  • enhance: Removed Quota's default support of adding it to Tenant CR in spec.quota, if "true" annotation is present
  • fix: ValidatingWebhookConfiguration CRs are now owned by OLM, to handle cleanup upon operator uninstall
  • enhance: TemplateGroupInstance CRs now actively watch the resources they apply, and perform functions to make sure they are in sync with the state mentioned in their respective Templates

More information about TemplateGroupInstance's sync is available at Sync Resources Deployed by TemplateGroupInstance


  • fix: Values within TemplateInstances created via Tenants will no longer be duplicated on Tenant CR update
  • fix: Fixed a bug that made private namespaces become public


  • fix: Allow namespace controller to reconcile without crashing, if no IC exists
  • fix: In case a group mentioned in IC doesn't exist, it won't block reconciliation or editing of MTO's manifests


  • feat: Added console for tenants, templates and integration config
  • feat: Added support for custom realm name for RHSSO integration in Integration Config
  • feat: Add multiple status conditions to tenant and TGI for success and failure cases
  • feat: Show error messages with tenant and TGI status
  • fix: Stop reconciliation breaking for tenant and TGI, instead continue and show warnings
  • fix: Disable TGI/TI reconcile if mentioned template is not found.
  • fix: Disable repeated users webhook in tenant
  • enhance: Reduced API calls
  • enhance: General enhancements and improvements
  • chore: Update dependencies

Enabling console

  • To enable console visit Installation, and add config to subscription for OperatorHub based installation.



  • fix: Reconcile namespaces when the group spec for tenants is changed, so new rolebindings can be created for them


  • fix: Updated release pipelines


  • feat: Allow custom roles for each tenant via label selector, more details in custom roles document
    • Roles mapping is a required field in MTO's IntegrationConfig. By default, it will always be filled with OpenShift's admin/edit/view roles
    • Ensure that mentioned roles exist within the cluster
    • Remove coupling with OpenShift's built-in admin/edit/view roles
  • feat: Removed coupling of ResourceSupervisor and Tenant resources
    • Added list of namespaces to hibernate within the ResourceSupervisor resource
    • Ensured that the same namespace cannot be added to two different Resource Supervisors
    • Moved ResourceSupervisor into a separate pod
    • Improved logs
  • fix: Remove bug from tenant's common and specific metadata
  • fix: Add missing field to Tenant's conversion webhook
  • fix: Fix panic in ResourceSupervisor sleep functionality due to sending on closed channel
  • chore: Update dependencies



  • maintain: Automate certification of new MTO releases on Red Hat's Operator Hub


  • feat: Updated Tenant CR to provide Tenant level AppProject permissions


  • feat: Add support to map secrets/configmaps from one namespace to other namespaces using TI. Secrets/configmaps will only be mapped if their namespaces belong to same Tenant


  • feat: Add option to keep AppProjects created by Multi Tenant Operator in case Tenant is deleted. By default, AppProjects get deleted
  • fix: Status now updates after namespaces are created
  • maintain: Changes to Helm chart's default behaviour


  • feat: Add support to map secrets/configmaps from one namespace to other namespaces using TGI. Resources can be mapped from one Tenant's namespaces to some other Tenant's namespaces
  • feat: Allow creation of sandboxes that are private to the user
  • feat: Allow creation of namespaces without tenant prefix from within tenant spec
  • fix: Webhook changes will now be updated without manual intervention
  • maintain: Updated Tenant CR version from v1beta1 to v1beta2. Conversion webhook is added to facilitate transition to new version
  • enhance: Better automated testing



  • fix: Update MTO service-account name in environment variable


  • feat: Add support to ArgoCD AppProjects created by Tenant Controller to have their sync disabled when relevant namespaces are hibernating
  • feat: Add validation webhook for ResourceSupervisor
  • fix: Delete ResourceSupervisor when hibernation is removed from tenant CR
  • fix: CRQ and limit range not updating when quota changes
  • fix: ArgoCD AppProjects created by Tenant Controller not updating when Tenant label is added to an existing namespace
  • fix: Namespace workflow for TGI
  • fix: ResourceSupervisor deletion workflow
  • fix: Update RHSSO user filter for Vault integration
  • fix: Update regex of namespace names in tenant CRD
  • enhance: Optimize TGI and TI performance under load
  • maintain: Bump Operator-SDK and Dependencies version



  • fix: Update Helm dependency to v3.8.2


  • fix: Add support for parameters in Helm chartRepository in templates


  • fix: Add service name prefix for webhooks


  • fix: ResourceSupervisor CR no longer requires a field for the Tenant name


  • feat: Add support for tenant namespaces off-boarding. For more details check out onDelete
  • feat: Add tenant webhook for spec validation

  • fix: TemplateGroupInstance now cleans up leftover Template resources from namespaces that are no longer part of TGI namespace selector

  • fix: Fixed hibernation sync issue

  • enhance: Update tenant spec for applying common/specific namespace labels/annotations. For more details check out commonMetadata & SpecificMetadata

  • enhance: Add support for multi-pod architecture for Operator-Hub

  • chore: Remove conversion webhook for Quota and Tenant



  • feat: Add hibernation of StatefulSets and Deployments based on a timer
  • feat: New custom resource that handles hibernation


  • fix: Revert v0.4.4


  • feat: Add support for applying labels/annotation on specific namespaces


  • fix: Update privilegedNamespaces regex


  • fix: IntegrationConfig will now be synced in all pods


  • feat: Added support to distribute common labels and annotations to tenant namespaces


  • fix: Update dependencies to latest version


  • feat: Controllers are now separated into individual pods



  • fix: Optimize namespace reconciliation


  • fix: Revert v0.3.29 change until the webhook network issue is resolved


  • fix: Execute webhook and controller of matching custom resource in same pod


  • feat: Namespace controller will now trigger TemplateGroupInstance when a new matching namespace is created


  • feat: Controllers are now separated into individual pods


  • fix: Enhancement of TemplateGroupInstance Namespace event listener


  • feat: TemplateGroupInstance will create resources instantly whenever a Namespace with matching labels is created


  • fix: Update reconciliation frequency of TemplateGroupInstance


  • feat: TemplateGroupInstance will now directly create template resources instead of creating TemplateInstances

Migrating from previous version

  • To migrate to Tenant-Operator:v0.3.25 perform the following steps
    • Downscale Tenant-Operator deployment by setting the replicas count to 0
    • Delete TemplateInstances created by TemplateGroupInstance (Naming convention of TemplateInstance created by TemplateGroupInstance is group-{Template.Name})
    • Update version of Tenant-Operator to v0.3.25 and set the replicas count to 2. After Tenant-Operator pods are up TemplateGroupInstance will create the missing resources


  • feat: Add feature to allow ArgoCD to sync specific cluster scoped custom resources, configurable via Integration Config. More details in relevant docs


  • feat: Added concurrent reconcilers for template instance controller


  • feat: Added validation webhook to prevent Tenant owners from creating RoleBindings with kind 'Group' or 'User'
  • fix: Removed redundant logs for namespace webhook
  • fix: Added missing check for users in a tenant owner's groups in namespace validation webhook
  • fix: General enhancements and improvements

⚠️ Known Issues

  • caBundle field in validation webhooks is not being populated for newly added webhooks. A temporary fix is to edit the validation webhook configuration manifest without the caBundle field added in any webhook, so OpenShift can add it to all fields simultaneously
    • Edit the ValidatingWebhookConfiguration stakater-tenant-operator-validating-webhook-configuration by removing all the caBundle fields of all webhooks
    • Save the manifest
    • Verify that all caBundle fields have been populated
    • Restart Tenant-Operator pods
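
The "verify that all caBundle fields have been populated" step can be checked mechanically. The following is an added example, not part of the operator or its documentation: it reads the JSON form of the ValidatingWebhookConfiguration and lists every webhook whose caBundle is missing, empty, or not a base64-encoded PEM certificate. The webhook names and certificate body in the sample are constructed placeholders.

```python
import base64
import binascii
import json
import sys

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def ca_bundle_problem(webhook):
    """Return a reason string if the webhook's caBundle is unusable, else None."""
    bundle = (webhook.get("clientConfig") or {}).get("caBundle")
    if not bundle:
        return "caBundle missing or empty"
    try:
        decoded = base64.b64decode(bundle, validate=True)
    except (binascii.Error, ValueError):
        return "caBundle is not valid base64"
    if PEM_MARKER not in decoded:
        return "caBundle does not decode to a PEM certificate"
    return None


def unpopulated_webhooks(config):
    """Map webhook name -> problem for every webhook without a usable caBundle."""
    problems = {}
    for webhook in config.get("webhooks") or []:
        problem = ca_bundle_problem(webhook)
        if problem:
            problems[webhook.get("name", "<unnamed>")] = problem
    return problems


# Constructed sample: webhook names and the certificate body are placeholders.
_PEM = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
SAMPLE = {
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "stakater-tenant-operator-validating-webhook-configuration"},
    "webhooks": [
        {"name": "old.example.invalid", "clientConfig": {"caBundle": base64.b64encode(_PEM).decode()}},
        {"name": "new.example.invalid", "clientConfig": {"service": {"name": "placeholder"}}},
        {"name": "empty.example.invalid", "clientConfig": {"caBundle": ""}},
    ],
}

if __name__ == "__main__":
    # Real use: kubectl get validatingwebhookconfiguration <name> -o json | python3 this_file.py
    config = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, problem in unpopulated_webhooks(config).items():
        print(f"{name}: {problem}")
    sys.exit(1 if unpopulated_webhooks(config) else 0)
```

The script exits non-zero while any webhook is still unpopulated, so it can gate the pod restart in the last step.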


  • feat: Added ClusterRole manager rules extension


  • fix: Fixed the recreation of underlying template resources, if resources were deleted


  • feat: Namespace webhook FailurePolicy is now set to Ignore instead of Fail
  • fix: Fixed config not being updated in namespace webhook when Integration Config is updated
  • fix: Fixed a crash that occurred when ArgoCD was not set in Integration Config during deletion of a Tenant resource

⚠️ ApiVersion v1alpha1 of Tenant and Quota custom resources has been deprecated and is scheduled to be removed in the future. The following links contain the updated structure of both resources


  • fix: Add ArgoCD namespace to destination namespaces for App Projects


  • fix: Cluster administrator's permission will now have higher precedence on privileged namespaces


  • fix: Add groups mentioned in Tenant CR to ArgoCD App Project manifests' RBAC


  • feat: Add validation webhook for TemplateInstance & TemplateGroupInstance to prevent their creation in case the Template they reference does not exist


  • feat: Added Validation Webhook for Quota to prevent its deletion when a reference to it exists in any Tenant
  • feat: Added Validation Webhook for Template to prevent its deletion when a reference to it exists in any Tenant, TemplateGroupInstance or TemplateInstance
  • fix: Fixed a crash that occurred in case Integration Config was not found


  • feat: Multi Tenant Operator will now consider all namespaces to be managed if no default Integration Config is found


  • fix: General enhancements and improvements


  • fix: Fix Quota's conversion webhook converting the wrong LimitRange field


  • fix: Fix Quota's LimitRange to its intended design by being an optional field


  • feat: Add ability to prevent certain resources from syncing via ArgoCD


  • feat: Add default annotation to OpenShift Projects that show description about the Project


  • fix: Fix a typo in Multi Tenant Operator's Helm release


  • fix: Fix ArgoCD's destinationNamespaces created by Multi Tenant Operator


  • fix: Change sandbox creation from 1 for each group to 1 for each user in a group


  • feat: Support creation of sandboxes for each group


  • feat: Add ability to create namespaces from a list of namespace prefixes listed in the Tenant CR


  • refactor: Restructure Quota CR, more details in relevant docs
  • feat: Add support for adding LimitRanges in Quota
  • feat: Add conversion webhook to convert existing v1alpha1 versions of quota to v1beta1


  • feat: Add ability to create ArgoCD AppProjects per tenant, more details in relevant docs


  • feat: Add support to add groups in addition to users as tenant members



  • refactor: Restructure Tenant spec, more details in relevant docs
  • feat: Add conversion webhook to convert existing v1alpha1 versions of tenant to v1beta1


  • refactor: Restructure integration config spec, more details in relevant docs
  • feat: Allow users to input custom regex in certain fields inside of integration config, more details in relevant docs


  • feat: Add limit range for kube-rbac-proxy

