nebius/nebius-ps-services nebius-vpngw-v0.5.5

nebius-vpngw-v0.5.5

Repository: nebius/nebius-ps-services

Tag: nebius-vpngw-v0.5.5

Published: 2026-04-01T00:10:28Z

Prerelease: no

Release notes:

• Added regression coverage proving publish-release.sh --prep remains

idempotent for unreleased versions: reruns for the same version now stay no-op once Unreleased is empty and the tag has not been created.

• Fixed publish-release.sh --prep changelog formatting so moving

Unreleased notes into a dated release section preserves a blank line before the next ## heading, keeping the file markdownlint-safe in editors.

• Changed publish-release.sh --prep to fail before editing CHANGELOG.md if

the target tag already exists locally or on origin, so duplicate release preparation for an already-published version stops immediately.

• Fixed source-checkout runtime version fallback for release tagging without

setuptools-scm installed: nebius_vpngw.__version__ now derives from git describe before consulting a generated _version.py, so publish-release.sh --publish no longer rejects a fresh exact tag because of a stale local dev-version cache.

• Fixed add-routes-local for pinned multi-VM topologies: remote prefixes are

now routed through the gateway VM that owns each connection, and BGP route discovery is scoped to the owning VM(s) instead of querying every gateway VM.

• Fixed restart-tunnel for multi-VM topologies: it now targets only

the gateway VM that owns the selected tunnel, fails fast when the tunnel name is unknown, and has regression coverage alongside the existing manual failover/failback command paths.

• Simplified manual failover and failback tunnel selection: both commands

now take the tunnel name as an optional positional argument instead of --tunnel-failover / --tunnel-failback, which matches restart-tunnel and relies on schema-enforced global tunnel-name uniqueness.

• Clarified manual failover semantics in both UX and docs: failover now

explicitly remains an operational override that preserves configured YAML roles, and status now reports configured role separately from current traffic state with a Traffic Override panel when runtime behavior differs from the configured active/passive preference.

• Aligned publish-release.sh --prep with the shared release-template behavior:

it now requires a named branch and auto-configures origin/ as upstream on the first push instead of failing with Git's default upstream error.

• Tightened local release gating in publish-release.sh: the clean-worktree

check now includes untracked files, and --publish now fails before tagging if the target release section exists but is empty.

• Pinned Pygments>=2.20.0,<3.0.0 directly in project metadata and refreshed

uv.lock so runtime installs, dev/test environments, and generated wheel metadata no longer permit the vulnerable transitive version.

• Fixed apply agent deployment for wheel-based installs: when a fresh local build is unavailable,

SSH push now falls back to the originally installed wheel recorded in pip direct_url.json (including direct GitHub release URLs and local wheel files) instead of requiring python -m build.

• Cleaned up version packaging/runtime wiring: source checkouts now pass the

non-deprecated nested scm.git.describe_command config to setuptools-scm, and wheel builds now use a package-local version_file so release artifacts no longer include a duplicate repo-relative _version.py.

• Changed the local developer make build/make all path to reuse the prepared

project virtualenv (python -m build --wheel --no-isolation), which avoids noisy isolated-build vcs_versioning warnings while keeping local artifacts deterministic.

• Fixed runtime version resolution for source/editable checkouts so nebius-vpngw now prefers live setuptools-scm git state over a generated _version.py cache, and publish-release.sh --publish now verifies local runtime version/tag alignment before pushing the release tag.
• Clarified BFD documentation and comments: support is now described as vendor/platform specific, the template/README no longer imply generic cloud-VPN support, and the misleading GCP HA VPN BFD note was removed.
• Added concise Nebius Managed Kubernetes routing guidance covering gateway.local_prefixes, Pod-vs-ClusterIP expectations, and the common Cilium routing/masquerade defaults operators should account for over VPN.