Deckhouse Kubernetes Platform v1.58 Release Overview
Major changes
* **Support for Kubernetes 1.29 has been added** while support for Kubernetes 1.24 has been discontinued. The default Kubernetes version (1.25) remains the same for now. Note that it will be switched to 1.27 in the next release.
* Deckhouse Enterprise Edition now features **support for VMware Cloud Director**. The related [cloud provider module](https://deckhouse.io/documentation/v1.58/modules/030-cloud-provider-vcd/) is under active development.
* **Project-related changes** (the `multitenancy-manager` module):
  * The [ProjectTemplate](https://deckhouse.io/documentation/v1.58/modules/160-multitenancy-manager/cr.html#projecttemplate) (project template, a new resource) and [Project](https://deckhouse.io/documentation/v1.58/modules/160-multitenancy-manager/cr.html#project) (project instance) resources are now used to define a project. The _ProjectType_ resource is considered deprecated and will be removed in future releases.
  * Three predefined project templates have been added: _default_, _secure_ and _secure with dedicated nodes_. Now, all you need to do to start a project is to create a Project resource ([example](https://deckhouse.io/documentation/v1.58/modules/160-multitenancy-manager/usage.html#creating-a-project)). Refer to the [documentation](https://deckhouse.io/documentation/v1.58/modules/160-multitenancy-manager/usage.html#default-project-templates) to learn more about the predefined project templates.
* **The MetalLB dashboard has been added to Grafana.** Dashboard screenshots can be found in the [respective PR](https://github.com/deckhouse/deckhouse/pull/7459#issuecomment-1951945806).
* The documentation in the cluster has been updated to include the **ModuleSource modules documentation** (the [ModuleSource](https://deckhouse.io/documentation/v1.58/cr.html#modulesource) resource). Browse it by switching to the module documentation section in the _Documentation_ drop-down list at the top menu of the page.
* The log message metadata now features a field containing the name of the _NodeGroup_. See the [documentation](https://deckhouse.io/documentation/v1.58/modules/460-log-shipper/#metadata) for more details on log collection.
* The _WithNATInstance_ layout of the Yandex Cloud provider module now features a section of parameters for managing the NAT instance resources (the [natInstanceResources](https://deckhouse.io/documentation/v1.58/modules/030-cloud-provider-yandex/cluster_configuration.html#yandexclusterconfiguration-withnatinstance-natinstanceresources) parameter).
* New options for customizing the registry connection used by container image availability monitoring in a cluster (the [imageAvailability.registry](https://deckhouse.io/documentation/v1.58/modules/340-extended-monitoring/configuration.html#parameters-imageavailability-registry) section) have been added. For example, you can now specify a certificate authority certificate (useful in private environments).
* An option to control the protocol used to connect to the upstream DNS server (the [transportProtocolMode](https://deckhouse.io/documentation/v1.58/modules/042-kube-dns/configuration.html#parameters-transportprotocolmode) parameter) has been added.
Security
- `cilium-operator`, `cilium-hubble`, and `openvpn` have been migrated to distroless images.
- The Ingress controller build process has been refactored to improve security.
- The general build process has also been refactored to improve security.
- The following vulnerabilities have been addressed in the istio module: CVE-2024-23322, CVE-2024-23323, CVE-2024-23324, CVE-2024-23325, CVE-2024-23327.
Component version updates
* Kubernetes control plane: `1.26.14`, `1.27.11`, `1.28.7`, `1.29.2`
* containerd: `1.7.13`
* local-path-provisioner: `0.0.26`
* Prometheus: `2.45.2`
* runc: `1.1.12`
A list of internal modules or their components that will be restarted during the upgrade
Note that _all_ Deckhouse Kubernetes Platform components including the Ingress controller, Prometheus/Grafana, and Kubernetes control plane will be restarted during the upgrade.
See [CHANGELOG v1.58](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.58.md) for more details.