Merge Requests integrated in this release

484 merge requests were integrated in this repo between release-1.5 branch (2025-09-22) and 1.6.0.
These notes don't account for the MRs merged in secondary repos.

Kubernetes

(main) k8s patch versions to 1.31.13 and 1.32.9 !5680 (issues: #2959)
Kubernetes to include all images in the node, max 200 !6036 ~"area:capi" (issues: #2534)
canonical-kubernetes: add support for OpenStack infra provider (capo) !5793 ~"area:capi" ~"capo" ~"ck8s"
add support of Kubernetes 1.33 !5899 (issues: #2989)
remove support of k8s 1.30 !6150 (issues: #2987)

Sylva-units framework

Update sylva-units-operator to v1.1.6 ~"renovate" !6075 !6116 !6312 !6349 !6355 !6376 !6404 !6441
use management cluster proxy for mgmt-run kube-jobs !5549 (issues: #2886)
Move flux bootstrap kustomization to a component !5528
apply scripts: fail if local kustomization still uses disableNameSuffixHash !5790
CLI scripts: refactor "wait for sylva-units" step !5791 (issues: #3052)
use sylvactl dumpInventory to dump relevant resources !5969
fix: copying the proxy configuration when generating a new kubeconfig !6067
Copy all values sources used by sylvaUnitsRelease from bootstrap to management !5998 (issues: #3108)
fix: specify sylva-system for management-flag check !6066
configure units_override_enabled as a dict to ease adding and removing elements while overriding !5246 (issues: #2473)
Switch from clusterType to valuesFrom/enabledContexts overlays !6095 ~"lifecycle-operators" (issues: #3162)
Add unset named template !6278 (issues: #3243)
Allow referencing existing sources and use the one created by the sylva-units-release operator for sylva-core !5992 (issues: #3023)
Fix computation of sylva_base_oci_registry !6341
Add sylvaunitsrelease mockup for lookup in unit tests !6369 (issues: #3286)
reset sylva-units HelmRelease on first upgrade from Sylva <1.6, before first adoption by SylvaUnitsRelease !6371 (issues: #3285)
Rename SylvaUnitsReleaseTemplates to SylvaUnitsReleasePresets !6353
Ensure pre-upgrade labels on flux-system and sylva-units-operator kustomizations !6342
Don't derive sylva_base_oci_registry from sylvaUnitsSource url when git is used !6385
sylva-units/CLI: use branch+commit with GitRepository !6392
Revert "sylva-units/CLI: use branch+commit with GitRepository" !6403
Upgrade OCIrepositories to source.toolkit.fluxcd.io/v1 !6363 ~"lifecycle-operators" ~"sylva-lifecycle" (issues: #2522)
Prevent deadlock while waiting for pre-upgrade-units !6436

Cluster API

Update Sylva Helm chart capo-contrail-bgpaas to v1.3.5 ~"capo" ~"renovate" !5757 !6269
Update metal3 to v1.10.4 !6076 ~"capm3" ~"renovate"
Update Sylva Helm chart sylva-capi-cluster to v0.12.25 ~"renovate" !6091 !6176 !6251 !6270 !6357
Update dependency kubernetes-sigs/cluster-api-provider-openstack to v0.12.6 !6202 ~"capo" ~"renovate"
Update cluster-api & capd-manager to v1.10.9 !6340 ~"renovate"
CAPO: ability to autoheal Machines after resolution of transient OpenStack issues/quota exceeded !5450 ~"capo" (issues: #2838)
Fix rancher-webhook drain loop by removing unschedulable toleration !5613 ~"type::bug" (issues: #2866)
Remove the use of the old kube-job image from the pivot phase in order to use a more recent version of clusterctl !5752 ~"capm3" (issues: #2947)
Kubernetes to include all images in the node, max 200 !6036 ~"area:kubernetes-core" (issues: #2534)
canonical-kubernetes: add support for OpenStack infra provider (capo) !5793 ~"area:kubernetes-core" ~"capo" ~"ck8s"
Create metal3-system namespace using new metal3-init unit !4760 ~"capm3" ~"type::cleanup"
process os_image_autoselect_registries in sylva-library !6174 ~"capm3" ~"capo" (issues: #3190)
OKD/OpenShift: replace cabpoa unit with mce unit, for Multicluster Engine integration !6092 ~"okd" (issues: #3125)
Expose k8s_version n-1 and n-2 in _internal values !6209 ~"kubeadm"
Add CI tests to check node pressure status !6275 ~"area:CI" ~"capo" ~"type::bug" (issues: #3232)

Workload cluster

Update Helm chart kunai to v3 !6258 ~"kunai" ~"renovate"
Update workload-cluster-operator to v0.12.0 !6414 ~"renovate"
baremetal: allow the use of OS images from previous Sylva versions !6005 ~"capm3" (issues: #1942)
Add nvidia gpu operator !4715 ~"RFE" ~"cluster-configuration" (issues: #1029)
Introduce workload-teams-repo unit to sync teams from external repo !5883 (issues: #2993)
feat: add git authentication and custom certificate to workload-teams-repo !6109
workload-team-defs: enable the definition of several SylvaUnitsReleaseTemplates !6084
feat: kunai: let Kunai map users to groups (add group info in JWT) !6243 (issues: #3239)
fix: workload-teams-repo rely on kustomization_substitute_secrets for repo_auth !6336 ~"area:security" (issues: #3266)
fix workload-teams-def schema !6378
Workload-team-repo - configure vault role following less privilege for workload-teams-defs !6120 (issues: #3169)
GitOps operators are not experimental anymore !6421 ~"lifecycle-operators" (issues: #3316)
fix: add deepcopy to keep .Values.workload_clusters.teams_repo intact !6409

Backup and Restore

Update Helm chart velero to v11 !5632 ~"renovate"
Use rke2 etcd backup configuration and specialize the backup-etcd unit to kubeadm !4552 ~"backup" (issues: #2420)
add unit to backup keycloak postgres database !6234

Networking

Update dependency nmstate/kubernetes-nmstate to v0.85.1 !6273 ~"renovate"
Update Helm chart metallb to v0.15.3 !6281 ~"renovate" (issues: #3304)
Add goldpinger-init as dependency of goldpinger !5635
properly align calico-crd Helm chart version !5719
Enable TLSv1.3 in ingress nginx !5733 ~"security" (issues: #2897)
Introduce Cilium support for fresh installs !5376 (issues: #2839)
Add gateway validation unit for CAPO !5960 ~"capo" (issues: #3062)
Enable drift correction for calico HR !5756 (issues: #1814)
Set proper roles on capo-validate-gateway job !6201 (issues: #3204)
Add dependency on monitoring-crd for goldpinger unit !6199 (issues: #3205)
NMState Operator integration for workload clusters based on openSUSE Leap Micro 6.x OS !5353 ~"immutable-os" ~"type::feature" (issues: #1909)
SR-IOV: add restart kyverno policy on operator-webhook certificate renewal !5988 ~"area:security" ~"security" ~"security::certificates" ~"type::bug" (issues: #3090)
Firewall rules for openstack clusters using an external network !4877 ~"area:security" ~"capo" ~"security" (issues: #2530)

OpenStack ~capo

Update Sylva Helm chart sync-openstack-images to v0.7.2 ~"renovate" !5592 !6002 !6100
Update heat-operator to v0.3.1 ~"renovate" !5595 !5736
Update Sylva Helm chart capo-contrail-bgpaas to v1.3.5 ~"area:capi" ~"renovate" !5583 !5757 !6269
Update sylva-elements/container-images/openstack-client container to v0.1.3 ~"renovate" !5238 !6077
Update Helm chart openstack-cinder-csi to v2.34.1 ~"renovate" !5839 !5852
Update dependency k-orc/openstack-resource-controller to v2.3.0 !6019 ~"renovate"
Update dependency kubernetes-sigs/cluster-api-provider-openstack to v0.12.6 !6202 ~"area:capi" ~"renovate"
Update Helm chart ceph-csi-rbd to v3.15.1 !6413 ~"area:storage" ~"renovate"
CAPO: fix capo-contrail-bgpaas controller failing to remove finalizer !5714 (issues: #8)
Use capo-network-settings kustomization to create the ORC network object !5743 ~"type::bug" (issues: #2978)
CAPO: ability to autoheal Machines after resolution of transient OpenStack issues/quota exceeded !5450 ~"area:capi" (issues: #2838)
Change Kyverno cleanupController resync period !6011 ~"area:misc" (issues: #3066)
make capo-autoheal available before cluster provisioning starts !6022
Add gateway validation unit for CAPO !5960 ~"area:networking" (issues: #3062)
canonical-kubernetes: add support for OpenStack infra provider (capo) !5793 ~"area:capi" ~"area:kubernetes-core" ~"ck8s"
update sylva n-1 and n-2 OS image artifacts (capo/capm3) !6093 ~"area:operating-systems" ~"capm3"
process os_image_autoselect_registries in sylva-library !6174 ~"area:capi" ~"capm3" (issues: #3190)
add SKIP_CAPO_CLEANUP variable to control CAPO cleanup !6354 ~"area:CI"
Firewall rules for openstack clusters using an external network !4877 ~"area:security" ~"security" ~"security::networking" (issues: #2530)
Add CI tests to check node pressure status !6275 ~"area:CI" ~"area:capi" ~"type::bug" (issues: #3232)

Baremetal ~capm3

Update sylva-elements/container-images/libvirt-metal to v0.3.0 !5582 ~"renovate"
Update dependency metal3-io/cluster-api-provider-metal3 to v1.10.3 ~"renovate" !5405 !5862
Update dependency metal3-io/ip-address-manager to v1.10.3 !5849 ~"renovate"
Update Helm chart metal3 to v0.12.9 ~"renovate" !5909 !5937
Update metal3 to v1.10.4 !6076 ~"area:capi" ~"renovate"
Remove the use of the old kube-job image from the pivot phase in order to use a more recent version of clusterctl !5752 ~"area:capi" (issues: #2947)
libvirt-metal: use the q35 domain definition with iothreads and cache=unsafe !4947 ~"area:CI"
Update default values for okd-capm3-virt (adapt interface names after libvirt-metal change) !6073 ~"area:CI" ~"okd" ~"type::bug" (issues: #3150)
baremetal: allow the use of OS images from previous Sylva versions !6005 ~"area:workload-cluster" (issues: #1942)
update sylva n-1 and n-2 OS image artifacts (capo/capm3) !6093 ~"area:operating-systems" ~"capo"
Create metal3-system namespace using new metal3-init unit !4760 ~"area:capi" ~"type::cleanup"
increase unit timeout for os-images-info !6155
capm3/os-images: add os-image-server-clear-old-ingresses one-shot kube-job to handle Ingress name transition !6154 ~"area:operating-systems"
process os_image_autoselect_registries in sylva-library !6174 ~"area:capi" ~"capo" (issues: #3190)
capm3 OS images: backwards compatibilty, use custom registries in sylva_diskimagebuilder_images require without extra-change !6217
Configure new tags for dedicated capm3 bmh runner !6398 ~"area:CI"

Monitoring

Update Sylva Helm chart sylva-thanos-rules to v0.3.1 ~"area:observability" ~"renovate" !5591 !5904
Update Sylva Helm chart sylva-dashboards to v0.2.3 ~"area:observability" ~"renovate" !5587 !6128
Update Sylva Helm chart sylva-snmp-resources to v0.2.0 !5590 ~"renovate"
Update Sylva Helm chart sylva-alertmanager-resources to v0.2.0 !5585 ~"renovate"
Update Sylva Helm chart sylva-prometheus-rules to v0.2.4 ~"area:observability" ~"renovate" !5622 !5866 !6129 !6252
Update Helm chart prometheus-snmp-exporter to v9.8.2 ~"area:observability" ~"renovate" !5840 !6020
Update quay.io/thanos/thanos container to v0.40.0 !5929 ~"area:observability" ~"renovate"
Update thanos/thanos container to v0.40.1 !5941 ~"area:observability" ~"renovate"
Update Helm chart prometheus-pushgateway to v3.6.0 ~"area:observability" ~"renovate" !5965 !6220 !6307
Update rancher-monitoring to v107.2.2+up69.8.2-rancher.26 !6143 ~"area:observability" ~"renovate"
Add deployment existence check to Grafana OIDC restart policy !5678 ~"area:observability" ~"kyverno" (issues: #2963)
Set priorityClass on prometheus pods and change memory/retention period !5957 ~"area:observability"
move grafana additional sources from configmap to secret to avoid password leak !5815 ~"area:observability" ~"area:security" ~"security" ~"security::credentials" (issues: #2875)
Update thanos unit reconcile timeout !6007 ~"area:observability" (issues: #3043)
Revert "move grafana additional sources from configmap to secret to avoid password leak" !6062 ~"area:observability"
Update Loki serviceMonitor !6094 ~"area:observability" ~"logging"
Add Goldpinger conditional !6122 ~"area:observability" (issues: #2599)
Enable keycloak's cnpg cluster Podmonitoring to get metrics to raise alerts on high diskspace usage !4749 ~"area:observability"
Disable Grafana default datasource !6021 ~"area:observability" (issues: #3149)
Make keycloak-postgresql unit dependent on monitoring unit !6222 ~"area:observability" ~"area:security" (issues: #3224)

Logging

Update Sylva Helm chart sylva-logging-flows to v0.2.0 !5588 ~"renovate"
Update ghcr.io/grafana/helm-charts/loki container to v6.49.0 ~"area:observability" ~"renovate" !5565 !5639 !5753 !6343
Update github.com/kube-logging/logging-operator to v6.1.0 !5809 ~"area:observability" ~"renovate"
Collect Node Level logs like SSH,AUTH,AUDIT !5767 ~"area:observability" (issues: #2177)
Update Loki serviceMonitor !6094 ~"area:observability" ~"monitoring"
Change loki unit timeout from 5m to 10m !6205 ~"area:observability" (issues: #3194)
Allow workload cluster to send logs in loki !6373 ~"area:observability"

Observability

Add an healthCheckExprs to ensure that loki-secrets contains at least a tenant definition. !5646 ~"type::bug" (issues: #2895)
Enable monitoring on Policy Reporter unit !5920 (issues: #3011)
Add missing substitution for Grafana certificate key !6271 ~"type::bug" (issues: #3242)
Definition of custom roles to manage logging in a project !5820 ~"area:security" (issues: #3027)

Storage

Update longhorn to v107.1.1+up1.9.2 ~"renovate" !5369 !5875 !6147
Update Helm chart trident-operator to v100.2510.0 !6383 ~"renovate"
Update Helm chart ceph-csi-rbd to v3.15.1 !6413 ~"capo" ~"renovate"
Upgrade Longhorn after waiting for volumes to be healthy !5629 (issues: #2326)
NFS-Ganesha: update vfs.conf to disable ID mapping !5487 (issues: #2862)
Test longhorn detached volume healtheck !5638 ~"Test" (issues: #2948)
Fix syntax for nfs-provisioner matching with renovate !5727
Remove call of log_event from longhorn longhorn-instance-manager-cleanup Job script !5764
Enable Longhorn volume encryption in Sylva !4420 ~"area:security" (issues: #1020)
Add longhorn-pre-disk-check unit !5783 (issues: #2988)
add clusterpolicy to avoid deletion of longhorn encryption secrets if PVC Exists !6175 ~"area:security" (issues: #3115)
add Trident CSI to support NetApp storage !6211 (issues: #1920)
Add ceph-csi-rbd unit !6323 (issues: #3131)
Don't enable ceph-csi-rbd unit by default !6417

Security

Update dependency keycloak/keycloak-k8s-resources to v26.4.0 ~"renovate" !5501 !5721
Update ghcr.io/openbao/openbao container to v2.4.1 !5475 ~"renovate"
Update rancher-cis-benchmark to v106.1.0+up8.2.0 (main) (minor) and update CIS benchmark profile to rke2-cis-1.10-profile !5318 ~"renovate"
Update Helm chart vault-config-operator to v0.8.36 ~"renovate" !5535 !5846 !6057
Update github.com/kyverno/policy-reporter to v3.6.0 ~"renovate" !5750 !6160
Update Helm chart harbor to v1.18.0 !5529 ~"renovate"
Update Helm chart kyverno to v3.4.6 !5982 ~"renovate"
Update rancher-compliance to v107.3.0+up1.2.2 !6164 ~"renovate"
Update crossplane-contrib/provider-keycloak container to v2.12.1 !6260 ~"renovate"
Set vault paths as variables !4427 ~"type::enhancement" (issues: #2389)
Assign the grafanaadmin role to the infra-users group instead of sylva-admin user !5530 (issues: #2893)
Introduce a value for the vault URL !4451 ~"type::enhancement" (issues: #2395)
Bump the k8s-gateway version !5742
keep kyverno-policy-rancher-webhook-ha after upgrades !5777 (issues: #3005)
Enable TLSv1.3 in ingress nginx !5733 (issues: #2897)
Make openbao the default vault variant !5816 (issues: #2894)
Generate metrics for rancher tokens !5897 (issues: #3048)
Introduce Oauth2-proxy !4198 (issues: #2056)
Enable Neuvector federation for workload cluster !4467 (issues: #2404)
Increase default NeuVector enforcer pods CPU limit !5981 (issues: #2386)
Cleanup Neuvector federation for workload cluster !5999 ~"type::cleanup" (issues: #3106)
move grafana additional sources from configmap to secret to avoid password leak !5815 ~"area:observability" ~"monitoring" (issues: #2875)
kubevirt-manager: replace commit id with tag to get auto update via renovate, and upgrade to 1.5.3 !6001 ~"area:CI" ~"area:misc" ~"renovate::configuration" (issues: #3109)
Add keycloak resources for realm and builtin resources (Part 2) !5951
Enable TLS verification for vault-config-operator 's CRDs !6061 (issues: #261)
Limit the permissions on the kube-jobs and kube-cronjobs units !5460
on OpenBao/Vault transition, replace pods with a rolling upgrade instead of reset !6096
Disable kyverno-vault-restart-policy unit !6125
on OpenBao/Vault transition, preserve resources (bis) !6114
Enable Longhorn volume encryption in Sylva !4420 ~"area:storage" ~"longhorn" (issues: #1020)
Fix keycloak in upgrade scenario !6118
Add healthcheck for grafana client crossplane resource !6153
Enable OIDC Keycloak integration for Policy Reporter !5971 (issues: #3010)
copy sylva-ca.crt in ns keycloak !6144 ~"bug-workaround::identified" (issues: #3178)
keycloak: set the correct podAntiAffinity app name !6191 (issues: #3196)
Rename the kustomize-unit first-login-rancher into rancher-settings !6132 ~"newcomers" ~"type::cleanup" (issues: #3025)
enable TLS verification for vault-config-operator's crds !6141
Set cosign verify 'offline' for os-image-info !6198
Make keycloak-postgresql unit dependent on monitoring unit !6222 ~"area:observability" ~"monitoring" (issues: #3224)
Definition of custom roles to manage logging in a project !5820 ~"area:observability" (issues: #3027)
SR-IOV: add restart kyverno policy on operator-webhook certificate renewal !5988 ~"area:networking" ~"type::bug" (issues: #3090)
OKD/OpenShift: add Vault SecurityContextConstraints, capabilities, etc. !5379 ~"okd"
add keycloak-user-management unit !6255
add clusterpolicy to avoid deletion of longhorn encryption secrets if PVC Exists !6175 ~"area:storage" (issues: #3115)
automate Rancher roles management, creation and binding !5974 (issues: #3127)
Pass Management CA cert content to Workload cluster !6339 ~"harbor" (issues: #1892)
Firewall rules for openstack clusters using an external network !4877 ~"capo" (issues: #2530)
fix: workload-teams-repo rely on kustomization_substitute_secrets for repo_auth !6336 ~"area:workload-cluster" (issues: #3266)
add the config map scope to the script which check of leaks !5766 ~"area:CI" (issues: #2879)
Revisit crossplane keycoak provider deployment logic to allow pulling the image from a registry mirror !6401 ~"type::bug" (issues: #3309)
add unit to manage rancher cluster role bindings at workload cluster level !6157 (issues: #3176)
Allow running apply-workload-cluster.sh with a kubeconfig different from management-cluster-kubeconfig !6429

RKE2

Update dependency rancher/cluster-api-provider-rke2 to v0.21.1 !5356 ~"renovate"
Create compliance-operator-system namespace as privileged !6161 (issues: #3185)

Kubeadm

Expose k8s_version n-1 and n-2 in _internal values !6209 ~"area:capi"

OKD/OpenShift

Update default values for okd-capm3-virt (adapt interface names after libvirt-metal change) !6073 ~"area:CI" ~"capm3" ~"type::bug" (issues: #3150)
Fix deployment for OKD - Apply selection management/workload into user provided env name !6291 ~"area:CI" (issues: #3247)
OKD/OpenShift: replace cabpoa unit with mce unit, for Multicluster Engine integration !6092 ~"area:capi" (issues: #3125)
OKD/OpenShift: add Vault SecurityContextConstraints, capabilities, etc. !5379 ~"area:security" ~"security"

Bug Fixes

more container image overrides for bitnami images, use bitnamilegacy instead (+ CI check) !5531 (issues: #2889)
Add drift ignore rule to avoid having Flux try to drift-correct the CustomResourceDefinition spec/conversion/webhook/clientConfig/caBundle field !5466 (issues: #2809)
Configuring Harbor read replica's PDB to prevent node rolling update failure where harbor-postgres-read-0 is preventing node drain !6236 ~"area:misc" ~"harbor" (issues: #3195)

Other

Update rancher-turtles to v0.23.0 !5810
increase per unit timeout for rancher !5601
include misc-controllers-suite version in units-description.md !5616
set specific Sylva 1.5 tags in sylva-elements repo !5617
bootstrap: use increased memory for flux controllers, as in mgmt cluster !5634 (issues: #2871)
use kube-job on 1.4.0 for sylva-units pre-delete job !5631
Replace hardcoded grafanaadmin role with dynamic KEYCLOAK_ROLE variable !4920
add flux-system version to units-description.md !5720 (issues: #2876)
Fix rancher-turtle deployment !5705
use image rancher/shell instead of bitnami/os-shell !5724 ~"update"
Introduce Policy Reporter as an addition to Kyverno !5380 ~"kyverno" (issues: #32)
Use sylva units operator in CLI workflow !4101 ~"sylva-units-management" (issues: #2171)
use alpine/kubectl instead of bitnami/kubectl !5722
Revert "use alpine/kubectl instead of bitnami/kubectl" !5806
Add keycloak resources for realm and builtin resources !4683 ~"security::user-and-role-management"
Make keycloak-base-resource unit depend on crossplane-provider-keycloak !5861 (issues: #3044)
Add license file !5872
Avoid logging in ensure_kustomization_uses_name_suffix_hash !5874
Add the required PDB for rancher, neuvector-scanner, rke2-coredns and K8s-gateway !5489 ~"type::enhancement"
Add vault existence check to Vault restart policy !5885
Add healthChecks on CrossPlane unit !5884
Revert "Add keycloak resources for realm and builtin resources" !5925
Increase cnpg archive_timeout !5922
Add HealthChecks on monitoring unit !5945 (issues: #3067)
Create rancher-turtles-system namespace using the rancher-turtles unit kustomization !4779
increase unit-timeout for keycloak-postgresql unit !5990 (issues: #3099)
workload-cluster: validating-admission-policies unit, remove depends_on cert-manager !6000 ~"area:misc" (issues: #3114)
Add Sylva n-1, n-2 Kiwi images to os_images_oci_registries !6108 ~"area:operating-systems" (issues: #3166)
fix ks-prune-false-pre-update-hook.sh: don't fail if Kustomization is absent !6138 (issues: #3172)
Make Policy reporter UI and related components enabled, only when Keycloak is enabled. !6167 ~"area:triage" ~"sylva-units-management" (issues: #3188)
check the annotation on node to verify that all pre/post-commands succeeded !3354
set rancher public api body limit to 8M !6185 (issues: #3124)
Fix the copy of flux sources before pivot !6197
don't let Rancher fleet-agent pods interfere with CAPI node rolling updates !6212 (issues: #3182)
resolve workload cluster circular unit dependency chain involving rancher-fleet-agent-drain-fix !6230 (issues: #3229)
add a label on eso, flux and sylva-units-operator kustomizations to pre-upgrade them with the operator !6244
Add mutate rule for existing Deployments in rancher-webhook policy !6249 ~"area:misc" (issues: #3191)
Facilitate setting of rke2 default system registry !6257 (issues: #2980)
Add drift ignore rule on ExternalSecret for workload-team-defs !6287
Add missing private key substitutions !6288
Pass Management CA cert content to Workload cluster !5335 ~"harbor" (issues: #1892)
fix tools/get_image_refs.py (make it robust to unsupported things in HelmRelease.spec) !6316
Revert "Pass Management CA cert content to Workload cluster" !6315
make OKD-specific change properly conditional !6338
generate_json_schema.py: support sub-schema not having '$defs' !6327
tools/generate_json_schema.py: separate the check for '$defs' collisions from the actual merge step !6356 (issues: #3276)
Let time to sylva-units-operator to pre-upgrade units !6433 (issues: #3321)
use diskimage-builder 0.7.7 == 0.7.4 !6439 ~"area:operating-systems"

Other dependency upgrades

Update dependency sylva-projects/sylva-elements/ci-tooling/runner-aas to v1.3.3 !5563 !5651 !6305 !6320
Update sylva-elements/container-images/oci-tools container to v0.3.2 !5493 !5625 !5758
Update sylva-units-operator to v0.3.6 !5488 ~"cluster-lifecycle"
Update Sylva Helm chart workload-team-defs to v0.4.7 !5593 !6008 !6301 !6321 !6346
Update Sylva Helm chart os-image-server to v2.6.2 !5584 !6068 !6090
Update workload-cluster-operator to v0.7.0 ~"cluster-lifecycle" !5600 !5962
Update Helm chart external-secrets to v1.1.1 !5567 !5760 !5842 !5913 !6017 !6156 !6308
Update Helm chart sylva-library to v0.7.2 !5623 !6081
Update Sylva Helm chart sylva-capi-cluster to v0.12.14 !5621 !5647 !5709 !5771 !5794 !5860 !5888 !5907 !5963
Update dependency sylva-projects/sylva-elements/diskimage-builder to v0.6.3 !5594 !5747
Update quay.io/kubevirt/cirros-container-disk-demo container to v1.6.2 !5538 !5725
Update sylva-elements/ci-tooling/ci-deployment-values to v0.5.54 !5655 !5711 !5734 !5749 !5778 !5812 !5827 !5878 !5939 !6181 !6226 !6446
Update misc-controllers-suite to v1.2.1 !5514
Update cluster-api & capd-manager to v1.10.8 !5216 !5801 !5980
Update curlimages/curl container to v8.17.0 !5454 !5989
Update ghcr.io/kube-vip/kube-vip container to v1.0.2 !5768 !6130
Update Helm chart cert-manager to v1.19.2 !5802 !5851 !6337
Update python container to v3.14.0 !5805
Update dependency sylva-projects/sylva-elements/ci-tooling/ci-templates to v1.0.50 !5893 !5952 !6104 !6170 !6264 !6391
Update pre-commit hook PyYAML to v6.0.3 !5660
Update Helm chart cloudnative-pg to v0.27.0 !5908 !6344
Update rancher-backup to v106.0.4+up7.0.3 !5876
Update Helm chart velero to v11.1.1 !5835
Update dependency python_gitlab to v7 !5949
Update dependency tenacity to v9 !5950
Update Helm chart descheduler to v0.34.0 !5964
Update pre-commit hook crate-ci/typos to v1.40.0 !5983 !6045 !6064 !6208
Update Helm chart crossplane to v2.0.6 !6009 !6237
Update ghcr.io/openbao/openbao container to v2.4.4 !5892 !6184
Update dependency diskimagebuilder-n-1 to v0.5.15 !6115
Update pre-commit hook astral-sh/ruff-pre-commit to v0.14.9 !6169 !6232 !6282 !6374
Update dependency to-be-continuous/gitleaks to v2.9.0 !6187
Update Helm chart sbom-operator to v0.41.0 !4298 !6309
Update Helm chart rancher-turtles to v0.24.3 !5259
Update sylva-elements/ci-tooling/runner-aas to v1.3.3 !6304 !6319
Update Helm chart gpu-operator to v25.10.1 !6248
Update pre-commit hook koalaman/shellcheck-precommit to v0.11.0 !6330
Update container-images/sylva-toolbox container to v1.3.2 !6358 !6394 !6422
Update sylva-toolbox & ci-image to v1.5.0 !6380
Update kube-job to v1.4.2 !5624
Update rancher-compliance to v107.4.0+up1.2.3 !6424
Update sylva-toolbox & ci-image !5620
Update sylva-toolbox & ci-image !5787
Update sylva-toolbox & ci-image !5905
Update sylva-toolbox & ci-image !6119
Update sylva-toolbox & ci-image !6430

Cleanups

make the removal of root-dependency resources more robust !5437 (issues: #2837)
Homogenize enabled conditions on units !5814
Create gitea namespace using new gitea-init unit !4778
Create cinder-csi namespace using a new cinder-csi-init unit !4759
Create cattle-sriov-system namespace using new sriov-init unit !4774
Cleanup Neuvector federation for workload cluster !5999 ~"area:security" (issues: #3106)
Remove kube-job template from cluster-vip !6039 (issues: #2804)
Cleanup unneeded depends_on cluster-machines-ready !6016 ~"ck8s" (issues: #3024)
Create metal3-system namespace using new metal3-init unit !4760 ~"area:capi" ~"capm3"
Rename the kustomize-unit first-login-rancher into rancher-settings !6132 ~"area:security" ~"newcomers" (issues: #3025)

CI

Update dependency sylva-projects/sylva-elements/ci-tooling/ci-templates to v1.0.44 !5807 ~"renovate"
Update sylva-elements/ci-tooling/ci-deployment-values to v0.5.40 ~"renovate" !6014 !6102
Update CI configuration after release-1.5 creation !5561
Update CI values for MetalLB BGP/FRR testing !5550
Allow sylva-upgrade-from-1.5.x scenario in CI !5650
improvements to deps-project-tool.py (release tool) !5568
CI: on 'sylvactl watch' failure, dump 'sylvactl watch' final status in a non-collapsed log section !5637
CI: increase time for debug-on-exit, increase deployment job timeouts !5703
CI: remove broken neuvector test (to reintroduce later) !5715 ~"security" ~"security::runtime-security" ~"type::bug" (issues: #2854)
add tools/check-sylva-units-k8s-versions.py !5687
decrease unit timeout for calico-ready !5776
CI: increase time for debug-on-exit, increase deployment job timeouts (+5min) !5788
Rearrange and document CI files includes !5708
Update docs to match script's default value !5841 ~"area:documentation"
Fix '🚦 keep deployment runner busy' job with the correct runner tags !5845 ~"type::bug"
Fix SSO test script !5811 (issues: #3029)
Introduce pre-commit template !5723
Adding wait for neuvector selector to avoid transient failure due to timing !5843 (issues: #3030)
Revert moving shellcheck to pre-commit !5869
Add a new dynamic enabled unit option in CI framework !5856 (issues: #3032)
Minor refactor of CI code to apply options !5895 ~"type::cleanup"
Dump alerts via alert-manager on debug-and-exit !5472
Fix intermittent playwright test failures in test_neuvector_sso caused by timing issues during page initialization. !5890 (issues: #3057)
Exclude alerts.yaml from kubescore !5921
Fix parsing to support rich editing switching !5902 (issues: #3061)
Revert merge request 5811 !5933
Refactor pipeline_schedule_report.py script !5938
Fix error management in schedule report script !5947
Improve error handling in report pipelines script !5955 ~"type::bug"
Minor fix for schedule pipeline report script !5956 (issues: #3080)
Prevent 🚨 dont-interrupt-me job to start during report / cleanup scheduled pipelines !5958
Dynamic upgrade scenario !5864 (issues: #3033)
Implement pre-commit typos tools !5844
add more resources to debug-on-exit (CNPG, Crossplane, Keycloak) !5984
fix typo in neuvector-wkld-federation-nslookup description !6006
Add scheduled pipelines configuration - upgrade-from-1.4 to main !5985
Add a global overview of pipeline history in report !6018
libvirt-metal: use the q35 domain definition with iothreads and cache=unsafe !4947 ~"capm3"
Add a quick link to create issue from the scheduled pipeline report !6041
CI: Integrate new real baremetal platform (capm3-bmh) !5333 ~"capm3"
Stabilize mgmt-Guis-test(test_ui_playwright.py) pipeline by adding waits and improving synchronization !5997 (issues: #3105)
Wait for wkld-detect-unplanned-node-rolling-updates job to finish before... !6060 (issues: #3112)
CI: fix CK8SConfig plural in debug-on-exit.sh !6079 ~"ck8s"
Update default values for okd-capm3-virt (adapt interface names after libvirt-metal change) !6073 ~"capm3" ~"okd" ~"type::bug" (issues: #3150)
baremetal: on "cluster" unit timeout, have sylvactl also dump BareMetalHosts !6072 ~"area:capi" ~"capm3"
Add retries to scheduled report jobs !6082
Do not run helm linters if charts dependencies are not up to date !6083
sylvactl use --save-inventory !6056
Fix rancher wkld login test !6089 (issues: #3158)
Stabilize mgmt_sso test pipeline by adding waits and improving synchronization !5934 (issues: #3077)
Add Vaults resources on debug-and-exit and add healthchekexprs on Vault !6010
Improve Hurl test reliability by adding global retry options !6099 (issues: #3165)
Remove "include-group" from crustgather collect command !6139 (issues: #3144)
Add parameters parsing to generate_deployments.py script !6101
Group rancher-compliance and rancher-compliance-crd in Renovate configuration !6162
Move from pylama to ruff with pre-commit !6131
Improve how drifted HRs are detected and improve script output !5619 ~"type::bug" (issues: #2754)
Remove a redundant pipeline in scheduled configuration !6204 ~"type::cleanup"
Introduce target platform 🏗️ for CI deployments !6097
Adapt mgmt-cis-scan CI job to the use of compliance operator !6224 (issues: #3225)
Handle still running pipelines in scheduled report !6241 (issues: #3147)
avoid os-image-server-clear-old-ingresses replay on first apply.sh after fresh-install !6218 ~"capm3" (issues: #3209)
Use predefined gitlab env variables as default values for scheduled report script !6254
Move every platform related variables outside of the flavored templates !6268
Allow failures on check_versions_downgrade !6290
Deploy runner-aas on pinned tag !6245
Fix deployment for OKD - Apply selection management/workload into user provided env name !6291 ~"okd" (issues: #3247)
Stablize test_download_workload_kubeconfig.py to avoid any timing and page load issue !6292 (issues: #3258)
Add yamllint to pre-commit !6289
Shellcheck in pre-commit !6328
debug-on-exit.sh: dump more Keycloak and Rancher resources related to identity and authorization !6345
Fix misc options for capm3 pipelines !6347 ~"type::bug" (issues: #3273)
Skip kubescore test job if the corresponding cluster wasn't deployed by the CI !6334
add SKIP_CAPO_CLEANUP variable to control CAPO cleanup !6354 ~"capo"
Allow to run test units jobs even if the deploy/update job is not present !6335
Remove old CRDs, when transitioning from cis-operator to rancher-compliance !6322 (issues: #3265)
refactor push helm artifacts !6210 (issues: #2945)
crustgather automation for self-hosted gitlab !6370
add the config map scope to the script which check of leaks !5766 ~"area:security" ~"security" ~"security::CI" (issues: #2879)
Update values files based on cluster type !6364 (issues: #19)
Improve get_image_refs.py to identify which Sylva unit uses which OCI artifact !5946 ~"area:misc" ~"oci" (issues: #2877)
Add CI tests to check node pressure status !6275 ~"area:capi" ~"capo" ~"type::bug" (issues: #3232)
Test wkld-k8s-upgrade-n-2-n-1 scenario in scheduled pipelines !6415
Added test for detecting self cluster unplanned node rolling updates !5608 ~"area:capi" ~"cluster-lifecycle" (issues: #2853)
deps-project-tool.py: add --check-unconsumed-tags option !6420
Configure new tags for dedicated capm3 bmh runner !6398 ~"capm3"

Internal tooling

Track CI deployment values tag with renovate !5564 (issues: #2910)
Prevent upgrading kiwi-imagebuilder to old 0.x versions !5682 ~"CI"
Regroup external dependencies updates for release-x.y branches !5649 ~"CI"
Fix renovate configuration for thanos/thanos !5729 ~"CI"
fix managerFilePatterns in renovate.json !5765 ~"type::bug"
kubevirt-manager: replace commit id with tag to get auto update via renovate, and upgrade to 1.5.3 !6001 ~"area:CI" ~"area:misc" ~"area:security" ~"security" ~"security::supply-chain" (issues: #3109)
Group ironic and all metal3-io updates !6080 ~"area:CI"
Track sylva_diskimagebuilder_version and sylva_kiwi_imagebuilder_version from previous release with renovate !6098 ~"CI" ~"area:CI"
Fix typo on the target branch used by renovate to track kiwi n-2 !6111 ~"CI" ~"area:CI"
Fix renovate regex for matching Helm chart in git repository !6137 ~"CI" ~"area:CI"
Fix renovate regex for tracking image used by operator !6136 ~"CI" ~"area:CI"
Limit rancher compliance version !6168 ~"CI" ~"area:CI"
Track provider-keycloak with renovate !6259 ~"CI" ~"area:CI" (issues: #1792)
Add a preconfigured pipeline for renovate kunai MRs !6418 ~"CI" ~"CI::configuration" ~"area:CI"
Update baseBranch configuration to handle release-1.6 !6426 ~"area:CI"
Add a temporary renovate configuration to regroup all sylva-elements updates for main !6448 ~"area:CI"

Contributors

41 people contributed.

Adhil0, Adrian Vladu, Akshay Yadav, Alain Thioliere, Alex Ghita, Alin H, Amit Kumar, Arnaud Bouts, Bogdan Antohe, Cristian Manda, Cristina Isaroiu, Daniel Anton, Daniel Kostecki, Dragos Gerea, Francois Eleouet, Francois Klieber, François-Régis Menguy, Fred Dang Tran, Ishita Mittal, Jonathan Gayvallet, Loic Nicolle, Lupescu Daniel, Manik Bindlish, Marc Bailly, Mihai Zaharia, Mohan Sharma, Médéric De Verdilhac, Nikhil Sethi, Pierrick Seite, Priya Goyal, Ravindra Tanwar, Remi Le Trocquer, Sakshi Choudhary, Samuel Bartel, Satyawan Jangra, Teodora Pirvan, Thomas Morin, Tiberiu Mihai, Vladimir Braquet, Xavier Francois, Yiping Chen

sylva-projects/sylva-core 1.6.0 on GitLab

Merge Requests integrated in this release

Kubernetes

Sylva-units framework

Cluster API

Workload cluster

Backup and Restore

Networking

OpenStack ~capo

Baremetal ~capm3

Monitoring

Logging

Observability

Storage

Security

RKE2

Kubeadm

OKD/OpenShift

Bug Fixes

Other

Other dependency upgrades

Cleanups

CI

Internal tooling

Contributors

sylva-projects/sylva-core 1.6.0
on GitLab