Releases: openmcp-project/openmcp-operator

Release v0.16.0

23 Oct 08:19
7169002

Changes included in v0.16.0:

🚀 Features

  • release v0.16.0 #190
    • [USER][FEATURE] - Release v0.16.0
  • prepare for high availability #188
    • [OPERATOR][FEATURE] Add high availability features for the openmcp-operator and service-providers, cluster-providers and platform-services
  • exclude provider fields from status update & utility to set these fields #187
    • [DEVELOPER][FEATURE] - Utility function for service providers to add the kinds of their managed resources to the ServiceProvider status

🔧 Chores

  • remove namespace field from secret reference in AccessRequest status #183
    • [USER][BREAKING] Removed the status.secretRef.namespace field from AccessRequest resources which was added by accident. The access secrets are expected to be in the same namespace as the AccessRequest itself, so wherever this field is read, it can just be replaced with the AccessRequest's namespace.
  • improve the advanced clusteraccess library's abilities to mock fake clients in unit tests #186
    • [DEVELOPER][FEATURE] The advanced ClusterAccess library's capabilities regarding unit tests have been enhanced by adding a configurable FakeClientGenerator to the reconciler. If set, this function will be called when trying to build a client.Client out of an AccessRequest's kubeconfig secret. This enables the test code to inject fake client implementations into the reconciler's Access method and thereby removes the need for any test-specific coding in the controller's logic itself.

Release v0.15.2

14 Oct 14:35
e854383

Changes included in v0.15.2:

🚀 Features

  • advanced clusteraccess library #173
    • [DEVELOPER][BREAKING] The behavior of the library in lib/clusteraccess has changed slightly: Before, the Reconcile method would wait for some other controller to create the namespace and requeue the reconciliation until it existed. Now, it will instead create the namespace itself.
    • [DEVELOPER][FEATURE] The lib/clusteraccess/advanced package now contains a highly flexible library for generating access to clusters during a controller's reconciliation loop. See the documentation for further information.

🐛 Fixes

  • requeue mcp if not ready #184
    • [USER][BUGFIX] Fixed a bug that caused an MCPv2 to not be requeued for reconciliation despite not being Ready yet, causing it to be stuck in Progressing until a reconciliation was triggered externally.

Release v0.15.1

29 Sep 12:52
f4e38be

Changes included in v0.15.1:

🚀 Features

  • allow to skip the workload cluster management #171
    • [DEVELOPER][FEATURE] Allow to skip management of Workload cluster in Access Request Reconciler

🐛 Fixes

  • access request handling for MCP V2 #172
    • [USER][BUGFIX] Correctly handle MCPs without an OIDC config
      Change : to _ for the access secret provider prefix.

Release v0.15.0

29 Sep 07:18
1a1d554

Changes included in v0.15.0:

🔨 Refactoring

  • move access request handling into own lib function #160
    • [DEVELOPER][FEATURE] The lib/clusteraccess package's Manager interface has been expanded with the WaitForClusterAccess method, which creates/updates an AccessRequest for an existing Cluster or ClusterRequest.

🚀 Features

  • support token auth for ManagedControlPlaneV2 #168
    • [USER][FEATURE] Allow static token configuration in IAM section of ManagedControlPlaneV2
  • Improve clusteraccess #167
    • [DEVELOPER][FEATURE] The StableRequestName and StableRequestNameFromLocalName functions from the lib/clusteraccess package now shorten resulting names if they exceed the character limit for k8s resource names. A hash suffix prevents conflicts for different keys with the same prefix.
    • [DEVELOPER][FEATURE] The NewTestClusterAccessManager function from lib/accessrequest serves as an implementation of the Manager interface that is suited to be used in unit tests. It fakes readiness of ClusterRequest and AccessRequest resources that it creates and returns k8s fake clients instead. The fake clients have to be configured before. While this makes the Manager usable in unit tests, the code creating the Manager still has to differentiate between the creation of a regular one or the test implementation.

Release v0.14.0

09 Sep 09:27
642b360

Changes included in v0.14.0:

🔨 Refactoring

  • OIDC validation and defaulting #157
    • [OPERATOR][BREAKING] The naming restriction for the default OIDC provider has been removed (was restricted to default before) and it is now defaulted to openmcp instead.
    • [USER][BREAKING] The validation for the spec.iam.oidcProviders field in the ManagedControlPlaneV2 resource has been changed in multiple ways:
      • usernamePrefix and groupsPrefix have been removed and are now always assumed to be <name>:
      • name is not allowed to be set to system (prevents k8s service account impersonation)
      • The regex validation rule for name has been fixed
      • issuer and clientID are now required and the former must look like a URL
      • Duplicate OIDC provider names or ones that clash with the default OIDC provider are now prevented
  • change default scheduler scope to 'Cluster' #153
    • [OPERATOR][BREAKING] The scheduler's default scope has been changed to Cluster (was Namespaced before).
  • make logging verbosity case-insensitive #155
    • [OPERATOR][OTHER] It is now possible to specify the logging verbosity in the PlatformService, ClusterProvider, and ServiceProvider resources also in lowercase.
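
The OIDC provider rules listed for #157, sketched as an added example (not the operator's own code): because the username prefix is always `<name>:`, a provider named `system` would turn a claim into a `system:serviceaccount:...` identity, which is the username format Kubernetes uses for service accounts. The `OIDCProvider` type, the function names and the URL check are assumptions made for illustration; the name regex is not on the page and is left out.

```go
package main

import (
	"fmt"
	"net/url"
)

// OIDCProvider is a hypothetical, reduced stand-in for one spec.iam.oidcProviders entry.
type OIDCProvider struct{ Name, Issuer, ClientID string }

// DefaultProviderName is the default provider name given in the v0.14.0 notes.
const DefaultProviderName = "openmcp"

// PrefixedUsername applies the fixed "<name>:" prefix to a username claim.
func PrefixedUsername(p OIDCProvider, claim string) string { return p.Name + ":" + claim }

// ValidateProviders applies the listed rules; the name regex is not on the page and is omitted.
func ValidateProviders(ps []OIDCProvider) []error {
	var errs []error
	seen := map[string]bool{DefaultProviderName: true} // the default provider's name is reserved
	for i, p := range ps {
		if p.Name == "system" {
			errs = append(errs, fmt.Errorf("oidcProviders[%d]: name %q would prefix claims with system:", i, p.Name))
		}
		if seen[p.Name] {
			errs = append(errs, fmt.Errorf("oidcProviders[%d]: name %q is a duplicate or clashes with the default provider", i, p.Name))
		}
		seen[p.Name] = true
		if p.ClientID == "" {
			errs = append(errs, fmt.Errorf("oidcProviders[%d]: clientID is required", i))
		}
		// Assumption: "looks like a URL" means it parses with a scheme and a host.
		if u, err := url.Parse(p.Issuer); err != nil || u.Scheme == "" || u.Host == "" {
			errs = append(errs, fmt.Errorf("oidcProviders[%d]: issuer %q is not a URL", i, p.Issuer))
		}
	}
	return errs
}

func main() {
	// Constructed sample input.
	bad := OIDCProvider{Name: "system", Issuer: "https://idp.example.com", ClientID: "mcp"}
	fmt.Println(PrefixedUsername(bad, "serviceaccount:kube-system:default"))
	for _, e := range ValidateProviders([]OIDCProvider{bad, {Name: "openmcp", Issuer: "idp"}}) {
		fmt.Println(e)
	}
}
```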

🚀 Features

  • sync Cluster conditions to MCP #152
    • [USER][FEATURE] The MCPv2 resource now syncs conditions from its primary Cluster into its own status.
  • MCP purpose override #151
    • [USER][FEATURE] The label core.openmcp.cloud/purpose can now be used on ManagedControlPlaneV2 resources to override the default cluster purpose.

Release v0.13.1

05 Sep 08:59
c3c1725

Changes included in v0.13.1:

🐛 Fixes

  • mcpv2 conditions #150
    • [USER][BUGFIX] Fixed an invalid condition type in the MCPv2 resource that prevented status updates and thereby kept the MCPv2 from becoming ready.

Release v0.13.0

03 Sep 11:44
80bd667

Changes included in v0.13.0:

🚀 Features

  • [feature] [operator] MCPv2 controller #115: The MCPv2 controller is now part of the openmcp-operator.

Release v0.12.0

02 Sep 12:09
be76a87

Changes included in v0.12.0:

🔨 Refactoring

  • [breaking] [operator] AccessRequest api #141: The AccessRequest resource has been refactored for a better differentiation between token and oidc access requests.

🐛 Fixes

  • [bugfix] [operator] fix cluster printer columns #140: The additional printer columns for the Cluster resource will now correctly show up on kubectl get.
  • [bugfix] [operator] remove namespace from ClusterProfile's provider and providerconfig references #138: The providerRef and providerConfigRef fields in the ClusterProfile's spec now only take a name and no namespace, as intended.

Release v0.11.2

01 Sep 08:51
9f6f3aa

Changes included in v0.11.2:

🚀 Features

  • [feature] [developer] add RoleRef support #137: Adding support in the lib to reference RoleRefs in the ClusterAccess reconciler.
  • [feature] [user] cluster- and access-request names #134: Prevent name conflicts for ClusterRequests and AccessRequests
  • [feature] [user] package crds in component #133: Package the custom resource definition manifests for the openmcp-operator into the OCM component
  • [feature] [operator] install providers in system namespace #126: Install all providers in a common namespace "openmcp-system"
  • [feature] [operator] Allow override for 'run' and 'init' command in providers #129: The init and run commands for providers can now be overwritten by using the respective fields in the spec of ServiceProvider, ClusterProvider, and PlatformService resources.

🔧 Chores

  • [breaking] [operator] remove onboarding cluster kubeconfig argument #130: The openmcp-operator now takes a --kubeconfig argument for the platform cluster kubeconfig instead of the previous --platform-cluster argument. The --onboarding-cluster argument has been removed to make the operator work without an existing onboarding cluster.

Release v0.11.1

27 Aug 11:18
2de1100

Changes included in v0.11.1:

🚀 Features

  • [feature] [user] add RoleRefs to AccessRequest API #128: Adding support for role references in AccessRequests to bind the ServiceAccount to an existing role or cluster role.
  • [feature] [operator] use K8sNameUUID instead of K8sNameHash and let each mcp have its own namespace #114: The library functions regarding stable MCP namespace and request names have been adapted to use the new UUID-style hash functions and the concept of each MCP having its own namespace on the platform cluster.