



  • fix: Reconcile namespaces when the group spec for tenants is changed, so new rolebindings can be created for them


  • fix: Updated release pipelines


  • feat: Allow custom roles for each tenant via label selector, more details in custom roles document
  • Roles mapping is a required field in MTO's IntegrationConfig. By default, it will always be filled with OpenShift's admin/edit/view roles
  • Ensure that mentioned roles exist within the cluster
  • Remove coupling with OpenShift's built-in admin/edit/view roles
  • feat: Removed coupling of ResourceSupervisor and Tenant resources
  • Added list of namespaces to hibernate within the ResourceSupervisor resource
  • Ensured that the same namespace cannot be added to two different Resource Supervisors
  • Moved ResourceSupervisor into a separate pod
  • Improved logs
  • fix: Remove bug from tenant's common and specific metadata
  • fix: Add missing field to Tenant's conversion webhook
  • fix: Fix panic in ResourceSupervisor sleep functionality due to sending on closed channel
  • chore: Update dependencies



  • maintain: Automate certification of new MTO releases on Red Hat's Operator Hub


  • feat: Updated Tenant CR to provide Tenant level AppProject permissions


  • feat: Add support to map secrets/configmaps from one namespace to other namespaces using TI. Secrets/configmaps will only be mapped if their namespaces belong to same Tenant


  • feat: Add option to keep AppProjects created by Multi Tenant Operator in case Tenant is deleted. By default, AppProjects get deleted
  • fix: Status now updates after namespaces are created
  • maintain: Changes to Helm chart's default behaviour


  • feat: Add support to map secrets/configmaps from one namespace to other namespaces using TGI. Resources can be mapped from one Tenant's namespaces to some other Tenant's namespaces
  • feat: Allow creation of sandboxes that are private to the user
  • feat: Allow creation of namespaces without tenant prefix from within tenant spec
  • fix: Webhook changes will now be updated without manual intervention
  • maintain: Updated Tenant CR version from v1beta1 to v1beta2. Conversion webhook is added to facilitate transition to new version
  • see Tenant spec for updated spec
  • enhance: Better automated testing



  • fix: Update MTO service-account name in environment variable


  • feat: Add support to ArgoCD AppProjects created by Tenant Controller to have their sync disabled when relevant namespaces are hibernating
  • feat: Add validation webhook for ResourceSupervisor
  • fix: Delete ResourceSupervisor when hibernation is removed from tenant CR
  • fix: CRQ and limit range not updating when quota changes
  • fix: ArgoCD AppProjects created by Tenant Controller not updating when Tenant label is added to an existing namespace
  • fix: Namespace workflow for TGI
  • fix: ResourceSupervisor deletion workflow
  • fix: Update RHSSO user filter for Vault integration
  • fix: Update regex of namespace names in tenant CRD
  • enhance: Optimize TGI and TI performance under load
  • maintain: Bump Operator-SDK and Dependencies version



  • fix: Update Helm dependency to v3.8.2


  • fix: Add support for parameters in Helm chartRepository in templates


  • fix: Add service name prefix for webhooks


  • fix: ResourceSupervisor CR no longer requires a field for the Tenant name


  • feat: Add support for tenant namespaces off-boarding. For more details check out onDelete
  • feat: Add tenant webhook for spec validation

  • fix: TemplateGroupInstance now cleans up leftover Template resources from namespaces that are no longer part of TGI namespace selector

  • fix: Fixed hibernation sync issue

  • enhance: Update tenant spec for applying common/specific namespace labels/annotations. For more details check out commonMetadata & SpecificMetadata

  • enhance: Add support for multi-pod architecture for Operator-Hub

  • chore: Remove conversion webhook for Quota and Tenant



  • feat: Add hibernation of StatefulSets and Deployments based on a timer
  • feat: New custom resource that handles hibernation


  • fix: Revert v0.4.4


  • feat: Add support for applying labels/annotation on specific namespaces


  • fix: Update privilegedNamespaces regex


  • fix: IntegrationConfig will now be synced in all pods


  • feat: Added support to distribute common labels and annotations to tenant namespaces


  • fix: Update dependencies to latest version


  • feat: Controllers are now separated into individual pods



  • fix: Optimize namespace reconciliation


  • fix: Revert v0.3.29 change until the webhook network issue is resolved


  • fix: Execute webhook and controller of matching custom resource in same pod


  • feat: Namespace controller will now trigger TemplateGroupInstance when a new matching namespace is created


  • feat: Controllers are now separated into individual pods


  • fix: Enhancement of TemplateGroupInstance Namespace event listener


  • feat: TemplateGroupInstance will create resources instantly whenever a Namespace with matching labels is created


  • fix: Update reconciliation frequency of TemplateGroupInstance


  • feat: TemplateGroupInstance will now directly create template resources instead of creating TemplateInstances

Migrating from previous version

  • To migrate to Tenant-Operator:v0.3.25 perform the following steps
    • Downscale Tenant-Operator deployment by setting the replicas count to 0
    • Delete TemplateInstances created by TemplateGroupInstance (Naming convention of TemplateInstance created by TemplateGroupInstance is group-{Template.Name})
    • Update version of Tenant-Operator to v0.3.25 and set the replicas count to 2. After Tenant-Operator pods are up TemplateGroupInstance will create the missing resources


  • feat: Add feature to allow ArgoCD to sync specific cluster scoped custom resources, configurable via Integration Config. More details in relevant docs


  • feat: Added concurrent reconcilers for template instance controller


  • feat: Added validation webhook to prevent Tenant owners from creating RoleBindings with kind 'Group' or 'User'
  • fix: Removed redundant logs for namespace webhook
  • fix: Added missing check for users in a tenant owner's groups in namespace validation webhook
  • fix: General enhancements and improvements

⚠️ Known Issues

  • caBundle field in validation webhooks is not being populated for newly added webhooks. A temporary fix is to edit the validation webhook configuration manifest without the caBundle field added in any webhook, so OpenShift can add it to all fields simultaneously
    • Edit the ValidatingWebhookConfiguration stakater-tenant-operator-validating-webhook-configuration by removing all the caBundle fields of all webhooks
    • Save the manifest
    • Verify that all caBundle fields have been populated
    • Restart Tenant-Operator pods
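One way to carry out the "verify that all caBundle fields have been populated" step, as an added example that is not part of the Multi Tenant Operator project: the function audits the JSON form of the ValidatingWebhookConfiguration and separately reports unpopulated webhooks whose failurePolicy is Ignore. The webhook names, service name and caBundle value in the sample are constructed for illustration.

```python
import json

# Constructed sample, shaped like the output of
#   kubectl get validatingwebhookconfiguration <name> -o json
# Webhook names, service name and caBundle value are made up.
SAMPLE = json.loads("""
{
  "kind": "ValidatingWebhookConfiguration",
  "metadata": {"name": "stakater-tenant-operator-validating-webhook-configuration"},
  "webhooks": [
    {"name": "vnamespace.example.test", "failurePolicy": "Ignore",
     "clientConfig": {"service": {"name": "webhook-service"},
                      "caBundle": "Q09OU1RSVUNURUQ="}},
    {"name": "vrolebinding.example.test", "failurePolicy": "Fail",
     "clientConfig": {"service": {"name": "webhook-service"}}},
    {"name": "vtemplate.example.test", "failurePolicy": "Ignore",
     "clientConfig": {"service": {"name": "webhook-service"},
                      "caBundle": ""}}
  ]
}
""")


def audit_ca_bundles(config):
    """Return (missing, fail_open).

    missing:   webhooks whose clientConfig.caBundle is absent or empty.
    fail_open: the subset of those with failurePolicy Ignore, where a failed
               webhook call lets the request through without validation.
    """
    if config.get("kind") != "ValidatingWebhookConfiguration":
        raise ValueError("not a ValidatingWebhookConfiguration")
    missing, fail_open = [], []
    for hook in config.get("webhooks") or []:
        bundle = (hook.get("clientConfig") or {}).get("caBundle")
        if not bundle:
            missing.append(hook["name"])
            # failurePolicy defaults to Fail in admissionregistration.k8s.io/v1
            if hook.get("failurePolicy", "Fail") == "Ignore":
                fail_open.append(hook["name"])
    return missing, fail_open


if __name__ == "__main__":
    missing, fail_open = audit_ca_bundles(SAMPLE)
    print("caBundle not populated:", missing)
    print("of those, failing open (Ignore):", fail_open)
```

Both lists should be empty before the Tenant-Operator pods are restarted.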


  • feat: Added ClusterRole manager rules extension


  • fix: Fixed the recreation of underlying template resources, if resources were deleted


  • feat: Namespace webhook FailurePolicy is now set to Ignore instead of Fail
  • fix: Fixed config not being updated in namespace webhook when Integration Config is updated
  • fix: Fixed a crash that occurred when ArgoCD was not set in Integration Config during deletion of a Tenant resource

⚠️ ApiVersion v1alpha1 of Tenant and Quota custom resources has been deprecated and is scheduled to be removed in the future. The following links contain the updated structure of both resources


  • fix: Add ArgoCD namespace to destination namespaces for App Projects


  • fix: Cluster administrator's permission will now have higher precedence on privileged namespaces


  • fix: Add groups mentioned in Tenant CR to ArgoCD App Project manifests' RBAC


  • feat: Add validation webhook for TemplateInstance & TemplateGroupInstance to prevent their creation in case the Template they reference does not exist


  • feat: Added Validation Webhook for Quota to prevent its deletion when a reference to it exists in any Tenant
  • feat: Added Validation Webhook for Template to prevent its deletion when a reference to it exists in any Tenant, TemplateGroupInstance or TemplateInstance
  • fix: Fixed a crash that occurred in case Integration Config was not found


  • feat: Multi Tenant Operator will now consider all namespaces to be managed if any default Integration Config is not found


  • fix: General enhancements and improvements


  • fix: Fix Quota's conversion webhook converting the wrong LimitRange field


  • fix: Fix Quota's LimitRange to its intended design by being an optional field


  • feat: Add ability to prevent certain resources from syncing via ArgoCD


  • feat: Add default annotation to OpenShift Projects that show description about the Project


  • fix: Fix a typo in Multi Tenant Operator's Helm release


  • fix: Fix ArgoCD's destinationNamespaces created by Multi Tenant Operator


  • fix: Change sandbox creation from 1 for each group to 1 for each user in a group


  • feat: Support creation of sandboxes for each group


  • feat: Add ability to create namespaces from a list of namespace prefixes listed in the Tenant CR


  • refactor: Restructure Quota CR, more details in relevant docs
  • feat: Add support for adding LimitRanges in Quota
  • feat: Add conversion webhook to convert existing v1alpha1 versions of quota to v1beta1


  • feat: Add ability to create ArgoCD AppProjects per tenant, more details in relevant docs


  • feat: Add support to add groups in addition to users as tenant members



  • refactor: Restructure Tenant spec, more details in relevant docs
  • feat: Add conversion webhook to convert existing v1alpha1 versions of tenant to v1beta1


  • refactor: Restructure integration config spec, more details in relevant docs
  • feat: Allow users to input custom regex in certain fields inside of integration config, more details in relevant docs


  • feat: Add limit range for kube-RBAC-proxy

Copyright © 2022 Stakater AB