Name Modified Size
README.md 2026-06-11 9.4 kB
v1.4.3 source code.tar.gz 2026-06-11 5.7 MB
v1.4.3 source code.zip 2026-06-11 7.8 MB
openapi.json 2026-06-11 2.5 MB
cozypkg-checksums.txt 2026-06-11 564 Bytes
cozypkg-windows-arm64.tar.gz 2026-06-11 22.9 MB
cozypkg-darwin-amd64.tar.gz 2026-06-11 26.7 MB
cozypkg-darwin-arm64.tar.gz 2026-06-11 24.7 MB
cozypkg-linux-amd64.tar.gz 2026-06-11 25.4 MB
cozypkg-linux-arm64.tar.gz 2026-06-11 22.9 MB
cozypkg-windows-amd64.tar.gz 2026-06-11 25.6 MB
initramfs-metal-amd64.xz 2026-06-11 154.4 MB
kernel-amd64 2026-06-11 20.4 MB
nocloud-amd64.raw.xz 2026-06-11 347.5 MB
metal-amd64.raw.xz 2026-06-11 347.5 MB
metal-amd64.iso 2026-06-11 540.4 MB
cozystack-operator-hosted.yaml 2026-06-11 2.5 kB
cozystack-operator-generic.yaml 2026-06-11 2.6 kB
cozystack-operator-talos.yaml 2026-06-11 2.6 kB
cozystack-crds.yaml 2026-06-11 20.0 kB
Totals: 20 Items, 1.6 GB

v1.4.3 (2026-06-10)

A patch release shipping five bug fixes for the dashboard, API server, networking, object storage, and managed Kubernetes, along with a seaweedfs-cosi-driver update, an ouroboros v0.8.0 upgrade, two ansible-cozystack improvements, and a batch of new documentation.

Features and Improvements

  • feat(ouroboros): bump to v0.8.0: Upgrades the ouroboros proxy to v0.8.0, which now logs an explicit reason when its TCP backend readiness check fails — making stuck-proxy situations immediately diagnosable instead of silently NotReady. The upgrade also migrates the kubectl sidecar image from Docker Hub to mirror.gcr.io, avoiding anonymous pull rate-limits on shared CI/runner IPs (@lexfrei in [#2807], backport [#2835]).

  • [ansible-cozystack] feat(prepare): exclude loop and virtual devices from host LVM scanning: Sets an LVM global_filter in /etc/lvm/lvm.conf on all prepare playbooks (Ubuntu, RHEL, SUSE) so the host LVM does not scan or activate DRBD, device-mapper, zd-device, or loop-backed volume groups — preventing unintended VG activation of LINSTOR/DRBD volumes or loop-mounted images. The filter is exposed as the cozystack_lvm_global_filter inventory variable for clusters whose own PVs live on device-mapper (LVM-on-LUKS, multipath), and its effectiveness is verified via lvmconfig immediately after writing (@kvaps in cozystack/ansible-cozystack#49).

  • [ansible-cozystack] fix(prepare): enable containerd device_ownership_from_security_context for CDI block imports: Adds a k3s containerd drop-in config enabling device_ownership_from_security_context on the CRI plugin across all prepare playbooks. Without this setting k3s ships the option disabled, so the KubeVirt CDI importer fails with "cannot open /dev/cdi-block-volume: Permission denied" when writing VM disk images into raw block volumes, causing DataVolume to hang in ImportInProgress and VMs to stay Pending (@lexfrei in cozystack/ansible-cozystack#48).

Fixes

  • fix(dashboard): grant tenant dashboard read on cozy-public PVCs: The VM disk source-image dropdown in the console was returning 403 and staying empty even when golden images existed in the cozy-public namespace. The cozy:tenant:dashboard Role only granted read on Flux HelmRepositories and HelmCharts; get/list/watch on PersistentVolumeClaims has been added so tenant identities can list the vm-default-images-* PVCs (@myasnikovdaniil in [#2843], backport [#2858]).

  • fix(api): emit initial-events-end bookmark for core.cozystack.io watches: The TenantSecret, TenantModule, and TenantNamespace aggregated API resources never sent the k8s.io/initial-events-end bookmark required by the WatchList / streaming-list protocol. Client-go informers using WatchListClient (on by default since v1.35) never reached HasSynced and logged "hasn't received required bookmark event marking the end of initial events stream" every ~10 seconds. The bookmark is now emitted after initial ADDED events, matching the behaviour apps.cozystack.io/Application already implemented (@sunib in [#2786], backport [#2844]).

  • fix(networking): point host ouroboros proxy at the root-tenant ingress: When publishing.proxyProtocol was enabled, the host-level ouroboros proxy inherited the wrapper chart's default backend (ingress-nginx-controller.cozy-ingress-nginx), a FQDN that describes a managed Kubernetes tenant cluster. On the host, ingress-nginx is deployed by extra/ingress as root-ingress-controller in tenant-root, so the composed FQDN never resolved and the proxy never became Ready. The host ouroboros Package is now emitted with a proxy.target override derived from publishing.ingressName (@lexfrei in [#2800], backport [#2846]).

  • fix(objectstorage-controller): propagate Bucket readiness to BucketClaim: The vendored COSI controller (v0.2.2) hardcoded bucketReady=false after dynamic provisioning and never re-read the Bucket to pick up the true transition, so BucketAccess was never granted and provisioned buckets ended up without credentials. The controller now re-reads the live Bucket after create and propagates its readiness, converging BucketClaim to ready on the next resync (@lexfrei in [#2792], backport [#2828]).

  • fix(kubernetes): stamp application lineage labels on worker node VMs: Worker-node VMs of a tenant Kubernetes cluster are created by Cluster API and the KubeVirt provider, so their virt-launcher pods were never stamped with the apps.cozystack.io/application.{group,kind,name} lineage labels, preventing the dashboard from attributing those pods to their owning Kubernetes application. The labels are now applied to the KubevirtMachineTemplate worker VM template. A companion fix also quotes application.name so a purely-numeric cluster name renders as a YAML string rather than an integer, which would fail label-value validation (@kvaps in [#2779], backport [#2790]).

Dependencies

  • chore(seaweedfs): bump seaweedfs-cosi-driver to v0.3.1: v0.3.1 ships a stale-socket self-heal: the COSI driver now removes any leftover UNIX socket before binding, so the objectstorage provisioner recovers automatically from CrashLoopBackOff after a non-graceful exit (SIGKILL, OOM, or panic) instead of wedging on "bind: address already in use" (@lexfrei in [#2791], backport [#2827]).
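
The stale-socket recovery described above, as an added Go example that is not the driver's own code: it leaves a socket file behind the way a SIGKILL or OOM kill would, shows the plain bind failing with "address already in use", and then binds after removing the leftover. The names `listenUnixSelfHeal`, `staleSocketDemo` and `cosi.sock` are hypothetical, and the refusal to delete a non-socket path is a safeguard assumed here, not something the page attributes to the driver.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// listenUnixSelfHeal removes a leftover socket, then binds; non-sockets are never deleted (assumed safeguard).
func listenUnixSelfHeal(path string) (net.Listener, error) {
	fi, err := os.Lstat(path)
	switch {
	case err == nil && fi.Mode()&os.ModeSocket == 0:
		return nil, fmt.Errorf("%s is not a socket, refusing to remove it", path)
	case err == nil:
		if err := os.Remove(path); err != nil {
			return nil, err
		}
	case !errors.Is(err, os.ErrNotExist):
		return nil, err
	}
	return net.Listen("unix", path)
}

// staleSocketDemo returns the error from a plain bind and from the self-heal bind on a stale socket.
func staleSocketDemo(path string) (plainErr, healErr error) {
	old, err := net.Listen("unix", path)
	if err != nil {
		return err, err
	}
	old.(*net.UnixListener).SetUnlinkOnClose(false) // keep the file, as a crash would
	old.Close()
	_, plainErr = net.Listen("unix", path) // no cleanup first: expected to fail
	l, healErr := listenUnixSelfHeal(path)
	if healErr == nil {
		l.Close()
	}
	return plainErr, healErr
}

func main() {
	dir, _ := os.MkdirTemp("", "cosi")
	defer os.RemoveAll(dir)
	plainErr, healErr := staleSocketDemo(filepath.Join(dir, "cosi.sock")) // hypothetical socket name
	fmt.Println("plain bind EADDRINUSE:", errors.Is(plainErr, syscall.EADDRINUSE), "| self-heal error:", healErr)
}
```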

Development, Testing, and CI/CD

  • ci(release): repair orphaned draft tag_name on retag: When the git tag was deleted and re-created between draft creation and merge, GitHub orphaned the draft release by setting tag_name to "untagged-<hash>" while preserving the human-readable name. The finalize step looked up the draft by tag_name and threw "Draft release for <tag> not found", blocking the release. The workflow now detects the orphaned form, falls back to matching by name, repairs tag_name via updateRelease, and then publishes (@myasnikovdaniil in [#2761], backport [#2829]).

Documentation

  • docs(ingress): explain how ingress works in the platform: Adds a "How ingress works" overview section to the ingress package README (rendered at /docs/v1.4/operations/services/ingress/), covering per-tenant ingress-nginx controllers, the per-namespace IngressClass model, cross-tenant sharing via namespace.cozystack.io/ingress, TLS via cert-manager issuers, and the whitelist/cloudflareProxy access-control options (@myasnikovdaniil in [#2770]).

  • [website] docs(networking): publish Kubernetes API endpoint via external-dns with kuberture: Documents how to expose the managed Kubernetes API endpoint through external-dns using the kuberture system package, including configuration examples (@lexfrei in cozystack/website#539).

  • [website] docs: exclude loop devices from LVM global_filter: Adds documentation explaining the LVM global_filter requirement for hosts running Cozystack on bare metal, preventing unintended activation of DRBD/loop-backed volume groups (@kvaps in cozystack/website#563).

  • [website] feat(blog): add Managed Kubernetes how-to post: Publishes a practical how-to blog post covering how to deploy and use managed Kubernetes clusters within Cozystack (@tym83 in cozystack/website#565).

  • [website] feat(blog): add platform-managed backups introduction post: Publishes a blog post introducing Cozystack's platform-managed backup capabilities for stateful workloads (@tym83 in cozystack/website#566).

  • [website] docs(talm): document DRBD sysctl tuning, keepalive toggle, etcd quota: Adds documentation for talm covering DRBD sysctl performance tuning, the DRBD keepalive toggle, and the etcd quota configuration (@lexfrei in cozystack/website#567).

Contributors

Thanks to everyone who contributed to this patch release:

New Contributors

We're excited to welcome our first-time contributors:

  • @sunib - First contribution!

Full Changelog: https://github.com/cozystack/cozystack/compare/v1.4.2...v1.4.3

Source: README.md, updated 2026-06-11