chore(deps): update dependency elastic/cloud-on-k8s to v3.4.0 #6530

Merged
alexlebens merged 1 commit from renovate/unified-cloud-on-k8s into main 2026-05-06 19:45:15 +00:00
Collaborator

This PR contains the following updates:

Package Update Change
elastic/cloud-on-k8s minor 3.3.2 → 3.4.0

Release Notes

elastic/cloud-on-k8s (elastic/cloud-on-k8s)

v3.4.0

Compare Source

Elastic Cloud on Kubernetes 3.4.0

Release Highlights
Elasticsearch client certificate authentication support

ECK now supports configuring Elasticsearch to require client certificates for authentication. This allows you to enforce mutual TLS (mTLS) between clients and Elasticsearch, strengthening security by requiring both the client and server to present valid certificates. Currently, Elasticsearch and Kibana support this feature - Kibana can be configured to present client certificates when connecting to Elasticsearch. Support for the remaining components that connect to Elasticsearch (Beats, Elastic Agent, APM Server, Logstash, and so on) will follow in future releases. For more details, refer to the client certificate authentication documentation.

Rolling restarts of Elasticsearch clusters

ECK now supports triggering rolling restarts of Elasticsearch clusters through a new annotation-based mechanism. This enables operators to gracefully restart all nodes in a cluster without manual intervention, useful for troubleshooting. The rolling restart documentation provides more details.

Simplified zone awareness configuration

ECK simplifies the configuration of zone awareness for Elasticsearch clusters, reducing the amount of boilerplate configuration needed to set up topology-aware allocation. For more details, refer to the zone awareness documentation.

ECK container image signing

ECK container images are now signed using Sigstore cosign. This allows users to verify the authenticity and integrity of ECK operator images before deployment, strengthening the supply chain security of their Kubernetes clusters.

Automatic password-protected keystore for Elasticsearch in FIPS mode

ECK now automatically manages a password-protected keystore for Elasticsearch when FIPS mode is enabled. When xpack.security.fips_mode.enabled is set to true in the Elasticsearch configuration, the operator generates, stores, and configures a password-protected keystore — eliminating the need for manual podTemplate overrides. This feature activates for Elasticsearch 9.4.0+ and respects any existing user-provided keystore password configuration. For more details, refer to the Elasticsearch FIPS keystore password documentation.

Features and enhancements
  • Implement client certificate required support for Elasticsearch #9229
  • Implement Kibana support for presenting client certificates to Elasticsearch #9230
  • Support rolling restarts of Elasticsearch clusters #9172
  • Simplify zone awareness #9148
  • Operator-managed FIPS keystore password support for Elasticsearch #9287 (issue: #9171)
  • Surface webhook warnings; Refactor webhooks to use controller-runtime's Validator #9235
  • Add extraObjects support to ECK Helm charts #9069
  • Add kubeAPIServerPort configuration option to Helm chart #8980
  • Set seccompProfile to RuntimeDefault #9012
  • Validate user-supplied HTTP CA certificate #8992
  • Sign ECK container images (v2) #9078
  • Improve license signature verification error to diagnose wrong license type #9262
  • Improve AutoOpsAgentPolicy status reporting #9095
  • Support runAsNonRoot true for recent versions of EPR #8974
  • Reduce operator memory footprint by stripping managed fields from informer caches #9321
  • Add version-gated querylog fileset to Filebeat sidecar config #9291
  • Bump default Kibana memory limit from 1Gi to 2Gi #9328
  • Add image digest support to eck-operator Helm chart #9362

Fixes
  • Prevent StackConfigPolicy controller from performing unnecessary file-settings secret updates on every reconciliation #9316
  • Correct NetworkPolicy namespace selector label for soft multi-tenancy #9153
  • Prevent using a nodeSet name while the equivalent StatefulSet already exists #9036
  • Skip default PVC if volume with same name exists #9199 (issue: #8744)
  • Avoid empty reconcile requests in StackConfigPolicy secret watch #9179
  • Make remote-ca secret generation failures non-blocking #9271
  • Garbage collect Agent soft-owned secrets on deletion #9090
  • Detect stale CA in certificate chain and trigger certificates reissuance #9197
  • Skip per-shard replica checks for GREEN clusters in require_started_replica predicate #9188
  • Handle server side default for TrafficDistribution #8994
  • Set default security context to Kibana init container #9218
  • Validate user-supplied CA for the transport layer of Elasticsearch #8953
  • Align DaemonSet UpdateReconciled with Deployment reconciler #9256 (issue: #9246)

Documentation improvements
  • Add recipe for manual mTLS configuration #9124
  • Mention PodTopologyLabelsAdmission in Elasticsearch sample #9035
  • Logstash Chart improvements #9087

Dependency updates
  • Go 1.25.8 => 1.26.2
  • github.com/elastic/go-ucfg v0.8.9-0.20251017163010-3520930bed4f => v0.9.1
  • github.com/gkampitakis/go-snaps v0.5.19 => v0.5.21
  • github.com/google/go-containerregistry v0.20.7 => v0.21.4
  • github.com/hashicorp/vault/api v1.22.0 => v1.23.0
  • go.elastic.co/apm/v2 v2.7.2 => v2.7.6
  • golang.org/x/crypto v0.46.0 => v0.49.0
  • k8s.io/api v0.35.0 => v0.35.3
  • k8s.io/apimachinery v0.35.0 => v0.35.3
  • k8s.io/client-go v0.35.0 => v0.35.3
  • k8s.io/klog/v2 v2.130.1 => v2.140.0
  • sigs.k8s.io/controller-runtime v0.22.4 => v0.23.3
  • sigs.k8s.io/controller-tools v0.20.0 => v0.20.1
  • New direct dependencies: cloud.google.com/go/auth, cloud.google.com/go/storage, github.com/Azure/azure-sdk-for-go/sdk/storage/azblob, github.com/aws/aws-sdk-go-v2, google.golang.org/api

Configuration

📅 Schedule: (in timezone America/Chicago)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

renovate-bot added 1 commit 2026-05-06 19:09:30 +00:00
chore(deps): update dependency elastic/cloud-on-k8s to v3.4.0
All checks were successful
lint-test-helm / lint-helm (pull_request) Successful in 1m37s
lint-test-helm / validate-kubeconform (pull_request) Successful in 18s
render-manifests / render-manifests (pull_request) Successful in 35s
fd180f59e0
renovate-bot force-pushed renovate/unified-cloud-on-k8s from 6a22262358 to fd180f59e0 2026-05-06 19:09:30 +00:00 Compare
alexlebens merged commit 44a50c20e9 into main 2026-05-06 19:45:15 +00:00
alexlebens deleted branch renovate/unified-cloud-on-k8s 2026-05-06 19:45:20 +00:00