Skip to content

Releases: datum-cloud/network-services-operator

v0.23.12

Choose a tag to compare

@ecv ecv released this 13 Jul 16:41
411d117

What's Changed

  • fix: flag inverted TrafficProtectionPolicy paranoia levels via status condition by @ecv in #252

Full Changelog: v0.23.11...v0.23.12

v0.23.11

Choose a tag to compare

@ecv ecv released this 13 Jul 16:28
b7f5d29

What's Changed

  • fix(test): wait for CA Certificate Ready before reading its secret by @drewr in #180
  • chore: configure Claude Code datum plugins by @scotwells in #114
  • fix: pin e2e coraza-waf to a pullable fixed image by @ecv in #264

Full Changelog: v0.23.10...v0.23.11

v0.23.10

Choose a tag to compare

@ecv ecv released this 13 Jul 02:52
4a1da1e

What's Changed

  • feat: add automatic re-issuance of failed custom hostname certificates by @ecv in #259

Full Changelog: v0.23.9...v0.23.10

v0.23.9

Choose a tag to compare

@ecv ecv released this 13 Jul 02:01
017f788

What's Changed

  • fix: default TPP paranoiaLevels so CRD applies by @ecv in #258

Full Changelog: v0.23.8...v0.23.9

v0.23.8

Choose a tag to compare

@ecv ecv released this 12 Jul 23:48
f3a0132

What's Changed

  • fix: reject inverted TrafficProtectionPolicy paranoia levels at admission by @ecv in #251
  • fix: retrigger EG translation on TPP spec changes by @ecv in #255

Full Changelog: v0.23.7...v0.23.8

v0.23.7

Choose a tag to compare

@ecv ecv released this 10 Jul 19:40
e159acf

What's Changed

  • docs: add WASM filter emitter as the recommended approach for telemetry and billing attribution by @JoseSzycho in #177
  • docs: refactor service registration brief to HTTP traffic metering by @JoseSzycho in #181
  • docs: design brief for service catalog registration by @kevwilliams in #156
  • fix: make error-page body Envoy-safe via operator allowlist + startup validation (#243) by @ecv in #244
  • test: e2e for TrafficProtectionPolicy Enforce serving traffic (#243) by @ecv in #245
  • fix: clone RouteBaseDirectives before per-policy append (#246) by @ecv in #249

New Contributors

Full Changelog: v0.23.6...v0.23.7

v0.23.6: detachHTTPRoutes Spec fix

Choose a tag to compare

@ecv ecv released this 29 Jun 15:12
2355d20

What's Changed

  • docs: add CLAUDE.md for Claude Code guidance by @ecv in #229
  • fix: detachHTTPRoutes uses Spec.ParentRefs not Status.Parents by @ecv in #232

Full Changelog: v0.23.5...v0.23.6

v0.23.5: Reject Hostnameless Listeners

Choose a tag to compare

@ecv ecv released this 26 Jun 19:32
40ca7d3

What's Changed

  • fix: show newly created networking resources in the activity feed by @scotwells in #223
  • test(e2e): reproduce #219 hostname-less listener collision by @ecv in #221
  • fix: clear error for hostname-less tenant listeners by @ecv in #220

New Contributors

  • @ecv made their first contribution in #221

Full Changelog: v0.23.4...v0.23.5

v0.23.4 — Isolate invalid TLS certificates

Choose a tag to compare

@scotwells scotwells released this 24 Jun 14:35
b1eded2

Fixes

  • Invalid TLS certificates no longer take down a whole edge listener (#212, #217). Every HTTPS hostname on a gateway shares one Envoy :443 listener; previously one customer's unusable certificate (expired, withdrawn, mismatched) made Envoy reject the entire listener, dropping HTTPS for every tenant on that edge. A listener whose certificate is expired, not-yet-valid, missing, mismatched, or not yet issued is now withheld from the downstream gateway, so a bad certificate only affects its own hostname. The listener reports clear, non-technical Programmed / ResolvedRefs status, and self-heals automatically once the certificate issues. A data-plane backstop in the extension server drops only the offending filter chain if a bad certificate ever reaches the edge.

Observability

  • Per-listener metrics (withheld listeners, certificate expiry time, gating counter) and extension-server backstop gauges, labelled by gateway/listener/hostname.
  • Four alerts: customer listener withheld for a bad certificate, certificate expiring soon, the backstop actively dropping certificates, and — critical — a listener that can't be protected and will have its edge update rejected.
  • Runbooks for each alert and ServiceMonitors so operator and extension-server metrics reach Prometheus.

Validated end-to-end on staging: a connector tunnel's :443 listener programs and serves cleanly (200 round-trip) with zero listener rejections.

Full changes: #217

v0.23.3

Choose a tag to compare

@scotwells scotwells released this 23 Jun 21:39
a474ece

What's Changed

  • Fix tunnels staying offline at the edge after a connector connects by @scotwells in #211
  • fix(extension-server): unique connector domain to stop Envoy config NACK by @scotwells in #214
  • docs(extension-server): document edge re-translation for connector liveness by @scotwells in #213
  • chore: remove unknown field by @zachsmith1 in #133
  • test(e2e): fix flaky CA-secret race in gateway-accepted by @scotwells in #215

Full Changelog: v0.23.2...v0.23.3