Deckhouse

Changelog

Fixes

- **[candi]** Fix bash word splitting. [7410](https://github.com/deckhouse/deckhouse/pull/7410)
- **[metallb]** Add `livenessProbe` and `readinessProbe` in metallb speaker spec. [7382](https://github.com/deckhouse/deckhouse/pull/7382)
The `metallb-speaker` pods will restart.
- **[monitoring-kubernetes]** Revert https://github.com/deckhouse/deckhouse/pull/7272. [#7411](https://github.com/deckhouse/deckhouse/pull/7411)
- **[monitoring-kubernetes]** Revert https://github.com/deckhouse/deckhouse/pull/6241. [#7269](https://github.com/deckhouse/deckhouse/pull/7269)

For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.57.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.57.0).

Changelog

Fixes

- **[candi]** Deckhouse Kubernetes Platform BE improvements. [7338](https://github.com/deckhouse/deckhouse/pull/7338)
- **[dhctl]** Mirroring will now include Trivy vulnerability database image. [7359](https://github.com/deckhouse/deckhouse/pull/7359)
- **[operator-trivy]** Fix `node-collector` image. [7329](https://github.com/deckhouse/deckhouse/pull/7329)

For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.57.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.57.0).

Changelog

Features


- **[candi]** Add Deckhouse Kubernetes Platform Basic Edition (BE). [7260](https://github.com/deckhouse/deckhouse/pull/7260)
- **[candi]** Add the ability to install packages from images inside an external module. [7254](https://github.com/deckhouse/deckhouse/pull/7254)
- **[control-plane-manager]** Kubernetes version 1.24 support will be removed in the next Deckhouse release (1.58). [7268](https://github.com/deckhouse/deckhouse/pull/7268)

Fixes


- **[candi]** Add validation pattern for the `imagesRepo` parameter. [7169](https://github.com/deckhouse/deckhouse/pull/7169)
- **[deckhouse]** Keep enabled modules without helm charts after converge. [7315](https://github.com/deckhouse/deckhouse/pull/7315)
- **[descheduler]** Set the number of replicas to 0 if we have only one node. [5221](https://github.com/deckhouse/deckhouse/pull/5221)
- **[dhctl]** Skip converge base infra if user does not want converge base infra [7313](https://github.com/deckhouse/deckhouse/pull/7313)
- **[monitoring-kubernetes]** Add control of minimal Linux kernel version >= `5.8.0` for `ebpf_exporter` and a corresponding alert. [7272](https://github.com/deckhouse/deckhouse/pull/7272)
- **[prometheus]** Fix alerts-receiver reconcile loop issue. [7287](https://github.com/deckhouse/deckhouse/pull/7287)
Alerts-receiver pod will be recreated.

Chore


- **[candi]** Bump patch versions of Kubernetes images: `v1.26.13`, `v1.27.10`, `v1.28.6` [7262](https://github.com/deckhouse/deckhouse/pull/7262)
Kubernetes control-plane components will restart, kubelet will restart.
- **[external-module-manager]** Prevent releases with versions less than current deployed version from deploying. [7297](https://github.com/deckhouse/deckhouse/pull/7297)
- **[external-module-manager]** Provide a registry scheme in a module OpenAPI. [7263](https://github.com/deckhouse/deckhouse/pull/7263)
- **[prometheus]** Fix concurrent map access error. [7261](https://github.com/deckhouse/deckhouse/pull/7261)
Internal alerts-receiver will restart.


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.57.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.57.0).

Please note

* **Support for the current implementation of the linstor module has been discontinued**. The module will be removed in the next Deckhouse Kubernetes Platform release. You can use the [sds-drbd](https://deckhouse.io/modules/sds-drbd/stable/faq.html#migrating-from-the-deckhouse-kubernetes-platform-linstorhttpsdeckhouseiodocumentationv157modules041-linstor--built-in-module-to-sds-drbd) module as a substitute.
* **Deckhouse Kubernetes Platform will fail to upgrade** if the cluster uses **Istio version lower than 1.16** (see the [globalVersion](https://deckhouse.io/documentation/v1.57/modules/110-istio/configuration.html#parameters-globalversion) parameter or the `istio.io/rev=` [annotation](https://deckhouse.io/documentation/v1.57/modules/110-istio/#activating-istio-to-work-with-the-application) attached to the Namespace).

Major changes

* _PrometheusRemoteWrite._ This resource configures the way monitoring data is transmitted over the _Prometheus remote-write_ protocol. You can now add a CA certificate to it (using the [tlsConfig.ca](https://deckhouse.io/documentation/v1.57/modules/300-prometheus/cr.html#prometheusremotewrite) field). This comes in handy when self-signed certificates are used, in private environments, etc.
* The [upmeter](https://deckhouse.io/documentation/v1.57/modules/500-upmeter/) module has got a fixed data rotation period of one and a half years.

New mechanism of working with modules

You can now connect additional modules from the module source (the [ModuleSource](https://deckhouse.io/documentation/v1.57/cr.html#modulesource) resource). These modules are updated independently of the Deckhouse Kubernetes Platform updates (the way the internal modules are treated has not changed — they continue to be updated along with the new Deckhouse Kubernetes Platform versions). Note that the `deckhouse` ModuleSource will be enabled automatically when you upgrade Deckhouse Kubernetes Platform to version 1.57.

The [ModuleUpdatePolicy](https://deckhouse.io/documentation/v1.57/cr.html#moduleupdatepolicy) resource lets you manage the way modules are updated. It is automatically created and defaults to match the existing Deckhouse Kubernetes Platform update mode in the cluster.


Here are some useful commands to:

* Get a list of modules available in the `deckhouse` ModuleSource:

shell
kubectl get ms deckhouse -o yaml


* Get release history and available module updates:

shell
kubectl get mr


* Get module update mode (for the `deckhouse` ModuleSource):

shell
kubectl get mup deckhouse -o yaml


If manual update mode is set, updates will remain in the _Pending_ state and will not be applied automatically. To apply them, add the `modules.deckhouse.io/approved="true"` annotation to the corresponding moduleRelease, e.g.:

shell
kubectl annotate mr deckhouse-admin-v1.15.3 modules.deckhouse.io/approved="true"`


A list of modules and documentation is available on the Deckhouse Kubernetes Platform website under [Documentation -> Modules](https://deckhouse.io/modules/).

Switching to distroless images

The following modules and components have been migrated to distroless images:

* ceph-csi
* extended-monitoring
* network-policy-engine
* prometheus-pushgateway
* redis (the delivery module)
* runtime-audit-engine
* shell-operator


Security

The following vulnerabilities have been addressed in the CSI components:

* CVE-2022-41723
* CVE-2023-39325
* GHSA-m425-mq94-257g

Component version updates

* pushgateway: `v1.6.2`
* node-exporter: `v1.7.0`


A list of internal modules or their components that will be restarted during the upgrade

- **Ingress controller**
- **Prometheus/Grafana**
- **Kubernetes Control Plane**
- admission-policy-engine
- ceph-csi
- cert-manager
- chrony
- cloud-provider-aws
- cloud-provider-azure
- cloud-provider-gcp
- cloud-provider-openstack
- cloud-provider-vsphere
- cloud-provider-yandex
- cni-cilium
- cni-flannel
- cni-simple-bridge
- containerd
- descheduler
- documentation
- extended-monitoring
- falcosidekick (runtime-audit-engine)
- keepalived
- kube-dns
- kube-proxy
- local-path-provisioner
- loki
- metallb
- monitoring-kubernetes
- network-gateway
- network-policy-engine
- node-local-dns
- node-manager
- operator-prometheus
- operator-trivy
- pod-reloader
- prometheus-metrics-adapter
- prometheus-pushgateway
- terraform-manager
- upmeter
- user-authn
- user-authz
- vertical-pod-autoscaler

Fixes


- **[external-module-manager]** Fix multiple symlinks for a single module in the symlink folder. [7228](https://github.com/deckhouse/deckhouse/pull/7228)
- **[external-module-manager]** Fix outdated module versions in multi-master environment. [7222](https://github.com/deckhouse/deckhouse/pull/7222)

For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.56.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.56.0).