Skip to content

Release v1.28.0
Compare
Choose a tag to compare
@SIGHUP-C-3PO SIGHUP-C-3PO released this 12 Apr 16:00
· 416 commits to main since this release
v1.28.0
99aac36
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

Kubernetes Fury Distribution Release v1.28.0

Welcome to KFD release v1.28.0.

The distribution is maintained with ❤️ by the team SIGHUP it is battle tested in production environments.

This release adds compatibility with Kubernetes 1.28.

New Features since v1.27.4

Core Module Updates

  • networking 📦 core module: v1.16.0
    • Updated calico to 3.27.0.
    • Updated tigera operator to 1.32.3.
    • Updated cilium to 1.15.2.
  • monitoring 📦 core module: v3.1.0
    • Updated thanos to v0.34.0.
    • Updated x509-exporter to v3.12.0.
    • Updated mimir to v2.11.0.
    • Updated minio-ha to RELEASE.2024-02-09T21-25-16Z.
  • logging 📦 core module: v3.4.0
    • Removed cerebro.
    • Updated opensearch to 2.12.0.
    • Updated opensearch-dashboards to 2.12.0.
    • Updated logging-operator to 4.5.6.
  • ingress 📦 core module: v2.3.0
    • Updated cert-manager to 1.14.2.
    • Updated external-dns to 0.14.0.
    • Updated forecastle to 1.0.136.
    • Updated nginx to 1.9.6.
  • dr 📦 core module: v2.3.0
    • Updated velero to 1.13.0.
    • Updated all plugins to 1.9.0.
  • OPA 📦 core module: v1.12.0
    • Updated gatekeeper to 3.15.1.
    • Updated gatekeeper-policy-manager to 1.0.10.
    • Updated kyverno to 1.11.4.
  • auth 📦 core module: v0.2.0
    • Updated dex to 2.38.0.
    • Updated pomerium to 0.25.0.
  • tracing 📦 core module: v1.0.3

Please refer the individual release notes for detailed information.

New features 🌟

This release add the following features:

  • New Encryption Feature on ETCD: This version introduces a feature for the OnPremises provider that allows inserting the encryption-provider-config parameter into the API server to enable encryption within the ETCD database. You can adjust the parameter using .spec.kubernetes.advanced.encryption.configuration: <string> (NOTE: For existing clusters, manual execution of the command kubeadm upgrade apply --config /etc/kubernetes/kubeadm.yml is required on all masters). An example configuration to encrypt new secrets with fallback to plaintext is:

    apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
    - secrets
    providers:
    - aescbc:
        keys:
        - name: key1
          # example base64 encode of "passwordpassword"
          secret: cGFzc3dvcmRwYXNzd29yZAo=
    # fallback to read non encrypted secrets
    - identity: {}

  • New Encryption Parameters to Change TLS Cipher Suites in ETCD and API Server: A new parameter to customize the TLS cipher suites available in the API server and ETCD service has been added, .spec.kubernetes.advanced.encryption.tlsCipherSuites: <array of strings> (NOTE: For existing clusters, manual execution of the command kubeadm upgrade apply --config /etc/kubernetes/kubeadm.yml is required on all masters, along with a manual restart of the ETCD service).

  • Image Directive on CustomPatches on All Providers: With this release, we added the possibility to customize the image using the following configuration:

    spec:
  distribution:
    customPatches:
      images:
        - name: registry.sighup.io/fury/prometheus-operator/prometheus-operator
          newName: quay.io/prometheus-operator/prometheus-operator
          newTag: latest

  • Auto Role Setting on Workers for the OnPremises Provider: Automatic labeling of worker nodes with their name in the privileged label node-role.kubernetes.io/{{ node_role }}= has been added.

  • Replaced Gangway with Gangplank: We created a fork, Gangplank, of the open-source Gangway project archived by VMware. This new fork updates all dependencies and revamps the UI.

  • Additional Static Clients on DEX: A new parameter, additionalStaticClients, on DEX configuration can now be configured:

    spec:
  distribution:
    modules:
      auth:
        dex: 
          connectors:
            - type: ldap
              ...
          additionalStaticClients:
            - id: test
              redirectURIs:
                - https://argocd.test/auth/callback
                - https://argocd.test/auth/login
              name: 'ArgoCD Login'
              secret: XXXXXX

Fixes

  • Mimir Tolerations and Selectors: Tolerations and selectors on the Mimir deployment were not being honored.
  • Mimir max_global_series_per_user to Unlimited: We changed the default value of max_global_series_per_user to unlimited since Mimir, after the cluster was up and running for a while, was rejecting metrics from Prometheus.

Removals 🗑️

  • Removed Cerebro: Cerebro is an unmaintained open-source project. Due to security reasons, we decided to remove it from the logging module without replacement.

Upgrade procedure

Check the upgrade docs for the detailed procedure.

Assets 8
Loading