> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ditto.live/llms.txt
> Use this file to discover all available pages before exploring further.

# Release Notes

<Update label="v0.17.1" description="Release Date: w/c Jul 3, 2026">
  **Ditto Operator 0.17.1 adds an Azure Blob Storage attachment backend.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Azure Blob Storage attachment backend (`spec.attachments.backend.azure`) supporting Azure Workload Identity and a storage-account access key
</Update>

<Update label="v0.17.0" description="Release Date: w/c Jul 1, 2026">
  **Ditto Operator 0.17.0 standardizes status reporting across all Big Peer CRDs with Kubernetes-style conditions, `observedGeneration`, and `kubectl` printer columns.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * The `status` of every Big Peer CRD now reports per-component conditions, derived `Ready` / `Degraded` conditions, and `observedGeneration`, and exposes `kubectl get` printer columns
    * `BigPeer.status`: `KafkaReady`, `BigPeerStoreReady`, `BigPeerSubscriptionReady` conditions; `Ready` / `Version` / `Age` columns
    * `BigPeerStore.status`: `TransactionLogReady`, `RollingUpdateSucceeded`, `ClusterConfigTransitionSucceeded` conditions, a per-replica inventory; `Ready` / `Replicas` / `Age` columns
    * `BigPeerSubscription.status`: `BigPeerStoreReady`, `TransactionLogReady`, `SubserversReady`, `RollingUpdateSucceeded` conditions, observed `replicas` / `readyReplicas`; `Ready` / `Subservers` / `Age` columns
    * `BigPeerApp.status`: `Validated` and `AuthConfigApplied` (when `spec.auth` is set) conditions; `Ready` / `App ID` / `Age` columns
    * `BigPeerDataBridge.status`: per-component conditions and `kind`; `Ready` / `Kind` / `Age` columns

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * The Operator container image is now built on `gcr.io/distroless/cc-debian12` instead of `ubuntu:22.04`, producing a smaller image with a reduced attack surface
    * The image no longer ships a shell, so `kubectl exec` into the Operator or API Key Validator pods is no longer possible; use `kubectl logs` and the `diagnostics` subcommand instead

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * CDC component Pods (CDC Transformer, CDC Heartbeat, Stream Splitter, Mongo Connector) now carry the `ditto.live/role` label, so `kubectl get pods -l ditto.live/role=…` matches them
    * Upgrading from Operator `<= 0.16.2` with existing Data Bridges triggers a one-time, harmless restart of the CDC component Pods; clusters without Data Bridges are unaffected
</Update>

<Update label="v0.16.2" description="Release Date: w/c Jun 19, 2026">
  **Ditto Operator 0.16.2 lets the Operator API accept Better Auth tokens.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * The Operator API now accepts Better Auth tokens when configured with `operator.api.authMode: better-auth`
</Update>

<Update label="v0.16.1" description="Release Date: w/c Jun 16, 2026">
  **Ditto Operator 0.16.1 adds `diagnostics` archive retention and makes diagnostics runs resilient to collector failures.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * `diagnostics` archive retention via `--max-archives` (default 10), also exposed as `BigPeerManagerTask.spec.task.diagnostics.maxArchives`
    * Prunes the oldest timestamped archives after each run; `latest_diagnostics.tar.xz` is never pruned and `0` disables pruning

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * `diagnostics` no longer aborts when a collector or scraper fails: it writes a partial (or metadata-only) archive and records the failures in `metadata.yaml` under `collector_errors`
  * `diagnostics` renders core Kubernetes resources without a leading underscore in archive paths (e.g. `v1_Pod`, not `_v1_Pod`)
</Update>

<Update label="v0.16.0" description="Release Date: w/c Jun 12, 2026">
  **Ditto Operator 0.16.0 introduces the `BigPeerManagerTask` CRD for running operator-managed diagnostics tasks, with configurable HTTP endpoint scraping.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * New `BigPeerManagerTask` CRD for running operator-managed diagnostics tasks
    * The Helm chart installs a `ditto-bpmt-diagnostics` `ClusterRole` for the diagnostics task (renamable via the `operator.config.managerTaskClusterRoleName` Helm value)
    * Supports HTTP endpoint scraping via label-selector to endpoint mappings supplied in a `diagnostics.yaml` config (`--config-file=PATH` or XDG-discovered). Scraped HTTP response bodies are written to the archive as-is and are NOT subject to redaction.
    * `BigPeerManagerTask.spec.task.diagnostics` accepts inline `endpoints` and `configMap` fields (mutually exclusive) for declaring endpoint-scraping configuration on the resource
    * Built-in `/debug/*` scrapes target Big Peer Store replicas and Subscription / Replication server Pods with per-role endpoint sets; built-in `/metrics` scrapes apply to any Pod carrying the `ditto.live/big-peer` label

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The Operator `ClusterRole` now has the `delete` permission on `poddisruptionbudgets`, fixing a recurring error and failure to delete the resource
</Update>

<Update label="v0.15.0" description="Release Date: w/c Jun 8, 2026">
  **Ditto Operator 0.15.0 introduces a new `diagnostics` subcommand and adds optional managed Better Auth provisioning to the `BigPeer` CRD.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * New `diagnostics` subcommand on the Ditto Operator binary, which generates a diagnostics artifact with sensitive data redacted by default
  * Optional `spec.auth.betterAuth` on the `BigPeer` CRD provisions a managed Better Auth deployment
    * The Ditto Operator `ClusterRole` has extra permissions to `delete` `serviceaccounts`, `services`, `configmaps`, and `secrets`
</Update>

<Update label="v0.14.8" description="Release Date: w/c May 13, 2026">
  **Ditto Operator 0.14.8 is a patch release that propagates image pull configuration to CDC components.**

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * `imagePullSecrets` and `imagePullPolicy` from the `BigPeer` custom resource are now propagated to CDC components
    * Any `imagePullSecrets` specified per-component are merged into the inherited ones
</Update>

<Update label="v0.14.7" description="Release Date: w/c May 11, 2026">
  **Ditto Operator 0.14.7 is a patch release that fixes propagation of `BigPeer` and `BigPeerApp` changes to data bridges, with a small breaking change.**

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * BREAKING CHANGE: `BigPeerDataBridge` custom resources must now carry an extra label `ditto.live/big-peer: <big-peer-name>`

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * Changes to `BigPeer` and `BigPeerApp` are now properly propagated to `BigPeerDataBridge` custom resources
</Update>

<Update label="v0.14.6" description="Release Date: w/c May 7, 2026">
  **Ditto Operator 0.14.6 fixes several reconciliation issues, drops support for older Big Peer versions, and changes a Kafka data bridge default.**

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * Kafka data bridges now default to 12 topic partitions when unspecified

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * Big Peer Store StatefulSets are now rebuilt when storage is updated in the `BigPeer` custom resource, instead of looping on `HTTP 422 Forbidden` from the Kubernetes API
    * The pod and PVC are preserved across the rebuild
    * The Ditto Operator `ClusterRole` has extra permissions to `delete` pods
  * Race condition where multiple Big Peer Store replicas could be updated at the same time
  * Changes to `BigPeer` are now properly propagated to `BigPeerReplication` custom resources
    * Users are no longer required to manually edit `spec.image` in `BigPeerReplication` as a workaround

  <Icon icon="minus" iconType="solid" horizontal /> **Removed:**

  * Support for Big Peer versions `< 1.49.0`
</Update>

<Update label="v0.14.5" description="Release Date: w/c Apr 17, 2026">
  **Ditto Operator 0.14.5 is a patch release that fixes a crash during Big Peer Store PVC lookup.**

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The Operator no longer enters `CrashloopBackoff` when a Kubernetes race condition prevents fetching the PVCs of a Big Peer Store `StatefulSet`
</Update>

<Update label="v0.14.4" description="Release Date: w/c Apr 17, 2026">
  **Ditto Operator 0.14.4 adds support for configuring the Big Peer Store MRF and fixes a portal image tag issue.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Support for specifying the Big Peer Store MRF (minimum replication factor) via the `BigPeer` CRD

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * Upgraded the `kube-rs` and `k8s-openapi` Kubernetes client dependencies to their latest versions (`3.0.1` and `0.27`, respectively)

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * Self-managed portal image tag no longer falls back to the operator's `appVersion` when the tag value is empty, preventing `ImagePullBackOff` errors from non-existent image references
  * Fixed the formula that calculates the MRF based on the number of replicas
    * NOTE: this may trigger a cluster config transition upon upgrading the Ditto Operator
</Update>

<Update label="v0.14.3" description="Release Date: w/c Feb 25, 2026">
  **Ditto Operator 0.14.3 is a patch release that switches the Mongo Connector deployment to a `Recreate` strategy.**

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The Mongo Connector deployment now uses the `Recreate` strategy to prevent duplicate connectors running concurrently during pod replacement
    * IMPORTANT: when upgrading a Big Peer with existing Mongo Connectors, each affected deployment must be manually deleted with `kubectl delete deployment <name> --cascade=orphan` so the Ditto Operator can recreate it
</Update>

<Update label="v0.14.2" description="Release Date: w/c Jan 16, 2026">
  **Ditto Operator 0.14.2 is a patch release that updates the self-managed portal audience mapping and bumps its image tag.**

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * The `portal-self-managed` audience now maps to the permissions needed by the self-managed portal
  * Bumped the self-managed portal image tag to `0.3.0`
</Update>

<Update label="v0.14.1" description="Release Date: w/c Jan 15, 2026">
  **Ditto Operator 0.14.1 is a patch release that fixes environment variable propagation in the Big Peer Store controller.**

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The Big Peer Store controller now correctly diffs lists of environment variables, fixing an issue where env vars added to `BigPeer` were not propagated to its Store replicas
</Update>

<Update label="v0.14.0" description="Release Date: w/c Jan 12, 2026">
  **Ditto Operator 0.14.0 adds the ability to disable Kafka's external listener, expands the data bridge creation API, and soft-deprecates the legacy CDC network properties.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Ability to disable Kafka's external listener (used for Kafka data bridges) via `spec.cdc.network.kafkaExternalListener.enabled` in the `BigPeer` CRD (enabled by default)

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * `spec.cdc.network.externalListener*` properties in the `BigPeer` CRD are now soft-deprecated; use `spec.cdc.network.kafkaExternalListener` instead
  * Subservers' revision hash calculation no longer takes the number of replicas into account
  * The Operator API's endpoint for creating data bridges now accepts `connectionString` when creating Mongo Connectors

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The Operator API's OpenAPI spec
</Update>

<Update label="v0.13.1" description="Release Date: w/c Dec 17, 2025">
  **Ditto Operator 0.13.1 adds authentication to the Operator API and several improvements to Kafka data bridges and workload authentication.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Authentication support for the Operator API
  * Support for Kafka data bridges to map multiple queries to a single destination topic

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * Legacy auto-mounting of Service Account tokens in Kubernetes pods is now disabled by default everywhere, relying instead on projected tokens for workload authentication
  * The `HYDRA_APISERVER_URLS` environment variable is now set on Big Peer HTTP API pods, which helps support distributed queries
  * Upgraded `kube-rs`, `k8s-openapi`, and `schemars` Kubernetes client dependencies to their latest versions

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * Removing `store.resources` from a `BigPeerStore` no longer triggers a schema error
</Update>

<Update label="v0.12.1" description="Release Date: w/c Dec 8, 2025">
  **Ditto Operator 0.12.1 is a patch release that adds support for the Kafka `metricsConfig` property.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Support for the `metricsConfig` property in Kafka configuration, configurable via `spec.transactions.kafka.strimzi`
</Update>

<Update label="v0.12.0" description="Release Date: w/c Dec 5, 2025">
  **Ditto Operator 0.12.0 adds support for managed Big Peer Synthetic Monitors and additional customization options for the Operator Helm chart.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Operator-managed Big Peer Synthetic Monitors
    * For now this only supports the small peer sync scenario, equivalent to the `hydra-synthetic-monitor`
  * The Operator Helm chart now allows configuring extra annotations and labels to be applied only to the Operator `Service`
  * `nginx.ingress.kubernetes.io/cors-allow-headers` and `nginx.ingress.kubernetes.io/enable-cors` annotations on the HTTP API `Ingress`
</Update>

<Update label="v0.11.1" description="Release Date: w/c Dec 4, 2025">
  **Ditto Operator 0.11.1 is a patch release that fixes CORS handling in the Operator API.**

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The Operator API now properly handles CORS
</Update>

<Update label="v0.11.0" description="Release Date: w/c Dec 3, 2025">
  **Ditto Operator 0.11.0 introduces optional deployment of the self-managed portal UI, enables Cruise Control by default for multi-broker Kafka, and exposes Operator metrics.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * The self-managed portal UI can now be optionally deployed as part of the Operator Helm chart via `portal.enabled=true`
    * Provides a web interface for managing Ditto applications in self-managed deployments
    * Disabled by default — customers must explicitly opt-in
    * Includes an Operator HTTP API service to enable portal communication
  * Cruise Control is enabled by default for Kafka when the number of brokers is greater than 1
    * Can be templated via `spec.transactions.kafka.strimzi.template.cruiseControl`
    * Can be disabled by setting `spec.transactions.kafka.strimzi.enableCruiseControl` to `false`
  * The Ditto Operator now exposes metrics via the `/metrics` endpoint, accessible through the Operator API
    * All metrics are prefixed with `ditto_operator_`
</Update>

<Update label="v0.10.1" description="Release Date: w/c Nov 27, 2025">
  **Ditto Operator 0.10.1 is a patch release that prevents replication instability caused by concurrent replication pods.**

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * At most a single replication pod is now guaranteed to run at a time, preventing deadlock and instability when multiple pods simultaneously attempt to hold a lockfile over the replication session cache
</Update>

<Update label="v0.10.0" description="Release Date: w/c Nov 25, 2025">
  **Ditto Operator 0.10.0 adds support for Mongo Connector data bridges, expands the Operator API for data bridges, and offers further Kafka customization options.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * The Operator API now supports create, get, list, and delete operations for Data Bridges on an existing Big Peer app
  * `spec.subscriptions.everything` in the `BigPeerReplication` CRD allows a replication instance to subscribe to all objects across all collections
    * NOTE: this should only be enabled with a full understanding of the interplay with evictions
  * Support for Mongo Connector data bridges
  * Further customization of Kafka-related resources:
    * `spec.transactions.topic` to customize the Kafka topic used for the transaction log
    * `spec.transactions.kafka.strimzi` accepts `config` and `jmxOptions`
    * `spec.transactions.kafka.strimzi.template.kafka` accepts `pod` and `kafkaContainer`
  * Support for providing extra ACLs when creating Kafka data bridges via `spec.bridge.kafka.extraAcls` in the `BigPeerDataBridge` CRD

  <Icon icon="minus" iconType="solid" horizontal /> **Removed:**

  * Traces from `Webhook` data bridges
</Update>

<Update label="v0.9.0" description="Release Date: w/c Nov 14, 2025">
  **Ditto Operator 0.9.0 introduces CDC network configuration in the `BigPeer` CRD, exposes Kafka through an Ingress listener, and ships experimental full Kafka data bridge support.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * `spec.cdc.network` in the `BigPeer` CRD configures network aspects of the CDC Kafka
  * `spec.streamType` in the `BigPeerDataBridge` CRD, primarily to support legacy data bridges
  * The transaction log Kafka has an extra `ingress` listener on port `9094`
    * Strimzi creates an `Ingress` that exposes Kafka outside the cluster via this listener, authenticated and subject to ACLs; used for CDC purposes
  * (EXPERIMENTAL) The `BigPeerDataBridge` controller now fully supports Kafka data bridges

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * The transaction log built by the Ditto Operator now sets `spec.authentication.type` to `simple` by default
    * Access to Kafka via any listener other than the plaintext one (`9092`, not exposed outside the cluster) is now subject to authentication via ACLs
  * The Ditto Operator's RBAC now allows manipulating `KafkaUser`, `Secret`, `Role`, and `RoleBinding` objects (needed for CDC and Data Bridges)

  <Icon icon="minus" iconType="solid" horizontal /> **Removed:**

  * `spec.cdc.kafka` in the `BigPeer` CRD
    * NOTE: `spec.cdc` is considered **EXPERIMENTAL** and is subject to breaking changes until it becomes stable
  * `spec.cdc.enabled` in the `BigPeer` CRD — CDC is always enabled
</Update>

<Update label="v0.8.2" description="Release Date: w/c Oct 23, 2025">
  **Ditto Operator 0.8.2 is a patch release that temporarily disables the Auth Server's `HorizontalPodAutoscaler`.**

  <Icon icon="minus" iconType="solid" horizontal /> **Removed:**

  * The `HorizontalPodAutoscaler` for the Auth Server is temporarily disabled
</Update>

<Update label="v0.8.1" description="Release Date: w/c Oct 15, 2025">
  **Ditto Operator 0.8.1 is a patch release that adds custom storage class support to `BigPeerReplication`.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * `BigPeerReplication` now supports setting a custom storage class, causing the pod to use a PVC instead of ephemeral storage
</Update>

<Update label="v0.8.0" description="Release Date: w/c Oct 8, 2025">
  **Ditto Operator 0.8.0 introduces several customization options for Big Peer services and authentication, plus experimental data bridge and CDC support.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * `version` field in the `AuthProvider::TokenWebhook` CRD (optional)
  * New optional field `spec.api.enableRemoteQuery` in `BigPeer` to enable the Remote Query feature across the cluster
  * The `repository` name used to construct the full image path for each Big Peer service can now be overridden via new optional CRD fields:
    * Auth Service: `auth.server.repository`
    * API Service: `api.repository`
    * Subscription Service: `subscriptions.repository`
    * Store Service: `store.repository`
    * If omitted, the previous `big-peer-` prefixed names are used
  * (EXPERIMENTAL) New `BigPeerDataBridge` CRD and corresponding controller — the controller is a no-op for now
  * (EXPERIMENTAL) `spec.cdc` in the `BigPeer` CRD enables CDC for a particular Big Peer (disabled by default)
  * (EXPERIMENTAL) The `BigPeerApp` CRD allows customizing individual CDC components per app; `spec.cdc` in `BigPeer` enables global customization and templating that per-app configurations can override
  * The `operator_internal` auth provider now accepts a customizable list of additional audiences to trust, allowing CDC and synthetic monitor workloads to authenticate via `operator_internal`

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The `ConfigMap` for global authentication providers is now serialized in a stable format when there are multiple providers, preventing unnecessary reconciliations
</Update>

<Update label="v0.7.4" description="Release Date: w/c Sep 4, 2025">
  **Ditto Operator 0.7.4 reintroduces the `hashing_scheme` field in the `BigPeer` CRD.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Reintroduced `hashing_scheme` to the `BigPeer` CRD as an optional value
    * NOTE: this field was removed prior to version `0.1.4`, but some clusters were using `ByNamespace` by default, causing clusters with more than 1 partition to be stuck in a permanently broken cluster config transition
</Update>

<Update label="v0.7.3" description="Release Date: w/c Aug 29, 2025">
  **Ditto Operator 0.7.3 is a patch release that fixes Auth Server and HTTP API URL resolution across namespaces.**

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The `BigPeerApp`'s namespace is now included in the Auth Server and HTTP API URLs constructed by the `BigPeerApp` controller, allowing the Operator to interact with Big Peer components deployed in different namespaces
</Update>

<Update label="v0.7.2" description="Release Date: w/c Aug 29, 2025">
  **Ditto Operator 0.7.2 is a patch release that fixes cluster config transitions when the Operator and Big Peers run in different namespaces.**

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The `BigPeer`'s namespace is now included in the Store replicas' routable addresses, fixing cluster config transitions in deployments where the Operator and Big Peers run in different namespaces
</Update>

<Update label="v0.7.1" description="Release Date: w/c Aug 28, 2025">
  **Ditto Operator 0.7.1 is a patch release that relaxes the ARN regex validation in `BigPeer` and `BigPeerSubscription` CRDs.**

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The ARN regex in the `BigPeer` and `BigPeerSubscription` CRDs has been relaxed to accept more allowed symbols
</Update>

<Update label="v0.7.0" description="Release Date: w/c Aug 28, 2025">
  **Ditto Operator 0.7.0 introduces a dedicated Auth Server Docker image, configurable Kafka topic and PVC deletion, and additional template options.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Support for `topicName` and `topicResourceName` fields in Strimzi Kafka configurations, allowing custom topic names and Kubernetes resource names for `KafkaTopic` resources
  * The `BigPeer` CRD now supports configurable Kafka topic and PVC deletion via `spec.transactions.kafka.strimzi.enableDeletion` (defaults to `false`)

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * When `spec.version >= 1.49.0`, the Operator builds the Auth Server using a new Docker image, `big-peer-auth-server`
    * NOTE: when `spec.version < 1.49.0`, the Operator still builds a separate Auth Server, but uses the `big-peer-subscription` Docker image
  * The `BigPeer` CRD now supports templating `PodDisruptionBudget` under `spec.auth.server.template`
</Update>

<Update label="v0.6.1" description="Release Date: w/c Aug 18, 2025">
  **Ditto Operator 0.6.1 is a patch release that restores clean upgrades from earlier versions and fixes Operator API routing.**

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * Named parameters captured in Operator API routes are correctly handled following a recent dependency upgrade
  * `ongoingPvcResize` in `BigPeerStore` Status is now optional, restoring clean upgrades from versions prior to 0.6.0
  * Added missing permissions to read `StorageClass` resources, required for PVC resize support
</Update>

<Update label="v0.6.0" description="Release Date: w/c Aug 6, 2025">
  **Ditto Operator 0.6.0 separates the Auth Server into its own workload, ships default topology and disruption configurations for API and Subscription resources, and enables Store storage resizing.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * API and Subscription pods now include a default set of `topologySpreadConstraints` when none are specified, attempting to schedule replicas across both availability zones and worker nodes
  * API and Subscription resources now ship with a default set of `PodDisruptionBudget` configurations
  * Store nodes can have their storage size increased by updating `spec.store.storage.size`
  * The Auth Server now runs as a separate workload
    * The `BigPeer` CRD exposes configuration to tweak Auth Server workloads
    * The Operator manages extra Kubernetes resources for it: `Deployment`, `Service`, `ServiceAccount`, `Ingress`, `HorizontalPodAutoscaler`, and `PodDisruptionBudget`, all suffixed with `-auth-server`

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * Tightened schema validations for `BigPeer` and related objects:
    * Fields represented internally as unsigned 16-bit integers now have maximums reflecting that
    * S3 bucket names, regions, and ARNs are validated against a regular expression

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * `KafkaTopic` and Kafka's persistent storage are now correctly removed when the `BigPeer` resource is deleted
  * Setting `imagePullSecrets` to an empty array no longer causes the Operator to get stuck updating replicas
</Update>

<Update label="v0.5.0" description="Release Date: w/c Jul 3, 2025">
  **Ditto Operator 0.5.0 expands the Operator API for managing existing Big Peer apps and fixes cluster config transitions in the Store.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Operator API enhancements:
    * Add, update, or delete auth providers for an existing Big Peer app
    * Update an existing Big Peer app
      * NOTE: only the set of auth providers can be updated for now
    * Configure Big Peer replication for an existing Big Peer app
  * API server replicas are now limited to a maximum of 256
  * CRDs no longer require a `size` to be set alongside `storage_class_name`
  * New CLI parameters: `--service-account-token-path` and `--api-key-validator-url`

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * Configuring custom auth providers in a `BigPeerApp`
  * Broken cluster config transitions that prevented changing the number of partitions and/or replicas in a Big Peer Store
    * NOTE: this bug affected Operator versions `>= 0.3.0`
</Update>

<Update label="v0.4.0" description="Release Date: w/c May 1, 2025">
  **Ditto Operator 0.4.0 adds per-app auth providers, ships a default auth provider set for every `BigPeer`, and validates BP2BP subscription expressions.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Support for per-app auth providers

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * Every `BigPeer` is now built with a default set of auth providers (currently just the `internal` provider)
  * The API Key Validator is used as the internal provider for validating service account tokens
  * BigPeer-to-BigPeer subscription expressions are now validated before reconciling BP2BP resources
    * NOTE: invalid expressions will prevent resources from being reconciled

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * The Operator API now returns `400 Bad Request` when attempting to create an API key with a past expiry date
    * NOTE: this is a breaking change — previously a `200 OK` was returned
</Update>

<Update label="v0.3.0" description="Release Date: w/c Apr 25, 2025">
  **Ditto Operator 0.3.0 adds important features, such as an internal API key validator and an Operator Management API.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * New CRD: `BigPeerApiKey`
  * Support for validating Big Peer HTTP API keys using an internal API Key Validator
  * Optional deployment of API Key Validator via Ditto Operator Helm chart
  * Support for BigPeer-to-BigPeer auth. This requires Big Peer `>= 1.43.0`
  * Operator Management API

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * BigPeer-to-BigPeer subscriptions from OQL to DQL, which requires Big Peer `>= 1.42.0`
  * BREAKING CHANGE: new invariants for `BigPeerApp` custom resources:
    * Label `ditto.live/big-peer` must exist
    * `BigPeer` references by label `ditto.live/big-peer` must exist
    * `spec.appId` must be unique amongst all the `BigPeerApp`'s that reference the same `BigPeer`
  * BREAKING CHANGE: new invariants for `BigPeerReplication` custom resources:
    * Label `ditto.live/app` must exist
    * `BigPeerApp` referenced by label `ditto.live/app` must exist
</Update>

<Update label="v0.2.0" description="Release Date: w/c Apr 3, 2025">
  **Ditto Operator 0.2.0 adds new features, important bug fixes, and a breaking change.**
  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Initial BigPeer-to-BigPeer (`BigPeerReplication`) support

  <Icon icon="arrows-rotate" iconType="solid" horizontal /> **Changed:**

  * Ensure stable ordering in serialized custom resources.

  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * Ensure unique API actor ids across Big Peers in BigPeer-to-BigPeer. Requires Big Peer `>= 1.42.0`
  * Ensure Big Peer Store replicas are updated one at a time
  * Support templates for Kafka-related resources. This has been fully extended to full parity with Strimzi's templating scheme.
  * Extra verbosity in Big Peer Store controller's logs
</Update>

<Update label="v0.1.5" description="Release Date: w/c Mar 18, 2025">
  **Ditto Operator 0.1.5 is a patch release that adds bug fixes.**
  <Icon icon="screwdriver-wrench" iconType="solid" horizontal /> **Fixed:**

  * Add disjoint roles for Ditto Operator store services
  * Fix Ditto Operator `BigPeer` enum serialization
</Update>

<Update label="v0.1.4" description="Release Date: w/c Mar 16, 2025">
  **Ditto Operator 0.1.4 adds minor features.**

  <Icon icon="plus" iconType="solid" horizontal /> **Added:**

  * Attachment backend support
  * Anonymous auth provider
</Update>
