SIGHUP Distribution Release v1.34.0
Welcome to SD release v1.34.0.
The distribution is maintained with ❤️ by the team SIGHUP by ReeVo.
This version adds support for Kubernetes 1.34, updates all modules and the SD installers.
This release also includes some breaking changes. Please make sure to read the relevant section below.
Installer Updates
- on-premises 📦 installer: v1.34.4
  - Installs Kubernetes version 1.34.4, adds support for Kubernetes v1.33.7 and v1.32.11, and updates runc (among other components) in order to cover CVE-2025-31133.
- eks 📦 installer: v3.4.0
  - Installs Kubernetes version 1.34 and introduces the new vpn_furyagent_path variable to the VPN Terraform module to avoid embedding furyagent binaries in the repository.
Module updates
- networking 📦 core module: v3.1.0
  - This release updates the Tigera Operator to version 1.40.3 (Calico v3.31.3), Cilium to v1.18.7 and adds support for Kubernetes 1.34.
- ingress 📦 core module: v5.0.0
  - This release updates several packages included in the ingress module to officially support Kubernetes v1.34.
  - Adds HAProxy Kubernetes Ingress Controller as a new ingress option, supporting both single and dual deployment modes.
  - Forecastle has been moved from the ingress-nginx namespace to its own dedicated forecastle namespace.
  - External-DNS has been moved from the ingress-nginx namespace to its own dedicated external-dns namespace.
- monitoring 📦 core module: v4.1.0
  - This release adds support for Kubernetes 1.34 and updates MinIO.
- tracing 📦 core module: v1.4.0
  - This release adds support for Kubernetes 1.34 and updates MinIO.
- dr 📦 core module: v3.3.0
  - This release updates Velero to v1.17.1, the Velero plugins to v1.13.1 and the Snapshot Controller to v8.4.0.
- logging 📦 core module: v5.3.0
  - This release adds support for Kubernetes 1.34 and updates MinIO.
- policy 📦 core module: v1.16.0
  - This release updates Kyverno to version 1.16.0 and Gatekeeper to version 3.21.0.
- auth 📦 core module: v0.6.1
  - This release updates Pomerium and particularly includes an update to Envoy v1.35.6, to address the following CVEs in Envoy and its dependencies: CVE-2025-62504, CVE-2025-62409, CVE-2025-27818, CVE-2025-27817, CVE-2025-0913, CVE-2024-25178, CVE-2024-25177, CVE-2024-25176.
New features 🌟
- [#483] Added support for HAProxy Kubernetes Ingress Controller and BYOIC (Bring Your Own Ingress Controller) mode. HAProxy Kubernetes Ingress Controller is adopted as the new reference ingress controller following the official retirement announcement of the Ingress NGINX Controller. When both Ingress NGINX Controller and HAProxy KIC are enabled, NGINX takes priority for infrastructure ingresses. To use HAProxy KIC for infrastructure ingresses instead, set spec.distribution.modules.ingress.infrastructureIngressController to haproxy. BYOIC mode allows using a custom ingress controller deployed as a distribution plugin, not managed by the SD lifecycle.
- [#468] Replaced Terraform with OpenTofu: furyctl now uses the OpenTofu v1.10.0 binary instead of Terraform. A new spec.toolsConfiguration.opentofu field is available for state backend configuration. The spec.toolsConfiguration.terraform field is deprecated and will be removed in a future version. To use the new field, add the opentofu key to your furyctl.yaml file with the same S3 backend:

    spec:
      toolsConfiguration:
        opentofu: # Before was terraform
          state:
            s3:
              bucketName: your-bucket-name # Same as terraform
              keyPrefix: your-key-prefix # Same as terraform
              region: your-region # Same as terraform

- [#479] Added vpn_furyagent_path to the infrastructure Terraform template for the EKSCluster provider to avoid re-download.
- [#482] Added kubeadmDownloadUrl, kubeadmChecksum, and kubeadmBinaryDir fields to spec.kubernetes.advanced.airGap for air-gapped on-premises clusters, used on dedicated etcd nodes for certificate management.
- [#459] Support for kube-proxy-less clusters: on-premises clusters can now be created without kube-proxy. Disabling kube-proxy will enable Calico in eBPF mode and Cilium's kube-proxy-replacement mode in the networking module. You can disable kube-proxy like so:

    apiVersion: kfd.sighup.io/v1alpha2
    kind: OnPremises
    metadata:
      name: kube-proxy-less
    spec:
      kubernetes:
        advanced:
          kubeProxy:
            enabled: false
    ...

- [#442] Added GCS (Google Cloud Storage) as a supported backend for the DR module configuration and added support for new fields.
- [#490] Added support for Velero's node-agent prepareQueueLength configuration via spec.distribution.modules.dr.velero.nodeAgent.prepareQueueLength.
Bug Fixes 🐛
- [#480] The x509-certificate-exporter-data-plane DaemonSet was incorrectly patched with the common nodeSelector (e.g., infra nodes), so it was unable to monitor kubelet certificates on all worker nodes.
- [#477] Both control-plane Pods and the etcd systemd service make use of several kubeadm-generated PKI files. These files are generated using a dedicated CA PKI that is expected to be already available on the target node. This PR makes sure that these CA PKI files are uploaded to target nodes in a way that prevents any inconsistencies in file permissions and ownership, which could cause errors during etcd or control-plane Pods startup.
Breaking Changes 💔
Pomerium policy key renaming
The Pomerium default route policy key for Forecastle has been renamed from ingressNgnixForecastle to ingressForecastle to reflect that Forecastle is no longer tied to NGINX (it now also supports HAProxy and BYOIC mode).
Before:
    spec:
      distribution:
        modules:
          auth:
            pomerium:
              defaultRoutesPolicy:
                ingressNgnixForecastle: # Old key
                  - allow:
After:
    spec:
      distribution:
        modules:
          auth:
            pomerium:
              defaultRoutesPolicy:
                ingressForecastle: # New key
                  - allow:
Terraform key deprecation
The spec.toolsConfiguration.terraform field is deprecated in favor of spec.toolsConfiguration.opentofu. Users are encouraged to migrate to opentofu configuration, as the terraform field will be removed in a future version.
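A pre-upgrade check for the two key changes described in this section, as an added example that is not part of SD or furyctl: it walks a furyctl.yaml by indentation and reports any key path that this release renames or deprecates. The function names and the sample fragment are constructed for illustration, and the walker assumes space-indented, block-style YAML.

```python
import re

# Old dotted key path -> replacement, as listed under "Breaking Changes".
RENAMES = {
    "spec.distribution.modules.auth.pomerium.defaultRoutesPolicy.ingressNgnixForecastle":
        "spec.distribution.modules.auth.pomerium.defaultRoutesPolicy.ingressForecastle",
    "spec.toolsConfiguration.terraform": "spec.toolsConfiguration.opentofu",
}
# Leading whitespace (plus an optional "- " list marker), then a mapping key.
KEY_LINE = re.compile(r"^(\s*(?:-\s+)?)([A-Za-z0-9_.-]+):(?:\s|$)")

def key_paths(text):
    """Yield (line_number, dotted_path) for each mapping key, tracked by indentation."""
    stack = []  # (column of key, key name) for every open ancestor
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent = len(m.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close siblings and deeper levels
        stack.append((indent, m.group(2)))
        yield n, ".".join(k for _, k in stack)

def deprecated_keys(text):
    """Return [(line, old_path, new_path)] for keys that need migrating."""
    return [(n, p, RENAMES[p]) for n, p in key_paths(text) if p in RENAMES]

# Constructed sample furyctl.yaml fragment (hypothetical values).
SAMPLE = """\
spec:
  toolsConfiguration:
    terraform:
      state:
        s3:
          bucketName: example-bucket
  distribution:
    modules:
      auth:
        pomerium:
          defaultRoutesPolicy:
            ingressNgnixForecastle: []
"""

if __name__ == "__main__":
    for n, old, new in deprecated_keys(SAMPLE):
        print(f"line {n}: {old} -> {new}")
```

Matching on the full path rather than the bare key name avoids flagging an unrelated terraform key elsewhere in the file.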
Upgrade procedure
Check the upgrade docs for the steps to upgrade the SIGHUP Distribution from one version to the next using furyctl.