Releases: open-telemetry/opentelemetry-operator
Release v0.148.0
0.148.0
💡 Enhancements 💡
collector: make the statefulset PodManagementPolicy configurable (#4875)
Components
Release v0.147.0
0.147.0
🛑 Breaking changes 🛑
apis/v1beta1: Move webhooks from the apis/v1beta1 package to the internal package internal/webhook (#4846)v1alpha1: Move webhooks from the apis/v1alpha1 package to the internal package internal/webhook (#4837)
🧰 Bug fixes 🧰
target allocator: Fix Service Monitor/Pod Monitor in TargetAllocator doesnt pick up updates to secrets (#4091)
Fixes issue where service/pod Monitors don't pick up updates to secrets.
Components
Release v0.146.0
0.146.0
💡 Enhancements 💡
-
target allocator: Expose missing Prometheus CR fields in the Operator API (#1934)
AddedpodMonitorNamespaceSelector,serviceMonitorNamespaceSelector,scrapeConfigNamespaceSelector,
probeNamespaceSelector,evaluationInterval, andscrapeProtocolsto theprometheusCR
configuration within theTargetAllocatorandOpenTelemetryCollector
APIs to achieve feature parity with the underlying Target Allocator. -
collector: Add the hostUsers field to OpenTelemetryCommonFields to enable toggling support for isolating pod processes under a separate user namespace (#4366) -
auto-instrumentation: Add support for initContainers to instrumentation injector (#3308)
Add support for instrumenting init containers.
Init container support is available for Java, Python, Node.js, .NET and SDK-only, and works using the same annotation as for regular containers. -
operator, collector: Allow operator to get TLS settings from OpenShiftAPIServerCR and configure operands TLS settings. (#4669)
Added operator flag--tls-cluster-profilewhich obtains the TLS min version and cipher suites from the OpenShiftAPIServerclustercustom resource (CR).
It overrides the--tls-min-versionand--tls-cipher-suitesflags if set.
The flags is disabled by default on Kubernetes and enabled on OpenShift.Added operator flag
--tls-configure-operandswhich configures operands TLS settings (min version, cipher suites)
based on the supplied operator TLS flags (--tls-cipher-suitesand--tls-min-version) or from the OpenShiftAPIServerCR
if--tls-cluster-profileis enabled.
The flag is disabled by default on Kubernetes and enabled on OpenShift.The
--tls-min-versiondefaults toTLSv1.2which matches the collector's default.
The--tls-cipher-suitesis empty by default which matches the collector's default.
Therefore enabling--tls-configure-operandswith the default TLS flags should not change the collector's behavior. -
operator: Add webhook server readiness check to the operator's /readyz endpoint so the pod is not marked ready before the webhook server is listening. (#3772)
Previously the readiness probe used only healthz.Ping, causing a race where CRs
created right after deployment could hit "connection refused" from the webhook.
Now the readyz endpoint includes a check using controller-runtime's
StartedChecker which verifies the webhook TLS listener is actually accepting connections.
🧰 Bug fixes 🧰
collector: Remove legacy finalizer from OpenTelemetryCollector CR when RBAC not available. (#4769)
Finalizer usage was restricted to cluster scoped resources only. Legacy finalizer added by OpenTelemetry Operator
<= v0.141.0 still blocks namespace deletion if the operator is removed first. The change removes finalizer with
cluster-level RBAC availability.
Components
Release v0.145.0
0.145.0
🛑 Breaking changes 🛑
collector: Remove operator.collector.default.config feature gate (#4473)
🚀 New components 🚀
clusterObservability: Inital implementation of ClusterObservability CRD (#3820)
This change provides an initial implementation of the Cluster Observability CRD and operator control loop.
Reconcilation is disabled by default.
Currently, the CRD is not included in the operator bundle and must be installed manually.
To enable reconciliation, enable the--feature-gates=+operator.clusterobservabilityfeature gate.
💡 Enhancements 💡
target allocator: Add readiness and liveness probe configurations for target allocator CRD (#4639)target allocator: Make the least-weighted target allocation strategy take job name into account. (#3128)
Uses job name instead of "first match" to when number of targets is equal. The effect is to spread out targets with the same job name across collectors.
🧰 Bug fixes 🧰
-
target allocator: Fix TLS certificate hot-reload for mTLS connections (#4368)
The Target Allocator now automatically reloads TLS certificates when they are renewed
by cert-manager. Previously, certificate renewals required a pod restart because
certificates were only loaded once at startup. The fix uses fsnotify to watch the
certificate directory and dynamically reloads certificates via the GetCertificate
callback, enabling seamless certificate rotation without downtime. -
collector: Configure collector to reload client certificate periodically (#4657)
When the collector connects to the target allocator over mTLS, certificates were not automatically reloaded after expiration. This adds reload_interval to the TLS configuration, enabling the Prometheus receiver to periodically reload certificates from disk.The default interval of 5 minutes provides a good balance between picking up renewed certificates promptly and avoiding unnecessary overhead.
-
operator: Set Kubernetes API server egress network policy port dynamically. (#4411)
The operator network policy egress rule for the Kubernetes API server was hardcoded to port 6443.
This PR uses usesendpointslices.discovery.k8s.io -n default kubernetesto get the port and IP addresses of the Kubernetes API server
for the operator egress network policy.
Components
Release v0.144.0
0.144.0
💡 Enhancements 💡
-
operator: change operator args in bundle to env variables (#4612)
The default configuration in the OLM bundle has been changed from command-line arguments to environment variables,
making it easily overwritable when deployed using OLM's Subscription config. Command-line flags continue to work.
All Config struct fields now support environment variable configuration.Configuration set via the Subscription's config section will persist and be reapplied after operator upgrades.
Example of overriding configuration via OLM Subscription:
apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: opentelemetry-operator spec: channel: stable name: opentelemetry-operator source: operatorhubio-catalog sourceNamespace: olm config: env: - name: FEATURE_GATES value: "operator.networkpolicy,operand.networkpolicy" - name: ENABLE_GO_AUTO_INSTRUMENTATION value: "true" - name: METRICS_SECURE value: "false"
🧰 Bug fixes 🧰
collector: Fix PodDisruptionBudget using all labels instead of selector labels, preventing PDB breakage during rollouts (#4623)
Use stable selector labels instead of all CR labels to prevent PDB breakage when mutable labels change during rollouts.auto-instrumentation: Fix NGINX and Apache instrumentation init container creation to avoid copying init-container-incompatible fields. (#3729)
The NGINX and Apache instrumentation init containers are now created from scratch instead of
cloning the main container, preventing probes, lifecycle hooks, and resize policies from being
applied to init containers.
Components
Release v0.143.0
0.143.0
🧰 Bug fixes 🧰
operator: Fix operator ServiceMonitor not created on OpenShift (#4603)
Two issues prevented the operator ServiceMonitor from being created on OpenShift:- The OpenShift kustomize patches were incorrectly overwriting operator args, removing flags like
--create-sm-operator-metrics=true. - The prometheus-operator library
SchemeHTTPSconstant uses uppercase "HTTPS" which is rejected by ServiceMonitor CRD validation.
- The OpenShift kustomize patches were incorrectly overwriting operator args, removing flags like
Components
Release v0.142.0
0.142.0
🛑 Breaking changes 🛑
-
operator: Remove kube-rbac-proxy from operator deployment and use controller-runtime built-in auth (#3369)
The operator now uses controller-runtime built-in auth for the metrics server. It is disabled by default.
The client accessing the metrics endpoint must have the following RBAC rulenonResourceURLs: "/metrics", verbs: get.
Which didn't change from the previous approach of using kube-rbac-proxy.This changes adds following flags to the operator:
metrics-secure- enables authentication and authorization for the metrics server. If no TLS certificates are provided, self signed certificates will be generated.
metrics-tls-cert-file- TLS certificate file for the metrics server
metrics-tls-key-file- TLS private key file for the metrics serverThis change changes the following flags on the operator:
--metrics-addr- changes from127.0.0.1:8080to:8443which matches the operator's metrics service port.
💡 Enhancements 💡
target allocator: Add support for prometheus scrape classes (#3600)
Added support for configuringscrapeClasseswhen using the PrometheusCR-feature of the target allocator. The format of thescrapeClassesarray is exactly as same asspec.scrapeClassesof thePrometheusCRD.operator: Add support for Kubernetes 1.35 (#4575)collector: exposes thespec.hostPIDfield for the collector. (#4214)
This will allow to set the spec.HostPID field for the collector. By default this the field is false.
🧰 Bug fixes 🧰
-
target allocator: Fix CA certificate race condition with client cert renewals by extending its duration and and renewal attempt. (#4441)
The CA certificate now has a 2-year duration (instead of the default 90 days) to prevent race conditions
where client and server certificates could be signed by different CA versions during simultaneous renewal.
This ensures the CA remains stable while dependent certificates renew regularly. -
collector: Add finalizers to OpenTelemetryCollector CR only when cluster roles and bindings for SA are created by Operator. (#4367)
Finalizer usage was restricted to cluster scoped resources only. Namespaced resources no longer receive finalizers,
preventing blocked namespace deletion if the operator is removed first. The change aligns finalizer behavior with
cluster-level RBAC availability, ensuring finalizers are applied only when the operator has the required
cluster scoped permissions. -
config: Fix manager logger initialization (#4584)
Apply config before setting up logger to configure it properly. -
operator: Fix the --annotations-filter and --labels-filter CLI flags. (#4594)
Components
Release v0.141.0
0.141.0
💡 Enhancements 💡
collector: Ensure the collector container is always listed first in the podspec (#4548)
This is so tools like kubectx logs will always default to the collector container instead of any additional containers that are configured.target allocator: make evaluation_interval configurable for Prometheus CR watcher (#4520)operator: Support for Kubernetes1.34version. (#4415)
Components
Release v0.140.0
0.140.0
🛑 Breaking changes 🛑
operator: Remove native sidecar feature gate (#4451)
The feature gateoperator.sidecarcontainers.nativehas been removed.
It was introduced in v0.111.0, enabled by default since v0.132.0, and marked as stable in v0.139.0.
Native sidecars are now automatically enabled on Kubernetes v1.29+ without requiring a feature gate.
If you were explicitly enabling or disabling this feature gate with--feature-gates=+operator.sidecarcontainers.native,
you must remove that flag.
💡 Enhancements 💡
-
collector: Promote theoperator.golang.flagsfeature flag to Beta (#4452)
The operator will set the GOMEMLIMIT and GOMAXPROCS environment variables based
on the pod configuration of the collector container by default. -
operator: Use pod and namespace label selector in operator NetworkPolicy for the API server Egress on OpenShift. (#4490)
On OpenShift use pod ("apiserver": "true") and namespace (kubernetes.io/metadata.name": "openshift-kube-apiserver")
label selectors in API server Egress network policy.
🧰 Bug fixes 🧰
-
auto-instrumentation: Fixes the precedence ofspec.envin Instrumentation CR so global env vars correctly override defaults. (#4068)
Previously, environment variables set underspec.envwere ignored in favor of default instrumentation config,
unless duplicated in each language block. This change ensures the correct order of precedence is applied:
language-specific env vars > spec.env > defaults. -
collector: Fix mounting spec.configmaps in sidecar mode (#4489)
Configmaps defined inspec.configmapswere not properly mounted in the sidecar mode. -
github action: Remove unused VERSION and VERSION_DATE environment variables from publish workflows (#4470)
Removed the unused "Read version" step that set VERSION and VERSION_DATE environment variables in both publish-target-allocator.yaml and publish-operator-opamp-bridge.yaml workflows. These variables were never referenced anywhere in the workflows.
Components
Release v0.139.0
0.139.0
💡 Enhancements 💡
-
operator: Promote theoperator.sidecarcontainers.nativefeature flag to Stable. (#4451)
By default, the operator will continue to use native sidecars on Kubernetes versions
newer than 1.29. This behaviour cannot be disabled.
The operator flag will be removed with the release of version0.140.0. -
collector: Promote theoperator.collector.default.configfeature gate to Stable (#4453)