Deckhouse

En
**[ingress-nginx]**
- Bug: [Remove](https://github.com/deckhouse/deckhouse/commit/416a1ec497fd30e4be01fdeb8ba16f5e3151efe0) required fields in open API spec IngressNginxController CRD.

**[cert-manager]**
- Bug: [Fix](https://github.com/deckhouse/deckhouse/commit/c8db8146cd4bedb6f9bf0b5106e1821649358e63) D8CertmanagerOrphanSecretsWithoutCorrespondingCertificateResources alert.

Ru
**[ingress-nginx]**
- Ошибка: [Удалены](https://github.com/deckhouse/deckhouse/commit/416a1ec497fd30e4be01fdeb8ba16f5e3151efe0) обязательные поля в open API cпецификации IngressNginxController CRD.

**[cert-manager]**
- Ошибка: [Исправлен](https://github.com/deckhouse/deckhouse/commit/c8db8146cd4bedb6f9bf0b5106e1821649358e63) алерт D8CertmanagerOrphanSecretsWithoutCorrespondingCertificateResources.

En
**[cert-manager]**
- Bug: [Fix](https://github.com/deckhouse/deckhouse/commit/67aebdc72edab52cdac54631aa1f2156a5215324) ClusterIssuer email auto discovery.

Ru
**[cert-manager]**
- Ошибка: [Исправлено](https://github.com/deckhouse/deckhouse/commit/67aebdc72edab52cdac54631aa1f2156a5215324) автоматическое определение email из ClusterIssuer.

En
**[global]**
- Enhancement: [Remove](https://github.com/deckhouse/deckhouse/commit/eedfed94b30ecc0204219471b61833c790b8160d) clusterName and project. Simplifies usage of Community Edition.
- Enhancement: [Add](https://github.com/deckhouse/deckhouse/commit/5d6fd65755ecc86c19d4bca0f835a460960a84cc) migration to clean up Deckhouse configuration.

**[user-authn]**
- Enhancement: [Module](https://github.com/deckhouse/deckhouse/commit/c0e5bede26631e02e0f1a39ff2f02aaa6b505347) is enabled by default.

**[nginx-ingress]**
- Enhancement: [Update](https://github.com/deckhouse/deckhouse/commit/9809d694cda5f90bb209d37f3fc43b310559fe3c) default resource requests.

**[control-plane-manager]**
- Enhancement: [Return](https://github.com/deckhouse/deckhouse/commit/45f0490712b779d43f9eec1c42ccd356aee3d865) verbose error of policy unmarshalling.

Ru

**[global]**
- Улучшение: [Удалены](https://github.com/deckhouse/deckhouse/commit/eedfed94b30ecc0204219471b61833c790b8160d) clusterName и project. Упрощает использование Community Edition.
- Улучшение: [Добавлена](https://github.com/deckhouse/deckhouse/commit/5d6fd65755ecc86c19d4bca0f835a460960a84cc) миграция для очистки конфига Deckhouse.

**[user-authn]**
- Улучшение: [Модуль](https://github.com/deckhouse/deckhouse/commit/c0e5bede26631e02e0f1a39ff2f02aaa6b505347) включен по умолчанию.

**[nginx-ingress]**
- Улучшение: [Обновлены](https://github.com/deckhouse/deckhouse/commit/9809d694cda5f90bb209d37f3fc43b310559fe3c) значения по умолчанию для запрашиваемых ресурсов.

**[control-plane-manager]**
- Улучшение: [Включен](https://github.com/deckhouse/deckhouse/commit/45f0490712b779d43f9eec1c42ccd356aee3d865) подробный вывод ошибок при обработке политик аудита.

**[core]**
[Provide](https://github.com/deckhouse/deckhouse/commit/5cee60bf0cdd20c95693a77f63a96aba6193b908) defaults for the certificate requests. Fixes the issue when an order of Certificate in the `ingress-nginx` module fails because of a zero timeout for waiting for it to be issued.

**[deckhouse]**
[Fix](https://github.com/deckhouse/deckhouse/commit/34e96fbe8c8e557634e12b47599560a34a280e7a) stabilize release channel feature.

**[cert-manager]**
[Add](https://github.com/deckhouse/deckhouse/commit/4b2bd7b4f1ed4694a2a173d4cb2cf793080bc16c) expiration for orphan_secrets_metrics_hook group. A restart of Deckhouse was needed to resolve D8CertmanagerOrphanSecretsWithoutCorrespondingCertificateResources alert even when the problem was fixed.

[prometheus] Fix ([1](https://github.com/deckhouse/deckhouse/commit/ceb3c7bcfeee125ced1d6936ff4d70d69e55b8bd),[2](https://github.com/deckhouse/deckhouse/commit/d476d75cb063260845f292130f9e95c584d21511)) openapi spec for values.yaml

En

All Deckhouse components will be restarted during the update
Switch Docker registry from registry.flant.com to registry.deckhouse.io. This is a necessary step for the public release of Deckhouse. The source code is published on GitHub. Your applications running in the cluster won’t be affected during the update.
The most crucial components that can affect your developer teams:
- API server
- Kube-controller-manager
- Kube-scheduler
- Grafana
- Prometheus
- Dashboard
- Dex
- OpenVPN
- Ingress nginx

Significant changes

[Kubernetes patch update](https://github.com/deckhouse/deckhouse/commit/45666440b6ab6a521e9e7bc01914626bd2aa0a77)
Update Kubernetes 1.19.10 to 1.19.13.

Update Kubernetes 1.20.6 to 1.20.9.

Update Kubernetes 1.21.0 to 1.21.3.

[Use base images](https://github.com/deckhouse/deckhouse/commit/b086cd6ad9d0a48f944b8e95778efa14be84c2b4) for all components
A limited number of the base images is used to build final images. If a third-party image must be used, a binary from this image is copied to the base image. Previously, a third-party image was copied to the Deckhouse registry and used as is. Alpine is used to run almost all applications in clusters.

[Online resize](https://github.com/deckhouse/deckhouse/commit/1da83f5b66064b1b501a671931f2ab0def155b70) for vSphere Volumes
Migrating from FCD (First Class Disk) to CNS (Cloud Native Storage) volume types. CNS volume types support online resize, and vSphere API that provides CNS is much more stable.

Nginx Ingress Controller improvements
[Use](https://github.com/deckhouse/deckhouse/commit/7edf775be1716d4d6c57e88bad548f0ccc6b852f) Deployment for LoadBalancer and LoadBalancerWithProxyProtocol ingress controller inlets. This allows autoscaling of ingress controllers. There is a minimum of two pods running on every frontend node that receives incoming traffic. It prevents cloud load balancers from updating targets during ingress controllers roll out.

[Fix](https://github.com/deckhouse/deckhouse/commit/5624e592fa8f5c03c0b46fdfc4c35ec6320c2d8c) the problem with 503 errors during the rollout of HostWithFailover controllers.

New module [log-shipper](https://github.com/deckhouse/deckhouse/commit/6da2ac9067c42406836fdd6f25d80324ffe4fb89)
This module allows to aggregate and to push logs from cluster to Elasticsearch, Loki, or Logstash. The management of storage itself (Elasticsearch or Loki) is out of the scope of this module.

[Update Prometheus](https://github.com/deckhouse/deckhouse/commit/e7d545ec15221f0adf8e426989cbe6db98541848) to 2.28.0
The new version has the latest features and consumes less memory during startup.

[Autoconverge](https://github.com/deckhouse/deckhouse/commit/4d903e450e68d90e64cdf7f5010b2b46b041bc5c) base infrastructure
Base infrastructure is created during the bootstrap process of the Cloud cluster. This infrastructure is allowed to be changed only by `dhctl` itself. Terraform state is periodically checked for changes introduced not through `dhctl`, and if such a change is detected – `terraform` is reapplied, but only if the change is safe. Safe change is assumed to be any change that allows the in-place updates to be done. If there are unsafe changes, there will be an alert from the cluster.

Stable v1 API versions
All stable CustomResources are released under the v1 version ([1](https://github.com/deckhouse/deckhouse/commit/8f2934933c5eed2a42b755f0ebd926689fbb4c6e), [2](https://github.com/deckhouse/deckhouse/commit/60fd8c967660f96c657e2db8d8b83dd5374dc62e)).

Other changes
**[node-manager]**
- Enhancement: [Set](https://github.com/deckhouse/deckhouse/commit/9a7ba5bae1ed5826d33100205362b4108e844ddd) containerd desired version to 1.4.6. Fixes [CVE-2021-30465](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30465). It was decided not to force containerd updates on all nodes because an attacker should have access to Kubernetes API to exploit the vulnerability. An attacker must be able to create multiple containers with a fairly specific mount configuration. All new nodes will have version 1.4.6.
- Enhancement: [Rename](https://github.com/deckhouse/deckhouse/commit/e008d7f05ab7c5a2027f5b9cfebb47e63428690d) nodeType in v1 NodeGroup API. Previously there were Cloud and Hybrid nodes. It was confusing as there was also the term Hybrid for ClusterType. To solve this ambiguity new types were introduced: CloudEphemeral (for NodeGroups that are used by machine controller manager), CloudPermanent (for NodeGroups that are created by the `dhctl`), and CloudStatic (for NodeGroups that can be used to bootstrap nodes that are manually created in a cloud provider).
- Refactoring: [Fix](https://github.com/deckhouse/deckhouse/commit/b810838dce70e60c90717745e32624462fb6a2e7) machine controller manager race condition.
The first virtual machine in NodeGroup sometimes was created with outdated settings after the InstanceClass update. This could have been leading to potential problems of cluster stability.

**[cloud-provider-openstack]**
- Enhancement: [Add](https://github.com/deckhouse/deckhouse/commit/28f6f064e1e928ac84d6c886c913581d7e9f1199) option to disable topology feature flag in csi-provisioner.

**[cloud-provider-yandex]**
- Enhancement: [Simplify](https://github.com/deckhouse/deckhouse/commit/d064b9e282fa7ecf35a905df88d5eb037368efa5) bootstrap process for the WithNATInstance layout. It also fixes routing issues for virtual machines with the additional network interface.

**[descheduler]**
- Enhancement: [Update](https://github.com/deckhouse/deckhouse/commit/64109aaeeae7a7e1bb9ee27fb1512621cddc74c0) descheduler to 0.21.0.
- Enhancement: [Add](https://github.com/deckhouse/deckhouse/commit/97aee139d8d23387d1e57caa59730047daca78c6) HighNodeUtilization strategy.
- Enhancement: [Run](https://github.com/deckhouse/deckhouse/commit/e5aa9160fbfc3ab1e39aa35d59e3de221627e2a7) as Deployment.

**[user-authn]**
- Enhancement: [Use](https://github.com/deckhouse/deckhouse/commit/01565941fd6400ed4cec3fc86e8c511f09455600) in-cluster address to access an OIDC provider.

Other internal changes
- Enhancement: [Split](https://github.com/deckhouse/deckhouse/commit/5ddcdb1e2df7f1f78330ede7712f4ad88e616b86) the code into CE/EE/FE editions.
- Refactoring: New module [flant-integration](https://github.com/deckhouse/deckhouse/commit/1e89b6dd926620f5e454b2ac65f7e6064170b5f0) combines prometheus-madison-integration and flant-pricing modules.
- Enhancement: [First step](https://github.com/deckhouse/deckhouse/commit/1cf0ee64ba22880d89160ec8273b27ec8b17cc5f) of in-cluster DNS refactoring.
- Refactoring: [Fix](https://github.com/deckhouse/deckhouse/commit/6a9ad10b9584f55a8d04e0f2c5b0923770a6477b) custom resource definitions to be fully compatible with Kubernetes API style guide.
- Refactoring: [Update](https://github.com/deckhouse/deckhouse/commit/932d5b0da59a880e7108da467da08da3e011bd8d) `dhctl` configuration structs to use the v1 API version.
- Enhancement: [Switch](https://github.com/deckhouse/deckhouse/commit/4a825f23df30fe7f880e22f1a00acb92b4f65d15) to werf 1.2.
- Enhancement: [Bump](https://github.com/deckhouse/deckhouse/commit/24c9cd7a651fd63a1b2e2a584c85573291ca5dc5) trickster version to v1.1.5.
- Fix: [Move](https://github.com/deckhouse/deckhouse/commit/866dc30d3b68af3a165863eaba7ebb2f4b5f6084) http challenge solver image to one from the Deckhouse registry in cert-manager module.
- Improvements in the `dhctl` [1](https://github.com/deckhouse/deckhouse/commit/0e7211508392378d494ad1f741e2d67fc96efd4d), [2](https://github.com/deckhouse/deckhouse/commit/29b59eafb818b590b108021ae35144d34d7456cc).
- [Fix](https://github.com/deckhouse/deckhouse/commit/10e380a2c2f312066aac4611fa855453cd6d8af1) the control-plane/scheduler probe correctness in upmeter module.
- [Deferred object patcher](https://github.com/deckhouse/deckhouse/commit/85bdd9861fd7e0b8bdc8c6c55bdf82738e2ac7fd).
- Enhancement: Migrate [ingress-nginx](https://github.com/deckhouse/deckhouse/commit/a1377e9e03abf1de4b2ef869e40f66d107cb20aa), [node-manager](https://github.com/deckhouse/deckhouse/commit/6b344dc7421b08f11ff34715a47849d8903f2d5c), [cert-manager](https://github.com/deckhouse/deckhouse/commit/0ab8f66d3a831baa67c66d8363534543195df9f8), [monitoring-ping](https://github.com/deckhouse/deckhouse/commit/9a27be754add4350dee8a521502b3dd7a545f85c), [prometheus-pushgateway](https://github.com/deckhouse/deckhouse/commit/52130a4f34e09c4a3e619ffb572389572ba77e7d), [monitoring-applications](https://github.com/deckhouse/deckhouse/commit/b21111a84141f6d156b465b6878c421d6092c83b), [control-plane-manager](https://github.com/deckhouse/deckhouse/commit/73f3ef220dea11f5fa5c61e54684a604707d2329) and other modules hooks from bash to go.
- Refactoring: [Build](https://github.com/deckhouse/deckhouse/commit/c6686b6d43758e3a5a02a2d37d76ad03d55200a4) internal documentation according to an edition type (CE/EE/FE).
- Fix: [Prevent](https://github.com/deckhouse/deckhouse/commit/0420dfbeae0b53f4f26dffb36f0b3771a72b68cf) kubelet from binding to 0.0.0.0.
- Enhancement: [Remove](https://github.com/deckhouse/deckhouse/commit/5c6b355372b2ab6aebd22996949bae3fc0134f58) k8s bundles API. This completes bashible-api-server refactoring.
Ru

Все компоненты Deckhouse будут перезапущены во время обновления
Переход с Docker registry registry.flant.com на registry.deckhouse.io. Это обязательный шаг для публичного релиза Deckhouse. Исходный код опубликован на GitHub. Ваши приложения, запущенные в кластере, не будут затронуты во время обновления.
Ключевые компоненты, которые могут сказаться на работе команды разработки:
- API server
- Kube-controller-manager
- Kube-scheduler
- Grafana
- Prometheus
- Dashboard
- Dex
- OpenVPN
- Ingress nginx

Значительные изменения

[Обновление patch версии Kubernetes](https://github.com/deckhouse/deckhouse/commit/45666440b6ab6a521e9e7bc01914626bd2aa0a77)
Обновление Kubernetes с 1.19.10 до 1.19.13.

Обновление Kubernetes с 1.20.6 до 1.20.9.

Обновление Kubernetes с 1.21.0 до 1.21.3.

[Использование базовых образов](https://github.com/deckhouse/deckhouse/commit/b086cd6ad9d0a48f944b8e95778efa14be84c2b4) для всех компонентов
Ограниченное количество базовых образов используется для сборки конечных образов. Если необходимо использовать сторонний образ, то бинарный файл из этого образа копируется в базовый образ. Раннее сторонние образа копировались в Deckhouse registry и использовались в исходном виде. Для запуска практически всех приложений в кластере используется Alpine.

[Изменение размера дисков без отмонтирования](https://github.com/deckhouse/deckhouse/commit/1da83f5b66064b1b501a671931f2ab0def155b70) для vSphere Volumes
Миграция типов дисков с FCD (First Class Disk) на CNS (Cloud Native Storage). Тип диска CNS поддерживает изменение размера на лету, и vSphere API, который предоставляет CNS, гораздо более стабильный.

Улучшения Nginx Ingress Controller
[Использование](https://github.com/deckhouse/deckhouse/commit/7edf775be1716d4d6c57e88bad548f0ccc6b852f) Deployment для LoadBalancer и LoadBalancerWithProxyProtocol инлетов ingress controller’a. Это даёт возможность автоскейлинга ingress controller’ов. Минимум два пода запущены на каждом обсуживающем входящий трафик frontend узле. Это позволяет избежать обновления списка целевых узлов на облачных балансировщиках нагрузки при перекате ingress controller’ов.

[Исправлена](https://github.com/deckhouse/deckhouse/commit/5624e592fa8f5c03c0b46fdfc4c35ec6320c2d8c) проблема с получением 503 ошибок во время переката ingress controller’ов при использовании инлета HostWithFailover.

Новый модуль [log-shipper](https://github.com/deckhouse/deckhouse/commit/6da2ac9067c42406836fdd6f25d80324ffe4fb89)
Этот модуль позволяет агрегировать и отправлять логи из кластера в Elasticsearch, Loki или Logstash. Управление самим хранилищем (Elasticsearch или Loki) не входит в задачи этого модуля.