PaletteAI 1.1.6 Release Notes
Summary
PaletteAI 1.1.6 is a patch release on 1.1.5 that ships a coordinated hotfix.5 image train for brush, canvas, hue, and mural-crds. It backports observability, Tenant federation, sharing, and airgap tooling improvements from the 1.1 release line.
Observability expands with a Prometheus remote-write authentication component, dynamic in-context extension value resolution, and updated prometheus-agent hub add-on manifests that propagate remote-write credentials to spoke clusters.
The paletteai mirror CLI gains --extra-repo and --extra-artifact flags for more flexible airgapped export and sync workflows, along with fixes for pack push with relative paths and cleaner mirror bundles.
Tenant workload namespace spokes receive stronger federation support. Hue federates Tenant resources to spokes hosting Tenant-scoped workloads, brush injects hue.tenantName for those spokes, and Canvas correctly lists shared Tenant resources at Project scope. Gamut tenant-scope sidebar RBAC is corrected.
Canvas fixes address resource sharing bugs, Tenant settings that omitted Compute resources, duplicate fields in the settings creation flow, Palette integration warnings, ProfileBundle action clarity, baseline pool counts on empty compute configs, and AIWorkload workload deployment class selection.
Hue reliability improvements include clearer out-of-policy errors, retries when Tenant spoke OCI sync targets are not ready, a race-condition fix during default resource upsert, ProfileBundle project sync retries, and ComputePool pause-label support. Metadata drift is now correctly detected and resolved for ComputePool worker pools. Finally, context extensions may now reference objects by label instead of by name and/or namespace.
The Mural umbrella chart enables read-only root filesystems for canvas and palette-ai workloads, terminates Zot registry TLS at the Traefik load balancer by default instead of in-pod, and fixes nil-pointer issues when installing via the Helm SDK with default values.
Upgrade Notes
- You must upgrade the `mural-crds` chart to 0.7.8-hotfix.5 before upgrading the `mural` chart to 1.1.6. For detailed instructions on how to upgrade PaletteAI, refer to the PaletteAI upgrade guide.
Component Versions
The following core component versions are pinned for this PaletteAI release.
| Component | Version |
|---|---|
| brush | 0.5.18-hotfix.5 |
| canvas | 0.6.9-hotfix.5 |
| hue | 0.12.12-hotfix.5 |
| mural-crds | 0.7.8-hotfix.5 |
Mural Helm values
The following diff lists changes to mural/charts/mural/values.yaml between PaletteAI 1.1.5 and 1.1.6.
diff --git a/mural/charts/mural/values.yaml b/mural/charts/mural/values.yaml
index 3eceb220c..9c6f98262 100644
--- a/mural/charts/mural/values.yaml
+++ b/mural/charts/mural/values.yaml
@@ -67,7 +67,7 @@ global:
# - use a custom FleetConfig controller image with the `gke-gcloud-auth-plugin` installed
kubernetesProvider: "Generic"
certManagerVersion: "v1.19.1"
- muralVersion: "1.1.5"
+ muralVersion: "1.1.6"
dns:
domain: "replace.with.your.domain"
rootIngress:
@@ -108,7 +108,7 @@ global:
username: ""
password: ""
basicAuthSecretName: ""
- muralCrdsVersion: "0.7.8-hotfix.4"
+ muralCrdsVersion: "0.7.8-hotfix.5"
## @section certificates
## @param certificates.clusterIssuer.spec.selfSigned The spec for the ClusterIssuer used by cert-manager to issue the Mural root CA certificate.
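Review bot: the `muralCrdsVersion` bump to `0.7.8-hotfix.5` is the value the Upgrade Notes ordering depends on (the CRD chart must be upgraded before the umbrella chart), but nothing near this key says so; a one-line comment such as `# must be upgraded before muralVersion is bumped` would keep operators who only diff values.yaml from bumping `muralVersion` first.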
@@ -182,6 +182,10 @@ cleanup:
## @skip fleetConfig.hub.addOnConfigs[1]
## @skip fleetConfig.hub.addOnConfigs[2]
+
+## @skip fleetConfig.hub.addOnConfigs[3]
+
+## @skip fleetConfig.hub.addOnConfigs[4]
## @param fleetConfig.hub.hubAddOns Global hub add-on configuration for the hub cluster.
## @param fleetConfig.hub.clusterManager.enabled Whether to enable the cluster manager. Set to false if using Singleton Control Plane.
## @param fleetConfig.hub.clusterManager.featureGates.DefaultClusterSet DefaultClusterSet feature gate.
@@ -448,6 +452,10 @@ fleetConfig:
- name: "prometheus-agent-minimal"
version: "v0.0.1"
overwrite: true
+ manifests: ""
+ - name: "prometheus-agent-minimal"
+ version: "v0.0.2"
+ overwrite: true
manifests: |
apiVersion: v1
kind: ConfigMap
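Review bot: the `v0.0.1` entry for `prometheus-agent-minimal` is kept but with `manifests: ""`, and the new `v0.0.2` entry reuses the same `name` with `overwrite: true`; the intent (retire the old version's manifests while keeping the list index stable, or leave it as a deliberate no-op) should be stated in a comment next to `manifests: ""`, and it is worth confirming that an add-on config whose manifests are empty does not render an empty template that the hub rejects, or remove resources that spokes still on v0.0.1 rely on.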
@@ -520,6 +528,19 @@ fleetConfig:
password: "{{PROMETHEUS_PASSWORD}}"
---
apiVersion: v1
+ kind: Secret
+ metadata:
+ name: prometheus-remote-write-credentials
+ namespace: open-cluster-management-agent-addon
+ labels:
+ spectrocloud.com/prometheus-agent: "true"
+ type: Opaque
+ stringData:
+ endpoint: "{{PROMETHEUS_BASE_URL}}/api/v1/write"
+ username: "{{PROMETHEUS_USERNAME}}"
+ password: "{{PROMETHEUS_PASSWORD}}"
+ ---
+ apiVersion: v1
kind: ServiceAccount
metadata:
name: mural-prometheus-agent-minimal
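Review bot: the new `prometheus-remote-write-credentials` Secret is the right place for the remote-write credentials, but the context line immediately above it (`password: "{{PROMETHEUS_PASSWORD}}"` followed by `---`) shows the same placeholder still being rendered into the preceding document of this manifests block; if that document is the ConfigMap this block opens with, the password now lives in both a ConfigMap and a Secret, and the ConfigMap copy should be dropped once the agent reads from the Secret. Also worth a comment: the `{{PROMETHEUS_BASE_URL}}`, `{{PROMETHEUS_USERNAME}}` and `{{PROMETHEUS_PASSWORD}}` placeholders are substituted into manifest text, so whichever hub object stores the rendered manifests carries the plaintext password and needs RBAC at least as tight as the Secret itself.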
@@ -649,6 +670,10 @@ fleetConfig:
- name: "prometheus-agent"
version: "v0.0.1"
overwrite: true
+ manifests: ""
+ - name: "prometheus-agent"
+ version: "v0.0.2"
+ overwrite: true
manifests: |
apiVersion: v1
kind: ConfigMap
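Review bot: this is the same two-entry change as the `prometheus-agent-minimal` block above (`v0.0.1` with `manifests: ""`, `v0.0.2` with `overwrite: true`), so the two add-on definitions are now maintained as near-identical copies; a short comment pointing at the other block, or a shared YAML anchor for the common manifests, would reduce the chance of the two drifting apart on the next credential or namespace change.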
@@ -706,6 +731,19 @@ fleetConfig:
password: "{{PROMETHEUS_PASSWORD}}"
---
apiVersion: v1
+ kind: Secret
+ metadata:
+ name: prometheus-remote-write-credentials
+ namespace: open-cluster-management-agent-addon
+ labels:
+ spectrocloud.com/prometheus-agent: "true"
+ type: Opaque
+ stringData:
+ endpoint: "{{PROMETHEUS_BASE_URL}}/api/v1/write"
+ username: "{{PROMETHEUS_USERNAME}}"
+ password: "{{PROMETHEUS_PASSWORD}}"
+ ---
+ apiVersion: v1
kind: ServiceAccount
metadata:
name: mural-prometheus-agent
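Review bot: this Secret has the same name and namespace (`prometheus-remote-write-credentials` in `open-cluster-management-agent-addon`) as the one in the `prometheus-agent-minimal` manifests; if both add-ons can ever be enabled on the same spoke, two add-on agents will apply competing copies of one object, so either the two configs should be documented as mutually exclusive or the Secret name should carry the add-on name (for example `prometheus-agent-remote-write-credentials`).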
@@ -1475,7 +1513,7 @@ brush:
## @param brush.image.pullPolicy The pull policy to use for the image
image:
repository: public.ecr.aws/mural/brush
- tag: v0.5.18-hotfix.4
+ tag: v0.5.18-hotfix.5
pullPolicy: IfNotPresent
## @param brush.imagePullSecrets The pull secrets to use for the image
imagePullSecrets: []
@@ -1764,7 +1802,7 @@ canvas:
## @param canvas.image.pullPolicy canvas image pull policy
image:
repository: public.ecr.aws/mural/canvas
- tag: v0.6.9-hotfix.4
+ tag: v0.6.9-hotfix.5
pullPolicy: IfNotPresent
## @param canvas.imagePullSecrets Image pull secrets
imagePullSecrets: []
@@ -1795,6 +1833,7 @@ canvas:
type: RuntimeDefault
## @param canvas.securityContext.allowPrivilegeEscalation Allow privilege escalation
## @param canvas.securityContext.capabilities.drop List of capabilities to drop
+ ## @param canvas.securityContext.readOnlyRootFilesystem Enable read only root filesystem for the container
## @param canvas.securityContext.runAsNonRoot Run as non-root
## @param canvas.securityContext.runAsUser The User ID to run the container as
## @param canvas.securityContext.runAsGroup The Group ID to run the container as
@@ -1803,6 +1842,7 @@ canvas:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
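Review bot: `readOnlyRootFilesystem: true` is a good hardening step, but it turns any write outside the mounted `emptyDir` paths (`/app/sessions`, `/app/templatesessions`, `/tmp` as mounted further down in this diff) into a runtime failure rather than a chart-render error; the `@param` comment should list those three paths so that operators who override `canvas.volumeMounts.items` keep all of them, and the release notes should say that custom canvas images writing elsewhere will break under the new default.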
@@ -1864,6 +1904,8 @@ canvas:
## @param canvas.volumes.items[0].emptyDir Empty directory
## @param canvas.volumes.items[1].name Volume name
## @param canvas.volumes.items[1].emptyDir Empty directory
+ ## @param canvas.volumes.items[2].name Volume name
+ ## @param canvas.volumes.items[2].emptyDir Writable temp directory for paletteai CLI and profile bundle uploads
volumes:
enabled: true
items:
@@ -1871,11 +1913,15 @@ canvas:
emptyDir: {}
- name: template-sessions
emptyDir: {}
+ - name: tmp
+ emptyDir: {}
## @param canvas.volumeMounts.enabled Enable volume mounts. The default item is the template-sessions and is required.
## @param canvas.volumeMounts.items[0].name Volume mount name
## @param canvas.volumeMounts.items[0].mountPath Volume mount path
## @param canvas.volumeMounts.items[1].name Volume mount name
## @param canvas.volumeMounts.items[1].mountPath Volume mount path
+ ## @param canvas.volumeMounts.items[2].name Volume mount name
+ ## @param canvas.volumeMounts.items[2].mountPath Volume mount path
volumeMounts:
enabled: true
items:
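Review bot: the new `tmp` volume is an `emptyDir: {}` with no `sizeLimit`; since its param comment describes it as the target for paletteai CLI and profile bundle uploads, an unbounded tmp lets one large or runaway upload consume the node's ephemeral storage. Suggest `emptyDir: { sizeLimit: <bound> }`, documented in the `canvas.volumes.items[2]` param comment, so the kubelet evicts the pod when the bound is exceeded instead of letting it pressure the node.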
@@ -1883,6 +1929,8 @@ canvas:
mountPath: /app/sessions
- name: template-sessions
mountPath: /app/templatesessions
+ - name: tmp
+ mountPath: /tmp
## @param canvas.env.items Environment variables
env:
items: []
@@ -3271,7 +3319,7 @@ hue:
## @param hue.image.pullPolicy Image pull policy
image:
repository: public.ecr.aws/mural/hue
- tag: v0.12.12-hotfix.4
+ tag: v0.12.12-hotfix.5
pullPolicy: IfNotPresent
## @param hue.resources.requests.cpu hue controller deployment's cpu request
## @param hue.resources.requests.memory hue controller deployment's memory request
@@ -3431,7 +3479,7 @@ hue:
enabled: true
image:
repository: public.ecr.aws/mural/hue-definitions
- tag: v0.12.12-hotfix.4
+ tag: v0.12.12-hotfix.5
pullPolicy: IfNotPresent
pullSecrets: []
job:
@@ -4818,9 +4866,10 @@ zot:
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
serviceHeadless:
# Enable headless service, only for statefulset
enabled: false
# Headless service port
port: 5000
# Annotations to add to the headless service
@@ -4881,7 +4930,7 @@ zot:
# By default, Kubernetes HTTP probes use HTTP 'scheme'. So if TLS is enabled
# in configuration, to prevent failures, the scheme must be set to 'HTTPS'.
httpGet:
- scheme: HTTPS
+ scheme: HTTP
port: 5000
# By default, Kubernetes considers a Pod healthy if the liveness probe returns
# successfully. However, sometimes applications need additional startup time on
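Review bot: the probe `scheme` is now hardcoded to `HTTP` while the comment two lines above still says it must be `HTTPS` when TLS is enabled in configuration; with the new `zot.tls.enabled` flag added later in this diff, an operator who turns TLS back on without also editing this line gets a liveness probe that fails against the HTTPS listener. Either template the scheme from `zot.tls.enabled` or update the comment to name the other keys that must change together with it.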
@@ -4902,7 +4951,7 @@ zot:
config.json: |-
{
"storage": { "rootDirectory": "/var/lib/registry" },
- "http": { "address": "0.0.0.0", "port": "5000", "tls": { "cert": "/etc/zot-tls-certs/tls.crt", "key": "/etc/zot-tls-certs/tls.key" }, "auth": { "failDelay": 5, "htpasswd": { "path": "/secret/htpasswd" } } },
+ "http": { "address": "0.0.0.0", "port": "5000", "auth": { "failDelay": 5, "htpasswd": { "path": "/secret/htpasswd" } } },
"extensions": {"search": {"enable": true}, "ui": {"enable": false}},
"log": { "level": "debug" }
}
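Review bot: with the `"tls"` block removed from `config.json`, the htpasswd basic-auth credentials in the `"auth"` block now travel in clear text on the hop from the Traefik load balancer to the zot pod on port 5000; that is acceptable only if that hop stays inside the cluster network and the zot Service is not otherwise reachable, so the values comment (and the release notes, which only say TLS moves to Traefik) should state that assumption, and a NetworkPolicy limiting ingress on port 5000 to the Traefik pods would enforce it. Separately, `"log": { "level": "debug" }` is an unchanged default that is very verbose for a registry and worth revisiting in the same pass.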
@@ -4996,18 +5045,12 @@ zot:
# key: username
# Extra Volume Mounts
- extraVolumeMounts:
- - name: zot-tls-cert-vol
- mountPath: /etc/zot-tls-certs
- readOnly: true
+ extraVolumeMounts: []
# - name: data
# mountPath: /var/lib/registry
# Extra Volumes
- extraVolumes:
- - name: zot-tls-cert-vol
- secret:
- secretName: zot-serving-cert
+ extraVolumes: []
# - name: data
# emptyDir: {}
@@ -5058,6 +5101,9 @@ zot:
fullnameOverride: zot
# Authentication header for Helm tests (base64 encoded "admin:admin")
authHeader: "YWRtaW46YWRtaW4="
+ # When true, cert-manager issues zot-serving-cert and zot should serve HTTPS (see config.json).
+ tls:
+ enabled: false
podSecurityContext:
fsGroup: 65534
seccompProfile:
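Review bot: `tls.enabled: false` introduces a flag whose comment says that when true cert-manager issues `zot-serving-cert` and zot "should serve HTTPS (see config.json)", but nothing in this diff gates on it: `config.json` has lost its `"tls"` block, the probe scheme is now `HTTP`, and the `zot-tls-cert-vol` mount and volume were emptied out in the hunk above, so setting the flag to true yields a certificate that nothing mounts or serves. Either wire those places to `{{ if .Values.zot.tls.enabled }}` in the templates, or rewrite the comment to list exactly which keys the operator must change by hand.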
Full Component Release Notes
The following table lists all changes made to core components in this PaletteAI release.
| Component | Tag | Notes |
|---|---|---|
| brush | brush/v0.5.18-hotfix.5 | Bug Fixes |
| canvas | canvas/v0.6.9-hotfix.5 | Bug Fixes |
| hue | hue/v0.12.12-hotfix.5 | Includes paletteai CLI binaries. Features; Bug Fixes; Other |
| mural-crds | mural-crds/v0.7.8-hotfix.5 | Features; Other |