# Panfactum Changelog — edge.24-09-12 > Replaces Secrets CSI with Vault Secrets Operator for better security and performance, renames credential outputs for clarity, improves Terragrunt provider management, and adds support for sourcing environment variables from ConfigMaps and Secrets. ## Highlights - `kube_secrets_csi` deprecated and should be removed — saves ~150MB memory per node - `pf-providers-enable` renamed to `pf-tf-init` with expanded functionality - Credential outputs renamed: `superuser_username/password` → `root_username/password` in `kube_pg_cluster` and `kube_redis_sentinel` - Provider configuration no longer needs to be manually enabled via `module.yaml` ## Breaking Changes - [`kube_secrets_csi`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/kubernetes/kube_secrets_csi) has been deprecated and should be removed from your clusters. The Vault Secrets Operator replaces its functionality with improved - [`kube_pg_cluster`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_pg_cluster) and [`kube_redis_sentinel`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_redis_sentinel) outputs `superuser_username` and `superuser_password` have been renamed to `root_username` and `root_password`. - Impacts: iac-module `kube_pg_cluster` — Outputs renamed from superuser_* to root_* - Impacts: iac-module `kube_redis_sentinel` — Outputs renamed from superuser_* to root_* - `pf-providers-enable` has been renamed to `pf-tf-init` with expanded functionality: now influences every module in the directory tree, runs `init -upgrade` - You no longer need to manually enable providers via the `providers` array in `module.yaml`. Terragrunt now automatically detects required providers - Impacts: configuration `module.yaml` — Manual provider configuration via providers array no longer needed ## Additions - Adds `common_env_from_config_maps` and `common_env_from_secrets` inputs to all standard workload submodules to source environment variables from existing ConfigMaps and Secrets, respectively. - [`kube_pg_cluster`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_pg_cluster) and [`kube_redis_sentinel`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_redis_sentinel) now support using Vault-generated credentials to authenticate from other workloads. - Impacts: iac-module `kube_pg_cluster` — Added Vault-generated credential support for workload auth - Impacts: iac-module `kube_redis_sentinel` — Added Vault-generated credential support for workload auth ## Fixes - Adds a controller node preference to pods with `controller_nodes_enabled` set to `true`, optimizing resource efficiency by preferring to fill controller ## Upgrade Instructions ## Remove `kube_secrets_csi` [`kube_secrets_csi`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/kubernetes/kube_secrets_csi) has been deprecated and should be removed from your clusters. It was primarily used for managing dynamically generated Vault secrets such as database credentials. We have switched to a new paradigm using the [Vault Secrets Operator](https://github.com/hashicorp/vault-secrets-operator). To remove it: 1. Apply this release. 2. Remove any dependency blocks to `kube_secrets_csi` in your `terragrunt.hcl` files. 3. Run `terragrunt destroy` on the `kube_secrets_csi` module. This saves approximately 150MB of memory per node and improves security by removing pods that needed elevated host-level permissions. ## Rename Credential Outputs [`kube_pg_cluster`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_pg_cluster) and [`kube_redis_sentinel`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_redis_sentinel) output renames: | Old Name | New Name | | -------------------- | --------------- | | `superuser_username` | `root_username` | | `superuser_password` | `root_password` | ## Rename `pf-providers-enable` to `pf-tf-init` `pf-providers-enable` has been renamed to `pf-tf-init`. It now has expanded functionality: - Influences every module in the directory tree where it is run (not just CWD). - Runs `init -upgrade` on every module to update provider versions and download submodules. - Significantly improved runtime speed. Update the [upgrade guide](https://panfactum.com/docs/edge/guides/versioning/upgrading/general) steps to use `pf-tf-init` when upgrading the Panfactum version in an environment. ## Remove Manual Provider Configuration You no longer need to manually enable providers via the `providers` array in each `module.yaml`. Terragrunt now automatically detects which providers to include at runtime. The `providers` input no longer has any functionality and the `providers` array can be removed from all `module.yaml` files. If this leaves a `module.yaml` empty, the entire file can be deleted. ## Related Resources - [JSON Data](https://panfactum.com/docs/changelog/edge.24-09-12.json): Machine-readable data - [Channel Release List](https://panfactum.com/docs/changelog/edge.json): All releases in this channel