Version: v0.22

metal-stack v0.22.15

See original release note at https://github.com/metal-stack/releases/releases/tag/v0.22.15

General

Gardener v1.134
- Please note that this release contains the gardener-apiserver built from the metal-stack fork in order to prevent the defaulting of worker machine images by Gardener. This will be resolved upstream with https://github.com/gardener/gardener/pull/13785. If you do not use short image versions in the CloudProfile you can also use the upstream version of the gardener-apiserver.
firewall-controller v2.5.0

Breaking Changes

The event job label was renamed from monitoring/event-exporter to events. Update any existing LogQL queries, dashboard filters, and alert rules that reference {job="monitoring/event-exporter"} to {job="events"}.

The monitoring role's basic auth configuration for Thanos Receive Ingress has changed. The raw htpasswd string monitoring_thanos_receive_ingress_basic_auth has been replaced by two plaintext variables monitoring_thanos_receive_ingress_basic_auth_user: thanos-receive and monitoring_thanos_receive_ingress_basic_auth_password: mysecret. See: https://github.com/metal-stack/metal-roles/blob/master/control-plane/roles/monitoring/README.md#thanos-receive-ingress-credentials (metal-stack/metal-roles#595)

Noteworthy

It is now possible to annotate the FirewallMonitor resource with the annotation firewall.metal-stack.io/restart-systemd-services=<service-name> in order to trigger a restart of a systemd service on the firewall. Only whitelisted services can be restarted. (metal-stack/firewall-controller#220)
The ClusterWideNetworkPolicy only supports ports of type int32 now. Before that, we allowed intstr. The string value, however, was always prevented by validation such that the transition should not cause any issues. (metal-stack/firewall-controller#219)

Required Actions

The partition promtail role is deprecated and replaced by the new alloy role. Operators should migrate to Alloy for partition log collection.

Follow the migration instructions: https://github.com/metal-stack/metal-roles/blob/master/partition/roles/alloy/README.md#migration-from-promtail

Several migration scenarios are supported — from a hard cutover to a parallel run for verification before switching over. Note that running both services simultaneously will produce duplicate log entries in Loki during the transition window. (metal-stack/metal-roles#592)
The control-plane logging role now deploys Grafana Alloy as the default log collector. Alloy needs to be configured before running the new version of the role, as the deprecated Promtail DaemonSet and the event-exporter resources are disabled and removed by default.

Follow the migration instructions:
- https://github.com/metal-stack/metal-roles/blob/master/control-plane/roles/logging-common/README.md#migration-from-promtail
Several migration scenarios are supported — from a hard cutover to a parallel run for verification before switching over. Note that running both simultaneously will produce duplicate log entries in Loki during the transition window. (metal-stack/metal-roles#595)

Component Releases

metal-apiserver v0.5.0

Partition response does not include mgmt servers (metal-stack/metal-apiserver#219) @majst01
Update dependencies (metal-stack/metal-apiserver#218) @majst01
Fix missing machine allocation uuid query. (metal-stack/metal-apiserver#217) @Gerrit91
Add default retention to all asynq tasks. (metal-stack/metal-apiserver#216) @Gerrit91
Provide generic Encode/Decode payload func for asynq package. (metal-stack/metal-apiserver#215) @Gerrit91
Introduce secure-cookie flag (metal-stack/metal-apiserver#213) @majst01
Machine State Command (metal-stack/metal-apiserver#211) @majst01
IP Query for IPType was wrong (metal-stack/metal-apiserver#210) @majst01
Enhance token validation security (metal-stack/metal-apiserver#207) @majst01
Fix Partition list (metal-stack/metal-apiserver#209) @majst01
Fix FSL issues found during api-conformance (metal-stack/metal-apiserver#220) @majst01
Return deletion task IDs in meta. (metal-stack/metal-apiserver#221) @Gerrit91
Machine delete and machine update validation (metal-stack/metal-apiserver#197) @majst01

metal-bmc v0.7.3

Update go-hal dependency for powersupply (metal-stack/metal-bmc#97) @simcod

helm-charts v0.6.4

Postgreslet next release (metal-stack/helm-charts#164) @eberlep
modify block transaction (metal-stack/helm-charts#163) @emekaponw
Secure Cookie flag for metal-apiserver (metal-stack/helm-charts#162) @majst01

api v0.1.3

Return task IDs in deletion responses. (metal-stack/api#133) @Gerrit91
Fix issues found during api-conformance (metal-stack/api#134) @majst01
Admin machine delete (metal-stack/api#135) @majst01
Introduce TokenQuery. (metal-stack/api#111) @Gerrit91

firewall-controller-manager v0.6.1

Add systemd-restart annotation for firewall resource. (metal-stack/firewall-controller-manager#88) @Gerrit91
fix: correct event message format in createFirewall function (metal-stack/firewall-controller-manager#90) @mwennrich
Fix typos in API constants. (metal-stack/firewall-controller-manager#89) @Gerrit91

metal-roles v0.22.0

chore: replace control-plane promtail with alloy (metal-stack/metal-roles#595) @ma-hartma
chore: replace partition promtail with alloy (metal-stack/metal-roles#592) @ma-hartma
Adadpt sonic-config README for VLAN sub-interfaces (metal-stack/metal-roles#607) @iljarotar
Secure Cookie flag for metal-apiserver (metal-stack/metal-roles#620) @majst01
Update actions. (metal-stack/metal-roles#619) @Gerrit91

sonic-configdb-utils v0.5.0

allow multiple CIDRs for a VLAN sub-interface (metal-stack/sonic-configdb-utils#40) @iljarotar

mini-lab v0.6.0

chore: replace control-plane and partition promtail with alloy (metal-stack/mini-lab#298) @ma-hartma
Cosign verify (metal-stack/mini-lab#308) @Gerrit91
Update debian, disable secure cookie (metal-stack/mini-lab#304) @majst01
Update some release vector overwrites. (metal-stack/mini-lab#303) @Gerrit91
fix: re-introduce bgp restart for community sonic to ensure default route (metal-stack/mini-lab#302) @ma-hartma
feat: allow using local checkouts of dependencies via env var (metal-stack/mini-lab#294) @ma-hartma
fix: install missing frr-reload.service on dell_sonic leaves (metal-stack/mini-lab#295) @ma-hartma
chore: prepare kamaji tests (metal-stack/mini-lab#289) @ma-hartma
chore(deps): use latest nginx-ingress helm chart version (metal-stack/mini-lab#288) @vknabel
add kamaji flavor (metal-stack/mini-lab#280) @mac641
chore: remove redundant ansible.cfg and hide skipped ansible task output (metal-stack/mini-lab#282) @ma-hartma
make bash shebang use /usr/bin/env for better compatibility across systems (metal-stack/mini-lab#284) @mac641
Allow disabling monitoring deployment through make param. (metal-stack/mini-lab#283) @Gerrit91
Deploy monitoring in mini-lab (metal-stack/mini-lab#275) @ostempel
Migrate to new sonic-config role for community SONiC flavor (metal-stack/mini-lab#276) @iljarotar
Add zitadel OIDC (metal-stack/mini-lab#273) @ostempel
sudo-rs does not allow to preserve all env variables (metal-stack/mini-lab#277) @majst01
Introduce new mini-lab flavor for Enterprise SONiC and fix capi-lab (metal-stack/mini-lab#272) @mwindower

Merged Pull Requests

This is a list of pull requests that were merged since the last release. The list does not contain pull requests from release-vector-repositories.

The fact that these pull requests were merged does not necessarily imply that they have already become part of this metal-stack release.

Remove trailing comma to make release happen (metal-stack/metal-images#416) @majst01
Fix for CVE-2026-23111 (metal-stack/metal-images#417) @majst01
Some more small refinements on building own images. (metal-stack/website#284) @Gerrit91
Bump releases to version v0.22.14 (metal-stack/website#283) @metal-robot[bot]
Update docs. (metal-stack/metal-images#418) @Gerrit91
chore(deps): bump @scalar/api-reference-react from 0.9.42 to 0.9.45 in the docusaurus-dependencies group (metal-stack/website#287) @dependabot[bot]
chore(deps): bump semver from 7.8.1 to 7.8.4 in the other-dependencies group (metal-stack/website#288) @dependabot[bot]
Collect powersupplies if power metrics are available (metal-stack/go-hal#90) @simcod
Always use terse mode when listing nftables ruleset (metal-stack/nftables-exporter#38) @ConnorsApps
Update deps (metal-stack/nftables-exporter#40) @majst01
Hello API V2 conformance tests (metal-stack/releases#298) @majst01
feat: rework flavors explanation (metal-stack/website#285) @l0wl3vel
Add possibility to restart systemd services through annotations (metal-stack/firewall-controller#220) @majst01
Define own NetworkPolicyPort field. (metal-stack/firewall-controller#219) @Gerrit91
Update go modules and gh actions (metal-stack/firewall-controller#221) @majst01
Provide GenericCLI e2e test framework. (metal-stack/metal-lib#203) @Gerrit91
docs(monitoring): use alloy instead of promtail (metal-stack/website#260) @ma-hartma
Ubuntu 26.04 (metal-stack/metal-images#411) @majst01
whitelist H13SSH boards from bios modifications (metal-stack/go-hal#91) @mwennrich
Update firewall-controller and tools (metal-stack/metal-images#419) @majst01
Next release (metal-stack/releases#297) @metal-robot[bot]

General​

Breaking Changes​

Noteworthy​

Required Actions​

Component Releases​

metal-apiserver v0.5.0​

metal-bmc v0.7.3​

helm-charts v0.6.4​

api v0.1.3​

firewall-controller-manager v0.6.1​

metal-roles v0.22.0​

sonic-configdb-utils v0.5.0​

mini-lab v0.6.0​