Release v0.41.11 (#2185 )

This PR prepares the release `v0.41.11`.
Prepare release v0.41.11
2026-03-12 18:08:58 +00:00 · 2026-03-10 21:21:40 +01:00 · 2026-03-10 11:48:01 +00:00 · 2026-03-10 12:38:58 +01:00 · 2026-03-04 00:24:11 +01:00 · 2026-03-03 01:36:20 +00:00
51 changed files with 771 additions and 106 deletions
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:9e34fd50393b418d9516aadb488067a3a63675b045811beb1c0afc9c61e149e8
+ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:cb25e40cb665b8bbeee8cb1ec39da4c9a7452ef3f2f371912bbc0d1b1e2d40a8
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:598331326f0c2aac420187f0cc3a49fedcb22ed5de4afe50c6ccf8e05d9fa537
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:3753b735b0315bee90de54cb25cfebc63bd2cc90ad11ca4fdc0e70439abd5096
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:0b208ed506dd8c453426761d93ec3d42c9d1b791ba6c91b01c6386dcb1b02442
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:bb5b17044969e663c3b391f7274883735c0ffe05a9523988469bdf2974de2dea
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.33@sha256:71a74ca30f75967bae309be2758f19aa3d37c60b19426b9b622ff1c33a80362f
+ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.33@sha256:9d4ad080ef729e0f9f1f5919cb85c0c9b6dc772a22d52046b2de9ccba3772715
--- a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml
@@ -1,3 +1,13 @@
+{{- define "cozystack.defaultCertManagerValues" -}}
+{{- if $.Values.addons.gatewayAPI.enabled }}
+cert-manager:
+  config:
+    apiVersion: controller.config.cert-manager.io/v1alpha1
+    kind: ControllerConfiguration
+    enableGatewayAPI: true
+{{- end }}
+{{- end }}
+
 {{- if .Values.addons.certManager.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -33,11 +43,8 @@ spec:
    force: true
    remediation:
      retries: -1
-  {{- with .Values.addons.certManager.valuesOverride }}
  values:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-
+    {{- toYaml (deepCopy .Values.addons.certManager.valuesOverride | mergeOverwrite (fromYaml (include "cozystack.defaultCertManagerValues" .))) | nindent 4 }}
  dependsOn:
  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
  - name: {{ .Release.Name }}
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -231,7 +231,6 @@ rules:
    - get
    - list
    - watch
-    - delete
  - apiGroups: ["kubevirt.io"]
    resources:
    - virtualmachines
@@ -330,7 +329,6 @@ rules:
    - get
    - list
    - watch
-    - delete
  - apiGroups: ["kubevirt.io"]
    resources:
    - virtualmachines
--- a/packages/apps/virtual-machine/templates/_helpers.tpl
+++ b/packages/apps/virtual-machine/templates/_helpers.tpl
@@ -70,6 +70,29 @@ Generate a stable UUID for cloud-init re-initialization upon upgrade.
 {{- $uuid }}
 {{- end }}

+{{/*
+Domain resources (cpu, memory) as a JSON object.
+Used in vm.yaml for rendering and in the update hook for merge patches.
+*/}}
+{{- define "virtual-machine.domainResources" -}}
+{{- $result := dict -}}
+{{- if or .Values.cpuModel (and .Values.resources .Values.resources.cpu .Values.resources.sockets) -}}
+  {{- $cpu := dict -}}
+  {{- if and .Values.resources .Values.resources.cpu .Values.resources.sockets -}}
+    {{- $_ := set $cpu "cores" (.Values.resources.cpu | int64) -}}
+    {{- $_ := set $cpu "sockets" (.Values.resources.sockets | int64) -}}
+  {{- end -}}
+  {{- if .Values.cpuModel -}}
+    {{- $_ := set $cpu "model" .Values.cpuModel -}}
+  {{- end -}}
+  {{- $_ := set $result "cpu" $cpu -}}
+{{- end -}}
+{{- if and .Values.resources .Values.resources.memory -}}
+  {{- $_ := set $result "resources" (dict "requests" (dict "memory" .Values.resources.memory)) -}}
+{{- end -}}
+{{- $result | toJson -}}
+{{- end -}}
+
 {{/*
 Node Affinity for Windows VMs
 */}}
--- a/packages/apps/virtual-machine/templates/vm-update-hook.yaml
+++ b/packages/apps/virtual-machine/templates/vm-update-hook.yaml
@@ -14,14 +14,21 @@
 {{- $needUpdateProfile := false -}}
 {{- $needResizePVC := false -}}
 {{- $needRecreateService := false -}}
+{{- $needRemoveInstanceType := false -}}
+{{- $needRemoveCustomResources := false -}}

-{{- if and $existingVM $instanceType -}}
+{{- $existingHasInstanceType := and $existingVM $existingVM.spec.instancetype -}}
+{{- if and $existingHasInstanceType (not $instanceType) -}}
+  {{- $needRemoveInstanceType = true -}}
+{{- else if and $existingHasInstanceType $instanceType -}}
  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
    {{- $needUpdateType = true -}}
  {{- end -}}
+{{- else if and $existingVM (not $existingHasInstanceType) $instanceType -}}
+  {{- $needRemoveCustomResources = true -}}
 {{- end -}}

-{{- if and $existingVM $instanceProfile -}}
+{{- if and $existingVM $existingVM.spec.preference $instanceProfile -}}
  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
    {{- $needUpdateProfile = true -}}
  {{- end -}}
@@ -45,7 +52,7 @@
  {{- end -}}
 {{- end -}}

-{{- if or $needUpdateType $needUpdateProfile $needResizePVC $needRecreateService }}
+{{- if or $needUpdateType $needUpdateProfile $needResizePVC $needRecreateService $needRemoveInstanceType $needRemoveCustomResources }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -90,6 +97,20 @@ spec:
                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
              {{- end }}

+              {{- if $needRemoveInstanceType }}
+              echo "Removing instancetype from VM (switching to custom resources)..."
+              kubectl patch virtualmachines.kubevirt.io {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":null{{- if not $instanceProfile }},"preference":null{{- end }},"template":{"spec":{"domain":{{ include "virtual-machine.domainResources" . }}}}}}'
+              {{- end }}
+
+              {{- if $needRemoveCustomResources }}
+              echo "Removing custom CPU/memory from domain (switching to instancetype)..."
+              kubectl patch virtualmachines.kubevirt.io {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name":"{{ $instanceType }}","revisionName":null},"template":{"spec":{"domain":{"cpu":null,"resources":null}}}}}'
+              {{- end }}
+
              {{- if $needResizePVC }}
              echo "Patching PVC for storage resize..."
              kubectl patch pvc {{ $vmName }} -n {{ $namespace }} \
--- a/packages/apps/virtual-machine/templates/vm.yaml
+++ b/packages/apps/virtual-machine/templates/vm.yaml
@@ -4,6 +4,9 @@
 {{- if and .Values.instanceProfile (not (lookup "instancetype.kubevirt.io/v1beta1" "VirtualMachineClusterPreference" "" .Values.instanceProfile)) }}
 {{-   fail (printf "Specified profile not exists in cluster: %s" .Values.instanceProfile) }}
 {{- end }}
+{{- if and (not .Values.instanceType) (not (and .Values.resources .Values.resources.cpu .Values.resources.sockets .Values.resources.memory)) }}
+{{-   fail "Either instanceType or resources (cpu, sockets, memory) must be specified" }}
+{{- end }}

 apiVersion: kubevirt.io/v1
 kind: VirtualMachine
@@ -67,15 +70,12 @@ spec:
        {{- include "virtual-machine.labels" . | nindent 8 }}
    spec:
      domain:
-        {{- if and .Values.resources .Values.resources.cpu .Values.resources.sockets }}
-        cpu:
-          cores: {{ .Values.resources.cpu }}
-          sockets: {{ .Values.resources.sockets }}
+        {{- $domainRes := include "virtual-machine.domainResources" . | fromJson -}}
+        {{- with $domainRes.cpu }}
+        cpu: {{- . | toYaml | nindent 10 }}
        {{- end }}
-        {{- if and .Values.resources .Values.resources.memory }}
-        resources:
-          requests:
-            memory: {{ .Values.resources.memory | quote }}
+        {{- with $domainRes.resources }}
+        resources: {{- . | toYaml | nindent 10 }}
        {{- end }}
        firmware:
          uuid: {{ include "virtual-machine.stableUuid" . }}
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.41.7@sha256:0b029f4f01caa27ab3d6c332535d5a08da3b15e694f5e19bfc431de1e95e61cf
+  image: ghcr.io/cozystack/cozystack/installer:v0.41.11@sha256:ba9271deb2f6ac29dd067a1277a4b3c33504a045c375957a2175deaee6fdfec3
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -27,7 +27,7 @@ releases:
  dependsOn: [cilium]

 - name: cozy-proxy
-  releaseName: cozystack
+  releaseName: cozy-proxy
  chart: cozy-cozy-proxy
  namespace: cozy-system
  optional: true
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -66,7 +66,7 @@ releases:
  dependsOn: [cilium,kubeovn]

 - name: cozy-proxy
-  releaseName: cozystack
+  releaseName: cozy-proxy
  chart: cozy-cozy-proxy
  namespace: cozy-system
  dependsOn: [cilium,kubeovn,multus]
--- a/packages/core/platform/values.yaml
+++ b/packages/core/platform/values.yaml
@@ -1,2 +1,2 @@
 assets:
-  image: ghcr.io/cozystack/cozystack/cozystack-assets:v0.41.7@sha256:118427e4f9cfc01ec986369ca224640a3fc4eb231405d7b8d117be6990116e5c
+  image: ghcr.io/cozystack/cozystack/cozystack-assets:v0.41.11@sha256:04ca6ac7ac72f4a4d975a33436dc401abf457eb27a7e59f32a333f0b689a11e3
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.41.7@sha256:eac71ef0de3450fce96255629e77903630c63ade62b81e7055f1a689f92ee153
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.41.11@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba
--- a/packages/extra/bootbox/images/matchbox.tag
+++ b/packages/extra/bootbox/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.41.7@sha256:4abc4fb574f5077372d0053dbb259eb85cf0ce931de7d46701a2276a3e25efec
+ghcr.io/cozystack/cozystack/matchbox:v0.41.11@sha256:d11c034f1475d40e83f94a7f51a21082203c72346fe6a35fc931de976c0546c2
--- a/packages/extra/seaweedfs/images/objectstorage-sidecar.tag
+++ b/packages/extra/seaweedfs/images/objectstorage-sidecar.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.41.7@sha256:3e61975b8bb04d0e1d993a08b49ce8d5265e029a21ad6d57b44d4f93243aff4c
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.41.11@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:5bc30fcdc14b289c7eeca3c53388270e3a56d10a3e611fe6c9099afa02661cf4
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:1f03fde12124b94b646532e3ebdebf62b8d87e42e0aa5576cd07c4559ce66403
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,5 +1,5 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.41.7@sha256:175c2b4b7e75a092eb0feefa96c1b11f524bd72d7f58d9df5c9a4fade694537f
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.41.11@sha256:3a8cb618f140c60eb2a5afd3f07a5ec7e638ab4cd949ea0913abc372703a2d82
  localK8sAPIEndpoint:
    enabled: true
  replicas: 2
--- a/packages/system/cozystack-controller/values.yaml
+++ b/packages/system/cozystack-controller/values.yaml
@@ -1,6 +1,6 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.41.7@sha256:007deee61a161bc0eb5fad68cbe6ae5a7b080d083122a3884610aa64011f8235
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.41.11@sha256:8f1c725989e32706293afaea195d110d7690b06ad2e52742fce2bbe9f71cbe48
  debug: false
  disableTelemetry: false
-  cozystackVersion: "v0.41.7"
+  cozystackVersion: "v0.41.11"
  cozystackAPIKind: "DaemonSet"
--- a/packages/system/dashboard/templates/configmap.yaml
+++ b/packages/system/dashboard/templates/configmap.yaml
@@ -1,6 +1,6 @@
 {{- $brandingConfig := .Values._cluster.branding | default dict }}

-{{- $tenantText := "v0.41.7" }}
+{{- $tenantText := "v0.41.11" }}
 {{- $footerText := "Cozystack" }}
 {{- $titleText := "Cozystack Dashboard" }}
 {{- $logoText := "" }}
--- a/packages/system/dashboard/templates/web.yaml
+++ b/packages/system/dashboard/templates/web.yaml
@@ -63,6 +63,13 @@ spec:
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
+          startupProbe:
+            httpGet:
+              path: /healthcheck
+              port: 64231
+              scheme: HTTP
+            failureThreshold: 30
+            periodSeconds: 2
          name: bff
          ports:
            - containerPort: 64231
@@ -183,6 +190,13 @@ spec:
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
+          startupProbe:
+            httpGet:
+              path: /healthcheck
+              port: 8080
+              scheme: HTTP
+            failureThreshold: 30
+            periodSeconds: 2
          name: web
          ports:
            - containerPort: 8080
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -1,6 +1,6 @@
 openapiUI:
-  image: ghcr.io/cozystack/cozystack/openapi-ui:v0.41.7@sha256:001f5fe942db0b6589a49edc9ec7983cfaf495ac028e9d3a35d01a508c9a2bd3
+  image: ghcr.io/cozystack/cozystack/openapi-ui:v0.41.11@sha256:87dfcda3aaaade114e099a3bd8fbb4479a20a761d60849dd2fe47ba245db7cb8
 openapiUIK8sBff:
-  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v0.41.7@sha256:d33583995dc81a47c1dcbe45dbd866fa9097f88f4b6eb78b408dca432f15bd38
+  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v0.41.11@sha256:0ee55b703839497b7d8264000c3f39c3688b550de1047eb754577523c810fa79
 tokenProxy:
-  image: ghcr.io/cozystack/cozystack/token-proxy:v0.41.7@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc
+  image: ghcr.io/cozystack/cozystack/token-proxy:v0.41.11@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc
--- a/packages/system/etcd-operator/charts/etcd-operator/README.md
+++ b/packages/system/etcd-operator/charts/etcd-operator/README.md
@@ -38,8 +38,8 @@
 | kubeRbacProxy.args[2] | string | `"--logtostderr=true"` |  |
 | kubeRbacProxy.args[3] | string | `"--v=0"` |  |
 | kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
-| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | Image repository |
-| kubeRbacProxy.image.tag | string | `"v0.16.0"` | Version of image |
+| kubeRbacProxy.image.repository | string | `"quay.io/brancz/kube-rbac-proxy"` | Image repository |
+| kubeRbacProxy.image.tag | string | `"v0.18.1"` | Version of image |
 | kubeRbacProxy.livenessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
 | kubeRbacProxy.readinessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
 | kubeRbacProxy.resources | object | `{"limits":{"cpu":"250m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
--- a/packages/system/etcd-operator/charts/etcd-operator/values.yaml
+++ b/packages/system/etcd-operator/charts/etcd-operator/values.yaml
@@ -98,13 +98,13 @@ kubeRbacProxy:
  image:

    # -- Image repository
-    repository: gcr.io/kubebuilder/kube-rbac-proxy
+    repository: quay.io/brancz/kube-rbac-proxy

    # -- Image pull policy
    pullPolicy: IfNotPresent

    # -- Version of image
-    tag: v0.16.0
+    tag: v0.18.1

  args:
    - --secure-listen-address=0.0.0.0:8443
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,7 +3,7 @@ kamaji:
    deploy: false
  image:
    pullPolicy: IfNotPresent
-    tag: v0.41.7@sha256:fe9b6bb548edfc26be8aaac65801d598a4e2f9884ddf748083b9e509fa00259e
+    tag: v0.41.11@sha256:9ac09f817c67de652bacedcdc0390cd343401879b6c1a1c28131a0f109af3804
    repository: ghcr.io/cozystack/cozystack/kamaji
  resources:
    limits:
@@ -13,4 +13,4 @@ kamaji:
      cpu: 100m
      memory: 100Mi
  extraArgs:
-    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v0.41.7@sha256:fe9b6bb548edfc26be8aaac65801d598a4e2f9884ddf748083b9e509fa00259e
+    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v0.41.11@sha256:9ac09f817c67de652bacedcdc0390cd343401879b6c1a1c28131a0f109af3804
--- a/packages/system/kubeovn-plunger/values.yaml
+++ b/packages/system/kubeovn-plunger/values.yaml
@@ -1,4 +1,4 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v0.41.7@sha256:e17ad42e4d9d89af05c8f0534e15338e03ff5a75deb26af19fcf0ff12f5f668e
+image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v0.41.11@sha256:50dcf0aa177d8b88949d15cdbbb225f4ac06677048111b5d8ff4910d6ec97d11
 ovnCentralName: ovn-central
--- a/packages/system/kubeovn-webhook/values.yaml
+++ b/packages/system/kubeovn-webhook/values.yaml
@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.41.7@sha256:e18f9fd679e38f65362a8d0042f25468272f6d081136ad47027168d8e7e07a4a
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.41.11@sha256:e18f9fd679e38f65362a8d0042f25468272f6d081136ad47027168d8e7e07a4a
--- a/packages/system/kubeovn/Makefile
+++ b/packages/system/kubeovn/Makefile
@@ -1,5 +1,3 @@
-KUBEOVN_TAG=v0.40.0
-
 export NAME=kubeovn
 export NAMESPACE=cozy-$(NAME)

@@ -8,6 +6,6 @@ include ../../../scripts/package.mk

 update:
 	rm -rf charts values.yaml Chart.yaml
-	tag=$(KUBEOVN_TAG) && \
-	curl -sSL https://github.com/cozystack/kubeovn/archive/refs/tags/$${tag}.tar.gz | \
-	tar xzvf - --strip 2 kubeovn-$${tag#*v}/chart
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/cozystack/kubeovn-chart | awk -F'[/^]' 'END{print $$3}') && \
+	curl -sSL https://github.com/cozystack/kubeovn-chart/archive/refs/tags/$${tag}.tar.gz | \
+	tar xzvf - --strip 2 kubeovn-chart-$${tag#*v}/chart
--- a/packages/system/kubeovn/charts/kube-ovn/Chart.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/Chart.yaml
@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v1.14.25
+version: v1.15.3

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.14.25"
+appVersion: "1.15.3"

 kubeVersion: ">= 1.29.0-0"
--- a/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
@@ -69,7 +69,9 @@ Number of master nodes
    {{- $imageVersion := (index $ds.spec.template.spec.containers 0).image | splitList ":" | last | trimPrefix "v" -}}
    {{- $versionRegex := `^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)` -}}
    {{- if and (ne $newChartVersion $chartVersion) (regexMatch $versionRegex $imageVersion) -}}
-      {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.13.0" -}}
+      {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.15.0" -}}
+        25.03
+      {{- else if regexFind $versionRegex $imageVersion | semverCompare ">= 1.13.0" -}}
        24.03
      {{- else if regexFind $versionRegex $imageVersion | semverCompare ">= 1.12.0" -}}
        22.12
--- a/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
@@ -122,6 +122,7 @@ spec:
            limits:
              cpu: {{ index .Values "ovn-central" "limits" "cpu" }}
              memory: {{ index .Values "ovn-central" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "ovn-central" "limits" "ephemeral-storage" }}
          volumeMounts:
            - mountPath: /var/run/ovn
              name: host-run-ovn
--- a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
@@ -101,6 +101,7 @@ spec:
          - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }}
          - --enable-lb={{- .Values.func.ENABLE_LB }}
          - --enable-np={{- .Values.func.ENABLE_NP }}
+          - --np-enforcement={{- .Values.func.NP_ENFORCEMENT }}
          - --enable-eip-snat={{- .Values.networking.ENABLE_EIP_SNAT }}
          - --enable-external-vpc={{- .Values.func.ENABLE_EXTERNAL_VPC }}
          - --enable-ecmp={{- .Values.networking.ENABLE_ECMP }}
@@ -117,11 +118,14 @@ spec:
          - --secure-serving={{- .Values.func.SECURE_SERVING }}
          - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
          - --enable-anp={{- .Values.func.ENABLE_ANP }}
+          - --enable-dns-name-resolver={{- .Values.func.ENABLE_DNS_NAME_RESOLVER }}
          - --ovsdb-con-timeout={{- .Values.func.OVSDB_CON_TIMEOUT }}
          - --ovsdb-inactivity-timeout={{- .Values.func.OVSDB_INACTIVITY_TIMEOUT }}
          - --enable-live-migration-optimize={{- .Values.func.ENABLE_LIVE_MIGRATION_OPTIMIZE }}
          - --enable-ovn-lb-prefer-local={{- .Values.func.ENABLE_OVN_LB_PREFER_LOCAL }}
          - --image={{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          - --skip-conntrack-dst-cidrs={{- .Values.networking.SKIP_CONNTRACK_DST_CIDRS }}
+          - --non-primary-cni-mode={{- .Values.cni_conf.NON_PRIMARY_CNI }}
          securityContext:
            runAsUser: {{ include "kubeovn.runAsUser" . }}
            privileged: false
@@ -140,11 +144,7 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
-            - name: KUBE_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: KUBE_NODE_NAME
+            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
@@ -194,6 +194,7 @@ spec:
            limits:
              cpu: {{ index .Values "kube-ovn-controller" "limits" "cpu" }}
              memory: {{ index .Values "kube-ovn-controller" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "kube-ovn-controller" "limits" "ephemeral-storage" }}
      nodeSelector:
        kubernetes.io/os: "linux"
      volumes:
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml
@@ -100,6 +100,7 @@ spec:
            limits:
              cpu: 3
              memory: 1Gi
+              ephemeral-storage: 1Gi
          volumeMounts:
            - mountPath: /var/run/ovn
              name: host-run-ovn
--- a/packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml
--- a/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml
@@ -81,7 +81,7 @@ spec:
          env:
            - name: ENABLE_SSL
              value: "{{ .Values.networking.ENABLE_SSL }}"
-            - name: KUBE_NODE_NAME
+            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
@@ -110,6 +110,7 @@ spec:
            limits:
              cpu: {{ index .Values "kube-ovn-monitor" "limits" "cpu" }}
              memory: {{ index .Values "kube-ovn-monitor" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "kube-ovn-monitor" "limits" "ephemeral-storage" }}
          volumeMounts:
            - mountPath: /var/run/ovn
              name: host-run-ovn
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml
@@ -48,10 +48,18 @@ rules:
      - switch-lb-rules/status
      - vpc-dnses
      - vpc-dnses/status
+      - dnsnameresolvers
+      - dnsnameresolvers/status
      - qos-policies
      - qos-policies/status
    verbs:
-      - "*"
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - watch
+      - delete
  - apiGroups:
      - ""
    resources:
@@ -84,6 +92,8 @@ rules:
      - network-attachment-definitions
    verbs:
      - get
+      - list
+      - watch
  - apiGroups:
      - ""
      - networking.k8s.io
@@ -166,7 +176,11 @@ rules:
    resources:
      - leases
    verbs:
-      - "*"
+      - create
+      - update
+      - patch
+      - get
+      - watch
  - apiGroups:
      - "kubevirt.io"
    resources:
@@ -181,6 +195,7 @@ rules:
    resources:
      - adminnetworkpolicies
      - baselineadminnetworkpolicies
+      - clusternetworkpolicies
    verbs:
      - get
      - list
@@ -276,7 +291,6 @@ rules:
    verbs:
      - get
      - list
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -355,12 +369,23 @@ rules:
      - "list"
      - "watch"
      - "delete"
-  - apiGroups:
-      - ""
-    resources:
-      - "secrets"
-    verbs:
-      - "get"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-reader-ovn-ipsec
+  namespace: {{ .Values.namespace }}
+rules:
+- apiGroups: 
+    - ""
+  resources: 
+    - "secrets"
+  resourceNames: 
+    - "ovn-ipsec-ca"
+  verbs: 
+    - "get"
+    - "list"
+    - "watch"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CRB.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CRB.yaml
@@ -67,6 +67,20 @@ subjects:
    namespace: {{ .Values.namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kube-ovn-cni-secret-reader
+  namespace: {{ .Values.namespace }}
+subjects:
+- kind: ServiceAccount
+  name: kube-ovn-cni
+  namespace: {{ .Values.namespace }}
+roleRef:
+  kind: Role
+  name: secret-reader-ovn-ipsec
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kube-ovn-app
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml
@@ -54,7 +54,7 @@ spec:
              value: "{{- .Values.networking.TUNNEL_TYPE }}"
            - name: DPDK_TUNNEL_IFACE
              value: "{{- .Values.networking.DPDK_TUNNEL_IFACE }}"
-            - name: KUBE_NODE_NAME
+            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
@@ -122,9 +122,7 @@ spec:
          - --secure-serving={{- .Values.func.SECURE_SERVING }}
          - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
          - --set-vxlan-tx-off={{- .Values.func.SET_VXLAN_TX_OFF }}
-          {{- with .Values.mtu }}
-          - --mtu={{ . }}
-          {{- end }}
+          - --non-primary-cni-mode={{- .Values.cni_conf.NON_PRIMARY_CNI }}
        securityContext:
          runAsUser: 0
          privileged: false
@@ -143,7 +141,7 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
-          - name: KUBE_NODE_NAME
+          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
@@ -227,6 +225,7 @@ spec:
          limits:
            cpu: {{ index .Values "kube-ovn-cni" "limits" "cpu" }}
            memory: {{ index .Values "kube-ovn-cni" "limits" "memory" }}
+            ephemeral-storage: {{ index .Values "kube-ovn-cni" "limits" "ephemeral-storage" }}
      nodeSelector:
        kubernetes.io/os: "linux"
      volumes:
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml
@@ -115,7 +115,7 @@ spec:
              value: "{{- .Values.func.HW_OFFLOAD }}"
            - name: TUNNEL_TYPE
              value: "{{- .Values.networking.TUNNEL_TYPE }}"
-            - name: KUBE_NODE_NAME
+            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
@@ -173,6 +173,7 @@ spec:
            limits:
              cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }}
              memory: {{ index .Values "ovs-ovn" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "ovs-ovn" "limits" "ephemeral-storage" }}
      nodeSelector:
        kubernetes.io/os: "linux"
      volumes:
--- a/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml
@@ -73,7 +73,6 @@ spec:
          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
          {{ .Values.ipv6.PINGER_EXTERNAL_DOMAIN }}
          {{- end }}
-          - --ds-namespace={{ .Values.namespace }}
          - --logtostderr=false
          - --alsologtostderr=true
          - --log_file=/var/log/kube-ovn/kube-ovn-pinger.log
@@ -102,6 +101,10 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
@@ -133,6 +136,7 @@ spec:
            limits:
              cpu: {{ index .Values "kube-ovn-pinger" "limits" "cpu" }}
              memory: {{ index .Values "kube-ovn-pinger" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "kube-ovn-pinger" "limits" "ephemeral-storage" }}
          livenessProbe:
            httpGet:
              path: /metrics
--- a/packages/system/kubeovn/charts/kube-ovn/templates/post-delete-hook.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/post-delete-hook.yaml
@@ -120,6 +120,14 @@ spec:
            - sh
            - -c
            - /kube-ovn/remove-finalizer.sh 2>&1 | tee -a /var/log/kube-ovn/remove-finalizer.log
+          resources:
+            requests:
+              cpu: 100m
+              memory: 200Mi
+            limits:
+              cpu: 1
+              memory: 500Mi
+              ephemeral-storage: 1Gi
          volumeMounts:
            - mountPath: /var/log/kube-ovn
              name: kube-ovn-log
--- a/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml
@@ -31,6 +31,8 @@ rules:
      - daemonsets
    verbs:
      - list
+      - get
+      - watch
  - apiGroups:
      - apps
    resources:
--- a/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml
@@ -7,7 +7,7 @@ metadata:
    kubernetes.io/description: |
      kube-ovn vpc-nat common config
 data:
-  image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.vpcRepository }}:{{ .Values.global.images.kubeovn.tag }}
+  image: {{ .Values.global.registry.address }}/{{ .Values.global.images.natgateway.repository }}:{{ or .Values.global.images.natgateway.tag .Values.global.images.kubeovn.tag }}

 ---
 kind: ConfigMap
--- a/packages/system/kubeovn/charts/kube-ovn/values.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/values.yaml
@@ -8,10 +8,11 @@ global:
  images:
    kubeovn:
      repository: kube-ovn
-      vpcRepository: vpc-nat-gateway
-      tag: v1.14.25
-      support_arm: true
-      thirdparty: true
+      tag: v1.15.3
+    natgateway:
+      repository: vpc-nat-gateway
+      # Falls back to the same tag as kubeovn if empty
+      tag: v1.15.3

 image:
  pullPolicy: IfNotPresent
@@ -46,6 +47,8 @@ networking:
  ENABLE_METRICS: true
  # comma-separated string of nodelocal DNS ip addresses
  NODE_LOCAL_DNS_IP: ""
+  # comma-separated list of destination IP CIDRs that should skip conntrack processing
+  SKIP_CONNTRACK_DST_CIDRS: ""
  PROBE_INTERVAL: 180000
  OVN_NORTHD_PROBE_INTERVAL: 5000
  OVN_LEADER_PROBE_INTERVAL: 5
@@ -57,6 +60,7 @@ networking:
 func:
  ENABLE_LB: true
  ENABLE_NP: true
+  NP_ENFORCEMENT: standard
  ENABLE_EXTERNAL_VPC: false
  HW_OFFLOAD: false
  ENABLE_LB_SVC: false
@@ -73,6 +77,7 @@ func:
  ENABLE_NAT_GW: true
  ENABLE_OVN_IPSEC: false
  ENABLE_ANP: false
+  ENABLE_DNS_NAME_RESOLVER: false
  SET_VXLAN_TX_OFF: false
  OVSDB_CON_TIMEOUT: 3
  OVSDB_INACTIVITY_TIMEOUT: 10
@@ -80,6 +85,10 @@ func:
  ENABLE_OVN_LB_PREFER_LOCAL: false

 ipv4:
+  POD_CIDR: "10.16.0.0/16"
+  POD_GATEWAY: "10.16.0.1"
+  SVC_CIDR: "10.96.0.0/12"
+  JOIN_CIDR: "100.64.0.0/16"
  PINGER_EXTERNAL_ADDRESS: "1.1.1.1"
  PINGER_EXTERNAL_DOMAIN: "kube-ovn.io."

@@ -116,6 +125,7 @@ cni_conf:
  CNI_CONF_FILE: "/kube-ovn/01-kube-ovn.conflist"
  LOCAL_BIN_DIR: "/usr/local/bin"
  MOUNT_LOCAL_BIN_DIR: false
+  NON_PRIMARY_CNI: false

 kubelet_conf:
  KUBELET_DIR: "/var/lib/kubelet"
@@ -135,7 +145,7 @@ fullnameOverride: ""
 HYBRID_DPDK: false
 HUGEPAGE_SIZE_TYPE: hugepages-2Mi # Default
 HUGEPAGES: 1Gi
-DPDK_IMAGE_TAG: "v1.14.0-dpdk"
+DPDK_IMAGE_TAG: "v1.15.0-dpdk"
 DPDK_CPU: "1000m" # Default CPU configuration
 DPDK_MEMORY: "2Gi" # Default Memory configuration

@@ -146,6 +156,7 @@ ovn-central:
  limits:
    cpu: "3"
    memory: "4Gi"
+    ephemeral-storage: 1Gi
 ovs-ovn:
  requests:
    cpu: "200m"
@@ -153,6 +164,7 @@ ovs-ovn:
  limits:
    cpu: "2"
    memory: "1000Mi"
+    ephemeral-storage: 1Gi
 kube-ovn-controller:
  requests:
    cpu: "200m"
@@ -160,6 +172,7 @@ kube-ovn-controller:
  limits:
    cpu: "1000m"
    memory: "1Gi"
+    ephemeral-storage: 1Gi
 kube-ovn-cni:
  requests:
    cpu: "100m"
@@ -167,6 +180,7 @@ kube-ovn-cni:
  limits:
    cpu: "1000m"
    memory: "1Gi"
+    ephemeral-storage: 1Gi
 kube-ovn-pinger:
  requests:
    cpu: "100m"
@@ -174,6 +188,7 @@ kube-ovn-pinger:
  limits:
    cpu: "200m"
    memory: "400Mi"
+    ephemeral-storage: 1Gi
 kube-ovn-monitor:
  requests:
    cpu: "200m"
@@ -181,3 +196,4 @@ kube-ovn-monitor:
  limits:
    cpu: "200m"
    memory: "200Mi"
+    ephemeral-storage: 1Gi
--- a/packages/system/kubeovn/values.yaml
+++ b/packages/system/kubeovn/values.yaml
@@ -65,4 +65,4 @@ global:
  images:
    kubeovn:
      repository: kubeovn
-      tag: v1.14.25@sha256:d0b29daaf36e81cac0f9fb15d0ea6b1b49f1abba81a14c73b88a2e60ffcc5978
+      tag: v1.15.3@sha256:fa53d5f254f640cb626329ad35d9e7aad647dd8e1e645e68f3f13c3659472a30
--- a/packages/system/kubevirt-csi-node/values.yaml
+++ b/packages/system/kubevirt-csi-node/values.yaml
@@ -1,3 +1,3 @@
 storageClass: replicated
 csiDriver:
-  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:0b208ed506dd8c453426761d93ec3d42c9d1b791ba6c91b01c6386dcb1b02442
+  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:bb5b17044969e663c3b391f7274883735c0ffe05a9523988469bdf2974de2dea
--- a/packages/system/lineage-controller-webhook/values.yaml
+++ b/packages/system/lineage-controller-webhook/values.yaml
@@ -1,5 +1,5 @@
 lineageControllerWebhook:
-  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.41.7@sha256:1680ba3634c81691c2cf346759c7746cf700ce59fd752fce862e5e89f3a6fdb5
+  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.41.11@sha256:91ad700fe681c6f96e756c51ee22ff50e606536c316c608e11207bdca817e0ce
  debug: false
  localK8sAPIEndpoint:
    enabled: true
--- a/packages/system/linstor/values.yaml
+++ b/packages/system/linstor/values.yaml
@@ -1,7 +1,7 @@
 piraeusServer:
  image:
    repository: ghcr.io/cozystack/cozystack/piraeus-server
-    tag: 1.32.3@sha256:3d1b4348c665fb88f8bead09a1fa68547e6872172ed0168449cb232c4467ad84
+    tag: 1.32.3@sha256:18fac1ac740ce64c1dfb31b5ab36b6d008af8d9a70aedd451b32a726c79ca794
 linstor:
  autoDiskful:
    enabled: true
@@ -10,4 +10,4 @@ linstor:
 linstorCSI:
  image:
    repository: ghcr.io/cozystack/cozystack/linstor-csi
-    tag: v1.10.5@sha256:6e6cf48cb994f3918df946e02ec454ac64916678b3e60d78c136b431f1a26155
+    tag: v1.10.5@sha256:50ab1ab0210d4e7ebfca311f445bb764516db5ddb63fc6d28536b28622eee753
--- a/packages/system/objectstorage-controller/values.yaml
+++ b/packages/system/objectstorage-controller/values.yaml
@@ -1,3 +1,3 @@
 objectstorage:
  controller:
-    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.41.7@sha256:85c9dd60b4a5e2a9ce7e5675f6a62bb4d3bb95656c7bcf6b64c87e9a56aadf9d"
+    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.41.11@sha256:e40e94f3014cfd04cce4230597315a1acfcca2daa8051b987614d0c05da6d928"
--- a/packages/system/seaweedfs/values.yaml
+++ b/packages/system/seaweedfs/values.yaml
@@ -177,7 +177,7 @@ seaweedfs:
    bucketClassName: "seaweedfs"
    region: ""
    sidecar:
-      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.41.7@sha256:3e61975b8bb04d0e1d993a08b49ce8d5265e029a21ad6d57b44d4f93243aff4c"
+      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.41.11@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f"
  certificates:
    commonName: "SeaweedFS CA"
    ipAddresses: []
Author	SHA1	Message	Date
Andrei Kvapil	b1dac3c3c9	Release v0.41.11 (#2185 ) This PR prepares the release `v0.41.11`.	2026-03-10 21:21:40 +01:00
cozystack-bot	ab9643c35e	Prepare release v0.41.11 Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>	2026-03-10 11:48:01 +00:00
Andrei Kvapil	c720bde0e9	fix(etcd-operator): replace deprecated kube-rbac-proxy image (#2181 ) ## Summary - Replace deprecated `gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0` with `quay.io/brancz/kube-rbac-proxy:v0.18.1` in the vendored etcd-operator chart - The GCR-hosted image became unavailable after March 18, 2025 Fixes #2172 #488 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Chores * Updated proxy component to v0.18.1 with configuration changes for improved stability and compatibility. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-03-10 12:38:58 +01:00
Andrei Kvapil	c7b2f60d18	Release v0.41.10 (#2139 ) This PR prepares the release `v0.41.10`.	2026-03-04 00:24:11 +01:00
cozystack-bot	2a766df6e0	Prepare release v0.41.10 Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>	2026-03-03 01:36:20 +00:00
Andrei Kvapil	d2ac669b29	fix(platform): correct cozy-proxy releaseName to avoid conflict with installer (#2127 ) ## What this PR does Fixes cozy-proxy `releaseName` from `cozystack` to `cozy-proxy` in paas-full and distro-full bundles. The cozy-proxy component was incorrectly configured with `releaseName: cozystack`, which is the same name used by the installer helm release. During upgrade to v1.0, the cozy-proxy HelmRelease reconciles and overwrites the installer release, deleting the cozystack-operator deployment. ### Release note ```release-note [platform] Fix cozy-proxy releaseName collision with installer that caused operator deletion during v1.0 upgrade ```	2026-03-02 12:57:26 +01:00
Andrei Kvapil	e7bfa9b138	fix(platform): correct cozy-proxy releaseName to avoid conflict with installer The cozy-proxy component was incorrectly configured with releaseName: cozystack, which collides with the installer helm release name. This causes the cozy-proxy HelmRelease to overwrite the installer release during upgrade to v1.0, deleting the cozystack-operator. Change releaseName from "cozystack" to "cozy-proxy" in both paas-full and distro-full bundles. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2026-03-02 12:55:22 +01:00
Andrei Kvapil	d5a5d31354	Release v0.41.9 (#2078 ) This PR prepares the release `v0.41.9`.	2026-02-21 21:48:10 +01:00
cozystack-bot	dd67bd56c4	Prepare release v0.41.9 Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>	2026-02-21 01:37:37 +00:00
Andrei Kvapil	513b2e20df	Update Kube-OVN to v1.15.3 Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2026-02-20 10:51:09 +01:00
Andrei Kvapil	8d8f7defd7	fix(cozystack-basics) Deny resourcequotas deletion for tenant admin (#2076 ) <!-- Thank you for making a contribution! Here are some tips for you: - Start the PR title with the [label] of Cozystack component: - For system components: [platform], [system], [linstor], [cilium], [kube-ovn], [dashboard], [cluster-api], etc. - For managed apps: [apps], [tenant], [kubernetes], [postgres], [virtual-machine] etc. - For development and maintenance: [tests], [ci], [docs], [maintenance]. - If it's a work in progress, consider creating this PR as a draft. - Don't hesistate to ask for opinion and review in the community chats, even if it's still a draft. - Add the label `backport` if it's a bugfix that needs to be backported to a previous version. --> <!-- Write a release note: - Explain what has changed internally and for users. - Start with the same [label] as in the PR title - Follow the guidelines at https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md. --> ```release-note Fixed cozy:tenant:admin:base ClusterRole to deny deletion of tenant ResourceQuotas for the tenant admin and superadmin ``` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> * Bug Fixes * Removed resource quota management permissions from tenant admin role to reduce unnecessary administrative access. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-02-20 10:28:12 +01:00
Andrei Kvapil	7bcc3a3d01	Release v0.41.8 (#2029 ) This PR prepares the release `v0.41.8`.	2026-02-11 17:09:01 +01:00
cozystack-bot	ff10d684da	Prepare release v0.41.8 Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>	2026-02-11 11:20:45 +00:00
Andrei Kvapil	dfb280d091	[Backport release-0.41] [dashboard] Add startupProbe to prevent container restarts on slow hardware (#2014 ) # Description Backport of #1996 to `release-0.41`.	2026-02-10 12:30:39 +01:00
Andrei Kvapil	32b1bc843a	[Backport release-0.41] [vm] allow switching between instancetype and custom resources (#2013 ) # Description Backport of #2008 to `release-0.41`.	2026-02-10 12:30:11 +01:00
Andrei Kvapil	2c87a83949	[Backport release-0.41] feat(kubernetes): auto-enable Gateway API support in cert-manager (#2012 ) # Description Backport of #1997 to `release-0.41`.	2026-02-10 12:29:57 +01:00
Andrei Kvapil	a53df5eb90	fix(dashboard): add startupProbe to prevent container restarts on slow hardware Kubelet kills bff and web containers on slow hardware because the livenessProbe only allows 33 seconds for startup. Add startupProbe with failureThreshold=30 and periodSeconds=2, giving containers up to 60 seconds to start before livenessProbe kicks in. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `330cbe70d4`)	2026-02-10 11:22:41 +00:00
Kirill Ilin	b212dc02f3	[vm] add validation for resources Signed-off-by: Kirill Ilin <stitch14@yandex.ru> (cherry picked from commit `13d848efc3`)	2026-02-10 11:20:54 +00:00
Kirill Ilin	ec50052ea4	[vm] allow switching between instancetype and custom resources Implemented by upgrade hook atomically patching VM resource Signed-off-by: Kirill Ilin <stitch14@yandex.ru> (cherry picked from commit `cf2c6bc15f`)	2026-02-10 11:20:54 +00:00
Andrei Kvapil	9b61d1318c	feat(kubernetes): auto-enable Gateway API support in cert-manager When the Gateway API addon is enabled, automatically configure cert-manager with enableGatewayAPI: true. Uses the same default values + mergeOverwrite pattern as Cilium for consistency. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `90ac6de475`)	2026-02-10 11:20:04 +00:00