Deckhouse v1.30.1

Changelog since v1.29

Components that will be restarted during the update

  • Grafana/Prometheus
  • cert-manager
  • control-plane-manager
  • ingress-nginx (versions 0.33+)
  • metallb
  • user-auth (Dex authenticators)

Significant Changes

  • Kubernetes 1.22 support;
  • Ingress nginx controller version 1.0;
  • Disable legacy cert-manager for Kubernetes >= 1.22;
  • Added alerts to track certificates expiration and cert-exporter health;
  • Update local-path-provisioner to protect PVs to be reused in case of unmounted storage;
  • Update oauth2-proxy to the latest version 7.2.0;
  • namespace-configurator: a new module that allows assigning annotations and labels to namespaces automatically.

Other changes

[bashible]

  • features
    • Docker face slapper (pods stuck in terminating)
    • Log rotation changed from 10 Mi / 10 files to 50 Mi / 4 files.
      • Pull request
      • NOTE! kubelet will restart; neither docker nor containerd will restart. The change affects only containerd CRI.
  • fixes

[bashible-apiserver]

  • fixes
    • Fix do not render bashible bundle in static clusters.

[cert-manager]

  • features
    • Actualize annotation to delete in the orphan secrets alert description
    • Support k8s v1.22 mutating admission for annotations-converter webhook
  • fixes
    • Disable legacy cert-manager for >= 1.22 kubernetes
      • Pull request
      • NOTE! Legacy cert-manager resources (certmanager.k8s.io) will not be supported in 1.22+ clusters

[chrony]

  • features
    • Disable ntp on nodes by custom bashible step.
  • fixes
    • Bashible step fix — missed openntpd.service and time-sync.target in list.
    • Add VPA label workload-resource-policy to make it take part in resources requests calculations.

[cloud-provider-vsphere]

  • fixes

[cluster-and-infrastructure]

  • features
    • Add Kubernetes 1.22 support.
      • Pull request
      • NOTE! Numerous deckhouse components would be restarted due to the upgrade of kube-rbac-proxy.

[control-plane-manager]

  • features
    • Add basic audit-policy.
      • Pull request
      • NOTE! Due to the new basic audit-policy api-server component will be restarted.

[deckhouse]

  • features
    • Check requirements before applying a DeckhouseRelease
    • Different severity level based on pending DeckhouseReleases count
    • Add alert if deckhouse config is broken
    • Add canary deckhouse release update
  • fixes
    • Fix requirements check semver lib
    • The start and end times of the update window must belong to the same day.
    • Use scrape interval x2 instead of hardcoded value for invalid config values alerting

[dhctl]

  • fixes
    • Check deckhouse pod readiness before get logs. It fixes static cluster bootstrap.
    • All master nodes will have control-plane role in new clusters.

[docs]

  • fixes
    • Fix instructions for switching registry and image copier
    • Add the 'experimental' warning to namespace-configurator module documentation pages.
    • Fix examples in ClusterLoggingConfig and PodLoggingConfig CR. Fix CR generator.

[extended-monitoring]

  • features
    • Add cert-exporter alerts
      • Pull request
      • NOTE! Added alerts to track certificates expiration and cert-exporter health
    • Add cert-exporter
      • Pull request
      • NOTE! Added cert-exporter to track certificates expiration
  • fixes

[flant-integration]

  • features
    • Add madison-proxy notification channel to send alert from grafana to madison via proxy and show them in Polk
      • Pull request
      • NOTE! Add rewrite rule to madison-proxy from /api/v1/alerts url to madison url, because grafana always sends notifications to this URL.
  • fixes
    • Remove "kubeall.team" field from the deckhouse ConfigMap.
    • Remove the plan parameter from the OpenAPI specification
    • Implement proper HA remote-write and reduce outgoing traffic amount.

[global]

  • features
    • All master nodes will have control-plane role in new exist clusters.
      • Pull request
      • NOTE! Add migration for adding role. Bashible steps will be rerun on master nodes.
    • Update Kubernetes patch versions.
  • fixes
    • Fix parsing deckhouse images repo if there is the sha256 sum in the image name
    • Fix serialization of empty strings in secrets

[helm]

  • fixes
    • Provide an actual description for deprecated resources API versions alerts.
    • Add deprecation guide link to deprecated resources alerts.

[ingress-nginx]

  • features
    • Add an example of usage LoadBalancer inlet with MetalLB.
    • Add ingress-nginx controller version 1.0
  • fixes
    • Added "pcre_jit on" to nginx.tmpl for controller-0.46 and above
      • Pull request
      • NOTE! Ingress Controller >= 0.46 will be restarted
    • Set proper version for new ingress-nginx controller 1.0 (drop the patch version).
    • Always return auth request cookies (only for controllers >= 0.33)
      • Pull request
      • NOTE! Ingress Nginx controllers >=0.33 pods will be restarted

[istio]

  • features
    • alliance.ingressGateway.nodePort.port option to set a static port for NodePort-type ingressgateway Service.
  • fixes
    • Correct decision to deploy ingressgateway for multiclusters.
    • globalVersion option clarification in documentation.

[local-path-provisioner]

  • features
    • Added reclaimPolicy selector, set default reclaimPolicy to Retain
  • fixes
    • Update local-path-provisioner v0.0.21, include fix
      • Pull request
      • NOTE! Protect PVs to be reused in case of unmounted storage.

[log-shipper]

  • fixes
    • Add VPA label workload-resource-policy to make it take part in resources requests calculations.

[monitoring-kubernetes]

  • features
    • Added ebpf-exporter
      • Pull request
      • NOTE! ebpf-exporter that monitors global and per-cgroup OOMs. With recording rules and dashboard.
  • fixes
    • Filter VPA by actual controllers to calculate VPA coverage
    • Fixed node-exporter apparmor profile.

[namespace-configurator]

  • features
    • New namespace-configurator module
      • Pull request
      • NOTE! namespace-configurator module allows assigning annotations and labels to namespaces automatically

[node-manager]

  • features
    • Added Early OOM killer
      • Pull request
      • NOTE! Primitive early OOM that prevents nodes from getting stuck in out-of-memory conditions. Triggers when MemAvailable becomes less than 500 MiB.
  • fixes
    • Fix Static node template annotations updating

[okmeter]

  • fixes
    • Bump oksupervisor version to fix updating problems

[okmeter]

  • features
    • Okmeter agent image will be checked periodically by tag and used sha256 hash to pin the image for agent.

[prometheus]

  • features
    • Provisioning alert channels from CRDs to grafana via new secret. Migrate to direct datasources.
      • Pull request
      • NOTE! Grafana will be restarted.
        Grafana now uses the direct (proxy) type for deckhouse datasources (main, longterm, uncached), because the direct (browse) datasource type is deprecated now. And alerts don't work with direct data sources.
        Datasources are provisioned from a secret instead of a configmap. Deckhouse datasources need client certificates to connect to prometheus or trickster. The old configmap is left in place to prevent mount errors while terminating.
  • fixes
    • Make Grafana home dashboard queries to only show the top-used versions

[prometheus-crd]

  • features
    • Add GrafanaAlertsChannel CRD.
      • Pull request
      • NOTE! Only the prometheus alert manager notification channel is supported

[registry-packages]

  • fixes
    • Fixed build of containerd-fe registry package.

[upmeter]

  • fixes
    • Assigned limited access rights to the agent serviceaccount

[user-authn]

  • features
    • Validation webhook that prevents duplicate DexAuthenticators from being created.
    • Update oauth2-proxy to the latest version (7.2.0)
  • fixes
    • Ignore updating an existing DexAuthenticator
    • Delete publish API secrets with non-matching names to avoid the orphaned secrets alerts

[user-authz]

  • fixes
    • Allow empty group and apiVersion requests in user-authz webhook

Changelog since v1.30.0

[bashible]

  • features
    • Log rotation changed from 10 Mi / 10 files to 50 Mi / 4 files.
      • Pull request
      • NOTE! kubelet will restart; neither docker nor containerd will restart. The change affects only containerd CRI.

[documentation]

  • fixes
    • Add the 'experimental' warning to namespace-configurator module documentation pages.
    • Fix examples in ClusterLoggingConfig and PodLoggingConfig CR. Fix CR generator.

[flant-integration]

  • fixes
    • Remove "kubeall.team" field from the deckhouse ConfigMap.

[helm]

  • fixes
    • Add deprecation guide link to deprecated resources alerts.

[registry-packages]

  • fixes
    • Fixed build of containerd-fe registry package.
