# Panfactum Changelog — edge.24-12-05

> Major Linkerd upgrade that improves security and startup times, replaces NATS backend for Argo EventBus, and adds support for NATS Jetstream message broker along with numerous improvements to node image caching and AWS EKS features.

## Highlights

- Major Linkerd upgrade — removes privileged `proxy-init` container, reduces pod startup by 5-20s
- NATS backend for `kube_argo_event_bus` replaced with [`kube_nats`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_nats) — EventBus deletion required
- `kube_fledged` and `kube_reflector` removed (deprecated in `edge.24-11-13`)
- Must update modules in specific order — see upgrade instructions

## Breaking Changes

- Major Linkerd upgrade that removes the privileged `proxy-init` initContainer. Reduces pod startup times by 5-20 seconds and improves security. **Modules
  - Impacts: iac-module `kube_linkerd` — Removes privileged proxy-init container and speeds up pod startup
- The NATS backend for [`kube_argo_event_bus`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_argo_event_bus) has been replaced with [`kube_nats`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_nats). Existing `EventBus` resources must be manually deleted before applying. **Deleting
  - Impacts: iac-module `kube_argo_event_bus` — NATS backend replaced; existing EventBus resources must be deleted
  - Impacts: iac-module `kube_nats` — New module now provides NATS backend for EventBus
- `kube_fledged` and `kube_reflector` modules have been removed (deprecated in `edge.24-11-13`).
- The `images` input of [`kube_node_image_cache`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_node_image_cache) now takes a list of image configuration objects instead of image strings. `node_image_cached_enabled` has been

## Additions

- Added support for the [NATS Jetstream message broker](https://docs.nats.io/nats-concepts/jetstream) via [`kube_nats`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_nats). Also adds the `nats` CLI to the devShell and NATS
  - Impacts: iac-module `kube_nats` — New module for deploying NATS Jetstream message broker
  - Impacts: devshell `nats` — NATS CLI added to the development shell
  - Impacts: devshell `pf-db-tunnel` — Added NATS connection support
- The [`kube_node_image_cache_controller`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/kubernetes/kube_node_image_cache_controller) now pulls cached images in parallel as soon as a node launches (previously serial, causing significant delays).
- Images provided to Panfactum submodules are now cached by default.
- Additional annotations and labels can now be added to controllers created via `kube_deployment`, `kube_stateful_set`, `kube_daemon_set`, and `kube_cron_job`.
  - Impacts: iac-module `kube_deployment` — Supports additional annotations and labels on controllers
  - Impacts: iac-module `kube_stateful_set` — Supports additional annotations and labels on controllers
  - Impacts: iac-module `kube_daemon_set` — Supports additional annotations and labels on controllers
  - Impacts: iac-module `kube_cron_job` — Supports additional annotations and labels on controllers

## Improvements

- [`aws_eks`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/aws/aws_eks) now has EKS access entries and ARC Zonal Shift enabled. Also now launches with `arm64` nodes when `bootstrap_mode_enabled` is
  - Impacts: iac-module `aws_eks` — Enables EKS access entries, ARC Zonal Shift, and arm64 bootstrap nodes

## Fixes

- Resolved slow Vault startup times for Vault databases larger than 100MB.
  - Impacts: iac-module `kube_vault` — Fixes slow startup for databases larger than 100MB
- BuildKit cache PVCs are now excluded from Velero backups.
  - Impacts: iac-module `kube_buildkit` — Cache PVCs now excluded from Velero backups
- Addressed issue where resetting one's own password via Authentik caused an unauthorized error.
  - Impacts: iac-module `kube_authentik` — Fixes unauthorized error when resetting own password
  - Reference (issue-report): [Authentik password reset returns unauthorized error](https://github.com/Panfactum/stack/issues/177)

## Upgrade Instructions

When upgrading `aws_eks` to this version, you may receive an error about attempting to recreate the cluster:

```hcl
bootstrap_cluster_creator_admin_permissions = true -> false # forces replacement
```

To work around this, upgrade the `aws_eks` module directly to `edge.24-12-10` and set the new `bootstrap_cluster_creator_admin_privileges` input to `true`.

[`kube_nats`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_nats) in this version contains a bug that forces redeployment of the underlying NATS StatefulSet on every tag/label update. This also impacts [`kube_argo_event_bus`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_argo_event_bus). This will cause complete loss of any pending NATS messages in Jetstream streams. If you cannot afford to lose stream data, delay upgrading those modules until `edge.24-12-22` which contains the fix.

## Linkerd Major Upgrade

This release contains a major version upgrade to Linkerd. **To upgrade with no downtime, update modules in this order:**

1. [`kube_kyverno`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/kubernetes/kube_kyverno)
2. [`kube_policies`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/kubernetes/kube_policies)
3. [`kube_cilium`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/kubernetes/kube_cilium)
4. [`kube_linkerd`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/kubernetes/kube_linkerd)
5. [`aws_eks`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/aws/aws_eks)
6. [`kube_karpenter_node_pools`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/kubernetes/kube_karpenter_node_pools)
7. The remainder of the modules may be updated in any order.

## Replace NATS EventBus Backend

The NATS backend for [`kube_argo_event_bus`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_argo_event_bus) has been replaced with the enhanced [`kube_nats`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_nats) module. To apply this module:

1. Delete any associated `EventSource` or `Sensor` resources first (the `EventBus` deletion will be blocked otherwise).
2. Manually delete any existing `EventBus` resources in your cluster.
3. Apply the updated module.

**Deleting an existing EventBus will cause any unprocessed events to be deleted.** Ensure no pending events exist before performing this upgrade.

## Remove Deprecated Modules

`kube_fledged` and `kube_reflector` have been removed (deprecated in `edge.24-11-13`). Remove these from your clusters before upgrading if you haven't already.

## Update `kube_node_image_cache` Images Input

The `images` input of [`kube_node_image_cache`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_node_image_cache) has been updated to take a list of image configuration options rather than a list of image strings.
Also, `node_image_cached_enabled` has been removed as a top-level input from Panfactum submodules (e.g., [`kube_deployment`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_deployment)) — image cache settings can now be configured on a per-container basis.

## Related Resources

- [JSON Data](https://panfactum.com/docs/changelog/edge.24-12-05.json): Machine-readable data
- [Channel Release List](https://panfactum.com/docs/changelog/edge.json): All releases in this channel
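
A post-upgrade check for the Linkerd change listed under Breaking Changes, added here as an example (not Panfactum's or Linkerd's own code): a pod's container list is fixed at creation, so pods injected before the upgrade keep a privileged init container until they are recreated, and this script lists them from pod JSON. The container name `linkerd-init` and the sample pod list are assumptions; the page itself only names the `proxy-init` container.

```python
import json
import sys

# Assumption: name Linkerd gives the injected init container; not stated on the page.
ASSUMED_INIT_NAME = "linkerd-init"

# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "payments", "name": "api-7d9f"},
     "spec": {"initContainers": [
         {"name": "linkerd-init", "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "payments", "name": "worker-5c2a"},
     "spec": {"containers": [{"name": "worker"}]}},
    {"metadata": {"namespace": "tools", "name": "debug-0"},
     "spec": {"initContainers": [
         {"name": "sysctl-tuner", "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "web", "name": "front-1"},
     "spec": {"initContainers": None}},
]})


def find_privileged_init_containers(pod_list_json, name_filter=ASSUMED_INIT_NAME):
    """Return sorted (namespace, pod, container) tuples for privileged init containers.

    name_filter=None reports every privileged init container, not only the mesh one.
    """
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        # initContainers may be absent or null; treat both as empty.
        for container in pod.get("spec", {}).get("initContainers") or []:
            if name_filter is not None and container.get("name") != name_filter:
                continue
            security = container.get("securityContext") or {}
            if security.get("privileged") is True:
                findings.append(
                    (meta.get("namespace"), meta.get("name"), container.get("name")))
    return sorted(findings)


if __name__ == "__main__":
    # Real data: kubectl get pods -A -o json | python3 this_script.py -
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_POD_LIST
    for namespace, pod, container in find_privileged_init_containers(raw):
        print(f"{namespace}/{pod}: init container {container} is still privileged")
```

Pods that appear in the output have not been recreated since the `kube_linkerd` upgrade; calling the function with `name_filter=None` widens the report to every privileged init container in the cluster.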