Edge Release List

Adds Temporal workflow orchestration, per-schema Vault roles for PostgreSQL clusters, AWS Service Quotas Automatic Management, and a new cluster reset command, alongside extensive reliability improvements to cluster and SSO installation flows.

• New kube_temporal module — deploy Temporal workflow orchestration with full Panfactum operational guarantees
• New pf cluster reset command — safely reset EKS clusters by removing default AWS resources
• aws_account now enables AWS Service Quotas Automatic Management for proactive quota monitoring and increase requests
• kube_pg_cluster gains per-schema Vault roles and automatic schema initialization — re-apply to enable new capabilities
• authentik_vault_sso now filters regex redirect URIs Vault cannot accept — re-apply authentik_vault_sso and vault_auth_oidc modules
• kube_cilium operator now runs 2 replicas on all clusters regardless of SLA target — re-apply kube_cilium to apply
• kube_aws_ebs_csi PodDisruptionBudget switched to server-side apply to fix Helm race condition — re-apply kube_aws_ebs_csi
• Authentik default login session extended from 8 hours to 30 days — matches industry norms while MFA remains enforced
• pf cluster add and pf sso add receive major reliability improvements including bootstrap anti-affinity bypass, idempotent re-runs, and pre-flight checks

Launches the new `pf` CLI with guided wizards for environment, cluster, domain, and SSO provisioning, upgrades Kubernetes to 1.33 and AWS provider to 6.x, migrates legacy devshell scripts to TypeScript, and consolidates several IaC modules.

• New pf CLI tool with guided installers — pf env add, pf cluster add, pf domain add, and pf sso add automate end-to-end infrastructure provisioning
• kube_cert_manager and kube_cert_issuers consolidated into kube_certificates — state migration required
• Kubernetes default upgraded to 1.33 — review the K8s 1.33 changelog for deprecated APIs
• Node image cache modules (kube_node_image_cache, kube_node_image_cache_controller) removed — destroy existing deployments before upgrading
• Legacy bash devshell scripts migrated to pf subcommands — IaC modules now call pf buildkit, pf wf, and pf kube commands
• OpenTofu upgraded to 1.9.1 and AWS provider to 6.x — re-apply all modules after upgrading
• KEDA added to base cluster — deploy kube_keda before applying other modules

Improves Argo Events and NATS messaging reliability, adds JetStream configuration options, enables single-platform Docker builds with skipping for existing images, and adds PostgreSQL recovery from alternate backup buckets.

• Event stream replication fixed in kube_argo_event_bus — events now properly replicated across all NATS servers
• Fixed NATS ACK bug that could prevent event publishing entirely
• New single-platform image support and skip-if-exists logic in wf_dockerfile_build
• New min_node_cpu input for kube_karpenter_node_pools

Separates burstable and spot instance options, improves PostgreSQL backup performance 100x with explicit backup directories, adds automatic PV garbage collection, and enhances Node.js applications with automatic memory limit configuration.

• burstable_nodes_enabled no longer implies spot — must now set spot_nodes_enabled = true explicitly
• PostgreSQL backup directory is now explicit via pg_backup_directory — set this to preserve existing backups
• PostgreSQL backup throughput improved 100x
• Automatic garbage collection of orphaned persistent volumes via kube_policies
• Node.js heap size now automatically configured from container memory limits

Adds wait options to speed up deployments, fixes VPA CRD management issues, ensures bastion high availability with two replicas, and resolves policy deployment conflicts during bootstrapping.

• Apply kube_vpa before any other module — required ordering for this release
• New wait input on Kubernetes modules — set to false to skip readiness checks for faster deploys
• kube_bastion now always uses two replicas for immediate tunnel reconnection