Releasenotes

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project will adhere to Semantic Versioning.

We use towncrier for the generation of our release notes file.

Information about unreleased changes can be found here.

v9.1.16 (2025-09-05)

Bugfixes

• k8s-login run in root CA rotation phase 1 works again with a Vault token only having the yaook/orchestrator policy. (regression of v9.1.10)

  Note

  Action needed

  To activate the fix the Vault orchestrator policy needs to be updated.

  VAULT_TOKEN=$vault_root_token ./managed-k8s/tools/vault/init.sh
  

  _ (!2094)

• A bug in the migration script resulting in infinite recursion has been fixed (!2094)

Changes in the Documentation

• Changelogs of previous releases have been dropped. These are still accessible when switching to the respective version. From now on, changelogs for each version will be maintained separately and not continously. (!2094)

v9.1.15 (2025-08-25)

New Features

• The following modules of yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.module now do also accept the HTTP status code 400:

  • http_api_v6

  • http_api_insecure_v6

  • http_api

  • http_api_insecure

  . (!2055)

Bugfixes

• Allow to configure IPv6-specific modules for blackbox-exporter probes in yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.module. Although these modules have been introduced in v9.1.0, they could not be configured until now. (!2055)

v9.1.14 (2025-08-19)

Changed functionality

• The Thanos image repository has been set to bitnamilegacy/thanos due to recent changes by the Bitnami offering. (!1990)

v9.1.13 (2025-08-13)

Changed functionality

• The project has been renamed from YAOOK/K8s to TAROOK. The repository location has been updated to reflect this change. (!2000)

Other Tasks

• !2000

v9.1.12 (2025-08-05)

Bugfixes

• Cluster setup for IPv6-only clusters has been fixed. (!1985)

v9.1.11 (2025-07-24)

Changed functionality

• A new environment group yk8s-env.update-inventory has been added, so update-inventory.sh can be run without downloading unnecessary dependencies. (!1921)

v9.1.10 (2025-07-16)

Bugfixes

• The CA rotation procedure has been fixed once again including force-renewal of the certificates and kubeconfig on Kubernetes nodes and k8s-login for the orchestrator’s kubeconfig. (!1936)

v9.1.9 (2025-07-07)

New Features

• Support for audit policies has been added. (!1896)

v9.1.8 (2025-07-03)

Changed functionality

• Terraform is now disabled by default, which means that for bare-metal clusters it is now sufficient to disable Openstack. This change is non-breaking, because the OpenStack module automatically enabled Terraform. (!1856)

Bugfixes

• A bug has been fixed that resulted in a warning about missing wireguard peers if wireguard was disabled. (!1856)

• The missing options networking_fixed_ip and networking_fixed_ip_v6 have been added to the infra section. (!1856)

• Some option renames have been added to simplify migration of bare-metal clusters. (!1856)

• A bug in the migration script has been fixed that caused the migration to fail if an empty vault state directory existed from a previous failed attempt. (!1909)

• The migration script does not unnecessarily add an openstack section for bare-metal clusters anymore. (!1909)

v9.1.7 (2025-05-07)

Changed functionality

• We are now using packages from NixOS stable. One reason for that is that we’re using boto3 to manage the S3 bucket for yk8s.k8s-service-layer.etcd-backup, but the latest versions of boto3 are incompatible to OpenStack Swift. (!1849)

v9.1.6 (2025-04-15)

Bugfixes

• A minor bug in the monitoring playbook got fixed that caused it to fail if no CRD update is needed. (!1781)

v9.1.5 (2025-04-14)

Bugfixes

• A bug has been fixed which caused the deployment of Vault on Kubernetes to incorrectly fail with an external Ingress issuer configured. (!1803)

v9.1.4 (2025-03-27)

Bugfixes

• A bug has been fixed which accidentally applied the Prometheus resource requests and limits yk8s.k8s-service-layer.prometheus.prometheus_resources also to the operator yk8s.k8s-service-layer.prometheus.operator_resources. (!1770)

v9.1.3 (2025-03-26)

Bugfixes

• The default value of option yk8s.k8s-service-layer.prometheus.common_labels has been set to an empty set again such that Prometheus collects all ServiceMonitors by default. (!1767)

• A bug has been fixed which caused an error when applying the Cinder StorageClass in existing clusters running on OpenStack if yk8s.openstack.cinder_volume_type was unset which it is by default. (!1767)

• If specified, yk8s.testing.nodes are now properly used in the test stage. (!1767)

Changes in the Documentation

• The option yk8s.k8s-service-layer.prometheus.remote_writes.*.basic_auth_secret_name has been added to documentation. (!1767)

v9.1.2 (2025-03-25)

Bugfixes

• Fix IP address autodetection in Calico when used with VRRP on the hosts

  If keepalived was installed on a host, Calico would sometimes incorrectly pick the VRRP address as node address. While generally harmless, this could cause calico-node to break during/after VRRP failovers because it would then see the VRRP address on a different node all of a sudden, leading to a node IP address conflict. (!1752)

v9.1.1 (2025-03-25)

Bugfixes

• Due to a vulnerability in the ingress-nginx admission controller, ingress-nginx has been updated. (!1760)

v9.1.0 (2025-03-21)

New Features

• Bump Keepalived exporter to version 0.7.1 which introduces IPv6 support https://github.com/gen2brain/keepalived_exporter/releases/tag/v0.7.1 (!1482)

• Add IPv6 support for Blackbox exporter (!1482)

• The etcd-metrics-proxy has been adjusted to work on dual stack as well as IPv6 only clusters.

  For dual stack clusters which have been setup prior to release v9.1.0, etcd-metrics can be scraped by IPv4 only as etcd must be patched to supply metrics on [::1]:2381 as well. Out of the box it supplies metrics only on 127.0.0.1 even if Kubernetes has been set up to use dual stack. This release introduces an automated patch which basically does the following things:

  1. Adjust the ClusterConfiguration in the kubeadm-config ConfigMap to reflect the following

  # [...]
  etcd:
    local:
      extraArgs:
        listen-metrics-urls: "http://127.0.0.1:2381,http://[::1]:2381"
  # [...]
  

  2. Regenerate the static Pod manifests of etcd on each control plane node with the patched ClusterConfiguration

  $ kubectl get cm kubeadm-config -n kube-system -o json | jq -r .data.ClusterConfiguration > /tmp/cluster-configuration.yaml
  $ kubeadm init phase etcd local --config /tmp/cluster-configuration.yaml
  

  3. Regenerate the certificates used for TLS encryption between Prometheus and the etcd-metrics-proxy Pods

  4. Restart Prometheus and the etcd-metrics-proxy DaemonSet

  5. Adjust the etcd-metrics-proxy DaemonSet to supply metrics over both IPv4 and IPv6

  The necessary changes are automatically applied on a full rollout. To trigger them in a more controlled way, run:

  $ bash managed-k8s/actions/apply-k8s-core.sh install-k8s.yaml
  $ bash managed-k8s/actions/apply-k8s-supplements.sh install-monitoring.yaml
  

  The above patch is not needed for newly initialized dual stack clusters. (!1631)

• Added support for Kubernetes v1.31 (!1662)

• update-inventory.sh now passes any arguments given to nix build (!1715)

Changed functionality

• A new env var wg_private_key_command has been introduced. This env var lets the user specify a command that retrieves their WireGuard private key from a (safe) place, e.g. from a password safe, rather than having it stored in a plain text file or worse, stored in an env var directly.

  Both old variables wg_private_key and wg_private_key_file have been deprecated. (!1609)

• Unset options are now rendered to the inventory with an explicit null value. (!1687)

• Updated default version of helm chart rook-ceph of https://github.com/rook/rook from v1.15.4 to v1.16.5 (!1700)

• Some options have been moved to a better fitting place. (!1716)

• It is now allowed to have yk8s.wireguard.enabled set to true without any yk8s.wireguard.peers being configured. The inventory updater will output a warning though. (!1737)

Bugfixes

• Only deploy Bird ServiceMonitor when the Bird exporter is actually deployed (!1482)

• The ability to limit the test stage to certain nodes has been fixed (!1690)

• A bug has been fixed which prevented the install-k8s.yaml playbook to succeed if explicitly triggered.

  It is now possible again to execute the following:

  ./managed-k8s/actions/apply-k8s-core.sh install-k8s.yaml
  

  . (!1741)

Changes in the Documentation

• A new coding guide line has been added to specify that for Ansible builtins only the short names shall be used. (!1696)

• Dropped libpam-systemd from necessary packages for Nix on Ubuntu 24.04. (!1704)

• Advice about making the nix-users group effective on first setup has been improved. (!1708)

• A note why the binary cache must be configured in /etc/nix/nix.conf must be configured has been added. (!1710)

Deprecations and Removals

• The legacy installation method to deploy FluxCD has been removed. (!1673)

Other Tasks

• !1676, !1683, !1684, !1685, !1686, !1691, !1697, !1701, !1702, !1707, !1713, !1719, !1721, !1722, !1723, !1724, !1727, !1730, !1732, !1733, !1734, !1740

Misc

• !1542, !1640, !1665, !1705, !1720