Release v1.28.2

Kubernetes Fury Distribution Release v1.28.2

Welcome to KFD release v1.28.2.

The distribution is maintained with ❤️ by the team SIGHUP it is battle tested in production environments.

New Features since v1.28.1

Installer Updates

• on-premises 📦 installer: v1.29.3-rev.2
  • Added support for HAProxy monitoring
  • Added support for containerd mirror without authentication
  • Fixed OIDC override settings for the APIserver
• eks 📦 installer: v3.1.2
  • Introduced iam role name override
  • Added volume_type variable for node pools

Module updates

• monitoring 📦 core module: v3.2.0
  • mimir: set unlimited max_global_series_per_user
  • haproxy: add rules and dashboard
  • prometheus-operated: enable scrapeConfigs
  • grafana: use dynamic datasource in fury-cluster-overview dashboard
• logging 📦 core module: v3.4.1
  • fix: keep k8s labels for ingress-flow
• ingress 📦 core module: v2.3.2
  • fix: prometheus rule on nginx to check certificate expiration
• auth 📦 core module: v0.3.0
  • gangplank: update to v1.1.0
  • dex: add custom Fury branding
• aws 📦 module: v4.2.1
  • added override on the names of the IAM roles in the terraform modules

New features 🌟

• Certificates renewal command: Added to the OnPremises provider a command on furyctl to renew all the cluster certificates: furyctl renew certificates.
• DR configurable schedules: Now the cron for the velero schedules on the DR module can be changed, they can also be disabled altogether. An example configuration:

  ...
      dr:
        velero:
          schedules:
            install: true
            cron:
              manifests: "*/15 * * * *"
              full: "0 1 * * *"
  ...

• PKI can now be generated with furyctl: Added a command on furyctl to generate the PKI needed for the OnPremises provider: furyctl create pki.
• New hubble ingress: By default, when using Cilium, an ingress for the Hubble component will be deployed.
• Prometheus Agent mode: The Agent mode optimizes Prometheus for the remote write use case. It disables querying, alerting, and local storage, and replaces it with a customized TSDB WAL. Everything else stays the same: scraping logic, service discovery and related configuration. It can be used as a drop-in replacement for Prometheus if you want to just forward your data to a remote Prometheus server or any other Remote-Write-compliant project. See more information on the PR.
• Log type customOutputs: This is a set of changes that introduce a new customOutputs logging type that allows configuring the Logging stack to ship the logs to a custom (remote or not) server instead of sending them to a local OpenSearch or Loki deployment. See more information on the PR.
• Improved SSO configurations: With auth provider type SSO, Pomerium and Grafana integration is now enhanced by disabling Grafana's basic auth when Pomerium authentication is active. Pomerium configuration now includes under .spec.distribution.modules.auth.pomerium a routes field to allow custom routes, a defaultRoutesPolicy field to allow customization of the policies for default routes, and a SIGNING_KEY under secrets. New Grafana settings under .spec.distribution.modules.monitoring.grafana include usersRoleAttributePath to use JMESPath expressions for role mapping and basicAuthIngress to reactivate basic auth on a different ingress. An example configuration:

  ...
        monitoring:
          grafana:
            usersRoleAttributePath: contains(groups[*], 'editor') && 'Editor' || contains(groups[*], 'viewer') && 'Viewer'
            basicAuthIngress: false
        auth:
          pomerium:
            secrets:
              COOKIE_SECRET: xxxx
              IDP_CLIENT_SECRET: xxxx
              SHARED_SECRET: xxxx
              SIGNING_KEY: xxxx
            defaultRoutesPolicy:
              grafana:
                - allow:
                  and:
                    - authenticated_user: true
              prometheus:
                - allow:
                  and:
                    - authenticated_user: true
              alertmanager:
                - allow:
                  and:
                    - authenticated_user: true
            routes:
              - from: https://some-url.ext
                to: http://service.namespace.svc.cluster.local
  ...

• Forecastle grouping when SSO enabled: Now, when using auth provider sso, forecastle will group the ingresses based on a logical grouping instead of using the namespace.
• Embedded yaml language server directive on default configs: Now, when creating a project from scratch generating a new furyctl.yaml file, a line containing the yaml-language-server directive will be added to make vscode and similar IDEs to validate the schema, and autocomplete fields.
• volume_type on EKSCluster provider: Now the volume_type can be choosen while using the EKSCluster provider on the node pools.
• EKSCluster cluster name length and iam role name override: Increased the maximum cluster name length from 19 to 56 characters and added the ability to override the IAM role names on the EKSCluster provider for the clusterAutoscaler, ebsCsiDriver and loadBalancerController modules under the respective keys .spec.distribution.modules.aws.clusterAutoscaler.overrides.iamRoleName, .spec.distribution.modules.aws.ebsCsiDriver.overrides.iamRoleName and .spec.distribution.modules.aws.loadBalancerController.overrides.iamRoleName.

Fixes 🐞

• DR module selectors: Now the common node selector and tolerations are honored on velero and minio deployment for the DR module.
• OIDC advanced parameters: Now the oidc advanced parameter are all fixed and working.
• Websocket support with SSO: The websocket of the applications behind ingresses protected by pomerium are now working.

Breaking changes 💔

• SIGNING_KEY required on pomerium: While using auth provider type SSO, the pomerium key SIGNING_KEY is now required. See more informations here.

Upgrade procedure

Check the upgrade docs for the detailed procedure.