Releases: sighupio/distribution

Release v1.33.2

06 May 06:06
v1.33.2
dfe30e1

SIGHUP Distribution Release v1.33.2

Welcome to SD release v1.33.2.

The distribution is maintained with ❤️ by the team SIGHUP by ReeVo.

This patch release backports the v1.34.0 module updates and features to the v1.33 line, while keeping Kubernetes 1.33 as the supported minor version. It targets Kubernetes v1.33.7 on-premises (bumped from 1.33.4 in v1.33.1) and continues to support EKS 1.33.

This release also includes some breaking changes, please make sure to read the relevant section below.

Installer Updates

  • on-premises 📦 installer: v1.34.4
    • Installs Kubernetes version 1.34.4, adds support for Kubernetes v1.33.7 and v1.32.11, and updates runc (among other components) to address CVE-2025-31133.
  • eks 📦 installer: v3.4.0
    • This release introduces the new vpn_furyagent_path variable in the VPN Terraform module, so that furyagent binaries no longer need to be embedded in the repository. In this backport the target Kubernetes version remains 1.33.

Module updates

  • networking 📦 core module: v3.1.0
    • This release updates the Tigera Operator to version 1.40.3 (Calico v3.31.3), Cilium to v1.18.7 and adds support for Kubernetes 1.34.
  • ingress 📦 core module: v5.0.1
    • This release updates several packages included in the ingress module, to officially support Kubernetes v1.34.
    • Adds HAProxy Kubernetes Ingress Controller as a new ingress option, supporting both single and dual deployment modes.
    • Forecastle has been moved from the ingress-nginx namespace to its own dedicated forecastle namespace.
    • External-DNS has been moved from the ingress-nginx namespace to its own dedicated external-dns namespace.
  • monitoring 📦 core module: v4.1.0
    • This release adds support for Kubernetes 1.34 and updates MinIO.
  • tracing 📦 core module: v1.4.0
    • This release adds support for Kubernetes 1.34 and updates MinIO.
  • dr 📦 core module: v3.3.0
    • This release updates Velero to v1.17.1, the Velero plugins to v1.13.1 and the Snapshot Controller to v8.4.0.
  • logging 📦 core module: v5.3.0
    • This release adds support for Kubernetes 1.34 and updates MinIO.
  • policy 📦 core module: v1.16.0
    • This release updates Kyverno to version 1.16.0 and Gatekeeper to version 3.21.0.
  • auth 📦 core module: v0.6.1

New features 🌟

  • [#483] Added support for HAProxy ingress controller and BYOIC (Bring Your Own Ingress Controller) mode. HAProxy Kubernetes Ingress Controller is adopted as the new reference ingress controller following the official retirement announcement of the Ingress NGINX Controller. When both Ingress NGINX Controller and HAProxy KIC are enabled, NGINX takes priority for infrastructure ingresses. To use HAProxy KIC for infrastructure ingresses instead, set spec.distribution.modules.ingress.infrastructureIngressController to haproxy. BYOIC mode allows using a custom ingress controller deployed as a distribution plugin, not managed by the SD lifecycle.

  • [#468] Replaced Terraform with OpenTofu: furyctl now uses the OpenTofu v1.10.0 binary instead of Terraform. A new spec.toolsConfiguration.opentofu field is available for state backend configuration. The spec.toolsConfiguration.terraform field is deprecated and will be removed in a future version. To use the new field, add the opentofu key to your furyctl.yaml file with the same S3 backend:

    spec:
      toolsConfiguration:
        opentofu:     # Before was terraform
          state:
            s3:
              bucketName: your-bucket-name       # Same as terraform
              keyPrefix: your-key-prefix          # Same as terraform
              region: your-region                 # Same as terraform
  • [#479] Added vpn_furyagent_path to the infrastructure Terraform template of the EKSCluster provider, so the furyagent binary is no longer re-downloaded.

  • [#482] Added kubeadmDownloadUrl, kubeadmChecksum, and kubeadmBinaryDir fields to spec.kubernetes.advanced.airGap for air-gapped on-premises clusters, used on dedicated etcd nodes for certificate management.

  • [#459] Support for kube-proxy-less clusters: on-premises clusters can now be created without kube-proxy. Disabling kube-proxy enables Calico's eBPF mode or Cilium's kube-proxy-replacement mode, whichever CNI the networking module deploys. kube-proxy can be disabled as follows:

    apiVersion: kfd.sighup.io/v1alpha2
    kind: OnPremises
    metadata:
      name: kube-proxy-less
    spec:
      kubernetes:
        advanced:
          kubeProxy:
            enabled: false
        ...
  • [#442] Added GCS (Google Cloud Storage) as a supported backend for the DR module configuration and added support for new fields.

  • [#490] Added support for Velero's node-agent prepareQueueLength configuration via spec.distribution.modules.dr.velero.nodeAgent.prepareQueueLength.
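
The kubeadmChecksum field from [#482] only helps if the staged binary is actually checked against it before kubeadm runs on the etcd node. The following is an added example, not furyctl's or the installer's own code: it verifies <kubeadmBinaryDir>/kubeadm against the pinned digest and fails closed on a missing file, a malformed checksum or a mismatch. It assumes kubeadmChecksum is a SHA-256 digest in one of the usual notations (bare hex, sha256:<hex>, or a sha256sum output line) and that the binary is named kubeadm inside kubeadmBinaryDir; the release notes document neither detail. The download URL in demo() is a placeholder that is never fetched, and the "binary" is a constructed three-byte file.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Tuple

_HEX = set("0123456789abcdef")


def parse_expected_sha256(value: str) -> str:
    """Normalise a checksum string to 64 lowercase hex digits.

    Accepts a bare digest, the "sha256:<hex>" form and a sha256sum line
    ("<hex>  kubeadm"). Assumption: kubeadmChecksum holds one of these; the
    release notes do not document the exact format.
    """
    v = value.strip()
    if v.lower().startswith("sha256:"):
        v = v[len("sha256:"):]
    v = v.split()[0].lower() if v else ""
    if len(v) != 64 or set(v) - _HEX:
        raise ValueError("kubeadmChecksum is not a SHA-256 digest")
    return v


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large binary never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_kubeadm_binary(air_gap: Dict[str, str]) -> bool:
    """True only when <kubeadmBinaryDir>/kubeadm exists and matches kubeadmChecksum.

    Every other outcome (missing file, malformed checksum, mismatch) is False:
    fail closed rather than fall back to whatever happens to be in the directory.
    """
    binary = Path(air_gap["kubeadmBinaryDir"]) / "kubeadm"
    if not binary.is_file():
        return False
    try:
        expected = parse_expected_sha256(air_gap["kubeadmChecksum"])
    except ValueError:
        return False
    return hmac.compare_digest(sha256_of_file(binary), expected)


# SHA-256 of the three bytes "abc" (the FIPS 180 test vector), pinned for the
# constructed binary below so the example needs no real download.
PINNED = "sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo() -> Tuple[bool, bool]:
    """Constructed staging dir: verify the intended file, then the same path after tampering."""
    staging = Path(tempfile.mkdtemp(prefix="airgap-"))
    cfg = {
        "kubeadmDownloadUrl": "https://mirror.example.internal/kubeadm",  # placeholder, never fetched
        "kubeadmChecksum": PINNED,
        "kubeadmBinaryDir": str(staging),
    }
    try:
        (staging / "kubeadm").write_bytes(b"abc")
        intact = verify_kubeadm_binary(cfg)
        (staging / "kubeadm").write_bytes(b"abd")  # one byte changed after staging
        return intact, verify_kubeadm_binary(cfg)
    finally:
        shutil.rmtree(staging)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The pinned digest belongs in version-controlled configuration (here, kubeadmChecksum), not next to the download: a checksum file fetched from the same mirror as the binary proves nothing if that mirror is the thing you do not trust.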

Bug Fixes 🐛

  • [#480] The x509-certificate-exporter-data-plane DaemonSet was incorrectly patched with the common nodeSelector (e.g., infra nodes), so it was unable to monitor kubelet certificates on all worker nodes.

  • [#477] Both the control-plane Pods and the etcd systemd service use several kubeadm-generated PKI files. These files are generated from a dedicated CA PKI that is expected to be already present on the target node. This PR makes sure the CA PKI is uploaded to the target nodes in a way that prevents inconsistent file permissions and ownership, which could cause errors during etcd or control-plane Pod startup.

  • [#497] When the distribution network-policies are enabled, traffic between SD monitoring and logging namespaces, and from haproxy ingress controller to the monitoring namespace, is now allowed.

  • [#498] Fixes schema validation error caused by missing nginx field in the generated configuration file for all providers.

  • [#501] This resolves the issue where the etcd Grafana dashboard did not display data when etcd is running on dedicated nodes. Now, when spec.kubernetes.etcd is configured, a ScrapeConfig resource is generated to collect etcd metrics directly from the dedicated etcd nodes.
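
The check a practitioner would want after a fix like [#477]: an audit of the kubeadm PKI tree for exactly the permission and ownership drift it describes. This is an added example, not SD's or furyctl's own code. It assumes the CIS Kubernetes Benchmark limits for the PKI directory (private keys 0600, certificates 0644 or stricter, directories 0755 or stricter, everything owned by root), that the files are laid out the kubeadm way (/etc/kubernetes/pki with an etcd/ subdirectory), and that the expected owner is passed in, so the same function runs as root against the real directory or as an unprivileged user against the constructed sample that demo() builds.

```python
import shutil
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Limits follow the CIS Kubernetes Benchmark checks on the kubeadm PKI directory:
# private keys 0600, certificates 0644 or stricter, directories 0755 or stricter,
# everything owned by root:root. Assumption: SD's on-premises installer lays the
# files out the kubeadm way (/etc/kubernetes/pki with an etcd/ subdirectory).
MAX_MODE = {"dir": 0o755, "key": 0o600, "cert": 0o644}
KEY_SUFFIXES = {".key"}
CERT_SUFFIXES = {".crt", ".pem", ".pub"}


@dataclass
class Finding:
    path: str
    problem: str


def _kind(p: Path) -> str:
    if p.is_dir():
        return "dir"
    if p.suffix in KEY_SUFFIXES:
        return "key"
    if p.suffix in CERT_SUFFIXES:
        return "cert"
    return "other"


def audit_pki_dir(pki_dir: str, expected_uid: int = 0, expected_gid: int = 0) -> List[Finding]:
    """Walk the PKI tree and report every entry looser than the limits above.

    Symlinks are reported, not followed: a link can point a control-plane
    component at key material outside the directory that was just audited.
    """
    root = Path(pki_dir)
    if not root.is_dir():
        return [Finding(str(root), "PKI directory missing")]
    findings: List[Finding] = []
    for p in [root, *sorted(root.rglob("*"))]:
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append(Finding(str(p), "symlink inside PKI directory"))
            continue
        if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
            findings.append(Finding(str(p), f"owned by {st.st_uid}:{st.st_gid}, "
                                            f"expected {expected_uid}:{expected_gid}"))
        kind = _kind(p)
        if kind == "other":
            findings.append(Finding(str(p), "unexpected file in PKI directory"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~MAX_MODE[kind]:  # any permission bit the limit does not grant
            findings.append(Finding(str(p), f"{kind} mode {mode:04o} exceeds {MAX_MODE[kind]:04o}"))
    return findings


def demo() -> List[Finding]:
    """Constructed layout: a sound CA pair, plus an etcd CA key left world-readable,
    the kind of leftover a recursive chmod on the wrong directory produces."""
    base = Path(tempfile.mkdtemp(prefix="pki-audit-"))
    (base / "etcd").mkdir(mode=0o755)
    for rel, mode in [("ca.crt", 0o644), ("ca.key", 0o600), ("etcd/ca.crt", 0o644), ("etcd/ca.key", 0o644)]:
        f = base / rel
        f.write_bytes(b"-- constructed placeholder, not real key material --\n")
        f.chmod(mode)
    owner = base.stat()  # audit as the user who built the sample, not as root
    try:
        return audit_pki_dir(str(base), expected_uid=owner.st_uid, expected_gid=owner.st_gid)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.path}: {finding.problem}")
```

Run it against /etc/kubernetes/pki on each control-plane and dedicated etcd node after an upgrade; an empty result is the expected state, and a finding on a .key file is the one to act on first, since a world-readable CA key is a cluster-wide credential.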

Breaking Changes 💔

Pomerium policy key renaming

The Pomerium default route policy key for Forecastle has been renamed from ingressNgnixForecastle to ingressForecastle, reflecting that Forecastle is no longer tied to NGINX (it now also supports HAProxy and BYOIC mode).

Before:

spec:
  distribution:
    modules:
      auth:
        pomerium:
          defaultRoutesPolicy:
            ingressNgnixForecastle:  # Old key
              - allow:

After:

spec:
  distribution:
    modules:
      auth:
        pomerium:
          defaultRoutesPolicy:
            ingressForecastle:  # New key
              - allow:

Terraform key deprecation

The spec.toolsConfiguration.terraform field is deprecated in favor of spec.toolsConfiguration.opentofu. Users are encouraged to migrate to opentofu configuration, as the terraform field will be removed in a future version.
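
Both renames in this section (the Pomerium policy key above and spec.toolsConfiguration.terraform to opentofu) are mechanical, but doing them by hand across many furyctl.yaml files is where keys get duplicated or a comment is lost. The following script is an added example, not SD tooling: it rewrites only the key token on the matching line, so comments, values and ordering survive, and it refuses to run when an old key and its replacement are both already present. It assumes furyctl.yaml uses plain block mappings at those paths (no flow-style braces or quoted keys); SAMPLE_BEFORE is a constructed file, not one from the project.

```python
import re
from typing import Dict, List, Tuple

# Old-key dotted path -> new key name, for the two renames in this release.
RENAMES: Dict[str, str] = {
    "spec.toolsConfiguration.terraform": "opentofu",
    "spec.distribution.modules.auth.pomerium.defaultRoutesPolicy.ingressNgnixForecastle": "ingressForecastle",
}

# A bare block-mapping key: spaces, key name, colon, then the rest of the line.
# List items ("- allow:"), comment lines and quoted keys deliberately do not match.
_KEY_RE = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z_][A-Za-z0-9_-]*):(?P<rest>.*)$")


def _keyed_lines(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line index, dotted path, indent, rest of line) for each bare mapping key.

    The path is rebuilt from indentation alone: a key indented no deeper than the
    key on top of the stack closes that mapping. Enough for furyctl.yaml's
    block-mapping layout; this is not a YAML parser.
    """
    found: List[Tuple[int, str, str, str]] = []
    stack: List[Tuple[int, str]] = []  # (indent width, key)
    for i, line in enumerate(text.splitlines()):
        m = _KEY_RE.match(line)
        if not m:
            continue
        indent = len(m.group("indent"))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group("key")))
        found.append((i, ".".join(k for _, k in stack), m.group("indent"), m.group("rest")))
    return found


def migration_conflicts(text: str) -> List[str]:
    """Report old/new key pairs that are both set; renaming would create duplicate keys."""
    present = {path for _, path, _, _ in _keyed_lines(text)}
    conflicts: List[str] = []
    for old_path, new_key in RENAMES.items():
        new_path = old_path.rsplit(".", 1)[0] + "." + new_key
        if old_path in present and new_path in present:
            conflicts.append(f"{old_path} and {new_path} are both set")
    return conflicts


def migrate_furyctl_yaml(text: str) -> str:
    """Rename the deprecated keys in place, leaving comments, values and order untouched."""
    conflicts = migration_conflicts(text)
    if conflicts:
        raise ValueError("; ".join(conflicts))
    lines = text.splitlines()
    for i, path, indent, rest in _keyed_lines(text):
        new_key = RENAMES.get(path)
        if new_key is not None:
            lines[i] = f"{indent}{new_key}:{rest}"
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


# Constructed furyctl.yaml fragment carrying both deprecated keys and a comment
# that mentions "terraform" and must come through untouched.
SAMPLE_BEFORE = """apiVersion: kfd.sighup.io/v1alpha2
kind: OnPremises
metadata:
  name: demo
spec:
  toolsConfiguration:
    terraform:   # state backend; the word terraform in this comment must survive
      state:
        s3:
          bucketName: my-bucket
          keyPrefix: demo
          region: eu-west-1
  distribution:
    modules:
      auth:
        pomerium:
          defaultRoutesPolicy:
            ingressNgnixForecastle:
              - allow:
                  or:
                    - domain:
                        is: example.com
"""


if __name__ == "__main__":
    print(migrate_furyctl_yaml(SAMPLE_BEFORE))
```

Deriving each key's path from indentation instead of loading the document through a YAML library is what keeps the comments (a load/dump round trip drops them), at the cost of not understanding flow style or block scalars. Run furyctl's configuration validation on the result before applying it.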

Upgrade procedure

Check the upgrade docs for the steps to upgrade the SIGHUP Distribution from one version to the next using furyctl.

NGINX to HAProxy migration guide

Follow the migration guide from NGINX to HAProxy KIC for a smooth transition.

Release v1.32.2

06 May 13:24
v1.32.2
c2ae9d8

SIGHUP Distribution Release v1.32.2

Welcome to SD release v1.32.2.

The distribution is maintained with ❤️ by the team SIGHUP by ReeVo.

This patch release backports the v1.34.0 module updates and features to the v1.32 line, while keeping Kubernetes 1.32 as the supported minor version. It targets Kubernetes v1.32.11 on-premises (bumped from 1.32.8 in v1.32.1) and continues to support EKS 1.32.

This release also includes some breaking changes, please make sure to read the relevant section below.

Installer Updates

  • on-premises 📦 installer: v1.34.4
    • Installs Kubernetes version 1.34.4, adds support for Kubernetes v1.33.7 and v1.32.11, and updates runc (among other components) to address CVE-2025-31133.
  • eks 📦 installer: v3.4.0
    • This release introduces the new vpn_furyagent_path variable in the VPN Terraform module, so that furyagent binaries no longer need to be embedded in the repository. In this backport the target Kubernetes version remains 1.32.

Module updates

  • networking 📦 core module: v3.1.0
    • This release updates the Tigera Operator to version 1.40.3 (Calico v3.31.3), Cilium to v1.18.7 and adds support for Kubernetes 1.34.
  • ingress 📦 core module: v5.0.1
    • This release updates several packages included in the ingress module, to officially support Kubernetes v1.34.
    • Adds HAProxy Kubernetes Ingress Controller as a new ingress option, supporting both single and dual deployment modes.
    • Forecastle has been moved from the ingress-nginx namespace to its own dedicated forecastle namespace.
    • External-DNS has been moved from the ingress-nginx namespace to its own dedicated external-dns namespace.
  • monitoring 📦 core module: v4.1.0
    • This release adds support for Kubernetes 1.34 and updates MinIO.
  • tracing 📦 core module: v1.4.0
    • This release adds support for Kubernetes 1.34 and updates MinIO.
  • dr 📦 core module: v3.3.0
    • This release updates Velero to v1.17.1, the Velero plugins to v1.13.1 and the Snapshot Controller to v8.4.0.
  • logging 📦 core module: v5.3.0
    • This release adds support for Kubernetes 1.34 and updates MinIO.
  • policy 📦 core module: v1.16.0
    • This release updates Kyverno to version 1.16.0 and Gatekeeper to version 3.21.0.
  • auth 📦 core module: v0.6.1

New features 🌟

  • [#483] Added support for HAProxy ingress controller and BYOIC (Bring Your Own Ingress Controller) mode. HAProxy Kubernetes Ingress Controller is adopted as the new reference ingress controller following the official retirement announcement of the Ingress NGINX Controller. When both Ingress NGINX Controller and HAProxy KIC are enabled, NGINX takes priority for infrastructure ingresses. To use HAProxy KIC for infrastructure ingresses instead, set spec.distribution.modules.ingress.infrastructureIngressController to haproxy. BYOIC mode allows using a custom ingress controller deployed as a distribution plugin, not managed by the SD lifecycle.

  • [#468] Replaced Terraform with OpenTofu: furyctl now uses the OpenTofu v1.10.0 binary instead of Terraform. A new spec.toolsConfiguration.opentofu field is available for state backend configuration. The spec.toolsConfiguration.terraform field is deprecated and will be removed in a future version. To use the new field, add the opentofu key to your furyctl.yaml file with the same S3 backend:

    spec:
      toolsConfiguration:
        opentofu:     # Before was terraform
          state:
            s3:
              bucketName: your-bucket-name       # Same as terraform
              keyPrefix: your-key-prefix          # Same as terraform
              region: your-region                 # Same as terraform
  • [#479] Added vpn_furyagent_path to the infrastructure Terraform template of the EKSCluster provider, so the furyagent binary is no longer re-downloaded.

  • [#482] Added kubeadmDownloadUrl, kubeadmChecksum, and kubeadmBinaryDir fields to spec.kubernetes.advanced.airGap for air-gapped on-premises clusters, used on dedicated etcd nodes for certificate management.

  • [#459] Support for kube-proxy-less clusters: on-premises clusters can now be created without kube-proxy. Disabling kube-proxy enables Calico's eBPF mode or Cilium's kube-proxy-replacement mode, whichever CNI the networking module deploys. kube-proxy can be disabled as follows:

    apiVersion: kfd.sighup.io/v1alpha2
    kind: OnPremises
    metadata:
      name: kube-proxy-less
    spec:
      kubernetes:
        advanced:
          kubeProxy:
            enabled: false
        ...
  • [#442] Added GCS (Google Cloud Storage) as a supported backend for the DR module configuration and added support for new fields.

  • [#490] Added support for Velero's node-agent prepareQueueLength configuration via spec.distribution.modules.dr.velero.nodeAgent.prepareQueueLength.

Bug Fixes 🐛

  • [#480] The x509-certificate-exporter-data-plane DaemonSet was incorrectly patched with the common nodeSelector (e.g., infra nodes), so it was unable to monitor kubelet certificates on all worker nodes.

  • [#477] Both the control-plane Pods and the etcd systemd service use several kubeadm-generated PKI files. These files are generated from a dedicated CA PKI that is expected to be already present on the target node. This PR makes sure the CA PKI is uploaded to the target nodes in a way that prevents inconsistent file permissions and ownership, which could cause errors during etcd or control-plane Pod startup.

  • [#497] When the distribution network-policies are enabled, traffic between SD monitoring and logging namespaces, and from haproxy ingress controller to the monitoring namespace, is now allowed.

  • [#498] Fixes schema validation error caused by missing nginx field in the generated configuration file for all providers.

  • [#501] This resolves the issue where the etcd Grafana dashboard did not display data when etcd is running on dedicated nodes. Now, when spec.kubernetes.etcd is configured, a ScrapeConfig resource is generated to collect etcd metrics directly from the dedicated etcd nodes.

Breaking Changes 💔

Pomerium policy key renaming

The Pomerium default route policy key for Forecastle has been renamed from ingressNgnixForecastle to ingressForecastle, reflecting that Forecastle is no longer tied to NGINX (it now also supports HAProxy and BYOIC mode).

Before:

spec:
  distribution:
    modules:
      auth:
        pomerium:
          defaultRoutesPolicy:
            ingressNgnixForecastle:  # Old key
              - allow:

After:

spec:
  distribution:
    modules:
      auth:
        pomerium:
          defaultRoutesPolicy:
            ingressForecastle:  # New key
              - allow:

Terraform key deprecation

The spec.toolsConfiguration.terraform field is deprecated in favor of spec.toolsConfiguration.opentofu. Users are encouraged to migrate to opentofu configuration, as the terraform field will be removed in a future version.

Upgrade procedure

Check the upgrade docs for the steps to upgrade the SIGHUP Distribution from one version to the next using furyctl.

NGINX to HAProxy migration guide

Follow the migration guide from NGINX to HAProxy KIC for a smooth transition.

Release v1.34.1

04 May 13:31
v1.34.1
f1a025f

SIGHUP Distribution Release v1.34.1

Welcome to SD release v1.34.1.

The distribution is maintained with ❤️ by the team SIGHUP by ReeVo.

Module updates

  • ingress 📦 core module: v5.0.1
    • Addresses two security vulnerabilities in ingress-nginx.

Bug Fixes 🐛

  • [#497] When the distribution network-policies are enabled, traffic between SD monitoring and logging namespaces, and from haproxy ingress controller to the monitoring namespace, is now allowed.
  • [#498] Fixes schema validation error caused by missing nginx field in the generated configuration file for all providers.
  • [#501] This resolves the issue where the etcd Grafana dashboard did not display data when etcd is running on dedicated nodes. Now, when spec.kubernetes.etcd is configured, a ScrapeConfig resource is generated to collect etcd metrics directly from the dedicated etcd nodes.

Breaking changes 💔

None.

Upgrade procedure

Check the upgrade docs for the steps to upgrade the SIGHUP Distribution from one version to the next using furyctl.

Prerelease v1.34.1-rc.0

27 Apr 12:50
v1.34.1-rc.0
3a2c8ba

Pre-release

Release notes identical to those of the final v1.34.1 release above.

Release v1.34.0

24 Feb 08:07
v1.34.0
0319421

SIGHUP Distribution Release v1.34.0

Welcome to SD release v1.34.0.

The distribution is maintained with ❤️ by the team SIGHUP by ReeVo.

This version adds support for Kubernetes 1.34, updates all modules and the SD installers.

This release also includes some breaking changes, please make sure to read the relevant section below.

Installer Updates

  • on-premises 📦 installer: v1.34.4
    • Installs Kubernetes version 1.34.4, adds support for Kubernetes v1.33.7 and v1.32.11, and updates runc (among other components) to address CVE-2025-31133.
  • eks 📦 installer: v3.4.0
    • Installs Kubernetes version 1.34 and introduces the new vpn_furyagent_path variable in the VPN Terraform module, so that furyagent binaries no longer need to be embedded in the repository.

Module updates

  • networking 📦 core module: v3.1.0
    • This release updates the Tigera Operator to version 1.40.3 (Calico v3.31.3), Cilium to v1.18.7 and adds support for Kubernetes 1.34.
  • ingress 📦 core module: v5.0.0
    • This release updates several packages included in the ingress module, to officially support Kubernetes v1.34.
    • Adds HAProxy Kubernetes Ingress Controller as a new ingress option, supporting both single and dual deployment modes.
    • Forecastle has been moved from the ingress-nginx namespace to its own dedicated forecastle namespace.
    • External-DNS has been moved from the ingress-nginx namespace to its own dedicated external-dns namespace.
  • monitoring 📦 core module: v4.1.0
    • This release adds support for Kubernetes 1.34 and updates MinIO.
  • tracing 📦 core module: v1.4.0
    • This release adds support for Kubernetes 1.34 and updates MinIO.
  • dr 📦 core module: v3.3.0
    • This release updates Velero to v1.17.1, the Velero plugins to v1.13.1 and the Snapshot Controller to v8.4.0.
  • logging 📦 core module: v5.3.0
    • This release adds support for Kubernetes 1.34 and updates MinIO.
  • policy 📦 core module: v1.16.0
    • This release updates Kyverno to version 1.16.0 and Gatekeeper to version 3.21.0.
  • auth 📦 core module: v0.6.1

New features 🌟

  • [#483] Added support for HAProxy ingress controller and BYOIC (Bring Your Own Ingress Controller) mode. HAProxy Kubernetes Ingress Controller is adopted as the new reference ingress controller following the official retirement announcement of the Ingress NGINX Controller. When both Ingress NGINX Controller and HAProxy KIC are enabled, NGINX takes priority for infrastructure ingresses. To use HAProxy KIC for infrastructure ingresses instead, set spec.distribution.modules.ingress.infrastructureIngressController to haproxy. BYOIC mode allows using a custom ingress controller deployed as a distribution plugin, not managed by the SD lifecycle.

  • [#468] Replaced Terraform with OpenTofu: furyctl now uses the OpenTofu v1.10.0 binary instead of Terraform. A new spec.toolsConfiguration.opentofu field is available for state backend configuration. The spec.toolsConfiguration.terraform field is deprecated and will be removed in a future version. To use the new field, add the opentofu key to your furyctl.yaml file with the same S3 backend:

    spec:
      toolsConfiguration:
        opentofu:     # Before was terraform
          state:
            s3:
              bucketName: your-bucket-name       # Same as terraform
              keyPrefix: your-key-prefix          # Same as terraform
              region: your-region                 # Same as terraform
  • [#479] Added vpn_furyagent_path to the infrastructure Terraform template of the EKSCluster provider, so the furyagent binary is no longer re-downloaded.

  • [#482] Added kubeadmDownloadUrl, kubeadmChecksum, and kubeadmBinaryDir fields to spec.kubernetes.advanced.airGap for air-gapped on-premises clusters, used on dedicated etcd nodes for certificate management.

  • [#459] Support for kube-proxy-less clusters: on-premises clusters can now be created without kube-proxy. Disabling kube-proxy enables Calico's eBPF mode or Cilium's kube-proxy-replacement mode, whichever CNI the networking module deploys. kube-proxy can be disabled as follows:

    apiVersion: kfd.sighup.io/v1alpha2
    kind: OnPremises
    metadata:
      name: kube-proxy-less
    spec:
      kubernetes:
        advanced:
          kubeProxy:
            enabled: false
        ...
  • [#442] Added GCS (Google Cloud Storage) as a supported backend for the DR module configuration and added support for new fields.

  • [#490] Added support for Velero's node-agent prepareQueueLength configuration via spec.distribution.modules.dr.velero.nodeAgent.prepareQueueLength.

Bug Fixes 🐛

  • [#480] The x509-certificate-exporter-data-plane DaemonSet was incorrectly patched with the common nodeSelector (e.g., infra nodes), so it was unable to monitor kubelet certificates on all worker nodes.

  • [#477] Both the control-plane Pods and the etcd systemd service use several kubeadm-generated PKI files. These files are generated from a dedicated CA PKI that is expected to be already present on the target node. This PR makes sure the CA PKI is uploaded to the target nodes in a way that prevents inconsistent file permissions and ownership, which could cause errors during etcd or control-plane Pod startup.

Breaking Changes 💔

Pomerium policy key renaming

The Pomerium default route policy key for Forecastle has been renamed from ingressNgnixForecastle to ingressForecastle, reflecting that Forecastle is no longer tied to NGINX (it now also supports HAProxy and BYOIC mode).

Before:

spec:
  distribution:
    modules:
      auth:
        pomerium:
          defaultRoutesPolicy:
            ingressNgnixForecastle:  # Old key
              - allow:

After:

spec:
  distribution:
    modules:
      auth:
        pomerium:
          defaultRoutesPolicy:
            ingressForecastle:  # New key
              - allow:

Terraform key deprecation

The spec.toolsConfiguration.terraform field is deprecated in favor of spec.toolsConfiguration.opentofu. Users are encouraged to migrate to opentofu configuration, as the terraform field will be removed in a future version.

Upgrade procedure

Check the upgrade docs for the steps to upgrade the SIGHUP Distribution from one version to the next using furyctl.

NGINX to HAProxy migration guide

Follow the migration guide from NGINX to HAProxy KIC for a smooth transition.

Prerelease v1.34.0-rc.0

23 Feb 17:01
v1.34.0-rc.0
8d5533e

Pre-release

Release notes identical to those of the final v1.34.0 release above, except that the NGINX to HAProxy migration guide link was added only in the final release.

Release v1.33.1

13 Oct 18:47
v1.33.1
6739a8f

SIGHUP Distribution Release v1.33.1

Welcome to SD release v1.33.1.

The distribution is maintained with ❤️ by the team SIGHUP by ReeVo.

New features 🌟

  • [#453] Kustomize v5 migration: updated the distribution manifest templates (AWS, DR, Ingress, Policy, Tracing) to Kustomize v5 syntax, migrating the deprecated patchesStrategicMerge and patchesJson6902 to the unified patches field.

Updates 📦

Installer Updates

  • on-premises 📦 installer: v1.33.4-rev.1
    • Fixes incorrect recursive permission and ownership changes applied when configuring etcd and control-plane PKI files
    • CIS Benchmark: Updates the customized kube-bench configuration (CIS-1.11 for Kubernetes 1.32) to reduce false positives
    • Documentation: Adds maintenance documentation for CIS Kubernetes Benchmark compliance testing

Module updates

  • monitoring 📦 core module: v4.0.1
    • Adds liveness and readiness probes to the x509-exporter control-plane and data-plane DaemonSets

Upgrade procedure

Check the upgrade docs for the steps to upgrade the SIGHUP Distribution from one version to the next using furyctl.

Prerelease v1.33.1-rc.1

13 Oct 17:43
v1.33.1-rc.1
6739a8f

Pre-release

Release notes identical to those of the final v1.33.1 release above.

Release v1.32.1

13 Oct 10:32
d94b284

SIGHUP Distribution Release v1.32.1

Welcome to SD release v1.32.1.

The distribution is maintained with ❤️ by the team SIGHUP by ReeVo.

New Features since v1.32.0

  • [#453] Kustomize v5 migration: updated the distribution manifest templates (AWS, DR, Ingress, Policy, Tracing) to Kustomize v5 syntax, migrating the deprecated patchesStrategicMerge and patchesJson6902 to the unified patches field.

Installer Updates

  • on-premises 📦 installer: v1.33.4-rev.1
    • Adds support for Kubernetes v1.32.8 and v1.31.12 and installs Kubernetes v1.33.4
    • Fixes incorrect recursive permission and ownership changes applied when configuring etcd and control-plane PKI files
    • CIS Benchmark: Updates the customized kube-bench configuration (CIS-1.11 for Kubernetes 1.32) to reduce false positives
    • Documentation: Adds maintenance documentation for CIS Kubernetes Benchmark compliance testing

Module updates

  • networking 📦 core module: v3.0.0
    • This release updates both the Tigera Operator to version 1.38.6 (Calico v3.30.3) and Cilium to version 1.18.1
    • ip-masq package has been completely removed from the module
  • ingress 📦 core module: v4.1.1
    • This release updates the NGINX Ingress Controller to version 1.13.3, cert-manager to v1.18.2, Forecastle to v1.0.157, External-DNS to v0.18.0
  • monitoring 📦 core module: v4.0.1
    • This major release removes the Thanos and Karma packages, updates to kube-prometheus v0.16.0 (including Prometheus v3), and brings general bug fixes and new features
  • tracing 📦 core module: v1.3.0
    • This release updates Tempo to version 2.8.2
  • dr 📦 core module: v3.2.0
    • This release updates Velero to v1.16.2, the Velero plugins to v1.12.2 and the Snapshot Controller to v8.3.0
  • logging 📦 core module: v5.2.0
    • This release updates Logging Operator to v6.0.3, OpenSearch Components to v3.2.0 and Loki Components to v3.5.3
  • policy 📦 core module: v1.15.0
    • This release updates Kyverno to version 1.15.1, Gatekeeper to version 3.20.1 and Gatekeeper Policy Manager to version 1.1.0
  • auth 📦 core module: v0.6.0
    • This release updates Dex to v2.44.0 and Pomerium to v0.30.5

Breaking changes 💔

  • [#433] Kubelet cipher suites management through tlsCipherSuitesKubelet
    • TLS ciphers for the Kubelet are now configured using the new tlsCipherSuitesKubelet parameter, to clearly separate them from those used by the API Server and etcd. Going forward, if tlsCipherSuitesKubelet is not set, a separate set of default values (different from tlsCipherSuites) will be applied.

      Action required: If you need to customize the TLS ciphers for the Kubelet, explicitly define the tlsCipherSuitesKubelet parameter.

New features 🌟

  • [#433] Introducing CIS Benchmark Compliance customizations:

    • tlsCipherSuites and tlsCipherSuitesKubelet under spec.kubernetes.advanced.encryption, to configure the TLS cipher suites for the API Server and etcd with the former, and for the Kubelet with the latter:

      spec:
        kubernetes:
          advanced:
            encryption:
              tlsCipherSuites:
                - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
                - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
                - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
                - "TLS_AES_128_GCM_SHA256"
                - "TLS_AES_256_GCM_SHA384"
                - "TLS_CHACHA20_POLY1305_SHA256"
              tlsCipherSuitesKubelet:
                - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"

      When not explicitly defined, the following default values will be applied:

      tls_cipher_suites:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      
      kubelet_tls_cipher_suites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • streamingConnectionIdleTimeout under spec.kubernetes.advanced.kubeletConfiguration, to configure the idle timeout of streaming connections, protecting against Denial-of-Service attacks, lingering inactive connections and exhaustion of ephemeral ports:

      spec:
        kubernetes:
          advanced:
            kubeletConfiguration:
              streamingConnectionIdleTimeout: "5m"
    • gcThreshold under spec.kubernetes.advanced.controllerManager, to set the garbage collection threshold, ensuring sufficient resource availability and avoiding degraded performance and availability:

      spec:
        kubernetes:
          advanced:
            controllerManager:
              gcThreshold: 2000
    • eventRateLimits to the spec.kubernetes.advanced to enforce a limit on the number of events that the API Server will accept in a given time slice:

      spec:
        kubernetes:
          advanced:
            eventRateLimits:
              - type: "User"
                qps: 20
                burst: 100
                cacheSize: 4096
  • [#415] Adds customizations to make it easier to install SD on bare metal nodes:

    • blockSize and podCidr under the spec.distribution.modules.networking.tigeraOperator section of the OnPremises and KFDDistribution schemas, allowing customization of the pod CIDR and of the size of the block assigned to each node.
      How to use it:

      spec:
        distribution:
          modules:
            networking:
              type: calico
              tigeraOperator:
                blockSize: 26
                podCidr: 172.16.0.0/16
    • kernelParameters to the .spec.kubernetes.advanced, .spec.kubernetes.masters and .spec.kubernetes.nodes[] sections, to allow customization of kernel parameters of each Kubernetes node. Example:

      spec:
        kubernetes:
          masters:
            kernelParameters:
            - name: "fs.file-max"
              value: "9223372036854775804"
  • [#425] Adds trusted CA certificate support in OIDC authentication with self-signed certificates:

    • oidcTrustedCA key under spec.distribution.modules.auth allows automatic provisioning of custom CA certificates for auth components.

    • Adds secret generation and volume mounting for Gangplank, Pomerium, and Dex deployments.

    • Supports {file://path} notation.

      spec:
        distribution:
          modules:
            auth:
              oidcTrustedCA: "{file://my-ca.crt}"
  • [#428] Configuration for Logging Operator's Fluentd and Fluentbit resources:

    • Added new configuration options to the logging module that allow setting Fluentd's resources and replica count and Fluentbit's resources. Example:

      spec:
        distribution:
          modules:
            logging:
              operator:
                fluentd:
                  replicas: 1
                  resources:
                    limits:
                      cpu: "2500m"
                fluentbit:
                  resources:
                    requests:
                      memory: "1Mi"
  • [#429] Control Plane taints for OnPremises clusters:

    • Added a new configuration option to set the taints of the control plane nodes at cluster creation time. Example:

      # custom taint. NOTE: the default taint won't be added, just the ones defined.
      spec:
        kubernetes:
          masters:
            taints:
              - effect: NoExecute
                key: soft-cell
                value: tainted-love
      # no taints
      spec:
        kubernetes:
          masters:
            taints: []
  • [#435] Repository management lifecycle configuration for OnPremises provider:

    • Added new boolean configuration fields for environments where package repositories are configured outside of fury...

Release v1.31.2

13 Oct 14:50
df0a097


SIGHUP Distribution Release v1.31.2

Welcome to SD release v1.31.2.

The distribution is maintained with ❤️ by the team SIGHUP by ReeVo.

New Features since v1.31.1

  • [#453] Kustomize v5 migration: Updated distribution manifest templates (AWS, DR, Ingress, Policy, Tracing) to use Kustomize v5 syntax, migrating deprecated patchesStrategicMerge and patchesJson6902 to the unified patches field

Installer Updates

  • on-premises 📦 installer: v1.33.4-rev.1
    • Adds support for Kubernetes v1.32.8 and v1.31.12 and installs Kubernetes v1.33.4
    • Fixes incorrect recursive permission and ownership changes applied when configuring etcd and control-plane PKI files
    • CIS Benchmark: Updates the customized kube-bench configuration (CIS-1.11 for Kubernetes 1.32) to reduce false positives
    • Documentation: Adds maintenance documentation for CIS Kubernetes Benchmark compliance testing

Module updates

  • networking 📦 core module: v3.0.0
    • This release updates both the Tigera Operator to version 1.38.6 (Calico v3.30.3) and Cilium to version 1.18.1
    • ip-masq package has been completely removed from the module
  • ingress 📦 core module: v4.1.1
    • This release updates the NGINX Ingress Controller to version 1.13.3, cert-manager to v1.18.2, Forecastle to v1.0.157, External-DNS to v0.18.0
  • monitoring 📦 core module: v4.0.1
    • This major release removes the Thanos and Karma packages, updates to kube-prometheus v0.16.0 (including Prometheus v3), and brings general bug fixes and new features
  • tracing 📦 core module: v1.3.0
    • This release updates Tempo to version 2.8.2
  • dr 📦 core module: v3.2.0
    • This release updates Velero to v1.16.2, the Velero plugins to v1.12.2 and the Snapshot Controller to v8.3.0
  • logging 📦 core module: v5.2.0
    • This release updates Logging Operator to v6.0.3, OpenSearch Components to v3.2.0 and Loki Components to v3.5.3
  • policy 📦 core module: v1.15.0
    • This release updates Kyverno to version 1.15.1, Gatekeeper to version 3.20.1 and Gatekeeper Policy Manager to version 1.1.0
  • auth 📦 core module: v0.6.0
    • This release updates Dex to v2.44.0 and Pomerium to v0.30.5

Breaking changes 💔

  • [#433] Kubelet cipher suites management through tlsCipherSuitesKubelet
    • TLS ciphers for the Kubelet are now configured using the new tlsCipherSuitesKubelet parameter, to clearly separate them from those used by the API Server and etcd. Going forward, if tlsCipherSuitesKubelet is not set, a separate set of default values (different from tlsCipherSuites) will be applied.

      Action required: If you need to customize the TLS ciphers for the Kubelet, explicitly define the tlsCipherSuitesKubelet parameter.

New features 🌟

  • [#433] Introducing CIS Benchmark Compliance customizations:

    • tlsCipherSuites and tlsCipherSuitesKubelet under spec.kubernetes.advanced.encryption, to configure the TLS cipher suites for the API Server and etcd with the former, and for the Kubelet with the latter:

      spec:
        kubernetes:
          advanced:
            encryption:
              tlsCipherSuites:
                - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
                - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
                - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
                - "TLS_AES_128_GCM_SHA256"
                - "TLS_AES_256_GCM_SHA384"
                - "TLS_CHACHA20_POLY1305_SHA256"
              tlsCipherSuitesKubelet:
                - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"

      When not explicitly defined, the following default values will be applied:

      tls_cipher_suites:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      
      kubelet_tls_cipher_suites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • streamingConnectionIdleTimeout under spec.kubernetes.advanced.kubeletConfiguration, to configure the idle timeout of streaming connections, protecting against Denial-of-Service attacks, lingering inactive connections and exhaustion of ephemeral ports:

      spec:
        kubernetes:
          advanced:
            kubeletConfiguration:
              streamingConnectionIdleTimeout: "5m"
    • gcThreshold under spec.kubernetes.advanced.controllerManager, to set the garbage collection threshold, ensuring sufficient resource availability and avoiding degraded performance and availability:

      spec:
        kubernetes:
          advanced:
            controllerManager:
              gcThreshold: 2000
    • eventRateLimits to the spec.kubernetes.advanced to enforce a limit on the number of events that the API Server will accept in a given time slice:

      spec:
        kubernetes:
          advanced:
            eventRateLimits:
              - type: "User"
                qps: 20
                burst: 100
                cacheSize: 4096
  • [#415] Adds customizations to make it easier to install SD on bare metal nodes:

    • blockSize and podCidr under the spec.distribution.modules.networking.tigeraOperator section of the OnPremises and KFDDistribution schemas, allowing customization of the pod CIDR and of the size of the block assigned to each node.
      How to use it:

      spec:
        distribution:
          modules:
            networking:
              type: calico
              tigeraOperator:
                blockSize: 26
                podCidr: 172.16.0.0/16
    • kernelParameters to the .spec.kubernetes.advanced, .spec.kubernetes.masters and .spec.kubernetes.nodes[] sections, to allow customization of kernel parameters of each Kubernetes node. Example:

      spec:
        kubernetes:
          masters:
            kernelParameters:
            - name: "fs.file-max"
              value: "9223372036854775804"
  • [#425] Adds trusted CA certificate support in OIDC authentication with self-signed certificates:

    • oidcTrustedCA key under spec.distribution.modules.auth allows automatic provisioning of custom CA certificates for auth components.

    • Adds secret generation and volume mounting for Gangplank, Pomerium, and Dex deployments.

    • Supports {file://path} notation.

      spec:
        distribution:
          modules:
            auth:
              oidcTrustedCA: "{file://my-ca.crt}"
  • [#428] Configuration for Logging Operator's Fluentd and Fluentbit resources:

    • Added new configuration options to the logging module that allow setting Fluentd's resources and replica count and Fluentbit's resources. Example:

      spec:
        distribution:
          modules:
            logging:
              operator:
                fluentd:
                  replicas: 1
                  resources:
                    limits:
                      cpu: "2500m"
                fluentbit:
                  resources:
                    requests:
                      memory: "1Mi"
  • [#429] Control Plane taints for OnPremises clusters:

    • Added a new configuration option to set the taints of the control plane nodes at cluster creation time. Example:

      # custom taint. NOTE: the default taint won't be added, just the ones defined.
      spec:
        kubernetes:
          masters:
            taints:
              - effect: NoExecute
                key: soft-cell
                value: tainted-love
      # no taints
      spec:
        kubernetes:
          masters:
            taints: []
  • [#435] Repository management lifecycle configuration for OnPremises provider:

    • Added new boolean configuration fields for environments where package repositories are configured outside of furyc...
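As an added example for the [#433] tlsCipherSuites and tlsCipherSuitesKubelet settings described in the v1.32.1 and v1.31.2 notes above (this is not code from the SIGHUP Distribution project): a Go check that resolves each configured suite name against crypto/tls, the TLS stack that kube-apiserver, etcd and the kubelet are built on, before the value is committed to furyctl.yaml. A misspelled name stops the component from starting, an insecure suite weakens every connection, and a list made only of TLS 1.3 suites leaves TLS 1.2 clients with nothing to negotiate, because Go does not let the configured list restrict TLS 1.3. The two sample lists are the ones from the release notes; the legacyAliases map is my assumption that Kubernetes still accepts the two pre-Go-1.14 ChaCha20 names without the _SHA256 suffix, which is the form the kubelet list on the page uses.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Constructed sample input: the tlsCipherSuites list from the release notes.
var ReleaseNotesAPIServerSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_AES_128_GCM_SHA256",
	"TLS_AES_256_GCM_SHA384",
	"TLS_CHACHA20_POLY1305_SHA256",
}

// Constructed sample input: the tlsCipherSuitesKubelet list from the release
// notes, which uses the older ChaCha20 name without the _SHA256 suffix.
var ReleaseNotesKubeletSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
}

// legacyAliases maps the pre-Go-1.14 ChaCha20 names onto the canonical names
// crypto/tls reports. Assumption: Kubernetes component flags still accept them.
var legacyAliases = map[string]string{
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

// Verdict classifies one configured cipher-suite name.
type Verdict struct {
	Name   string
	Known  bool // the name resolves to a suite crypto/tls implements
	Secure bool // listed by tls.CipherSuites(), not by tls.InsecureCipherSuites()
	TLS13  bool // a TLS 1.3 suite: always enabled by Go, the setting cannot restrict it
}

func isTLS13(cs *tls.CipherSuite) bool {
	for _, v := range cs.SupportedVersions {
		if v == tls.VersionTLS13 {
			return true
		}
	}
	return false
}

// Classify resolves every configured name against the Go TLS stack.
func Classify(names []string) []Verdict {
	secure := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs
	}
	insecure := map[string]*tls.CipherSuite{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = cs
	}
	out := make([]Verdict, 0, len(names))
	for _, n := range names {
		canon := n
		if a, ok := legacyAliases[n]; ok {
			canon = a
		}
		v := Verdict{Name: n}
		if cs, ok := secure[canon]; ok {
			v.Known, v.Secure, v.TLS13 = true, true, isTLS13(cs)
		} else if cs, ok := insecure[canon]; ok {
			v.Known, v.TLS13 = true, isTLS13(cs)
		}
		out = append(out, v)
	}
	return out
}

// Findings returns one message per problem: an unknown name (the component
// refuses to start), an insecure suite, or a list with no TLS 1.2 suite at all.
func Findings(names []string) []string {
	var msgs []string
	tls12 := 0
	for _, v := range Classify(names) {
		switch {
		case !v.Known:
			msgs = append(msgs, fmt.Sprintf("%s: not a cipher suite known to crypto/tls", v.Name))
		case !v.Secure:
			msgs = append(msgs, fmt.Sprintf("%s: listed as insecure by crypto/tls", v.Name))
		case !v.TLS13:
			tls12++
		}
	}
	if len(names) > 0 && tls12 == 0 {
		msgs = append(msgs, "no TLS 1.2 suite configured; TLS 1.2 clients cannot connect")
	}
	return msgs
}

func main() {
	for _, set := range [][]string{ReleaseNotesAPIServerSuites, ReleaseNotesKubeletSuites} {
		if f := Findings(set); len(f) == 0 {
			fmt.Println("ok")
			continue
		} else {
			for _, m := range f {
				fmt.Println(m)
			}
		}
	}
}
```

Running it against both lists from the release notes reports no findings; the check is most useful on a customized list, where a typo or a copy-pasted suite name from another TLS stack (OpenSSL names such as ECDHE-RSA-AES128-GCM-SHA256 are not accepted by Go programs) shows up before the API Server or kubelet fails to start. The Go toolchain used to run the check should match the one the target Kubernetes release is built with, since tls.InsecureCipherSuites() has grown over Go versions.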