Release notes for Virtual Private Cloud on-premises

Learn about new features, improvements, and changes in each release of Virtual Private Cloud On-Premises

Version 0.12.0 — April 30, 2026

Improvements

Hardened UVCS container security

The uvcs (previously Plastic SCM) StatefulSet now runs as a non-root user (UID 1000) with a hardened security context. This disables privilege escalation, drops all Linux capabilities, and enforces the RuntimeDefault seccomp profile. This change lets you deploy in clusters that enforce strict Pod Security Standards or Kyverno policies that forbid runAsUser: 0.
Action required before you upgrade existing deployments
  1. Plan a maintenance window. On the first uvcs pod restart after the upgrade, Kubernetes recursively changes ownership of the uvcs persistent volume (/jet) to GID 1000 through fsGroupChangePolicy: OnRootMismatch. For large repositories, this operation can take several minutes, during which the uvcs pod is unavailable.
  2. Validate that your CSI driver applies fsGroup correctly.
  3. Verify the upgrade. After the upgrade completes, confirm the new security context:
    • kubectl exec uvcs-0 -c uvcs -- id returns uid=1000 gid=1000.
    • kubectl exec uvcs-0 -c uvcs -- ls -ld /jet shows group 1000 and no permission errors.
    • kubectl logs uvcs-0 -c uvcs shows the entrypoint creating symlinks under /opt/plasticscm5/server without errors and plasticd binding :8087.
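The runtime checks in step 3 can be complemented by auditing the pod specification itself. The following is an added example, not part of the release package or the vpctl tooling: it checks a pod object for the settings this release note names, using the standard Kubernetes securityContext field names. The function name audit_pod, the placement of fields at pod or container level, and both sample objects are assumptions constructed for illustration.

```python
import json
import sys

UID, GID = 1000, 1000  # values stated in the 0.12.0 release note

def effective(container_sc, pod_sc, key):
    """Container-level securityContext fields override pod-level ones."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)

def audit_pod(pod, container_name="uvcs"):
    """Return a list of deviations from the hardened context (empty = pass)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    container = next((c for c in spec.get("containers", [])
                      if c.get("name") == container_name), None)
    if container is None:
        return [f"container {container_name!r} not found"]
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    seccomp = effective(sc, pod_sc, "seccompProfile") or {}
    drops_all = "ALL" in {c.upper() for c in caps.get("drop") or []}
    checks = [  # (setting, value found, value expected)
        ("runAsUser", effective(sc, pod_sc, "runAsUser"), UID),
        ("allowPrivilegeEscalation", sc.get("allowPrivilegeEscalation"), False),
        ("capabilities.drop contains ALL", drops_all, True),
        ("capabilities.add", caps.get("add") or [], []),
        ("seccompProfile.type", seccomp.get("type"), "RuntimeDefault"),
        ("fsGroup", pod_sc.get("fsGroup"), GID),  # fsGroup is pod-level only
        ("fsGroupChangePolicy", pod_sc.get("fsGroupChangePolicy"), "OnRootMismatch"),
    ]
    return [f"{name}: expected {want!r}, found {got!r}"
            for name, got, want in checks if got != want]

# Constructed sample objects (not taken from a real cluster or from the chart).
HARDENED = {"spec": {
    "securityContext": {"fsGroup": 1000, "fsGroupChangePolicy": "OnRootMismatch",
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "uvcs", "securityContext": {
        "runAsUser": 1000, "runAsNonRoot": True, "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}]}}
LEGACY = {"spec": {"containers": [
    {"name": "uvcs", "securityContext": {"runAsUser": 0}}]}}

if __name__ == "__main__":
    # Reads a pod object as JSON from stdin; falls back to the constructed sample.
    pod = HARDENED if sys.stdin.isatty() else json.load(sys.stdin)
    problems = audit_pod(pod)
    print("\n".join(problems) or "hardened security context confirmed")
    sys.exit(1 if problems else 0)
```

To audit a live deployment, pipe the output of kubectl get pod uvcs-0 -o json into the script; a non-zero exit status lists each deviation.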

Version 0.11.0 — April 24, 2026

New features

Helm chart sourcing (preview)

The new deployment.helmChartMode manifest setting lets you choose how Helm charts are delivered:
  • local (default): the process installs charts from the release package. This is the safest option for existing deployments and for air-gapped environments.
  • remote: the process pulls charts from an OCI Helm registry at deployment time.
The remote mode and the matching vpctl artifact sync charts command are available as a preview in this release. Not all charts are published to the Unity OCI Helm registry yet, so a fully remote-only deployment isn't supported. For production deployments, continue to use the default local mode.

Default monitoring alerts

The Prometheus monitoring stack now ships with a curated set of cluster and workload alerting rules out of the box. You no longer need to assemble these rules manually before going to production.

Hardened container variant for the upc-job image

The upc-job image now ships in a hardened variant, which is built on a minimal base image with a reduced attack surface for stricter security baselines.

Improvements

  • Higher default resource allocations: MongoDB, mini-usf, and public-api now request more CPU and memory by default, which reduces the need for manual tuning to reach production-level performance.
  • Idempotent onboarding: the upc-onboarding job is now safe to rerun. The job no longer fails or duplicates resources if you retrigger it after a partial deployment.
  • More resilient RabbitMQ scheduling: RabbitMQ pods now schedule successfully on clusters that don't expose availability zone labels.
  • Reliable Keycloak tokens: Keycloak-issued tokens now include the sub and auth_time claims required by downstream services. This fixes a regression introduced by Keycloak 26's stricter scope handling.
  • Mini-usf routing fixes: legacy admin routes and the groups routes are now matched correctly, including the right middlewares and permissions for the global admin role.
  • Quieter object storage logs: RustFS no longer floods the log volume at default verbosity. The default log level is now error, which prevents disk pressure on the log PVC.
  • Organization management connectivity: the organization-management service now reads the correct RabbitMQ consumer queue setting and starts cleanly.

Version 0.10.0 — March 20, 2026

New features

Official Keycloak 26 image

The identity stack now runs the official Keycloak 26 image through the new keycloak-standalone chart, replacing the previous Bitnami-based Keycloak distribution. This change brings access to upstream Keycloak features and a faster security update cadence. If you previously customized the Bitnami Keycloak chart, review your manifest before upgrading.

Automation app scheduling

A new uc-scheduler-runner image powers scheduled jobs for automation apps such as Asset Manager and Pixyz. Scheduling now runs as part of the deployment without additional manual setup.

Improvements

  • The fallback namespace used for automation resource isolation (UCAUTOMATION_ResourceIsolationOptions__FallbackNamespace) now follows the namespace defined in your manifest instead of being hardcoded. Multi-namespace deployments work without code changes.

Version 0.9.0 — March 17, 2026

New features

Automation app management

Automation apps such as Asset Manager and Pixyz are now automatically registered during deployment. A post-deployment job handles app registration, removing the need for manual setup.

Version 0.8.0 — March 13, 2026

New features

Log storage configuration

You can now control the persistent volume size for log storage independently from data storage for the object storage component. Sizing profile defaults range from 1 GiB (small) to 10 GiB (large), and you can override the value per component.

Transformation parallelism control

A new configuration.transformations.parallelism manifest field lets you set the maximum number of concurrent transformation workflows. The default value is 20.

Improvements

  • Deployment validation now enforces that the store encryption key is exactly 32 characters, catching misconfigured keys before they cause runtime errors.

Breaking change

The configuration.licensing section, including FlexLM and sdkLicenses settings, has been removed. Built-in transformation workflows are now always enabled, and their concurrency is controlled through the new configuration.transformations.parallelism manifest field. Remove any licensing configuration from your manifest before upgrading.

Version 0.7.0 — March 3, 2026

New features

CLI version compatibility checks

The release package now declares the minimum required vpctl version. The vpctl release generate and vpctl secret generate commands check this requirement before running and block execution if the CLI version is too old. This prevents silent misconfigurations from manifest schema changes.

Improvements

Object storage distributed mode

Object storage now runs in distributed mode by default, improving data durability and availability.

Version 0.6.0 — February 23, 2026

New features

Infrastructure sizing profiles

You can now control the CPU, memory, and storage allocations for the following infrastructure components directly from the manifest: MongoDB, PostgreSQL, RabbitMQ, object storage, and Elasticsearch. Choose from three named sizing profiles: small, medium, or large. Alternatively, override the resources for individual components to match your workload.

Improved container image management

All infrastructure images, including Istio and Percona MongoDB backup images, are now sourced from your private container registry instead of public registries. This method improves reliability and security in air-gapped or restricted network environments.

Breaking change

Support for the custom Pixyz scripts has been removed. If you previously used the automation.customPixyzScript manifest configuration, remove it from your manifest before upgrading.

Version 0.5.0 — February 17, 2026

New features

Centralized log collection

Log collection is now available through Loki and Alloy. Enable it in your manifest with the monitoring.logCollection.enabled option to aggregate logs from all services in your deployment.

Improvements

Automated MongoDB backups

Percona MongoDB now automatically backs up data to RustFS S3-compatible storage, improving data durability without requiring manual backup configuration.

Version 0.4.0 — February 12, 2026

New features

Istio service mesh support

You can now enable Istio with ambient mode for service-to-service traffic management and observability. Configure Istio in your manifest under configuration.networking.serviceMesh.istio.

SDK license management

A new sdkLicenses setting in the manifest licensing section lets you specify how many Pixyz SDK licenses are available. This setting controls the maximum number of concurrent transformation workflows.

Improvements

  • Improved container image handling for workflow execution
  • Improved object storage reliability with automated bucket creation during deployment

Version 0.3.0 — January 28, 2026

New features

Full application suite

This release adds the complete set of application services, including:
  • Asset Manager: full asset management with storage, collaboration, and search
  • Automations and workflows: pipeline automation with Argo Workflows
  • Identity and access management: Keycloak for authentication and role-based access control
  • Notifications: event notifications through Novu
  • Ingress: Traefik as the ingress controller and load balancer

Version 0.2.0 — December 8, 2025

New features

Core infrastructure services

This release adds the foundational infrastructure layer, including:
  • Databases: PostgreSQL (via PG Operator) and Elasticsearch for relational data and search
  • Caching: Valkey for in-memory data storage
  • Messaging: RabbitMQ for asynchronous communication
  • Asset services: storage abstraction, collaboration, authoring, bulk operations, and catalog management

Version 0.1.0 — November 28, 2025

New features

First release of Unity Virtual Private Cloud On-Premises.