diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index c5bd7d265..fe864868c 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,4 +1,4 @@
 {
- ".": "0.3.0"
+ ".": "0.1.0"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ece336fa5..8bc06255f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
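Review bot: The manifest hunk moves `"."` from `0.3.0` back to `0.1.0`, which is a version regression rather than a release bump, and the CHANGELOG hunk that follows adds a `## [0.1.0]` section dated the same day as 0.3.0 with the compare link `compare/0.3.0...0.1.0`, so release-please appears to have been run against a stale release target. The new changelog section itself records `release 0.1.0 (#302)` and the `0.1.0-rc.*` targets as already shipped, so merging this would likely make the tag workflow try to re-create an existing (and, per `#298`, signed) release tag, and would re-list every earlier change under the wrong version for anyone auditing what 0.1.0 actually contained. The manifest line should stay `".": "0.3.0"` (or move to the intended next version, e.g. via a `Release-As` footer if a specific target is needed) and the regenerated `[0.1.0]` section should be dropped before this is merged. The Chart.yaml hunk that begins at the end of this page is cut off, so whether the chart version regresses in the same way cannot be confirmed from here.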
@@ -2,6 +2,197 @@ Release notes are generated and maintained via **release-please** based on **Conventional Commits**. +## [0.1.0](https://github.com/dc-tec/openbao-operator/compare/0.3.0...0.1.0) (2026-05-19) + + +### ⚠ BREAKING CHANGES + +* **core:** Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics ([#73](https://github.com/dc-tec/openbao-operator/issues/73)) +* **core:** remove Sentinel drift detection (VAP hardening) ([#39](https://github.com/dc-tec/openbao-operator/issues/39)) +* **upgrade:** simplify blue/green cutover and split rolling strategy ([#37](https://github.com/dc-tec/openbao-operator/issues/37)) +* **config:** openbaocluster config renderer +* **upgrade:** upgrade manager; blue/green upgrades +* **controller:** openbaocluster refactor; sentinel improvements + +### Features + +* **admission:** authorize maintenance through RBAC ([#347](https://github.com/dc-tec/openbao-operator/issues/347)) ([b7c05a7](https://github.com/dc-tec/openbao-operator/commit/b7c05a770bcc97ea1931caf0a3c05919540c38ab)) +* **api:** add OpenBaoCluster observedGeneration and printer columns ([#286](https://github.com/dc-tec/openbao-operator/issues/286)) ([1c8f8ae](https://github.com/dc-tec/openbao-operator/commit/1c8f8aeb143fd90ca6452d2f72852c47b14ab5ea)) +* **api:** add runtime restart controls ([#348](https://github.com/dc-tec/openbao-operator/issues/348)) ([b1efd34](https://github.com/dc-tec/openbao-operator/commit/b1efd3442c2c5cd0a58c654b749103ab7cf5ac81)) +* **ast-grep:** add policy-driven architecture guardrails with CI enforcement ([#201](https://github.com/dc-tec/openbao-operator/issues/201)) ([1faee9a](https://github.com/dc-tec/openbao-operator/commit/1faee9a6b000d0e68770d7e2894e68d66f13f534)) +* **backup;restore:** azure blob storage and GCS support as backup provider ([#71](https://github.com/dc-tec/openbao-operator/issues/71)) ([e8a2f2d](https://github.com/dc-tec/openbao-operator/commit/e8a2f2dd68b4af96136d0e387e9199e934a74c82)) 
+* **bluegreen:** blue/green traffic switching improvements ([5e5f815](https://github.com/dc-tec/openbao-operator/commit/5e5f8157e52dd7dfcacd07565cd35270c0ec3f20))
+* **charts:** operator helm chart ([c00ff58](https://github.com/dc-tec/openbao-operator/commit/c00ff58ab1d39b64919acad5456ae221c8b69fc1))
+* **controller;chart;rbac:** controller hardening, Helm sync automation, and RBAC race fix ([#40](https://github.com/dc-tec/openbao-operator/issues/40)) ([c9dd0b5](https://github.com/dc-tec/openbao-operator/commit/c9dd0b54857a60d2dfe47bcc10d4a75929412a27))
+* **controller:** add extra metrics ([3ed3915](https://github.com/dc-tec/openbao-operator/commit/3ed3915ad5d37349891bbc0abadccca7ce0b0643))
+* **controller:** single tenancy support ([49b7327](https://github.com/dc-tec/openbao-operator/commit/49b7327caed9394e89999023a4cd1f2488faf2a4))
+* **core:** add consistent Kubernetes lifecycle events ([#226](https://github.com/dc-tec/openbao-operator/issues/226)) ([93687af](https://github.com/dc-tec/openbao-operator/commit/93687af087760053b01de76dc6a050e3f5c9e280))
+* **core:** add perf baseline harness and gates ([#118](https://github.com/dc-tec/openbao-operator/issues/118)) ([bf91ce2](https://github.com/dc-tec/openbao-operator/commit/bf91ce24ec1de79cb96b1d1a1370938b62195dd7))
+* **core:** cluster lifecycle hardening; e2e suite refactor ([#72](https://github.com/dc-tec/openbao-operator/issues/72)) ([3de5142](https://github.com/dc-tec/openbao-operator/commit/3de5142367e0076a169f1ebb14497c150dbf5722))
+* **core:** enable Raft Autopilot for automatic dead server cleanup ([#44](https://github.com/dc-tec/openbao-operator/issues/44)) ([61aa711](https://github.com/dc-tec/openbao-operator/commit/61aa7115390c8cd9143f9fd4f985414c2756b909))
+* **core:** harden lifecycle contracts and supporting coverage ([#237](https://github.com/dc-tec/openbao-operator/issues/237)) ([44de947](https://github.com/dc-tec/openbao-operator/commit/44de94790ed765a8eb4036490858139b6a8561bd))
+* **core:** helm manifest values and templates ([6060fbd](https://github.com/dc-tec/openbao-operator/commit/6060fbd04cfb36caadd97718f604fee4250f43e3))
+* **core:** Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics ([#73](https://github.com/dc-tec/openbao-operator/issues/73)) ([446e494](https://github.com/dc-tec/openbao-operator/commit/446e4949febbb3155aa999b2d53a720f971e8db5))
+* **core:** introduce restore CRD ([4d19b72](https://github.com/dc-tec/openbao-operator/commit/4d19b72b5c74b337b61776f58f0d8f6ff711e8a9))
+* **core:** make JWT audience configurable and plumb JWT bootstrap config across backup/upgrade/restore ([#57](https://github.com/dc-tec/openbao-operator/issues/57)) ([3057c61](https://github.com/dc-tec/openbao-operator/commit/3057c61293920b718d3dd5ece951858b77f5b1c6))
+* **core:** OpenShift compatibility support ([#62](https://github.com/dc-tec/openbao-operator/issues/62)) ([47d7770](https://github.com/dc-tec/openbao-operator/commit/47d7770854a52d3113294ecc9cd667d8b54acd77))
+* **infra;controller:** implement support for online PVC expansion of running OpenBao Clusters ([#75](https://github.com/dc-tec/openbao-operator/issues/75)) ([42fabd3](https://github.com/dc-tec/openbao-operator/commit/42fabd30c6ef0d5ec4ababe85f74fc8d37cc1810))
+* **infra:** add default node and zone spreading for OpenBao StatefulSets ([#214](https://github.com/dc-tec/openbao-operator/issues/214)) ([1d7afc8](https://github.com/dc-tec/openbao-operator/commit/1d7afc8d55ddede8b24207274101a13d4352e98a))
+* **infra:** add pod metadata hooks for workload identity ([#216](https://github.com/dc-tec/openbao-operator/issues/216)) ([9bd2546](https://github.com/dc-tec/openbao-operator/commit/9bd2546ccf5caf0024263073635a2a87ad6713c1))
+* **infra:** Expose listenerName field for Gateway API HTTPRoute targeting ([#30](https://github.com/dc-tec/openbao-operator/issues/30)) ([5babd3f](https://github.com/dc-tec/openbao-operator/commit/5babd3f8a2b44c8135b8c1e2ea75a31062bc42e9))
+* **infra:** improve hardened and ACME deployments ([#63](https://github.com/dc-tec/openbao-operator/issues/63)) ([d40600e](https://github.com/dc-tec/openbao-operator/commit/d40600effacb689a89c0f52aee1f74e74129117e))
+* **infra:** make DNS namespace configurable in NetworkPolicies ([#58](https://github.com/dc-tec/openbao-operator/issues/58)) ([a675dfa](https://github.com/dc-tec/openbao-operator/commit/a675dfad6c52c030e7c265ebf60836b976957d26))
+* **manifests:** install manifest ([ffc63c6](https://github.com/dc-tec/openbao-operator/commit/ffc63c669bd13c930c8e8f11ce465298e4ab4c0d))
+* **manifests:** self-service tenant onboarding ([2a8d4d0](https://github.com/dc-tec/openbao-operator/commit/2a8d4d03bfdd53b86af93dbf4b6b4be9c9fcc9a7))
+* **manifests:** wire-in image verification for all components ([d94d1f9](https://github.com/dc-tec/openbao-operator/commit/d94d1f9d14c81bd994124fc964e69787045fb646))
+* **observability:** add metrics, dashboards, e2e assertions; upgrade stability ([#101](https://github.com/dc-tec/openbao-operator/issues/101)) ([d4ce07d](https://github.com/dc-tec/openbao-operator/commit/d4ce07dc4d895381066ca86962fc5758f66dfd33))
+* **openbaocluster:** add ingress integration readiness ([#409](https://github.com/dc-tec/openbao-operator/issues/409)) ([945b4a4](https://github.com/dc-tec/openbao-operator/commit/945b4a407829e8bb5f5617309873215ae356fc2d))
+* **openbao:** improve PKCS[#11](https://github.com/dc-tec/openbao-operator/issues/11) runtime ergonomics ([#400](https://github.com/dc-tec/openbao-operator/issues/400)) ([f32a6ec](https://github.com/dc-tec/openbao-operator/commit/f32a6ec0fdc46ab911bc714daa4ec40d0527ef97))
+* **operator:** add supported single-tenant custom identity install paths ([#239](https://github.com/dc-tec/openbao-operator/issues/239)) ([d41ff74](https://github.com/dc-tec/openbao-operator/commit/d41ff74b33133bd05bb2b2a7dadcaf4e4fe3305a))
+* **perf:** refresh kind performance baseline ([#120](https://github.com/dc-tec/openbao-operator/issues/120)) ([69e5366](https://github.com/dc-tec/openbao-operator/commit/69e5366651ac500925336358fb013c0e9650e4f2))
+* **policy:** enforce Hardened profile requires replicas >= 3 via VAP ([#23](https://github.com/dc-tec/openbao-operator/issues/23)) ([c15ab9f](https://github.com/dc-tec/openbao-operator/commit/c15ab9fd1421b613e138861a962f51cd76b721b3))
+* **provisioner:** configurable tenant resource quotas ([#50](https://github.com/dc-tec/openbao-operator/issues/50)) ([4c6fc29](https://github.com/dc-tec/openbao-operator/commit/4c6fc2915cb821547129a6c9b8e1ed73e42fd500))
+* **readreplicas:** add steady-state read replica topology and status ([#361](https://github.com/dc-tec/openbao-operator/issues/361)) ([9a74c14](https://github.com/dc-tec/openbao-operator/commit/9a74c143e9061f42f5c7557af7a7e9b767252926))
+* **readreplicas:** integrate read replicas with upgrade and restore workflows ([#362](https://github.com/dc-tec/openbao-operator/issues/362)) ([e8bf8b8](https://github.com/dc-tec/openbao-operator/commit/e8bf8b820c06ccab1fb81a9df25223dfbf4e0666))
+* **restore:** add RBAC for restore jobs and validate authentication ([#16](https://github.com/dc-tec/openbao-operator/issues/16)) ([e7772a1](https://github.com/dc-tec/openbao-operator/commit/e7772a146482c9626c545bddff185b9a2f687c1b))
+* **security:** Add admission-time protections for SSRF, TLS secrets, and tenant self-service ([#51](https://github.com/dc-tec/openbao-operator/issues/51)) ([ae2f86c](https://github.com/dc-tec/openbao-operator/commit/ae2f86c851b1369676cee536b37dd934c8ef0d0a))
+* **security:** add operatorimageVerification field to CRD to allow separate verification of both OpenBao and Operator images ([#8](https://github.com/dc-tec/openbao-operator/issues/8)) ([4c1b8cc](https://github.com/dc-tec/openbao-operator/commit/4c1b8cccd1d2c47618c29efa3d08c54535da421c))
+* **security:** expand control-plane audit coverage for startup, operations, and RBAC mutations ([#109](https://github.com/dc-tec/openbao-operator/issues/109)) ([b32dc97](https://github.com/dc-tec/openbao-operator/commit/b32dc97175999aadb84cecf867395a7cca2a6f85))
+* **security:** harden image verification and align edge/nightly signed manifest streams ([#112](https://github.com/dc-tec/openbao-operator/issues/112)) ([b755ca3](https://github.com/dc-tec/openbao-operator/commit/b755ca333c4e598cf5904b9e68817ac540393cc5))
+* **security:** harden image verification defaults and sign edge/nightly images ([#111](https://github.com/dc-tec/openbao-operator/issues/111)) ([5ffed83](https://github.com/dc-tec/openbao-operator/commit/5ffed83ea179fe14fedba50320425d8e4ce0b30c))
+* **security:** harden operator RBAC with ValidatingAdmissionPolicy guardrails ([#100](https://github.com/dc-tec/openbao-operator/issues/100)) ([643fd94](https://github.com/dc-tec/openbao-operator/commit/643fd94af7f0a128bf4f62fa073ffa70ec92af18))
+* **security:** tighten operator security and authentication contracts ([#238](https://github.com/dc-tec/openbao-operator/issues/238)) ([7b14fb1](https://github.com/dc-tec/openbao-operator/commit/7b14fb1cc9046cd469451c3d1d8bb4cb0cbb0302))
+* **upgrade:** harden backup and restore flows ([cb542ab](https://github.com/dc-tec/openbao-operator/commit/cb542ab466e29ddbbf61460ebd9368891aa9e359))
+* **upgrade:** improve upgrade manager stability by using SSA for status updates and make pre-upgrade backup job names deterministic ([#17](https://github.com/dc-tec/openbao-operator/issues/17)) ([78f6124](https://github.com/dc-tec/openbao-operator/commit/78f6124b7e3545149b86a167165fb081b7c810ac))
+* **upgrade:** unify manual upgrade requests on OpenBaoCluster ([#228](https://github.com/dc-tec/openbao-operator/issues/228)) ([b6f6848](https://github.com/dc-tec/openbao-operator/commit/b6f68487add3723932ff454f18d63f0c6688cac5))
+* **vap:** harden OpenBaoRestore VAP guardrails + allow default backup executor image ([#76](https://github.com/dc-tec/openbao-operator/issues/76)) ([93524c8](https://github.com/dc-tec/openbao-operator/commit/93524c8b91563bd5bee91caf2ef0d9360d0a2b04))
+
+
+### Bug Fixes
+
+* **admission:** add admission check ([50d3af0](https://github.com/dc-tec/openbao-operator/commit/50d3af0aa06773e5ea5ee98a1194cba7c9f98b1e))
+* **admission:** allow hardened image verification defaults ([#240](https://github.com/dc-tec/openbao-operator/issues/240)) ([817f144](https://github.com/dc-tec/openbao-operator/commit/817f144a066b21bf05040dd03d35e45ea37b8eb3))
+* **admission:** guard hardened security context overrides ([#390](https://github.com/dc-tec/openbao-operator/issues/390)) ([d0a6533](https://github.com/dc-tec/openbao-operator/commit/d0a6533a4c5dbb7b23e4c0c83abf6ee07a5b491e))
+* **admission:** implement security/rbac improvements ([95cd1b2](https://github.com/dc-tec/openbao-operator/commit/95cd1b246c2eacb18e9fa8da977a44ee7faf1313))
+* **api,security:** harden CRD/admission contracts and guardrails ([#106](https://github.com/dc-tec/openbao-operator/issues/106)) ([40f49d8](https://github.com/dc-tec/openbao-operator/commit/40f49d890a757c3623f08142355fb5c1db3ad5e6))
+* **api:** switch SecretReference to LocalObjectReference ([c3b8fef](https://github.com/dc-tec/openbao-operator/commit/c3b8fefd41e8f06b1b4456f66861974d06de4428))
+* **auth:** harden OIDC discovery and add least-privilege RBAC + admission guardrails ([#86](https://github.com/dc-tec/openbao-operator/issues/86)) ([d128a5d](https://github.com/dc-tec/openbao-operator/commit/d128a5d653aa504bbaaadaf48dbd240fc8c7c8da))
+* **auth:** harden operator OIDC bootstrap discovery ([#242](https://github.com/dc-tec/openbao-operator/issues/242)) ([c6fef5d](https://github.com/dc-tec/openbao-operator/commit/c6fef5d05860dab3de42f37cf45c9360c9723986))
+* **auth:** retry kubernetes jwks discovery via api service ([#241](https://github.com/dc-tec/openbao-operator/issues/241)) ([37358f6](https://github.com/dc-tec/openbao-operator/commit/37358f65677819cd8d9ac52cd9775ebe718f23ea))
+* **backup:** align retention behavior across providers and refactor backup/restore flow ([#105](https://github.com/dc-tec/openbao-operator/issues/105)) ([2e1fa9d](https://github.com/dc-tec/openbao-operator/commit/2e1fa9d941f818512155e34d6e7c8a9c6a620689))
+* **backup:** make sure backup jobs are idempotent ([#47](https://github.com/dc-tec/openbao-operator/issues/47)) ([8e2ec6f](https://github.com/dc-tec/openbao-operator/commit/8e2ec6f058928a169718908b3e7fa38150ffcf80))
+* **backup:** record manual triggers and failure time ([#407](https://github.com/dc-tec/openbao-operator/issues/407)) ([ff172c6](https://github.com/dc-tec/openbao-operator/commit/ff172c60d6efabb541f9093dca769fb7b354f0ce))
+* **backup:** remove unused function ([556161f](https://github.com/dc-tec/openbao-operator/commit/556161f542a71570fb94660a4d986a51df660a84))
+* **backup:** upgrade paths ([e2bb9b5](https://github.com/dc-tec/openbao-operator/commit/e2bb9b5ceded236632ce89eee43a001efc0dca70))
+* **bluegreen:** harden deterministic upgrade flow, tests, and docs ([#104](https://github.com/dc-tec/openbao-operator/issues/104)) ([bb64c2e](https://github.com/dc-tec/openbao-operator/commit/bb64c2ed593962f94c004971ec0986270a5270e0))
+* **build:** stabilize byte reproducibility gates for checksums and sbom outputs ([#180](https://github.com/dc-tec/openbao-operator/issues/180)) ([7547ea4](https://github.com/dc-tec/openbao-operator/commit/7547ea48876ddda4788a4d004da31f5f4ea7b985))
+* **chart:** sync helm chart ([9c22829](https://github.com/dc-tec/openbao-operator/commit/9c228297ace116396f351290620eb44991739d57))
+* **chart:** sync helm chart ([#7](https://github.com/dc-tec/openbao-operator/issues/7)) ([507c364](https://github.com/dc-tec/openbao-operator/commit/507c36400b8f83b75e614df3fd34fcddd0e12283))
+* **ci:** allow PR label sync to write labels ([#307](https://github.com/dc-tec/openbao-operator/issues/307)) ([51591d8](https://github.com/dc-tec/openbao-operator/commit/51591d8a212019134cb290d3c876385b08745e01))
+* **ci:** always run perf weekly issue job after failed schedule check ([3d0eb18](https://github.com/dc-tec/openbao-operator/commit/3d0eb189ccda2545def4e3635dd5aabb8a24c599))
+* **ci:** create kind cluster in release e2e gate ([#135](https://github.com/dc-tec/openbao-operator/issues/135)) ([838fe67](https://github.com/dc-tec/openbao-operator/commit/838fe6744cdde4346fe000c092c8059700de0664))
+* **ci:** handle kind load failures for multi-arch OpenBao images ([#125](https://github.com/dc-tec/openbao-operator/issues/125)) ([05038ba](https://github.com/dc-tec/openbao-operator/commit/05038baaf0a706ee4c4c1c1d944f93a84c4768f0))
+* **ci:** harden mainline publish workflows ([#224](https://github.com/dc-tec/openbao-operator/issues/224)) ([3bebc04](https://github.com/dc-tec/openbao-operator/commit/3bebc04970d43c77ba7fc7bcfac5cc7c63a18937))
+* **ci:** replace dangerous PR labeling workflow ([#304](https://github.com/dc-tec/openbao-operator/issues/304)) ([b3740f8](https://github.com/dc-tec/openbao-operator/commit/b3740f89f65379b734ac70e8db5cd5982e479939))
+* **ci:** restore security and bot PR pipeline stability ([#129](https://github.com/dc-tec/openbao-operator/issues/129)) ([ae8d297](https://github.com/dc-tec/openbao-operator/commit/ae8d297eae7ed5673d919673167ac4bdea002e1c))
+* **ci:** stabilize nightly e2e image refs and matrix check naming ([#121](https://github.com/dc-tec/openbao-operator/issues/121)) ([c69993d](https://github.com/dc-tec/openbao-operator/commit/c69993d4eace0c5104aaf1659f390a25fadb4b69))
+* **ci:** stabilize release/build reproducibility and align CI documentation ([#179](https://github.com/dc-tec/openbao-operator/issues/179)) ([4378cfe](https://github.com/dc-tec/openbao-operator/commit/4378cfe9cf33c35b87ea429290608a2d6a3f0c18))
+* **ci:** unblock draft release lookup and run reproducibility post-release ([#185](https://github.com/dc-tec/openbao-operator/issues/185)) ([4fa1089](https://github.com/dc-tec/openbao-operator/commit/4fa10896da12c125cf7873567fd0e49876299517))
+* **config:** align audit device options with OpenBao ([#423](https://github.com/dc-tec/openbao-operator/issues/423)) ([b1ed4a3](https://github.com/dc-tec/openbao-operator/commit/b1ed4a344e2d9b99fb4ff0efad86107133209bc7))
+* **config:** harden generated JWT roles ([#420](https://github.com/dc-tec/openbao-operator/issues/420)) ([546c6db](https://github.com/dc-tec/openbao-operator/commit/546c6dbc605c97c1dac743c5cefb97e4dc595688))
+* **config:** use SemVer precedence for OpenBao version checks ([#394](https://github.com/dc-tec/openbao-operator/issues/394)) ([173847d](https://github.com/dc-tec/openbao-operator/commit/173847d22397796e4caa7aa41180f60fcc2a6839))
+* **controller:** infer BlueImage from running pods to prevent premature upgrades ([#95](https://github.com/dc-tec/openbao-operator/issues/95)) ([dfdc11e](https://github.com/dc-tec/openbao-operator/commit/dfdc11efe964fa427b69cfebf0b22bac0fa98d3e))
+* **controller:** Prevent data loss by orphaning secrets when DeletionPolicy is Retain ([#11](https://github.com/dc-tec/openbao-operator/issues/11)) ([0899cfa](https://github.com/dc-tec/openbao-operator/commit/0899cfa44d53deea6aaf65343d44b61c6a488168))
+* **controller:** prevent OpenBaoCluster resourceVersion churn ([#49](https://github.com/dc-tec/openbao-operator/issues/49)) ([c0e4fe8](https://github.com/dc-tec/openbao-operator/commit/c0e4fe88c628cec4cab6ed6cd1bc053378f27d1e))
+* **controller:** recheck admission dependencies at runtime ([#262](https://github.com/dc-tec/openbao-operator/issues/262)) ([8203a59](https://github.com/dc-tec/openbao-operator/commit/8203a59048f54c1b89a5862235b602cc9b0fb376))
+* **controller:** refresh cluster status on standard cadence ([#257](https://github.com/dc-tec/openbao-operator/issues/257)) ([5fd50f3](https://github.com/dc-tec/openbao-operator/commit/5fd50f371870d3012c485e93b2839a7394cd272a))
+* **controller:** remove force ownership of status ([#70](https://github.com/dc-tec/openbao-operator/issues/70)) ([e59e5da](https://github.com/dc-tec/openbao-operator/commit/e59e5da6d22ea82dde7c8c272447e4744991b51e))
+* **core:** harden controller determinism and idempotency ([#107](https://github.com/dc-tec/openbao-operator/issues/107)) ([e573bf9](https://github.com/dc-tec/openbao-operator/commit/e573bf96702c4fca761c34456b9898f5d7d63e90))
+* **core:** rbac and admission hardening ([477be64](https://github.com/dc-tec/openbao-operator/commit/477be6472cd6d45324b2ec879a70d50bd10fcf2f))
+* **deps:** resolve security vulnerabilities in go-tuf/v2 and rekor dependencies ([#74](https://github.com/dc-tec/openbao-operator/issues/74)) ([ecbfba8](https://github.com/dc-tec/openbao-operator/commit/ecbfba80715689bf0eb1689ec370befbfad6cd83))
+* **deps:** restore dependency update CI coverage ([#399](https://github.com/dc-tec/openbao-operator/issues/399)) ([032e1b7](https://github.com/dc-tec/openbao-operator/commit/032e1b7a8ae0a008bacc17772bac5d764f410876))
+* **gateway:** emit TLSRoute as Gateway API v1 ([#429](https://github.com/dc-tec/openbao-operator/issues/429)) ([05177d3](https://github.com/dc-tec/openbao-operator/commit/05177d3aae16aa5bbd80151806b75b5842e6ced9))
+* **helm:** allow global values in chart schema ([#378](https://github.com/dc-tec/openbao-operator/issues/378)) ([5dad02e](https://github.com/dc-tec/openbao-operator/commit/5dad02ebc4253ddb366f636e3aea60ffce5f4ffa))
+* **helm:** deduplicate generated RBAC labels ([#414](https://github.com/dc-tec/openbao-operator/issues/414)) ([78f8d73](https://github.com/dc-tec/openbao-operator/commit/78f8d73ed5329c4dfaa7c82926f98ca8933bcb19))
+* **helm:** Helm provisioner admission identity ([#387](https://github.com/dc-tec/openbao-operator/issues/387)) ([f781c70](https://github.com/dc-tec/openbao-operator/commit/f781c70b885973b0d682cc102607d3e0b41f36dd))
+* **images:** fail-fast on missing OPERATOR_VERSION environment variable ([#25](https://github.com/dc-tec/openbao-operator/issues/25)) ([1a42097](https://github.com/dc-tec/openbao-operator/commit/1a42097c8fd80bfe773682865c1119b29ca77d02))
+* Implement versioned default images for backup, upgrade, and init container ([#14](https://github.com/dc-tec/openbao-operator/issues/14)) ([1b34f78](https://github.com/dc-tec/openbao-operator/commit/1b34f785009750a2667293d31334260fee04716d))
+* **infra:** add IPv6/dual-stack support for listener binding and development egress rules ([#56](https://github.com/dc-tec/openbao-operator/issues/56)) ([7bfdb41](https://github.com/dc-tec/openbao-operator/commit/7bfdb41840bed338cbfcede82be3aea6642a7a53))
+* **infra:** delete scaled-down raft PVCs ([#341](https://github.com/dc-tec/openbao-operator/issues/341)) ([f406e90](https://github.com/dc-tec/openbao-operator/commit/f406e9029d94c8e7984d77b66cf02b8a97f3c339))
+* **infra:** exclude job pods from pdb ([#9](https://github.com/dc-tec/openbao-operator/issues/9)) ([825a191](https://github.com/dc-tec/openbao-operator/commit/825a1916d68a6a0bb09c4f46c1251cf2af9cd159))
+* **infra:** fail closed on hostile OIDC bootstrap discovery ([#263](https://github.com/dc-tec/openbao-operator/issues/263)) ([2dbd9be](https://github.com/dc-tec/openbao-operator/commit/2dbd9be4a01395d071af79876ef9cc9989cf606c))
+* **infra:** improve initialization robustness by treating transient Secret/RBAC errors as retriable and hardening root-token creation ([#55](https://github.com/dc-tec/openbao-operator/issues/55)) ([f760ac5](https://github.com/dc-tec/openbao-operator/commit/f760ac5c17bd99f747e8c3dc637bdcee1b4cb511))
+* **infra:** resolve BackendTLSPolicy mismatch and cleanup stale services after Blue/Green upgrade ([#10](https://github.com/dc-tec/openbao-operator/issues/10)) ([7052a54](https://github.com/dc-tec/openbao-operator/commit/7052a54145a4d9ac1a1d9ed3b7fdb1cc8de994a2))
+* **infra:** stop apiserver endpoint autodetection; use service VIP allow-list with optional endpoint IPs ([#54](https://github.com/dc-tec/openbao-operator/issues/54)) ([d73179a](https://github.com/dc-tec/openbao-operator/commit/d73179a434428bb787684791d1de88dc778f138f))
+* **init:** retrty writing root token to secret to handle transient cr… ([#84](https://github.com/dc-tec/openbao-operator/issues/84)) ([e100176](https://github.com/dc-tec/openbao-operator/commit/e1001769b05fbccae2c861b586dd3eac3eaefd8c))
+* **kube:** add job check ([a7439a9](https://github.com/dc-tec/openbao-operator/commit/a7439a9fe060a4710deda76bea6b7bfafde18020))
+* **manifests:** secure defaults and profiles ([6617383](https://github.com/dc-tec/openbao-operator/commit/66173839968834008119e07cf29cc99188ef8121))
+* **multitenancy:** gate cluster reconcile on tenant onboarding ([#359](https://github.com/dc-tec/openbao-operator/issues/359)) ([cfd850f](https://github.com/dc-tec/openbao-operator/commit/cfd850fcf819c4d1562644cc9495143cfee69b27))
+* **network:** Require source-scoped managed Ingress access ([#389](https://github.com/dc-tec/openbao-operator/issues/389)) ([a3cec85](https://github.com/dc-tec/openbao-operator/commit/a3cec85a56230560be8196ac02666ad38b7e136d))
+* **nightly:** harden init token persistence and e2e autopilot reliability ([#117](https://github.com/dc-tec/openbao-operator/issues/117)) ([f85886f](https://github.com/dc-tec/openbao-operator/commit/f85886fc92b5df3eff30b5075659b41279e8717d))
+* **openbao:** handle 403 forbidden gracefully ([#94](https://github.com/dc-tec/openbao-operator/issues/94)) ([4243f67](https://github.com/dc-tec/openbao-operator/commit/4243f67d68e69d8406b5e0702c806a4f876dd774))
+* **openbao:** share JWT token cache ([#419](https://github.com/dc-tec/openbao-operator/issues/419)) ([a4a0887](https://github.com/dc-tec/openbao-operator/commit/a4a088762c584867932d3f48d47ee5399ceadc9e))
+* **openbao:** stage safe raft scale-downs ([#339](https://github.com/dc-tec/openbao-operator/issues/339)) ([4da1ec7](https://github.com/dc-tec/openbao-operator/commit/4da1ec74f8e4e45e710a0fae51f86bbf44c257c8))
+* **probe:** stabilize openbao workload probes ([#371](https://github.com/dc-tec/openbao-operator/issues/371)) ([260547b](https://github.com/dc-tec/openbao-operator/commit/260547b71d3e12e2ec97ae500f9ed63ab1619804))
+* **provisioner:** reduce release reconciliation log noise ([#370](https://github.com/dc-tec/openbao-operator/issues/370)) ([b2f2bca](https://github.com/dc-tec/openbao-operator/commit/b2f2bcaf18dfef15348aa02b9f3de224c02e38ab))
+* **provisioner:** support external tenant PSS label ownership ([#428](https://github.com/dc-tec/openbao-operator/issues/428)) ([08462c9](https://github.com/dc-tec/openbao-operator/commit/08462c9e108dba154aa9831ce38f9d209b6dbf9e))
+* **rbac:** allow verification pull secret reads ([#427](https://github.com/dc-tec/openbao-operator/issues/427)) ([10d40c0](https://github.com/dc-tec/openbao-operator/commit/10d40c0169bda12ea318f9ab1629b0bf4e8bc312))
+* **release:** grant tag workflow comment permissions ([#295](https://github.com/dc-tec/openbao-operator/issues/295)) ([61ec413](https://github.com/dc-tec/openbao-operator/commit/61ec413d7b640e446d135e67e98bbc17c85badec))
+* **release:** remove unsupported tag app scope ([#296](https://github.com/dc-tec/openbao-operator/issues/296)) ([e794a76](https://github.com/dc-tec/openbao-operator/commit/e794a7629f3ad31083834a7d5b0f63d64cc4b93e))
+* **release:** sign release tags and trim release gates ([#298](https://github.com/dc-tec/openbao-operator/issues/298)) ([33a687b](https://github.com/dc-tec/openbao-operator/commit/33a687b9b93537bffd944791d7f02fc7d48fe855))
+* **restore:** harden restore job rendering ([#405](https://github.com/dc-tec/openbao-operator/issues/405)) ([3e52f5a](https://github.com/dc-tec/openbao-operator/commit/3e52f5a51731562cb61f8cb8e48d2fdf8bd72e09))
+* **rolling:** handle retry status conflicts during upgrade resume ([#192](https://github.com/dc-tec/openbao-operator/issues/192)) ([c6957f2](https://github.com/dc-tec/openbao-operator/commit/c6957f280e1264b7912d0304d5937d6227b8a5f2))
+* **security;e2e:** verify signed hardened/acme flows in CI/nightly and support digest-safe keyless defaults ([#116](https://github.com/dc-tec/openbao-operator/issues/116)) ([3b966fe](https://github.com/dc-tec/openbao-operator/commit/3b966fe25097fbb4e490682f93bc8671463741f2))
+* **security:** fail closed for configured trusted roots ([#393](https://github.com/dc-tec/openbao-operator/issues/393)) ([04cbd64](https://github.com/dc-tec/openbao-operator/commit/04cbd64cf0356f111f0e3c0450b859008e6c5b69))
+* **security:** harden managed image digests and gateway validation reads ([#243](https://github.com/dc-tec/openbao-operator/issues/243)) ([62a44d0](https://github.com/dc-tec/openbao-operator/commit/62a44d006fc27019e2f5cc1fa58ddb216e088503))
+* **security:** implement image verification LRU cache; docker auth handeling ([#18](https://github.com/dc-tec/openbao-operator/issues/18)) ([a4b7203](https://github.com/dc-tec/openbao-operator/commit/a4b720313ec7fa40a7b0123de4bbbbe090441c0e))
+* **security:** performance issue image verification by reording cache lookups ([#12](https://github.com/dc-tec/openbao-operator/issues/12)) ([a5ca5eb](https://github.com/dc-tec/openbao-operator/commit/a5ca5eb1268d9afe98d8bcc0ce6c3dda0efde20c))
+* **security:** remove resolved govulncheck ignores ([#249](https://github.com/dc-tec/openbao-operator/issues/249)) ([58be543](https://github.com/dc-tec/openbao-operator/commit/58be543c57c0b47b977271d1e51eb0baa49853f9))
+* **security:** validate UMASK bounds in bao-wrapper ([#195](https://github.com/dc-tec/openbao-operator/issues/195)) ([08b5f8a](https://github.com/dc-tec/openbao-operator/commit/08b5f8a6a92325d176ba40e3c79a4106570ab029))
+* **security:** wrap bundle fallback verification error ([#200](https://github.com/dc-tec/openbao-operator/issues/200)) ([827899e](https://github.com/dc-tec/openbao-operator/commit/827899ea077c149e93ccf7aaf3c9d333a45b37c5))
+* **sentinel:** prevent noisy neighbors and thundering herd behavior ([57eb7bd](https://github.com/dc-tec/openbao-operator/commit/57eb7bdfd9b714e2d64c0954d5a36c260dde7efa))
+* **sentinel:** rely on uuids instead of timestamps as sentinel triggerid ([#6](https://github.com/dc-tec/openbao-operator/issues/6)) ([f88b697](https://github.com/dc-tec/openbao-operator/commit/f88b697f6dc13f19cf9a00d2764a4ed0be58868d))
+* **status:** make lifecycle status guidance more actionable ([#227](https://github.com/dc-tec/openbao-operator/issues/227)) ([6bf9147](https://github.com/dc-tec/openbao-operator/commit/6bf9147aa42231f0f2494c00f6c9d77924a7e292))
+* **status:** mark unsafe admission mode not production-ready ([#391](https://github.com/dc-tec/openbao-operator/issues/391)) ([98022a3](https://github.com/dc-tec/openbao-operator/commit/98022a3925742e011dbb8ce1fb55c2c79c5a1496))
+* **storage:** enforce storage class immutability consistently ([#215](https://github.com/dc-tec/openbao-operator/issues/215)) ([c0a551f](https://github.com/dc-tec/openbao-operator/commit/c0a551fd8e5e0c653d151de5b17990573767c333))
+* **storage:** retry transient S3 bucket ensure failures ([#408](https://github.com/dc-tec/openbao-operator/issues/408)) ([9796c2c](https://github.com/dc-tec/openbao-operator/commit/9796c2c174c06f84f8fa645ae29909a774bc6f73))
+* **upgrade:** clear rolling retry failure state with merge status patch ([#205](https://github.com/dc-tec/openbao-operator/issues/205)) ([f4b47f9](https://github.com/dc-tec/openbao-operator/commit/f4b47f9403fdd1ea954dd7af902d194f7889b055))
+* **upgrade:** complete SSA ownership migration ([#345](https://github.com/dc-tec/openbao-operator/issues/345)) ([eafa931](https://github.com/dc-tec/openbao-operator/commit/eafa9317acf33155cc7863924b5cb4a8725f97bc))
+* **upgrade:** harden bluegreen and rolling recovery flakes ([#374](https://github.com/dc-tec/openbao-operator/issues/374)) ([62cf706](https://github.com/dc-tec/openbao-operator/commit/62cf706df50b8ff462e5893166fc61b83749b298))
+* **upgrade:** harden OpenBaoCluster upgrade validation, recovery, and documentation ([#225](https://github.com/dc-tec/openbao-operator/issues/225)) ([a170c0a](https://github.com/dc-tec/openbao-operator/commit/a170c0acb3c835016f32483169d3c61e07ab26b3))
+* **upgrade:** harden rolling upgrade resume ([#406](https://github.com/dc-tec/openbao-operator/issues/406)) ([33fe59d](https://github.com/dc-tec/openbao-operator/commit/33fe59d148751253d6819070630ebad0ce81d80b))
+* **upgrade:** improve upgrade manager stability ([#13](https://github.com/dc-tec/openbao-operator/issues/13)) ([c6a1b34](https://github.com/dc-tec/openbao-operator/commit/c6a1b34a515e7ed4201d61cd2b564ba2b0a9b5bf))
+* **upgrade:** make rolling upgrades deterministic and harden rolling upgrade coverage ([#103](https://github.com/dc-tec/openbao-operator/issues/103)) ([5f3edfd](https://github.com/dc-tec/openbao-operator/commit/5f3edfd3d1b111b3b07a8818aa743f523ab8d810))
+* **upgrade:** revert partition update to MergeFrom to fix StatefulSet validation ([#52](https://github.com/dc-tec/openbao-operator/issues/52)) ([504c319](https://github.com/dc-tec/openbao-operator/commit/504c31970030519ed602f16ebc3d7be5b339d32c))
+* **upgrade:** set executor job resource requirements ([#392](https://github.com/dc-tec/openbao-operator/issues/392)) ([8efb8da](https://github.com/dc-tec/openbao-operator/commit/8efb8da900d378139e35bd32c54489bcc74bec15))
+* **upgrade:** treat raft promote already-voter as no-op ([#382](https://github.com/dc-tec/openbao-operator/issues/382)) ([7d25753](https://github.com/dc-tec/openbao-operator/commit/7d25753b9c5c780e174e8adb5487f48c67128267))
+* **upgrade:** verify default helper images for hardened clusters ([#308](https://github.com/dc-tec/openbao-operator/issues/308)) ([8bfeabb](https://github.com/dc-tec/openbao-operator/commit/8bfeabb6b79a8d897617b0aac63d89be9530ef16))
+* **validation:** block upgrade strategy switches ([#288](https://github.com/dc-tec/openbao-operator/issues/288)) ([b5f0af4](https://github.com/dc-tec/openbao-operator/commit/b5f0af4a7e5c7fbceb733a52e4bc3327171f93c6))
+* **vap:** require self init requests when self initialization is enabled ([#82](https://github.com/dc-tec/openbao-operator/issues/82)) ([c572aaa](https://github.com/dc-tec/openbao-operator/commit/c572aaa392ecc8c8f6dccdee5203a964055a6106))
+* **vap:** stuck Job deletions by allowing GC Job-finalizer updates in lock-managed-resource-mutations VAP ([#53](https://github.com/dc-tec/openbao-operator/issues/53)) ([0c56a87](https://github.com/dc-tec/openbao-operator/commit/0c56a8726c3a972566fc4a93b8a8d3d9bbd99ae7))
+* **workload:** mount OCI plugin directory ([#421](https://github.com/dc-tec/openbao-operator/issues/421)) ([fc95717](https://github.com/dc-tec/openbao-operator/commit/fc95717479d010af90550ae7f74d51e999d36990))
+
+
+### Miscellaneous Chores
+
+* **release:** release 0.1.0 ([#302](https://github.com/dc-tec/openbao-operator/issues/302)) ([ebcaf03](https://github.com/dc-tec/openbao-operator/commit/ebcaf03b7ca60a02d56e64135a45e6f1e20be424))
+* **release:** release 0.1.0-rc.7 ([#299](https://github.com/dc-tec/openbao-operator/issues/299)) ([f1aa990](https://github.com/dc-tec/openbao-operator/commit/f1aa990e7ac08d4cf203d61ede7fd8b3448419bd))
+* **release:** set release target to 0.1.0-rc.1 ([#133](https://github.com/dc-tec/openbao-operator/issues/133)) ([ad509ed](https://github.com/dc-tec/openbao-operator/commit/ad509edfa50936cc8b263fcae1d1233fa6b9f47b))
+* **release:** set release target to 0.1.0-rc.2 ([#136](https://github.com/dc-tec/openbao-operator/issues/136)) ([624238d](https://github.com/dc-tec/openbao-operator/commit/624238df4f561709ce0390f3332c0737685d7a67))
+* **release:** set release target to 0.1.0-rc.3 ([#176](https://github.com/dc-tec/openbao-operator/issues/176)) ([af6043e](https://github.com/dc-tec/openbao-operator/commit/af6043ee5c02d6440b9de9401ce8bb9c332831ba))
+* **release:** set release target to 0.1.0-rc.4 ([#183](https://github.com/dc-tec/openbao-operator/issues/183)) ([b5402ea](https://github.com/dc-tec/openbao-operator/commit/b5402eaed71cf776dfa6b6a42b23c5030b38896c))
+* **release:** set release target to 0.1.0-rc.5 ([#187](https://github.com/dc-tec/openbao-operator/issues/187)) ([39649ee](https://github.com/dc-tec/openbao-operator/commit/39649ee68ef28ed3c94cfebf2dc9de04f3ff2466))
+* trigger release-please for 0.1.0-rc.6 ([#293](https://github.com/dc-tec/openbao-operator/issues/293)) ([9f8bfa1](https://github.com/dc-tec/openbao-operator/commit/9f8bfa193a8bb45d3327f99a6e365e49cab9879c))
+
+
+### Code Refactoring
+
+* **config:** openbaocluster config renderer ([a230262](https://github.com/dc-tec/openbao-operator/commit/a230262c4795566c21ad58a65b74364e7cdd36b6))
+* **controller:** openbaocluster refactor; sentinel improvements ([9d0de98](https://github.com/dc-tec/openbao-operator/commit/9d0de984d9681d53f4c5569ff84443ae46e2bad5))
+* **core:** remove Sentinel drift detection (VAP hardening) ([#39](https://github.com/dc-tec/openbao-operator/issues/39)) ([d289cf2](https://github.com/dc-tec/openbao-operator/commit/d289cf262213ab13ca3c9e3631df1d4845ee6fc7))
+* **upgrade:** simplify blue/green cutover and split rolling strategy ([#37](https://github.com/dc-tec/openbao-operator/issues/37)) ([7453e23](https://github.com/dc-tec/openbao-operator/commit/7453e23880b1edbfa0c825d6982c29893d4ac08d))
+* **upgrade:** upgrade manager; blue/green upgrades ([2ba56a4](https://github.com/dc-tec/openbao-operator/commit/2ba56a426caa12a79a069700b0b2a4ede44156e1))
+
 ## [0.3.0](https://github.com/dc-tec/openbao-operator/compare/0.2.0...0.3.0) (2026-05-19)
diff --git a/charts/openbao-operator/Chart.yaml b/charts/openbao-operator/Chart.yaml
index b4f2761fe..c61f3dc6c 100644
--- a/charts/openbao-operator/Chart.yaml +++ b/charts/openbao-operator/Chart.yaml @@ -4,8 +4,8 @@ description: >- OpenBao Operator installs the OpenBao Kubernetes operator and its required cluster-scoped resources. type: application -version: 0.3.0 -appVersion: 0.3.0 +version: 0.1.0 +appVersion: 0.1.0 icon: >- https://raw.githubusercontent.com/dc-tec/openbao-operator/main/docs/assets/logo.svg home: https://github.com/dc-tec/openbao-operator 
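Review bot: `version: 0.1.0` and `appVersion: 0.1.0` move the chart backwards from 0.3.0, which reads as a mis-generated release-please run rather than an intended bump — the changelog hunk above lists `release: release 0.1.0 (#302)` among past chores and keeps `## [0.3.0]` as the preceding release heading, so 0.1.0 is presumably a tag that already exists. Re-cutting it would also re-tag `ghcr.io/dc-tec/openbao-operator:0.1.0` and the init/backup/upgrade images in the second hunk of this file, under a release whose annotations now claim `containsSecurityUpdates: 'true'`; the `:0.1.0` tag would then point at a different digest than the one already published and signed, and a `helm upgrade` from 0.3.0 would be a downgrade. The expected values here are presumably the next version after 0.3.0, i.e. `version: <NEXT_VERSION>` / `appVersion: <NEXT_VERSION>` (placeholder); confirm the release-please manifest and the state of the existing 0.1.0 tag before merging.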
@@ -27,49 +27,357 @@ annotations: artifacthub.io/operator: 'true' artifacthub.io/operatorCapabilities: Full Lifecycle artifacthub.io/prerelease: "false" - artifacthub.io/containsSecurityUpdates: 'false' + artifacthub.io/containsSecurityUpdates: 'true' artifacthub.io/changes: | + - kind: changed + description: "core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics" + - kind: changed + description: "core: remove Sentinel drift detection (VAP hardening)" + - kind: changed + description: "upgrade: simplify blue/green cutover and split rolling strategy" + - kind: changed + description: "config: openbaocluster config renderer" + - kind: changed + description: "upgrade: upgrade manager; blue/green upgrades" + - kind: changed + description: "controller: openbaocluster refactor; sentinel improvements" + - kind: added + description: "admission: authorize maintenance through RBAC" + - kind: added + description: "api: add OpenBaoCluster observedGeneration and printer columns" + - kind: added + description: "api: add runtime restart controls" + - kind: added + description: "ast-grep: add policy-driven architecture guardrails with CI enforcement" + - kind: added + description: "backup;restore: azure blob storage and GCS support as backup provider" + - kind: added + description: "bluegreen: blue/green traffic switching improvements" + - kind: added + description: "charts: operator helm chart" + - kind: added + description: "controller;chart;rbac: controller hardening, Helm sync automation, and RBAC race fix" + - kind: added + description: "controller: add extra metrics" + - kind: added + description: "controller: single tenancy support" + - kind: added + description: "core: add consistent Kubernetes lifecycle events" + - kind: added + description: "core: add perf baseline harness and gates" + - kind: added + description: "core: cluster lifecycle hardening; e2e suite refactor" + - kind: added + description: "core: enable Raft Autopilot for 
automatic dead server cleanup" + - kind: added + description: "core: harden lifecycle contracts and supporting coverage" + - kind: added + description: "core: helm manifest values and templates" + - kind: added + description: "core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics" + - kind: added + description: "core: introduce restore CRD" + - kind: added + description: "core: make JWT audience configurable and plumb JWT bootstrap config across backup/upgrade/restore" + - kind: added + description: "core: OpenShift compatibility support" + - kind: added + description: "infra;controller: implement support for online PVC expansion of running OpenBao Clusters" + - kind: added + description: "infra: add default node and zone spreading for OpenBao StatefulSets" + - kind: added + description: "infra: add pod metadata hooks for workload identity" + - kind: added + description: "infra: Expose listenerName field for Gateway API HTTPRoute targeting" + - kind: added + description: "infra: improve hardened and ACME deployments" + - kind: added + description: "infra: make DNS namespace configurable in NetworkPolicies" + - kind: added + description: "manifests: install manifest" + - kind: added + description: "manifests: self-service tenant onboarding" + - kind: added + description: "manifests: wire-in image verification for all components" + - kind: added + description: "observability: add metrics, dashboards, e2e assertions; upgrade stability" - kind: added description: "openbaocluster: add ingress integration readiness" - kind: added description: "openbao: improve PKCS#11 runtime ergonomics" + - kind: added + description: "operator: add supported single-tenant custom identity install paths" + - kind: added + description: "perf: refresh kind performance baseline" + - kind: added + description: "policy: enforce Hardened profile requires replicas >= 3 via VAP" + - kind: added + description: "provisioner: configurable tenant resource 
quotas" + - kind: added + description: "readreplicas: add steady-state read replica topology and status" + - kind: added + description: "readreplicas: integrate read replicas with upgrade and restore workflows" + - kind: added + description: "restore: add RBAC for restore jobs and validate authentication" + - kind: security + description: "security: Add admission-time protections for SSRF, TLS secrets, and tenant self-service" + - kind: security + description: "security: add operatorimageVerification field to CRD to allow separate verification of both OpenBao and Operator images" + - kind: security + description: "security: expand control-plane audit coverage for startup, operations, and RBAC mutations" + - kind: security + description: "security: harden image verification and align edge/nightly signed manifest streams" + - kind: security + description: "security: harden image verification defaults and sign edge/nightly images" + - kind: security + description: "security: harden operator RBAC with ValidatingAdmissionPolicy guardrails" + - kind: security + description: "security: tighten operator security and authentication contracts" + - kind: added + description: "upgrade: harden backup and restore flows" + - kind: added + description: "upgrade: improve upgrade manager stability by using SSA for status updates and make pre-upgrade backup job names deterministic" + - kind: added + description: "upgrade: unify manual upgrade requests on OpenBaoCluster" + - kind: added + description: "vap: harden OpenBaoRestore VAP guardrails + allow default backup executor image" + - kind: fixed + description: "admission: add admission check" + - kind: fixed + description: "admission: allow hardened image verification defaults" + - kind: fixed + description: "admission: guard hardened security context overrides" + - kind: fixed + description: "admission: implement security/rbac improvements" + - kind: fixed + description: "api,security: harden CRD/admission contracts and guardrails" 
+ - kind: fixed + description: "api: switch SecretReference to LocalObjectReference" + - kind: fixed + description: "auth: harden OIDC discovery and add least-privilege RBAC + admission guardrails" + - kind: fixed + description: "auth: harden operator OIDC bootstrap discovery" + - kind: fixed + description: "auth: retry kubernetes jwks discovery via api service" + - kind: fixed + description: "backup: align retention behavior across providers and refactor backup/restore flow" + - kind: fixed + description: "backup: make sure backup jobs are idempotent" - kind: fixed description: "backup: record manual triggers and failure time" + - kind: fixed + description: "backup: remove unused function" + - kind: fixed + description: "backup: upgrade paths" + - kind: fixed + description: "bluegreen: harden deterministic upgrade flow, tests, and docs" + - kind: fixed + description: "build: stabilize byte reproducibility gates for checksums and sbom outputs" + - kind: fixed + description: "chart: sync helm chart" + - kind: fixed + description: "chart: sync helm chart" + - kind: fixed + description: "ci: allow PR label sync to write labels" + - kind: fixed + description: "ci: always run perf weekly issue job after failed schedule check" + - kind: fixed + description: "ci: create kind cluster in release e2e gate" + - kind: fixed + description: "ci: handle kind load failures for multi-arch OpenBao images" + - kind: fixed + description: "ci: harden mainline publish workflows" + - kind: fixed + description: "ci: replace dangerous PR labeling workflow" + - kind: fixed + description: "ci: restore security and bot PR pipeline stability" + - kind: fixed + description: "ci: stabilize nightly e2e image refs and matrix check naming" + - kind: fixed + description: "ci: stabilize release/build reproducibility and align CI documentation" + - kind: fixed + description: "ci: unblock draft release lookup and run reproducibility post-release" - kind: fixed description: "config: align audit device 
options with OpenBao" - kind: fixed description: "config: harden generated JWT roles" - kind: fixed description: "config: use SemVer precedence for OpenBao version checks" + - kind: fixed + description: "controller: infer BlueImage from running pods to prevent premature upgrades" + - kind: fixed + description: "controller: Prevent data loss by orphaning secrets when DeletionPolicy is Retain" + - kind: fixed + description: "controller: prevent OpenBaoCluster resourceVersion churn" + - kind: fixed + description: "controller: recheck admission dependencies at runtime" + - kind: fixed + description: "controller: refresh cluster status on standard cadence" + - kind: fixed + description: "controller: remove force ownership of status" + - kind: fixed + description: "core: harden controller determinism and idempotency" + - kind: fixed + description: "core: rbac and admission hardening" + - kind: fixed + description: "deps: resolve security vulnerabilities in go-tuf/v2 and rekor dependencies" - kind: fixed description: "deps: restore dependency update CI coverage" - kind: fixed description: "gateway: emit TLSRoute as Gateway API v1" + - kind: fixed + description: "helm: allow global values in chart schema" - kind: fixed description: "helm: deduplicate generated RBAC labels" + - kind: fixed + description: "helm: Helm provisioner admission identity" + - kind: fixed + description: "images: fail-fast on missing OPERATOR_VERSION environment variable" + - kind: fixed + description: "Implement versioned default images for backup, upgrade, and init container" + - kind: fixed + description: "infra: add IPv6/dual-stack support for listener binding and development egress rules" + - kind: fixed + description: "infra: delete scaled-down raft PVCs" + - kind: fixed + description: "infra: exclude job pods from pdb" + - kind: fixed + description: "infra: fail closed on hostile OIDC bootstrap discovery" + - kind: fixed + description: "infra: improve initialization robustness by treating 
transient Secret/RBAC errors as retriable and hardening root-token creation" + - kind: fixed + description: "infra: resolve BackendTLSPolicy mismatch and cleanup stale services after Blue/Green upgrade" + - kind: fixed + description: "infra: stop apiserver endpoint autodetection; use service VIP allow-list with optional endpoint IPs" + - kind: fixed + description: "init: retrty writing root token to secret to handle transient cr\u2026" + - kind: fixed + description: "kube: add job check" + - kind: fixed + description: "manifests: secure defaults and profiles" + - kind: fixed + description: "multitenancy: gate cluster reconcile on tenant onboarding" + - kind: fixed + description: "network: Require source-scoped managed Ingress access" + - kind: fixed + description: "nightly: harden init token persistence and e2e autopilot reliability" + - kind: fixed + description: "openbao: handle 403 forbidden gracefully" - kind: fixed description: "openbao: share JWT token cache" + - kind: fixed + description: "openbao: stage safe raft scale-downs" + - kind: fixed + description: "probe: stabilize openbao workload probes" + - kind: fixed + description: "provisioner: reduce release reconciliation log noise" - kind: fixed description: "provisioner: support external tenant PSS label ownership" - kind: fixed description: "rbac: allow verification pull secret reads" + - kind: fixed + description: "release: grant tag workflow comment permissions" + - kind: fixed + description: "release: remove unsupported tag app scope" + - kind: fixed + description: "release: sign release tags and trim release gates" - kind: fixed description: "restore: harden restore job rendering" + - kind: fixed + description: "rolling: handle retry status conflicts during upgrade resume" + - kind: fixed + description: "security;e2e: verify signed hardened/acme flows in CI/nightly and support digest-safe keyless defaults" + - kind: security + description: "security: fail closed for configured trusted roots" + - 
kind: security + description: "security: harden managed image digests and gateway validation reads" + - kind: security + description: "security: implement image verification LRU cache; docker auth handeling" + - kind: security + description: "security: performance issue image verification by reording cache lookups" + - kind: security + description: "security: remove resolved govulncheck ignores" + - kind: security + description: "security: validate UMASK bounds in bao-wrapper" + - kind: security + description: "security: wrap bundle fallback verification error" + - kind: fixed + description: "sentinel: prevent noisy neighbors and thundering herd behavior" + - kind: fixed + description: "sentinel: rely on uuids instead of timestamps as sentinel triggerid" + - kind: fixed + description: "status: make lifecycle status guidance more actionable" + - kind: fixed + description: "status: mark unsafe admission mode not production-ready" + - kind: fixed + description: "storage: enforce storage class immutability consistently" - kind: fixed description: "storage: retry transient S3 bucket ensure failures" + - kind: fixed + description: "upgrade: clear rolling retry failure state with merge status patch" + - kind: fixed + description: "upgrade: complete SSA ownership migration" + - kind: fixed + description: "upgrade: harden bluegreen and rolling recovery flakes" + - kind: fixed + description: "upgrade: harden OpenBaoCluster upgrade validation, recovery, and documentation" - kind: fixed description: "upgrade: harden rolling upgrade resume" + - kind: fixed + description: "upgrade: improve upgrade manager stability" + - kind: fixed + description: "upgrade: make rolling upgrades deterministic and harden rolling upgrade coverage" + - kind: fixed + description: "upgrade: revert partition update to MergeFrom to fix StatefulSet validation" + - kind: fixed + description: "upgrade: set executor job resource requirements" + - kind: fixed + description: "upgrade: treat raft promote 
already-voter as no-op" + - kind: fixed + description: "upgrade: verify default helper images for hardened clusters" + - kind: fixed + description: "validation: block upgrade strategy switches" + - kind: fixed + description: "vap: require self init requests when self initialization is enabled" + - kind: fixed + description: "vap: stuck Job deletions by allowing GC Job-finalizer updates in lock-managed-resource-mutations VAP" - kind: fixed description: "workload: mount OCI plugin directory" + - kind: changed + description: "release: release 0.1.0" + - kind: changed + description: "release: release 0.1.0-rc.7" + - kind: changed + description: "release: set release target to 0.1.0-rc.1" + - kind: changed + description: "release: set release target to 0.1.0-rc.2" + - kind: changed + description: "release: set release target to 0.1.0-rc.3" + - kind: changed + description: "release: set release target to 0.1.0-rc.4" + - kind: changed + description: "release: set release target to 0.1.0-rc.5" + - kind: changed + description: "trigger release-please for 0.1.0-rc.6" + - kind: changed + description: "config: openbaocluster config renderer" + - kind: changed + description: "controller: openbaocluster refactor; sentinel improvements" + - kind: changed + description: "core: remove Sentinel drift detection (VAP hardening)" + - kind: changed + description: "upgrade: simplify blue/green cutover and split rolling strategy" + - kind: changed + description: "upgrade: upgrade manager; blue/green upgrades" artifacthub.io/images: | - name: openbao-operator - image: ghcr.io/dc-tec/openbao-operator:0.3.0 + image: ghcr.io/dc-tec/openbao-operator:0.1.0 - name: openbao-init - image: ghcr.io/dc-tec/openbao-init:0.3.0 + image: ghcr.io/dc-tec/openbao-init:0.1.0 - name: openbao-backup - image: ghcr.io/dc-tec/openbao-backup:0.3.0 + image: ghcr.io/dc-tec/openbao-backup:0.1.0 - name: openbao-upgrade - image: ghcr.io/dc-tec/openbao-upgrade:0.3.0 + image: ghcr.io/dc-tec/openbao-upgrade:0.1.0 
artifacthub.io/crds: | - kind: OpenBaoCluster version: v1alpha1