Releasenotes
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project will adhere to Semantic Versioning.
We use towncrier for the generation of our release notes file.
Information about unreleased changes can be found here.
General information about release upgrades is documented at How to Upgrade to a new TAROOK release.
v13.0.0 (2026-04-21)
Breaking changes
Common names for certificates issued by HashiCorp Vault are now prevented from being treated as domain names during validation.
This change requires a Vault policy update (backwards-compatible).
Attention
Action required
VAULT_TOKEN=${vault_root_token:?} ./managed-k8s/tools/vault/init.sh
(!2254)
The KUBECONFIG variable is now set by our direnv layout “yaook-k8s”. The migration script will remove our previous default from your .envrc. If you’ve customized the definition, it won’t be touched. (!2274)
For development setups with a local Vault container, the Vault certificates must be removed and regenerated as newer Ansible versions enforce the usage of a key extension which was not included in the Vault development setup until now.
The only clean way to achieve that is to set up a completely new cluster repository for your development setup. (!2289)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 78.5.0 to 82.0.0 (!2301)
Updated default version of helm chart etcdbackup from 1.4.1 to 2.0.0 (!2407)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 82.15.0 to 83.0.0 (!2419)
New Features
Options for flexible kubelet configuration have been added. These options can be applied at various levels of granularity:
For all nodes: yk8s.kubernetes.kubelet.defaultOptions
For worker nodes only: yk8s.kubernetes.kubelet.workerOptions
For master nodes only: yk8s.kubernetes.kubelet.masterOptions
For specific nodes: yk8s.kubernetes.kubelet.nodeOptions
(!1910)
Retries have been added to Kubernetes API calls to further improve resilience. (!2289)
Changed functionality
The nixpkgs.url has been changed from 25.05 to 25.11. (!2289)
Kubelets are now configured such that up to three images are pulled in parallel by default. (!2289)
The Ansible plays have been made compatible with Ansible 12. (!2289, !2448)
Updated default version of helm chart tigera-operator of https://github.com/projectcalico/calico from v3.30.6 to v3.31.4 (!2307)
Updated default version of helm chart ingress-nginx of https://github.com/kubernetes/ingress-nginx from 4.14.5 to 4.15.1 (!2333)
Updated default version of helm chart cert-manager of https://github.com/cert-manager/cert-manager from v1.19.4 to v1.20.0 (!2334)
Nodes that were already cordoned before a rollout are no longer automatically uncordoned on system or Kubernetes upgrades. (!2362)
Updated default version of helm chart vault of https://helm.releases.hashicorp.com from 0.23.0 to 0.25.0. This results in an upgrade of HashiCorp Vault from 1.12.1 to 1.14.0.
Attention
Action required
Rolling out the new Helm chart version only updates the vault StatefulSet, but not the replica Pods. Refer to Upgrading Hashicorp Vault for the additional steps necessary.
(!2363)
Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 11.8.0 to 11.9.0 (!2387)
Updated default version of helm chart etcdbackup from 1.4.0 to 1.4.1 (!2388)
The kube-prometheus-stack Helm chart’s automatic CRD upgrade job option has been enabled. It is now enforced that yk8s.k8s-service-layer.prometheus.prometheus_stack_version is set to at least 68.4.0. (!2392)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 82.0.0 to 82.13.0 (!2393)
For clusters running on OpenStack, the VolumeSnapshotClass csi-cinder-snapclass has been adapted such that snapshots of attached (in-use) Cinder volumes are allowed. It is still highly recommended to snapshot detached volumes only, as snapshots of attached volumes are not guaranteed to be application-consistent. (!2394)
Updated default version of helm chart rook-ceph of https://github.com/rook/rook from v1.18.9 to v1.18.10 (!2403)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 82.13.0 to 82.15.0 (!2408)
Updated default version of helm chart cert-manager of https://github.com/cert-manager/cert-manager from v1.20.0 to v1.20.1 (!2409)
Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 11.9.0 to 11.9.1 (!2412)
Updated default version of helm chart etcdbackup from 2.0.0 to 2.0.1 (!2415)
The helm diff plugin has been added to the default devShell. (!2420)
Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 83.0.0 to 83.4.0 (!2426)
Updated default version of helm chart etcdbackup from 2.0.1 to 2.0.2 (!2430)
Updated default version of helm chart cert-manager of https://github.com/cert-manager/cert-manager from v1.20.1 to v1.20.2 (!2435)
Updated default version of helm chart tigera-operator of https://github.com/projectcalico/calico from v3.31.4 to v3.31.5 (!2436)
Bugfixes
An off-by-one error in the kube-prometheus-stack upgrade procedure has been fixed. (!2289)
A bug has been fixed in the Root Certificate Authority Rotation, which caused it to fail in phase 1 if yk8s.kubernetes.controller_manager.enable_signing_requests is enabled. (!2289)
A bug has been fixed where, when running a Kubernetes upgrade, the maximum pod limit for control plane nodes was temporarily reset to 110. (!2325)
The value of yk8s.wireguard.endpoints.*.port is now enforced to be unique across all WireGuard endpoints. (!2364)
Fixed a bug that prevented the cleanup of IPSec when yk8s.ipsec.enabled was set to false. (!2378)
Added missing IPSec cleanup tasks. (!2378)
Changes in the Documentation
Added a guide to setting up automatic Vault backups, see Automatic backups of HashiCorp Vault. (!2363)