Skip to content

v2.9.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 21 Nov 21:41
· 309 commits to main since this release
v2.9.0
49014e6

Added

  • Auth

    • Support for new AIS config options under configToUpdate.auth.cluster_key for configuring target validation of proxy-signed requests
    • TLS support for operator-to-auth service communication with spec.auth.tls.caCertPath configuration
    • Fallback to default CA bundle path (/etc/ssl/certs/auth-ca/ca.crt) when spec.auth.tls.caCertPath is not configured
    • TLS config caching (6 hour TTL) to minimize disk I/O when loading CA certificates
    • truststore package for CA certificate loading and TLS configuration management
    • TLS certificate verification for the auth service can be disabled via spec.auth.tls.insecureSkipVerify (not recommended for production)
    • Operator mounts ais-operator-auth-ca ConfigMap to /etc/ssl/certs/auth-ca for Auth CA certificates when authCAConfigmapName is specified in the helm chart
    • OIDC issuer CA configuration via spec.issuerCAConfigMap for automatic certificate mounting and auth.oidc.issuer_ca_bundle configuration

  • Autoscaling cluster size can now be limited by spec.proxySpec.autoScale.sizeLimit and spec.targetSpec.autoScale.sizeLimit

Changed

  • Auth
    • TLS configuration only applied for HTTPS URLs; HTTP connections skip
    • Return errors on TLS failures instead of silently falling back to insecure connections
    • Operator uses required audiences from AIStore cluster's spec.configToUpdate.auth.required_claims.aud to request tokens with matching audiences during token exchange
    • Configurable Helm values (authCAConfigmapName and aisCAConfigmapName) for auth service and AIStore custom CA bundle configmaps
  • Fixed a bug where resuming from shutdown state would become stuck on target scale up due to failing API calls
  • Build: mockgen now installed to LOCALBIN with versioned suffix to prevent version mismatches that cause unnecessary diffs in generated mock files
  • Use a common statefulset ready check for better enforcement of proxy rollout before starting target rollout
  • Removed deprecation notice for hostPathPrefix option, with stateStorageClass still recommended for easier host cleanup

Deprecated

  • Defining the location of the admin credentials secret via AIS_AUTHN_CM ConfigMap
    • Use spec.auth.usernamePassword.secretName and spec.auth.usernamePassword.secretNamespace for static secrets
    • Use spec.auth.tokenExchange options for token exchange

Full Changelog: v2.8.0...v2.9.0

Assets 3
Loading