chore(deps): update helm release eck-operator to v3.4.0 #6528

Merged

alexlebens merged 1 commits from renovate/unified-eck-operator into main 2026-05-06 19:43:37 +00:00

Conversation 0 Commits 1 Files Changed 2 +4 -4

renovate-bot commented 2026-05-05 12:03:26 +00:00

Collaborator

Copy Link

This PR contains the following updates:

Package	Update	Change
eck-operator	minor	3.3.2 → 3.4.0

---

Release Notes

elastic/cloud-on-k8s (eck-operator)

v3.4.0

Compare Source

Elastic Cloud on Kubernetes 3.4.0

• Quickstart guide

Release Highlights

Elasticsearch client certificate authentication support

ECK now supports configuring Elasticsearch to require client certificates for authentication. This allows you to enforce mutual TLS (mTLS) between clients and Elasticsearch, strengthening security by requiring both the client and server to present valid certificates. Currently, Elasticsearch and Kibana support this feature - Kibana can be configured to present client certificates when connecting to Elasticsearch. Support for the remaining components that connect to Elasticsearch (Beats, Elastic Agent, APM Server, Logstash, and so on) will follow in future releases. For more details, refer to the client certificate authentication documentation.

Rolling restarts of Elasticsearch clusters

ECK now supports triggering rolling restarts of Elasticsearch clusters through a new annotation-based mechanism. This enables operators to gracefully restart all nodes in a cluster without manual intervention, useful for troubleshooting. The rolling restart documentation provides more details.

Simplified zone awareness configuration

ECK simplifies the configuration of zone awareness for Elasticsearch clusters, reducing the amount of boilerplate configuration needed to set up topology-aware allocation. For more details, refer to the zone awareness documentation.

ECK container image signing

ECK container images are now signed using Sigstore cosign. This allows users to verify the authenticity and integrity of ECK operator images before deployment, strengthening the supply chain security of their Kubernetes clusters.

Automatic password-protected keystore for Elasticsearch in FIPS mode

ECK now automatically manages a password-protected keystore for Elasticsearch when FIPS mode is enabled. When xpack.security.fips_mode.enabled is set to true in the Elasticsearch configuration, the operator generates, stores, and configures a password-protected keystore — eliminating the need for manual podTemplate overrides. This feature activates for Elasticsearch 9.4.0+ and respects any existing user-provided keystore password configuration. For more details, refer to the Elasticsearch FIPS keystore password documentation.

Features and enhancements

• Implement client certificate required support for Elasticsearch #​9229
• Implement Kibana support for presenting client certificates to Elasticsearch #​9230
• Support rolling restarts of Elasticsearch clusters #​9172
• Simplify zone awareness #​9148
• Operator-managed FIPS keystore password support for Elasticsearch #​9287 (issue: #​9171)
• Surface webhook warnings; Refactor webhooks to use controller-runtime's Validator #​9235
• Add extraObjects support to ECK Helm charts #​9069
• Add kubeAPIServerPort configuration option to Helm chart #​8980
• Set seccompProfile to RuntimeDefault #​9012
• Validate user-supplied HTTP CA certificate #​8992
• Sign ECK container images (v2) #​9078
• Improve license signature verification error to diagnose wrong license type #​9262
• Improve AutoOpsAgentPolicy status reporting #​9095
• Support runAsNonRoot true for recent versions of EPR #​8974
• Reduce operator memory footprint by stripping managed fields from informer caches #​9321
• Add version-gated querylog fileset to Filebeat sidecar config #​9291
• Bump default Kibana memory limit from 1Gi to 2Gi #​9328
• Add image digest support to eck-operator Helm chart #​9362

Fixes

• Prevent StackConfigPolicy controller from performing unnecessary file-settings secret updates on every reconciliation #​9316
• Correct NetworkPolicy namespace selector label for soft multi-tenancy #​9153
• Prevent using a nodeSet name while the equivalent StatefulSet already exists #​9036
• Skip default PVC if volume with same name exists #​9199 (issue: #​8744)
• Avoid empty reconcile requests in StackConfigPolicy secret watch #​9179
• Make remote-ca secret generation failures non-blocking #​9271
• Garbage collect Agent soft-owned secrets on deletion #​9090
• Detect stale CA in certificate chain and trigger certificates reissuance #​9197
• Skip per-shard replica checks for GREEN clusters in require_started_replica predicate #​9188
• Handle server side default for TrafficDistribution #​8994
• Set default security context to Kibana init container #​9218
• Validate user-supplied CA for the transport layer of Elasticsearch #​8953
• Align DaemonSet UpdateReconciled with Deployment reconciler #​9256 (issue: #​9246)

Documentation improvements

• Add recipe for manual mTLS configuration #​9124
• Mention PodTopologyLabelsAdmission in Elasticsearch sample #​9035
• Logstash Chart improvements #​9087

Dependency updates

• Go 1.25.8 => 1.26.2
• github.com/elastic/go-ucfg v0.8.9-0.20251017163010-3520930bed4f => v0.9.1
• github.com/gkampitakis/go-snaps v0.5.19 => v0.5.21
• github.com/google/go-containerregistry v0.20.7 => v0.21.4
• github.com/hashicorp/vault/api v1.22.0 => v1.23.0
• go.elastic.co/apm/v2 v2.7.2 => v2.7.6
• golang.org/x/crypto v0.46.0 => v0.49.0
• k8s.io/api v0.35.0 => v0.35.3
• k8s.io/apimachinery v0.35.0 => v0.35.3
• k8s.io/client-go v0.35.0 => v0.35.3
• k8s.io/klog/v2 v2.130.1 => v2.140.0
• sigs.k8s.io/controller-runtime v0.22.4 => v0.23.3
• sigs.k8s.io/controller-tools v0.20.0 => v0.20.1
• New direct dependencies: cloud.google.com/go/auth, cloud.google.com/go/storage, github.com/Azure/azure-sdk-for-go/sdk/storage/azblob, github.com/aws/aws-sdk-go-v2, google.golang.org/api

---

Configuration

📅 Schedule: (in timezone America/Chicago)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [eck-operator](https://github.com/elastic/cloud-on-k8s) | minor | `3.3.2` → `3.4.0` | --- ### Release Notes <details> <summary>elastic/cloud-on-k8s (eck-operator)</summary> ### [`v3.4.0`](https://github.com/elastic/cloud-on-k8s/releases/tag/v3.4.0) [Compare Source](https://github.com/elastic/cloud-on-k8s/compare/v3.3.2...v3.4.0) ##### Elastic Cloud on Kubernetes 3.4.0 - [Quickstart guide](https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s#eck-quickstart) ##### Release Highlights ##### Elasticsearch client certificate authentication support ECK now supports configuring Elasticsearch to require client certificates for authentication. This allows you to enforce mutual TLS (mTLS) between clients and Elasticsearch, strengthening security by requiring both the client and server to present valid certificates. Currently, Elasticsearch and Kibana support this feature - Kibana can be configured to present client certificates when connecting to Elasticsearch. Support for the remaining components that connect to Elasticsearch (Beats, Elastic Agent, APM Server, Logstash, and so on) will follow in future releases. For more details, refer to the [client certificate authentication documentation](https://www.elastic.co/docs/deploy-manage/security/k8s-es-client-certificate-auth). ##### Rolling restarts of Elasticsearch clusters ECK now supports triggering rolling restarts of Elasticsearch clusters through a new annotation-based mechanism. This enables operators to gracefully restart all nodes in a cluster without manual intervention, useful for troubleshooting. The [rolling restart documentation](https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s/nodes-orchestration#cluster-rolling-restart) provides more details. ##### Simplified zone awareness configuration ECK simplifies the configuration of zone awareness for Elasticsearch clusters, reducing the amount of boilerplate configuration needed to set up topology-aware allocation. For more details, refer to the [zone awareness documentation](https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s/advanced-elasticsearch-node-scheduling#k8s-zone-awareness). ##### ECK container image signing ECK container images are now signed using [Sigstore cosign](https://docs.sigstore.dev/cosign/). This allows users to verify the authenticity and integrity of ECK operator images before deployment, strengthening the supply chain security of their Kubernetes clusters. ##### Automatic password-protected keystore for Elasticsearch in FIPS mode ECK now automatically manages a password-protected keystore for Elasticsearch when FIPS mode is enabled. When `xpack.security.fips_mode.enabled` is set to `true` in the Elasticsearch configuration, the operator generates, stores, and configures a password-protected keystore — eliminating the need for manual `podTemplate` overrides. This feature activates for Elasticsearch 9.4.0+ and respects any existing user-provided keystore password configuration. For more details, refer to the [Elasticsearch FIPS keystore password documentation](https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s/deploy-fips-compatible-version-of-eck#k8s-fips-keystore-password). ##### Features and enhancements - Implement client certificate required support for Elasticsearch [#&#8203;9229](https://github.com/elastic/cloud-on-k8s/pull/9229) - Implement Kibana support for presenting client certificates to Elasticsearch [#&#8203;9230](https://github.com/elastic/cloud-on-k8s/pull/9230) - Support rolling restarts of Elasticsearch clusters [#&#8203;9172](https://github.com/elastic/cloud-on-k8s/pull/9172) - Simplify zone awareness [#&#8203;9148](https://github.com/elastic/cloud-on-k8s/pull/9148) - Operator-managed FIPS keystore password support for Elasticsearch [#&#8203;9287](https://github.com/elastic/cloud-on-k8s/pull/9287) (issue: [#&#8203;9171](https://github.com/elastic/cloud-on-k8s/issues/9171)) - Surface webhook warnings; Refactor webhooks to use controller-runtime's Validator [#&#8203;9235](https://github.com/elastic/cloud-on-k8s/pull/9235) - Add `extraObjects` support to ECK Helm charts [#&#8203;9069](https://github.com/elastic/cloud-on-k8s/pull/9069) - Add `kubeAPIServerPort` configuration option to Helm chart [#&#8203;8980](https://github.com/elastic/cloud-on-k8s/pull/8980) - Set `seccompProfile` to `RuntimeDefault` [#&#8203;9012](https://github.com/elastic/cloud-on-k8s/pull/9012) - Validate user-supplied HTTP CA certificate [#&#8203;8992](https://github.com/elastic/cloud-on-k8s/pull/8992) - Sign ECK container images (v2) [#&#8203;9078](https://github.com/elastic/cloud-on-k8s/pull/9078) - Improve license signature verification error to diagnose wrong license type [#&#8203;9262](https://github.com/elastic/cloud-on-k8s/pull/9262) - Improve AutoOpsAgentPolicy status reporting [#&#8203;9095](https://github.com/elastic/cloud-on-k8s/pull/9095) - Support `runAsNonRoot` true for recent versions of EPR [#&#8203;8974](https://github.com/elastic/cloud-on-k8s/pull/8974) - Reduce operator memory footprint by stripping managed fields from informer caches [#&#8203;9321](https://github.com/elastic/cloud-on-k8s/pull/9321) - Add version-gated querylog fileset to Filebeat sidecar config [#&#8203;9291](https://github.com/elastic/cloud-on-k8s/pull/9291) - Bump default Kibana memory limit from 1Gi to 2Gi [#&#8203;9328](https://github.com/elastic/cloud-on-k8s/pull/9328) - Add image digest support to eck-operator Helm chart [#&#8203;9362](https://github.com/elastic/cloud-on-k8s/pull/9362) ##### Fixes - Prevent StackConfigPolicy controller from performing unnecessary file-settings secret updates on every reconciliation [#&#8203;9316](https://github.com/elastic/cloud-on-k8s/pull/9316) - Correct NetworkPolicy namespace selector label for soft multi-tenancy [#&#8203;9153](https://github.com/elastic/cloud-on-k8s/pull/9153) - Prevent using a nodeSet name while the equivalent StatefulSet already exists [#&#8203;9036](https://github.com/elastic/cloud-on-k8s/pull/9036) - Skip default PVC if volume with same name exists [#&#8203;9199](https://github.com/elastic/cloud-on-k8s/pull/9199) (issue: [#&#8203;8744](https://github.com/elastic/cloud-on-k8s/issues/8744)) - Avoid empty reconcile requests in StackConfigPolicy secret watch [#&#8203;9179](https://github.com/elastic/cloud-on-k8s/pull/9179) - Make remote-ca secret generation failures non-blocking [#&#8203;9271](https://github.com/elastic/cloud-on-k8s/pull/9271) - Garbage collect Agent soft-owned secrets on deletion [#&#8203;9090](https://github.com/elastic/cloud-on-k8s/pull/9090) - Detect stale CA in certificate chain and trigger certificates reissuance [#&#8203;9197](https://github.com/elastic/cloud-on-k8s/pull/9197) - Skip per-shard replica checks for GREEN clusters in `require_started_replica` predicate [#&#8203;9188](https://github.com/elastic/cloud-on-k8s/pull/9188) - Handle server side default for `TrafficDistribution` [#&#8203;8994](https://github.com/elastic/cloud-on-k8s/pull/8994) - Set default security context to Kibana init container [#&#8203;9218](https://github.com/elastic/cloud-on-k8s/pull/9218) - Validate user-supplied CA for the transport layer of Elasticsearch [#&#8203;8953](https://github.com/elastic/cloud-on-k8s/pull/8953) - Align DaemonSet `UpdateReconciled` with Deployment reconciler [#&#8203;9256](https://github.com/elastic/cloud-on-k8s/pull/9256) (issue: [#&#8203;9246](https://github.com/elastic/cloud-on-k8s/issues/9246)) ##### Documentation improvements - Add recipe for manual mTLS configuration [#&#8203;9124](https://github.com/elastic/cloud-on-k8s/pull/9124) - Mention `PodTopologyLabelsAdmission` in Elasticsearch sample [#&#8203;9035](https://github.com/elastic/cloud-on-k8s/pull/9035) - Logstash Chart improvements [#&#8203;9087](https://github.com/elastic/cloud-on-k8s/pull/9087) ##### Dependency updates - Go 1.25.8 => 1.26.2 - github.com/elastic/go-ucfg v0.8.9-0.20251017163010-3520930bed4f => v0.9.1 - github.com/gkampitakis/go-snaps v0.5.19 => v0.5.21 - github.com/google/go-containerregistry v0.20.7 => v0.21.4 - github.com/hashicorp/vault/api v1.22.0 => v1.23.0 - go.elastic.co/apm/v2 v2.7.2 => v2.7.6 - golang.org/x/crypto v0.46.0 => v0.49.0 - k8s.io/api v0.35.0 => v0.35.3 - k8s.io/apimachinery v0.35.0 => v0.35.3 - k8s.io/client-go v0.35.0 => v0.35.3 - k8s.io/klog/v2 v2.130.1 => v2.140.0 - sigs.k8s.io/controller-runtime v0.22.4 => v0.23.3 - sigs.k8s.io/controller-tools v0.20.0 => v0.20.1 - New direct dependencies: cloud.google.com/go/auth, cloud.google.com/go/storage, github.com/Azure/azure-sdk-for-go/sdk/storage/azblob, github.com/aws/aws-sdk-go-v2, google.golang.org/api </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjQuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE2NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJoZWxtIl19-->

renovate-bot added the helm label 2026-05-05 12:03:26 +00:00

renovate-bot added 1 commit 2026-05-06 19:10:53 +00:00

chore(deps): update helm release eck-operator to v3.4.0 097339c7de

renovate-bot force-pushed renovate/unified-eck-operator from 03a9d4de9c to 097339c7de 2026-05-06 19:10:53 +00:00 Compare

alexlebens merged commit 3640eb4f44 into main 2026-05-06 19:43:37 +00:00

alexlebens referenced this issue from a commit 2026-05-06 19:43:37 +00:00

Merge pull request 'chore(deps): update helm release eck-operator to v3.4.0' (#6528) from renovate/unified-eck-operator into main

alexlebens deleted branch renovate/unified-eck-operator 2026-05-06 19:43:43 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

Renovate

Issue generated by Renovate.

automerge

This PR will be automerged by Renovate.

chart

Chart update generated by Renovate.

docker

Docker update generated by Renovate.

github-actions

Github Action update generated by Renovate.

github-releases

Github Release generated by Renovate

helm

Helm update generated by Renovate.

image

Image update generated by Renovate.

stale

PR or Issue that has not been updated recently.

No Label helm

Milestone

No items

No Milestone

Assignees

Clear assignees

gitea-bot renovate-bot alexlebens

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: alexlebens/infrastructure#6528