
v1.1.0

@turkenf turkenf released this 15 Feb 19:12
069ec0a

The v1.1.0 release introduces a new family provider, new resources, important bug fixes, dependency updates, and a new ProviderConfig API for WebIdentity authentication.

Support for New Resources

  • StackSetInstance.cloudformation.aws.upbound.io/v1beta1
  • AccessPolicy.opensearchserverless.aws.upbound.io/v1beta1
  • Collection.opensearchserverless.aws.upbound.io/v1beta1
  • LifecyclePolicy.opensearchserverless.aws.upbound.io/v1beta1
  • SecurityConfig.opensearchserverless.aws.upbound.io/v1beta1
  • SecurityPolicy.opensearchserverless.aws.upbound.io/v1beta1
  • VPCEndpoint.opensearchserverless.aws.upbound.io/v1beta1

Bug Fixes

We also have several bug fixes with this release:

  • [Bug]: Secret never Sync #1128
  • [Bug]: Can't install provider-aws 1.0.0 on crossplane versions before 1.14 #1147
  • There is also a fix in the implementation of the LateInitialize management policy under the no-fork architecture. Previously, we relied solely on the managed reconciler to prevent late-initialization of managed resources whose management policies do not include LateInitialize. Now upjet also explicitly skips late-initialization, which prevents accidental updates to spec.forProvider while, for example, only the annotations are being updated.

New API for WebIdentity authentication support in ProviderConfig

It is now possible to specify the WebIdentity token to be used in a ProviderConfig. Previously, this was only possible via environment variables on the provider pod, so every ProviderConfig in the cluster had to share the same token.

The ProviderConfig API is extended with spec.credentials.webIdentity.tokenConfig, which selects the token used for WebIdentity authentication.
The token can be read from a Kubernetes Secret or from a file in the provider pod's filesystem.

  • Each ProviderConfig using WebIdentity authentication can now reference its own token, allowing multiple WebIdentity configurations in a single cluster.

  • ℹ️ The change is backward compatible for consumers relying on the old behavior, where both the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables are set. When spec.credentials.webIdentity.tokenConfig is not specified, the old behavior is assumed.

  • ⚠️ Deprecation Notice: Configuring the WebIdentity authentication using the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables is now deprecated in favor of the new spec.credentials.webIdentity.tokenConfig API.

An example WebIdentity token configuration where the token is read from a Kubernetes secret is as follows:

apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: webidentity-example
spec:
  credentials:
    source: WebIdentity
    webIdentity:
      roleARN: arn:aws:iam::123456789012:role/providerexamplerole
      tokenConfig:
        source: Secret
        secretRef:
          key: token
          name: example-web-identity-token-secret
          namespace: upbound-system

Another example using a filesystem location is as follows:

apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: webidentity-example
spec:
  credentials:
    source: WebIdentity
    webIdentity:
      roleARN: arn:aws:iam::123456789012:role/providerexamplerole
      tokenConfig:
        source: Filesystem
        fs:
          path: /path/to/token/file

Please note that the Filesystem source option needs the token to be mounted as a file in the filesystem of the provider pod, e.g., via a DeploymentRuntimeConfig.

With either source, the token is scoped to the ProviderConfig that references it rather than to the provider pod's environment, which is what allows different ProviderConfigs to present different tokens.
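The following is an added example, not taken from this release or the provider's own documentation, showing the Filesystem variant wired end to end: a DeploymentRuntimeConfig that projects a short-lived, audience-bound service account token into the provider pod, a Provider that references that runtime config, and a ProviderConfig that reads the token from the mounted path. The object names (aws-web-identity, provider-aws-ec2), the package reference, the mount path /var/run/secrets/aws and the role ARN are placeholders chosen for the example; the projected serviceAccountToken volume and the package-runtime container name are the standard Kubernetes and Crossplane fields.

```yaml
# Added example: projects a service account token into the provider pod so the
# ProviderConfig below can use tokenConfig.source: Filesystem.
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: aws-web-identity            # placeholder name
spec:
  deploymentTemplate:
    spec:
      selector: {}
      template:
        spec:
          containers:
            - name: package-runtime   # Crossplane's name for the provider container
              volumeMounts:
                - name: aws-token
                  mountPath: /var/run/secrets/aws   # placeholder mount path
                  readOnly: true
          volumes:
            - name: aws-token
              projected:
                sources:
                  - serviceAccountToken:
                      audience: sts.amazonaws.com   # must match the IAM OIDC provider's client ID
                      expirationSeconds: 3600       # kubelet rotates the file before expiry
                      path: token                   # file becomes /var/run/secrets/aws/token
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-ec2             # placeholder name
spec:
  package: xpkg.upbound.io/upbound/provider-aws-ec2:v1.1.0   # assumed package reference
  runtimeConfigRef:
    name: aws-web-identity
---
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: webidentity-projected
spec:
  credentials:
    source: WebIdentity
    webIdentity:
      roleARN: arn:aws:iam::123456789012:role/providerexamplerole   # placeholder role
      tokenConfig:
        source: Filesystem
        fs:
          path: /var/run/secrets/aws/token
```

For the assumed role to accept this token, the cluster's OIDC issuer must be registered in IAM as an OIDC identity provider whose client ID matches the audience above, and the role's trust policy must allow sts:AssumeRoleWithWebIdentity from that provider, ideally conditioned on the provider's service account subject. The projected volume is the reason to prefer the Filesystem source for cluster-issued tokens: the kubelet refreshes the file, whereas a token copied into a Secret for the Secret source is a static snapshot that will stop working once it expires unless something else rotates it.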

Changes in conversion Webhook TLS Certificate & Key Configuration

This release implements the following lookup order for the conversion Webhook TLS certificate and key directory:

  • If the --certs-dir command-line option is supplied, it is used.
  • Otherwise, the following environment variables are consulted in the given order: CERTS_DIR (kept for backwards compatibility), TLS_SERVER_CERTS_DIR (the new environment variable, which has replaced WEBHOOK_TLS_CERT_DIR in Crossplane), and WEBHOOK_TLS_CERT_DIR (kept for backwards compatibility).

This change in the configuration API is backwards-compatible.

What's Changed

  • complete example for securitygrouprule with self=null by @mbbush in #1072
  • Update kubernetes patches to v0.29.1 by @renovate in #1094
  • Update actions/upload-artifact digest to 5d5d22a by @renovate in #1125
  • Add aws_cloudformation_stack_set_instance resource by @sergenyalcin in #1129
  • Update alpine Docker tag to v3.19.1 by @renovate in #1127
  • Update dependency kubernetes-sigs/kind to v0.21.0 by @renovate in #1143
  • Function type config.ConfigurationInjector now returns an error by @ulucinar in #1150
  • fix Secret/secretmanager.aws custom diff logic when replica config is empty by @erhancagirici in #1144
  • Honour the WEBHOOK_TLS_CERT_DIR env. variable for finding the Webhook TLS certificate by @ulucinar in #1157
  • Add opensearch serverless group resources to v1beta1 by @turkenf in #1130
  • add web identity token configuration to ProviderConfig spec by @erhancagirici in #1148
  • Bump crossplane-runtime to commit 7fcb8c5cad6f by @ulucinar in #1159

Full Changelog: v1.0.0...v1.1.0