Download Latest Version metal-amd64.iso (540.4 MB)
Email in envelope

Get an email when there's a new version of cozystack

Home / v1.5.2
Name Modified Size InfoDownloads / Week
Parent folder
README.md 2026-07-03 11.9 kB
v1.5.2 source code.tar.gz 2026-07-03 6.6 MB
v1.5.2 source code.zip 2026-07-03 9.0 MB
openapi.json 2026-07-03 2.6 MB
cozypkg-checksums.txt 2026-07-03 564 Bytes
cozypkg-windows-arm64.tar.gz 2026-07-03 22.9 MB
cozypkg-darwin-amd64.tar.gz 2026-07-03 26.7 MB
cozypkg-darwin-arm64.tar.gz 2026-07-03 24.8 MB
cozypkg-linux-amd64.tar.gz 2026-07-03 25.4 MB
cozypkg-linux-arm64.tar.gz 2026-07-03 22.9 MB
cozypkg-windows-amd64.tar.gz 2026-07-03 25.6 MB
initramfs-metal-amd64.xz 2026-07-03 154.4 MB
kernel-amd64 2026-07-03 20.4 MB
nocloud-amd64.raw.xz 2026-07-03 347.5 MB
metal-amd64.raw.xz 2026-07-03 347.5 MB
metal-amd64.iso 2026-07-03 540.4 MB
cozystack-operator-hosted.yaml 2026-07-03 2.5 kB
cozystack-operator-generic.yaml 2026-07-03 2.6 kB
cozystack-operator-talos.yaml 2026-07-03 2.6 kB
cozystack-crds.yaml 2026-07-03 20.0 kB
Totals: 20 Items   1.6 GB 2

v1.5.2 (2026-07-03)

A patch release with ten bug fixes covering managed Kubernetes, MariaDB, Kafka, Harbor, SeaweedFS, VictoriaMetrics-operator dependency gating, Kamaji, and platform install ordering, plus new documentation and a talm update adding encrypted user values.

Fixes

  • fix(kamaji): backport datastore unused-deletion deadlock fix: Deleting a Tenant whose etcd DataStore had no more referencing TenantControlPlanes left the DataStore stuck Terminating (blocked by the kamaji.clastix.io/TenantControlPlane finalizer), hanging the etcd Helm uninstall and wedging the tenant namespace. Backports the upstream fix (clastix/kamaji#1122, fixing clastix/kamaji#1115) as a source patch on the pinned kamaji build, so deleting the last control plane on a DataStore now cleans up correctly (@myasnikovdaniil in [#3146], backport [#3187]).

  • fix(kubernetes): gate vmop cert-manager-crds dependency on certManager.enabled: The victoria-metrics-operator HelmRelease listed cert-manager-crds in dependsOn unconditionally, even though that HelmRelease is only created when certManager.enabled is true. Clusters running monitoringAgents.enabled=true with certManager.enabled=false had victoria-metrics-operator permanently blocked on a dependency that would never exist, cascading to monitoring-agents and vertical-pod-autoscaler never becoming ready. The dependency is now gated on the same condition that creates it (@myasnikovdaniil in [#3130], backport [#3185]).

  • fix(tenant): gate VM-resource HelmReleases on victoria-metrics-operator readiness: The tenant etcd, ingress, and monitoring HelmReleases create VictoriaMetrics-operator custom resources guarded by a validating webhook with failurePolicy: Fail. On a cold install the operator pod could be briefly unavailable, so these releases would reconcile before the webhook was serving and fail with "connection refused" — the failed-install/rollback/retry churn could then outlast the install-readiness deadline and surface as a spurious failure. These releases now dependsOn the victoria-metrics-operator HelmRelease so they wait for it to become Ready first, eliminating the race on fresh installs (@lexfrei in [#3141], backport [#3166]).

  • fix(mariadb): re-guard replication so single-replica passes the operator webhook: A prior change made replication.enabled: true unconditional so the operator would always create -primary/-secondary services, but the mariadb-operator validating webhook rejects replication when spec.replicas == 1, so single-replica MariaDB instances could no longer be created — the HelmRelease never became Ready. Replication is now re-guarded on replicas > 1; single-replica installs keep external access via a LoadBalancer service on the bare release name, and backups, RBAC, and dashboards are updated to recognize both topologies (@scooby87 in [#3180], backport [#3183]).

  • fix(kubernetes): make node group resources optional when instanceType is set: A managed-Kubernetes node group sized purely by instanceType (with resources omitted) failed values.schema.json validation because resources was required on every node group. resources is now optional: a node group sized purely by instanceType passes validation and installs, while a node group setting both instanceType and explicit resources has the explicit resources take precedence, so KubeVirt does not reject a VM referencing an instancetype while overriding domain.cpu/memory (@lexfrei in [#3121], backport [#3156]).

  • fix(seaweedfs): enforce read-only bucket access by bumping cosi-driver to v0.3.1: The bundled SeaweedFS COSI driver (v0.1.2) hardcoded read-write S3 permissions for every BucketAccess and ignored the chart's -readonly BucketAccessClass, so credentials meant to be read-only could still upload and delete objects. Bumping the driver to v0.3.1 makes it honor accessPolicy: readonly and issue Read/List-only credentials, closing the privilege gap for tenants relying on read-only bucket access (@lexfrei in [#3136], backport [#3153]).

  • fix(platform): order backupstrategy-controller after cozystack-basics: backupstrategy-controller creates the cozy-backups Bucket in the tenant-root namespace, which cozystack-basics provisions. On a fresh install the Bucket could race namespace creation and fail with namespaces "tenant-root" not found, which then raced the install-wait deadline and failed unrelated fresh installs. A dependsOn edge on cozystack-basics now guarantees the target namespace exists first (@lexfrei in [#3037], backport [#3079]).

  • fix(kafka): set entity-operator resources to avoid OOM under tenant LimitRange: Kafka's entityOperator topic-operator and user-operator containers carried no resource requests/limits, so in tenant namespaces — where the default LimitRange caps containers at 128Mi — the JVM processes were OOMKilled on startup. The entity-operator stayed in CrashLoopBackOff, KafkaTopic/KafkaUser objects never reconciled, and topics could get stuck on the strimzi.io/topic-operator finalizer during teardown. Explicit 256Mi/512Mi requests/limits are now set so the operators no longer inherit the namespace default (@myasnikovdaniil in [#2934], backport [#3054]).

  • fix(harbor): preserve jobservice and trivy storageClass on upgrade: The cozy-harbor wrapper never forwarded storageClass to the jobservice jobLog PVC, so it was created without a storageClassName and picked up the cluster default via default-StorageClass admission — and because PVC storageClassName is immutable, this produced rendered-vs-live drift on every upgrade. The Trivy StatefulSet's volume claim template had the same latent issue. Both now preserve an existing PVC's class via lookup and fall back to the configured storageClass for fresh installs (@myasnikovdaniil in [#2930], backport [#3147]).

  • fix(seaweedfs): point S3 consumers at the reachable S3 service: Renaming the SeaweedFS S3 Service to <name>-s3 left several consumers — the S3 ingress backend, the iceberg ingress backend, and the in-cluster COSI provisioner endpoint — still resolving the old <fullname>-s3 name or the wrong port, so the external S3 endpoint returned 503 via ingress-nginx and in-cluster COSI paths defaulted to port 443 (or the filer service, which serves no S3) instead of the real S3 service on port 8333. All consumers now resolve seaweedfs-s3 on the correct port (@lexfrei in [#3119], backport [#3127]).

Other repositories

talm v0.32.0

  • [talm] feat: first-class encrypted user values, honored at template and apply: Adds support for encrypted user secret values (a registry password, a KMS plugin's secret-id, etc.) that chart templates consume — encrypted at rest in git with the existing talm.key, decrypted in memory only at render time, and kept out of committed node files and terminal output. A value file named *.encrypted.yaml referenced from templateOptions.valueFiles is age-decrypted in memory at both talm template and talm apply; talm init --encrypt/--decrypt covers values-secret.yamlvalues-secret.encrypted.yaml. talm apply now also honors the full value-source flag set and Chart.yaml's templateOptions, and secret-bearing fields are redacted by default from rendered node files, stdout, and the apply drift preview, with --show-secrets/--show-secrets-in-drift to reveal them on demand (@lexfrei in cozystack/talm#222).

Documentation

  • [website] docs(operations): add containerized GPU workloads guide: Publishes a new operations guide for the container variant of cozystack.gpu-operator, covering containerized GPU workloads (CUDA pods, ML training, inference) on GPU nodes that already ship the NVIDIA driver and nvidia-container-toolkit via the distro package manager (@lexfrei in cozystack/website#555).

  • [website] docs(talos): warn against changing op: on the machine files block: Adds a warning next to the Talos machine.files block in the bare-metal bootstrap docs, explaining that Talos rejects op: create for files outside /var, so the /etc/lvm/lvm.conf entry must keep op: overwrite — changing it silently fails the WriteUserFiles boot step and reboot-loops the node with only the opaque bootstrap is not available yet error (@lexfrei in cozystack/website#575).

  • [website] docs(talm): document chart drift detection and strict mode: Documents the chart drift detection shipping with talm (cozystack/talm#216) — the library-content and preset-baseline drift warnings, the .talm-preset.lock file and the advice to commit it, talm init --update re-sync semantics, and the strictCharts: true/--strict-charts escalation with its unverifiable-baseline behavior (@lexfrei in cozystack/website#577).

  • [website] docs(platform): document publishing.certificates wildcard options: Documents two previously-undocumented publishing.certificates.* platform-package options, including the opt-in wildcard mode that issues one shared *.<root-host> certificate via a DNS-01 solver instead of a per-host ACME certificate, helping operators avoid Let's Encrypt rate limits at scale (@lexfrei in cozystack/website#588).

  • [website] fix(docs): correct stale version pins and prevent next.yaml drift: The version-pin data file for the v1.5 docs was a stale copy of next.yaml, so every {{< version-pin >}} on the v1.5 docs — including the go get example and roughly 40 install-doc references — rendered Cozystack v1.3.0/Talos v1.12.6 instead of the correct v1.5.0/v1.13.0. The version pins are corrected and the release script is hardened so next.yaml cannot drift stale again (@myasnikovdaniil in cozystack/website#589).

  • [website] feat(blog): add Cozystack v1.5.0 release announcement: Publishes the release-announcement blog post for Cozystack v1.5.0, covering Gateway API via Cilium, TLS for managed databases and messaging, out-of-the-box backups with a platform-managed BackupClass, Flux v2.8, flux-shard-operator, operator-provided wildcard certificates, GPU passthrough, deletion protection, and runtime-populated dashboard docs (@tym83 in cozystack/website#592).

Contributors

Thanks to everyone who contributed to this patch release:

Full Changelog: https://github.com/cozystack/cozystack/compare/v1.5.1...v1.5.2

Download cozystack

Source: README.md, updated 2026-07-03