From 99899827a723821eafdaed1fedf23799072c59c8 Mon Sep 17 00:00:00 2001 From: Pavan Gunda Date: Tue, 19 Aug 2025 09:15:34 +0200 Subject: [PATCH 1/6] Add changelog for release v2.28.0-ck8s1 --- changelog/2.28.0.md | 46 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 changelog/2.28.0.md diff --git a/changelog/2.28.0.md b/changelog/2.28.0.md new file mode 100644 index 00000000..3a48f6f1 --- /dev/null +++ b/changelog/2.28.0.md 
@@ -0,0 +1,46 @@ +# v2.28.0-ck8s1 + +Released 2025-08-19 + +> [!IMPORTANT] +> **Platform Administrator Notice(s)** +> - Node labels and taints can now be applied using the configuration file `node-labels-and-taints.yaml`. +> - Our rook installation has moved to the [welkin-rook repository](https://github.com/elastisys/welkin-rook). If you are not part of the Elastisys organization and need access to this repository, [contact Elastisys](https://elastisys.com/contact/). + +## Release highlights + +- Welkin-kubespray now supports using Cilium as a network plugin for new clusters. Please refer to `docs/cilium.md` on how to enable it. + +## Changes by kind + +### Feature(s) + +- [#429](https://github.com/elastisys/compliantkubernetes-kubespray/pull/429) - rook: add option to enable cephfs csi @TorLdre +- [#431](https://github.com/elastisys/compliantkubernetes-kubespray/pull/431) - Add containerd config template for private registry @HaoruiPeng +- [#442](https://github.com/elastisys/compliantkubernetes-kubespray/pull/442) - Add dynamic inventory to label and taint nodes @simonklb +- [#454](https://github.com/elastisys/compliantkubernetes-kubespray/pull/454) - Mainline Cilium support for Kubespray @rarescosma + - Welkin-kubespray now supports using Cilium as a network plugin for new clusters. Please refer to `docs/cilium.md` on how to enable it. 
+ +### Improvement(s) + +- [#428](https://github.com/elastisys/compliantkubernetes-kubespray/pull/428) - rook: add calico vxlan ips to peers, and support ipv6 @kristiangronas +- [#438](https://github.com/elastisys/compliantkubernetes-kubespray/pull/438) - fix: frontend port now uses port instead of target_port @Pavan-Gunda +- [#449](https://github.com/elastisys/compliantkubernetes-kubespray/pull/449) - Define servicemonitors CRD early @rarescosma +- [#450](https://github.com/elastisys/compliantkubernetes-kubespray/pull/450) - Avoid overwriting GPU containerd config @HaoruiPeng +- [#451](https://github.com/elastisys/compliantkubernetes-kubespray/pull/451) - config: update audit policy for valkey @Mlundm +- [#452](https://github.com/elastisys/compliantkubernetes-kubespray/pull/452) - upgrade to kubepsray v2.28.0 @shafi-elastisys +- [#457](https://github.com/elastisys/compliantkubernetes-kubespray/pull/457) - Adding default values for fs.inotify params @elastisys-staffan + +### Other(s) + +- [#423](https://github.com/elastisys/compliantkubernetes-kubespray/pull/423) - documentation: Port v2.26.0-ck8s4 @Ajarmar +- [#430](https://github.com/elastisys/compliantkubernetes-kubespray/pull/430) - other: Port 2.27.0 ck8s1 @davidumea +- [#432](https://github.com/elastisys/compliantkubernetes-kubespray/pull/432) - clean-up: Purge yq3 @rarescosma +- [#433](https://github.com/elastisys/compliantkubernetes-kubespray/pull/433) - bug: rook-ceph: add exporter psp and fix dashboard @lunkan93 +- [#436](https://github.com/elastisys/compliantkubernetes-kubespray/pull/436) - other: Bump containerd-version image to v1.7.27 in origin fork v2.27.0 @lucianvlad +- [#440](https://github.com/elastisys/compliantkubernetes-kubespray/pull/440) - other: Add changelog for release v2.27.0-ck8s2 @lucianvlad +- [#441](https://github.com/elastisys/compliantkubernetes-kubespray/pull/441) - other: Add changelog for release v2.26.0-ck8s5 @lucianvlad +- 
[#444](https://github.com/elastisys/compliantkubernetes-kubespray/pull/444) - bug: fix(calico): remove pinned version @FredrikCarlssn +- [#447](https://github.com/elastisys/compliantkubernetes-kubespray/pull/447) - clean-up: all: remove rook folder @Ajarmar +- [#448](https://github.com/elastisys/compliantkubernetes-kubespray/pull/448) - documentation: Update Git steps in migration template README @anders-elastisys +- [#456](https://github.com/elastisys/compliantkubernetes-kubespray/pull/456) - other: chore: add security policy @rarescosma From f6ce7fa833ca28af9291059271b7385cdbd451bb Mon Sep 17 00:00:00 2001 From: Pavan Gunda Date: Tue, 19 Aug 2025 09:22:06 +0200 Subject: [PATCH 2/6] config: update submodule to include fixes --- kubespray | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubespray b/kubespray index ead3b002..70b21b2b 160000 --- a/kubespray +++ b/kubespray @@ -1 +1 @@ -Subproject commit ead3b0024701b75657d4cdcd9dee7c5a22c7094c +Subproject commit 70b21b2bc4885a48620c1d33cb91ede085694f31 From 052776c319a61d9890d82a91e4494f352e0289f1 Mon Sep 17 00:00:00 2001 From: Pavan Gunda Date: Thu, 21 Aug 2025 10:00:28 +0200 Subject: [PATCH 3/6] config: update submodule --- kubespray | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubespray b/kubespray index 70b21b2b..9c618891 160000 --- a/kubespray +++ b/kubespray @@ -1 +1 @@ -Subproject commit 70b21b2bc4885a48620c1d33cb91ede085694f31 +Subproject commit 9c618891ea1053de6ac4cdf6e6fbdb5516ebca48 From 811a698219de051480bc3a9947a35d23d8b4db9d Mon Sep 17 00:00:00 2001 From: Pavan Gunda Date: Fri, 22 Aug 2025 16:11:57 +0200 Subject: [PATCH 4/6] migration script: disable external lbaas --- .../v2.28/prepare/40-disable-openstack-lb.sh | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100755 migration/v2.28/prepare/40-disable-openstack-lb.sh 
diff --git a/migration/v2.28/prepare/40-disable-openstack-lb.sh b/migration/v2.28/prepare/40-disable-openstack-lb.sh new file mode 100755 index 00000000..d2d6b1cc --- /dev/null +++ b/migration/v2.28/prepare/40-disable-openstack-lb.sh @@ -0,0 +1,40 @@ +#!/usr/bin/env bash + +HERE="$(dirname "$(readlink -f "${0}")")" +ROOT="$(readlink -f "${HERE}/../../../")" + +# shellcheck source=scripts/migration/lib.sh +source "${ROOT}/scripts/migration/lib.sh" + +log_info "disable openstack lbaas if infra provider is safespring" + +if [[ "${CK8S_CLUSTER}" =~ ^(sc|both)$ ]]; then + log_info "Replacing openstack_lbaas_enabled with external_openstack_lbaas_enabled in service cluster config" + + CONFIG_FILE="${CK8S_CONFIG_PATH}/sc-config/group_vars/k8s_cluster/ck8s-k8s-cluster-openstack.yaml" + + # Check if the key exists and equals false + if yq4 '.openstack_lbaas_enabled' "$CONFIG_FILE" | grep -q '^false$'; then + # Delete old key + yq4 -i 'del(.openstack_lbaas_enabled)' "$CONFIG_FILE" + # Add new key with same value + yq4 -i '.external_openstack_lbaas_enabled = false' "$CONFIG_FILE" + fi +fi + +if [[ "${CK8S_CLUSTER}" =~ ^(wc|both)$ ]]; then + log_info "Replacing openstack_lbaas_enabled with external_openstack_lbaas_enabled in workload cluster config" + + CONFIG_FILE="${CK8S_CONFIG_PATH}/wc-config/group_vars/k8s_cluster/ck8s-k8s-cluster-openstack.yaml" + + # Check if the key exists and equals false + if yq4 '.openstack_lbaas_enabled' "$CONFIG_FILE" | grep -q '^false$'; then + # Delete old key + yq4 -i 'del(.openstack_lbaas_enabled)' "$CONFIG_FILE" + # Add new key with same value + yq4 -i '.external_openstack_lbaas_enabled = false' "$CONFIG_FILE" + fi +fi + +log_info "Calico will now use the default version from Kubespray (v3.29.1)" +log_info "This change requires compliantkubernetes-apps version v0.47+ that supports Calico v3.29.x" From f13b45439487cdcbb4b18f537ee91d4591c8c3fd Mon Sep 17 00:00:00 2001 
From: Pavan Gunda Date: Fri, 22 Aug 2025 16:15:37 +0200 Subject: [PATCH 5/6] Update migration/v2.28/prepare/40-disable-openstack-lb.sh Co-authored-by: Fredrik Liv --- migration/v2.28/prepare/40-disable-openstack-lb.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/migration/v2.28/prepare/40-disable-openstack-lb.sh b/migration/v2.28/prepare/40-disable-openstack-lb.sh index d2d6b1cc..49e2fde5 100755 --- a/migration/v2.28/prepare/40-disable-openstack-lb.sh +++ b/migration/v2.28/prepare/40-disable-openstack-lb.sh @@ -36,5 +36,3 @@ if [[ "${CK8S_CLUSTER}" =~ ^(wc|both)$ ]]; then fi fi -log_info "Calico will now use the default version from Kubespray (v3.29.1)" -log_info "This change requires compliantkubernetes-apps version v0.47+ that supports Calico v3.29.x" From f2302aae4307a036334cf275682efd40fb1fec3f Mon Sep 17 00:00:00 2001 From: Pavan Gunda Date: Fri, 22 Aug 2025 16:33:15 +0200 Subject: [PATCH 6/6] docs: fix pre commit --- migration/v2.28/prepare/40-disable-openstack-lb.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/migration/v2.28/prepare/40-disable-openstack-lb.sh b/migration/v2.28/prepare/40-disable-openstack-lb.sh index 49e2fde5..f0837a7a 100755 --- a/migration/v2.28/prepare/40-disable-openstack-lb.sh +++ b/migration/v2.28/prepare/40-disable-openstack-lb.sh @@ -35,4 +35,3 @@ if [[ "${CK8S_CLUSTER}" =~ ^(wc|both)$ ]]; then yq4 -i '.external_openstack_lbaas_enabled = false' "$CONFIG_FILE" fi fi -
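Review bot: In PATCH 1/6, changelog/2.28.0.md, the Improvement(s) entry for #452 reads "upgrade to kubepsray v2.28.0"; that should be "kubespray". The Cilium sentence also appears twice, once under "Release highlights" and again indented under #454, so one copy can go. The Platform Administrator Notice does not mention the `openstack_lbaas_enabled` to `external_openstack_lbaas_enabled` rename that the migration script in PATCH 4/6 performs; administrators who maintain that key by hand would want it listed there.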
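Review bot: In PATCH 2/6, the kubespray submodule pointer moves from ead3b002 to 70b21b2b under the subject "update submodule to include fixes", but nothing in the commit says which fixes. The gitlink pins the upstream code this repository deploys, so please name the commits or pull requests being pulled in in the message body, so that the bump can be checked against the submodule's history.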
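Review bot: In PATCH 3/6, the submodule pointer moves again, from 70b21b2b to 9c618891, two days after the previous bump and with no reason given in "config: update submodule". State what 9c618891 adds over 70b21b2b, and consider squashing this with PATCH 2/6 so the history shows a single pinned commit for the release.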
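Review bot: In PATCH 4/6, 40-disable-openstack-lb.sh logs "disable openstack lbaas if infra provider is safespring" but never checks the provider; the only condition is `.openstack_lbaas_enabled` printing `false`. Either test the provider or reword the message. The same condition also fails silently when `$CONFIG_FILE` is missing or unreadable (yq4 errors, `grep -q` matches nothing, the block is skipped), so an explicit existence check with a log line would make a skipped migration visible. A key set to `true` is left under its old name; a comment should say whether that is intended. The sc and wc blocks are identical apart from the path and could share one function, and the two `yq4 -i` calls could be one expression, `del(.openstack_lbaas_enabled) | .external_openstack_lbaas_enabled = false`, so a failure between them cannot leave the file with neither key.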
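Review bot: In PATCH 5/6, dropping the two Calico `log_info` lines leaves a blank line after the final `fi` at the end of 40-disable-openstack-lb.sh, which PATCH 6/6 then has to remove. Delete that blank line in this commit, or squash 5/6 and 6/6 into 4/6 so the script lands in its final form.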
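Review bot: In PATCH 6/6, the subject "docs: fix pre commit" does not match the change, which removes a trailing blank line from a shell script under migration/v2.28/prepare/. A prefix such as "migration script:", as used in PATCH 4/6, would describe it accurately, and the subject could name the pre-commit check that failed.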