diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml
index cf173765c..b01bf9364 100644
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -31,6 +31,7 @@ body:
 label: Version
 description: What version are you running?
 options:
+ - v1.6.0
 - v1.5.1
 - v1.5.0
 - v1.4.0
diff --git a/README.md b/README.md
index 82b84929c..4bcb38254 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@

- +
diff --git a/compose/docker-compose.netclient.yml b/compose/docker-compose.netclient.yml
index 538f2ccd9..3647bcdc6 100644
--- a/compose/docker-compose.netclient.yml
+++ b/compose/docker-compose.netclient.yml
@@ -3,7 +3,7 @@ version: "3.4"
 services:
 netclient:
 container_name: netclient
- image: 'gravitl/netclient:v1.5.1'
+ image: 'gravitl/netclient:v1.6.0'
 hostname: netmaker-1
 network_mode: host
 restart: on-failure
diff --git a/k8s/client/netclient-daemonset.yaml b/k8s/client/netclient-daemonset.yaml
index bde6ad87a..197307ae1 100644
--- a/k8s/client/netclient-daemonset.yaml
+++ b/k8s/client/netclient-daemonset.yaml
@@ -16,7 +16,7 @@ spec:
 hostNetwork: true
 containers:
 - name: netclient
- image: gravitl/netclient:v1.5.1
+ image: gravitl/netclient:v1.6.0
 env:
 - name: TOKEN
 value: "TOKEN_VALUE"
diff --git a/k8s/client/netclient.yaml b/k8s/client/netclient.yaml
index 56ca523d5..ad4668997 100644
--- a/k8s/client/netclient.yaml
+++ b/k8s/client/netclient.yaml
@@ -28,7 +28,7 @@ spec:
 # - ""
 containers:
 - name: netclient
- image: gravitl/netclient:v1.5.1
+ image: gravitl/netclient:v1.6.0
 env:
 - name: TOKEN
 value: "TOKEN_VALUE"
diff --git a/k8s/server/netmaker-ui.yaml b/k8s/server/netmaker-ui.yaml
index 1d803efc8..06f2e403b 100644
--- a/k8s/server/netmaker-ui.yaml
+++ b/k8s/server/netmaker-ui.yaml
@@ -15,7 +15,7 @@ spec:
 spec:
 containers:
 - name: netmaker-ui
- image: gravitl/netmaker-ui:v1.5.1
+ image: gravitl/netmaker-ui:v1.6.0
 ports:
 - containerPort: 443
 env:
diff --git a/main.go b/main.go
index 02977dd19..4fb85dde3 100644
--- a/main.go
+++ b/main.go
@@ -36,10 +36,10 @@ import (
 "golang.org/x/exp/slog"
 )
 
-var version = "v1.5.1"
+var version = "v1.6.0"
 
 // @title NetMaker
-// @version 1.5.1
+// @version 1.6.0
 // @description NetMaker API Docs
 // @tag.name APIUsage
 // @tag.description.markdown
diff --git a/migrate/migrate_schema.go b/migrate/migrate_schema.go
index 78481a472..484fb5d2b 100644
--- a/migrate/migrate_schema.go
+++ b/migrate/migrate_schema.go
@@ -28,8 +28,8 @@ func ToSQLSchema() error {
 return err
 }
 
- // v1.5.2 migration includes migrating the pending users and user invites tables.
- err = ensureMigrationCompleted(context.TODO(), "migration-v1.5.2", migrateV1_5_2)
+ // v1.6.0 migration includes migrating the pending users and user invites tables.
+ err = ensureMigrationCompleted(context.TODO(), "migration-v1.6.0", migrateV1_6_0)
 if err != nil {
 return err
 }
diff --git a/migrate/migrate_v1_5_2.go b/migrate/migrate_v1_6_0.go
similarity index 99%
rename from migrate/migrate_v1_5_2.go
rename to migrate/migrate_v1_6_0.go
index 6178dbcd9..2f0d08582 100644
--- a/migrate/migrate_v1_5_2.go
+++ b/migrate/migrate_v1_6_0.go
@@ -20,7 +20,7 @@ import (
 "gorm.io/gorm"
 )
 
-func migrateV1_5_2(ctx context.Context) error {
+func migrateV1_6_0(ctx context.Context) error {
 err := migratePendingUsers(ctx)
 if err != nil {
 return err
diff --git a/release.md b/release.md
index fc0fdc4a9..d1944d6ba 100644
--- a/release.md
+++ b/release.md
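Review bot: Renaming the completion marker passed to ensureMigrationCompleted from `"migration-v1.5.2"` to `"migration-v1.6.0"` means any database that already stored the old marker (a deployment that ran a pre-release build of this migration) will execute migratePendingUsers and the user-invites step a second time under the new name, assuming ensureMigrationCompleted keys its completion record on that string as its arguments suggest. Whether that is harmless depends on those steps being idempotent, which is not visible in this hunk; if they are not, rows in the pending-users and user-invites tables could be duplicated or overwritten during the upgrade. Either keep the stored key stable while renaming only the function, `err = ensureMigrationCompleted(context.TODO(), "migration-v1.5.2", migrateV1_6_0)`, or make ensureMigrationCompleted treat the old marker as satisfying the new one, and record the decision in the comment above the call, e.g. `// Marker renamed from migration-v1.5.2: databases holding the old marker re-run this, so the steps must stay idempotent.` The enclosing ToSQLSchema body starts and ends outside this hunk.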
@@ -1,56 +1,97 @@ -# Netmaker v1.5.1 Release Notes πŸš€ +# Netmaker v1.6.0 Release Notes πŸš€ ## πŸš€ What’s New -### πŸ” Traffic Logs (Beta) +### πŸ” Site-to-Site ACLs (Beta) -Traffic Logs have now moved into **Beta**. +Define ACL policies that permit traffic between egress endpoints across networks. -- Traffic Logs are now enriched with relevant **domain tagging**, making network activity easier to audit and investigate. +- Build site-to-site rules between egress resources on different networks. +- Combine egress resources, nodes, and specific IPs in a single policy. +- Site-to-site rules are emitted alongside device-mesh rules without key collisions. + + +### πŸ›‘οΈ Egress ACLs with IP Restriction + +ACL policies can now target **individual IPs** inside an egress range using the `ip` ACL target type. + +- Restrict access to specific hosts within a larger egress CIDR. +- Validate that selected IPs fall within the referenced egress range at policy create/update time. +- Mix egress resources, nodes, tags, and individual IPs in the same policy. + +### πŸ“¦ Egress Preset Catalog (Pro) + +A built-in catalog simplifies domain-based egress for common SaaS and cloud providers. + +- Browse presets via `GET /api/v1/egress/presets` (AWS, Azure, Google, Salesforce, and more). +- Create egress resources from a `preset_id`; the server can resolve AWS IP ranges automatically. +- Support for **multiple domains** per egress resource. + +### ⏱️ JIT Group Memberships + +Just-In-Time (JIT) access can now be scoped to **user groups** per network. + +- Enable JIT for all non-admin users, or limit it to selected user groups. +- Users request access; admins approve or deny with email notifications. +- Expired grants are cleaned up automatically and users are notified. + +### πŸ”— SIEM Integration + +Forward Netmaker audit events to your security stack from **Integrations**. + +- Supported providers: **Splunk**, **Datadog**, **Elastic**, and **Microsoft Sentinel**. 
+- Configure, test, and manage integrations via the REST API (`/api/v1/integrations/siem/{provider}`). +- Events are exported through the SIEM exporter service. + +### πŸ”‘ Default Enrollment Keys + +Networks can designate a **default enrollment key** for simplified device onboarding. + +- Fetch the default key per network via the API or CLI. +- Regenerate enrollment key tokens without recreating the key. --- -## 🧰 Improvements & Fixes +## πŸ—„οΈ Database Schema Migration + +This release introduces schema changes to the following core entities: -- **Scalability & Reliability Improvements** - Introduced a peer update debouncer that coalesces rapid-fire PublishPeerUpdate calls into a single broadcast β€” a 500ms resettable debounce window capped by a 3s max-wait deadline ensures back-to-back operations (bulk node updates, gateway changes, host deletions) produce one peer update instead of dozens, drastically reducing CPU and MQTT pressure on the control plane +- Nodes +- Pending Users +- User Invites +- Posture Check Violations - Pre-warms peer update caches after each debounced broadcast so pull requests from hosts are served instantly from cache instead of triggering expensive on-demand computation +**Impact:** - Batched metrics export to netmaker exporter via periodic ticker instead of publishing on every individual MQTT metrics message, reducing continuous CPU pressure from Prometheus scraping +- The database structure will be updated automatically during the upgrade. +- Downgrades may not be supported after migration. -- **Database Schema Migration** - Added schema migrations for the **Users, Groups, Roles, Networks, and Hosts** tables. +**πŸ‘‰ Action Required:** -- **Deprecated Legacy ACLs** - Legacy ACLs have been **fully removed** as part of the platform’s transition to the updated access control model. +- Ensure the application starts successfully and migrations are complete. +- Validate core functionality post-upgrade. 
-- **Paginated APIs** - Introduced pagination support for **Users** and **Hosts** APIs. +For detailed upgrade steps, refer to the official upgrade documentation: + +[Server Upgrades v1.5.1+](https://learn.netmaker.io/getting-started/server-and-client-management/upgrading-your-client-and-server#server-upgrades-v1.5.1) + +--- + +## 🧰 Improvements & Fixes -- **DNS** - Added **native Active Directory support**. +- **Netclient registration UX** β€” Host registration over OAuth/basic auth now returns clear websocket close reasons on failure (auth errors, missing access, posture violations, and server errors). -- **Posture Checks** - Nodes can now **skip the auto-update check during join**, improving join reliability in controlled environments. +- **User group management** β€” Streamlined user role permissions and group updates, role-downgrade handling. -- **IDP Sync** - Improved identity provider sync behavior: - - Synced IDP groups are now **denied access by default** until explicitly granted. - - **Okta-specific settings** are now reset when an IDP integration is removed. +- **Orphan reference cleanup** β€” Removes stale network references left behind after resource deletion. -- **HA Setup** - Streamlined **high availability (HA)** setup and operational workflows. +- **Scalability & reliability** β€” Optimized node status calculation, offline-status hooks, zombie/orphan node cleanup, and ACL cache race fixes. -- **Install Script** - Added **on-demand Monitoring Stack installation** support via: - `./nm-quick.sh -m` +- **API hardening** β€” Auth rate limiting on REST endpoints and activity-log permission fixes. -- **Monitoring Stack** - Updated the monitoring stack to use the **official Prometheus and Grafana images**. +- **Egress improvements** β€” CIDR validation for ACL egress IPs, multi-domain egress routing, and domain-answer handling for preset-based egress. -- **HA Gateways** - Reset Auto Assigned gw when it is disconnected from the network. 
+- **Failover removed** β€” Legacy per-node failover APIs and CLI commands have been removed in favor of gateway-based patterns. ---
@@ -70,4 +111,4 @@ Traffic Logs have now moved into **Beta**. - a **Full Tunnel Gateway**, and - a **Split Tunnel Gateway** - the gateway monitoring component may disconnect from the **Split Tunnel Gateway**.
\ No newline at end of file
+ the gateway monitoring component may disconnect from the **Split Tunnel Gateway**.
diff --git a/scripts/nm-quick.sh b/scripts/nm-quick.sh
index 48782af1d..50e0e3a08 100755
--- a/scripts/nm-quick.sh
+++ b/scripts/nm-quick.sh
@@ -17,7 +17,7 @@ fi
 CONFIG_PATH="$INSTALL_DIR/$CONFIG_FILE"
 NM_QUICK_VERSION="1.0.0"
 #LATEST=$(curl -s https://api.github.com/repos/gravitl/netmaker/releases/latest | grep "tag_name" | cut -d : -f 2,3 | tr -d [:space:],\")
-LATEST=v1.5.1
+LATEST=v1.6.0
 BRANCH=master
 if [ $(id -u) -ne 0 ]; then
 echo "This script must be run as root"
diff --git a/swagger.yaml b/swagger.yaml
index 8802ef3d3..89082630b 100644
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -2919,7 +2919,7 @@ info:
 contact: {}
 description: NetMaker API Docs
 title: NetMaker
- version: 1.5.1
+ version: 1.6.0
 paths:
 /api/dns:
 get: