Skip to main content
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

0.18.0

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.17.0…ngrok-operator-0.18.0 Warning: The ngrok-operator image version 0.18.0 and above include a breaking change due to the sunsetting of some ngrok platform features. Before you upgrade to this version of the image, please see https://github.com/ngrok/ngrok-operator/discussions/654.

Removed

  • [Breaking Change!] Remove Deprecated CRDs by @jonstacks in #664.

Changed

  • chore(deps): bump golang.org/x/oauth2 from 0.23.0 to 0.27.0 by @dependabot in #668.
  • feat: Migrate to ngrok-go v2 by @jonstacks in #667.

0.17.0

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.16.1…ngrok-operator-0.17.0

Added

  • feat: Add a reclaimPolicy to domains by @jonstacks in #641
  • Add gatewayclass to store by @jonstacks in #650
  • feat(gateway-api): Set accepted conditions on gateways & httproutes by @jonstacks in #651
  • feat(gateway-api): Add gateay status addresses by @jonstacks in #653
  • feat(gateway-api): Validate gateway listeners hostname and port by @jonstacks in #658
  • feat(cloud-endpoints): Add CloudEndpoint ID to printer column by @jonstacks in #647

Changed

  • bake ca into image by @Megalonia in #626
  • chore(testing): Add tests for Domain Reconciler by @jonstacks in #646
  • Combine binaries by @masonj5n in #648
  • refactor: Update statuses concurrently and pre-calculate domains by @jonstacks in #649
  • perf: Enable ‘use-errors-new’ revive linter by @jonstacks in #659
  • chore(deprecation): Add deprecation notice to CRDs by @jonstacks in #655. See discussion for details.
  • chore(deps): Updated to go 1.24 by @jonstacks in #642 and #661.
  • chore: Use slices and maps from stdlib by @jonstacks in #638

Fixed

  • Periodically re-reconcile boundendpoints and refactor connectivity check by @masonj5n in #628.
  • fix: Hanging connections by @jonstacks in #657
  • fix: httproute should enqueue requests when gateways are deleted by @jonstacks in #660

0.16.1

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.16.0…ngrok-operator-0.16.1

Added

  • enable more golangci linters by @Alice-Lilith in #630

Removed

  • remove generated bindings from ingress/gateway resources by @Alice-Lilith in #635

Fixed

  • fix(api-manager): panic when TCP/TLS Route CRDs are not installed. by @jonstacks in #636

0.16.0

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.15.1…ngrok-operator-0.16.0

Added

  • Consume IngressEndpoint from status by @masonj5n in #607
  • add new mapping strategy by @Alice-Lilith in #612
  • add support for TCPRoute & TLSRoute by @Alice-Lilith in #621
  • Lb services reserve tcp addr for endpoints by @jonstacks in #622

Changed

  • unconditionally create operator with ngrok api by @masonj5n in #614
  • only make tunnels for edges strategy by @Alice-Lilith in #623

Fixed

  • add deployment name and version to _update calls by @Megalonia in #610
  • fix: Agent endpoint domain strategy by @jonstacks in #613
  • fix: Empty TLS cert on creation when bindings are enabled by @jonstacks in #615
  • fix: traffic-policy annotation not working when using mapping-strategy of edges by @jonstacks in #616
  • set operator description from values.yaml description by @masonj5n in #605
  • fix: Retry cloud endpoint creation on pooling state errors by @jonstacks in #624

0.15.1

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.15.0…ngrok-operator-0.15.1

Changed

  • chore(deps): Upgrade go to 1.24.1 by @jonstacks in #601
  • chore(lint): Enable go-critic by @jonstacks in #604

Fixed

  • fix: HTTP/2 upstreams for edges & endpoints by @jonstacks in #606. Fixes #572.
  • fix: add support for https agent endpoints from ingress/gwapi by @Alice-Lilith in #599

0.15.0

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.14.3…ngrok-operator-0.15.0

Added

  • Gateway API to Endpoints conversion by @Alice-Lilith in #588
  • Gateway API ReferenceGrant support (endpoints only) by @Alice-Lilith in #589. When using the Gateway API configuration and translating to endpoints, ReferenceGrants will be required for cross-namespace references as dictated by Gateway API. You may opt-out of support for ReferenceGrants and always allow cross namespace references using the --disable-reference-grants in the pod arguments or using the helm value gateway.disableReferenceGrants.
  • Support for the k8s.ngrok.com/bindings annotation (endpoints only) to set bindings on endpoints generated from Ingresses and Gateway API config by @Alice-Lilith in #593.
  • Implemented support for configuring upstream client certificates in the AgentEndpoint respirces and Gateway API Gateway Backend TLS config to configure client certificates to be sent to upstream services (endpoints only) bby @Alice-Lilith in #594

Changed

  • Endpoints are now the default for translations from Ingress, LoadBalancer Service, and Gateway API config by @Alice-Lilith in #596 The k8s.ngrok.com/mapping-strategy: endpoints annotation is no longer required for endpoints conversion. Similarly, you may still use Edges instead with the k8s.ngrok.com/mapping-strategy: edges annotation, but Edges will be removed in a future release.
  • Auto enable Gateway API support by @Alice-Lilith in #592. Instead of needing to opt-in to Gateway API support, we now enable it by default if the Gateway API CRDs are detected. You may still opt-out using the enable-feature-gateway flag on the pod arguments or using the helm value gateway.enabled.
  • Replaced binding name printcolumn with endpoint selectors for KubernetesOperator resources by @masonj5n in #586
  • Updated notes.txt to reflect bindings API changes by @masonj5n in #585
  • Support for latest bindings configuration (endpoints only) with the k8s.ngrok.com/bindings annotation to set bindings on endpoints generated from LoadBalancer Service resoruces by @Megalonia in #590

0.14.3

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.14.2…ngrok-operator-0.14.3

Added

  • Endpoint pooling SDK support and auto pooling for AgentEndpoint resources by @jonstacks in #581
  • Endpoint pooling support for CloudEndpoint resources (default=false), also supported on Ingress/Service resources that create endpoints using the "k8s.ngrok.com/mapping-strategy": "endpoints" annotation when "k8s.ngrok.com/pooling-enabled": "true" annotation is supplied by @Alice-Lilith in #582

0.14.2

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.14.1…ngrok-operator-0.14.2

Added

  • Add conversion support from ingress to endpoints by @Alice-Lilith in #562
  • feat: Add trafficpolicy package and conversion util by @jonstacks in #564
  • feat: Copy domain status to cloud endpoint status by @jonstacks in #566
  • feat: Opt-in to endpoints for Load balancer Services by @jonstacks in #568
  • feat(ci): Use codecov for coverage reports by @jonstacks in #571

Changed

  • chore(deps): Update ngrok-api-go by @jonstacks in #560
  • Change allowed_urls to endpoint_selectors by @masonj5n in #573
  • chore(ci): Make codecov patch status informational for now as well by @jonstacks in #577
  • update use endpoints annotation by @Alice-Lilith in #579

Fixed

  • fix(service-controller): Service controller uses configured cluster domain by @jonstacks in #552
  • fix(ngrok-api-go): Update to client that doesn’t panic for get_bound_endpoints by @jonstacks in #561
  • fix: managerdriver tests not being run by @jonstacks in #569
  • fix(ci): Disable bindings for e2e tests by @jonstacks in #570
  • add newly created agent endpoints to the map by @Alice-Lilith in #574
  • fix(httpsedges): HTTPS Edges should retry on hostport already in use by @jonstacks in #576

Removed

  • Remove binding name by @masonj5n in #567

0.14.1

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.14.0…ngrok-operator-0.14.1

Fixed

  • Fix http endpoint scheme by @jonstacks in #549

0.14.0

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.13.7…ngrok-operator-0.14.0
  • Update ngrok-operator version to 0.14.0
  • Update Helm chart version to 0.17.0-rc.1

Added

  • add agentendpoint crd by @Alice-Lilith in #525
  • agent endpoints work continued by @Alice-Lilith in #538
  • make protocol optional for agentendpoint upstreams by @Alice-Lilith in #547
  • remove boilerplate type field from trafficPolicy field by @Alice-Lilith in #548

Changed

  • Error with invalid API key by @hjkatz in #524

Fixed

  • fix: Re-create tunnel if forwardsTo or appProto changes by @jonstacks in #527
  • adjust bindings-forwarder deployment template by @masonj5n in #529
  • skip no-op status and annotation updates for boundendpoint reconciliation by @masonj5n in #537
  • fix endpoint url validation helper and add tests by @Alice-Lilith in #544
  • fix(agent-endpoints): Delete agent endpoint instead of tunnel by @jonstacks in #543

Internal / CI

  • Add artifacthub badge by @hjkatz in #513
  • feat: add chainsaw based e2e tests by @eddycharly in #506
  • e2e updates / fixes 1 by @hjkatz in #526
  • Trigger ci e2e with Makefile change by @hjkatz in #528
  • Use correct namespace for debugging by @hjkatz in #530
  • Ensure build-and-test runs on push events by @hjkatz in #531
  • E2E 5, E5E by @hjkatz in #532
  • Fix typo for changes to tests ; Add scripts/e2e.sh too by @hjkatz in #534
  • Checkout fork PR HEAD for e2e tests by @hjkatz in #535
  • Enable deny gate for ‘safe to test’ label by @hjkatz in #539
  • Add found labels debug message by @hjkatz in #540
  • feat: Use a merge group for e2e tests by @jonstacks in #542
  • Add some e2e tests as a feature branch by @hjkatz in #533
  • feat(ci): Update release script by @jonstacks in #545

New Contributors

0.13.7

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.13.6…ngrok-operator-0.13.7
  • Update ngrok-operator version to 0.13.7
  • Update Helm chart version to 0.16.4

Fixed

  • Use GPG Key name instead of ID

0.13.6

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.13.5…ngrok-operator-0.13.6
  • Update ngrok-operator version to 0.13.6
  • Update Helm chart version to 0.16.3

Changed

  • Updated GPG Key

0.13.5

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.13.4…ngrok-operator-0.13.5
  • Update ngrok-operator version to 0.13.5
  • Update Helm chart version to 0.16.2

Added

  • Sign ngrok-operator Helm chart with GPG key by @hjkatz in #514

Fixed

  • Update README.md with new rename by @hjkatz in #516

0.13.4

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.13.3…ngrok-operator-0.13.4
  • Update ngrok-operator version to 0.13.4
  • Update Helm chart version to 0.16.1

Added

  • Add scripts/release.sh and make release by @hjkatz in #507 #509 #510

0.13.3

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.13.1…ngrok-operator-0.13.3

Added

  • Add support for 1-click demo mode by @hjkatz in #503
  • Enable automatic Helm releases for ngrok/ngrok-operator in .github/workflows by @hjkatz in (this PR)

Fixed

  • Hide kind: KubernetesOperator API registration behind the bindings.enable feature flag by @hjkatz in #504

0.13.2

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.13.1…ngrok-operator-0.13.2

Added

  • Support allowedURLs by @hjkatz in #496

Fixed

  • fix: Clear status and re-reconcile if httpsedge is not found by @jonstacks in #501
  • Use the previously ingress in the error messages by @alex-bezek in #500

0.13.1

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/ngrok-operator-0.13.0…ngrok-operator-0.13.1

Changed

  • Use goroutine instead of errGroup by @hjkatz in #497
  • Reduce polling interval to 10 seconds by @hjkatz in #491

Fixed

  • fix: domain stuck when ID is not found by @jonstacks in #488
  • Ensure the TLS secret is valid otherwise upsert by @hjkatz in #486
  • Use unique context for endpoint poller reconcile actions by @hjkatz in #489
  • fix: Make sure we update the status by @jonstacks in #493
  • Add more logging for binding forwarder mux handshake by @hjkatz in #494
  • fix: Better migration path from the ngrok kuberntes-ingress-controller to the ngrok-operator by @jonstacks in #495

0.13.0

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/kubernetes-ingress-controller-0.12.2…ngrok-operator-0.13.0

:warning: :warning: :warning: Notice :warning: :warning: :warning:

This version of the controller is not backwards compatible with previous versions and is only compatible with version 0.16.0 of the ngrok/ngrok-operator helm chart and later. Using this version or later of the controller with the ngrok/kubernetes-ingress-controller helm chart will result in the controller not functioning correctly. Even though we are in major version 0, and semver v2.0.0 allows that anything may change until a 1.0.0 release, we try not to break backwards compatibility. However, this change is necessary to support new features and improvements in the operator.

Added

Kubernetes Operator

The operator installation will now be registered with the ngrok API. This will allow you to view the status of the operator in the ngrok dashboard, see what version of the operator is running, and power new features in the future. This is powered by a new KubernetesOperator CRD that is created by the operator in its own namespace when it starts up.
  • Register operator by @jonstacks in #457
  • Add status to KubernetesOperator by @hjkatz in #467
  • fix: Add nil checks to prevent potential panics by @jonstacks in #483

Endpoint Bindings (private beta)

Endpoint bindings is a new feature that allows you to securely access a ngrok endpoint no matter where it is running. Specifically, Kubernetes bound endpoints allow you to project services running outside of your Kubernetes cluster or in other clusters into your cluster as native Kubernetes services.
  • Add feature flag support for bindings by @hjkatz in #424
  • feat: Initial bindings driver by @stacks in #450
  • Modify EndpointBinding CRD to reflect cardinality of bound Endpoints by @hjkatz in #452
  • Implement AggregateBindingEndpoints for interacting with the ngrok api by @hjkatz in #453
  • Implement BindingEndpoint polling by @hjkatz in #458
  • Implement EndpointBinding -> Services creation by @hjkatz in #459
  • Implement port allocation by @hjkatz in #460
  • Bindings forwarder by @jonstacks in #465
  • Add endpoint status to EndpointBinding kubectl output by @hjkatz in #464
  • chore: Update ngrok-api-go to pull in new changes by @jonstacks in #468
  • Ensure endpoint poller does not start until k8sop is regestered with API by @hjkatz in #470
  • Rename EndpointBinding to BoundEndpoint by @hjkatz in #475
  • Implement Target Metadata by @hjkatz in #477
  • Bindings forwarder implementation by @jonstacks in #476
  • Ensure KubernetesOperator.Status.EnabledFeatures is set properly from the API by @hjkatz in #480
  • Add equality tests for Target.Metadata by @hjkatz in #482
  • feat: BoundEndpointPoller polls from the API by @jonstacks in #481

Cloud Endpoints (private beta)

Cloud Endpoints can now be created and managed by the operator via a new CloudEndpoint CRD.
  • Allow configuring ngrok Cloud Endpoints using CRDs by @alex-bezek in #471

Changed

Ingress/Gateway

  • Seed additional types when first starting by @alex-bezek in #431.

Traffic Policy

Updates TrafficPolicy CRD and inline policy to support new phase-based names as well as the new TrafficPolicy API.
  • update traffic policy for phase-based naming by @TheConcierge in #456

Splitting controllers into multiple manager instances

The controllers have been split into multiple manager instances to improve performance and scalability. This now allows the ngrok agent manager which handles traffic to run independently of the API managers which reconcile CRDs with the ngrok API. This change also allows for more fine-grained control over the controllers and their resources.
  • refactor: Split the agent and API controllers by @jonstacks in #446

Fixes

Gateway API

  • fix: Add GatewayClass controller by @jonstacks in #484

Documentation

  • Update README.md to use ngrok Kubernetes Operator instead of ingress controller. by @stmcallister in #433

New Contributors

  • @TheConcierge made their first contribution in #456

0.12.2

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/kubernetes-ingress-controller-0.12.1…kubernetes-ingress-controller-0.12.2

Added

  • feat: Ability to specify cluster domain #339. Thank you, @fr6nco !
  • feat: Support for wildcard domains #412

Changed

  • chore: Clean up predicate filters #409
  • refactor: Easier to read driver seed #411

Fixed

  • fix(store): Multiple ingress rules per ingress not working #413

0.12.1

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/kubernetes-ingress-controller-0.12.0…kubernetes-ingress-controller-0.12.1

Fixed

  • fix(service-controller): Updates not working #406
  • fix: Deleting ngrok LoadBalancer services hanging #404

0.12.0

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/kubernetes-ingress-controller-0.11.0…kubernetes-ingress-controller-0.12.0

Added

  • feat: Auto-provision domain for TLS Edges #386
  • feat: Support for Load Balancer services #387
  • feat: Support TLS termination in modulesets for Load Balancer Services #388

Changed

  • Switching over README to Operator #351
  • chore: Remove custom code for non leader-elected controllers #383
  • refactor: annotations parsers to handle client.Object instead of just networking.Ingress by #384
  • chore: Turn on golangci-lint #385

Fixed

  • fix: TLSEdge not reconciling changes to hostports #390
  • assign tunnel group lable by httproute namespace #393

0.11.0

Full Changelog: https://github.com/ngrok/ngrok-operator/compare/kubernetes-ingress-controller-0.10.4…kubernetes-ingress-controller-0.11.0

Added

  • create policy kind #361
  • initial policy controller update #364
  • root-cas setting #371 Takes an install option for —set rootCAs=host and plumb the isHostCA check into the caCerts for it to just get the host certs.
  • feat: Add support for mutualTLS #373
  • Add GatewayClass to cachestore #376
  • Add extensionRef support for policy crd inclusion #377

Changed

  • ngrok client api update #367
  • switch edge kinds to raw json policy #368
  • modules to traffic policy #370
  • Update nix flake, go version, and Makefile dep versions #379

Fixes

  • fix: panics in oauth providers #374
  • Handle non-existent backend IDs more gracefully #380
  • Fixes not all reserved addrs being returned while iterating #381

0.10.4

Added

  • Add the --api-url option This can be used to set the endpoint for the ngrok API. It can be set through via the helm apiURL value.
  • Set metadata for edges created by the gateway
  • Add gateway to client info comment

Changed

  • Controller will now start without having session established. Any operations that require tunnels will return error, while it is trying to create a session. Its ready and health checks now depend on the status of this session - ready will not return ok until connection was established, and health check will return error if this connection had authentication issues.

Fixed

  • Search for backend service using the HTTPRoute namepace

0.10.3

Added

  • Support for Gateway api

0.10.2

Added

Fixed

  • The Status.LoadBalancer[].Hostname field is now propagated from Domain CNAME status updates. #342

0.10.1

Fixed

  • IPPolicy controller wasn’t applying the attached rules, leaving the IP policy in its current state #315

0.10.0

Added

Fixed

  • Added support for TLS Renegotiation for backends that use it #314

0.9.1

Fixed

  • Send FQDN in SNI when using backend https #304

0.9.0

Changed

  • Update ngrok-go to 1.4.0 #298
  • Tunnels are now unique in their respective namespace, not across the cluster #281
  • The CRs that ingress controller creates are uniquely marked and managed by it. Other CRs created manually are no longer deleted when the ingress controller is not using them #267; fixed for tunnel in #285 and for https edges in #286
  • Better error handling and retry, specifically for the case where we try to create an https edge for a domain which is not created yet #283; fixed in #288
  • Watch and apply ngrok module set CR changes #287; fixed in #290
  • Label https edges and tunnels with service UID to make them more unique within ngrok #291; fixed in #293 and #302

Fixed

  • The controller stopping at the first resource create #270
  • Using make deploy now requires NGROK_AUTHTOKEN and NGROK_API_KEY to be set #292

0.8.1

Fixed

  • Handle special case for changing auth types that causes an error during state transition #259
  • Handle IP Policy CRD state transitions in a safer way #260
  • Better handling when changing pathType between ‘Exact’ and ‘Prefix’ #262

0.8.0

Changed

  • tunneldriver: plumb the version through ngrok-go #228
  • Support HTTPS backends via service annotation #238

Fixed

  • Initialize route backends after module updates #243
  • validate ip restriction rules, before creating the route #241
  • Don’t shadow remoteIPPolicies #230
  • resolve some linter warnings #229

Documentation

  • Use direnv layout feature #248
  • chore(readme): improve structure and content #246
  • Added direnv and a nix devshell #227

Testing Improvements

  • fix route modules, using ngrokmoduleset instead #239
  • Use raw yq output, split e2e runner from deployment #235
  • Added e2e config init script #234
  • Some updates to handle different cases for e2e run #226.

0.7.0

Changed

  • Don’t log errors on normal connection closing #206.
  • Updated golang.org/x/net to 0.9.0 #215.

Fixed

  • Add support for named service ports #222.

0.6.0

Changed

  • Added Ingress controller version to user-agent #198.
  • Don’t default to development mode for logging #199.

Fixed

  • Leaking TCP connections for every tunnel dial #203.

0.5.0

Changed

  • Bumped go version to 1.20 #167
  • Refactored Route Module Updates to be lazy #168
  • Annotations for configuration have been removed in favor of grouping module configurations together in NgrokModuleSet custom resources #170

Added

  • Ran go mod tidy and added check to make sure its tidy before merge #166
  • Added NgrokModuleSet CRD #170
  • Added support for Circuit Breaker route module #171
  • Added support for OIDC route module #173
  • Added support for SAML route module #186
  • Added support for OAuth route module #192

0.4.0

Changed

  • When no region override is passed to helm, the controller now does not default to the US and instead uses the closes geographic edge servers #160
  • Ingress Class has Default set to false #109

Added

  • Allow controller name to be configured to support multiple ngrok ingress classes #159
  • Allow the controller to be configured to only watch a single namespace #157
  • Pass key/value pairs to helm that get added as json string metadata in ngrok api resources #156
  • merge all ingress objects into a single store to derive Edges. #129, #10, #131, #137
  • Minimum TLS Version Route Module #125
  • Webhook Verification Route Module #122
  • Add/Remove Header Route Module #121
  • Add IP Policy CRD and IP Policy Route Module #120
  • Load certs from the directory "/etc/ssl/certs/ngrok/" for ngrok-go if present #111

Fixed

  • Fix bug from Driver and Store refactor so ingress status has CNAME Targets for custom domains updated correctly #162
  • Reduce domain controller reconcile counts by not updating domains if they didn’t change #140
  • Remove routes from remote API when they are removed from the ingress object #124

0.3.0

Changed

  • Renamed docker image from ngrok/ngrok-ingress-controller to ngrok/kubernetes-ingress-controller.
  • Added new controllers for domains, tcpedges, and httpsedges.
  • Updated go dependencies
  • Moved main.go to root of project to match what kubebuilder expects.
  • Updated Makefile to match what kubebuilder currently outputs.
  • Created serverAddr flag and plumbed it through to ngrok-go
  • Read environment variable NGROK_API_ADDR for an override to the ngrok API address.

0.2.0

Changed

  • Moved from calling ngrok-agent sidecar to using the ngrok-go library in process.

0.1.X

Initial Alpha Releases

The ngrok ingress controller is currently in alpha. Releases will have varying features with breaking changes.