Releasenotes
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project will adhere to Semantic Versioning.
We use towncrier for the generation of our release notes file.
Information about unreleased changes can be found here.
General information about release upgrades is documented at How to Upgrade to a new TAROOK release.
v11.0.1 (2025-10-21)
Bugfixes
A bug in the migration script has been fixed (!2175)
v11.0.0 (2025-10-17)
Breaking changes
Updated default version of helm chart prometheus-adapter of https://github.com/prometheus-community/helm-charts from 4.14.2 to 5.0.0 (!1997)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 73.2.3 to 77.0.0 (!2058)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.12.0 to 78.2.1 (!2156)
New Features
Ansible hosts can now be defined and referenced via Nix. See yk8s.infra.ansible_hosts. (!1250)
The helm chart for etcd-backup can now be configured with arbitrary values through yk8s.k8s-service-layer.etcd-backup.helm.values. (!1569)
The helm chart url, name and version can now be configured for the nvidia device plugin through yk8s.nvidia.device_plugin.helm. (!1784)
The helm chart for the Nvidia device plugin can now be configured with arbitrary values through yk8s.nvidia.device_plugin.helm.values. (!1784)
The helm chart for ingress-nginx can now be configured with arbitrary values through yk8s.k8s-service-layer.ingress.helm.values. (!1810)
An option to disable SNAT’ing for ch-k8s-lbaas has been added: yk8s.ch-k8s-lbaas.enable_snat. (!1943)
Warning
Be aware that disabling SNAT’ing potentially has performance implications.
If you are coming directly from a previous release and want to disable SNAT’ing right away without having done a full rollout yet, you have to adjust the gateway nodes first. In that case, roll out the necessary changes with:
$ ./managed-k8s/actions/apply-prepare-gw.sh
$ ./managed-k8s/actions/apply-k8s-supplements.sh install-ch-k8s-lbaas.yaml
If you already did a rollout with the current release, it’s sufficient to do:
$ ./managed-k8s/actions/apply-k8s-supplements.sh install-ch-k8s-lbaas.yaml
The functionality of yk8s.kubernetes.apiserver.audit_logs.enabled has been refined such that the settings already take effect on cluster initialization, and modifications to the settings are applied on normal rollouts, not only during Kubernetes upgrades. The settings are now also reflected in the kube-system/kubeadm-config ConfigMap in the cluster, which ensures freshly provisioned control-plane nodes have the setting right away. (!1956)
Changed functionality
Updated default version of helm chart flux2 of https://github.com/fluxcd-community/helm-charts from 2.9.2 to 2.15.0 (!1698)
Warning
This upgrades the Flux controllers from app version 2.0.1 to 2.5.1. You potentially have to adjust your deployed custom resources. Check the changelog for API adjustments:
You can upgrade in finer-grained steps by setting the desired version via yk8s.k8s-service-layer.fluxcd.version.
Further information can be found in the Flux releases documentation.
Updated default version of helm chart rook-ceph of https://github.com/rook/rook from v1.16.6 to v1.17.8 (!1816)
Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 11.3.0 to 11.3.1 (!2061)
Updated default version of helm chart ingress-nginx of https://github.com/kubernetes/ingress-nginx from 4.13.1 to 4.13.2 (!2070)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.0.0 to 77.2.0 (!2081)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.2.0 to 77.3.0 (!2087)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.3.0 to 77.8.0 (!2117)
The peering mechanism of keepalived has been changed from explicit unicast back to multicast. (!2118)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.8.0 to 77.9.1 (!2119)
The bucket management tasks have been dropped for yk8s.k8s-service-layer.etcd-backup. It is now the user’s responsibility to ensure the bucket exists. Documentation has been updated accordingly. Existing buckets are not touched. (!2120)
Updated default version of helm chart dcgm-exporter of https://github.com/nvidia/dcgm-exporter from 4.5.0 to 4.5.2 (!2121)
Unattended upgrades are enabled on gateways now. (!2126)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.9.1 to 77.11.0 (!2133)
Updated default version of helm chart prometheus-adapter of https://github.com/prometheus-community/helm-charts from 5.0.0 to 5.1.0 (!2138)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.11.0 to 77.11.1 (!2140)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.11.1 to 77.12.0 (!2141)
Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 11.3.1 to 11.4.0 (!2154)
Updated default version of helm chart ingress-nginx of https://github.com/kubernetes/ingress-nginx from 4.13.2 to 4.13.3 (!2158)
Updated default version of helm chart etcdbackup from 0.20250724.0 to 0.20250918.0 (!2160)
Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 11.4.0 to 11.4.1 (!2163)
Updated default version of helm chart cert-manager of https://github.com/cert-manager/cert-manager from v1.18.2 to v1.18.3 (!2166)
Bugfixes
The type of yk8s.kubernetes.apiserver.audit_logs.policy has been changed such that individual values can be overwritten. (!1956)
A bug has been fixed which prevented deploying rook-ceph in a namespace other than the default: yk8s.k8s-service-layer.rook.namespace. (!1998)
Ansible and Helm no longer try to use user-wide (cache) directories. (!2051)
Darwin as well as Linux on aarch64 are not supported by Tarook. Thus, they have been removed from the list of supported systems. (!2067)
Fixed the vault_v1 Ansible role to deploy the vault-backup ServiceMonitor only when monitoring is enabled via yk8s.kubernetes.monitoring.enabled. (!2069)
Adjust review link to new url (!2085)
Fixed an issue where regex validation of IP patterns did not work on macOS hosts. (!2104)
Deploying Vault on Kubernetes through yk8s.k8s-service-layer.vault requires cert-manager which is now documented and enforced at config evaluation. (!2114)
Fixed a bug which prevented etcd-backup from being deployed in a modified namespace: yk8s.k8s-service-layer.etcd-backup.helm.release_namespace. (!2122)
The .gitignore file of the cluster repository now includes the ‘managed by yk8s’ markers from cluster repo initialization already, not just after the first release migration. (!2131)
SSH host certificates are now always generated using the yaook/nodes Vault approle. Previously, the orchestrator’s credentials were used when USE_VAULT_IN_DOCKER=true (see Developing with Vault) was set, which prevented the use of unprivileged Vault tokens. (!2132)
Changes in the Documentation
A note that nix (Nix) >= 2.9.0 is required has been added to Initialization. (!2063)
Documentation generation is restricted to the latest five major versions from now on. (!2102)
Merged the tutorials into the guides section (!2130)
Deprecations and Removals
Importing an existing hosts file via yk8s.infra.hosts_file is deprecated. Hosts can be defined directly via Nix now. The option hosts_file will be removed at some point in the future. If you want to keep providing your own hosts file after that, convert it to YAML format (see https://docs.ansible.com/ansible/latest/inventory_guide/intro_inventory.html ) and import it like this:
ansible_hosts = yk8s-libs.importYAML ./hosts;
(!1250)