feat: Ubuntu 26.04 support and cozy-system namespace adoption (#37)

* fix(examples/ubuntu): allow opting out of linux-modules-extra for 26.04+

Ubuntu 26.04 LTS bundles openvswitch and vport-geneve into the main
linux-image-generic and has no linux-modules-extra-* split package
for kernel 7.x. Without an opt-out, the apt task fails with
'No package matching linux-modules-extra-7.x.x-generic available'.

Add a length-zero guard on cozystack_ubuntu_extra_packages and
document the override path in the vars block, so 26.04 inventories
can simply set the list to [] without forking the playbook.

Existing 22.04 / 24.04 inventories keep working with the default
list — behaviour unchanged.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* fix(examples/ubuntu): work around sudo-rs default on Ubuntu 26.04

Ubuntu 26.04 LTS ships sudo-rs (Rust rewrite) as the default
/usr/bin/sudo alternative. sudo-rs does not honour ansible's
privilege-escalation pseudo-tty: every task with become: true on a
password-protected user hangs and fails with
'Timeout (12s) waiting for privilege escalation prompt'.

The classical sudo binary is co-installed at /usr/bin/sudo.ws on
26.04 hosts. Add prepare-sudo.yml that switches the sudo alternative
to it via a raw command (which does not depend on ansible become and
works even when become is broken). Wire it into site.yml so the
full pipeline keeps working out of the box on 26.04, with no
behavioural change for earlier Ubuntu / Debian targets — the play
is a no-op when sudo-rs is not the active alternative.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* fix(role): adopt cozy-system namespace into helm release on reinstall

The cozy-installer chart renders the target namespace (cozy-system by
default) as a templated resource, so a fresh install fails when that
namespace already exists out of band — manual kubectl create ns,
remnant from a previous failed install, or a different chart that
shares the namespace name. The error surfaces as

  Namespace "cozy-system" exists and cannot be imported into the
  current release: invalid ownership metadata

Add a pre-task that looks up the namespace and stamps the helm
ownership label and annotations expected by the chart. The task is a
no-op when the namespace is absent or already carries matching
metadata, so first-install and idempotent re-runs are unchanged.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* docs: README and CHANGELOG entries for Ubuntu 26.04 + namespace adoption

Document the two Ubuntu 26.04 opt-ins (sudo-rs alternative switch +
empty cozystack_ubuntu_extra_packages list) under Known limitations
in the README, and add the matching CHANGELOG entries for the
sudo workaround playbook, the linux-modules-extra guard, and the
helm namespace adoption pre-task in the role.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* ci: cover sudo workaround syntax + namespace adoption regression

Two test additions for the Ubuntu 26.04 / namespace-adoption changes:

1. Lint job runs --syntax-check on examples/ubuntu/prepare-sudo.yml,
   matching the existing checks for the prepare-* playbooks.

2. E2E job adds a third pipeline run that simulates an orphan
   cozy-system namespace: strip the helm release storage Secret and
   the namespace's helm labels and annotations, then re-run
   examples/ubuntu/site.yml. This is the failure mode the role's
   namespace adoption pre-task fixes — without it, helm install
   would error with 'invalid ownership metadata'. After the run the
   step verifies the namespace carries the expected managed-by label
   and meta.helm.sh/release-name annotation again.

A 26.04-specific e2e for the sudo-rs alternative switch is not
included: GitHub-hosted runners are still on 24.04 and there is no
26.04 image yet. The syntax check plus ansible-lint are the most
that fits on the current runner pool.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* fix(examples/ubuntu): harden prepare-sudo.yml secret handling and binary path

Two issues raised in review of the original prepare-sudo.yml:

1. Without no_log: true, ansible_become_password is interpolated
   directly into the rendered raw command and would leak into ansible
   output on task failure or with -vv verbosity, surfacing the user's
   sudo password in CI logs and on-call screenshots.

2. The original code piped the password to bare `sudo`, which on
   26.04 resolves to sudo-rs — the very binary the workaround exists
   to circumvent — and depends on sudo-rs supporting --stdin/--prompt
   in a backwards-compatible way with classical sudo. sudo-rs is a
   partial reimplementation and its CLI surface is not stable.

Switch both the password-piped and the passwordless branches to call
/usr/bin/sudo.ws directly (the classical sudo binary co-installed on
26.04 hosts), and add no_log: true to the switch task. The detection
heuristic remains gated on 'sudo-rs' appearing in the active sudo
alternative target, so /usr/bin/sudo.ws is only invoked when we have
already verified sudo-rs is in the picture and sudo.ws is therefore
present.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* fix(role): patch literal cozy-system in adoption pre-task

The cozy-installer chart hardcodes `name: cozy-system` in
templates/cozystack-operator.yaml — there is no values key for the
operator namespace. The role's cozystack_namespace variable is
documented but the chart does not actually honour it (a foot-gun
that pre-dates this change).

The adoption pre-task introduced in 02975ad used the variable, so a
user who set cozystack_namespace to a non-default value would have
the pre-task patch the wrong namespace while helm install still
fails on the literal cozy-system. Patch the literal cozy-system
directly, with a comment pointing at the chart hardcoding so a
future chart change makes the lookup easy to fix back.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* fix(examples/ubuntu): auto-skip linux-modules-extra on 26.04+, doc clarity

Two follow-ups from review of the Ubuntu 26.04 changes:

- Auto-skip the linux-modules-extra-* apt install on Ubuntu 26.04+
  by adding 'ansible_distribution_version is version("26.04", "<")'
  to the task's when clause. Earlier code required users to set
  cozystack_ubuntu_extra_packages: [] in inventory, which is an
  unnecessary cliff: ansible_distribution_version is gathered
  automatically and the playbook already auto-detects CPU vendor and
  distribution elsewhere. Manual override is still respected for
  hosts where the fact is unreliable.

- Rephrase the Ubuntu 26.04 note in README from 'two opt-ins' to
  'two changes to be aware of'. The sudo-rs alternative switch is
  applied automatically by examples/ubuntu/site.yml — a user does
  not opt in, they get it for free unless they bypass site.yml.
  Clarify that and document the bypass case.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* test(unit): structural invariants for examples/ubuntu/ playbooks

Three regression checks paired with the recent prepare-sudo.yml and
prepare-ubuntu.yml changes:

1. examples/ubuntu/prepare-sudo.yml: the 'Switch sudo alternative'
   task carries no_log: true, so ansible_become_password cannot leak
   into ansible output if the raw command fails or is run with -vv.

2. The same task invokes /usr/bin/sudo.ws directly in both branches
   (password and passwordless). Bare 'sudo' would resolve to sudo-rs
   on 26.04 and re-introduce the bug the playbook exists to fix.

3. examples/ubuntu/prepare-ubuntu.yml: the linux-modules-extra task
   carries an ansible_distribution_version < 26.04 gate so 26.04
   users do not need to set cozystack_ubuntu_extra_packages: [] by
   hand.

These run under ansible-test units alongside the existing IP plugin
tests and use only PyYAML, which ansible-core already requires.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* fix(role): refuse to hijack cozy-system from another helm release

Two safety fixes to the namespace-adoption pre-task introduced in
02975ad / b8fc0a3:

1. Foreign-owner refusal. The previous when: clause fired the patch
   whenever the namespace's helm metadata did not match this role's
   release_name / release_namespace. That includes the case where
   cozy-system is legitimately owned by a *different* helm release —
   silently overwriting meta.helm.sh/release-name in that case is
   data-loss-class: the original owner's next reconcile breaks with
   'invalid ownership metadata' and the operator has no signal that
   this role flipped the bits. Add an explicit fail task that
   triggers when managed-by=Helm and either annotation points
   elsewhere, with a message naming the conflicting release. The
   adopt task only runs when the managed-by label is missing or
   already ours.

2. cozystack_namespace assert. The cozy-installer chart hardcodes
   'name: cozy-system' in templates/cozystack-operator.yaml — there
   is no values key for the operator namespace. The role used to
   document cozystack_namespace as a configurable variable, but
   overriding it silently broke the wait/patch tasks in this role
   (the operator deploys to cozy-system regardless, while the role
   waits in the override). Assert at validation time that the
   variable still equals cozy-system, with a clear fail_msg pointing
   at the chart constraint. Drop the variable from the user-facing
   README table to stop advertising a non-functional knob.

Also: README chart_version drift fix (1.2.2 -> 1.3.1) since the
table is in the same file area touched by this PR.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* test: cover foreign-owner refusal and cozystack_namespace assert

Three new test cases for the safety fixes in ff4b3a3:

- Unit (tests/unit/playbooks/): assert that the role contains a
  validation task pinning cozystack_namespace to 'cozy-system', and
  a fail-not-patch task gated on managed-by=Helm + release-name
  mismatch. Future edits that reintroduce silent re-adoption will
  trip these.

- E2E (.github/workflows/test.yml): after the existing adoption
  scenario succeeds, re-stamp cozy-system as owned by a fictional
  'some-other-release' and run the pipeline again. The role must
  fail with 'owned by helm release some-other-release' in the
  output. The cleanup step restores ownership so subsequent CI
  steps see a healthy cluster.

Also document in prepare-sudo.yml that the password-stdin path
reads only the first line, so a password containing a literal
newline is unsupported. Edge case unlikely in practice but worth
naming since the play's headers describe the password contract.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* docs: move Unreleased to top of CHANGELOG, add Ubuntu 26.04 to supported targets

Two documentation alignments flagged in review:

- CHANGELOG.rst: move Unreleased section to immediately after the
  title, ahead of all tagged versions. The previous file order had
  Unreleased sandwiched between v1.1.3 and v1.1.2, which is
  chronologically nonsensical and contradicts the convention
  documented in the contributor guidelines.

- README.md: add Ubuntu 26.04 to the Supported targets table at
  top-of-file. The PR adds 26.04 support end-to-end (prepare-sudo
  workaround, linux-modules-extra auto-skip, Known limitations
  subsection) but the headline distribution table still listed only
  22.04 / 24.04 / Debian 12 — readers scanning the table would
  conclude 26.04 is unsupported and never reach the limitations.
  Mark 26.04 as best-effort with a pointer to Known limitations.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* fix(role): drop cozystack_namespace variable, hardcode literal cozy-system

The cozy-installer chart hardcodes 'name: cozy-system' in
templates/cozystack-operator.yaml and exposes no values key for the
operator namespace. The role's cozystack_namespace variable was
therefore a phantom: documented as configurable, defaulted to
cozy-system, and silently broke the wait/patch tasks if anyone
overrode it (operator deployed to cozy-system regardless, while the
role waited in the override and timed out).

Remove the variable from defaults/main.yml. Replace its remaining
references with the literal 'cozy-system' in the wait task and the
platform-package template. The validation block now asserts the
variable is *unset* — any inventory still defining it (even at the
old default value) fails fast with a clear upgrade message rather
than silently inheriting the typo. Strip cozystack_namespace from
the test fixtures that explicitly set it, since they would now hit
the assert.

Also strengthen the foreign-owner refusal check so a partial-write
state (release-name annotation set without managed-by label, or
vice versa) is still detected as a conflict, instead of slipping
into the adopt branch and stamping our annotations on top.

Add unit tests covering: the rejection assert content, the absence
of any remaining {{ cozystack_namespace }} references in role
files, and the strengthened ownership-indicator coverage in the
foreign-owner fail task. Document the breaking-but-rare variable
removal in CHANGELOG Unreleased.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

* fix(role): drive namespace lookup via kubectl, not kubernetes.core.k8s_info

The k8s_info module requires the optional Python 'kubernetes'
package on the controller, which is not installed in the project's
CI environment (and is not a documented prerequisite for users
either). The rest of this role already drives the cluster via
`kubectl ... --output=json` for the same reason.

Switch the cozy-system lookup to `kubectl get namespace ... \
--ignore-not-found --output=json` and parse the result with
from_json. `--ignore-not-found` returns an empty stdout (rather
than a non-zero exit) when the namespace is absent, so the same
length-check gate as before keeps the foreign-owner and adopt
tasks no-op'd on first install.

The unit tests are unchanged because they check task names and
when-clause structure, not the lookup module's internals.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

---------

Signed-off-by: Aleksei Sviridkin <f@lex.la>

Author: lexfrei

.github/workflows/test.yml

@@ -37,6 +37,9 @@ jobs:
       - name: Syntax check Ubuntu example
         run: ansible-playbook examples/ubuntu/prepare-ubuntu.yml --syntax-check
 
+      - name: Syntax check Ubuntu sudo workaround
+        run: ansible-playbook examples/ubuntu/prepare-sudo.yml --syntax-check
+
       - name: Syntax check SUSE example
         run: ansible-playbook examples/suse/prepare-suse.yml --syntax-check
 
@@ -230,3 +233,96 @@ jobs:
         run: >-
           sudo env "PATH=$PATH" "HOME=$HOME" ansible-playbook examples/ubuntu/site.yml
           --inventory tests/ci-inventory.yml
+
+      # Namespace adoption regression test. Reproduces the failure
+      # mode: the cozy-installer chart templates Namespace
+      # cozy-system, and a `helm install` against an existing
+      # namespace without helm ownership metadata fails with
+      #   Namespace "cozy-system" exists and cannot be imported into
+      #   the current release: invalid ownership metadata
+      # Strip both the helm release storage Secret (so helm forgets
+      # the release entirely) and the namespace's helm labels and
+      # annotations (so the next install sees an orphan namespace).
+      # This simulates a manual `kubectl create ns` or a remnant
+      # from a previous failed install.
+      - name: Simulate orphan cozy-system namespace
+        run: |
+          set -eux
+          KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+          sudo kubectl --kubeconfig $KUBECONFIG \
+            label namespace cozy-system app.kubernetes.io/managed-by-
+          sudo kubectl --kubeconfig $KUBECONFIG \
+            annotate namespace cozy-system \
+              meta.helm.sh/release-name- \
+              meta.helm.sh/release-namespace-
+          sudo kubectl --kubeconfig $KUBECONFIG \
+            delete secret --namespace kube-system \
+              --selector=owner=helm,name=cozy-installer
+
+      - name: Test namespace adoption (re-install over orphan namespace)
+        run: >-
+          sudo env "PATH=$PATH" "HOME=$HOME" ansible-playbook examples/ubuntu/site.yml
+          --inventory tests/ci-inventory.yml
+
+      - name: Verify cozy-system namespace was re-adopted
+        run: |
+          set -eux
+          KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+          managed_by="$(sudo kubectl --kubeconfig $KUBECONFIG \
+            get namespace cozy-system \
+            --output jsonpath='{.metadata.labels.app\.kubernetes\.io/managed-by}')"
+          release_name="$(sudo kubectl --kubeconfig $KUBECONFIG \
+            get namespace cozy-system \
+            --output jsonpath='{.metadata.annotations.meta\.helm\.sh/release-name}')"
+          if [ "$managed_by" != "Helm" ] || [ "$release_name" != "cozy-installer" ]; then
+            echo "ERROR: namespace adoption failed"
+            echo "  managed-by label:    '$managed_by' (expected 'Helm')"
+            echo "  release-name annot.: '$release_name' (expected 'cozy-installer')"
+            exit 1
+          fi
+          echo "OK: cozy-system namespace adopted into helm release"
+
+      # Foreign-owner refusal: re-stamp cozy-system as owned by a
+      # different fake helm release and assert the role fails
+      # rather than silently hijacking ownership.
+      - name: Stamp cozy-system as owned by a different helm release
+        run: |
+          set -eux
+          KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+          sudo kubectl --kubeconfig $KUBECONFIG \
+            annotate namespace cozy-system --overwrite \
+              meta.helm.sh/release-name=some-other-release \
+              meta.helm.sh/release-namespace=elsewhere
+
+      - name: Test that foreign-owner namespace is NOT overwritten
+        run: |
+          set +e
+          output="$(sudo env "PATH=$PATH" "HOME=$HOME" \
+            ansible-playbook examples/ubuntu/site.yml \
+            --inventory tests/ci-inventory.yml 2>&1)"
+          status=$?
+          set -e
+
+          if [ "$status" -eq 0 ]; then
+            echo "ERROR: role silently re-adopted a foreign-owned namespace."
+            echo "Expected refusal because cozy-system is owned by 'some-other-release'."
+            echo "$output" | tail -50
+            exit 1
+          fi
+
+          if ! grep -q "owned by helm release 'some-other-release'" <<< "$output"; then
+            echo "ERROR: role failed but not for the expected reason."
+            echo "$output" | tail -50
+            exit 1
+          fi
+
+          echo "OK: role correctly refused to overwrite foreign helm ownership."
+
+      - name: Restore cozy-system ownership for cleanup
+        run: |
+          set -eux
+          KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+          sudo kubectl --kubeconfig $KUBECONFIG \
+            annotate namespace cozy-system --overwrite \
+              meta.helm.sh/release-name=cozy-installer \
+              meta.helm.sh/release-namespace=kube-system

CHANGELOG.rst

@@ -2,42 +2,54 @@
 cozystack.installer Release Notes
 =================================
 
-v1.2.3
-======
-
-- Drop ``ansible.utils`` collection dependency and ``netaddr`` Python
-  package requirement. Master node IP validation now uses a bundled
-  ``cozystack.installer.is_ip_address`` Jinja2 test backed by the
-  Python standard library ``ipaddress`` module.
-- Add IPv6 inventory fixture and CI coverage for IPv6 host keys.
-
-v1.2.2
-======
-
-Synced with Cozystack v1.2.2.
-
-- Bump ``cozystack_chart_version`` to ``1.2.2``
-
-v1.2.1
-======
-
-Synced with Cozystack v1.2.1.
-
-- Bump ``cozystack_chart_version`` to ``1.2.1``
-- Derive ``MASTER_NODES`` for kube-ovn from the ``server`` inventory
-  group; add ``cozystack_master_nodes`` override for multi-master setups
-- Validate master node entries are valid IP addresses, not hostnames
-
-v1.1.3
-======
-
-Synced with Cozystack v1.1.3.
-
-- Bump ``cozystack_chart_version`` to ``1.1.3``
 
 Unreleased
 ==========
 
+Ubuntu 26.04 LTS support and namespace adoption.
+
+- ``examples/ubuntu/`` now boots end-to-end on Ubuntu 26.04 LTS. Two
+  changes were needed:
+
+  - New playbook ``examples/ubuntu/prepare-sudo.yml`` switches the
+    ``sudo`` alternative from ``sudo-rs`` (Rust rewrite, default on
+    26.04) back to classical sudo at ``/usr/bin/sudo.ws``. ``sudo-rs``
+    does not honour ansible's privilege-escalation pseudo-tty and
+    every subsequent ``become: true`` task hangs with
+    ``Timeout (12s) waiting for privilege escalation prompt``. The
+    play uses ``raw`` so it runs before any become-dependent task and
+    is a no-op on releases that do not ship ``sudo-rs``.
+    ``examples/ubuntu/site.yml`` imports it first.
+  - ``Install Ubuntu-only extra kernel modules`` now skips when
+    ``cozystack_ubuntu_extra_packages`` is empty. Ubuntu 26.04 ships
+    ``openvswitch`` and ``vport-geneve`` in the main
+    ``linux-image-generic`` and has no ``linux-modules-extra-*`` for
+    kernel 7.x. Override the variable to ``[]`` in inventory on those
+    hosts; earlier releases keep the existing default.
+
+- The role now adopts the ``cozy-system`` namespace into the
+  cozy-installer helm release on first run if it already exists
+  out-of-band. Without this pre-task, ``helm install`` fails with
+  ``Namespace "cozy-system" exists and cannot be imported into the
+  current release: invalid ownership metadata`` whenever the
+  namespace was created manually, by a previous failed install, or
+  by a different chart that shares the namespace name. The pre-task
+  is a no-op when the namespace is absent or already carries matching
+  helm metadata, and refuses to proceed (rather than silently
+  hijacking) when the namespace is owned by a *different* helm
+  release.
+
+- **Breaking, but rarely set in practice**: the ``cozystack_namespace``
+  variable was removed from the role's defaults. The cozy-installer
+  chart hardcodes ``name: cozy-system`` in
+  ``templates/cozystack-operator.yaml`` and provides no values key
+  to override it; the variable was effectively a phantom that
+  silently broke the role's wait/patch tasks if changed. The role
+  now asserts at validation time that the variable is *unset* — any
+  inventory still defining it (even at the old default
+  ``cozy-system``) must remove the line. Replace any references in
+  custom playbooks with the literal ``cozy-system``.
+
 - New variable ``cozystack_external_ips`` (list, default ``[]``): external
   IP addresses for ingress-nginx Service ``externalIPs``. Required on
   ``isp-full-generic`` platform variant when nodes lack a native load
@@ -100,6 +112,39 @@ Node prerequisites: comprehensive audit and install in examples.
   ``prepare-rhel.yml`` fails fast with a clear message until an entry is
   added to ``cozystack_zfs_release_rpm_by_major``.
 
+v1.2.3
+======
+
+- Drop ``ansible.utils`` collection dependency and ``netaddr`` Python
+  package requirement. Master node IP validation now uses a bundled
+  ``cozystack.installer.is_ip_address`` Jinja2 test backed by the
+  Python standard library ``ipaddress`` module.
+- Add IPv6 inventory fixture and CI coverage for IPv6 host keys.
+
+v1.2.2
+======
+
+Synced with Cozystack v1.2.2.
+
+- Bump ``cozystack_chart_version`` to ``1.2.2``
+
+v1.2.1
+======
+
+Synced with Cozystack v1.2.1.
+
+- Bump ``cozystack_chart_version`` to ``1.2.1``
+- Derive ``MASTER_NODES`` for kube-ovn from the ``server`` inventory
+  group; add ``cozystack_master_nodes`` override for multi-master setups
+- Validate master node entries are valid IP addresses, not hostnames
+
+v1.1.3
+======
+
+Synced with Cozystack v1.1.3.
+
+- Bump ``cozystack_chart_version`` to ``1.1.3``
+
 v1.1.2
 ======
 

README.md

@@ -6,7 +6,7 @@ Supported targets:
 
 | Example playbook | Distributions | Validated end-to-end |
 | --- | --- | --- |
-| `examples/ubuntu/` | Ubuntu 22.04, Ubuntu 24.04, Debian 12 | Ubuntu 22.04, Ubuntu 24.04, Debian 12 on OCI: 3-node multi-master, 87/87 HelmReleases Ready |
+| `examples/ubuntu/` | Ubuntu 22.04, Ubuntu 24.04, Ubuntu 26.04, Debian 12 | Ubuntu 22.04, Ubuntu 24.04, Debian 12 on OCI: 3-node multi-master, 87/87 HelmReleases Ready. Ubuntu 26.04: best-effort — see Known limitations for the sudo-rs and `linux-modules-extra` notes |
 | `examples/rhel/` | RHEL 8+, CentOS Stream 8+, Rocky 9/10, Alma 9/10 | Rocky 10 on OCI: 3-node multi-master, 87/87 HelmReleases Ready (`cozystack_enable_zfs: false` required — see Known limitations) |
 | `examples/suse/` | openSUSE Leap 15.6+, openSUSE Tumbleweed, SLES 15 | — |
 
@@ -167,6 +167,9 @@ informational notice:
 
 Other subsystem notes:
 
+- **Ubuntu 26.04 LTS:** two changes to be aware of.
+  1. *Auto-applied by `examples/ubuntu/site.yml`*: `sudo-rs` ships as the default `/usr/bin/sudo` alternative and does not honour ansible's `become_method: sudo` privilege-escalation pseudo-tty — every `become: true` task hangs with `Timeout (12s) waiting for privilege escalation prompt`. The classical sudo binary is co-installed at `/usr/bin/sudo.ws`. `site.yml` imports `prepare-sudo.yml` first, which switches the `sudo` alternative back via `update-alternatives` using a `raw` command (so it works even when become is broken). The play is a no-op on releases without sudo-rs. If you bypass `site.yml` and call the prepare playbooks directly, run `prepare-sudo.yml` before any task with `become: true` on 26.04 hosts.
+  2. *Manual inventory setting on 26.04 hosts*: the playbook auto-skips `linux-modules-extra-*` on Ubuntu 26.04+ because the package no longer exists for kernel 7.x — `openvswitch` and `vport-geneve` are bundled into `linux-image-generic`. The auto-skip relies on `ansible_distribution_version`; on hosts where that fact is unreliable, set `cozystack_ubuntu_extra_packages: []` in inventory to skip the apt install explicitly.
 - **Cloud providers (Ubuntu on OCI, AWS, GCP):** stock Ubuntu cloud images ship an iptables INPUT chain that ends with `REJECT icmp-host-prohibited`, which blocks k3s ports 2380/6443 between nodes. Set `cozystack_flush_iptables: true` in your inventory so the prepare playbook flushes the INPUT chain before k3s installs. Oracle Linux images on OCI do not have this restriction out of the box.
 - **Rocky 10 / Alma 10 (and other RHEL 10 rebuilds):** the `iptables` userspace binary is not installed by default. `examples/rhel/prepare-rhel.yml` installs `iptables-nft` so the `cozystack_flush_iptables` task and k3s kube-proxy replacement have a working `iptables` wrapper over nftables.
 - **ARM64 (aarch64):** OpenZFS does not publish aarch64 RPMs for RHEL-family distributions via `zfsonlinux.org/epel`. Cozystack itself targets x86_64.
@@ -310,9 +313,8 @@ Runs on `server[0]` only.
 | Variable | Default | Description |
 | --- | --- | --- |
 | `cozystack_chart_ref` | `oci://ghcr.io/cozystack/cozystack/cozy-installer` | Helm chart OCI reference |
-| `cozystack_chart_version` | `1.2.2` | Helm chart version |
+| `cozystack_chart_version` | `1.3.1` | Helm chart version |
 | `cozystack_release_name` | `cozy-installer` | Helm release name |
-| `cozystack_namespace` | `cozy-system` | Namespace for operator and resources |
 | `cozystack_release_namespace` | `kube-system` | Namespace for Helm release secret |
 | `cozystack_operator_variant` | `generic` | Operator variant: generic, talos, hosted |
 | `cozystack_api_server_port` | `6443` | API server port |

examples/ubuntu/prepare-sudo.yml

@@ -0,0 +1,61 @@
+---
+# Switch sudo alternative to classical sudo on Ubuntu 26.04+.
+#
+# Ubuntu 26.04 LTS ships sudo-rs (Rust rewrite) as the default
+# /usr/bin/sudo alternative. sudo-rs does not read passwords from
+# ansible's privilege-escalation pseudo-tty, so every task with
+# `become: true` and a password-protected user hangs and fails with
+#   Timeout (12s) waiting for privilege escalation prompt.
+#
+# The classical sudo binary is co-installed at /usr/bin/sudo.ws on
+# 26.04 hosts. This playbook switches the `sudo` alternative to it
+# before any other play runs `become: true` tasks, then becomes a
+# no-op on subsequent runs and on releases without sudo-rs.
+#
+# Run before prepare-ubuntu.yml on Ubuntu 26.04+ inventories. Earlier
+# Ubuntu releases and Debian skip every task here — safe to keep in
+# site.yml unconditionally.
+#
+# Connection model: this play uses the `raw` module with no `become`,
+# so it works even when standard ansible become is broken by sudo-rs.
+# Privilege escalation goes through `/usr/bin/sudo.ws` directly so
+# we never depend on whatever flag surface sudo-rs exposes:
+#   - If the connecting user has passwordless sudo, leave
+#     ansible_become_password unset; sudo.ws --non-interactive runs
+#     without prompting.
+#   - If the user requires a password, set ansible_become_password
+#     in inventory or pass it via --ask-become-pass. The password is
+#     piped to sudo.ws --stdin which reads only the first line, so a
+#     password containing a literal newline is unsupported.
+
+- name: Switch sudo alternative to classical sudo (Ubuntu 26.04+)
+  hosts: cluster
+  gather_facts: false
+  become: false
+  tasks:
+    - name: Detect current sudo alternative target
+      ansible.builtin.raw: |
+        readlink -f /etc/alternatives/sudo 2>/dev/null || true
+      register: _cozystack_sudo_current
+      changed_when: false
+      failed_when: false
+
+    # Calls /usr/bin/sudo.ws directly (the classical sudo binary
+    # co-installed on 26.04). Skipping the `sudo` symlink avoids any
+    # dependency on sudo-rs' subset of the classical CLI. no_log
+    # prevents ansible_become_password from leaking into task output
+    # if the raw command fails.
+    - name: Switch sudo alternative to /usr/bin/sudo.ws
+      ansible.builtin.raw: |
+        {% if ansible_become_password is defined %}
+        printf '%s\n' {{ ansible_become_password | quote }} | /usr/bin/sudo.ws --stdin --prompt='' update-alternatives --set sudo /usr/bin/sudo.ws
+        {% else %}
+        /usr/bin/sudo.ws --non-interactive update-alternatives --set sudo /usr/bin/sudo.ws
+        {% endif %}
+      register: _cozystack_sudo_switch
+      changed_when: _cozystack_sudo_switch.rc == 0
+      no_log: true
+      when:
+        - _cozystack_sudo_current.stdout is defined
+        - "'sudo-rs' in _cozystack_sudo_current.stdout"
+        - "'/usr/bin/sudo.ws' not in _cozystack_sudo_current.stdout"

examples/ubuntu/prepare-ubuntu.yml

@@ -33,6 +33,13 @@
     # Ubuntu-only: linux-modules-extra-* ships openvswitch and geneve
     # on cloud/minimal kernels. Debian includes these in its base
     # kernel image and has no such split package.
+    #
+    # Ubuntu 26.04 LTS bundles openvswitch and vport-geneve into the
+    # main linux-image-generic and ships no linux-modules-extra-*
+    # package for kernel 7.x. The task below auto-skips on 26.04+,
+    # but if `ansible_distribution_version` is unreliable on a host
+    # (custom builds, derivatives), force-skip from inventory:
+    #   cozystack_ubuntu_extra_packages: []
     cozystack_ubuntu_extra_packages:
       - "linux-modules-extra-{{ ansible_kernel }}"
 
@@ -127,11 +134,17 @@
         state: present
         update_cache: true
 
+    # Auto-skip on Ubuntu 26.04+ (no linux-modules-extra-* for kernel
+    # 7.x, modules ship in linux-image-generic) and when the list is
+    # explicitly empty (inventory force-skip).
     - name: Install Ubuntu-only extra kernel modules
       ansible.builtin.apt:
         name: "{{ cozystack_ubuntu_extra_packages }}"
         state: present
-      when: ansible_distribution == 'Ubuntu'
+      when:
+        - ansible_distribution == 'Ubuntu'
+        - ansible_distribution_version is version('26.04', '<')
+        - cozystack_ubuntu_extra_packages | length > 0
 
     - name: Try loading optional kernel modules (may be built-in or missing)
       community.general.modprobe:

examples/ubuntu/site.yml

@@ -7,6 +7,12 @@
 # Usage:
 #   ansible-playbook site.yml
 
+# Ubuntu 26.04 ships sudo-rs as the default sudo alternative; ansible
+# `become_method: sudo` hangs against it. This play switches the
+# alternative back to classical sudo and is a no-op everywhere else.
+- name: Switch sudo alternative to classical sudo (Ubuntu 26.04+)
+  ansible.builtin.import_playbook: prepare-sudo.yml
+
 - name: Prepare Ubuntu/Debian nodes for Cozystack
   ansible.builtin.import_playbook: prepare-ubuntu.yml
 

roles/cozystack/defaults/main.yml

@@ -15,11 +15,11 @@ cozystack_chart_version: "1.3.1"
 # Helm release name
 cozystack_release_name: "cozy-installer"
 
-# Kubernetes namespace where Cozystack operator and resources live
-cozystack_namespace: "cozy-system"
-
 # Namespace for the Helm release secret (the chart creates cozy-system
-# via its own template, so the release must live in a pre-existing namespace)
+# via its own template, so the release must live in a pre-existing namespace).
+# The operator namespace itself is fixed at `cozy-system` by the chart
+# (templates/cozystack-operator.yaml hardcodes the literal); there is no
+# values key to override it, so this role no longer exposes a variable.
 cozystack_release_namespace: "kube-system"
 
 # Operator deployment variant: generic, talos, hosted