v2.2.0 Breaking Changes
ManagedClusters ManagedClusterServicePrincipalProfile.Secret field is now marked as a SecretReference
We always try to avoid breaking changes, but in this case, allowing raw passwords in the spec is a security problem and as such we’ve decided to make a break to correct this issue.
Action required: If the ContainerService/ManagedClusters
resource is used in your cluster and the ManagedClusterServicePrincipalProfile.Secret
property is set, do the following before upgrading ASO:
- Annotate the resource with
serviceoperator.azure.com/reconcile-policy: skip
to prevent ASO from trying to reconcile the resource while you are upgrading. - Download the current YAML for the resource using
kubectl
if you don’t have it elsewhere. - Create a kubernetes secret containing the value for
ManagedClusterServicePrincipalProfile.Secret
. - Edit downloaded YAML in step 2, and add a secret key and name reference. Example here.
- Delete the resource from your cluster using
kubectl delete
. Your Azure resource will be left untouched because of thereconcile-policy
annotation you added above. - Upgrade ASO in your cluster.
- Apply the updated YAML to your cluster using
kubectl apply
. If any errors occur, address them. - If the
reconcile-policy
annotation is still present, remove it from the resource.
Removed un-used Status properties
These fields are never returned from the service and end up being an empty string always. The changes here do not affect the users, hence no action is required.
-
MachineLearningServices:
- UserAccountCredentials_STATUS.AdminUserPassword
- UserAccountCredentials_STATUS.AdminUserSshPublicKey
- VirtualMachineSshCredentials_STATUS.Password
-
Synapse:
- Workspace_STATUS.SqlAdministratorLoginPassword