What's Changed

🚚 Dependencies Management

• [ReadTheDocs] update python version by @cheina97 in #3205

Full Changelog: v1.1.0...v1.1.1

What's Changed

🚀 New Features

• [Network] TCP MSS clamping in Gateway by @cheina97 in #3176
• [Webhook]: added skip label by @cheina97 in #3183
• feat: add skip webhook label to non cross-cluster resources by @fra98 in #3185
• [Networking] disable leader election in gateway by @cheina97 in #3186
• [VirtualKubelet] shadowpod event reflection by @cheina97 in #3189
• feat(vkoptions): add tolerations support for virtual kubelet pod by @aleoli in #3191
• [Liqo-CRDs] CRD upgrade job by @cheina97 in #3192
• feat(helm): support priorityClassName in default gateway templates by @fra98 in #3195
• feat: avoid kyverno dependency in tests by @cheina97 in #3128
• [API] Firewall: support IP ranges and accept/drop by @Wekkser in #2966
• feat(gateway): add tolerations option for gateway pods by @aleoli in #3193
• feat(pod-security): add pod security labels to tenant ns by @aleoli in #3184
• [Core] feat: mark foreigncluster as permanently unreachable by @claudiolor in #3122
• [Liqoctl] Force unpeer command by @giuliafalaschi in #3126

🐛 Bug Fixes

• [Networking] fwcfg match port fix by @cheina97 in #3181
• fix: fix a bug that CN should be consumer cluster id by @likakuli in #3171
• fix: bind cluster-wide clusterroles with TolerateNoHandshake peering by @fra98 in #3201
• fix: ignore not found InternalNode on deletion by @claudiolor in #3200
• [Networking] Relieve stress on the Kubernetes API server. by @cheina97 in #3202

🧹 Code Refactoring

• [Copyright] 2026 update by @cheina97 in #3175
• refactor: align wireguard gateway templates by @fra98 in #3203

📝 Documentation

• [Network] Cilium MTU autodiscovery by @cheina97 in #3178
• [Liqo-CRDs] helm docs generation by @cheina97 in #3197
• Fix minor doc inconsistencies around mariadb invokation by @topiaruss in #3019

✅ Tests

• [Unit Tests] macos run fix by @cheina97 in #3190

🚚 Dependencies Management

• chore: bump golang from v1.24.0 to v1.25.5 by @cheina97 in #3177
• [Sphinx] update docs python packages by @cheina97 in #3198

📦 Builds Management

• build(liqo-test): switch to setup‑envtest for envtest binaries by @aleoli in #3199

👷 CI/CD

• [CRD-Upgrade] excludes arm/v7 from build by @cheina97 in #3204

New Contributors

• @Wekkser made their first contribution in #2966
• @giuliafalaschi made their first contribution in #3126

Full Changelog: v1.0.3...v1.1.0

What's Changed

🐛 Bug Fixes

• fix: TolerateNoHandshake ResourceSlice approval by @claudiolor in #3168

Full Changelog: v1.0.2...v1.0.3

What's Changed

🚀 New Features

• [Network] wireguard-go post new build pipeline by @cheina97 in #3089
• feat(auth): add TLS compatibility mode for authentication keys by @aleoli in #3109
• [Liqoctl] Specify other (non-standard) resources with liqoctl commands by @claudiolor in #3138
• feat: add helm values for affinity and ns on fabric ds by @fra98 in #3150

🐛 Bug Fixes

• fix(reflection): handle errors when getting metadata accessor by @aleoli in #3106
• fix(reflection): terminated pod reflection logic by @aleoli in #3107
• [virtual-kubelet] Allow scheduling pods with name > 63 chars by @fra98 in #3111
• [Auth module] fix: enable healthcheck with missing identity by @claudiolor in #3114
• fix: handle nil chain type in FromChainToRulesArray by @riccardotornesello in #3131
• [Network] Internalfabric get fix by @cheina97 in #3125
• fix: backward compatibility with ed25519-only keys clusters by @claudiolor in #3165
• [Network] fullmasquerade idempotency by @cheina97 in #3167

🧹 Code Refactoring

• [Network] refactor InternalFabric name source by @cheina97 in #3077
• [Controller-Manager] flags refactoring by @cheina97 in #3088

📝 Documentation

• [Linter] fix broken links by @cheina97 in #3087
• docs(install): add Cilium device config note by @aleoli in #3151

✅ Tests

• [E2E] forge kubeconfig from service-account by @cheina97 in #3146
• test(cni): update Cilium CLI version to v0.18.8 by @aleoli in #3149

🚚 Dependencies Management

• [Linting] ignore broken link by @cheina97 in #3078
• chore: bump k8s libs to v1.33 by @fra98 in #3116

👷 CI/CD

• [Build] faster pipeline by @cheina97 in #3065

New Contributors

• @riccardotornesello made their first contribution in #3131

Full Changelog: v1.0.1...v1.0.2

What's Changed

🚀 New Features

• [ArgoCD] support for v3.0 by @claudiolor in #3043
• feat(offload): Add the liqoctl offload namespaces command. by @mayooot in #3060

🐛 Bug Fixes

• [liqoctl] fix help commands templating by @claudiolor in #2986
• Permission for in-band peering by @aleoli in #3030
• [Telemetry] UUID by @cheina97 in #3039
• fix: show correct err when update local pod status failed by @likakuli in #3041
• fix: escape the shadowpod creator label by @claudiolor in #3052
• [Network] avoid panic when setting gateway secretRef by @fra98 in #3049
• [Auth] Tenant idempotency fix by @cheina97 in #3061
• [Network] fix SNAT remaping CIDR by @cheina97 in #3064

🧹 Code Refactoring

• [Firewall] moved FwCfg util functions out of apis types folder by @fra98 in #2995
• [Docs] update mariadb-galera version by @cheina97 in #3001
• [Makefile] removed useless command by @cheina97 in #3056

📝 Documentation

• [Docs] add liqoctl commands documentation by @claudiolor in #2989
• Update text to the content of the latest community repository by @frisso in #3005
• [Sphinx] ignore google scholar in linting by @cheina97 in #3036
• [ArgoCD] installation instructions by @cheina97 in #3035
• [IPAM] improved error logs by @cheina97 in #3034
• [Telemetry] ResourceSliceNumber by @cheina97 in #3038
• [Network] Debugging FAQ by @cheina97 in #2999
• docs: Add missing labels in resource slice for declarative peering by @laurall974 in #3050
• docs: fixed network configuration example by @fra98 in #3059
• [Project] devcontainer docs by @cheina97 in #3063

🚚 Dependencies Management

• chore: bump deprecated ubuntu 20.04 runner by @fra98 in #3027
• chore: bump golangci-lint to v2 by @fra98 in #3009
• chore: bump controller-runtime to v0.20.4 by @fra98 in #3028
• Add image pull policy and secret handling across components by @aleoli in #3029

Other Changes

• Adding information about community (how-to, meetings, etc) by @frisso in #2955
• Update reflection.md to fix two trivial typos by @topiaruss in #3015
• [Project] DevContainer configuration by @cheina97 in #3062

New Contributors

• @topiaruss made their first contribution in #3015
• @likakuli made their first contribution in #3041
• @laurall974 made their first contribution in #3050
• @mayooot made their first contribution in #3060

Full Changelog: v1.0.0...v1.0.1

🚀 Liqo v1.0.0 Release Notes 🚀

🚨 Breaking Changes Alert

This release contains significant breaking changes.

The Liqo v1.0.0 release includes many breaking changes, due to the necessity to bring more modularity and flexibility to the project, a cleaner and more granular control (e.g., fully declarative APIs to control the most important features of Liqo), and other features.

Even more important, the Liqo team believes that the project is now mature and stable enough to be safely deployed in production environments, and to consolidate most of its APIs that were defined as alpha in the past.

📝 Fully declarative APIs

This approach allows users to support gitops and automation use cases, as Liqo can be completely configured via CRs, without necessarily relying on liqoctl (e.g., perform peering declaratively, easily integrate Liqo with other services).

🧩 Modularity

Liqo is now structured in three core modules (network, authentication, and offloading) that are totally independent and can be individually configured and used (e.g. you can enable offloading or resource reflection without necessarily setting up the network connectivity between the clusters, which can be provided by other third-party tools).

🌐 Network Module

Complete re-design of the network fabric, involving:

• A new communication model inside the cluster (i.e., intra-cluster traffic now flows inside the CNI thanks to node-to-gateway geneve tunnels replacing the old node-to-node vxlan overlay)
• A new, simplified model for the inter-cluster connectivity (still based on wireguard, but more robust and open to other technologies)

🔐 Authentication Module

The peering authentication between clusters is now:

• Fully declarative and simpler (it does not require exposing a dedicated auth service anymore as well as no API server exposition is necessary from the consumer side)
• More robust overall (e.g., fixing a broken peer is easier and faster)
• Minimized permissions required on the provider cluster to establish a peering connection with liqoctl
• New ResourceSlice CR allows a more granular and flexible control of the resources requested to provider clusters

🚢 Offloading Module

• It is now possible to have multiple virtual nodes targeting the same remote provider cluster
• This allows splitting the resources of bigger clusters across multiple virtual nodes
• Support for nodes with specific resources (e.g. GPUs) or characteristics (e.g. specific architectures)
• Share huge resource pools with another cluster while keeping the virtual nodes size quite small, avoiding a "black hole" effect during scheduling

🔮 What's Next?

There are many more news and features that will be presented in dedicated blog posts and community meetings.

Stay tuned! 📢

The Liqo Team

What's Changed

🚀 New Features

• [Feat] Webhook HA by @aleoli in #2759
• [Feat] VirtualKubelet HA by @aleoli in #2770
• [Feat] Gateway external secrets by @aleoli in #2747
• [Feat] Gateway HA by @cheina97 in #2767
• Improve declarative usage of authentication module by @claudiolor in #2766
• [Feat] liqoctl gateway template check by @cheina97 in #2791
• [Feat] Add nodePort and loadbalancerIPAddress as optional fields in WG gateway template by @claudiolor in #2799
• [Feat] Golang http proxy by @aleoli in #2819
• [liqoctl] allow override gateway client address and port by @claudiolor in #2831
• Add global labels and annotations to liqo-created resources by @aleoli in #2832
• [Offloading] Allow coexistence of podoffloadingpolicy and runtimeclass by @claudiolor in #2861
• [IPAM] Major refactoring by @fra98 in #2852

🐛 Bug Fixes

• add missing ClusterRole to liqo-webhook by @EladDolev in #2726
• fix: retrieve GatewayServer/GatewayClient resources by labels by @fra98 in #2758
• Assign unique names to all controllers by @fra98 in #2771
• fix: retrieve configuration resources by labels by @fra98 in #2772
• fix: retrieve publickey resources by labels by @fra98 in #2773
• fix: network status in ForeignCluster resource by @claudiolor in #2783
• fix: avoid creation of VirtualNode if ResourceSlice deleting by @fra98 in #2786
• fix: wggateway controllers pod watch by @cheina97 in #2815
• test: fix HA replicas checks by @fra98 in #2804
• fix: liqoctl cluster labels and API server addr override collection by @claudiolor in #2781
• fix: nil pointer in network checker of liqoctl info peer by @claudiolor in #2797
• [Fix] argocd install by @aleoli in #2794
• [Fix] improve liqoctl uninstall error message by @claudiolor in #2825
• [virtual-kubelet] namespacemap bidirectional fix by @cheina97 in #2870
• [Deploy] Fixes for smooth ArgoCD uninstall by @claudiolor in #2847

🧹 Code Refactoring

• Metrics: changed port from 8080 to 8082 by @cheina97 in #2818
• refactor: use standard maps lib instead of experimental one by @fra98 in #2860
• [Helm] uniform flag names by @aleoli in #2855

📝 Documentation

• docs: added section for liqo pods in HA by @fra98 in #2780
• [Docs] Add declarative peering section by @claudiolor in #2813
• docs: removed community meeting from readme by @fra98 in #2822
• [Docs] improve NAT and manual peering documentation by @claudiolor in #2827
• [Docs] resource templating by @aleoli in #2872

Other Changes

• Bump controller-runtime from 0.18.5 to 0.19.0 by @cheina97 in #2751
• Bump sphinx from 7.2.6 to 8.0.2 and sphinxawesome-theme from 5.2.0 to 5.3.1 by @cheina97 in #2765
• CI: arm32 build by @cheina97 in #2779
• Nftables monitor disable by @cheina97 in #2817
• Updated legend in grafana Liqo dashboard by @frisso in #2820
• chore: bump to controller-runtime v0.19.2 and go 1.23.3 by @fra98 in #2844
• chore: bump alpine to 3.21.0 by @aleoli in #2853
• fix: peer command default network resources namespace by @fra98 in #2846
• [Liqoctl] interaction schema by @cheina97 in #2856
• [Liqoctl] network test exit error code by @cheina97 in #2865
• [Liqoctl] control-planes in liqoctl network np-nodes flag by @cheina97 in #2867
• [dependabot] add chore prefix to commit messages by @fra98 in #2875

Full Changelog: v1.0.0-rc.2...v1.0.0-rc.3

What's Changed

🚀 New Features

• [Test] e2e plugin for eks by @aleoli in #2643
• [Test] e2e plugin for aks by @fra98 in #2647
• Geneve port configurable by @cheina97 in #2722
• [Feat] New In-Band Peering by @aleoli in #2720
• New liqoctl info command by @claudiolor in #2718
• [E2E] k3s test plugin by @aleoli in #2730
• [Test] e2e plugin for gke by @cheina97 in #2651
• [Feat] support cluster ip in gateway services by @aleoli in #2746
• [Feat] New liqoctl info peer command by @claudiolor in #2741

🐛 Bug Fixes

• [Test] fix e2e by @aleoli in #2707
• Fix providers overwrite flags liqoctl install by @fra98 in #2704
• Avoid retrieval of tenant namespace by name by @fra98 in #2703
• Fix logs follow by @aleoli in #2524
• [Fix] Node IP by @aleoli in #2713
• Fix bug deletion routine of virtualnodes with createNode=false by @fra98 in #2721
• Support for gcloud subnet in different project by @cheina97 in #2723
• Fix default wireguard MTU by @cheina97 in #2736
• [Fix] Tenant cleanup & bidirectional peering by @aleoli in #2740
• Fix liqoctl disconnect on bidirectional peering by @fra98 in #2750

🧹 Code Refactoring

• E2E: add kyverno install as pipeline step by @fra98 in #2708
• Update CodeQL action by @fra98 in #2717
• Flags package refactoring: from "flag" to "pflag" by @cheina97 in #2725

📝 Documentation

• Updating the roadmap based on recent discussions within the Liqo maintainers by @frisso in #2475
• Docs: fix Liqo version in Helm installation by @cheina97 in #2739
• docs: add liqoctl info documentation by @claudiolor in #2753
• Docs: in-band docs refactored by @cheina97 in #2754

Other Changes

• Bump golangci-lint and gci by @fra98 in #2706
• Bump controller-runtime to v0.18.5 and k8s libs to v.1.30.3 by @fra98 in #2705
• Bump alpine images to v3.20 by @fra98 in #2714
• Bump go version to 1.23 by @fra98 in #2724
• Bump Alpine from 3.20 to 3.20.3 by @cheina97 in #2749
• Disable docker artifacts in CI by @cheina97 in #2756

Full Changelog: v1.0.0-rc.1...v1.0.0-rc.2

New Liqo v1.0.0-rc.1 release

Liqo v1.0.0-rc.1 is here! 🚀

This is a major milestone for the project, bringing us closer to the stable 1.0 release. We encourage you to try out this release candidate and provide feedback. Your input is invaluable as we refine Liqo and prepare for the 1.0 release.

This major version includes a new suite of features and a big refactoring of the codebase:

• fully declarative approach on all functionalities (install, peering, offloading, etc..)
• a new division in 3 main modules: networking, authentication, offloading
• modularity and independence between the 3 modules (e.g., the possibility to turn off individual modules)
• new networking fabric
• possibility to implement new networking technologies
• new authentication workflow
• possibility to have multiple virtual nodes targeting the same remote cluster, giving more flexibility and allowing to target specific node pools on the remote provider cluster
• docs: new structure, improvements, new pages (e.g., advanced usage examples), fix deprecated features, and a lot more

We are pleased to release Liqo v0.11.0-rc.3 which includes a major refactoring of Liqo and it's the first RC containing all new Liqo modules.

Summary of changes

• new authentication and offloading modules
• several fixes and improvements to the new networking module
• new liqoctl commands:
  • network init, network connect, network reset to configure the networking module
  • authenticate, unauthenticate to authenticate a consumer cluster with a provider cluster
  • create resourceslice to ask the provider for resources and obtain an associated VirtualNode
  • peer and unpeer, wrapper commands that automate all of the above commands in a single command, performing a full peering between a consumer and a provider

Warning

⚠️ The documentation for the new Liqo is still a work in progress, part of the documentation may be outdated. Please refer to the Peer two clusters and Quick start sections for a basic overview of the new functionalities and commands. ⚠️

Changelog

• fix remote cm name by @aleoli - 2 Jul 2024 11:53
• Docs: updated quick-start by @fra98 - 2 Jul 2024 11:43
• Network: gateway prometheus metrics by @cheina97 - 2 Jul 2024 09:08
• remove duplicated cluster id labels by @aleoli - 1 Jul 2024 15:02
• Docs: peering usage by @fra98 - 1 Jul 2024 15:01
• move discovery api to core by @aleoli - 1 Jul 2024 13:03
• CI: added release branch for building by @cheina97 - 1 Jul 2024 12:54
• cleanup old values by @aleoli - 1 Jul 2024 12:08
• offloading fixes by @aleoli - 1 Jul 2024 10:24
• Liqoctl unpeer command by @fra98 - 1 Jul 2024 09:58
• Reorganize controllers in offloading module folder by @fra98 - 1 Jul 2024 09:58
• quota enforcement type by @aleoli - 1 Jul 2024 09:58
• user-defined resources by @aleoli - 1 Jul 2024 09:58
• add quota creator controller by @aleoli - 1 Jul 2024 09:58
• Liqoctl peer command by @fra98 - 1 Jul 2024 09:58
• Move webhook in a separate folder by @fra98 - 1 Jul 2024 09:54
• resource webhook by @aleoli - 1 Jul 2024 09:54
• Replace IP and Network webhooks with CEL validation by @fra98 - 1 Jul 2024 09:54
• Fix liqoctl build on non-unix based systems by @fra98 - 1 Jul 2024 09:54
• Refactoring ReflectorsConfig in VK Options by @fra98 - 1 Jul 2024 09:54
• Liqoctl: preuninstall check ForeignCluster modules by @fra98 - 1 Jul 2024 09:54
• Fixed createNode and disableNetworkCheck booleans by @fra98 - 1 Jul 2024 09:54
• Added labels and annotations not reflected enforcement by @fra98 - 1 Jul 2024 09:54
• VirtualKubelet options as CRD by @fra98 - 1 Jul 2024 09:54
• move webhooks to separate pod by @aleoli - 1 Jul 2024 09:53
• shadopod enforce creator labels by @aleoli - 1 Jul 2024 09:53
• remove ipam client from kubelet by @aleoli - 1 Jul 2024 09:53
• Fix panic identity creator when resourceslice has no provider by @fra98 - 1 Jul 2024 09:53
• NamespaceMap handle multiple virtualnodes by @fra98 - 1 Jul 2024 09:53
• support remote api server access by @aleoli - 1 Jul 2024 09:53
• NodeProvider disable check network by @fra98 - 1 Jul 2024 09:53
• Network Module and Network + Offloading Cross Module refactoring by @cheina97 - 1 Jul 2024 09:53
• Crd repliactor remove peering phases by @fra98 - 1 Jul 2024 09:53
• fix prometheus metrics by @aleoli - 1 Jul 2024 09:53
• ForeignCluster controller by @fra98 - 1 Jul 2024 09:53
• unify cluster id and cluster name by @aleoli - 1 Jul 2024 09:53
• Refactor API ForeignCluster by @fra98 - 1 Jul 2024 09:52
• Move controllers to offloading module by @fra98 - 1 Jul 2024 09:52
• small fixes by @aleoli - 1 Jul 2024 09:50
• olloading patch node selector by @aleoli - 1 Jul 2024 09:50
• liqoctl remove old peer and unpeer commands by @aleoli - 1 Jul 2024 09:50
• CRD Replicator handle lost permissions on drained tenant by @fra98 - 1 Jul 2024 09:50
• Disable and drain Tenant by @fra98 - 1 Jul 2024 09:50
• cordon resource slices by @aleoli - 1 Jul 2024 09:50
• Removed unused discovery flag by @fra98 - 1 Jul 2024 09:50
• discovery cleanup by @aleoli - 1 Jul 2024 09:50
• Cordon Tenant by @fra98 - 1 Jul 2024 09:50
• Added kubectl printed fields to Authentication API resources by @fra98 - 1 Jul 2024 09:50
• Tenant conditions in Spec API by @fra98 - 1 Jul 2024 09:50
• auth cleanup by @aleoli - 1 Jul 2024 09:50
• slice status by @aleoli - 1 Jul 2024 09:50
• Liqoctl authenticate command by @fra98 - 1 Jul 2024 09:50
• Automatatic creation of VirtualNodes from ResourceSlices by @fra98 - 1 Jul 2024 09:50
• refactor iam auth by @aleoli - 1 Jul 2024 09:50
• improve check csr for resource slices by @aleoli - 1 Jul 2024 09:50
• Create Identity from ResourceSlice by @fra98 - 1 Jul 2024 09:50
• Auth minor fixes by @fra98 - 1 Jul 2024 09:50
• Liqoctl get kubeconfig by @fra98 - 1 Jul 2024 09:50
• handle resourceslice lifecycle by @aleoli - 1 Jul 2024 09:50
• Refactor crd replicator to work with new kubeconfig secret by @fra98 - 1 Jul 2024 09:50
• CA encoding fix by @fra98 - 1 Jul 2024 09:50
• control plane rbacs by @aleoli - 1 Jul 2024 09:50
• Liqoctl get nonce by @fra98 - 1 Jul 2024 09:50
• Fix CRDs mapper by @fra98 - 1 Jul 2024 09:50
• Identity controller by @fra98 - 1 Jul 2024 09:50
• Liqoctl generate identity by @fra98 - 1 Jul 2024 09:50
• tenant controller by @aleoli - 1 Jul 2024 09:50
• nonce controller by @aleoli - 1 Jul 2024 09:50
• Sign nonce controller by @fra98 - 1 Jul 2024 09:50
• Refactor auth module in main.go by @fra98 - 1 Jul 2024 09:50
• Initialize cluster auth keys by @fra98 - 1 Jul 2024 09:50
• Authentication API by @fra98 - 1 Jul 2024 09:50
• Network: IP masquerade works locally by @cheina97 - 26 Jun 2024 16:24
• Network: firewallconfiguration rename by @cheina97 - 26 Jun 2024 16:19
• Remove Security Mode by @cheina97 - 25 Jun 2024 16:23
• Network: provider liqoctl values by @cheina97 - 25 Jun 2024 16:23
• Move networking controllers in a common folder by @fra98 - 21 Jun 2024 10:56
• Move forge utilities out of liqoctl package by @fra98 - 21 Jun 2024 10:50
• Network: gateway masquerade bypass by @cheina97 - 19 Jun 2024 14:44
• Network: firewallconfiguration port and protocol match by @cheina97 - 19 Jun 2024 14:44
• Network: firewallconfiguration port and protocol match by @cheina97 - 18 Jun 2024 15:56