v0.7.0
🎉 Acorn v0.7.0 is available with many new features and improvements! 🎉
New Features
Services and nested acorns - Service acorns open up a world of external cloud integrations to your applications. Nested acorns let you build acorns of acorns for incredibly complex micro-service based applications. Check out our blog for demos and examples.
Security Enhancements - We've implemented project-level network isolation, which is on by default. We've also introduced alpha support for image signature policies, which we're calling ImageAllowRules. These features help you secure your software pipeline as well as your runtime.
Development and Debugging Enhancements - We've introduced the acorn dev and acorn port-forward commands. We've revamped the acorn run and update commands to be more intuitive and consistent. We've also introduced acorn events to surface useful information about what is happening with your applications. Try them out in the CLI!
Known Issues and Considerations
Attention: With this release, the domain used to create endpoints when you launch an acorn app is changing from alpha.on-acorn.io to oss-acorn.io. Additionally, alpha.on-acorn.io endpoints will be retired in the near future.
The --default-publish-mode installation flag has been removed.
There are a few known issues related to service acorns and nested acorns. Of note, locally built images do not work as service or nested acorns. You must first publish the image to a remote registry such as ghcr.io or Docker Hub.
What's Changed
- Add docs for v0.6 by @thedadams in #1295
- Tell goreleaser to use correct tag by @thedadams in #1306
- Add controlplane taints and node selector to acorn system components (#1231) by @StrongMonkey in #1230
- Remove linkerd containers from acorn logs output by @g-linville in #1281
- ensure service-accounts are applied before deployments by @jsilverio22 in #1315
- add workflow for promoting to prod by @jsilverio22 in #1322
- Change to HTTP readiness probe for build-server (#1323) by @thedadams in #1324
- Ensure ComputeClasses and Apps created for ComputeClass tests are deleted before next test by @tylerslaton in #1312
- Add two approval requirement to PR template checklist by @g-linville in #1318
- add check to project default to ensure it exists (#1335) by @jsilverio22 in #1336
- Add fmt by @ibuildthecloud in #1338
- Create network policies to block cross-project traffic (#456) by @g-linville in #1330
- add check for project agnostic cmd for default project validation (#1335) by @jsilverio22 in #1342
- Revert default project validation (#1335) by @jsilverio22 in #1343
- Revert networkpolicies by @g-linville in #1345
- Create allow-all-ingress NetPol for each app and clean up all other NetPols created by Acorn by @g-linville in #1348
- Lay foundation for nested acorns and first class services by @ibuildthecloud in #1290
- Fix panic when no ports are set by @ibuildthecloud in #1349
- Handle unset port in http expose/publish by @ibuildthecloud in #1350
- Improve nightly test visibility on failures by @tylerslaton in #1346
- Aggregate all validation needed into "make validate" by @tylerslaton in #1271
- Print username on successful login attempt by @njhale in #1351
- Fix port publishing bugs from refactor by @ibuildthecloud in #1354
- update renovate config to add labels and add renovate.json validator by @jacobdonenfeld in #1333
- Fix VolumeClass GVK reported by clients (#1355) by @thedadams in #1356
- Add missing toleration for router deployments by @StrongMonkey in #1316
- add faq on increasing dockerhub rate limits (#1334) by @jsilverio22 in #1337
- Don't expose ports in test by @ibuildthecloud in #1361
- Add back build profiles by @ibuildthecloud in #1365
- Cache golang setup and change fetch depth to speed up CI by @jacobdonenfeld in #1321
- Fix publishing builders by @ibuildthecloud in #1368
- Don't use local.on-acorn.io when acorn-dns disabled (#1370) by @cjellick in #1371
- Fix sidecar container exec (#1216) by @rmodpur in #1317
- Add ability to interpolate any file content or env value by @ibuildthecloud in #1373
- Add comments explaining the need for defaults.Calculate and scheduling.Calculate by @tylerslaton in #1374
- Rewrite secret lookup logic by @ibuildthecloud in #1378
- Add json/yaml output support for volume classes (#1339) by @thedadams in #1382
- Add region to project spec by @thedadams in #1314
- Add back support for app.image and app.namespace by @ibuildthecloud in #1385
- Create containing dirs for EKS test artifacts to live in by @tylerslaton in #1360
- Decrypt secrets from external secret references by @ibuildthecloud in #1386
- Add ability to lookup service info in interpolation by @ibuildthecloud in #1387
- Upgrade to go 1.20 by @ibuildthecloud in #1376
- Ensure list types are correct for all public objects (#1383) by @thedadams in #1384
- Ensure calculated default set on project (#1388) by @thedadams in #1389
- Upgrade gomock by @cjellick in #1391
- If cert-manager annotations are set always use that tls by @ibuildthecloud in #1393
- Add goimports to lint check by @cjellick in #1395
- Replacing docker images with ghcr images (#1022) by @yashgiri in #1390
- disable cache for setup go action by @jacobdonenfeld in #1404
- Redesign NetworkPolicies (#456) by @g-linville in #1352
- add imageallowrules to require annotated image signatures (#502) by @iwilltry42 in #1240
- Address erroneous kinds (#1383) by @thedadams in #1406
- Redesign Region API and add regioned objects by @thedadams in #1405
- Enforce linting of leading and trailing whitespace in blocks by @thedadams in #1407
- change: rename ImageAllowRules to singular to avoid issues with pluralization in Kubernetes by @iwilltry42 in #1413
- add volume aliases (#1227) by @jacobdonenfeld in #1359
- Display correct field for volume class on volume (#1418) by @thedadams in #1419
- Add --service-lb-annotation flag to install command by @tylerslaton in #1417
- fix: signature verification registry authentication and rate limits (#1412 & #1414) by @iwilltry42 in #1416
- NetworkPolicies: Handle case where an Ingress routes to an ExternalName Service (#456) by @g-linville in #1408
- refactor cli/run_test.go to use gomock by @jacobdonenfeld in #1422
- Ensure app services are cleaned up after app is deleted (#1423) by @thedadams in #1424
- Get volume class information from bound existing volume (#1420) by @thedadams in #1421
- fix: make sure that ingress-check resources get deleted (#1430) by @iwilltry42 in #1431
- Disable NetworkPolicies for the nightly EKS test by @g-linville in #1432
- add project validation to project client (#1335) by @jsilverio22 in #1344
- Remove project placements by @thedadams in #1415
- Update alpine image that wasn't using the mirror by @tylerslaton in #1438
- Ensure default volume class region is validated (#1435) by @thedadams in #1437
- Fix faulty merging and update tests for Config by @tylerslaton in #1436
- add acorn dev and refactor acorn run/update (#1059) by @jsilverio22 in #1369
- fix: custom Digest() func to error out on HEAD 404 (#1414) by @iwilltry42 in #1441
- Add the volume class name to the invalid error message (#1435) by @thedadams in #1442
- fix faq to allow docker credentials to be used for acorn cmds (#1334) by @jsilverio22 in #1429
- Fix typo in regions implementation by @thedadams in #1447
- fix: enable referencing images by repo digest/SHA256 (#1320) by @iwilltry42 in #1327
- fix: match transport error to catch 404 on HEAD to get digests (#1414) by @iwilltry42 in #1449
- change: add appnamespace label to LE challenge resources (#1434) by @iwilltry42 in #1440
- fix acorn run --update behavior to allow --name flag (#1444 #1457) by @jsilverio22 in #1445
- Handle issues when stdin is closed on exec start by @ibuildthecloud in #1453
- Changes to prevent pull every upgrade interval for private images (#1398) by @yashgiri in #1433
- First class services by @ibuildthecloud in #1463
- fix: default to :latest for non-SHA-like image inputs (#1450) by @iwilltry42 in #1452
- Ensure app is removed before deleting other objects by @thedadams in #1461
- change: also check imageAllowRules for auto-upgrade without pattern (#1428) by @iwilltry42 in #1451
- fix autoupgrade acorns from losing autoupgrade image format on updates (#1456) by @jsilverio22 in #1462
- Add check to make sure NetPols are for real Acorn apps by @g-linville in #1471
- add regions to project output (#1460) by @jsilverio22 in #1465
- Fix permissions openapi schema by @ibuildthecloud in #1481
- Handle edge-cases around auto-upgrade patterns (#1377) by @thedadams in #1480
- fix: only consider current image when checking appinstance against imageAllowRules (#1428) by @iwilltry42 in #1476
- Fix missing digest on @{app.image} by @ibuildthecloud in #1483
- Refactor acornfile and image handling by @ibuildthecloud in #1484
- Add regions to offerings CLI output by @thedadams in #1477
- fix: leftover trimPrefix on digest was breaking imageAllowRules check (#1482) by @iwilltry42 in #1485
- Only add default toleration when it is empty by @StrongMonkey in #1489
- Support old clusterRules syntax in aml and k8s yaml by @ibuildthecloud in #1495
- remove nightly staging upgrade by @jsilverio22 in #1494
- Prefer remote digest for autoupgrade by @cjellick in #1492
- Create local image records for images used by acorns by @ibuildthecloud in #1491
- Fix service image reference by @ibuildthecloud in #1500
- Add functionality to observe changes in ImageDigests by @tylerslaton in #1498
- Move NetworkPolicy handlers to their own package by @g-linville in #1501
- Update go.mod to 1.20 by @tylerslaton in #1497
- Add back appImage.ID field by @ibuildthecloud in #1505
- refactor go routine for project region output (#1479) by @jsilverio22 in #1506
- Temporarily blank app image name if id is blank by @thedadams in #1507
- Revert "Temporarily blank app image name if id is blank" by @thedadams in #1508
- refactor acorn project routine (#1479) by @jsilverio22 in #1509
- Change app validation to use apiv1 types by @thedadams in #1510
- Remove a space for uniformity by @thedadams in #1516
- Add ability to manage AWS IAM permissions by @ibuildthecloud in #1515
- Add controller-service-account-annotation to installation by @ibuildthecloud in #1519
- Add HasRegion methods to all EnsureRegion objects by @thedadams in #1521
- Must use StringEquals for exact matches by @ibuildthecloud in #1520
- Ensure we return all permissions needed, not just the missing ones by @ibuildthecloud in #1522
- Make the api App object a region getter by @thedadams in #1523
- Update aml by @ibuildthecloud in #1524
- Fix goreleaser version to v1.15.2 by @thedadams in #1525
- Use Go's built-in DNS resolver to avoid DNS issues when building Acorns by @g-linville in #1518
- Revert "Use Go's built-in DNS resolver to avoid DNS issues when building Acorns" by @cjellick in #1526
- Fix typos by @jacobdonenfeld in #1528
- fix: handling untagged images when tagging and removing (#1511 + #1512) by @iwilltry42 in #1513
- Linked services: add label to resulting ExternalName Service by @g-linville in #1529
- Prevent users from logging in to 'gchr.io' (#1375) by @g-linville in #1530
- Goreleaser: use separate tags field for netgo by @g-linville in #1527
- Update mink to latest by @g-linville in #1537
- create and update a projects default and supported regions (#1478) by @jsilverio22 in #1488
- Move region to spec of container replicas and volumes by @thedadams in #1539
- Add -tags netgo to Makefile build target by @g-linville in #1543
- fix TestProjectUpdate on eks (#1478) by @jsilverio22 in #1544
- Revert "remove nightly staging upgraded" by @jsilverio22 in #1547
- add watch client to TestProjectUpdate for eks by @jsilverio22 in #1552
- retry for eks test by @jsilverio22 in #1553
- remove project validation checks from client (#1212 #1069) by @jsilverio22 in #1558
- make compute class errors more user friendly (#1291) by @jsilverio22 in #1565
- Service fixes by @ibuildthecloud in #1541
- Refactor info to support multiple regions by @thedadams in #1567
- Print extra data field in info by @thedadams in #1570
- simplify acorn run --help and add --help-advanced (#1358) by @jsilverio22 in #1455
- Change container name to match app public name by @ibuildthecloud in #1572
- Add acorn port-forward by @ibuildthecloud in #1574
- Block EC2 metadata access for all apps by @g-linville in #1568
- Create NetworkPolicies for builders by @g-linville in #1554
- Add missing endpoints permission for the acorn controller by @ibuildthecloud in #1576
- Initial work for hub on hub feature set by @ibuildthecloud in #1582
- Fix app and project region validation (#1542) by @thedadams in #1581
- Adding acorn version as command (#1569) by @imrajdas in #1591
- Determine app readiness based on deployment spec.Replicas rather than status.Replicas by @g-linville in #1589
- change: restructure and re-use image finding logic to make image rm output more concise (#1556 & #1551) by @iwilltry42 in #1593
- Disallow removing a supported region if a volume exists in that region by @thedadams in #1606
- Drop arm32v7 support by @cjellick in #1611
- Don't run validate-docs workflow all the time by @cjellick in #1613
- Block login to ghrc by @cjellick in #1560
- Add test summaries for test runs by @tylerslaton in #1612
- Make app.namespace point to app.Status.Namespace by @ibuildthecloud in #1620
- chore: update defaults to use oss-dns.acrn.io and .oss-acorn.io domains by @drpebcak in #1619
- Add basic acorn events subcommand (#1562) by @njhale in #1604
- Only build test summary when tests run by @tylerslaton in #1624
- fix: reprovision wildcard certificates on cluster domain change (#1625) by @iwilltry42 in #1626
- Add quota management system by @tylerslaton in #1566
- Add job events by @ibuildthecloud in #1637
- Make public name labels safe for k8s by @g-linville in #1644
- Update README.md: change copyright date to 2023 by @sheng-liang in #1648
- Stop checking status for jobs that won't run (#1646) by @thedadams in #1647
- Disable nightly staging upgrade by @cjellick in #1650
- Add events to view role by @njhale in #1651
- Ensure create jobs are only run once (#1642) by @thedadams in #1654
- Add dev ports and app locking by @ibuildthecloud in #1614
- Check permission on devsession update by @ibuildthecloud in #1659
- Make service default a bit more explicit by @ibuildthecloud in #1660
- Revert "Make service default a bit more explicit" by @thedadams in #1661
- Get Project before modifying it in Quota test by @tylerslaton in #1641
- Deterministically set default service base on acornfile definition by @ibuildthecloud in #1663
- Fix volume binding name bug (#1561) by @g-linville in #1615
- Enable nightly staging upgrade by @cjellick in #1667
- Refactor App Status by @ibuildthecloud in #1668
- Fix job depends out of order by @ibuildthecloud in #1669
- Add missing space in messages by @ibuildthecloud in #1670
- change: appname must be DNS-1035 compliant (no leading numeric char) (#1590) by @iwilltry42 in #1671
- Fix nightly EKS failures by @tylerslaton in #1674
- Fix nightly EKS tests and up test-summary action's version by @tylerslaton in #1676
- Add remotes to VCS info (#1622) by @njhale in #1640
- fix: retrieve logs for sidecars (: notation in cli) (#1597) by @iwilltry42 in #1673
- Prioritize remote images for auto-upgrade (#1496) by @g-linville in #1653
- change: feature flags for image-allow-rules + secure-by-default policy (#1549) by @iwilltry42 in #1571
- Explicitly callout dev profiles being used in dev mode by @tylerslaton in #1486
- Change behavior of update jobs and add stop jobs (#1656) by @thedadams in #1664
- Stop using public names for Acorn Volumes (#1561) by @g-linville in #1677
- Determine container port uniqueness based on targetPort rather than port (#1402) by @g-linville in #1681
- Debug logs for hub client by @cjellick in #1686
- Fixes for app status reporting (#1675) by @thedadams in #1680
- Bump ggcr to v0.15.2 by @njhale in #1580
- fix: make IARs without signature rules work again (#1678) by @iwilltry42 in #1683
- Fix collectPorts by detecting duplicate ports and targetPorts (#1402) by @g-linville in #1685
- Allow stop job events (#1688) by @thedadams in #1699
- Reset statuses to ensure dependencies are handled correctly (#1657) by @thedadams in #1696
- Initial docs for services by @cloudnautique in #1602
- Give event timestamps microsecond precision (#1694) by @njhale in #1701
- Downgrade ggcr to prevent regression in downstream acorn dependents by @njhale in #1702
- Disable pruning for endpoints on the rendering handler for ServiceInstances by @g-linville in #1700
- fix: use remote images by short ID (#1563) by @iwilltry42 in #1682
- fix: ImageAllowRules to allow images by ID or build (#1684) by @iwilltry42 in #1692
- Revert "fix: resolvelocal should always return full ID if image is found (#1682)" by @cjellick in #1705
- Fix event table timestamp formatting and name generation (#1694) by @njhale in #1703
- Correctly report status for Acorn services that don't have k8s services (#1689) by @thedadams in #1697
- Clean up output of help messages for acorn run and update commands (#1358) by @g-linville in #1687
- Properly set auto-upgrade config for nested Acorns (#1598) by @g-linville in #1723
- Bump baaah dependency for alternate no-prune strategy by @thedadams in #1722
- Return a more useful error if the user tries to update a dependent acorn (#1710) by @g-linville in #1711
- Stop processing tags on app creation (#1502) by @thedadams in #1714
- Don't record "null" AppSpecUpdate events by @njhale in #1727
- Create separate UpdateArgs struct in order to remove --name from the update command by @g-linville in #1716
- Add TTL for Events (#1708) by @njhale in #1719
- Add name validation to acorn update --pull to block nested acorns by @g-linville in #1725
- Support auto-upgrade patterns in nested acorns by @g-linville in #1729
- Add a unit test for nested acorn by @g-linville in #1724
- fix: resolvelocal should always return full ID if image is found (#1563) by @iwilltry42 in #1718
- Ensure that a built image is properly marked as not remote (#1662) by @thedadams in #1721
- fix/regression: use user-defined ingressclassname during pre-install checks (#1665) by @iwilltry42 in #1730
- Don't process app image unless image digest changes (#1502) by @thedadams in #1732
- add: basic docs on alpha feature imageallowrules by @iwilltry42 in #1737
- Generate 0.7.0 docs by @njhale in #1734
New Contributors
- @njhale made their first contribution in #1351
- @rmodpur made their first contribution in #1317
- @yashgiri made their first contribution in #1390
- @imrajdas made their first contribution in #1591
- @drpebcak made their first contribution in #1619
Full Changelog: v0.6.0...v0.7.0