Releasenotes

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project will adhere to Semantic Versioning.

We use towncrier for the generation of our release notes file.

Information about unreleased changes can be found here.

v10.0.6 (2025-09-05)

Bugfixes

  • Running k8s-login in root CA rotation phase 1 works again with a Vault token that only has the yaook/orchestrator policy. (regression introduced in v10.0.0)

    Note

    Action needed

    To activate the fix the Vault orchestrator policy needs to be updated.

    VAULT_TOKEN=$vault_root_token ./managed-k8s/tools/vault/init.sh

    (!2098)

Changes in the Documentation

  • Changelogs of previous releases have been dropped. These are still accessible when switching to the respective version. From now on, changelogs for each version will be maintained separately and not continuously. (!2098)

Misc

v10.0.5 (2025-08-26)

New Features

Bugfixes

Misc

v10.0.4 (2025-08-19)

Changed functionality

v10.0.3 (2025-08-13)

Changed functionality

  • The project has been renamed from YAOOK/K8s to TAROOK. The repository location has been updated to reflect this change. (!1870)

Bugfixes

Other Tasks

v10.0.2 (2025-08-05)

Bugfixes

  • Cluster setup for IPv6-only clusters has been fixed. (!1977)

v10.0.1 (2025-07-31)

Bugfixes

v10.0.0 (2025-07-26)

Breaking changes

  • The VIP port IP address and the gateway port IDs are now added to the ch-k8s-lbaas configuration (./k8s-supplements/ansible/roles/ch-k8s-lbaas-controller/templates/controller-config.toml). This is required because OpenStack security groups, which are needed in OpenStack environments that use OVN, have been re-introduced.

    From now on, ch-k8s-lbaas must know the OpenStack port id for its configuration. The port id is added to the hosts file by Terraform automatically. Terraform therefore has to be triggered once and the ch-k8s-lbaas setup must be updated.

    The migrate-to-release.sh script takes care of all the necessary steps:

    $ bash managed-k8s/actions/migrate-to-release.sh

    Attention

    Note that ch-k8s-lbaas’ config must be updated immediately after Terraform updated the harbour infrastructure in order to not interrupt the cluster’s internet connectivity. Therefore, if you have yk8s.ch-k8s-lbaas.enabled set, make sure the migration script completes both actions in quick succession.

    (!1250)

  • The LCM now supports OVN-based OpenStack environments. This required reintroducing OpenStack security groups and enabling port security on the gateway ports.

    Furthermore, if yk8s.ch-k8s-lbaas.enabled is enabled, yk8s.ch-k8s-lbaas.version must be set to 0.8.0 or higher.

    Hint

    Note that it is recommended to not explicitly pin ch-k8s-lbaas to a specific version because then it is automatically updated once support for a new version has been added.

    There may be connectivity issues with load-balanced services managed by ch-k8s-lbaas from the completion of the Terraform stage until a rollout has fully finished. This is because port security on the gateway ports has been re-enabled, but the ch-k8s-lbaas agents are not yet aware of that. If yk8s.ch-k8s-lbaas.enabled is set to true, it is highly recommended to update its version before the Terraform stage to reduce the impact.

    The migrate-to-release.sh script takes care of all the necessary steps:

    $ bash managed-k8s/actions/migrate-to-release.sh

    A full rollout is recommended but not mandatory:

    $ bash managed-k8s/actions/apply-all.sh

    (!1250)

  • The following legacy options have been removed as they had no effect in recent versions, aren’t documented well and it is currently not intended to support the use cases they once served:

    • yk8s.miscellaneous.docker_insecure_registries

    • yk8s.miscellaneous.container_mirror_default_host

    • yk8s.miscellaneous.configure_mirror_ca

    Mirrors can be configured via yk8s.containerd.mirrors now. (!1613)

  • The option yk8s.miscellaneous.container_mirrors has been removed. Mirrors can be configured via yk8s.containerd.mirrors now. (!1613)

  • A new envrc layout for YAOOK/K8s has been added.

    Attention

    Action required

    Run the migration script to ensure the new layout is used:

    ./managed-k8s/actions/migrate-to-release.sh

    (!1694)

  • The obsolete option yk8s.load-balancing.priorities has been removed. (!1717)

  • The obsolete option yk8s.miscellaneous.wireguard_on_workers has been removed. (!1717)

  • The options to configure a wireguard endpoint directly under yk8s.wireguard have been removed. Please use yk8s.wireguard.endpoints instead. (!1717)

  • The yk8s.ipsec.remote_private_addrs config option expects a list now instead of a non-empty string previously.

    Attention

    Action required

    If you use this option in your config, you must convert its value.

    (!1731)

  • yk8s.k8s-service-layer.vault.s3_config_file defaults to null now. (!1731)

  • The following config options now accept a Nix path instead of a file path string (e.g. "path/file" becomes ./path/file).

    (!1731)

  • The yk8s.miscellaneous.no_proxy config option expects a list now instead of a comma separated list (string) previously.

    Attention

    Action required

    If you use this option in your config, you must convert its value.

    (!1731)

  • The release migration script has been renamed to better reflect its actions. (!1738)

  • Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 66.7.1 to 70.0.2 (!1739)

  • Since we recommend that etc/admin.conf should not be checked into version control, it has been added to the LCM-managed gitignore rules.

    If your automation relies on etc/admin.conf being checked into version control you may override the LCM’s gitignore rules.

    Attention

    Action required

    You must run the migration script to ensure that the cluster repo’s .gitignore is updated.

    ./managed-k8s/actions/migrate-cluster-repo.sh
    # optionally, if you already committed etc/admin.conf
    git rm --cached etc/admin.conf

    (!1787)

  • Running the release migration script now inserts and updates the LCM’s gitignore rules in the cluster repo’s gitignore file. You may override them if needed.

    It is recommended to apply the cluster repo’s gitignore rules to its git index with every major release. The following will remove any committed but gitignored file from version control:

    git ls-files --ignored --cached --exclude-from=.gitignore -z \
      | xargs --no-run-if-empty --null git rm --cached -r

    (!1789)
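    The two entries above (the LCM-managed gitignore rules for etc/admin.conf and the recommendation to re-apply those rules to the git index with every major release) describe a one-shot cleanup. The following script is an added example, not code from the TAROOK project or this changelog: it wraps the same check as a reusable function that reports tracked-but-ignored files (useful as a CI guard against an accidentally committed admin.conf) and, separately, untracks them without touching the work tree. The function and variable names, the CLUSTER_REPO/FIX environment variables, and the use of --exclude-standard (which, unlike --exclude-from=.gitignore, also honours nested .gitignore files and .git/info/exclude) are choices made for this example.

```shell
#!/bin/sh
# Added example; it is not part of the TAROOK project or of this changelog.
# Reports files that git still tracks although the repository's ignore rules
# now match them (for instance an etc/admin.conf committed before the
# LCM-managed gitignore rules were inserted), and optionally untracks them.
# Assumption: the argument is the path to a git work tree (the cluster repo).

# Print tracked-but-ignored paths, one per line.
# Returns 0 when none exist, 1 when at least one was printed, 2 if git failed.
find_tracked_ignored() {
    repo="${1:-.}"
    # --exclude-standard honours every .gitignore in the tree as well as
    # .git/info/exclude and the user's global excludes file.
    listed=$(git -C "$repo" ls-files --ignored --cached --exclude-standard) || return 2
    [ -n "$listed" ] || return 0
    printf '%s\n' "$listed"
    return 1
}

# Remove tracked-but-ignored paths from the index only; the work tree is left
# untouched (same effect as `git rm --cached -r` in the release notes).
# Returns 0 when the index is clean afterwards, 2 if git failed.
untrack_ignored() {
    repo="${1:-.}"
    if listed=$(find_tracked_ignored "$repo"); then
        return 0                      # nothing tracked that should be ignored
    fi
    [ -n "$listed" ] || return 2      # empty output means git itself failed
    printf '%s\n' "$listed" | while IFS= read -r path; do
        git -C "$repo" rm --cached -r -q -- "$path" || exit 2
        printf 'untracked: %s\n' "$path"
    done
}

# Stand-alone use: CLUSTER_REPO=/path/to/cluster-repo sh check-ignored.sh
# (report only; add FIX=1 to also untrack the reported paths).
if [ -n "${CLUSTER_REPO:-}" ]; then
    if [ -n "${FIX:-}" ]; then
        untrack_ignored "$CLUSTER_REPO"
    else
        find_tracked_ignored "$CLUSTER_REPO"
    fi
fi
```

    In report mode the non-zero exit status makes the check usable as a pipeline gate: a cluster repo that still tracks etc/admin.conf fails the job until someone runs the untrack step and commits the index change.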

  • Updated default version of helm chart thanos of https://github.com/bitnami/charts from 15.14.1 to 16.0.2 (!1798)

  • The option yk8s.kubernetes.network.plugin has been removed. Use yk8s.kubernetes.network.calico.enabled instead. (!1836)

  • The option yk8s.terraform.prevent_disruption has been removed. Preventing disruption is now handled by a lock file in the Terraform state directory. (!1841)

  • Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 70.10.0 to 72.0.0 (!1846)

  • Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 72.9.1 to 73.1.0 (!1881)

  • The option yk8s.kubernetes.apiserver.audit_logs.custom_policy has been removed. Use yk8s.kubernetes.apiserver.audit_logs.policy instead. (!1896)

  • Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 9.8.0 to 11.0.0 (!1903)

  • Updated default version of helm chart thanos of https://github.com/bitnami/charts from 16.0.7 to 17.2.0 (!1908)

New Features

Changed functionality

Bugfixes

  • Helm invocations have been decoupled from the local Helm state. (!644, !1894)

  • The version selection dropup in the documentation’s sidebar is now properly positioned above the search bar and entries do not expand off-screen anymore. (!1776)

  • We fixed a bug where the yk8s.k8s-service-layer.rook.scheduling_key wasn’t properly used for nodeAffinity. (!1796)

  • The priorityClassName system-node-critical is now applied to the csi-cinder-plugin again to prevent its Pods from getting evicted. (!1824)

  • The mutual exclusiveness of the config options yk8s.kubernetes.is_gpu_cluster and yk8s.kubernetes.virtualize_gpu is now enforced. (!1887)

  • A bug in wg-up.sh has been fixed that caused wg_private_key_command to fail if it contained environment variables. See VPN Configuration for an example on how to use it with pass. (!1899)

  • The nopreempt setting of keepalived for the VRRP instances has been fixed by setting the initial states to BACKUP. (!1916)

  • OpenStack security groups to allow VRRP traffic have been added. (!1916)

Changes in the Documentation

  • A note has been added which clarifies that a ready-to-use container runtime is needed if one wants to make use of the development Vault setup. (!1777)

  • The documentation about expected minimal changes to the environment has been improved. (!1777)

  • Releases in the sidebar are now sorted such that the recent versions appear on top. (!1778)

  • A part of documentation that is specific to the config options in yk8s.terraform has been moved back from yk8s.openstack. The documentation of both config sections received minor corrections. (!1795)

  • Any config option in the documentation is now mentioned with its fully qualified name in Nix dot notation. Additionally, those mentions link directly to the description of the particular config option.

    A few previously renamed or replaced config options were fixed as well. (!1801)

  • All mentions of the legacy TOML based configuration were removed as it has been replaced with Nix since release v9.0.0. (!1801)

  • !1905, !1907, !1920

  • Corrected the docs for yk8s.k8s-service-layer.etcd-backup, which previously stated to use endpoint_cacrt, but now correctly states to use certRef. (!1918)

  • The guide on how to rotate OpenStack credentials has been updated. (!1928)

  • The root of our documentation now redirects to ./devel using HTTP redirect instead of HTML meta refresh. (!1940)

  • The description of migrate-to-release.sh has been updated. (!1958, !1960)

Deprecations and Removals

  • The yk8s.k8s-service-layer.prometheus.thanos_objectstorage_config_path config option is removed. Please use yk8s.k8s-service-layer.prometheus.thanos_objectstorage_config_file instead. (!1731)

  • The yk8s.node-scheduling.scheduling_key_prefix config option is deprecated. Please substitute it with a let expression (see example below).

    - config.yk8s.node-scheduling = {
    -   scheduling_key_prefix = "foo.example.com";
    -   labels = {
    -     node-a = ["${config.yk8s.node-scheduling.scheduling_key_prefix}/label=value"];
    -   };
    - };
    + config.yk8s.node-scheduling = let
    +   scheduling_key_prefix = "foo.example.com";
    + in {
    +   labels = {
    +     node-a = ["${scheduling_key_prefix}/label=value"];
    +   };
    + };

    (!1731)

  • Support for Kubernetes v1.29 has been dropped. (!1890)

  • The feature to manage IPSec tunnels (yk8s.ipsec) is deprecated and support for it will be dropped in a release after v11.0.0. (!1950)

Other Tasks

Misc