Clever Cloud Documentation – Changelog

Otoroshi 17.16.1 is available with web search (including Staan) and AI router support

Tue, 16 Jun 2026 00:00:00 +0000

Otoroshi v17.16.1 is available on Clever Cloud with the same core as the previous release, but with a bumped LLM extension 0.0.79.

This version introduces search engines as a first-class entity, with seven providers including Staan, the sovereign search engine announced today by Qwant, alongside Tavily, Brave Search, SearXNG, Google Custom Search and DuckDuckGo. You can use them as LLM tools, expose them through an HTTP API or call them from a workflow function.

The new AI router adds three routing strategies: a code-router that selects the cheapest model meeting a quality threshold, an auto-router that relies on a judge LLM for prompt-aware routing, and a fusion-router that synthesises responses from several candidates.

The extension also adds a per-provider circuit breaker, with configurable failure thresholds and cooldown windows for better fallback handling, and a plugin exposing call metadata such as model, provider, token usage, latency and cost through x-otoroshi-llm-* response headers. A mock-response decorator lets you short-circuit calls to test provider fallbacks without real API requests, OpenRouter now supports audio, image and video beyond chat, and the dashboard gains budget reset buttons.

You can update through your add-on dashboard in the Clever Cloud Console. You can also set CC_OTOROSHI_VERSION of the underlying Java application to v17.16.1_1781607455 and rebuild it, or use Clever Tools:

clever features enable operators

clever otoroshi version check yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId v17.16.1_1781607455

Learn more about Otoroshi with LLM on Clever Cloud

Keycloak 26.6.3 (security update)

Thu, 11 Jun 2026 00:00:00 +0000

The release 26.6.3 of Keycloak is available on Clever Cloud. It brings some enhancements and bug fixes, but mainly security fixes.

This release addresses sixteen security vulnerabilities: CVE-2026-0707, CVE-2026-4800, CVE-2026-4874, CVE-2026-7500, CVE-2026-8830, CVE-2026-8922, CVE-2026-9087, CVE-2026-9088, CVE-2026-9704, CVE-2026-9791, CVE-2026-9792, CVE-2026-9794, CVE-2026-9801, CVE-2026-9802, CVE-2026-37977 and CVE-2026-42581.

You can update through the add-on’s dashboard in the Clever Cloud Console. You can also set CC_KEYCLOAK_VERSION of the underlying Java application to 26.6.3 and rebuild it, or use Clever Tools:

clever features enable operators

clever keycloak version check yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId 26.6.3

Learn more about Keycloak on Clever Cloud

Metabase 62 is available, with custom visualizations, schema viewer and a CLI

Thu, 11 Jun 2026 00:00:00 +0000

The x.62 branch of Metabase is now available on Clever Cloud. It brings custom visualizations with built-in drills and tooltips, a schema viewer to display entity-relationship diagrams of your databases, a Metabase CLI built on the API to create dashboards, transforms and metrics from the terminal or an AI agent, centralized alert management, and subcollections in the Library to organize tables and metrics with inherited permissions. Some of these features require the enterprise edition (EE).

On the AI side, this release adds official connectors for the OpenAI Codex and Claude marketplaces, new MCP server tools to read entities, create collections and execute SQL, and interactive Metabase charts rendered directly in AI clients. The official Claude connector only works with Metabase Cloud instances: for a Metabase running on Clever Cloud, add a custom Claude connector pointing to your instance’s MCP server URL. Embedding security improves with JWT tokens passed via POST instead of GET, programmatic filter control through a new parameters prop, and a streamlined embedding wizard. This release also includes multiple enhancements and bug fixes.

This branch is not the default for now if you use community-latest. You can update through the add-on’s dashboard in the Clever Cloud Console. You can also set CC_METABASE_VERSION of the underlying Java application to 0.62 or 1.62 for the enterprise edition (EE) and rebuild it, or use Clever Tools:

clever features enable operators

clever metabase version check yourMetabaseNameOrId
clever metabase version update yourMetabaseNameOrId
clever metabase version update yourMetabaseNameOrId 0.62

Matomo 5.11 is available

Tue, 09 Jun 2026 00:00:00 +0000

Our Matomo add-on has been updated to version 5.11.0 which is now used by default. This release lets you document your analytics setup directly in Matomo: sites accept a description of up to 255 characters, and custom dimensions a description of up to 1000 characters, both available through the interface and the API.

Scheduled reports can now be sent over a custom date range, in addition to the usual periods. Reports gain finer control over flattening and exports, CSV and TSV exports now replace carriage return characters to keep files consistent, and themes benefit from a new alternative border color variable. As usual, this version ships its batch of bug fixes.

You can deploy this release from our Console or Clever Tools. Existing customers’ add-ons are already up-to-date.

Sōzu 2.1.0 is available with HTTP/2 support

Fri, 05 Jun 2026 00:00:00 +0000

Sōzu 2.1.0 is available. It consolidates every improvement shipped since the 2.0.0 milestone: a rewritten HTTP/2 frontend stack supporting the full HTTP/1 and HTTP/2 protocol matrix, a sozu top TUI for live monitoring, pluggable cryptographic providers, per-IP rate limiting, frontend routing features such as HSTS, redirects and URL rewrites, control-plane audit logging and a comprehensive metrics rewrite. It also hardens the proxy against HTTP/2 attacks such as Rapid Reset, CONTINUATION flood and MadeYouReset.

Sōzu 2.1.0 introduces first-class UDP load balancing as an opt-in listener type, with HRW and Maglev source-hash algorithms, flow affinity, PROXY protocol v2 to backends, active health checks and dedicated metrics. Patch releases since 2.0.0 added a wall-clock start_time field in access logs for OpenTelemetry span reconstruction and further HTTP/2 flow-control protections. This release also fixes a hot-reconfiguration bug that silently deactivated listeners, and adds about 1,100 debug assertions across the codebase for stronger correctness validation.

This new version currently serves cleverapps.io domains as a testing phase, before a wider rollout to custom domains.

Otoroshi 17.16.1 is available with AlphaEdge and OCR support

Thu, 04 Jun 2026 00:00:00 +0000

Otoroshi v17.16.1 is available. This patch release fixes the workflow backend response parsing, an OAuth2Caller bug where the plugin always tried to read auth_ref, and a Monaco editor issue swallowing scroll events. It also cleans up the HTTP client workflow node interface.

This release ships with LLM extension 0.0.78, which introduces OCR models as a first-class entity alongside audio, image, embedding and moderation models. You can expose them through a dedicated plugin, the unified OpenAI-compatible API or the ocr_call workflow function, with Mistral models support. The French provider AlphaEdge joins the extension for both speech transcription, with diarization and linguistic post-correction options, and optical character recognition.

You can update through your add-on dashboard in the Clever Cloud Console. You can also set CC_OTOROSHI_VERSION of the underlying Java application to v17.16.1_1780575469 and rebuild it, or use Clever Tools:

clever features enable operators

clever otoroshi version check yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId v17.16.1_1780575469

Learn more about Otoroshi with LLM on Clever Cloud

Redis 8.8 is available with new commands and field-level notifications

Thu, 04 Jun 2026 00:00:00 +0000

We updated Redis™ to release 8.8.0. It introduces the INCREX command, a window counter rate limiter combining increment, bounds and expiration in a single operation, and the XNACK command letting Streams consumers explicitly release pending messages. Keyspace notifications now work at field level for hashes, so you can subscribe to changes on individual hash fields.

This release also adds a COUNT aggregator to ZUNION, ZINTER and their store variants, support for multiple aggregators in a single TimeSeries range command, and query engine improvements with profiling support for hybrid searches. It ships bug fixes for memory tracking, cluster topology handling and module memory leaks, along with performance optimizations.

Redis™ 8.8 is available for new add-ons. Those already deployed can upgrade through migration.

Learn more about Redis™ on Clever Cloud

Metabase 61 is available, with AI governance, dashboards-as-code and Security Center

Sat, 30 May 2026 00:00:00 +0000

The x.61 branch of Metabase is now available on Clever Cloud. It focuses on AI governance: control which user groups can access AI features such as Metabot, SQL generation and auto-generated transforms, set token limits per instance or per user group with daily, weekly or monthly resets, customize Metabot with your own name, icon and system prompts, and track token spend and feature usage through a pre-made AI usage analytics dashboard.

It also introduces dashboards-as-code to create dashboards from an AI terminal such as Claude Code or Cursor with git-backed validation, arithmetic expressions across metrics in the metrics explorer, custom expressions written by Metabot in the query builder, and a Security Center with targeted alerts for your instance configuration. Embedded analytics gains usage analytics, guest token auto-renewal, a themes editor, mobile-optimized SDK components and a useMetabot React hook. Some of these features require the enterprise edition (EE).

This branch is not the default for now if you use community-latest. You can update through the add-on’s dashboard in the Clever Cloud Console. You can also set CC_METABASE_VERSION of the underlying Java application to 0.61 or 1.61 for the enterprise edition (EE) and rebuild it, or use Clever Tools:

clever features enable operators

clever metabase version check yourMetabaseNameOrId
clever metabase version update yourMetabaseNameOrId
clever metabase version update yourMetabaseNameOrId 0.61

Otoroshi 17.16 brings user analytics, distributed rate limiting and new HTTP standards plugins

Fri, 29 May 2026 00:00:00 +0000

Otoroshi v17.16.0 is available. This release focuses on observability, API lifecycle management, Kubernetes deployments and a set of brand-new HTTP standards plugins. It also ships an updated LLM extension featuring an AI Assistant for the admin interface and an updated WAF extension. The Otoroshi documentation has been substantially expanded as well.

User analytics, dashboards and a global event stream

Otoroshi gains a complete user analytics stack. A PostgreSQL-based analytics exporter stores and queries events at scale, and you can now build your own dashboards with a graphical widget editor, drill-down support and a set of default dashboards shipped out of the box. User-defined alerts are built from analytics queries through a graphical condition editor, with a dedicated alerting interface and a scheduled evaluation job. Dashboards, alerts and analytics queries are all integrated with RBAC.

A new global node event stream page in the back office streams audit, alert and analytics events from current node, with pagination, capped buffers and per-type filtering. Data exporters also accept pluggable custom filters and a project phase, and no longer generate one event per filtered event.

Learn more about dashboards, analytics queries and alerts

API management and new HTTP standards plugins

API management hardens the split between draft and production: a clear version banner, read-only production views and plan lifecycle enforcement that locks the Api entity fields once a plan is published. A getting-started stepper guides newcomers, and the draft subscription listing, top bar search and API key plan editor have all been cleaned up.

This release introduces three plugins implementing recent HTTP standards. The HTTP Message Signatures plugins (RFC 9421) sign and verify requests and responses, the NgRfc9440ClientCertHeader plugin forwards client certificates through the standard Client-Cert and Client-Cert-Chain headers (RFC 9440), and an OAuth 2.0 Protected Resource Metadata plugin implements RFC 9728. New JSON validator plugins based on JSON Schemas are also available, and the OAuth2Caller plugin can now target a specific resource for the generated token or rely on an OAuth2 authentication module.

Distributed rate limiting, mailers and exporters

A new distributed rate-limiting strategy backed by atomic Lua scripts on Redis provides predictable, cluster-aware quotas across nodes. It is a drop-in alternative to the previous distributed strategy and is configurable per route. Scaleway TEM and MailPace join the supported mailers.

Reworked Kubernetes deployments

The Helm chart has been almost entirely rewritten with first-class cluster mode (leader and worker deployments), a Redis secured by default based on the CloudPirates Redis chart, and proper HPA, PDB, NetworkPolicies, RBAC, webhooks and certificate templates. The Kustomize manifests reach feature parity with Helm through a component-based split, and the generated CRDs now expose previously missing entities, including APIs, dashboards, alerts and the new analytics resources.

LLM extension: an AI Assistant and Meta MCP

This release includes LLM extension 0.0.76, which adds an AI Assistant to the Otoroshi admin interface. The assistant can search the documentation, query the admin API and run administrative tasks through its Search, Doc and Execute tools, with a conversational chat window, streaming responses, light and dark themes and API key-based access. A hybrid semantic and lexical search engine backs documentation queries.

The extension also introduces a Meta MCP connector that aggregates and proxies multiple MCP servers with dynamic capabilities, an Otoroshi MCP server plugin exposing the assistant tools, and image generation support in the Response and OpenResponse plugins. The Monaco editor is now used across all administration pages of the extension.

Updated bundled plugins

Every plugin delivered with Otoroshi on Clever Cloud has been rebuilt against 17.16.0. The WAF extension (0.0.9) upgrades the OWASP Core Rule Set to v4.26.0.

You can update through your add-on dashboard in the Clever Cloud Console. You can also set CC_OTOROSHI_VERSION of the underlying Java application to v17.16.0_1779982854 and rebuild it, or use Clever Tools:

clever features enable operators

clever otoroshi version check yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId v17.16.0_1779982854

Learn more about Otoroshi with LLM on Clever Cloud

Keycloak 26.6.2 (security update)

Wed, 27 May 2026 00:00:00 +0000

The release 26.6.2 of Keycloak is available on Clever Cloud. It brings some enhancements, but mainly security fixes. It also includes those from 26.6.1.

Together these releases address seventeen security vulnerabilities: CVE-2026-4366, CVE-2026-4633, CVE-2026-33870, CVE-2026-33871, CVE-2026-4628, CVE-2026-4630, CVE-2026-5588, CVE-2026-6856, CVE-2026-7307, CVE-2026-7504, CVE-2026-7507, CVE-2026-7571, CVE-2026-37978, CVE-2026-37979, CVE-2026-37980, CVE-2026-37981 and CVE-2026-37982.

You can update through the add-on’s dashboard in the Clever Cloud Console. You can also set CC_KEYCLOAK_VERSION of the underlying Java application to 26.6.2 and rebuild it, or use Clever Tools:

clever features enable operators

clever keycloak version check yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId 26.6.2

Learn more about Keycloak on Clever Cloud

Images update: PHP 8.5.6, Java security patches, Python 3.14.5, Hugo 0.161

Fri, 22 May 2026 00:00:00 +0000

We updated all our images. Deployment is in progress for all our users.

Common:
- Apache 2.4.67
- Chromium 148.0.7778.167
- Clever Tools 4.10.0
- cURL 8.20.0
- Mise 2026.5.3
- NGINX 1.30.1
- OAuth2 Proxy 7.15.2
- Redis 8.6.3
- SQLite 3.53.1
FrankenPHP:
- Update to 1.12.3 (For CC_PHP_VERSION=8.5)
Go:
- Go 1.26.3
Java:
- Update to 1.8.0.492_p09
- Update to 11.0.31_p11
- Update to 17.0.19_p10
- Update to 21.0.11_p10
- Update to 25.0.3_p9
- Gradle 8.14.5
- Gradle 9.5.1
Node.js & Bun:
- Bun 1.3.14
PHP:
- Update to 8.2.31
- Update to 8.3.31
- Update to 8.4.21
- Update to 8.5.6
- Composer 2.2.27
- Composer 2.9.7
Python:
- Update to 3.14.5
- uv 0.11.15
Ruby:
- Update to 4.0.5
Scala:
- Play Framework 1.2.7.2
- Play Framework 1.11.0
Static:
- Hugo 0.152.2
- Hugo 0.159.2
- Hugo 0.160.1
- Hugo 0.161.1

Linux Kernel

Kernel is now updated independently. Current version is 7.0.9.

Fixes for Java, Node.js & Bun, PHP

This image includes multiple fixes for bug we encountered for Java applications using Maven, PHP applications using apcu or zip extensions, Node.js 25/26 applications using pnpm or yarn.

Hugo version update

Starting June 15th, we will only support Hugo 0.160 release and later. If you are using an older version, update your application or use Mise to download it during deployment.

PostgreSQL 18.4, 17.10, 16.14, 15.18, 14.23 are available (security update)

Thu, 21 May 2026 00:00:00 +0000

New PostgreSQL versions are available for new add-ons and migration:

PostgreSQL 18.4
PostgreSQL 17.10
PostgreSQL 16.14
PostgreSQL 15.18
PostgreSQL 14.23

These versions include over 60 bug fixes and improvements, with security patches for 11 CVEs: CVE-2026-6472, CVE-2026-6473, CVE-2026-6474, CVE-2026-6475, CVE-2026-6476, CVE-2026-6477, CVE-2026-6478, CVE-2026-6479, CVE-2026-6575, CVE-2026-6637 and CVE-2026-6638.

PostgreSQL 14 reaches its end of life on 12 November 2026. Plan a migration to a newer version before that date to keep receiving security updates. Also note that PostgreSQL 11 is not available anymore for migrations on Clever Cloud.

Learn more about PostgreSQL on Clever Cloud

Cellar: new dashboard and Cellar Explorer

Tue, 12 May 2026 00:00:00 +0000

Cellar, our S3-compatible object storage service, gets a new dashboard in the Clever Cloud Console. It puts the information you need to connect and operate your add-on within reach: access key ID and secret, endpoint, region, current storage and bandwidth consumption, plan and billing details. The pre-filled s3cfg configuration file is one click away, ready to drop into your home directory and use with s3cmd or any compatible tool.

Cellar Explorer

The new dashboard also opens the door to the Cellar Explorer, a browser-side file manager for your Cellar buckets, built in the spirit of the KV Explorer we shipped for Materia KV and Redis® add-ons. It lists every bucket of the add-on, lets you navigate objects as folders, and supports the operations you reach for most often: download an object, upload one or several files, copy a public URL, inspect object metadata, all without leaving the Console or installing a third-party S3 client.

Under the hood, the Cellar Explorer relies on the new Cellar APIs we’ve been rolling out, which also power upcoming features around versioning and usage reporting. Expect the tool to keep evolving over the coming months, with more operations exposed directly in the interface.

The Cellar Explorer is available in Beta for every Cellar add-on. Share your feedback and feature requests on our GitHub Community.

Keycloak 26.6 with per-realm IP filtering

Tue, 12 May 2026 00:00:00 +0000

The release 26.6.1 of Keycloak is available on Clever Cloud, bringing bug fixes on top of the new features introduced in Keycloak 26.6.0. This version graduates several features from preview and adds new ones:

Step-up authentication for SAML (preview)
Zero-downtime patch releases supported, with rolling updates for minor versions
New Groups scope for user membership changes and Vault SPI lookup for client secrets
JWT Authorization Grant, Federated client authentication and Workflows promoted to supported
Identity Brokering APIs V2 (preview), the successor to legacy Token Exchange V1 for retrieving external IdP tokens
OAuth Client ID Metadata Document (experimental), enabling Keycloak as an authorization server for the Model Context Protocol
New KCRAW_ environment variable prefix to preserve literal values, dedicated HTTP access log file, configurable log file rotation, graceful HTTP shutdown

Organization groups

Organization groups give each organization its own isolated, nestable group hierarchy. Two organizations can now have a /Engineering/Backend group each without sharing members, attributes or identifiers, which removes the need to namespace groups across the realm.

Identity providers can assign users to organization groups automatically through two new mappers: Hardcoded Group, which adds every brokered user to a specific group, and Advanced Claim to Group, which routes users based on the value of an external IdP claim. Group memberships appear in the organization claim of OIDC tokens and as attributes in SAML assertions, so applications can authorize on them without an extra round-trip. Full automation is available through the new endpoints under /admin/realms/<realm>/organizations/{orgId}/groups.

SCIM Realm API (experimental)

This release also introduces the SCIM Realm API (System for Cross-domain Identity Management) as an experimental feature, disabled by default. It exposes POST, GET, PATCH, PUT and DELETE operations for users and groups, the core user, enterprise user and group schemas, and SCIM filtering and pagination on search endpoints. Bulk operations, password management, sorting and custom schemas and attributes are not supported yet. Two security fixes ship in this release, addressing an IDOR on the SCIM PUT endpoint and an authorization bypass on user group management.

To expose /realms/<realm>/scim/* endpoints, add scim-api to the KC_FEATURES environment variable of the Java application and rebuild it. KC_FEATURES is a build-time setting, so a simple restart is not enough. Once the rebuild completes, enable SCIM on each target realm from the Keycloak admin console (Realm Settings, SCIM API Enabled toggle) where the SCIM base URL is also displayed.

Per-realm IP filtering

On top of upstream features, this version of the Keycloak add-on deployed on Clever Cloud extends its IP filtering capabilities. In addition to the existing in-realm authenticator flow, you can now restrict access to administration, public and SCIM endpoints on a per-realm basis through environment variables of the underlying Java application. Four families of variables control these filters, each accepting a comma-separated list of IP addresses:

CC_KEYCLOAK_ADMIN_IPS_<REALM>: restricts /admin/<realm>/* and /admin/realms/<realm>/* for a given realm
CC_KEYCLOAK_PUBLIC_IPS_<REALM>: restricts /realms/<realm>/* (login pages, user authentication, tokens)
CC_KEYCLOAK_SCIM_IPS_<REALM>: restricts /realms/<realm>/scim/* provisioning endpoints
CC_KEYCLOAK_ADMIN_IPS: global fallback for any /admin/* endpoint not covered by a per-realm admin rule

The realm name in the variable suffix must match the realm name as it appears in URLs (case-sensitive). Per-realm filters take precedence over the global admin filter. Blocked requests receive an HTTP 403 response. If no IP filtering variable is set, Keycloak keeps its standard public behavior.

For example, to allow only two office IPs to reach the master realm admin console and a dedicated server to call SCIM on the production realm:

CC_KEYCLOAK_ADMIN_IPS_master="203.0.113.10,203.0.113.11"
CC_KEYCLOAK_SCIM_IPS_production="198.51.100.42"

Updating

You can update through the add-on’s dashboard in the Clever Cloud Console. You can also set CC_KEYCLOAK_VERSION of the underlying Java application to 26.6.1 and rebuild it, or use Clever Tools:

clever features enable operators

clever keycloak version check yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId 26.6.1

Linux kernel 7.0.6 available

Tue, 12 May 2026 00:00:00 +0000

Over the last few weeks, we worked on decoupling the Linux kernel from the rest of our runtime images. This work is now complete: kernel upgrades no longer require a full image refresh and can roll out on their own cadence, which means faster delivery of security fixes and hardware support improvements without touching the language runtimes, build tools, or system libraries shipped in each image.

As a first step on this new pipeline, Linux 7.0.6 is now available. To run your application on this kernel, restart it from the Clever Cloud Console or with clever restart. Newly deployed applications pick up the new kernel automatically.

Metabase 60 is available, with Metabot, MCP server and split panel charts

Tue, 12 May 2026 00:00:00 +0000

The x.60 branch of Metabase is now available on Clever Cloud. It brings Metabot with “bring your own key” support for Anthropic models, an official MCP server to connect Claude, Cursor and other tools, and a Slack integration to query data directly from a channel.

It also introduces a metrics explorer to compare multiple metrics side-by-side and surface trends across dimensions, split panel charts to display multiple series as faceted panels, frozen columns and rows in tables, a transform inspector to compare data before and after a transform runs, model-to-transform migration in a few clicks, OpenID Connect (OIDC) authentication, remote sync with GitLab and Bitbucket in addition to GitHub, and multiple enhancements and bug fixes.

You can update through the add-on’s dashboard in the Clever Cloud Console. You can also set CC_METABASE_VERSION of the underlying Java application to 0.60 or 1.60 for the enterprise edition (EE) and rebuild it, or use Clever Tools:

clever features enable operators

clever metabase version check yourMetabaseNameOrId
clever metabase version update yourMetabaseNameOrId
clever metabase version update yourMetabaseNameOrId 0.60

New RAM requirements

Starting with the x.60 branch, Metabase requires at least 2 GB of RAM to run. Because the XS Java instance previously used by default only provides 1 GB of RAM, the default sizing has been adapted: new Metabase add-ons are deployed on a S Java instance, and existing add-ons are automatically migrated to a S Java instance when upgrading to version 60.

This new branch is not yet the default if you use community-latest, we’ll move to it in the next few weeks. To prepare for the automatic move to x.60, we recommend scaling the underlying Java application from XS (the current default) to a S instance now from the Scalability link in your Metabase add-on dashboard.

If you want to keep an XS instance, stay on the x.59 branch by setting CC_METABASE_VERSION to 0.59 (or 1.59 for the Enterprise Edition) on the underlying Java application. Keep in mind that staying on x.59 means you will not receive the new features shipped with x.60 and beyond; security patches and some fixes will still be provided as long as the 0.59 branch is maintained. We recommend moving to a S instance and the latest branch as soon as possible.

Network Groups are now available in the Console

Tue, 12 May 2026 00:00:00 +0000

Network Groups — our WireGuard-based private networks between Clever Cloud resources — are now first-class citizens in the Clever Cloud Console. Until now, creating and managing them required the public API or Clever Tools. The same operations are now available directly in the Console.

From the Network Groups section of your organisation, you can create a new group with its label, description and tags, browse the groups already in place, and delete the ones you don’t need anymore. Opening a group shows its CIDR, the members linked to it (applications, add-ons or external resources) and the peers currently connected, with domain name and IP inside the private network.

Linking resources is also done from the Console: pick an application or an add-on from your organisation and add it as a member of the group in a few clicks. Removing a member works the same way, and the change is reflected immediately on the peers list as instances reconnect to the network.

This rounds out the Network Groups experience across all our interfaces — API, CLI, and now the Console — so you can pick the one that fits your workflow. Share your feedback and feature requests on our GitHub Community.

Materia KV: query your data through GraphQL

Mon, 11 May 2026 00:00:00 +0000

Materia KV gains a second compatibility layer: a GraphQL endpoint that reads from the same keyspace as the Redis API. Every key you write through a Redis/Valkey compatible client is immediately queryable through GraphQL, with no synchronization in between. Both interfaces authenticate with the same token ($KV_TOKEN / $REDIS_PASSWORD), passed as a bearer token.

As Materia KV is a distributed cluster, the GraphQL endpoint is a single URL shared by every add-on in a given region. For Paris:

https://materiakv-graphql.eu-fr-1.services.clever-cloud.com/graphql

The schema exposes a single root type, MateriaKvQuery, with queries for strings, hashes and sets — single-key lookups, batched reads, pattern matching, and server-side set algebra (setIntersection, setDifference, setUnion). Introspection is enabled, so you can browse the full schema in the embedded GraphiQL playground (open the URL in a browser) or pull it as SDL with any introspection tool.

The GraphQL layer is read-only for now — mutations aren’t supported yet. Use the Redis API for writes. Have a look at this end-to-end example combining both layers: writes via the Redis API, reads via GraphQL.

Clever Tools 4.10: organisation-scoped add-on providers

Thu, 07 May 2026 00:00:00 +0000

Clever Tools 4.10.0 is available. This release makes add-on provider discovery organisation-aware, so you can see exactly which providers, regions and plans are available for a given organisation before creating a new add-on.

Organisation-scoped add-on providers

The clever addon providers and clever addon providers show commands now accept an --org option. When set, results are filtered to match the providers, zones and plans exposed by the addonproviders API for that organisation, instead of the global catalogue.

# List add-on providers available for a specific organisation
clever addon providers --org orga_xxx

# Inspect a single provider, with org-specific plans and regions
clever addon providers show postgresql-addon --org orga_xxx

The clever addon create command also uses --org to validate the requested region. Without it, region availability checks were not organisation-aware, which could let creation calls through in regions not allowed for your organisation. With this fix, the CLI rejects the call up front when the target region is not available in the selected organisation.

How to upgrade

To upgrade Clever Tools, use your favourite package manager. For example with npm:

npm update -g clever-tools
clever version

Metabase 60 and RAM requirements

Wed, 06 May 2026 00:00:00 +0000

Starting with its x.60 branch, Metabase requires at least 2 GB of RAM to run. The XS Java instance currently used by default for the Metabase add-on on Clever Cloud only provides 1 GB of RAM, which is no longer enough. To make sure your Metabase instance keeps deploying and running smoothly, we are adapting the default sizing:

Metabase add-ons created from today onwards use a S Java instance instead of XS
When the update to version 60 will be offered, existing add-ons will automatically be migrated to a S Java instance during the upgrade

Kubernetes 1.36 is now used by default

Tue, 05 May 2026 00:00:00 +0000

Kubernetes 1.36 “Haru” is available on Clever Kubernetes Engine since its release. It’s now the default version deployed when no --cluster-version is specified. New clusters will run on v1.36 unless you explicitly pick another supported one.

You can still target v1.35 or v1.34 with --cluster-version, as long as they remain supported (n-2 from the current release, mirroring the official Kubernetes support policy):

clever k8s create myCluster --cluster-version 1.35

Existing clusters are not migrated automatically. To move one to v1.36, use Clever Tools:

clever k8s version update myClusterNameOrId 1.36

Matomo 5.10 is available with dark mode and a refreshed interface

Mon, 04 May 2026 00:00:00 +0000

Our Matomo add-on has been updated to version 5.10.0 which is now used by default. This release introduces a new dark mode, available from your personal settings, to reduce brightness in low-light environments. The interface has also been modernized with updated widget styling, refreshed navigation bars, redesigned selectors for websites, segments or dashboards.

This version also improves the Goals submenu ordering, lets actions use configured delimiters for flat report labels, prevents modern content tables from overflowing their card containers and keeps action buttons properly styled during focus states.

You can deploy this release from our Console or Clever Tools. Existing customers’ add-ons are already up-to-date.

Clever Tools 4.9: full Kubernetes lifecycle from the CLI

Tue, 28 Apr 2026 00:00:00 +0000

Clever Tools 4.9.0 is available. This release significantly extends the clever k8s command set to cover the full lifecycle of Clever Kubernetes Engine, as it’s now in public Beta. It also adds Swagger UI access to Otoroshi services and ships smaller quality-of-life improvements.

Kubernetes lifecycle management

The clever k8s command set now covers cluster creation with detailed topology, ongoing operations, node group management, version upgrades and quota visibility. The create command accepts --topology, --flavor, --cluster-version, --replication-factor, --autoscaling, --persistent-storage and --nodegroup to provision a cluster matching your needs in a single command. The get output now reports topology, features, node groups and load balancers.

# Enable access to the k8s command set
clever features enable k8s

# Create a cluster with a control plane topology, version and initial node group
clever k8s create my-cluster \
 --topology dedicated_compute --flavor S --replication-factor 3 \
 --cluster-version 1.36 --autoscaling \
 --nodegroup XS:3 --persistent-storage

# Inspect the cluster (topology, features, node groups, load balancers)
clever k8s get my-cluster

# Update metadata or features
clever k8s update my-cluster --description "Production cluster" --tag env:prod,team:platform

Node groups have their own subcommands to list, create, get, update and delete, with autoscaling bounds and arbitrary tags:

# Create an autoscaling node group
clever k8s nodegroups create my-cluster workers XS:3 --autoscaling --min 3 --max 10

# List node groups attached to a cluster
clever k8s nodegroups list my-cluster

# Update bounds or target count
clever k8s nodegroups update my-cluster workers --count 5

# Delete a node group
clever k8s nodegroups delete my-cluster workers --yes

Version management is now first-class. The version subcommand reports the installed version and offers to upgrade to the latest available release when the cluster is outdated. The version update subcommand upgrades a cluster to an explicit target version when you prefer to drive the upgrade yourself:

# Check the current version and prompt for an upgrade if available
clever k8s version my-cluster

# Upgrade the cluster to a target version
clever k8s version update my-cluster --target 1.36

Two more commands round out the set: clever k8s activity shows recent deployment events of a cluster, and clever k8s quota reports the Kubernetes quota, current usage and remaining capacity for an organisation during public Beta.

clever k8s activity my-cluster --limit 100
clever k8s quota

Once your cluster reaches the ACTIVE state, retrieve its kubeconfig and drive it with kubectl like any other Kubernetes cluster. With --persistent-storage enabled at creation time, a default Ceph RBD StorageClass is provisioned on the cluster, so any PersistentVolumeClaim you create is bound automatically:

# Generate the kubeconfig and set it as your current context
clever k8s get-kubeconfig my-cluster > ~/.kube/config

# Inspect cluster nodes and the persistent storage driver
kubectl get nodes
kubectl get csidrivers
kubectl get storageclasses

# Deploy a workload and let it consume the default StorageClass
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=LoadBalancer

Learn more about Clever Kubernetes Engine

Otoroshi Swagger UI

You can now open the Otoroshi Swagger UI directly from the CLI with a new clever otoroshi open swaggerui subcommand. The clever otoroshi get command also exposes the Swagger URL alongside the other endpoints, so you can hand it over to teammates or automation without opening the Console first.

# Open the Swagger UI of an Otoroshi service in your browser
clever otoroshi open swaggerui my-otoroshi

# Get service details, including the Swagger URL
clever otoroshi get my-otoroshi

How to upgrade

To upgrade Clever Tools, use your favourite package manager. For example with npm:

npm update -g clever-tools
clever version

Images update: Ruby 4.0.3, Git 2.54, Yarn 4.14

Tue, 28 Apr 2026 00:00:00 +0000

We updated all our images, except PHP. Deployment is in progress for all our users.

Common:
- Linux kernel 6.19.14
- CA certificates 20260223
- Git 2.54.0
Node.js & Bun:
- Yarn 4.14.1
Ruby:
- Update to 3.2.11
- Update to 3.4.9
- Update to 4.0.3

Kubernetes 1.36 is available

Fri, 24 Apr 2026 00:00:00 +0000

We added support for Kubernetes 1.36.0 “Haru”, which ships multiple enhancements. Fine-grained kubelet API authorization and faster SELinux labelling of volumes reach GA, while Workload Aware Scheduling and DRA device taints and tolerations move to beta. The long-deprecated gitRepo volume plugin is permanently removed, and Service.spec.externalIPs enters deprecation ahead of its removal in v1.43. Kubernetes 1.36.0 can be selected for new deployments; v1.35 remains the default for now. Migration of existing clusters will be available soon.

Decommissioning Logs API v2 endpoints

Thu, 23 Apr 2026 00:00:00 +0000

Clever Cloud is decommissioning the legacy Logs API v2 endpoints on May 23rd, 2026. The v4 API has been available for some time and provides a more reliable and consistent interface to access your application logs. If you still rely on v2 endpoints to fetch logs, migrate to the v4 API as soon as possible.

May 23rd, 2026: v2 logs endpoints will be permanently disabled. Any integration still using v2 will stop receiving logs.

How to migrate

The v4 Logs API exposes the same capabilities with an improved interface. Update your HTTP calls to target the v4 endpoints documented in the Logs section of the v4 API reference. Authentication and query parameters follow the same conventions as the rest of the v4 API.

After migrating, your integration can continue fetching logs via v4.

If you have any questions or need help with the migration, contact our support team.

Logs API v4 reference

Otoroshi 17.15 brings agents with tools and memory, OAuth2 token exchange, PluginPresets and requires Java 25

Thu, 23 Apr 2026 00:00:00 +0000

Otoroshi v17.15.1 is available. It introduces an OAuth2 token exchange plugin implementing RFC 8693 for secure service-to-service API communication, a new PluginPreset kind to package and reuse plugin configurations, a MandatoryConsumerPreset plugin and a workflow-based authentication module. The OAuth2Caller plugin can now rely on an authentication module for the client credentials flow, and $2b$ / $2y$ Bcrypt hashes are now accepted.

A redesigned admin interface and manual

The admin interface has been redesigned with refreshed themes, a new home page, a reworked API editor with sticky actions and form views capped at 1000 px to improve readability. The UI also now only displays entities a user is actually authorized to see. The full manual has been reworked as well, with ditaa schemas replaced by mermaid ones, and the OpenAPI specification and Swagger UI can be protected behind an optional access secret.

API management, data exporters and plugin development

API management gains direct subscription to a plan and a new consistency service. The PostgreSQL data exporter now supports retention and plugin developers can rely on a reusable stateful clients internal API. Several fixes address a race condition in data exporters loading, legacy audit event layouts, body consumption handling and the OAuth2Caller password grant type.

LLM extension: agents, memory and Kreuzberg

This release includes LLM extension 0.0.75, which significantly expands agent capabilities with built-in tools (system_exec, file_read, file_write, http_call), a per-session working memory, autonomous persistent memory on Redis and PostgreSQL and a new agent OpenAI proxy plugin. Embedding stores and persistent memories now support many backends (PostgreSQL, Redis, Elasticsearch, OpenSearch, Qdrant, Weaviate, Pinecone, ChromaDB), a semantic cache on Redis with a custom embedding model and MCP audit events. The Anthropic provider exposes version and beta settings, and Kreuzberg is now available as a content-to-markdown and OCR backend.

Java 25 is now required

Otoroshi 17.15 requires Java 25 to load the Kreuzberg content-to-markdown and OCR backend. Starting with this release, all new Otoroshi add-ons are created with CC_JAVA_VERSION=25, and any update to Otoroshi 17.15 automatically switches the underlying Java application to Java 25. If you prefer to handle this manually, you can set CC_JAVA_VERSION to 25 on the Java application backing your Otoroshi add-on and rebuild it before updating Otoroshi itself.

You can update through your add-on dashboard in the Clever Cloud Console. You can also set CC_OTOROSHI_VERSION of the underlying Java application to v17.15.1_1776891995 and rebuild it, or use Clever Tools:

clever features enable operators

clever otoroshi version check yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId v17.15.1_1776891995

Learn more about Otoroshi with LLM on Clever Cloud

Kubernetes 1.36 is available

Wed, 22 Apr 2026 00:00:00 +0000

Kubernetes release 1.36.0 is available on Clever Kubernetes Engine. Headline changes include faster SELinux volume labeling promoted to GA, external signing of ServiceAccount tokens through cloud KMS or HSMs, and Dynamic Resource Allocation gaining taints and tolerations for physical devices. The gitRepo volume driver — deprecated since v1.11 — has been permanently removed; migrate to init containers or git-sync tools. Select 1.36 explicitly at creation with --cluster-version 1.36; the default for new clusters remains 1.35. Migration of existing clusters will be available soon.

Matomo 5.9 is available with CNIL compliance automation and segment management

Wed, 22 Apr 2026 00:00:00 +0000

Our Matomo add-on has been updated to version 5.9.0 which is now used by default. You can enable “Enforce compliance” to automatically apply CNIL-compliant settings to your sites, without manual configuration. A dedicated page lets you create, edit and organise all your segments in one place, accessible from the Visitors menu and segment selector. The updated calendar adds new date presets for frequently used reporting periods.

This release also brings security enhancements such as multi-session sign-out, the ability to export a dashboard to scheduled reports, and various bug fixes across segment handling, visitor mapping and database optimization. No major database upgrade is required.

You can deploy this release from our Console or Clever Tools. Existing customers’ add-ons are already up-to-date.

API update: rotate GitHub webhook secrets for your applications

Tue, 21 Apr 2026 00:00:00 +0000

The Clever Cloud API now exposes a dedicated endpoint to rotate the GitHub webhook secret of an application linked to a GitHub repository.

The rotation applies to the target application and its siblings sharing the same webhook, so a single call keeps every linked deployment in sync with the new secret. Until now, rotating a webhook secret meant creating a new application, which was cumbersome and error-prone. The new endpoint replaces that workflow with a single authenticated call.

How to use it

You can call this endpoint through any authenticated request to the Clever Cloud API, or through the clever curl command of Clever Tools, which signs the request using the active user profile:

clever curl -X POST https://api.clever-cloud.com/v2/organisations/{orgId}/applications/{appId}/github-webhook/secret

The response confirms the rotation. Any existing GitHub push event already in flight keeps working with the previous secret until GitHub picks up the new configuration; subsequent deliveries use the rotated secret automatically.

Refer to the v2 API reference for the full request and response schema.

Images update: Node.js 24.15, Clever Tools 4.8, nginx 1.30, FrankenPHP 1.12.2

Tue, 21 Apr 2026 00:00:00 +0000

We updated all our images, except PHP. Deployment is in progress for all our users.

Common:
- Linux kernel 6.19.13
- Chromium 147.0.7727.101
- Clever Tools 4.8.0
- htop 3.5.0
- nano 9.0
- nginx 1.30.0
- OpenSSH 10.3p1
- OpenSSL 3.5.6
- SQLite 3.53.0
FrankenPHP:
- Update to 1.12.2 (with CC_PHP_VERSION=8.5)
- Symfony CLI 5.17.1
Go:
- Update to 1.26.2
Node.js & Bun:
- Update to 24.15.0 (npm 11.12.1)
- Bun 1.3.12
Python:
- Update to 3.13.13
- Update to 3.14.4
- uv 0.11.7
Ruby:
- Update to 3.2.11

Matomo 5.8 is available with AI chatbot traffic tracking

Wed, 15 Apr 2026 00:00:00 +0000

The Matomo add-on on Clever Cloud has been updated to version 5.8.0, which is now used by default. This release introduces a new AI Assistants menu with dedicated reports to track AI chatbot traffic separately from human visits, covering platforms such as Cloudflare, Amazon CloudFront and WordPress. The All Websites dashboard now shows a “Total AI Chatbots Requests” metric, and “Total Hits” combines human visits with AI chatbot requests. This version also improves scheduled reports formatting, CSV/TSV export options and archiving performance.

You can deploy this release from the Clever Cloud Console or Clever Tools. Existing customers’ add-ons are already up-to-date.

JS Client 12.1: new features for Keycloak, Matomo, Metabase and Otoroshi

Mon, 13 Apr 2026 00:00:00 +0000

Clever Cloud JS client 12.1 is available. This release extends the new client structure introduced in v12 with dedicated commands for four managed add-ons: Keycloak, Matomo, Metabase and Otoroshi.

New add-on commands

You can now manage the lifecycle of these services directly from the client. For Matomo, the release adds RebootMatomoCommand and RebuildMatomoCommand to reboot the add-on or rebuild it without cache, and exposes the associated Materia KV identifier through resource.kvId in the GetMatomoInfoCommand output. Keycloak, Metabase and Otoroshi each get their own dedicated command set on the same model.

import { CcApiClient } from "@clevercloud/client/cc-api-client.js";
import { GetMatomoInfoCommand } from "@clevercloud/client/cc-api-commands/matomo/get-matomo-info-command.js";

const client = new CcApiClient({
 authMethod: {
 type: 'api-token',
 apiToken: process.env.CLEVER_API_TOKEN,
 },
});

const info = await client.send(new GetMatomoInfoCommand({ id: 'addon_xxxxxxxx' }));
console.log(info.resource.kvId);

Bug fixes

Events: the events client now uses ws:// when the API host is served over http://, restoring support for local development setups.
Matomo: GetMatomoInfoCommand no longer sorts available versions, preserving the order returned by the API.

How to upgrade

Add or update @clevercloud/client in your project:

npm install @clevercloud/client@12.1.0

Refer to the new client documentation for usage details and share your feedback on the GitHub repository.

Keycloak 26.5.7 (security update)

Mon, 13 Apr 2026 00:00:00 +0000

The release 26.5.7 of Keycloak is available on Clever Cloud. It addresses seven security vulnerabilities: CVE-2025-14083, CVE-2026-1002, CVE-2026-3429, CVE-2026-4634, CVE-2026-4636, CVE-2026-3872 and CVE-2026-4282.

You can update through the add-on’s dashboard in the Clever Cloud Console. You can also set CC_KEYCLOAK_VERSION of the underlying Java application to 26.5.7 and rebuild it, or use Clever Tools:

clever features enable operators

clever keycloak version check yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId 26.5.7

Learn more about Keycloak on Clever Cloud

Clever Tools 4.8: OAuth consumers and drains for add-ons

Thu, 09 Apr 2026 00:00:00 +0000

Clever Tools 4.8.0 is available. This release adds a new oauth-consumers command set to manage OAuth consumers from the CLI and extends clever drain to operate on add-ons.

OAuth consumers management

You can now create and manage OAuth consumers directly from the CLI. The new clever oauth-consumers command set covers the full lifecycle: list, create, get details, update, open in the Console and delete. Consumers can be referenced by name (when unambiguous) or by their consumer key, and the get command supports a --with-secret flag when you need to retrieve the consumer secret for application configuration.

# List OAuth consumers
clever oauth-consumers list

# Create a new consumer with rights and callback URL
clever oauth-consumers create my-app \
 --description "My application" \
 --url https://my-app.example.com \
 --base-url https://my-app.example.com/oauth/callback \
 --rights access-personal-information,access-organisations

# Get details, including the secret
clever oauth-consumers get my-app --with-secret

# Update an existing consumer
clever oauth-consumers update my-app --description "Updated description"

# Open the consumer page in the Console
clever oauth-consumers open my-app

# Delete a consumer
clever oauth-consumers delete my-app --yes

These commands target the current profile’s organisation by default. The create command accepts the --org option to specify the consumer’s organisation. For other commands, the consumer key is enough to identify the resource.

Learn more about OAuth consumers

Drains on add-ons

The clever drain commands now accept an --addon option to manage log drains on add-ons, in addition to applications. All drain subcommands (create, enable, disable, get, remove and the top-level listing) accept this new option, which resolves either an add-on ID or its real ID. The --addon option is mutually exclusive with --app and --alias.

# List drains on an add-on
clever drain --addon postgresql_xxxxxxxx

# Create a drain on an add-on
clever drain create --addon postgresql_xxxxxxxx raw-http https://logs.example.com

# Get a specific drain
clever drain get --addon postgresql_xxxxxxxx <DRAIN-ID>

# Remove a drain
clever drain remove --addon postgresql_xxxxxxxx <DRAIN-ID>

Bug fixes

Network groups commands have been adapted to the @clevercloud/client v12 API change for peer configuration, restoring proper peer handling.

How to upgrade

To upgrade Clever Tools, use your favourite package manager. For example with npm:

npm update -g clever-tools
clever version

Images update: mdBook 0.5, Static Web Server 2.42, OAuth2Proxy 7.15.1, Tailscale 1.96.3

Tue, 07 Apr 2026 00:00:00 +0000

We updated all our images, except PHP. Deployment is in progress for all our users.

Common:
- Linux kernel 6.19.11
- nginx 1.28.3
- OAuth2 Proxy 7.15.1
- Tailscale 1.96.3
Python:
- uv 0.11.2
Ruby:
- Update to 3.3.11
- Update to 4.0.2
Static:
- mdBook 0.5.2
- Static Web Server 2.42.0
V (Vlang):
- Update to 0.5.1

mdBook 0.5

mdBook 0.5 introduces some breaking changes. If your configuration is not yet compatible, follow the migration guide.

Terraform provider 1.11.0

Thu, 02 Apr 2026 00:00:00 +0000

The 1.11.0 release of the Clever Cloud Terraform provider is available. It adds new resources (add-on provider, OAuth consumer, vulnerability scanner), improved validation for environment variables, add-on options and plan slugs, exponential backoff retry for 503 errors, and multiple bug fixes.

Learn more about Clever Cloud Terraform provider

MySQL 8.0.45 and 8.4.8 are available

Tue, 31 Mar 2026 00:00:00 +0000

We updated MySQL images for releases 8.4 (8.4.8-8) and 8.0 (8.0.45-36). They’re now available for add-ons creation and migration.

Invoices now group services by sub-organisation

Mon, 30 Mar 2026 00:00:00 +0000

Some of our customers operate organisations on behalf of third parties, such as business providers, and manage sub-organisations for them. Starting with the next billing cycle, invoices will be improved for these use cases:

Billed services will be grouped by sub-organisation within the invoice
A per sub-organisation summary will be included at the beginning of the invoice, providing a clear overview of costs

This makes it easier to track and allocate costs across sub-organisations, without changing the existing detailed breakdown.

Current invoice detail on the left, new per sub-organisation summary on the right

Materia KV: new hash, string and TTL commands

Mon, 30 Mar 2026 00:00:00 +0000

Materia KV adds six new commands to its Redis-compatible layer, expanding hash, string and time to live (TTL) management capabilities:

HEXISTS: check if a field exists in a hash
HSETNX: set a hash field only if it doesn’t already exist
HINCRBY: increment the integer value of a hash field
GETDEL: atomically get a string value and delete its key
EXPIREAT: set key expiration using an absolute Unix timestamp in seconds
PEXPIREAT: set key expiration using an absolute Unix timestamp in milliseconds

These commands are available for new and already deployed add-ons, with no additional configuration.

This update also brings reliability improvements to the underlying storage layer. The SCAN, HSCAN, SSCAN and KEYS commands now produce more accurate results thanks to fixes in the scan boundary logic.

Transactions now enforce retry limits of 5 retries with a 5-second timeout, preventing cascading retries from overwhelming the cluster under heavy contention. Previously, transactions could retry indefinitely on conflict.

Otoroshi 17.14 enhances remote catalogs, adds PostgreSQL data export and MCP OAuth2 enforcement

Mon, 30 Mar 2026 00:00:00 +0000

Otoroshi v17.14 is available with significant enhancements to remote catalogs. They now support organisation scanning, additional GitHub-like providers, pattern-based and YAML-formatted descriptor files, as well as Kubernetes-like manifests. This release also introduces PostgreSQL as a data exporter target and adds Redis Sentinel password support with the Lettuce driver.

New mandatory flags are available on client certificate plugins and OIDC JWT verification for APIs, offering finer control over authentication requirements. The expression language has been improved with path-based read support for deep structures such as user profiles, with complex structure stringification. Several fixes address tunnel handler plugin visibility, Kafka data exporter host validation, and the “Override Location header” plugin behaviour.

This release includes LLM extension 0.0.74, adding over 40 new providers through an enhanced generic OpenAI client (including Minimax, Morph, Cloud Temple and many others). MCP exposition has been significantly strengthened with all missing methods now implemented (resources, templates, prompts), fine-grained per-tool scoped authorisations, and OAuth2 enforcement with a new MCP Protected Resource Metadata document plugin. This version also introduces an OpenAI Responses proxy plugin and a new OpenAI API aggregator plugin that unifies chat completions, responses, Anthropic /messages and context serving into a single endpoint.

You can update through add-on’s dashboard in the Clever Cloud Console. You can also set CC_OTOROSHI_VERSION of the underlying Java application to v17.14.0_1774627527 and rebuild it, or use Clever Tools:

clever features enable operators

clever otoroshi version check yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId v17.14.0_1774627527

Learn more about Otoroshi with LLM on Clever Cloud

Images update: FrankenPHP 1.12, Gradle 9.4, Rust 1.94, set PHP & Composer versions in all runtimes

Wed, 25 Mar 2026 00:00:00 +0000

We updated all our images, except PHP. Deployment is in progress for all our users.

Common:
- Linux kernel 6.19.7
- Anubis 1.25.0
- Chromium 146.0.7680.153
- Clever Tools 4.7.1
- cURL 8.19.0
- FFmpeg 8.1
- Ghostscript 10.07
- OAuth2 Proxy 7.14.3
- Poppler 26.03
- SQLite 3.52.0
- Varnish 8.0.1
- Vim 9.2.0096
Elixir:
- Erlang 26.2.5.18
- Erlang 27.3.4.9
- Erlang 28.4.1
FrankenPHP:
- Update to 1.12.1 with PHP 8.5.4 (with CC_PHP_VERSION=8.5)
Go:
- Update to 1.26.1
Java:
- Gradle 9.4.1
- Maven 3.9.14
Node.js & Bun:
- Update to 24.14.1 (npm 11.11.0)
- Bun 1.3.11
- Yarn 4.13.0
Python:
- Update to 3.10.20
- Update to 3.11.15
- Update to 3.12.13
- uv 0.10.12
Ruby:
- Update to 3.4.9
Rust:
- Update to 1.94.0
- Rustup 1.29.0
Static:
- Caddy 2.11.2

PHP & Composer version

You can now set CC_PHP_VERSION and CC_COMPOSER_VERSION in any runtime. We also fixed a bug that prevented to use another Composer version than the LTS with FrankenPHP.

Log drains collection

We removed old log drains stack, except for application still using it.

Learn more about log drains old stack deprecation

Keycloak 26.5.6 (security update)

Mon, 23 Mar 2026 00:00:00 +0000

The release 26.5.6 of Keycloak is available on Clever Cloud. It addresses eight security vulnerabilities: CVE-2026-1180, CVE-2026-1035, CVE-2025-14777, CVE-2025-14082, CVE-2026-3121, CVE-2026-3190, CVE-2026-3911 and CVE-2026-2366.

You can update through the add-on’s dashboard in the Clever Cloud Console. You can also set CC_KEYCLOAK_VERSION of the underlying Java application to 26.5.6 and rebuild it, or use Clever Tools:

clever features enable operators

clever keycloak version check yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId 26.5.6

Learn more about Keycloak on Clever Cloud

Metabase 59 is now used by default

Mon, 23 Mar 2026 00:00:00 +0000

The x.59 branch of Metabase is available on Clever Cloud since earlier this month. It’s now the default branch deployed with the release 0.59.3. It means that:

All new add-ons will use it
All add-ons using default configuration (community-latest) will use it after a rebuild

You can update through the add-on’s dashboard in the Clever Cloud Console. You can also set CC_METABASE_VERSION of the underlying Java application to 0.59 or 1.59 for the enterprise edition (EE) and rebuild it, or use Clever Tools:

clever features enable operators

clever metabase version check yourMetabaseNameOrId
clever metabase version update yourMetabaseNameOrId
clever metabase version update yourMetabaseNameOrId 0.59

Drains legacy stack deprecation

Thu, 19 Mar 2026 00:00:00 +0000

For the past few months, Clever Cloud has provided a new drain stack and a v4 API that is more reliable and provides better monitoring. It’s available through Clever Tools since release 4.4.0. If you still use the legacy drains implementation, we encourage you to migrate to the new stack as soon as possible.

The legacy drains will be disabled on June 1st, 2026. In the meantime, we will make some changes to prepare for the migration and help you transition smoothly:

March 19th, 2026: we added CC_PREVENT_LEGACY_LOGSCOLLECTION=false environment variable on applications linked to a legacy active drain
Starting with the next image release, if not set to false, we will consider this environment variable as true and only push logs of applications with a drain to the new drain stack
June 1st, 2026: legacy drains will be disabled and all applications will need to use the new drain stack to receive logs

How to migrate

To migrate to the new drain stack, just create a new drain with Clever Tools, then remove CC_PREVENT_LEGACY_LOGSCOLLECTION=false from your application environment variables and restart it. The new drain should start receiving logs immediately.

If you have any questions or if you need help with the migration, contact our support team.

Learn more about Clever Tools drain command

Clever Tools 4.7: SSH remote commands, improved drains and backup downloads

Wed, 11 Mar 2026 00:00:00 +0000

Clever Tools 4.7.0 is available. This release enhances SSH with remote command execution and interactive instance selection, improves drain monitoring and fixes database backup downloads.

SSH remote command execution

You can now execute a single command on a running instance with the new --command (or -c) option. The command runs in a login shell and exits immediately, making it convenient for quick diagnostics, scripting or automation.

# List application files
clever ssh -c 'ls -lah $APP_HOME'

# Inspect application environment variables
clever ssh -c "env | sort"

# Read application logs
clever ssh -c "journalctl -u bas-deploy.service --no-pager -n 50"

This also enables AI coding assistants (Claude Code, Codex, Cursor, OpenCode…) to inspect the state of a running instance, analyse configuration files, check logs or troubleshoot issues on your behalf.

Interactive instance selection

When multiple instances are running, clever ssh now displays an interactive selection prompt instead of a numbered list. This provides a more intuitive experience when choosing which instance to connect to.

clever ssh
> ? Select an instance:
> ❯ Sleepy Ponita - Instance 0 - UP (11281f38-...)
> Tense Caterpie - Instance 1 - UP (b10d19d9-...)

Improved drain monitoring

The clever drain and clever drain get commands now display message rates and throughput with dynamic units (messages/hour, messages/minute, messages/second, KiB/second, MiB/second) that adapt to the actual values. Retry information is also shown, including attempt count, last and next attempt timestamps, helping you troubleshoot delivery issues more effectively.

Bug fixes

Database backup downloads now use Node.js stream pipelines, fixing backpressure issues that could cause incomplete downloads on large backups.
Detached HEAD deployments are now handled correctly when using the system Git feature, fixing failures that occurred when deploying from a detached HEAD state.

How to upgrade

To upgrade Clever Tools, use your favourite package manager. For example with npm:

npm update -g clever-tools
clever version

PostgreSQL 18.3, 17.9, 16.13, 15.17, 14.22 are available

Mon, 09 Mar 2026 00:00:00 +0000

New PostgreSQL versions are available for new add-ons and migration:

PostgreSQL 18.3
PostgreSQL 17.9
PostgreSQL 16.13
PostgreSQL 15.17
PostgreSQL 14.22

These versions include multiple bug fixes and improvements. PostgreSQL 14 and 15 are now shipped without plls and plcoffee extensions, which are no longer supported with up to date add-ons.

Learn more about PostgreSQL on Clever Cloud

Keycloak 26.5.5 (security update)

Fri, 06 Mar 2026 00:00:00 +0000

The release 26.5.5 of Keycloak is available on Clever Cloud. It addresses four security vulnerabilities: CVE-2026-3047, CVE-2026-3009, CVE-2026-2603 and CVE-2026-2092.

You can update through the add-on’s dashboard in the Clever Cloud Console. You can also set CC_KEYCLOAK_VERSION of the underlying Java application to 26.5.5 and rebuild it, or use Clever Tools:

clever features enable operators

clever keycloak version check yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId
clever keycloak version update yourKeycloakNameOrId 26.5.5

Learn more about Keycloak on Clever Cloud

Otoroshi 17.13 brings Kubernetes Gateway API support, remote catalogs and audio STT extensions

Wed, 04 Mar 2026 00:00:00 +0000

Otoroshi v17.13 is available with experimental support for the Kubernetes Gateway API, enabling standardised Kubernetes-native traffic management. This release also introduces remote catalogs, allowing to fetch and manage plugin or configuration catalogs from external sources.

A webhook validator plugin is also included, providing HMAC signature verification for incoming webhook payloads. It supports multiple algorithms (SHA256, SHA512, SHA384, SHA1) and is provider-agnostic with configurable signature headers and signing templates, compatible with services such as GitHub, Stripe, Slack or YouSign.

Security headers plugin now supports Referrer-Policy and Permissions-Policy headers, and new configuration options allow exposing public keys with algorithms in JWKS endpoints. Several router fixes improve path matching with wildcard domains, query/header/cookie matching prioritisation, and trailing slash handling. The strict mode of the JWT user extractor plugin has also been fixed.

This release includes LLM extension 0.0.73, bringing audio speech-to-text support with Mistral Voxtral model and Azure OpenAI Audio API. It also includes various provider payload cleanups for Anthropic and xAI formats.

You can update through add-on’s dashboard in the Clever Cloud Console. You can also set CC_OTOROSHI_VERSION of the underlying Java application to v17.13.0_1772616661 and rebuild it, or use Clever Tools:

clever features enable operators

clever otoroshi version check yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId
clever otoroshi version update yourOtoroshiNameOrId v17.13.0_1772616661

Learn more about Otoroshi with LLM on Clever Cloud

Metabase 59 is available, with Data Studio, AI and box-and-whisker plots

Tue, 03 Mar 2026 00:00:00 +0000

The x.59 branch of Metabase is now available on Clever Cloud. It introduces Data Studio, a comprehensive toolkit for data governance including a semantic layer library, dependency graphs, diagnostic tools and data transforms. It also brings box-and-whisker plots, conditional colors for big number displays, AI-powered text-to-SQL for open source users via Anthropic API, a new Agent API, multiple enhancements and bug fixes.

clever features enable operators

clever metabase version check yourMetabaseNameOrId
clever metabase version update yourMetabaseNameOrId
clever metabase version update yourMetabaseNameOrId 0.59

This new branch is not yet the default if you use community-latest, we’ll move to it in the next few weeks.