The following components will be restarted during the update from Deckhouse 1.41:
- Kubernetes Control Plane components
- Prometheus/Trickster/Grafana
- `cni-cilium`
- `dashboard`
- `ingress-nginx`
- `istio` (control-plane only)
- `log-shipper`
Component version updates:
- Kubernetes control plane: `1.22.17`, `1.23.15`, `1.24.9`
- Yandex Cloud provider terraform: `v0.83.0`
Important update notes:
- The cluster will be automatically updated to Kubernetes 1.23 if the [kubernetesVersion](https://deckhouse.io/documentation/v1.42/installing/configuration.html#parameters-kubernetesversion) parameter is set to `Automatic`.
- If the [ClusterConfiguration.proxy](https://deckhouse.io/documentation/v1.42/installing/configuration.html#parameters-proxy) parameter is configured, it is highly important to configure the [noProxy](https://deckhouse.io/documentation/v1.42/installing/configuration.html#parameters-proxy-noproxy) parameter with your node CIDRs.
- In clusters on Google Cloud with Kubernetes 1.23+, you need to set the `node.deckhouse.io/nodeport-bind-internal-ip : "false"` annotation on a NodeGroup and restart the kube-proxy pods so that load balancer health checks work.
Major changes:
- **The new [delivery](https://deckhouse.io/documentation/v1.42/modules/502-delivery/usage.html) module** supports deploying [Argo CD](https://argo-cd.readthedocs.io/)-based applications both in the traditional way and as a [werf bundle](https://werf.io/documentation/v1.2/advanced/bundles.html#bundles-deployment).
- Support for Kubernetes 1.25 has been implemented; Kubernetes 1.20 is no longer supported.
- Kubernetes 1.23 is now used by default.
- The proxy configuration mechanism has been redesigned (specifically, it is used in air-gapped environments). Proxy behavior can now be configured using the [proxy](https://deckhouse.io/documentation/v1.42/installing/configuration.html#parameters-proxy) parameter of the [ClusterConfiguration](https://deckhouse.io/documentation/v1.42/installing/configuration.html#clusterconfiguration) resource.
- Deckhouse no longer manages kernel versions but does restrict certain components from running on incompatible kernels.
- Self-signed component certificates to interact with the API server are now generated through a dedicated CA. The internal Kubernetes mechanism for issuing certificates is no longer used, given that managed solution providers (such as AWS EKS) often restrict its operation.
- The Istio dataplane is automatically updated if the `istio.deckhouse.io/auto-upgrade="true"` label is attached to the namespace or resource.
- The new [IngressIstioController](https://deckhouse.io/documentation/v1.42/modules/110-istio/cr.html#ingressistiocontroller) resource enables the implementation of an Istio-native pattern for receiving external traffic.
- The log-shipper module can now forward logs to [Splunk](https://www.splunk.com/).
- The `DexProvider` resource (of the [user-authn](https://deckhouse.io/documentation/v1.42/modules/150-user-authn/) module) now has a [claimMapping](https://deckhouse.io/documentation/v1.42/modules/150-user-authn/cr.html#dexprovider-v1-spec-oidc-claimmapping) parameter to specify a mapping for non-standard Dex provider claims.
- The OperationPolicy resource (of the [admission-policy-engine](https://deckhouse.io/documentation/v1.42/modules/015-admission-policy-engine/) module) now allows you to apply [operation policies](https://deckhouse.io/documentation/v1.42/modules/015-admission-policy-engine/#operation-policies) to resources, such as restricting image tags, registry addresses, etc. It is also possible to require that certain parameters be present in the resource specification.
See [CHANGELOG v1.42](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.42.md) for more details.