Release Notes#

ESS 2.4.0 Released 2025-05-13

New Configuration Requirements#

Database Requirements#

The ESS 2.4 release introduces new database requirements for the scalable cloud deployment:

  • Purger Service: Requires a new dedicated database to manage Pod deletion requests and their status.

  • Notification Service: Requires a new dedicated database to store subscription information and event data.

Important

Operators must set up and configure these databases prior to upgrading to ESS 2.4.

For scalable cloud deployments, update the following files in the inputs/ directory of your ESS installation:

  • ess-purger-postgres-credentials.env - Configure the Purger Service database connection

  • ess-notification-postgres-credentials.env - Configure the Notification Service database connection

These files contain the necessary parameters including database user, password, host, port, and database name. Ensure that you:

  1. Create the required databases on your PostgreSQL server

  2. Create database users with appropriate read & write permissions

  3. Update the credential files with the correct connection information

  4. Verify that the inputs/kustomization.yaml file includes entries for both ess-purger-postgres-credentials and ess-notification-postgres-credentials in the secretGenerator section

  5. Apply the configuration changes following your standard deployment process

Kafka Message Encryption#

ESS 2.4 introduces new Kafka topics for change notifications that require encryption passwords. Before upgrading to ESS 2.4, you must configure the following new encryption settings in the inputs/kafka-credentials.env file:

  • INRUPT_KAFKA_CHANGE_NOTIFICATION_CIPHER_PASSWORD - Password used for encrypting messages sent over the “change-notification” topic

  • INRUPT_NOTIFICATION_DISPATCH_CIPHER_PASSWORD - Password used for encrypting messages sent over the “change-notification-dispatch”, “change-notification-failed-dispatch”, and related retry topics

For security best practices:

  1. Generate strong, unique passwords for each encryption setting

  2. Ensure passwords are at least 16 characters long with a mix of characters

  3. Store these passwords securely in your password management system

  4. Never reuse passwords across different encryption settings

New Purger Service#

Starting in 2.4, ESS includes a new Purger Service for deleting user data and Pods from ESS. This service hosts HTTPS API endpoints that can be called as part of a workflow. This helps organizations using ESS comply with legislative requirements such as GDPR/CCPA and the right to have personal data deleted.

For more information, see Purger Service.

Change Notifications#

The Notification Service now includes an HTTPS API for agents to subscribe to notifications from the Access Grant Service. An agent provides a webhook URL as part of the subscription that will receive events from the Notification Service.

The Access Grant Service generates events for each of the following:

  • An Access Request is awaiting review

  • An Access Request was denied

  • An Access Grant was issued

  • An Access Grant expired

  • An Access Grant was revoked

For more information, see Notification Delivery Service.

Third-Party Dependency Updates#

Various third-party dependencies used by ESS have been updated in 2.4. Key dependency upgrades include:

UBI 9#

ESS images are now based on UBI 9, aligning with Red Hat’s supported and hardened base images. This change was backported to ESS 2.3.4, so it will not impact the migration of ESS deployments on the latest version of the 2.3 series.

Kafka 3.9#

ESS has upgraded to Kafka 3.9 in the standalone overlay.

Changelogs#

For changelogs, see 2.4 Changelogs.