Release notes

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project will adhere to Semantic Versioning.

We use towncrier for the generation of our release notes file.

Information about unreleased changes can be found here.

v9.0.14 (2025-09-05)

Bugfixes

  • A bug in the migration script resulting in infinite recursion has been fixed (!2093)

  • k8s-login, when run in root CA rotation phase 1, works again with a Vault token that only has the yaook/orchestrator policy. (regression of v9.0.11)

    Note

    Action needed

    To activate the fix the Vault orchestrator policy needs to be updated.

    VAULT_TOKEN=$vault_root_token ./managed-k8s/tools/vault/init.sh
    

    (!2093)

Changes in the Documentation

  • Changelogs of previous releases have been dropped. These are still accessible when switching to the respective version. From now on, changelogs for each version will be maintained separately and not continuously. (!2093)

Misc

v9.0.13 (2025-08-19)

Changed functionality

v9.0.12 (2025-08-13)

Changed functionality

  • The project has been renamed from YAOOK/K8s to TAROOK. The repository location has been updated to reflect this change. (!2001)

Other Tasks

v9.0.11 (2025-07-16)

Bugfixes

  • The CA rotation procedure has been fixed once again, including force-renewal of the certificates and kubeconfig on Kubernetes nodes and of k8s-login for the orchestrator’s kubeconfig. (!1935)

v9.0.10 (2025-05-07)

Changed functionality

v9.0.9 (2025-05-05)

Bugfixes

v9.0.8 (2025-04-15)

Bugfixes

  • A minor bug in the monitoring playbook has been fixed that caused it to fail if no CRD update was needed. (!1781)

v9.0.7 (2025-03-27)

Bugfixes

v9.0.6 (2025-03-27)

Attention

This release introduced two minor regressions:

The connect-k8s-to-openstack Ansible role fails if yk8s.miscellaneous.openstack_cinder_volume_type is unset.

Likewise, the monitoring_v2 Ansible role fails if yk8s.k8s-service-layer.prometheus.remote_writes.*.basic_auth_secret_name is unset.

These regressions are fixed with release v9.0.9.

Bugfixes

Changes in the Documentation

v9.0.5 (2025-03-25)

Bugfixes

  • Fix IP address autodetection in Calico when used with VRRP on the hosts

    If keepalived was installed on a host, Calico would sometimes incorrectly pick the VRRP address as node address. While generally harmless, this could cause calico-node to break during/after VRRP failovers because it would then see the VRRP address on a different node all of a sudden, leading to a node IP address conflict. (!1753)

v9.0.4 (2025-03-25)

Bugfixes

  • Due to a vulnerability in the ingress-nginx admission controller, ingress-nginx has been updated. (!1761)

v9.0.3 (2025-03-07)

Bugfixes

v9.0.2 (2025-03-04)

Bugfixes

  • The type of the yk8s.rook.nodes.devices config option was fixed. (regression of release v9.0.0) (!1725)

v9.0.1 (2025-02-19)

Bugfixes

  • A bug has been fixed that made the inventory updater erroneously output “error: Neither IPv4 nor IPv6 are enabled.” to users with a broken locale setup and swallowed any error output related to that. (!1677)

  • An envrc function has been added to address common locale issues on non-NixOS systems. (!1679)

  • A bug has been fixed that caused k8s-supplements to fail if yk8s.miscellaneous.openstack_cinder_volume_type was not set. (!1688)

  • pre-commit has been added back to the default group. (!1693)

  • The default value of yk8s.k8s-service-layer.prometheus.scheduling_key for thanos_v2 has been fixed. (!1693)

  • A bug regarding the renaming of pod_limit to pod_limit_worker has been fixed. (!1693)

Changes in the Documentation

  • Instructions on how to install system requirements have been refined. We additionally explain how to install on Ubuntu 24.04 from Ubuntu repositories now. (!1689)

Other Tasks

v9.0.0 (2025-02-14)

Breaking changes

  • The configuration has been reworked and is now based on Nix, which makes Nix a hard dependency.

    All configuration options are documented at Configuration Options.

    The cluster repository layout has changed:

    your_cluster_repo
    ├── config/                           # All user configuration now resides in this directory
    │   ├── default.nix                   # Nix-based cluster configuration
    │   └── hosts                         # Manual Ansible hosts file for bare-metal, referenced in default.nix
    ├── inventory/yaook-k8s/              # Ansible inventory is now completely generated and MAY be excluded from version control
    │   ├── group-vars/                   # Variables passed to Ansible
    │   └── hosts                         # Ansible hosts file, generated from config even for bare-metal
    ├── state/                            # Auto-generated files that need to be preserved. MUST be checked into version control
    │   ├── wireguard/
    │   │   └── ipam.toml                 # WireGuard IP address management
    │   ├── terraform/                    # Terraform specific state files
    ┊   ┊
    

    Attention

    Action required

    Ensure you’ve installed and configured Nix according to Install System Requirements

    Attention

    Action required

    In order to migrate to the new cluster repository layout, run

    $ ./managed-k8s/actions/migrate-cluster-repo.sh
    

    The first run may fail, because manual adjustments to the config are required. These cases require manual action:

    • Jinja templates in values need to be replaced with the equivalent Nix expressions

    • Options that no longer exist need to be removed

    • Custom config options you may have added must be moved to the custom section

    The migration script will point out these cases.

    (!1265)

  • The following Terraform resources are deprecated and have been updated:

    • openstack_compute_floatingip_associate_v2 replaced by openstack_networking_floatingip_associate_v2

      Attention

      Action required

      For the replacement to be performed correctly (and therefore non-disruptively), you must run the migration script before any apply-terraform action.

      ./managed-k8s/actions/migrate-cluster-repo.sh
      

    (!1562, !1667)

  • The Vault S3 backup configuration file moved to Vault.

    Attention

    You must update the Vault policies.

    Note

    A root token must be sourced.

    $ bash managed-k8s/tools/vault/init.sh
    

    If yk8s.k8s-service-layer.vault.enabled is true and yk8s.k8s-service-layer.vault.enable_backups is true, you additionally have to import the S3 backup config to Vault.

    Inserting the Vault S3 backup config into Vault can be automated by storing the configuration at config/vault_backup_s3_config.yaml. Please check the documentation on HashiCorp Vault how to create a configuration.

    Note

    A root token must be sourced.

    $ bash managed-k8s/tools/vault/update.sh
    $ bash managed-k8s/actions/apply-k8s-supplements.sh install-vault.yaml
    

    (!1616)

  • The .gitignore-template has been changed and starting with this release, it is highly recommended that inventory/ is ignored and not checked into version control.

    Attention

    Action required

    You must run the migration script to ensure your .gitignore contains the necessary entries and inventory/ is removed from version control:

    ./managed-k8s/actions/migrate-cluster-repo.sh
    

    (!1653)

New Features

  • Automatic evaluation of the devShell can now be disabled by setting YAOOK_K8S_DIRENV_MANUAL=true in .config/yaook-k8s/env or .envrc.local (!1323)

  • The default version of rook has been bumped to v1.15.4. (!1453)

  • Add multicluster support for grafana dashboards (!1483)

  • Add support for basic auth in Prometheus remote write (!1484)

  • The LCM continuously ensures that all Kubernetes control plane and worker nodes are labeled with node-role.kubernetes.io/control-plane= xor node-role.kubernetes.io/worker= respectively.

    This is part of the concept of LCM managed labels which is introduced at the same time. Refer to the documentation for details.

    Amongst other things, this allows monitoring and alerting solutions to reliably target nodes by their role. For instance, the monitoring stack that can optionally be installed with YAOOK/k8s exposes the kube_node_role metric.

    (!1587)

  • Kubernetes node labels and taints are now applied on LCM rollout instead of on node join. This allows additions and changes of node labels and taints through the config after the respective node has joined the cluster. Removal is still unsupported.

    related documentation: Scheduling (Taints and Labels) (!1597)

  • A script has been added which can be used to create new CSRs for clusters using intermediate CAs. A procedure description has been added to the documentation: Importing new Intermediates. (!1599)

  • Add support for specifying the maximum number of pods allowed to be scheduled on master nodes (maxPods). The former configuration option pod_limit only allowed modifying maxPods for worker nodes. We now support setting maxPods for both master nodes and worker nodes by introducing two separate configuration options: yk8s.kubernetes.kubelet.pod_limit_master and yk8s.kubernetes.kubelet.pod_limit_worker (!1606)

  • A new option has been added which allows configuring a specific volume type for the csi-sc-cinderplugin StorageClass: yk8s.miscellaneous.openstack_cinder_volume_type. (!1617)

Changed functionality

  • The Prometheus integration with Vault has been updated to use a long-lived periodic token.

    To activate this change, the Vault policy must be updated.

    Follow these steps:

    • Retrieve the root token from the Vault instance running within Kubernetes.

    • Write the root token to the file etc/vault_root_token in the cluster repository.

    • Execute the following command to complete the process:

    ./managed-k8s/actions/apply-k8s-supplements.sh install-vault.yaml
    

    (!1456)

  • Most options from the terraform configuration section have moved into one of two new sections, either openstack for OpenStack specific options or infra for options used by all clusters. Have a look at the deprecation warnings during Nix evaluation. (!1466)

  • vault.cluster_name now defaults to infra.cluster_name (!1466)

  • Cloud&Heat specific defaults have been removed from the Terraform module. (!1504)

  • Depending on the IP version enabled, node address autodetection is explicitly set to {}. (!1529)

  • Additional testing in the CI pipeline has been added that verifies that Kubernetes certificate signing is functional. (!1543)

  • The default blackbox-exporter version has been bumped to v9.1.0. (!1575)

  • The default version of the Prometheus stack has been bumped to v66.2.2. (!1575)

  • The default version of Prometheus adapter has been bumped to v4.11.0. (!1575)

  • The default Thanos version has been bumped to v15.8.2. (!1575)

  • The Kubernetes upgrade procedure has been adjusted such that the system update happens after switching to the next Kubernetes repository. (!1586)

  • The Prometheus node exporter metrics now additionally contain a role label which reflects the Kubernetes role of the node. Depending on whether a node is labeled with node-role.kubernetes.io/worker or node-role.kubernetes.io/control-plane, the value is either worker or control-plane. (!1596)
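    As an added example (not part of these release notes or the TAROOK code base), the following script checks the "exactly one role label" invariant described for LCM managed labels above and derives the same worker/control-plane value the node exporter's role label reports. It consumes a node list in the shape of kubectl get nodes -o json; the embedded node list is constructed, and the function names are this example's own.

    ```python
    import json

    CONTROL_PLANE = "node-role.kubernetes.io/control-plane"
    WORKER = "node-role.kubernetes.io/worker"

    # Constructed sample in the shape of `kubectl get nodes -o json` (not real cluster output).
    # worker-1 carries both labels and worker-2 carries none: both violate the XOR invariant.
    SAMPLE_NODE_LIST = json.dumps({
        "items": [
            {"metadata": {"name": "cp-0", "labels": {CONTROL_PLANE: ""}}},
            {"metadata": {"name": "worker-0", "labels": {WORKER: ""}}},
            {"metadata": {"name": "worker-1", "labels": {WORKER: "", CONTROL_PLANE: ""}}},
            {"metadata": {"name": "worker-2", "labels": {}}},
        ]
    })


    def node_role(labels):
        """Return 'control-plane' or 'worker', or None if the labels do not encode exactly one role."""
        has_cp = CONTROL_PLANE in labels
        has_worker = WORKER in labels
        if has_cp == has_worker:  # both present or both absent: XOR invariant violated
            return None
        return "control-plane" if has_cp else "worker"


    def check_node_roles(node_list_json):
        """Map each node name to its role; collect names of nodes that break the XOR rule."""
        roles, violations = {}, []
        for item in json.loads(node_list_json)["items"]:
            name = item["metadata"]["name"]
            role = node_role(item["metadata"].get("labels") or {})
            if role is None:
                violations.append(name)
            else:
                roles[name] = role
        return roles, violations


    if __name__ == "__main__":
        roles, violations = check_node_roles(SAMPLE_NODE_LIST)
        for name, role in sorted(roles.items()):
            print(f"{name}: role={role}")
        for name in violations:
            print(f"{name}: expected exactly one of {CONTROL_PLANE}= / {WORKER}=")
    ```

    Nodes listed as violations are exactly those that role-based alerting and scheduling rules would either miss or match twice.
    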

  • The Nix binary cache has been moved to a new location. Please remove all occurrences of “tarook.cachix.org” and, if desired, configure

    extra-substituters = https://nix-cache.tarook.cloud
    extra-trusted-public-keys = nix-cache.tarook.cloud-2:2X2yPTrpwmakhSgS83FVB2fKkG6IzfOJ1AGIIcvNyM0=
    

    in /etc/nix/nix.conf. Then do systemctl restart nix-daemon.service for the change to take effect immediately. (!1600)

  • The default Kubernetes version and the internally used ones have been bumped to their latest patch releases. (!1607)

Bugfixes

  • Marked the following immutable config settings as such:

    • k8s-service-layer.prometheus.thanos_storegateway_size

    • k8s-service-layer.prometheus.thanos_compactor_size

    • k8s-service-layer.rook.mon_volume_storage_class

    • k8s-service-layer.rook.mon_volume_size

    • k8s-service-layer.rook.osd_volume_size

    • k8s-service-layer.rook.osd_storage_class

    A manual workaround to change these settings nonetheless is outlined in the respective documentation. (!1498)

  • Fixed Ansible to never assume any host in the gateways host group. (!1503)

  • The proxy-support role has been fixed. A missing template has been re-added. (!1528)

  • The type of k8s-service-layer.prometheus.remote_writes has been fixed. (!1541)

  • The regex for the option type that handles memory and volume sizes has been fixed to allow fractional values. (!1544)

  • Thanos compactor is now restarted on failure. Previously it just stopped operation but never exited (see issue #724). (!1592)

  • The YAOOK/K8s Terraform module does not fail anymore if there are multiple Openstack images with the same name but simply selects the most recent one. (!1598)

  • A bug has been fixed which caused Kubernetes upgrades to fail if yk8s.kubernetes.controller_manager.enable_signing_requests is enabled. (!1608, !1675)

  • A bug has been fixed that made the nix-fmt pre-commit check always fail. (!1614)

Changes in the Documentation

  • direnv has been marked as a requirement (!1512)

  • A jq command was fixed in the Openstack credentials rotation guide. (!1555)

  • Unused variables were removed, and Vault documentation has been updated to eliminate outdated path references. (!1557)

  • The exact format of the wg_conf_name environment variable is mentioned in the documentation. (!1579)

  • A short description about tools/vault/rotate-root-ca-intermediate.sh and tools/vault/rotate-root-ca-root.sh has been added. (!1599)

  • A short description about tools/vault/update.sh has been added. (!1599)

  • A user facing tutorial has been created, which describes how to upgrade to a new YAOOK/K8s release. (!1602, !1660)

  • The Terraform developer reference documentation has been dropped in favor of yk8s.terraform. (!1611)

  • Some typos have been fixed (!1615)

  • Minor fixes in the docs. (!1642)

Deprecations and Removals

  • YAOOK/K8s switched from Poetry to Nix for managing Python dependencies. Please remove all occurrences of layout poetry in your .envrc (!1570)

  • Support for Kubernetes v1.28 has been dropped and along with it the deprecated manifest-based way to deploy the CCM and the cinder CSI plugin. (!1622)

Other Tasks

Misc