
chore(release-please--branches--main): release 0.1.0 #450

Closed
openbao-operator-release-pr[bot] wants to merge 2 commits into release-please--branches--main from release-please--branches--release-please--branches--main


@openbao-operator-release-pr


🤖 I have created a release beep boop

0.1.0 (2026-05-19)

⚠ BREAKING CHANGES

  • core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics (#73)
  • core: remove Sentinel drift detection (VAP hardening) (#39)
  • upgrade: simplify blue/green cutover and split rolling strategy (#37)
  • config: openbaocluster config renderer
  • upgrade: upgrade manager; blue/green upgrades
  • controller: openbaocluster refactor; sentinel improvements

Features

  • admission: authorize maintenance through RBAC (#347) (b7c05a7)
  • api: add OpenBaoCluster observedGeneration and printer columns (#286) (1c8f8ae)
  • api: add runtime restart controls (#348) (b1efd34)
  • ast-grep: add policy-driven architecture guardrails with CI enforcement (#201) (1faee9a)
  • backup;restore: azure blob storage and GCS support as backup provider (#71) (e8a2f2d)
  • bluegreen: blue/green traffic switching improvements (5e5f815)
  • charts: operator helm chart (c00ff58)
  • controller;chart;rbac: controller hardening, Helm sync automation, and RBAC race fix (#40) (c9dd0b5)
  • controller: add extra metrics (3ed3915)
  • controller: single tenancy support (49b7327)
  • core: add consistent Kubernetes lifecycle events (#226) (93687af)
  • core: add perf baseline harness and gates (#118) (bf91ce2)
  • core: cluster lifecycle hardening; e2e suite refactor (#72) (3de5142)
  • core: enable Raft Autopilot for automatic dead server cleanup (#44) (61aa711)
  • core: harden lifecycle contracts and supporting coverage (#237) (44de947)
  • core: helm manifest values and templates (6060fbd)
  • core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics (#73) (446e494)
  • core: introduce restore CRD (4d19b72)
  • core: make JWT audience configurable and plumb JWT bootstrap config across backup/upgrade/restore (#57) (3057c61)
  • core: OpenShift compatibility support (#62) (47d7770)
  • infra;controller: implement support for online PVC expansion of running OpenBao Clusters (#75) (42fabd3)
  • infra: add default node and zone spreading for OpenBao StatefulSets (#214) (1d7afc8)
  • infra: add pod metadata hooks for workload identity (#216) (9bd2546)
  • infra: Expose listenerName field for Gateway API HTTPRoute targeting (#30) (5babd3f)
  • infra: improve hardened and ACME deployments (#63) (d40600e)
  • infra: make DNS namespace configurable in NetworkPolicies (#58) (a675dfa)
  • manifests: install manifest (ffc63c6)
  • manifests: self-service tenant onboarding (2a8d4d0)
  • manifests: wire-in image verification for all components (d94d1f9)
  • observability: add metrics, dashboards, e2e assertions; upgrade stability (#101) (d4ce07d)
  • openbaocluster: add ingress integration readiness (#409) (945b4a4)
  • openbao: improve PKCS#11 runtime ergonomics (#400) (f32a6ec)
  • operator: add supported single-tenant custom identity install paths (#239) (d41ff74)
  • perf: refresh kind performance baseline (#120) (69e5366)
  • policy: enforce Hardened profile requires replicas >= 3 via VAP (#23) (c15ab9f)
  • provisioner: configurable tenant resource quotas (#50) (4c6fc29)
  • readreplicas: add steady-state read replica topology and status (#361) (9a74c14)
  • readreplicas: integrate read replicas with upgrade and restore workflows (#362) (e8bf8b8)
  • restore: add RBAC for restore jobs and validate authentication (#16) (e7772a1)
  • security: Add admission-time protections for SSRF, TLS secrets, and tenant self-service (#51) (ae2f86c)
  • security: add operatorimageVerification field to CRD to allow separate verification of both OpenBao and Operator images (#8) (4c1b8cc)
  • security: expand control-plane audit coverage for startup, operations, and RBAC mutations (#109) (b32dc97)
  • security: harden image verification and align edge/nightly signed manifest streams (#112) (b755ca3)
  • security: harden image verification defaults and sign edge/nightly images (#111) (5ffed83)
  • security: harden operator RBAC with ValidatingAdmissionPolicy guardrails (#100) (643fd94)
  • security: tighten operator security and authentication contracts (#238) (7b14fb1)
  • upgrade: harden backup and restore flows (cb542ab)
  • upgrade: improve upgrade manager stability by using SSA for status updates and make pre-upgrade backup job names deterministic (#17) (78f6124)
  • upgrade: unify manual upgrade requests on OpenBaoCluster (#228) (b6f6848)
  • vap: harden OpenBaoRestore VAP guardrails + allow default backup executor image (#76) (93524c8)

Bug Fixes

  • admission: add admission check (50d3af0)
  • admission: allow hardened image verification defaults (#240) (817f144)
  • admission: guard hardened security context overrides (#390) (d0a6533)
  • admission: implement security/rbac improvements (95cd1b2)
  • api,security: harden CRD/admission contracts and guardrails (#106) (40f49d8)
  • api: switch SecretReference to LocalObjectReference (c3b8fef)
  • auth: harden OIDC discovery and add least-privilege RBAC + admission guardrails (#86) (d128a5d)
  • auth: harden operator OIDC bootstrap discovery (#242) (c6fef5d)
  • auth: retry kubernetes jwks discovery via api service (#241) (37358f6)
  • backup: align retention behavior across providers and refactor backup/restore flow (#105) (2e1fa9d)
  • backup: make sure backup jobs are idempotent (#47) (8e2ec6f)
  • backup: record manual triggers and failure time (#407) (ff172c6)
  • backup: remove unused function (556161f)
  • backup: upgrade paths (e2bb9b5)
  • bluegreen: harden deterministic upgrade flow, tests, and docs (#104) (bb64c2e)
  • build: stabilize byte reproducibility gates for checksums and sbom outputs (#180) (7547ea4)
  • chart: sync helm chart (9c22829)
  • chart: sync helm chart (#7) (507c364)
  • ci: allow PR label sync to write labels (#307) (51591d8)
  • ci: always run perf weekly issue job after failed schedule check (3d0eb18)
  • ci: create kind cluster in release e2e gate (#135) (838fe67)
  • ci: handle kind load failures for multi-arch OpenBao images (#125) (05038ba)
  • ci: harden mainline publish workflows (#224) (3bebc04)
  • ci: replace dangerous PR labeling workflow (#304) (b3740f8)
  • ci: restore security and bot PR pipeline stability (#129) (ae8d297)
  • ci: stabilize nightly e2e image refs and matrix check naming (#121) (c69993d)
  • ci: stabilize release/build reproducibility and align CI documentation (#179) (4378cfe)
  • ci: unblock draft release lookup and run reproducibility post-release (#185) (4fa1089)
  • config: align audit device options with OpenBao (#423) (b1ed4a3)
  • config: harden generated JWT roles (#420) (546c6db)
  • config: use SemVer precedence for OpenBao version checks (#394) (173847d)
  • controller: infer BlueImage from running pods to prevent premature upgrades (#95) (dfdc11e)
  • controller: Prevent data loss by orphaning secrets when DeletionPolicy is Retain (#11) (0899cfa)
  • controller: prevent OpenBaoCluster resourceVersion churn (#49) (c0e4fe8)
  • controller: recheck admission dependencies at runtime (#262) (8203a59)
  • controller: refresh cluster status on standard cadence (#257) (5fd50f3)
  • controller: remove force ownership of status (#70) (e59e5da)
  • core: harden controller determinism and idempotency (#107) (e573bf9)
  • core: rbac and admission hardening (477be64)
  • deps: resolve security vulnerabilities in go-tuf/v2 and rekor dependencies (#74) (ecbfba8)
  • deps: restore dependency update CI coverage (#399) (032e1b7)
  • gateway: emit TLSRoute as Gateway API v1 (#429) (05177d3)
  • helm: allow global values in chart schema (#378) (5dad02e)
  • helm: deduplicate generated RBAC labels (#414) (78f8d73)
  • helm: Helm provisioner admission identity (#387) (f781c70)
  • images: fail-fast on missing OPERATOR_VERSION environment variable (#25) (1a42097)
  • Implement versioned default images for backup, upgrade, and init container (#14) (1b34f78)
  • infra: add IPv6/dual-stack support for listener binding and development egress rules (#56) (7bfdb41)
  • infra: delete scaled-down raft PVCs (#341) (f406e90)
  • infra: exclude job pods from pdb (#9) (825a191)
  • infra: fail closed on hostile OIDC bootstrap discovery (#263) (2dbd9be)
  • infra: improve initialization robustness by treating transient Secret/RBAC errors as retriable and hardening root-token creation (#55) (f760ac5)
  • infra: resolve BackendTLSPolicy mismatch and cleanup stale services after Blue/Green upgrade (#10) (7052a54)
  • infra: stop apiserver endpoint autodetection; use service VIP allow-list with optional endpoint IPs (#54) (d73179a)
  • init: retry writing root token to secret to handle transient cr… (#84) (e100176)
  • kube: add job check (a7439a9)
  • manifests: secure defaults and profiles (6617383)
  • multitenancy: gate cluster reconcile on tenant onboarding (#359) (cfd850f)
  • network: Require source-scoped managed Ingress access (#389) (a3cec85)
  • nightly: harden init token persistence and e2e autopilot reliability (#117) (f85886f)
  • openbao: handle 403 forbidden gracefully (#94) (4243f67)
  • openbao: share JWT token cache (#419) (a4a0887)
  • openbao: stage safe raft scale-downs (#339) (4da1ec7)
  • probe: stabilize openbao workload probes (#371) (260547b)
  • provisioner: reduce release reconciliation log noise (#370) (b2f2bca)
  • provisioner: support external tenant PSS label ownership (#428) (08462c9)
  • rbac: allow verification pull secret reads (#427) (10d40c0)
  • release: grant tag workflow comment permissions (#295) (61ec413)
  • release: remove unsupported tag app scope (#296) (e794a76)
  • release: sign release tags and trim release gates (#298) (33a687b)
  • restore: harden restore job rendering (#405) (3e52f5a)
  • rolling: handle retry status conflicts during upgrade resume (#192) (c6957f2)
  • security;e2e: verify signed hardened/acme flows in CI/nightly and support digest-safe keyless defaults (#116) (3b966fe)
  • security: fail closed for configured trusted roots (#393) (04cbd64)
  • security: harden managed image digests and gateway validation reads (#243) (62a44d0)
  • security: implement image verification LRU cache; docker auth handling (#18) (a4b7203)
  • security: performance issue image verification by reordering cache lookups (#12) (a5ca5eb)
  • security: remove resolved govulncheck ignores (#249) (58be543)
  • security: validate UMASK bounds in bao-wrapper (#195) (08b5f8a)
  • security: wrap bundle fallback verification error (#200) (827899e)
  • sentinel: prevent noisy neighbors and thundering herd behavior (57eb7bd)
  • sentinel: rely on uuids instead of timestamps as sentinel triggerid (#6) (f88b697)
  • status: make lifecycle status guidance more actionable (#227) (6bf9147)
  • status: mark unsafe admission mode not production-ready (#391) (98022a3)
  • storage: enforce storage class immutability consistently (#215) (c0a551f)
  • storage: retry transient S3 bucket ensure failures (#408) (9796c2c)
  • upgrade: clear rolling retry failure state with merge status patch (#205) (f4b47f9)
  • upgrade: complete SSA ownership migration (#345) (eafa931)
  • upgrade: harden bluegreen and rolling recovery flakes (#374) (62cf706)
  • upgrade: harden OpenBaoCluster upgrade validation, recovery, and documentation (#225) (a170c0a)
  • upgrade: harden rolling upgrade resume (#406) (33fe59d)
  • upgrade: improve upgrade manager stability (#13) (c6a1b34)
  • upgrade: make rolling upgrades deterministic and harden rolling upgrade coverage (#103) (5f3edfd)
  • upgrade: revert partition update to MergeFrom to fix StatefulSet validation (#52) (504c319)
  • upgrade: set executor job resource requirements (#392) (8efb8da)
  • upgrade: treat raft promote already-voter as no-op (#382) (7d25753)
  • upgrade: verify default helper images for hardened clusters (#308) (8bfeabb)
  • validation: block upgrade strategy switches (#288) (b5f0af4)
  • vap: require self init requests when self initialization is enabled (#82) (c572aaa)
  • vap: stuck Job deletions by allowing GC Job-finalizer updates in lock-managed-resource-mutations VAP (#53) (0c56a87)
  • workload: mount OCI plugin directory (#421) (fc95717)

Miscellaneous Chores

Code Refactoring

  • config: openbaocluster config renderer (a230262)
  • controller: openbaocluster refactor; sentinel improvements (9d0de98)
  • core: remove Sentinel drift detection (VAP hardening) (#39) (d289cf2)
  • upgrade: simplify blue/green cutover and split rolling strategy (#37) (7453e23)
  • upgrade: upgrade manager; blue/green upgrades (2ba56a4)

This PR was generated with Release Please. See documentation.

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
github-actions bot added the documentation, helm and size/L labels on May 19, 2026
@dc-tec

dc-tec commented May 19, 2026


Closing this recursive release-please PR. It was created because main did not yet exclude release-please--branches--* branches from the Release Please workflow. Keeping #395 as the real main release PR.

dc-tec closed this on May 19, 2026
dc-tec deleted the release-please--branches--release-please--branches--main branch on May 19, 2026 05:51

Labels

autorelease: pending, documentation, helm, size/L
