# Panfactum Changelog — edge.25-01-04

> Adds Grist spreadsheet module, introduces alternative AWS credential management, supports voluntary disruption windows, and fixes critical Kyverno cluster deadlock and Cilium deployment issues.

## Highlights

- Apply `vault_auth_oidc` before any other module — required ordering for this release
- `kube_rbac` and `kube_priority_classes` removed — remove deployments before applying
- New [`kube_grist`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/kubernetes/kube_grist) module for deploying Grist spreadsheets
- Fixed critical Kyverno cluster deadlock that required manual intervention

## Breaking Changes

- This release adds additional functionality to Vault which requires [`vault_auth_oidc`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/vault/vault_auth_oidc) to be upgraded before any other module.
  - Impacts: iac-module `vault_auth_oidc` — Must be upgraded first due to new Vault functionality
- The `kube_rbac` and `kube_priority_classes` modules have been removed per the deprecation notice in `edge.24-12-13`.

## Additions

- Adds a module for deploying [Grist](https://www.getgrist.com/), a next-generation spreadsheet system: [`kube_grist`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/kubernetes/kube_grist).
  - Impacts: iac-module `kube_grist` — New module for deploying the Grist spreadsheet system
- Adds an alternative mechanism for creating dynamically-rotated AWS credentials when IRSA is not an option: [`kube_aws_creds`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_aws_creds).
  - Impacts: iac-module `kube_aws_creds` — New module for dynamic AWS credentials without IRSA
- [`kube_deployment`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_deployment) and [`kube_stateful_set`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_stateful_set) now provide native support for voluntary disruption windows.
  - Impacts: iac-module `kube_deployment` — Adds native support for voluntary disruption windows
  - Impacts: iac-module `kube_stateful_set` — Adds native support for voluntary disruption windows

## Fixes

- Addressed issue where pods could not be created if all Kyverno admission controllers were disrupted simultaneously, which would result in
  - Impacts: iac-module `kube_kyverno` — Resolves cluster deadlock when all admission controllers are disrupted
- Addressed issue where the Kubernetes API server address was set incorrectly when deploying [`kube_cilium`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_cilium) with [`wf_tf_deploy`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/workflow/wf_tf_deploy).
  - Impacts: iac-module `kube_cilium` — Fixes incorrect API server address when deployed via wf_tf_deploy
  - Impacts: iac-module `wf_tf_deploy` — Fixes incorrect API server address passed to kube_cilium
- Helm charts deployed by Panfactum modules will no longer be automatically rolled back on deployment failure, preventing several failure cases
  - Reference (issue-report): [Helm auto-rollback on failure causes manual intervention](https://github.com/Panfactum/stack/issues/318)
- The StatefulSets in [`kube_nats`](https://panfactum.com/docs/edge/reference/infrastructure-modules/submodule/kubernetes/kube_nats) no longer need to be redeployed after each update of resource tags/labels.
  - Impacts: iac-module `kube_nats` — Eliminates unnecessary redeployments on tag/label updates
- `pf-tunnel` now binds to `127.0.0.1` instead of `localhost` to resolve connectivity problems on diverse operating systems.
  - Impacts: devshell `pf-tunnel` — Binds to 127.0.0.1 instead of localhost for cross-OS compatibility

## Upgrade Instructions

## Apply `vault_auth_oidc` First

This release adds additional functionality to Vault which requires
[`vault_auth_oidc`](https://panfactum.com/docs/edge/reference/infrastructure-modules/direct/vault/vault_auth_oidc) to be upgraded
before any other module.

## Remove Deprecated Modules

The `kube_rbac` and `kube_priority_classes` modules have been removed per the deprecation notice in
`edge.24-12-13`. If you have not already removed these modules, you must do so before applying this release.

## Related Resources

- [JSON Data](https://panfactum.com/docs/changelog/edge.25-01-04.json): Machine-readable data
- [Channel Release List](https://panfactum.com/docs/changelog/edge.json): All releases in this channel