[Backport release-1.1] [kubernetes] Fix CiliumNetworkPolicy endpointSelector for multi-node RWX volumes (#2229 )

# Description Backport of #2227 to `release-1.1`.
[kubernetes] Fix CiliumNetworkPolicy endpointSelector for multi-node RWX volumes
2026-03-17 12:28:53 +00:00 · 2026-03-17 09:31:24 +01:00 · 2026-03-16 16:22:05 +00:00 · 2026-03-16 09:38:35 +01:00 · 2026-03-16 01:36:47 +00:00 · 2026-03-13 16:24:27 +01:00
24 changed files with 85 additions and 35 deletions
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:3753b735b0315bee90de54cb25cfebc63bd2cc90ad11ca4fdc0e70439abd5096
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:e9d0aa7e651b03a6713b380101a61832818a91b5f989da9754f58693898c4056
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver/controller.go
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver/controller.go
@@ -317,11 +317,7 @@ func (w *WrappedControllerService) ControllerPublishVolume(ctx context.Context,
 				"ownerReferences": []interface{}{vmiOwnerRef},
 			},
 			"spec": map[string]interface{}{
-				"endpointSelector": map[string]interface{}{
-					"matchLabels": map[string]interface{}{
-						"kubevirt.io/vm": vmName,
-					},
-				},
+				"endpointSelector": buildEndpointSelector([]string{vmName}),
 				"egress": []interface{}{
 					map[string]interface{}{
 						"toEndpoints": []interface{}{
@@ -441,6 +437,13 @@ func (w *WrappedControllerService) addCNPOwnerReference(ctx context.Context, nam
 		if err := unstructured.SetNestedSlice(existing.Object, ownerRefs, "metadata", "ownerReferences"); err != nil {
 			return status.Errorf(codes.Internal, "failed to set ownerReferences: %v", err)
 		}
+
+		// Rebuild endpointSelector to include all VMs
+		selector := buildEndpointSelector(vmNamesFromOwnerRefs(ownerRefs))
+		if err := unstructured.SetNestedField(existing.Object, selector, "spec", "endpointSelector"); err != nil {
+			return status.Errorf(codes.Internal, "failed to set endpointSelector: %v", err)
+		}
+
 		if _, err := w.dynamicClient.Resource(ciliumNetworkPolicyGVR).Namespace(namespace).Update(ctx, existing, metav1.UpdateOptions{}); err != nil {
 			return err
 		}
@@ -486,6 +489,13 @@ func (w *WrappedControllerService) removeCNPOwnerReference(ctx context.Context,
 		if err := unstructured.SetNestedSlice(existing.Object, remaining, "metadata", "ownerReferences"); err != nil {
 			return status.Errorf(codes.Internal, "failed to set ownerReferences: %v", err)
 		}
+
+		// Rebuild endpointSelector from remaining VMs
+		selector := buildEndpointSelector(vmNamesFromOwnerRefs(remaining))
+		if err := unstructured.SetNestedField(existing.Object, selector, "spec", "endpointSelector"); err != nil {
+			return status.Errorf(codes.Internal, "failed to set endpointSelector: %v", err)
+		}
+
 		if _, err := w.dynamicClient.Resource(ciliumNetworkPolicyGVR).Namespace(namespace).Update(ctx, existing, metav1.UpdateOptions{}); err != nil {
 			return err
 		}
@@ -494,6 +504,37 @@ func (w *WrappedControllerService) removeCNPOwnerReference(ctx context.Context,
 	})
 }

+// buildEndpointSelector returns an endpointSelector using matchExpressions
+// so that multiple VMs can be listed in a single selector.
+func buildEndpointSelector(vmNames []string) map[string]interface{} {
+	values := make([]interface{}, len(vmNames))
+	for i, name := range vmNames {
+		values[i] = name
+	}
+	return map[string]interface{}{
+		"matchExpressions": []interface{}{
+			map[string]interface{}{
+				"key":      "kubevirt.io/vm",
+				"operator": "In",
+				"values":   values,
+			},
+		},
+	}
+}
+
+// vmNamesFromOwnerRefs extracts VM names from ownerReferences.
+func vmNamesFromOwnerRefs(ownerRefs []interface{}) []string {
+	var names []string
+	for _, ref := range ownerRefs {
+		if refMap, ok := ref.(map[string]interface{}); ok {
+			if name, ok := refMap["name"].(string); ok {
+				names = append(names, name)
+			}
+		}
+	}
+	return names
+}
+
 func hasRWXAccessMode(pvc *corev1.PersistentVolumeClaim) bool {
 	for _, mode := range pvc.Spec.AccessModes {
 		if mode == corev1.ReadWriteMany {
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,9 +1,9 @@
 cozystackOperator:
  # Deployment variant: talos, generic, hosted
  variant: talos
-  image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.1.1@sha256:1b2b9ca8592799488814472e2d33d8b42fcad73c6ff6dd459c09472f308fb59d
+  image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.1.2@sha256:2d983d1290038b806b4d36b95138f7d312c0b9e0bf239fbbff75f363a447f063
  platformSourceUrl: 'oci://ghcr.io/cozystack/cozystack/cozystack-packages'
-  platformSourceRef: 'digest=sha256:b11e4ee8e968ee0b039f19a13568273ba922ae01cb8c2c107ca9595cea2d3b53'
+  platformSourceRef: 'digest=sha256:90607296833d64af18d5c7806b8bcce411ca9e77c4f23f00c4d87b80fac2be0d'
 # Generic variant configuration (only used when cozystackOperator.variant=generic)
 cozystack:
  # Kubernetes API server host (IP only, no protocol/port)
--- a/packages/core/platform/values.yaml
+++ b/packages/core/platform/values.yaml
@@ -5,7 +5,7 @@ sourceRef:
  path: /
 migrations:
  enabled: false
-  image: ghcr.io/cozystack/cozystack/platform-migrations:v1.1.1@sha256:bcbe612879cecd2ae1cef91dfff6d34d009c2f7de6592145c04a2d6d21b28f4b
+  image: ghcr.io/cozystack/cozystack/platform-migrations:v1.1.2@sha256:bcbe612879cecd2ae1cef91dfff6d34d009c2f7de6592145c04a2d6d21b28f4b
  targetVersion: 35
 # Bundle deployment configuration
 bundles:
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.1.1@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.1.2@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba
--- a/packages/extra/bootbox/images/matchbox.tag
+++ b/packages/extra/bootbox/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v1.1.1@sha256:15e85d2740b9337cb73aeb8117fc9132c0552ca010aeabd8ec67b7c053d0eab2
+ghcr.io/cozystack/cozystack/matchbox:v1.1.2@sha256:3ad2bf694e23cfe985f0a62c0f717f7dace8cb05bfe07388004f3f996291ab32
--- a/packages/extra/seaweedfs/images/objectstorage-sidecar.tag
+++ b/packages/extra/seaweedfs/images/objectstorage-sidecar.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.1.1@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.1.2@sha256:0ab0ce0f69b49112eb8626bc3b9802adece123ebaef4f5aaa1780e66a99770b0
--- a/packages/system/backup-controller/values.yaml
+++ b/packages/system/backup-controller/values.yaml
@@ -1,5 +1,5 @@
 backupController:
-  image: "ghcr.io/cozystack/cozystack/backup-controller:v1.1.1@sha256:628a8e36fe1fbd6bd7631f0ab68c54647b4247a6f3168fec8ed9c07c9369f888"
+  image: "ghcr.io/cozystack/cozystack/backup-controller:v1.1.2@sha256:900e2bdb0df6e571911e2b6905189c769514b740777745c17e9d83d64ba07986"
  replicas: 2
  debug: false
  metrics:
--- a/packages/system/backupstrategy-controller/values.yaml
+++ b/packages/system/backupstrategy-controller/values.yaml
@@ -1,5 +1,5 @@
 backupStrategyController:
-  image: "ghcr.io/cozystack/cozystack/backupstrategy-controller:v1.1.1@sha256:5902db0bd64e416eacea4cd42b76cb86698276cfc9eadcb2df63a0e630d19100"
+  image: "ghcr.io/cozystack/cozystack/backupstrategy-controller:v1.1.2@sha256:d14f602b73e39e7a4cbedb22668018f03b49b839bdb8b0411d86572620dcc5bc"
  replicas: 2
  debug: false
  metrics:
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:5a7cae722ff6b424bdfbc4aba9d072c11b6930e2ee0f5fa97c3a565bd1c8dc88
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:20a6e3113b5c2005a3de7772da51a0242bec93ba1bd8936f912d958ef0d70214
--- a/packages/system/bucket/templates/deployment.yaml
+++ b/packages/system/bucket/templates/deployment.yaml
@@ -1,3 +1,12 @@
+{{- $endpoint := printf "s3.%s" .Values._namespace.host }}
+{{- range $name, $user := .Values.users }}
+  {{- $secretName := printf "%s-%s" $.Values.bucketName $name }}
+  {{- $existingSecret := lookup "v1" "Secret" $.Release.Namespace $secretName }}
+  {{- if $existingSecret }}
+    {{- $bucketInfo := fromJson (b64dec (index $existingSecret.data "BucketInfo")) }}
+    {{- $endpoint = trimPrefix "https://" (index $bucketInfo.spec.secretS3 "endpoint") }}
+  {{- end }}
+{{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -17,6 +26,6 @@ spec:
        image: "{{ $.Files.Get "images/s3manager.tag" | trim }}"
        env:
        - name: ENDPOINT
-          value: "s3.{{ .Values._namespace.host }}"
+          value: {{ $endpoint | quote }}
        - name: SKIP_SSL_VERIFICATION
          value: "true"
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,3 +1,3 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v1.1.1@sha256:07a5437746c8dca8511ea545defc88d88d11ddf1ac4c989d276d261509514360
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v1.1.2@sha256:d63128e7aac97e5671c5a04a45b96d08f5fc57f5b94ecaab040ef00dde94dc5b
  replicas: 2
--- a/packages/system/cozystack-controller/values.yaml
+++ b/packages/system/cozystack-controller/values.yaml
@@ -1,4 +1,4 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v1.1.1@sha256:01a242eb2b1edb2c19662205c69db4415e684f6ff84496d10b82712e3ef8ead0
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v1.1.2@sha256:372e65f4dfe402a4392ed408decf1e78f4d6365bc9053d53440389c15dd35e9d
  debug: false
  disableTelemetry: false
--- a/packages/system/dashboard/templates/configmap.yaml
+++ b/packages/system/dashboard/templates/configmap.yaml
@@ -1,6 +1,6 @@
 {{- $brandingConfig := .Values._cluster.branding | default dict }}

-{{- $tenantText := "v1.1.1" }}
+{{- $tenantText := "v1.1.2" }}
 {{- $footerText := "Cozystack" }}
 {{- $titleText := "Cozystack Dashboard" }}
 {{- $logoText := "" }}
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -1,6 +1,6 @@
 openapiUI:
-  image: ghcr.io/cozystack/cozystack/openapi-ui:v1.1.1@sha256:0c27362f075f9637a1fc4f716229ab6dab16ffa2b3c858b3e8c542502d6b244c
+  image: ghcr.io/cozystack/cozystack/openapi-ui:v1.1.2@sha256:b232a5e44553beddda6218350e061746c0be7ede428846136abb3e5778688bbb
 openapiUIK8sBff:
-  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v1.1.1@sha256:c938fee904acd948800d4dc5e121c4c5cd64cb4a3160fb8d2f9dbff0e5168740
+  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v1.1.2@sha256:7dd82ebe1d0c1925bbc440bc65a86852f3dd2bc0f6f12856904df847f15913d3
 tokenProxy:
-  image: ghcr.io/cozystack/cozystack/token-proxy:v1.1.1@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc
+  image: ghcr.io/cozystack/cozystack/token-proxy:v1.1.2@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc
--- a/packages/system/grafana-operator/images/grafana-dashboards.tag
+++ b/packages/system/grafana-operator/images/grafana-dashboards.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/grafana-dashboards:v1.1.1@sha256:2c9aa0b48e2bf6167db198f4d15882bfe51700108edf2e9f6d0942940a2c1204
+ghcr.io/cozystack/cozystack/grafana-dashboards:v1.1.2@sha256:2c9aa0b48e2bf6167db198f4d15882bfe51700108edf2e9f6d0942940a2c1204
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,7 +3,7 @@ kamaji:
    deploy: false
  image:
    pullPolicy: IfNotPresent
-    tag: v1.1.1@sha256:914d04f7442f0faecf18f8282c192dee9fe244a711494a8c892e2f9e2ad415f7
+    tag: v1.1.2@sha256:e46d5bb83afdfa42c7702c0fb69d50fade85541ab25795415aa407ae71d5a0db
    repository: ghcr.io/cozystack/cozystack/kamaji
  resources:
    limits:
@@ -13,4 +13,4 @@ kamaji:
      cpu: 100m
      memory: 100Mi
  extraArgs:
-    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v1.1.1@sha256:914d04f7442f0faecf18f8282c192dee9fe244a711494a8c892e2f9e2ad415f7
+    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v1.1.2@sha256:e46d5bb83afdfa42c7702c0fb69d50fade85541ab25795415aa407ae71d5a0db
--- a/packages/system/kubeovn-plunger/values.yaml
+++ b/packages/system/kubeovn-plunger/values.yaml
@@ -1,4 +1,4 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v1.1.1@sha256:79bfdea16ad23c3e7121b0ec0abf016ba1d841af0d955e95d258a2f4da28f285
+image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v1.1.2@sha256:1d12beabe1b71ae0525b0a6215c4e96b0ba091357418228e134d1e7ed5be2437
 ovnCentralName: ovn-central
--- a/packages/system/kubeovn-webhook/values.yaml
+++ b/packages/system/kubeovn-webhook/values.yaml
@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v1.1.1@sha256:e18f9fd679e38f65362a8d0042f25468272f6d081136ad47027168d8e7e07a4a
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v1.1.2@sha256:e18f9fd679e38f65362a8d0042f25468272f6d081136ad47027168d8e7e07a4a
--- a/packages/system/lineage-controller-webhook/values.yaml
+++ b/packages/system/lineage-controller-webhook/values.yaml
@@ -1,5 +1,5 @@
 lineageControllerWebhook:
-  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v1.1.1@sha256:f2c0f41a8d5bdbddc38c4f27f9242e581a3d503e039597866d0899de41fde7bb
+  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v1.1.2@sha256:bd17f7a4c57789d13926a97f8b59aea8bbf9117291ccc63ac0d238b5ea5f3b67
  debug: false
  localK8sAPIEndpoint:
    enabled: true
--- a/packages/system/linstor/values.yaml
+++ b/packages/system/linstor/values.yaml
@@ -13,4 +13,4 @@ linstor:
 linstorCSI:
  image:
    repository: ghcr.io/cozystack/cozystack/linstor-csi
-    tag: v1.10.5@sha256:21d48617cff1448e759be8fb9a9cc3d03ded97e2a7045b37f3558d317e966741
+    tag: v1.10.5@sha256:093034953ddb0466a67f5e28f2f242464bf8f263545632e05e0c32adc07f3f8a
--- a/packages/system/objectstorage-controller/values.yaml
+++ b/packages/system/objectstorage-controller/values.yaml
@@ -1,3 +1,3 @@
 objectstorage:
  controller:
-    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v1.1.1@sha256:e40e94f3014cfd04cce4230597315a1acfcca2daa8051b987614d0c05da6d928"
+    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v1.1.2@sha256:6f46dd505e976b10e08ee47bc8bbc2b7de9f49ed1cc5afe84490c2b7b811385d"
--- a/packages/system/seaweedfs/values.yaml
+++ b/packages/system/seaweedfs/values.yaml
@@ -177,7 +177,7 @@ seaweedfs:
    bucketClassName: "seaweedfs"
    region: ""
    sidecar:
-      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.1.1@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f"
+      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.1.2@sha256:0ab0ce0f69b49112eb8626bc3b9802adece123ebaef4f5aaa1780e66a99770b0"
  certificates:
    commonName: "SeaweedFS CA"
    ipAddresses: []
--- a/pkg/cmd/server/openapi.go
+++ b/pkg/cmd/server/openapi.go
@@ -224,8 +224,8 @@ func buildPostProcessV3(kindSchemas map[string]string) func(*spec3.OpenAPI) (*sp
 		base, ok1 := doc.Components.Schemas[baseRef]
 		list, ok2 := doc.Components.Schemas[baseListRef]
 		stat, ok3 := doc.Components.Schemas[baseStatusRef]
-		if !(ok1 && ok2 && ok3) && len(kindSchemas) > 0 {
-			return doc, fmt.Errorf("base Application* schemas not found")
+		if !(ok1 && ok2 && ok3) {
+			return doc, nil // not the apps GV — nothing to patch
 		}

 		// Clone base schemas for each kind
@@ -339,8 +339,8 @@ func buildPostProcessV2(kindSchemas map[string]string) func(*spec.Swagger) (*spe
 		base, ok1 := defs[baseRef]
 		list, ok2 := defs[baseListRef]
 		stat, ok3 := defs[baseStatusRef]
-		if !(ok1 && ok2 && ok3) && len(kindSchemas) > 0 {
-			return sw, fmt.Errorf("base Application* schemas not found")
+		if !(ok1 && ok2 && ok3) {
+			return sw, nil // not the apps GV — nothing to patch
 		}

 		for kind, raw := range kindSchemas {
Author	SHA1	Message	Date
Andrei Kvapil	ea641f7ec7	[Backport release-1.1] [kubernetes] Fix CiliumNetworkPolicy endpointSelector for multi-node RWX volumes (#2229 ) # Description Backport of #2227 to `release-1.1`.	2026-03-17 09:31:24 +01:00
mattia-eleuteri	2c23f1fab6	[kubernetes] Fix CiliumNetworkPolicy endpointSelector for multi-node RWX volumes When an NFS-backed RWX volume is published to multiple VMs, the CiliumNetworkPolicy egress rule only allowed traffic from the first VM. The endpointSelector.matchLabels was set once on creation and never broadened, causing NFS mounts to hang on all nodes except the first. Switch from matchLabels to matchExpressions (operator: In) so the selector can list multiple VM names. Rebuild the selector whenever ownerReferences are added or removed. Signed-off-by: mattia-eleuteri <mattia@hidora.io> (cherry picked from commit `cc5ec0b7a3`)	2026-03-16 16:22:05 +00:00
Andrei Kvapil	2de20be50b	Release v1.1.2 (#2218 ) This PR prepares the release `v1.1.2`.	2026-03-16 09:38:35 +01:00
cozystack-bot	1c87fe2004	Prepare release v1.1.2 Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>	2026-03-16 01:36:47 +00:00
Andrei Kvapil	a18047fc16	[Backport release-1.1] fix(api): skip OpenAPI post-processor for non-apps group versions (#2217 ) # Description Backport of #2212 to `release-1.1`.	2026-03-13 16:24:27 +01:00
Andrei Kvapil	803d6b15ba	[Backport release-1.1] [bucket] Fix s3manager endpoint mismatch with COSI credentials (#2215 ) # Description Backport of #2211 to `release-1.1`.	2026-03-13 16:23:58 +01:00
Andrei Kvapil	c94768c64b	Revert "fix(operator): requeue packages when dependencies are not ready" This reverts commit `f906a0d8ad`. Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `2b60c010dd`)	2026-03-13 15:23:34 +00:00
Andrei Kvapil	093329cdce	fix(operator): requeue packages when dependencies are not ready When dependencies are not ready the reconciler returned without requeueing, relying solely on watch events to re-trigger. If a watch event was missed (controller restart, race condition, dependency already ready before watch setup), the package would stay stuck in DependenciesNotReady forever. Add RequeueAfter: 30s so dependencies are periodically rechecked. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `f906a0d8ad`)	2026-03-13 15:23:34 +00:00
Andrei Kvapil	0e3c7fabff	fix(api): skip OpenAPI post-processor for non-apps group versions The OpenAPI PostProcessSpec callback is invoked for every group-version (apps, core, version, etc.), but the Application schema cloning logic only applies to apps.cozystack.io. When called for other GVs the base Application schemas are absent, causing a spurious error log on every API server start. Return early instead of erroring when the base schemas are not found. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Andrei Kvapil <kvapss@gmail.com> (cherry picked from commit `ee83aaa82e`)	2026-03-13 15:23:34 +00:00
IvanHunters	0ba129b4b7	[bucket] Fix s3manager endpoint to use actual S3 endpoint from BucketInfo The deployment template was constructing the S3 endpoint from the tenant's namespace host (e.g. s3.freedom.infra.example.com), while COSI credentials are issued for the actual SeaweedFS endpoint (e.g. s3.infra.example.com). This mismatch caused 'invalid credentials' errors when users tried to log in with valid credentials from the bucket secret. Now the endpoint is resolved from BucketInfo (same source as credentials), with a fallback to the constructed namespace host for first-time deploys before BucketAccess secrets are created. Signed-off-by: IvanHunters <xorokhotnikov@gmail.com> (cherry picked from commit `f647cfd7b9`)	2026-03-13 15:23:24 +00:00