
6.3.1


@svc-osmo-ci released this 22 Jun 18:28 · 84 commits to main since this release · commit ed59b69

Highlights

  • Bulk cancel workflows — Select multiple workflows in the UI list and cancel them with a single confirmed action.
  • Gateway PodMonitors — Envoy and oauth2-proxy now expose Prometheus metrics endpoints for cluster monitoring.
  • Streaming endpoints stop timing out — Workflow log, event, and error-log streams no longer hit the default route timeout mid-stream.
  • Envoy v1.38.1 with header-sanitization refactor — Gateway image upgraded from v1.29.0 and identity-header stripping moved off the Lua filter onto Envoy's native mechanism.
  • OAuth2 callback no longer self-blocks — When oauth2-proxy is enabled, its own callback endpoints bypass the authn metadata filter so login completes.
  • Default role policy merge respects scope — Updates to the shipped default roles append actions only to policies with matching effect and resources, preserving operator-added grants.

Helm Charts

  • Gateway PodMonitors: The service chart now ships PodMonitors for Envoy's admin metrics endpoint and oauth2-proxy's /metrics endpoint when podMonitor.enabled is true and the matching gateway component is deployed. (#1095)
  • Envoy upgrade to v1.38.1: Default gateway.envoy.image bumped from envoyproxy/envoy:v1.29.0. (#1081)
  • Identity header sanitization refactor: Client x-osmo-{user,roles,allowed-pools} headers are now stripped via Envoy's native header sanitization instead of a Lua filter. JWT-only deployments (oauth2-proxy and authz disabled, JWT providers configured) now sanitize client headers as well. Minimal/demo mode (all three auth sources disabled) continues to trust them — see the chart README for the full identity-header trust table. (#1081)
  • HPA-managed deployments skip the replicas field: Gateway Envoy, oauth2-proxy, and authz deployments omit spec.replicas from their manifests, so Helm apply no longer contends with the autoscaler on each reconcile. (#1081)
  • ConfigMap extra annotations: New services.configs.extraAnnotations annotates the generated configs ConfigMap, useful for setting argocd.argoproj.io/sync-options: ServerSideApply=true on large config payloads. (#1081)
  • Streaming API route timeouts: Workflow /logs, /events, and /error_logs routes use timeout: 0s with idle_timeout: 60s so quiet-but-open streams are not cut. Other /api/ and /client/ routes get an explicit 60s timeout, up from Envoy's 15s default. (#1085)
  • OAuth2 control routes skip ext_authz: /signout and /oauth2/ routes disable the external authorization filter so the browser can complete login and logout without authz sidecar calls. (#1085)
  • OAuth2 callback added to authn skip paths: Setting gateway.oauth2Proxy.enabled now adds /oauth2/ and /signout to the authn skip set, so oauth2-proxy callbacks reach the proxy instead of being pre-checked by its own /oauth2/auth endpoint. (#1091)
  • Router affinity cookie defaults to session lifetime: gateway.envoy.routerRoute.cookie.ttl now defaults to 0s (session cookie) instead of 60s. CLI sessions are no longer reassigned to a different router pod after 60 seconds of inactivity. (#1098)
  • Logger upstream uses headless service: The gateway now connects to osmo-logger-headless:8000 so Envoy load-balances directly to pod IPs, avoiding the default 1024-connection circuit breaker that the cluster-IP service was hitting. (#1098)
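The identity-header trust table (#1081) and the oauth2-proxy callback skip paths (#1091) above are both edge decisions the gateway makes from the deployment's auth configuration. The following is an added example, not OSMO's or Envoy's own code: it models those two decisions so an operator can check what a given combination of oauth2-proxy / authz / JWT settings implies. The header names come from the release notes; the `AuthMode` fields, the prefix-vs-exact matching rule for skip paths, and the sample request are assumptions.

```python
"""Gateway-edge trust decisions modelled from the 6.3.1 release notes.

Added example, not project code. Assumptions: an AuthMode with one flag per
auth source, and skip-path entries ending in "/" matching as prefixes while
others match exactly.
"""
from dataclasses import dataclass

# Client-supplied identity headers named in the release notes.
IDENTITY_HEADERS = ("x-osmo-user", "x-osmo-roles", "x-osmo-allowed-pools")


@dataclass(frozen=True)
class AuthMode:
    oauth2_proxy: bool    # gateway.oauth2Proxy.enabled
    authz: bool           # authz sidecar enabled
    jwt_providers: bool   # at least one JWT provider configured

    @property
    def trusts_client_identity(self) -> bool:
        # Only minimal/demo mode (all three sources disabled) keeps trusting
        # identity headers sent by the client; every other mode strips them.
        return not (self.oauth2_proxy or self.authz or self.jwt_providers)


def sanitize_request_headers(headers: dict, mode: AuthMode) -> dict:
    """Return a copy of `headers` with client identity headers removed,
    unless the deployment is in minimal/demo mode."""
    if mode.trusts_client_identity:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HEADERS}


def authn_skip_paths(oauth2_enabled: bool, base=()) -> set:
    """Paths that bypass the authn metadata filter. Enabling oauth2-proxy adds
    its own callback/sign-out paths so login does not get pre-checked by the
    proxy's /oauth2/auth endpoint (the self-block fixed in #1091)."""
    paths = set(base)
    if oauth2_enabled:
        paths.update({"/oauth2/", "/signout"})
    return paths


def requires_authn(path: str, skip_paths: set) -> bool:
    """True when the request path is not covered by the skip set."""
    for entry in skip_paths:
        if entry.endswith("/") and path.startswith(entry):
            return False
        if not entry.endswith("/") and path == entry:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample request: a client trying to assert its own identity.
    sample = {"Host": "osmo.example", "X-Osmo-User": "alice",
              "x-osmo-roles": "osmo-admin", "authorization": "Bearer t"}
    for mode in (AuthMode(True, True, True), AuthMode(False, False, True),
                 AuthMode(False, False, False)):
        print(mode, "->", sorted(sanitize_request_headers(sample, mode)))
    skips = authn_skip_paths(oauth2_enabled=True)
    for p in ("/oauth2/callback", "/signout", "/api/workflows"):
        print(p, "requires authn:", requires_authn(p, skips))
```

The JWT-only case is the one that changed in this release: before #1081 a deployment with oauth2-proxy and authz disabled but JWT providers configured did not strip client headers; the model above treats it like every other non-demo mode.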

Workflow Execution

  • Retry pods recreate generated file secrets: Retrying a pod that mounts file-backed credential secrets now recreates the per-pod Secret alongside the new pod, so the retry no longer fails to mount missing file references. (#1090)

Web UI

  • Bulk cancel workflows: Select multiple rows in the Workflows list and cancel them with one action behind a confirmation dialog. (#1050)

Authorization

  • Default role policy merge by scope: Default-role updates compare and append actions per (effect, resources) scope instead of flattening everything into the first policy of the existing role. Operator-added grants are preserved verbatim, and missing scopes from the shipped default are appended as new policies. (#1072)
  • Default osmo-user role narrowed to default pool: The shipped role now grants read/list actions across all resources and scopes workflow:* to pool/default only. Existing deployments retain their stored policies because the merge is append-only; fresh installs and operators who reseed defaults pick up the narrower scope. (#1072)
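The scope-aware merge in #1072 is easiest to see next to the behaviour it replaced. The block below is an added example, not OSMO's own authorization code: `merge_default_role` appends shipped actions only into the existing policy with the same (effect, resources) scope and adds unmatched scopes as new policies, while `merge_flattened` models the previous behaviour of pushing every default action into the first policy. The policy shape, the action names (`workflow:read`, `pool:list`, `workflow:submit`) and the sample roles are assumptions; `pool/default` and `workflow:*` come from the release notes.

```python
"""Scope-aware merge of a shipped default role into a stored role.

Added example, not project code. Assumed policy shape:
    {"effect": str, "resources": [str, ...], "actions": [str, ...]}
Sample roles below are constructed for illustration.
"""
import copy


def _scope(policy):
    # A policy's scope is its (effect, resources) pair; resources are
    # order-insensitive, so normalise them into a sorted tuple.
    return (policy["effect"], tuple(sorted(policy["resources"])))


def merge_default_role(existing, shipped_default):
    """Append-only merge: shipped actions land in the matching-scope policy,
    scopes the stored role lacks are appended, operator grants are untouched."""
    merged = copy.deepcopy(existing)
    by_scope = {}
    for policy in merged:
        by_scope.setdefault(_scope(policy), policy)
    for default_policy in shipped_default:
        key = _scope(default_policy)
        target = by_scope.get(key)
        if target is None:
            new_policy = copy.deepcopy(default_policy)
            merged.append(new_policy)
            by_scope[key] = new_policy
            continue
        for action in default_policy["actions"]:
            if action not in target["actions"]:
                target["actions"].append(action)
    return merged


def merge_flattened(existing, shipped_default):
    """Model of the pre-#1072 behaviour: every shipped action is appended to
    the first existing policy regardless of its scope."""
    merged = copy.deepcopy(existing)
    if not merged:
        return copy.deepcopy(shipped_default)
    first = merged[0]
    for default_policy in shipped_default:
        for action in default_policy["actions"]:
            if action not in first["actions"]:
                first["actions"].append(action)
    return merged


# Constructed: an osmo-user role as stored by an older deployment, with an
# operator-added submit grant on a team pool.
EXISTING_OSMO_USER = [
    {"effect": "allow", "resources": ["*"],
     "actions": ["workflow:read", "workflow:list", "pool:read"]},
    {"effect": "allow", "resources": ["pool/team-a"],
     "actions": ["workflow:submit"]},
]

# Constructed: the narrowed shipped default (read/list everywhere,
# workflow:* only on pool/default).
SHIPPED_OSMO_USER = [
    {"effect": "allow", "resources": ["*"],
     "actions": ["workflow:read", "workflow:list", "pool:read", "pool:list"]},
    {"effect": "allow", "resources": ["pool/default"],
     "actions": ["workflow:*"]},
]


if __name__ == "__main__":
    for policy in merge_default_role(EXISTING_OSMO_USER, SHIPPED_OSMO_USER):
        print("scoped  :", policy)
    for policy in merge_flattened(EXISTING_OSMO_USER, SHIPPED_OSMO_USER):
        print("flattened:", policy)
```

The flattened variant shows why the change matters: with the narrowed default, `workflow:*` ends up on the `*` resource policy instead of on `pool/default`, which is a wider grant than either the stored role or the shipped default expresses. The scoped merge is also idempotent, so reseeding defaults on an already-merged role changes nothing.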

Getting OSMO

Helm Charts and Containers

Helm charts and container images are available on NGC.

CLI Client

Installers for the CLI client for macOS (Apple Silicon), x86-64 Linux, and ARM64 Linux are attached as assets to this release.