Releases: outscale/cluster-api-provider-outscale
v1.0.0
Release notes for Cluster API Provider Outscale (CAPOSC) v1.0.0
v1.0.0 is a major release with major changes and improvements.
Tracking of resources
Tracking of resources has been refactored. Previous versions used:
- the resourceID field and/or a reference stored in status
- as a fallback, a search by name.
The following changes have been made:
- resourceId is not rewritten to the spec, to avoid triggering new reconciliation loops,
- resource IDs are stored in simpler status maps,
- API searches use a direct attribute when possible (client token when present, subnet ranges for subnets, ...)
Roles
Roles are added to subnets and security groups.
No need to use names to reference resources. As long as roles are defined, security groups & subnets will be automatically matched.
Public IPs
Public IP allocation is automatic, no need to define the list of public IPs in the spec.
Nodes can fetch public IPs from a pool of existing addresses.
Intelligent automatic mode
When a resource is not configured, an automatic configuration is generated.
The previous versions used a static default configuration. The new approach generates an intelligent, context-aware configuration:
- subnets use the net IP range,
- nat services are created in every public subnet (in a multi-az setup),
- route tables are created for every subnet, using the nat from the same subregion,
- bastion SSH rules are added to security groups.
You may mix automatic and static resources (e.g. static subnets with automatic route tables, static security groups with automatic subnets, ...), as long as roles are properly configured on static resources.
This automatic configuration is not written to the spec, and it will reflect changes in configuration (e.g. if you add subnets, NAT services and route tables will be added).
Multi-AZ clusters
CAPOSC is able to build a multi-AZ cluster by setting subregions. This will:
- create nat, control-plane and worker subnets in all configured subregions,
- create a NAT service in all subregions,
- route all traffic from nodes in a subregion to the NAT in the same subregion.
Reuse of network resources
The useExisting attribute has been added.
With useExisting.net, you may reuse network resources (net & subnets, internet service, nat services, route tables), and with useExisting.securityGroups, security groups.
You will have to provide the list of resource ids to the spec, with the associated roles, as in the following example:
    useExisting:
      net: true
      securityGroups: true
    net:
      resourceId: vpc-xxx
    subnets:
    - resourceId: subnet-xxx
      roles:
      - controlplane
    - resourceId: subnet-xxx
      roles:
      - worker
    - resourceId: subnet-xxx
      roles:
      - loadbalancer
      - nat
      - bastion
    securityGroups:
    - resourceId: sg-xxx
      roles:
      - controlplane
    - resourceId: sg-xxx
      roles:
      - worker
    - resourceId: sg-xxx
      roles:
      - loadbalancer
    - resourceId: sg-xxx
      roles:
      - controlplane
      - worker
When using an existing net, CAPOSC will not reconcile or delete those resources. It also does not validate that everything is properly configured.
Security groups rules
- A new ipRanges attribute has been added to support rules targeting multiple IP ranges. ipRange is still supported but is deprecated.
- Custom rules can now be added directly, without requiring extraSecurityGroupRule.
- The default rules are not rewritten to the spec. If the default rules are not suited to your configuration, you can either set your own new security groups (using securityGroups) or add rules to the default rules (using additionalSecurityRules).
- By default, as in v0.4.0, rules are never removed by CAPOSC. When setting authoritative, the rules of a security group will be synchronized to the spec: rules not present in the spec (e.g. default 0.0.0.0/0 rules) will be deleted.
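To preview what switching a security group to authoritative would change, the following added example (not CAPOSC's own code) models the behaviour described above: ipRanges and the deprecated ipRange are expanded to one rule per range, and live rules missing from the spec are deleted only in authoritative mode. The types Rule and SpecRule, the functions Plan and sample, and the sample ranges are hypothetical; CCM-created rules, which authoritative mode is meant to leave alone, are not modelled.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is one rule on one IP range. Illustrative types, not CAPOSC's Go API.
type Rule struct {
	Flow, Protocol   string
	FromPort, ToPort int
	IPRange          string
}

// SpecRule: the embedded IPRange is the deprecated ipRange, IPRanges the new list.
type SpecRule struct {
	Rule
	IPRanges []string
}

const anyIP = "0.0.0.0/0"

// Plan returns rules to create, rules to delete, and world-open rules left afterwards.
func Plan(live []Rule, spec []SpecRule, authoritative bool) (add, del, open []Rule) {
	want, seen := map[Rule]bool{}, map[Rule]bool{}
	for _, s := range spec {
		for _, r := range append([]string{s.IPRange}, s.IPRanges...) {
			if r != "" {
				want[Rule{s.Flow, s.Protocol, s.FromPort, s.ToPort, r}] = true
			}
		}
	}
	for _, r := range live {
		seen[r] = true
		if authoritative && !want[r] {
			del = append(del, r) // only authoritative mode removes rules
		} else if r.IPRange == anyIP {
			open = append(open, r) // kept rule that is still world-open
		}
	}
	for r := range want {
		if !seen[r] {
			add = append(add, r)
			if r.IPRange == anyIP {
				open = append(open, r)
			}
		}
	}
	sort.Slice(add, func(i, j int) bool { return fmt.Sprint(add[i]) < fmt.Sprint(add[j]) })
	return add, del, open
}

func sample() ([]Rule, []SpecRule) { // constructed data: open default API rule + scoped rule
	live := []Rule{{"Inbound", "tcp", 6443, 6443, anyIP}, {"Inbound", "tcp", 6443, 6443, "10.0.0.0/16"}}
	return live, []SpecRule{{Rule{"Inbound", "tcp", 6443, 6443, ""}, []string{"10.0.0.0/16", "192.0.2.0/24"}}}
}

func main() {
	live, spec := sample()
	for _, auth := range []bool{false, true} {
		add, del, open := Plan(live, spec, auth)
		fmt.Printf("authoritative=%v add=%v delete=%v still-open=%v\n", auth, add, del, open)
	}
}
```

A non-empty still-open list in the non-authoritative plan means the spec alone does not close the default 0.0.0.0/0 exposure.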
Security
By default, neither inbound traffic to the Kubernetes API nor outbound traffic is restricted (0.0.0.0/0).
When setting allowFromIPRanges, inbound traffic is restricted to the list of specified ranges and all NAT services, ensuring that nodes can still access the API.
When setting allowToIPRanges, outbound traffic is restricted to the list of specified ranges.
Faster reconciliations
Defaults and resource IDs are no longer written to the spec, in order to avoid triggering unnecessary reconciliation loops.
Successful reconciliations are stored in status, and CAPOSC will only reconcile if a change has been made to the spec.
Reconciling a new OscCluster is twice as fast as in v0.4.0 and makes half as many API calls.
Validation
Earlier versions performed very few validation checks, and invalid specs were accepted by the Kubernetes API, often leading to infinite reconciliation loops.
Now, comprehensive validation checks have been added. Errors are reported immediately via kubectl when trying to apply an invalid resource.
Various changes
- CAPOSC now uses the standard logger instead of zap, and logs in text format by default. Use -v to set verbosity and --logging-format to set the logging format.
- Better error reporting of 409 errors in status
Changelog since v1.0.0-rc.1
What's Changed
Others
- github action: allow kustomization of generated cluster by @jfbus in #582
- fix: Correct discord link by @outscale-rce in #583
Full Changelog: v1.0.0-rc.1...v1.0.0
The release image is: outscale/cluster-api-outscale-controllers:v1.0.0
Thanks to all our contributors!
v1.0.0-rc.1
Release notes for Cluster API Provider Outscale (CAPOSC) v1.0.0-rc.1
Changelog since v1.0.0-beta.1
What's Changed
Others
- ci: restrict cluster access to runner ip by @jfbus in #565
- docs: Update readme & contributing files respecting new standard by @outscale-rce in #575
- config: Update github issues templates by @outscale-rce in #576
- templates: add image account id to secure template by @jfbus in #577
- license: Update licenses by @outscale-rce in #579
- config: Update PR template file by @outscale-rce in #580
- ci: use new Kube 1.30/1.31 images by @jfbus in #578
- ci: group k8s dependabot PRs by @jfbus in #581
New Contributors
- @outscale-rce made their first contribution in #575
Full Changelog: v1.0.0-beta.1...v1.0.0-rc.1
The release image is: outscale/cluster-api-outscale-controllers:v1.0.0-rc.1
Thanks to all our contributors!
v1.0.0-beta.1
Release notes for Cluster API Provider Outscale (CAPOSC) v1.0.0-beta.1
What's Changed
Others
- ci: no need to patch security group rules anymore by @jfbus in #564
- build(deps): bump k8s.io/client-go from 0.30.13 to 0.30.14 by @dependabot in #569
- build(deps): bump k8s.io/kubectl from 0.30.13 to 0.30.14 by @dependabot in #570
- fix: add missing CAPI IP to secure templates by @jfbus in #566
- ci: bump golangci-lint to v2 by @jfbus in #572
- ci: avoid being stuck during cluster deletion by @jfbus in #573
Full Changelog: v1.0.0-alpha.3...v1.0.0-beta.1
The release image is: outscale/cluster-api-outscale-controllers:v1.0.0-beta.1
Thanks to all our contributors!
v1.0.0-alpha.3
Release notes for Cluster API Provider Outscale (CAPOSC) v1.0.0-alpha.3
What's Changed
Added
Changed
- doc: updated spec comments by @jfbus in #542
- doc: add templates for secure and multiaz-secure flavors by @jfbus in #557
Fixed
Full Changelog: v1.0.0-alpha.2...v1.0.0-alpha.3
The release image is: outscale/cluster-api-outscale-controllers:v1.0.0-alpha.3
Thanks to all our contributors!
v1.0.0-alpha.2
Release notes for Cluster API Provider Outscale (CAPOSC) v1.0.0-alpha.2
What's Changed
Changed
- ci: add deploy_cluster github action by @jfbus in #544
- refacto/oscmachine: requeue for 30s when waiting for VM to be ready by @jfbus in #555
- refacto: refactored OscMachine validation by @jfbus in #556
Fixed
- security: allow all CP->W applicative ports, add default Outbound rules by @jfbus in #553
- fix: authoritative mode should not remove CCM created rules by @jfbus in #554
Others
- build(deps): bump github.com/outscale/osc-sdk-go/v2 from 2.26.0 to 2.27.0 by @dependabot in #561
Full Changelog: v1.0.0-alpha.1...v1.0.0-alpha.2
v1.0.0-alpha.1
Release notes for Cluster API Provider Outscale (CAPOSC) v1.0.0-alpha.1
v1.0.0 is a major release with major changes and improvements.
Tracking of resources
Tracking of resources has been refactored. Previous versions used:
- the resourceID field and/or a reference stored in status
- as a fallback, a search by name.
The following changes have been made:
- resourceId is not rewritten to the spec, to avoid triggering new reconciliation loops,
- resource IDs are stored in simpler status maps,
- API searches use a direct attribute when possible (client token when present, subnet ranges for subnets, ...)
Roles
Roles are added to subnets and security groups.
No need to use names to reference resources. As long as roles are defined, security groups & subnets will be automatically matched.
Public IPs
Public IP allocation is automatic, no need to define the list of public IPs in the spec.
Nodes can fetch public IPs from a pool of existing addresses.
Intelligent automatic mode
When a resource is not configured, an automatic configuration is generated.
The previous versions used a static default configuration. The new approach generates an intelligent, context-aware configuration:
- subnets use the net IP range,
- nat services are created in every public subnet (in a multi-az setup),
- route tables are created for every subnet, using the nat from the same subregion,
- bastion SSH rules are added to security groups.
You may mix automatic and static resources (e.g. static subnets with automatic route tables, static security groups with automatic subnets, ...), as long as roles are properly configured on static resources.
This automatic configuration is not written to the spec, and it will reflect changes in configuration (e.g. if you add subnets, NAT services and route tables will be added).
Multi-AZ clusters
CAPOSC is able to build a multi-AZ cluster by setting subregions. This will:
- create nat, control-plane and worker subnets in all configured subregions,
- create a NAT service in all subregions,
- route all traffic from nodes in a subregion to the NAT in the same subregion.
Reuse of network resources
The useExisting attribute has been added.
With useExisting.net, you may reuse network resources (net & subnets, internet service, nat services, route tables), and with useExisting.securityGroups, security groups.
You will have to provide the list of resource ids to the spec, with the associated roles, as in the following example:
    useExisting:
      net: true
      securityGroups: true
    net:
      resourceId: vpc-xxx
    subnets:
    - resourceId: subnet-xxx
      roles:
      - controlplane
    - resourceId: subnet-xxx
      roles:
      - worker
    - resourceId: subnet-xxx
      roles:
      - loadbalancer
      - nat
      - bastion
    securityGroups:
    - resourceId: sg-xxx
      roles:
      - controlplane
    - resourceId: sg-xxx
      roles:
      - worker
    - resourceId: sg-xxx
      roles:
      - loadbalancer
    - resourceId: sg-xxx
      roles:
      - controlplane
      - worker
When using an existing net, CAPOSC will not reconcile or delete those resources. It also does not validate that everything is properly configured.
Security groups rules
- A new ipRanges attribute has been added to support rules targeting multiple IP ranges. ipRange is still supported but is deprecated.
- Custom rules can now be added directly, without requiring extraSecurityGroupRule.
- The default rules are not rewritten to the spec. If the default rules are not suited to your configuration, you can either set your own new security groups (using securityGroups) or add rules to the default rules (using additionalSecurityRules).
- By default, as in v0.4.0, rules are never removed by CAPOSC. When setting authoritative, the rules of a security group will be synchronized to the spec: rules not present in the spec (e.g. default 0.0.0.0/0 rules) will be deleted.
Security
By default, neither inbound traffic to the Kubernetes API nor outbound traffic is restricted (0.0.0.0/0).
When setting allowFromIPRanges, inbound traffic is restricted to the list of specified ranges and all NAT services, ensuring that nodes can still access the API.
When setting allowToIPRanges, outbound traffic is restricted to the list of specified ranges.
Faster reconciliations
Defaults and resource IDs are no longer written to the spec, in order to avoid triggering unnecessary reconciliation loops.
Successful reconciliations are stored in status, and CAPOSC will only reconcile if a change has been made to the spec.
Reconciling a new OscCluster is twice as fast as in v0.4.0 and makes half as many API calls.
Validation
Earlier versions performed very few validation checks, and invalid specs were accepted by the Kubernetes API, often leading to infinite reconciliation loops.
Now, comprehensive validation checks have been added. Errors are reported immediately via kubectl when trying to apply an invalid resource.
Various changes
- CAPOSC now uses the standard logger instead of zap, and logs in text format by default. Use -v to set verbosity and --logging-format to set the logging format.
- Better error reporting of 409 errors in status
Changelog since v0.4.0
What's Changed
Added
- feat/net: reuse existing network resources by @jfbus in #498
- feat: restrict bastion & kubernetes API to a list of IP ranges by @jfbus in #501
- oscmachine: allocate public ip from an existing pool by @jfbus in #510
Changed
- release: fix changelog template by @jfbus in #487
- go.mod: fix go version by @jfbus in #495
- ci: disable artifacts by @jfbus in #496
- merge tag calls by @jfbus in #489
- doc: updated volumes documentation by @jfbus in #502
- docker: switch to distroless + strip binary by @jfbus in #509
Removed
- cleanup/vm: remove GetVmState by @jfbus in #490
- cleanup/volumes: remove unused volume code by @jfbus in #491
- cloud: remove dead code by @jfbus in #505
- refacto/backoff: remove backoff on main calls, secure backoff on secondary calls by @jfbus in #492
- go.mod: remove replace usage for k8s deps by @jfbus in #507
Others
- build(deps): bump golang.org/x/net from 0.34.0 to 0.38.0 by @dependabot in #500
- deps: bump SDK to v2.26.0 by @jfbus in #506
- deps: bump bump/k8s.io/klog/v2 to v2.130.1 by @jfbus in #508
- deps: bump sigs.k8s.io/cluster-api to v1.8.12 by @jfbus in #504
- feat: authoritative security group rules by @jfbus in #512
- feat: allow managed SGs in a reused net by @jfbus in #511
- feat: add sg rules to automatic config by @jfbus in #514
- ci: update cred-scan workflow by @jfbus in #519
- dependabot by @jfbus in #521
- dependabot: ignore k8s major/minor updates by @jfbus in #527
- feat: filter outbound trafic by @jfbus in #517
- cleanup/cloud: remove dead code by @jfbus in #515
- dependabot: ignore sigs.k8s.io major/minor updates by @jfbus in #531
- build(deps): bump go.uber.org/mock from 0.5.0 to 0.5.2 by @dependabot in #526
- build(deps): bump k8s.io/kubectl from 0.30.9 to 0.30.12 by @dependabot in #532
- build(deps): bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.23.4 by @dependabot in #529
- build(deps): bump k8s.io/apiextensions-apiserver from 0.30.3 to 0.30.12 by @dependabot in #533
- fix: multiaz simplification, fixes, template & e2e tests by @jfbus in #518
- feat(helm): Make the secret to start the deployment mandatory and variabilize secret name by @alistarle in #445
- feat: record event on resource creation by @jfbus in #535
- security groups: delete all sgs eve...
v0.4.0
Release notes for Cluster API Provider Outscale (CAPOSC) v0.4.0
No changes since v0.4.0-rc.2
Changelog since v0.4.0-rc.2
Full Changelog: v0.4.0-rc.2...v0.4.0
The release image is: outscale/cluster-api-outscale-controllers:v0.4.0
Thanks to all our contributors!
v0.4.0-rc.2
Release notes for Cluster API Provider Outscale (CAPOSC) v0.4.0-rc.2
No changes since v0.4.0rc1
Changelog since v0.4.0rc1
Full Changelog: v0.4.0rc1...v0.4.0-rc.2
The release image is: outscale/cluster-api-outscale-controllers:v0.4.0-rc.2
Thanks to all our contributors!
v0.4.0rc1
Release notes for Cluster API Provider Outscale (CAPOSC) v0.4.0rc1
Changelog since v0.3.1
What's Changed
Added
- feat(OscVm): add userdata on nodes for tags usage by @sebglon in #332
- Feat(cluster-api): add watch filter arg by @sebglon in #335
- feat(controller): Add flag to change the default syncPeriod by @gvdhart in #433
- feat/images: add account filter when fetching images by name by @jfbus in #451
- usability/oscmachine: add vm id/type/subregion/state columns to kubectl get by @jfbus in #481
Changed
- Add rke2 bootstrapper in #314
- Update Cilium Link by @outscale-mdr in #320
- Expose PublicIp for Node by @outscale-mdr in #324
- feat(helm): upgrader crds by @sebglon in #328
- feat(build): improve darwin support by @sebglon in #336
- fix boilerplate verification by @outscale-hmi in #340
- Update cluster-api + k8s + controller runtime by @outscale-hmi in #361
- fix: typo on omi by @pierreozoux in #378
- upgrade sdk go by @outscale-hmi in #390
- ensure the deletion of capi resources in githubactions by @outscale-hmi in #389
- Add caching for Trivy vulnerability database to optimize scans by @outscale-hmi in #386
- fix go version in go mod by @outscale-toa in #379
- Setting -mod=readonly ensures go modules are not inadvertently modified during builds or tests. by @outscale-hmi in #401
- Fix helm chart with default values by @alistarle in #407
- fix Kustomize install and upgrade controller-gen by @outscale-hmi in #408
- Fix typos by @arshadkazmi42 in #405
- fix: typo by @pierreozoux in #382
- ci: add golangci-lint by @jfbus in #412
- lint: fixes by @jfbus in #413
- ci: bump versions by @jfbus in #416
- lint: more fixes by @jfbus in #417
- ci: switch omi, vm types & versions to vars, bump versions by @jfbus in #421
- ci: docker + e2e actions fixes/updates by @jfbus in #424
- fix project import path by @jfbus in #420
- Fix Helm deploy by @outscale-mdr in #321
- logs: refactored logs, based on context and not scopes by @jfbus in #422
- refacto: no need for Contains by @jfbus in #436
- lint: XxxScope.Close() should forward context by @jfbus in #439
- deps: bump osc-sdk-go, k8s, x/crypto, x/net, testify by @jfbus in #431
- ci: longer timeouts by @jfbus in #449
- config/helm: set the same resources limits/requests everywhere by @jfbus in #446
- perfs/backoff: no need for 1 week backoff, default is now 1 min by @jfbus in #441
- ci: fix deprecated github action by @jfbus in #452
- validation: more validation, better field paths in errors by @jfbus in #448
- refacto/oscmachinetemplate: set status.capacity from vmspec without waiting for vm by @jfbus in #450
- ci: longer timeouts by @jfbus in #458
- lint: some linter fixes by @jfbus in #460
- ci: use multiple runners by @jfbus in #455
- tests: add new unit test framework by @jfbus in #459
- tests: add more oscmachine unit tests, simplify sg rule check by @jfbus in #465
- refacto/reconcile: cleanup RequeueAfter/errors responses by @jfbus in #437
- ci: remove waits to speed up e2e tests by @jfbus in #472
- errors: better error messages from Outscale API by @jfbus in #474
- ci/e2e: upgrade e2e tests by @jfbus in #473
- logs: remove cluster reconciliation error logs by @jfbus in #478
- logs/oscmachine: remove duplicate error log by @jfbus in #480
- ci: use OKS for tests by @jfbus in #453
- metadata.yaml: add 0.4.0 + updated release doc by @jfbus in #486
- fix: typo in doc by @pierreozoux in #316
- fix: typo in api upgrade doc by @pierreozoux in #317
- doc: improve doc about providerId upgrade by @pierreozoux in #318
- fix example Readme to install talos by @outscale-hmi in #329
- docs: Add example for Cluster API with MetalLB integration by @outscale-hmi in #391
- add an example for eim policy for capi controllers by @outscale-hmi in #394
- Fix eim policy: outscale provider needs this authorization to operate by @pli01 in #410
- doc: updated clusterctl doc by @jfbus in #482
Fixed
- fix(oscMachineTemplate): Nil pointer due to error not managed by @sebglon in #342
- fix(oscmachine): vmstate is nil by @sebglon in #348
- fix(cluster): security group rules reconcile by @sebglon in #347
- fix(natservice): delete resource from status refs by @sebglon in #359
- fix(securityGroup): create group whit flag extraSecurityGroupRule by @sebglon in #352
- fix(bastion): public ip unlink by @sebglon in #356
- fix loadBalancer error not catched by @sebglon in #366
- fix security group rule creation already exist by @sebglon in #368
- Rework reconcileVm and reconcileBastion by @outscale-hmi in #398
- fix/helm: refactor values, fix validation webhook, rbac by @jfbus in #430
- fix: allow tinav7 machine types by @jfbus in #429
- fix: unable to delete oscmachinetemplate by @jfbus in #432
- fix/oscmachine: VMs without keypair cannot be deleted by @jfbus in #440
- fix(helm): Fix watch-filter argument making pods crashing by @alistarle in #443
- refacto: refactored security group delete reconciler by @jfbus in #423
- fix/oscmachine: unable to delete cp vm if vm is not registered in LBU a...
v0.3.1
Release notes for Cluster API Provider Outscale (CAPO) v0.3.1
Changelog since v0.3.0
What's Changed
Documentation
Bug Fixes
- Set custom sg rule by @outscale-vbr in #303
- Can link publicIpName after bastion is created by @outscale-vbr in #308
- fix image capm by @outscale-vbr in #310
- Be able to use cillium by @outscale-vbr in #309
- Check keypair name is the same in vm and keypair section by @outscale-vbr in #313
- Update image by @outscale-vbr in #311
Full Changelog: v0.3.0...v0.3.1
The release image is: outscale/cluster-api-outscale-controllers:v0.3.1
Thanks to all our contributors!