Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

0.16.2 (2026-03-13)

Bug Fixes

  • add npm skill bin path to container PATH (9237c68)
  • add npm skill binaries to PATH via global install (#335) (926e034)
  • update e2e test to expect npm install -g (02944f0)

0.16.1 (2026-03-13)

Bug Fixes

  • Add get and watch RBAC permissions for pods (69c6c8b)
  • add get and watch verbs for pods RBAC permission (ad04174)
  • chromium: inject attachOnly, remoteCdpTimeoutMs, and resolved cdpUrl (8bc75f3), closes #270
  • chromium: inject attachOnly, timeout, and resolved cdpUrl (3019c6d)

0.16.0 (2026-03-12)

Features

  • add PodAnnotations field to pod template (d7c9fdd)
  • add PodAnnotations field to pod template (2ecd1f0)

0.15.1 (2026-03-12)

Bug Fixes

  • backup: use secretKeyRef instead of plaintext credentials in Job specs (e45ef9c)
  • backup: use secretKeyRef instead of plaintext credentials in Job specs (e4f2f4d), closes #322
  • resolve variable shadowing lint errors in mirror secret calls (a673e60)

0.15.0 (2026-03-12)

Features

  • backup: add S3_PROVIDER for multi-cloud workload identity support (93e22b5)
  • backup: support IRSA and Pod Identity for S3 backup credentials (8a06d85), closes #320
  • backup: support workload identity and configurable S3 provider for backup credentials (4b8e3ca)

Bug Fixes

  • backup: validate partial S3 credentials configuration (e89c4a3)

0.14.1 (2026-03-11)

Bug Fixes

  • autoupdate: scale StatefulSet back up after pre-update backup (2f52f73)
  • autoupdate: scale StatefulSet back up after pre-update backup (083d752), closes #299

0.14.0 (2026-03-11)

Features

  • inject BOOTSTRAP.md for first-run agent onboarding (bd58ad9)

0.13.0 (2026-03-11)

Features

  • init-skills: propagate spec.env and spec.envFrom to skills init container (d3a08f3)
  • init-skills: propagate spec.env and spec.envFrom to skills init container (44aff0c), closes #307

Bug Fixes

  • chromium: use rewrite + bare proxy_pass in named location (53f23d9)
  • chromium: use rewrite + bare proxy_pass in named location (#270) (f4f0a58)
  • combine consecutive appends to satisfy gocritic lint (da357de)
  • skills: persist ClawHub-installed skills on PVC (b17bad4)
  • skills: persist ClawHub-installed skills on PVC (#313) (7a7dbfd)
  • web-terminal: pass -W flag when ReadOnly is false (a7f806b)
  • web-terminal: pass -W flag when ReadOnly is false (ff87cfd)

0.12.0 (2026-03-10)

Features

  • apply registry override to init container images (34aca73)
  • operator: add global container image registry override field (589ddf4)
  • operator: add global container image registry override field (3dfa1d0)

Bug Fixes

  • chromium: route WebSocket connections to /chromium endpoint for launch args (c39bc45), closes #270
  • chromium: route WebSocket to /chromium endpoint for launch args (0e39b89)
  • resources: handle trailing slash in registry override. (6ba4b94)

0.11.2 (2026-03-10)

Bug Fixes

  • normalize ClawHub skill slugs and fix documentation (f738e67)
  • normalize ClawHub skill slugs and fix documentation format (ab4af55), closes #288
  • update E2E test to expect normalized skill slug (7f71bc9)

0.11.1 (2026-03-10)

Bug Fixes

  • redirect nginx http temp dirs to /tmp for read-only rootfs (#295) (ef98bc9)

0.11.0 (2026-03-10)

Features

  • add chromium CDP proxy to inject anti-bot Chrome launch args (1e30d22), closes #270
  • chromium CDP proxy for anti-bot launch args (e7d9d86)
  • resources: add logging and validation for resource quantities (0dc3508)
  • validate existing PVC and improve resource parsing (351c87a)

Bug Fixes

  • handle merge commits in release tag creation step (370edf6)
  • handle merge commits in release tag creation step (07b45bf)
  • resolve chromium sidecar startup race and NetworkPolicy gaps (8579946)
  • resolve chromium sidecar startup race and NetworkPolicy gaps (8e7fc99), closes #270

0.10.30 (2026-03-10)

Features

  • idempotent ClawHub skill installs for persistent storage (b02c5f2)

Bug Fixes

  • add activeDeadlineSeconds and startingDeadlineSeconds to backup CronJob (d5a5a0a), closes #286
  • add deadline safeguards to backup CronJob (5f3715d)
  • add K8s API port 6443 egress when tailscale is enabled (5968cc1)
  • inject POD_NAMESPACE env via Downward API (b793c0f)
  • inject POD_NAMESPACE env via Downward API in operator deployment (8b5ae53), closes #281

0.10.29 (2026-03-09)

Bug Fixes

  • increase chromium startup probe timeout from 2s to 5s (#279) (2ccf3ec), closes #270

0.10.28 (2026-03-09)

Bug Fixes

  • auto-inject 127.0.0.0/8 into gateway.trustedProxies (#276) (e7ecc5c), closes #274
  • handle OCI pagination in registry tag resolver (#275) (2fcf3dd)

0.10.27 (2026-03-09)

Features

  • support persistent Chromium browser profiles via PVC (#271) (9d80414), closes #267

0.10.26 (2026-03-09)

Features

  • persist Tailscale state across pod restarts via TS_KUBE_SECRET (#265) (0a9601d), closes #262

Bug Fixes

  • remove invalid llmConfig from webhook validation and docs (#261) (e8f7399)
  • respect pod-level runAsNonRoot in container security contexts (#266) (ad21b4c), closes #263

0.10.25 (2026-03-07)

Features

  • enable writable package installs on read-only root filesystem (#254) (8d5f4ba)

0.10.24 (2026-03-06)

Bug Fixes

  • use service DNS for Chromium CDP URL instead of localhost (#252) (70b9ec4)

0.10.23 (2026-03-06)

Bug Fixes

  • correct attachOnly field placement in browser configuration (#250) (04d44af)

0.10.22 (2026-03-05)

Features

  • inject default anti-bot-detection flags for Chromium sidecar (#247) (4a38b4d)

0.10.21 (2026-03-05)

Bug Fixes

  • disable device auth for Control UI in K8s environments (#238) (c5c420c), closes #233
  • propagate nodeSelector and tolerations to backup CronJob pods (#245) (98ef456), closes #244
  • use localhost for Chromium CDP URL to support IPv6 clusters (#243) (08dc2c2), closes #228

0.10.20 (2026-03-04)

Features

  • add attachOnly and disable device auth in browser profiles (#236) (44dd9ce)

0.10.19 (2026-03-04)

Features

0.10.18 (2026-03-03)

Features

0.10.17 (2026-03-02)

Bug Fixes

  • add configurable timeout for BackingUp phase to prevent stuck instances (#226) (778a642), closes #224
  • make skill pack resolution non-blocking to prevent provisioning failures (#227) (ffb2485), closes #225

0.10.16 (2026-03-01)

Bug Fixes

  • propagate nodeSelector and tolerations to backup/restore Jobs (#221) (342c7ae)

0.10.15 (2026-02-27)

Features

0.10.14 (2026-02-27)

Bug Fixes

  • prevent StatefulSet reconciliation loop from server-side defaults (#217) (0617b46)

0.10.13 (2026-02-27)

Bug Fixes

  • use Node.js TCP connect for health probes instead of wget (#215) (ecb7474)

0.10.12 (2026-02-26)

Features

  • add periodic scheduled backups via CronJob (#207) (bf29965)

Bug Fixes

  • add optional S3_REGION support for MinIO backups (#212) (c5e96c8), closes #205
  • chromium: pass extraArgs via DEFAULT_LAUNCH_ARGS env instead of container Args (#211) (ec79758), closes #209

0.10.11 (2026-02-26)

Bug Fixes

  • store plaintext username and password in auto-generated basic auth secret (#208) (179b4a6), closes #201

0.10.10 (2026-02-26)

Features

  • add performance benchmarks for resource builders (#197) (41efb29)

0.10.9 (2026-02-26)

Features

  • add Operator SDK scorecard testing (#198) (3b44d9a)
  • add topology spread constraints support (#196) (98ba176)

0.10.8 (2026-02-26)

Features

  • chromium: add extraArgs and extraEnv fields to ChromiumSpec (#187) (2878482)
  • chromium: add extraArgs/extraEnv to ChromiumSpec, fix issues #189-#193 (#194) (cba8d1a)

0.10.7 (2026-02-25)

Bug Fixes

  • resolve chromium sidecar port conflict and unreachable CDP (#183) (2d3d212), closes #180

0.10.6 (2026-02-24)

Bug Fixes

  • make Probes a pointer type to accept null/omitted values (#181) (df42069), closes #179

0.10.5 (2026-02-24)

Features

  • add Tailscale sidecar for working tailnet integration (#177) (d956925)

0.10.4 (2026-02-24)

Features

  • add nginx gateway proxy sidecar for loopback-bound gateway (#175) (a52383b)

0.10.3 (2026-02-23)

Bug Fixes

  • auto-set gateway.bind=loopback and use exec probes for Tailscale serve/funnel (#170) (e26694b), closes #167
  • expose metrics port in Service, StatefulSet, and ServiceMonitor (#169) (049d097), closes #166
  • move CRDs from Helm crds/ to templates/ for upgrade support (#173) (599b394), closes #168

0.10.2 (2026-02-23)

Bug Fixes

  • break reconciliation tight loop caused by unconditional status writes (#163) (88921b7), closes #161
  • use single-quoted node -e argument in merge mode scripts (#164) (a661ed8), closes #162

0.10.1 (2026-02-22)

Features

  • add ttyd web terminal managed sidecar (#159) (a9e1bce)

0.10.0 (2026-02-22)

⚠ BREAKING CHANGES

  • The backup credentials Secret name changes from b2-backup-credentials to s3-backup-credentials, and the expected keys change from B2_BUCKET/B2_KEY_ID/B2_APP_KEY/B2_ENDPOINT to S3_BUCKET/S3_ACCESS_KEY_ID/S3_SECRET_ACCESS_KEY/S3_ENDPOINT.

Features

  • rename B2/Backblaze to generic S3-compatible storage (#157) (df76683)

0.9.23 (2026-02-22)

Features

  • add HPA auto-scaling and Auto Pilot capability level (#155) (024e51a)

0.9.22 (2026-02-22)

Features

  • add OpenClawSelfConfig CRD for agent self-modification (#146) (2351737)

0.9.21 (2026-02-21)

Bug Fixes

  • set CSV capabilities to Deep Insights (Level 4) (#152) (1fe72ed)

0.9.20 (2026-02-21)

Features

  • add Level 4 Deep Insights - auto-provisioned PrometheusRule and Grafana dashboards (#149) (3c46765)

0.9.19 (2026-02-21)

Features

  • add custom service ports and ingress backend port support (#144) (#145) (d0604c1)

0.9.18 (2026-02-20)

Features

  • improve OperatorHub and ArtifactHub listing quality (#142) (b15937c)

0.9.17 (2026-02-20)

Bug Fixes

  • configMapRef bypasses gateway auth enrichment (#138) (1322d5e)

0.9.16 (2026-02-20)

Features

  • support npm packages in skills field and disable lifecycle scripts (#137) (a9db9d0), closes #131 #91

0.9.15 (2026-02-19)

Bug Fixes

  • prevent StatefulSet spec drift on every reconcile (#133) (b6fa7b3)

0.9.14 (2026-02-19)

Bug Fixes

  • restore config on container restart via postStart hook (#128) (38ea2c5)

0.9.13 (2026-02-19)

Bug Fixes

  • inject browser config for Chromium sidecar (#126) (570344e)
  • use copyFileSync instead of renameSync in merge mode init container (#121) (72bd962), closes #120

0.9.12 (2026-02-18)

Features

  • add first-class Ollama sidecar support (860225e)
  • add native Tailscale integration via CRD fields (#115) (c3a2ae4)

0.9.11 (2026-02-18)

Bug Fixes

  • resolve flaky backup/restore tests and autorelease label API (#117) (da7a2a5)

0.9.10 (2026-02-18)

Bug Fixes

  • emit provider-aware ingress annotations based on className (#109) (#110) (c040df6)
  • graceful deletion when B2 backup credentials are not configured (#112) (10b59be), closes #111
  • use shell-capable images for distroless init containers (#108) (2c87e68)

0.9.9 (2026-02-17)

Bug Fixes

  • inject gateway.bind=lan so vanilla deployments pass health probes (#102) (7c63d86), closes #101

0.9.8 (2026-02-17)

Bug Fixes

  • sync Helm RBAC and add gateway.existingSecret (#98) (33dbc2c)

0.9.7 (2026-02-17)

Bug Fixes

  • use server-side apply for CRD installation and update README (#94) (73b0677)

0.9.6 (2026-02-16)

Features

  • add runtime dependency init containers for pnpm and Python/uv (#89) (#90) (b6a583c)

0.9.5 (2026-02-16)

Features

  • add Phase 2+3 features and CVE-2025-22868 fix (#84) (94d4273)
  • add read-only rootfs, config merge mode, skill installation, and secret rotation detection (#82) (abd7911)
  • auto-generate gateway token auth for OpenClaw instances (#85) (6ee7eca), closes #83

0.9.4 (2026-02-16)

Bug Fixes

  • auto-label release PRs to prevent release-please stalling (#80) (c1bce0a)

0.9.3 (2026-02-16)

Features

  • add auto-rollback on failed update with health check monitoring (#75) (1dff347)

0.9.2 (2026-02-16)

Features

  • add opt-in auto-update for OCI registry version tracking (#71) (5ce624e)
  • add webhook warning for latest image tag (#67) (6791624)

Bug Fixes

  • add skip-backup annotation to E2E test instance (#69) (33ab056)
  • extract imageTagLatest constant to satisfy goconst linter (#68) (fc14d1a)
  • suppress gosec false positive and handle existing releases (aef5468)
  • suppress gosec G101 false positive and handle existing releases (182fafb)
  • sync release-please manifest to v0.9.1 (#72) (88f50a9)

0.6.0 (2026-02-13)

⚠ BREAKING CHANGES

  • CRD API group changed from openclaw.openclaw.io to openclaw.openclaw.rocks. Existing CRDs must be deleted and re-created. This is acceptable at v1alpha1 stability level.

Features

  • Add nautical banner image with crab captain at Kubernetes helm (84d1854)
  • Add observability, testing, docs, and dev tooling (5af27e1)
  • Add observability, testing, docs, and dev tooling for production readiness (a8c063b)
  • Add support for custom sidecar containers (#27) (f0071f7), closes #24
  • Initial OpenClaw Kubernetes Operator implementation (6d873ff)
  • Inject CHROMIUM_URL env var into main container when sidecar is enabled (8553cc7)
  • Inject CHROMIUM_URL env var when sidecar is enabled (b80dabe)
  • Replace manual release steps with GoReleaser (#2) (fedc497)
  • Support custom egress rules in NetworkPolicy (#15) (#16) (c62dc09)
  • update banner with real OpenClaw logo and Kubernetes logo (#37) (840adb9)

Bug Fixes

  • Add leader election RBAC and E2E test infrastructure (4eb6019)
  • Apply same CreateOrUpdate pattern to ServiceMonitor reconciler (#30) (c1aaa36)
  • Bump chromium /dev/shm from 256Mi to 1Gi (925d7b8)
  • Bump chromium /dev/shm sizeLimit from 256Mi to 1Gi (a4b3fbb)
  • change CRD API group domain from openclaw.io to openclaw.rocks (#41) (5bae852)
  • Chromium sidecar crash (UID mismatch + read-only rootfs) and lint (#14) (febe1d3)
  • Disable SBOM upload-release-assets to avoid race condition (d909808)
  • Downgrade to Go 1.23 for golangci-lint compatibility (dd33c08)
  • Increase golangci-lint timeout and update to v1.63.4 (1d982ca)
  • Link OpenClaw to openclaw.ai, not openclaw.rocks (679b043)
  • Link OpenClaw to openclaw.ai, not openclaw.rocks (#22) (9bfdbd8)
  • Polish README copy and diagram alignment (#19) (ef6a8d1)
  • Pre-enable channel modules in config to prevent EBUSY on startup (#13) (21ee585), closes #11
  • Prevent endless Deployment reconciliation loop (#29) (db942b9), closes #28
  • Remove chart-releaser, keep OCI-only Helm distribution (#3) (99e3cdb)
  • Replace config subPath mount with init container to avoid EBUSY (#10) (38b60d3), closes #9
  • Resolve variable shadowing of err in PVC reconciliation (a9ea85b)
  • Set HOME env var to match config mount path (#5) (175ff92), closes #4
  • skip GitHub release creation in release-please (#47) (96a5be9)
  • Specify kind cluster name for image loading (7ac2116)
  • update banner alt text (#38) (d00dc23)
  • Update Chart.yaml version/appVersion to match latest release v0.2.4 (#26) (c475ffc)
  • Update copyright to 2026 OpenClaw.rocks (bca1f0f)
  • Update copyright to 2026 OpenClaw.rocks (4d462f9)
  • Update Go version to 1.24 for CI compatibility (5c13d06)
  • Use correct GitHub org name (OpenClaw-rocks) in all references (#20) (c157899)
  • Use direct append instead of loop for image pull secrets (187477c)
  • Use Go 1.24 with goinstall mode for golangci-lint (3dd40c8)
  • Use govet enable list for shadow analyzer (3f04b1b)
  • Use lowercase image names for OCI registry compatibility (2d3c87e)
  • Use lowercase owner name for Helm OCI registry (67bc33e)
  • use PAT for release-please to trigger downstream workflows (#45) (21191ed)

0.5.0 (2026-02-13)

⚠ BREAKING CHANGES

  • CRD API group changed from openclaw.openclaw.io to openclaw.openclaw.rocks. Existing CRDs must be deleted and re-created. This is acceptable at v1alpha1 stability level.

Features

  • Add nautical banner image with crab captain at Kubernetes helm (84d1854)
  • Add observability, testing, docs, and dev tooling (5af27e1)
  • Add observability, testing, docs, and dev tooling for production readiness (a8c063b)
  • Add support for custom sidecar containers (#27) (f0071f7), closes #24
  • Initial OpenClaw Kubernetes Operator implementation (6d873ff)
  • Inject CHROMIUM_URL env var into main container when sidecar is enabled (8553cc7)
  • Inject CHROMIUM_URL env var when sidecar is enabled (b80dabe)
  • Replace manual release steps with GoReleaser (#2) (fedc497)
  • Support custom egress rules in NetworkPolicy (#15) (#16) (c62dc09)
  • update banner with real OpenClaw logo and Kubernetes logo (#37) (840adb9)

Bug Fixes

  • Add leader election RBAC and E2E test infrastructure (4eb6019)
  • Apply same CreateOrUpdate pattern to ServiceMonitor reconciler (#30) (c1aaa36)
  • Bump chromium /dev/shm from 256Mi to 1Gi (925d7b8)
  • Bump chromium /dev/shm sizeLimit from 256Mi to 1Gi (a4b3fbb)
  • change CRD API group domain from openclaw.io to openclaw.rocks (#41) (5bae852)
  • Chromium sidecar crash (UID mismatch + read-only rootfs) and lint (#14) (febe1d3)
  • Disable SBOM upload-release-assets to avoid race condition (d909808)
  • Downgrade to Go 1.23 for golangci-lint compatibility (dd33c08)
  • Increase golangci-lint timeout and update to v1.63.4 (1d982ca)
  • Link OpenClaw to openclaw.ai, not openclaw.rocks (679b043)
  • Link OpenClaw to openclaw.ai, not openclaw.rocks (#22) (9bfdbd8)
  • Polish README copy and diagram alignment (#19) (ef6a8d1)
  • Pre-enable channel modules in config to prevent EBUSY on startup (#13) (21ee585), closes #11
  • Prevent endless Deployment reconciliation loop (#29) (db942b9), closes #28
  • Remove chart-releaser, keep OCI-only Helm distribution (#3) (99e3cdb)
  • Replace config subPath mount with init container to avoid EBUSY (#10) (38b60d3), closes #9
  • Resolve variable shadowing of err in PVC reconciliation (a9ea85b)
  • Set HOME env var to match config mount path (#5) (175ff92), closes #4
  • Specify kind cluster name for image loading (7ac2116)
  • update banner alt text (#38) (d00dc23)
  • Update Chart.yaml version/appVersion to match latest release v0.2.4 (#26) (c475ffc)
  • Update copyright to 2026 OpenClaw.rocks (bca1f0f)
  • Update copyright to 2026 OpenClaw.rocks (4d462f9)
  • Update Go version to 1.24 for CI compatibility (5c13d06)
  • Use correct GitHub org name (OpenClaw-rocks) in all references (#20) (c157899)
  • Use direct append instead of loop for image pull secrets (187477c)
  • Use Go 1.24 with goinstall mode for golangci-lint (3dd40c8)
  • Use govet enable list for shadow analyzer (3f04b1b)
  • Use lowercase image names for OCI registry compatibility (2d3c87e)
  • Use lowercase owner name for Helm OCI registry (67bc33e)
  • use PAT for release-please to trigger downstream workflows (#45) (21191ed)

0.4.0 (2026-02-13)

⚠ BREAKING CHANGES

  • CRD API group changed from openclaw.openclaw.io to openclaw.openclaw.rocks. Existing CRDs must be deleted and re-created. This is acceptable at v1alpha1 stability level.

Features

  • Add nautical banner image with crab captain at Kubernetes helm (84d1854)
  • update banner with real OpenClaw logo and Kubernetes logo (#37) (840adb9)

Bug Fixes

  • Apply same CreateOrUpdate pattern to ServiceMonitor reconciler (#30) (c1aaa36)
  • change CRD API group domain from openclaw.io to openclaw.rocks (#41) (5bae852)
  • Prevent endless Deployment reconciliation loop (#29) (db942b9), closes #28
  • update banner alt text (#38) (d00dc23)

[Unreleased]

Added

  • Custom Prometheus metrics (reconciliation duration, instance phases, resource failures)
  • ServiceMonitor resource creation for Prometheus Operator integration
  • Defaulting webhook for setting sensible defaults
  • Comprehensive resource builder unit tests
  • Webhook validation unit tests
  • .golangci.yaml linter configuration
  • .dockerignore for optimized Docker builds
  • Architecture documentation
  • API reference documentation
  • Troubleshooting guide
  • Deployment guides for EKS, GKE, AKS
  • Grafana dashboard example
  • PrometheusRule alert examples

[0.1.0] - 2024-01-01

Added

  • Initial release of OpenClaw Kubernetes Operator
  • OpenClawInstance CRD (v1alpha1)
  • Controller with full reconciliation lifecycle
  • Security-first design (non-root, dropped capabilities, seccomp, NetworkPolicy)
  • Validating webhook (blocks root, warns on insecure config)
  • Managed resources: Deployment, Service, ServiceAccount, Role, RoleBinding, NetworkPolicy, PDB, ConfigMap, PVC, Ingress
  • Chromium sidecar support for browser automation
  • Helm chart for installation
  • CI/CD with GitHub Actions (lint, test, security scan, multi-arch build)
  • Container image signing with Cosign
  • SBOM generation
  • E2E test infrastructure