Releases: Azure/azure-service-operator

Experimental

16 May 02:49
c2e052e
Pre-release

This is an experimental release containing the most recent commits from the main branch as of commit: c2e052e.

This release might not be stable. Use at your own risk.

⚠️ The provided YAML manifest does not configure any CRDs to install by default, but specifying them is required.
You must specify the CRDs that you want to use as part of crdPattern, for example 'resources.azure.com/*;containerservice.azure.com/*;keyvault.azure.com/*;managedidentity.azure.com/*;apimanagement.azure.com/*'.

The recommended way to supply crdPattern is using asoctl template:

    asoctl export template --source https://github.com/Azure/azure-service-operator/releases/download/experimental/azureserviceoperator_experimental.yaml --crd-pattern "<pattern>" | kubectl apply -f -

This release is only intended for developers wishing to try out the latest features, some of which may not be fully implemented.

It is not recommended to run the experimental release for a long period of time, as the docker image referenced by the deployment is
mcr.microsoft.com/k8s/azureserviceoperator:experimental, which is always being updated. Test what you want to test and then uninstall the operator.
Running the operator for long periods of time on the experimental tag is not supported and will likely cause problems eventually.

v2.7.0

25 Apr 18:12
3efbdf4

Release notes

Breaking changes

Metrics endpoint has changed from 8080 to 8443 and now requires HTTPS

ASO no longer depends on kube-rbac-proxy and now correctly secures the metrics endpoint by default.

This behaviour is configured via the following options in the Helm chart:

    --set metrics.secure=true/false (default: true)
    --set metrics.address=0.0.0.0:8443 (default)

For more details about how to scrape metrics, see the metrics guide.

Secret or ConfigMap values which cannot be written now trigger a reconcile error

Previously, if ASO couldn't find the corresponding secret/configmap value, it would just skip creating it with no error. This is almost
never what users expect: if they ask for a specific ConfigMap or Secret value to be exported they expect it to actually get exported. ASO now
behaves as expected in cases where it cannot find the value to export and will set an appropriate Ready condition warning.

See #3925 for more details.

Upcoming Breaking changes

None

New resources

  • Support new MySQL API version 2023-06-30 (#3905)
  • Support new Insight/Webtest API version 2022-06-15 (#3911)
  • New resource Backup Instance for Microsoft.DataProtection (#3736)

Features

  • Expose pprof endpoint at metrics URL when setting --set metrics.profiling=true/false (default: false) (#3833)
  • Managedidentity operatorspec supports export to a secret (#3937)
  • Add asoctl template command (#3968)

Improvements

  • Updated numerous Golang dependencies
  • Support exporting eventhub keys (#3882)
  • Add namespace, label, and annotation support to asoctl import (#3884)

Bug fixes

  • Fix bug where Reconciling condition would sometimes fail to overwrite AzureResourceNotFound (#3834)
  • Fix bug where documentdb capacity failures had a very hard to understand error (#3906)
  • Fix bug where user requested secrets or configmaps were not emitted in some edge cases (#3925)
  • Fix asoctl bug that could prevent imported resources from being applied because of letter case differences in responses from ARM (#3880)
  • Fix asoctl bug where attempts to list the extension resource kubernetesconfiguration/extension could abort the import (#3853)
  • Fix asoctl panic when resource types case mismatched (#3862)

Documentation

  • Add ASOv1 to ASOv2 migration guide (#3898)
  • Improve various small doc nits (#3909)
  • Add best practices documentation and update other docs (#3938)
  • Improve ownership, adoption, and FAQ documentation (#3966)

Full Changelog: v2.6.0...v2.7.0

v2.6.0

23 Feb 00:26
9e2b792

Release notes

Breaking changes

VirtualMachineScaleSet ProtectedSettings changed to SecretReference (#3026)

We always try to avoid breaking changes, but in this case, allowing raw passwords in the spec is a security problem and as such we've
decided to make a breaking change to correct this issue.

Action required: If the Compute/VirtualMachineScaleSet resource is installed in your cluster and the VirtualMachineProfile.ExtensionProfile.Extension.ProtectedSettings property is set on your VirtualMachineScaleSet resource, follow the steps in the breaking changes document.

Upcoming Breaking changes

None

New resources

  • Microsoft.PostgreSQL 2023-06-01-preview API version for FlexibleServer, FlexibleServersConfiguration, FlexibleServersDatabase and FlexibleServersFirewallRule (#3686)
  • Microsoft.ApiManagement 2023-05-01-preview version for Service, Backend, NamedValue, Subscription, Api, Product, VersionSet, Policy, and PolicyFragment (#3673)
  • Microsoft.ApiManagement ProductAPI, ProductPolicy, ApiVersionSet, AuthorizationProvider, AuthorizationProvidersAuthorization and AuthorizationProvidersAuthorizationsAccessPolicy (#3552) (#3644)
  • Microsoft.ContainerService 2023-11-02-preview API version for ManagedClusters
  • Microsoft.Compute VirtualMachine/Extension and VirtualMachineScaleSet/Extension
  • Microsoft.CDN profiles/customDomains, profiles/afdEndpoints, profiles/originGroups, profiles/originGroups/origins, profiles/afdEndpoints/routes, profiles/ruleSets, profiles/ruleSets/rule, profiles/secrets and profiles/securityPolicies (#3785)
  • Microsoft.Network FrontDoorWebApplicationFirewallPolicies (#3785)
  • Azure SQL User (#3701)

Features

  • Provide experimental ASO image built from main (#3699)
  • Add ConfigurationProtectedSettings to KubernetesConfiguration/Extension resource (#3752)
  • Add affinity and tolerations to ASOv2 helm chart (#3765)
  • Export EventGrid/Topic Endpoint to ConfigMap (#3766)
  • Export SignalR keys to Secret (#3698)
  • Arm64 support for developer setup (#3687)

Improvements

  • Improve reconcile exit logging (#3755)
  • Avoid superfluous error log in DELETE case (#3751)

Documentation

  • Improve our documentation for Dev Setup (#3041)
  • Include hand-crafted resources in documentation indexes (#3055)
  • Update Managed Identity documentation (#3071)
  • Add CRD pattern docs for each group (#3147)

Full Changelog: v2.5.0...v2.6.0

v2.5.0

07 Dec 05:55
7301356

Release Notes

Upcoming Breaking Changes

None

New Resources

  • Update Microsoft.Keyvault to support the newer 2023-07-01 API version (#3605)
  • Update Microsoft.Storage to support the newer 2023-01-01 API version (#3613)
  • Update Microsoft.ManagedIdentity to support the newer 2023-01-31 API version (#3606)
  • Update Microsoft.PostgreSQL to support the newer 2022-12-01 API version (#3593)
  • Update Microsoft.ContainerService to support the newer 2023-10-01 API version (#3629)

Features

  • Add owner-name and owner-group-kind label on resources (#3608)
  • Add extension for Microsoft.Eventgrid/Topic to export keys (#3633)
  • Relax enum requirement for Microsoft.Compute/VirtualMachine (#3609)
  • Add validation to catch use of armID as name (#3621)

Bug Fixes

  • Controller does not allow to create child objects in different subscription anymore (#3546)
  • Controller now uses HEAD if GET is not available (#3530)

Full Changelog: v2.4.0...v2.5.0

v2.4.0

14 Nov 06:54
5949407

Release Notes

Breaking Changes

Beta CRD deprecation

Beta versions of the CRDs have been removed this release.
You cannot successfully upgrade to v2.4.0 until you have followed our migration guide.
Fresh installations of v2.4.0 are unaffected.

Upcoming Breaking Changes

None

New Resources

  • Add support for containerservice Fleet (#3336)
  • Add support for networking TrafficManagerProfile and TrafficManagerProfileEndpoints (#3326)
  • Add support for apimanagement Service, Backend, NamedValue, Subscription, Api, Product, VersionSet, Policy, and PolicyFragment (#3368)
  • Add support for insights ActionGroups, MetricAlert, AutoscaleSetting, and ScheduledQueryRule (#3340)
  • Add support for networking ApplicationGateway (#3176)
  • Add support for kubernetesconfiguration Extensions (#3528)
  • Update authorization to support the newer v2022-04-01 API version (#3504)

Tools

  • Update asoctl clean crds command to clean beta CRDs (#3418)

Features

  • Publish multi architecture docker images using buildx (#3355)
  • Add createOrRecover and purgeThenCreate modes to KeyVaults, to encourage IAC patterns (#3357)
  • Add a cmdline flag to control CRD management (#3445)
  • Allow customizing the webhook server port and cert dir (#3442)

Bug Fixes

  • Fix containerservice ManagedCluster could get stuck due to transient CustomKubeletIdentityMissingPermissionError (#3286)
  • Fix containerservice ManagedCluster and AgentPool do not correctly clear collections that had previously been set (#3407, #3540)
  • Fix incorrect string case on namespace variable in Helm Chart (#3440)
  • Fix resource doesn't re-reconcile if edited again during an update (#3468)

Documentation

  • Add link to redis sample (#3317)
  • Fix URL to github project on website (#3324)
  • Improve FAQ and other documentation (#3302)
  • Clarify MySQL AAD requirements (#3349)
  • Document createOrRecover and purgeThenCreate KeyVault modes (#3400)
  • Use createOrRecover for keyvault samples (#3370)
  • Update documentation around CRD removal (#3422)

Full Changelog: v2.3.0...v2.4.0

v2.3.0

04 Sep 22:31
4773998

Release Notes

Breaking Changes

None.

Upcoming Breaking Changes

Beta CRD deprecation

Beta CRD versions (any version with v1beta prefix) will be deprecated no sooner than v2.4.0. We recommend you start using v1api prefixed versions now. You can easily swap from a v1beta version to a v1api version by just replacing v1beta with v1api in your CRD YAML.

New Resources

  • Add support for compute/DiskEncryptionSets (#3211, resolves #2927)
  • Support new versions of cache RP (#3206)
  • Update versions of ServiceBus (#3216, resolves #3143)

Tools

  • asoctl: Redact empty status properties when importing resources (#3180, resolves #3163)
  • generator: Improve logging output (#2964, resolves #2853)

Features

  • Refactor constants from internal/.. to pkg/common package to allow reuse of ASO as a library (#3171, resolves #3149)
  • Add support for NetworkPolicies in v2 Helm chart by @tongpu (#3164, resolves #3160)
  • Add new labels app.kubernetes.io/name and app.kubernetes.io/version (#3184)
  • Add pod identity support for namespaces and per-resource scoped auth (#3187, resolves #3215)
  • Make helm chart version SemVer 2 compatible (#3222, resolves #3189)
  • Support arbitrary ARM ID owners (#3245)

Bug Fixes

  • Fix Workload ID docs by @nojnhuh (#3156)
  • Classify SQL "PasswordNotComplex" as fatal (#3185)
  • Fix for asoctl omitting some child containers when importing Storage Accounts by using fully qualified ARM ID to identify importers (#3203, resolves #3195)
  • Fix for asoctl aborting import when an error occurs (#3212, resolves #3200)

Documentation

  • Document TIMEOUT variable for testing (#3178)
  • Create a landing page for our user guide (#3215, resolves #3215)
  • Document CLI differences per shell (#3207, resolves #3142 and #3145)

Full Changelog: v2.2.0...v2.3.0

v2.2.0

20 Jul 21:53
95d58ad

Release notes

Breaking changes

AKS ManagedClusterServicePrincipalProfile.Secret changed from string to genruntime.SecretReference (#3026)

We always try to avoid breaking changes, but in this case, allowing raw passwords in the spec is a security problem and as such we've
decided to make a breaking change to correct this issue.

Action required: If the ContainerService/ManagedClusters resource is installed in your cluster and the ManagedClusterServicePrincipalProfile.Secret property is set on your ManagedCluster resource, follow the steps in the breaking changes document.

Removed the following Status properties, which were never populated (#3034):

  • MachineLearningServices:

    • UserAccountCredentials_STATUS.AdminUserPassword
    • UserAccountCredentials_STATUS.AdminUserSshPublicKey
    • VirtualMachineSshCredentials_STATUS.Password
  • Synapse:

    • Workspace_STATUS.SqlAdministratorLoginPassword

Upcoming Breaking changes

Beta CRD deprecation

Beta CRD versions (any version with v1beta prefix) will be deprecated no sooner than v2.3.0. We recommend you start using v1api prefixed versions now. You can easily swap from a v1beta version to a v1api version by just replacing v1beta with v1api in your CRD YAML.

Tools

  • Tolerate some errors during asoctl import (#3151)
  • Fix asoctl when importing resources with fixed names (#3099)

New resources

  • DataProtection/BackupVaults (#3078)
  • Devices/IotHub (#2999)
  • Network/DnsResolver, Network/DnsResolvers/InboundEndpoint and Network/DnsResolvers/OutboundEndpoint (#3046)
  • Network/DnsForwardingRuleSet and Network/DnsForwardingRuleSet/ForwardingRule (#3046)
  • ContainerService/ManagedCluster/TrustedAccessRoleBinding

Features

  • Improve pod securityContext parameters (#3072)
  • Export API keys (AdminPrimaryKey, AdminSecondaryKey, QueryKey) for Search/SearchService (#3065)
  • Support autogenerating RoleAssignment GUID for AzureName (#3094)
  • Export FederatedIdentityCredential.Issuer and FederatedIdentityCredential.Subject as ConfigMaps (#3125)
  • Bump cert-manager version to v1.12.1 (#3073)
  • Bump controller-runtime version to 0.15.0 (#3138)

Bug Fixes

  • Prevent resource drift that could occur without correction by ASO for Resource Providers which work more as a PATCH than a PUT (#3060)
  • Resource with reconcile-policy: skip now populates ConfigMap (#2985)
  • Fix bug where pre-upgrade check could mistakenly check CRDs that weren't ASO CRDs, causing upgrade to fail (#3128)
  • SecurityRules are now merged with NetworkSecurityGroup to avoid clearing and re-creating them during reconciliation (#3121)
  • Fix networking resources deletion of child resources during adoption (#3136)

Documentation

  • Improve our documentation for Dev Setup (#3041)
  • Include hand-crafted resources in documentation indexes (#3055)
  • Update Managed Identity documentation (#3071)
  • Add CRD pattern docs for each group (#3147)

Full Changelog: v2.1.0...v2.2.0

v2.1.0

01 Jun 16:34
6eb070d

Release notes

Breaking changes

The operator no longer installs CRDs by default

Action required: When installing ASO for the first time, you must now specify crdPattern (for Helm) or --crd-patterns (in operator pod cmdline for raw YAML) to select the subset of CRDs you would like to install.

When upgrading ASO, existing CRDs will be automatically updated to the new version but new CRDs added in that release will not automatically be installed. This means that when upgrading the operator, if you don't want to use any CRDs newly added in that release you don't need to do anything.

Action required: When upgrading ASO, if you want to install new CRDs (for example CRDs just added in the version of ASO you are upgrading to) you must specify crdPattern (Helm) or --crd-patterns (YAML) to install the CRDs. For example: if you do want to use a newly added CRD (such as network.azure.com/bastionHosts mentioned below), you would need to specify crdPatterns=network.azure.com/* when performing the upgrade.

See CRD management in ASO for more details about this change and why it was made.

serviceoperator.azure.com/credential-from no longer supports cross namespace secret references

This was never documented as supported but worked unintentionally. The feature now works as it was always documented: allowing references to secrets only if the secret is in the same namespace as the resource itself.

This was a security issue which we had to close.

See #2919 for more details.

Upgrades from releases prior to v2.0.0-beta.5 are still disallowed

We recommend upgrading from v2.0.0-beta.5 to v2.0.0 and then to v2.1.0.

Upgrading to v2.1.0 from a version prior to v2.0.0-beta.5 is blocked in Helm by a Helm upgrade hook.

Upcoming Breaking changes

Beta CRD deprecation

Beta CRD versions (any version with v1beta prefix) will be deprecated no sooner than v2.3.0. We recommend you start using v1api prefixed versions now. You can easily swap from a v1beta version to a v1api version by just replacing v1beta with v1api in your CRD YAML.

AKS ManagedClusterServicePrincipalProfile.Secret will change from string to genruntime.SecretReference

We realized that this field contains a secret and as such should not be specified. Secrets should not appear in plain text in CRs. We will be making a breaking change in 2.2.0 to resolve this issue.

In the meantime: We strongly recommend you use managed identity (the default) for your clusters.

Tools

  • asoctl can now import entire Resource Groups (#2908)
  • asoctl can now save imported resources to separate YAML files (#2963)

New resources

  • Support Azure DataFactory (#2883)
  • Support Microsoft.Network/bastionHosts (#2913)
  • Support Microsoft.DBForPostgreSQL FlexibleServer Users (#2834)
  • Support Microsoft.Network/natGateways (#2906)
  • Support Microsoft.Network/dnszone and Microsoft.Network/dnszone/recordSets (#2918)
  • Support Microsoft.Search/searchService (#2916)
  • Support Microsoft.DBForMySQL/flexibleServers/configuration (#2987)
  • Support Microsoft.ServiceBus/authorizationRules (#2988)
  • Support Microsoft.Network/loadBalancers/inboundNatRule (#2984)
  • Support Microsoft.Storage/accounts/fileService, tableService, fileShare and table (#2960)

Features

  • Updated kind and other dependencies (#2897)
  • Support export of AppInsights/Component ConnectionString and InstrumentationKey (#2899)
  • Support AAD users for MySQL via existing MySQL User resource (#2954)
  • Allow users to configure a subset of CRDs to install (#3007)

Bug fixes

  • Fixed bug where we mistakenly retried on OperationNotAllowed for all resources, instead of just a few (#2946)

Documentation

  • Regenerate API documentation (#2925)
  • Fix various broken links, for example in (#2991)
  • Split resources indexes into groups (#3000)

Full Changelog: v2.0.0...v2.1.0

1.0.59040

09 May 17:55
ffb88b4

Changes:

  • Add support for subscriptionID on AzureSQL types #2910

v2.0.0

14 Apr 20:16
c5f794f

Release notes

This is ASO's first GA release!

Breaking changes

Upgrades from releases prior to v2.0.0-beta.5 are disallowed

We changed how we manage CRDs in this release (see #2769), and as a result if using Helm you must upgrade from v2.0.0-beta.5 to v2.0.0.
You cannot upgrade from v2.0.0-beta.4 or earlier directly to v2.0.0. This is enforced with a Helm upgrade hook.

This restriction is just for upgrades to the v2.0.0 version, although we always recommend upgrading one version at a time.

Alpha CRD versions have been removed

You cannot successfully upgrade to v2.0.0 until you have followed our migration guide.

Fresh installations of v2.0.0 are unaffected.

ResourceGroup Status.ProvisioningState field is now Status.Properties.ProvisioningState

We believe that this is unlikely to break users as tooling always uses the Conditions field rather than ProvisioningState to track resource provisioning
progress, but calling it out nonetheless for completeness.

Upcoming Breaking changes

Beta CRD versions (any version with v1beta prefix) will be deprecated no sooner than v2.3.0. We recommend you start using
v1api prefixed versions now. You can easily swap from a v1beta version to a v1api version by just replacing v1beta with v1api in your CRD YAML.

Tools

  • New asoctl tool can be used to import existing resources from Azure and remove deprecated CRD versions. See asoctl for more details.

New resources

  • Support new AKS ManagedCluster version 20230201 (#2727)
  • Support Azure SQL and 20+ associated resources (#2698)
  • Support PrivateLinkService (#2733)
  • Support PrivateEndpoint (#2733)
  • Support PrivateDNSZone Records (#2733)
  • Support Synapse Workspace and BigDataPool (#2860)

Features

  • Use v1 version for webhook conversionReviewVersions (#2760)
  • Code generate ResourceGroup (#2748)
  • Make the default credential optional (#2758)
  • The operator pod now manages ASO CRDs, rather than Helm (#2769)
  • Add support for Azure client certificate auth (#2786)
  • Increase initialDelaySeconds for readiness and liveness probe (#2844)
  • Support UserAssignedIdentities on all relevant resources (#2850)

Bug fixes

  • NamespacesTopicsSubscription no longer gets stuck when attempting to use the forwardTo field if the Queue being forwarded to is being created (#2777)

Documentation

  • Improve insights samples (#2827)

Full Changelog: v2.0.0-beta.5...v2.0.0
