Releases: operator-framework/operator-sdk
v1.40.0
Additions
- (go/v4) For Go-based operators, a devcontainer is now available to allow users to develop and test the operator in a local environment and leverage solutions such as VS Code Remote Containers and GitHub Codespaces to have a consistent development environment. (#6928)
- (go/v4) For Go-based operators, new GitHub Actions are available to ensure better quality of their code. (#6928)
- (go/v4) For Go-based operators, controllers now use `.Named("<Kind>")` in `SetupWithManager` to prevent naming conflicts in multi-group projects. (More info). (#6928)
- (go/v4) For Go-based operators, a new Makefile target named `lint-config` has been added to verify that your `.golangci.yaml` configuration file is valid. This helps catch issues early when customizing lint rules. (More info). (#6928)
- For ALL-based operators, scaffolded resources now include the `app.kubernetes.io/name` label to support Kubernetes best practices for app identification. (More info). (#6928)
- For ALL-based operators, new role manifests are now scaffolded under the `config/rbac/` directory to assist cluster administrators. For each API defined in the project, three role files are generated: `<kind>_admin_role.yaml`, `<kind>_editor_role.yaml`, and `<kind>_viewer_role.yaml`.
  These roles are not applied by default. Instead, they are provided as helpers, allowing cluster administrators to customize and apply appropriate permissions as needed.
  The primary motivation for scaffolding these roles is to simplify integration with Kubernetes' aggregated roles mechanism. By including annotations such as `rbac.authorization.k8s.io/aggregate-to-admin: "true"`, `rbac.authorization.k8s.io/aggregate-to-edit: "true"`, and `rbac.authorization.k8s.io/aggregate-to-view: "true"`, these role definitions can automatically contribute permissions to the default admin, edit, and view roles in a cluster when applied.
  For more information on Kubernetes RBAC and aggregated roles, see: https://kubernetes.io/docs/reference/access-authn-authz/rbac/. (#6928)
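What opting a helper role into aggregation looks like, as an added example that is not the project's scaffolded output. The built-in `view` and `edit` ClusterRoles select contributing roles by label, so the `aggregate-to-*` keys are set under `metadata.labels` here; the `cache.example.com` group, the `memcacheds` resource and the role names are hypothetical.

```yaml
# Added example; API group, resource and role names are hypothetical.
# Aggregation only applies to ClusterRoles, and the default roles'
# aggregationRule matches on labels, so the keys live under metadata.labels.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: memcached-viewer-role
  labels:
    app.kubernetes.io/name: memcached-operator
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
# Read-only access to the custom resource and its status.
- apiGroups: ["cache.example.com"]
  resources: ["memcacheds"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["cache.example.com"]
  resources: ["memcacheds/status"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: memcached-editor-role
  labels:
    app.kubernetes.io/name: memcached-operator
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
# Write access to the resource; status stays read-only for users because
# the controller is the component that should own it.
- apiGroups: ["cache.example.com"]
  resources: ["memcacheds"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["cache.example.com"]
  resources: ["memcacheds/status"]
  verbs: ["get"]
```

Once applied, every subject already bound to the built-in `view` or `edit` role in any namespace gains these verbs on the custom resource, so review the verb lists before labelling a role for aggregation.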
Changes
- The bundle build target now respects the CONTAINER_TOOL variable, allowing users to use alternative container tools like podman instead of docker. (#6932)
- For All-based Operators, upgrade OPM from version `v1.23.0` to `v1.55.0`, which includes several bug fixes and improvements. For further information, see: https://github.com/operator-framework/operator-registry/releases. (#6953)
- (go/v4) For Go-based Operators, the `main.go` file has been enhanced to support real TLS certificates for both webhooks and the metrics server, with automated certificate rotation via cert-manager. This change improves security and aligns with production-grade best practices.
  Previously, setups relied on kube-rbac-proxy (deprecated in Operator SDK and Kubebuilder, see: kubebuilder/discussions/3907), which generated TLS certificates dynamically, a method no longer recommended for secure environments. The updated approach adopts static certificates managed by cert-manager.
  Additionally, integrations with Prometheus now support scraping metrics using the cert-manager generated certificates. A related fix was introduced to ensure that CA injection patches are only applied to CRDs with a conversion webhook, avoiding unnecessary annotations.
  To support these improvements, changes to `config/default/kustomization.yaml` are required. These include: configuring webhook and metrics server certificates, enabling Prometheus scraping with TLS, and correcting CA injection behavior.
  These updates also introduce flexible opt-in mechanisms, allowing users to selectively enable or disable:
  - TLS for the metrics server via cert-manager
  - TLS for webhooks via cert-manager
  - TLS configuration for Prometheus scraping
  Together, these changes are part of a broader effort to elevate the default security posture and configurability of Go-based operators. (#6928)
- (go/v4) For Go-based operators, a fix has been implemented to ensure that the Prometheus configuration can properly scrape metrics from the operator's metrics server when TLS is enabled. (#6928)
- (go/v4) For Go-based operators, a fix has been implemented to ensure that CA injection patches are applied only to CRDs that define a conversion webhook.
  Previously, the CA injection patch logic was overly broad, applying injection annotations to all CRDs whenever a webhook was scaffolded with the `--conversion` flag. This behavior was introduced in Kubebuilder release `v3.5.0` when replacements were introduced in place of legacy vars and the `kustomize/v2-alpha` plugin was adopted.
  The incorrect behavior likely went unnoticed due to incomplete support for conversion webhooks in earlier versions. This release addresses that gap, enabling proper scaffolding and CA injection behavior specifically for CRDs with conversion webhooks.
  To support this improvement, a new marker has been introduced: `+kubebuilder:scaffold:crdkustomizecainjectionns`. This marker ensures that the correct replacements are generated in `config/default/kustomization.yaml` for CA injection. Additionally, the `kubebuilder:scaffold:crdkustomizewebhookpatch` marker was created to ensure that the webhook patch is only applied to CRDs that have a conversion webhook in the `config/crd/kustomization.yaml` file.
  For more information on this and other scaffolding markers, refer to the official Kubebuilder documentation: https://book.kubebuilder.io/reference/markers/scaffold. (#6928)
- (go/v4) For Go-based operators, ENVTEST version management is now automated by deriving values from `go.mod`, and controller tests now locate binaries dynamically. (More info)
  These updates improve the developer experience by:
  - Reducing manual configuration for ENVTEST.
  - Ensuring IDEs or test runners can locate the binaries reliably.
  - Making controller test scaffolding more robust and portable. (#6928)
- (go/v4) For Go-based operators, updated GolangCI-Lint configuration to replace the deprecated `exportloopref` linter with the `copyloopvar` linter. (#6928)
- (go/v4) For Go-based operators, upgraded project scaffolding to Go 1.23, Kubernetes v0.32.1, and controller-runtime v0.20.4.
  The default project scaffolding for Go-based operators has been updated to use:
  - Go 1.23
  - Kubernetes modules v0.32.1
  - controller-runtime v0.20.4
  - Ginkgo v2.22.0 and Gomega v1.36.1. (#6928)
- Breaking change: (go/v4) For Go-based operators, upgraded controller-runtime from `v0.19.4` to `v0.20.0` and added support for Kubernetes 1.32. Removed deprecated `webhook.Validator` and `webhook.Defaulter` interfaces from the runtime. Webhooks should no longer reside under the `api/` directory; this has been the default behavior since Kubebuilder release [v4.3.0](https://github.com/kubernetes-sigs/kubebuilder/releases/tag/v4.3.0).
  A `--legacy=true` flag was added to support scaffolding webhooks in the old layout when needed. (More info · Migration guide). (#6928)
v1.39.2
What's Changed
- fix: primary-resource is created in wrong place. by @holyspectral in #6872
- docs: Replace memcached-operator in v1.39.0 update instructions by @blu3r4y in #6898
- Fix Allow IfNotPresent policy when `operator-sdk run bundle` #6795 by @kaovilai in #6851
- Bump github.com/containerd/containerd from 1.7.23 to 1.7.27 by @dependabot in #6916
- updating dependencies to address CVE's by @acornett21 in #6917
- Bump github.com/distribution/distribution/v3 from 3.0.0-rc.1 to 3.0.0-rc.3 by @dependabot in #6918
- adding logic to GHA's to remove unused diskspace by @acornett21 in #6920
- Release v1.39.2 by @acornett21 in #6919
Full Changelog: v1.39.1...v1.39.2
v1.39.1
What's Changed
- re-generate scaffolding post release by @acornett21 in #6893
- fix constant reconciliation issue in helm controller by @acornett21 in #6892
- fix constant reconciliation issue in helm controller by @acornett21 in #6895
- Release v1.39.1 by @acornett21 in #6896
Full Changelog: v1.39.0...v1.39.1
v1.39.0
Changes
- For Go-based, Helm-based and Ansible-based operators this release moves to Kubernetes 1.31 API's and Kubebuilder v4 Scaffolding, specifically utilizing the v4.2.0 version. The update to Kubebuilder results in some scaffolding changes; more information can be found below:
  - Add support to protect project with network policies (#3853). (#6878)
v1.38.0
Changes
- For Go-based, Helm-based and Ansible-based operators this release moves to Kubernetes 1.30 API's and Kubebuilder v4 Scaffolding, specifically utilizing the v4.1.1 version. The update to Kubebuilder results in some scaffolding changes; more information can be found below:
  - Discontinue usage of kube-rbac-proxy in the default scaffolding of new projects. For further information, see: Action Required: Ensure that you no longer use gcr.io/kubebuilder images
  - The `go/v2` or `go/v3` layouts have been removed, you must upgrade to `go/v4` to be compatible with this release and future updates. To know how to upgrade, check the migration documentation.
  - Re-introduces authn/authz protection for the metrics endpoint using `WithAuthenticationAndAuthorization` provided by controller-runtime instead of kube-rbac-proxy, whose usage was discontinued in the project. Please ensure that you no longer use the image `gcr.io/kubebuilder/kube-rbac-proxy`. Images provided under `gcr.io/kubebuilder/` will be unavailable from March 18, 2025. To learn more about any of the metrics changes please look at the Kubebuilder book metrics page. For `Helm-based` and `Ansible-based` operators, a new flag called `metrics-require-rbac` was introduced into the runtime/binary, to control adding `WithAuthenticationAndAuthorization` to `Metrics.FilterProvider` of controller-runtime. This was done to ensure forwards and backwards compatibility of the binary and images with any scaffolded content. (#6862)
Bug Fixes
- An additional condition is included for matching `apiVersion` of example CRs with CRD `version` when searching for the CRD in the CSV. Previously, the `olm-spec-descriptors` scorecard test failed when multiple versions of a CRD were included in the CSV. The CRs specified in `alm-examples` annotations were validated only against the first matched CRD (by name), which is incorrect. This ensures the correct CRD version is selected for validations. (#6784)
- Fix naive YAML split in `run bundle` command. (#6829)
v1.37.0
v1.36.1
No changes for this release!
v1.36.0
v1.35.0
v1.34.2
No changes for this release!