Release Notes#
ESS 2.4.0 Released 2025-05-13
New Configuration Requirements#
Database Requirements#
The ESS 2.4 release introduces new database requirements for the scalable cloud deployment:
Purger Service: Requires a new dedicated database to manage Pod deletion requests and their status.
Notification Service: Requires a new dedicated database to store subscription information and event data.
Important
Operators must set up and configure these databases prior to upgrading to ESS 2.4.
For scalable cloud deployments, update the following files in the inputs/
directory of your ESS installation:
ess-purger-postgres-credentials.env
- Configure the Purger Service database connectioness-notification-postgres-credentials.env
- Configure the Notification Service database connection
These files contain the necessary parameters including database user, password, host, port, and database name. Ensure that you:
Create the required databases on your PostgreSQL server
Create database users with appropriate read & write permissions
Update the credential files with the correct connection information
Verify that the
inputs/kustomization.yaml
file includes entries for bothess-purger-postgres-credentials
andess-notification-postgres-credentials
in thesecretGenerator
sectionApply the configuration changes following your standard deployment process
Kafka Message Encryption#
ESS 2.4 introduces new Kafka topics for change notifications that require encryption passwords. Before upgrading to ESS 2.4, you must configure the following new encryption settings in the inputs/kafka-credentials.env
file:
INRUPT_KAFKA_CHANGE_NOTIFICATION_CIPHER_PASSWORD
- Password used for encrypting messages sent over the “change-notification” topicINRUPT_NOTIFICATION_DISPATCH_CIPHER_PASSWORD
- Password used for encrypting messages sent over the “change-notification-dispatch”, “change-notification-failed-dispatch”, and related retry topics
For security best practices:
Generate strong, unique passwords for each encryption setting
Ensure passwords are at least 16 characters long with a mix of characters
Store these passwords securely in your password management system
Never reuse passwords across different encryption settings
New Purger Service#
Starting in 2.4, ESS includes a new Purger Service for deleting user data and Pods from ESS. This service hosts HTTPS API endpoints that can be called as part of a workflow. This helps organizations using ESS comply with legislative requirements such as GDPR/CCPA and the right to have personal data deleted.
For more information, see Purger Service.
Change Notifications#
The Notification Service now includes an HTTPS API for agents to subscribe to notifications from the Access Grant Service. An agent provides a webhook URL as part of the subscription that will receive events from the Notification Service.
The Access Grant Service generates events for each of the following:
An Access Request is awaiting review
An Access Request was denied
An Access Grant was issued
An Access Grant expired
An Access Grant was revoked
For more information, see Notification Delivery Service.
Third-Party Dependency Updates#
Various third-party dependencies used by ESS have been updated in 2.4. Key dependency upgrades include:
UBI 9#
ESS images are now based on UBI 9, aligning with Red Hat’s supported and hardened base images. This change was backported to ESS 2.3.4, so it will not impact the migration of ESS deployments on the latest version of the 2.3 series.
Kafka 3.9#
ESS has upgraded to Kafka 3.9 in the standalone
overlay.
Changelogs#
For changelogs, see 2.4 Changelogs.