Deckhouse v1.30.19

2 years ago

Changelog v1.30.19 since v1.29

Components that will be restarted during the update

  • cert-manager
  • control-plane-manager
  • etcd
  • ingress-nginx (versions 0.33+)
  • metallb
  • user-auth (Dex authenticators)

Significant Changes

  • Kubernetes 1.22 support;
  • etcd version 3.5.1;
  • Ingress nginx controller version 1.0;
  • Ingress nginx controller Pods are now managed by a special hook, not by a Kubernetes Controller;
  • Disable legacy cert-manager for Kubernetes >= 1.22;
  • Added alerts to track certificates expiration and cert-exporter health;
  • Update local-path-provisioner to protect PVs from being reused when the storage is unmounted;
  • Update oauth2-proxy to the latest version 7.2.0;
  • namespace-configurator: a new module that assigns annotations and labels to namespaces automatically.

Other changes

[bashible]

  • features
    • Docker face slapper (pods stuck in Terminating)
    • Log rotation changed from 10 Mi / 10 files to 50 Mi / 4 files.
      • Pull request
      • NOTE! kubelet will restart; neither docker nor containerd will restart. The change affects only the containerd CRI.
  • fixes

[bashible-apiserver]

  • fixes
    • Fix the bashible bundle not being rendered in static clusters.

[candi]

[cert-manager]

  • features
    • Update the annotation to delete that is named in the orphaned secrets alert description
    • Support Kubernetes v1.22 mutating admission in the annotations-converter webhook
  • fixes
    • Disable legacy cert-manager on Kubernetes >= 1.22
      • Pull request
      • NOTE! Legacy cert-manager resources (certmanager.k8s.io) will not be supported in 1.22+ clusters

[chore]

[chrony]

  • features
    • Disable NTP on nodes via a custom bashible step.
  • fixes
    • Fix the bashible step: openntpd.service and time-sync.target were missing from the list.
    • Add the VPA label workload-resource-policy so that the module takes part in resource request calculations.

[cloud-provider-aws]

[cloud-provider-openstack]

  • fixes
    • Set volume availability zone in dhctl on bootstrap.

[cloud-provider-vsphere]

  • fixes

[cluster-and-infrastructure]

  • features
    • Add Kubernetes 1.22 support.
      • Pull request
      • NOTE! Numerous Deckhouse components will be restarted due to the upgrade of kube-rbac-proxy.

[control-plane-manager]

  • features
    • Add basic audit-policy.
      • Pull request
      • NOTE! Due to the new basic audit-policy, the api-server component will be restarted.
    • Bump etcd version to 3.5.1.
      • Pull request
      • NOTE! Short-term API server unavailability due to etcd restart.

[deckhouse]

  • features
    • Check requirements before applying a DeckhouseRelease
    • Different severity level based on pending DeckhouseReleases count
    • Add alert if deckhouse config is broken
    • Add canary deckhouse release update
  • fixes
    • Fix requirements check semver lib
    • The start and end times of the update window must belong to the same day.
    • Use twice the scrape interval instead of a hardcoded value for the invalid config values alert
    • Update the description of the release process
    • Make the release process more controlled and transparent

[dhctl]

  • features
    • Add a templating feature for Kubernetes resources created by dhctl.
      • Pull request
  • fixes
    • Check Deckhouse pod readiness before getting logs; this fixes static cluster bootstrap.
    • All master nodes will have the control-plane role in new clusters.
    • Do not print an error about a non-existent bastion host key in the abort command.

[docs]

  • fixes
    • Fix instructions for switching registry and image copier
    • Add the 'experimental' warning to namespace-configurator module documentation pages.
    • Fix examples in ClusterLoggingConfig and PodLoggingConfig CR. Fix CR generator.
    • Minor updates to the Azure getting started guide.
    • Fix keepalived module examples in the documentation.
    • Review and fix the 'How to configure' article.

[extended-monitoring]

  • features
    • Add cert-exporter alerts
      • Pull request
      • NOTE! Added alerts to track certificates expiration and cert-exporter health
    • Add cert-exporter
      • Pull request
      • NOTE! Added cert-exporter to track certificates expiration
  • fixes

[flant-integration]

  • features
    • Add a madison-proxy notification channel to send alerts from Grafana to Madison via the proxy and show them in Polk
      • Pull request
      • NOTE! A rewrite rule from the /api/v1/alerts URL to the Madison URL is added to madison-proxy, because Grafana always sends notifications to this URL.
  • fixes
    • Remove "kubeall.team" field from the deckhouse ConfigMap.
    • Remove the plan parameter from the OpenAPI specification
    • Implement proper HA remote-write and reduce outgoing traffic amount.
    • Remove the deprecated flantIntegration.kubeall.team config value from the spec.

[global]

  • features
    • All master nodes will have the control-plane role in existing clusters.
      • Pull request
      • NOTE! A migration adding the role is included; bashible steps will be rerun on master nodes.
    • Update Kubernetes patch versions.
    • New bundle for Debian 9, 10, 11
    • Add an OpenAPI spec for global values. It validates the global configuration section of the d8-system/deckhouse ConfigMap.
      • Pull request
      • NOTE! If a Deckhouse upgrade to a new version fails with an OpenAPI validation error, please report it to us. Do not change or remove parameters in the d8-system/deckhouse ConfigMap; wait for an OpenAPI specification fix instead. You will also have to restart Deckhouse manually to apply updates, because auto-updating starts only after the global values pass validation.
  • fixes
    • Fix parsing of the Deckhouse images repo when the image name contains a sha256 digest
    • Fix serialization of empty strings in secrets
    • Add number type for modules.resourcesRequests.everyNode.cpu and modules.resourcesRequests.masterNode.cpu

[helm]

  • fixes
    • Provide an up-to-date description for the deprecated resources API versions alerts.
    • Add deprecation guide link to deprecated resources alerts.

[ingress-nginx]

  • features
    • Add an example of using the LoadBalancer inlet with MetalLB.
    • Add ingress-nginx controller version 1.0
    • Add panels to Grafana dashboards with detailed nginx statistics
    • Add documentation article "How to enable HorizontalPodAutoscaling for IngressNginxController".
  • fixes
    • Added "pcre_jit on" to nginx.tmpl for controller-0.46 and above
      • Pull request
      • NOTE! Ingress Controller >= 0.46 will be restarted
    • Set proper version for new ingress-nginx controller 1.0 (drop the patch version).
    • Always return auth request cookies (only for controllers >= 0.33)
      • Pull request
      • NOTE! Ingress Nginx controllers >=0.33 pods will be restarted
    • Temporarily remove support of the 1.0 controller.
    • Fix the handled requests query on a dashboard.
    • Manual update for ingress controllers.

[istio]

  • features
    • Add the alliance.ingressGateway.nodePort.port option to set a static port for the NodePort-type ingressgateway Service.
  • fixes
    • Correct the decision on whether to deploy ingressgateway for multiclusters.
    • Clarify the globalVersion option in the documentation.
    • Allow nodeSelector and tolerations customization for the control plane.

[keepalived]

[local-path-provisioner]

  • features
    • Added reclaimPolicy selector, set default reclaimPolicy to Retain
  • fixes
    • Update local-path-provisioner to v0.0.21, which includes the fix
      • Pull request
      • NOTE! Protect PVs from being reused when the storage is unmounted.

[log-shipper]

  • fixes
    • Add the VPA label workload-resource-policy so that the module takes part in resource request calculations.

[monitoring]

  • fixes
    • Remove apparmor profile for node-exporter.
    • Replace severity by severity_level
      • Pull request
      • NOTE! The severity annotation is deprecated, use severity_level [1-9] instead.

[monitoring-kubernetes]

  • features
    • Added ebpf-exporter
      • Pull request
      • NOTE! ebpf-exporter monitors global and per-cgroup OOMs, with recording rules and a dashboard.
  • fixes
    • Filter VPA by actual controllers to calculate VPA coverage
    • Fixed node-exporter apparmor profile.

[monitoring-kubernetes-control-plane]

  • features
    • Add sorted tables for kube-apiserver metrics.

[namespace-configurator]

  • features
    • New namespace-configurator module
      • Pull request
      • NOTE! The namespace-configurator module allows assigning annotations and labels to namespaces automatically

[node-manager]

  • features
    • Added Early OOM killer
      • Pull request
      • NOTE! A primitive early OOM killer that prevents nodes from getting stuck in out-of-memory conditions. It triggers when MemAvailable drops below 500 MiB.
    • Update the NodeUser resource to support a NodeGroup selector and multiple SSH keys.
  • fixes
    • Fix updating of Static node template annotations
    • Clarify bootstrap and adopt in the FAQ.
    • When calculating the maximum number of instances for a NodeGroup without zones defined, use the global zones count from the CloudProvider configuration.
    • Fix event creation for a NodeGroup when a new Machine provisioning process fails.
    • Do not deploy VPA for bashible-apiserver if the autoscaler is not enabled.

[okmeter]

  • features
    • The Okmeter agent image is checked periodically by tag, and its sha256 digest is used to pin the agent image.
  • fixes
    • Bump oksupervisor version to fix updating problems

[prometheus]

  • features
    • Provision alert channels from CRDs to Grafana via a new Secret. Migrate to direct datasources.
      • Pull request
      • NOTE! Grafana will be restarted.
        Grafana now uses the proxy access type for the Deckhouse datasources (main, longterm, uncached), because the direct (browser) access type is deprecated, and alerts do not work with direct datasources.
        Datasources are provisioned from a Secret instead of a ConfigMap. Deckhouse datasources need client certificates to connect to Prometheus or Trickster. The old ConfigMap is left in place to prevent mount errors while terminating.
    • Add support for ServiceMonitors and PodMonitors from user space
  • fixes
    • Make the Grafana home dashboard queries show only the top-used versions

[prometheus-crd]

  • features
    • Add GrafanaAlertsChannel CRD.
      • Pull request
      • NOTE! Only the Prometheus Alertmanager notification channel is supported

[prometheus-metrics-adapter]

  • fixes
    • Restore HPA external metrics behavior. Enforced passing of the namespace into a query is disabled. If your metric needs to be selected with a specific namespace label value, set it directly in the HPA's label selector

[registry-packages]

[upmeter]

  • fixes
    • Assign limited access rights to the agent ServiceAccount
    • Fix a floating bug causing false downtime of the deckhouse/cluster-configuration probe

[user-authn]

  • features
    • Validation webhook preventing duplicate DexAuthenticators from being created.
    • Update oauth2-proxy to the latest version (7.2.0)
  • fixes
    • Ignore updating an existing DexAuthenticator
    • Delete publish API secrets with non-matching names to avoid orphaned secrets alerts
    • Migrate BitbucketCloud connector to utilizing workspaces API.
    • Fixed .spec.ldap.bindPW escaping in DexProvider.

[user-authz]

  • fixes
    • Allow empty group and apiVersion in user-authz webhook requests

[testing]

  • features
    • Speed up matrix tests, reduce object allocations for helm renders
    • Add monitoring trigger linter for modules
  • fixes

Changelog v1.30.19 since v1.30.18

Release digest

  • Disable enforced passing of the namespace into a query. If your metric needs to be selected with a specific namespace label value, set it directly in the HPA's label selector

Fixes

  • [prometheus-metrics-adapter] Restore HPA external metrics behavior #1154
    Disable enforced passing of the namespace into a query. If your metric needs to be selected with a specific namespace label value, set it directly in the HPA's label selector
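The HPA-side change described in the prometheus-metrics-adapter fix above, as an added example that is not part of these release notes or of the Deckhouse project: since the adapter no longer injects the HPA's namespace into the query, an external metric that must be scoped to one namespace has to carry that label in the HPA's own selector. The deployment name my-app, the namespace my-namespace and the metric name my_external_metric are placeholders; autoscaling/v2beta2 is used because it is available on the Kubernetes versions this release supports.

```yaml
# Added example, not from the Deckhouse release notes or code base.
# Placeholders (assumed, not from the page): my-app, my-namespace, my_external_metric.
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
  name: my-app
  namespace: my-namespace
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: my-app
  minReplicas: 1
  maxReplicas: 10
  metrics:
    - type: External
      external:
        metric:
          name: my_external_metric
          # The adapter no longer adds namespace="<HPA namespace>" to the query,
          # so the namespace scoping must be stated here explicitly.
          selector:
            matchLabels:
              namespace: my-namespace
        target:
          type: AverageValue
          averageValue: "100"
```

Without the namespace entry under matchLabels the query now matches the metric across every namespace that exposes it, so series from another namespace can drive scaling of this Deployment; pinning the label in the selector restores the scoping the adapter used to enforce on its own.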
