All notable changes to this project will be documented in this file.
- Made RSA key length configurable for certificates issued by cert-manager (#528).
- Helm chart: The secret migration job can be omitted via Helm values (#536).
- Helm chart: The tag of the tools image used for the secret migration job can be changed in the Helm values and defaults now to 1.0.0-stackable24.11.0 rather than being hard-coded to 1.0.0-stackable24.7.0 (#536).
- Active Directory's `samAccountName` generation can now be customized (#454).
- Added experimental cert-manager backend (#482).
- Make RSA key length configurable (#506).
- The operator can now run on Kubernetes clusters using a non-default cluster domain. Use the env var `KUBERNETES_CLUSTER_DOMAIN` or the operator Helm chart property `kubernetesClusterDomain` to set a non-default cluster domain (#510).
- Refactored hostname validation (#494).
  - BREAKING: Hostname validation is now somewhat stricter.
  - BREAKING: Hostname validation is now enforced in CRD.
- Remove custom `h2` patch, as Kubernetes 1.26 has fixed the invalid data from Kubernetes' side. Starting with 24.11 we only support at least 1.27 (as it's needed by OpenShift 4.14) (#495).
- Fixed Kerberos keytab provisioning reusing its credential cache (#490).
- Fixed listener volumes missing a required permission to inspect manually provisioned listeners (#497).
- test: Fixed cert-manager tests by installing cert-manager if it doesn't exist (#505).
- The associated configuration is now logged for each issued secret (#413).
- Chore: Upgrade csi-provisioner to 5.0.1 and csi-node-driver-registrar to 2.11.1 (#455).
- [BREAKING] The TLS CA Secret is now installed into the Namespace of the operator (typically `stackable-operators`), rather than `default` (#397).
  - Existing users can migrate by either:
    - (Recommended) Copying the CA into the new location (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`)
    - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`)
- Reduce CA default lifetime to one year (#403)
- Update the image docker.stackable.tech/k8s/sig-storage/csi-provisioner in the Helm values to v4.0.1 (#440).
- Update the image docker.stackable.tech/k8s/sig-storage/csi-node-driver-registrar in the Helm values to v2.10.1 (#440).
- Bump `stackable-operator` to `0.70.0`, and other dependencies (#467, #470).
- Dead code (#468).
- Use new annotation builder (#341).
- `autoTLS` certificate authorities will now be rotated regularly (#350).
  - [BREAKING] This changes the format of the CA secrets. Old secrets will be migrated automatically, but manual intervention will be required to downgrade back to 23.11.x.
- `autoTLS` certificate authority lifetimes are now configurable (#357).
- Certificate lifetimes are now jittered (#361).
- Make certificate lifetime configurable (#306).
- Added support for encrypting PKCS#12 keystores (#314).
- Added listener scope for provisioned secrets (#310).
- Generate OLM bundle for Release 23.4.0 (#271).
- Added support for converting secrets (including generating PKCS#12 bundles) (#286).
- operator-rs: 0.27.1 -> 0.44.0 (#275, #294).
- Removed dummy key from generated Kerberos keytab (#285).
- [BREAKING] The Daemonset for SecretOperator now assigns resource requests and limits to all containers and init containers. Users who have previously configured resource limits in the `values.yaml` file will need to move the configured limits from `.resources` to `.node.driver.resources` for them to be honored going forward (#289).
- Added `kerberosKeytab` provisioner backend using MIT Kerberos (#99, #257).
- Added experimental unprivileged mode (#252).
- Shortened the registration socket path for Microk8s compatibility (#231).
- Made kubeletDir configurable (#232).
  - Microk8s users will need to `--set kubeletDir=/var/snap/microk8s/common/var/lib/kubelet`.
- operator-rs: 0.25.0 -> 0.27.1 (#212).
- Include chart name when installing with a custom release name (#153).
- operator-rs: 0.10.0 -> 0.25.0 (#180).
- "privileged" security context constraints for OpenShift clusters (#144).
- Pods that consume Node-scoped `k8sSearch` secrets will now only be scheduled to Nodes that have the secret provisioned (#125).
  - This is only supported for pods that use the new-style `ephemeral` volume definitions rather than `csi`.
- Pods that consume secrets should now use the `ephemeral` volume type rather than `csi` (#125). `csi` volumes will keep working for now, but should be considered deprecated, and will not be compatible with all new features.
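As an added illustration that is not part of this changelog, the deprecated inline `csi` volume definition is shown (commented out) beside the `ephemeral` form it should be replaced with. The driver name and storage class `secrets.stackable.tech` and the `secrets.stackable.tech/class` and `secrets.stackable.tech/scope` annotation keys are taken from the secret-operator documentation, not from this page, and are assumptions here; the image name is a placeholder.

```yaml
# Added example, not from the changelog. Driver, storage class and annotation
# names are assumed from the secret-operator documentation.
apiVersion: v1
kind: Pod
metadata:
  name: tls-consumer
spec:
  containers:
    - name: app
      image: example.invalid/app:latest   # placeholder image
      volumeMounts:
        - name: tls
          mountPath: /stackable/tls
          readOnly: true
  volumes:
    # Deprecated form: inline CSI volume. It still mounts, but newer features
    # such as Node-aware scheduling for node-scoped k8sSearch secrets (#125)
    # only apply to ephemeral volumes.
    # - name: tls
    #   csi:
    #     driver: secrets.stackable.tech
    #     volumeAttributes:
    #       secrets.stackable.tech/class: tls
    #       secrets.stackable.tech/scope: node,pod
    #
    # Preferred form: generic ephemeral volume backed by a PVC template. The
    # SecretClass and scopes move into annotations on the claim template.
    - name: tls
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: tls
              secrets.stackable.tech/scope: node,pod
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"
```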
- Pods that use `autoTls` volumes are now evicted when their certificates are about to expire (#114, commons-#20).
- `autoTls` CA generation now requires opt-in (#77).
  - The default `tls` `SecretClass` now has this opt-in by default.
- `k8sSearch` backend's option `secretLabels` has been removed (#123).
This release will cause any Pods that already used it to get stuck Terminating when they are next deleted. The easiest way to fix this is to perform a rolling reboot of all nodes after the upgrade.
This is a one-time migration.
- Store secrets on tmpfs (#37).
- Locked down secret permissions by default (#37).
- Operator-rs: 0.8.0 -> 0.10.0 (#49).
- Fixed thread starvation and slow shutdowns (#47).
- Initial release