Changelog

Notable changes in each release of the Apollo GraphOS Operator

1.3.0

Breaking changes

  • Supergraph and SupergraphSet CRDs updated to v1alpha4 to achieve parity with the Router Helm chart — existing manifests must be migrated before upgrading

    spec.podTemplate has moved to spec.deployment.podTemplate, and spec.podTemplate.annotations / spec.podTemplate.labels have been promoted to top-level spec.annotations and spec.labels fields that apply to all managed resources. Resource-specific annotations can now be set independently under spec.deployment.annotations (for the Deployment) and spec.networking.annotations (for the Service). SupergraphSet follows the same structure under spec.supergraphTemplate.

    New fields added in this version include:

    • Service & Deployment annotations

    • NodeSelector

    • ImagePullSecrets

    • RollingUpdateParameters: maxUnavailable and maxSurge

    For other resources not managed directly by the Operator, see the migration guide.

Bug fixes

  • Bump dependencies to resolve CVE-2026-32766

  • Bump dependencies to resolve GHSA-pwjx-qhcg-rvj4, GHSA-9f94-5g5w-gf6r and GHSA-394x-vwmw-crm3

  • Bump dependencies to resolve CVE-2026-31812

  • Supergraphs with Argo Rollout strategy now report a clear failure when Argo is not installed

    If you configure a Supergraph with deploymentStrategy: rollout but the Argo Rollouts API is not installed in your cluster, the operator previously created a plain Kubernetes Deployment silently in its place. The Supergraph appeared to be running, but was not using the strategy you specified.

    The operator now sets Progressing: False with reason DeploymentFailed on the Supergraph, making the misconfiguration immediately visible via kubectl describe supergraph. No Deployment is created until the configuration is corrected or Argo Rollouts is installed.

  • Fix credentials expiring when using OCI registries with short-lived tokens (e.g. ECR, GAR)

  • Bump dependencies to resolve RUSTSEC-2026-0097

  • Fix leftover Rollout resource not being removed after migration to Kubernetes Deployment strategy

    After a successful migration, the Argo Rollout resource was not reliably cleaned up, leaving a stale resource in the cluster. It will now be removed once the Deployment has fully rolled out.

  • Fix SupergraphSchema controller becoming unresponsive after extended inactivity with no compositions

1.2.0

Breaking changes

  • Expose full router container configuration via routerContainer spec

    The Supergraph and SupergraphSet CRDs now expose a routerContainer field under spec.podTemplate for fine-grained control over the router container, including lifecycle hooks, liveness/readiness/startup probes, additional ports, and volume mounts. spec.podTemplate.additionalVolumes is also now available for mounting volumes into containers in the router pods. As a result, the Supergraph and SupergraphSet CRDs have been bumped from v1alpha2 to v1alpha3.

    Several fields have moved from spec.podTemplate into the new spec.podTemplate.routerContainer sub-object. Existing Supergraph and SupergraphSet resources using these fields must be updated:

    Old fieldNew field
    spec.podTemplate.envspec.podTemplate.routerContainer.additionalEnv
    spec.podTemplate.envFromspec.podTemplate.routerContainer.additionalEnvFrom
    spec.podTemplate.resourcesspec.podTemplate.routerContainer.resources
    spec.podTemplate.securityContextspec.podTemplate.routerContainer.securityContext

    See our documentation for more details as to exact fields exposed

Features

  • Add installCRDs and rbac.create flags to Helm chart values

    Set these to false when installing a second instance of the operator in the same cluster. installCRDs: false skips CRD creation so Helm does not conflict with the CRDs owned by the first installation, and rbac.create: false skips ClusterRole creation so the existing ClusterRoles are reused with new namespace-scoped RoleBindings.

Bug fixes

  • Bump dependencies to resolve GHSA-65p9-r9h6-22vj, GHSA-vw5v-4f2q-w9xf, and GHSA-hfpc-8r3f-gw53.

  • Improve Argo Rollouts detection and compatibility with namespaced mode

    Argo Rollouts availability detection and the Rollout resource watcher have been updated to work correctly when the operator is running in namespaced mode alongside a namespace-scoped Argo Rollouts install.

1.1.1

Bug fixes

  • Fix 404 errors when Argo Rollouts is not installed
Feedback

Ask Community