v0.7.0

[gardener/gardener-extension-shoot-rsyslog-relp]

📰 Noteworthy

• [DEVELOPER] gosec is made available for SAST(static application security testing), it can be run with make sast or make sast-report, but is also incorporated in the verify and verify-extended makefile targets. by @Kostov6 [#189]

🐛 Bug Fixes

• [DEVELOPER] An issue causing make extension-up to fail to patch the ControllerDeployment is now mitigated. by @ialidzhikov [#194]
• [DEVELOPER] An issue causing make extension-up to do NOT generate a new tag for local source code changes is now fixed. by @ialidzhikov [#194]

Helm Charts

• shoot-rsyslog-relp-admission-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-rsyslog-relp-admission-application:v0.7.0
• shoot-rsyslog-relp-admission-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-rsyslog-relp-admission-runtime:v0.7.0
• shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-rsyslog-relp:v0.7.0

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.7.0
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.7.0

v0.6.0

[gardener/gardener-extension-shoot-rsyslog-relp]

📰 Noteworthy

• [DEVELOPER] Monitoring config is now getting deleted on extension removal by @Kostov6 [#185]

✨ New Features

• [OPERATOR] A new api object rsyslog-relp.extensions.gardener.cloud/v1alpha1.Auditd is introduced which is used to specify a configuration for the linux audit daemon on the shoot nodes. by @plkokanov [#149]
• [OPERATOR] Helm charts of extension and admission controller are published as OCI artifacts now. by @oliver-goetz [#147]
• [OPERATOR] Two new fields have been added to the provider config for the shoot-rsyslog-relp extension:
  • .auditConfig.enabled allows users to opt in whether to enable the reconfiguration of audit rules on the shoot's nodes and to also configure auditd to send logs to rsyslog. By default this field is true.
  • .auditConfig.configMapReferenceName is a reference to a ConfigMap shoot resource which contains audit configuration. This field is only taken into account if .auditRulesConfig.enabled is true. The ConfigMap must contain a data key auditd which must contain a value of type rsyslog-relp.extensions.gardener.cloud/v1alpha1.Auditd. by @plkokanov [#149]

🏃 Others

• [OPERATOR] A priorityClassName can now be set for the admission deployment via the gardener-extension-shoot-rsyslog-relp-admission Helm chart. by @timuthy [#135]

Helm Charts

• shoot-rsyslog-relp-admission-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-rsyslog-relp-admission-application:v0.6.0
• shoot-rsyslog-relp-admission-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-rsyslog-relp-admission-runtime:v0.6.0
• shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-rsyslog-relp:v0.6.0

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.6.0
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.6.0

v0.5.2

[gardener/gardener-extension-shoot-rsyslog-relp]

🐛 Bug Fixes

• [OPERATOR] Fixed an issue that caused the -a exit,always -F arch=b64 -S mount_setattr -F auid!=-1 -F key=privileged_special audit rule to not get correctly applied. by @plkokanov [#151]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.5.2
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.5.2

v0.5.1

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] The memory of the rsyslog.service systemd unit is now limited via a drop-in config. The following configurations are used: MemoryMin=15M, MemoryHigh=150M, MemoryMax=300M, MemorySwapMax=0 by @plkokanov [#139]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.5.1
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.5.1

v0.5.0

[gardener/gardener-extension-shoot-rsyslog-relp]

⚠️ Breaking Changes

• [USER] When changing referenced TLS secret in shoot.spec.resources[] the user should provide only immutable secret by @Kostov6 [#76]

🐛 Bug Fixes

• [OPERATOR] Fixed an issue that caused audit logs to be duplicated in journald if the system-journald-audit socket was enabled. Now if the system-journald-audit socket exists on the node, it is disabled and stopped when this extension is used. by @plkokanov [#104]
• [USER] Rsyslog processes logs on nodes with os suse-chost 15 SP3 by @Kostov6 [#123]

🏃 Others

• [OPERATOR] Errors that can occur when loading audit rules are now ignored and reported as warnings. This allows all correct audit rules to be loaded. by @plkokanov [#128]
• [OPERATOR] The rsyslog-relp action which is used to forward logs to a RELP server now uses a separate in-memory queue of 100000 messages. Additionally, it also uses a disk queue of max 48 MiB which is used to store messages after the in-memory queue is exhausted or to save the current messages in the in-memory queue when the rsyslog service is restarted. by @plkokanov [#115]
• [OPERATOR] This extension is now using the new way of providing monitoring configuration (ref GEP-19) in case a shoot cluster's Prometheus has been migrated to management via prometheus-operator. by @rfranzke [#99]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.5.0
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.5.0

v0.4.4

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] The directory where the tls certificates are copied on the node - /etc/ssl/rsyslog, is now created with default (0755) permissions so that it can be read by an rsyslog process that is started without cap_dac_override capability. by @plkokanov [#112]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.4.4
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.4.4

v0.4.3

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] If the certificates used for the rsyslog-relp tls connection are changed, the rsyslog service on the nodes is restarted so that it can properly load the new certificates. by @plkokanov [#107]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.4.3
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.4.3

v0.4.2

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] The reconciliation of the shoot-rsyslog-relp extension no longer waits for the extension-shoot-rsyslog-relp-shoot MangedResource to be deleted during reconciliations, if the Shoot cluster is hibernated. The wait will still be executed when the Shoot is woken up to ensure that the resources deployed in the Shoot are removed. by @plkokanov [#93]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.4.2
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.4.2

v0.4.1

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] The ConfigMap deployed for the monitoring configuration of the shoot-rsyslog-relp extension in Shoot control planes is no longer immutable. This fixes an issue that could cause prometheus-0 pods to get stuck in CrashLoopBackOff. by @plkokanov [#91]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.4.1
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.4.1

v0.4.0

[gardener/gardener-extension-shoot-rsyslog-relp]

⚠️ Breaking Changes

• [OPERATOR] CA and server certificates for the admission component are managed automatically. Passing custom certificates via Helm values is not supported anymore. by @timuthy [#57]
• [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk [#47]
• [OPERATOR] extension-shoot-rsyslog-relp no longer supports Shoots with Кubernetes version == 1.24. by @Kostov6 [#79]

📰 Noteworthy

• [DEVELOPER] The charts/images.yaml file was moved to imagevector/images.yaml. by @plkokanov [#66]

🐛 Bug Fixes

• [OPERATOR] Fixed an issue where the extension-shoot-rsyslog-relp-configuration-cleaner ManagedResource could block Shoot deletion if the shoot-rsyslog-relp was disabled before the Shoot deletion was triggered, and disabling the extension failed while trying to deploy the said ManagedResource and wait for it to become ready. by @plkokanov [#80]

🏃 Others

• [OPERATOR] Bumped github.com/gardener/gardener to v1.89.0. by @plkokanov [#73]
• [OPERATOR] The extension now deploys the rsyslog configuration files by mutating the OperatingSystemConfig resource via a mutating webhook. Cleanup of the rsyslog configuration files is still handled by the rsyslog-relp-configuration-cleaner daemonset. by @plkokanov [#41]
• [OPERATOR] Bump github.com/gardener/gardener to 1.86.0. by @timuthy [#57]
• [OPERATOR] Fixed an issue where rsyslog.service would never get enabled if it was not already enabled by default. by @plkokanov [#58]
• [OPERATOR] The name of the gardener-extension-shoot-rsyslog-relp-admission chart is now correctly specified as gardener-extension-shoot-rsysloog-relp-admission. Previously it was gardener-extension-shoot-rsyslog-relp. This should not require anything to be done by operators when upgrading the chart. by @plkokanov [#39]
• [OPERATOR] The repository is now compliant with the REUSE license format. by @plkokanov [#71]
• [DEVELOPER] The vendor directory was removed in favor of the go mod cache. by @timuthy [#57]
• [DEVELOPER] Bumped golang to v1.22.0 by @plkokanov [#73]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.4.0
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.4.0