Skip to main content
February 2026

v0.98.9 - February 25, 2026

  • Unified encryption configuration for cp-controller, dp-controller, and dp-llmproxy-service
  • Supports at-rest encryption for identity management and provider secrets via KMS or environment variable mode
  • New common.encryption.keyId value in both control-plane and data-plane services
  • New ExternalSecret templates for encryption in both control-plane and data-plane secret-store charts
  • Replaced dpLlmproxyService.kmsKeyId with unified HH_ENCRYPTION_KEY_ID and HH_ENCRYPTION_SECRET env vars in dp-llmproxy-service
  • Fixed perpetual ArgoCD OutOfSync caused by Redis PDB enabled: true in control-plane Redis
  • Action Required: Remove dpLlmproxyService.kmsKeyId from data-plane values and add common.encryption.keyId in both control-plane and data-plane values
February 2026

v0.98.1 - February 11, 2026

  • Added common.extraLabels for custom governance/compliance labels on all Kubernetes resources (control-plane, data-plane, shared dependencies)
  • Added common.observability.otel.exporterProtocol (default: "grpc") for OTLP exporter protocol configuration in data-plane
  • Added dpLlmproxyService.kmsKeyId (default: "alias/hh-provider-secrets") for AWS KMS encryption of LLM provider secrets
  • Removed duplicate common.observability block in data-plane services values
  • Fixed Next.js cache permission errors in cp-frontend-service with nextjs-cache emptyDir volume
  • Fixed OTEL service name in cp-frontend-service (was hardcoded to cp-controller-service)
  • Added custom CA certificate support (SSL_CERT_FILE, REQUESTS_CA_BUNDLE) for dp-llmproxy-service and dp-pythonmetric-service
  • Added DP_DATABASE_URL env var and KMS config to dp-llmproxy-service
  • Fixed ClickHouse logging configuration (moved to config.d/99-logger.xml with replace="1")
  • Action Required: Set common.extraLabels if your organization requires specific labels on all resources
January 2026

v0.90.17 - January 12, 2026

  • Added kube-prometheus-stack monitoring for both control-plane and data-plane (Prometheus, Grafana, Alertmanager with 30-day retention)
  • Added Tempo for distributed tracing in both control-plane and data-plane
  • Added Loki and Promtail for centralized log aggregation in control-plane
  • Added legacy nats-old chart for backward compatibility
  • Added Datadog integration support for OTEL collectors (disabled by default, set datadog.enabled: true)
  • Added common.tls.caCerts dictionary for custom root CA certificates in data-plane
  • Added common.controlPlane.apiPublicUrl for data-plane to call control-plane API
  • Added resource limits for dp-llmproxy-service and dp-pythonmetric-service (500m/512Mi requests, 1000m/1Gi limits)
  • Added persistent storage for ClickHouse Keeper (storage.enabled: true, storage.size: "10Gi")
  • Updated ClickHouse Keeper image to altinity/clickhouse-keeper:25.3.6.10034.altinitystable-alpine
  • Simplified ClickHouse Operator values from 903 lines to 29 lines
  • Updated ExternalSecret API version from v1beta1 to v1 (requires External Secrets Operator 0.9.0+)
  • Moved OTEL collector nodeSelector/affinity/tolerations under opentelemetry-collector key
  • Action Required: Set common.controlPlane.apiPublicUrl to your control-plane API endpoint
  • Action Required: Ensure ClickHouse Keeper persistent storage is enabled for production
  • Action Required: Update External Secrets Operator to 0.9.0+ if not already
December 2025

December 2025

  • Removed OpenUnison authentication infrastructure (all charts, operators, CRDs)
  • Removed Nginx ingress infrastructure
  • Added NATS infrastructure for data-plane with independent cluster deployment (3 replicas, JetStream, PDB)
  • Disabled S3 DLQ and disk spool in writer service (cpWriterService.dlq.enabled: false)
  • Added frontendIngress.alb.annotations for custom ALB annotations
  • Removed PVC functionality from cp-writer-service
  • Changed cp-frontend-service NEXTJS_PORT env var to PORT
  • Added auth config env vars (AUTH_ISSUER_DOMAIN, AUTH_CLIENT_ID, AUTH_CLIENT_SECRET) to cp-frontend-service
  • Added NATS connection settings for data-plane services (dp-evaluation-service, dp-ingestion-service)
  • Enabled Redis authentication in control-plane (auth: true, existingSecret: redis-secrets)
  • Removed gRPC ingress from data-plane services
  • Switched from NLB to ALB for both control-plane and data-plane ingress
  • Added NATS HA streams configuration with configurable replicas
  • Added common.dataPlane.dpPublicUrl and common.controlPlane.frontendPublicUrl for cross-plane communication
  • Added Prometheus monitoring for NATS (exporter on port 7777) and ClickHouse (built-in on port 9363)
  • Added Redis authentication for data-plane (auth: true, existingSecret: redis-secrets)
  • Fixed Redis PDB in data-plane (removed invalid enabled field)
  • Action Required: Remove any NLB-related values overrides and switch to ALB configuration
  • Action Required: Remove any OpenUnison or Beekeeper-related overrides from values files
  • Action Required: Configure auth secrets in AWS Secrets Manager with client-secret and cp-jwt-private-key