v1.6.0: release notes

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -31,6 +31,7 @@ body:
       label: Version
       description: What version are you running?
       options:
+        - v1.6.0
         - v1.5.1
         - v1.5.0
         - v1.4.0

README.md

@@ -16,7 +16,7 @@
 
 <p align="center">
   <a href="https://github.com/gravitl/netmaker/releases">
-    <img src="https://img.shields.io/badge/Version-1.5.1-informational?style=flat-square" />
+    <img src="https://img.shields.io/badge/Version-1.6.0-informational?style=flat-square" />
   </a>
   <a href="https://hub.docker.com/r/gravitl/netmaker/tags">
     <img src="https://img.shields.io/docker/pulls/gravitl/netmaker?label=downloads" />

compose/docker-compose.netclient.yml

@@ -3,7 +3,7 @@ version: "3.4"
 services:
   netclient:
     container_name: netclient
-    image: 'gravitl/netclient:v1.5.1'
+    image: 'gravitl/netclient:v1.6.0'
     hostname: netmaker-1
     network_mode: host
     restart: on-failure

k8s/client/netclient-daemonset.yaml

@@ -16,7 +16,7 @@ spec:
       hostNetwork: true
       containers:
       - name: netclient
-        image: gravitl/netclient:v1.5.1
+        image: gravitl/netclient:v1.6.0
         env:
         - name: TOKEN
           value: "TOKEN_VALUE"

k8s/client/netclient.yaml

@@ -28,7 +28,7 @@ spec:
       #           - "<node label value>"
       containers:
       - name: netclient
-        image: gravitl/netclient:v1.5.1
+        image: gravitl/netclient:v1.6.0
         env:
         - name: TOKEN
           value: "TOKEN_VALUE"

k8s/server/netmaker-ui.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: netmaker-ui
-        image: gravitl/netmaker-ui:v1.5.1
+        image: gravitl/netmaker-ui:v1.6.0
         ports:
         - containerPort: 443
         env:

main.go

@@ -36,10 +36,10 @@ import (
 	"golang.org/x/exp/slog"
 )
 
-var version = "v1.5.1"
+var version = "v1.6.0"
 
 //	@title			NetMaker
-//	@version		1.5.1
+//	@version		1.6.0
 //	@description	NetMaker API Docs
 //	@tag.name	    APIUsage
 //	@tag.description.markdown

migrate/migrate_schema.go

@@ -28,8 +28,8 @@ func ToSQLSchema() error {
 		return err
 	}
 
-	// v1.5.2 migration includes migrating the pending users and user invites tables.
-	err = ensureMigrationCompleted(context.TODO(), "migration-v1.5.2", migrateV1_5_2)
+	// v1.6.0 migration includes migrating the pending users and user invites tables.
+	err = ensureMigrationCompleted(context.TODO(), "migration-v1.6.0", migrateV1_6_0)
 	if err != nil {
 		return err
 	}

migrate/migrate_v1_5_2.go → migrate/migrate_v1_6_0.go

@@ -20,7 +20,7 @@ import (
 	"gorm.io/gorm"
 )
 
-func migrateV1_5_2(ctx context.Context) error {
+func migrateV1_6_0(ctx context.Context) error {
 	err := migratePendingUsers(ctx)
 	if err != nil {
 		return err

release.md

@@ -1,56 +1,97 @@
-# Netmaker v1.5.1 Release Notes 🚀
+# Netmaker v1.6.0 Release Notes 🚀
 
 ## 🚀 What’s New
 
-### 🔁 Traffic Logs (Beta)
+### 🔁 Site-to-Site ACLs (Beta)
 
-Traffic Logs have now moved into **Beta**.
+Define ACL policies that permit traffic between egress endpoints across networks.
 
-- Traffic Logs are now enriched with relevant **domain tagging**, making network activity easier to audit and investigate.
+- Build site-to-site rules between egress resources on different networks.
+- Combine egress resources, nodes, and specific IPs in a single policy.
+- Site-to-site rules are emitted alongside device-mesh rules without key collisions.
+
+
+### 🛡️ Egress ACLs with IP Restriction
+
+ACL policies can now target **individual IPs** inside an egress range using the `ip` ACL target type.
+
+- Restrict access to specific hosts within a larger egress CIDR.
+- Validate that selected IPs fall within the referenced egress range at policy create/update time.
+- Mix egress resources, nodes, tags, and individual IPs in the same policy.
+
+### 📦 Egress Preset Catalog (Pro)
+
+A built-in catalog simplifies domain-based egress for common SaaS and cloud providers.
+
+- Browse presets via `GET /api/v1/egress/presets` (AWS, Azure, Google, Salesforce, and more).
+- Create egress resources from a `preset_id`; the server can resolve AWS IP ranges automatically.
+- Support for **multiple domains** per egress resource.
+
+### ⏱️ JIT Group Memberships
+
+Just-In-Time (JIT) access can now be scoped to **user groups** per network.
+
+- Enable JIT for all non-admin users, or limit it to selected user groups.
+- Users request access; admins approve or deny with email notifications.
+- Expired grants are cleaned up automatically and users are notified.
+
+### 🔗 SIEM Integration
+
+Forward Netmaker audit events to your security stack from **Integrations**.
+
+- Supported providers: **Splunk**, **Datadog**, **Elastic**, and **Microsoft Sentinel**.
+- Configure, test, and manage integrations via the REST API (`/api/v1/integrations/siem/{provider}`).
+- Events are exported through the SIEM exporter service.
+
+### 🔑 Default Enrollment Keys
+
+Networks can designate a **default enrollment key** for simplified device onboarding.
+
+- Fetch the default key per network via the API or CLI.
+- Regenerate enrollment key tokens without recreating the key.
 
 ---
 
-## 🧰 Improvements & Fixes
+## 🗄️ Database Schema Migration
+
+This release introduces schema changes to the following core entities:
 
-- **Scalability & Reliability Improvements**
-  Introduced a peer update debouncer that coalesces rapid-fire PublishPeerUpdate calls into a single broadcast — a 500ms resettable debounce window capped by a 3s max-wait deadline ensures back-to-back operations (bulk node updates, gateway changes, host deletions) produce one peer update instead of dozens, drastically reducing CPU and MQTT pressure on the control plane
+- Nodes
+- Pending Users
+- User Invites
+- Posture Check Violations
 
-  Pre-warms peer update caches after each debounced broadcast so pull requests from hosts are served instantly from cache instead of triggering expensive on-demand computation
+**Impact:**
 
-  Batched metrics export to netmaker exporter via periodic ticker instead of publishing on every individual MQTT metrics message, reducing continuous CPU pressure from Prometheus scraping
+- The database structure will be updated automatically during the upgrade.
+- Downgrades may not be supported after migration.
 
-- **Database Schema Migration**  
-  Added schema migrations for the **Users, Groups, Roles, Networks, and Hosts** tables.
+**👉 Action Required:**
 
-- **Deprecated Legacy ACLs**  
-  Legacy ACLs have been **fully removed** as part of the platform’s transition to the updated access control model.
+- Ensure the application starts successfully and migrations are complete.
+- Validate core functionality post-upgrade.
 
-- **Paginated APIs**  
-  Introduced pagination support for **Users** and **Hosts** APIs.
+For detailed upgrade steps, refer to the official upgrade documentation:
+
+[Server Upgrades v1.5.1+](https://learn.netmaker.io/getting-started/server-and-client-management/upgrading-your-client-and-server#server-upgrades-v1.5.1)
+
+---
+
+## 🧰 Improvements & Fixes
 
-- **DNS**  
-  Added **native Active Directory support**.
+- **Netclient registration UX** — Host registration over OAuth/basic auth now returns clear websocket close reasons on failure (auth errors, missing access, posture violations, and server errors).
 
-- **Posture Checks**  
-  Nodes can now **skip the auto-update check during join**, improving join reliability in controlled environments.
+- **User group management** — Streamlined user role permissions and group updates, role-downgrade handling.
 
-- **IDP Sync**  
-  Improved identity provider sync behavior:
-  - Synced IDP groups are now **denied access by default** until explicitly granted.
-  - **Okta-specific settings** are now reset when an IDP integration is removed.
+- **Orphan reference cleanup** — Removes stale network references left behind after resource deletion.
 
-- **HA Setup**  
-  Streamlined **high availability (HA)** setup and operational workflows.
+- **Scalability & reliability** — Optimized node status calculation, offline-status hooks, zombie/orphan node cleanup, and ACL cache race fixes.
 
-- **Install Script**  
-  Added **on-demand Monitoring Stack installation** support via:  
-  `./nm-quick.sh -m`
+- **API hardening** — Auth rate limiting on REST endpoints and activity-log permission fixes.
 
-- **Monitoring Stack**  
-  Updated the monitoring stack to use the **official Prometheus and Grafana images**.
+- **Egress improvements** — CIDR validation for ACL egress IPs, multi-domain egress routing, and domain-answer handling for preset-based egress.
 
-- **HA Gateways**
-  Reset Auto Assigned gw when it is disconnected from the network.
+- **Failover removed** — Legacy per-node failover APIs and CLI commands have been removed in favor of gateway-based patterns.
 
 ---
 
@@ -70,4 +111,4 @@ Traffic Logs have now moved into **Beta**.
   - a **Full Tunnel Gateway**, and
   - a **Split Tunnel Gateway**
 
-  the gateway monitoring component may disconnect from the **Split Tunnel Gateway**.
+  the gateway monitoring component may disconnect from the **Split Tunnel Gateway**.

scripts/nm-quick.sh

@@ -17,7 +17,7 @@ fi
 CONFIG_PATH="$INSTALL_DIR/$CONFIG_FILE"
 NM_QUICK_VERSION="1.0.0"
 #LATEST=$(curl -s https://api.github.com/repos/gravitl/netmaker/releases/latest | grep "tag_name" | cut -d : -f 2,3 | tr -d [:space:],\")
-LATEST=v1.5.1
+LATEST=v1.6.0
 BRANCH=master
 if [ $(id -u) -ne 0 ]; then
 	echo "This script must be run as root"

swagger.yaml

@@ -2919,7 +2919,7 @@ info:
   contact: {}
   description: NetMaker API Docs
   title: NetMaker
-  version: 1.5.1
+  version: 1.6.0
 paths:
   /api/dns:
     get: