Deckhouse

Fixes


- **[log-shipper]** Loki fix extra labels. [2852](https://github.com/deckhouse/deckhouse/pull/2852)


See [CHANGELOG v1.38](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.38.md) for more details.

Fixes


- **[node-manager]** Avoid "node-role.kubernetes.io/master" taint removal when it is explicitly set in the master NG. [2837](https://github.com/deckhouse/deckhouse/pull/2837)


See [CHANGELOG v1.38](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.38.md) for more details.

Fixes


- **[candi]** Remove `master` taint if `control-plane` taint was removed in a single node installation. [2816](https://github.com/deckhouse/deckhouse/pull/2816)
- **[cloud-provider-yandex]** Disable the `csi-snapshotter` module. [2823](https://github.com/deckhouse/deckhouse/pull/2823)
- **[deckhouse-controller]** Reworked flow that checks release requirements. [2785](https://github.com/deckhouse/deckhouse/pull/2785)
- **[docs]** Updated search indexing for the ability to search by OpenAPI spec parameters. [2822](https://github.com/deckhouse/deckhouse/pull/2822)
- **[ingress-nginx]** Increase Ingress validation webhook timeout. [2818](https://github.com/deckhouse/deckhouse/pull/2818)
- **[kube-dns]** Added "prefer_udp" to stub zones. [2774](https://github.com/deckhouse/deckhouse/pull/2774)
- **[prometheus]** Fixed disk retention size calculation for small disks. [2825](https://github.com/deckhouse/deckhouse/pull/2825)

Chore


- **[istio]** Refreshed documentation on the use of Istio. [1732](https://github.com/deckhouse/deckhouse/pull/1732)


See [CHANGELOG v1.38](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.38.md) for more details.

The following components will be restarted during the update from the Deckhouse 1.37
- Kubernetes Control Plane components
- log-shipper
- openvpn
- Prometheus
- user-authn

Component version updates
- log-shipper/vector: `0.24.2`
- dex: `2.35`

Major changes

- The new **[admission-policy-engine](https://deckhouse.io/en/documentation/latest/modules/015-admission-policy-engine/)** module allows you to use security policies in the cluster namespace according to the Kubernetes [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/). To apply a policy, it is enough to set a label `security.deckhouse.io/pod-policy=<POLICY_NAME>` to the corresponding namespace.
- Code refactoring has been conducted to prepare for storing Deckhouse module configurations in separate custom resources instead of using the `deckhouse` ConfigMap. The feature is expected to be introduced in the next release.
- Validation of the [publicDomainTemplate](https://deckhouse.io/en/documentation/v1/deckhouse-configure-global.html#parameters-modules-publicdomaintemplate) parameter has been added.
- Fixes have been made to the `Kubernetes / Ingress Nginx Controllers` and `Kubernetes / Ingress Nginx Controller Details` Grafana dashboards.
- Automatic volume expansion in Prometheus has been removed because it failed to work as expected.
- The `tlsMode` parameter has been removed in the [istio](https://deckhouse.io/en/documentation/latest/modules/110-istio/configuration.html) module.

See [CHANGELOG v1.38](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.38.md) for more details.

Fixes


- **[node-manager]** Avoid "node-role.kubernetes.io/master" taint removal when it is explicitly set in the master NG [2831](https://github.com/deckhouse/deckhouse/pull/2831)


See [CHANGELOG v1.37](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.37.md) for more details.

Fixes


- **[candi]** Remove `master` taint if `control-plane` taint was removed in a single node installation. [2809](https://github.com/deckhouse/deckhouse/pull/2809)
- **[ingress-nginx]** Increase Ingress validation webhook timeout. [2812](https://github.com/deckhouse/deckhouse/pull/2812)


See [CHANGELOG v1.37](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.37.md) for more details.