Releasenotes

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project will adhere to Semantic Versioning.

We use towncrier for the generation of our release notes file.

Information about unreleased changes can be found here.

General information about release upgrades are documented at How to Upgrade to a new TAROOK release.

v12.0.0 (2026-02-12)

Breaking changes

• The deprecated option infra.hosts_file has been removed. Use yk8s.infra.ansible_hosts instead. (!1840)

• update-inventory.sh now differentiates between multiple targets. If you directly use update-inventory.sh in your automation, you must adapt your scripts. Run

  $ ./managed-k8s/actions/update-inventory.sh help
  

  for details. (!1840)

• Vault policies must be updated for existing Vault instances which serve as backend for clusters. A Vault root token is required to do so.

  VAULT_TOKEN=$vault_root_token ./managed-k8s/actions/migrate-to-release.sh
  

  . (!2123)

• Updated default version of helm chart etcdbackup from 0.20251127.0 to 1.0.0 (!2255)

New Features

• The helm chart for cert-manager can now be configured with arbitrary values through yk8s.k8s-service-layer.cert-manager.helm.values. (!1807)

• It is now possible to add custom hooks for pre-drain and post-uncordon roles via yk8s.hooks. (!1927)

• The shared secret for ch-k8s-lbaas is now auto-generated and handled via Vault. Previously, the user was expected to manually generate and configure it in yk8s.ch-k8s-lbaas.shared_secret. (!2123)

• It is now checked that a Kubernetes control-plane node fulfills kubeadm’s minimal CPU and memory requirements during node bootstrapping: at least 2 CPUs and 1700MB memory per node. (!2134)

• Support for Kubernetes v1.34 has been added. (!2201)

• The preparation of Kubernetes nodes can now be separately triggered via

  $ bash managed-k8s/actions/apply-k8s-core.sh prepare-k8s-nodes.yaml
  

  . (!2245)

• An option to manage the containerd version on Kubernetes nodes has been introduced: yk8s.containerd.version.

  Previously, the latest available version has been installed which caused issues. (!2245)

Changed functionality

• Updated default version of helm chart rook-ceph of https://github.com/rook/rook from v1.17.8 to v1.18.5 (!2077)

• It is now ensured that all components of ch-k8s-lbaas are deconfigured and absent if the option yk8s.ch-k8s-lbaas.enabled is false. (!2123)

• Updated default version of helm chart cert-manager of https://github.com/cert-manager/cert-manager from v1.18.3 to v1.19.1 (!2150)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 78.2.1 to 78.3.0 (!2167)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 78.3.0 to 78.3.2 (!2171)

• Updated default version of helm chart dcgm-exporter of https://github.com/nvidia/dcgm-exporter from 4.5.2 to 4.6.0 (!2172)

• Updated default version of helm chart nvidia-device-plugin of https://github.com/NVIDIA/k8s-device-plugin from 0.17.4 to 0.18.0 (!2176)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 78.3.2 to 78.4.0 (!2177)

• Updated default version of helm chart etcdbackup from 0.20250918.0 to 0.20251023.0 (!2181)

• Updated default version of helm chart prometheus-adapter of https://github.com/prometheus-community/helm-charts from 5.1.0 to 5.2.0 (!2182)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 78.4.0 to 78.5.0 (!2184)

• Updated default version of helm chart rook-ceph of https://github.com/rook/rook from v1.18.5 to v1.18.6 (!2189)

• Updated default version of helm chart ingress-nginx of https://github.com/kubernetes/ingress-nginx from 4.13.3 to 4.13.6 (!2194)

• Updated default version of helm chart etcdbackup from 0.20251023.0 to 0.20251127.0 (!2218)

• Tasks have been added which set net.netfilter.nf_conntrack_buckets to 65536 and net.netfilter.nf_conntrack_max to 262144 on frontend nodes (see #837). (!2221, !2267)

• Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 11.4.1 to 11.6.0 (!2222)

• Updated default version of helm chart cert-manager of https://github.com/cert-manager/cert-manager from v1.19.1 to v1.19.2 (!2226)

• The script to verify Kubernetes supplements has been renamed to verify-10-supplements-health.sh.

  An additional script to verify the healthiness of the Kubernetes API has been introduced: verify-00-kubernetes-api.sh.

  It is now checked that the Kubernetes API is healthy after configuring the control plane nodes. (!2251)

• The restart of containers of control plane components after e.g. certificate renewal has been improved. (!2251)

• The autogeneration header has been removed from Wireguard client templates. (!2259)

• Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 11.6.0 to 11.6.1 (!2264)

• Updated default version of helm chart flux2 of https://github.com/fluxcd-community/helm-charts from 2.15.0 to 2.16.4

  Note

  Please note that upgrading the flux2 chart to >=v2.17.0 requires patching the CRDs in advance, which is not automated, yet.

  . (!2276)

• Updated default version of helm chart cert-manager of https://github.com/cert-manager/cert-manager from v1.19.2 to v1.19.3 (!2278)

• Updated default version of helm chart ingress-nginx of https://github.com/kubernetes/ingress-nginx from 4.13.6 to 4.13.7 (!2280)

• In the vault-backup deployment, the version of yaook/backup-shifter has been bumped to 1.0.329 and the version of yaook/backup-creator has been pinned to 2.0.179. This makes it possible to scrape backup metrics via IPv6. (!2282)

Bugfixes

• Bug #846 was fixed which caused values to be mangled when the same option was set in multiple places. (!2243)

• The Kubernetes initialization state is now taken into account when updating frontend nodes. (!2245)

Changes in the Documentation

• The suggestion to install the helm diff plugin has been added. (!2162)

• !2170, !2219

• Adjusted the description of yk8s.k8s-service-layer.rook.nmgrs. (!2231)

Deprecations and Removals

• The option yk8s.ch-k8s-lbaas.shared_secret has been marked as deprecated. The secret is handled via Vault from now on and if the option is set, the option’s value is automatically moved to Vault on a rollout. Once a rollout has been done, the option should be unset as it is going to be removed in a future release. (!2123)

• Support for Kubernetes v1.31 has been dropped. (!2251)

Other Tasks

• !2169, !2173, !2185, !2186, !2197, !2198, !2200, !2202, !2205, !2227, !2229, !2256, !2268, !2276, !2279, !2284, !2295

Misc

• !1031, !2090, !2161, !2233, !2261