Releases: datum-cloud/network-services-operator
Releases · datum-cloud/network-services-operator
Release list
v0.23.12
v0.23.11
What's Changed
- fix(test): wait for CA Certificate Ready before reading its secret by @drewr in #180
- chore: configure Claude Code datum plugins by @scotwells in #114
- fix: pin e2e coraza-waf to a pullable fixed image by @ecv in #264
Full Changelog: v0.23.10...v0.23.11
v0.23.10
v0.23.9
v0.23.8
v0.23.7
What's Changed
- docs: add WASM filter emitter as the recommended approach for telemetry and billing attribution by @JoseSzycho in #177
- docs: refactor service registration brief to HTTP traffic metering by @JoseSzycho in #181
- docs: design brief for service catalog registration by @kevwilliams in #156
- fix: make error-page body Envoy-safe via operator allowlist + startup validation (#243) by @ecv in #244
- test: e2e for TrafficProtectionPolicy Enforce serving traffic (#243) by @ecv in #245
- fix: clone RouteBaseDirectives before per-policy append (#246) by @ecv in #249
New Contributors
- @kevwilliams made their first contribution in #156
Full Changelog: v0.23.6...v0.23.7
v0.23.6: detachHTTPRoutes Spec fix
What's Changed
- docs: add CLAUDE.md for Claude Code guidance by @ecv in #229
- fix: detachHTTPRoutes uses Spec.ParentRefs not Status.Parents by @ecv in #232
Full Changelog: v0.23.5...v0.23.6
v0.23.5: Reject Hostnameless Listeners
What's Changed
- fix: show newly created networking resources in the activity feed by @scotwells in #223
- test(e2e): reproduce #219 hostname-less listener collision by @ecv in #221
- fix: clear error for hostname-less tenant listeners by @ecv in #220
New Contributors
Full Changelog: v0.23.4...v0.23.5
v0.23.4 — Isolate invalid TLS certificates
Fixes
- Invalid TLS certificates no longer take down a whole edge listener (#212, #217). Every HTTPS hostname on a gateway shares one Envoy
:443listener; previously one customer's unusable certificate (expired, withdrawn, mismatched) made Envoy reject the entire listener, dropping HTTPS for every tenant on that edge. A listener whose certificate is expired, not-yet-valid, missing, mismatched, or not yet issued is now withheld from the downstream gateway, so a bad certificate only affects its own hostname. The listener reports clear, non-technicalProgrammed/ResolvedRefsstatus, and self-heals automatically once the certificate issues. A data-plane backstop in the extension server drops only the offending filter chain if a bad certificate ever reaches the edge.
Observability
- Per-listener metrics (withheld listeners, certificate expiry time, gating counter) and extension-server backstop gauges, labelled by gateway/listener/hostname.
- Four alerts: customer listener withheld for a bad certificate, certificate expiring soon, the backstop actively dropping certificates, and — critical — a listener that can't be protected and will have its edge update rejected.
- Runbooks for each alert and ServiceMonitors so operator and extension-server metrics reach Prometheus.
Validated end-to-end on staging: a connector tunnel's :443 listener programs and serves cleanly (200 round-trip) with zero listener rejections.
Full changes: #217
v0.23.3
What's Changed
- Fix tunnels staying offline at the edge after a connector connects by @scotwells in #211
- fix(extension-server): unique connector domain to stop Envoy config NACK by @scotwells in #214
- docs(extension-server): document edge re-translation for connector liveness by @scotwells in #213
- chore: remove unknown field by @zachsmith1 in #133
- test(e2e): fix flaky CA-secret race in gateway-accepted by @scotwells in #215
Full Changelog: v0.23.2...v0.23.3