This repository has been archived by the owner on Apr 2, 2024. It is now read-only.
Releases: AMRC-FactoryPlus/acs-krb-keys-operator
v1.3.1
What's Changed
- Don't attempt to trim keys for presets by @amrc-benmorrow in #17
Full Changelog: v1.3.0...v1.3.1
Test cosign
v1.3.1-test.1 Update GH Actions
v1.3.0
- Create Sparkplug address entries from KerberosKey CRs
Support for edge clusters
- Extend the KerberosKey CRD to allow Factory+ account information to be specified.
- Create an account in the Factory+ services and link it to a Kerberos principal.
- Provide a bootstrap script to set up a krbkeys operator on an edge cluster.
Test cosign
Fix cosign on build (#13) Only run the build on releases, but run for any release.
Seal secrets to edge clusters.
Add a field to the CRD requesting that the generated secrets are passed to the Edge Deployment Operator for sealing and transport to an edge cluster.
What has changed
- Become a full F+ client with our own credentials.
- Update the CRD to allow specifying an edge cluster to transport the secret to.
- Pass the secret to the EDO where requested.
Deployment notes
- The required deployment configuration has changed:
  - The operator now requires two ccaches, one with kadmin/admin credentials and one with a TGT. This is because a kadmin ticket must be acquired as initial credentials.
  - The name of the kadmin ccache must be passed in the KADMIN_CCACHE environment variable.
  - The operator requires a DIRECTORY_URL to bootstrap F+ service discovery.
- The CRD has changed and must be updated on the cluster. Note that the ACS Helm chart will not do this automatically.
Support creating cross-realm trusts.
- Support a new 'Trust' key type, which creates a JSON structure containing the information needed for a cross-realm trust key.
- Support server key rotation better by allowing old keys to be left in the keytab for a period of time.
- Don't re-key unless it's necessary. Support a forced re-key via an annotation.
- Label our secrets, and refuse to edit secrets we didn't label.
Upgrading requires a few shell commands to be run to label any existing secrets.
v1.0.1
What's Changed
- Update bootstrap script to include namespace watching changes by @AlexGodbehere in #1
New Contributors
- @AlexGodbehere made their first contribution in #1
Full Changelog: v1.0.0...v1.0.1