Merge Requests integrated in this release

610 sylva-core merge requests were integrated between 1.3.0 and 1.4.0.
These notes don't account for the MRs merged in secondary repos under sylva-elements.

Kubernetes

Update Kubernetes to 1.30.9 1.29.13, switch Ubuntu to Noble/24.04, align calico and ingress-nginx versions !3933 ~"networking" ~"renovate"
Update Kubernetes to 1.31.7, 1.30.11, 1.29.15 !4178 ~"networking" ~"renovate"
Update dependency sylva-projects/sylva-elements/diskimage-builder to v0.4.11, include k8s 1.31.8 and 1.30.12 !4358 ~"networking" ~"renovate"

Breaking changes

cleanup the old way for defining the longhorn disk configuration ('bmh_metadata.annotations') !3548 ~"longhorn" ~"type::cleanup"
CAPM3 network refactoring !3571 ~"capm3" ~"type::feature"
Use metallb-resources as helmchart in sylva-capi-cluster and improve MetalLB BGP configuration !4127 ~"networking" ~"type::feature"
reduce "shared settings" to the strict minimum, ie. mgmt cluster state !4084 ~"type::feature"

Networking

Update Helm chart metallb to v0.14.9 !3506 ~"renovate"
Update kube-vip container to v0.9.1 ~"renovate" ~"kubeadm" !3576 !3636 !4191 !4237 !4316
Update sriov to v1.5.2+up1.5.0 ~"renovate" !3607 !4190 !4374
Update Sylva Helm chart metallb-resources to v0.1.0 ~"renovate" !3831 !4019
Update Sylva Helm chart sriov-resources to v0.0.5 !4039 ~"renovate"
Disable Calico bgp mode by default !3643
Fix metallb speaker pod eviction !3804
Add loadBalancerClass support !2062 ~"type::feature"
use "one_shot: true" unit for loadbalancerclass/service fix units !3834
Update Kubernetes to 1.30.9 1.29.13, switch Ubuntu to Noble/24.04, align calico and ingress-nginx versions !3933 ~"k8s-upgrade" ~"renovate"
fix schema for sriov.node_policies !4033 ~"type::bug"
Update service annotations for metallb !4046
remove metallb speaker control plane node selection constraint !3771
Cluster unit check for calico unit during upgrade !3793
MetalLB: update a remaining metallb.universe.tf annotation !4068
Replace service.spec.loadBalancerIP with metallb.io/loadBalancerIPs annotation on cluster-vip service !4072 ~"type::cleanup"
upgrade: update metallb-resources unit before metallb unit (avoid having VIP on an MD node) !4083
Add policy to sort sriov-device-plugin nodeSelectors !4140
Use the same values for metallb in sylva-capi-cluster and Flux !4224
Update Kubernetes to 1.31.7, 1.30.11, 1.29.15 !4178 ~"k8s-upgrade" ~"renovate"
capm3: add support for setting VLAN MTU on unallocated interfaces !4253 ~"capm3"
Use metallb-resources as helmchart in sylva-capi-cluster and improve MetalLB BGP configuration !4127 ~"API-breaking-change" ~"type::feature"
examples for metallb l3_options !4032 ~"docs"
Remove multus-bond-cni unit (now useless) !4314 ~"type::cleanup"
update certManager sr-iov network operator path and enable admission controllers !3780
Add MetalLB monitoring !4285 ~"monitoring"
Disable prune for Multus unit to prevent cluster breakage on uninstall !4360
Import metallb-resources schema !4276
Change MTU size logic in sylva-core !3283 ~"capm3"
Update dependency sylva-projects/sylva-elements/diskimage-builder to v0.4.11, include k8s 1.31.8 and 1.30.12 !4358 ~"k8s-upgrade" ~"renovate"
Set freeze_first_node_files based on _internal.is_upgrade !4255 ~"rke2"
SRIOV: remove workaround for node-feature-discovery container image !4508
Firewalling - add network policies for the server interfaces and cluster VIP !1256 ~"security" ~"type::feature"

OpenStack ~capo

Update sylva-elements/container-images/openstack-client container to v0.0.22 ~"renovate" !3564 !3579 !3651 !3681
Update dependency kubernetes-sigs/cluster-api-provider-openstack to v0.12.3 ~"renovate" !3704 !3837 !4098 !4335
Update heat-operator to v0.1.0 !3915 ~"renovate"
Update dependency k-orc/openstack-resource-controller to v2.1.0 ~"renovate" !3938 !4172 !4186 !4349
Update Helm chart openstack-cinder-csi to v2.32.0 !3985 ~"renovate"
Update Sylva Helm chart sync-openstack-images to v0.4.5 ~"renovate" !4035 !4383 !4465
get-openstack-images: obtain an individual token everytime a new OCI artifact is being pulled !3536 ~"has-backport-issue-1.3.x"
Fix get-openstack-images creating duplicate images (API pagination issue) !3672 ~"type::bug"
refactor get-openstack-images unit as a Helm-based unit !3565
sync-openstack-images: pass OS images information via values !3657
sync-openstack-images: use OS image selectors from .cluster !3671 ~"type::feature"
sync-openstack-images: don't compute PV size in sylva-units !3666 ~"type::cleanup"
simplify OS images activation (os_images/sylva_diskimage_builder) !3794 ~"capm3"
skip os-images-info configmap creation if no image is listed !4065 ~"capm3"
CAPO: better name for VIP Neutron port !4111
sync-openstack-images: improve how Job hash is computed !4097
Suspend heatstack bootstrap cluster on pivot stage !4209
gzip cloud-init data on openstack platforms (RKE2 CAPI provider 0.13.x) !4326 ~"rke2"
CI: fix gathering of CAPO OpenStack VM information in bootstrap cluster dump !4370 ~"CI-bugs"
increase openstack-resource-controller memory limit/requests !4435

Baremetal ~capm3

Update dependency metal3-io/cluster-api-provider-metal3 to v1.9.3 ~"renovate" !3603 !3829 !3999
Update Sylva Helm chart os-image-server to v2.2.5 ~"renovate" !3710 !3949 !4015
Update Helm chart metal3 to v0.11.1 ~"renovate" !3600 !4025 !4064 !4187
os-images-server: introduce OS image selectors !3668 ~"type::feature"
os-images-server: clone into workload clusters the os-image-info configmap produced by the chart !3695
Revert "os-images-server: clone into workload clusters the os-image-info configmap produced by the chart" !3935
re-add cluster-node-deletion-timeout-fix Kyverno policy !3928 ~"rke2"
os-images-server: clone into workload clusters the os-image-info configmap produced by the chart !3936
os-images-server: define OS image selectors == current cluster image selectors + os_image_server_additional_selectors !3693
os-images-server: simplify how we restrict which images are downloaded on bootstrap !3728
simplify OS images activation (os_images/sylva_diskimage_builder) !3794 ~"capo"
skip os-images-info configmap creation if no image is listed !4065 ~"capo"
CAPM3 network refactoring !3571 ~"API-breaking-change" ~"type::feature"
Revert "Update Helm chart metal3 to v0.10.1" !4179
rewrite cluster-nodes-provider-id-blacklist Kyverno policy to use ValidatingAdmissionPolicy to prevent Node recreation !4128
capm3 decouple os-images-info and os-image-server output ConfigMap !4200
Remove baremetal BMC addresses from no_proxy !4211
capm3: add support for setting VLAN MTU on unallocated interfaces !4253 ~"networking"
Revert "capm3 example add sylva-user to sylva-ops group" (sylva-capi-cluster schema violation) !4291
Add drift ignore rules for cluster-bmh !4345
Monitoring updates related to Longhorn, and to Lenovo XCC SNMP alert rules !4376 ~"longhorn" ~"monitoring"
Change MTU size logic in sylva-core !3283 ~"networking"
Enable HTTPS for baremetal OS images download !4256
Validate node count against baremetal hosts !4348
metal3: remove settings for MariaDB (SQLite is now used) !4509 ~"type::cleanup"
capm3: no need to wait for os-image-server unit before pivot !4524
metal3: use an IPA downloader image specific to x86_64 (upgrade metal3 chart to 0.11.x) !4392

VSphere ~capv

Update dependency kubernetes-sigs/cluster-api-provider-vsphere to v1.13.0 ~"renovate" !3512 !4331
Update dependency kubernetes-sigs/vsphere-csi-driver to v3.4.0 !4236 ~"renovate"

Monitoring

Update Helm chart jiralert to v1.7.2 !3443 ~"renovate"
Update Helm chart prometheus-pushgateway to v3.3.0 ~"renovate" !3549 !3650 !3858 !4193 !4261 !4454 !4500
Update Helm chart prometheus-snmp-exporter to v9 ~"renovate" !3614 !3912 !4002 !4007 !4086
Update Sylva Helm chart sylva-alertmanager-resources to v0.0.3 !3675 ~"renovate"
Update Sylva Helm chart sylva-dashboards to v0.0.15 !3892 ~"renovate"
Update Sylva Helm chart sylva-thanos-rules to v0.1.0 !4075 ~"renovate"
Update rancher-monitoring to v105.2.0+up66.7.1-rancher.10 ~"renovate" !3608 !4480
Update Helm chart alertmanager-snmp-notifier to v0.5.0 !4339 ~"renovate"
use max_source_resolution=auto for management cluster Thanos datasource !3575
Add new metrics related to projects and namespaces !3531
Add podAnnotations to jiralert !3613
Add management cluster override for sylva-prometheus-rules unit !3454
Add prometheus-adapter resource requests & limits !3718
Fix Kyverno policies related to Thanos compactor in order to check for the existence of the Deployment !3545 ~"type::bug"
Update Thanos components defaults !3526
Enable metrics in Crossplane unit !3890
Add Alertmanager snmp-notifier webhook support !3895
Update Prometheus default rules for the management cluster !4022
Disable Rancher monitoring node-exporter alerting rules for the management cluster !4137
fix field loglevel to logLevel for thanos-queryFrontend !4212
Standardize thanos configuration in monitoring !4184
Update snmp-exporter config generation !4180
Add MetalLB monitoring !4285 ~"networking"
Monitoring updates related to Longhorn, and to Lenovo XCC SNMP alert rules !4376 ~"capm3" ~"longhorn"
Update Thanos unit flags !4414
Revisit collection of cluster metrics in rancher !4495
Add Harbor monitoring !4441
Add persistent storage to Thanos components !4355

Logging

Update github.com/grafana/loki to v3.5.1 ~"renovate" !3328 !3891 !4268 !4491
Update rancher-logging to v105.3.0+up4.10.0-rancher.4 ~"renovate" !2990 !3721 !4479
Enable loki by default if logging is enabled !3042
Remove loki chunk & results cache memory requests !3767
Update memory request and limit for minio-logging !3914 ~"storage"
Add clientMaxBodySize for Loki and cleanup workarounds !4041
Add podSecurityContext for fluentd to prevent upgrade failure !4279

Storage

Update longhorn to v105.2.0+up1.8.1 ~"renovate" !3560 !4001 !4173
Update github.com/minio/operator to v7.1.1 ~"renovate" !3639 !3707 !4116 !4259
Update github.com/rancher/local-path-provisioner to v0.0.31 !3727 ~"renovate"
longhorn: set storageclass as default consistently with what sylva-units computes !3514
Configure longhorn storageclasses based on the number of longhorn nodes in the cluster !3236
cleanup the old way for defining the longhorn disk configuration ('bmh_metadata.annotations') !3548 ~"API-breaking-change" ~"type::cleanup"
Add v1.min.io/tenant label to minio service !3963
Fix longhorn-instance-manager-cleanup to support multiple pods !3959
Update memory request and limit for minio-logging !3914 ~"logging"
Generate minio internal certificates !4027
Enable NFSv4.1 as the Default Version for NFS Ganesha !4103
Add Kyverno Policies for automatic MinIO pod rollout on certificate renewal !4117
Revert "Add Kyverno Policies for automatic MinIO pod rollout on certificate renewal" !4168
Add minio-cleanup units, in order to fix tenant failed status after upgrade !4071
Add HealthCheckExpr for minio tenants !4067
Monitoring updates related to Longhorn, and to Lenovo XCC SNMP alert rules !4376 ~"capm3" ~"monitoring"
Fix broken policies for MinIO pods deletion on secret change !4210
Update enabled conditions for Longhorn storageClass units !4318 ~"type::bug"
allow end user to control default storage class !4426
make _internal.default_storageclass as immutable !4413
Use single-replica-storageclass for Flux on longhorn !4430
set default_storage_class as per units enabled !4462
Patch the minio-xxx Kustomizations with the new spec.healthCheckExprs field on upgrade !4468
Update/Adapt Helm release ceph-csi-cephfs to v3.14.0 !4482
stop autocomputing default storage class for Longhorn, revisit longhorn_node_count !4407

Security

Update Helm chart core to v2.8.3 !3315 ~"renovate"
Update github.com/bank-vaults/vault-operator to v1.22.5 !3488 ~"renovate"
Update Helm chart rancher-cis-benchmark-crd to v105 !3588 ~"renovate"
Update Helm chart trivy-operator to v0.26.0 ~"renovate" !3601 !3860
Update dependency keycloak/keycloak-k8s-resources to v26.1.5 ~"renovate" !3645 !3815 !3884 !4003 !4076 !4220
Update rancher-cis-benchmark to v105.4.0+up7.4.0 ~"renovate" !3706 !3817 !3978 !4174
Update Helm chart cert-manager to v1.17.0 !3796 ~"renovate"
Update Helm chart kyverno to v3.3.9 ~"renovate" !3836 !3861 !3897 !4322
Update Helm chart vault-config-operator to v0.8.33 ~"renovate" !4093 !4177 !4267 !4544
Fix Neuvector Kyverno Policy Exception namespace !3470
Update rancher-cis-benchmark !3508 ~"renovate"
Removing incorrect certificate and DNS setting in kubevirt manager !3491 ~"kubevirt"
Fix Pod security for neuvector-updater-pod Cronjob !3701
Introduce Crossplane unit !2976
disable sandbox-privileged-namespace unit by default !3781
fix/homogenize external service TLS Secret management !3683 ~"type::tech-debt"
Revert "Update rancher-cis-benchmark to v105.2.0+up7.2.0 (main) (minor)" !3812
Definition of grafana viewer and editor roles !3900
Fix trivy-operator scanJobs, in order to generate vulnerability reports. !3925
Bump ingress-nginx image, in order to fix CVE-2025-1974 !4167
Update Vault password policy !4095
Manage password special characters used in keycloak jobs !4244
Don't use special chars in Vault passwords !4260
introduce the SBOM operator !638 ~"type::feature"
Exclude Neuvector from 'disallow-latest-and-main-tag' ValidatingAdmissionPolicy validation !4372
Enable workload cluster teams to only create SecretStore to access to Vault instead of ClusterSecretStore !4405
Deploy neuvector on workload clusters !3256
Script to merge container image lists of each deployment (capo, capm3, etc.) !3384 ~"type::feature"
Firewalling - add network policies for the server interfaces and cluster VIP !1256 ~"networking" ~"type::feature"

Lifecyle

Update workload-cluster-operator to v0.3.2 ~"renovate" !3954 !4387 !4444 !4533
Update Helm chart gitea to v11.0.1 ~"renovate" !4008 !4155
Update sylva-units-operator to v0.2.2 ~"renovate" !4148 !4530
Update Sylva Helm chart workload-team-defs to v0.1.2 !4436 ~"renovate"
CAPI: enable MachineSetPreflightChecks (ensure full control-plane k8s upgrade before upgrading MD nodes) !3084
add ingress rules in the flux system component to enable sylva GitOps !4503

RKE2

Update Helm chart rke2-multus to v4.2.002 ~"renovate" !3908 !4043 !4150 !4188 !4390
Update dependency rancher/cluster-api-provider-rke2 to v0.16.1 ~"renovate" !4129 !4272 !4517
Update Sylva Helm chart sylva-capi-cluster to v0.9.12 !4548 ~"renovate"
fix workload-cluster cluster-vip Kustomization namespace !3541
Disable hostPort for RKE2 Ingress NGINX Controller !3905
re-add cluster-node-deletion-timeout-fix Kyverno policy !3928 ~"capm3"
Update dependency rancher/cluster-api-provider-rke2 to v0.12.0 + custom patch !3640
gzip cloud-init data on openstack platforms (RKE2 CAPI provider 0.13.x) !4326 ~"capo"
Set freeze_first_node_files based on _internal.is_upgrade !4255 ~"networking"

Kubeadm

Update kube-vip container to v0.9.1 ~"renovate" ~"networking" !3576 !3636 !4191 !4237 !4316
add missing opensuse/kubeadm images to sylva_diskimagebuilder_images !4105 ~"type::bug"

OKD/OpenShift

Add openshift security context constraint for cephfs !3582
Add dhcp-less and dns-less capabilities to okd deployments !3055

Bug Fixes

Ensure CHECK_TEST_UNITS variable as a default value !3530
Fix permissions for admin user of Harbor !3216
Disable neuvector-cert-upgrader CronJob as certmanager is used !3679
Shortening service certificate commonName to keep it under 64 characters !3708
fix regression causing kubevirt-manager to not be deployable in workload clusters !3833 ~"kubevirt"
avoid irrelevant PolicyReports for reconcile-thanos-helmrelease Kyverno policy !4100
Updating exceptions for disallow-latest-and-main-tag and neuvector labels !4304
fix misconfiguration of keycloak resources for kunai !4346
Revert bump of ci-image and sylva-toolbox (yq issue) !4439

Other

Let users pick a specific k8s version for kind bootstrap cluster !3395
Don't define no_proxy if proxy is not set !3520
Fix no_proxy definition on _values_helpers template !3535
Set CNPG Database for keycloak based on .Values._internal.ha_cluster.is_ha !3539
Increase Rancher Ingress proxy-body-size value to support large Helm payloads going through it !3583
Update CNPG-postgres limits for keycloak db !3553
fix cluster-reachable unit (real test by creating a dummy resource) !3563
sylva-units schema: don't abitrarily restrict what fields can be used in (OCI|Git)Repository.spec.ref (semver,semverFilter,name) !3611
Update Helm chart descheduler to v0.32.1 (+ adjust descheduler RBAC) !3664
Cleanup old postgres unit for Keycloak !3552
fix ns and job name in check_pivot_has_ran !3748
kubevirt VM test templates improvement !1713 ~"kubevirt"
make it possible to override helm_repo_url in OCI deployments !3610
Delete root dependencies prior to upgrade sylva-units !3782
Kubevirt: add feature gate for disk expansions on VM !3751 ~"kubevirt"
fix condition preventing the deployment of a workload cluster with 'monitoring' disabled !3788
Avoid deletion for multiple hr/ks in mgmt cluster !3268
Introduce "interpret" named-template to explicitely interpret values !3363
sylva-units: add support for "one shot" units !3805
Fix OCI image tag mismatch between build and pull phases !3856
Print dependency chain when loop is observed !3842
Set log level to info on specific Sylva units !3866
Update memory request kyverno background controller !3882
Small refactoring in all-units-deps computation !3839
Use persistent storage for flux source controller !3795
Regression: Enabling kubevirt-cdi unit in conjuction with kubevirt unit on workload cluster !3869
debug-on-exit.sh: dump PriorityClasses !3859
Fix bad kubeconfig context when serving crustgather in case of unexisting management cluster !3939
increase Flux Helm controller memory request/limit !3946
Add env var and CI options to enable sylvactl record !3943
Change default rolling update strategy for MachineDeployments !3986
restart vault pods when certs are renewed !3750
Flux: revert source-controller to v1.4.1 !4006
Flux: revert source-controller to v1.4.1 in bootstrap cluster !4011
Modifying list of UI/API at the end of deployment !2777
Revert "Modifying list of UI/API at the end of deployment" !4023
Increase Resource Requests and Limits for Kustomization Controller in Flux System !3962
reword ensure_sylva_toolbox error message !4030
Enforce Validation Policy to restrict caBundle modifications in CRDs to cert-manager only !3802
Fix apiVersion in deny-cabundle-changes ValidatingAdmissionPolicy !4045
sylva-units: make it possible to control HelmRepository.spec !4063
cluster_virtual_ip value as immutable !4060
Add Kunai unit !3635 ~"type::feature"
Enhancing list of UI/API at the end of deployment !4061
Update memory request and limit rke2-ingress-nginx-controller !3975
Fix Kyverno admissionController memory limits !4094
Refine roles in kyverno controllers !3543
Cleanup wrong default value of cluster_virtual_ip and setting it as empty !3984
Increase memory limit and request for Kyverno reportsController !4104
Relocate operator images definitions to kustomize-units !4109
tune Flux kustomize and Helm controllers !4113
Allow to disable root-dependency !4066
Revert: Cleanup wrong default value of cluster_virtual_ip and setting it as empty !4120
avoid transient error message for cluster-node-deletion-timeout-fix unit on fresh install !4121
Enabling external-secrets-operator when kubevirt-manager is enabled !4135
Remove references to registry secrets in kube-(cron)jobs !4144
Fix typo in force-reconcile-helmreleases policy !4143
Deploy bond CNI plugin along with Multus !4082
Add conditionals for units dependent on sylva-units-operator !3896
Force upgrading CRDs for all units with flux in HelmReleases !4009
Activate drift detection for helmreleases and add a CI job to test it !2445
Introduced SIGINT !4214
Remove Flux controllers CPU limits !4217
Set max-pods to 500 for capm3 and 210 by default !2581
have cluster pause/resume play nicely with user-initiated cluster pause !4203
Add possibility to run scripts from symlinks and to target custom SYLVA_CORE_COMMIT !4119
Add units annotations to HelmReleases !4269
Make cluster_domain immutable !4245
introduce is_default_mirror flag for mirror registries to prevent upstream registries usage for containerd !4124
Fix the schema of source_templates for the signature verification !4159
Rewrite kyverno validating policies as ValidatingAdmissionPolicies !3779 ~"type::enhancement"
minor: move deny-cabundle-changes Validating Admission Policy !4284
Revert sylva-capi-cluster 0.8.3 !4319
Make debug-on-exit usable standalone !4249 ~"type::feature"
ignore force reconcile for sylva-units helm chart !4252
sylva-capi-cluster refactoring !3652
increase spec.interval of FluxCD resources !4306
increase spec.interval for sylva-units GitRepository/HelmRepository !4366
fix sylva-units OCI HelmRepository interval (168m->168h) !4368
Ensure that kustomisation producing helmreleases are being pruned !4369
Improve sylva-units schema generation script !4325
Revert "ignore force reconcile for sylva-units helm chart" !4375
Set check_cluster_name default to true !4408
Ingress-nginx - restrict the number of worker-processes !4411
Add drift ignore rules for healthCheckExprs !4432
sylva-units: support uninterpreted values, aka "raw" values !4356 ~"type::feature"
fix BOOTSTRAP_PROXIES_FROM_VALUES parametrization !4469
Fix chart path in bootstrap.sh !4472
Use display_external_ip as ClusterIP in ingress-nginx-init of bootstrap.values.yaml !4487
Add unit to backup CAPI resources of all clusters !3813 ~"type::feature"
Add unit to backup ETCD of the current management or workload cluster !4288 ~"type::feature"
sylva-units: increase GitRepositories/OCIRepositories/HelmRepository timeout !4501
cleanup default value for cluster_virtual_ip !4505
add PDB for Keycloak CNPG database (only in HA setup) !3818
bootstrap: sylva-capi-cluster should not see kind pod/subnet ranges in no_proxy !4518
feat: update kunai and remove comment blocking renovate bot !4452
Introduce support for Ignition-based systems, in particular OpenSuse Leap Micro !2885 ~"OperatingSystem" ~"type::feature"

Other dependency upgrades

Update kube-job to v1.2.1 !3524 !3435 !4303 !4396
Update Helm chart harbor to v1.15.2 !3417
Update sylva-elements/container-images/ci-image container to v1.0.55 !3518 !3580
Update Helm chart external-secrets to v0.16.2 !3195 !3403 !3691 !3989 !4056 !4107 !4175 !4231 !4373
Update Helm chart cloudnative-pg to v0.23.2 !3544 !4016
Update Helm chart rancher to v2.10.3 !3320 !3764 !4000
Update registry.gitlab.com/python-gitlab/python-gitlab container to v5.6.0 !3546 !3749 !3758
Update cluster-api & capd-manager to v1.9.7 !3540 !3602 !4099 !4265
Update docker container to v27.5.1 !3522 !3632 !3705
Update Helm chart cert-manager to v1.17.2 !3030 !3658 !3903 !4286
Update busybox container to v1.37.0 !3019
Update sylva-toolbox & ci-image to v0.10.0 !3627 !3887 !3929 !3934 !3947 !4026 !4081 !4125 !4262
Update dependency sylva-projects/sylva-elements/ci-tooling/runner-aas to v1.2.0 !3648
Update Sylva Helm chart sylva-capi-cluster to v0.9.11 !3659 !3851 !3877 !4017 !4204 !4289 !4308 !4321 !4433 !4445 !4499 !4539
Update Helm chart sylva-library to v0.3.2 !3768 !4005 !4036
Update Helm chart crossplane to v1.19.1 !3757 !3889 !3888 !4154
Update python container to v3.13.3 !3843 !4201
Update curlimages/curl container to v8.13.0 !3828 !3902 !4192
Update Helm chart kepler to v0.5.14 !3783 !4305
Update Helm chart descheduler to v0.33.0 !3881 !4351
Update dependency fluxcd/flux2 to v2.5.1 !3951
Update dependency sylva-projects/sylva-elements/diskimage-builder to v0.4.12 !4010 !4258 !4313 !4434
Update oci-tools container to v0.1.3 !4092 !4158 !4309
Update bitnami/configmap-reload container to v0.15.0 !4207
Update container-images/sylva-toolbox container to v0.10.1 !4343
Update Sylva Helm chart capi-rancher-import to v0.2.0 !4422
Update Sylva Helm chart capo-contrail-bgpaas to v1.1.0 !4423
Update Helm chart kubevirt to v0.5.0 !4115 ~"kubevirt"
Update sylva-toolbox & ci-image !3778
Update sylva-toolbox & ci-image !4361
Update sylva-toolbox & ci-image !4397
Update sylva-toolbox & ci-image !4443

Documentation

minor: avoid wrong calls to '| include "interpret"' !4271
examples for metallb l3_options !4032 ~"networking"
environment-values examples add sylva-user to sylva-ops group !4292

Cleanups

cleanup the old way for defining the longhorn disk configuration ('bmh_metadata.annotations') !3548 ~"API-breaking-change" ~"longhorn"
fix/homogenize external service TLS Secret management !3683 ~"security" ~"security::certificates"
cleanup units for upgrade kube-jobs and policies !3809
sylva-units: cleanup and simplify schema for os_images !3807
sync-openstack-images: don't compute PV size in sylva-units !3666 ~"capo"
cleanup for os-image-server to use pathType: ImplementationSpecific !3981
Exclude functions calls from common.sh !3224
Replace service.spec.loadBalancerIP with metallb.io/loadBalancerIPs annotation on cluster-vip service !4072 ~"networking"
simplify CEL expression in deny-cabundle-changes ValidatingAdmissionPolicy !4044
remove support of k8s 1.28 from sylva units !3987
cleanup capi-providers-pivot-ready unit !4206
cleanup: remove unused shared_workload_clusters_values.sylva_system_default_storage_class_unit !4278
Remove multus-bond-cni unit (now useless) !4314 ~"networking"
Use rancher-turtles to import workload clusters in Rancher !4176
metal3: remove settings for MariaDB (SQLite is now used) !4509 ~"capm3"
cleanup how we override FluxCD controllers 'concurrent' !4497

CI

Update dependency renovate-bot/renovate-runner to v22 ~"renovate" !3542 !3547 !3554 !3628 !3653 !3673 !3739 !3784 !3862 !3863 !3961 !4352
Update registry.gitlab.com/python-gitlab/python-gitlab container to v5.3.1 !3570 ~"renovate"
Update dependency sylva-projects/sylva-elements/ci-tooling/ci-templates to v1.0.40 ~"renovate" !3578 !3712 !3723 !3741 !3870 !4052 !4090 !4393
Update quay.io/kubevirt/cirros-container-disk-demo container to v1.4.0 !3606 ~"kubevirt" ~"renovate"
Update sylva-elements/container-images/ci-image container to v1.0.56 !3676 ~"renovate"
Update dependency to-be-continuous/gitleaks to v2.7.1 ~"renovate" !3740 !4182
Update sylva-toolbox & ci-image to v1.0.59 !3844 ~"renovate"
Update dependency zegl/kube-score to v1.20.0 !3605 ~"renovate"
Whitelist cnpg-keycloak-app "user", "port", "host", "dbname" for CI secrets leak check !3504 ~"security::CI"
Check runner IID on capm3 jobs in order to mitigate Gitlab tags bug !3568 ~"capm3"
Fix remaining leaks in leaks report CI job !3562 ~"security"
debug-on-exit: CAPO, include VM console log dumps !2773 ~"capo"
Fix cronjob test artifacts path !3630
Allow to skip the workload cluster deletion in CI pipelines !3642
CI: Add more details in case of critical alert detection !3649
[Rework CI] part3 Provide control on deployment variants to be tested !3163
Add renovate capo predefined CI config !3655
Fix CI schedule report !3669
Fix capd nighty pipeline config !3667
Simplify tests addition in our gitlab ci framework !3478
Build OCI artifacts for each commit !3687
Add upgrade scenario from 1.3.1 !3654
Update CI configuration in Merge Request template !3698
Patch neuvector-updater and neuvector-scanner in order to be ignored by kube-score rule !3537 ~"security"
Support spaces after CI options !3692
Minor typo in MR template !3709
CI: consolidate sylva-upgrade(-x.x.x) scenarios and default to -from-1.3.x !3715
Fix CI scenario with dots !3717
Fix crustgather collect when https_proxy env variable is set !3720
Use Playwright as end-to-end testing framework for ui parts. !3322
Bump CI deployment values to 0.4.28 !3725
CI jobs outside of deployments should be interruptible !3665
Add autorun/allow-failure options for deployment pipelines !3729
CI: improve ci-deployment-values version-dependent folder selection !3726
Run kubescore at the same time as the others tests !3745
Fix typo for neuvector playwright test !3746
Create images reference list after each CI deployment run !3161 ~"security"
debug-on-exit.sh: dump OpenStackServers !3753 ~"capo" ~"has-backport-issue-1.3.x"
Interrupt redundant pipelines and add manual job to avoid it !3747
CI: update sylva-upgrade-from-1.3.x scenario to use 1.3.3 !3761
sylva-units: add test-values for upgrades of workload clusters, both kubeadm and RKE2 !3724
CI: typo versionned -> versioned !3760
Summarize latest deployment pipelines in MR comment !3696
Add a new CI scenarios with more explicit names !3754
Use lighter image for python scripts !3799
Change emoji for 'created' jobs !3800
display success rate in scheduled pipeline report !3803
Fix kyverno policy for Neuvector OIDC !3743 ~"security"
Fix minor typo in scheduled report script !3819
Do not interrrupt pipelines on protected branches !3816
Display only latest pipeline info in deployment summary !3792
Use OCI by default for deployment pipelines !3820
Provide CI scenario description !3789 ~"docs"
CI: add more debug info for pipelines_schedules_report.py failure on pipelineschedules.list !3840
Add thanos UI test in playwright !3359
Upgrade libvirt-metal version to 0.1.22 !3821 ~"capm3"
CI: scheduled pipelines report: merge old 'oci' names with newer names for the report !3849
retry sso tests !3854
CI: add more debug info for pipelines_schedules_report.py failure on pipelineschedules.list !3855
Fix machine dump for capm3 !3853
Reconfigure scheduled pipelines !3848
collecting kubernetes API response time !2854
Bump ci deployment values to 0.4.30 !3876
add some error handling for 404 responses to prevent crashes in get_image_refs.py !3886
Bump CI deployment-values to 0.4.31 !3883
CI job to highlight events related to longhorn instance manager cleanup !3786 ~"longhorn"
CI: fix bash syntax for test on SKIP_DOCKER_SERVICE !3918
Cleanup of oci option in CI Readme !3953 ~"docs"
Support dot in CI option name !3958
Don't run prepare deployment on commit event !3957
Document tests run in CI !3898 ~"docs"
capo & capm3: stop relying on image_key (in CI and in examples) !3702 ~"capm3" ~"capo" ~"docs"
pipelines_schedules_report.py: add retries on GitLab API operations !3964
CI: have sylva-upgrade-from-1.3.x use release-1.3 as initial revision !3968
CI: pipelines_schedules_report.py, fix retries !3971
CI: pipelines_schedules_report.py, don't break if prepare-deployment-jobs failed on a pipeline !3974
Fix workload machine dump !3977
Add maxsurge-0 option in CI !2605 ~"capo"
Bump CI deployment values tags to 0.4.38 !3988
Add checks in generate_deployment_jobs script and inject deployment parameters as variables !3995
Fix extract_from_job_name() function in CI script !4014
Fix CI rules for check-doc jobs !4021
Allow renovate MRs CI configuration via comments !3846 ~"renovate"
Downgrade sylvactl to v0.6.6 !4051
Improve tests rules to skip tests that can't be perform on a given infra/bootstrap provider !4012
Add rule to prevent scenarios but preview with capd !4085
CI: use ci-deployment-values 0.4.41 !4089
Fix capm3 misc deployments !4110
Update workload values for network refactoring !4166 ~"capm3" ~"docs"
CI: for an MR targetting a branch other than main or release-*, use 'current' values !4205
environment-values: fix capm3 base values for kubeadm, don't set 'hardened: true' !4131 ~"capm3"
capm3 example add sylva-user to sylva-ops group !3994 ~"capm3" ~"docs"
Add logging option in CI !4282
Add new nightly jobs with logging enabled !4287
Increase numCPU for libvirt_metal !4294 ~"capm3"
fix kunai-related breakage of "upgrade from sylva 1.3" pipelines !4297
Remove legacy condition in base-capm3-virt values !4293
Remove 1.1.1 code exceptions and configurations from the CI !4299 ~"type::cleanup"
add playwright test for kepler dashboard !4077
debug-on-exit.sh: add SRIOV network operator policies !4311
Fix workload cluster dump in debug-on-exit !4354
Cleanup gitleaks configuration !4315 ~"security" ~"type::cleanup"
CI: don't fail drift correction detection job for SriovOperatorConfig !4367
CI: fix gathering of CAPO OpenStack VM information in bootstrap cluster dump !4370 ~"capo"
CI: improve pipelines suggestions to have distinct ones for sylva-upgrade and misc !4442
Read proxy vars to be used for bootstrap cluster ('s flux) directly from values.yaml !1889
Add no-logging option in CI !3940
Fix light deployments in CI !4481
Updating kubevirt VM names to introduce restart as required after upgrade !4489 ~"kubevirt"
CI: update which pipelines are proposed for renovate MR !4510
Enhance drift detection script with resource modification and patch tracking !4492 ~"type::enhancement"
canonical-ck8s: enable no-wkld scenario for the nightly build !4507 ~"ck8s"
allow OCI charts to be pulled by OCI building tool !4502
Add kubevirt VirtualMachines to debug artifact !4525
Fix test units check in apply-workload-cluster !4523
Use Google Container Registry mirror for capm3-virt !4312 ~"capm3"
CI: fix (cluster)policyreport jobs !4550
Use CI_CONFIGURATION_GUEST_TOKEN token to retrieve MR description !4516

Internal tooling

fix renovate on kube-job image for sylva-units delete hook chart !3418
Track kubescore version with renovate !3486
Do not trigger capm3 pipeline on renovate::configuration label !3533
Regroup kube-job updates !3532
Migrate renovate config !3525
update Renovate configuration to allow Rancher 105.x charts !3559
Configure renovate to track patch updates for release-1.3 branch !3574
include CI deployment pipeline configuration block in Renovate Bot MRs !3684 ~"CI" ~"CI::linter"
generate-renovate-json.sh: fix newlines in the generated MR description snippet !3697
Fix special versionning renovate configuration for rke2 multus !3906 ~"CI"
Migrate renovate config !4353 ~"renovate"
Renovate configuration - Regroup oci-tools updates !4429

Contributors

43 people contributed (authors of MRs in sylva-core, other repos not taken into account).

A Gottis, Abhishek Bandarupalle, Adrian Vladu, Akshay Yadav, Alain Thioliere, Alex Ghita, Alin H, Amit Kumar, Antoine Monlong, Arnaud Bouts, Aurélien Sollaud, Benjamin Le Diguerher, Bogdan Antohe, Bogdan-Adrian Burciu, Cristian Manda, Daniel Anton, Dragos Gerea, Emmanuel Wyckens, Francois Eleouet, Francois Klieber, François-Régis Menguy, Ionut Spanu, Ishita Mittal, Jianzhu Zhang, Jonathan Gayvallet, Loic Nicolle, Lupescu Daniel, Manik Bindlish, Marc Bailly, Mickaël Sourget, Mihai Zaharia, Mohan Sharma, Médéric De Verdilhac, Pierrick Seite, Ravindra Tanwar, Remi Le Trocquer, Sakshi Choudhary, Sakshi Gupta, Samuel Bartel, Thomas Morin, Vladimir Braquet, Xavier Francois, Yiping Chen

sylva-projects/sylva-core 1.4.0 on GitLab