Deckhouse

Fixes


- **[ceph-csi]** Restoring the previous secret name with ceph cluster credentials. [3387](https://github.com/deckhouse/deckhouse/pull/3387)
- **[ceph-csi]** Delete storage classes after changing immutable fields. [3380](https://github.com/deckhouse/deckhouse/pull/3380)
- **[deckhouse]** Fixed unrendered backquotes in the DeckhouseRelease resource. [3367](https://github.com/deckhouse/deckhouse/pull/3367)
- **[ingress-nginx]** Fix client certificate update. [3368](https://github.com/deckhouse/deckhouse/pull/3368)

Chore


- **[candi]** Upgraded patch versions of Kubernetes images: v1.25.5. [3376](https://github.com/deckhouse/deckhouse/pull/3376)
"Kubernetes control-plane components will restart, kubelet will restart"


See [CHANGELOG v1.42](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.42.md) for more details.

The following components will be restarted during the update from the Deckhouse 1.41
- Kubernetes Control Plane components
- Prometheus/Trickster/Grafana
- `cni-cilium`
- `dashboard`
- `ingress-nginx`
- `istio` (control-plane only)
- `log-shipper`

Component version updates:
- Kubernetes control plane: `1.22.17`, `1.23.15`, `1.24.9`
- Yandex Cloud provider terraform: `v0.83.0`

Important update notes:
- The cluster will be automatically updated to Kubernetes 1.23 if the [kubernetesVersion](https://deckhouse.io/documentation/v1.42/installing/configuration.html#parameters-kubernetesversion) parameter is set to `Automatic`.
- If there is the [ClusterConfiguration.proxy](https://deckhouse.io/documentation/v1.42/installing/configuration.html#parameters-proxy) parameter configured, it is highly important to configure the [noProxy](https://deckhouse.io/documentation/v1.42/installing/configuration.html#parameters-proxy-noproxy) parameter with your Nodes CIDRs.
- In clusters on Google Cloud with Kubernetes 1.23+, you need to install the `node.deckhouse.io/nodeport-bind-internal-ip : "false"` annotation on a NodeGroup and restart kube-proxy pods so that load balancer healthchecks work.

Major changes:
- **The new [delivery](https://deckhouse.io/documentation/v1.42/modules/502-delivery/usage.html) module** supports the deployment of [Argo CD](https://argo-cd.readthedocs.io/)-based applications both traditionally and in a [werf bundle](https://werf.io/documentation/v1.2/advanced/bundles.html#bundles-deployment) way.
- Support for Kubernetes 1.25 has been implemented; Kubernetes 1.20 is no longer supported.
- Kubernetes 1.23 is now used by default.
- The proxy configuration mechanism has been redesigned (specifically, it is used in air-gapped environments). Proxy behavior can now be configured using the [proxy](https://deckhouse.io/documentation/v1.42/installing/configuration.html#parameters-proxy) parameter of the [ClusterConfiguration](https://deckhouse.io/documentation/v1.42/installing/configuration.html#clusterconfiguration) resource.
- Deckhouse no longer manages kernel versions but does restrict certain components from running on incompatible kernels.
- Self-signed component certificates to interact with the API server are now generated through a dedicated CA. The internal Kubernetes mechanism for issuing certificates is no longer used, given that managed solution providers (such as AWS EKS) often restrict its operation.
- The Istio dataplane is automatically updated if the `istio.deckhouse.io/auto-upgrade="true"` label is attached to the namespace or resource.
- The new [IngressIstioController](https://deckhouse.io/documentation/v1.42/modules/110-istio/cr.html#ingressistiocontroller) resource enables the implementation of an Istio-native pattern for receiving external traffic.
- The log-shipper module can now forward logs to [Splunk](https://www.splunk.com/).
- The `DexProvider` resource (of the [user-authn](https://deckhouse.io/documentation/v1.42/modules/150-user-authn/) module) now has a [claimMapping](https://deckhouse.io/documentation/v1.42/modules/150-user-authn/cr.html#dexprovider-v1-spec-oidc-claimmapping) parameter to specify a mapping for non-standard Dex provider claims.
- The OperationPolicy resource (of the [admission-policy-engine](https://deckhouse.io/documentation/v1.42/modules/015-admission-policy-engine/) module) now allows you to apply [operation policies](https://deckhouse.io/documentation/v1.42/modules/015-admission-policy-engine/#operation-policies) to resources, such as restricting image tags, registry addresses, etc. It is also possible to require that certain parameters be present in the resource specification.

See [CHANGELOG v1.42](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.42.md) for more details.

Fixes


- **[deckhouse-config]** Disable deckhouse-config webhook for uninitialized cluster. [3257](https://github.com/deckhouse/deckhouse/pull/3257)
- **[ingress-nginx]** Fix auth TLS certificates bug which leads to absent certificates on the Ingress controller bootstrap. [3259](https://github.com/deckhouse/deckhouse/pull/3259)
- **[namespace-configurator]** Apply configuration only for namespaces matched the filter in this configuration. [3273](https://github.com/deckhouse/deckhouse/pull/3273)
- **[node-manager]** Fix the description in the `NodeGroupMasterTaintIsAbsent` alert. [3248](https://github.com/deckhouse/deckhouse/pull/3248)
- **[user-authn]** Read CA for OIDC provider from encoded PEM string. [3249](https://github.com/deckhouse/deckhouse/pull/3249)


See [CHANGELOG v1.41](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.41.md) for more details.

Fixes


- **[deckhouse-config]** Apply defaults before spec.settings validation. [3206](https://github.com/deckhouse/deckhouse/pull/3206)
- **[ingress-nginx]** Fix manual pods rollout for `HostPort` inlet. [3207](https://github.com/deckhouse/deckhouse/pull/3207)
- **[node-manager]** Fix node-group template generation when `minPerZone==0` and capacity is not set. [3222](https://github.com/deckhouse/deckhouse/pull/3222)


See [CHANGELOG v1.41](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.41.md) for more details.

The following components will be restarted during the update from the Deckhouse 1.40
- ceph-csi
- prometheus

The following modules will be restarted during the update if a proxy server is used in the cluster
> A proxy server is used in the cluster if the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables are set.
- cloud-provider-yandex
- image-availability-exporter
- linstor
- snapshot-controller

Component version updates:
- CSI driver (cloud-provider-vsphere module): `v2.5.4`
- Ceph CSI: `v3.7.2`

Important update notes:
Editing the deckhouse ConfigMap is no longer possible due to switching to the new Deckhouse configuration mechanism.

Major changes:
- **The new Deckhouse configuration mechanism has been implemented.**
The global Deckhouse configuration and module configurations are now stored in `ModuleConfig` resources. The former method of configuring Deckhouse via the `deckhouse` ConfigMap is no longer available. See the [documentation](https://deckhouse.io/documentation/v1.41/) for more information about the new configuration method.
- Basic authentication using the `auth.password` parameter is no longer supported (use the [user-auth](https://deckhouse.io/documentation/v1.41/modules/150-user-authn/) module to restrict access). This change affects `cilium-hubble`, `dashboard`, `deckhouse-web`, `istio`, `openvpn`, `prometheus`, and `upmeter` modules.
- The standby node allocation mechanism has been improved.
- It is now possible to disable creating `letsencrypt` and `letsencrypt-staging` ClusterIssuer resources (use the [disableLetsencrypt](https://deckhouse.io/documentation/v1.41/modules/101-cert-manager/configuration.html#parameters-disableletsencrypt) parameter to do so).
- [The instruction](https://deckhouse.io/documentation/v1.41/deckhouse-faq.html#nexus) for configuring Nexus in docker registry proxy mode have been updated.
- The Grafana *homepage* has been updated. Some items have been redesigned; information about the update channel used, the update windows, and the depth of Prometheus metrics collection has been added:

See [CHANGELOG v1.41](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.41.md) for more details.