Releases: defenseunicorns/uds-core
v0.63.0
0.63.0 (2026-03-10)
Release Notes
This release focuses on uptime observability improvements, adds a new crds functional layer used to create "pre-core exemptions" for pre-requisite infrastructure components, updates DoD CA Certs, and routine dependency/doc updates.
Features
- Added built-in core uptime recording rules and a new Core Uptime dashboard for out-of-the-box visibility into UDS Core component availability. Existing probe uptime reporting remains available as the Probe Uptime dashboard. See Documentation.
- Added a standalone crds functional layer for installation of UDS CRDs (Package, Exemption, ClusterConfig) before core-base, which enables creation of pre-core exemptions for prerequisite infrastructure components. See Documentation.
Fixes
- Improved synchronization of Istio-derived CRD schema fields with upstream definitions to reduce schema drift and improve validation accuracy for related UDS configurations.
Dependency Updates
- Grafana 12.3.3 -> 12.4.0
- Grafana Helm chart source/version 10.5.15 -> 11.3.0 (minimum supported Kubernetes version changes from 1.8 to 1.25, upstream chart moved to grafana-community chart repo)
- Keycloak 26.5.3 -> 26.5.5 (Registry1 image changed from keycloak:26.5.3 -> keycloak-fips:26.5.5-fips)
- Loki 3.6.5 -> 3.6.7
- Pepr 1.1.0 -> 1.1.2
- Prometheus 3.9.1 -> 3.10.0
- UDS Identity Config updated to v0.24.0
- Updates DoD CA Certs to External PKI v11.5
Additional support and development dependencies were also updated as part of this release.
Documentation
- Added documentation on the use of CRL checking and revocation in airgapped environments. See [Documentation](https://github.com/defenseunicorns/uds-core/blob/main/docs/reference/configuration/single-sign-on/keycloak-crl-airgap.md).
- 🚧 As part of an ongoing effort to improve documentation, numerous changes were made to further improve clarity and usability.
Beyond this, there are a few smaller CI and internal maintenance updates. Please see the git comparison for the full list of changes, and open GitHub issue(s) if you encounter problems using this release.
snapshot-latest
What's Changed
- chore: add gen-crds task for istio by @mjnagel in #2413
- fix: pull advancedHttp schema from istio upstream by @mjnagel in #2412
- chore(deps): update loki to v3.6.7 by @renovate[bot] in #2391
- chore(deps): bump minimatch from 3.1.2 to 3.1.5 by @dependabot[bot] in #2416
- chore(deps): update prometheus-stack by @renovate[bot] in #2396
- chore(deps): update keycloak to v26.5.4 by @renovate[bot] in #2399
- chore: add stubbed out new docs site by @joelmccoy in #2415
- chore: add new docs overview section by @joelmccoy in #2421
- chore(deps): update support-deps by @renovate[bot] in #2403
- chore(deps-dev): bump rollup from 4.52.5 to 4.59.0 in /test/vitest by @dependabot[bot] in #2417
- chore: add getting-started new docs by @joelmccoy in #2422
- chore(deps): bump rollup from 4.56.0 to 4.59.0 by @dependabot[bot] in #2424
- chore(docs): add uds-core concepts section to docs site by @joelmccoy in #2423
- chore(deps): update pepr to v1.1.2 by @renovate[bot] in #2401
- chore(docs): add concepts/platform section to new docs site by @joelmccoy in #2427
- chore(deps): update support-deps by @renovate[bot] in #2425
- chore(ci): split lightweight setup-tools action from setup action by @joelmccoy in #2430
- chore(docs): add concepts/configuration-and-packaging to new docs site by @joelmccoy in #2431
- feat: release standalone crd layer for pre-core exemptions by @mjnagel in #2429
- chore(docs): document airgapped certificate revocation check process by @chance-coleman in #2404
- chore(deps-dev): bump rollup from 4.53.2 to 4.59.0 in /scripts/root-ca-retriever by @dependabot[bot] in #2436
- chore: update DoD ca certs by @mjnagel in #2438
- chore(docs): add how-to guides for ha/resources on new docs site by @joelmccoy in #2433
- chore(deps): update uds-identity-config v0.24.0 by @chance-coleman in #2439
- chore(deps): update grafana to v12.4.0 by @renovate[bot] in #2406
- chore(deps): update support-deps by @renovate[bot] in #2435
- chore(deps): update iac-support-deps by @renovate[bot] in #2408
- chore: update to grafana 11.3.0 chart, community repo by @mjnagel in #2444
Full Changelog: v0.62.0...snapshot-latest
v0.62.0
0.62.0 (2026-02-24)
Release Notes
This release includes new features, fixes, dependency updates, and updated documentation.
Features
- Add uptime probe support for authservice enabled applications (see documentation)
- Enable UDS package uptime probes via blackbox exporter (see documentation)
- Falco rule overrides (see documentation)
Fixes
- Clean up stale network authpolicies when default meshmode changes
- Allow access and distribution requirements in classification banner
Dependency Updates
- AlertManager 0.31.0 -> 0.31.1
- Falco 0.42.1 -> 0.43.0
- Falco chart 7.0.2 -> 8.0.0 (see deprecations)
- Grafana 12.3.2 -> 12.3.3
- Keycloak 26.5.2 -> 26.5.3
- Loki 3.6.4 -> 3.6.5
- Pepr 1.0.8 -> 1.1.0
- Prometheus Blackbox Exporter 11.7.0 -> 11.8.0
- Prometheus Operator 0.88.0 -> 0.89.0
Documentation
- Adjust wording/app list for private CA configuration
- Update grafana role attribute path in SSO overview
- Use latest tag in README
Beyond this, there are a few smaller dependency updates and CI support dependency changes. Please see the git comparison for the full list of changes and open GitHub issue(s) if you encounter problems using this release.
v0.61.1
Release Notes
This release includes:
- A backported bug fix addressing an edge case introduced when the default service mesh mode changed from sidecar to ambient (#2368)
- A revert of a breaking change that blocked redirectUris with wildcard paths (#2365)
We recommend you skip v0.61.0 and upgrade directly to v0.61.1.
0.61.1 (2026-02-12)
Bug Fixes
v0.60.2
Release Notes
This release includes a backported bug fix addressing an edge case introduced when the default service mesh mode changed from sidecar to ambient.
If you were running an Authservice-enabled application while upgrading to UDS Core >0.60.0 and did not explicitly set network.serviceMesh.mode, stale AuthorizationPolicies were not properly cleaned up. In some cases, this resulted in blocked access to the application.
This issue has been resolved in this release.
0.60.2 (2026-02-12)
Bug Fixes
v0.61.0
0.61.0 (2026-02-10)
Release Notes
This release introduces Blackbox Exporter to the monitoring layer, improved Keycloak availability, and delivers a set of dependency updates across the stack.
Features
- Added Blackbox Exporter to UDS Core's monitoring layer
  - This is an optional component at this time, see docs here
- Improved Keycloak availability
- Added UDS Trust Bundle to all external facing UDS Core applications, see docs here
- Package validation to restrict the use of root and wildcard paths in redirectUris for Authservice protected apps, see docs here
Dependency Updates
- Grafana 12.3.1 -> 12.3.2
- Keycloak 26.5.1 -> 26.5.2
- Loki 3.6.3 -> 3.6.4
- K8s-Sidecar 2.4.0 -> 2.5.0
- Metrics-Server 0.8.0 -> 0.8.1
- Pepr 1.0.4 -> 1.0.8
- Vector 0.52.0 -> 0.53.0
v0.60.1
v0.60.0
0.60.0 (2026-01-29)
Known Issues
Packages with an unset spec.network.serviceMesh.mode requesting Authservice protection will not properly protect workloads/handle routing due to incorrect handling by the operator. As a workaround, explicitly selecting the expected mode (ambient or sidecar) will restore functionality. This issue is being resolved in #2326 and will be released in a 0.60.1 patch. Be aware of the slightly different constraints around Authservice protection in ambient mode (caution note in docs); you may need to adjust some selectors when switching between modes.
Release Notes
This release includes the usual mix of features, fixes, and dependency updates. This also includes a single breaking change and some deprecations of config.
⚠ BREAKING CHANGES
The default Istio service mesh mode for Packages is now ambient. If your Package custom resource does not explicitly set spec.network.serviceMesh.mode, it will automatically be switched to ambient when you upgrade. The sidecar mode remains as an option, but it must be explicitly set in your Package. Be aware of the slightly different constraints around Authservice protection in ambient mode (caution note in docs); you may need to adjust some selectors when switching between modes.
Features
- New method for deploying Exemptions as part of your UDS Core install, supporting pre-core workloads or configurations like nodeports for Istio gateways (see docs)
- The Package SSO secret fields have been renamed/regrouped, see PR and deprecation table for examples
- Keycloak’s logout confirmation has been implemented for all clients by default (see docs for opting out and enabling this on the account consoles)
- Istio and Authservice have been updated to use the common trust bundle, ensuring that they trust the same CAs as other pods in cluster (ex: DoD CAs if configured in ClusterConfig)
We’ve also created and documented a deprecation policy and are now tracking all deprecations in a common doc. It is recommended to review and see if you’re using any deprecated configuration in your deployment.
Dependency Updates:
- Istio 1.28.1 → 1.28.3
- Keycloak 26.5.0 → 26.5.1
- Identity-config 0.22.0 → 0.23.0
- Prometheus 3.8.1 → 3.9.1
- Alertmanager 0.30.0 → 0.30.1
- Velero 1.17.1 → 1.17.2 (plugins 1.13.1 → 1.13.2)
v0.59.1
v0.59.0
0.59.0 (2026-01-13)
Known Issues
In testing we have noticed a race condition with Grafana loading datasources from configmaps (tracked upstream here). This issue affects different flavors of core and environments differently so you may not notice it in your deployment. This issue has been fixed in #2266 (merged to main) and will be released in a 0.59.1 patch.
Release Notes
This release introduces a new centralized ambient egress feature, documentation updates, and delivers a set of dependency updates across the stack.
Features
- Centralized Ambient Egress Per Host
  - Ambient egress now uses a centralized per-host ServiceEntry and AuthorizationPolicy model, unifying identity resolution across packages, preventing transient allow states, and automatically purging stale resources for safer, more predictable behavior.
- Updated Egress docs
- Updated Pepr Logging
  - Now uses ISO Timestamps
  - Redacts CA cert values
Dependency Updates
- Grafana 12.3.1
- k8s-sidecar 2.2.3
- Keycloak 26.5.0
- Authservice 1.1.5
- loki 3.6.3
- Pepr 1.0.4
- Alertmanager 0.30.0
- Prometheus 3.8.1
- Vector 0.52.0
Beyond these highlights, this release includes additional maintenance updates, CI stability updates, and other internal improvements.