- Fixed broken logs for namespace webhook where username and namespace were interchangeably used after a recent update
- Made log messages more elaborative and consistent on one format for namespace webhook
TemplateGroupInstancecontroller now correctly updates the
TemplateGroupInstancecustom resource status and the namespace count upon the deletion of a namespace.
- Conflict between
kube-contoller-managerover mentioning of secret names in
ServiceAccountshas been fixed by temporarily ignoring updates to or from
- Privileged service accounts mentioned in the
IntegrationConfighave now access over all types of namespaces. Previously operations were denied on orphaned namespaces (the namespaces which are not part of both privileged and tenant scope). More info in FAQs
TemplateGroupInstancecontroller now ensures that its underlying resources are force-synced when a namespace is created or deleted.
- Optimizations were made to ensure the reconciler in the TGI controller runs only once per watch event, reducing reconcile times.
TemplateGroupInstancereconcile flow has been refined to process only the namespace for which the event was received, streamlining resource creation/deletion and improving overall efficiency.
- Introduced new metrics to enhance the monitoring capabilities of the operator. Details at TGI Metrics Explanation
- Added support for caching for MTO Console using PostgreSQL as caching layer.
- Added support for custom metrics with Template, Template Instance and Template Group Instance.
- Graph visualization of Tenant and its associated resources on MTO Console.
- Tenant and Admin level authz/authn support within MTO Console and Gateway.
- Now in MTO console you can view cost of different Tenant resources with different date, resource type and additional filters.
- MTO can now create a default keycloak realm, client and
mto-adminuser for Console.
- Implemented Cluster Resource Quota for vanilla Kubernetes platform type.
- Dependency of TLS secrets for MTO Webhook.
- Added Helm Chart that would be used for installing MTO over Kubernetes.
- And it comes with default Cert Manager manifests for certificates.
- Support for MTO e2e.
- Updated CreateMergePatch to MergeMergePatches to address issues caused by losing
resourceVersionand UID when converting
newObject. This prevents problems when the object is edited by another controller.
- In Template Resource distribution for Secret type, we now consider the source's Secret field type, preventing default creation as Opaque regardless of the source's actual type.
- Enhanced admin permissions for tenant role in Vault to include Create, Update, Delete alongside existing Read and List privileges for the common-shared-secrets path. Viewers now have Read permission.
- Started to support Kubernetes along with OpenShift as platform type.
- Support of MTO's PostgreSQL instance as persistent storage for keycloak.
kube:adminis now bypassed by default to perform operations, earlier
kube:adminneeded to be mentioned in respective tenants to give it access over namespaces.
- enhance: Removed Quota's default support of adding it to Tenant CR in
quota.tenantoperator.stakater.com/is-default: "true"annotation is present
- fix: ValidatingWebhookConfiguration CRs are now owned by OLM, to handle cleanup upon operator uninstall
- enhance: TemplateGroupInstance CRs now actively watch the resources they apply, and perform functions to make sure they are in sync with the state mentioned in their respective Templates
More information about TemplateGroupInstance's sync at Sync Resources Deployed by TemplateGroupInstance
- fix: Values within TemplateInstances created via Tenants will no longer be duplicated on Tenant CR update
- fix: Fixed a bug that made private namespaces become public
- fix: Allow namespace controller to reconcile without crashing, if no IC exists
- fix: In case a group mentioned in IC doesn't exist, it won't block reconciliation or editing of MTO's manifests
- feat: Added console for tenants, templates and integration config
- feat: Added support for custom realm name for RHSSO integration in Integration Config
- feat: Add multiple status conditions to tenant and TGI for success and failure cases
- feat: Show error messages with tenant and TGI status
- fix: Stop reconciliation breaking for tenant and TGI, instead continue and show warnings
- fix: Disable TGI/TI reconcile if mentioned template is not found.
- fix: Disable repeated users webhook in tenant
- enhance: Reduced API calls
- enhance: General enhancements and improvements
- chore: Update dependencies
- To enable console visit Installation, and add config to subscription for OperatorHub based installation.
- fix: Reconcile namespaces when the group spec for tenants is changed, so new rolebindings can be created for them
- fix: Updated release pipelines
- feat: Allow custom roles for each tenant via label selector, more details in custom roles document
- Roles mapping is a required field in MTO's IntegrationConfig. By default, it will always be filled with OpenShift's admin/edit/view roles
- Ensure that mentioned roles exist within the cluster
- Remove coupling with OpenShift's built-in admin/edit/view roles
- feat: Removed coupling of ResourceSupervisor and Tenant resources
- Added list of namespaces to hibernate within the ResourceSupervisor resource
- Ensured that the same namespace cannot be added to two different Resource Supervisors
- Moved ResourceSupervisor into a separate pod
- Improved logs
- fix: Remove bug from tenant's common and specific metadata
- fix: Add missing field to Tenant's conversion webhook
- fix: Fix panic in ResourceSupervisor sleep functionality due to sending on closed channel
- chore: Update dependencies
- maintain: Automate certification of new MTO releases on RedHat's Operator Hub
- feat: Updated Tenant CR to provide Tenant level AppProject permissions
- feat: Add support to map secrets/configmaps from one namespace to other namespaces using TI. Secrets/configmaps will only be mapped if their namespaces belong to same Tenant
- feat: Add option to keep AppProjects created by Multi Tenant Operator in case Tenant is deleted. By default, AppProjects get deleted
- fix: Status now updates after namespaces are created
- maintain: Changes to Helm chart's default behaviour
- feat: Add support to map secrets/configmaps from one namespace to other namespaces using TGI. Resources can be mapped from one Tenant's namespaces to some other Tenant's namespaces
- feat: Allow creation of sandboxes that are private to the user
- feat: Allow creation of namespaces without tenant prefix from within tenant spec
- fix: Webhook changes will now be updated without manual intervention
- maintain: Updated Tenant CR version from v1beta1 to v1beta2. Conversion webhook is added to facilitate transition to new version
- see Tenant spec for updated spec
- enhance: Better automated testing
- fix: Update MTO service-account name in environment variable
- feat: Add support to ArgoCD AppProjects created by Tenant Controller to have their sync disabled when relevant namespaces are hibernating
- feat: Add validation webhook for ResourceSupervisor
- fix: Delete ResourceSupervisor when hibernation is removed from tenant CR
- fix: CRQ and limit range not updating when quota changes
- fix: ArgoCD AppProjects created by Tenant Controller not updating when Tenant label is added to an existing namespace
- fix: Namespace workflow for TGI
- fix: ResourceSupervisor deletion workflow
- fix: Update RHSSO user filter for Vault integration
- fix: Update regex of namespace names in tenant CRD
- enhance: Optimize TGI and TI performance under load
- maintain: Bump Operator-SDK and Dependencies version
- fix: Update Helm dependency to v3.8.2
- fix: Add support for parameters in Helm chartRepository in templates
- fix: Add service name prefix for webhooks
- fix: ResourceSupervisor CR no longer requires a field for the Tenant name
- feat: Add support for tenant namespaces off-boarding. For more details check out onDelete
feat: Add tenant webhook for spec validation
fix: TemplateGroupInstance now cleans up leftover Template resources from namespaces that are no longer part of TGI namespace selector
fix: Fixed hibernation sync issue
enhance: Update tenant spec for applying common/specific namespace labels/annotations. For more details check out commonMetadata & SpecificMetadata
enhance: Add support for multi-pod architecture for Operator-Hub
chore: Remove conversion webhook for Quota and Tenant
- feat: Add hibernation of StatefulSets and Deployments based on a timer
- feat: New custom resource that handles hibernation
- fix: Revert v0.4.4
- feat: Add support for applying labels/annotation on specific namespaces
- fix: Update
- fix: IntegrationConfig will now be synced in all pods
- feat: Added support to distribute common labels and annotations to tenant namespaces
- fix: Update dependencies to latest version
- feat: Controllers are now separated into individual pods
- fix: Optimize namespace reconciliation
- fix: Revert v0.3.29 change till webhook network issue isn't resolved
- fix: Execute webhook and controller of matching custom resource in same pod
- feat: Namespace controller will now trigger TemplateGroupInstance when a new matching namespace is created
- feat: Controllers are now separated into individual pods
- fix: Enhancement of TemplateGroupInstance Namespace event listener
- feat: TemplateGroupInstance will create resources instantly whenever a Namespace with matching labels is created
- fix: Update reconciliation frequency of TemplateGroupInstance
- feat: TemplateGroupInstance will now directly create template resources instead of creating TemplateInstances
Migrating from pervious version#
- To migrate to Tenant-Operator:v0.3.25 perform the following steps
- Downscale Tenant-Operator deployment by setting the replicas count to 0
- Delete TemplateInstances created by TemplateGroupInstance (Naming convention of TemplateInstance created by TemplateGroupInstance is
- Update version of Tenant-Operator to v0.3.25 and set the replicas count to 2. After Tenant-Operator pods are up TemplateGroupInstance will create the missing resources
- feat: Add feature to allow ArgoCD to sync specific cluster scoped custom resources, configurable via Integration Config. More details in relevant docs
- feat: Added concurrent reconcilers for template instance controller
- feat: Added validation webhook to prevent Tenant owners from creating RoleBindings with kind 'Group' or 'User'
- fix: Removed redundant logs for namespace webhook
- fix: Added missing check for users in a tenant owner's groups in namespace validation webhook
- fix: General enhancements and improvements
⚠️ Known Issues
caBundlefield in validation webhooks is not being populated for newly added webhooks. A temporary fix is to edit the validation webhook configuration manifest without the
caBundlefield added in any webhook, so OpenShift can add it to all fields simultaneously
- Edit the
multi-tenant-operator-validating-webhook-configurationby removing all the
caBundlefields of all webhooks
- Save the manifest
- Verify that all
caBundlefields have been populated
- Restart Tenant-Operator pods
- Edit the
- feat: Added ClusterRole manager rules extension
- fix: Fixed the recreation of underlying template resources, if resources were deleted
- feat: Namespace webhook FailurePolicy is now set to Ignore instead of Fail
- fix: Fixed config not being updated in namespace webhook when Integration Config is updated
- fix: Fixed a crash that occurred in case of ArgoCD in Integration Config was not set during deletion of Tenant resource
v1alpha1of Tenant and Quota custom resources has been deprecated and is scheduled to be removed in the future. The following links contain the updated structure of both resources
- fix: Add ArgoCD namespace to destination namespaces for App Projects
- fix: Cluster administrator's permission will now have higher precedence on privileged namespaces
- fix: Add groups mentioned in Tenant CR to ArgoCD App Project manifests' RBAC
- feat: Add validation webhook for TemplateInstance & TemplateGroupInstance to prevent their creation in case the Template they reference does not exist
- feat: Added Validation Webhook for Quota to prevent its deletion when a reference to it exists in any Tenant
- feat: Added Validation Webhook for Template to prevent its deletion when a reference to it exists in any Tenant, TemplateGroupInstance or TemplateInstance
- fix: Fixed a crash that occurred in case Integration Config was not found
- feat: Multi Tenant Operator will now consider all namespaces to be managed if any default Integration Config is not found
- fix: General enhancements and improvements
- fix: Fix Quota's conversion webhook converting the wrong LimitRange field
- fix: Fix Quota's LimitRange to its intended design by being an optional field
- feat: Add ability to prevent certain resources from syncing via ArgoCD
- feat: Add default annotation to OpenShift Projects that show description about the Project
- fix: Fix a typo in Multi Tenant Operator's Helm release
- fix: Fix ArgoCD's
destinationNamespacescreated by Multi Tenant Operator
- fix: Change sandbox creation from 1 for each group to 1 for each user in a group
- feat: Support creation of sandboxes for each group
- feat: Add ability to create namespaces from a list of namespace prefixes listed in the Tenant CR
- refactor: Restructure Quota CR, more details in relevant docs
- feat: Add support for adding LimitRanges in Quota
- feat: Add conversion webhook to convert existing v1alpha1 versions of quota to v1beta1
- feat: Add ability to create ArgoCD AppProjects per tenant, more details in relevant docs
- feat: Add support to add groups in addition to users as tenant members
- refactor: Restructure Tenant spec, more details in relevant docs
- feat: Add conversion webhook to convert existing v1alpha1 versions of tenant to v1beta1
- refactor: Restructure integration config spec, more details in relevant docs
- feat: Allow users to input custom regex in certain fields inside of integration config, more details in relevant docs
- feat: Add limit range for