All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- [#227] Remove `allowPrivilegeEscalation` flag
- [#225] Proxy support for the container and dogu registry. The proxy will be used from the secret `ces-proxy` which will be created by the setup or the blueprint controller.
- [#222] Functionality to set security-specific fields in Dogu descriptors and CRs.
  - These will be used to generate a security context for the deployment.
- [#223] Removed unnecessary rbac proxy to fix CVE-2024-45337
- [#218] Missing RBACs for events
- [#216] Annotation for exposed ports
- [#218] Leader-election. It is not necessary as we do not scale for now.
- [#216] Exposing services
- [#218] Problem with missing RBACs for events
- [#215] Create network policies for all dogus and their component-dependencies
- [#208] Disable default service-account auto-mounting for dogus
- [#208] Disable service-account token auto-mounting for exec-pods
- [#212] NetworkPolicy to deny all ingress traffic to this operator
- [#204] fetch dogu descriptors with retry
- [#211] Create network policies for all dogus and their dogu-dependencies
- [#205] Use correct apiVersion `v1` in component patch template.
- [#201] Breaking: The name of the secret containing the container registry configurations changed from `k8s-dogu-operator-docker-registry` to `ces-container-registries`. Use this secret; instead of mounting it as an environment variable, the dogu-operator now mounts it as the file `/tmp/.docker/config.json`. Add the environment variable `DOCKER_CONFIG` so that crane can use the configuration as default.
- [#200] Restrict RBAC permissions as much as possible
- [#198] Change go module to v2
- [#198] Change dogu api to v2
- [#198] Change mocks to be inpackage and testonly
- [#198] Change go version to 1.23.2
- [#198] Change makefile version to 9.3.1
- [#196] Update k8s-registry-lib to v0.4.1
- [#192] Add missing clientSet-dependency to ManagerSet
  - This fixes a bug when removing component service-accounts
- [#190] Fix a bug where the dogu operator could not install dogus with optional dependencies because the old etcd not found error was used in dependency validation instead of the k8s not found error.
- Relicense to AGPL-3.0-only
- [#187] Fix dependency for k8s-dogu-operator-crd in helm-chart
  - Now depends on `k8s-dogu-operator-crd:2.x.x-0`
Breaking Change ahead
- [#184] Remove support for internal ETCD
- [#184] Add k8s-registry lib in version 0.2.2 to use config maps for configuration instead of the etcd.
  - This change requires all other installed dogus to use doguctl >= v0.12.1
- [#181] Handle dogu health states with a config map and provide dogus the volume mounts
- [#182] Update dogu upgrade docs not to use doguctl state for handling upgrades
- [#171] Fix unnecessary creation of dogu PVCs.
- [#173] Fix start dogu-operator if dogu-cr is in cluster without a deployment
- [#171] Only create PVCs for dogus with volumes that need backup.
- Update go version to 1.22
- Update go dependencies
- [#174] Use ConfigMaps in parallel to ETCD for the local dogu registry
- [#176] Add environment variable `ECOSYSTEM_MULTINODE` to identify if dogu is running in multinode.
- [#179] Use local dogu registry from k8s-registry-lib
- [#169] Fix dogu-operator-crd dependency version.
- This release is broken due to an invalid helm dependency version for the `dogu-operator-crd`
- [#149] Clarified escaping rules for running the operator locally (see here or here)
- [#151] Add field `stopped` in Dogu to start or stop the Dogu.
- [#151] Add new CRD `DoguRestart` to trigger a dogu restart.
  - The reconciler uses the `stopped` field from the Dogu.
- [#159] Manage Service Accounts provided by components
- [#162] Add start and shutdown handler to refresh the dogu health states.
- [#158] Add installed version to dogus status to be able to check the exact state of the dogu.
- [#154] Only accept dogu volume sizes in binary format.
- [#156] Stabilized process when updating the status of the dogu cr.
- [#152] The health routine no longer marks a dogu as available if the deployment was scaled to 0.
- [#153] Fix dogu status of restart routine.
- [#167] Select dogu restart resources per dogu for garbage collection.
- Update go dependencies
  - Particularly update the k8s-libraries to v0.29.1
- [#141] Improve documentation for running an offline Cloudogu EcoSystem.
- [#143] Track health on dogu CR
- [#145] Dogu startupProbe timeouts in airgapped environments
- [#145] Configurable startupProbe timeout
- [#139] Fix missing value for attribute `chownInitImage` in patch templates.
- [#137] Patch-template for mirroring this operator and its images
- [#135] Replace monolithic K8s resource YAML into Helm templates
- Update Makefiles to 9.0.1
- [#133] Add CRD-Release to Jenkinsfile
- [#130] updated go dependencies
- [#130] deprecation warning for argument `logtostderr` in kube-rbac-proxy
- [#130] deprecated argument `logtostderr` from kube-rbac-proxy
- [#128] Move component-dependencies to helm-annotations
- this release cleans up unused code parts that are no longer required: no functionality has been changed
- [#118] Make implicitly used init container images explicit and configurable
  - this release adds a mandatory ConfigMap `k8s-dogu-operator-additional-images` which contains additionally used images - see the operations docs for more information
- [#125] Validate that `metadata.Name` equals the simple dogu name in `spec.Name`.
- [#121] Operator cannot recognize multiple changes/required operations at once.
  - Now multiple required operations are detected and after the first operation is done, a requeue is triggered to execute the other ones.
- [#117] Fix waiting for PVC to be resized on "AzureDisk"-storage
  - The condition "FileSystemResizePending" has to be checked for storage-interfaces (like "AzureDisk") that require a file system expansion before the additional space of an expanded volume is usable by pods.
- [#119] Add "k8s-etcd" as a dependency to the helm-chart
- [#113] Prevent nginx HTTP 413 errors for too small body sizes in SCM-Manager and Jenkins in dogu resource samples
  - A default value of 1 GB per request is now in place
  - Update versions for SCM-Manager (2.45.1-1) and Jenkins (2.401.3-1) in the sample dogu resources
- [#115] Fixes conflicts on status update during dogu installation
- [#111] Add Helm chart release process to project
- [#109] Dogu-volumes without backup (needsBackup: false) are now mounted to an emptyDir-volume. Dogu-volumes with backup (needsBackup: true) are mounted to the Dogu-PVC.
- [#106] Resource limits (memory, cpu-cores, ephemeral storage) are now read from `/config/<dogu>/container_config/<resource-type>_limit` instead of `/config/<dogu>/pod_limit/<resource-type>`.
- [#106] Resource requests are now handled separately from limits and can be configured through `/config/<dogu>/container_config/<resource-type>_request`.
- [#106] Defaults for these requests and limits can now be set in the `Configuration` section of the `dogu.json`. These will be used if the key is not configured in the config registry.
- [#108] Failing execs on pods because of missing `VersionedParams`
- [#104] Change the pre-upgrade process, so that it doesn't need to create the additional reserved volumes anymore. To do so, we adopted the approach of the k8s api (`kubectl cp`) and copied the script directly into the old container by using `tar`.
- [#102] Generate only one loadbalancer service for all dogu exposed ports so that all will be available with the same IP. Nginx ingress needs additional information to route TCP and UDP traffic. The dogu operator creates and updates configmaps (`tcp-services` and `udp-services`) for that.
- [#98] Support for service rewrite mechanism
- [#100] Longhorn validation for PVCs
- [#96] Trim "dogus/" suffix only on URL "default" schema
  - this change avoids removing the endpoint suffix for the "index" schema
- [#93] Delete additional ingress annotations if not present on the dogu resource
- [#94] Correct ingress annotation in docs and sample
- [#91] Add additional ingress annotations to dogu resource. Append those annotations to the dogu's service.
- [#89] Add retry mechanism when pulling image metadata to avoid installation/upgrade interrupts if errors occur. Moreover, increase the backoff time to 10 minutes when waiting for an exec pod to pull the dogu image.
- [#87] Support for Split-DNS environments
- [#85] Fix DoS vulnerability by upgrading the k8s controller-runtime (along with `k8s-apply-lib`)
- The dogu operator can now handle existing private dogu keys.
- [#83] Stabilize the dogu registration process.
  - Dogus will only be enabled last in the registration process to prevent faulty states in error cases.
- [#79] Fix a bug where an installation failed if old PVCs stuck with terminating status.
- [#81] Add optional volume mounts for selfsigned certs of the docker and dogu registries.
- [#78] Add a no spam filter to process every event thrown by the controller.
- [#76] Fix an issue where an update of a deployment in the dogu upgrade process led to a resource conflict.
- [#74] Add init container for dogus with volumes to execute chown on the directories with the specified uid and gid.
- [#72] Remove the service environment variables from dogu pods with `enableServiceLinks: false` in the podspec of the dogu pods. Cluster-aware dogus are generally discouraged from using service link env vars because of security considerations. Instead, the service DNS names should be used to address these services as described in the Kubernetes documentation.
- Update makefiles to version 7.2.0.
- Update ces-build-lib to 1.62.0.
- [#70] add/update label for consistent mass deletion of CES K8s resources
  - select any k8s-dogu-operator related resources like this: `kubectl get deploy,pod,dogu,rolebinding,... -l app=ces,app.kubernetes.io/name=k8s-dogu-operator`
  - select all CES components like this: `kubectl get deploy,pod,dogu,rolebinding,... -l app=ces`
- Added kubernetes client for handling dogu resources of a cluster.
- Accept kind `ces` for ces control service accounts.
- [#44] Support for expanding dogu volumes. For details see volume expansion docs.
- [#66] Fixes dogu upgrade problems of `official/scm` dogus and adds a fallback strategy to execute pre-upgrade scripts - for a detailed discussion please see the dogu upgrade docs.
- Fixes a nil pointer panic when upgrading Dogus without `state` health check
- [#61] Add the yaml of the Dogu CRD in api package. Other controllers/operators can consume it for e.g. integration tests with envtest. The `generate` make target will refresh the yaml.
- [#62] Fix wrong exposed service object key. During the creation of exposed services some wrong object keys were used. Later on this led to an error when trying to get these resources.
- [#64] Fix the creation of service annotations by ignoring all irrelevant environment variables and by correctly splitting environment variables containing multiple `=`.
- [#59] Support for extended volume definitions in the `dogu.json`, allowing the creation of kubernetes specific volumes.
- [#59] Support for extended service account definitions in the `dogu.json`, allowing the creation of kubernetes accounts for dogus.
- [#59] Mechanism to patch the generated dogu deployment with custom volumes and service account names. These are now supported by the `dogu.json` and natively generated into the deployment.
- [#55] Refactoring the creation and update of kubernetes dogu resources.
  - Extract interfaces and mocks to an internal package, which removes duplicate interfaces and avoids import cycles.
- [#48] Make dogu registry URL schema configurable.
- [#47] Execute Dogu pre-upgrade scripts in upgrade process. See dogu upgrades.
- [#51] Execute Dogu post-upgrade scripts in upgrade process. See dogu upgrades.
- [#52] Remove cesapp dependency and use cesapp-lib.
- [#43] Dogu resource has now a support mode, which leads the dogu pods to a freeze but running state. This is useful in cases where the dogu is in a restart loop. See support mode for more information.
- [#41] Fire events to the specific dogu resource when installing or deleting a dogu. See event policy for more information.
- [#40] Support dogu upgrades
  - `k8s-dogu-operator` checks the dogu health and all its dependencies similar to the `cesapp`
  - The current PVC handling ignores any changes for dogu upgrades. This issue will be solved later.
  - for more information about requeueing and internal error handling the docs on reconciliation provide more insights
- fixes a possible parsing error when the environment variable `LOG_LEVEL` is set but empty
- [#41] Update makefiles to version `v7.0.1`.
- [#36] Update `cesapp-lib` to version `v0.4.0`
- [#36] Update `k8s-apply-lib` to version `v0.4.0`
- [#36] Changed the loggers for both libs `cesapp-lib` and `k8s-apply-lib` according to the new logging interface.
- [#38] Detect existing PVC when installing a dogu. This allows users to store initial data for dogus before their installation. See documentation for more details.
- [#38] Update `ces-build-lib` to version 1.56.0
- [#38] Update `makefiles` to version 6.3.0
- [#34] Fixed a permission issue where the remote registry tries to write to a non-privileged cache dir.
- [#28] Dogu hardware limit updater responsible to update the deployments of dogus with configured container limits.
- [#28] Updated cesapp-lib to version 0.2.0
- [#29] Remove implementation of the remote http dogu registry and instead, reuse the implementation from the cesapp-lib.
- [#31] Split dogu manager into separate components according to its functions (install, update, delete).
- [#26] Allow the definition of custom Deployment in dogus. In such custom Deployments it is possible to define extra volumes, volume mounts, and the used service account for the dogu Deployment.
- [#6] Installing generic kubernetes resources when installing a dogu. These resources need to be provided by the dogu image at the `k8s` folder in the root path (`/k8s`):
  - There are no restrictions for namespaced resources.
  - The creation of cluster scoped resources is restricted and also their deletion is not performed automatically as they could be used inside multiple namespaces.
- [#6] Update makefiles to version 6.0.2
- [#19] Remove service account on dogu deletion.
- [#20] Detect and write encrypted configuration entries for dogus into the etcd registry when installing a dogu.
- [#15] Add startup probe based on state at dogu deployment generation
- [#15] Add liveness probe based on tcp port at dogu deployment generation
- [#17] Requeue dogu installation when an error occurs when creating a dependent service account.
- [#2] Annotation `k8s-dogu-operator.cloudogu.com/ces-services` to Dogu-Services containing information of related CES services. For more information see Annotations.
- [#13] The automatic generation of service accounts
- [#11] Breaking Change ahead! The secret containing the dogu registry data was split and renamed from `dogu-registry-com` to `k8s-dogu-operator-dogu-registry` and `k8s-dogu-operator-docker-registry`. It also received the registry endpoint as an additional literal besides username and password. Existing users need to delete their old secret and create two new ones. The creation process is described here and here.
- [#2] Update makefiles to version 5.0.0
- [#8] Add the opportunity to process custom dogu descriptors with configmaps
- [#8] Use status field of the dogu resource to identify its state
- [#4] Add functionality to remove dogus
- [#4] Restrict the dogu-operator with rbac resources to operate only in the configured namespace
- [#8] Ignore incoming dogu resources if their specs did not change
  - this is likely to happen after status updates where the old and new dogu specs do not differ
- [#1] initial release