Cozystack v0.38 — "VPC & Enhanced Networking"
This release introduces Virtual Private Cloud (VPC) support, enabling advanced networking capabilities for tenant applications. We've also added VNC console support in the dashboard, made Kubernetes worker versions configurable, and delivered numerous improvements and fixes across the platform.
Virtual Private Cloud (VPC) Networking
Cozystack v0.38.0 introduces Virtual Private Cloud (VPC) support, enabling platform administrators to create isolated network segments for tenant applications. VPCs provide network isolation and allow fine-grained control over network topology, subnets, and routing. Each VPC can contain multiple subnets, and administrators can configure subnet details including IP ranges, gateway settings, and DNS configuration.
The VPC feature integrates seamlessly with the Cozystack dashboard, allowing users to view and manage VPCs and their subnets through an intuitive interface. Subnet details are exposed in the dashboard as tables, making it easy to understand network configuration at a glance. VPC configuration is stored in ConfigMaps with predictable naming, ensuring reliable access to subnet information.
This feature is particularly valuable for multi-tenant environments where network isolation is critical, and for applications that require specific network configurations or routing rules.
VNC Console for Virtual Machines
The Cozystack dashboard now includes a built-in VNC console for virtual machines, enabling users to access a VM's console directly from the web interface without requiring external tools. This feature provides immediate access to virtual machine consoles for troubleshooting, configuration, and maintenance tasks. The VNC console integration streamlines VM management workflows and improves the user experience by keeping all VM operations within the Cozystack dashboard.
Highlights
- Virtual Private Cloud (VPC): New VPC system module enables advanced networking with Multus CNI, subnet management, and network isolation for tenant applications (@nbykov0 in #1543; @lllamnyp in #1587, #1590, #1600, #1621, #1638).
- VNC Console in Dashboard: Users can now access virtual machine consoles directly from the dashboard, improving VM management experience (@kvaps in #1627).
- Configurable Kubernetes Worker Versions: Platform administrators can now configure Kubernetes worker node versions independently, providing more flexibility in cluster management (@lllamnyp in #1619).
- Security Enhancements: Multiple security improvements including HTTPS-only enforcement for API, closed Flux Operator ports, and Redis security updates (@IvanHunters in #1580, #1581, #1582).
- Cozy-lib Improvements: Enhanced flatten function with better ResourceQuota handling and nil resource support (@lllamnyp in #1647; @IvanHunters in #1642; @kvaps in #1607).
New features
VPC (Virtual Private Cloud)
- [system] Add VPC: Introduced Virtual Private Cloud system module with Multus CNI integration, enabling advanced networking capabilities for tenant applications (@nbykov0 in #1543).
- [vpc] Install Multus by default: Multus CNI is now installed by default when VPC is enabled, providing multi-network interface support (@lllamnyp in #1587).
- [vpc] Give predictable name to subnet configmap: Subnet configuration maps now use predictable naming for better management and debugging (@lllamnyp in #1590).
- [vpc] Entry per subnet in the subnets configmap: Each subnet now has its own entry in the subnets configmap, improving subnet organization and management (@lllamnyp in #1600).
- [vpc,dashboard] Print subnet details as table: Subnet details are now displayed as a table in the dashboard, improving visibility and management (@lllamnyp in #1621).
- [apps] Add VPC app: Added VPC application for tenant use, enabling users to create and manage VPCs (@nbykov0 in #1543).
Dashboard
- [dashboard] Introduce VNC console: Added VNC console support in the dashboard, allowing users to access virtual machine consoles directly from the web interface (@kvaps in #1627).
- [dashboard] sync with upstream & enhancements: Synchronized dashboard with upstream project and added various enhancements (@kvaps in #1603).
- [dashboard] Migrate patches to upstream project: Migrated dashboard patches to upstream project for better maintainability (@kvaps in #1569).
Kubernetes
- [kubernetes] Make worker version configurable: Platform administrators can now configure Kubernetes worker node versions independently from control plane versions, providing more flexibility (@lllamnyp in #1619).
- [kubernetes] Use controlPlane.replicas field: Fixed managed Kubernetes app to properly use the controlPlane.replicas field instead of hardcoding the value (@lllamnyp in #1556).
- [kubernetes] Helm hooks for cleanup: Added Helm hooks for cleanup operations in Kubernetes app (@lllamnyp in #1606).
API & Platform
- [api] Efficient listing of TenantNamespaces: Optimized TenantNamespace listing by replacing per-namespace SubjectAccessReview calls with group-based rolebinding checks, significantly reducing API latency (@lllamnyp in #1507).
- [api] Use shared informer cache: Optimized API server by using shared informer cache, reducing API server load and improving performance (@lllamnyp in #1539).
- [api] Fix representation of dynamic list kinds: Fixed API representation of dynamic list kinds for better compatibility (@lllamnyp in #1630).
- [api] Delete previous instance when changing type: API now properly deletes previous instance when changing application type (@lllamnyp in #1579).
Applications
- [tenant] Allow listing workloads: Enabled listing of workloads for tenants, improving visibility and management of tenant resources (@kvaps in #1576).
- [apps] Make VM service user facing: Virtual machine services are now marked as user-facing, improving service discovery and visibility in the dashboard (@lllamnyp in #1523).
- [foundationdb] Upgrade FDB app for latest Cozy: Upgraded FoundationDB application for compatibility with latest Cozystack version (@lllamnyp in #1505).
Storage & Backups
- [seaweedfs] Update SeaweedFS v3.99 and deploy S3 as stacked service: Updated SeaweedFS to version 3.99 and deployed S3 gateway as a stacked service for better integration and performance (@kvaps in #1562).
- [seaweedfs] Allow users to discover their buckets: Users can now discover and list their S3 buckets in SeaweedFS, improving usability and bucket management (@kvaps in #1528).
- [velero] Set defaultItemOperationTimeout=24h: Set default item operation timeout to 24 hours for Velero backups, preventing timeouts on large backup operations (@kvaps in #1542).
Monitoring & Operations
- [monitoring] add settings alert for slack: Added Slack integration configuration for Alerta alerts, enabling notifications to Slack channels (@scooby87 in #1545).
Improvements (minor)
- [lineage] Separate webhook from cozy controller: Separated the lineage-controller-webhook from cozystack-controller into a separate daemonset component deployed on all control-plane nodes, reducing API server latency (@lllamnyp in #1515).
- [dashboard] Show service LB IP: Fixed JSON path issue to correctly display Service LoadBalancer IPs in the dashboard table view (@lllamnyp in #1524).
- [dashboard] Update openapi-ui v1.0.3 + fixes: Updated OpenAPI UI to version 1.0.3 with various fixes and improvements (@kvaps in #1564).
- [dashboard-controller] Move badges generation logic to internal dashboard component: Moved badges generation logic to internal dashboard component for better code organization (@kvaps in #1567).
- [bucket] Expose bucket name in secrets: Bucket names are now exposed in secrets for better integration with applications (@lllamnyp in #1518).
- [platform] Better migration for 0.36.2->0.37.2+: Improved migration script for users upgrading directly from 0.36.2 to 0.37.2+ (@lllamnyp in #1521).
- [cozy-lib] Improve flatten function: Improved flatten function in cozy-lib with better handling of complex resource structures (@lllamnyp in #1647).
- [dx] JSDoc compatible syntax for values.yaml: Added JSDoc compatible syntax for values.yaml documentation (@kvaps in #1536).
- [system] Tune kubevirt rollout and eviction settings: Tuned KubeVirt rollout and eviction settings for better stability (@nbykov0 in #1544).
- [system] multus: update to the latest version: Updated Multus CNI to the latest version (@nbykov0 in #1628).
- [system] kubeovn: increase limits: Increased resource limits for Kube-OVN components to improve stability and performance (@nbykov0 in #1629).
- [linstor] Update Piraeus Operator to v2.10.1 to enable RWX support: Updated Piraeus Operator to v2.10.1, enabling ReadWriteMany (RWX) volume support (@kvaps in #1650).
- [ci,dx] Bump MariaDB operator version: Bumped MariaDB operator version for latest features and bug fixes (@IvanHunters in #1646).
Bug fixes
- [api] Fix RBAC for listing of TenantNamespaces and handle system:masters: Fixed regression in TenantNamespace listing RBAC and added proper handling for system:masters group (@kvaps in #1511).
- [api] Fix listing tenantnamespaces for non-oidc users: Fixed TenantNamespace listing functionality for users not using OIDC authentication (@kvaps in #1517).
- [dashboard] Fix logout: Fixed dashboard logout functionality to properly clear session and redirect users (@kvaps in #1510).
- [installer] Add additional check to wait for lineage-webhook: Added additional readiness check to ensure lineage-webhook is fully ready before proceeding with installation (@kvaps in #1506).
- [lineage] Check for nil chart in HelmRelease: Added nil check to prevent crashes when lineage webhook encounters HelmReleases using chartRef instead of chart (@lllamnyp in #1525).
- [kamaji] Respect 3rd party labels: Applied patch to Kamaji controller to respect third-party labels, preventing reconciliation loops (@lllamnyp in #1531).
- [redis-operator] Build patched operator in-tree: Moved Redis operator build into Cozystack organization and patched it to prevent overwriting third-party labels (@lllamnyp in #1547).
- [mariadb-operator] Add post-delete job to remove PVCs: Added post-delete job to automatically remove PersistentVolumeClaims when MariaDB instances are deleted (@IvanHunters in #1553).
- [seaweedfs] Fix migration to v3.99: Fixed migration issues when upgrading SeaweedFS to version 3.99 (@kvaps in #1572).
- [nats] Merge container spec, not podTemplate: Fixed NATS configuration to properly merge container specifications instead of podTemplate (@lllamnyp in #1571).
- [nats] Fixes for NATS App Helm chart, fix template issues with config.merge: Fixed template issues in NATS Helm chart related to config.merge value (@insignia96 in #1583).
- [nats] Fix NATS app chart to use existing secret credentials when present: Fixed NATS app chart to use existing secret credentials when present, preventing credential regeneration (@insignia96 in #1599).
- [kubevirt] Fix: kubevirt metrics rule: Fixed KubeVirt metrics rule configuration (@kvaps in #1584).
- [controller] Remove crdmem, handle DaemonSet: Removed crdmem and improved DaemonSet handling in controller (@lllamnyp in #1555).
- [dashboard] Revert reconciler removal: Reverted reconciler removal to restore proper dashboard functionality (@lllamnyp in #1559).
- [dashboard-controller] Fix static resources reconciliation and showing secrets: Fixed static resources reconciliation and improved secret display in dashboard controller (@kvaps in #1615).
- [cozystack-api][dashboard] Fix filtering for application services/ingresses/secrets: Fixed filtering functionality for application services, ingresses, and secrets in both API and dashboard (@kvaps in #1612).
- [virtual-machine] Revert per-vm network policies: Reverted per-VM network policies to previous behavior (@kvaps in #1611).
- [cozy-lib] Fix: handling resources=nil: Fixed handling of nil resources in cozy-lib templates (@kvaps in #1607).
- [cozy-lib] Fix malformed ResourceQuota rendering for LoadBalancer services: Fixed malformed ResourceQuota rendering for LoadBalancer services in cozy-lib templates (@IvanHunters in #1642).
- [kubernetes] Cleanup loadbalancer services: Added cleanup functionality for load balancer services in Kubernetes app (@lllamnyp in #1631).
- [rbac] Fix permissions for high-privilege users: Fixed RBAC permissions for high-privilege users, ensuring proper access control (@lllamnyp in #1622).
- [vpc] Fix access to subnet details configmap: Fixed access to subnet details configmap in VPC functionality (@lllamnyp in #1638).
- [api,lineage] Ensure node-local traffic: Ensured node-local traffic handling for API and lineage components (@lllamnyp in #1554).
- [extra] ingress: rm spaces from external ip list: Removed spaces from external IP list in ingress configuration, fixing formatting issues (@nbykov0 in #1652).
- scripts: fix 20 migration: Fixed migration script #20 to ensure proper execution during upgrades (@nbykov0 in #1653).
Security
- [redis] Bump Redis image version for security fixes: Updated Redis image version to include latest security fixes, improving cluster security (@IvanHunters in #1580).
- [flux] Close Flux Operator ports to external access: Removed hostPort and hostNetwork from Flux Operator Deployment, ensuring ports 8080 and 8081 are only accessible within the cluster (@IvanHunters in #1581).
- [ingress] Enforce HTTPS-only for API: Added force-ssl-redirect annotation to default API Ingress, ensuring all HTTP traffic is redirected to HTTPS (@IvanHunters in #1582).
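The two hardening changes above (removing hostNetwork/hostPort from the Flux Operator Deployment, and forcing HTTPS on the API Ingress) are easiest to understand as a before/after of the manifests involved. The following is an added illustration written for these notes, not Cozystack's own manifests: the resource names, namespaces, hostnames and image are placeholders, and the annotation key is the ingress-nginx one (assumed to be the controller in use).

```yaml
# Added illustration, not Cozystack's manifests. Names, namespaces, hostnames
# and the image are placeholders; the annotation key is ingress-nginx's.

# --- BEFORE: the weak pattern the release removes ---
# hostNetwork puts the pod in the node's network namespace and hostPort binds
# the container ports on the node's own interfaces, so 8080/8081 are reachable
# by anything that can reach the node IP, not just cluster workloads.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flux-operator          # placeholder
  namespace: flux-system       # placeholder
spec:
  replicas: 1
  selector:
    matchLabels: {app: flux-operator}
  template:
    metadata:
      labels: {app: flux-operator}
    spec:
      hostNetwork: true        # weak: node network namespace
      containers:
        - name: operator
          image: example.invalid/flux-operator:placeholder
          ports:
            - containerPort: 8080
              hostPort: 8080   # weak: bound on the node IP
            - containerPort: 8081
              hostPort: 8081   # weak: bound on the node IP
---
# --- AFTER: hardened ---
# No hostNetwork and no hostPort: the ports exist only on the pod IP.
# A ClusterIP Service keeps them reachable inside the cluster (metrics,
# health checks) and from nowhere else.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flux-operator
  namespace: flux-system
spec:
  replicas: 1
  selector:
    matchLabels: {app: flux-operator}
  template:
    metadata:
      labels: {app: flux-operator}
    spec:
      containers:
        - name: operator
          image: example.invalid/flux-operator:placeholder
          ports:
            - name: http
              containerPort: 8080
            - name: health
              containerPort: 8081
---
apiVersion: v1
kind: Service
metadata:
  name: flux-operator
  namespace: flux-system
spec:
  type: ClusterIP              # cluster-internal only
  selector: {app: flux-operator}
  ports:
    - {name: http,   port: 8080, targetPort: http}
    - {name: health, port: 8081, targetPort: health}
---
# --- API Ingress: HTTPS-only ---
# force-ssl-redirect makes ingress-nginx answer every plain-HTTP request with
# a redirect to HTTPS, and does so even if this Ingress carried no tls: block
# (the plain ssl-redirect default only applies when one is present).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cozystack-api          # placeholder
  namespace: cozy-system       # placeholder
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [api.example.invalid]
      secretName: api-tls      # placeholder
  rules:
    - host: api.example.invalid
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: cozystack-api
                port: {number: 443}
```

To check a cluster for any remaining pods still running in the node's network namespace, a jsonpath filter on the pod spec is enough: kubectl get pods -A -o jsonpath='{range .items[?(@.spec.hostNetwork==true)]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}'. Pods that legitimately need host networking (CNI agents, node exporters) will appear; anything else is worth a closer look.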
Dependencies & version updates
- Update LINSTOR v1.32.3: Updated LINSTOR to version 1.32.3 with latest features and bug fixes (@kvaps in #1565).
- Update Talos Linux v1.11.3: Updated Talos Linux to version 1.11.3 (@kvaps in #1527).
- Update Kube-OVN v1.14.11: Updated Kube-OVN to version 1.14.11 (@kvaps in #1514).
- [linstor] Update Piraeus Operator to v2.10.1: Updated Piraeus Operator to v2.10.1 to enable RWX support (@kvaps in #1650).
- [system] multus: update to the latest version: Updated Multus CNI to the latest version (@nbykov0 in #1628).
- [ci,dx] Bump MariaDB operator version: Bumped MariaDB operator version (@IvanHunters in #1646).
- Increase strimzi memory limit: Increased memory limit for Strimzi Kafka operator to improve stability and performance (@nbykov0 in #1651).
System Configuration
- [system] kube-ovn: turn off enableLb: Disabled load balancer functionality in Kube-OVN configuration (@nbykov0 in #1548).
- [core] rm talos lldp extension: Removed Talos LLDP extension from core configuration (@nbykov0 in #1586).
Development, Testing, and CI/CD
- [tests] Make Kubernetes tests POSIX-compatible: Replaced bash-specific constructs with POSIX-compliant code, ensuring tests work reliably with /bin/sh (@IvanHunters in #1509).
- [ferretdb] fix tests: Fixed FerretDB tests to ensure proper execution (@IvanHunters in #1540).
- [e2e] Increase Kubernetes connection timeouts: Increased connection and request timeouts in E2E tests when communicating with Kubernetes API (@IvanHunters in #1570).
- [cozystack-controller] improve API tests: Improved API tests for cozystack-controller (@kvaps in #1617).
- [ci] Fix build from external forks: Fixed build process to work correctly from external forks (@kvaps in #1530).
- [ci,dx] Add unit tests for cozy-lib: Added unit tests for cozy-lib to improve code quality and reliability (@lllamnyp in #1643).
Documentation
- [website] Add VPC page: Added VPC documentation page explaining VPC features and usage (@nbykov0 in cozystack/website@9ccac78).
- [website] Add VPC to auto-update list: Added VPC to auto-update list in documentation (@nbykov0 in cozystack/website@ca2bce6).
- [website] Update dashboard part in OIDC configuration doc: Updated OIDC configuration documentation with dashboard information (@nbykov0 in cozystack/website@6c44b93).
- [website] Update storage requirements: Updated storage requirements documentation (@nbykov0 in cozystack/website@cac3af6).
- [website] Add System Resource Planning Recommendations: Added system resource planning recommendations documentation (@kvaps in cozystack/website@c877c2a).
- [website] Optimize website for mobile devices: Improved website layout and responsiveness for mobile devices (@kvaps in cozystack/website@3ab2338).
- [website] Add OpenAPI UI: Added OpenAPI UI documentation and integration (@kvaps in cozystack/website@b1c1668).
- [website] Update Cozystack video in hero banner: Updated hero banner with new Cozystack video (@kvaps in cozystack/website@e351137).
- [website] Add screenshots carousel: Added screenshots carousel to showcase Cozystack features (@kvaps in cozystack/website@8422bd0).
- [website] Update LINSTOR documentation: Updated LINSTOR guide and set failmode=continue for ZFS configurations (@kvaps in cozystack/website@033804e).
- [website] Update managed apps reference: Updated managed applications reference documentation (@kvaps in cozystack/website@b886a74, cozystack/website@41c1849, cozystack/website@0ab71fd).
- [website] Update external apps documentation: Updated documentation for external applications (@kvaps in cozystack/website@565dad9).
- [website] Add naming conventions: Added naming conventions documentation (@kvaps in cozystack/website@b227abb).
- [website] Update golden image documentation: Updated documentation for creating golden images for virtual machines (@kvaps in cozystack/website@34c2f3a, cozystack/website@ef65593).
- [website] Fix documentation formatting: Fixed alerts, infoboxes, tabs styles and main page formatting (@kvaps in cozystack/website@e992e97, cozystack/website@b2c4dee).
- [website] Fix typo in blog article: Fixed typo in blog article (@kvaps in cozystack/website@0a4bbf3).
- [apps] vpc: more docs: Added more VPC documentation (@nbykov0 in #1594).
- [apps] vpc: fix typo in README: Fixed typo in VPC README (@nbykov0 in #1637).
Additional Repositories
boot-to-talos
- [boot-to-talos] Introduce boot/install mode: Introduced boot/install mode in boot-to-talos tool (@kvaps in cozystack/boot-to-talos#5).
cozypkg
- [cozypkg] Handle valuesFiles from cozypkg.cozystack.io/values-files annotation: Added support for handling valuesFiles from annotation in cozypkg (@kvaps in cozystack/cozypkg#8).
Refactors & chores
- [dashboard] Migrate patches to upstream project: Migrated dashboard patches to upstream project for better maintainability (@kvaps in #1569).
- Update CODEOWNERS: Updated CODEOWNERS file (@nbykov0 in #1537).
- Add QOSI to ADOPTERS.md: Added QOSI to adopters list (@tabu-a in #1589).
Breaking changes & upgrade notes
No breaking changes in this release.
Contributors
We'd like to thank all contributors who made this release possible:
New Contributors
We're excited to welcome our first-time contributors:
- @tabu-a - First contribution!
Full Changelog: v0.37.0...v0.38.0