Security on Cozystack

Cozystack v0.41: MongoDB, Dashboard Edit Button, Resource Quota UI, JWT Security, and cert-manager Gateway API

Tue, 20 Jan 2026 00:00:00 +0000

Cozystack v0.41: MongoDB, Dashboard Edit Button, Resource Quota UI, JWT Security, and cert-manager Gateway API

Version 0.41 expands the database catalog with MongoDB and significantly improves the dashboard and security posture.

Major Features and Improvements

MongoDB as a Managed Application

MongoDB joins the Cozystack application catalog as a fully managed service with:

Replica set deployment with configurable replicas.
Persistent storage with configurable size.
Resource management (CPU and memory requests/limits).
Built-in monitoring integration.

Dashboard Edit Button

All resources in the dashboard now have an Edit button, enabling users to modify any deployed application directly from the UI without switching to the CLI.

Talm v0.17: Built-in Age Encryption for Secrets Management

Wed, 17 Dec 2025 00:00:00 +0000

Talm v0.17: Built-in Age Encryption for Secrets Management

The latest release of Talm, the configuration manager for Talos Linux, introduces a powerful new feature: built-in encryption using the age encryption tool. This enhancement allows you to securely store sensitive configuration files like secrets.yaml, talosconfig, and kubeconfig in Git repositories while following security best practices.

Why Age Encryption?

Managing secrets in Git repositories has always been a challenge. While storing configuration files in version control is convenient for GitOps workflows, sensitive data like API keys, certificates, and cluster credentials should never be committed in plain text. Traditional solutions like git-crypt or external secret management systems add complexity and dependencies.

Flux-aio, Kubernetes mTLS and the Chicken and Egg Problem

Fri, 12 Dec 2025 00:00:00 +0000

Here at Cozystack, we’re once again solving the chicken-and-egg problem: how to deploy CNI and kube-proxy through Flux, while ensuring Flux itself works without CNI and kube-proxy.

Flux can be started without CNI and kube-proxy using the flux-aio project (by the creator of Flux), which runs a single deployment with all controllers configured to communicate with each other via localhost.

The specific challenge for Cozystack is that we deploy a small HTTP server with Helm charts and other assets used in the platform to each cluster. Flux reads these charts and installs them into the system.

Cozystack v0.38: Virtual Private Cloud, VNC Console, Configurable Worker K8s Versions, and HTTPS Enforcement

Tue, 25 Nov 2025 00:00:00 +0000

Cozystack v0.38: Virtual Private Cloud, VNC Console, Configurable Worker K8s Versions, and HTTPS Enforcement

Version 0.38 brings network isolation capabilities, improved VM access, and security hardening across the platform.

Major Features and Improvements

Virtual Private Cloud (VPC)

The headline feature of v0.38 is VPC support with Multus CNI integration. Operators can now create isolated virtual networks with:

Subnet management for fine-grained network layout.
Network isolation between tenants at the network level.
Full integration with the Cozystack dashboard for VPC lifecycle management.

VNC Console for VMs

Virtual machines now have a VNC console accessible directly from the dashboard, enabling graphical access to VMs without external tools.

Cozystack v0.20 Release: Terraform, Keycloak, and Stability & Security Improvements

Thu, 12 Dec 2024 00:00:00 +0000

Cozystack v0.20 Release: Terraform, Keycloak, and Stability & Security Improvements

This release focuses on enhancing stability while addressing a significant number of bugs and introducing new features.

What’s new

Kube-OVN updated to the latest stable release.
Improved logic in KubeVirt CCM, delivering more reliable load balancers for tenant Kubernetes clusters.
Resolved user permissions issues in OIDC.
Added a dedicated cluster admin group.
Fixed alerts and dashboards in Grafana.
NATs now supports enabling JetStream and passing configuration files.
Introduced Terraform support for interacting with our API.

In v0.19, we introduced OIDC support, along with the integration of Keycloak. However, due to the need for stability improvements, we did not announce v0.19 separately. With this release, Keycloak is bundled with Cozystack, providing seamless OIDC support.

Cozystack v0.19: Keycloak SSO, Dashboard Services View, KubeVirt v1.4, and MetalLB Update

Wed, 04 Dec 2024 00:00:00 +0000

Cozystack v0.19: Keycloak SSO, Dashboard Services View, KubeVirt v1.4, and MetalLB Update

Version 0.19 introduces identity management with Keycloak and significantly improves the dashboard experience.

Major Features and Improvements

Keycloak SSO Integration

Keycloak is now available as an optional platform component, providing:

Single Sign-On (SSO) for the Cozystack dashboard and Kubeapps.
Role-based access with configurable SSO roles.
Keycloak is optional and can be enabled per distro bundle.
Network policies included for secure Keycloak operation.

Dashboard Services View

Services are now visible in the dashboard, giving users a clear overview of their deployed managed services and their endpoints.