NuoDB Control Plane 2.11.2

Changelog

• Check tier revisions on feature finalization
• Evaluate license name as template in HelmFeature
• Revert immutable Helm values on HelmApp reconciliation

NuoDB Control Plane 2.11.1

Changelog

• Fix performance issue with project list API
• Bump golang Docker image version

NuoDB Control Plane 2.11.0

Changelog

New features

• Automatic resize capability for archive and journal volumes based on configurable usage thresholds.
• productVersionSelector property of project and database resources that allows constraints to be specified in order to select productVersion dynamically.
• Support for ProjectClaim and DatabaseClaim resources as CanaryRollout targets.
• Field management capability for ProjectClaim and DatabaseClaim resources that allows changes to system-generated configuration properties made by the system to be retained.
• HTTP server in External Operator that exposes GET /health and GET /metrics endpoints used to implement readiness and liveness probes and to scrape OpenMetrics data respectively.
• nuodb-cp license subcommand to allow NuoDB license to be decoded and checked.
• OpenMetrics gauge that exposes NuoDB license expiration.
• OpenMetrics gauge that exposes the limit and usage for each resource limited by ResourceQuotas in the NuoDB Control Plane namespace.
• Ability to suppress finalizer behavior for PersistentVolumeRebinding resources.

Resolved issues

• The JSONSchema validation constraint for the dbaPassword property of the database model did not specify it as immutable.
• JSONSchema validation constraints for tier parameters that specified type string were not applicable to values that were not explicitly quoted. This was fixed by automatically quoting the tier parameter value when applying such a validation constraint if the value is not already quoted.
• It was possible for rollback to be skipped on failed CanaryRollout targets.
• It was possible for changes to HelmFeatures or ServiceTiers to generate changes to immutable resource properties, resulting in the upgrade failing. Such changes are now suppressed.

Commits

• Quote strings to allow JSONSchema validation
• Revert immutable Helm values for Domain
• Populate volume provisionner annotation on PVC creation
• Add release label to target PVC to ensure cleanup
• Added CSI volume expansion capability option
• Fix typo in metric description
• Add gauges for project and database claim status
• Add gauges exposing limits and usage for resource quotas
• Fix adding test Helm features multiple times
• Misc improvements on canary rollouts
• Added database auto-resize fields in REST API
• Miscellaneous improvements to metrics collection
• Database volumes resizer service
• Add nuodb-cp license subcommand and OpenMetric gauge
• Add property to control merging of resource content
• Add field management based on metadata.managedFields
• Allow finalize behavior to be controlled
• Fix readiness probe for External Operator
• Fix CP docs publishing
• Bump com.github.spotbugs:spotbugs-maven-plugin in /rest-service
• Bump the minor-versions group across 1 directory with 10 updates
• Add HTTP server with /metrics and /health endpoints
• Added product version selector
• Support claims as canary rollout targets
• Make database dbaPassword immutable in openapi spec
• Update version to 2.11.0

NuoDB Control Plane 2.10.0

Changelog

New features

• Added PersistentVolumeRebinding Custom Resource Definition (CRD) and controller, which allows data bound to a PersistentVolumeClaim (PVC) in one namespace to be made available to a PVC in another namespace.
• Added resource dependencies to ProjectClaim and DatabaseClaim resources which are enforced by the External Operator before creating DBaaS resources.
• Added parameterized HelmFeature that enables data migration support available in NuoDB Helm Charts 3.11.0.
• Allow user-defined labels to be injected into ProjectClaim and DatabaseClaim resources.
• Allow user-defined annotations to be injected into Domain and Database resources.
• Made secret resource used to store backup metadata immutable to improve scalability.
• Added readiness and liveness probes to External Operator workload, and add sidecar that allows OpenMetrics probes to be exposed.

Resolved issues

• It was possible for ProjectClaim or DatabaseClaim resources to leave behind orphaned DBaaS resources because finalizers were not set before creating the DBaaS resource.
• The state parameter generated when using OIDC providers was not properly encoded, resulting in decoding errors.
• Access rules for DBaaS users were not considered when resolving users from IdentityProvider resources.
• TLS verification was not skipped when spec.oidc.tlsSkipVerify was set to true when communicating with the provider.
• Suspended canary rollout would be reset on resume due to falsely generated updates to their spec.

Commits

• Add job to scan Docker image and update dependencies
• Make nuodb-data-migration feature optional
• Add envFrom property to pre-delete container
• Add basic liveness and readiness probes for External Operator
• Enable linting Java code on build
• Bump the minor-versions group across 1 directory with 17 updates
• Bump golang from 1.25.1 to 1.25.2 in /docker in the minor-versions group
• Added publish-docs build step
• publish -latest docker/helm charts
• Allow labels on target PVCs to be specified
• Fetch target PVC from API server
• Fix teMaxReplicas parameter rendering
• Fix nuodb-cp-operator chart rendering with image override
• Integrate HelmFeature enabling data migration
• Remove CIR CiliumNetworkPolicy
• Inject templated annotations into domain/database
• Add External Operator configuration property to inject labels
• Omit the suspended field from the canary configuration checksum
• Misc test improvements
• Allow NuoDB operator to communicate with container registry
• Generate HTML reports for tests and coverage
• Add dependencies mechanism to claim resources
• enable LDAP authentication support
• Make backup metadata secrets immutable
• Inject service tier labels to CanaryRollout resource
• Add finalizer before reconciliation
• Helm template the canary rollout template name
• Fix metric names
• Add external-operator sidecar that exposes OpenMetrics probes
• Use access rule from user instead of resolved from IdP
• Do not rely on status.lastPhaseTransitionTime
• Bump operator Helm dependency version
• Disable TLS verification if spec.oidc.tlsSkipVerify=true
• Add PersistentVolumeRebinding CRD and controller
• Dependabot updates
• Do not decode query string before encryption
• Update version to 2.10.0

NuoDB Control Plane 2.9.2

Changelog v2.9.2 (2025-10-30)

Full Changelog

• 11e0815e Remove CIR CiliumNetworkPolicy #822
• d1d37653 Use blocking client for database restore transitions #820
• 01ec94eb Inject templated annotations into domain/database #820
• 02ccef2d Add External Operator configuration property to inject labels #818
• 0c81833b Omit the suspended field from the canary configuration checksum #816
• 33c9ae59 Allow NuoDB operator to communicate with container registry #812
• 647c6c28 Inject service tier labels to CanaryRollout resource #810

NuoDB Control Plane 2.9.1

Changelog

• Add finalizer before reconciliation
• Helm template the canary rollout template name
• Add external-operator sidecar that exposes OpenMetrics probes
• Use access rule from user instead of resolved from IdP
• Bump operator Helm dependency version
• Disable TLS verification if spec.oidc.tlsSkipVerify=true
• Use newer version of Vert.x transitive dependency to avoid CVE
• Do not decode query string before encryption

NuoDB Control Plane 2.9.0

Changelog

New features

• Added integration with external identity providers. Supported protocols are OpenID Connect (OIDC) and Central Authentication Service (CAS).
  When logging in using an external identity provider, an internal DBaaS user is provisioned using attributes and access defined in the corresponding IdentityProvider custom resource.
• Added RoleTemplates and IdentityProviders to the nuodb-cp-config Helm chart. The standard RoleTemplates grant access at various levels, e.g. database, project, organization, etc.
• Added metrics to the Control Plane that integrate with Prometheus.
• Added integration with Prometheus Alertmanager, which generates alerts containing links to runbooks in the NuoDB Control Plane documentation.
• Improved performance of GET /openapi endpoint, by enabling client-side caching using ETag and If-None-Match headers and by internally caching the serialized content of the OpenAPI specification.

Resolved issues

• The Java Operator SDK (JOSDK) generated logging noise and could become wedged when concurrent update failures (409 Conflict) occurred. This has been addressed by replacing JOSDK with a custom framework.
• GET requests made immediately after PUT requests could return stale data with the introduction of resource caching.
• The lease resource created by Kubernetes-Aware Admin would be left behind on domain deletion, resulting in an accumulation of lease resources.
• Canary rollout would hang if a resource pending upgrade was deleted.
• Canary rollout would previously not coordinate upgrade of a database with upgrade of the domain that it belongs to.
• The REST service used to fail with 500 Internal Server Error when attempting to deserialize custom resources with unrecognized properties returned by the Kubernetes API server. To enable forward-compatibility with newer CRDs, the REST service now ignores unrecognized properties when deserializing custom resources stored in Kubernetes.

Commits

• Implement forward-compatible deserialization in REST service
• Configure additional network segmentation policies
• Allow reprovisioning of users belonging to defunct IdPs
• Cache serialized /openapi responses by URL
• Sync NuoDB versions from OCI repostory
• Fix templating support for extraRoles
• Allow ConfigMap injector to prefer internal domain hostname
• Change DomainUnavailable and DatabaseUnavailable alerts severity
• Allow browser to cache OpenAPI spec
• Update image tags and use all processors on Maven build
• Improve role resolution and allow custom validation for CAS
• Log event when canary step does not match targets
• Allow transformation and validation of IdP user attributes
• Added TE autoscaler Helm feature
• Fix anlysis tests
• Unblock domain version upgrade
• Fix data race in controller tests
• Update nuodb-cp-rest Helm chart
• Allow canary rollout to be suspended
• Normalize pattern validation constraints
• Adding alerting rules for NuoDB operator
• Refactor metrics generation
• Allow images to be published to ECR for branches
• Accept '{name}' placeholder in redirectUrl
• Generalize integration with IdPs and add OIDC support
• Added E2E tests for metrics collection
• Enable NuoDB collector in nuodb-cp-config Helm chart
• Added metrics to NuoDB operator
• Serialize domain and database upgrade
• Limit the number of concurrent test compilations
• Skip promoted targets which has been deleted
• Add CAS support to IdentityProvider CRD
• Keycloak CAS E2E test
• Wait for the pending validation annotation to be removed
• Validate canary template step limits and analysis
• Add IdentityProvider CRD and controller
• Improve the validation of canary template references
• Misc changes to support PSBR 1.13.0
• Improve nuodb-cp-operator chart pre-delete Helm hook
• Propagate reconciliation requests on delete
• Replace JOSDK dependency with custom implementation
• Added global cache label selector for NuoDB operator
• Add CAS authentication provider support
• Added support for multiple CP instances in one namespace
• Allow Helm feature overrides for Domain and Database
• Added Metric and MetricSource CRDs
• Expose service tier update strategy
• Add /cluster/roletemplates/{name}/users sub-resource
• Bump CPU limits for backup hooks container
• Remove labels from publish targets in claim operator
• Relax mandatory feature validation if Helm version is not set
• Remove KAA lease on domain finalization
• Template extraFeatures and bool values in nuodb-cp-config
• Expose pod labels in the pre-delete Job
• add CORS support
• Wait for created or updated resource to appear in cache

NuoDB Control Plane 2.8.1

Changelog

• Remove labels from publish targets in claim operator
• Relax mandatory feature validation if Helm version is not set
• Remove KAA lease on domain finalization
• Template extraFeatures and bool values in nuodb-cp-config
• Expose pod labels in the pre-delete Job

NuoDB Control Plane 2.8.0

Changelog

New features

• Added the ability to deploy NuoDB Control Plane into 3DS environments.
• Added canary upgrade capabilities. The CanaryRollout and CanaryRolloutTemplate CRDs allow version upgrades and configuration changes to be gradually rolled out in a controlled fashion.
• Added versioning of ServiceTiers and HelmFeatures, which enables gradual rollout of configuration changes. References to ServiceTiers and HelmFeatures now specify pinned versions, which must be explicitly updated in order for changes to take effect.
• Added RoleTemplate CRD to allow parameterized roles to be defined.
• Added role-based access control (RBAC). The roles property to DBaaS users allows access to be granted to all REST API endpoints associated with the referenced role template and parameters.
• Added the ability to update status fields for /cluster resources.
• Added the backup-util command-line tool for performing snapshot-based database backups outside the NuoDB Control Plane.
• Added injection of enum constraints for properties in the OpenAPI spec returned by GET /openapi. The list of available ServiceTiers and RoleTemplates is injected into the enum constraint of properties that reference them.
• Improved performance of list APIs for organization-scoped resources by adding caching of DBaaS resources.
• Improved isolation between DBaaS users by adding denial of service (DoS) protection to the DBaaS REST API.
• Added the ability to specify field filters when listing DBaaS resources.

Resolved issues

• Having a very large number of Secret resources for DBaaS users previously affected the stability of the underlying Kubernetes cluster. This issue was resolved by making Secret resources for DBaaS users immutable.
• Users could previously attempt to restore backups with an older database version, which would never complete. A validation check on database creation now prevents this incorrect operation.
• The Control Plane Operator would previously attempt TLS key rotation on disabled Domains, which would never complete. This process now skips disabled Domains.
• The request filter that performs path rewrite previously attempted to evaluate path parameters appearing in the request path. The request paths are now interpreted literally, which is the correct behavior.
• The DBaaS External Operator previously generated a NullPointerException when processing a finalizer for a resource that was already deleted. This prevented Secret resource entries published from the resource from being unpublished. This issue has been resolved.

Commits

• Added pre-delete hook
• Package OpenAPI spec in JAR to avoid initial delay
• Dynamically resolve role templates and descriptions
• Move samples in separate Helm chart
• Added validation for CanaryRollout and CanaryRolloutTemplate
• Added finalizer for RoleTemplates
• Perform canary analysis based on status conditions
• Use cache for all non-/cluster list APIs
• Add /cluster/canaryrollout resource to REST API
• Move roles property to user model
• Add RBAC to DBaaS REST API
• Add denial of service protection using concurrency limiter
• Specify label selector on External Operator shared informers
• Improve and simplify declaring of server properties
• Update OpenAPI doc generators
• Add description field for HelmFeature parameters
• Added option to disable external access
• Fix 'should delete obsolete backups' tests
• Do not update type for user secret
• Add RoleTemplate CRD and /cluster/roletemplates REST endpoint
• Generate models and resources for /cluster endpoint
• Sync 3DS chart
• Added backup-util to Docker build
• Initial version of backup-util snapshot create
• Improve caching and get users from cache
• Expose topologySpreadConstraints Helm value
• Set user secret resources as immutable to improve performance
• Added canary rollout reconciler
• Support JWS tokens and other auth improvements
• Avoid 500 error if unable to list service tiers for GET /openapi
• Canary rollout CRDs
• Discover all non-unique generated classes and inject schema name
• Override schema name for duplicate classes
• add service tier values to runtime openapi spec
• Revert Swagger version to avoid logging noise
• HelmFeature and ServiceTier versioning
• Changes to enable 3DS pipeline deployments
• Skip disabled databases during TLS rotation
• Test failure: service tier parameters in AWS DBaaS
• Unmanaged volume snapshot cause panic in backup controller
• Validate minimum database version on restore
• Improvements to list APIs
• Wait for project before getting certificates
• Several changes to enable 3DS pipeline deployments
• Fix and update fuzz test
• Avoid NPE in finalizer when DBaaS resource does not exist
• Avoid evaluating template parameters on path rewrite
• Reset HelmApp components status after a successful Helm install/upgrade
• Migrate from Kuttl to Chainsaw
• Add network policy for External Operator
• Fix end-to-end tests broken by environmental issues
• Create separate job for KUTTL tests

NuoDB Control Plane 2.7.0

Changelog

New features

• Added automatic TLS key rotation for Domain and Database custom resources.
• Added /events REST endpoints for DBaaS resources, which stream resource updates as server-sent events.
• Added --watch option for nuodb-cp <resource> get subcommands, which streams updates to the resource.
• Added DBaaS External Operator to allow declarative management of DBaaS resources via the REST API.
• Added retention.settings to the backup policy resource exposed by the REST API, allowing various aspects of the retention policy to be controlled.
• Added status.retainedAs field to the backup resource by the REST API, listing the retention cycles that apply to the backup.
• Added the ability to propagate certain labels to resources verbatim via the REST API.
• Changed the default repository for NuoDB images from docker.io/nuodb/nuodb-ce to docker.io/nuodb/nuodb.

Resolved issues

• Fixed issues related to backups and backup policies.

Commits

• Add properties to control reconciliation
• Database TLS certificates rotation may complete prematurely
• Omit certain labels when propagating to Helm resources
• Minor backup fixes caused by client cache misses
• Add config options for External Operator
• Record backups not scheduled by a backup policy
• Fix failed backups retention
• Inject size constraints into OpenAPI schemas
• Fix empty ConfigMap key
• Perform retry on unpublish DBA password
• Generate and publish DBA password on database creation
• Allow publishing of resource fields to Secrets, ConfigMaps
• Finalize backup even if backup handle is missing
• Relax database backup validation inside webhook
• Create normal event for backup when database is disabled
• Add passthroughLabelKeyPrefixes to claim CRDs
• Enable Hotsnap in backup hooks via Helm feature
• Add validation constraints and additional printer columns to CRDs
• Add nuodb-cp subcommands, Helm chart for External Operator
• Replace nuodb/nuodb-ce with nuodb/nuodb
• Make id field in event message relative to request path
• Certificate rotation for NuoDB database
• Add DBaaS external operator (claim operator)
• Reconcile target on Domain update
• Add watchAll query parameter to events endpoints
• make openapi URL available to all authenticated users
• Refactor events framework to remove code duplication
• Certificate rotation for NuoDB domain
• Added retainedAs field to backup status
• Fix policy retention for multiple databases
• Add --watch to nuodb-cp <resource> get subcommands
• Add event publishing for all resources
• Allow labels with special prefixes to be passed through
• Revert picocli to avoid bug displaying duplicate help text
• Support events for lists of resources
• Expose backup rotation settings in REST API
• Add event streaming framework