From 54ccfe04d78dddba5b1ded491a46ffd7e52845da Mon Sep 17 00:00:00 2001 From: "openbao-operator-release-pr[bot]" <270663009+openbao-operator-release-pr[bot]@users.noreply.github.com> Date: Tue, 19 May 2026 05:49:41 +0000 Subject: [PATCH 1/2] chore(release-please--branches--release-please--branches--release-please--branches--release-please--branches--release-please--branches--release-please--branches--main): release 0.3.0
---
 .release-please-manifest.json | 2 +- CHANGELOG.md | 26 +++ charts/openbao-operator/Chart.yaml | 276 ++++++++++++++++++++++++++++- 3 files changed, 296 insertions(+), 8 deletions(-)
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index 30bfd91bf..c5bd7d265 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,4 +1,4 @@
 {
- ".": "0.2.0"
+ ".": "0.3.0"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 57c8a3ffa..261c70f0c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,32 @@ Release notes are generated and maintained via **release-please** based on **Conventional Commits**. +## [0.3.0](https://github.com/dc-tec/openbao-operator/compare/0.2.0...0.3.0) (2026-05-19) + + +### Features + +* **openbaocluster:** add ingress integration readiness ([#409](https://github.com/dc-tec/openbao-operator/issues/409)) ([945b4a4](https://github.com/dc-tec/openbao-operator/commit/945b4a407829e8bb5f5617309873215ae356fc2d)) +* **openbao:** improve PKCS[#11](https://github.com/dc-tec/openbao-operator/issues/11) runtime ergonomics ([#400](https://github.com/dc-tec/openbao-operator/issues/400)) ([f32a6ec](https://github.com/dc-tec/openbao-operator/commit/f32a6ec0fdc46ab911bc714daa4ec40d0527ef97)) + + +### Bug Fixes + +* **backup:** record manual triggers and failure time ([#407](https://github.com/dc-tec/openbao-operator/issues/407)) ([ff172c6](https://github.com/dc-tec/openbao-operator/commit/ff172c60d6efabb541f9093dca769fb7b354f0ce)) +* **config:** align audit device options with OpenBao ([#423](https://github.com/dc-tec/openbao-operator/issues/423)) ([b1ed4a3](https://github.com/dc-tec/openbao-operator/commit/b1ed4a344e2d9b99fb4ff0efad86107133209bc7)) +* **config:** harden generated JWT roles ([#420](https://github.com/dc-tec/openbao-operator/issues/420)) ([546c6db](https://github.com/dc-tec/openbao-operator/commit/546c6dbc605c97c1dac743c5cefb97e4dc595688)) +* **config:** use SemVer precedence for OpenBao version checks ([#394](https://github.com/dc-tec/openbao-operator/issues/394)) ([173847d](https://github.com/dc-tec/openbao-operator/commit/173847d22397796e4caa7aa41180f60fcc2a6839)) +* **deps:** restore dependency update CI coverage ([#399](https://github.com/dc-tec/openbao-operator/issues/399)) ([032e1b7](https://github.com/dc-tec/openbao-operator/commit/032e1b7a8ae0a008bacc17772bac5d764f410876)) +* **gateway:** emit TLSRoute as Gateway API v1 ([#429](https://github.com/dc-tec/openbao-operator/issues/429)) 
([05177d3](https://github.com/dc-tec/openbao-operator/commit/05177d3aae16aa5bbd80151806b75b5842e6ced9)) +* **helm:** deduplicate generated RBAC labels ([#414](https://github.com/dc-tec/openbao-operator/issues/414)) ([78f8d73](https://github.com/dc-tec/openbao-operator/commit/78f8d73ed5329c4dfaa7c82926f98ca8933bcb19)) +* **openbao:** share JWT token cache ([#419](https://github.com/dc-tec/openbao-operator/issues/419)) ([a4a0887](https://github.com/dc-tec/openbao-operator/commit/a4a088762c584867932d3f48d47ee5399ceadc9e)) +* **provisioner:** support external tenant PSS label ownership ([#428](https://github.com/dc-tec/openbao-operator/issues/428)) ([08462c9](https://github.com/dc-tec/openbao-operator/commit/08462c9e108dba154aa9831ce38f9d209b6dbf9e)) +* **rbac:** allow verification pull secret reads ([#427](https://github.com/dc-tec/openbao-operator/issues/427)) ([10d40c0](https://github.com/dc-tec/openbao-operator/commit/10d40c0169bda12ea318f9ab1629b0bf4e8bc312)) +* **restore:** harden restore job rendering ([#405](https://github.com/dc-tec/openbao-operator/issues/405)) ([3e52f5a](https://github.com/dc-tec/openbao-operator/commit/3e52f5a51731562cb61f8cb8e48d2fdf8bd72e09)) +* **storage:** retry transient S3 bucket ensure failures ([#408](https://github.com/dc-tec/openbao-operator/issues/408)) ([9796c2c](https://github.com/dc-tec/openbao-operator/commit/9796c2c174c06f84f8fa645ae29909a774bc6f73)) +* **upgrade:** harden rolling upgrade resume ([#406](https://github.com/dc-tec/openbao-operator/issues/406)) ([33fe59d](https://github.com/dc-tec/openbao-operator/commit/33fe59d148751253d6819070630ebad0ce81d80b)) +* **workload:** mount OCI plugin directory ([#421](https://github.com/dc-tec/openbao-operator/issues/421)) ([fc95717](https://github.com/dc-tec/openbao-operator/commit/fc95717479d010af90550ae7f74d51e999d36990)) + ## [0.2.0](https://github.com/dc-tec/openbao-operator/compare/0.1.0...0.2.0) (2026-05-19) 
diff --git a/charts/openbao-operator/Chart.yaml b/charts/openbao-operator/Chart.yaml index 89788d0f1..b8aa62f19 100644 --- a/charts/openbao-operator/Chart.yaml +++ b/charts/openbao-operator/Chart.yaml @@ -4,8 +4,8 @@ description: >- OpenBao Operator installs the OpenBao Kubernetes operator and its required cluster-scoped resources. type: application -version: 0.2.0 -appVersion: 0.2.0 +version: 0.3.0 +appVersion: 0.3.0 icon: >- https://raw.githubusercontent.com/dc-tec/openbao-operator/main/docs/assets/logo.svg home: https://github.com/dc-tec/openbao-operator 
@@ -26,35 +26,199 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/operator: 'true' artifacthub.io/operatorCapabilities: Full Lifecycle - artifacthub.io/prerelease: "false" + artifacthub.io/prerelease: 'false' artifacthub.io/containsSecurityUpdates: 'true' artifacthub.io/changes: | + - kind: changed + description: "core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics" + - kind: changed + description: "core: remove Sentinel drift detection (VAP hardening)" + - kind: changed + description: "upgrade: simplify blue/green cutover and split rolling strategy" + - kind: changed + description: "config: openbaocluster config renderer" + - kind: changed + description: "upgrade: upgrade manager; blue/green upgrades" + - kind: changed + description: "controller: openbaocluster refactor; sentinel improvements" - kind: added description: "admission: authorize maintenance through RBAC" + - kind: added + description: "api: add OpenBaoCluster observedGeneration and printer columns" - kind: added description: "api: add runtime restart controls" + - kind: added + description: "ast-grep: add policy-driven architecture guardrails with CI enforcement" + - kind: added + description: "backup;restore: azure blob storage and GCS support as backup provider" + - kind: added + description: "bluegreen: blue/green traffic switching improvements" + - kind: added + description: "charts: operator helm chart" + - kind: added + description: "controller;chart;rbac: controller hardening, Helm sync automation, and RBAC race fix" + - kind: added + description: "controller: add extra metrics" + - kind: added + description: "controller: single tenancy support" + - kind: added + description: "core: add consistent Kubernetes lifecycle events" + - kind: added + description: "core: add perf baseline harness and gates" + - kind: added + description: "core: cluster lifecycle hardening; e2e suite refactor" + - kind: added + description: "core: enable Raft 
Autopilot for automatic dead server cleanup" + - kind: added + description: "core: harden lifecycle contracts and supporting coverage" + - kind: added + description: "core: helm manifest values and templates" + - kind: added + description: "core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics" + - kind: added + description: "core: introduce restore CRD" + - kind: added + description: "core: make JWT audience configurable and plumb JWT bootstrap config across backup/upgrade/restore" + - kind: added + description: "core: OpenShift compatibility support" + - kind: added + description: "infra;controller: implement support for online PVC expansion of running OpenBao Clusters" + - kind: added + description: "infra: add default node and zone spreading for OpenBao StatefulSets" + - kind: added + description: "infra: add pod metadata hooks for workload identity" + - kind: added + description: "infra: Expose listenerName field for Gateway API HTTPRoute targeting" + - kind: added + description: "infra: improve hardened and ACME deployments" + - kind: added + description: "infra: make DNS namespace configurable in NetworkPolicies" + - kind: added + description: "manifests: install manifest" + - kind: added + description: "manifests: self-service tenant onboarding" + - kind: added + description: "manifests: wire-in image verification for all components" + - kind: added + description: "observability: add metrics, dashboards, e2e assertions; upgrade stability" - kind: added description: "openbaocluster: add ingress integration readiness" - kind: added description: "openbao: improve PKCS#11 runtime ergonomics" + - kind: added + description: "operator: add supported single-tenant custom identity install paths" + - kind: added + description: "perf: refresh kind performance baseline" + - kind: added + description: "policy: enforce Hardened profile requires replicas >= 3 via VAP" + - kind: added + description: "provisioner: configurable tenant 
resource quotas" - kind: added description: "readreplicas: add steady-state read replica topology and status" - kind: added description: "readreplicas: integrate read replicas with upgrade and restore workflows" + - kind: added + description: "restore: add RBAC for restore jobs and validate authentication" + - kind: security + description: "security: Add admission-time protections for SSRF, TLS secrets, and tenant self-service" + - kind: security + description: "security: add operatorimageVerification field to CRD to allow separate verification of both OpenBao and Operator images" + - kind: security + description: "security: expand control-plane audit coverage for startup, operations, and RBAC mutations" + - kind: security + description: "security: harden image verification and align edge/nightly signed manifest streams" + - kind: security + description: "security: harden image verification defaults and sign edge/nightly images" + - kind: security + description: "security: harden operator RBAC with ValidatingAdmissionPolicy guardrails" + - kind: security + description: "security: tighten operator security and authentication contracts" + - kind: added + description: "upgrade: harden backup and restore flows" + - kind: added + description: "upgrade: improve upgrade manager stability by using SSA for status updates and make pre-upgrade backup job names deterministic" + - kind: added + description: "upgrade: unify manual upgrade requests on OpenBaoCluster" + - kind: added + description: "vap: harden OpenBaoRestore VAP guardrails + allow default backup executor image" + - kind: fixed + description: "admission: add admission check" + - kind: fixed + description: "admission: allow hardened image verification defaults" - kind: fixed description: "admission: guard hardened security context overrides" + - kind: fixed + description: "admission: implement security/rbac improvements" + - kind: fixed + description: "api,security: harden CRD/admission contracts and guardrails" + 
- kind: fixed + description: "api: switch SecretReference to LocalObjectReference" + - kind: fixed + description: "auth: harden OIDC discovery and add least-privilege RBAC + admission guardrails" + - kind: fixed + description: "auth: harden operator OIDC bootstrap discovery" + - kind: fixed + description: "auth: retry kubernetes jwks discovery via api service" + - kind: fixed + description: "backup: align retention behavior across providers and refactor backup/restore flow" + - kind: fixed + description: "backup: make sure backup jobs are idempotent" - kind: fixed description: "backup: record manual triggers and failure time" + - kind: fixed + description: "backup: remove unused function" + - kind: fixed + description: "bluegreen: harden deterministic upgrade flow, tests, and docs" + - kind: fixed + description: "build: stabilize byte reproducibility gates for checksums and sbom outputs" + - kind: fixed + description: "chart: sync helm chart" + - kind: fixed + description: "chart: sync helm chart" - kind: fixed description: "ci: allow PR label sync to write labels" + - kind: fixed + description: "ci: always run perf weekly issue job after failed schedule check" + - kind: fixed + description: "ci: create kind cluster in release e2e gate" + - kind: fixed + description: "ci: handle kind load failures for multi-arch OpenBao images" + - kind: fixed + description: "ci: harden mainline publish workflows" - kind: fixed description: "ci: replace dangerous PR labeling workflow" + - kind: fixed + description: "ci: restore security and bot PR pipeline stability" + - kind: fixed + description: "ci: stabilize nightly e2e image refs and matrix check naming" + - kind: fixed + description: "ci: stabilize release/build reproducibility and align CI documentation" + - kind: fixed + description: "ci: unblock draft release lookup and run reproducibility post-release" - kind: fixed description: "config: align audit device options with OpenBao" - kind: fixed description: "config: harden 
generated JWT roles" - kind: fixed description: "config: use SemVer precedence for OpenBao version checks" + - kind: fixed + description: "controller: infer BlueImage from running pods to prevent premature upgrades" + - kind: fixed + description: "controller: Prevent data loss by orphaning secrets when DeletionPolicy is Retain" + - kind: fixed + description: "controller: prevent OpenBaoCluster resourceVersion churn" + - kind: fixed + description: "controller: recheck admission dependencies at runtime" + - kind: fixed + description: "controller: refresh cluster status on standard cadence" + - kind: fixed + description: "controller: remove force ownership of status" + - kind: fixed + description: "core: harden controller determinism and idempotency" + - kind: fixed + description: "core: rbac and admission hardening" + - kind: fixed + description: "deps: resolve security vulnerabilities in go-tuf/v2 and rekor dependencies" - kind: fixed description: "deps: restore dependency update CI coverage" - kind: fixed 
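Review bot: The regenerated `artifacthub.io/changes` list in this hunk re-announces the project's whole history under 0.3.0 instead of the sixteen entries the CHANGELOG hunk records for this release: the six `changed` entries added at the top reappear at the end of the list, `chart: sync helm chart` is added twice, and `core: Improve OIDC/JWT bootstrap…` is listed under both `changed` and `added`; the same applies to the hunks at `@@ -65,12` and `@@ -83,37`, which add `release: set release target to 0.1.0-rc.N` bumps as 0.3.0 changes. Artifact Hub renders this annotation as the changelog of the published chart version, so consumers deciding whether to upgrade, and whether `containsSecurityUpdates: 'true'` concerns them, would be shown changes that shipped in earlier releases. The list should be limited to the entries for the 0.3.0 compare range that the CHANGELOG hunk lists, or the release-please extra-file configuration should stop regenerating it cumulatively; the second patch on this page appears to prune the list, but its hunk runs past the end of the page, so that cannot be confirmed here. The quote flip to `artifacthub.io/prerelease: 'false'` is cosmetic churn that the second patch reverts to `"false"`; settling on one quoting style for the annotation block would stop successive bots rewriting the line.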
@@ -65,12 +229,38 @@ annotations: description: "helm: deduplicate generated RBAC labels" - kind: fixed description: "helm: Helm provisioner admission identity" + - kind: fixed + description: "images: fail-fast on missing OPERATOR_VERSION environment variable" + - kind: fixed + description: "Implement versioned default images for backup, upgrade, and init container" + - kind: fixed + description: "infra: add IPv6/dual-stack support for listener binding and development egress rules" - kind: fixed description: "infra: delete scaled-down raft PVCs" + - kind: fixed + description: "infra: exclude job pods from pdb" + - kind: fixed + description: "infra: fail closed on hostile OIDC bootstrap discovery" + - kind: fixed + description: "infra: improve initialization robustness by treating transient Secret/RBAC errors as retriable and hardening root-token creation" + - kind: fixed + description: "infra: resolve BackendTLSPolicy mismatch and cleanup stale services after Blue/Green upgrade" + - kind: fixed + description: "infra: stop apiserver endpoint autodetection; use service VIP allow-list with optional endpoint IPs" + - kind: fixed + description: "init: retrty writing root token to secret to handle transient cr\u2026" + - kind: fixed + description: "kube: add job check" + - kind: fixed + description: "manifests: secure defaults and profiles" - kind: fixed description: "multitenancy: gate cluster reconcile on tenant onboarding" - kind: fixed description: "network: Require source-scoped managed Ingress access" + - kind: fixed + description: "nightly: harden init token persistence and e2e autopilot reliability" + - kind: fixed + description: "openbao: handle 403 forbidden gracefully" - kind: fixed description: "openbao: share JWT token cache" - kind: fixed 
@@ -83,37 +273,109 @@ annotations: description: "provisioner: support external tenant PSS label ownership" - kind: fixed description: "rbac: allow verification pull secret reads" + - kind: fixed + description: "release: grant tag workflow comment permissions" + - kind: fixed + description: "release: remove unsupported tag app scope" + - kind: fixed + description: "release: sign release tags and trim release gates" - kind: fixed description: "restore: harden restore job rendering" + - kind: fixed + description: "rolling: handle retry status conflicts during upgrade resume" + - kind: fixed + description: "security;e2e: verify signed hardened/acme flows in CI/nightly and support digest-safe keyless defaults" - kind: security description: "security: fail closed for configured trusted roots" + - kind: security + description: "security: harden managed image digests and gateway validation reads" + - kind: security + description: "security: implement image verification LRU cache; docker auth handeling" + - kind: security + description: "security: performance issue image verification by reording cache lookups" + - kind: security + description: "security: remove resolved govulncheck ignores" + - kind: security + description: "security: validate UMASK bounds in bao-wrapper" + - kind: security + description: "security: wrap bundle fallback verification error" + - kind: fixed + description: "sentinel: prevent noisy neighbors and thundering herd behavior" + - kind: fixed + description: "sentinel: rely on uuids instead of timestamps as sentinel triggerid" + - kind: fixed + description: "status: make lifecycle status guidance more actionable" - kind: fixed description: "status: mark unsafe admission mode not production-ready" + - kind: fixed + description: "storage: enforce storage class immutability consistently" - kind: fixed description: "storage: retry transient S3 bucket ensure failures" + - kind: fixed + description: "upgrade: clear rolling retry failure state with merge 
status patch" - kind: fixed description: "upgrade: complete SSA ownership migration" - kind: fixed description: "upgrade: harden bluegreen and rolling recovery flakes" + - kind: fixed + description: "upgrade: harden OpenBaoCluster upgrade validation, recovery, and documentation" - kind: fixed description: "upgrade: harden rolling upgrade resume" + - kind: fixed + description: "upgrade: improve upgrade manager stability" + - kind: fixed + description: "upgrade: make rolling upgrades deterministic and harden rolling upgrade coverage" + - kind: fixed + description: "upgrade: revert partition update to MergeFrom to fix StatefulSet validation" - kind: fixed description: "upgrade: set executor job resource requirements" - kind: fixed description: "upgrade: treat raft promote already-voter as no-op" - kind: fixed description: "upgrade: verify default helper images for hardened clusters" + - kind: fixed + description: "validation: block upgrade strategy switches" + - kind: fixed + description: "vap: require self init requests when self initialization is enabled" + - kind: fixed + description: "vap: stuck Job deletions by allowing GC Job-finalizer updates in lock-managed-resource-mutations VAP" - kind: fixed description: "workload: mount OCI plugin directory" + - kind: changed + description: "release: release 0.1.0" + - kind: changed + description: "release: release 0.1.0-rc.7" + - kind: changed + description: "release: set release target to 0.1.0-rc.1" + - kind: changed + description: "release: set release target to 0.1.0-rc.2" + - kind: changed + description: "release: set release target to 0.1.0-rc.3" + - kind: changed + description: "release: set release target to 0.1.0-rc.4" + - kind: changed + description: "release: set release target to 0.1.0-rc.5" + - kind: changed + description: "trigger release-please for 0.1.0-rc.6" + - kind: changed + description: "config: openbaocluster config renderer" + - kind: changed + description: "controller: openbaocluster refactor; 
sentinel improvements" + - kind: changed + description: "core: remove Sentinel drift detection (VAP hardening)" + - kind: changed + description: "upgrade: simplify blue/green cutover and split rolling strategy" + - kind: changed + description: "upgrade: upgrade manager; blue/green upgrades" artifacthub.io/images: | - name: openbao-operator - image: ghcr.io/dc-tec/openbao-operator:0.2.0 + image: ghcr.io/dc-tec/openbao-operator:0.1.0 - name: openbao-init - image: ghcr.io/dc-tec/openbao-init:0.2.0 + image: ghcr.io/dc-tec/openbao-init:0.1.0 - name: openbao-backup - image: ghcr.io/dc-tec/openbao-backup:0.2.0 + image: ghcr.io/dc-tec/openbao-backup:0.1.0 - name: openbao-upgrade - image: ghcr.io/dc-tec/openbao-upgrade:0.2.0 + image: ghcr.io/dc-tec/openbao-upgrade:0.1.0 artifacthub.io/crds: | - kind: OpenBaoCluster version: v1alpha1 From eed1198808359caf87127defe2366c17678fbdeb Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 19 May 2026 05:49:55 +0000 Subject: [PATCH 2/2] chore(release): sync chart metadata and changelog Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- charts/openbao-operator/Chart.yaml | 318 +---------------------------- 1 file changed, 6 insertions(+), 312 deletions(-) diff --git a/charts/openbao-operator/Chart.yaml b/charts/openbao-operator/Chart.yaml index b8aa62f19..b4f2761fe 100644 --- a/charts/openbao-operator/Chart.yaml +++ b/charts/openbao-operator/Chart.yaml 
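Review bot: The `artifacthub.io/images` block at the end of this hunk moves all four image references backwards from `:0.2.0` to `:0.1.0` while the earlier hunk in this file bumps `version` and `appVersion` to 0.3.0, so the published metadata for the 0.3.0 chart now names images two releases old. Artifact Hub reads this annotation for the chart's image list and its security scan reports, so the vulnerability results and references shown for 0.3.0 would describe the 0.1.0 images rather than the ones a 0.3.0 install presumably pulls. The entries should read `image: ghcr.io/dc-tec/openbao-operator:0.3.0`, and likewise `openbao-init`, `openbao-backup` and `openbao-upgrade` with the `:0.3.0` tag, ideally produced by the same substitution that rewrites `appVersion` rather than by a separately regenerated list. The following patch (eed1198) appears to resync this file, but its hunk is cut off at the end of the page, so whether it also restores these tags cannot be confirmed here.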
@@ -26,356 +26,50 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/operator: 'true' artifacthub.io/operatorCapabilities: Full Lifecycle - artifacthub.io/prerelease: 'false' - artifacthub.io/containsSecurityUpdates: 'true' + artifacthub.io/prerelease: "false" + artifacthub.io/containsSecurityUpdates: 'false' artifacthub.io/changes: | - - kind: changed - description: "core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics" - - kind: changed - description: "core: remove Sentinel drift detection (VAP hardening)" - - kind: changed - description: "upgrade: simplify blue/green cutover and split rolling strategy" - - kind: changed - description: "config: openbaocluster config renderer" - - kind: changed - description: "upgrade: upgrade manager; blue/green upgrades" - - kind: changed - description: "controller: openbaocluster refactor; sentinel improvements" - - kind: added - description: "admission: authorize maintenance through RBAC" - - kind: added - description: "api: add OpenBaoCluster observedGeneration and printer columns" - - kind: added - description: "api: add runtime restart controls" - - kind: added - description: "ast-grep: add policy-driven architecture guardrails with CI enforcement" - - kind: added - description: "backup;restore: azure blob storage and GCS support as backup provider" - - kind: added - description: "bluegreen: blue/green traffic switching improvements" - - kind: added - description: "charts: operator helm chart" - - kind: added - description: "controller;chart;rbac: controller hardening, Helm sync automation, and RBAC race fix" - - kind: added - description: "controller: add extra metrics" - - kind: added - description: "controller: single tenancy support" - - kind: added - description: "core: add consistent Kubernetes lifecycle events" - - kind: added - description: "core: add perf baseline harness and gates" - - kind: added - description: "core: cluster lifecycle hardening; e2e suite 
refactor" - - kind: added - description: "core: enable Raft Autopilot for automatic dead server cleanup" - - kind: added - description: "core: harden lifecycle contracts and supporting coverage" - - kind: added - description: "core: helm manifest values and templates" - - kind: added - description: "core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics" - - kind: added - description: "core: introduce restore CRD" - - kind: added - description: "core: make JWT audience configurable and plumb JWT bootstrap config across backup/upgrade/restore" - - kind: added - description: "core: OpenShift compatibility support" - - kind: added - description: "infra;controller: implement support for online PVC expansion of running OpenBao Clusters" - - kind: added - description: "infra: add default node and zone spreading for OpenBao StatefulSets" - - kind: added - description: "infra: add pod metadata hooks for workload identity" - - kind: added - description: "infra: Expose listenerName field for Gateway API HTTPRoute targeting" - - kind: added - description: "infra: improve hardened and ACME deployments" - - kind: added - description: "infra: make DNS namespace configurable in NetworkPolicies" - - kind: added - description: "manifests: install manifest" - - kind: added - description: "manifests: self-service tenant onboarding" - - kind: added - description: "manifests: wire-in image verification for all components" - - kind: added - description: "observability: add metrics, dashboards, e2e assertions; upgrade stability" - kind: added description: "openbaocluster: add ingress integration readiness" - kind: added description: "openbao: improve PKCS#11 runtime ergonomics" - - kind: added - description: "operator: add supported single-tenant custom identity install paths" - - kind: added - description: "perf: refresh kind performance baseline" - - kind: added - description: "policy: enforce Hardened profile requires replicas >= 3 via VAP" - - 
kind: added - description: "provisioner: configurable tenant resource quotas" - - kind: added - description: "readreplicas: add steady-state read replica topology and status" - - kind: added - description: "readreplicas: integrate read replicas with upgrade and restore workflows" - - kind: added - description: "restore: add RBAC for restore jobs and validate authentication" - - kind: security - description: "security: Add admission-time protections for SSRF, TLS secrets, and tenant self-service" - - kind: security - description: "security: add operatorimageVerification field to CRD to allow separate verification of both OpenBao and Operator images" - - kind: security - description: "security: expand control-plane audit coverage for startup, operations, and RBAC mutations" - - kind: security - description: "security: harden image verification and align edge/nightly signed manifest streams" - - kind: security - description: "security: harden image verification defaults and sign edge/nightly images" - - kind: security - description: "security: harden operator RBAC with ValidatingAdmissionPolicy guardrails" - - kind: security - description: "security: tighten operator security and authentication contracts" - - kind: added - description: "upgrade: harden backup and restore flows" - - kind: added - description: "upgrade: improve upgrade manager stability by using SSA for status updates and make pre-upgrade backup job names deterministic" - - kind: added - description: "upgrade: unify manual upgrade requests on OpenBaoCluster" - - kind: added - description: "vap: harden OpenBaoRestore VAP guardrails + allow default backup executor image" - - kind: fixed - description: "admission: add admission check" - - kind: fixed - description: "admission: allow hardened image verification defaults" - - kind: fixed - description: "admission: guard hardened security context overrides" - - kind: fixed - description: "admission: implement security/rbac improvements" - - kind: fixed - 
description: "api,security: harden CRD/admission contracts and guardrails" - - kind: fixed - description: "api: switch SecretReference to LocalObjectReference" - - kind: fixed - description: "auth: harden OIDC discovery and add least-privilege RBAC + admission guardrails" - - kind: fixed - description: "auth: harden operator OIDC bootstrap discovery" - - kind: fixed - description: "auth: retry kubernetes jwks discovery via api service" - - kind: fixed - description: "backup: align retention behavior across providers and refactor backup/restore flow" - - kind: fixed - description: "backup: make sure backup jobs are idempotent" - kind: fixed description: "backup: record manual triggers and failure time" - - kind: fixed - description: "backup: remove unused function" - - kind: fixed - description: "bluegreen: harden deterministic upgrade flow, tests, and docs" - - kind: fixed - description: "build: stabilize byte reproducibility gates for checksums and sbom outputs" - - kind: fixed - description: "chart: sync helm chart" - - kind: fixed - description: "chart: sync helm chart" - - kind: fixed - description: "ci: allow PR label sync to write labels" - - kind: fixed - description: "ci: always run perf weekly issue job after failed schedule check" - - kind: fixed - description: "ci: create kind cluster in release e2e gate" - - kind: fixed - description: "ci: handle kind load failures for multi-arch OpenBao images" - - kind: fixed - description: "ci: harden mainline publish workflows" - - kind: fixed - description: "ci: replace dangerous PR labeling workflow" - - kind: fixed - description: "ci: restore security and bot PR pipeline stability" - - kind: fixed - description: "ci: stabilize nightly e2e image refs and matrix check naming" - - kind: fixed - description: "ci: stabilize release/build reproducibility and align CI documentation" - - kind: fixed - description: "ci: unblock draft release lookup and run reproducibility post-release" - kind: fixed description: "config: 
align audit device options with OpenBao" - kind: fixed description: "config: harden generated JWT roles" - kind: fixed description: "config: use SemVer precedence for OpenBao version checks" - - kind: fixed - description: "controller: infer BlueImage from running pods to prevent premature upgrades" - - kind: fixed - description: "controller: Prevent data loss by orphaning secrets when DeletionPolicy is Retain" - - kind: fixed - description: "controller: prevent OpenBaoCluster resourceVersion churn" - - kind: fixed - description: "controller: recheck admission dependencies at runtime" - - kind: fixed - description: "controller: refresh cluster status on standard cadence" - - kind: fixed - description: "controller: remove force ownership of status" - - kind: fixed - description: "core: harden controller determinism and idempotency" - - kind: fixed - description: "core: rbac and admission hardening" - - kind: fixed - description: "deps: resolve security vulnerabilities in go-tuf/v2 and rekor dependencies" - kind: fixed description: "deps: restore dependency update CI coverage" - kind: fixed description: "gateway: emit TLSRoute as Gateway API v1" - - kind: fixed - description: "helm: allow global values in chart schema" - kind: fixed description: "helm: deduplicate generated RBAC labels" - - kind: fixed - description: "helm: Helm provisioner admission identity" - - kind: fixed - description: "images: fail-fast on missing OPERATOR_VERSION environment variable" - - kind: fixed - description: "Implement versioned default images for backup, upgrade, and init container" - - kind: fixed - description: "infra: add IPv6/dual-stack support for listener binding and development egress rules" - - kind: fixed - description: "infra: delete scaled-down raft PVCs" - - kind: fixed - description: "infra: exclude job pods from pdb" - - kind: fixed - description: "infra: fail closed on hostile OIDC bootstrap discovery" - - kind: fixed - description: "infra: improve initialization 
robustness by treating transient Secret/RBAC errors as retriable and hardening root-token creation" - - kind: fixed - description: "infra: resolve BackendTLSPolicy mismatch and cleanup stale services after Blue/Green upgrade" - - kind: fixed - description: "infra: stop apiserver endpoint autodetection; use service VIP allow-list with optional endpoint IPs" - - kind: fixed - description: "init: retrty writing root token to secret to handle transient cr\u2026" - - kind: fixed - description: "kube: add job check" - - kind: fixed - description: "manifests: secure defaults and profiles" - - kind: fixed - description: "multitenancy: gate cluster reconcile on tenant onboarding" - - kind: fixed - description: "network: Require source-scoped managed Ingress access" - - kind: fixed - description: "nightly: harden init token persistence and e2e autopilot reliability" - - kind: fixed - description: "openbao: handle 403 forbidden gracefully" - kind: fixed description: "openbao: share JWT token cache" - - kind: fixed - description: "openbao: stage safe raft scale-downs" - - kind: fixed - description: "probe: stabilize openbao workload probes" - - kind: fixed - description: "provisioner: reduce release reconciliation log noise" - kind: fixed description: "provisioner: support external tenant PSS label ownership" - kind: fixed description: "rbac: allow verification pull secret reads" - - kind: fixed - description: "release: grant tag workflow comment permissions" - - kind: fixed - description: "release: remove unsupported tag app scope" - - kind: fixed - description: "release: sign release tags and trim release gates" - kind: fixed description: "restore: harden restore job rendering" - - kind: fixed - description: "rolling: handle retry status conflicts during upgrade resume" - - kind: fixed - description: "security;e2e: verify signed hardened/acme flows in CI/nightly and support digest-safe keyless defaults" - - kind: security - description: "security: fail closed for configured 
trusted roots" - - kind: security - description: "security: harden managed image digests and gateway validation reads" - - kind: security - description: "security: implement image verification LRU cache; docker auth handeling" - - kind: security - description: "security: performance issue image verification by reording cache lookups" - - kind: security - description: "security: remove resolved govulncheck ignores" - - kind: security - description: "security: validate UMASK bounds in bao-wrapper" - - kind: security - description: "security: wrap bundle fallback verification error" - - kind: fixed - description: "sentinel: prevent noisy neighbors and thundering herd behavior" - - kind: fixed - description: "sentinel: rely on uuids instead of timestamps as sentinel triggerid" - - kind: fixed - description: "status: make lifecycle status guidance more actionable" - - kind: fixed - description: "status: mark unsafe admission mode not production-ready" - - kind: fixed - description: "storage: enforce storage class immutability consistently" - kind: fixed description: "storage: retry transient S3 bucket ensure failures" - - kind: fixed - description: "upgrade: clear rolling retry failure state with merge status patch" - - kind: fixed - description: "upgrade: complete SSA ownership migration" - - kind: fixed - description: "upgrade: harden bluegreen and rolling recovery flakes" - - kind: fixed - description: "upgrade: harden OpenBaoCluster upgrade validation, recovery, and documentation" - kind: fixed description: "upgrade: harden rolling upgrade resume" - - kind: fixed - description: "upgrade: improve upgrade manager stability" - - kind: fixed - description: "upgrade: make rolling upgrades deterministic and harden rolling upgrade coverage" - - kind: fixed - description: "upgrade: revert partition update to MergeFrom to fix StatefulSet validation" - - kind: fixed - description: "upgrade: set executor job resource requirements" - - kind: fixed - description: "upgrade: treat 
raft promote already-voter as no-op" - - kind: fixed - description: "upgrade: verify default helper images for hardened clusters" - - kind: fixed - description: "validation: block upgrade strategy switches" - - kind: fixed - description: "vap: require self init requests when self initialization is enabled" - - kind: fixed - description: "vap: stuck Job deletions by allowing GC Job-finalizer updates in lock-managed-resource-mutations VAP" - kind: fixed description: "workload: mount OCI plugin directory" - - kind: changed - description: "release: release 0.1.0" - - kind: changed - description: "release: release 0.1.0-rc.7" - - kind: changed - description: "release: set release target to 0.1.0-rc.1" - - kind: changed - description: "release: set release target to 0.1.0-rc.2" - - kind: changed - description: "release: set release target to 0.1.0-rc.3" - - kind: changed - description: "release: set release target to 0.1.0-rc.4" - - kind: changed - description: "release: set release target to 0.1.0-rc.5" - - kind: changed - description: "trigger release-please for 0.1.0-rc.6" - - kind: changed - description: "config: openbaocluster config renderer" - - kind: changed - description: "controller: openbaocluster refactor; sentinel improvements" - - kind: changed - description: "core: remove Sentinel drift detection (VAP hardening)" - - kind: changed - description: "upgrade: simplify blue/green cutover and split rolling strategy" - - kind: changed - description: "upgrade: upgrade manager; blue/green upgrades" artifacthub.io/images: | - name: openbao-operator - image: ghcr.io/dc-tec/openbao-operator:0.1.0 + image: ghcr.io/dc-tec/openbao-operator:0.3.0 - name: openbao-init - image: ghcr.io/dc-tec/openbao-init:0.1.0 + image: ghcr.io/dc-tec/openbao-init:0.3.0 - name: openbao-backup - image: ghcr.io/dc-tec/openbao-backup:0.1.0 + image: ghcr.io/dc-tec/openbao-backup:0.3.0 - name: openbao-upgrade - image: ghcr.io/dc-tec/openbao-upgrade:0.1.0 + image: 
ghcr.io/dc-tec/openbao-upgrade:0.3.0 artifacthub.io/crds: | - kind: OpenBaoCluster version: v1alpha1