0.1.0-rc.1

0.1.0-rc.1

Published 2026-02-26.

Docs snapshot unavailable

This release note is archived, but a matching versioned docs snapshot is not published in this site yet.

GitHub release

View release assets, tag metadata, and the GitHub release entry.

Open

⚠ BREAKING CHANGES

• core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics (#73)
• core: remove Sentinel drift detection (VAP hardening) (#39)
• upgrade: simplify blue/green cutover and split rolling strategy (#37)
• config: openbaocluster config renderer
• upgrade: upgrade manager; blue/green upgrades
• controller: openbaocluster refactor; sentinel improvements

Features

• api: improve sentinel observability (b9d4168)
• backup;restore: azure blob storage and GCS support as backup provider (#71) (e8a2f2d)
• bluegreen: blue/green traffic switching improvements (5e5f815)
• charts: operator helm chart (c00ff58)
• config: structured config for self-init (abf2259)
• controller;chart;rbac: controller hardening, Helm sync automation, and RBAC race fix (#40) (c9dd0b5)
• controller: add extra metrics (3ed3915)
• controller: improve event filtering using centralized predicates (968df6c)
• controller: single tenancy support (49b7327)
• core: add perf baseline harness and gates (#118) (bf91ce2)
• core: blue/green upgrades (1a6783e)
• core: cluster lifecycle hardening; e2e suite refactor (#72) (3de5142)
• core: enable Raft Autopilot for automatic dead server cleanup (#44) (61aa711)
• core: helm manifest values and templates (6060fbd)
• core: Improve OIDC/JWT bootstrap, update strategy configuration and configuration ergonomics (#73) (446e494)
• core: introduce restore CRD (4d19b72)
• core: introduce structured error types (0b17ae1)
• core: make JWT audience configurable and plumb JWT bootstrap config across backup/upgrade/restore (#57) (3057c61)
• core: OpenShift compatibility support (#62) (47d7770)
• e2e: end-to-end testing (47bed1f)
• infra;controller: implement support for online PVC expansion of running OpenBao Clusters (#75) (42fabd3)
• infra: Expose listenerName field for Gateway API HTTPRoute targeting (#30) (5babd3f)
• infra: improve hardened and ACME deployments (#63) (d40600e)
• infra: make DNS namespace configurable in NetworkPolicies (#58) (a675dfa)
• infra: operator security hardening (34e703f)
• infra: standardize sub reconciler pattern (ae79ef5)
• manifests: admission validation policies; backup auth (a76541d)
• manifests: install manifest (ffc63c6)
• manifests: optional sentinel deployment for quicker reconcile (081a17a)
• manifests: security; rbac; backup and upgrade improvements (89a5ee9)
• manifests: self-service tenant onboarding (2a8d4d0)
• manifests: structured configuration (503961d)
• manifests: wire-in image verification for all components (d94d1f9)
• observability: add metrics, dashboards, e2e assertions; upgrade stability (#101) (d4ce07d)
• perf: refresh kind performance baseline (#120) (69e5366)
• policy: enforce Hardened profile requires replicas >= 3 via VAP (#23) (c15ab9f)
• provisioner: configurable tenant resource quotas (#50) (4c6fc29)
• restore: add RBAC for restore jobs and validate authentication (#16) (e7772a1)
• security: Add admission-time protections for SSRF, TLS secrets, and tenant self-service (#51) (ae2f86c)
• security: add operatorimageVerification field to CRD to allow separate verification of both OpenBao and Operator images (#8) (4c1b8cc)
• security: cosign keyless image verification (0c60a60)
• security: expand control-plane audit coverage for startup, operations, and RBAC mutations (#109) (b32dc97)
• security: harden image verification and align edge/nightly signed manifest streams (#112) (b755ca3)
• security: harden image verification defaults and sign edge/nightly images (#111) (5ffed83)
• security: harden operator RBAC with ValidatingAdmissionPolicy guardrails (#100) (643fd94)
• test: tlsroute; monitoring; backup/upgrade (bc8497a)
• upgrade: harden backup and restore flows (cb542ab)
• upgrade: improve upgrade manager stability by using SSA for status updates and make pre-upgrade backup job names deterministic (#17) (78f6124)
• vap: harden OpenBaoRestore VAP guardrails + allow default backup executor image (#76) (93524c8)

Bug Fixes

• admission: add admission check (50d3af0)
• admission: implement security/rbac improvements (95cd1b2)
• api,security: harden CRD/admission contracts and guardrails (#106) (40f49d8)
• api: switch SecretReference to LocalObjectReference (c3b8fef)
• auth: harden OIDC discovery and add least-privilege RBAC + admission guardrails (#86) (d128a5d)
• backup: align retention behavior across providers and refactor backup/restore flow (#105) (2e1fa9d)
• backup: backup (8bdc5fa)
• backup: make sure backup jobs are idempotent (#47) (8e2ec6f)
• backup: manual / scheduled backups (f68172e)
• backup: pod security context hardening for init and backup containers (cec43e6)
• backup: remove unused function (556161f)
• backup: upgrade paths (e2bb9b5)
• bluegreen: harden deterministic upgrade flow, tests, and docs (#104) (bb64c2e)
• chart: sync helm chart (9c22829)
• chart: sync helm chart (#7) (507c364)
• ci: handle kind load failures for multi-arch OpenBao images (#125) (05038ba)
• ci: restore security and bot PR pipeline stability (#129) (ae8d297)
• ci: stabilize nightly e2e image refs and matrix check naming (#121) (c69993d)
• controller: infer BlueImage from running pods to prevent premature upgrades (#95) (dfdc11e)
• controller: persist initialized status (c2ebbd1)
• controller: Prevent data loss by orphaning secrets when DeletionPolicy is Retain (#11) (0899cfa)
• controller: prevent OpenBaoCluster resourceVersion churn (#49) (c0e4fe8)
• controller: remove force ownership of status (#70) (e59e5da)
• controller: strengthen status updates with patching (6c54a5e)
• controller: timeout for image verification (cbcd9cf)
• core: add temporary transient error (e0aeb21)
• core: centralize constants into internal/constants (058b0a3)
• core: check token existence (f4669f5)
• core: decouple openbao client logic (d3a0acc)
• core: harden controller determinism and idempotency (#107) (e573bf9)
• core: improve container status checking (e357dcc)
• core: rbac and admission hardening (477be64)
• deps: resolve security vulnerabilities in go-tuf/v2 and rekor dependencies (#74) (ecbfba8)
• e2e: sentinel drift detection robustness (648f3df)
• e2e: unused param (b7a9c02)
• images: fail-fast on missing OPERATOR_VERSION environment variable (#25) (1a42097)
• Implement versioned default images for backup, upgrade, and init container (#14) (1b34f78)
• infra: add IPv6/dual-stack support for listener binding and development egress rules (#56) (7bfdb41)
• infra: exclude job pods from pdb (#9) (825a191)
• infra: improve initialization robustness by treating transient Secret/RBAC errors as retriable and hardening root-token creation (#55) (f760ac5)
• infra: resolve BackendTLSPolicy mismatch and cleanup stale services after Blue/Green upgrade (#10) (7052a54)
• infra: stop apiserver endpoint autodetection; use service VIP allow-list with optional endpoint IPs (#54) (d73179a)
• init: retrty writing root token to secret to handle transient cr… (#84) (e100176)
• kube: add job check (a7439a9)
• manifests: improve operator rbac (8a17db3)
• manifests: make JWT auth bootstrap a opt-in feature (ded02a3)
• manifests: operator namespace detection (139450a)
• manifests: rbac; upgrade deps (8b7d4e8)
• manifests: secure defaults and profiles (6617383)
• nightly: harden init token persistence and e2e autopilot reliability (#117) (f85886f)
• openbao: handle 403 forbidden gracefully (#94) (4243f67)
• security;e2e: verify signed hardened/acme flows in CI/nightly and support digest-safe keyless defaults (#116) (3b966fe)
• security: implement image verification LRU cache; docker auth handeling (#18) (a4b7203)
• security: performance issue image verification by reording cache lookups (#12) (a5ca5eb)
• sentinel: prevent noisy neighbors and thundering herd behavior (57eb7bd)
• sentinel: rely on uuids instead of timestamps as sentinel triggerid (#6) (f88b697)
• upgrade: add metrics for upgrade (936d71e)
• upgrade: improve upgrade manager stability (#13) (c6a1b34)
• upgrade: make rolling upgrades deterministic and harden rolling upgrade coverage (#103) (5f3edfd)
• upgrade: revert partition update to MergeFrom to fix StatefulSet validation (#52) (504c319)
• upgrade: use SSA for upgrade manager (d0c289c)
• vap: require self init requests when self initialization is enabled (#82) (c572aaa)
• vap: stuck Job deletions by allowing GC Job-finalizer updates in lock-managed-resource-mutations VAP (#53) (0c56a87)

Miscellaneous Chores

• release: set release target to 0.1.0-rc.1 (#133) (ad509ed)

Code Refactoring

• config: openbaocluster config renderer (a230262)
• controller: openbaocluster refactor; sentinel improvements (9d0de98)
• core: remove Sentinel drift detection (VAP hardening) (#39) (d289cf2)
• upgrade: simplify blue/green cutover and split rolling strategy (#37) (7453e23)
• upgrade: upgrade manager; blue/green upgrades (2ba56a4)

0.1.0

Initial release.

Highlights

• Core OpenBao operator (controller + provisioner).
• Helm chart and install manifests (including CRDs).
• Backup/restore and upgrade workflows (including rolling and blue/green).
• Admission and supply-chain guardrails for hardened environments.
• E2E suite and CI pipelines for multi-Kubernetes validation.