Major changes
- The **Ingress controller version 1.9** has been introduced. It is based on the chroot version of Nginx (which is more secure) and **adds fixes for several recently discovered critical vulnerabilities (CVE-2022-4886, CVE-2023-5043, CVE-2023-5044)**. Updating the Ingress controller is strongly recommended, as these vulnerabilities are only mitigated in version 1.9. On top of that, version 1.9 features a new [annotationValidationEnabled](https://deckhouse.io/documentation/v1.54/modules/402-ingress-nginx/cr.html#ingressnginxcontroller-v1-spec-annotationvalidationenabled) parameter (disabled by default) to activate the validation of the Ingress resource annotations.
- **The [configOverrides](https://deckhouse.io/documentation/latest/installing/configuration.html#initconfiguration-deckhouse-configoverrides) parameter of the InitConfiguration resource has been deprecated**. From now on, modules are configured using ModuleConfig resources both during and after the Deckhouse installation.
- **The _virtualization_ module** is about to undergo a major redesign. Starting with Deckhouse 1.54, the existing module implementation **can no longer be enabled**. However, you can continue to use it provided that it was enabled earlier (changing the module configuration is also blocked).
- **Vulnerabilities** in the following components have been mitigated: _kube-rbac-proxy, protobuf-exporter, nginx-exporter, kruise-state-metrics, kruise, local-path-provisioner, loki, kube-state-metrics, bashible-apiserver, alertmanager, trickster_.
- The _chrony, local-path-provisioner, monitoring-ping_ modules now use distroless images. This increases module security and reduces the attack surface.
- It is now possible to set your own logo in Grafana and on the authentication page (user-authn module). See the [PR description](https://github.com/deckhouse/deckhouse/pull/6268) for more details.

The following components will be restarted during the update
- **Kubernetes control plane**
- **Ingress controller**
- **Prometheus/Grafana**
- admission-policy-engine
- cert-manager
- chrony
- cloud-provider-aws (cloud-data-discoverer)
- cloud-provider-azure (cloud-data-discoverer)
- cloud-provider-gcp (cloud-data-discoverer)
- cloud-provider-openstack (cloud-data-discoverer)
- cloud-provider-yandex (cloud-metrics-exporter)
- cni-cilium (agent, operator)
- dashboard
- extended-monitoring
- istio (api-proxy)
- kube-dns
- kube-proxy
- linstor (linstor-controller, linstor-node, piraeus-operator)
- local-path-provisioner
- log-shipper
- loki
- metallb
- monitoring-kubernetes (ebpf-exporter, kube-state-metrics, node-exporter)
- monitoring-kubernetes-control-plane
- node-local-dns
- node-manager (bashible-apiserver, capi-controller-manager, cluster-autoscaler, early-oom, machine-controller-manager)
- openvpn
- operator-prometheus
- operator-trivy
- pod-reloader
- runtime-audit-engine
- snapshot-controller
- terraform-manager
- upmeter
- user-authn (dex)

Component version updates
- Kubernetes control plane: `1.25.15`, `1.26.10`, `1.27.7`, `1.28.3`.
- NGINX Ingress Controller: `1.9.4`
- Grafana Loki: `2.7.7`

See [CHANGELOG v1.54](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.54.md) for more details.