Apr
v1.1.46 - Terraform Provider
22 Apr, 2025
This update of the Terraform provider includes the following improvements/bug fixes.
Bug Fixes
Bug ID | Description |
---|---|
RC-41378 | Added validation to the rafay_cluster_sharing resource to highlight incorrect project configurations |
RC-40860 | Resolved a Terraform diff issue in the rafay_cluster_sharing_single resource when used with Upstream (MKS) clusters |
RC-40556 | Fixed an issue where terraform plan showed incorrect diffs for sharing attributes of the cloud_credentials_v3 resource, even when no changes were present |
RC-39009 | When a cluster is unshared with a project through a non-TF interface, TF plan is not showing the expected diff |
RC-41488 | Fixed an error related to project ID in the rafay_cluster_sharing resource during TF plan |
RC-41554 | Fixed an issue where deleting a cloud credential after attempting to rename it through the TF provider results in an error |
RC-40541 | Implemented compatibility improvements to ensure rafay_eks_cluster and rafay_cluster_sharing_single resources work seamlessly with each other |
RC-21665 | Fixed an issue where updating a cloud credential's sharing setting from "specific projects" to "all projects" via Terraform caused an error and created a duplicate credential in the UI |
EE-912 | Addressed an issue where the rafay_mks_cluster resource would overwrite NVIDIA node label values added out of band leading to GPU driver crashes |
System Template Catalog Updates
11 Apr, 2025
This section outlines recent enhancements and additions to templates available in the System Catalog.
Enhancements to existing templates
Google Kubernetes Engine (GKE)
Template | Change Summary | Input Variable Selector | Additional Notes |
---|---|---|---|
system-gke | Support for Kubernetes version 1.32 | resource.res-gke-cluster.kubernetes_version | |
system-gke | Support for enabling multi-networking | resource.res-gke-cluster.enable_multi_networking | |
system-gke | Support for FQDN-based network policy | resource.res-gke-cluster.enable_fqdn_network_policy | |
system-gke | Support for vertical pod autoscaling | resource.res-gke-cluster.enable_vertical_pod_autoscaling | |
system-gke | Support for Cilium cluster-wide network policies | resource.res-gke-cluster.enable_cilium_clusterwide_network_policy | |
Multi-Tenancy on K8s
Template | Change Summary | Input Variable Selector | Additional Notes |
---|---|---|---|
system-vcluster-anyk8s | Enable Kata QEMU support for vClusters | resource.res-gen-vcluster.enable_kata_runtime | Pods in vClusters will run as Kata containers. Requires Kata support on the host cluster |
system-vcluster-anyk8s | Flexible kubeconfig output options | resource.res-gen-kubeconfig.enable_kubeconfig | When set to True, a custom RBAC policy grants access only to the provisioned vCluster. When set to False, users are shown a link to download kubeconfig based on the platform role that is already assigned to the user. Default is True |
Rafay K8s Distro on Private Cloud
Template | Change Summary | Input Variable Selector | Additional Notes |
---|---|---|---|
system-mks | Enable Kata QEMU on the host cluster | resource.res-kata-qemu.enable_kata | Deploy Kata with runtime class for pod isolation. An admission controller applies this runtime to pods in namespaces labeled runtimeClassName=kata |
system-mks | Enable OPA Gatekeeper policies | Multiple: • resource.res-opa-gatekeeper.enable_opa_gatekeeper • resource.res-opa-gatekeeper.constraints_yaml • resource.res-opa-gatekeeper.templates_yaml • resource.res-opa-gatekeeper.opa_excluded_namespaces | Supports customizable constraints and templates. Specific namespaces can be excluded from policy enforcement |
Newly Available System Templates
These templates are now available in the Catalog. Additional templates will be introduced progressively, along with continuous updates to existing ones.
Cluster Lifecycle
# | Template Name | Description |
---|---|---|
1 | system-eks | Standardize Cluster Provisioning and Management with Amazon Elastic Kubernetes Service (EKS) |
AI/ML
# | Template Name | Description |
---|---|---|
1 | system-inference-vllm | Deploy and operate an inference service in Kubernetes based on popular LLMs |
v1.1.45 - Terraform Provider
07 Apr, 2025
This update of the Terraform provider includes the following improvements/bug fixes.
Note
In a previous release, 'Drivers' were renamed to 'Workflow Handlers' for improved clarity. As a result, TF may show diffs if driver is still referenced in the spec of resource or environment templates. It is recommended to update such references to workflow handler to avoid unnecessary diffs.
Enhancements
Resources
rafay_cloud_credentials_v3
Support has been added for managing cloud credentials specifically for the MKS cluster type using the rafay_cloud_credentials_v3 resource.
rafay_eks_cluster
Introduced support for Day-2 operations to update Bottlerocket-based managed node group settings, such as certificate data and other Bottlerocket-specific configurations.
Note: This enhancement applies only to managed node groups using amiFamily as Bottlerocket.
Data Sources
rafay_cloud_credential
This release adds a data source for retrieving cloud credentials, enabling users to list and reference existing cloud credential configurations within their infrastructure as code workflows.
Bug Fixes
Bug ID | Description |
---|---|
RC-40584 | Documentation: Updated rafay_blueprint resource spec to add references to the attributes, 'type' and 'driftWebhook' |
RC-40553 | Documentation: Updated rafay_driver resource spec to add references to the attributes, 'affinity' and 'resources' under spec -> config -> containers -> kube_options |
RC-40594 | Documentation: Corrected rafay_blueprint resource spec to indicate 'base' attribute is Optional |
RC-40604 | Updated Terraform import and refresh behavior to skip sensitive fields (e.g. image pull registry passwords, environment variables, files, kubeconfigs, HTTP headers) in custom provider resource templates |
RC-40614 | Resolved issues with creating inline config contexts in resource and environment templates |
RC-40691 | Resolved an issue where errors were not displayed when attaching a non-existent GitOps agent to a repository |
RC-40725 | Fixed an issue where terraform plan showed incorrect diffs for base, namespace_config, and sharing attributes of the rafay_blueprint resource, even when no changes were present |
RC-40812 | To prevent diff-related issues, the override type for input variables in all Environment Manager resources as well as environment variables and files is now required |
RC-40839 | Fixed an issue where terraform plan showed diffs for sensitive environment variable values in container-type hooks within resource and environment templates |
RC-40907 | Addressed incorrect diff outputs in terraform plan for Environment Manager resources when project sharing was explicitly set to false without any actual changes |
RC-40584 | Documentation: Fixed an issue where inputs and outputs were incorrectly marked as required fields under the spec for the rafay_driver resource |
RC-41039 | Fixed an issue where disabled resource or environment templates could not be refreshed or imported using Terraform |
RC-41026 | Fixed an issue where defining a resources TypeList under spec -> config -> container -> kube_options resulted in an 'Unsupported block type' error |
RC-41045 | Addressed incorrect diff behavior when the version state of a template was updated from draft to disabled |
RC-41050 | Fixed an issue where the polling_config TypeList in the rafay_driver resource, configured via Terraform, was not reflected in the GET response from the UI or Swagger API |
RC-40996 | Documentation: Updated rafay_driver resource to include the optional resources attribute under spec → config → container → kube_options |
RC-40551 | Fixed TF plan errors related to unsupported argument and block types for selectors and schema for rafay_config_context resource |
RC-41000 | Documentation: Added rafay_workflow_handler resource |
RC-40997 | Fixed an issue where the optional tolerations attribute under spec → config → container → kube_options triggered an 'Unsupported argument' error for rafay_driver resource |
RC-41079 | Documentation: Updated SSH endpoint in the example for rafay_repositories resource |
RC-40507 | Fixed an issue where terraform plan showed a diff for version_state in resource and environment templates even when the field was not specified |
RC-40498 | Documentation: Fixed a typo under spec.files section for rafay_config_context resource |
RC-41098 | Backward Compatibility: Fixed diff issues in the rafay_driver resource of type http related to display_metadata TypeList fields |
RC-41096 | Backward Compatibility: Fixed diff issues in the rafay_driver resource of type container related to kube_options TypeList fields |
RC-40552 | Fixed an issue where changes made to the rafay_config_context resource outside of Terraform (e.g., via the UI) were not accurately reflected in terraform plan |
RC-40523 | Fixed an issue where running TF plan after an initial apply on a rafay_config_context resource showed an unexpected diff in spec.files. The plan incorrectly indicated additions for data and name, and deletions for options |
RC-40080 | Fixed TF diff issues in the rafay_driver resource related to driver name and container environment variable attributes |
RC-35895 | Fixed an issue where terraform plan/apply showed unnecessary diffs in mount_path for environment file data |
RC-41154 | Fixed a diff issue in the sharing spec for all Environment Manager resources, where TF plan showed changes even when no sharing configuration was defined |
v3.3 - SaaS
04 Apr, 2025
The section below provides a brief description of the new functionality and enhancements in this release.
Amazon EKS
Bottlerocket
This enhancement allows users to update PKI-related settings of Bottlerocket nodes during Day 2 operations. While updates to fields such as data and trusted have been validated, other valid Bottlerocket settings may also be configurable through this mechanism. For a list of valid settings, refer to the Bottlerocket settings index. However, support for additional fields is currently considered beta.
Note: The settings must be specified in YAML format when using rctl and in JSON format when using the UI. TOML is not supported.
Previously, modifying Bottlerocket settings for a managed node group was not supported. Users can now update configurations such as:
bottlerocket:
  settings:
    pki:
      my-trusted-bundle:
        data: LS0tLS1CRUxxxxxxxxxxxxxxxxxxxxxBase 64 Certificate Dataxxxxxxxx
        trusted: true
Since this property change requires creating a new launch template version internally, updating Bottlerocket settings will result in a rolling replacement of EC2 instances within the same node group. This ensures that the new Bottlerocket settings are applied as part of the bootstrapping process for EC2 machines.
Note
Support for updating Bottlerocket settings is available in interfaces such as RCTL, Terraform, API, and SystemSync. UI support will be added in the next release.
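Because a Bottlerocket settings update replaces every EC2 instance in the node group, it is worth checking the PKI bundle before applying it. The following is an added example, not part of the original release notes or of Rafay's tooling: it checks that each `data` value is base64 of a PEM certificate bundle, that `trusted` is a boolean, and that no private key was pasted into the bundle. The function names and the sample spec are hypothetical, and the check assumes `data` is single-line base64 of ASCII PEM text.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")

def b64(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")

def check_pki_bundle(name, entry):
    """Return the problems found in one settings.pki.<name> entry ([] means OK)."""
    problems = []
    if "trusted" in entry and not isinstance(entry["trusted"], bool):
        problems.append(f"{name}: 'trusted' must be a boolean")
    data = entry.get("data")
    if not isinstance(data, str) or not data:
        return problems + [f"{name}: 'data' is missing"]
    try:
        pem = base64.b64decode(data, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return problems + [f"{name}: 'data' is not base64-encoded PEM text"]
    if "PRIVATE KEY-----" in pem:
        problems.append(f"{name}: bundle contains a private key")
    bodies = PEM_CERT.findall(pem)
    if not bodies:
        problems.append(f"{name}: no CERTIFICATE block after decoding")
    for i, body in enumerate(bodies):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = b""
        if not der.startswith(b"\x30"):  # X.509 DER starts with a SEQUENCE tag
            problems.append(f"{name}: certificate {i} is not valid DER")
    return problems

def check_settings(spec):
    """Check every bundle under bottlerocket.settings.pki of a node group spec."""
    pki = spec.get("bottlerocket", {}).get("settings", {}).get("pki", {})
    return [p for n, e in pki.items() for p in check_pki_bundle(n, e)]

# Constructed sample: a 5-byte DER SEQUENCE stands in for a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_SPEC = {"bottlerocket": {"settings": {"pki": {
    "my-trusted-bundle": {"data": b64(SAMPLE_PEM), "trusted": True}}}}}

if __name__ == "__main__":
    print(check_settings(SAMPLE_SPEC) or "bundle OK")
```

The check is structural only: it does not parse the certificate or verify its validity period or issuer.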
Day 2 Support for Updating Tags in Managed Node Groups
Previously, tag updates made during Day 2 operations were not reflected in the launch template of the managed node group. This is now being addressed.
With this enhancement, users can add new tags, and these updates will be correctly applied to the launch template as part of the managed node group configuration.
To apply Day 2 tag changes, a new launch template version will be created incorporating the updated tags. As a result, the nodes in the managed node group will be recycled, ensuring the new tags are effectively applied.
Blueprints
Support for Draft Versions
Support has been added to mark versions as 'Draft' for Add-ons and Blueprints, providing the following benefits:
- The platform team can modify Add-ons and Blueprints multiple times during the testing and validation phase without creating a new version each time. Once all necessary changes are complete, the version can be marked as 'Active'.
- Draft versions are project-scoped, meaning they are not shared with downstream projects. This ensures that only fully vetted Blueprints, explicitly marked as 'Active', are accessible to downstream projects and users.
Note
This feature is initially supported through non-UI interfaces. UI support will be added in a subsequent release.
For more information about this feature, click here.
Configurable Add-on/Workload Retries
Blueprints and Workloads incorporate health readiness checks to determine when the deployment of a YAML/Helm manifest is successful.
In some cases, the failure status takes longer than expected to appear, even when an issue with the deployment is evident. This delay occurs due to multiple readiness check retries.
With this enhancement, users can now configure the number of readiness check retries, offering greater flexibility to fine-tune the process based on the type of manifest being deployed. This setting can be adjusted through Add-on/Workload overrides.
Info
By default, the number of readiness retries is set to 5.
For more information about this feature, click here for add-ons and workloads.
Integrations
OCI Helm Repository
Support is being added for OCI Helm repositories, enabling users to deploy Helm charts directly from OCI-compliant container registries. This enhancement allows seamless integration with OCI-based repositories. With this capability, users can also create a custom catalog and leverage OCI-based repositories for efficient Helm chart management and distribution.
For more information about this feature, click here.
Secrets Management
Search by name has been added to the Secrets Provider Classes page to make it easier to find specific entries.
For more information about this feature, click here.
Workloads & GitOps Pipelines
UI improvements
Several backend enhancements have been implemented to improve the loading speed of the workload listing page, including faster retrieval of deployment status.
Error Handling and Reporting
Several improvements are being implemented to simplify troubleshooting for Workload failures. These enhancements include correlating Kubernetes events to surface more meaningful error messages from the cluster, making it easier to identify the root cause of deployment failures.
For more information about this feature, click here.
Deploy Workload Stage
When creating a Deploy Workload stage within a GitOps pipeline, workloads are now listed in alphabetical order in the dropdown. Additionally, type-ahead search with auto-suggestions is supported as characters are entered.
Filtering
Now, when navigating into a workload or pipeline, making changes, and returning, your previously applied filters are retained—eliminating the need to reapply them.
Environment Manager
Skip Condition for hooks
A previous release introduced the "Skip Condition" feature for tasks and hooks. This functionality is now also supported in the UI.
Environment Templates
A search box has been added to the resource template selection step, making it easier to find the desired template when creating an environment—especially when many resource templates are available.
For more information about this feature, click here.
Projects
Delete Project API in v3
Support is being added for project deletion using the v3 API.
For more information about this feature, click here.
Helm App Catalog
The Helm App Catalog has been updated to add support for the following repositories.
Category | Description |
---|---|
AI/ML | Apache Yunikorn |
AI/ML | Kueue |
Kubernetes Lifecycle Management | Karpenter |
AI/ML | JobSet |
AI/ML | KAI Scheduler by NVIDIA |
AI/ML | NVIDIA K8s NIM Operator |
For more information about this feature, click here.
Bug Fixes
Bug ID | Description |
---|---|
RC-40716 | Resolved an issue where AKS clusters created prior to the 3.2 release without the create_account field under workload-identities would fail validation during blueprint updates via Terraform |
RC-40503 | Fixed an issue where EKS add-on configuration values were unintentionally overwritten during cluster upgrades |
RC-39697 | Fixed an issue where opting out of schedules in an environment would reset parameters to their default values |
RC-39669 | Resolved an issue where users with both "Infrastructure Read-Only" and "Namespace Admin" roles were granted unintended access to view registries |
RC-40491 | Resolved an issue where non-UI interfaces would return an error if a node label started with topology.kubernetes.io/ |