Experimental

This is an experimental release which containing the most recent commits from the main branch as of commit: 7eb3030.

This release might not be stable. Use at your own risk.

⚠️ The provided YAML manifest does not configure any CRDs to install by default, but is required.
You must specify the CRDs that you want to use as part of crdPattern, for example 'resources.azure.com/*;containerservice.azure.com/*;keyvault.azure.com/*;managedidentity.azure.com/*;apimanagement.azure.com/*'.

The recommended way to supply crdPattern is using asoctl template:

asoctl export template --source https://github.com/Azure/azure-service-operator/releases/download/experimental/azureserviceoperator_experimental.yaml --crd-pattern "<pattern>" | kubectl apply --server-side=true -f -

This release is only intended for developers wishing to try out the latest features, some of which may not be fully implemented.

It is not recommended to run the experimental release for a long period of time, as the docker image referenced by the deployment is
mcr.microsoft.com/k8s/azureserviceoperator:experimental, which is always being updated. Test what you want to test and then uninstall the operator.
Running the operator for long periods of time on the experimental tag is not supported and will likely cause problems eventually.

v2.18.0

What's Changed

Breaking changes

• Storage.Tier removed from StorageAccount spec (storage/v20250601): The Tier property on StorageAccount.Spec.Sku has been removed. This field was marked as readonly in the upstream TypeSpec migration (azure-rest-api-specs openapi.json#L12317). The Tier value has always been effectively ignored by Azure - it is computed from the Name field (e.g., Standard_LRS → Standard tier). Users specifying this field in their CRDs will need to remove it.
• DataEncryption.GeoBackupEncryptionKeyStatus and DataEncryption.PrimaryEncryptionKeyStatus removed from dbforpostgresql/FlexibleServer spec (v20250801): These two fields have been removed from the DataEncryption object on the PostgreSQL FlexibleServer spec. These fields were always read-only but never documented as such until now. The upstream spec now treats these as readonly/status-only properties. Users specifying these fields will need to remove them from their CRDs.
• insights/v1api20240101preview/ScheduledQueryRule API version removed: The preview API version 2024-01-01-preview for ScheduledQueryRule has been completely removed as it was deprecated and removed upstream. Users using this API version should migrate to a supported version if they haven't already

New resources

• Add support for new appconfiguration API version v1api20240601 with new KeyValue, Replica, and Snapshot resources (#4948)
• Add support for new containerservice API version v20251002preview (#5170)
• Add support for new insights API versions v1api20240311 and v20250101preview (#5136)
• Add support for new storage API version v20250601 (#5096)

Features

• Cache configmaps for improved performance (#5080)
• Do not give up retrying on most common transient errors (#5092)
• Allow skipping delete if a resource (or its parent) has already been removed from Azure (#5040)
• Enhance Helm chart CRD pattern configuration to support list variable (#5110)
• Add subscriptionId to UserAssignedIdentity operatorSpec.secrets (#5183)
• Move batch and storage to use hybrid versioning (#5114, #5116)
• Remove usage of NewDefaultAzureCredential by (#5155)
• Allow newer MySQL Server versions (#5195)
• Add support for AllowMultiEnvManagement, allowing multiple clouds to be managed from a single ASO (#5093)
• Updated numerous dependencies

Bug fixes

• Fix bug where PreReconcileOwner check could check an out-of-date owner and continuously fail (#5140)
• Fix bug where Helm chart metrics port was not properly configurable (#5156)

Documentation

• Update samples to use well known names for global role definitions (#5073)
• Add comprehensive documentation for resource extension points (#5004)
• Update documentation for PrereconcileCheck and PrereconcileOwnerCheck (#5144)
• Add blog on why we record our tests (#5148)
• Update Redis operatorspec documentation (#5106)
• Update Redis Enterprise sample with ASO naming note, fix Cache docs (#5168)
• Remove very old prerelease warning (#5171)
• Fix formatting of User Assigned Identity Credentials link (#5123)
• Fix error in blog and rename posts (#5098)

New Contributors

• @bcho made their first contribution in #5123
• @bonddim made their first contribution in #5110
• @s4heid made their first contribution in #5183

Full Changelog: v2.17.0...v2.18.0

v2.17.0

What's Changed

Resources introduced in this release are using simplified versioning, as we're deprecating the v1api prefix (see #4831).

ASO will no longer try to delete Azure sub-resources that become a permanent part of their parent resource (e.g. FlexibleServersConfiguration for a PostgreSQL server). Instead of filling the ASO log with deletion errors, users will now see a warning (#4987)

Breaking changes

• Removed containerservice v20230315preview versions of Fleet resources as the API has been deprecated by Azure. If you allow the operator to manage its own CRDs via --crd-pattern, no action is needed the operator will take care of removing these versions. If you manage the CRD versions yourself, you'll need to run asoctl clean crds before upgrading.

Upcoming breaking changes

Will remove containerservice ManagedCluster and AgentPool api version v1api20230201 and v1api20231001 in the next release (v2.18) of ASO.
Will remove containerservice ManagedCluster and AgentPool api version v1api20240402preview in v2.19 of ASO.

New resources

• Add support for new dbforpostgresql API version v1api20250801 (#5018)
• Add support for new dbforpostgresql FlexibleServersAdministrator resource (#5041)
• Add support for new operationalinsights API version v1api20250701 (#5026)

Improvements

• Allow export of RedisEnterprise keys (#5010)
• Add shared keys secret exports for operationalinsights workspaces (#5011)
• Support reading PrivateDns A and AAAA record IP addresses from ConfigMap (#5027)
• Add secret export support to servicebus TopicAuthorizationRule (#5039)
• Default reconcile policy if unconfigured (#5044)
• Auto-detect CRD versions to deprecate (#5050)
• Foundation for migration to new versioning style (#5031, #5054)
• Migrate batch resources to new versioning style (#5032)
• Remove deprecated Fleet 2023-03-15-preview API version (#5064)
• Updated numerous dependencies

Documentation

• Update docs for v2.16 (#4993)
• Add docs for 2.16 breaking changes (#4996)
• Add badges to README (#5003)
• Document our approach for rare property conversions (#5005)
• Set up blog pages and v2.16.0 blog post for ASO website (#5008)

New Contributors

• @jakjang made their first contribution in #5008
• @tjololo made their first contribution in #5018

Full Changelog: v2.16.0...v2.17.0

v2.16.0

Feature Highlight

When creating a RoleAssignment, you can use the well-known name of any built-in Azure RoleDefinition (e.g. contributor or owner) instead of constructing the usual ARM ID with a published GUID (#4923)

What's Changed

Breaking changes

• Removed containerservice v1api20210501 v1api20231102preview api verisons. This was required to fit the new versions in the CRD. See number of versions supported in a CRD. If you allow the operator to manage its own CRDs via --crd-pattern, no action is needed the operator will take care of removing these versions. If you manage the CRD versions yourself, you'll need to run asoctl clean crds before upgrading.

Upcoming breaking changes

• Will remove containerservice fleet API version v1api20230315preview in the next release of ASO (v2.17)
• Will remove containerservice ManagedCluster and AgentPool api version v1api20230201 and v1api20231001 in v2.18 of ASO.
• Will remove containerservice ManagedCluster and AgentPool api version v1api20240402preview in v2.19 of ASO.

New resources

• Add support for new cache API version v1api20241101 (#4875)
• Add support for new network NetworkWatcher resource (#4960)
• Add support for new network NetworkWatchersFlowLog resource (#4960)
• Add support for new apimanagement API version v1api20240501 (#4909)
• Add support for new containerservice fleet API version v1api20250301 (#4952)
• Add support for new containerservice FleetsUpdateStrategy resource (#4952)
• Add support for new containerservice FleetsAutoUpgradeProfile resource (#4952)
• Add support for new containerservice API version v1api20250801 (#4951)
• Add support for new compute CapacityReservationGroup resource (#4980)
• Add support for new quota GroupQuota resource (#4979)

Features

• Extend ResourceReferences to support WellKnown names and backward compatibility (#4922)
• Allow specifying system for Identity references in app resources (#4924)
• Add config map support for UserAssignedIdentity in containerservice identityProfile (#4940)
• Allow specifying Role Assignment by using the well-known name of a RoleDefinition (#4923)
• Add PreReconcileOwnerCheck and implement for Kusto Databases (#4976)
• Updated numerous dependencies (#4901, #4912, #4930, #4938, #4932, #4950, #4963, #4984, #4983)
• Update to latest cert-manager 1.18.2 (#4977)

Bug fixes

• Add "UnsupportedResourceType" to asoctl exclusions for extension resources (#4934)
• Make NetcfgSubnetRangeOutsideVnet error retryable for VirtualNetworksSubnet (#4931)
• Fix bug preventing resource reconciliation due to "Secret not cached" (#4966)
• Fix select annotation changed predicate which could cause excess reconciliations (#4967)
• Fix up broken ResourceReferenceProperties (#4925)

Documentation

• Improve documentation comments in arm packages (#4914)
• Move completed ADRs to separate section (#4908)
• Move more ADRs to the completed section (#4955)
• Consolidate open ADRs into a single table (#4961)

v2.15.1

Bug fixes

• Fix bug preventing resource reconciliation due to "Secret not cached" (#4966)

Full Changelog: v2.15.0...v2.15.1

v2.15.0

New resources

• Add support for new app API version v1api20250101 (#4858)
• Add support for new compute AvailabilitySet resource and API version v1api20241101 (#4862)
• Add support for new cognitiveservices API version v1api20250601 (#4789)
• Add support for new insights ActivityLogAlert resource (#4821)
• Add support for new insights DataCollectionEndpoint resource (#4821)
• Add support for new insights DataCollectionRule resource (#4847)
• Add support for new insights DataCollectionRuleAssociation resource (#4821)
• Add support for new insights PricingPlan resource (#4821)
• Add support for new insights Workbook resource (#4827)
• Add support for new kusto API version v1api20240413 (#4883)
• Add support for new network AzureFirewall, FirewallPolicy and FirewallPoliciesRuleCollectionGroup resources (#4819)
• Add support for new redisenterprise API version v1api20250401 (#4833)

Features

• Add new CEL library ext.TwoVarComprehensions (#4812)
• Add azure and {group} categories to generated CRDs (#4846)
• Add crd storedVersions deprecation controller (#4874)
• Enable ConfigMap support for IPRule.Value (#4839)
• Improve Copilot-related configuration and add Copilot setup/instructions for the repo (#4845, #4840, #4866)
• Add support for additional property formats (#4676)

Bug fixes

• Allow GOMEMLIMIT to be unset (#4844)
• Set ReaderFailOnMissingInformer to avoid informer-related failures (#4857)

Documentation

• Fix docs for Entra resources (#4811)
• Replace a broken link in the documentation (#4837)
• Fix broken link to Crossplane docs (#4861)
• Improve Copilot instructions for working on ASO (#4854)
• Explicitly call out redaction of test recordings in docs (#4887)

Miscellaneous / Maintenance

• Update azure-rest-api-specs submodule (#4799)
• Remove CodeCov from PR validation builds (#4853)
• Update CODEOWNERS (#4872)
• Add Copilot Coding Agent setup (#4840)

New Contributors

@JamesJuddAVEVA made their first contribution in #4799
@Olexandr88 made their first contribution in #4837
@jlhuilier-1a made their first contribution in #4844
@Copilot made their first contribution in #4839
@GeraldLoeffler made their first contribution in #4858

Full changelog: v2.14.0...v2.15.0

v2.14.0

New resources

• Add support for new search API version v1api20231101 (#4722)
• Add support for new documentdb MongoDBRoleDefinition resource (#4760)
• Add support for new entra SecurityGroup resource (#4768)
• Add support for new documentdb MongoCluster and FirewallRule resources (#4773)

Features

• Updated numerous dependencies for bug and CVE fixes
• Improve error classification and add operationID to errors (#4757)
• Helm: Support injecting custom environment variables (#4745)
• Helm: Allow user to override tag or repositoryBase separately (#4770)
• Improve pod startup time by adding startup probe (#4791)

Bug fixes

• Fix bug where Kusto Database extension owner reference via armID did not work (#4720)
• Fix bug where owner label could be too long (#4741)
• Fix bug where metrics service was not deployed in multitenant mode (#4752)
• Fix bug where a nil panic could occur if leaderContext was nil (#4762)
• Fix bug in ownerDetails type extraction for Azure SQL User (#4765)
• Fix bug in application gateway resource API shape (#4784)

Documentation

• Remove ASO v1 Code Diagram (#4716)
• Organize FAQ page by section (#4709)
• Add more visible warning for multitenant deployment mode (#4753)
• Add TSG on handling reconciliation failures (#4749)
• Add documentation about labels written by the operator (#4758)
• Documentation cleanup (#4771)
• Fix formatting of reference documentation (#4785)
• Add docs for entra resources (#4783)
• Fix broken links (#4786)
• Add ADR on how to address version priority (#4750)

New Contributors

• @barucijah made their first contribution in #4745
• @fabian-heib made their first contribution in #4765
• @alombardo4 made their first contribution in #4773

Full Changelog: v2.13.0...v2.14.0

v2.13.0

New resources

• Add support for new dbformysql API version 2023-12-30 (#4549)
• Add support for new kubernetesconfiguration FluxConfiguration resource version 2024-11-01 (#4638)
• Add support for new servicebus TopicAuthorizationRules resource (#4688)
• Add support for new kusto Cluster, Database, and DataConnection resources (#4680)
• Add support for new dbforpostgresql API version 2024-08-01 (#4702)
• Add support for new dbforpostgresql FlexibleServersVirtualEndpoint and FlexibleServersAdvancedThreatProtectionSetting resources (#4702)

Features

• Add new authentication type UserAssignedIdentityCredential (#4565)
• Make reconcile-policy customizable (#4572)
• Update version of APIM SDK (#4603)
• Enable using JSON logging in Helm chart (#4619)
• Bump operator Go dependencies (#4656)
• Support sourcing AFDOrigin HostName from configuration (#4656)
• Retry ScopeLocked errors at a slower rate (#4695)
• Support openshift cluster secret export (#4701)
• asoctl: Set spec.owner on root resource of import (#4611)

Bug fixes

• Fix bug where multitenant authentication did not work (#4577)
• Fix bug where DNS Zone provisioning could get stuck due to targetResource lookup not found (#4651)
• Fix bug where PostgreSQL create user command couldn't add roles with caps (#4657)
• Fix bug where HTTP 409 Conflicts were not consistently retried (#4671)
• Fix bug where Replica_Spec.Sku was not marked as required (#4674)
• Fix bug where DnsForwardingRuleset resource could get stuck due to transient BadRequest errors (#4690)
• Fix bug where AFDRule resource could get stuck due to transient BadRequest errors (#4684)

Documentation

• Fix issues with broken and inaccessible documentation links (#4579)
• Add additional guides for troubleshooting (#4628)
• Restructure new resource documentation for clarity (#4683)
• Updated reference documentation to show required/optional properties in CRD docs (#3146)

v2.12.0

What's Changed

New resources

• Add support for new eventhub API version v1api20240101 (#4499)
• Add support for new web site SourceControl resource (#4491)
• Add support for new containerregistry RegistryReplication resource (#4538)
• Add support for new Microsoft.App resource (#4517)
• Add support for new Microsoft.NotificationHubs resource (#4539)
• Add support for new documentdb API version v1api20240815 and MongodbUserDefinition resource (#4550)
• Add support for new signalr API version v1api20240301 (#4560)
• Add support for new monitor API version v1api20240101preview (#4507)
• Add support for new servicebus API version v1api20240101 (#4561)

Improvements

• Add ResourceTypeNotSupported to list of skipped error codes (#4451)
• Support multiple replicas of ASO pod (#4466)
• Enable high availability (HA) configuration for ASO (#4445)
• Allow recovery if resources have a missing AzureName (#4460)
• Loosen up Owner-Child resource subscription checks (#4343)
• Improve resource indexes to make supported resources easier to scan (#4557)
• Update dependencies
• asoctl: Add commandline switch for simpler logging (#4474)
• asoctl: Improve resource naming (#4487)

Bug Fixes

• Elide subnet IPConfiguration field when it passes 2000 entries (#4448)
• Fix bug where PublicIPAddress could get blocked permanently (#4481)
• Fix bug where obj.AzureName was not used to create Azure URLs (#4516)
• Fix "missing error information" error on 409s (#4530)
• Fix bug where pod could get OOMKilled when listing CRDs (#4573)
• asoctl: Ensure asoctl simple logger shuts down properly (#4473)
• asoctl: Fix asoctl deadlock (#4475)

New Contributors

• @petrepopescu21 made their first contribution in #4550
• @AndreiBarbuOz made their first contribution in #4507

Full Changelog: v2.11.0...v2.12.0

v2.11.0

Release notes

Breaking changes

Moved all the "ARM" variants of the CRD types into dedicated subpackages

This is only breaking for consumers of the Go package, not for users of the YAML, and only for those using the ARM types directly.

Upcoming Breaking changes

Deprecated managedclusters.containerservice.azure.com API versions

• The v1api20210501 and v1api20231102preview versions will be removed in ASO release 2.12.
• The v1api20230201 version will be removed in ASO release 2.13.

We recommend you move to use a different CRD version to avoid errors.

For more details see the breaking changes document.

New resources

• Add support for new insights DiagnosticSettings resource (#4363)
• Add support for new alertsmanagement SmartDetectorAlertRule resource (#4375)
• Add support for new containerservice API version 2024-09-01 (#4419)
• Add support for new network API version 2024-03-01. This includes VNet, Subnet, and many other networking resources (#4431)
• And support for new network PrivateDNS API version 2024-06-01 (#4431)

Features

• Add support for dynamic secret or configmap export. See our documentation on Expressions (#4362, #4398)

Improvements

• Updated numerous dependencies

Bug fixes

• asoctl: Handle deprecated trustedaccessrolebinding storage version in asoctl clean crds (#4403)

Documentation

• Clarify some PostgreSQL User documentation (#4360)
• Improved CRD documentation by moving the "ARM" variants of the CRD types into dedicated subpackages.
• Capture recent advice to users in our docs (#4396)

Full Changelog: v2.10.0...v2.11.0