Name Modified Size
README.md 2026-05-19 14.6 kB
v1.3.4 source code.tar.gz 2026-05-19 5.2 MB
v1.3.4 source code.zip 2026-05-19 7.2 MB
openapi.json 2026-05-19 2.5 MB
cozypkg-checksums.txt 2026-05-19 564 Bytes
cozypkg-windows-arm64.tar.gz 2026-05-19 17.2 MB
cozypkg-darwin-amd64.tar.gz 2026-05-19 20.0 MB
cozypkg-darwin-arm64.tar.gz 2026-05-19 18.6 MB
cozypkg-linux-amd64.tar.gz 2026-05-19 19.0 MB
cozypkg-linux-arm64.tar.gz 2026-05-19 17.2 MB
cozypkg-windows-amd64.tar.gz 2026-05-19 19.1 MB
initramfs-metal-amd64.xz 2026-05-19 146.9 MB
kernel-amd64 2026-05-19 21.6 MB
nocloud-amd64.raw.xz 2026-05-19 335.7 MB
metal-amd64.raw.xz 2026-05-19 335.7 MB
metal-amd64.iso 2026-05-19 521.5 MB
cozystack-operator-hosted.yaml 2026-05-19 2.5 kB
cozystack-operator-generic.yaml 2026-05-19 2.6 kB
cozystack-operator-talos.yaml 2026-05-19 2.5 kB
cozystack-crds.yaml 2026-05-19 19.1 kB
Totals: 20 Items   1.5 GB 0

v1.3.4 (2026-05-19)

A patch release that wires OpenSearch into the PaaS bundle on 1.3 (so the operator and dashboard entry actually deploy when bundles.paas.enabled=true) and fixes a Harbor reconciliation regression that prevented the Harbor app from coming up cleanly when the COSI BucketAccess Secret had not been populated yet. Documentation and the bundled talm CLI also moved forward during this release window.

Features and Improvements

No notable user-facing features in this patch release.

Fixes

  • fix(platform,dashboard): wire OpenSearch into PaaS bundle and form overrides: OpenSearch has shipped as a complete package set on the 1.3 line — packages/apps/opensearch/, packages/system/opensearch-operator/, packages/system/opensearch-rd/, and the cozystack.opensearch-* PackageSources — but the PaaS bundle template never referenced the OpenSearch PackageSources. On any 1.3 cluster with bundles.paas.enabled=true, that meant opensearch-operator was never deployed (no OpenSearchCluster CRD on the cluster), the opensearch-rd release was never deployed (no ApplicationDefinition/opensearch), and the dashboard catalog had no OpenSearch entry — tenants could not create opensearches.apps.cozystack.io. Two changes ship here: (1) packages/core/platform/templates/bundles/paas.yaml now references cozystack.opensearch-operator and cozystack.opensearch-application, matching every other DB application; and (2) internal/controller/dashboard/customformsoverride.go (and its unit test) add OpenSearch to the StorageClass listInput override case, so the create-form storageClass field renders as a dropdown in the legacy openapi-ui dashboard that ships with 1.3. (The new cozystack-ui in 1.4 derives this widget client-side from the schema, so the form-override half is not needed on main — see counterpart [#2648].) (@myasnikovdaniil in [#2649]).

  • fix(harbor): drive bucket-secret.yaml from values, gate HelmRelease on BucketInfo: Previously the Harbor system chart rendered its *-registry-s3 Secret by calling lookup against the COSI BucketAccess credentials Secret. On the first reconcile that Secret does not yet exist, so the template crashed with index of untyped nil and Harbor never came up. The template is now driven by .Values.bucket.bucketInfo (a JSON string) with dig-based safe accessors, so a missing, empty, or partially-populated value renders nothing instead of erroring. The downstream <release>-system HelmRelease now sources BucketInfo through valuesFrom (valuesKey: BucketInfo, targetPath: bucket.bucketInfo) with the default optional: false, which tells helm-controller to refuse to compose values until the COSI BucketAccess controller has populated the Secret — both gating initial reconciliation and forcing a config-digest change (and thus a helm upgrade) once credentials arrive. This is the correct primitive here because Flux HelmRelease.dependsOn cannot reference COSI resources directly, and helm-controller's upgrade trigger is digest-based: a lookup returning new data on a later reconcile is not enough to force an upgrade on its own. The now-unused bucket.secretName value has been dropped from both the system chart's values.yaml default and the apps chart's values: block, and a new helm-unittest covers the unset / empty / empty-object / fully-populated render paths (@myasnikovdaniil in [#2528], backport [#2673]).
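
The failure and the fix described in the Harbor item above, reproduced with Go's text/template, the engine Helm templates run on. This is an added example, not code from the Cozystack charts: fromJSON and dig are simplified stand-ins for Helm's fromJson and Sprig's dig, and the two templates, the spec.secretS3.accessKeyID path and the EXAMPLEKEY value are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// fromJSON is a simplified stand-in for Helm's fromJson (this one drops the error).
func fromJSON(s string) (out map[string]any) {
	_ = json.Unmarshal([]byte(s), &out) // empty or invalid JSON leaves out nil
	return out
}

// dig is a minimal stand-in for Sprig's dig: dig "k1" "k2" default map.
func dig(args ...any) (any, error) {
	if len(args) < 3 {
		return nil, fmt.Errorf("dig: want keys, a default and a map")
	}
	def, cur := args[len(args)-2], args[len(args)-1]
	for _, k := range args[:len(args)-2] {
		m, _ := cur.(map[string]any) // a non-map yields a nil map, so the key misses
		if cur = m[fmt.Sprint(k)]; cur == nil {
			return def, nil // missing or null at any depth: fall back to the default
		}
	}
	return cur, nil
}

// Constructed templates; the spec.secretS3.accessKeyID path is an assumed sample.
const before = `accesskey: {{ index (index .lookup "data") "BucketInfo" }}`
const after = `{{ with dig "spec" "secretS3" "accessKeyID" "" (fromJson .Values.bucket.bucketInfo) }}accesskey: {{ . }}{{ end }}`

// render executes src against an empty lookup result (Secret absent) and bucketInfo.
func render(src, info string) (string, error) {
	data := map[string]any{"lookup": map[string]any{},
		"Values": map[string]any{"bucket": map[string]any{"bucketInfo": info}}}
	funcs := template.FuncMap{"fromJson": fromJSON, "dig": dig}
	var b bytes.Buffer
	err := template.Must(template.New("s").Funcs(funcs).Parse(src)).Execute(&b, data)
	return b.String(), err
}

func main() {
	fmt.Println(render(before, ""))
	fmt.Println(render(after, "{}"))
	fmt.Println(render(after, `{"spec":{"secretS3":{"accessKeyID":"EXAMPLEKEY"}}}`))
}
```

The safe accessor only stops the render from crashing; per the release note, it is the valuesFrom entry with optional: false that holds the HelmRelease back until the Secret exists and changes the values digest once credentials arrive.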

Documentation

  • [website] docs(platform): add guides related managed apps backups: Adds a tenant guide for application backup and recovery across managed Postgres, MariaDB, ClickHouse, and FoundationDB (one-off and scheduled backups, status, in-place or copy restores) and an administrator guide for configuring the backup framework via cluster BackupClass and driver strategies. The legacy chart-level backup values are marked deprecated with migration guidance (@androndo in cozystack/website#536).
  • [website] docs(virtualization): document vm-default-images as opt-in package: Adds a "Default Image Collection (opt-in package)" section to the Golden Images page documenting that vm-default-images is disabled by default, the ~320 GiB storage footprint of the default 16-image set, how to enable it via bundles.enabledPackages, and how to override storageClass or the images[] list through the cozystack.vm-default-images Package (@myasnikovdaniil in cozystack/website#538).
  • [website] docs(talm): init reference + operator extension points: Adds a full talm init reference page (flag matrix, encrypt/decrypt, key recovery hint, --cluster-endpoint) and documents the new operator extension points (extra* values keys) introduced in talm v0.30.0 (@lexfrei in cozystack/website#537).
  • [website] docs: lineage-controller-webhook configuration guide: Documents the lineage-controller-webhook component and how to configure it on a Cozystack cluster (@lllamnyp in cozystack/website#513).
  • [website] fix(docs): stop autoupdate PRs from rewriting source URLs every run: Pins the autoupdate doc generator so it no longer regenerates the same source URLs on every CI run, eliminating churn-only PRs against the docs site (@myasnikovdaniil in cozystack/website#516).
  • [website] docs(resource-management): instance-type resource presets: Adds a reference for instance-type resource presets (CPU, memory, ratio) used by managed workloads, with backticked values for clarity (@lexfrei in cozystack/website#535).
  • [website] docs: add platform licenses reference: Adds a licenses page listing all OSS components shipped with Cozystack, with logos and license metadata, surfaced as an OSS-card grid on the docs site (@tym83 in cozystack/website#530).
  • [website] docs(networking): clusterDomain is pinned on tenants, drop stale 0.7.0 references: Clarifies that clusterDomain is pinned on tenant clusters and removes outdated 0.7.0-era references (@lexfrei in cozystack/website#534).
  • [website] feat(seo): canonical, JSON-LD, sitemap directive, richer meta descriptions: Adds canonical link tags, JSON-LD schemas (including SoftwareApplication), a Sitemap directive in robots.txt, llms.txt, noindex for legacy doc versions, and richer per-page meta descriptions for keyword coverage in search and AI-search engines (@tym83 in cozystack/website#533).
  • [website] feat(docs): added guide about backup workloads from managed k8s: New how-to guide for backing up workloads running inside managed tenant Kubernetes clusters with the Velero addon, including SeaweedFS bucket setup and credential extraction (@androndo in cozystack/website#528).
  • [website] docs(networking): document publishing.proxyProtocol + ouroboros hairpin-NAT fix: Documents publishing.proxyProtocol and explains the ouroboros hairpin-NAT fix for in-cluster clients reaching their own public IPs (@lexfrei in cozystack/website#527).
  • [website] docs(storage): add LINSTOR GUI documentation: Documents the LINSTOR GUI bundled with Cozystack — how to access it and what it exposes (@myasnikovdaniil in cozystack/website#521).
  • [website] docs(virtualization): update vm-image guide for golden images / vm-default-images: Rewrites the VM image guide around the golden-image / vm-default-images workflow that ships in the v1.3 line (@myasnikovdaniil in cozystack/website#520).
  • [website] chore(ci): remove obsolete update-managed-apps cron workflow: Removes the obsolete update-managed-apps cron workflow from the docs site CI (@myasnikovdaniil in cozystack/website#519).
  • [website] fix(ci): skip prereleases when picking openapi.json release: The OpenAPI spec download step in the GitHub Pages build now skips prereleases so the docs site always picks up the latest stable openapi.json (@myasnikovdaniil in cozystack/website#515).
  • [website] fix: refresh OSS health snapshots monthly: Keeps the OSS Health page's telemetry snapshot stable by refreshing it on a monthly cadence rather than on every build (@tym83 in cozystack/website#531).

Other repositories

  • [talm] v0.25.1 → v0.30.0: Significant talm development in this window. Major user-visible changes:
    • Breaking — -n shorthand for --nodes dropped (talm v0.28.0, #197): the long form --nodes <IP> is unchanged, but -n IP no longer works. The shorthand was silently absorbing -n <value> typed after a wrapped talosctl subcommand (e.g. talm get hostnames -n network parsed network as an additional node and failed inside the gRPC resolver with "produced zero addresses"); operators with kubectl -n <ns> muscle memory now get a clean flag -n not defined from cobra instead. Update scripts and docs accordingly (@lexfrei in cozystack/talm#197).
    • Behaviour change — talm init refuses inside an existing project (talm v0.27.0, #161): pass --root . to create a sub-project under the current directory anyway, or run from the ancestor root to re-init it. --root <path> on subcommands (apply, template, talosconfig, kubeconfig, rotate-ca) now also correctly opts out of the implicit CWD walk-up — previously the flag was silently ignored on subcommands (@lexfrei in cozystack/talm#161).
    • Apply-time safety gates (talm v0.28.0, #173, #200): talm apply now refuses to apply if declared resources don't exist on the node, and previews/verifies drift before mutating state. Follow-ups (#189, #190, #191, #192) round out the UX. The first -f file anchors the project root and later -f files are treated as patches (@lexfrei in cozystack/talm#173, #200).
    • talm reset preserves META by default (talm v0.28.0, #185): operators no longer wipe Talos META during a reset unless they explicitly opt in (@lexfrei in cozystack/talm#185).
    • talm upgrade now sources the image from values.yaml, not the rendered node body, and point-patches install.image after a successful upgrade so the next render matches reality (talm v0.29.0 and v0.30.0, #204, #211). Fixes drift between what was upgraded to and what subsequent renders would produce (@lexfrei in cozystack/talm#204, #211).
    • VIP / floatingIP correctness (talm v0.27.0–v0.28.x, #163, #145, #147, #201): VIP is now pinned to a subnet-matching link (longest-prefix match) instead of the default-route link, IPv6 Hetzner topologies are pinned, empty bond configs are skipped, malformed CIDRs are filtered, and the v1.12 multi-doc network renderer was rewritten for full link coverage. --endpoints is honored in both init and the talosconfig regenerate flow (#202).
    • Reliability (talm v0.27.0): RotateKeys is now atomic — backup-and-restore on any phase failure, no partial state on disk (#159). talm init is all-or-nothing: every destination is pre-checked before the first write, so a Chart.yaml conflict no longer leaves talosconfig / talm.key / secrets.encrypted.yaml stranded. Encryption helpers write secrets.yaml and encrypted output with mode 0600. IPv6 endpoint normalisation preserves brackets.
    • Engine (#139, #146): talm apply is now idempotent for object-array and merge:replace fields, and $patch:delete on absent paths is a no-op instead of an error.
    • Operator extension points + presets (talm v0.30.0, #211): exposes Talos operator extension points (extra* values keys) in the cozystack and generic presets, allowing operators to extend node configs without forking the chart (@lexfrei in cozystack/talm#211).
    • talm dmesg retired (talm v0.29.0, #207): retired ahead of the upstream removal; operators are redirected to talm logs kernel (@lexfrei in cozystack/talm#207).
    • UX hardening (talm v0.28.0, #197): persistent flags reworked, crashdump and kubeconfig hints on failure, dmesg cushion, TUI refusal in non-interactive contexts, rich shell autocompletion for presets, modes, files, and talosconfig (#204), and --set warns when the value looks like a bare IP that should have been --set-string.
    • Other (#148): the cluster name can now be overridden via chart values (@dislogical in cozystack/talm#148).

Contributors

Thanks to everyone who contributed to this patch release:


Full Changelog: https://github.com/cozystack/cozystack/compare/v1.3.3...v1.3.4


Source: README.md, updated 2026-05-19