Changelog

1.18.0.0

Validate descriptor JSON file before deployment to k8s cluster
Upgrade ArgoCD to v2.5.5
Move Descriptor Validator to git-ops-command.sh
Upgrade nginx-ingress-controller to v1.5.1
Add base & region values.yaml files for Helm migration
Add ArgoCD application set definition for microservice architecture
Update sealed-secrets-controller to v0.19.3
Add multiple USER_BASE_DNs and BACKEND_IDs env vars

Changes:

PDO-3335 Set PingFederate Engines minReplicas count to 3 in prod/small deployment
PDO-4570 Validate descriptor JSON file before deployment to k8s cluster
PDO-4575 Upgrade ArgoCD to v2.5.5
PDO-4636 Move Descriptor Validator to git-ops-command.sh
PDO-4698 Upgrade nginx-ingress-controller to v1.5.1
PDO-4701 Update cluster tools to latest version: sealed-secrets-controller v0.19.3
PDO-4773 Update generate-cluster-state script to create base and region values.yaml files
PDO-4775 Add new ArgoCD application definition to PCB
PDO-4818 Add multiple USER_BASE_DNs and BACKEND_IDs env vars

1.17.0.0

Remove logstash tolerations
Argo CD non-root user changes
Prometheus configured to take metrics from second region
Prometheus upgraded to 2.39.1
Create new global repo for dashboards
Send logs from second region to main Elasticsearch
Add HTTP server pod for PingAccess-WAS healthchecks
Add HTTP server pod for PingAccess healthchecks
Add HTTP server pod for PingFederate healthchecks
Remove unneeded resources from secondary region
Retain set value for slack channel alerts
Added CICD integration health test to check certificate results
Modified Kibana dashboards to show second region logs and metrics
Allow release branches to update image names using the kustomize image patch
Add beluga_log verbosity level to control logging level
Changed Slack channel for Argo notifications depending on IS_GA value
Remove "PING_CONTAINER_PRIVILEGED" from env_vars
Remove EFS access points directories when deleting PV
NewRelic Java Agent upgraded to 7.11.1
Refactor elastic-stack manifests
Remove outdated CW logs test methods
Add healthcheck-pingdirectory cronjob
Added k8s serviceAccount for PA, PD & PF
Update ping-cloud-base to use the cluster tools from new ECR repo
Configure Argo Redis container to run as nonroot
Update applications logs location
Refactor offline-enable script to use "dsreplication enable-with-static-topology" subcommand
Healthcheck logs now stored in separate index with 7 days retention period
Upgrade kubectl to match K8s version and bitnami kubectl image.
Mirror our own version of PGO/crunchy images
Add pod exec privileges to cluster-healthcheck-serviceaccount
Add delete patch to remove pingaccess-was healthcheck cronjob from multi-region
Revert removing alertmanager from the prometheus config
Add PF transaction logs parsing and indexing
Fix regional variable for new customer creation

Changes:

PDO-2799 Rewrite CloudWatch log tests
PDO-3165 Refactor offline-enable script to use "dsreplication enable-with-static-topology" subcommand
PDO-4186 beluga_log is not respecting verbosity levels
PDO-4224 Properly propagate SSH key when upgrading CSR
PDO-4240 PF Health Check Tests - Certificates
PDO-4249 Remove unused networking yaml from PCB
PDO-4279 Add Pod Disruption Budgets for PA-WAS Engine, PingDelegator
PDO-4291 PF Health Check Tests - connectivity
PDO-4312 PA-WAS Health Check Tests - object creation, unauthenticated proxy requests
PDO-4343 Mirror our own version of PGO/crunchy images
PDO-4432 Logstash has broken tolerations
PDO-4439 PF Health Check Tests - object creation, authentication
PDO-4440 PD Health Check Tests - appintegrations
PDO-4481 Upgrade kubectl to match K8s version
PDO-4496 Create new global repo for dashboards
PDO-4533 Move PCB CI/CD env vars from deploy script to common script
PDO-4535 Argo CD non-root user changes
PDO-4543 Create K8s serviceAccount for PA, PD and PF
PDO-4545 Add delete patch to remove pingaccess-was healthcheck cronjob from multi-region
PDO-4565 Prometheus: Configure It to Take Metrics from Second Region
PDO-4566 Logstash: Configure It to Send Logs from Second Region to Primary Region
PDO-4568 Kibana: Modify Dashboards to Show Second Region Logs and Metrics
PDO-4569 Remove ES, Kibana and Grafana from second region
PDO-4574 Pod Reaper pod should re-spin, when env_vars is updated
PDO-4583 PA Health Check Tests - object creation, unauthenticated proxy requests
PDO-4610 Retain set value for slack channel alerts
PDO-4614 Automate pinning the branch for ping-cloud-dashboards in PCB
PDO-4615 Remove outdated CW logs test methods
PDO-4618 Default slack notifications using IS_GA env var
PDO-4632 ALERT from the secondary region is shown as an ALERT from the primary region in the email message
PDO-4636 Remove "PING_CONTAINER_PRIVILEGED" from env_vars
PDO-4644 Update cluster tools to latest version: NewRelic Java agent v7.11.1
PDO-4648 Allow release branches to update image names using the kustomize image patch
PDO-4649 prometheus-0/logstash-elastic-0 pod does not come up upon changing LEGACY_LOGGING or LS_JAVA_OPTS
PDO-4669 EFS access point dir doesn't remove during PVC removal
PDO-4671 Refactor elastic-stack manifests
PDO-4686 Update ping-cloud-base to use the cluster tools from new ECR repo
PDO-4807 Configure Argo Redis container to run as nonroot
PDO-4808 Update applications logs location
PDO-4809 Refactor generate-cluster-state.sh to retain set value for slack channel alerts on upgrade
PDO-4877 ELK logs for healthcheck pods should be storing for 7 days
PDO-4918 Missing PF Transaction Log
PDO-4921 Revert removing alertmanager from the prometheus config
PDO-4922 Fix regional variable for new customer creation

1.16.1.0

Added ENVIRONMENT_TYPE to backup failure notification
Remove all out-of-the-box IKs from PingFederate base image

Changes:

PDO-4844 Environment Key is missing in Product Backup Failure Alert Message
PDO-4893 Remove all out-of-the-box IKs from PingFederate base image

1.16.0.1

Force PingAccess engines to get its certificate ID from the engines endpoint instead of HTTP Listener

Changes:

PDO-4804 Force PingAccess engines to get its certificate ID from the engines endpoint instead of HTTP Listener

1.16.0.0

Implemented Radius Proxy as optional installation
Setup NewRelic Kube Events Integration
Add newrelic-metadata pod to send metadata to NewRelic
Add PingAccess and PingAccess-WAS health checks cronjobs
Update ping-cloud namespace variable
Add ArgoCD slack notifications secret within SSM and remove from k8s secret
Added argo-events version 1.7.2
Enable newrelic-logging for host logs and service cluster-tools pods(kube-system namespace + external-dns)
Resolve tag _grokparsefailure and log components are missing
Add new env_var "DEFAULT_USER_BASE_DN"
Added event source and webhook for argo-events to enable notification
LEGACY_LOGGING defaulted to False
update pingcloud-bom and pingcloud-oauth securityContext with allowPrivilegeEscalation set to false
Use camelCase for healthcheck test tags and filenames
Implemented must-have monitoring/alerting of PGO
Implement PGO alerting via argo-events
Added argo-image-updater version v0.12.0
Fix: Events are not displayed in New Relic for some pods in some namespaces
Fix: New relic not reporting accurate pod metrics for some environments
Switch Delegated Admin to use OAuth Authorization Flow instead of Implicit Flow
Added ArgoCD slack notifications
Upgraded Prometheus to v2.39.1

Changes:

PDO-2300 Add ArgoCD slack notifications for better visibility into failure to apply manifests
PDO-3599 Autoupdate to minor releases of PingOne AS Product Images
PDO-3785 Add PGO database to CI/CD
PDO-3791 Create hook script to enable outbound provisioning
PDO-3823 Add newrelic-metadata pod to send metadata to NewRelic
PDO-3863 PGO backups
PDO-4046 Ability to override product initContainer p14c-integration image
PDO-4089 Notification Framework: Introduce argo-events
PDO-4096 Failed Cluster Health Job hanging around
PDO-4104 PA Health Check Tests
PDO-4110 Switch Delegated Admin to use OAuth Authorization Flow instead of Implicit Flow
PDO-4117 Go Proxy: Write Manifest to Deploy RadSec Proxy
PDO-4150 Tag _grokparsefailure and log components are missing
PDO-4176 Enable desired NewRelic Logging
PDO-4178 Setup NewRelic Kube Events Integration
PDO-4207 Add ArgoCD slack notifications secret within SSM and remove from k8s secret
PDO-4261 Upgrade Kustomize to v4.5.7
PDO-4274 New relic not reporting accurate pod metrics for Star
PDO-4281 Update ping-cloud namespace variable
PDO-4290 Add simple postgres operator (PGO) database
PDO-4320 Set AllowPrivilegeEscalation to False
PDO-4326 Implement must-have monitoring/alerting of PGO
PDO-4327 Implement PGO resource sizing per environment
PDO-4351 Events are not displayed in New Relic for some pods in some namespaces
PDO-4397 Add new env_var "DEFAULT_USER_BASE_DN"
PDO-4391 Notification Framework: alert on backup failure
PDO-4401 LEGACY_LOGGING mode: Change default from true to false (off) - Leave flag available
PDO-4432 Logstash has broken tolerations
PDO-4438 PostgreSQL pods and secrets not deployed
PDO-4442 Update healthcheck service keys to use consistent format
PDO-4446 Handle missing SSM parameters
PDO-4454 Implement Prometheus Alerting
PDO-4476 Modify PGO feature flag to not require update-cluster script
PDO-4480 newrelic-license-secret-exporter job not present in newrelic namespace
PDO-4491 Run Radius as a sidecar container alongside PingFederate engine
PDO-4492 Enable/disable Radius with environment variable
PDO-4498 Move nri-kubernetes images to dev ECR within PCB
PDO-4580 Prometheus Pod is being OOMKilled

1.15.1.0

Fix Logstash broken tolerations

Changes:

PDO-4432 Logstash has broken tolerations

1.15.0.1

Allow multiple Pass-Through-Authentication plugin instances

Changes:

PDO-4558 Allow multiple Pass-Through-Authentication plugin instances

1.15.0.0

Augment ArgoCD's application name with customer name
Add fix to application name for ArgoCD
Fix grafana PD topology successful SSOs
Updated cluster tool sealed-secrets-controller from v0.17.3 to v0.18.0
Healthcheck cronjobs moved to 'health' namespace
Update API version in Beluga K8s manifest for EKS v1.22
Setup EFS as backend for Prometheus storage
Updated cluster tool cert-manager from v1.5.3 to v1.9.1
Use generic bootstrap app for p14c and logging
Improved Grafana dashboards to be more consistent
Added prometheus-job-exporter deployment to expose command outputs as prometheus metrics
Added LDAP users count graph
Add PingFederate health checks cronjob
Fix Fluent-bit raw logs sending to S3
Fix secrets sealing

Changes:

PDO-2635 Augment ArgoCD's application name with customer name
PDO-3271 Updated argocd to v2.4.6
PDO-3272 Update cluster tool to recommended version: cert-manager v1.9.1
PDO-3273 Update cluster tool to latest version: sealed-secrets-controller v.0.18.0
PDO-3524 Create PingOne-Configurator test for CI/CD
PDO-3575 Cluster tool: force pingcloud-monitoring/newrelic-tags-exporter initContainer to run with allowPrivilegeEscalation: false
PDO-3918 Move chrome install from run-integration-tests.sh to k8s-deploy-tools image
PDO-3940 Add timeouts for screen updates in PingOne integration tests
PDO-3944 Create CI/CD integration test for Health Checks
PDO-3988 Grafana Successful SSOs Pingfederate Topology dashboard displaying wrong data
PDO-4002 Unified bootstrap application
PDO-4036 Fix SigSci to exit properly when terminated
PDO-4051 Remove PingDirectory config-audit reference from Fluentbit configuration
PDO-4052 Update to handle NEW_RELIC_LICENSE_KEY environment variable
PDO-4060 Update versioning for cluster tools in PCB
PDO-4082 Create a custom sort method to sortBy production release and release candidate
PDO-4090 Prometheus: Implement EFS to back /data Directory
PDO-4097 Execute a _start-server.sh.pre script before starting PingDirectory
PDO-4101 PF Health Check Tests
PDO-4106 Update profile with X.509 authentication sample
PDO-4122 Move Health Check Jobs to separate NS
PDO-4153 Adjust default PingDirectory purge plugin properties
PDO-4154 Update truststore with signing certificates for X.509 authentication
PDO-4159 Update API version in Beluga K8s manifest for EKS V1.22
PDO-4193 Inconsistent performance metrics
PDO-4205 Create the K8s infrastructure to get active users count for each tenant environment
PDO-4206 Visualize active users count for each tenant environment data through Grafana dashboards
PDO-4242 Improve cert-manager ci/cd deployment reliablility
PDO-4265 Increase memory limits for prometheus pod
PDO-4268 Fix Fluent-bit raw logs sending to S3
PDO-4301 Fix secrets sealing

1.14.1.0

Backport logstash tolerations fix

Changes:

PDO-4432 Logstash has broken tolerations

1.14.0.1

Allow multiple Pass-Through-Authentication plugin instances

Changes:

PDO-4547 Allow multiple Pass-Through-Authentication plugin instances

1.14.0.0

Update cluster-tool external-dns from version v0.08.0 to version v.0.11.0
New image tagging convention for all Ping applications
SigSci Agent upgraded from v4.24.1 to v4.28.0
Nginx Ingress Controller upgraded from v1.0.0 to v1.2.0
Configure PingFederate and PingAccess environments within PingCentral
Create PingDirectory's Password Credential Validator using PingFederate Admin API
Grafana upgraded from v6.5.3 to v8.4.5
Create PingDirectory's LDAP Client Manager using PingFederate Admin API
Replace Fluentd with Fluent Bit
Force liveness probe for PingDirectory to use API endpoint /available-or-degraded-state
Logstash now getting logs from Fluent Bit and working as non-root Deployment
Cluster tool cluster-autoscaler upgrade from v1.20.0 to v1.21.1
Fluent Bit now has a FeatureFlag 'LEGACY_LOGGING' to control application logs destination
Fluent Bit docker image is now pulled from ECR
Implemented Hot\Warm Tiers for ElasticSearch
Add "pf-jwt-token-translator-1.1.1.2.jar" to artifact.json file
Add healthcheck service
Add cluster-health healthchecks for namespaces, nodes, and statefulsets
Add logstash parsers for all ping apps
Add EFS StorageClass. Configure Elasticsearch to use EFS StorageClass
Add customer-configurable pipeline to logstash
Fix max-character branch name length for ping-cloud-base
Convert PingDataSync to a StatefulSet
Add Pod-Reaper cluster tool
Implement Kibana-based alerting
Add logging-bootstrap application
Fluent Bit now store raw logs on S3
Remove stunnel from PingDirectory
Remove skbn as backup mechanism as replaced with aws cli
Update cronjobs to prevent multiple jobs being scheduled during scaledown

Changes:

PDO-2517 Port of PingFederate pre-config script from bash to python
PDO-2827 Configure PingFederate and PingAccess environments within PingCentral
PDO-2894 Use Fluent Bit instead of Fluentd
PDO-3269 Update cluster tools to latest version: cluster-autoscaler v1.21.1
PDO-3270 Update cluster tools to latest version: nginx-ingress-controller v1.2.0
PDO-3274 Update cluster tools to recommended version: external-dns v.11.0
PDO-3275 Update cluster tools to latest version: Kibana v8.1.3
PDO-3276 Update cluster tools to latest version: Elasticsearch 8.1.3
PDO-3277 Update cluster tools to latest version: kube-state-metrics v2.5.0
PDO-3278 Update cluster tools to latest version: metrics-server v0.6.1
PDO-3279 Update cluster tools to latest version: Logstash v8.1.3
PDO-3421 Set ImagePullPolicy for all Ping apps to 'Always'
PDO-3422 Create script to ensure development ECR public image tag isn't in any production release
PDO-3428 PA/PF heartbeat exporter doesn't export metric properly after implementing PDO-3207
PDO-3433 Create PingDirectory's Password Credential Validator using PingFederate Admin API
PDO-3434 Create PingDirectory's LDAP Client Manager using PingFederate Admin API
PDO-3446 Upgraded ArgoCD to v2.3.1
PDO-3522 Create PF admin SSO integration test for CI/CD
PDO-3548 Set manage-profile tempProfileDirectory argument and force exportldiff files to write to the persistent volume /opt/out directory
PDO-3571 Added non-admin ArgoCD user with access to restart StatefulSet pods
PDO-3574 Cluster tool: force bitnami/kubectl initContainer to use its own nonroot user
PDO-3576 Cluster tool: force busybox initContainer to use its own nonroot user
PDO-3582 Force liveness probe to use API endpoint /available-or-degraded-state
PDO-3603 Auto update product tags for production registry in ping-cloud-base
PDO-3605 Automate release candidate ECR images within in ping-cloud-base
PDO-3610 Convert PingDataSync to a Statefulset
PDO-3611 Use 'manage-profile replace-profile' to support root password change
PDO-3620 Update cluster tools to latest version: Grafana v8.4.5
PDO-3678 server.publicBaseUrl is not found in Kibana
PDO-3684 Remove skbn as replaced with aws cli in PD0-3683
PDO-3716 Elasticsearch: Implement Hot/Warm Tiers
PDO-3723 Grafana: Upgrade to 8.4.5 risks investigation
PDO-3743 Automate development ECR images in ping-cloud-base
PDO-3745 Argocd admin creds in secrets.yaml
PDO-3753 Configure Fluent Bit to send SIEM logs to logstash
PDO-3754 Replace current logstash DaemonSet by non-root Deployment
PDO-3755 Implement FeatureFlags with many outputs for Fluent Bit
PDO-3773 Encrypt K8s StorageClass (AWS EBS volumes)
PDO-3780 Connect to external PD server within PingDataSync using LDAPS
PDO-3783 Recreate the PF Threat Detection Dashboard in P1AS
PDO-3805 Create & Deploy Health Check service in P1AS
PDO-3821 Create customer-configurable pipeline in logstash with PQ
PDO-3830 ES JVM Heapsize too small
PDO-3840 Update cluster tools to latest version: prometheus to v2.36.1
PDO-3841 Update cluster tools to latest version: newrelic-infrastructure to 4.5.8
PDO-3842 Update cluster tools to latest version: newrelic java agent to v6.5.4
PDO-3843 Update cluster tools to latest version: cloudwatch-agent to v1.247352.0
PDO-3844 Update cluster tools to latest version: sig-sci agent v4.28.0
PDO-3851 Implement EFS storage for ElasticSearch
PDO-3856 PingOne configurator skips is_myping
PDO-3887 Add config-audit.log and server.out files to PingDirectory tail logs
PDO-3892 Fluent Bit image is now pulled from ECR
PDO-3907 Create Cluster Health Tests for Health Checks Pt 1
PDO-3910 Create a logstash parsers for all ping-app non-SIEM logs
PDO-3911 Warning message in es-cluster pods logs
PDO-3912 Few PF Kibana Dashboards and one PD Kibana Dashboard not showing data
PDO-3913 Few data views are listed twice in Kibana Discover tab
PDO-3915 Create Reaper Deployment in PCB
PDO-3919 Create Cluster Health Tests for Health Checks Pt 2
PDO-3936 Investigate flaky PingOne integration tests
PDO-3928 Move script that verifies development images are not in production to tag-release.sh
PDO-3930 Add "pf-jwt-token-translator-1.1.1.2.jar" to artifact.json file
PDO-3933 ELK/CloudWatch logging improvements
PDO-3942 Moved ENVIRONMENT_PREFIX from base env_vars to region env_vars
PDO-3946 Some of Kibana resources bootstrapping fails in rare cases
PDO-3956 ELK: there are no log time chart and no window to choose time slot for 'pa-was-system' data view
PDO-3959 Fix URLs not rendering due to DNS_ZONE envsubst ordering
PDO-3968 Update logstash image to have all needed plugins
PDO-3969 Store raw logs on S3
PDO-3972 Remove stunnel from PingDirectory
PDO-3974 Implement Kibana Alerting
PDO-3980 Health Check service is listing wrong envType in a CDE
PDO-3993 Fix PF Admin API endpoint for integration test
PDO-4008 Fix max-character branch name for PCB
PDO-4016 Few data views are listed twice in Kibana Discover tab
PDO-4040 Add ingress metrics dashboard to Grafana
PDO-4027 Add logging-bootstrap application
PDO-4056 Ping Federate - Threat Intel / Detection Dashboard is missing
PDO-4057 Update all cronjob configs to prevent multiple jobs being scheduled during scaledown
PDO-4093 Logstash is in crashloop state for chub clusters
PDO-4098 Newrelic Infrastructure sends data from primary and secondary regions to one NR
PDO-4108 There are no data on PA-WAS - Response Codes Over Time Kibana Dashboards
PDO-4121 Cost Savings: New Relic: Globally Update Configuration to use lowDataMode

1.13.0

Deploy PingDataSync into cluster
Updated the SigSci Agent to run as a non-root user
Updated default PingID adapter, PingOne MFA IK, PingOne Risk Management IK
Force engines to use non-root
Force admins (PF, PA, PA-WAS, PD) to use non-root
Update PingFederateConfigurator job to use ansible image
Run PingDataSync using nonroot user
Update Pingdatasync secrets volume mount from pingdatasync to pingdirectory
Update all pingcloud-apps images to support ssh-rsa HostKeyAlgorithm
Use alpine docker image for enrichment-bootstrap
Add custom artifacts to PingDataSync to allow custom sync pipes
Upgrade PF to 11.0.2
Fix fluentd PD logs parsing configuration
Fix missing PD logs due to late tail-logs hook call
Use self-hosted newrelic docker images
Automate usage of AWS Secrets Manager
Set min and max CPU properties within run.properties for engine and admin
Add jetty-runtime.xml to profile-repo
Move PingCentral AWS RDS MYSQL vars from base/env_vars to region/pingcentral/env_vars
Turned off pod logs from going into NewRelic
Fix upgrade-cluster-state script to import new env_vars changes from base
Fix PingCentral PingOne deployment status and url update

Changes:

BRASS-358 Update Solutions Ansible to continue on error, removed "canUseIntelligenceDataConsent": true from risk script
BRASS-359 Add local username attribute to Risk Adapter in PingFederate
BRASS-367 Pre-configured IdP/SP connections do not match up; don't work OOTB
BRASS-370 Pre-configured PF Policy incorrect Population ID mapping
PDO-2092 Allow UDP ports to enable PF RADIUS functionality
PDO-2233 Change "apiVersion" for CRD resources in ping-cloud-base
PDO-2350 Add Metric For JVM GC CPU percent in PF
PDO-2351 Add Metric For JVM Old Gen Collected percent in PF
PDO-2354 Add Metric For JVM GC CPU percent in PA
PDO-2356 Add Metric For JVM Old Gen Collected percent in PA
PDO-2746 Add PingCentral deployment status to PingOne
PDO-2944 Add urls to metadata pod
PDO-2951 Deploy PingDataSync into cluster
PDO-2953 Sync directory from external PD server to P1AS PD server
PDO-2954 Support PingDataSync logs within CloudWatch
PDO-2955 Add External PD & P1AS PD certs to PingDataSync TrustStore
PDO-2995 Update Pingdatasync secrets volume mount from pingdatasync to pingdirectory
PDO-3017 Upgrade PF to 11.0.1
PDO-3064 PingAccess hook scripts updated to use the beluga_log method instead of echo
PDO-3065 PingFederate hook scripts updated to use the beluga_log method instead of echo
PDO-3103 Force admins (PF, PA, PA-WAS, PD, DA, PC) to use non-root
PDO-3104 Change PingAccess/PingAccess-WAS beluga_log messages to use beluga_warn or beluga_error
PDO-3105 Change PingFederate beluga_log messages to use beluga_warn or beluga_error
PDO-3106 Change PingDirectory beluga_log messages to use beluga_warn or beluga_error
PDO-3108 Change PingCentral beluga_log messages to use beluga_warn or beluga_error
PDO-3129 Update json_exporter image version to 0.3.0
PDO-3142 Run SigSci agent as non-root, update nginx ingress controller security context
PDO-3146 Change Busybox-based containers in cluster-tools to run as non-root
PDO-3154 Update Fluentd logs routing
PDO-3160 Update NGINX ingress controller to use 8080/8443 for the containerPort
PDO-3163 Change PingFederate Port to 9999 within P14C Integration
PDO-3167 Update default PingID adapter, PingOne MFA IK, PingOne Risk Management IK
PDO-3180 Sync directory from P1AS PD server to external PD server
PDO-3200 Change dev-env.sh script to have better error handling for kubectl apply
PDO-3207 Force Admins to use non-root
PDO-3262 Add push rule to repo, README for branch name max length requirement
PDO-3281 Upgrade PingAccess and PingCentral base images to avoid DOS attack
PDO-3305 Modify k8s in PCB to run ansible image
PDO-3307 Update PD status for PingOne
PDO-3340 PA-WAS pods crashed during 82-upload-csd-s3.sh hook run on test/dev clusters
PDO-3341 Run PingDataSync using nonroot user
PDO-3343 Upgrade PingDelegator/DelegatedAdmin to 4.8.0
PDO-3369 Update p1/newrelic-tags-exporter to run with "ping" user, "identity" group
PDO-3370 (BugFix) PD running into crashloop after restart with missing PingDirectory.lic file
PDO-3371 Update all pingcloud-apps images to support ssh-rsa HostKeyAlgorithm
PDO-3382 Change P1 Deployment to use isMyPing SSM
PDO-3404 PingDataSync add wait-for-service for external and internal PD instance
PDO-3406 Set changelog max-age within external PingDirectory server using API and P1AS PingDirectory server using dsconfig
PDO-3408 Enforce PingDataSync to only deploy within primary region
PDO-3394 (BugFix) PD status update for P1
PDO-3411 Move Fluentd CloudWatch config to a separate file
PDO-3414 Use alpine docker image for enrichment-bootstrap
PDO-3425 Deploy utils.lib.sh to each product container from one place
PDO-3449 Add custom artifacts to PingDataSync to allow custom sync pipes
PDO-3479 Change PA integration test 01-agent-config-test.sh to be idempotent
PDO-3488 Solutions Ansible entrypoint.sh script null evaluation
PDO-3501 Consolidate and rename PingDataSync, external PD, and P1AS PD shared variables
PDO-3502 Update DataSync to use USER_BASE_DN variable
PDO-3513 (BugFix) Logstash crashlooping due to updated plugin dependencies
PDO-3518 Fix fluentd PD logs parsing configuration
PDO-3540 Fix metadata by updating flask to v2.0.3
PDO-3557 Update PD to 8.3.0.5 to fix JVM crashes
PDO-3570 Add group identity 9999 for all Ping product applications and avoid escalating privileges
PDO-3577 Disable external server configuration. Use flag IS_P1AS_TEST_MODE to enable for QA
PDO-3594 Add a new dsconfig file "45-disable-daily-ldif-export.dsconfig" to turn off on-prem backup
PDO-3598 Fix missing PD logs
PDO-3601 Upgrade PF to 11.0.2 to fix OOM issue
PDO-3606 Backup/restore PingDataSync config/sync-state.ldif file to/from s3
PDO-3608 Add Secrets Manager objects to Discovery Service
PDO-3625 Run bootstrap & bom pods in CHUB account
PDO-3643 NewRelic infrastructure pods pulling from docker instead of ecr
PDO-3685 Set min and max CPU properties within run.properties for engine and admin
PDO-3731 Move PingCentral AWS RDS MYSQL vars from base/env_vars to region/pingcentral/env_vars
PDO-3764 Turn off pod logs from going into NewRelic
PDO-3771 Fix upgrade-cluster-state script to import new env_vars changes from base
PDO-3781 Encrypt K8s StorageClass

1.12.0

Added support for SigSci Web Access Firewall (WAF) to Nginx ingress controller
Updated Nginx ingress controller to version 1.0.0
Update PF upload artifact script to support Standard IKs
Updated ArgoCD to version 2.1.6
Added custom patch to create public ingresses for admin endpoints
Added multiline log support for PA-WAS
Added sideband fields to PA logs
Added regional custom-patches.yaml as an extension point to customize the configuration for a specific region
Added support for enabling rate-limiting in PA and PA-WAS
Heartbeat endpoint page template changed
Removing vestigial code (restore-db-password hook script and dbConfig.jose manipulation) from deployment automation
Update 20-restart-sequence.sh script to skip rebuild index when no index changes
Implemented Kubernetes Infrastructure Agent for New Relic
Fixed showing a few SharedResourceWarnings in ArgoCD UI
Updated to address Log4Shell vulnerabilities
Update logstash to 7.16.2
ElasticSearch image updated to 7.16.2
Kibana updated to 7.16.2
Added Open Token Adapter Integration Kit to server profile for PingFederate SSO
Patched default PF agentless adapter IK
Upgraded PingFederate to v10.3.5 to resolve security vulnerability SECADV029 and SECBL021
Turned off pod logs from going into NewRelic

Changes:

PDO-1350 PingAccess proactively remove temp file that causes upgrade to fail
PDO-1676 Deploy Kubernetes Infrastructure Agent for New Relic
PDO-2223 Heartbeat endpoint page template changing
PDO-2368 Refactored IK download script to use artifact-list.json as the single source of truth for all PF IKs
PDO-2410 PA-WAS: parse multiline logs
PDO-2432 Update cluster tools to latest version: argocd to v2.1.6
PDO-2534 SigSci WAF: run the SigSci agent as a sidecar container in the Nginx-ingress-controller pod
PDO-2895 Update PF upload artifact script to support Standard IKs
PDO-2921 SigSci WAF: create public ingresses for admin endpoints
PDO-2928 Add support for enabling rate limiting in PA and PA-WAS
PDO-2937 Change 'Replica __ {}' metric's names to match the other metric's names template
PDO-2938 Added regional custom-patches.yaml as an extension point to customize configuration for a specific region
PDO-2962 Added new PA sideband logs to SIEM Integration
PDO-2965 Refactor NewRelic APM agents to use Secret located in 'newrelic' namespace
PDO-2978 Integrate latest New Relic namespace changes in Beluga 1.12
PDO-2988 Increased metadata pod timeoutSeconds probe to 3 seconds for liveness & readiness
PDO-2991 SigSci WAF: Update SigSci sidecar resource limit & requests
PDO-2993 Add "ttlSecondsAfterFinished: 30" to all ping product and Kibana jobs so its pods get reaped upon completion
PDO-2996 Removing vestigial code (restore-db-password hook script and dbConfig.jose manipulation) from deployment automation
PDO-3003 Update 20-restart-sequence.sh script to skip rebuild index when no index changes
PDO-3058 CSD upload file changed from .zip-zip format to .zip
PDO-3087 Enhance default PingFederate user to support password change and policies by default
PDO-3092 Force all jobs and cronjobs of Ping products to use non-root
PDO-3091 Fixed role association on gateway objects created in P14C and PF authentication policy issue for MyPing E2E flow
PDO-3102 Fix offline replication configuration error when config.ldif has line wrappings
PDO-3109 Fix code generation script to only use the SSH-RSA host keys for GitHub
PDO-3110 Make code generation script more resilient to invalid values for IS_GA and IS_MY_PING SSM parameters
PDO-3115 Remove OOTB Integration Kits for PingFederate
PDO-3137 Support SSO for multiple PA admin applications per environment
PDO-3145 Fixed MyPing admin SSO errors caused due to intermittent DNS resolution issues
PDO-3175 ArgoCD UI shows a few SharedResourceWarnings
PDO-3179 Argocd failing to deploy newrelic namespace from scratch and shows 3 newrelic resources as out of sync
PDO-3196 Fix Security Vulnerability CVE-2021-44228 by patching Log4j2 files
PDO-3218 Updating images for Log4Shell security vulnerability
PDO-3243 Upgrade New Relic Java Agent to 6.5.2 to address Log4Shell Vulnerability
PDO-3266 Upgrade Logstash version to 7.16.2 for patches to the log4j2
PDO-3265 Upgrade Elasticsearch version to 7.16.2 for patches to the log4j2
PDO-3333 Fix Kibana showing an error 'We encountered an error retrieving search results
PDO-3352 Add Open Token Adapter Integration Kit to server profile for PingFederate SSO
PDO-3393 Default Agentless adapter kit deployed has known vulnerabilities
PDO-3401 Upgrade PingFederate to v10.3.5 to resolve security vulnerability SECADV029 and SECBL021
PDO-3513 (BugFix) Logstash crashlooping due to updated plugin dependencies
PDO-3764 Turn off pod logs from going into NewRelic
PDO-3782 Encrypt K8s StorageClass

1.11.0

Enabled PingAccess Admin SSO for MyPing customers
Fixing P14C issuer URL to not have newlines so PA pods do not fail to start up
Updated p14c-integration image to 1.0.29
Updated PA to 6.3 to support SSO through P14C (for administrator users) and SSO through PingFederate (for customer users)
Configured all Ping applications to use the DevOps user/key retrieved through the Discovery service as defaults
Updated the P14C bootstrap image to query the platform event queue for future updates to MyPing parameters
Fixed PD Grafana dashboard, 'Replication Backlog' metric with changeable UserBaseDN env var
Fix PF's run.sh to not map SIGTERM to SIGKILL
Added the ability to roll out PF/PA/PA-WAS admin and engines separately
Upgraded newrelic-tags-exporter to version 1.0.5
Increase memory for FluentD to avoid memory issues in GA deployments
Fixed error in run.sh when New Relic key isn't provided
Updated cert-manager from v0.10.1 to v1.5.3
Added New Relic support for PingCentral
Decreased log level for argocd
Updated Pingcentral image version to 1.0.20
Added support for PingCentral application performance metrics through the NewRelic APM agent
Support PA database changed from H2 to Apache Derby
Updated starter configuration to use LE production server for all GA and MyPing customers
Fixed Pod startup errors due to Prometheus not being able to find jmx_export_config.yaml
Added PD startupProbe with replication backlog check
Update cluster tools to version: cluster-autoscaler (1.20.0)
Update kibana index mappings

Changes:

PDO-1668 Fixing P14C issuer URL to not have newlines so PA pods do not fail to start up
PDO-2401 create a new hook script "10-download-artifact.sh.post" in the PF image
PDO-2412 Decrease ArgoCD log level
PDO-2433 Updated cert-manager from v0.10.1 to v1.5.3
PDO-2599 Updated starter configuration to use LE production server for all GA and MyPing customers
PDO-2753 PF Admin SSO Revert script update
PDO-2758 Enabled PingAccess Admin SSO for MyPing customers
PDO-2791 Added a script to update server profile code from one version of Beluga to another
PDO-2810 Added a license pre-hook script that configures the DevOps user/key to use for product licenses
PDO-2811 Change the default for the DevOps USER/KEY to SSM paths
PDO-2826 Add replication backlog check to PD readiness check
PDO-2837 P14C liveness probe hitting wrong URL
PDO-2846 Updated PA to 6.3
PDO-2872 Support PA database changed from H2 to Apache Derby
PDO-2874 Updated the P14C bootstrap image to query the platform event queue for future updates to MyPing parameters
PDO-2878 Update newrelic-tags-exporter image version to 1.0.5
PDO-2885 Provide the ability to update PA/PF admin independent of engines
PDO-2919 Fix PF's run.sh to not map SIGTERM to SIGKILL
PDO-2935 Increase memory for FluentD to avoid memory issues in GA deployments
PDO-2936 Error in run.sh when New Relic key isn't provided
PDO-2941 Add New Relic support for PingCentral
PDO-2950 Fixed error in PingDirectory's utils.lib.sh for USER_BASE_DN that's 1-level deep, e.g. o=data
PDO-2958 newrelic-tags-exporter container crashes if 'entitlements' configmap not found
PDO-2986 Fixed issue with P14C bootstrap image where k8s resource data for SSM params are deleted on param update
PDO-2989 Add the Beluga version to the cluster-state and profile repos in a version.txt file
PDO-2990 Pod startup errors due to Prometheus not being able to find jmx_export_config.yaml
PDO-3027 Update cluster tools to version: cluster-autoscaler (1.20.0)
PDO-3037 Update PF audit Kibana index mapping
PDO-3038 Update PA audit Kibana index mapping

1.10.0

Deploy PingCentral in P1AS customer hub clusters
PA-WAS now verifies each individual Application exists on restarts and upgrades
PingDirectory health checks are now performed via HTTPS
Update a few supporting cluster tools to their latest versions
Beluga maintained container images with built in hook scripts
Server profiles are now seeded into a separate repository for partner access
Add Elasticsearch wait init container to kibana manifest
Updated cluster-autoscalar memory request/limit to 512 MB
Fixed PD Grafana dashboard, 'Replication Backlog' metric
Updated p14c-integration image to 1.0.28
Upgraded PingDirectory to version 8.3.0.0
Upgraded PingFederate to version 10.3.1
Modify all P1AS apps to use user_id:group_id => 9031:9999
Remove NATIVE_S3_PING as a supported JGroups discovery protocol for PF clustering
Enabling access to the PingCentral Admin UI via PingAccess WAS
Move DA Configuration to offline mode within PD
Update images to pull from ECR

Changes:

PDO-700 Deploy PingCentral in P1AS customer hub clusters
PDO-1739 Migrate to Beluga container images
PDO-2208 Change "apiVersion" for ingress resources in ping-cloud-base
PDO-2386 Improve upgrade of PA-WAS by making idempotent
PDO-2387 Remove the nginx annotation service-upstream from all ingresses
PDO-2430 Update cluster tools to latest version: cluster-autoscaler (1.17.4)
PDO-2434 Update cluster tools to latest version: sealed-secrets-controller (0.16.0)
PDO-2435 Update cluster tools to latest version: external-dns (0.8.0)
PDO-2445 Logstash date parsing errors
PDO-2462 Update cluster tools to latest version: Kibana (7.13.2)
PDO-2463 Update cluster tools to latest version: Elasticsearch (7.13.2)
PDO-2465 Update cluster tools to latest version: metrics-server (v0.5.0)
PDO-2468 Update PD healthchecks to use the availability servlet
PDO-2571 Add P1AS Branding to PF Admin Console
PDO-2623 Separate the server profiles into its own repository for partner enablement
PDO-2624 Restore and backup PingCentral encryption key file from S3
PDO-2638 Update cluster tools to latest version: Logstash (7.13.2)
PDO-2676 Update the push-cluster-state.sh script to push seed code into the new profile-repo
PDO-2686 Provide a wrapper script in the profile-repo to update profiles from one version to another
PDO-2687 Update update-cluster-state-wrapper.sh to seed initial customer-hub code into the CSR
PDO-2700 Fix inconsistency in "newrelic-tags-exporter" init container between PA/PF/PD
PDO-2705 NR agent could crash if config file contains empty tag values (Config Syntax Error))
PDO-2708 Fix image tag kustomization in the CSR for P1AS app images
PDO-2709 Decommission the JFrog pull cache and use public ECR for all images
PDO-2713 Change PingCentral application password
PDO-2715 Move DA Configuration to offline mode within PD
PDO-2717 Adapt the Discovery service to retrieve the PingCentral database details from SSM
PDO-2718 Allow MyPing image tags to be Kustomizable
PDO-2721 Logstash index template didn't create during deployment
PDO-2728 Update p14c-integration docker images in ping-cloud-base
PDO-2739 Press more app-specific concerns into the images instead of exposing them in the profile-repo
PDO-2741 Update cluster-autoscalar memory request/limit to 512 MB
PDO-2740 No data on PD Grafana dashboard, 'Replication Backlog' metric
PDO-2754 Remove NATIVE_S3_PING as a supported JGroups discovery protocol for PF clustering
PDO-2763 Wrong way of retrieving NR account_type tag data
PDO-2764 Upgrade PF to version 10.3.1
PDO-2779 Implement CloudWatch for PingCentral Log Files
PDO-2788 Upgraded PingDirectory to version 8.3.0.0
PDO-2789 Force PingCentral to communicate to RDS using SSL connection
PDO-2794 Enabling access to the PingCentral Admin UI via PingAccess WAS
PDO-2806 Ensure that profile changes are being applied on a restart
PDO-2807 Add a public NLB in the customer-hub VPC for the metadata service
PDO-2814 Modify all P1AS apps to use user_id:group_id => 9031:9999
PDO-2830 Set PingCentral k8s deployment strategy to Recreate
PDO-2832 Move PingCentral v1.8.0 from edge to a stable tag
PDO-2849 Reuse environment variables in the env_vars file in the CSR as much as possible
PDO-2851 Cleanup PingCentral application.properties file
PDO-2869 Change PingFederate v10.3.1-edge image tag to a stable version
PDO-2916 Enable/or disable PingCentral development endpoints using an environment variable

1.9.3

Fix a PingDirectory crash caused by the offline-enable hook script after a restart
Remove PingFederate-P14C-Init container from secondary region
Updated p14c-integration image to 1.0.24
Update prometheus-json-exporter image to 1.0.3
Upgraded PingFederate to version 10.2.4
Capture additional logs from rebuild-index within PD
Fixed hook script issue with updated collect-support-data tool

Changes:

PDO-2631 Upgrade PF to version 10.2.4
PDO-2637 PingDirectroy crashloops on restart in the offline-enable hook script
PDO-2661 Remove pingfederate-p14c-init container in secondary
PDO-2668 Update p14c-integration docker images in ping-cloud-base to v1.0.23
PDO-2688 Use latest prometheus-json-exporter image
PDO-2689 Capture additional logs from rebuild-index within PD
PDO-2690 Updating the PD and PF 82-upload-csd-s3.sh hook scripts to work with the updated collect-support-data tool
PDO-2723 Update p14c-integration docker images in ping-cloud-base to v1.0.24

1.9.2

P14c-oauth and p14c-bom controllers now restart when pingone api is inaccessible
Preserve PingDirectory descriptor.json across CSR updates
Added entitled-app: "true" label to PingFederate Admin and PingAccess Admin
Updated p14c-integration image to 1.0.22
Updated p14c-bootstrap image to 1.0.9
Fixed external access to the PingFederate admin API
Removing pf-referenceid-adapter-2.0.1.jar if it is found on the filesystem
DA now creates its own Identity Mapper within PD
Fixed issue with DA IDP Adapter Grant Mapping to handle Persistent Grant Extended Attributes
Updated PF heap settings to match 1.7.2 values

Changes:

PDO-2203 Add liveness probe to p14c-oauth and p14c-bom controllers
PDO-2285 Narrow Kube watch pods for Bom Controller
PDO-2431 Update to use ingress-nginx/controller:v0.46.0
PDO-2539 Preserve PingDirectory descriptor.json across CSR updates
PDO-2578 Updated p14c-integration image to 1.0.20 and p14c-bootstrap image to 1.0.9
PDO-2579 Update to use skbn v1.0.1
PDO-2607 Fix external access to the PingFederate admin API
PDO-2609 Removing pf-referenceid-adapter-2.0.1.jar if it is found on the filesystem
PDO-2633 DA now creates its own Identity Mapper within PD
PDO-2639 Update p14c-integration docker images in ping-cloud-base to v1.0.21
PDO-2641 Fixed issue with DA IDP Adapter Grant Mapping to handle Persistent Grant Extended Attributes
PDO-2645 Fix PF product Heap Variable Settings to return to 1.7 values
PDO-2665 My Ping Trial deployment failure RCA - Workforce solution - p14c-e2e-reliability267-271

1.9.1

Fixed Elasticsearch cluster not able to select a primary
Removed duplicate PingDelegator logs from CloudWatch
Reduced log output on curl calls
Fixed the problem where PingFederate fails to crashloop pods when artifact-list.json contains improper json
Added the pingfederate-p14c-init container to PingFederate engine nodes so that integration kits are deployed on engines
Updated fluentd to aggregate multiline log messages

Changes:

PDO-2243 Remove duplicate messages from PingDelegator's access.log
PDO-2308 Update PD liveness check to use an absolute path
PDO-2335 PingFederate fails to crashloop pods when artifact-list.json contains improper json
PDO-2399 Multi-line logs not displaying in CW properly
PDO-2413 Remove curl progress output from logs
PDO-2439 Elasticsearch log level to warn
PDO-2490 Allow auto-expansion of all volumes (Elastic logging, PD, and PA/PA-WAS/PF admins)
PDO-2507 NS 2 - Missing integration kit file in the node on CIAM environment

1.9.0

Add PingDelegator 4.4.1 as a new application in P1AS
Upgraded PingFederate to version 10.2
Upgraded PingDirectory to version 8.2.0.4
Option to enable Delegated Admin
Provisioned Workforce/Customer 360 Plugins (PF Trial)
Added a metadata service to display Ping Cloud metadata component versions
Added PingFederate NewRelic APM Agent

Changes:

PDO-1133 Multi-Region Kubernetes DNS
PDO-1606 DA - Create k8s ingress resource
PDO-1607 DA - Create k8s service
PDO-1608 DA - Create k8s Deployment
PDO-1609 DA - Create a liveness and readiness probe
PDO-1610 DA - Create PingDelegator environment variables configmap
PDO-1612 DA - Integrate PingDelegator logs with AWS CloudWatch
PDO-1615 DA - customizations to Ping Cloud templates
PDO-1621 Add a metadata service to display Ping Cloud metadata component versions
PDO-1638 Upgrade PF to 10.2
PDO-1639 Beluga k8s stack fails to build with customize version >= 3.9
PDO-1669 Provision Workforce/Customer 360 Plugins (PF Trial)
PDO-1704 DA - Integrate PingDelegator with PingFederate
PDO-1721 MyPing -> Ping Cloud bootstrap secrets and configuration
PDO-1758 Create the OAuth client services controller Deployment object
PDO-1771 Add access control to ECR registries in CSG AWS account
PDO-1773 ECR: ensure that untagged images get periodically cleaned up
PDO-1775 Change the JSON for the metadata service to future proof it for additional metadata
PDO-1777 DA - Move docker image to JFrog registry
PDO-1788 DA - Integrate PingDelegator with PingDirectory
PDO-1801 Image tag customization broke in v1.7
PDO-1802 Performance degradation of git-ops-command.sh due to PDO-1578
PDO-2072 Provide patch for increasing header-size on public nginx for Kerberos
PDO-2098 Change the image repo for the Ping Cloud monitoring image
PDO-2122 Remove waiting on pingdirectory-0 to speed up PF bootstrap on rolling updates
PDO-2124 ALL_MIN_SECRETS_FOUND not set when running update cluster script
PDO-2130 DA: Create ConfigMap and Secrets to hold common variables for DA, PF, and PD
PDO-2133 Add custom-patch-sample for schedule edits of corncobs into custom-patch-sample.yaml
PDO-2134 Setup NR Agent for PF
PDO-2135 Setup tags for PF APM NR
PDO-2175 Public URL for variable PD_HTTP_PUBLIC_HOSTNAME is not set in PingCloud
PDO-2225 p14c-bootstrap k8s: add IRSA to new Ping service account
PDO-2234 Remove MyPing controllers from secondary regions
PDO-2236 Remove Daily encrypted exports run in PD - redundant as backups are already taken to S3
PDO-2252 Rebuild the indexes before starting/restarting the server
PDO-2253 DA: Integrate administrator as the default Delegated Admin
PDO-2254 ArgoCD: enable auto-pruning to prevent OutOfSync issues on update
PDO-2261 Decrease PD cpu in medium/large to support new relic pods
PDO-2279 Create PodDisruptionBudget for PF Runtime
PDO-2280 Create PodDisruptionBudget for PA Runtime
PDO-2281 Create PodDisruptionBudget for PD
PDO-2296 Custom secrets printed in startup log
PDO-2306 Long-running PD pods being OOMKilled when there is no user activity
PDO-2314 Set data backups for PA/PF to run at the half-hour mark
PDO-2316 Metadata pod crashing due to resource pressure
PDO-2319 Upgrade script replaces custom-resources and custom-patches
PDO-2320 Run PD periodic backup processes at different times to mitigate OOMKills
PDO-2322 Add sealed-secrets annotation to argocd-secret
PDO-2323 Hook script failed to get pod metadata when pod suffix is double digit
PDO-2336 Adjust pod sizes. Pods being OOMKilled in dev environments
PDO-2338 PD throws LDAP exception when PF initially deploys
PDO-2371 Upgrade DA and PD images
PDO-2391 Fix ACI causing UI warning in DA
PDO-2395 Enable DA Sessions
PDO-2415 Update to turn acl flag on for native s3
PDO-2474 PF-admin is crashing at start-up after running environment upgrade

1.8.3

Increase PD pod resources to account for ad-hoc java processes
PDO-2178 PingDirectory Pods - backup processes cause pod restarts

1.8.2

Fixed PingFederate issue where LDAP stores added after initial bootstrap were getting removed on restart.
PDO-2125 Data loss in PF on pod rolling

1.8.1

Fixed PingFederate to not allow back-channel access after revoking persistent session
Decreased CPU requests and limits of the PingDirectory stunnel sidecar container
Fixed the update-cluster-state-wrapper.sh script to preserve customer size

Changes:

PDO-1712 PingFederate back-channel access available even after revoking persistent session
PDO-2068 Evaluate pod sizing for small deployment sizing
PDO-2086 RESET_TO_DEFAULT flag of update CSR script not preserving customer size
PDO-2094 PingDirectory backup for large backup files fails

1.8.0

Upgraded PingFederate to 10.1.4
Standardized CSD export naming convention to an easily retrievable name
Added periodic CSD log collection for PingAccess WAS admin and engines
Added Grafana dashboards for PingFederate and PingAccess
Changed the default environment size to x-small for dev and test environments to reduce costs
Replaced FluxCD with ArgoCD as the continuous delivery tool
Enabled IAM Roles for Kubernetes Service Accounts (IRSA) to pare down pod permissions

Changes:

PDO-1030 Expose the relevant Operation Data from PingFederate through a JMX exporter
PDO-1031 Expose the relevant Operation Data from PingAccess through a protocol that can be consumed by Prometheus
PDO-1032 Import PingFederate Operation Data to Prometheus
PDO-1033 Import PingAccess Operation Data to Prometheus
PDO-1388 Standardize CSD Export naming convention to an easily retrievable name
PDO-1390 Collect CSD data for pingaccess-was and pingaccess-was-admin
PDO-1533 Count relevant Operational Data for PingFederate from existing logs
PDO-1536 Count relevant Operational Data for PingAccess from existing logs
PDO-1539 Deploy a very small deployment size as the default for dev/test
PDO-1564 Add ArgoCD as the continuous delivery tool in Ping Cloud environments
PDO-1569 Enable IRSA for K8s Pods to use AWS IAM role
PDO-1570 Configure PA-WAS to proxy to the ArgoCD UI
PDO-1578 Allow more granular upgrades of ping applications
PDO-1664 Fix edge-case errors with push-clouster-state.sh
PDO-1671 PingCloud deployments of Stage CDE needs to be the same size as Prod
PDO-1722 Update PD k8s configs to use PD labels only in production
PDO-1747 Set up a pull cache for ArgoCD images from docker.io in the JFrog mirror
PDO-1770 Update SIEM logstash/elasticsearch images from using JFrog to ECR
PDO-1799 Upgrade PF to 10.1.4
PDO-1812 improper shutdowns of PF not cleaned up
PDO-1821 Upload json_exporter Docker image to ECR
PDO-2025 PA engine crash looping due to excessive public key creation
PDO-2042 Change the staging directory for restore to not use the tmp file system
PDO-2058 PD fails when changing out USER_BASE_DN
PDO-2061 PA post-start failure does not stop the server as intended
PDO-2066 Update script not handling files with spaces in the name

1.7.2

Decreased stunnel cpu resources
Fixed the seal.sh script, which was broken when the IRSA environment variable was made regional in v1.7.1

Changes:

PDO-2068 Evaluate pod sizing for small deployment sizing
PDO-2067 seal.sh script broken

1.7.1

Added a script to update the cluster-state repo from one release to another
Provide extension points within k8s-configs for PS/GSO customizations

Changes:

PDO-1397 Add a script to update the cluster-state repo from one release to another
PDO-1663 Templatize the env_vars files generated by the generate-cluster-state.sh script
PDO-1746 Provide extension points within k8s-configs for PS/GSO customizations

1.7.0

GSA images can now be pulled via the JFrog registry instead of DockerHub to prevent throttling limits
Added PA log collection for SIEM
Automated deployment of PA and PF customer license keys
Updated PA-WAS, PF, and PA
Reduced logging noise

Changes:

PDO-1357 Rename PD CSD Exports to an easily retrievable name
PDO-1362 PA log Collection for SIEM
PDO-1376 Rewrite SIEM filters for PD to work with log files
PDO-1384 Ensure PD pods run on PD nodes
PDO-1385 Always import PA admin config query key-pair on start/restart
PDO-1389 Remove unused secrets for Kibana, Grafana, and Prometheus from ping-cloud-base
PDO-1421 Automate deploying the customer license key for PingFederate
PDO-1425 Automate deploying the customer license key for PingAccess
PDO-1426 Automate configuring PingAccess customer templates
PDO-1469 Reduce config duplication on multi-region deployments
PDO-1481 Update cluster-autoscaler image url and decrease log level
PDO-1482 Decrease cloudwatch-agent log level
PDO-1487 Fix 00-ditstructure and 20-plugin-purge-sessions.dsconfig mismatch
PDO-1493 Fix GLOBAL_TENANT_DOMAIN regardless of how customer is named in the cluster-state-repo
PDO-1497 Upgrade PF to 10.1.2
PDO-1498 Upgrade PA to 6.1.3
PDO-1503 Upgrade PA-WAS to 6.13
PDO-1515 Remove similar log messages from Ping product health checks
PDO-1519 Move secrets to base directory since all regions must share secrets for an environment
PDO-1522 Replace missing memory limits on PD pods and adjust MAX_HEAP_SIZE defaults
PDO-1543 Fix CLUSTER_BUCKET_NAME is not the same between regions for multi-region environments
PDO-1567 Pull GSA images from Frog registry
PDO-1571 Update flux so it only has read-only access to the repo
PDO-1572 Add PA upgrade logs to its own log stream
PDO-1617 Fixed issue with LDAP users on PD being orphaned
PDO-1622 Update flux to not cache docker images
PDO-1631 Move all docker.io registry images to JFrog to avoid rate limit error
PDO-1648 Set ARTIFACT_REPO_URL variable to be region specific

1.6.1

Updated PingDirectory image to 8.1.0.2 so replication initialization does not lock down a new server
Ignoring PingDirectory topology descriptor file in single-region environments
Fixed ability to update PingDirectory license after initial launch

Changes:

PDO-1393: update PingDirectory image to 8.1.0.2 so replication initialization does not lock down a new server
PDO-1494: Ignore PingDirectory topology descriptor file in single-region environments
PDO-1514: Unable to update PingDirectory license after initial launch

1.6.0

Added multi-region support of PD, PF, and PA
Added periodic CSD uploads for PF admin, PA admin/engine
Leveraged topology-aware volume provisioning for all StatefulSets
Added Web Application Firewall to PF/PA admin UIs, Kibana, Grafana and Prometheus
Added SIEM for PingFederate

Changes:

PDO-685 - Deploy PD in each region
PDO-686 - Deploy PF in primary region
PDO-687 - Deploy PF in secondary region
PDO-688 - Deploy PA in primary region
PDO-690 - Deploy PA in secondary region
PDO-884 - Update generate-cluster-state.sh script to support multiple clusters
PDO-885 - Update push-cluster-state.sh script to support multiple clusters
PDO-886 - Update flux configuration to point to the correct directories within the cluster-state-repo for each cluster
PDO-999 - Discovery Service - update generate-cluster-state script to remove variables with cde prefix
PDO-1202 - PingFederate admin now creates and upload CSD regularly
PDO-1203 - PingAccess admin/runtime now creates and upload CSD regularly
PDO-1227 - Leveraged topology-aware volume provisioning for all StatefulSets
PDO-1228 - Added soft affinity to PA/PF Engines for multi-region
PDO-1242 - Enabled cluster communication between peered VPCs
PDO-1252 - Added log level to elastic-stack application
PDO-1259 - Removed PingDataConsole
PDO-1262 - Added custom log function, beluga_log, to server profile hooks
PDO-1270 - Verify config changes can occur with backups and not be deleted from S3 for PF and PA admins
PDO-1273 - PingDirectory - update offline-enable to use cluster communication over peered-VPC vs. NLB
PDO-1277 - PA - update hook scripts of admin and runtimes for runtimes in secondary cluster to join admin using keypair
PDO-1276 - Update pingcommon initContainer for PD/PF/PA/PA-WAS
PDO-1304 - Removed PA-WAS from secondary region
PDO-1309 - Update wait-for-service initContainer to check multiple ports for PD/PF/PA/PA-WAS
PDO-1311 - Fixed issue with warnings about env_vars file during container startup
PDO-1317 - Increased Cert Manager resources to handle multi-region deployments
PDO-1321 - Force PingDirectory in secondary region to wait for PingDirectory in primary region
PDO-1331 - Created a customized hook script to support PA/PA-WAS admin and runtime liveness probe
PDO-1332 - Fixed issue with PF pods becoming unresponsive during endurance
PDO-1334 - Added Web Application Firewall in for PF/PA Admin UIs
PDO-1335 - Added Web Application Firewall in for Kibana, Grafana, Prometheus
PDO-1345 - Update PingCloud to use custom log stash images
PDO-1346 - Fixed SIEM for PF
PDO-1349 - Removed Calico
PDO-1352 - Increased PA Admin requests/limits to enable successful PA version upgrades for dev/test cde environments
PDO-1383 - Added logic to verify provided PD hostname before deploying to multi-region
PDO-1386 - Fixed issue with SIEM logging incorrectly and being sent to CloudWatch
PDO-1391 - Added missing index-pattern for Logstash in ELK
PDO-1396 - Added DNS_PING with MULTI_PING to the groups stack for added reliability
PDO-1412 - Removed the logic in server profile hook that explicitly copies config archive to PF engine drop-in-deployer directory
PDO-1432 - Fixed incompatibility between PA Admin SSO and PA-WAS
PDO-1435 - Fixed Logstash errors in pods
PDO-1440 - Fixed Logstash errors in Kibana
PDO-1453 - Added logic to Fluentd container to only log at error level
PDO-1467 - Fixed multi-region global url into ingress service so multi-region failover works
PDO-1468 - Fixed PD periodic backups from failing
PDO-1474 - PD - fixed replace-profile errors when transitioning from single to multi-cluster
PDO-1480 - After initial launch, scaling up a PD server does not initialize replication data

1.5.0

Added Pingaccess-WAS deployment
Enabled SIEM for PingDirectory
Created Discovery Service for variable discovery across regions
Setup use of SKBN to replace AWS specific implementation

Changes:

PDO-366 - Create K8s Deployment for internal PingAccess
PDO-458 - Fixed PF pods not getting configuration from admin when spun up
PDO-748 - Protect PF Admin UI
PDO-749 - Configure P14C to generate tokens that PA WAS can consume
PDO-753 - Set up PA Internal to allow P14C to act as Token Provider for PingCloud Web/API Security
PDO-754 - Store P14C Token Provider Creds in PingCloud within the CDE
PDO-757 - Protect PA Customer Admin UI
PDO-812 - Protect Prometheus Endpoint
PDO-839 - Discovery Service (Environment Variables for Backup & Log AWS S3 Buckets)
PDO-857 - Edit PD Restore script to use pre/post external initialization of replication in place of scale down/up used currently
PDO-870 - Creating Kibana dashboards
PDO-944 - PD - Use skbn to restore and backup data/log from k8s to s3 bucket
PDO-955 - Fixed dashboards in Grafana broken with EKS upgrade
PDO-959 - Update ping-cloud-base to support EKS v1.16
PDO-961 - PF- Use skbn to download artifact/archive and upload csd logs
PDO-962 - Migration to logstash (instead fluentd)
PDO-963 - Porting fluentd configs to logstash format
PDO-965 - Setting up PD log collection
PDO-966 - Setting up logstash filters
PDO-968 - Setting up logstash outputs (including client-side SIEM env)
PDO-969 - Creating enrichment service
PDO-973 - Creating Bootstrap engine
PDO-975 - Protect Grafana Endpoint
PDO-976 - Expose PD REST API
PDO-977 - Expose PD SCIM API
PDO-987 - PA - Use skbn to download and restore backup
PDO-1001 - Default PF Admins to Audit Only
PDO-1002 - Configure PA WAS hardware and scaling requirements for multi-region
PDO-1014 - Host skbn executables on AWS object storage service (S3 bucket)
PDO-1022 - PF - Recover to a specified recovery point
PDO-1037 - Fixed default PF thread count incorrect
PDO-1045 - Elastic stack improvements
PDO-1086 - Fixed PingFederate tried to start before a temporary instance had fully shut down.
PDO-1087 - Synchronize supported features for PA and PF backup/restore
PDO-1137 - Fixed Sealed-Secrets-Controller fails to generate xls cert resulting in inability to seal/unseal secrets stored for our deployment in New Launch environments
PDO-1188 - Fixed logging in 10-configuration-overrides to provide better diagnostic information.
PDO-1193 - 1.5: Update PD Docker Images to specified docker image and product version
PDO-1194 - 1.5: Update PF Docker Images to specified docker image and product version
PDO-1195 - 1.5: Update PA Docker Images to specified docker image and product version
PDO-1197 - 1.5: PA upgrade with existing data is busted due to Docker image update
PDO-1213 - Update critical dependencies for the v1.5 release
PDO-1223 - Logging improvements to deployment automation hook scripts
PDO-1251 - external-dns application log level
PDO-1293 - Fixed PF Pods not responding to requests
PDO-1303 - Fixed PF_LOG_LEVEL should be set to INFO by default and be overridable
PDO-1318 - Fixed probe/liveness timeouts
PDO-1320 - Fixed PF/PA audit log rotation
PDO-1322 - Fixed PF pods become unresponsive during endurance

1.4.3

Resolved an issue prevent access to server profiles

Changes:

PDO-1150 - Need variable replacement added for new secrets.yaml files so need .tmpl extension added in ping-cloud-base

1.4.2

Fixed ingresses to force HTTP traffic to be redirected to HTTPS
Fixed a data loss issue in PingFederate admin that was caused by switching it to use a persistent disk
Fixed a typo in PingDirectory's BACKENDS_TO_BACKUP environment variable
Fixed the base DN to point to the right backend in PingDirectory's purge-sessions script

Changes:

PDO-845 - PingDirectory purge-sessions script set up to use incorrect DN for the backend to be purged
PDO-1119 - Data loss caused by switching PingFederate admin to use a persistent disk
PDO-1123 - Fix typo in PingDirectory BACKENDS_TO_BACKUP environment variable
PDO-1124 - HTTP ingress traffic should be redirected to use HTTPS

1.4.1

Changed PingAccess 'podManagementPolicy' to 'OrderedReady' to support zero-downtime update of engines
Fixed encryption errors encountered while restoring PingDirectory user and operational data from backups
Disabled automatic key renewal on the Bitnami sealed-secrets controller

Changes:

PDO-1083 - PingAccess podManagementPolicy 'Parallel' tears down all engines at the same time
PDO-1089 - Attempt to restore backups made after changing encryption-password for PingDirectory fails
PDO-1092 - CI/CD cluster's capacity reduced by half due to PingFederate limit changes in base
PDO-1095 - Bitnami sealed-secrets controller rotates keys every 30 days

1.4.0

Updated Container Insights to silo each product log file into log streams
Allow pre-launch configuration to be customized for PingFederate
Added support for in-place upgrade of the PingFederate admin server
Added support for PingAccess artifact service
Changed the PingAccess file and database passwords from its default value
Downsized PingDirectory persistent volume to reduce cost
Updated PingDirectory deployment automation to remove its persistent volume on scale-down to reduce cost

Changes:

PDO-334 - Deploy PingAccess kits, plugins & jars
PDO-335 - Update PingAccess kits, plugins & jars
PDO-337 - Upgrade PingFederate to a later version
PDO-504 - Allow pre-launch configuration to be customized for PingFederate
PDO-585 - Change the default PingAccess file and database passwords
PDO-679 - Expose prometheus outside of EKS
PDO-790 - PingDirectory sizing changes to reduce cost
PDO-822 - Clean-up PVCs on PingDirectory pod scale-down
PDO-842 - Configure Container Insights to capture more logs for all Ping Products
PDO-988 - Need to find workaround for PingDirectory failing to join topology due to duplicate entries
PDO-1005 - PingDirectory SDK DEBUG logging should be disabled by default
PDO-1007 - PingFederate utils method using wrong password when making admin API requests
PDO-1008 - Add limits to PingDirectory's stats-exporter container
PDO-1009 - PingFederate log4j2.xml org.sourceid using invalid variable
PDO-1041 - Set limits on every Beluga deployment/statefulset spec
PDO-1053 - Inconsistent PingAccess Artifacts between admin and engine pods
PDO-1054 - Change imagePullPolicy to "ifNotPresent" across the board
PDO-1058 - PingDirectory 3rd server cannot join the cluster topology
PDO-1060 - Fix PingFederate liveness probe to better represent server state
PDO-1061 - Allow NLB(s) to support cross-zone load balancing
PDO-1067 - PingFederate admin cannot establish a connection to PingDirectory
PDO-1068 - Set the artifact list to download the useful and common plugins for PingFederate
PDO-1069 - Default PingFederate runtime pod sizing

1.3.2

Fixed PingDirectory deployment automation to replace the server profile fully so that environment variable changes are always honored
Fixed PingAccess deployment automation such that the Backup CronJob does not crash the admin server

Changes:

PDO-928 - Workaround for DS-41964: replace-profile does not honor environment variable changes
PDO-930 - Output managed-profile logs to the container console on failure
PDO-949 - PingAccess backup CronJob does not wait for admin to be ready and crashes admin

1.3.1

Fixed PingAccess engine flapping due to HPA and Flux interfering with each other
Fixed PingAccess deployment automation to enable verbose logging only if VERBOSE is true
Fixed PingDirectory backup to include PingFederate data under the o=appintegrations backend
Fixed PingDirectory rolling update to preserve the server's MAX_HEAP_SIZE setting
Fixed PingFederate restore job to not fail if there are too many backup files

Changes:

PDO-845 - Purge sessions script purging wrong backend
PDO-846 - Setting minReplicas 1 and maxReplicas 2 for PingAccess HPA causes second PA pod to cycle
PDO-847 - PF Admin default bootstraping if S3 contains too many files
PDO-862 - PA Pod horizontal auto-scale cycling too quickly under load
PDO-900 - PA automation - enable verbose logging only if VERBOSE is true
PDO-903 - PD backup does not include PF data under o=appintegrations
PDO-916 - PD deployment automation: running replace-profile drops JVM heap space down to 384MB

1.3.0

Added support for PingAccess deployment automation, including initial deployment of a cluster, auto-scaling, auto-healing of failed admin and engine instances, encrypted backup of the master key for disaster recovery upon instance and AZ failure
Added the ability to capture and upload PingFederate CSD archives to S3, if using AWS
Updated PingDirectory from 8.0.0.0 to 8.0.0.1
Updated PingFederate from 10.0.0 to 10.0.1
Updated cluster-autoscaler from v1.13.9 to v1.14.4
Added the ability to define service dependencies between Ping application using the WAIT_FOR_SERVICES environment variable

Changes:

PDO-143 - Recover from a disaster that occurs within an existing PingAccess deployment
PDO-256 - Create K8s clustered deployment for PingAccess Admin and Engines
PDO-322 - PA Clustered engine Auto-Scaling Descriptor
PDO-376 - PA Periodically backup config
PDO-521 - Master Key Delivery Interface for PA
PDO-529 - Disable replication for all base DNs on pre-stop
PDO-533 - Switch to PA 6.0.1 version
PDO-630 - PingAccess - creating and updating engine certificates
PDO-631 - Look into removing PingAccess server profile wait functions
PDO-629 - PingAccess is forced to restart upon uploading engines keypair certificate
PDO-653 - Extract PingAccess heap sizes into environment variables
PDO-701 - Configure PingAccess Engines to use serviceAccount RBAC
PDO-723 - WAIT_FOR_SERVICES to define service dependencies
PDO-737 - PF CSD logs persistence to S3 bucket
PDO-743 - PingAccess crashes upon new deployment
PDO-750 - Switch to PF 10.0.1 version
PDO-751 - Switch to PD 8.0.0.1 version
PDO-752 - PD Pod Image Upgrade Broken Due To Incompatible JVM Settings
PDO-771 - Wonky issue where pingdirectory-0 pod somehow lost its password file on upgrade from v1.2.0 to v1.3.0
PDO-776 - PingAccess 81-import-initial-configuration script isn't checking to see if keypair already exists
PDO-792 - PingAccess upload configuration to S3 after successful deployment
PDO-793 - Manual PD Backup fails
PDO-794 - Redact log passwords for PingFederate and PingAccess
PDO-795 - PW change to PA Causes Issues with Kubernetes
PDO-797 - Periodic Upload of PF CSD Logs Failing
PDO-810 - Cherry Pick from Master - Update PF deployment automation to upload data.zip to s3 upon start/restart
PDO-816 - Upgrade cluster-autoscaler version to 1.14.x
PDO-817 - Add pod anti-affinities for each ES pod to be deployed to a separate node and potentially separate AZ
PDO-810 - Wait for the admin API to be ready before uploading data to s3
PDO-820 - Force pod restart on PA API call failure

1.2.0

Added support for P14C pass-through authentication so customer IAM admins can login to PingFederate using their CAP credentials
Reconfigured PingFederate admin authentication to use LDAPS
Enabled replication for o=platformconfig and o=appintegrations, where PingFederate administrative data is stored

Changes:

PDO-624 Reconfigure PF admin authentication to use LDAPS
PDO-648 Write a pre-parse PingDirectory plugin for P14C pass-through authentication
PDO-649 Enable replication for ou=admins,o=platformconfig on ping-cloud-base
PDO-650 Add dsconfig to PD server profile for the pre-parse and pass-through auth plugins
PDO-678 The appintegrations backend is not being replicated

1.1.1

Added the ability to override heap size of PingDirectory via MAX_HEAP_SIZE environment variable
Added the ability to set TLS versions and ciphers for the LDAPS endpoint via environment variables
Added the ability in PingDirectory to automatically enable/initialize replication after baseDN is updated
Added the ability to specify the user data backup file to restore from S3
Added the ability to specify the PingDirectory server from which to back up user data to S3
Fixed PingDirectory extensions to default to public if something incorrect is entered
Fixed PingFederate administrative configuration to import on all PingDirectory servers instead of first server only
Fixed sealed secrets to not overwrite secrets if they already exist

Changes:

PDO-561 PF administrative configuration (e.g. admin users) were only being imported on the first PD server
PDO-564 PD extensions default to public even if something incorrect is entered
PDO-568 PD updates to USER_BASE_DN should automatically enable/initialize replication for that baseDN
PDO-578 Sealed secrets do not overwrite secrets if they already exist
PDO-611 Unable to set TLS version and ciphers for the LDAPS endpoint via environment variables

1.1.0

Added a Kubernetes CronJob for periodic backup of PingDirectory user data to S3, if using AWS
Added a Kubernetes Job for manual backups of PingDirectory user data to S3, if using AWS
Added a Kubernetes Job for restoring PingDirectory user data from S3, if using AWS
Added support for installing and updating PingDirectory extensions, similar to PingFederate kits
Separated the PingFederate admin configuration from customer end users in the PingDirectory DIT
Organized the cluster state repo into branches for different environments instead of a single master branch with directories for each environment

Changes:

PDO-305 PD extensions are installed correctly
PDO-306 PD extensions are updated correctly
PDO-311 Able to change all user passwords for each tenant environment
PDO-312 Able to install product licenses for each tenant environment
PDO-314 Provide method and documentation to encrypt secrets at rest
PDO-434 Add support for periodic backup of PD user data to S3
PDO-435 Add a Job for restoring PD user data from S3
PDO-436 Add a Job for backing PD user data to S3 for ClickOps
PDO-470 Separate PD/PF profile config from data
PDO-514 Provide a push-cluster-state.sh script that organizes cluster state repo into branches

1.0.0

Added support for PingDirectory deployment automation, including initial setup of a replication topology, scaling, auto-healing of failed instances, backup/restore for disaster recovery upon instance and AZ failure and periodic collection of CSD archives
Added support for PingFederate deployment automation, including initial deployment of a cluster, auto-scaling, auto-healing of failed admin and engine instances, encrypted backup of the master key for disaster recovery upon instance and AZ failure

Files

Changelog.md

Latest commit

History

Changelog.md

File metadata and controls

Changelog

1.18.0.0

1.17.0.0

1.16.1.0

1.16.0.1

1.16.0.0

1.15.1.0

1.15.0.1

1.15.0.0

1.14.1.0

1.14.0.1

1.14.0.0

1.13.0

1.12.0

1.11.0

1.10.0

1.9.3

1.9.2

1.9.1

1.9.0

1.8.3

1.8.2

1.8.1

1.8.0

1.7.2

1.7.1

1.7.0

1.6.1

1.6.0

1.5.0

1.4.3

1.4.2

1.4.1

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.1

1.1.0

1.0.0