v0.2.0

@achetronic achetronic released this 11 Jun 21:55
4982f9a

What's new

  • Edge TLS certificates now rotate without downtime. When a certificate is renewed (for example by cert-manager), the operator updates Envoy on the VPS in place, with no dropped connections and no restart. Previously a renewed certificate was copied to the VPS but Envoy kept serving the old one until it expired, which could take a TLS listener down. If you use TLS offload or mutual mode, you no longer need to do anything on renewal.

Fixes

  • PortBindings no longer leak across namespaces. If you had two EdgeNodes with the same name in different namespaces, a PortBinding could be applied to the wrong one. Bindings are now matched by both name and namespace.
  • Private keys are cleaned up when you remove a TLS binding. Deleting a TLS PortBinding (or switching it away from offload/mutual) now removes its certificate and key from the VPS, instead of leaving them on disk until the node is deleted.

Upgrade notes

  • No configuration or CRD changes are required. After upgrading, EdgeNodes reconcile and move existing TLS bindings to the new mechanism automatically. Old certificate files left on the VPS by previous versions are cleaned up on the next reconcile.