elastisys · Pavan-Gunda · Aug 22, 2025 · Aug 19, 2025 · Aug 19, 2025 · Aug 21, 2025
@@ -0,0 +1,46 @@
+# v2.28.0-ck8s1
+
+Released 2025-08-19
+<!-- -->
+> [!IMPORTANT]
+> **Platform Administrator Notice(s)**
+> - Node labels and taints can now be applied using the configuration file `node-labels-and-taints.yaml`.
+> - Our rook installation has moved to the [welkin-rook repository](https://github.com/elastisys/welkin-rook). If you are not part of the Elastisys organization and need access to this repository, [contact Elastisys](https://elastisys.com/contact/).
+
+## Release highlights
+
+- Welkin-kubespray now supports using Cilium as a network plugin for new clusters. Please refer to `docs/cilium.md` on how to enable it.
+
+## Changes by kind
+
+### Feature(s)
+
+- [#429](https://github.com/elastisys/compliantkubernetes-kubespray/pull/429) - rook: add option to enable cephfs csi @TorLdre
+- [#431](https://github.com/elastisys/compliantkubernetes-kubespray/pull/431) - Add containerd config template for private registry @HaoruiPeng
+- [#442](https://github.com/elastisys/compliantkubernetes-kubespray/pull/442) - Add dynamic inventory to label and taint nodes @simonklb
+- [#454](https://github.com/elastisys/compliantkubernetes-kubespray/pull/454) - Mainline Cilium support for Kubespray @rarescosma
+  - Welkin-kubespray now supports using Cilium as a network plugin for new clusters. Please refer to `docs/cilium.md` on how to enable it.
+
+### Improvement(s)
+
+- [#428](https://github.com/elastisys/compliantkubernetes-kubespray/pull/428) - rook: add calico vxlan ips to peers, and support ipv6 @kristiangronas
+- [#438](https://github.com/elastisys/compliantkubernetes-kubespray/pull/438) - fix: frontend port now uses port instead of target_port @Pavan-Gunda
+- [#449](https://github.com/elastisys/compliantkubernetes-kubespray/pull/449) - Define servicemonitors CRD early @rarescosma
+- [#450](https://github.com/elastisys/compliantkubernetes-kubespray/pull/450) - Avoid overwriting GPU containerd config  @HaoruiPeng
+- [#451](https://github.com/elastisys/compliantkubernetes-kubespray/pull/451) - config: update audit policy for valkey @Mlundm
+- [#452](https://github.com/elastisys/compliantkubernetes-kubespray/pull/452) - upgrade to kubepsray v2.28.0 @shafi-elastisys
+- [#457](https://github.com/elastisys/compliantkubernetes-kubespray/pull/457) - Adding default values for fs.inotify params @elastisys-staffan
+
+### Other(s)
+
+- [#423](https://github.com/elastisys/compliantkubernetes-kubespray/pull/423) - documentation: Port v2.26.0-ck8s4 @Ajarmar
+- [#430](https://github.com/elastisys/compliantkubernetes-kubespray/pull/430) - other: Port 2.27.0 ck8s1 @davidumea
+- [#432](https://github.com/elastisys/compliantkubernetes-kubespray/pull/432) - clean-up: Purge yq3 @rarescosma
+- [#433](https://github.com/elastisys/compliantkubernetes-kubespray/pull/433) - bug: rook-ceph: add exporter psp and fix dashboard @lunkan93
+- [#436](https://github.com/elastisys/compliantkubernetes-kubespray/pull/436) - other: Bump containerd-version image to v1.7.27 in origin fork v2.27.0 @lucianvlad
+- [#440](https://github.com/elastisys/compliantkubernetes-kubespray/pull/440) - other: Add changelog for release v2.27.0-ck8s2 @lucianvlad
+- [#441](https://github.com/elastisys/compliantkubernetes-kubespray/pull/441) - other: Add changelog for release v2.26.0-ck8s5 @lucianvlad
+- [#444](https://github.com/elastisys/compliantkubernetes-kubespray/pull/444) - bug: fix(calico): remove pinned version @FredrikCarlssn
+- [#447](https://github.com/elastisys/compliantkubernetes-kubespray/pull/447) - clean-up: all: remove rook folder @Ajarmar
+- [#448](https://github.com/elastisys/compliantkubernetes-kubespray/pull/448) - documentation: Update Git steps in migration template README @anders-elastisys
+- [#456](https://github.com/elastisys/compliantkubernetes-kubespray/pull/456) - other: chore: add security policy @rarescosma
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+HERE="$(dirname "$(readlink -f "${0}")")"
+ROOT="$(readlink -f "${HERE}/../../../")"
+
+# shellcheck source=scripts/migration/lib.sh
+source "${ROOT}/scripts/migration/lib.sh"
+
+log_info "disable openstack lbaas if infra provider is safespring"
+
+if [[ "${CK8S_CLUSTER}" =~ ^(sc|both)$ ]]; then
+  log_info "Replacing openstack_lbaas_enabled with external_openstack_lbaas_enabled in service cluster config"
+
+  CONFIG_FILE="${CK8S_CONFIG_PATH}/sc-config/group_vars/k8s_cluster/ck8s-k8s-cluster-openstack.yaml"
+
+  # Check if the key exists and equals false
+  if yq4 '.openstack_lbaas_enabled' "$CONFIG_FILE" | grep -q '^false$'; then
+    # Delete old key
+    yq4 -i 'del(.openstack_lbaas_enabled)' "$CONFIG_FILE"
+    # Add new key with same value
+    yq4 -i '.external_openstack_lbaas_enabled = false' "$CONFIG_FILE"
+  fi
+fi
+
+if [[ "${CK8S_CLUSTER}" =~ ^(wc|both)$ ]]; then
+  log_info "Replacing openstack_lbaas_enabled with external_openstack_lbaas_enabled in workload cluster config"
+
+  CONFIG_FILE="${CK8S_CONFIG_PATH}/wc-config/group_vars/k8s_cluster/ck8s-k8s-cluster-openstack.yaml"
+
+  # Check if the key exists and equals false
+  if yq4 '.openstack_lbaas_enabled' "$CONFIG_FILE" | grep -q '^false$'; then
+    # Delete old key
+    yq4 -i 'del(.openstack_lbaas_enabled)' "$CONFIG_FILE"
+    # Add new key with same value
+    yq4 -i '.external_openstack_lbaas_enabled = false' "$CONFIG_FILE"
+  fi
+fi
+
+log_info "Calico will now use the default version from Kubespray (v3.29.1)"
+log_info "This change requires compliantkubernetes-apps version v0.47+ that supports Calico v3.29.x"
+2 −4		contrib/terraform/upcloud/main.tf
+111 −89		contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf
+9 −1		contrib/terraform/upcloud/modules/kubernetes-cluster/output.tf
+34 −35		contrib/terraform/upcloud/modules/kubernetes-cluster/variables.tf
+24 −26		contrib/terraform/upcloud/variables.tf
+7 −7		roles/kubespray_defaults/defaults/main/download.yml