You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Graduate the operator from alpha to its first non-alpha cut, v0.1.0. This issue tracks everything that needs to land — and everything we want to audit — before that release.
Current state: v0.1.0-alpha.20 (cut 2026-05-20). Twenty alphas, chart-image fix from #128 landed cleanly, Node 24 audit done. The MVP milestone "Operator: Architecture + CRDs + Decisions + MVP" is closed. Time to draw the line and call the next cut "real."
Not a feature freeze — a quality bar. Docs match the code, examples actually run, release process is reproducible without tribal knowledge.
"Expect significant changes." CRD shape moved meaningfully, you'll touch your pack manifests.
MESO (x.Y.z)
"Could break, watch for warnings." New fields, optional opt-ins, deprecations.
MICRO (x.y.Z)
"Should be safe." Bug fixes, doc updates, operator-internal refactors with no CRD impact.
Why EffVer over SemVer:
SemVer demands backwards-compat precision we don't have yet. Pre-1.0 we already break things on minor bumps; SemVer says that warrants a major. EffVer just says "watch the MACRO digit for migration work."
Maps cleanly to what pack authors care about: "do I need to read release notes or can I just bump."
Honest signal during pre-stable.
Tag format stays vX.Y.Z (Helm chart + GitHub Releases want SemVer-shaped tags). Interpretation in docs changes.
Maintainer docs that mention "semantic versioning" need updating:
docs/maintainers/release-process.md
docs/maintainers/release-setup.md
docs/maintainers/release-checklist.md
Documentation readiness for v0.1.0
Top-level
README.md — soften "may change without notice" language (still pre-1.0, but the strong wording should go).
CONTRIBUTING.md — review against current PR / branch / lint workflow.
Decide: curated CHANGELOG.md, or rely solely on GitHub-generated release notes.
User-facing docs (docs/)
docs/quickstart.md — verify steps still match dev/Makefile. Cover the user-provided-TLS path and the new chart manager.image.* defaults.
docs/configuration-reference.md — audit for every CRD field added since 2026-03: routing.tls.secretName, auth.forwardAccessToken, auth.denyRedirect, auth.tokenExchange, auth.spaClient, auth.deviceFlowClient, plus whatever lands from the gating set (multi-port, dark/light icons, etc.).
docs/troubleshooting.md — sanity-check the symptom list against currently surfaced condition reasons.
docs/api-reference.md — auto-generated via make docs; verify it generates clean from main HEAD.
docs/reconcilers/{README,routing,validation,authentication}.md — match current responsibilities. TLS reconciler probably wants its own doc.
docs/makefile-reference.md — verify coverage of new/changed targets (generate-dev, helm-chart-version semantics).
Maintainer docs (docs/maintainers/)
release-process.md — EffVer language.
release-checklist.md — EffVer language. Also: job-name list (lines 84-90) is wrong vs current release.yml. Five jobs (tests, build-manifests, goreleaser, publish-helm-chart, sync-helm-repository), not seven.
release-setup.md — EffVer language.
Design / decision / plan archives
Verify nothing in docs/plans/ is an orphan (never landed, never decisioned).
Examples
Currently dev/examples/ has just two files. For v0.1.0:
Minimal NebariApp (sanity-check end-to-end against make setup).
NebariApp with auth.enabled: true + Keycloak provisioning.
NebariApp with routing.tls.secretName (user-provided cert).
NebariApp with routing.publicRoutes for health endpoints.
A non-routing NebariApp (operator-as-contract-aggregator mode).
Each example: kubectl apply -f-able against the dev cluster, with an inline comment explaining what it demonstrates.
Automated documentation: what we have, what to expand
Today: docs/api-reference.md auto-generated from api/v1/ via crd-ref-docs (make docs).
Add at least one of these before v0.1.0:
Condition / event reason table from the EventReason* / Reason* constants in api/v1/nebariapp_types.go. Lowest-friction starting point.
RBAC summary table from // +kubebuilder:rbac: markers.
Helm values reference (e.g. via helm-docs).
Naming-rules diagram from naming.ValidateResourceNames so pack authors see name-length implications early.
Goal: a new pack author shouldn't have to read the operator source to understand what their NebariApp produces.
Triage
Rule: anything that touches the CRD spec lands pre-v0.1.0 — especially field removals. After v0.1.0, CRD shape changes become MACRO bumps and real migration work for consumers.
Goal
Graduate the operator from alpha to its first non-alpha cut,
v0.1.0. This issue tracks everything that needs to land — and everything we want to audit — before that release.Current state:
v0.1.0-alpha.20(cut 2026-05-20). Twenty alphas, chart-image fix from #128 landed cleanly, Node 24 audit done. The MVP milestone "Operator: Architecture + CRDs + Decisions + MVP" is closed. Time to draw the line and call the next cut "real."Not a feature freeze — a quality bar. Docs match the code, examples actually run, release process is reproducible without tribal knowledge.
Versioning: adopt EffVer
Going forward (starting with
v0.1.0), use Effort-based Versioning (EffVer) —MACRO.MESO.MICRO— instead of strict SemVer.X.y.z)x.Y.z)x.y.Z)Why EffVer over SemVer:
Tag format stays
vX.Y.Z(Helm chart + GitHub Releases want SemVer-shaped tags). Interpretation in docs changes.Maintainer docs that mention "semantic versioning" need updating:
docs/maintainers/release-process.mddocs/maintainers/release-setup.mddocs/maintainers/release-checklist.mdDocumentation readiness for v0.1.0
Top-level
README.md— soften "may change without notice" language (still pre-1.0, but the strong wording should go).CONTRIBUTING.md— review against current PR / branch / lint workflow.CHANGELOG.md, or rely solely on GitHub-generated release notes.User-facing docs (
docs/)docs/quickstart.md— verify steps still matchdev/Makefile. Cover the user-provided-TLS path and the new chartmanager.image.*defaults.docs/configuration-reference.md— audit for every CRD field added since 2026-03:routing.tls.secretName,auth.forwardAccessToken,auth.denyRedirect,auth.tokenExchange,auth.spaClient,auth.deviceFlowClient, plus whatever lands from the gating set (multi-port, dark/light icons, etc.).docs/troubleshooting.md— sanity-check the symptom list against currently surfaced condition reasons.docs/api-reference.md— auto-generated viamake docs; verify it generates clean frommainHEAD.docs/reconcilers/{README,routing,validation,authentication}.md— match current responsibilities. TLS reconciler probably wants its own doc.docs/makefile-reference.md— verify coverage of new/changed targets (generate-dev,helm-chart-versionsemantics).Maintainer docs (
docs/maintainers/)release-process.md— EffVer language.release-checklist.md— EffVer language. Also: job-name list (lines 84-90) is wrong vs currentrelease.yml. Five jobs (tests,build-manifests,goreleaser,publish-helm-chart,sync-helm-repository), not seven.release-setup.md— EffVer language.Design / decision / plan archives
docs/plans/is an orphan (never landed, never decisioned).Examples
Currently
dev/examples/has just two files. For v0.1.0:make setup).auth.enabled: true+ Keycloak provisioning.routing.tls.secretName(user-provided cert).routing.publicRoutesfor health endpoints.routing.routes[].port(multi-port — gated on feat(api): per-route port overrides on NebariApp routes #121).Each example:
kubectl apply -f-able against the dev cluster, with an inline comment explaining what it demonstrates.Automated documentation: what we have, what to expand
Today:
docs/api-reference.mdauto-generated fromapi/v1/viacrd-ref-docs(make docs).Add at least one of these before v0.1.0:
EventReason*/Reason*constants inapi/v1/nebariapp_types.go. Lowest-friction starting point.// +kubebuilder:rbac:markers.helm-docs).naming.ValidateResourceNamesso pack authors see name-length implications early.Goal: a new pack author shouldn't have to read the operator source to understand what their NebariApp produces.
Triage
Rule: anything that touches the CRD spec lands pre-v0.1.0 — especially field removals. After v0.1.0, CRD shape changes become MACRO bumps and real migration work for consumers.
Gating set for v0.1.0 (must close before the cut)
Bugs / security
enforceAtGatewayproduces two competing HTTPRoutes (contract bug)syncClientScopesdoesn't remove scopes no longer in spec (drift bug)CRD-spec changes (must land pre-v0.1.0)
RouteMatch.port— additive)status.serviceDiscovery.children(status shape change)auth.keycloakConfigadditions)forwardAccessToken, add app-level OIDC redirect URIs (field removal — the most v0.1.0-critical of all)Auth quality
Release readiness
main).Doc / process
That's 14 items + this tracker. v0.1.0 is a real milestone, not a renamed alpha.
Worth landing if cheap (no CRD touch)
Decision point
Punt to v0.1.x patches (MICRO under EffVer, no CRD shape change)
SecurityPolicy.spec.oidc.providerReconciletest coveragePunt to v0.2.0+ (no CRD touch but larger scope / epic-level)
SecurityPolicy.Issuerinvestigation (diagnostic, may be no-op)Tracking epics
The existing epics (#78 CRD evolution, #79 Keycloak & Auth, #80 Reconciler & Tech Debt) cover most child issues already, and a final one:
Ordering recommendation (within the gating set)
#132 (release validation) explicitly depends on the rest of the gating set being on
main. Suggested order:Cut v0.1.0 when this issue's "Done when" checklist is fully ticked.
Release process audit
Verified end-to-end via
v0.1.0-alpha.20:values.yamlcorrectly stamped with registry-qualified image + version tag (ci(release): pass IMG to make helm-chart so values.yaml inherits the pinned image #128).Stale items to fix before v0.1.0:
docs/maintainers/release-checklist.mdjob-name list.docs/maintainers/*.md.Out-of-repo follow-up (doesn't gate v0.1.0):
sync-chartcomposite action.Done when (acceptance criteria for v0.1.0)
docs/maintainers/release-checklist.mdjob-name list matches actualrelease.yml.v0.1.0-rc.1) and verify the checklist completes top-to-bottom with no manual recovery.v0.1.0.When to formalize as a GitHub Milestone
Once triage above is locked, create the
v0.1.0Milestone in GitHub and attach the gating issues. Holding off until then to avoid premature attachment.