v2.10.0

2.10.0 (November 12, 2025)

NOTES:

• RunsCollector: Add new Prometheus-compatible metrics hcp_tf_runs and hcp_tf_runs_total to collect pending runs by status and the total number of pending runs, respectively. These metrics are in the alpha stage and subject to change. [GH-637]

BUG FIXES:

• Workspace: Fix an issue where sensitive Terraform or Environment variables are not updated when their sensitivity changes. [GH-629]
• AgentPool: Exclude runs awaiting user interaction from scaling to prevent agents from being kept unnecessarily active. [GH-618]
• AgentPool: Fix version parsing for Terraform Enterprise version format changes. [GH-641]

FEATURES:

• RunsCollector: Introduce a new controller that scrapes HCP Terraform run statuses from a specified Agent Pool and exposes them as Prometheus-compatible metrics. [GH-637]
• AgentToken: Introduce a new controller that manages tokens in arbitrary agent pools. [GH-628]

ENHANCEMENTS:

• Controllers: Add a new annotation, app.terraform.io/paused, to pause reconciliation for a specific CR. [GH-631]
• AgentPool: Update Kubernetes Secret synchronization to perform batch updates at the end of agent token reconciliation, reducing API calls and preventing race conditions. [GH-650]

DEPENDENCIES:

• Bump kube-rbac-proxy from 0.19.1 to 0.20.0. [GH-640]
• Bump k8s.io/api from 0.32.3 to 0.34.1. [GH-643]
• Bump k8s.io/apimachinery from 0.32.3 to 0.34.1. [GH-643]
• Bump github.com/hashicorp/go-slug from 0.16.4 to 0.16.7. [GH-644]
• Bump github.com/hashicorp/go-tfe from 1.76.0 to 1.93.0. [GH-644]
• Bump k8s.io/client-go from 0.32.3 to 0.34.1. [GH-643]
• Bump sigs.k8s.io/controller-runtime from 0.20.4 to 0.22.4. [GH-643]

Community Contributors 🙌

• @AleksaC made their contribution in #617
• @jrindy-iterable made their contribution in #618
• @nhomble made their contribution in #627

v2.9.2

2.9.2 (May 28, 2025)

BUG FIXES:

• Fix an issue where the agent can be terminated while it still has an active run during the post-plan or post-apply stage, such as, but not limited to, Sentinel policy evaluation. [GH-610]

Community Contributors 🙌

• @munnep identified and successfully reproduced the issue. Great work tracking it down! #610

v2.9.1

2.9.1 (May 14, 2025)

BUG FIXES:

• Fixed an issue where the operator could not connect to the HCP Terraform / TFE instance when using the UBI-based image due to a TLS validation error. The previous workaround required setting the TFC_TLS_SKIP_VERIFY environment variable to true in the Deployment. [GH-600]

ENHANCEMENTS:

• Helm Chart: Add the ability to configure environment variables for the Operator Deployment via operator.env. [GH-601]

DEPENDENCIES:

• Bump kube-rbac-proxy from 0.19.0 to 0.19.1. [GH-599]

v2.9.0

2.9.0 (April 24, 2025)

BREAKING CHANGES:

• AgentPool: The new field, spec.deletionPolicy, is set to retain by default, which changes the previous default controller behavior when resources are deleted. The previous behavior corresponded to the destroy deletion policy value. This change is considered safer in cases of accidental resource deletion, planned migration, or other scenarios involving the deletion of a custom resource. [GH-584]
• Projects: The new field, spec.deletionPolicy is set to retain by default, which changes the previous default controller when projects are deleted. The previous behavior corresponded to the soft deletion policy. This change takes into account migration and overall better management of resources. [GH-569]

NOTES:

• AgentPool: The field spec.autoscaling.targetWorkspaces is deprecated and will be removed in a future release. The motivation behind this change is that the field does not guarantee newly provisioned agents will pick up runs only for the listed workspaces. Additionally, using this field could lead to situations where agents are not scaled to process runs for unlisted workspaces. [GH-561]
• Module: The field spec.destroyOnDeletion is deprecated and will be removed in a future release. This change is motivated by the introduction of a new field, spec.deletionPolicy, which aligns with the approach the operator uses across all other controllers. The default value of spec.deletionPolicy is retain, which replaces the default value false of spec.destroyOnDeletion. The corresponding value true of spec.destroyOnDeletion is replaced with destroy in spec.deletionPolicy. [GH-582]
• The AgentPool CRD has been changed. Please follow the Helm chart instructions on how to upgrade it. [GH-494]
• The Module CRD has been changed. Please follow the Helm chart instructions on how to upgrade it. [GH-582]
• The Project CRD has been changed. Please follow the Helm chart instructions on how to upgrade it. [GH-569]
• The Workspace CRD has been changed. Please follow the Helm chart instructions on how to upgrade it. [GH-558]

BUG FIXES:

• AgentPool: Add a new scaling algorithm that accounts for speculative plans when calculating pending runs. This algorithm is compatible with HCP Terraform and TFE v202409-1 and later. [GH-561]
• AgentPool: Fix an issue where, in some circumstances, a newly created CR with the autoscaling feature enabled does not update its status while handling runs. [GH-580]

FEATURES:

• AgentPool: Add a new field, spec.deletionPolicy, that specifies the behavior of the custom resource and its associated agent pool when the custom resource is deleted. [GH-584]
• Module: Add a new field spec.deletionPolicy, that specifies the behavior of a custom resource and its associated module when the custom resource is deleted. This field aims to replace spec.destroyOnDeletion. [GH-582]
• Project: Add a new field, spec.deletionPolicy, that specifies the behavior of a custom resource and its associated project when the custom resource is deleted. [GH-569]

ENHANCEMENTS:

• Workspace: Add the ability to enable auto apply for run triggers via a new optional field spec.applyRunTrigger. This feature is available in HCP Terraform and Terraform Enterprise starting with version v202401-1. [GH-558]
• Workspace: Add new fields, spec.versionControl.enableFileTriggers, spec.versionControl.triggerPatterns and spec.versionControl.triggerPrefixes, which specify whether a new run should be triggered when files in the specified paths change in the connected repository. [GH-496] [GH-578]

DEPENDENCIES:

• Bump k8s.io/api from 0.31.6 to 0.32.3. [GH-586] [GH-587]
• Bump k8s.io/apimachinery from 0.31.6 to 0.32.3. [GH-586] [GH-587]
• Bump k8s.io/client-go from 0.31.6 to 0.32.3. [GH-586] [GH-587]
• Bump sigs.k8s.io/controller-runtime from 0.19.7 to 0.20.4. [GH-586]

Community Contributors 🙌

• @baptman21 made their contribution in #496

v2.8.1

2.8.1 (March 12, 2025)

ENHANCEMENTS:

• Workspace: Add support for attaching variable sets to a workspace referenced by its name. [GH-570]

DEPENDENCIES:

• Bump kube-rbac-proxy from 0.18.2 to 0.19.0. [GH-560]
• Bump github.com/hashicorp/go-tfe from 1.71.0 to 1.76.0. [GH-566]
• Bump github.com/hashicorp/go-slug from 0.16.3 to 0.16.4. [GH-566]
• Bump k8s.io/api from 0.31.3 to 0.31.6. [GH-571]
• Bump k8s.io/apimachinery from 0.31.3 to 0.31.6. [GH-571]
• Bump k8s.io/client-go from 0.31.3 to 0.31.6. [GH-571]
• Bump sigs.k8s.io/controller-runtimeg from 0.19.2 to 0.19.7. [GH-571]

v2.8.0

2.8.0 (February 10, 2025)

NOTES:

• The Workspace CRD has been changed. Please follow the Helm chart instructions on how to upgrade it. [GH-497]

ENHANCEMENTS:

• Workspace: Add the ability to attach variable sets to a workspace via a new optional field spec.variableSets. [GH-497]

DEPENDENCIES:

• Bump github.com/hashicorp/go-slug from 0.16.1 to 0.16.3. [GH-549]

v2.7.1

2.7.1 (December 04, 2024)

BREAKING CHANGES:

• Helm Chart: The customCAcertificates value has been replaced to accept a base64-encoded CA bundle instead of a file path. This change aims to simplify the installation/upgrade workflow. [GH-516]

NOTES:

• Helm Chart: The default value of operator.syncPeriod has changed from 5 minutes to 1 hour to reduce unnecessary reconciliation. [GH-512]

BUG FIXES:

• Workspace: Fix an issue where spec.agentPool can be set even when spec.executionMode is not set to agent. [GH-504]
• Helm Chart: Fix an issue that prevented custom CA certificates from being attached to the pod volume. The customCAcertificates value now refers to a base64-encoded CRT bundle instead of a file path. [GH-516]

ENHANCEMENTS:

• Helm Chart: Add the ability to configure affinity and tolerations for the Deployment of the operator. [GH-495]
• Helm Chart: Add the ability to configure additional labels for the Operator pod. [GH-522]

DEPENDENCIES:

• Bump kube-rbac-proxy from 0.18.0 to 0.18.2. [GH-514] [GH-531]
• Bump github.com/hashicorp/go-tfe from 1.62.0 to 1.71.0. [GH-508] [GH-532]
• Bump github.com/hashicorp/go-slug from 0.15.2 to 0.16.1. [GH-508] [GH-519]
• Bump k8s.io/api from 0.30.3 to 0.31.3. [GH-525] [GH-527]
• Bump k8s.io/apimachinery from 0.30.3 to 0.31.3. [GH-525] [GH-526]
• Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.2. [GH-525]
• Bump k8s.io/client-go from 0.30.3 to 0.31.3. [GH-525] [GH-527]

Community Contributors 🙌

• @baptman21 made their contribution in #495
• @mlflr made their contribution in #522

v2.7.0

2.7.0 (October 24, 2024)

BREAKING CHANGES:

• Workspace: The new field, spec.deletionPolicy, is set to retain by default, which changes the previous default controller behavior when resources are deleted. The previous behavior corresponded to the force deletion policy value. This change is considered safer in cases of accidental resource deletion, planned migration, or other scenarios involving the deletion of a custom resource. [GH-470]

NOTES:

• The AgentPool CRD has been changed. Please follow the Helm chart instructions on how to upgrade it. [GH-494]
• The Workspace CRD has been changed. Please follow the Helm chart instructions on how to upgrade it. [GH-470] [GH-478] [GH-481]

FEATURES:

• Helm Chart: Add a new value called controllers.project.syncPeriod to set the CLI option --project-sync-period. [GH-479]
• Helm Chart: Add a new value called controllers.module.syncPeriod to set the CLI option --module-sync-period. [GH-480]
• Module: Add a new CLI option called --module-sync-period to set the time interval for re-queuing Module resources once they are successfully reconciled. [GH-480]
• Project: Add a new CLI option called --project-sync-period to set the time interval for re-queuing Project resources once they are successfully reconciled. [GH-479]
• Workspace: Add a new field, spec.deletionPolicy, that specifies the behavior of the custom resource and its associated workspace when the custom resource is deleted. [GH-470]
• Workspace: Add the destroy deletion policy. The spec.allowDestroyPlan must be set to true for the controller to execute a destroy run. [GH-489]

ENHANCEMENTS:

• Helm Chart: Add the ability to configure the creation of the RBAC role and role binding. [GH-491]
• AgentPool: Update agent token reconciliation logic to reduce the number of API calls. [GH-487]
• AgentPool: Add the ability to configure labels and annotations for agent deployments. [GH-494]
• Module: Update reconciliation logic to proceed to the next step immediately after the configuration version is uploaded successfully and reduce delays in output fetching. [GH-482]
• Workspace: Update Notifications reconciliation logic to reduce the number of API calls. [GH-477]
• Workspace: Update SSH key reconciliation logic to reduce the number of API calls. [GH-478]
• Workspace: Update the default project ID reconciliation logic to avoid making an API call each time a workspace object is updated. [GH-481]

DEPENDENCIES:

• Bump k8s.io/api from 0.29.4 to 0.30.3. [GH-452] [GH-466]
• Bump k8s.io/apimachinery from 0.29.4 to 0.30.3. [GH-452] [GH-456]
• Bump k8s.io/client-go from 0.29.4 to 0.30.3. [GH-452] [GH-466]
• Bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.18.4. [GH-452]

Community Contributors 🙌

• @domino-sbr1 made their contribution in #491

v2.6.1

2.6.1 (August 07, 2024)

BUG FIXES:

• Workspace: Fix an issue where the controller fails to update CR Status when CR gets modified during the reconciliation. [GH-457]
• Workspace: Fix an issue where, in some circumstances, the controller cannot properly handle the deletion event. [GH-460]

ENHANCEMENTS:

• Helm Chart: Add the ability to configure the Deployment priority class. [GH-451]

Community Contributors 🙌

• @vadim-kubasov made their contribution in #451

v2.6.0

2.6.0 (July 30, 2024)

NOTES:

• The AgentPool CRD has been changed. Please follow the Helm chart instructions on how to upgrade it. [GH-441]

BUG FIXES:

• Project: Fix an issue where calls to paginated API endpoints were only fetching the first page of results. [GH-426]
• AgentPool: Fix an issue where calls to paginated API endpoints were only fetching the first page of results. [GH-426]
• Workspace: Fix an issue where calls to paginated API endpoints were only fetching the first page of results. [GH-426]

ENHANCEMENTS:

• Helm Chart: Add the ability to configure the service account. [GH-431]
• AgentPool: Add the ability to configure scale-up and scale-down autoscaling times separately via the cooldown.scaleUpSeconds and cooldown.scaleDownSeconds attributes, respectively. [GH-441]

DEPENDENCIES:

• Bump github.com/hashicorp/go-slug from 0.15.0 to 0.15.2. [GH-435]
• Bump github.com/onsi/ginkgo/v2 from 2.16.0 to 2.19.0. [GH-415]
• Bump github.com/onsi/gomega from 1.31.1 to 1.33.1. [GH-415]

Community Contributors 🙌

• @frgray made their contribution in #431
• @jtdoepke made their contribution in #426
• @omelnyk1 for sharing his Helm expertise and valuable feedback 🚀