
Release notes for Virtual Private Cloud on-premises

Learn about new features, improvements, and changes in each release of Virtual Private Cloud On-Premises

Version 0.13.0 — May 12, 2026

New features

Garage object storage replaces RustFS

The on-premises deployment now uses Garage as the S3-compatible object store, replacing RustFS. Garage runs as a 3-node distributed cluster (replicationFactor: 3) in all sizing profiles by default, and it stores Argo workflow artifacts and Percona MongoDB scheduled backups in its argo-artifacts and psmdb-backups buckets.
Use the new configuration.infrastructure.components.garage manifest field to configure Garage. The available settings are resources (standard CPU and memory requests and limits), metaStorage, dataStorage, replicas, and replicationFactor (capped at 3).
Requirements:
  • vpctl 0.10.0 or later.
  • At least 3 schedulable nodes in the general workloads pool. MongoDB and RabbitMQ already require this minimum because they spread their three replicas across distinct nodes by using podAntiAffinity. Garage uses the same model.
For the upgrade procedure and data preservation paths, refer to the Breaking change section that follows.

Customer-supplied CA bundle for internally-signed TLS

A new configuration.networking.trustedCaSecretName manifest field lets you mount your CA chain into the Argo workflow containers, the StorageTool, and all asset-manager-* Pixyz workflow templates. Use it when your Asset Manager ingress presents a TLS certificate signed by a private CA, such as a DoD PKI or an internal corporate CA, instead of a publicly trusted CA.
Reference a pre-existing Kubernetes Secret that holds a PEM-encoded CA bundle under the single key ca-bundle.crt:
  configuration:
    networking:
      trustedCaSecretName: my-ca-bundle
The .NET workflow containers and the Pixyz workflow templates pick up the bundle when they start.
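A preflight for the CA bundle before it becomes the ca-bundle.crt key of that Secret, written as an added example (not a vpctl tool or part of the release). It assumes POSIX sh with grep and kubectl on the workstation, and it assumes the Secret lives in the asset-solutions namespace, which the release notes do not state for this field.

```shell
#!/bin/sh
# Preflight for configuration.networking.trustedCaSecretName (added example, not a vpctl tool).
# Validates a PEM file that is about to become the ca-bundle.crt key of the referenced Secret,
# then prints the kubectl command that creates that Secret. Namespace is an assumption.
NAMESPACE=${NAMESPACE:-asset-solutions}

check_ca_bundle() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # The bundle is mounted into Argo containers, the StorageTool and every Pixyz template,
    # so it must hold certificates only: any private key block is a hard failure.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "$f contains a private key block; remove it before creating the Secret" >&2
        return 1
    fi
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f")
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$f")
    [ "$begins" -gt 0 ] || { echo "$f holds no CERTIFICATE blocks" >&2; return 1; }
    [ "$begins" -eq "$ends" ] || { echo "$f has unbalanced BEGIN/END CERTIFICATE lines" >&2; return 1; }
    return 0
}

# Number of certificates in the bundle: confirm the intermediates and the root all made it in.
ca_bundle_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Prints the command that creates the Secret with exactly one key, ca-bundle.crt, as the
# manifest field expects. Arguments: Secret name (the trustedCaSecretName value), PEM path.
ca_bundle_secret_cmd() {
    printf 'kubectl -n %s create secret generic %s --from-file=ca-bundle.crt=%s\n' \
        "$NAMESPACE" "$1" "$2"
}

# Usage: check_ca_bundle ./ca-chain.pem && ca_bundle_secret_cmd my-ca-bundle ./ca-chain.pem
```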

Improvements

  • Larger default PostgreSQL storage. This release increases the default PostgreSQL data and pgBackRest backup persistent volume sizes by sizing profile: 50 GiB data and 100 GiB backup (small), 400 GiB data and 800 GiB backup (medium), 800 GiB data and 1600 GiB backup (large). For existing clusters, ensure your StorageClass has allowVolumeExpansion: true so that the Percona PostgreSQL operator can resize the PVCs online; otherwise, resize the PVCs manually after upgrading.
  • Automation step logs stream again. The automation-external-secrets Secret now also includes AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, mirrored from s3-api-storage-credentials, which the AutomationService needs to stream Argo step logs from object storage. After upgrading, rerun vpctl secret generate and vpctl secret deploy, then run kubectl -n asset-solutions rollout restart deployment/automation so that the AutomationService picks up the new environment variables.

Breaking change

RustFS replaced by Garage

This release removes the configuration.infrastructure.components.rustfs manifest field. The S3-compatible object store is now Garage and uses the new configuration.infrastructure.components.garage manifest field. You must use vpctl 0.10.0 or later to deploy this release.
Customer-visible side effects
  • The s3-api-storage-credentials Kubernetes Secret keeps its name, but the field names changed: RUSTFS_ACCESS_KEY is now GARAGE_ACCESS_KEY, and RUSTFS_SECRET_KEY is now GARAGE_SECRET_KEY. The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY aliases still mirror those values for the Percona MongoDB operator. After upgrading vpctl, rerun vpctl secret generate and vpctl secret deploy to pick up the new schema.
  • A new garage-rpc-secret Kubernetes Secret (single field rpcSecret, 64-character hex) holds the Garage cluster RPC secret. The Garage chart consumes it through existingRpcSecret. vpctl creates this Secret automatically as part of vpctl secret generate; no extra action is required beyond the standard first-time deploy flow.
  • Percona MongoDB scheduled backups now write to the Garage psmdb-backups bucket through garage:3900. No manifest-level change is required.
  • The /rustfs Traefik debug ingress route is removed. To reach the S3 API directly, use kubectl port-forward svc/garage 3900:3900.
Migration paths
Choose one of these paths before you run vpctl release deploy.
Path A — wipe and redeploy (recommended for staging environments). RustFS object data isn't preserved. Argo workflow artifacts are ephemeral, Percona MongoDB regenerates backups on the next scheduled run, and Asset Manager re-ingests content on demand. Before you continue with the rest of the upgrade guide, drain the RustFS PVCs:
  kubectl -n asset-solutions delete pvc -l app.kubernetes.io/name=rustfs
Then return to the upgrade guide and complete steps 4 (sync artifacts), 5 (regenerate and deploy secrets), and 6 (regenerate and deploy charts). When vpctl release deploy completes, Garage replaces RustFS in the same release, and the garage-bucket-bootstrap post-sync Job assigns the cluster layout, imports your GARAGE_ACCESS_KEY and GARAGE_SECRET_KEY into Garage, and creates the argo-artifacts and psmdb-backups buckets.
Path B — preserve data with mc mirror. Recommended if you want to keep existing PSMDB backup dumps. This release includes a helper script, migrate-rustfs-to-garage.sh, under extracted-release/common/scripts/.
Before you regenerate and deploy the new secrets (step 5 in the upgrade guide), run the backup phase from a workstation that can reach the cluster. At this point, the in-cluster s3-api-storage-credentials Secret still holds the old RUSTFS_* fields, so the script can mirror the argo-artifacts and psmdb-backups buckets from RustFS to a local directory:
  export RUSTFS_ACCESS_KEY=$(kubectl -n asset-solutions get secret s3-api-storage-credentials -o jsonpath='{.data.RUSTFS_ACCESS_KEY}' | base64 -d)
  export RUSTFS_SECRET_KEY=$(kubectl -n asset-solutions get secret s3-api-storage-credentials -o jsonpath='{.data.RUSTFS_SECRET_KEY}' | base64 -d)
  NAMESPACE=asset-solutions BACKUP_DIR=./rustfs-backup ./extracted-release/common/scripts/migrate-rustfs-to-garage.sh backup
Return to the upgrade guide and complete steps 5 (regenerate and deploy secrets) and 6 (regenerate and deploy charts). After vpctl release deploy finishes and both the Garage StatefulSet and the garage-bucket-bootstrap Job are complete, restore the buckets to Garage:
  export GARAGE_ACCESS_KEY=$(kubectl -n asset-solutions get secret s3-api-storage-credentials -o jsonpath='{.data.GARAGE_ACCESS_KEY}' | base64 -d)
  export GARAGE_SECRET_KEY=$(kubectl -n asset-solutions get secret s3-api-storage-credentials -o jsonpath='{.data.GARAGE_SECRET_KEY}' | base64 -d)
  NAMESPACE=asset-solutions BACKUP_DIR=./rustfs-backup ./extracted-release/common/scripts/migrate-rustfs-to-garage.sh restore
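The Path B backup and restore phases each depend on which schema the s3-api-storage-credentials Secret currently carries (RUSTFS_* before step 5, GARAGE_* after it), and the side-effects list above also requires the AWS_* aliases to mirror the new values. This added check script (not a vpctl command or part of the release) tells the two states apart from a kubectl dump of the Secret; it assumes POSIX sh with GNU base64 and kubectl on the workstation.

```shell
#!/bin/sh
# Schema check for the 0.13.0 Secret rename (added example, not a vpctl command).
# Input: one KEY=BASE64 line per data field, as printed by
#   kubectl -n asset-solutions get secret s3-api-storage-credentials \
#     -o go-template='{{range $k,$v := .data}}{{$k}}={{$v}}{{"\n"}}{{end}}' > s3-secret.txt
# (same for garage-rpc-secret). Values are base64 in the dump, exactly as in the API object.

# Decode one field of a KEY=BASE64 dump; prints nothing when the key is absent.
secret_field() {
    grep "^$2=" "$1" | cut -d= -f2- | base64 -d 2>/dev/null
}

# Exit codes: 0 = GARAGE_* schema with matching AWS_* aliases (safe to restore),
#             1 = old RUSTFS_* schema (run the backup phase first),
#             2 = GARAGE_* schema but broken (regenerate and redeploy secrets).
check_s3_secret_schema() {
    f=$1
    if grep -q '^RUSTFS_ACCESS_KEY=' "$f"; then
        echo "pre-upgrade schema (RUSTFS_*): run backup, then vpctl secret generate/deploy" >&2
        return 1
    fi
    ak=$(secret_field "$f" GARAGE_ACCESS_KEY); sk=$(secret_field "$f" GARAGE_SECRET_KEY)
    [ -n "$ak" ] && [ -n "$sk" ] || { echo "GARAGE_ACCESS_KEY/GARAGE_SECRET_KEY missing" >&2; return 2; }
    # The AWS_* aliases feed the Percona MongoDB operator; a stale mirror breaks backups.
    [ "$(secret_field "$f" AWS_ACCESS_KEY_ID)" = "$ak" ] && \
    [ "$(secret_field "$f" AWS_SECRET_ACCESS_KEY)" = "$sk" ] || {
        echo "AWS_* aliases do not mirror GARAGE_*; rerun vpctl secret generate and deploy" >&2
        return 2
    }
    return 0
}

# garage-rpc-secret carries a single rpcSecret field that must decode to 64 hex characters.
check_garage_rpc_secret() {
    printf '%s' "$(secret_field "$1" rpcSecret)" | grep -Eq '^[0-9a-fA-F]{64}$'
}
```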

Version 0.12.0 — April 30, 2026

Improvements

Hardened UVCS container security

The uvcs (previously Plastic SCM) StatefulSet now runs as a non-root user (UID 1000) with a hardened security context. This disables privilege escalation, drops all Linux capabilities, and enforces the RuntimeDefault seccomp profile. This change lets you deploy in clusters that enforce strict Pod Security Standards or Kyverno policies that forbid runAsUser: 0.
Action required before you upgrade existing deployments
  1. Plan a maintenance window. On the first uvcs pod restart after the upgrade, Kubernetes recursively changes ownership of the uvcs persistent volume (/jet) to GID 1000 through fsGroupChangePolicy: OnRootMismatch. For large repositories, this operation can take several minutes, during which the uvcs pod is unavailable.
  2. Validate that your CSI driver applies fsGroup correctly.
  3. Verify the upgrade. After the upgrade completes, confirm the new security context:
    • kubectl exec uvcs-0 -c uvcs -- id returns uid=1000 gid=1000.
    • kubectl exec uvcs-0 -c uvcs -- ls -ld /jet shows group 1000 and no permission errors.
    • kubectl logs uvcs-0 -c uvcs shows the entrypoint creating symlinks under /opt/plasticscm5/server without errors and plasticd binding :8087.
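The three verification checks above, turned into a post-upgrade script as an added example (not a vpctl command or part of the release). Each function takes the captured output of the kubectl command it names, so it runs against saved output as well as inline; it assumes POSIX sh and grep.

```shell
#!/bin/sh
# Post-upgrade checks for the 0.12.0 uvcs security context (added example, not a vpctl tool).
# Inline use: check_uvcs_id "$(kubectl exec uvcs-0 -c uvcs -- id)"

# `id` prints "uid=1000(uvcs) gid=1000(uvcs) ..." when /etc/passwd knows the user and
# "uid=1000 gid=1000 ..." when it does not; only the numeric ids matter.
check_uvcs_id() {
    case "$1" in
        'uid=1000('*') gid=1000('*|'uid=1000 gid=1000'*) return 0 ;;
    esac
    echo "uvcs is not running as uid 1000 / gid 1000: $1" >&2
    return 1
}

# `ls -ld /jet` prints mode, link count, owner, group, ...; the group must be 1000, which is
# what fsGroupChangePolicy: OnRootMismatch applies on the first restart after the upgrade.
check_uvcs_jet_group() {
    set -- $1
    [ "$4" = "1000" ] && return 0
    echo "/jet group is '$4', expected 1000; check that your CSI driver applies fsGroup" >&2
    return 1
}

# Entrypoint logs must show plasticd binding :8087 and must not report symlink errors
# under /opt/plasticscm5/server.
check_uvcs_logs() {
    printf '%s\n' "$1" | grep -q ':8087' || { echo "plasticd did not bind :8087" >&2; return 1; }
    if printf '%s\n' "$1" | grep -i 'symlink' | grep -qi 'error'; then
        echo "entrypoint reported symlink errors" >&2
        return 1
    fi
    return 0
}
```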

Version 0.11.0 — April 24, 2026

New features

Helm chart sourcing (preview)

The new deployment.helmChartMode manifest setting lets you choose how Helm charts are delivered:
  • local (default): the process installs charts from the release package. This is the safest option for existing deployments and for air-gapped environments.
  • remote: the process pulls charts from an OCI Helm registry at deployment time.
The remote mode and the matching vpctl artifact sync charts command are available as a preview in this release. Not all charts are published to the Unity OCI Helm registry yet, so a fully remote-only deployment isn't supported. For production deployments, continue to use the default local mode.

Default monitoring alerts

The Prometheus monitoring stack now ships with a curated set of cluster and workload alerting rules out of the box. You no longer need to assemble these rules manually before going to production.

Hardened container variant for the upc-job image

The upc-job image now ships in a hardened variant, which is built on a minimal base image with a reduced attack surface for stricter security baselines.

Improvements

  • Higher default resource allocations: MongoDB, mini-usf, and public-api now request more CPU and memory by default, which reduces the need for manual tuning to reach production-level performance.
  • Idempotent onboarding: the upc-onboarding job is now safe to rerun. The job no longer fails or duplicates resources if you retrigger it after a partial deployment.
  • More resilient RabbitMQ scheduling: RabbitMQ pods now schedule successfully on clusters that don't expose availability zone labels.
  • Reliable Keycloak tokens: Keycloak-issued tokens now include the sub and auth_time claims required by downstream services. This fixes a regression introduced by Keycloak 26's stricter scope handling.
  • Mini-usf routing fixes: legacy admin routes and the groups routes are now matched correctly, including the right middlewares and permissions for the global admin role.
  • Quieter object storage logs: RustFS no longer floods the log volume at default verbosity. The default log level is now error, which prevents disk pressure on the log PVC.
  • Organization management connectivity: the organization-management service now reads the correct RabbitMQ consumer queue setting and starts cleanly.

Version 0.10.0 — March 20, 2026

New features

Official Keycloak 26 image

The identity stack now runs the official Keycloak 26 image through the new keycloak-standalone chart, replacing the previous Bitnami-based Keycloak distribution. This change brings access to upstream Keycloak features and a faster security update cadence. If you previously customized the Bitnami Keycloak chart, review your manifest before upgrading.

Automation app scheduling

A new uc-scheduler-runner image powers scheduled jobs for automation apps such as Asset Manager and Pixyz. Scheduling now runs as part of the deployment without additional manual setup.

Improvements

  • The fallback namespace used for automation resource isolation (UCAUTOMATION_ResourceIsolationOptions__FallbackNamespace) now follows the namespace defined in your manifest instead of being hardcoded. Multi-namespace deployments work without code changes.

Version 0.9.0 — March 17, 2026

New features

Automation app management

Automation apps such as Asset Manager and Pixyz are now automatically registered during deployment. A post-deployment job handles app registration, removing the need for manual setup.

Version 0.8.0 — March 13, 2026

New features

Log storage configuration

You can now control the persistent volume size for log storage independently from data storage for the object storage component. Sizing profile defaults range from 1 GiB (small) to 10 GiB (large), and you can override the value per component.

Transformation parallelism control

A new configuration.transformations.parallelism manifest field lets you set the maximum number of concurrent transformation workflows. The default value is 20.

Improvements

  • Deployment validation now enforces that the store encryption key is exactly 32 characters, catching misconfigured keys before they cause runtime errors.

Breaking change

The configuration.licensing section, including FlexLM and sdkLicenses settings, has been removed. Built-in transformation workflows are now always enabled, and their concurrency is controlled through the new configuration.transformations.parallelism manifest field. Remove any licensing configuration from your manifest before upgrading.

Version 0.7.0 — March 3, 2026

New features

CLI version compatibility checks

The release package now declares the minimum required vpctl version. The vpctl release generate and vpctl secret generate commands check this requirement before running and block execution if the CLI version is too old. This prevents silent misconfigurations from manifest schema changes.

Improvements

Object storage distributed mode

Object storage now runs in distributed mode by default, improving data durability and availability.

Version 0.6.0 — February 23, 2026

New features

Infrastructure sizing profiles

You can now control the CPU, memory, and storage allocations for the following infrastructure components directly from the manifest: MongoDB, PostgreSQL, RabbitMQ, object storage, and Elasticsearch. Choose from three named sizing profiles: small, medium, or large. Alternatively, override the resources for individual components to match your workload.

Improved container image management

All infrastructure images, including Istio and Percona MongoDB backup images, are now sourced from your private container registry instead of public registries. This method improves reliability and security in air-gapped or restricted network environments.

Breaking change

Support for the custom Pixyz scripts has been removed. If you previously used the automation.customPixyzScript manifest configuration, remove it from your manifest before upgrading.

Version 0.5.0 — February 17, 2026

New features

Centralized log collection

Log collection is now available through Loki and Alloy. Enable it in your manifest with the monitoring.logCollection.enabled option to aggregate logs from all services in your deployment.

Improvements

Automated MongoDB backups

Percona MongoDB now automatically backs up data to RustFS S3-compatible storage, improving data durability without requiring manual backup configuration.

Version 0.4.0 — February 12, 2026

New features

Istio service mesh support

You can now enable Istio with ambient mode for service-to-service traffic management and observability. Configure Istio in your manifest under configuration.networking.serviceMesh.istio.

SDK license management

A new sdkLicenses setting in the manifest licensing section lets you specify how many Pixyz SDK licenses are available. This setting controls the maximum number of concurrent transformation workflows.

Improvements

  • Improved container image handling for workflow execution
  • Improved object storage reliability with automated bucket creation during deployment

Version 0.3.0 — January 28, 2026

New features

Full application suite

This release adds the complete set of application services, including:
  • Asset Manager: full asset management with storage, collaboration, and search
  • Automations and workflows: pipeline automation with Argo Workflows
  • Identity and access management: Keycloak for authentication and role-based access control
  • Notifications: event notifications through Novu
  • Ingress: Traefik as the ingress controller and load balancer

Version 0.2.0 — December 8, 2025

New features

Core infrastructure services

This release adds the foundational infrastructure layer, including:
  • Databases: PostgreSQL (via PG Operator) and Elasticsearch for relational data and search
  • Caching: Valkey for in-memory data storage
  • Messaging: RabbitMQ for asynchronous communication
  • Asset services: storage abstraction, collaboration, authoring, bulk operations, and catalog management

Version 0.1.0 — November 28, 2025

New features

First release of Unity Virtual Private Cloud On-Premises.