v0.5.2

[gardener/gardener-extension-shoot-rsyslog-relp]

🐛 Bug Fixes

• [OPERATOR] Fixed an issue that caused the -a exit,always -F arch=b64 -S mount_setattr -F auid!=-1 -F key=privileged_special audit rule to not get correctly applied. by @plkokanov [#151]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.5.2
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.5.2

v0.5.1

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] The memory of the rsyslog.service systemd unit is now limited via a drop-in config. The following configurations are used: MemoryMin=15M, MemoryHigh=150M, MemoryMax=300M, MemorySwapMax=0 by @plkokanov [#139]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.5.1
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.5.1

v0.5.0

[gardener/gardener-extension-shoot-rsyslog-relp]

⚠️ Breaking Changes

• [USER] When changing referenced TLS secret in shoot.spec.resources[] the user should provide only immutable secret by @Kostov6 [#76]

🐛 Bug Fixes

• [OPERATOR] Fixed an issue that caused audit logs to be duplicated in journald if the system-journald-audit socket was enabled. Now if the system-journald-audit socket exists on the node, it is disabled and stopped when this extension is used. by @plkokanov [#104]
• [USER] Rsyslog processes logs on nodes with os suse-chost 15 SP3 by @Kostov6 [#123]

🏃 Others

• [OPERATOR] Errors that can occur when loading audit rules are now ignored and reported as warnings. This allows all correct audit rules to be loaded. by @plkokanov [#128]
• [OPERATOR] The rsyslog-relp action which is used to forward logs to a RELP server now uses a separate in-memory queue of 100000 messages. Additionally, it also uses a disk queue of max 48 MiB which is used to store messages after the in-memory queue is exhausted or to save the current messages in the in-memory queue when the rsyslog service is restarted. by @plkokanov [#115]
• [OPERATOR] This extension is now using the new way of providing monitoring configuration (ref GEP-19) in case a shoot cluster's Prometheus has been migrated to management via prometheus-operator. by @rfranzke [#99]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.5.0
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.5.0

v0.4.4

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] The directory where the tls certificates are copied on the node - /etc/ssl/rsyslog, is now created with default (0755) permissions so that it can be read by an rsyslog process that is started without cap_dac_override capability. by @plkokanov [#112]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.4.4
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.4.4

v0.4.3

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] If the certificates used for the rsyslog-relp tls connection are changed, the rsyslog service on the nodes is restarted so that it can properly load the new certificates. by @plkokanov [#107]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.4.3
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.4.3

v0.4.2

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] The reconciliation of the shoot-rsyslog-relp extension no longer waits for the extension-shoot-rsyslog-relp-shoot MangedResource to be deleted during reconciliations, if the Shoot cluster is hibernated. The wait will still be executed when the Shoot is woken up to ensure that the resources deployed in the Shoot are removed. by @plkokanov [#93]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.4.2
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.4.2

v0.4.1

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] The ConfigMap deployed for the monitoring configuration of the shoot-rsyslog-relp extension in Shoot control planes is no longer immutable. This fixes an issue that could cause prometheus-0 pods to get stuck in CrashLoopBackOff. by @plkokanov [#91]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.4.1
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.4.1

v0.4.0

[gardener/gardener-extension-shoot-rsyslog-relp]

⚠️ Breaking Changes

• [OPERATOR] CA and server certificates for the admission component are managed automatically. Passing custom certificates via Helm values is not supported anymore. by @timuthy [#57]
• [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk [#47]
• [OPERATOR] extension-shoot-rsyslog-relp no longer supports Shoots with Кubernetes version == 1.24. by @Kostov6 [#79]

📰 Noteworthy

• [DEVELOPER] The charts/images.yaml file was moved to imagevector/images.yaml. by @plkokanov [#66]

🐛 Bug Fixes

• [OPERATOR] Fixed an issue where the extension-shoot-rsyslog-relp-configuration-cleaner ManagedResource could block Shoot deletion if the shoot-rsyslog-relp was disabled before the Shoot deletion was triggered, and disabling the extension failed while trying to deploy the said ManagedResource and wait for it to become ready. by @plkokanov [#80]

🏃 Others

• [OPERATOR] Bumped github.com/gardener/gardener to v1.89.0. by @plkokanov [#73]
• [OPERATOR] The extension now deploys the rsyslog configuration files by mutating the OperatingSystemConfig resource via a mutating webhook. Cleanup of the rsyslog configuration files is still handled by the rsyslog-relp-configuration-cleaner daemonset. by @plkokanov [#41]
• [OPERATOR] Bump github.com/gardener/gardener to 1.86.0. by @timuthy [#57]
• [OPERATOR] Fixed an issue where rsyslog.service would never get enabled if it was not already enabled by default. by @plkokanov [#58]
• [OPERATOR] The name of the gardener-extension-shoot-rsyslog-relp-admission chart is now correctly specified as gardener-extension-shoot-rsysloog-relp-admission. Previously it was gardener-extension-shoot-rsyslog-relp. This should not require anything to be done by operators when upgrading the chart. by @plkokanov [#39]
• [OPERATOR] The repository is now compliant with the REUSE license format. by @plkokanov [#71]
• [DEVELOPER] The vendor directory was removed in favor of the go mod cache. by @timuthy [#57]
• [DEVELOPER] Bumped golang to v1.22.0 by @plkokanov [#73]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.4.0
• gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.4.0

v0.3.1

[gardener/gardener-extension-shoot-rsyslog-relp]

🏃 Others

• [OPERATOR] Incresed memory limits for the init containers of the rsyslog-relp-configurator and rsyslog-relp-configuration-cleaner daemonsets from 16Mi to 32Mi by @plkokanov [#51]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: eu.gcr.io/gardener-project/gardener/extensions/shoot-rsyslog-relp-admission:v0.3.1
• gardener-extension-shoot-rsyslog-relp: eu.gcr.io/gardener-project/gardener/extensions/shoot-rsyslog-relp:v0.3.1

v0.3.0

[gardener/gardener-extension-shoot-rsyslog-relp]

⚠️ Breaking Changes

• [OPERATOR] The security.gardener.cloud/pod-security-enforce annotation in the ControllerRegistration is set to baseline. With this, the pods running in the extension namespace should comply with baseline pod-security standard. by @AleksandarSavchev [#17]

✨ New Features

• [USER] The shoot-rsyslog-relp configuration now allows users to specify which tls library should be used by librerlp when tls communication is enabled via the tls.tlsLib optional field. The possible options are gnutls and openssl. When the field is omitted, librelp uses its default tls library which in most cases is gnutls. More information can be found here: https://www.rsyslog.com/doc/v8-stable/configuration/modules/imrelp.html#tls-tlslib by @plkokanov [#27]
• [USER] shoot-rsyslog-relp extension now supports Shoot Force Deletion. by @acumino [#24]

🏃 Others

• [OPERATOR] Metrics for the rsyslog service running on the shoot nodes are now exposed and collected according to the following:
  • The metrics are available on the node-exporter's /metrics endpoint.
  • The names of the new metrics match the rsyslog_pstat_.+ regex.
  • The metrics are scraped and collected in the shoot's prometheus instance.
  • A dedicated plutono dashboard is added which displays the rsyslog metrics. by @plkokanov [#32]
• [OPERATOR] Fixed an issue where the rsyslog systemd unit could become stuck in a failed state immediately after it is installed on the shoot's nodes, if the shoot-rsyslog-relp extension was enabled on the shoot before that. The configure-rsyslog.sh script which is responsible for configuring and restarting the rsyslog systemd unit will now wait for the syslog.service symlink to be created before attempting to configure and restart the rsyslog systemd unit. by @plkokanov [#34]
• [OPERATOR] The shoot-rsyslog-relp extension is now aligned with Gardener's component checklist:
  • RBAC for the shoot-rsyslog-relp extension controller have been drastically reduced to only the required ones.
  • The deployment for the shoot-rsyslog-relp extension controller now contains the proper label for HA - high-availability-config.resources.gardener.cloud/type: controller
  • The shoot-rsyslog-relp admission pod no longer has a SecurityContext. This will be automatically added by the seccomp-profile webhook of the gardener-resource-manager
  • The rsyslog-relp-configurator and rsyslog-relp-configuration-cleaner pods now use the RuntimeDefault seccomp profile.
  • The init containers of the rsyslog-relp-configurator and rsyslog-relp-configuration-cleaner pods no longer run in privileged mode.
  • The rsyslog-relp-configurator and rsyslog-relp-configuration-cleaner now specify resource requests and limits.
  • PodSecurityPolicys for the rsyslog-relp-configurator and rsyslog-relp-configuration-cleaner are now deployed in the shoot cluster, if its kubernetes version is 1.24.x. by @plkokanov [#29]
• [OPERATOR] The healthcheck controller is now removed. Starting v1.65.0, gardenlet perform health checks for all ManagedResources in the Shoot control plane in the Seed. There is no longer need of the custom healthcheck controller in the shoot-rsyslog-relp extension as it was doing the same job. It was performing health check for the ManagedResource it deploys. by @plkokanov [#28]
• [OPERATOR] The rsyslog-relp-configuration-cleaner is no longer deployed on Shoot deletion with shoot-rsyslog-relp extension enabled. The Extension deletion occurs after the Worker deletion. There are no Nodes, hence there is no need to clean up registry configuration. by @plkokanov [#30]

Docker Images

• gardener-extension-shoot-rsyslog-relp-admission: eu.gcr.io/gardener-project/gardener/extensions/shoot-rsyslog-relp-admission:v0.3.0
• gardener-extension-shoot-rsyslog-relp: eu.gcr.io/gardener-project/gardener/extensions/shoot-rsyslog-relp:v0.3.0