chore(deps): update ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator docker tag to v0.150.0 #1588
Open
renovate[bot] wants to merge 1 commit into main
…ntelemetry-operator docker tag to v0.150.0
📌 The README.md for one or more plugins is outdated due to changes in values.yaml. Please update it by running the following command(s): make generate-readme PLUGIN=logs
✅ Once you've done that, commit the updated README and push it to this branch.
This PR contains the following updates:
v0.145.0 → v0.150.0
Release Notes
open-telemetry/opentelemetry-operator (ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator)
v0.150.0
🛑 Breaking changes 🛑
- auto-instrumentation: Update default .NET auto-instrumentation version from 1.2.0 to 1.15.0 (#4996)
  This update addresses security vulnerabilities in versions older than 1.15.0 (CVE-2026-40894, GHSA-g94r-2vxg-569j).
  This is a breaking change due to HTTP semantic convention changes between versions.
  Existing Instrumentation CRs using version 1.2.0 will NOT be automatically upgraded.
  To upgrade, manually update the image in your Instrumentation CR after reviewing the migration guide.
  See #2542 for details.
💡 Enhancements 💡
- operator: Expose watch-namespace scope via the --watch-namespace CLI flag and the watch-namespace config file field. The WATCH_NAMESPACE environment variable continues to work. (#4379)
- auto-instrumentation: Add spec.initContainerSecurityContext to the Instrumentation CRD so users can explicitly set the security context of the auto-instrumentation init containers (Java, NodeJS, Python, DotNet, Apache HTTPD, Nginx). Add spec.go.securityContext for overriding the Go sidecar's defaults. (#4894)
  When unset, existing behavior is preserved — init containers inherit the security context of the first application container being instrumented, and the Go sidecar keeps the hardcoded defaults required for eBPF (Privileged, RunAsUser: 0). Setting either field explicitly lets restricted PSA environments declare the exact capabilities they want.
- auto-instrumentation: Allow instrumentation upgrades to be blocked for versions containing major breaking changes. (#4646, #2542)
  Some instrumentation upgrades involve major breaking changes. The operator can't help with those, but it can alert the user about them. This change makes this possible. It will also allow us to set the latest version for new Instrumentation resources by default.
  See #2542 for the primary example.
Components
v0.149.0
💡 Enhancements 💡
- collector: Add support for Gateway API HTTPRoute creation via OpenTelemetryCollector CR (#4361)
- operator: Added hostAliases support for OpenTelemetryCollector and TargetAllocator pods (#896)
- collector: Support RBAC generation for k8s_leader_elector extension (#4802)
  Automatically generates a ClusterRole with permissions to manage leases in the coordination.k8s.io API group for leader election among multiple collector replicas.
- collector: Add TLS security profile injection for health_check and jaeger_query extensions (#4871)
  When a TLS profile is configured on the cluster, the operator now injects min_version and cipher_suites into health_check and jaeger_query extension configs
🧰 Bug fixes 🧰
- auto-instrumentation: Fix instrumentation init container security context (#4848)
- auto-instrumentation: Fix duplicated container names validation to allow the same container name across different language instrumentations. (#4357)
- operator: Fix AnyConfig.DeepCopyInto performing shallow copy, causing TargetAllocator Deployment infinite reconciliation loop (#4950)
  AnyConfig.DeepCopyInto used maps.Copy which only copied top-level map entries, leaving nested maps as shared references. When ApplyDefaults injected TLS profile settings (min_version) into the collector's scrape config, it mutated the informer cache through the shared reference. This caused the TargetAllocator config hash to alternate between two values on every reconciliation, triggering an infinite Deployment update loop. The fix uses JSON round-tripping for a true deep copy.
- opamp: Fix nil pointer dereference in OpAMP Bridge when validating a remote collector config that omits the processors section (#4970)
  v1beta1.Config.Processors is an optional *AnyConfig, but validateComponents dereferenced it unconditionally. When a remote config without a processors section is applied through a bridge that had componentsAllowed configured, it panicked and the pod restarted. The nil case is now skipped during validation.
- operator: Add missing RBAC permission for events.k8s.io API group (#4950)
  The operator uses k8s.io/client-go/tools/events which targets the events.k8s.io API group, but the ClusterRole only granted permission for the core API group. This caused "Server rejected event" errors when recording events on managed resources in other namespaces.
- collector: Register the k8s_attributes spelling alongside k8sattributes when generating RBAC from a Collector CR so either processor name produces the pods/replicasets/etc. permissions the processor needs. (#4922)
  The underlying processor was renamed to snake_case in open-telemetry/opentelemetry-collector-contrib#45901 while keeping the original spelling accepted, but the operator only parsed the camel form and emitted no RBAC for configs using the new name.
- collector: Generate RBAC for the k8s_attributes processor under its snake_case spelling, matching the camelCase k8sattributes it was renamed from. (#4922)
- collector: Expose prometheus receiver api_server port on collector Service and NetworkPolicy (#4949)
- auto-instrumentation, opamp, target allocator: Fix Env slice aliasing in Apache HTTPD, Nginx, OpAMP Bridge, and Target Allocator container builders when the spec slice has spare backing-array capacity (#4954)
- collector: Remove the kubebuilder default from the sts pod management policy field so it can be properly omitempty (#4875)
  This field should not be set on deployment or daemonset collectors.
Components
v0.148.0
💡 Enhancements 💡
- collector: make the statefulset PodManagementPolicy configurable (#4875)
Components
v0.147.0
🛑 Breaking changes 🛑
- apis/v1beta1: Move webhooks from the apis/v1beta1 package to the internal package internal/webhook (#4846)
- v1alpha1: Move webhooks from the apis/v1alpha1 package to the internal package internal/webhook (#4837)
🧰 Bug fixes 🧰
- target allocator: Fix Service Monitor/Pod Monitor in TargetAllocator doesn't pick up updates to secrets (#4091)
  Fixes issue where service/pod Monitors don't pick up updates to secrets.
Components
v0.146.0
💡 Enhancements 💡
- target allocator: Expose missing Prometheus CR fields in the Operator API (#1934)
  Added podMonitorNamespaceSelector, serviceMonitorNamespaceSelector, scrapeConfigNamespaceSelector, probeNamespaceSelector, evaluationInterval, and scrapeProtocols to the prometheusCR configuration within the TargetAllocator and OpenTelemetryCollector APIs to achieve feature parity with the underlying Target Allocator.
- collector: Add the hostUsers field to OpenTelemetryCommonFields to enable toggling support for isolating pod processes under a separate user namespace (#4366)
- auto-instrumentation: Add support for initContainers to instrumentation injector (#3308)
  Add support for instrumenting init containers.
  Init container support is available for Java, Python, Node.js, .NET and SDK-only, and works using the same annotation as for regular containers.
- operator, collector: Allow operator to get TLS settings from OpenShift APIServer CR and configure operands TLS settings. (#4669)
  Added operator flag --tls-cluster-profile which obtains the TLS min version and cipher suites from the OpenShift APIServer cluster custom resource (CR).
  It overrides the --tls-min-version and --tls-cipher-suites flags if set.
  The flag is disabled by default on Kubernetes and enabled on OpenShift.
  Added operator flag --tls-configure-operands which configures operands TLS settings (min version, cipher suites) based on the supplied operator TLS flags (--tls-cipher-suites and --tls-min-version) or from the OpenShift APIServer CR if --tls-cluster-profile is enabled.
  The flag is disabled by default on Kubernetes and enabled on OpenShift.
  The --tls-min-version defaults to TLSv1.2 which matches the collector's default.
  The --tls-cipher-suites is empty by default which matches the collector's default.
  Therefore enabling --tls-configure-operands with the default TLS flags should not change the collector's behavior.
- operator: Add webhook server readiness check to the operator's /readyz endpoint so the pod is not marked ready before the webhook server is listening. (#3772)
  Previously the readiness probe used only healthz.Ping, causing a race where CRs created right after deployment could hit "connection refused" from the webhook. Now the readyz endpoint includes a check using controller-runtime's StartedChecker which verifies the webhook TLS listener is actually accepting connections.
🧰 Bug fixes 🧰
- collector: Remove legacy finalizer from OpenTelemetryCollector CR when RBAC not available. (#4769)
  Finalizer usage was restricted to cluster scoped resources only. Legacy finalizer added by OpenTelemetry Operator <= v0.141.0 still blocks namespace deletion if the operator is removed first. The change removes finalizer with cluster-level RBAC availability.
Components
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
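
The v0.149.0 note on AnyConfig.DeepCopyInto (#4950) describes a shallow copy letting a defaulting step write through to a cached object. The following is an added example, not code from the operator or from this PR, that reproduces that aliasing and shows the JSON round-trip copy avoiding it; `anyConfig`, `applyDefaults`, `configHash`, the `tls_config` key and the sample values are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"maps"
)

// anyConfig is a local stand-in for a map-backed config type (not the operator's own type).
type anyConfig struct{ Object map[string]any }

// shallow copies only the top-level entries, as maps.Copy does; nested maps stay shared.
func shallow(c anyConfig) anyConfig {
	out := anyConfig{Object: make(map[string]any, len(c.Object))}
	maps.Copy(out.Object, c.Object)
	return out
}

// deep copies by JSON round-tripping, so no nested map is shared with the source.
func deep(c anyConfig) anyConfig {
	raw, err := json.Marshal(c.Object)
	if err != nil {
		panic(err) // the constructed sample is always JSON-encodable
	}
	out := anyConfig{}
	if err := json.Unmarshal(raw, &out.Object); err != nil {
		panic(err)
	}
	return out
}

// applyDefaults is a hypothetical defaulting step that writes into a nested map.
func applyDefaults(c anyConfig) {
	if tls, ok := c.Object["tls_config"].(map[string]any); ok {
		tls["min_version"] = "TLS12"
	}
}

// configHash hashes the JSON form; encoding/json sorts map keys, so it is stable.
func configHash(c anyConfig) string {
	raw, _ := json.Marshal(c.Object)
	return fmt.Sprintf("%x", sha256.Sum256(raw))
}

// cacheMutated reports whether defaulting a copy changed the "cached" original.
func cacheMutated(copyFn func(anyConfig) anyConfig) bool {
	// Constructed sample standing in for an object held in a shared cache.
	cached := anyConfig{Object: map[string]any{
		"tls_config": map[string]any{"insecure_skip_verify": false},
	}}
	before := configHash(cached)
	applyDefaults(copyFn(cached))
	return configHash(cached) != before
}

func main() {
	fmt.Println("shallow copy leaks writes into cache:", cacheMutated(shallow))
	fmt.Println("deep copy leaks writes into cache:", cacheMutated(deep))
}
```

A JSON round trip decodes every number as float64, so it suits config trees like this one rather than typed structs that must keep integer types.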