diff --git a/.release-please-manifest.json b/.release-please-manifest.json index fe864868c..30bfd91bf 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,4 +1,4 @@ { - ".": "0.1.0" + ".": "0.2.0" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 55b988b5b..57c8a3ffa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,54 @@ Release notes are generated and maintained via **release-please** based on **Conventional Commits**. +## [0.2.0](https://github.com/dc-tec/openbao-operator/compare/0.1.0...0.2.0) (2026-05-19) + + +### Features + +* **admission:** authorize maintenance through RBAC ([#347](https://github.com/dc-tec/openbao-operator/issues/347)) ([b7c05a7](https://github.com/dc-tec/openbao-operator/commit/b7c05a770bcc97ea1931caf0a3c05919540c38ab)) +* **api:** add runtime restart controls ([#348](https://github.com/dc-tec/openbao-operator/issues/348)) ([b1efd34](https://github.com/dc-tec/openbao-operator/commit/b1efd3442c2c5cd0a58c654b749103ab7cf5ac81)) +* **openbaocluster:** add ingress integration readiness ([#409](https://github.com/dc-tec/openbao-operator/issues/409)) ([945b4a4](https://github.com/dc-tec/openbao-operator/commit/945b4a407829e8bb5f5617309873215ae356fc2d)) +* **openbao:** improve PKCS[#11](https://github.com/dc-tec/openbao-operator/issues/11) runtime ergonomics ([#400](https://github.com/dc-tec/openbao-operator/issues/400)) ([f32a6ec](https://github.com/dc-tec/openbao-operator/commit/f32a6ec0fdc46ab911bc714daa4ec40d0527ef97)) +* **readreplicas:** add steady-state read replica topology and status ([#361](https://github.com/dc-tec/openbao-operator/issues/361)) ([9a74c14](https://github.com/dc-tec/openbao-operator/commit/9a74c143e9061f42f5c7557af7a7e9b767252926)) +* **readreplicas:** integrate read replicas with upgrade and restore workflows ([#362](https://github.com/dc-tec/openbao-operator/issues/362)) ([e8bf8b8](https://github.com/dc-tec/openbao-operator/commit/e8bf8b820c06ccab1fb81a9df25223dfbf4e0666)) + + +### Bug Fixes + +* **admission:** guard hardened security context overrides ([#390](https://github.com/dc-tec/openbao-operator/issues/390)) ([d0a6533](https://github.com/dc-tec/openbao-operator/commit/d0a6533a4c5dbb7b23e4c0c83abf6ee07a5b491e)) +* **backup:** record manual triggers and failure time ([#407](https://github.com/dc-tec/openbao-operator/issues/407)) ([ff172c6](https://github.com/dc-tec/openbao-operator/commit/ff172c60d6efabb541f9093dca769fb7b354f0ce)) +* **ci:** allow PR label sync to write labels ([#307](https://github.com/dc-tec/openbao-operator/issues/307)) ([51591d8](https://github.com/dc-tec/openbao-operator/commit/51591d8a212019134cb290d3c876385b08745e01)) +* **ci:** replace dangerous PR labeling workflow ([#304](https://github.com/dc-tec/openbao-operator/issues/304)) ([b3740f8](https://github.com/dc-tec/openbao-operator/commit/b3740f89f65379b734ac70e8db5cd5982e479939)) +* **config:** align audit device options with OpenBao ([#423](https://github.com/dc-tec/openbao-operator/issues/423)) ([b1ed4a3](https://github.com/dc-tec/openbao-operator/commit/b1ed4a344e2d9b99fb4ff0efad86107133209bc7)) +* **config:** harden generated JWT roles ([#420](https://github.com/dc-tec/openbao-operator/issues/420)) ([546c6db](https://github.com/dc-tec/openbao-operator/commit/546c6dbc605c97c1dac743c5cefb97e4dc595688)) +* **config:** use SemVer precedence for OpenBao version checks ([#394](https://github.com/dc-tec/openbao-operator/issues/394)) ([173847d](https://github.com/dc-tec/openbao-operator/commit/173847d22397796e4caa7aa41180f60fcc2a6839)) +* **deps:** restore dependency update CI coverage ([#399](https://github.com/dc-tec/openbao-operator/issues/399)) ([032e1b7](https://github.com/dc-tec/openbao-operator/commit/032e1b7a8ae0a008bacc17772bac5d764f410876)) +* **gateway:** emit TLSRoute as Gateway API v1 ([#429](https://github.com/dc-tec/openbao-operator/issues/429)) ([05177d3](https://github.com/dc-tec/openbao-operator/commit/05177d3aae16aa5bbd80151806b75b5842e6ced9)) +* **helm:** allow global values in chart schema ([#378](https://github.com/dc-tec/openbao-operator/issues/378)) ([5dad02e](https://github.com/dc-tec/openbao-operator/commit/5dad02ebc4253ddb366f636e3aea60ffce5f4ffa)) +* **helm:** deduplicate generated RBAC labels ([#414](https://github.com/dc-tec/openbao-operator/issues/414)) ([78f8d73](https://github.com/dc-tec/openbao-operator/commit/78f8d73ed5329c4dfaa7c82926f98ca8933bcb19)) +* **helm:** Helm provisioner admission identity ([#387](https://github.com/dc-tec/openbao-operator/issues/387)) ([f781c70](https://github.com/dc-tec/openbao-operator/commit/f781c70b885973b0d682cc102607d3e0b41f36dd)) +* **infra:** delete scaled-down raft PVCs ([#341](https://github.com/dc-tec/openbao-operator/issues/341)) ([f406e90](https://github.com/dc-tec/openbao-operator/commit/f406e9029d94c8e7984d77b66cf02b8a97f3c339)) +* **multitenancy:** gate cluster reconcile on tenant onboarding ([#359](https://github.com/dc-tec/openbao-operator/issues/359)) ([cfd850f](https://github.com/dc-tec/openbao-operator/commit/cfd850fcf819c4d1562644cc9495143cfee69b27)) +* **network:** Require source-scoped managed Ingress access ([#389](https://github.com/dc-tec/openbao-operator/issues/389)) ([a3cec85](https://github.com/dc-tec/openbao-operator/commit/a3cec85a56230560be8196ac02666ad38b7e136d)) +* **openbao:** share JWT token cache ([#419](https://github.com/dc-tec/openbao-operator/issues/419)) ([a4a0887](https://github.com/dc-tec/openbao-operator/commit/a4a088762c584867932d3f48d47ee5399ceadc9e)) +* **openbao:** stage safe raft scale-downs ([#339](https://github.com/dc-tec/openbao-operator/issues/339)) ([4da1ec7](https://github.com/dc-tec/openbao-operator/commit/4da1ec74f8e4e45e710a0fae51f86bbf44c257c8)) +* **probe:** stabilize openbao workload probes ([#371](https://github.com/dc-tec/openbao-operator/issues/371)) ([260547b](https://github.com/dc-tec/openbao-operator/commit/260547b71d3e12e2ec97ae500f9ed63ab1619804)) +* **provisioner:** reduce release reconciliation log noise ([#370](https://github.com/dc-tec/openbao-operator/issues/370)) ([b2f2bca](https://github.com/dc-tec/openbao-operator/commit/b2f2bcaf18dfef15348aa02b9f3de224c02e38ab)) +* **provisioner:** support external tenant PSS label ownership ([#428](https://github.com/dc-tec/openbao-operator/issues/428)) ([08462c9](https://github.com/dc-tec/openbao-operator/commit/08462c9e108dba154aa9831ce38f9d209b6dbf9e)) +* **rbac:** allow verification pull secret reads ([#427](https://github.com/dc-tec/openbao-operator/issues/427)) ([10d40c0](https://github.com/dc-tec/openbao-operator/commit/10d40c0169bda12ea318f9ab1629b0bf4e8bc312)) +* **restore:** harden restore job rendering ([#405](https://github.com/dc-tec/openbao-operator/issues/405)) ([3e52f5a](https://github.com/dc-tec/openbao-operator/commit/3e52f5a51731562cb61f8cb8e48d2fdf8bd72e09)) +* **security:** fail closed for configured trusted roots ([#393](https://github.com/dc-tec/openbao-operator/issues/393)) ([04cbd64](https://github.com/dc-tec/openbao-operator/commit/04cbd64cf0356f111f0e3c0450b859008e6c5b69)) +* **status:** mark unsafe admission mode not production-ready ([#391](https://github.com/dc-tec/openbao-operator/issues/391)) ([98022a3](https://github.com/dc-tec/openbao-operator/commit/98022a3925742e011dbb8ce1fb55c2c79c5a1496)) +* **storage:** retry transient S3 bucket ensure failures ([#408](https://github.com/dc-tec/openbao-operator/issues/408)) ([9796c2c](https://github.com/dc-tec/openbao-operator/commit/9796c2c174c06f84f8fa645ae29909a774bc6f73)) +* **upgrade:** complete SSA ownership migration ([#345](https://github.com/dc-tec/openbao-operator/issues/345)) ([eafa931](https://github.com/dc-tec/openbao-operator/commit/eafa9317acf33155cc7863924b5cb4a8725f97bc)) +* **upgrade:** harden bluegreen and rolling recovery flakes ([#374](https://github.com/dc-tec/openbao-operator/issues/374)) ([62cf706](https://github.com/dc-tec/openbao-operator/commit/62cf706df50b8ff462e5893166fc61b83749b298)) +* **upgrade:** harden rolling upgrade resume ([#406](https://github.com/dc-tec/openbao-operator/issues/406)) ([33fe59d](https://github.com/dc-tec/openbao-operator/commit/33fe59d148751253d6819070630ebad0ce81d80b)) +* **upgrade:** set executor job resource requirements ([#392](https://github.com/dc-tec/openbao-operator/issues/392)) ([8efb8da](https://github.com/dc-tec/openbao-operator/commit/8efb8da900d378139e35bd32c54489bcc74bec15)) +* **upgrade:** treat raft promote already-voter as no-op ([#382](https://github.com/dc-tec/openbao-operator/issues/382)) ([7d25753](https://github.com/dc-tec/openbao-operator/commit/7d25753b9c5c780e174e8adb5487f48c67128267)) +* **upgrade:** verify default helper images for hardened clusters ([#308](https://github.com/dc-tec/openbao-operator/issues/308)) ([8bfeabb](https://github.com/dc-tec/openbao-operator/commit/8bfeabb6b79a8d897617b0aac63d89be9530ef16)) +* **workload:** mount OCI plugin directory ([#421](https://github.com/dc-tec/openbao-operator/issues/421)) ([fc95717](https://github.com/dc-tec/openbao-operator/commit/fc95717479d010af90550ae7f74d51e999d36990)) + ## [0.1.0](https://github.com/dc-tec/openbao-operator/compare/0.3.0...0.1.0) (2026-05-19) diff --git a/charts/openbao-operator/Chart.yaml b/charts/openbao-operator/Chart.yaml index 018ad994f..89788d0f1 100644 --- a/charts/openbao-operator/Chart.yaml +++ b/charts/openbao-operator/Chart.yaml @@ -4,8 +4,8 @@ description: >- OpenBao Operator installs the OpenBao Kubernetes operator and its required cluster-scoped resources. type: application -version: 0.1.0 -appVersion: 0.1.0 +version: 0.2.0 +appVersion: 0.2.0 icon: >- https://raw.githubusercontent.com/dc-tec/openbao-operator/main/docs/assets/logo.svg home: https://github.com/dc-tec/openbao-operator @@ -29,196 +29,32 @@ annotations: artifacthub.io/prerelease: "false" artifacthub.io/containsSecurityUpdates: 'true' artifacthub.io/changes: | - - kind: changed - description: "core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics" - - kind: changed - description: "core: remove Sentinel drift detection (VAP hardening)" - - kind: changed - description: "upgrade: simplify blue/green cutover and split rolling strategy" - - kind: changed - description: "config: openbaocluster config renderer" - - kind: changed - description: "upgrade: upgrade manager; blue/green upgrades" - - kind: changed - description: "controller: openbaocluster refactor; sentinel improvements" - kind: added description: "admission: authorize maintenance through RBAC" - - kind: added - description: "api: add OpenBaoCluster observedGeneration and printer columns" - kind: added description: "api: add runtime restart controls" - - kind: added - description: "ast-grep: add policy-driven architecture guardrails with CI enforcement" - - kind: added - description: "backup;restore: azure blob storage and GCS support as backup provider" - - kind: added - description: "bluegreen: blue/green traffic switching improvements" - - kind: added - description: "charts: operator helm chart" - - kind: added - description: "controller;chart;rbac: controller hardening, Helm sync automation, and RBAC race fix" - - kind: added - description: "controller: add extra metrics" - - kind: added - description: "controller: single tenancy support" - - kind: added - description: "core: add consistent Kubernetes lifecycle events" - - kind: added - description: "core: add perf baseline harness and gates" - - kind: added - description: "core: cluster lifecycle hardening; e2e suite refactor" - - kind: added - description: "core: enable Raft Autopilot for automatic dead server cleanup" - - kind: added - description: "core: harden lifecycle contracts and supporting coverage" - - kind: added - description: "core: helm manifest values and templates" - - kind: added - description: "core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics" - - kind: added - description: "core: introduce restore CRD" - - kind: added - description: "core: make JWT audience configurable and plumb JWT bootstrap config across backup/upgrade/restore" - - kind: added - description: "core: OpenShift compatibility support" - - kind: added - description: "infra;controller: implement support for online PVC expansion of running OpenBao Clusters" - - kind: added - description: "infra: add default node and zone spreading for OpenBao StatefulSets" - - kind: added - description: "infra: add pod metadata hooks for workload identity" - - kind: added - description: "infra: Expose listenerName field for Gateway API HTTPRoute targeting" - - kind: added - description: "infra: improve hardened and ACME deployments" - - kind: added - description: "infra: make DNS namespace configurable in NetworkPolicies" - - kind: added - description: "manifests: install manifest" - - kind: added - description: "manifests: self-service tenant onboarding" - - kind: added - description: "manifests: wire-in image verification for all components" - - kind: added - description: "observability: add metrics, dashboards, e2e assertions; upgrade stability" - kind: added description: "openbaocluster: add ingress integration readiness" - kind: added description: "openbao: improve PKCS#11 runtime ergonomics" - - kind: added - description: "operator: add supported single-tenant custom identity install paths" - - kind: added - description: "perf: refresh kind performance baseline" - - kind: added - description: "policy: enforce Hardened profile requires replicas >= 3 via VAP" - - kind: added - description: "provisioner: configurable tenant resource quotas" - kind: added description: "readreplicas: add steady-state read replica topology and status" - kind: added description: "readreplicas: integrate read replicas with upgrade and restore workflows" - - kind: added - description: "restore: add RBAC for restore jobs and validate authentication" - - kind: security - description: "security: Add admission-time protections for SSRF, TLS secrets, and tenant self-service" - - kind: security - description: "security: add operatorimageVerification field to CRD to allow separate verification of both OpenBao and Operator images" - - kind: security - description: "security: expand control-plane audit coverage for startup, operations, and RBAC mutations" - - kind: security - description: "security: harden image verification and align edge/nightly signed manifest streams" - - kind: security - description: "security: harden image verification defaults and sign edge/nightly images" - - kind: security - description: "security: harden operator RBAC with ValidatingAdmissionPolicy guardrails" - - kind: security - description: "security: tighten operator security and authentication contracts" - - kind: added - description: "upgrade: harden backup and restore flows" - - kind: added - description: "upgrade: improve upgrade manager stability by using SSA for status updates and make pre-upgrade backup job names deterministic" - - kind: added - description: "upgrade: unify manual upgrade requests on OpenBaoCluster" - - kind: added - description: "vap: harden OpenBaoRestore VAP guardrails + allow default backup executor image" - - kind: fixed - description: "admission: add admission check" - - kind: fixed - description: "admission: allow hardened image verification defaults" - kind: fixed description: "admission: guard hardened security context overrides" - - kind: fixed - description: "admission: implement security/rbac improvements" - - kind: fixed - description: "api,security: harden CRD/admission contracts and guardrails" - - kind: fixed - description: "api: switch SecretReference to LocalObjectReference" - - kind: fixed - description: "auth: harden OIDC discovery and add least-privilege RBAC + admission guardrails" - - kind: fixed - description: "auth: harden operator OIDC bootstrap discovery" - - kind: fixed - description: "auth: retry kubernetes jwks discovery via api service" - - kind: fixed - description: "backup: align retention behavior across providers and refactor backup/restore flow" - - kind: fixed - description: "backup: make sure backup jobs are idempotent" - kind: fixed description: "backup: record manual triggers and failure time" - - kind: fixed - description: "backup: remove unused function" - - kind: fixed - description: "bluegreen: harden deterministic upgrade flow, tests, and docs" - - kind: fixed - description: "build: stabilize byte reproducibility gates for checksums and sbom outputs" - - kind: fixed - description: "chart: sync helm chart" - - kind: fixed - description: "chart: sync helm chart" - kind: fixed description: "ci: allow PR label sync to write labels" - - kind: fixed - description: "ci: always run perf weekly issue job after failed schedule check" - - kind: fixed - description: "ci: create kind cluster in release e2e gate" - - kind: fixed - description: "ci: handle kind load failures for multi-arch OpenBao images" - - kind: fixed - description: "ci: harden mainline publish workflows" - kind: fixed description: "ci: replace dangerous PR labeling workflow" - - kind: fixed - description: "ci: restore security and bot PR pipeline stability" - - kind: fixed - description: "ci: stabilize nightly e2e image refs and matrix check naming" - - kind: fixed - description: "ci: stabilize release/build reproducibility and align CI documentation" - - kind: fixed - description: "ci: unblock draft release lookup and run reproducibility post-release" - kind: fixed description: "config: align audit device options with OpenBao" - kind: fixed description: "config: harden generated JWT roles" - kind: fixed description: "config: use SemVer precedence for OpenBao version checks" - - kind: fixed - description: "controller: infer BlueImage from running pods to prevent premature upgrades" - - kind: fixed - description: "controller: Prevent data loss by orphaning secrets when DeletionPolicy is Retain" - - kind: fixed - description: "controller: prevent OpenBaoCluster resourceVersion churn" - - kind: fixed - description: "controller: recheck admission dependencies at runtime" - - kind: fixed - description: "controller: refresh cluster status on standard cadence" - - kind: fixed - description: "controller: remove force ownership of status" - - kind: fixed - description: "core: harden controller determinism and idempotency" - - kind: fixed - description: "core: rbac and admission hardening" - - kind: fixed - description: "deps: resolve security vulnerabilities in go-tuf/v2 and rekor dependencies" - kind: fixed description: "deps: restore dependency update CI coverage" - kind: fixed @@ -229,38 +65,12 @@ annotations: description: "helm: deduplicate generated RBAC labels" - kind: fixed description: "helm: Helm provisioner admission identity" - - kind: fixed - description: "images: fail-fast on missing OPERATOR_VERSION environment variable" - - kind: fixed - description: "Implement versioned default images for backup, upgrade, and init container" - - kind: fixed - description: "infra: add IPv6/dual-stack support for listener binding and development egress rules" - kind: fixed description: "infra: delete scaled-down raft PVCs" - - kind: fixed - description: "infra: exclude job pods from pdb" - - kind: fixed - description: "infra: fail closed on hostile OIDC bootstrap discovery" - - kind: fixed - description: "infra: improve initialization robustness by treating transient Secret/RBAC errors as retriable and hardening root-token creation" - - kind: fixed - description: "infra: resolve BackendTLSPolicy mismatch and cleanup stale services after Blue/Green upgrade" - - kind: fixed - description: "infra: stop apiserver endpoint autodetection; use service VIP allow-list with optional endpoint IPs" - - kind: fixed - description: "init: retrty writing root token to secret to handle transient cr\u2026" - - kind: fixed - description: "kube: add job check" - - kind: fixed - description: "manifests: secure defaults and profiles" - kind: fixed description: "multitenancy: gate cluster reconcile on tenant onboarding" - kind: fixed description: "network: Require source-scoped managed Ingress access" - - kind: fixed - description: "nightly: harden init token persistence and e2e autopilot reliability" - - kind: fixed - description: "openbao: handle 403 forbidden gracefully" - kind: fixed description: "openbao: share JWT token cache" - kind: fixed @@ -273,109 +83,37 @@ annotations: description: "provisioner: support external tenant PSS label ownership" - kind: fixed description: "rbac: allow verification pull secret reads" - - kind: fixed - description: "release: grant tag workflow comment permissions" - - kind: fixed - description: "release: remove unsupported tag app scope" - - kind: fixed - description: "release: sign release tags and trim release gates" - kind: fixed description: "restore: harden restore job rendering" - - kind: fixed - description: "rolling: handle retry status conflicts during upgrade resume" - - kind: fixed - description: "security;e2e: verify signed hardened/acme flows in CI/nightly and support digest-safe keyless defaults" - kind: security description: "security: fail closed for configured trusted roots" - - kind: security - description: "security: harden managed image digests and gateway validation reads" - - kind: security - description: "security: implement image verification LRU cache; docker auth handeling" - - kind: security - description: "security: performance issue image verification by reording cache lookups" - - kind: security - description: "security: remove resolved govulncheck ignores" - - kind: security - description: "security: validate UMASK bounds in bao-wrapper" - - kind: security - description: "security: wrap bundle fallback verification error" - - kind: fixed - description: "sentinel: prevent noisy neighbors and thundering herd behavior" - - kind: fixed - description: "sentinel: rely on uuids instead of timestamps as sentinel triggerid" - - kind: fixed - description: "status: make lifecycle status guidance more actionable" - kind: fixed description: "status: mark unsafe admission mode not production-ready" - - kind: fixed - description: "storage: enforce storage class immutability consistently" - kind: fixed description: "storage: retry transient S3 bucket ensure failures" - - kind: fixed - description: "upgrade: clear rolling retry failure state with merge status patch" - kind: fixed description: "upgrade: complete SSA ownership migration" - kind: fixed description: "upgrade: harden bluegreen and rolling recovery flakes" - - kind: fixed - description: "upgrade: harden OpenBaoCluster upgrade validation, recovery, and documentation" - kind: fixed description: "upgrade: harden rolling upgrade resume" - - kind: fixed - description: "upgrade: improve upgrade manager stability" - - kind: fixed - description: "upgrade: make rolling upgrades deterministic and harden rolling upgrade coverage" - - kind: fixed - description: "upgrade: revert partition update to MergeFrom to fix StatefulSet validation" - kind: fixed description: "upgrade: set executor job resource requirements" - kind: fixed description: "upgrade: treat raft promote already-voter as no-op" - kind: fixed description: "upgrade: verify default helper images for hardened clusters" - - kind: fixed - description: "validation: block upgrade strategy switches" - - kind: fixed - description: "vap: require self init requests when self initialization is enabled" - - kind: fixed - description: "vap: stuck Job deletions by allowing GC Job-finalizer updates in lock-managed-resource-mutations VAP" - kind: fixed description: "workload: mount OCI plugin directory" - - kind: changed - description: "release: release 0.1.0" - - kind: changed - description: "release: release 0.1.0-rc.7" - - kind: changed - description: "release: set release target to 0.1.0-rc.1" - - kind: changed - description: "release: set release target to 0.1.0-rc.2" - - kind: changed - description: "release: set release target to 0.1.0-rc.3" - - kind: changed - description: "release: set release target to 0.1.0-rc.4" - - kind: changed - description: "release: set release target to 0.1.0-rc.5" - - kind: changed - description: "trigger release-please for 0.1.0-rc.6" - - kind: changed - description: "config: openbaocluster config renderer" - - kind: changed - description: "controller: openbaocluster refactor; sentinel improvements" - - kind: changed - description: "core: remove Sentinel drift detection (VAP hardening)" - - kind: changed - description: "upgrade: simplify blue/green cutover and split rolling strategy" - - kind: changed - description: "upgrade: upgrade manager; blue/green upgrades" artifacthub.io/images: | - name: openbao-operator - image: ghcr.io/dc-tec/openbao-operator:0.1.0 + image: ghcr.io/dc-tec/openbao-operator:0.2.0 - name: openbao-init - image: ghcr.io/dc-tec/openbao-init:0.1.0 + image: ghcr.io/dc-tec/openbao-init:0.2.0 - name: openbao-backup - image: ghcr.io/dc-tec/openbao-backup:0.1.0 + image: ghcr.io/dc-tec/openbao-backup:0.2.0 - name: openbao-upgrade - image: ghcr.io/dc-tec/openbao-upgrade:0.1.0 + image: ghcr.io/dc-tec/openbao-upgrade:0.2.0 artifacthub.io/crds: | - kind: OpenBaoCluster version: v1alpha1