Deckhouse

The following components will be restarted during the update from the Deckhouse 1.39
- Kubernetes Control Plane components
- admission-policy-engine
- cert-manager
- cloud-provider-yandex
- cni-cilium
- dashboard
- extended-monitoring
- ingress-nginx
- kube-dns
- kube-proxy
- linstor
- log-shipper
- metallb
- monitoring-kubernetes
- node-local-dns
- node-manager
- openvpn
- prometheus
- pod-reloader
- snapshot-controller
- terraform-manager
- upmeter
- user-authn
- vertical-pod-autoscaler

Component version updates
- linstor-server: v1.20.0
- linstor-client: v1.15.1
- linstor-csi: v0.21.0
- linstor-api: v1.15.1
- piraeus-opeartor: v1.10.0
- piraeus-ha-controller: v1.10.0
- drbd: v9.2.0
- drbd-utils: v9.22.0
- drbd-reactor: v0.9.0
- csi-attacher: v4.0.0
- csi-resizer: v1.6.0

Major changes
- Support for the obsolete version of cert-manager (0.10) has been removed. Certificates obtained using the certmanager.k8s.io API resources will no longer be updated and must be migrated to use the `certificates.cert-manager.io` API. Use this command to scan for resources with an outdated API version: `kubectl get certificates.certmanager.k8s.io -A`.
- Support for the Ingress controllers with versions lower than 1.1 has been removed. Deckhouse will not update if there are such Ingress controllers in the cluster.
- The [monitoring-kubernetes-control-plane](https://deckhouse.io/en/documentation/latest/modules/340-monitoring-kubernetes-control-plane/) module has been refactored (it only works with the [control-plane-manager](https://deckhouse.io/en/documentation/latest/modules/040-control-plane-manager/) module).
- A kernel version check has been implemented for modules. The module will not start, and an alert will pop up if the node's kernel version does not meet the requirements. The kernel requirements are specified for the [cni-cilium](https://deckhouse.io/en/documentation/latest/modules/021-cni-cilium/) module and the case when it works with either the [istio](https://deckhouse.io/en/documentation/latest/modules/110-istio/), [openvpn](https://deckhouse.io/en/documentation/latest/modules/500-openvpn/), or [node-local-dns](https://deckhouse.io/en/documentation/latest/modules/350-node-local-dns/) module.
- [NodeGroup](https://deckhouse.io/en/documentation/latest/modules/040-node-manager/cr.html#nodegroup) now supports specifying **zero** as a lower limit for the number of nodes (the [minPerZone](https://deckhouse.io/en/documentation/latest/modules/040-node-manager/cr.html#nodegroup-v1-spec-cloudinstances-minperzone) parameter). In this case, the nodes will be added to the group when needed. The option to prioritize a group of nodes further increases the flexibility of node scaling.
- Components of the [linstor](https://deckhouse.io/en/documentation/latest/modules/041-linstor/) module have been updated; support for *Ubuntu 22.04* has been added.
- [RootCAData](https://deckhouse.io/en/documentation/latest/modules/150-user-authn/cr.html#dexprovider-v1-spec-oidc-rootcadata) and [InsecureSkipVerify](https://deckhouse.io/en/documentation/latest/modules/150-user-authn/cr.html#dexprovider-v1-spec-oidc-insecureskipverify) parameters for OIDC providers have been added to the [DexProvider](https://deckhouse.io/en/documentation/latest/modules/150-user-authn/cr.html#dexprovider) resource of the [user-authn](https://deckhouse.io/en/documentation/latest/modules/150-user-authn/) module. They allow for managing TLS certificate validation.
- The *Kubernetes Cluster -> Prometheus Benchmark* dashboard has been added to Grafana. It allows you to diagnose Prometheus-related problems (while the latter is running).


See [CHANGELOG v1.40](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.40.md) for more details.

Fixes


- **[prometheus]** Fixed calculation of PVC size and retention size. [2934](https://github.com/deckhouse/deckhouse/pull/2934)


See [CHANGELOG v1.39](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.39.md) for more details.

Fixes


- **[kube-proxy]** Fix insufficient privileges for the init container. [2923](https://github.com/deckhouse/deckhouse/pull/2923)
The `kube-proxy` will be restarted.


See [CHANGELOG v1.39](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.39.md) for more details.

The following components will be restarted during the update from the Deckhouse 1.38
- cni-cillium
- kube-proxy
- linstor
- log-shipper
- node-local-dns
- openvpn
- upmeter

Component version updates
- metallb: `0.13.7`

Major changes
- Version `1.10` of Istio has been deprecated and is no longer supported. We recommend using `v1.13` or any other supported version.
- Validation for the Deckhouse module containers has been improved.
- The `node-local-dns` module can now run on Rocky Linux.
- [Trivy-based](https://github.com/aquasecurity/trivy) automatic periodic testing of container images for known vulnerabilities (CVE) has been added.
- In the log-shipper module:
- It is now possible to collect logs from [Apache Kafka](https://kafka.apache.org/) as well as stream them to it.
- Several fixes have been made, including fixing an error that occurred when sending logs to [Elasticsearch](https://www.elastic.co/) `8.x`.

See [CHANGELOG v1.39](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.39.md) for more details.