Skip to content





  • Fixed a recurring issue in the Extensions controller where status changes were triggering unnecessary reconciliation loops.
  • Resolved a visibility issue where labels and annotations for sandbox namespaces were not appearing in the extension's status.
  • Addressed an issue where AppProject was being deleted upon extension CR deletion, regardless of the onDeletePurgeAppProject field value.
  • Optimized memory usage for Keycloak to address high consumption issues.
  • Resolved an issue that was causing a panic in the Extension Controller when the IntegrationConfig (IC) was not present.
  • Fixed an issue where the status was not being correctly updated when the entire Metadata block was removed from the Tenant specification.



  • Resolved an issue that was preventing Vault from authenticating using the kubernetes authentication method.
  • Addressed an issue where changes to the IntegrationConfig were not updating the destination namespaces in ArgoCD's AppProject.
  • Fixed a problem where the tenant controller was preventing namespace deletion if it failed to delete external dependencies, such as Vault.



  • Resolved memory consumption problems in multiple controllers by reducing the number of reconciliations.




  • Updated Tenant CR to v1beta3, more details in Tenant CRD
  • Added custom pricing support for Opencost, more details in Opencost


  • Resolved an issue in Templates that prevented the deployment of public helm charts.




  • Added support for configuring external keycloak in integrationconfig.
  • Added free tier support that allows creation of 2 tenants without license.




  • Fixed broken logs for namespace webhook where username and namespace were interchangeably used after a recent update


  • Made log messages more elaborative and consistent on one format for namespace webhook



  • TemplateGroupInstance controller now correctly updates the TemplateGroupInstance custom resource status and the namespace count upon the deletion of a namespace.
  • Conflict between TemplateGroupInstance controller and kube-contoller-manager over mentioning of secret names in secrets or imagePullSecrets field in ServiceAccounts has been fixed by temporarily ignoring updates to or from ServiceAccounts.


  • Privileged service accounts mentioned in the IntegrationConfig have now access over all types of namespaces. Previously operations were denied on orphaned namespaces (the namespaces which are not part of both privileged and tenant scope). More info in Troubleshooting Guide
  • TemplateGroupInstance controller now ensures that its underlying resources are force-synced when a namespace is created or deleted.
  • Optimizations were made to ensure the reconciler in the TGI controller runs only once per watch event, reducing reconcile times.
  • The TemplateGroupInstance reconcile flow has been refined to process only the namespace for which the event was received, streamlining resource creation/deletion and improving overall efficiency.
  • Introduced new metrics to enhance the monitoring capabilities of the operator. Details at TGI Metrics Explanation



  • Added support for caching for MTO Console using PostgreSQL as caching layer.
  • Added support for custom metrics with Template, Template Instance and Template Group Instance.
  • Graph visualization of Tenant and its associated resources on MTO Console.
  • Tenant and Admin level authz/authn support within MTO Console and Gateway.
  • Now in MTO console you can view cost of different Tenant resources with different date, resource type and additional filters.
  • MTO can now create a default keycloak realm, client and mto-admin user for Console.
  • Implemented Cluster Resource Quota for vanilla Kubernetes platform type.
  • Dependency of TLS secrets for MTO Webhook.
  • Added Helm Chart that would be used for installing MTO over Kubernetes.
    • And it comes with default Cert Manager manifests for certificates.
  • Support for MTO e2e.


  • Updated CreateMergePatch to MergeMergePatches to address issues caused by losing resourceVersion and UID when converting oldObject to newObject. This prevents problems when the object is edited by another controller.
  • In Template Resource distribution for Secret type, we now consider the source's Secret field type, preventing default creation as Opaque regardless of the source's actual type.
  • Enhanced admin permissions for tenant role in Vault to include Create, Update, Delete alongside existing Read and List privileges for the common-shared-secrets path. Viewers now have Read permission.


  • Started to support Kubernetes along with OpenShift as platform type.
  • Support of MTO's PostgreSQL instance as persistent storage for keycloak.
  • kube:admin is now bypassed by default to perform operations, earlier kube:admin needed to be mentioned in respective tenants to give it access over namespaces.



  • enhance: Removed Quota's default support of adding it to Tenant CR in spec.quota, if "true" annotation is present
  • fix: ValidatingWebhookConfiguration CRs are now owned by OLM, to handle cleanup upon operator uninstall
  • enhance: TemplateGroupInstance CRs now actively watch the resources they apply, and perform functions to make sure they are in sync with the state mentioned in their respective Templates

More information about TemplateGroupInstance's sync at Sync Resources Deployed by TemplateGroupInstance


  • fix: Values within TemplateInstances created via Tenants will no longer be duplicated on Tenant CR update
  • fix: Fixed a bug that made private namespaces become public


  • fix: Allow namespace controller to reconcile without crashing, if no IC exists
  • fix: In case a group mentioned in IC doesn't exist, it won't block reconciliation or editing of MTO's manifests


  • feat: Added console for tenants, templates and integration config
  • feat: Added support for custom realm name for RHSSO integration in Integration Config
  • feat: Add multiple status conditions to tenant and TGI for success and failure cases
  • feat: Show error messages with tenant and TGI status
  • fix: Stop reconciliation breaking for tenant and TGI, instead continue and show warnings
  • fix: Disable TGI/TI reconcile if mentioned template is not found.
  • fix: Disable repeated users webhook in tenant
  • enhance: Reduced API calls
  • enhance: General enhancements and improvements
  • chore: Update dependencies

Enabling console#

  • To enable console visit Installation, and add config to subscription for OperatorHub based installation.



  • fix: Reconcile namespaces when the group spec for tenants is changed, so new rolebindings can be created for them


  • fix: Updated release pipelines


  • feat: Allow custom roles for each tenant via label selector, more details in custom roles document
    • Roles mapping is a required field in MTO's IntegrationConfig. By default, it will always be filled with OpenShift's admin/edit/view roles
    • Ensure that mentioned roles exist within the cluster
    • Remove coupling with OpenShift's built-in admin/edit/view roles
  • feat: Removed coupling of ResourceSupervisor and Tenant resources
    • Added list of namespaces to hibernate within the ResourceSupervisor resource
    • Ensured that the same namespace cannot be added to two different Resource Supervisors
    • Moved ResourceSupervisor into a separate pod
    • Improved logs
  • fix: Remove bug from tenant's common and specific metadata
  • fix: Add missing field to Tenant's conversion webhook
  • fix: Fix panic in ResourceSupervisor sleep functionality due to sending on closed channel
  • chore: Update dependencies



  • maintain: Automate certification of new MTO releases on RedHat's Operator Hub


  • feat: Updated Tenant CR to provide Tenant level AppProject permissions


  • feat: Add support to map secrets/configmaps from one namespace to other namespaces using TI. Secrets/configmaps will only be mapped if their namespaces belong to same Tenant


  • feat: Add option to keep AppProjects created by Multi Tenant Operator in case Tenant is deleted. By default, AppProjects get deleted
  • fix: Status now updates after namespaces are created
  • maintain: Changes to Helm chart's default behaviour


  • feat: Add support to map secrets/configmaps from one namespace to other namespaces using TGI. Resources can be mapped from one Tenant's namespaces to some other Tenant's namespaces
  • feat: Allow creation of sandboxes that are private to the user
  • feat: Allow creation of namespaces without tenant prefix from within tenant spec
  • fix: Webhook changes will now be updated without manual intervention
  • maintain: Updated Tenant CR version from v1beta1 to v1beta2. Conversion webhook is added to facilitate transition to new version
  • enhance: Better automated testing



  • fix: Update MTO service-account name in environment variable


  • feat: Add support to ArgoCD AppProjects created by Tenant Controller to have their sync disabled when relevant namespaces are hibernating
  • feat: Add validation webhook for ResourceSupervisor
  • fix: Delete ResourceSupervisor when hibernation is removed from tenant CR
  • fix: CRQ and limit range not updating when quota changes
  • fix: ArgoCD AppProjects created by Tenant Controller not updating when Tenant label is added to an existing namespace
  • fix: Namespace workflow for TGI
  • fix: ResourceSupervisor deletion workflow
  • fix: Update RHSSO user filter for Vault integration
  • fix: Update regex of namespace names in tenant CRD
  • enhance: Optimize TGI and TI performance under load
  • maintain: Bump Operator-SDK and Dependencies version



  • fix: Update Helm dependency to v3.8.2


  • fix: Add support for parameters in Helm chartRepository in templates


  • fix: Add service name prefix for webhooks


  • fix: ResourceSupervisor CR no longer requires a field for the Tenant name


  • feat: Add support for tenant namespaces off-boarding. For more details check out onDelete
  • feat: Add tenant webhook for spec validation

  • fix: TemplateGroupInstance now cleans up leftover Template resources from namespaces that are no longer part of TGI namespace selector

  • fix: Fixed hibernation sync issue

  • enhance: Update tenant spec for applying common/specific namespace labels/annotations. For more details check out commonMetadata & SpecificMetadata

  • enhance: Add support for multi-pod architecture for Operator-Hub

  • chore: Remove conversion webhook for Quota and Tenant



  • feat: Add hibernation of StatefulSets and Deployments based on a timer
  • feat: New custom resource that handles hibernation


  • fix: Revert v0.4.4


  • feat: Add support for applying labels/annotation on specific namespaces


  • fix: Update privilegedNamespaces regex


  • fix: IntegrationConfig will now be synced in all pods


  • feat: Added support to distribute common labels and annotations to tenant namespaces


  • fix: Update dependencies to latest version


  • feat: Controllers are now separated into individual pods



  • fix: Optimize namespace reconciliation


  • fix: Revert v0.3.29 change till webhook network issue isn't resolved


  • fix: Execute webhook and controller of matching custom resource in same pod


  • feat: Namespace controller will now trigger TemplateGroupInstance when a new matching namespace is created


  • feat: Controllers are now separated into individual pods


  • fix: Enhancement of TemplateGroupInstance Namespace event listener


  • feat: TemplateGroupInstance will create resources instantly whenever a Namespace with matching labels is created


  • fix: Update reconciliation frequency of TemplateGroupInstance


  • feat: TemplateGroupInstance will now directly create template resources instead of creating TemplateInstances

Migrating from pervious version#

  • To migrate to Tenant-Operator:v0.3.25 perform the following steps
    • Downscale Tenant-Operator deployment by setting the replicas count to 0
    • Delete TemplateInstances created by TemplateGroupInstance (Naming convention of TemplateInstance created by TemplateGroupInstance is group-{Template.Name})
    • Update version of Tenant-Operator to v0.3.25 and set the replicas count to 2. After Tenant-Operator pods are up TemplateGroupInstance will create the missing resources


  • feat: Add feature to allow ArgoCD to sync specific cluster scoped custom resources, configurable via Integration Config. More details in relevant docs


  • feat: Added concurrent reconcilers for template instance controller


  • feat: Added validation webhook to prevent Tenant owners from creating RoleBindings with kind 'Group' or 'User'
  • fix: Removed redundant logs for namespace webhook
  • fix: Added missing check for users in a tenant owner's groups in namespace validation webhook
  • fix: General enhancements and improvements

⚠️ Known Issues

  • caBundle field in validation webhooks is not being populated for newly added webhooks. A temporary fix is to edit the validation webhook configuration manifest without the caBundle field added in any webhook, so OpenShift can add it to all fields simultaneously
    • Edit the ValidatingWebhookConfiguration multi-tenant-operator-validating-webhook-configuration by removing all the caBundle fields of all webhooks
    • Save the manifest
    • Verify that all caBundle fields have been populated
    • Restart Tenant-Operator pods


  • feat: Added ClusterRole manager rules extension


  • fix: Fixed the recreation of underlying template resources, if resources were deleted


  • feat: Namespace webhook FailurePolicy is now set to Ignore instead of Fail
  • fix: Fixed config not being updated in namespace webhook when Integration Config is updated
  • fix: Fixed a crash that occurred in case of ArgoCD in Integration Config was not set during deletion of Tenant resource

⚠️ ApiVersion v1alpha1 of Tenant and Quota custom resources has been deprecated and is scheduled to be removed in the future. The following links contain the updated structure of both resources


  • fix: Add ArgoCD namespace to destination namespaces for App Projects


  • fix: Cluster administrator's permission will now have higher precedence on privileged namespaces


  • fix: Add groups mentioned in Tenant CR to ArgoCD App Project manifests' RBAC


  • feat: Add validation webhook for TemplateInstance & TemplateGroupInstance to prevent their creation in case the Template they reference does not exist


  • feat: Added Validation Webhook for Quota to prevent its deletion when a reference to it exists in any Tenant
  • feat: Added Validation Webhook for Template to prevent its deletion when a reference to it exists in any Tenant, TemplateGroupInstance or TemplateInstance
  • fix: Fixed a crash that occurred in case Integration Config was not found


  • feat: Multi Tenant Operator will now consider all namespaces to be managed if any default Integration Config is not found


  • fix: General enhancements and improvements


  • fix: Fix Quota's conversion webhook converting the wrong LimitRange field


  • fix: Fix Quota's LimitRange to its intended design by being an optional field


  • feat: Add ability to prevent certain resources from syncing via ArgoCD


  • feat: Add default annotation to OpenShift Projects that show description about the Project


  • fix: Fix a typo in Multi Tenant Operator's Helm release


  • fix: Fix ArgoCD's destinationNamespaces created by Multi Tenant Operator


  • fix: Change sandbox creation from 1 for each group to 1 for each user in a group


  • feat: Support creation of sandboxes for each group


  • feat: Add ability to create namespaces from a list of namespace prefixes listed in the Tenant CR


  • refactor: Restructure Quota CR, more details in relevant docs
  • feat: Add support for adding LimitRanges in Quota
  • feat: Add conversion webhook to convert existing v1alpha1 versions of quota to v1beta1


  • feat: Add ability to create ArgoCD AppProjects per tenant, more details in relevant docs


  • feat: Add support to add groups in addition to users as tenant members



  • refactor: Restructure Tenant spec, more details in relevant docs
  • feat: Add conversion webhook to convert existing v1alpha1 versions of tenant to v1beta1


  • refactor: Restructure integration config spec, more details in relevant docs
  • feat: Allow users to input custom regex in certain fields inside of integration config, more details in relevant docs


  • feat: Add limit range for kube-RBAC-proxy