
Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

[0.32.0] - 2024-10-04

Changed

  • Shift operator now waits until the uninstallation of helm releases is complete before proceeding to the update tasks.
  • Helm releases that are not found during uninstallation are now ignored.

[0.31.1] - 2024-09-30

Changed

[0.31.0] - 2024-09-18

Changed

[0.30.1] - 2024-08-27

Changed

[0.30.0] - 2024-08-15

Changed

[0.29.0] - 2024-07-22

Fixed

Changed

  • Update ansible-operator base image from v1.34.3 to v1.35.0.
  • Update helm from 3.15.2 to 3.15.3
  • Update shift-operator from 0.28.1 to 0.28.2.
  • Update ci-library from 26.1.0 to 26.5.0.
  • Update dev-iac from dev-iac-2-rc.32 to dev-iac-2-rc.34.
  • Update shift from 0.178.0 to 0.179.0.

[0.28.2] - 2024-07-08

Changed

[0.28.1] - 2024-06-20

Changed

[0.28.0] - 2024-06-12

Added

  • Added jobs that collect the Kubernetes RBAC roles required by Shift operator and add them to the release artifacts. The release artifact contains the following files:
    • role-shift-operator-deployment.yaml contains the required permissions to deploy the Shift operator helm chart.
    • role-shift-operator-runtime.yaml contains the permissions required by Shift operator during runtime.

Fixed

Changed

Removed

  • Theoretical support for Kubernetes horizontal pod autoscaler was removed, since the Shift operator only supports one replica.

[0.27.0] - 2024-05-24

Security

Fixed

Changed

  • Update Helm from 3.14.4 to 3.15.1.
  • Update ansible-operator base image from v1.34.1 to v1.34.2.
  • Update ci-library from 24.0.0 to 24.2.0.

[0.26.0] - 2024-05-03

Security

  • Update CVE ignore list
    • Ignore CVEs GHSA-gpvv-69j7-gwj8 and GHSA-r9hx-vwmv-q579 found in Python 3.6. These are false positives. The Red Hat provided packages already contain fixes for these CVEs, see CVE-2022-40897 and CVE-2019-20916.
    • Ignore CVE GHSA-3ww4-gg4f-jr7f because a fix in the Red Hat provided packages is not yet available. Red Hat classifies the severity of this CVE as 'moderate' due to its high attack complexity, see CVE-2023-50782.
    • Ignore CVE GHSA-6vqw-3v5j-54x4 found in the python package cryptography as we depend on the upstream ansible operator image to include the fixed version. This image does not use PKCS#12 data and is therefore not affected.

Fixed

  • Fixed an issue in the pod readiness check. Previously the pods belonging to a ServiceGroup were checked sequentially, so the default timeout of 5 minutes for the readiness check was spent per pod rather than per ServiceGroup. If all pods of a large ServiceGroup failed to become ready (e.g. due to configuration issues), this could easily add up to 50 minutes during which the Shift Operator did not react to changes in the ServiceGroup. The fix performs the readiness check in parallel for all pods of a ServiceGroup.

Changed

  • Shift operator now uses Ansible Kubernetes modules instead of kubectl. The kubectl binary was removed which also removes CVE GHSA-hqxw-f8mx-cpmw.
  • Update kubernetes.core ansible collection from 2.4.0 to 3.0.1.
  • Update Helm from 3.14.3 to 3.14.4.
  • Update ci-lib from 23.15.1 to 24.0.0

[0.25.1] - 2024-04-03

Fixed

Changed

  • Update Helm from 3.14.0 to 3.14.3
  • Update Kubectl from 1.27.10 to 1.27.11

[0.25.0] - 2024-03-04

Removed

  • Breaking change: Remove the tasks for migrating old servicegroups names introduced in Shift operator version 0.11.0. Ensure that Shift operator version 0.11.0 or higher is running before updating to this version.

Security

  • Update CVE ignore list
    • Ignore CVE GHSA-hqxw-f8mx-cpmw found in Kubectl. The CVE describes a denial of service attack against an API endpoint of docker/distribution. Kubectl itself is not vulnerable.
    • Ignore CVEs GHSA-gpvv-69j7-gwj8 and GHSA-r9hx-vwmv-q579 found in Python 3.6. These are false positives. The Red Hat provided packages already contain fixes for these CVEs, see CVE-2022-40897 and CVE-2019-20916.
    • Ignore CVE GHSA-3ww4-gg4f-jr7f because a fix in the Red Hat provided packages is not yet available. Red Hat classifies the severity of this CVE as 'moderate' due to its high attack complexity, see CVE-2023-50782.
    • Ignore CVE GHSA-6vqw-3v5j-54x4 found in the python package cryptography as we depend on the upstream ansible operator image to include the fixed version. This image does not use PKCS#12 data and is therefore not affected.

Changed

  • Added CHANGELOG.md and README.md files to chart package.
  • Improve log output. Prefix task names with the service group name. Remove redundant log lines for ansible task execution. Add helm debug logs in the 'install component package' and 'uninstall components' tasks to list the updated Kubernetes resources.
  • Update ansible-operator base image from v1.34 to v1.34.1.

[0.24.1] - 2024-02-19

Security

  • Update CVE ignore list
    • Ignore CVE GHSA-hqxw-f8mx-cpmw found in Kubectl. The CVE describes a denial of service attack against an API endpoint of docker/distribution. Kubectl itself is not vulnerable.
    • Ignore CVEs GHSA-gpvv-69j7-gwj8 and GHSA-r9hx-vwmv-q579 found in Python 3.6. These are false positives. The Red Hat provided packages already contain fixes for these CVEs, see CVE-2022-40897 and CVE-2019-20916.
    • Ignore CVE GHSA-3ww4-gg4f-jr7f because a fix in the Red Hat provided packages is not yet available. Red Hat classifies the severity of this CVE as 'moderate' due to its high attack complexity, see CVE-2023-50782.

Fixed

  • Fixed an issue that caused the additional CA certificates provided via the values trustedCerts.existingSecretName or trustedCerts.certs to be ignored.

[0.24.0] - 2024-02-05

Security

Fixed

Changed

  • Update ansible-operator base image from v1.33 to v1.34.
  • Updated ci-library from 23.7.0 to 23.8.1.

[0.23.0] - 2024-01-18

Fixed

Changed

  • Update Helm from 3.13.3 to 3.14.0
  • Update Kubectl from 1.27.9 to 1.27.10
  • Updated ci-library from 23.5.0 to 23.7.0.

[0.22.0] - 2024-01-11

Changed

  • Creation of required role and rolebinding for the Shift operator's service account can be disabled by setting value rbac.create: false. When disabled, the role and rolebinding must be created manually.
  • Updated Kubectl from 1.27.8 to 1.27.9.
  • Updated ci-library from 23.4.0 to 23.5.0.

Removed

  • CRDs that are no longer used were removed:
    • shift.kobil.com_asts.yaml
    • shift.kobil.com_boilerplates.yaml
    • shift.kobil.com_dashboards.yaml
    • shift.kobil.com_idps.yaml
    • shift.kobil.com_scps.yaml
    • shift.kobil.com_smartdashboards.yaml
    • shift.kobil.com_smartscreens.yaml

[0.21.0] - 2023-12-21

Added

  • Added support for using http and https proxies when fetching chart packages from the chart repository. See README for details.

[0.20.0] - 2023-12-15

Security

  • Update CVE ignore list
    • Ignore CVE GHSA-hqxw-f8mx-cpmw found in Kubectl. The CVE describes a denial of service attack against an API endpoint of docker/distribution. Kubectl itself is not vulnerable.
    • Ignore CVE GHSA-m425-mq94-257g found in the ansible-operator. The CVE describes a denial of service attack against HTTP servers. This image does not run an HTTP server and is therefore not affected.
    • Ignore CVE-2023-45285 found in Kubectl. The CVE describes an issue when using 'go get' to fetch modules with a git suffix. This image does not use kubectl to fetch modules and is therefore not affected.

Changed

  • Update ansible-operator base image from v1.32 to v1.33.
  • Update Helm from 3.13.2 to 3.13.3
  • Update ci-lib from 23.3.0 to 23.4.0
  • Update ks-chart-template from 0.14.0 to 0.15.0

[0.19.0] - 2023-11-30

Security

  • Update CVE ignore list
    • Ignore CVE GHSA-hqxw-f8mx-cpmw found in Kubectl. The CVE describes a denial of service attack against an API endpoint of docker/distribution. Kubectl itself is not vulnerable.
    • Ignore CVEs GHSA-m425-mq94-257g, GHSA-4374-p667-p6c8, and CVE-2023-44487, which describe a denial of service attack against HTTP servers. This image does not run an HTTP server and is therefore not affected.
    • Ignore CVE-2023-39323, which describes an attack that requires the go binary. This image doesn't contain go and is therefore not affected.

Changed

  • Update Kubectl from 1.27.7 to 1.27.8
  • Update Helm from 3.13.1 to 3.13.2
  • Update ci-lib from 22.16.1 to 23.3.0
  • Update ks-chart-template from 0.13.0 to 0.14.0

Fixed

  • CVE GHSA-jfhm-5ghh-2f97 in the Python package cryptography.

[0.18.0] - 2023-11-07

Security

  • Update CVE ignore list
    • Ignore CVE GHSA-hqxw-f8mx-cpmw which comes from Kubectl 1.27.6. The CVE describes a denial of service attack against an API endpoint of docker/distribution. Kubectl itself is not vulnerable.
    • Ignore CVEs GHSA-m425-mq94-257g, GHSA-4374-p667-p6c8, CVE-2023-39325, and CVE-2023-44487, which describe a denial of service attack against HTTP servers. This image does not run an HTTP server and is therefore not affected.
    • Ignore CVE-2023-39323, which describes an attack that requires the go binary. This image doesn't contain go and is therefore not affected.

Added

  • Add option to configure the path prefix for fetching helm charts. Configured using value helmRepo.path. The default ("/charts/") assumes that charts are hosted using chart museum. Change this value as required if charts are hosted by a different helm repository, e.g. Nexus. See README for details.

Changed

  • Update Kubectl from 1.27.6 to 1.27.7
  • Update Helm from 3.13.0 to 3.13.1
  • Update ci-lib from 22.11.1 to 22.16.1
  • Update ks-chart-template from 0.12.0 to 0.13.0

[0.17.1] - 2023-10-20

Fixed

Changed

  • Update ci-lib from 22.11.0 to 22.11.1

[0.17.0] - 2023-10-18

Security

Changed

  • Migrate to Docker multiarch jobs.

[0.16.0] - 2023-10-09

Changed

  • Update ansible-operator base image from v1.31 to v1.32.
  • Update Helm from 3.12.3 to 3.13.0

Fixed

[0.15.0] - 2023-09-26

Changed

  • Update CVE ignore list
    • Ignore CVE GHSA-232p-vwff-86mp which comes from Helm 3.12.3. According to the helm maintainers, this is a false positive
    • Ignore CVE GHSA-hqxw-f8mx-cpmw which comes from Kubectl 1.27.6. The CVE describes a denial of service attack against an API endpoint of docker/distribution. Kubectl itself is not vulnerable.
  • Update Kubectl from 1.27.4 to 1.27.6
  • Update Helm from 3.12.2 to 3.12.3
  • Update ci-lib from 21.2.0 to 22.10.0
  • Update ks-chart-template from 0.9.1 to 0.12.0

Removed

  • Removed support for no longer used custom resource definitions (CRD) asts.shift.kobil.com, boilerplates.shift.kobil.com, dashboards.shift.kobil.com, idps.shift.kobil.com, scps.shift.kobil.com, smartdashboards.shift.kobil.com, smartscreens.shift.kobil.com. The only supported CRD is servicegroups.shift.kobil.com.

Fixed

  • Removed CVEs CVE-2023-2603, CVE-2023-29491, CVE-2023-30630 and CVE-2023-3899.

[0.14.0] - 2023-08-02

Fixed

  • Fixed an issue in the readiness check for Servicegroups. Previously, Servicegroups were falsely marked as ready if pods were in state Pending.

Changed

  • Update ci-lib from 19.3.0 to 21.2.0 and add 'deploys' pipeline from dev-iac-2-rc.6.
  • Update ansible-operator base image from v1.28 to v1.31.
  • Update helm from 3.10.0 to 3.12.2.
  • Update kubectl from 1.24.6 to 1.27.4.

[0.13.0] - 2023-04-28

Changed

  • Improve error handling of Shift operator if a non-existing chart version is used in a ServiceGroup.
  • CI-library ref updated to 19.3.0
  • Ansible-operator base image updated to v1.28
  • Update ks-chart-template-common from 0.9.0 to 0.9.1

Fixed

  • HTTP 401 responses to requests from Shift operator to ChartMuseum:
    • Set force_basic_auth to true for the get_url module, so that Ansible does not first try the request without basic auth.

[0.12.0] - 2023-03-10

Added

  • Operational notes concerning resource usage to README.md.

Changed

  • Helm charts are now fetched using the Ansible module get_url. The helm command is only used for installing the fetched chart packages. This significantly reduces the ephemeral storage usage of the Shift operator pod and also reduces memory usage.
  • update ks-chart-template-common from 0.7.0 to 0.8.0.

[0.11.0] - 2023-02-07

Changed

  • The operator now truncates helm release name prefixes if the annotation app.shift.kobil.com/release-prefix is available. This avoids conflicts when using long release names for the shift helm release.
  • Simplify the required escaping of special characters when passing values via valuesOverride in custom resources.
  • ci-library ref updated to 16.6.0
  • ansible-operator base image updated to v1.27
  • Updated ignored CVE list to GHSA-2pfh-q76x-gwvm GHSA-6j58-grhv-2769 GHSA-wwch-cmqr-hhrm GHSA-cpx3-93w7-457x GHSA-r9hx-vwmv-q579.

[0.10.0] - 2022-12-20

Changed

  • common chart template version updated to 0.7.0
  • ci-library ref updated to 14.7.1
  • ansible-operator base image updated to v1.26

Fixed

  • Wrong truncation of helm release name. Previously trailing dashes were not removed from the truncated release name.

[0.9.0] - 2022-10-17

Added

  • Support for deploying the same helm chart multiple times. The keys under the ServiceGroup's spec define the chart 'alias', and the name of the chart to deploy is taken from the value spec.{alias}.chart. If no chart value is specified, the alias is used as the chart name. For example:

    spec:
      internal:
        chart: proxy
      external:
        chart: proxy

    deploys chart 'proxy' two times with aliases 'internal' and 'external', whereas

    spec:
      proxy:

    deploys chart 'proxy' with alias 'proxy'.
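The alias rule above (0.9.0) and the release-name prefix truncation described for 0.10.0 and 0.11.0 can be checked with a small resolver. The following is an added example, not code from the Shift operator itself. It assumes, since the changelog does not say so, that a release is named "<prefix>-<alias>", that the prefix comes from the annotation app.shift.kobil.com/release-prefix, and that the reason for truncating is Helm's 53-character limit on release names; the sample ServiceGroup is constructed.

```python
"""Resolve ServiceGroup spec aliases to chart names and build helm release names.

Added example, not the Shift operator's own Ansible code. Assumptions that the
changelog does not state: release name = "<prefix>-<alias>", the prefix is read
from the annotation below, and truncation exists to satisfy Helm's 53-character
release name maximum.
"""
from __future__ import annotations

from typing import Optional

RELEASE_PREFIX_ANNOTATION = "app.shift.kobil.com/release-prefix"  # named on the page (0.11.0)
HELM_RELEASE_NAME_MAX = 53  # Helm's limit; assumed to be the reason for truncation


def resolve_charts(spec: dict) -> list:
    """Each key under spec is an alias; the chart is spec[alias]['chart'] or the alias itself."""
    resolved = []
    for alias, entry in spec.items():
        entry = entry or {}  # 'proxy:' with no body arrives as None from YAML
        chart = entry.get("chart") or alias
        resolved.append((alias, chart))
    return resolved


def release_name(prefix: Optional[str], alias: str) -> str:
    """Join prefix and alias; if too long, shorten the prefix and drop trailing dashes.

    Only the prefix is truncated so the alias stays intact and releases of the
    same ServiceGroup remain distinguishable (the 0.10.0 fix removed the dashes
    that a plain cut could leave at the end of the prefix).
    """
    if not prefix:
        return alias
    budget = HELM_RELEASE_NAME_MAX - len(alias) - 1  # room left for the prefix and the dash
    if len(prefix) > budget:
        prefix = prefix[: max(budget, 0)].rstrip("-")
    return f"{prefix}-{alias}" if prefix else alias


def plan_releases(servicegroup: dict) -> dict:
    """Map each resolved release name to the chart it deploys."""
    annotations = (servicegroup.get("metadata") or {}).get("annotations") or {}
    prefix = annotations.get(RELEASE_PREFIX_ANNOTATION)
    spec = servicegroup.get("spec") or {}
    return {release_name(prefix, alias): chart for alias, chart in resolve_charts(spec)}


# Constructed sample ServiceGroup mirroring the changelog's example.
SAMPLE_SERVICEGROUP = {
    "metadata": {"name": "demo", "annotations": {RELEASE_PREFIX_ANNOTATION: "shift"}},
    "spec": {"internal": {"chart": "proxy"}, "external": {"chart": "proxy"}},
}

if __name__ == "__main__":
    for name, chart in plan_releases(SAMPLE_SERVICEGROUP).items():
        print(f"release {name} -> chart {chart}")
    print(release_name("a" * 40 + "-----", "internal"))
```

With the sample above, plan_releases yields two releases of chart 'proxy', shift-internal and shift-external; a prefix that ends in dashes after truncation loses them, so the result never contains a double dash before the alias.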

Changed

  • base image ansible-operator updated to v1.24

[0.8.0] - 2022-09-30

Added

  • Feature to optionally skip status check of ServiceGroups. To use this feature, add label app.kubernetes.io/readycheck: "false" to the ServiceGroup resource.

Changed

  • update ks-chart-template-common to 0.4.0
  • update ci-library to 13.4.1
  • update base image to quay.io/operator-framework/ansible-operator:v1.23.0
  • update helm to 3.10.0
  • update kubectl to 1.24.6

[0.7.0] - 2022-07-07

Changed

  • A service chart is now uninstalled when it is disabled in, or deleted from, the ServiceGroup CR.
  • Update ci-lib ref to 10.6.1
  • Update ansible-operator base image to v1.22

[0.6.0] - 2022-06-27

Added

  • Failure reporting within status of servicegroup CRs. Can be checked with kubectl describe servicegroup
  • Value ansible.extraVars in the helm chart to provide additional configuration to Ansible via the --extra-vars parameter.

Fixed

  • Fixed a bug that caused the 'Getting pods status' task to succeed when a pod was stuck in Pending. This was achieved by additionally checking that the pod's status list is not empty.

[0.5.0] - 2022-06-14

Added

  • CRD servicegroup as a common type to replace old CRDs.
  • kubectl v1.24.0 tool into the docker image
  • Information about components deployed as part of a CRD can be listed with kubectl get servicegroup

Changed

  • Refactored logic for determining status of CRD. A CRD is now considered ready if all its pods are either running and ready or completed. This allows the helm flags --wait --timeout 15m0s to be removed for install and uninstall logic.
  • helm chart refactored for using common chart template
  • Base image upgraded to ansible-operator:v1.21
  • Old CRDs are marked as deprecated
  • The default manageStatus of CRDs is set to false. The status is managed by install logic.
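The readiness rules spread across this changelog (ready only if all pods are Running and ready or Completed, 0.5.0; an empty pod status is not ready, 0.6.0; Pending is not ready, 0.14.0; all pods of a ServiceGroup checked in parallel so the timeout is spent per group, not per pod, 0.26.0) can be put into one function. This is an added example, not the operator's Ansible code: the pods are constructed dicts shaped like Kubernetes Pod objects, "ready" is taken to mean every containerStatuses entry has ready: true (an assumption), and get_pod is a hypothetical lookup standing in for an API call.

```python
"""Readiness check for the pods of a ServiceGroup, as an added example.

Not the Shift operator's own code. Rules implemented from the changelog:
- a pod is ready when phase is Succeeded (completed) or phase is Running and all
  containerStatuses report ready (the container-level reading is an assumption);
- an empty status, a Pending pod or an unknown pod is never ready;
- all pods are polled in parallel against one shared deadline, so N stuck pods
  cost one timeout rather than N timeouts.
"""
import time
from concurrent.futures import ThreadPoolExecutor


def pod_is_ready(pod) -> bool:
    status = (pod or {}).get("status") or {}
    if not status:  # empty status: treat as not ready (0.6.0 fix)
        return False
    phase = status.get("phase")
    if phase == "Succeeded":  # completed job pods count as ready
        return True
    if phase != "Running":  # Pending, Failed, Unknown
        return False
    containers = status.get("containerStatuses") or []
    return bool(containers) and all(c.get("ready", False) for c in containers)


def wait_for_pod(get_pod, name: str, deadline: float, interval: float = 0.05) -> bool:
    """Poll one pod via get_pod(name) until it is ready or the shared deadline passes."""
    while True:
        if pod_is_ready(get_pod(name)):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def servicegroup_ready(get_pod, pod_names, timeout_s: float) -> dict:
    """Check every pod of the group in parallel; the timeout applies to the whole group."""
    started = time.monotonic()
    deadline = started + timeout_s
    with ThreadPoolExecutor(max_workers=max(1, len(pod_names))) as pool:
        results = list(pool.map(lambda n: wait_for_pod(get_pod, n, deadline), pod_names))
    return {
        "ready": all(results),
        "pods": dict(zip(pod_names, results)),
        "elapsed_s": time.monotonic() - started,
    }


# Constructed sample pods (shape follows the Kubernetes Pod API, values are made up).
SAMPLE_PODS = {
    "web-0": {"status": {"phase": "Running", "containerStatuses": [{"name": "web", "ready": True}]}},
    "job-1": {"status": {"phase": "Succeeded", "containerStatuses": [{"name": "job", "ready": False}]}},
    "db-0": {"status": {"phase": "Pending", "containerStatuses": []}},
    "init-0": {"status": {}},  # status not populated yet
}

if __name__ == "__main__":
    # get_pod is SAMPLE_PODS.get here; in the operator it would be a Kubernetes API lookup.
    print(servicegroup_ready(SAMPLE_PODS.get, ["web-0", "job-1"], timeout_s=0.3))
    print(servicegroup_ready(SAMPLE_PODS.get, ["db-0", "init-0", "missing"], timeout_s=0.3))
```

The second call has three pods that never become ready; with the shared deadline it returns after roughly one timeout, whereas a sequential loop would take three. A per-pod result map is returned so the failing pod can be named in the ServiceGroup status instead of only reporting the group as not ready.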

[0.4.1] - 2022-02-02

Changed

  • Built-in waiting added to the helm uninstall command
  • Failures on chart uninstall are ignored

[0.4.0] - 2022-01-31

Added

  • Helm chart value for ansible verbosity ansible.verbosityLevel with default 0.

Changed

  • Increase async time limit of helm install task to 20 minutes to avoid potential race conditions with long lasting deployments.
  • Increase retries of check install status task to 120.
  • Added GHSA-q2q7-5pp4-w6pg, GHSA-qc9x-gjcv-465w to ignored CVEs.
  • Update pipeline to 6.0.0

[0.3.0]

Added

  • maverickboilerplate CRD
  • serviceMonitor manifest for the shift operator's metrics

Changed

  • ansible-operator docker image updated to v1.15

[0.2.0]

Added

  • handling of valuesOverride values block

[0.1.0]

Added

  • initial shift operator implementation
  • Ignored CVEs: CVE-2016-1905 CVE-2016-1906 CVE-2016-7075 CVE-2021-33503 GHSA-2pfh-q76x-gwvm GHSA-q2q7-5pp4-w6pg