Releases: defenseunicorns/uds-core

snapshot-latest

18 Aug 10:24
6aed2ac
snapshot-latest Pre-release

What's Changed

Full Changelog: v0.49.0...snapshot-latest

v0.49.0

14 Aug 14:56
a160277

0.49.0 (2025-08-14)

Release Notes

This release is smaller in scope but includes a critical bug fix for Authservice (when configured with Redis) along with a minor breaking change for some configurations, and a few dependency updates.

Breaking Changes:

  • Grafana and NeuVector now have group auth protection provided by Keycloak (#1809). If you have been allowing different groups access to these applications (beyond the default Admin/Auditor groups), you will need to provide additional overrides to ensure Keycloak allows these groups to access the applications (see docs).

Bug Fixes:

  • Authservice Redis configuration will properly load on Pepr Watcher startup (#1824)

Dependency Updates:

  • NeuVector curl image updated to 8.15.0 (unicorn flavor only) (#1817)
  • Velero updated to 1.16.2 (plugins 1.12.2) (#1775): Note that this version bump includes an undocumented potentially breaking change (vmware-tanzu/velero#7785). If your bucket for backups contains "invalid top-level directories" (possible if sharing a bucket with other tooling) you may need to set a prefix or change your bucket.

Please see the git comparison for the full list of changes.

v0.48.1

12 Aug 13:09
307b233

0.48.1 (2025-08-11)

Known Issues

  • When configuring Authservice with a Redis/Valkey connection you may experience Pepr pod failure at startup (#1823). If you use Authservice with Redis/Valkey it is advised to jump to 0.49.0 rather than upgrading to 0.48.x.

Release Notes

This is a patch release focused on fixing a network policy naming bug, introduced in v0.48.0, that impacted some packages with multiple expose entries.

Full changes:

  • Conflicting Network Policy Naming in multi-service deployments (#1808) (0352839)
  • Dependency Update for Pepr to version v0.52.3.
  • Doc update to include a full list of Istio Annotations that should not be allowed to be used.

v0.48.0

05 Aug 17:47
252e013

0.48.0 (2025-08-05)

Known Issues

  • This release introduced a bug with Network Policy naming conflicts when using multiple expose entries. The fix for this bug is included in 0.48.1.
  • When configuring Authservice with a Redis/Valkey connection you may experience Pepr pod failure at startup (#1823). If you use Authservice with Redis/Valkey it is advised to jump to 0.49.0 rather than upgrading to 0.48.x.

Release Notes

This release includes a new breaking change and new features along with the usual mix of dependency and doc updates.

Breaking Changes:

  • With the creation of the ClusterConfig, some values under operator for the uds-operator-config chart/component are no longer valid; see the table below:

    Removed Value                          Replacement
    operator.UDS_DOMAIN                    cluster.expose.domain or Zarf variable DOMAIN
    operator.UDS_ADMIN_DOMAIN              cluster.expose.adminDomain or Zarf variable ADMIN_DOMAIN
    operator.UDS_CA_CERT                   cluster.expose.caCert or Zarf variable CA_CERT
    operator.UDS_ALLOW_ALL_NS_EXEMPTIONS   cluster.policy.allowAllNsExemptions or Zarf variable ALLOW_ALL_NS_EXEMPTIONS
    operator.UDS_LOG_LEVEL                 Zarf variable UDS_LOG_LEVEL (no bundle/Helm override available)

New Features:

  • Keycloak support for pre-existing secrets (docs link)
  • Policies to warn for dangerous Istio annotations (docs link)
    • Note: These annotations will be blocked in a future release. If you need to use any of these Istio annotations, you will need to create an exemption.
  • Support Root/Apex domain in Package CR (docs link)
  • Grafana Dashboards for Keycloak metrics and troubleshooting (docs link)
  • Ambient Authservice Application support (docs link)
    • UDS Core now supports Authservice protected applications while in ambient mode.

Docs:

  • New UDS Core Upgrade Guidance (link)
  • RKE2 Metrics Configuration (link)

Additional Dependency Updates include: Grafana v12.1.0, Keycloak v26.3.2, Metrics-Server v0.8.0, NeuVector v5.4.5, Prometheus v3.5.0, Loki v3.5.3, Pepr v0.52.2

Please see the git comparison for the full list of changes.

v0.47.0

22 Jul 10:32
82ee740

0.47.0 (2025-07-22)

This release includes a few breaking changes and new features along with the usual mix of dependency updates.

Breaking Changes:

  • The uds-dev-stack namespace is no longer ignored by default for policies and operator reconciliation. If you wish to ignore this namespace or another namespace, you can continue to ignore specific namespaces with a bundle override to the Pepr chart.
  • The UDS Policies now include a policy restricting usage of UID/GID 1337 by any non-Istio containers/pods (i.e. anything other than ztunnel, waypoints, and sidecars). This policy ensures that pods don't bypass proxy interception and other controls managed via the service mesh.
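
As an added illustration (not UDS Core's own policy code), this Python pre-upgrade audit lists the containers that would trip the UID/GID 1337 restriction, given the JSON from `kubectl get pods -A -o json`. Assumptions: Istio containers are recognised by the name `istio-proxy`, only `runAsUser`/`runAsGroup` are checked, and the function names and sample pods are constructed for this example.

```python
ISTIO_ID = 1337  # UID/GID named in the release note
# Assumption: Istio-managed containers are recognised by name alone.
ISTIO_CONTAINER_NAMES = {"istio-proxy"}

def audit_pod(pod):
    """Return (container, field) findings for one pod manifest dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            if c.get("name") in ISTIO_CONTAINER_NAMES:
                continue
            sc = c.get("securityContext") or {}
            for field in ("runAsUser", "runAsGroup"):
                # A container-level value overrides the pod-level default.
                value = sc.get(field)
                if value is None:
                    value = pod_sc.get(field)
                if value == ISTIO_ID:
                    findings.append((c["name"], field))
    return findings

def audit_pods(pod_list):
    """Map namespace/name to findings for a pod list document."""
    report = {}
    for pod in pod_list.get("items", []):
        meta, found = pod.get("metadata", {}), audit_pod(pod)
        if found:
            report[f"{meta.get('namespace')}/{meta.get('name')}"] = found
    return report

# Constructed sample input, not taken from a real cluster.
SAMPLE = {"items": [
    {"metadata": {"namespace": "app", "name": "inherits"},
     "spec": {"securityContext": {"runAsUser": 1337},
              "containers": [{"name": "web"}, {"name": "istio-proxy"}]}},
    {"metadata": {"namespace": "app", "name": "overrides"},
     "spec": {"securityContext": {"runAsUser": 1337},
              "initContainers": [{"name": "migrate", "securityContext": {"runAsUser": 1000, "runAsGroup": 1337}}],
              "containers": [{"name": "api", "securityContext": {"runAsUser": 1000}}]}},
    {"metadata": {"namespace": "istio-system", "name": "waypoint"},
     "spec": {"securityContext": {"runAsUser": 1337, "runAsGroup": 1337},
              "containers": [{"name": "istio-proxy"}]}},
]}

if __name__ == "__main__":
    for pod, found in audit_pods(SAMPLE).items():
        print(pod, found)
```

The `inherits` pod is flagged because its `web` container picks up the pod-level UID, while `overrides` is flagged only for the init container's group, since both of its containers replace the pod-level UID.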

New Features:

  • Expanded and documented support for using Layer 7 Loadbalancers (such as AWS ALBs), read more in the documentation.
  • Support for "reloading" pods when secret values change (such as changes to an SSO secret or database credentials), read more in the documentation.

Additional dependency updates include: Keycloak 26.3.1, Pepr 0.51.6, Kubectl 1.33.3, k8s-sidecar 1.30.7

Please see the git comparison for the full list of changes.

v0.46.0

08 Jul 18:08
b16b862

0.46.0 (2025-07-8)

This release is on the lighter side but still has several exciting changes to note:

  • lifecycleHooks for Keycloak chart, primarily useful in HA clusters and rotating nodes
  • Grafana logout cleanup to properly log a user out when they request it
  • Updated docs on permissive traffic for authpols (Link)
  • Additional Keycloak theme updates in identity-config v0.15.2
  • Dependency Updates: Grafana to v12.0.2, Istio to v1.26.2, Vector to v0.48.0

We also had a number of more internal changes to improve some of our CI flow and keep our support dependencies up to date. Please see the git comparison for the full list of changes.

v0.45.1

27 Jun 09:20
5cc7892

0.45.1 (2025-06-27)

This release primarily resolves some issues with mobile responsive design for the new Keycloak theme. Also included are some smaller documentation changes and fixes:

  • New/updated documentation and testing for Velero EBS snapshot backups
  • Pepr update to 0.51.5
  • Diagram/documentation showing the resource ownership/tree for the Package custom resource

We also have some of the usual internal support dependency updates and are now running all testing against Kubernetes 1.32.x. Please see the git comparison for the full list of changes.

v0.45.0

24 Jun 12:18
bd7ad4b

0.45.0 (2025-06-24)

This release is smaller in scope but includes several exciting changes, especially for Keycloak:

  • The Keycloak theme has been entirely redesigned for consistency across UDS.
    • ⚠ BREAKING CHANGE: The new theme changes the themeCustomizations.resources array and now accepts only PNG images (for example: background.png instead of background.jpg). If you use this feature, ensure all images are converted into the PNG format and properly supplied to the configuration.
    • Also note that if building a custom identity-config image you may need to work through some conflicts/rebase to maintain any custom theming you were doing previously.
  • Our Keycloak configuration now supports customization of the terms and conditions during sign in. Please review the documentation for how to override this and how to format your custom terms and conditions properly.
  • Keycloak x509 environment variables are now set based on the x509LookupProvider value (rather than being hardcoded to nginx). This may require some changes if NOT using the default nginx provider (not common).
  • Bug fix for the NeuVector updater on our unicorn flavor.
  • Dependency Updates: Pepr 0.51.4, Prometheus 3.4.1 (Operator 0.83.0)

We also had a number of more internal changes to improve some of our CI flow and keep our support dependencies up to date (including migrating from Jest to Vitest). Please see the git comparison for the full list of changes.

v0.44.0

10 Jun 12:09
2f9676e

0.44.0 (2025-06-09)

This release includes the usual mix of dependency updates, bug fixes, and features. Particular changes of note:

  • Support for egress gateways to control egress to specific external hosts (see docs)
  • Keycloak user event metrics emitted and scraped by default (see upstream docs)
  • Direct ability to add additional Grafana datasources via values (see docs)
  • Image/release artifact changes:
    • Image provider has changed for Unicorn images: Please keep this in mind for the upgrade if using the unicorn flavor (it may take longer with all pods changing images)
    • Ironbank/Registry1 flavor is now being released in an arm64 architecture variant.
  • Bug fixes: resolution of checkpoint issues for CI testing, fix for SSO secret name/template on client retries
  • Dependency updates: Keycloak 26.2.5, Pepr 0.51.3, Curl 8.14.0, miscellaneous CI dependencies

For the full list of changes review the commit/file comparison.

Known Issues:

  • #1652: NeuVector updater fails to run on Unicorn flavor (see issue for temporary mitigation)

v0.43.0

27 May 23:27
ec878dd

0.43.0 (2025-05-27)

⚠ BREAKING CHANGES

  • UDS Core now uses Keycloak in FIPS (STRICT) mode by default (the fips Helm Chart flag is set to true by default). In some environments, this may be a breaking change that could result in the Keycloak Administrator account being locked out. Before upgrading, please ensure you have read and followed the UDS Identity v0.14.0 upgrade guide.
  • If deploying on AWS with custom networking for EKS also review the v0.14.1 upgrade guide to ensure you don't encounter issues when using shared address space.

Features

Bug Fixes

Miscellaneous