Name Modified Size Downloads / Week
README.md 2026-04-29 4.8 kB
v1.3.1 source code.tar.gz 2026-04-29 5.2 MB
v1.3.1 source code.zip 2026-04-29 7.1 MB
openapi.json 2026-04-29 2.5 MB
cozypkg-checksums.txt 2026-04-29 564 Bytes
cozypkg-windows-arm64.tar.gz 2026-04-29 17.2 MB
cozypkg-darwin-amd64.tar.gz 2026-04-29 20.0 MB
cozypkg-linux-amd64.tar.gz 2026-04-29 19.0 MB
cozypkg-linux-arm64.tar.gz 2026-04-29 17.2 MB
cozypkg-windows-amd64.tar.gz 2026-04-29 19.1 MB
cozypkg-darwin-arm64.tar.gz 2026-04-29 18.6 MB
initramfs-metal-amd64.xz 2026-04-29 146.7 MB
kernel-amd64 2026-04-29 21.6 MB
nocloud-amd64.raw.xz 2026-04-29 335.4 MB
metal-amd64.raw.xz 2026-04-29 335.4 MB
metal-amd64.iso 2026-04-29 521.5 MB
cozystack-operator-hosted.yaml 2026-04-29 2.5 kB
cozystack-operator-generic.yaml 2026-04-29 2.6 kB
cozystack-operator-talos.yaml 2026-04-29 2.5 kB
cozystack-crds.yaml 2026-04-29 19.1 kB
Totals: 20 Items   1.5 GB 1

v1.3.1 (2026-04-28)

Patch release covering a TenantNamespace IDOR fix in the API, a destructive post-upgrade hook removed from the etcd chart, kamaji controller stability, a linstor-csi bump that fixes live migration on Protocol-A/B DRBD resources, the missing linstor-gui build wiring, and a velero RBAC fix that unblocked installs on bundles without Velero.

Security

  • fix(api): prevent IDOR in TenantNamespace Get and Watch handlers: Two IDOR (Insecure Direct Object Reference) vulnerabilities allowed authenticated users to read TenantNamespace metadata they had no RoleBinding for. The Get and Watch handlers now go through a new hasAccessToNamespace() helper that lists RoleBindings scoped only to the target namespace (orders of magnitude faster than the previous all-cluster scan), returns NotFound instead of leaking existence on unauthorized access, and applies the same check on the Watch filter path. Includes regression tests for the unauthorized paths. (@IvanHunters in [#2471], backport [#2524])
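
The access pattern this fix describes, as an added Go example that is not cozystack's code: a namespace-scoped RoleBinding lookup, one NotFound answer for both missing and unauthorized namespaces, and the same check on the watch path. The types Subject, Caller and Store, the methods Get and FilterWatch, and the sample data are assumptions; hasAccessToNamespace reuses the name from the note but is an in-memory stand-in.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed stand-ins for Kubernetes RBAC objects; not cozystack's own types.
type Subject struct{ Kind, Name string } // e.g. {"User", "bob"}
type Caller map[Subject]bool             // identities the request authenticated as

var ErrNotFound = errors.New("tenantnamespace not found")
// Store keys RoleBinding subjects by namespace: checks never scan the cluster.
type Store struct{ Bindings map[string][]Subject }

// hasAccessToNamespace here is an in-memory stand-in for the helper the note names.
func (s *Store) hasAccessToNamespace(c Caller, ns string) bool {
	for _, sub := range s.Bindings[ns] {
		if c[sub] {
			return true
		}
	}
	return false
}

// Get returns one error for both missing and unauthorized: no existence leak.
func (s *Store) Get(c Caller, ns string) (string, error) {
	if !s.hasAccessToNamespace(c, ns) {
		return "", ErrNotFound
	}
	return ns, nil
}

// FilterWatch applies the same check to every event on the watch path.
func (s *Store) FilterWatch(c Caller, events []string) (visible []string) {
	for _, ns := range events {
		if s.hasAccessToNamespace(c, ns) {
			visible = append(visible, ns)
		}
	}
	return visible
}

func main() { // constructed sample data: bob is bound in tenant-b only
	s := &Store{map[string][]Subject{"tenant-a": {{"User", "alice"}}, "tenant-b": {{"Group", "team-b"}}}}
	bob := Caller{{"User", "bob"}: true, {"Group", "team-b"}: true}
	_, err := s.Get(bob, "tenant-a")
	fmt.Println(err, s.FilterWatch(bob, []string{"tenant-a", "tenant-b"}))
}
```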

Features

  • feat(linstor): bump linstor-csi to v1.10.6 with Protocol-C dual-attach fix: Live migration of KubeVirt VMs on Protocol-A/B (async) DRBD volumes no longer fails with "Protocol C required". linstor-csi v1.10.6 now installs a Protocol=C override on the resource-definition during dual-attach and reverts it on detach, so replicated-async StorageClasses and other Protocol-A/B resource groups support live migration without manual drbdadm adjust intervention. (@kvaps in [#2496], backport [#2505])

Fixes

  • fix(backups): move velero-configmap Role to velero chart: The backupstrategy-controller (a default package) declared a Role/RoleBinding scoped to the cozy-velero namespace for managing ResourceModifier ConfigMaps. On bundles where Velero was not enabled, that namespace did not exist and the HelmRelease failed with namespaces "cozy-velero" not found, blocking installation. The Role/RoleBinding now lives in the velero chart, so it is created only when velero is actually deployed. (@myasnikovdaniil in [#2459], backport [#2467])

  • fix(etcd): remove destructive post-upgrade cert-regeneration hook: The etcd chart ran a post-upgrade Helm hook on every upgrade that deleted etcd TLS Secrets (etcd-ca-tls, etcd-peer-ca-tls, etcd-client-tls, etcd-peer-tls, etcd-server-tls) and then deleted etcd pods, forcing cert-manager to re-issue the entire etcd CA chain. On clusters with Kamaji-managed tenant control planes this put every tenant kube-apiserver into CrashLoopBackOff until each DataStore was manually re-reconciled. The hook was a one-shot 2.6.0 → 2.6.1 migration that became a permanent footgun once chart versioning moved to 0.0.0+<git-hash> (always < 2.6.1 per semver) and after the underlying rotationPolicy: Always issue was fixed in 47d81f70. The hook is now removed entirely. (@myasnikovdaniil in [#2462], backport [#2511])

  • fix(kamaji): increase memory limits and add startup probe: The kamaji controller frequently entered CrashLoopBackOff due to OOMKills (exit 137) within ~20–25 seconds of startup, with the readiness probe failing while the controller was still finishing initialization. Memory limit raised from 500Mi to 512Mi, request from 100Mi to 256Mi, and a 60-second startup probe (12 attempts × 5s periods) is added so the controller has room to boot before liveness/readiness probes engage. (@IvanHunters in [#2421], backport [#2491])

Build

  • build(linstor): include linstor-gui in root image build target: The linstor-gui package (added in [#2382]) was never wired into the root Makefile's build: target, so CI never built or published the image. ghcr.io/cozystack/cozystack/linstor-gui returned NAME_UNKNOWN and values.yaml stayed pinned to tag: 2.3.0 without a digest. The missing build line is added so the next CI run publishes the image and the per-package Makefile digest-pins values.yaml automatically. (@myasnikovdaniil in [#2498], backport [#2518])

Contributors

Thanks to everyone who contributed to this patch release:

Full Changelog: https://github.com/cozystack/cozystack/compare/v1.3.0...v1.3.1

Source: README.md, updated 2026-04-29