ebe1d0c1925bbc440bc65a86852f3dd2bc0f6f12856904df847f15913d3
 tokenProxy:
-  image: ghcr.io/cozystack/cozystack/token-proxy:v1.1.0@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc
+  image: ghcr.io/cozystack/cozystack/token-proxy:v1.1.2@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc
--- a/packages/system/etcd-operator/charts/etcd-operator/README.md
+++ b/packages/system/etcd-operator/charts/etcd-operator/README.md
@@ -38,8 +38,8 @@
 | kubeRbacProxy.args[2] | string | `"--logtostderr=true"` |  |
 | kubeRbacProxy.args[3] | string | `"--v=0"` |  |
 | kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
-| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | Image repository |
-| kubeRbacProxy.image.tag | string | `"v0.16.0"` | Version of image |
+| kubeRbacProxy.image.repository | string | `"quay.io/brancz/kube-rbac-proxy"` | Image repository |
+| kubeRbacProxy.image.tag | string | `"v0.18.1"` | Version of image |
 | kubeRbacProxy.livenessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
 | kubeRbacProxy.readinessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
 | kubeRbacProxy.resources | object | `{"limits":{"cpu":"250m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
--- a/packages/system/etcd-operator/charts/etcd-operator/values.yaml
+++ b/packages/system/etcd-operator/charts/etcd-operator/values.yaml
@@ -98,13 +98,13 @@ kubeRbacProxy:
  image:

    # -- Image repository
-    repository: gcr.io/kubebuilder/kube-rbac-proxy
+    repository: quay.io/brancz/kube-rbac-proxy

    # -- Image pull policy
    pullPolicy: IfNotPresent

    # -- Version of image
-    tag: v0.16.0
+    tag: v0.18.1

  args:
    - --secure-listen-address=0.0.0.0:8443
--- a/packages/system/grafana-operator/images/grafana-dashboards.tag
+++ b/packages/system/grafana-operator/images/grafana-dashboards.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/grafana-dashboards:v1.1.0@sha256:2c9aa0b48e2bf6167db198f4d15882bfe51700108edf2e9f6d0942940a2c1204
+ghcr.io/cozystack/cozystack/grafana-dashboards:v1.1.2@sha256:2c9aa0b48e2bf6167db198f4d15882bfe51700108edf2e9f6d0942940a2c1204
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,7 +3,7 @@ kamaji:
    deploy: false
  image:
    pullPolicy: IfNotPresent
-    tag: v1.1.0@sha256:914d04f7442f0faecf18f8282c192dee9fe244a711494a8c892e2f9e2ad415f7
+    tag: v1.1.2@sha256:e46d5bb83afdfa42c7702c0fb69d50fade85541ab25795415aa407ae71d5a0db
    repository: ghcr.io/cozystack/cozystack/kamaji
  resources:
    limits:
@@ -13,4 +13,4 @@ kamaji:
      cpu: 100m
      memory: 100Mi
  extraArgs:
-    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v1.1.0@sha256:914d04f7442f0faecf18f8282c192dee9fe244a711494a8c892e2f9e2ad415f7
+    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v1.1.2@sha256:e46d5bb83afdfa42c7702c0fb69d50fade85541ab25795415aa407ae71d5a0db
--- a/packages/system/keycloak/templates/sts.yaml
+++ b/packages/system/keycloak/templates/sts.yaml
@@ -76,6 +76,8 @@ spec:
            {{- end }}
            - name: KC_METRICS_ENABLED
              value: "true"
+            - name: KC_HEALTH_ENABLED
+              value: "true"
            - name: KC_LOG_LEVEL
              value: "info"
            - name: KC_CACHE
@@ -130,16 +132,27 @@ spec:
            - name: http
              containerPort: 8080
              protocol: TCP
+            - name: management
+              containerPort: 9000
+              protocol: TCP
+          startupProbe:
+            httpGet:
+              path: /health/ready
+              port: management
+            failureThreshold: 30
+            periodSeconds: 10
          livenessProbe:
            httpGet:
-              path: /
-              port: http
-            initialDelaySeconds: 120
+              path: /health/live
+              port: management
+            periodSeconds: 15
            timeoutSeconds: 5
+            failureThreshold: 5
          readinessProbe:
            httpGet:
-              path: /realms/master
-              port: http
-            initialDelaySeconds: 60
-            timeoutSeconds: 1
+              path: /health/ready
+              port: management
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
      terminationGracePeriodSeconds: 60
--- a/packages/system/kubeovn-plunger/values.yaml
+++ b/packages/system/kubeovn-plunger/values.yaml
@@ -1,4 +1,4 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v1.1.0@sha256:b91bf0964a3204e50f703092f190b7d96c078a6ccee430215042ae1275ed5127
+image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v1.1.2@sha256:1d12beabe1b71ae0525b0a6215c4e96b0ba091357418228e134d1e7ed5be2437
 ovnCentralName: ovn-central
--- a/packages/system/kubeovn-webhook/values.yaml
+++ b/packages/system/kubeovn-webhook/values.yaml
@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v1.1.0@sha256:e18f9fd679e38f65362a8d0042f25468272f6d081136ad47027168d8e7e07a4a
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v1.1.2@sha256:e18f9fd679e38f65362a8d0042f25468272f6d081136ad47027168d8e7e07a4a
--- a/packages/system/kubevirt-csi-node/values.yaml
+++ b/packages/system/kubevirt-csi-node/values.yaml
@@ -1,3 +1,3 @@
 storageClass: replicated
 csiDriver:
-  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:faaa6bcdb68196edb4baafe643679bd7d2ef35f910c639b71e06a4ecc034f232
+  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:1c8c842277f45f189a5c645fcf7b2023c8ed7189f44029ce8b988019000da14c
--- a/packages/system/lineage-controller-webhook/values.yaml
+++ b/packages/system/lineage-controller-webhook/values.yaml
@@ -1,5 +1,5 @@
 lineageControllerWebhook:
-  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v1.1.0@sha256:4d6a2bb76cae84e24cd48c7377b03ed6bdfefe611221d2c0a7f77a5457db8849
+  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v1.1.2@sha256:bd17f7a4c57789d13926a97f8b59aea8bbf9117291ccc63ac0d238b5ea5f3b67
  debug: false
  localK8sAPIEndpoint:
    enabled: true
--- a/packages/system/linstor/values.yaml
+++ b/packages/system/linstor/values.yaml
@@ -13,4 +13,4 @@ linstor:
 linstorCSI:
  image:
    repository: ghcr.io/cozystack/cozystack/linstor-csi
-    tag: v1.10.5@sha256:50ab1ab0210d4e7ebfca311f445bb764516db5ddb63fc6d28536b28622eee753
+    tag: v1.10.5@sha256:093034953ddb0466a67f5e28f2f242464bf8f263545632e05e0c32adc07f3f8a
--- a/packages/system/objectstorage-controller/values.yaml
+++ b/packages/system/objectstorage-controller/values.yaml
@@ -1,3 +1,3 @@
 objectstorage:
  controller:
-    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v1.1.0@sha256:e40e94f3014cfd04cce4230597315a1acfcca2daa8051b987614d0c05da6d928"
+    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v1.1.2@sha256:6f46dd505e976b10e08ee47bc8bbc2b7de9f49ed1cc5afe84490c2b7b811385d"
--- a/packages/system/seaweedfs/values.yaml
+++ b/packages/system/seaweedfs/values.yaml
@@ -177,7 +177,7 @@ seaweedfs:
    bucketClassName: "seaweedfs"
    region: ""
    sidecar:
-      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.1.0@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f"
+      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.1.2@sha256:0ab0ce0f69b49112eb8626bc3b9802adece123ebaef4f5aaa1780e66a99770b0"
  certificates:
    commonName: "SeaweedFS CA"
    ipAddresses: []
--- a/pkg/cmd/server/openapi.go
+++ b/pkg/cmd/server/openapi.go
@@ -224,8 +224,8 @@ func buildPostProcessV3(kindSchemas map[string]string) func(*spec3.OpenAPI) (*sp
 		base, ok1 := doc.Components.Schemas[baseRef]
 		list, ok2 := doc.Components.Schemas[baseListRef]
 		stat, ok3 := doc.Components.Schemas[baseStatusRef]
-		if !(ok1 && ok2 && ok3) && len(kindSchemas) > 0 {
-			return doc, fmt.Errorf("base Application* schemas not found")
+		if !(ok1 && ok2 && ok3) {
+			return doc, nil // not the apps GV — nothing to patch
 		}

 		// Clone base schemas for each kind
@@ -339,8 +339,8 @@ func buildPostProcessV2(kindSchemas map[string]string) func(*spec.Swagger) (*spe
 		base, ok1 := defs[baseRef]
 		list, ok2 := defs[baseListRef]
 		stat, ok3 := defs[baseStatusRef]
-		if !(ok1 && ok2 && ok3) && len(kindSchemas) > 0 {
-			return sw, fmt.Errorf("base Application* schemas not found")
+		if !(ok1 && ok2 && ok3) {
+			return sw, nil // not the apps GV — nothing to patch
 		}

 		for kind, raw := range kindSchemas {
Author	SHA1	Message	Date
Andrei Kvapil	ea641f7ec7	[Backport release-1.1] [kubernetes] Fix CiliumNetworkPolicy endpointSelector for multi-node RWX volumes (#2229 ) # Description Backport of #2227 to `release-1.1`.	2026-03-17 09:31:24 +01:00
mattia-eleuteri	2c23f1fab6	[kubernetes] Fix CiliumNetworkPolicy endpointSelector for multi-node RWX volumes When an NFS-backed RWX volume is published to multiple VMs, the CiliumNetworkPolicy egress rule only allowed traffic from the first VM. The endpointSelector.matchLabels was set once on creation and never broadened, causing NFS mounts to hang on all nodes except the first. Switch from matchLabels to matchExpressions (operator: In) so the selector can list multiple VM names. Rebuild the selector whenever ownerReferences are added or removed. Signed-off-by: mattia-eleuteri <mattia@hidora.io> (cherry picked from commit `cc5ec0b7a3`)	2026-03-16 16:22:05 +00:00
Andrei Kvapil	2de20be50b	Release v1.1.2 (#2218 ) This PR prepares the release `v1.1.2`.	2026-03-16 09:38:35 +01:00
cozystack-bot	1c87fe2004	Prepare release v1.1.2 Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>	2026-03-16 01:36:47 +00:00
Andrei Kvapil	a18047fc16	[Backport release-1.1] fix(api): skip OpenAPI post-processor for non-apps group versions (#2217 ) # Description Backport of #2212 to `release-1.1`.	2026-03-13 16:24:27 +01:00
Andrei Kvapil	803d6b15ba	[Backport release-1.1] [bucket] Fix s3manager endpoint mismatch with COSI credentials (#2215 ) # Description Backport of #2211 to `release-1.1`.	2026-03-13 16:23:58 +01:00
Andrei Kvapil	c94768c64b	Revert "fix(operator): requeue packages when dependencies are not ready" This reverts commit `f906a0d8ad`. Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `2b60c010dd`)	2026-03-13 15:23:34 +00:00
Andrei Kvapil	093329cdce	fix(operator): requeue packages when dependencies are not ready When dependencies are not ready the reconciler returned without requeueing, relying solely on watch events to re-trigger. If a watch event was missed (controller restart, race condition, dependency already ready before watch setup), the package would stay stuck in DependenciesNotReady forever. Add RequeueAfter: 30s so dependencies are periodically rechecked. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `f906a0d8ad`)	2026-03-13 15:23:34 +00:00
Andrei Kvapil	0e3c7fabff	fix(api): skip OpenAPI post-processor for non-apps group versions The OpenAPI PostProcessSpec callback is invoked for every group-version (apps, core, version, etc.), but the Application schema cloning logic only applies to apps.cozystack.io. When called for other GVs the base Application schemas are absent, causing a spurious error log on every API server start. Return early instead of erroring when the base schemas are not found. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `ee83aaa82e`)	2026-03-13 15:23:34 +00:00
IvanHunters	0ba129b4b7	[bucket] Fix s3manager endpoint to use actual S3 endpoint from BucketInfo The deployment template was constructing the S3 endpoint from the tenant's namespace host (e.g. s3.freedom.infra.example.com), while COSI credentials are issued for the actual SeaweedFS endpoint (e.g. s3.infra.example.com). This mismatch caused 'invalid credentials' errors when users tried to log in with valid credentials from the bucket secret. Now the endpoint is resolved from BucketInfo (same source as credentials), with a fallback to the constructed namespace host for first-time deploys before BucketAccess secrets are created. Signed-off-by: IvanHunters <xorokhotnikov@gmail.com> (cherry picked from commit `f647cfd7b9`)	2026-03-13 15:23:24 +00:00
Andrei Kvapil	095d3ab150	Release v1.1.1 (#2184 ) This PR prepares the release `v1.1.1`.	2026-03-11 00:12:15 +01:00
cozystack-bot	b06e2cecd5	Prepare release v1.1.1 Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>	2026-03-10 20:31:40 +00:00
Andrei Kvapil	b255214da0	[Backport release-1.1] fix(dashboard): exclude hidden MarketplacePanel resources from sidebar menu (#2203 ) # Description Backport of #2177 to `release-1.1`.	2026-03-10 17:50:15 +01:00
Andrei Kvapil	4c9c68b7f5	[Backport release-1.1] fix(dashboard): preserve disabled/hidden state on MarketplacePanel reconciliation (#2201 ) # Description Backport of #2176 to `release-1.1`.	2026-03-10 17:50:04 +01:00
IvanHunters	002bd20f19	fix(dashboard): exclude hidden MarketplacePanel resources from sidebar menu The sidebar was generated independently from MarketplacePanels, always showing all resources regardless of their hidden state. Fetch MarketplacePanels during sidebar reconciliation and skip resources where hidden=true, so hiding a resource from the marketplace also removes it from the sidebar navigation. Signed-off-by: IvanHunters <xorokhotnikov@gmail.com> (cherry picked from commit `318079bf66`)	2026-03-10 16:49:44 +00:00
IvanHunters	22c46d7271	fix(dashboard): preserve disabled/hidden state on MarketplacePanel reconciliation The controller was hardcoding disabled=false and hidden=false on every reconciliation, overwriting any user changes made through the dashboard UI. Move spec building inside the CreateOrUpdate mutate function to read and preserve current disabled/hidden values from the existing resource. Signed-off-by: IvanHunters <xorokhotnikov@gmail.com> (cherry picked from commit `e69efd80c4`)	2026-03-10 16:48:33 +00:00
Andrei Kvapil	dce757c884	[Backport release-1.1] fix(dashboard): fix External IPs factory EnrichedTable rendering (#2193 ) # Description Backport of #2175 to `release-1.1`.	2026-03-10 15:19:42 +01:00
Andrei Kvapil	109b4a333e	[Backport release-1.1] [platform] Fix VM MAC address not preserved during migration (#2190 ) # Description Backport of #2169 to `release-1.1`.	2026-03-10 15:19:15 +01:00
IvanHunters	4dada99a92	fix(dashboard): fix External IPs factory EnrichedTable rendering The external-ips factory used incorrect EnrichedTable properties causing empty rows in the dashboard. Replace `clusterNamePartOfUrl` with `cluster` and change `pathToItems` from array to dot-path string format to match the convention used by all other working EnrichedTable instances. Signed-off-by: IvanHunters <xorokhotnikov@gmail.com> (cherry picked from commit `49601b166d`)	2026-03-10 14:19:13 +00:00
Kirill Ilin	fd18a699b9	fix(migration): preserve VM MAC address during virtual-machine to vm-instance migration Kube-OVN reads MAC address exclusively from the pod annotation ovn.kubernetes.io/mac_address, not from the IP resource spec.macAddress. Without pod-level annotations, migrated VMs receive a new random MAC, breaking OS-level network config that matches by MAC (e.g. netplan). Add a Helm lookup for the Kube-OVN IP resource in the vm-instance chart template. When the IP resource exists, its macAddress and ipAddress are automatically injected as pod annotations. This removes the need for fragile Flux postRenderers on the HelmRelease — the chart itself handles MAC/IP preservation based on actual cluster state. Remove the postRenderers approach from migration 29 since the chart now handles this natively. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Kirill Ilin <stitch14@yandex.ru> (cherry picked from commit `9a4f49238c`)	2026-03-10 14:18:35 +00:00
Andrei Kvapil	532669ad61	[Backport release-1.1] fix(etcd-operator): replace deprecated kube-rbac-proxy image (#2182 ) # Description Backport of #2181 to `release-1.1`.	2026-03-10 12:39:16 +01:00
Andrei Kvapil	116e1baf63	fix(etcd-operator): replace deprecated kube-rbac-proxy image The gcr.io/kubebuilder/kube-rbac-proxy image is no longer available since GCR was deprecated. Replace it with quay.io/brancz/kube-rbac-proxy from the original upstream author. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `4946383cf1`)	2026-03-10 11:37:08 +00:00
Andrei Kvapil	52b4a0a7c6	[Backport release-1.1] fix(migrations): handle missing rabbitmq CRD in migration 34 (#2180 ) # Description Backport of #2168 to `release-1.1`.	2026-03-10 09:03:24 +01:00
IvanHunters	0b4f3c7d30	fix(migrations): handle missing rabbitmq CRD in migration 34 Migration 34 fails when rabbitmqs.apps.cozystack.io CRD does not exist, which happens when RabbitMQ was never installed on the cluster. Add a check for CRD presence before attempting to list resources. Signed-off-by: IvanHunters <xorokhotnikov@gmail.com> (cherry picked from commit `21f293ace5`)	2026-03-10 07:19:01 +00:00
Andrei Kvapil	ccb37d3fac	[Backport release-1.1] fix(keycloak): use management port health endpoints for probes (#2179 ) # Description Backport of #2162 to `release-1.1`.	2026-03-10 08:17:32 +01:00
mattia-eleuteri	89d90cac2d	fix(keycloak): add startupProbe, remove initialDelaySeconds Use a startupProbe to defer liveness/readiness checks until Keycloak has fully started, instead of relying on initialDelaySeconds. This is more robust for applications with variable startup times. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: mattia-eleuteri <mattia@hidora.io> (cherry picked from commit `d18ed79382`)	2026-03-10 07:15:33 +00:00
mattia-eleuteri	4f9a035c5b	fix(keycloak): use management port health endpoints for probes Keycloak 26.x exposes dedicated health endpoints on the management port (9000) via /health/live and /health/ready. The previous probes used GET / on port 8080 which redirects to the configured KC_HOSTNAME (HTTPS), causing kubelet to fail the probe with "Probe terminated redirects" and eventually kill the pod in a crashloop. Changes: - Add KC_HEALTH_ENABLED=true to activate health endpoints - Expose management port 9000 in container ports - Switch liveness probe to /health/live on port 9000 - Switch readiness probe to /health/ready on port 9000 - Increase failure thresholds for more tolerance during startup Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: mattia-eleuteri <mattia@hidora.io> (cherry picked from commit `0873691913`)	2026-03-10 07:15:33 +00:00