Staging 0.50.1

bin/update-ips.bash

@@ -521,7 +521,9 @@ allow_subnet() {
 
   # Allowing the subnet is currently only supported for clusters setup with
   # CAPI on OpenStack. Fallback on allowing individual nodes otherwise.
-  if [ "$(yq_read "${cluster}" '.global.ck8sK8sInstaller' "")" != "capi" ] || [ "$(yq_read "${cluster}" '.global.ck8sCloudProvider' "")" != "openstack" ]; then
+  if [ "$(yq_read "${cluster}" '.global.ck8sK8sInstaller' "")" != "capi" ] ||
+    { [ "$(yq_read "${cluster}" '.global.ck8sCloudProvider' "")" != "openstack" ] &&
+      [ "$(yq_read "${cluster}" '.global.ck8sCloudProvider' "")" != "elastx" ]; }; then
     allow_nodes "${cluster}" "${config_option}" "${label}"
     return
   fi

changelog/0.50.md

@@ -76,3 +76,20 @@ Released 2025-10-23
 - [9e6247a](https://github.com/elastisys/compliantkubernetes-apps/pull/2814/commits/9e6247a5b87a977885b5ec6b26bb3bc61cb9b0ca) - test: Add wait for subnamespace to mitigate occasional failures of kubectl wait for namespace [@andremarklund-elastisys](https://github.com/andrema1rklund-elastisys)
 - [#2858](https://github.com/elastisys/compliantkubernetes-apps/pull/2858) - apps wc: move user alertmanager secret to created with install hook [@viktor-f](https://github.com/viktor-f)
 - [3eddee2b](https://github.com/elastisys/compliantkubernetes-apps/pull/2814/commits/3eddee2b81a288060bdb254f32f7f596e7916430) - deploy: fixed ingress-nginx netpol when not using hostnetwork [@lucianvlad](https://github.com/lucianvlad)
+
+## v0.50.1
+
+Released 2025-12-17
+
+## Changes by kind
+
+### Improvement(s)
+
+- [#2885](https://github.com/elastisys/compliantkubernetes-apps/pull/2885) - chore: bump rclone to v1.72.0 [@rarescosma](https://github.com/rarescosma)
+- [#2888](https://github.com/elastisys/compliantkubernetes-apps/pull/2888) - apps: remove denial logging from node-local-dns, due to spamming [@viktor-f](https://github.com/viktor-f)
+- [#2892](https://github.com/elastisys/compliantkubernetes-apps/pull/2892) - OpenSearch top_queries index improvements [@lunkan93](https://github.com/lunkan93)
+
+### Other(s)
+
+- [#2884](https://github.com/elastisys/compliantkubernetes-apps/pull/2884) - bug: apps: fix velero snapshots [@Eliastisys](https://github.com/Eliastisys)
+- [#2895](https://github.com/elastisys/compliantkubernetes-apps/pull/2895) - bug: fixes for upcoming patch release [@rarescosma](https://github.com/rarescosma)

helmfile.d/charts/gatekeeper/podsecuritypolicies/templates/default/volumes.yaml

@@ -21,6 +21,7 @@ spec:
     volumes:
       - configMap
       - downwardAPI
+      - hostPath
       - emptyDir
       - persistentVolumeClaim
       - projected

helmfile.d/charts/node-local-dns/templates/node-local-dns.yaml

@@ -108,7 +108,7 @@ data:
       {{- . | nindent 6 }}
       {{- end }}
       log . {combined} {
-        class denial error
+        class error
       }
       cache 30
       reload

helmfile.d/charts/prometheus-alerts/templates/alerts/opensearch.yaml

@@ -66,7 +66,7 @@ spec:
         summary: Index {{`{{ $labels.index }}`}} is using {{`{{ $value }}`}} percent of max field limit
         runbook_url: {{ .Values.runbookUrls.opensearch.OpenSearchFieldLimit }}
     - alert: OpenSearchFieldLimit
-      expr: (sum(max_over_time(elasticsearch_indices_mappings_stats_fields{namespace="opensearch-system"}[5m])) by (index) / sum(max_over_time(elasticsearch_indices_settings_total_fields{namespace="opensearch-system"}[5m])) by (index)) * 100 > 95
+      expr: (sum(max_over_time(elasticsearch_indices_mappings_stats_fields{namespace="opensearch-system",index!~"top_queries.*"}[5m])) by (index) / sum(max_over_time(elasticsearch_indices_settings_total_fields{namespace="opensearch-system",index!~"top_queries.*"}[5m])) by (index)) * 100 > 95
       for: 15m
       labels:
         severity: critical

helmfile.d/lists/images.yaml

@@ -80,7 +80,7 @@ images:
     curatorCronjob: ghcr.io/elastisys/bitnami/elasticsearch-curator:5.8.4-debian-10-r235
     exporter: quay.io/prometheuscommunity/elasticsearch-exporter:v1.7.0
   rclone:
-    image: ghcr.io/elastisys/rclone-sync:1.70.3
+    image: ghcr.io/elastisys/rclone-sync:1.72.0
   tekton:
     controller: ghcr.io/tektoncd/github.com/tektoncd/pipeline/cmd/controller:v0.45.0
     remoteResolvers: ghcr.io/tektoncd/github.com/tektoncd/pipeline/cmd/resolvers:v0.45.0

helmfile.d/values/networkpolicies/common/velero.yaml.gotmpl

@@ -33,3 +33,11 @@ policies:
       egress:
         - rule: egress-rule-dns
         - rule: egress-rule-apiserver
+
+    velero-data-mover:
+      podSelectorLabels:
+        velero.io/exposer-pod-group: snapshot-exposer
+      egress:
+        - rule: egress-rule-dns
+        - rule: egress-rule-apiserver
+        - rule: egress-rule-object-storage

helmfile.d/values/podsecuritypolicies/common/velero.yaml.gotmpl

@@ -9,6 +9,7 @@ constraints:
           - emptyDir
           - projected
           - secret
+          - configMap
         allowedHostPaths:
           - pathPrefix: /var/lib/kubelet/pods
             readOnly: false
@@ -25,16 +26,42 @@ constraints:
       allow:
         runAsUser:
           rule: MustRunAsNonRoot
+        volumes:
+          - hostPath
+          - emptyDir
+          - projected
+          - secret
+          - persistentVolumeClaim
+          - configMap
+          - downwardAPI
+        allowedHostPaths:
+          - pathPrefix: /var/lib/kubelet/pods
+            readOnly: false
+          - pathPrefix: /var/lib/kubelet/plugins
+            readOnly: false
       mutation:
-        runAsUser: 1000
+        runAsUser: 1002
     data-upload:
       podSelectorLabels:
         velero.io/exposer-pod-group: snapshot-exposer
       allow:
         runAsUser:
           rule: MustRunAsNonRoot
+        volumes:
+          - hostPath
+          - emptyDir
+          - projected
+          - secret
+          - persistentVolumeClaim
+          - configMap
+          - downwardAPI
+        allowedHostPaths:
+          - pathPrefix: /var/lib/kubelet/pods
+            readOnly: false
+          - pathPrefix: /var/lib/kubelet/plugins
+            readOnly: false
       mutation:
-        runAsUser: 1000
+        runAsUser: 1002
     repo-maintenance:
       podSelectorExpressions:
         - key: velero.io/repo-name

helmfile.d/values/velero/sc.yaml.gotmpl

@@ -134,6 +134,7 @@ schedules:
     template:
       storageLocation: default
       snapshotMoveData: {{ .Values.velero.useVolumeSnapshots }}
+      snapshotVolumes: {{ .Values.velero.useVolumeSnapshots }}
       labelSelector:
         matchLabels:
           velero: backup

helmfile.d/values/velero/wc.yaml.gotmpl

@@ -134,6 +134,7 @@ schedules:
     template:
       storageLocation: default
       snapshotMoveData: {{ .Values.velero.useVolumeSnapshots }}
+      snapshotVolumes: {{ .Values.velero.useVolumeSnapshots }}
       excludedNamespaces:
         {{- with .Values.velero.excludedNamespaces }}
         {{- toYaml . | nindent 8 }}

images/rclone-sync/Dockerfile

@@ -4,7 +4,7 @@ FROM ubuntu:rolling as download
 RUN apt-get update && apt-get install -y curl unzip
 
 # Install rclone
-ENV RCLONE_VERSION="v1.70.3"
+ENV RCLONE_VERSION="v1.72.0"
 RUN curl -O https://downloads.rclone.org/${RCLONE_VERSION}/rclone-${RCLONE_VERSION}-linux-amd64.zip && \
     unzip rclone-${RCLONE_VERSION}-linux-amd64.zip && \
     cd rclone-*-linux-amd64 && \

sbom/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:6b81f7db-087c-436b-ba19-7f4dc90c35d3",
+  "serialNumber": "urn:uuid:b57a8c32-510d-4a08-849f-5c786f5c0372",
   "version": 1,
   "metadata": {
-    "timestamp": "2025-11-04T11:59:08Z",
+    "timestamp": "2025-11-28T14:39:31Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -3100,15 +3100,15 @@
       "purl": "pkg:oci/elastisys/[email protected]?repository_url=ghcr.io"
     },
     {
-      "bom-ref": "pkg:oci/elastisys/rclone-sync@1.70.3?repository_url=ghcr.io",
+      "bom-ref": "pkg:oci/elastisys/rclone-sync@1.72.0?repository_url=ghcr.io",
       "type": "container",
       "supplier": {
         "name": "elastisys"
       },
       "name": "ghcr.io/elastisys/rclone-sync",
-      "version": "1.70.3",
-      "cpe": "cpe:2.3:a:elastisys:rclone-sync:1.70.3:*:*:*:*:*:*:*",
-      "purl": "pkg:oci/elastisys/rclone-sync@1.70.3?repository_url=ghcr.io"
+      "version": "1.72.0",
+      "cpe": "cpe:2.3:a:elastisys:rclone-sync:1.72.0:*:*:*:*:*:*:*",
+      "purl": "pkg:oci/elastisys/rclone-sync@1.72.0?repository_url=ghcr.io"
     },
     {
       "bom-ref": "pkg:oci/elastisys/[email protected]?repository_url=ghcr.io",
@@ -4904,7 +4904,7 @@
       "ref": "pkg:helm/[email protected]",
       "dependsOn": [
         "pkg:oci/elastisys/[email protected]?repository_url=ghcr.io",
-        "pkg:oci/elastisys/rclone-sync@1.70.3?repository_url=ghcr.io"
+        "pkg:oci/elastisys/rclone-sync@1.72.0?repository_url=ghcr.io"
       ]
     },
     {
@@ -5119,7 +5119,7 @@
       "dependsOn": []
     },
     {
-      "ref": "pkg:oci/elastisys/rclone-sync@1.70.3?repository_url=ghcr.io",
+      "ref": "pkg:oci/elastisys/rclone-sync@1.72.0?repository_url=ghcr.io",
       "dependsOn": []
     },
     {

tests/Dockerfile

@@ -71,6 +71,11 @@ RUN curl -LOs "https://github.com/open-policy-agent/opa/releases/download/v${OPA
     install -Tm 755 opa_linux_amd64 /usr/local/bin/opa && \
     rm opa_linux_amd64
 
+ARG PROMETHEUS_VERSION="3.6.0"
+RUN curl -fsSL "https://github.com/prometheus/prometheus/releases/download/v${PROMETHEUS_VERSION}/prometheus-${PROMETHEUS_VERSION}.linux-amd64.tar.gz" | \
+    tar -zxvf - "prometheus-${PROMETHEUS_VERSION}.linux-amd64/promtool" --strip-components=1 && \
+    mv promtool /usr/local/bin/
+
 ARG SOPS_VERSION="3.10.1"
 RUN curl -LOs "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64" && \
     install -Tm 755 "sops-v${SOPS_VERSION}.linux.amd64" /usr/local/bin/sops && \

tests/end-to-end/velero/resources/backup-spec-sc.yaml

@@ -20,5 +20,6 @@ labelSelector:
     velero: backup
 metadata: {}
 snapshotMoveData: true
+snapshotVolumes: true
 storageLocation: default
 ttl: 720h0m0s

tests/end-to-end/velero/resources/backup-spec-wc.yaml

@@ -39,5 +39,6 @@ labelSelector:
       operator: DoesNotExist
 metadata: {}
 snapshotMoveData: true
+snapshotVolumes: true
 storageLocation: default
 ttl: 720h0m0s

tests/end-to-end/velero/resources/test-application.yaml

@@ -15,6 +15,7 @@ metadata:
   name: velero-test
   namespace: velero-test
 spec:
+  terminationGracePeriodSeconds: 1
   containers:
   - image: ${image}
     args:

tests/unit/general/alerting-rules.bats

@@ -0,0 +1,50 @@
+#!/usr/bin/env bats
+
+# bats file_tags=releases,general,prometheus
+
+setup_file() {
+  # for dynamically registering tests using `bats_test_function`
+  bats_require_minimum_version 1.11.1
+
+  load "../../bats.lib.bash"
+  load_common "env.bash"
+  load_common "gpg.bash"
+  load_common "yq.bash"
+
+  gpg.setup
+  env.setup
+
+  env.init openstack capi dev
+}
+
+setup() {
+  load "../../bats.lib.bash"
+  load_assert
+  load_common "yq.bash"
+  load_common "env.bash"
+  env.private
+}
+
+teardown_file() {
+  env.teardown
+  gpg.teardown
+}
+
+declare -a clusters=("service" "workload")
+
+for cluster in "${clusters[@]}"; do
+  bats_test_function \
+    --description "check ${cluster} cluster alerting rules" \
+    -- check_alerting_rules "${cluster}"
+done
+
+check_alerting_rules() {
+  local -r cluster="${1}_cluster"
+
+  run --separate-stderr bats_pipe \
+    helmfile -f "${ROOT}/helmfile.d" -e "${cluster}" -l app=prometheus -l chart=charts/prometheus-alerts template --log-level error \
+    \| yq eval-all '[select(.kind == "PrometheusRule") | .spec.groups[]] | {"groups": .}' \
+    \| promtool check rules --no-lint-fatal /dev/stdin
+
+  assert_success
+}