Mach5 Search v5.9.0
Migration Guide
Upgrading from an older version to v5.9.0: Migrating to v5.9.0
What’s Changed
NGINX Keycloak InitContainer Improvements
The NGINX Keycloak initialization workflow now tolerates and ignores errors, enabling administrators to:
- Modify or remove the default Keycloak admin user created during system bootstrap.
- Perform Keycloak admin adjustments without breaking NGINX initialization.
Authentication & Authorization (Keycloak Integration)
Impact
These changes apply to all installations with authentication and authorization enabled in previous versions of Mach5.
Key Updates
-
Mach5 roles have been migrated from realm roles to client roles under the Mach5 client in the Default realm.
-
Users previously assigned the old
m5-adminrealm role must:- Unassign
m5-admin, and - Assign the new
adminclient role under the Mach5 client.
- Unassign
-
Any custom roles formerly created as realm roles must be:
- Unassigned from all users.
- Recreated as client roles under the Mach5 client.
- Reassigned to the required users.
- Created following the updated role-pattern specification introduced in v5.9.0.
-
Obsolete realm roles may be safely removed.
-
Authorization enforcement for Mach5 Search resources has been introduced. These resources were previously not checked for authorization.
Additional Documentation
Notebooks API Changes
Impact
Applies to all API consumers using Mach5 Notebook APIs.
Breaking Change
Notebook APIs now identify notebooks by name instead of ID.
| Operation | Previous Versions | v5.9.0+ |
|---|---|---|
| Read | GET /namespaces/{namespace}/notebooks/{id} | GET /namespaces/{namespace}/notebooks/{name} |
| Update | PATCH /namespaces/{namespace}/notebooks/{id} | PATCH /namespaces/{namespace}/notebooks/{name} |
| Delete | DELETE /namespaces/{namespace}/notebooks/{id} | DELETE /namespaces/{namespace}/notebooks/{name} |
For more details on notebooks: Notebooks in Mach5
Kafka Ingest Pipeline - Tombstone Message Support in Mach5
v5.9.0 adds support for Kafka tombstone records in log-compacted topics.
For more details: Kafka Tombstone Support in Mach5
values.yaml Enhancements
User-Provided Keycloak Master Realm Credentials
Support added for supplying your own secret for the Keycloak Master realm.
keycloak:
master:
secret:
create: false
name: keycloak-secret
pwdkey: master-password
userkey: master-username
User-Provided Keycloak Default Realm Client Secret
Administrators may now provide the client secret for the Mach5 Default realm client via a custom secret.
keycloak:
client:
secret:
create: false
name: keycloak-default-client
namekey: name
clientsecretkey: clientsecret
User-Provided License Secrets
Support added for supplying external license mode and token via a custom secret.
license:
createSecretResources: false
name: license-secret
metered: false
Extra Annotations for NGINX Service
Custom Service annotations can now be added (e.g., for LoadBalancer tuning).
nginx:
annotations:
my-custom-annotation: "true"
another-custom-annotation: "true"