# SIGHUP Distribution Release v1.32.1

Welcome to SD release `v1.32.1`.

The distribution is maintained with ❤️ by the team SIGHUP by ReeVo.
## New Features since v1.32.0

- [#453] Kustomize v5 migration: updated the distribution manifest templates (AWS, DR, Ingress, Policy, Tracing) to Kustomize v5 syntax, migrating the deprecated `patchesStrategicMerge` and `patchesJson6902` fields to the unified `patches` field.
## Installer Updates

- on-premises 📦 installer: v1.33.4-rev.1
  - Adds support for Kubernetes v1.32.8 and v1.31.12, and installs Kubernetes v1.33.4
  - Fixes incorrect recursive permission and ownership changes applied when configuring etcd and control-plane PKI files
  - CIS Benchmark: updates the customized kube-bench configuration (CIS-1.11 for Kubernetes 1.32) to reduce false positives
  - Documentation: adds maintenance documentation for CIS Kubernetes Benchmark compliance testing
## Module updates

- networking 📦 core module: v3.0.0
  - This release updates both the Tigera Operator to version 1.38.6 (Calico v3.30.3) and Cilium to version 1.18.1. The `ip-masq` package has been completely removed from the module.
- ingress 📦 core module: v4.1.1
  - This release updates the NGINX Ingress Controller to version 1.13.3, cert-manager to v1.18.2, Forecastle to v1.0.157 and External-DNS to v0.18.0
- monitoring 📦 core module: v4.0.1
  - This major release removes the Thanos and Karma packages, updates to kube-prometheus v0.16.0 (including Prometheus v3), and brings general bug fixes and new features
- tracing 📦 core module: v1.3.0
  - This release updates Tempo to version 2.8.2
- dr 📦 core module: v3.2.0
  - This release updates Velero to v1.16.2, the Velero plugins to v1.12.2 and the Snapshot Controller to v8.3.0
- logging 📦 core module: v5.2.0
  - This release updates the Logging Operator to v6.0.3, the OpenSearch components to v3.2.0 and the Loki components to v3.5.3
- policy 📦 core module: v1.15.0
  - This release updates Kyverno to version 1.15.1, Gatekeeper to version 3.20.1 and Gatekeeper Policy Manager to version 1.1.0
- auth 📦 core module: v0.6.0
  - This release updates Dex to v2.44.0 and Pomerium to v0.30.5
## Breaking changes 💔

- [#433] Kubelet cipher suites management through `tlsCipherSuitesKubelet`: TLS ciphers for the Kubelet are now configured using the new `tlsCipherSuitesKubelet` parameter, to clearly separate them from those used by the API Server and etcd. Going forward, if `tlsCipherSuitesKubelet` is not set, a separate set of default values (different from `tlsCipherSuites`) will be applied. Action required: if you need to customize the TLS ciphers for the Kubelet, explicitly define the `tlsCipherSuitesKubelet` parameter.
## New features 🌟

- [#433] Introducing CIS Benchmark Compliance customizations:
  - `tlsCipherSuites` and `tlsCipherSuitesKubelet` under `spec.kubernetes.advanced.encryption`, to configure the TLS cipher suites for the API Server and etcd with the former, and for the Kubelet with the latter:

    ```yaml
    spec:
      kubernetes:
        advanced:
          encryption:
            tlsCipherSuites:
              - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
              - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
              - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
              - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
              - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
              - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
              - "TLS_AES_128_GCM_SHA256"
              - "TLS_AES_256_GCM_SHA384"
              - "TLS_CHACHA20_POLY1305_SHA256"
            tlsCipherSuitesKubelet:
              - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
              - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
              - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
    ```

    When not explicitly defined, the following default values will be applied:

    ```yaml
    tls_cipher_suites:
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    kubelet_tls_cipher_suites:
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    ```
  - `streamingConnectionIdleTimeout` under `spec.kubernetes.advanced.kubeletConfiguration`, to configure the idle timeout of the Kubelet's streaming connections (exec, attach, port-forward, logs), protecting against Denial-of-Service attacks, lingering inactive connections and running out of ephemeral ports:

    ```yaml
    spec:
      kubernetes:
        advanced:
          kubeletConfiguration:
            streamingConnectionIdleTimeout: "5m"
    ```
  - `gcThreshold` under `spec.kubernetes.advanced.controllerManager`, to set the controller manager's garbage collection threshold, so that terminated Pods are collected before they accumulate and degrade performance and availability:

    ```yaml
    spec:
      kubernetes:
        advanced:
          controllerManager:
            gcThreshold: 2000
    ```
  - `eventRateLimits` under `spec.kubernetes.advanced`, to enforce a limit on the number of events that the API Server will accept in a given time slice (`type` selects the scope the limit applies to; the example limits per user):

    ```yaml
    spec:
      kubernetes:
        advanced:
          eventRateLimits:
            - type: "User"
              qps: 20
              burst: 100
              cacheSize: 4096
    ```
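Before putting a custom list into `tlsCipherSuites` or `tlsCipherSuitesKubelet`, it is worth checking what the Kubernetes components will make of it: they use Go's cipher-suite names, reject names Go does not know or flags as insecure, and, because Go's TLS stack never restricts TLS 1.3 suites, the `TLS_AES_*` and `TLS_CHACHA20_POLY1305_SHA256` entries in the lists above only document intent. The Go program below is an added example written for these notes, not furyctl or distribution code; it uses only the standard `crypto/tls` package, and its legacy-name alias table is an assumption modelled on how the Kubernetes flag parser accepts the pre-RFC ChaCha20 names that the default lists above also contain.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// CipherCheck is the outcome of validating a list of cipher-suite names
// written in the Go naming used by kubelet and kube-apiserver.
type CipherCheck struct {
	IDs      []uint16 // suites that will actually restrict TLS 1.2 handshakes
	TLS13    []string // TLS 1.3 suites: accepted, but Go never restricts TLS 1.3
	Insecure []string // implemented by Go but flagged insecure: reject these
	Unknown  []string // names Go does not know (typo, or OpenSSL/IANA spelling)
}

// legacyNames holds the two pre-RFC 7905 ChaCha20 names that Kubernetes still
// accepts as aliases (assumption: modelled on k8s.io/component-base/cli/flag).
var legacyNames = map[string]uint16{
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
}

// ClassifyCipherSuites sorts every name into one of the four buckets above,
// preserving the order of the input for the IDs that will be applied.
func ClassifyCipherSuites(names []string) CipherCheck {
	secure := map[string]*tls.CipherSuite{}
	for _, s := range tls.CipherSuites() {
		secure[s.Name] = s
	}
	insecure := map[string]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.Name] = true
	}
	var out CipherCheck
	for _, n := range names {
		switch {
		case secure[n] != nil:
			s := secure[n]
			if len(s.SupportedVersions) == 1 && s.SupportedVersions[0] == tls.VersionTLS13 {
				out.TLS13 = append(out.TLS13, n)
			} else {
				out.IDs = append(out.IDs, s.ID)
			}
		case legacyNames[n] != 0:
			out.IDs = append(out.IDs, legacyNames[n])
		case insecure[n]:
			out.Insecure = append(out.Insecure, n)
		default:
			out.Unknown = append(out.Unknown, n)
		}
	}
	return out
}

// ServerTLSConfig builds the server-side config a component ends up with.
// It refuses lists with insecure or unknown names, and lists that leave
// TLS 1.2 unrestricted (only TLS 1.3 names): with an empty CipherSuites
// slice Go falls back to its own default list, not to "no TLS 1.2".
func ServerTLSConfig(names []string) (*tls.Config, error) {
	c := ClassifyCipherSuites(names)
	if len(c.Insecure) > 0 || len(c.Unknown) > 0 {
		return nil, fmt.Errorf("rejected suites: insecure=%v unknown=%v", c.Insecure, c.Unknown)
	}
	if len(c.IDs) == 0 {
		return nil, errors.New("no TLS 1.2 suites selected: Go would silently use its default list")
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: c.IDs}, nil
}

func main() {
	// Constructed input: the kubelet default list from the release notes plus
	// three names a reviewer should catch before they reach the node.
	names := []string{
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_AES_128_GCM_SHA256",        // TLS 1.3: harmless but ineffective
		"TLS_RSA_WITH_RC4_128_SHA",      // insecure
		"ECDHE-ECDSA-AES128-GCM-SHA256", // OpenSSL spelling: unknown to Go
	}
	c := ClassifyCipherSuites(names)
	fmt.Printf("tls1.2 ids=%d tls1.3-only=%v insecure=%v unknown=%v\n",
		len(c.IDs), c.TLS13, c.Insecure, c.Unknown)
	if _, err := ServerTLSConfig(names); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Run it against the list you intend to apply before running furyctl. The case to watch for is a list that is valid but contains only TLS 1.3 names: the configuration is accepted, yet the component keeps Go's default TLS 1.2 suites rather than disabling TLS 1.2.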
- [#415] Adds customizations to make it easier to install SD on bare metal nodes:
  - `blockSize` and `podCidr` under the `spec.distribution.modules.networking.tigeraOperator` section of the OnPremises and KFDDistribution schemas, allowing customization of the CIDR block assigned to each node. How to use it:

    ```yaml
    spec:
      distribution:
        modules:
          networking:
            type: calico
            tigeraOperator:
              blockSize: 26
              podCidr: 172.16.0.0/16
    ```
  - `kernelParameters` under the `.spec.kubernetes.advanced`, `.spec.kubernetes.masters` and `.spec.kubernetes.nodes[]` sections, to allow customization of the kernel parameters of each Kubernetes node. Example:

    ```yaml
    spec:
      kubernetes:
        masters:
          kernelParameters:
            - name: "fs.file-max"
              value: "9223372036854775804"
    ```
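`blockSize` decides how many addresses Calico hands to a node at a time, and `podCidr` how many such blocks exist, so the pair bounds the number of nodes the pool can serve. The Go program below, an added example for these notes and not distribution code, validates the two values with the rules Calico documents for IPv4 pools (block size between 20 and 32, block no larger than the pool; taken here as an assumption from the Calico docs) and derives the planning figures for a given kubelet `maxPods` (110 is the kubelet default). The example CIDR is the one from the snippet above.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// IPAMPlan is the capacity that a Calico IPv4 pool and block size give you.
type IPAMPlan struct {
	Blocks            int // /blockSize blocks carved out of podCidr
	AddressesPerBlock int
	BlocksPerNode     int // blocks one node needs to host maxPods pods
	MaxNodes          int // nodes the pool serves before blocks run out
}

// PlanCalicoIPAM validates podCidr/blockSize for an IPv4 pool and derives the
// planning numbers for a node density of maxPods pods per node.
func PlanCalicoIPAM(podCidr string, blockSize, maxPods int) (IPAMPlan, error) {
	_, ipnet, err := net.ParseCIDR(podCidr)
	if err != nil {
		return IPAMPlan{}, fmt.Errorf("podCidr: %w", err)
	}
	prefix, bits := ipnet.Mask.Size()
	if bits != 32 {
		return IPAMPlan{}, fmt.Errorf("podCidr %s: only IPv4 is handled here", podCidr)
	}
	// Assumption: Calico's documented IPv4 blockSize range.
	if blockSize < 20 || blockSize > 32 {
		return IPAMPlan{}, fmt.Errorf("blockSize %d: IPv4 block size must be between 20 and 32", blockSize)
	}
	// A block wider than the pool cannot be carved out of it.
	if blockSize < prefix {
		return IPAMPlan{}, fmt.Errorf("blockSize /%d is larger than the pool %s", blockSize, podCidr)
	}
	if maxPods <= 0 {
		return IPAMPlan{}, errors.New("maxPods must be positive")
	}
	blocks := 1 << uint(blockSize-prefix)
	perBlock := 1 << uint(32-blockSize)
	// Ceiling division: a /26 holds 64 addresses, so a node with the
	// kubelet default of 110 pods needs two blocks, not one.
	perNode := (maxPods + perBlock - 1) / perBlock
	return IPAMPlan{
		Blocks:            blocks,
		AddressesPerBlock: perBlock,
		BlocksPerNode:     perNode,
		MaxNodes:          blocks / perNode,
	}, nil
}

func main() {
	// The values from the release notes with the kubelet default maxPods.
	plan, err := PlanCalicoIPAM("172.16.0.0/16", 26, 110)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", plan)
	// A block larger than the pool is rejected instead of silently misconfigured.
	if _, err := PlanCalicoIPAM("10.244.0.0/28", 26, 110); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

`MaxNodes` is a planning bound rather than a hard limit: Calico can also let a node borrow single addresses from blocks affined to other nodes once its own are exhausted, but relying on that means the pool is already too small.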
- [#425] Adds trusted CA certificate support in OIDC authentication with self-signed certificates:
  - The `oidcTrustedCA` key under `spec.distribution.modules.auth` allows automatic provisioning of custom CA certificates for the auth components.
  - Adds secret generation and volume mounting for the Gangplank, Pomerium and Dex deployments.
  - Supports the `{file://path}` notation:

    ```yaml
    spec:
      distribution:
        modules:
          auth:
            oidcTrustedCA: "{file://my-ca.crt}"
    ```
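What `oidcTrustedCA` gives the auth components is a CA bundle their TLS clients trust when they contact the OIDC issuer, instead of disabling verification. The Go program below, an added example written for these notes and not code from the distribution or from Dex/Pomerium/Gangplank, reproduces that check stand-alone: it builds a pool from PEM CA data such as `my-ca.crt`, verifies an issuer certificate against it including the hostname, and shows the ways it fails (garbage PEM, a CA that is not in the bundle, a hostname that is not in the certificate). The CA and leaf are generated in memory as constructed test material; the hostname `dex.idp.internal` is made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TrustedPoolFromPEM turns the contents of the file referenced by
// oidcTrustedCA (one or more PEM-encoded CA certificates) into a cert pool.
func TrustedPoolFromPEM(caPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	return pool, nil
}

// VerifyIssuerCert checks that the certificate presented by the OIDC issuer
// chains to the trusted pool and is valid for the issuer hostname: the same
// checks a TLS client with RootCAs set to that pool enforces on connect.
func VerifyIssuerCert(pool *x509.CertPool, leafPEM []byte, host string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("issuer certificate is not a PEM CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// ClientTLSConfig is the client-side config the auth components need: the
// custom CA is trusted and nothing else is relaxed (no InsecureSkipVerify).
func ClientTLSConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// MakeTestPKI generates a constructed self-signed CA and a server certificate
// for issuerHost signed by it, both PEM-encoded. Test material only.
func MakeTestPKI(issuerHost string) (caPEM, leafPEM []byte) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		panic(err)
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: issuerHost},
		DNSNames:     []string{issuerHost}, // the SAN is what the hostname check uses
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, leafPEM
}

func main() {
	caPEM, leafPEM := MakeTestPKI("dex.idp.internal")
	pool, err := TrustedPoolFromPEM(caPEM)
	if err != nil {
		panic(err)
	}
	_ = ClientTLSConfig(pool)
	fmt.Println("trusted CA, right host:", VerifyIssuerCert(pool, leafPEM, "dex.idp.internal"))
	fmt.Println("trusted CA, wrong host:", VerifyIssuerCert(pool, leafPEM, "evil.example"))
	fmt.Println("CA not in bundle      :", VerifyIssuerCert(x509.NewCertPool(), leafPEM, "dex.idp.internal"))
}
```

The two practical checks this encodes are the ones that usually go wrong with self-signed issuers: the bundle must contain the CA that actually signed the issuer's certificate (not the issuer's own leaf), and the issuer's certificate must carry the hostname in a SAN, because a CommonName alone is not enough for the hostname check.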
- [#428] Configuration for Logging Operator's Fluentd and Fluentbit resources:
  - Added new configuration options to the logging module that allow setting Fluentd's resources and replica count, and Fluentbit's resources. Example:

    ```yaml
    spec:
      distribution:
        modules:
          logging:
            operator:
              fluentd:
                replicas: 1
                resources:
                  limits:
                    cpu: "2500m"
              fluentbit:
                resources:
                  requests:
                    memory: "1Mi"
    ```
- [#429] Control Plane taints for OnPremises clusters:
  - Added a new configuration option to set the control plane nodes' taints at cluster creation time. Only the taints listed are applied, so an empty list leaves the control plane nodes without any taint and regular workloads can be scheduled on them. Example:

    ```yaml
    # custom taint. NOTE: the default taint won't be added, just the ones defined.
    spec:
      kubernetes:
        masters:
          taints:
            - effect: NoExecute
              key: soft-cell
              value: tainted-love
    ```

    ```yaml
    # no taints
    spec:
      kubernetes:
        masters:
          taints: []
    ```
- [#435] Repository management lifecycle configuration for the OnPremises provider:
  - Added new boolean configuration fields for environments where package repositories are configured outside of furyctl:
    - `spec.kubernetes.loadBalancers.selfmanagedRepositories`: controls HAProxy repository setup
    - `spec.kubernetes.advanced.containerd.selfmanagedRepositories`: controls the NVIDIA container toolkit's repository setup
    - `spec.kubernetes.advanced.selfmanagedRepositories`: controls Kubernetes package repository setup
  - All fields are optional. If omitted, the system defaults to automatic repository management (`selfmanagedRepositories: false`).
  - To handle repositories manually and disable automatic repository management, set `selfmanagedRepositories: true`:

    ```yaml
    spec:
      kubernetes:
        loadBalancers:
          enabled: true
          selfmanagedRepositories: true # Handle HAProxy repositories manually
        advanced:
          selfmanagedRepositories: true # Handle Kubernetes repositories manually
          containerd:
            selfmanagedRepositories: true # Handle NVIDIA container toolkit repositories manually
    ```
- [#353] Adds EKS self-managed node pool default override options for IDMS: adds a variable to override the default properties for EKS self-managed node pools. Currently only the IDMS ones are supported.
## Fixes 🐞

- installer-eks/issues#88: fixes an issue when using `selfmanaged` nodes with `alinux2023`. The way images used to be provisioned relied on Amazon's `bootstrap.sh`, which has been deprecated in favor of `nodeadm`.
- Plugin names are now pattern-validated in the schema to avoid potential errors at runtime when setting invalid names.
## Upgrade procedure

Check the upgrade docs for the steps to upgrade the SIGHUP Distribution from one version to the next using furyctl.