Skip to content

Latest commit

 

History

History
325 lines (227 loc) · 13.7 KB

CHANGELOG.md

File metadata and controls

325 lines (227 loc) · 13.7 KB

Changelog

All notable changes to this project will be documented in this file.

[Unreleased]

Added

  • Add format-specific annotations to override secret file names (#572). The following new annotations are available:
    • secrets.stackable.tech/format.tls-pkcs12.keystore-name
    • secrets.stackable.tech/format.tls-pkcs12.truststore-name
    • secrets.stackable.tech/format.tls-pem.cert-name
    • secrets.stackable.tech/format.tls-pem.key-name
    • secrets.stackable.tech/format.tls-pem.ca-name
  • Adds new telemetry CLI arguments and environment variables (#591).
    • Use --file-log-max-files (or FILE_LOG_MAX_FILES) to limit the number of log files kept.
    • Use --file-log-rotation-period (or FILE_LOG_ROTATION_PERIOD) to configure the frequency of rotation.
    • Use --console-log-format (or CONSOLE_LOG_FORMAT) to set the format to plain (default) or json.

Changed

  • BREAKING: Replace stackable-operator initialize_logging with stackable-telemetry Tracing (#581, #587, #591).
    • operator-binary:
      • The console log level was set by SECRET_PROVISIONER_LOG, and is now set by CONSOLE_LOG_LEVEL.
      • The file log level was set by SECRET_PROVISIONER_LOG, and is now set by FILE_LOG_LEVEL.
      • The file log directory was set by SECRET_PROVISIONER_LOG_DIRECTORY, and is now set by FILE_LOG_DIRECTORY (or via --file-log-directory <DIRECTORY>).
    • olm-deployer:
      • The console log level was set by STKBL_SECRET_OLM_DEPLOYER_LOG, and is now set by CONSOLE_LOG_LEVEL.
      • The file log level was set by STKBL_SECRET_OLM_DEPLOYER_LOG, and is now set by FILE_LOG_LEVEL.
      • The file log directory was set by STKBL_SECRET_OLM_DEPLOYER_LOG_DIRECTORY, and is now set by FILE_LOG_DIRECTORY (or via --file-log-directory <DIRECTORY>).
    • Replace stackable-operator print_startup_string with tracing::info! with fields.

Fixed

  • Use json file extension for log files (#586).

[25.3.0] - 2025-03-21

Removed

  • Removed CA secret migration job (#548).
    • BREAKING: This means that direct upgrades from 24.3 are no longer supported. Users of 24.3 must first upgrade to 24.7 or 24.11 before continuing. Bear in mind that we officially only support direct upgrades (24.3 -> 24.7 -> 24.11 -> ...).

Added

  • Made RSA key length configurable for certificates issued by cert-manager (#528).
  • Kerberos principal backends now also provision principals for IP address, not just DNS hostnames (#552).
  • OLM deployment helper (#546).
  • Allow the specification of additional trust roots in autoTls SecretClasses (#573).

Changed

  • Bump stackable-operator to 0.87.0 and rand to 0.9 (#569).
  • Default to OCI for image metadata (#544).
  • [BREAKING] When using a fully qualified domain name, only the variant without the trailing dot is added to the SANs. This should only improve the behavior in scenarios where FQDNs are used and not affect anything else (#564).

Fixed

  • Underscores are now allowed in Kerberos principal names (#563).
  • The issuer in generated TLS certificates is set to the subject of the issuing certificate (#566).
  • Lookup KVNO from Active Directory rather than hard coding it (#571).

[24.11.1] - 2025-01-10

Fixed

  • Helm chart: The secret migration job can be omitted via Helm values (#536).
  • Helm chart: The tag of the tools image used for the secret migration job can be changed in the Helm values and defaults now to 1.0.0-stackable24.11.0 rather than being hard-coded to 1.0.0-stackable24.7.0 (#536).

[24.11.0] - 2024-11-18

Added

  • Active Directory's samAccountName generation can now be customized (#454).
  • Added experimental cert-manager backend (#482).
  • Make RSA key length configurable (#506).
  • The operator can now run on Kubernetes clusters using a non-default cluster domain. Use the env var KUBERNETES_CLUSTER_DOMAIN or the operator Helm chart property kubernetesClusterDomain to set a non-default cluster domain` (#510).

Changed

  • Refactored hostname validation (#494).
    • BREAKING: Hostname validation is now somewhat stricter.
    • BREAKING: Hostname validation is now enforced in CRD.
  • Remove custom h2 patch, as Kubernetes 1.26 has fixed the invalid data from Kubernetes' side. Starting with 24.11 we only support at least 1.27 (as it's needed by OpenShift 4.14) (#495).

Fixed

  • Fixed Kerberos keytab provisioning reusing its credential cache (#490).
  • Fixed listener volumes missing a required permission to inspect manually provisioned listeners (#497).
  • test: Fixed cert-manager tests by installing cert-manager if it doesn't exist (#505).

[24.7.0] - 2024-07-24

Added

  • The associated configuration is now logged for each issued secret (#413).
  • Chore: Upgrade csi-provisioner to 5.0.1 and csi-node-driver-registrar to 2.11.1 (#455)

Changed

  • [BREAKING] The TLS CA Secret is now installed into the Namespace of the operator (typically stackable-operators), rather than default (#397).
    • Existing users can either migrate by either:
      • (Recommended) Copying the CA into the new location (kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-)
      • Setting the secretClasses.tls.caSecretNamespace Helm flag (--set secretClasses.tls.caSecretNamespace=default)
  • Reduce CA default lifetime to one year (#403)
  • Update the image docker.stackable.tech/k8s/sig-storage/csi-provisioner in the Helm values to v4.0.1 (#440).
  • Update the image docker.stackable.tech/k8s/sig-storage/csi-node-driver-registrar in the Helm values to v2.10.1 (#440).
  • Bump stackable-operator to 0.70.0, and other dependencies (#467, #470).

Removed

[24.3.0] - 2024-03-20

Added

  • Improved CRD documentation (#333).
  • Helm: support labels in values.yaml (#352).

Changed

  • Use new annotation builder (#341).
  • autoTLS certificate authorities will now be rotated regularly (#350).
    • [BREAKING] This changes the format of the CA secrets. Old secrets will be migrated automatically, but manual intervention will be required to downgrade back to 23.11.x.
  • autoTLS certificate authority lifetimes are now configurable (#357).
  • Certificate lifetimes are now jittered (#361).

[23.11.0] - 2023-11-24

Added

  • Make certificate lifetime configurable (#306).
  • Added support for encrypting PKCS#12 keystores (#314).
  • Added listener scope for provisioned secrets (#310).

[23.7.0] - 2023-07-14

Added

  • Generate OLM bundle for Release 23.4.0 ([#271]).
  • Added support for converting secrets (including generating PKCS#12 bundles) (#286).

Changed

  • operator-rs 0.27.1 -> 0.44.0 (#275, #294).
  • Removed dummy key from generated Kerberos keytab (#285).
  • [BREAKING] Daemonset for SecretOperator now assign resource requests and limits to all containers and init containers. Users who have configured resource limits previously in the 'values.yaml' file will need to move the configured limits from .resources to .node.driver.resources for them to be honored going forward (#289).

[23.4.0] - 2023-04-17

Added

  • Added kerberosKeytab provisioner backend using MIT Kerberos (#99, #257).
  • Added experimental unprivileged mode (#252).

Changed

  • Shortened the registration socket path for Microk8s compatibility (#231).
    • The old CSI registration path will be automatically migrated during upgrade (#258, #260).
    • You might need to manually remove /var/lib/kubelet/plugins_registry/secrets.stackable.tech-reg.sock when downgrading
  • Made kubeletDir configurable (#232).
    • Microk8s users will need to --set kubeletDir=/var/snap/microk8s/common/var/lib/kubelet.

[23.1.0] - 2023-01-23

Changed

  • operator-rs: 0.25.0 -> 0.27.1 (#212).

[0.6.0] - 2022-11-07

Changed

  • Include chart name when installing with a custom release name (#153).
  • operator-rs: 0.10.0 -> 0.25.0 (#180).

[0.5.0] - 2022-06-30

Added

  • "privileged" security context constraints for OpenShift clusters (#144)

[0.4.0] - 2022-05-18

Added

  • Pods that consume Node-scoped k8sSearch secrets will now only be scheduled to Nodes that have the secret provisioned (#125).
    • This is only supported for pods that use the new-style ephemeral volume definitions rather than csi.

Changed

  • Pods that consume secrets should now use the ephemeral volume type rather than csi (#125).
    • csi volumes will keep working for now, but should be considered deprecated, and will not be compatible with all new features.

[0.3.0] - 2022-05-05

Added

  • Pods that use autoTls volumes are now evicted when their certificates are about to expire (#114, commons-#20).

Changed

  • autoTls CA generation now requires opt-in (#77).
    • The default tls SecretClass now has this opt-in by default.

Removed

  • k8sSearch backend's option secretLabels has been removed (#123).

[0.2.0] - 2022-02-14

This release will cause any Pods that already used it get stuck Terminating when they are next deleted. The easiest way to fix this is to perform a rolling reboot of all nodes after the upgrade.

This is a one-time migration.

Changed

  • Store secrets on tmpfs (#37).
  • Locked down secret permissions by default (#37).
  • Operator-rs: 0.8.0 -> 0.10.0 (#49).

Bugfixes

  • Fixed thread starvation and slow shutdowns (#47).

[0.1.0] - 2022-02-03

Added

  • Initial release