Skip to main content

9.0-to-10.0

Please read this entire document before commencing an upgrade.

It is necessary to migrate Azul OpenSearch data to new prefixes as part of this release.

It is also NOT necessary to migrate Kafka data.

Required Changes

Opensearch data is the only data that needs to be migrated for this release, incrementing the external.opensearch.partition number will achieve this. However, new optional functionality is available and can be enabled through configuration.

New Helm Chart Values

Logging

You can now control the log level of various Azul components directly through the Helm chart. The relevant options in the values.yaml file are:

  • apiServices.smartStringFilter.logLevel
  • stats.config.logLevel
  • recovery.logLevel
  • dispatcher.config.defaultLogLevel
  • metastore.instances.ageoff.logLevel
  • metastore.instances.ingest-binary.logLevel
  • metastore.instances.ingest-plugin.logLevel
  • metastore.instances.ingest-status.logLevel
  • restapi.config.logLevel
  • pluginConfig: 
    pluginConfig:
      RUNNER_LOG_LEVEL: "INFO"

Enabling JWT Authentication

Admin accounts can now generate and manage PATs (Personal Access Tokens) for external integrations.

To enable PAT support, configure the following Helm chart options:

  • security.enable_pat: Enables PAT-based authentication (defaults to false). Requires the following additional settings:
  • security_index_username: The username of an OpenSearch account with access to the security index. (A secret must also exist containing this user’s password.)
  • security_index: Name of the security index where PATs are stored. Defaults to security_azul.

Note: The metastoreCreds secret must include two new keys:

  • jwt_signing_secret
  • opensearch_azul_security_password

Once configured, administrators can generate tokens via the Swagger API. As this is an admin‑only feature, PATs are not visible within the Azul Web UI.

AWS Support

CloudWatch

The audit forwarder now supports authentication options to allow forwarding logs to CloudWatch.

Relevant setting: auditForwarder.serviceAccountName

Recovery AWS Storage

Recovery can now use AWS S3 as its storage location, either via. Access key & secret key, or Service account authentication

New values:

  • recovery.s3AuthMode: can be keys or service_account (defaults to the only previous option mode: keys)
  • recovery.bucketRegion: required when using service_account authentication

Other Updates

Kafka

You can now configure the Kafka consumer‑group retention period. This helps prevent unnecessary reprocessing when consumers aren't accessing their consumer groups for extended periods.

external.kafka.consumerGroupRetentionDays

Security Label Rendering

A new setting allows alternate display of the origin releasability when it is the only releasability on a binary:

security.labels.releasability.origin_alt_name