Option to run the K8s API private
As of today we have the option to only allow access to the Kubernetes API over a private network connection.
More …New container to authenticate to aws-ecr
We added a new docker image called concourse-ecr-login. This image has the AWS cli and docker installed.
Upgraded several cluster components
As part of our regular upgrade cycle, the following Kubernetes cluster components have been updated. We’ve already rolled these out to all clusters.
More …Auto-assigned Elastic IPs for K8s nodes (optional)
We’re releasing an optional feature where it’s possible to assign Elastic IPs to nodepools. This can be useful for whitelisting purposes. For example when nodes, running in public subnets, need to connect to services behind enterprise firewalls.
More …Striving for more automation on the K8s reference solution
We’ve recently improved in the automation of our Kubernetes reference solution in several ways. Automation is very important for us to be able to quickly deliver new features and bug fixes to our customers, while performing seamless rollouts that cause no disruption to running workloads.
More …Grafana main dashboard updated
By default we integrated our Grafana deployments with Dex for handling authentication. We’ve now also made it possible to configure any other supported Grafana authentication backend, for example to use Azure AD directly.
Automated AWS ELasticsearch Service backups to S3
By default, the AWS Elasticsearch Service already comes with regular automated snapshots. However these snapshots can not be used for recovery or migration to a new Elasticsearch cluster and furthermore can only be accessed as long as the Elasticsearch API of the cluster is available.
More …Velero S3 backups replication
Our reference solution eks-based Velero backups on AWS S3 now supports automatic replication to an additional S3 bucket on an AWS region of choice. The feature is disabled by default, contact your lead engineer to discuss about enabling it for your cluster(s) if needed.
Monitoring upgrades
As part of our regular upgrade cycle, the following Kubernetes cluster components have been updated. These updates are being rolled out to all clusters and will be finished by the end of the week.
More …Concourse upgraded to v6.7.3
We have upgraded our Concourse setups to the latest version 6.7.3.
More …Vault upgraded to 1.6.1
We have updated our Kubernetes based Vault setups to the latest version 1.6.1 in the past days.
Grafana main dashboard updated
We have fixed a problem in our main Grafana dashboard. Previously we counted the resources for all pods (including those who already completed). This gave an incorrect indication on the cluster usage. Now we filter out the failed and succeeded pods so the dashboard indicates a more correct usage of the cluster.
More …Upgraded Dex version with security patch
We’ve upgraded Dex on all our clusters with a new version (v2.27.0) that contains a fix for a security vulnerability.
More …Configurable default certificate and default backend on nginx-ingress
The Nginx Ingress Controller has configuration options for setting a default TLS certificate and a default backend. We have now exposed this settings to be configurable on a per-cluster basis.
More …New log shipper added - Fluent Bit
We already offer a cost-effective and default logging solution based on Grafana Loki. However we realize this logging solution is not a perfect fit for everybody and thus now also allow deploying and configuring Fluent Bit through our reference solution offering, including all the benefits like regular updates.
More …Updated Teleport to version 4.4.5
We’ve updated all Teleport clusters to version 4.4.5. This is a minor release, which includes mostly bugfixes and small improvements.
More …Upgrade EKS to 1.18
We have started rolling out EKS 1.18. This brings EKS on Kubernetes v1.18.9.
Fixed issue with Vault certificate renewal
For increased security, our Vault setups are configured to terminate TLS sessions directly at the Vault server process. To do so, we use cert-manager to provision LetsEncrypt certificates that the Vault server Pods can use. There was an issue with this setup, where the Vault servers didn’t reload the certificate when this was renewed by cert-manager, rendering Vault insecure / unavailable.
More …Fall component upgrades
As part of our regular upgrade cycle, the following Kubernetes cluster components have been updated. We’ve already rolled these out to all staging clusters. Production clusters will follow in the coming days.
More …Support for GPU node pools in Azure Kubernetes Service (AKS)
We’re adding support for GPU node pools in AKS (Azure Kubernetes Service). GPU nodes are great for compute-intensive workloads such as graphics and visualization workloads, or machine-learning processes. Azure uses the NVIDIA device plugin to make the GPU capacity of a node available to Kubernetes workloads.
More …