All notable changes to this project will be documented in this file.
- Add support for OPA 1.12.3 (#797, #805).
- Add support for OpenLDAP backend to user-info-fetcher (#779).
- Bump testing-tools to `0.3.0-stackable0.0.0-dev` (#793).
- Support objectOverrides using `.spec.objectOverrides`. See the objectOverrides concepts page for details (#795).
- Support `cliOverrides` to allow customization of OPA command-line arguments at role and rolegroup levels (#803).
- Bump stackable-operator to 0.108.0 and strum to 0.28 (#810, #812).
- Gracefully shutdown all concurrent tasks by forwarding the SIGTERM signal (#804).
- Introduce `v1alpha2` `OpaCluster` and mark UIF Entra backend as non-experimental (#801).
- Deprecate OPA 1.8.0 (#797).
- user-info-fetcher: Move backend initialization and credential resolution into backend-specific implementations (#782).
- Prevent unnecessary warning messages in the OPA logs caused by setting a service for the Prometheus status (#799).
- Fix "404 page not found" error for the initial object list (#812).
- Remove support for OPA 1.4.2 (#797).
- Add end-of-support checker which can be controlled with environment variables and CLI arguments (#771).
  - `EOS_CHECK_MODE` (`--eos-check-mode`) to set the EoS check mode. Currently, only "offline" is supported.
  - `EOS_INTERVAL` (`--eos-interval`) to set the interval in which the operator checks if it is EoS.
  - `EOS_DISABLED` (`--eos-disabled`) to disable the EoS checker completely.
- Add a dedicated per-rolegroup `-metrics` Service, which can be used to get Prometheus metrics (#748).
- Expose more Prometheus metrics, such as successful or failed bundle loads and information about the OPA environment (#748).
- Helm: Allow Pod `priorityClassName` to be configured (#762).
- Add support for OPA `1.8.0` (#765).
- Add `prometheus.io/path|port|scheme` annotations to metrics service (#767).
- Add support for TLS (#774).
- Bump stackable-operator to `0.100.1` (#772).
- BREAKING: The per-rolegroup services now only serve the HTTP port and have a `-headless` suffix to better indicate their purpose and to be consistent with other operators (#748).
- BREAKING: The per-role server service is now prefixed with `-server` to be consistent with other operators (#748).
- The user-info-fetcher is no longer an experimental feature (#752).
- Deprecate support for OPA `1.4.2` (#765).
- Fixed `envOverrides` not getting applied due to not being added to the product config machinery (#754).
- Remove support for OPA `1.0.1` (#765).
- Adds new telemetry CLI arguments and environment variables (#715, #744).
  - Use `--file-log-max-files` (or `FILE_LOG_MAX_FILES`) to limit the number of log files kept.
  - Use `--file-log-rotation-period` (or `FILE_LOG_ROTATION_PERIOD`) to configure the frequency of rotation.
  - Use `--console-log-format` (or `CONSOLE_LOG_FORMAT`) to set the format to `plain` (default) or `json`.
- Log the startup event for bundle-builder and user-info-fetcher (#703).
- Support experimental user-info-fetcher Entra backend to fetch user groups (#712).
- Add support for OPA `1.4.2` (#723).
- Add RBAC rule to helm template for automatic cluster domain detection (#743).
- BREAKING: Replace stackable-operator `initialize_logging` with stackable-telemetry `Tracing` (#703, #710, #715, #744).
  - operator-binary:
    - The console log level was set by `OPA_OPERATOR_LOG`, and is now set by `CONSOLE_LOG_LEVEL`.
    - The file log level was set by `OPA_OPERATOR_LOG`, and is now set by `FILE_LOG_LEVEL`.
    - The file log directory was set by `OPA_OPERATOR_LOG_DIRECTORY`, and is now set by `FILE_LOG_DIRECTORY` (or via `--file-log-directory <DIRECTORY>`).
  - bundle-builder:
    - The console log level was set by `OPA_BUNDLE_BUILDER_LOG`, and is now set by `CONSOLE_LOG_LEVEL`.
    - The file log level was set by `OPA_BUNDLE_BUILDER_LOG`, and is now set by `FILE_LOG_LEVEL`.
    - The file log directory was set by `OPA_BUNDLE_BUILDER_LOG_DIRECTORY`, and is now set by `FILE_LOG_DIRECTORY` (or via `--file-log-directory <DIRECTORY>`).
  - user-info-fetcher:
    - The console log level was set by `OPA_OPERATOR_LOG`, and is now set by `CONSOLE_LOG_LEVEL`.
    - The file log level was set by `OPA_OPERATOR_LOG`, and is now set by `FILE_LOG_LEVEL`.
    - The file log directory was set by `OPA_OPERATOR_LOG_DIRECTORY`, and is now set by `FILE_LOG_DIRECTORY` (or via `--file-log-directory <DIRECTORY>`).
  - Replace stackable-operator `print_startup_string` with `tracing::info!` with fields.
- BREAKING: Inject the vector aggregator address into the vector config using the env var `VECTOR_AGGREGATOR_ADDRESS` instead of having the operator write it to the vector config (#707).
- test: Bump to Vector 0.46.1 (#721).
- Use versioned common structs (#727).
- BREAKING: Previously this operator would hardcode the UID and GID of the Pods being created to 1000/0; this has changed now (#732).
  - The `runAsUser` and `runAsGroup` fields will not be set anymore by the operator.
  - The defaults from the docker images themselves will now apply, which will be different from 1000/0 going forward.
  - This is marked as breaking because tools and policies might exist which require these fields to be set.
- user-info-fetcher: the AD backend now uses the Kerberos realm to expand the user search filter (#737).
- BREAKING: Bump stackable-operator to 0.94.0 and update other dependencies (#743, #744).
  - The default Kubernetes cluster domain name is now fetched from the kubelet API unless explicitly configured.
    - This requires operators to have the RBAC permission to get nodes/proxy in the apiGroup "". The helm-chart takes care of this.
    - The CLI argument `--kubernetes-node-name` or env variable `KUBERNETES_NODE_NAME` needs to be set. The helm-chart takes care of this.
- The operator helm-chart now grants RBAC `patch` permissions on `events.k8s.io/events`, so events can be aggregated (e.g. "error happened 10 times over the last 5 minutes") (#745).
- Use `json` file extension for log files (#709).
- Allow uppercase characters in domain names (#743).
- Add missing RBAC permission to patch Kubernetes `events` used for error reporting to helm-chart (#744).
- Correctly propagate the Kubernetes cluster domain to the `opa-bundle-builder` and `user-info-fetcher` sidecars (#744).
- Remove support for OPA `0.67.1` (#723).
- Remove the `lastUpdateTime` field from the stacklet status (#743).
- Remove role binding to legacy service accounts (#743).
- Run a `containerdebug` process in the background of each OPA container to collect debugging information (#666).
- Added support for OPA `1.0.x` (#677, #687).
- Aggregate emitted Kubernetes events on the CustomResources (#675).
- Added support for filtering groups searched by Active Directory (#693).
- Removed support for OPA `0.66.0` (#677).
- Bump `stackable-operator` to 0.87.0 and `stackable-versioned` to 0.6.0 (#696).
- Default to OCI for image metadata and product image selection (#671).
- Active Directory backend for user-info-fetcher now uses the `service={opacluster}` scope rather than `pod,node` (#698).
- BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after restart (#656).
- Added regorule library for accessing user-info-fetcher (#580).
- Added support for OPA 0.67.1 (#616).
- The operator can now run on Kubernetes clusters using a non-default cluster domain. Use the env var `KUBERNETES_CLUSTER_DOMAIN` or the operator Helm chart property `kubernetesClusterDomain` to set a non-default cluster domain (#637).
- Added Active Directory backend for user-info-fetcher (#622).
- Rewrite of the OPA bundle builder (#578).
- Reduce CRD size from `468KB` to `42KB` by accepting arbitrary YAML input instead of the underlying schema for the following fields (#621):
  - `podOverrides`
  - `affinity`
- Bundle builder should no longer keep serving deleted rules until it is restarted (#578).
- Failing to parse one `OpaCluster` should no longer cause the whole operator to stop functioning (#638).
- Remove support for OPA 0.61.0 (#616).
- Support enabling decision logs (#555).
- Bump `stackable-operator` to `0.70.0`, `product-config` to `0.7.0`, and other dependencies (#595).
- Fixed processing of corrupted log events; if errors occur, the error messages are added to the log event (#583).
- Dead code (#596).
- Add user-info-fetcher to fetch user metadata from directory services (#433).
- Helm: support labels in values.yaml (#507).
- Added support for OPA 0.61.0 (#518).
- [BREAKING]: Remove legacy `nodeSelector` on rolegroups. Use the field `affinity.nodeAffinity` instead (#433).
- Removed support for OPA 0.51.0 (#518).
- Default stackableVersion to operator version (#467).
- Document we don't create PodDisruptionBudgets (#480).
- Added support for 0.57.0 (#482).
- Support graceful shutdown (#487).
- Disable OPA telemetry (#487).
- Removed support for versions 0.45.0, 0.41.0, 0.37.2, 0.28.0, 0.27.1 (#482).
- Generate OLM bundle for Release 23.4.0 (#442).
- Missing CRD defaults for `status.conditions` field (#443).
- Support for OPA 0.51.0 (#451).
- Set explicit resources on all containers (#453).
- Support `podOverrides` (#458).
- operator-rs: `0.40.1` -> `0.44.0` (#440, #460).
- Use 0.0.0-dev product images for testing (#441).
- Use testing-tools 0.2.0 (#441).
- Added kuttl test suites (#455).
- Set explicit resources on all containers (#453, #456).
- Migrate "opa-bundle-builder" container name from <= 23.1 releases (#445).
- Increase the size limit of the log volume (#460).
- Cluster status conditions (#428).
- Extend cluster resources for status and cluster operation (paused, stopped) (#430).
- [BREAKING] Support specifying Service type. This enables us to later switch non-breaking to using `ListenerClasses` for the exposure of Services. This change is breaking, because - for security reasons - we default to the `cluster-internal` ListenerClass. If you need your cluster to be accessible from outside of Kubernetes you need to set `clusterConfig.listenerClass` to `external-unstable` or `external-stable` (#432).
- operator-rs `0.27.1` -> `0.40.1` (#411, #420, #430, #431).
- Fragmented `OpaConfig` (#411).
- Bumped stackable image versions to `23.4.0-rc2` (#420).
- Enabled logging (#420).
- Openshift compatibility: extended roles (#431).
- Use operator-rs `build_rbac_resources` method (#431).
- Updated stackable image versions (#374).
- operator-rs `0.22.0` -> `0.27.1` (#377).
- Don't run init container as root and avoid chmod and chowning (#382).
- [BREAKING] Use Product image selection instead of version. `spec.version` has been replaced by `spec.image` (#385).
- Support offline mode (#391).
- Updated to new docker tags containing the opa-bundle builder (#391).
- CPU and memory limits are now configurable (#347).
- Better documentation on the bundle builder (#350)
- Support OPA 0.45.0 (#360).
- Include chart name when installing with a custom release name (#313, #314).
- operator-rs `0.15.0` -> `0.22.0` (#315).
- Reconciliation errors are now reported as Kubernetes events (#241).
- Bundle builder side car container that generates bundles from `ConfigMap` objects (#244).
- The command line argument `--opa-builder-clusterrole` for the `run` subcommand or the environment variable `OPA_BUNDLE_BUILDER_CLUSTERROLE` to set up a service account for the OPA pods (#244, #252).
- The command line argument `--watch-namespace` for the `run` subcommand or the environment variable `WATCH_NAMESPACE` can be used to instruct the operator to watch a particular namespace (#244).
- Added `kuttl` tests from `integration-test` repository (#289).
- operator-rs `0.10.0` -> `0.15.0` (#241, #244, #273).
- BREAKING: Renamed custom resource from `OpenPolicyAgent` to `OpaCluster` (#244).
- Replace the `tempdir` crate with `tempfile` (#287).
- [BREAKING] Specifying the product version has been changed to adhere to ADR018: instead of just specifying the product version you will now have to add the Stackable image version as well, so `version: 3.5.8` becomes (for example) `version: 3.5.8-stackable0.1.0` (#293).
- `regoRuleReference` from OpaConfig and CRD respectively (#273).
- BREAKING: STFU rework (#146).
- BREAKING: regoRuleReference in config now optional (#188).
- Version now a String instead of enum (#156).
- operator-rs `0.6.0` → `0.8.0` (#177).
- Custom resource example now points to regorule-operator service (#177).
- snafu `0.6.0` → `0.7.0` (#188).
- Configurable Port from code and product config (#188).
- operator-rs `0.3.0` → `0.4.0` (#119).
- Adapted pod image and container command to docker image (#119).
- BREAKING CRD: Fixed typos `Reporule` to `Regorule` (#119).
- Adapted documentation to represent new workflow with docker images (#119).
- BREAKING monitoring: container port `metrics` temporarily removed (cannot assign the same port to `client` and `metrics`). This will not work with the current monitoring approach (#119).
- Added PartialEq trait to `OpaReference` (#103).
- operator-rs: `0.3.0` (#115).
- Renamed crd/util to crd::discovery and added deprecated reexport for backwards compatibility (#103).
- Moved `wait_until_crds_present` to operator-binary (preparation for commands) (#115).
- kube-rs: `0.58` → `0.60` (#88).
- k8s-openapi `0.12` → `0.13` and features: `v1_21` → `v1_22` (#88).
- operator-rs `0.2.1` → `0.2.2` (#88).
- `kube-runtime` dependency (#88).
- Added versioning code from operator-rs for up and downgrades (#86).
- Added `ProductVersion` to status (#86).
- Added `Condition` to status (#86).
- Breaking: Repository structure was changed and the -server crate renamed to -binary. As part of this change the -server suffix was removed from both the package name for os packages and the name of the executable (#72).
- Initial release