# Panfactum Changelog — edge.24-09-10

> Updates Karpenter CRD specification requiring manual intervention during upgrade, restructures ports configuration in workload modules, adds Kubernetes Service submodule, and fixes PostgreSQL credential access issues.

## Highlights

- Karpenter CRD update requires manual state manipulation — see upgrade instructions
- `ports` input moved to container-level in [`kube_deployment`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_deployment) and [`kube_stateful_set`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_stateful_set)
- New [`kube_service`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_service) submodule for optimized Kubernetes Services

## Breaking Changes

- Karpenter has updated its CRD specification which requires manual intervention during upgrade. See upgrade instructions for the required state manipulation
  - Impacts: iac-module `kube_karpenter` — CRD specification updated; requires manual state manipulation
- The `ports` input on [`kube_deployment`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_deployment) and [`kube_stateful_set`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_stateful_set) has been moved to a container-level field rather than a top-level field to
  - Impacts: iac-module `kube_deployment` — Ports input moved from top-level to container-level
  - Impacts: iac-module `kube_stateful_set` — Ports input moved from top-level to container-level

## Additions

- Adds a new submodule, [`kube_service`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_service), for defining Kubernetes Services optimized for the Panfactum Stack.
  Also integrated into `kube_deployment` and `kube_stateful_set`
  - Impacts: iac-module `kube_service` — New submodule for Panfactum-optimized Kubernetes Services
  - Impacts: iac-module `kube_deployment` — Integrated automatic Service creation via kube_service
  - Impacts: iac-module `kube_stateful_set` — Integrated automatic Service creation via kube_service
- Adds `extra_storage_classes` input to the [`kube_aws_ebs_csi`](https://panfactum.com/docs/main/reference/infrastructure-modules/direct/kubernetes/kube_aws_ebs_csi) module.
  - Impacts: iac-module `kube_aws_ebs_csi` — Added extra_storage_classes input for custom storage classes

## Fixes

- Addressed issue in [`kube_pg_cluster`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_pg_cluster) where non-superuser credentials created by Vault would not have access to database schemas other than `public`.
  - Impacts: iac-module `kube_pg_cluster` — Fixed Vault-created credentials lacking non-public schema access
  - Reference (issue-report): [Vault-created non-superuser credentials lack non-public schema access](https://github.com/Panfactum/stack/issues/128)
- Addressed issue where Terragrunt configuration caused version pinning for `goauthentik/authentik` and `alekc/kubectl` providers to be removed during `terragrunt init -upgrade`.

## Upgrade Instructions

## Karpenter CRD Migration

Karpenter has updated its CRD specification which requires manual intervention during upgrade.
**After** updating the `pf_stack_version` for any deployments of the `kube_karpenter_node_pools` module, run the following commands in the `kube_karpenter_node_pools` folder:

```bash
pf-providers-enable
terragrunt state rm kubernetes_manifest.default_node_class \
  kubernetes_manifest.spot_node_class \
  kubernetes_manifest.burstable_node_class \
  kubernetes_manifest.burstable_node_pool \
  kubernetes_manifest.burstable_arm_node_pool \
  kubernetes_manifest.spot_node_pool \
  kubernetes_manifest.spot_arm_node_pool \
  kubernetes_manifest.on_demand_arm_node_pool \
  kubernetes_manifest.on_demand_node_pool
terragrunt apply --auto-approve
kubectl delete nodepools burstable burstable-arm on-demand on-demand-arm spot spot-arm
kubectl delete ec2nc spot burstable on-demand
```

The `kubectl delete` commands may take a few minutes to complete as this will force all pods to be rescheduled from nodes using the old CRDs to nodes using the new CRDs.

## Related Resources

- [JSON Data](https://panfactum.com/docs/changelog/edge.24-09-10.json): Machine-readable data
- [Channel Release List](https://panfactum.com/docs/changelog/edge.json): All releases in this channel