v0.3.0

@achetronic released this 15 Jun 19:23

If you ran an earlier version, this one is much steadier under failure: reboots, restarts, scale-downs and bad input no longer leave things wedged.

Added

  • PortBinding now reports readiness honestly. Ready only turns true once the binding is actually live on the edge, not just queued.
  • New --leader-elect-namespace flag, so you can run the manager outside the cluster (for example with make run).
  • spec.uplink.namespace is now immutable, so changing it can't leave resources stranded.

Fixed: control plane

  • The EdgeNode no longer reconciles itself in a loop, so it stops hammering the VPS over SSH.
  • Applied bindings are recorded as soon as enrollment succeeds, so a later hiccup can't leave a binding stuck as "not applied".
  • The manager skips status writes when nothing changed.
  • Uplink resources owned by another EdgeNode are left alone instead of being deleted.
  • Reconcile concurrency is bounded, and inputs are checked more strictly.

Fixed: data path (VPS)

  • A healthy uplink no longer gets dropped by its own health check. Each check now uses a fresh connection, which fixes spurious failures that could reset live traffic.
  • The generated Envoy config is now valid in all cases (proxy-protocol health checks, durations, TLS passthrough).
  • The tunnel survives a VPS reboot: WireGuard comes back before Envoy starts.
  • The uplink drains cleanly on shutdown, so rolling updates don't drop in-flight connections.
  • A pod only reports ready once WireGuard and nftables are actually applied and the handshake is fresh.
  • The first apply retries on failure instead of leaving a pod stuck not-ready.
  • Stale routes are cleaned up when you scale uplinks down.
  • A dead SSH connection can no longer freeze a worker.
  • The same port can be used for TCP and UDP at once.
  • VPS state now lives in /etc/tunnel (renamed from /etc/tunnel-operator).

Fixed: security

  • SSH host-key checking now verifies the key against the right host, not just any host in the file.
  • The Envoy version is validated before it ever reaches a shell command.
  • VPS binaries are called by absolute path.
  • The Envoy admin address follows your tunnel network, so a custom network no longer breaks enrollment.
  • uplink.replicas is capped to avoid a denial-of-service through key generation.
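
The host-key fix in the first item above, sketched as an added example (this is not the project's code): a check that accepts a key found anywhere in known_hosts, next to one that accepts it only on an entry naming the host being dialed. The function names, hosts and key blobs are constructed placeholders, and the sketch assumes plain (unhashed) host entries without [host]:port forms.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed known_hosts sample: placeholder blobs, not real SSH keys.
// "QUFBQQ==" decodes to "AAAA" and "QkJCQg==" decodes to "BBBB".
const knownHostsSample = `vps-a.example.net ssh-ed25519 QUFBQQ==
vps-b.example.net,203.0.113.7 ssh-ed25519 QkJCQg==
`

// keyInFile is the weak check: the key is accepted if ANY entry carries it.
func keyInFile(knownHosts string, key []byte) bool { return match(knownHosts, "", key, true) }

// hostKeyTrusted accepts the key only on an entry that names host.
func hostKeyTrusted(knownHosts, host string, key []byte) bool { return match(knownHosts, host, key, false) }

// match scans "hosts keytype base64key" lines; anyHost disables the host comparison.
func match(knownHosts, host string, key []byte, anyHost bool) bool {
	for _, line := range strings.Split(knownHosts, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || strings.HasPrefix(f[0], "#") || strings.HasPrefix(f[0], "@") {
			continue // blank, comment, or @marker line (markers are skipped, not interpreted)
		}
		entryKey, err := base64.StdEncoding.DecodeString(f[2])
		if err != nil || !bytes.Equal(entryKey, key) {
			continue // undecodable entry or a different key
		}
		if anyHost {
			return true
		}
		for _, name := range strings.Split(f[0], ",") {
			if name == host {
				return true
			}
		}
	}
	return false
}

func main() {
	keyA := []byte("AAAA") // the key vps-a is pinned to in the sample
	fmt.Println(keyInFile(knownHostsSample, keyA))                           // true
	fmt.Println(hostKeyTrusted(knownHostsSample, "vps-b.example.net", keyA)) // false
}
```

With the weak check, a key pinned for vps-a would also be accepted when connecting to vps-b; the host-bound check rejects it.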

Testing

  • Rendered Envoy config is now checked against a real Envoy in CI (make test), catching problems that plain-text comparisons miss.

Docs

  • Refreshed the guides, the manager flags table in the README, and code comments.

Upgrade note

The VPS state directory was renamed from /etc/tunnel-operator to /etc/tunnel. There's no migration: an already-enrolled VPS simply re-enrolls itself cleanly on the next reconcile.