v2.2.0

Release notes

Breaking changes

AKS ManagedClusterServicePrincipalProfile.Secret changed from string to genruntime.SecretReference (#3026)

We always try to avoid breaking changes, but in this case, allowing raw passwords in the spec is a security problem and as such we've
decided to take a break to correct this issue.

Action required: If the ContainerService/ManagedClusters resource is installed in your cluster and the ManagedClusterServicePrincipalProfile.Secret property is set on your ManagedCluster resource, follow the steps in breaking changes document.

Removed the following Status properties, which were never populated (#3034):

• MachineLearningServices:

  • UserAccountCredentials_STATUS.AdminUserPassword
  • UserAccountCredentials_STATUS.AdminUserSshPublicKey
  • VirtualMachineSshCredentials_STATUS.Password

• Synapse:

  • Workspace_STATUS.SqlAdministratorLoginPassword

Upcoming Breaking changes

Beta CRD deprecation

Beta CRD versions (any version with v1beta prefix) will be deprecated no sooner than v2.3.0. We recommend you start using v1api prefixed versions now. You can easily swap from a v1beta version to a v1api version by just replacing v1beta with v1api in your CRD YAML.

Tools

• Tolerate some errors during asoctl import (#3151)
• Fix asoctl when importing resources with fixed names (#3099)

New resources

• DataProtection/BackupVaults (#3078)
• Devices/IotHub (#2999)
• Network/DnsResolver, Network/DnsResolvers/InboundEndpoint and Network/DnsResolvers/OutboundEndpoint (#3046)
• Network/DnsForwardingRuleSet and Network/DnsForwardingRuleSet/ForwardingRule (#3046)
• ContainerService/ManagedCluster/TrustedAccessRoleBinding

Features

• Improve pod securityContext parameters (#3072)
• Export API keys(AdminPrimaryKey, AdminSecondaryKey, QueryKey) for Search/SearchService (#3065)
• Support autogenerating RoleAssignment GUID for AzureName (#3094)
• Export FederatedIdentityCredential.Issuer and FederatedIdentityCredential.Subject as ConfigMaps (#3125)
• Bump cert-manager version to v1.12.1 (#3073)
• Bump controller-runtime version to 0.15.0 (#3138)

Bug Fixes

• Prevent resource drift that could occur without correction by ASO for Resource Providers which work more as a PATCH than a PUT (#3060)
• Resource with reconcile-policy: skip now populates ConfigMap (#2985)
• Fix bug where pre-upgrade check could mistakenly check CRDs that weren't ASO CRDs, causing upgrade to fail (#3128)
• SecurityRules are now merged with NetworkSecurityGroup to avoid clearing and re-create them during reconciliation (#3121)
• Fix networking resources deletion of child resources during adoption (#3136)

Documentation

• Improve our documentation for Dev Setup (#3041)
• Include hand-crafted resources in documentation indexes (#3055)
• Update Managed Identity documentation (#3071)
• Add CRD pattern docs for each group (#3147)

External Contributors

• @shay-ag made their first contribution in #3078
• @khareyash05 made a contribution to increase test coverage in #3134

Full Changelog: v2.1.0...v2.2.0

v2.1.0

Release notes

Breaking changes

The operator no longer installs CRDs by default

Action required: When installing ASO for the first time, you must now specify crdPattern (for Helm) or --crd-patterns (in operator pod cmdline for raw YAML) to select the subset of CRDs you would like to install.

When upgrading ASO, existing CRDs will be automatically updated to the new version but new CRDs added in that release will not automatically be installed. This means that when upgrading the operator, if you don't want to use any CRDs newly added in that release you don't need to do anything.

Action required: When upgrading ASO, if you want to install new CRDs (for example CRDs just added in the version of ASO you are upgrading to) you must specify crdPattern (Helm) or --crd-patterns (YAML) to install the CRDs. For example: if you do want to use a newly added CRD (such as network.azure.com/bastionHosts mentioned below), you would need to specify crdPatterns=network.azure.com/* when performing the upgrade.

See CRD management in ASO for more details about this change and why it was made.

serviceoperator.azure.com/credential-from no longer supports cross namespace secret references

This was never documented as supported but worked unintentionally. The feature now works as it was always documented: allowing references to secrets only if the secret is in the same namespace as the resource itself.

This was a security issue which we had to close.

See #2919 for more details.

Upgrades from releases prior to v2.0.0-beta.5 are still disallowed

We recommend upgrading from v2.0.0-beta.5 to v2.0.0 and then to v2.1.0.

Upgrading to v2.1.0 from a version prior to v2.0.0-beta.5 is blocked in Helm by a Helm upgrade hook.

Upcoming Breaking changes

Beta CRD deprecation

Beta CRD versions (any version with v1beta prefix) will be deprecated no sooner than v2.3.0. We recommend you start using v1api prefixed versions now. You can easily swap from a v1beta version to a v1api version by just replacing v1beta with v1api in your CRD YAML.

AKS ManagedClusterServicePrincipalProfile.Secret will change from string to genruntime.SecretReference

We realized that this field contains a secret and as such should not be specified. Secrets should not appear in plain text in CRs. We will be making a breaking change in 2.2.0 to resolve this issue.

In the meantime: We strongly recommend you use managed identity (the default) for your clusters.

Tools

• asoctl can now import entire Resource Groups (#2908)
• asoctl can now save imported resources to separate YAML files (#2963)

New resources

• Support Azure DataFactory (#2883)
• Support Microsoft.Network/bastionHosts (#2913)
• Support Microsoft.DBForPostgreSQL FlexibleServer Users (#2834)
• Support Microsoft.Network/natGateways (#2906)
• Support Microsoft.Network/dnszone and Microsoft.Network/dnszone/recordSets (#2918)
• Support Microsoft.Search/searchService (#2916)
• Support Microsoft.DBForMySQL/flexibleServers/configuration #(2987)
• Support Microsoft.ServiceBus/authorizationRules (#2988)
• Support Microsoft.Network/loadBalancers/inboundNatRule (#2984)
• Support Microsoft.Storage/accounts/fileService, tableService, fileShare and table (#2960)

Features

• Updated kind and other dependencies (#2897)
• Support export of AppInsights/Component ConnectionString and InstrumentationKey (#2899)
• Support AAD users for MySQL via existing MySQL User resource (#2954)
• Allow users to configure a subset of CRDs to install (#3007)

Bug fixes

• Fixed bug where we mistakenly retried on OperationNotAllowed for all resources, instead of just a few (#2946)

Documentation

• Regenerate API documentation (#2925)
• Fix various broken links, for example in (#2991)
• Split resources indexes into groups (#3000)

New Contributors

• @johgoe made their first contribution in #2834
• @khareyash05 made their first contribution in #2956

Full Changelog: v2.0.0...v2.1.0

1.0.59040

Changes:

• Add support for subscriptionID on AzureSQL types #2910

v2.0.0

Release notes

This is ASO's first GA release!

Breaking changes

Upgrades from releases prior to v2.0.0-beta.5 are disallowed

We changed how we manage CRDs in this release (see #2769), and as a result if using Helm you must upgrade from v2.0.0-beta.5 to v2.0.0.
You cannot upgrade from v2.0.0-beta.4 or earlier directly to v2.0.0. This is enforced with a Helm upgrade hook.

This restriction is just for upgrades to the v2.0.0 version, although we always recommend upgrading one version at a time.

Alpha CRD versions have been removed

You cannot successfully upgrade to v2.0.0 until you have followed our migration guide.

Fresh installations of v2.0.0 are unaffected.

ResourceGroup Status.ProvisioningState field is now Status.Properties.ProvisioningState

We believe that this is unlikely to break users as tooling always uses the Conditions field rather than ProvisioningState to track resource provisioning
progress, but calling it out nonetheless for completeness.

Upcoming Breaking changes

Beta CRD versions (any version with v1beta prefix) will be deprecated no sooner than v2.3.0. We recommend you start using
v1api prefixed versions now. You can easily swap from a v1beta version to a v1api version by just replacing v1beta with v1api in your CRD YAML.

Tools

• New asoctl tool can be used to import existing resources from Azure and remove deprecated CRD versions. See asoctl for more details.

New resources

• Support new AKS ManagedCluster version 20230201 (#2727)
• Support Azure SQL and 20+ associated resources (#2698)
• Support PrivateLinkService (#2733)
• Support PrivateEndpoint (#2733)
• Support PrivateDNSZone Records (#2733)
• Support Synapse Workspace and BigDataPool (#2860)

Features

• Use v1 version for webhook conversionReviewVersions (#2760)
• Code generate ResourceGroup (#2748)
• Make the default credential optional (#2758)
• The operator pod now manages ASO CRDs, rather than Helm (#2769)
• Add support for Azure client certificate auth (#2786)
• Increase initialDelaySeconds for readiness and liveness probe (#2844)
• Support UserAssignedIdentities on all relevant resources (#2850)

Bug fixes

• NamespacesTopicsSubscription no longer gets stuck when attempting to use the forwardTo field if the Queue being forwarded to is being created (#2777)

Documentation

• Improve insights samples (#2827)

Full Changelog: v2.0.0-beta.5...v2.0.0

New Contributors

• @emilychu9318 made their first contribution in #2781

v2.0.0-beta.5

Release notes

This is a small maintenance release containing mostly security updates and bug fixes.

Features

• Bump go version to 1.20.1 (#2735)
• Bump github.com/Azure/aad-pod-identity from 1.6.3 to 1.8.13 (#2667)
• Bump golang.org/x/net from 0.4.0 to 0.7.0 (#2730)
• Bump kube-rbac-proxy to version 0.13.1 (#2745)
• Add keep annotation to CRDs in Helm (#2754)
• Export controllers.CreateScheme to make creating clients easier (#2714)

Bug fixes

• Use correct API version for DELETE requests (#2709)
• Postpone update of PostgreSQL Flexible Server if it's already updating (#2688)
• Postpone update of containerservice ManagedCluster and AgentPool if they're already updating (#2686)

Documentation

• Document ASO controller settings (#2658)
• FAQ updates (#2676, #2696)
• Fix multitenancy creds options list in docs (#2737)

Full Changelog: v2.0.0-beta.4...v2.0.0-beta.5

v2.0.0-beta.4

Breaking changes

In the beta.4 release of Azure Service Operator (ASO) we are pivoting to using Azure Swagger API Specifications as the sole source of truth for our code generator. This change brings with it a significant improvement in fidelity, and some breaking changes which you can find on the breaking changes documentation.

Release Notes

New resources

• Version 2022-01-20preview of Dbforpostgresql/FlexibleServer (#2642)

Features

• Updated versions of a few dependencies for CVE reasons (#2566)
• Increase AZURE_SYNC_PERIOD default from 15m to 1h (#2578)
• Add ability to support namespaced credential - single-operator multitenancy (#2559)
• Add ability to support per-resource credential - single-operator multitenancy (#2576)
• Add support to import tenantID, applicationID and objectID for Keyvault AccessPolicies from Configmap reference (#2595)
• Add workload identity support for single-operator multitenancy (#2612)
• Use Swagger as sole input for CRD generation (#2323)
• Workload Identity improvements: Eliminate the requirement for Workload Identity deployment (#2651)

Bug Fixes

• Configure rate limiter to accommodate ARM throttling (#2601)
• Fix helm annotations indentation (#2617)
• Fix an issue where ASO metrics were not exposed properly (#2648)

Full Changelog: v2.0.0-beta.3...v2.0.0-beta.4

v2.0.0-beta.3

Release notes

New resources

• Add managedidentity.FederatedIdentityCredential (#2470)
• Add appconfiguration.ConfigurationStore (#2472)
• Add documentdb.SqlRoleAssignment (#2487)
• Add web.Site and web.ServerFarm (#2465)
• Add servicebus.Subscription (#2524)

Features

• Support installing ASO into a custom namespace in Helm chart (#2458)
• Support installing ASO in multi-tenant mode via the Helm chart (#2460)
• Logging improvements: remove duplicate log messages and add useful logs on delete path (#2469, #2536)
• Allow users to export ServiceBusEndpoint for ServiceBusNamespace (#2490)
• Add support for Workload Identity (#2464)
• Allow users to export certain interesting properties to a ConfigMap via the operatorSpec.ConfigMaps property (#2530)
• Update dependencies (client-go, apimachinery, controller-runtime) (#2543)
• Enable ConfigMap input for RoleAssignment PrincipalId (#2550)
• Move samples to more easily discoverable location (#2554)

Bug fixes

• Fix an issue during resource deletion where the Ready condition could fail to contain details about delete errors (#2462)
• Fix an issue where ResourceGroup could be created with an invalid AzureName (#2488)
• Fix an issue where ASO would fail to create resources in subscriptions where the RP of that resource was not yet registered (#2516)
• Fix an issue when deleting a resource that could cause the resource to not actually be deleted in Azure (#2560)

Upcoming deprecations

The v1alpha1 resources will be deprecated in a future release.

Please migrate away from these resources by updating the apiVersion to the corresponding v1beta... API. See supported resources for details about the specific apiVersion to use for each type of resource.

New Contributors

• @mehighlow made their first contribution in #2532

New community channel

Come join us on the Kubernetes Slack in the #azure-service-operator channel!

Full Changelog: v2.0.0-beta.2...v2.0.0-beta.3

v2.0.0-beta.2

New resources

• Version 2022-03-01 of Compute resources (#2409)
• networking.PrivateDnsZone (#2430)
• subscription.Alias (#2446)
• machinelearning.Workspaces, machinelearing.WorkspacesCompute, and machinelearning.WorkspacesConnection (#2319)

Features

• Samples are now tested in CI to make sure they work out of the box. Note that you may still need to change names if the sample names are taken.
• Support for national clouds (#2441)
• Updated versions of a few dependencies for CVE reasons (#2384)
• Expose metrics container port for scraping (#2380)

Bug fixes

• Fix bug where a resource would continue to display a Ready condition with Severity Warning due to a required Secret not existing after the secret was already created. (#2422)
• Resources no longer have reconcile triggered if a secret named the same as their secret is updated in a different namespace (#2403)
• Fixed bug where resources could report successful resource creation when in reality resource creation failed. Operator would then continuously hit error attempting to get resource because it didn't exist. (#2381).

Upcoming deprecations

The v1alpha1 resources will be deprecated in a future release.

Please migrate away from these resources by updating the apiVersion to the corresponding v1beta... API. See supported resources for details about the specific apiVersion to use for each type of resource.

Full Changelog: v2.0.0-beta.1...v2.0.0-beta.2

1.0.45297: Fix ADO job cluster query (#2421)

Changes:

• Fix CVEs in ASOv1 (#2374)

v2.0.0-beta.1

Breaking changes

• Removed the password field of osProfile in virtualmachinescalesets.compute.azure.com status. This field was never returned by the underlying API and so was always empty.
• Renamed eTag to etag in the status of workspaces.operationalinsights.azure.com. This field was always empty previously. See the upstream change for more context.

If you have not taken an explicit dependency on one of the status fields mentioned above you should be able to directly upgrade from v2.0.0-beta.0 to v2.0.0-beta.1 .

Helm chart breaking changes

• CRDs are now managed as resources by Helm. This was necessary for Helm to apply CRD updates. See #2338 for more details.

Warning: If you deployed v2.0.0-beta.0 with Helm, you must manually adopt the CRDs into the Helm release before upgrading to v2.0.0-beta.1 or helm upgrade will fail. You can use the script below to do this.

First set set HELM_RELEASE=<your helm release name> and HELM_RELEASE_NAMESPACE=azureserviceoperator-system

#!/bin/bash

set -euo pipefail

echo "Annotating ASO CRDs with release-name=${HELM_RELEASE}, release-namespace=${HELM_RELEASE_NAMESPACE}"

for CRD in $(kubectl get crds -o='custom-columns=Name:.metadata.name' | grep azure.com)
do
    kubectl label crd ${CRD} app.kubernetes.io/managed-by=Helm --overwrite
    kubectl annotate crd ${CRD} meta.helm.sh/release-name=${HELM_RELEASE} --overwrite
    kubectl annotate crd ${CRD} meta.helm.sh/release-namespace=${HELM_RELEASE_NAMESPACE} --overwrite
done

Release notes

New resources

• containerinstance.ContainerGroup by @majguo (#2330)
• cdn.Profile and cdn.ProfilesEndpoint (#2286)
• dbformariadb.Server, dbformariadb.Database and dbformariadb.Configuration (#2306)
• keyvault.Vault (#2310)
• networking.RouteTable and networking.RouteTablesRoute (#2302)
• dbformysql.User (#2328)

Features

• A number of documentation improvements, including changing the format of the documentation website to look nicer while also being easier to navigate.
• Added liveness probe to operator pod (#2254)
• Add validation for AzureName and Owner immutability (#2260)
• Added infrastructure to support reconciling resources that aren't ARM resources. The first example of this is the new dbformysql.User support (#2328)
• Expose fullyQualifiedDomainName as a secret for postgres and mysql (#2297)
• Make manager container the default for kubectl logs (#2303)
• Update version of gopkg.in/yaml.v3 to address CVE-2022-28948 (#2320)
• Update azcore, azidentity and azure-sdk to v1.0.0 (#2331)
• Add support for AKS ManagedCluster credentials (#2355)

Bug fixes

• Add missing secret permissions to ASO service account (#2346)
• Fix bug where controller could crash if attempting to emit metric for HTTP response that timed out (#2347)
• Add leases access to leader role (#2365)
• Clearer error if AzureName is not set (#2366)

Upcoming deprecations

The v1alpha1 resources will be deprecated no sooner than v2.0.0-beta.2.

Please migrate away from these resources by updating the apiVersion to the corresponding v1beta... API. See supported resources for details about the specific apiVersion to use for each type of resource.

New Contributors

• @majguo made their first contribution in #2330

Full Changelog: v2.0.0-beta.0...v2.0.0-beta.1