Changelog v1.57.0

[deckhouse-BOaTswain]

Changelog v1.57.0

Know before update

• All containers that use spotify/scratch image will be restarted (almost all Deckhouse containers).
• Deckhouse will not upgrade if linstor module is enabled.
• Deckhouse will not upgrade if the istio version in the cluster is lower than 1.16.
• The linstor module is deprecated. Please switch to sds-drbd module ASAP. The linstor module cannot be enabled but will continue to work if it was already enabled before.

Features

• [candi] Set curl connect timeout to 10s and explicitly set overall timeout to 300s. #7059
• [ceph-csi] ceph-csi module is based on a distroless image. #6724
• [cloud-provider-yandex] Add alert about deprecated NAT Instance zone. #6736
• [common] shell-operator image is based on a distroless image. #7047
• [delivery] Redis image is based on a distroless image. #6224
• [dhctl] Retry failed pull/push operations during the mirroring. #7080
• [dhctl] Added a flag that forces mirror to accept non-trusted registry certificates. #7068
• [documentation] Improved stability of the documentation site. #6873
• [extended-monitoring] extended-monitoring-exporter image is based on a distroless image. #7164
• [extended-monitoring] Group CronJobFailed alerts. #6715
• [external-module-manager] Always create default MUP for Deckhouse #7185
• [monitoring-kubernetes] Add NodeFilesystemIsRO alert. #6744
• [monitoring-kubernetes] ebpf_exporter image is based on a distroless image. Bump version to v2.3.0. #6241
• [network-gateway] network-gateway module is based on a distroless image. #6968
• [node-manager] Allow specifying the CloudStatic type in the staticInstance field of a NodeGroup. #7178
• [operator-trivy] Disable non-remote image source for remote scans. #7016
  trivy-operator pod will be recreated.
• [prometheus] Add the ability to specify a CA certificate in PrometheusRemoteWrite CR. #6933
• [prometheus-pushgateway] Pushgateway image is based on a distroless image. Bump version to v1.6.2. #7058
• [runtime-audit-engine] Module images are based on a distroless image. #7035
• [upmeter] database retention #7153
  The upmeter database will only store data for the last 548 days.

Fixes

• [candi] Raise the priority for NodeUser step. #7140
• [candi] Decrease shutdownGracePeriod for YandexCloud. #6897
• [candi] Fixes for compliance with CIS Benchmarks. #6647
• [candi] Wait for a node to be added to the cluster before annotating the node. #6443
• [common] Fixed vulnerabilities in csi livenessprobe and node-driver-registrar: CVE-2022-41723, CVE-2023-39325, GHSA-m425-mq94-257g #6956
  csi-controller pod will restart.
• [deckhouse-controller] fix for change-registry helper's handling of registry credentials. #7095
• [deckhouse-controller] Fix ModuleConfig validation for configs with empty settings. #7064
• [dhctl] Fix skipping preflight check about registry-through-proxy. #7135
• [dhctl] Fix ModuleConfig update error: 'Invalid value: 0x0: must be specified for an update' #7048
• [external-module-manager] Fix outdated module versions in multi-master environment. #7234
• [istio] Improved checking for currently running deprecated versions of Istio in the cluster. #7028
• [istio] After disabling the module, clean up any orphaned Istio components. #6906
• [monitoring-kubernetes] Fix generation of metrics kube_persistentvolume_is_local recording rule. #6755
• [monitoring-kubernetes] Bump node-exporter to v1.7.0. Fix crashes of node-exporter. #6730
• [monitoring-kubernetes] Fix AppArmor rule in kubelet-eviction-thresholds-exporter. #6711
• [network-gateway] Fix distroless build. #7250
• [network-policy-engine] Module images are based on a distroless image. #6460
• [node-manager] Add RBAC rules for kube-rbac-proxy in capi-controller-manager. #6854
• [operator-trivy] CIS compliance checks are now available immediately after activating the module. #6951
• [terraform-manager] Rename plugin terraform-provider-gcp to terraform-provider-google in terraform-state-exporter. #7156

Chore

• [candi] Update cni-plugins to version 1.4.0. #7078
  cni-plugins will restart.
• [candi] Change base_scratch from spotify/scratch to base_images/scratch. #6748
  All containers that use spotify/scratch image will be restarted (almost all Deckhouse containers).
• [cilium-hubble] Add the ingressClass parameter to the module configuration. #7007
• [cni-cilium] Add user-authz RBACs for ciliumnetworkpolicies. #6813
• [deckhouse-controller] Add deckhouse-service initialization check. #7163
• [istio] Add a minimum version of istio to the Deckhouse update requirements. #7119
  Deckhouse will not upgrade if the istio version in the cluster is lower than 1.16.
• [istio] Improve hack_iop_reconciling hook to prevent istio-operator stucking. #7043
• [istio] Generate only requested mutating and validating webhooks. #7037
• [istio] Add the ingressClass parameter to the module configuration. #7007
• [keepalived] keepalived is now based on a distroless image. #6962
  keepalived pods will restart.
• [linstor] Disable Deckhouse update while legacy linstor module is enabled. #7088
  Deckhouse will not upgrade if linstor module is enabled.
• [linstor] Add a validating webhook to prevent the linstor module from being enabled. #7086
  The linstor module is deprecated. Please switch to sds-drbd module ASAP. The linstor module cannot be enabled but will continue to work if it was already enabled before.
• [monitoring-kubernetes] Move helm module to monitoring-kubernetes module. #6726
• [prometheus] Set .spec.externalURL in the alermanager manifest when a public domain is specified. #7042
• [user-authn] Don't recreate the CA certificate if the publishAPI.https.mode parameter changes. #6927

See CHANGELOG v1.57 for more details.

[z9r5]

/changelog

[deckhouse-BOaTswain]

Cherry pick PR 7256 to the branch release-1.57 successful!