v1.1.2

What's Changed

🐛 Bug Fixes

• [FirewallConfiguration] nft filter rule equal check by @cheina97 in #3207
• fix: always render EKS annots on wg server templates by @fra98 in #3208
• fix: avoid false positive errors in controllers by @fra98 in #3212
• [Networking] arm32 overflow by @cheina97 in #3218

🧹 Code Refactoring

• refactor: crd-upgrade appversion by @cheina97 in #3206
• [Networking] fwcfg and rtcfg controllers reconcile timeout by @cheina97 in #3217

✅ Tests

• [NFTables] rules forging tests by @cheina97 in #3213
• [Kubernetes] Update libraries to k8s v0.35.0 by @cheina97 in #3216

🚚 Dependencies Management

• chore: update nftables library from v0.2.0 to v0.3.0 by @cheina97 in #3215
• chore: bump github.com/go-git/go-git/v5 from 5.12.0 to 5.16.5 by @dependabot[bot] in #3196
• chore: bump github.com/containerd/containerd from 1.7.12 to 1.7.29 by @dependabot[bot] in #3141
• chore: bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 by @dependabot[bot] in #3211

Full Changelog: v1.1.1...v1.1.2

v1.1.1

What's Changed

🚚 Dependencies Management

• [ReadTheDocs] update python version by @cheina97 in #3205

Full Changelog: v1.1.0...v1.1.1

v1.1.0

What's Changed

🚀 New Features

• [Network] TCP MSS clamping in Gateway by @cheina97 in #3176
• [Webhook]: added skip label by @cheina97 in #3183
• feat: add skip webhook label to non cross-cluster resources by @fra98 in #3185
• [Networking] disable leader election in gateway by @cheina97 in #3186
• [VirtualKubelet] shadowpod event reflection by @cheina97 in #3189
• feat(vkoptions): add tolerations support for virtual kubelet pod by @aleoli in #3191
• [Liqo-CRDs] CRD upgrade job by @cheina97 in #3192
• feat(helm): support priorityClassName in default gateway templates by @fra98 in #3195
• feat: avoid kyverno dependency in tests by @cheina97 in #3128
• [API] Firewall: support IP ranges and accept/drop by @Wekkser in #2966
• feat(gateway): add tolerations option for gateway pods by @aleoli in #3193
• feat(pod-security): add pod security labels to tenant ns by @aleoli in #3184
• [Core] feat: mark foreigncluster as permanently unreachable by @claudiolor in #3122
• [Liqoctl] Force unpeer command by @giuliafalaschi in #3126

🐛 Bug Fixes

• [Networking] fwcfg match port fix by @cheina97 in #3181
• fix: fix a bug that CN should be consumer cluster id by @likakuli in #3171
• fix: bind cluster-wide clusterroles with TolerateNoHandshake peering by @fra98 in #3201
• fix: ignore not found InternalNode on deletion by @claudiolor in #3200
• [Networking] Relieve stress on the Kubernetes API server. by @cheina97 in #3202

🧹 Code Refactoring

• [Copyright] 2026 update by @cheina97 in #3175
• refactor: align wireguard gateway templates by @fra98 in #3203

📝 Documentation

• [Network] Cilium MTU autodiscovery by @cheina97 in #3178
• [Liqo-CRDs] helm docs generation by @cheina97 in #3197
• Fix minor doc inconsistencies around mariadb invokation by @topiaruss in #3019

✅ Tests

• [Unit Tests] macos run fix by @cheina97 in #3190

🚚 Dependencies Management

• chore: bump golang from v1.24.0 to v1.25.5 by @cheina97 in #3177
• [Sphinx] update docs python packages by @cheina97 in #3198

📦 Builds Management

• build(liqo-test): switch to setup‑envtest for envtest binaries by @aleoli in #3199

👷 CI/CD

• [CRD-Upgrade] excludes arm/v7 from build by @cheina97 in #3204

New Contributors

• @Wekkser made their first contribution in #2966
• @giuliafalaschi made their first contribution in #3126

Full Changelog: v1.0.3...v1.1.0

v1.0.3

What's Changed

🐛 Bug Fixes

• fix: TolerateNoHandshake ResourceSlice approval by @claudiolor in #3168

Full Changelog: v1.0.2...v1.0.3

v1.0.2

What's Changed

🚀 New Features

• [Network] wireguard-go post new build pipeline by @cheina97 in #3089
• feat(auth): add TLS compatibility mode for authentication keys by @aleoli in #3109
• [Liqoctl] Specify other (non-standard) resources with liqoctl commands by @claudiolor in #3138
• feat: add helm values for affinity and ns on fabric ds by @fra98 in #3150

🐛 Bug Fixes

• fix(reflection): handle errors when getting metadata accessor by @aleoli in #3106
• fix(reflection): terminated pod reflection logic by @aleoli in #3107
• [virtual-kubelet] Allow scheduling pods with name > 63 chars by @fra98 in #3111
• [Auth module] fix: enable healthcheck with missing identity by @claudiolor in #3114
• fix: handle nil chain type in FromChainToRulesArray by @riccardotornesello in #3131
• [Network] Internalfabric get fix by @cheina97 in #3125
• fix: backward compatibility with ed25519-only keys clusters by @claudiolor in #3165
• [Network] fullmasquerade idempotency by @cheina97 in #3167

🧹 Code Refactoring

• [Network] refactor InternalFabric name source by @cheina97 in #3077
• [Controller-Manager] flags refactoring by @cheina97 in #3088

📝 Documentation

• [Linter] fix broken links by @cheina97 in #3087
• docs(install): add Cilium device config note by @aleoli in #3151

✅ Tests

• [E2E] forge kubeconfig from service-account by @cheina97 in #3146
• test(cni): update Cilium CLI version to v0.18.8 by @aleoli in #3149

🚚 Dependencies Management

• [Linting] ignore broken link by @cheina97 in #3078
• chore: bump k8s libs to v1.33 by @fra98 in #3116

👷 CI/CD

• [Build] faster pipeline by @cheina97 in #3065

New Contributors

• @riccardotornesello made their first contribution in #3131

Full Changelog: v1.0.1...v1.0.2

v1.0.1

What's Changed

🚀 New Features

• [ArgoCD] support for v3.0 by @claudiolor in #3043
• feat(offload): Add the liqoctl offload namespaces command. by @mayooot in #3060

🐛 Bug Fixes

• [liqoctl] fix help commands templating by @claudiolor in #2986
• Permission for in-band peering by @aleoli in #3030
• [Telemetry] UUID by @cheina97 in #3039
• fix: show correct err when update local pod status failed by @likakuli in #3041
• fix: escape the shadowpod creator label by @claudiolor in #3052
• [Network] avoid panic when setting gateway secretRef by @fra98 in #3049
• [Auth] Tenant idempotency fix by @cheina97 in #3061
• [Network] fix SNAT remaping CIDR by @cheina97 in #3064

🧹 Code Refactoring

• [Firewall] moved FwCfg util functions out of apis types folder by @fra98 in #2995
• [Docs] update mariadb-galera version by @cheina97 in #3001
• [Makefile] removed useless command by @cheina97 in #3056

📝 Documentation

• [Docs] add liqoctl commands documentation by @claudiolor in #2989
• Update text to the content of the latest community repository by @frisso in #3005
• [Sphinx] ignore google scholar in linting by @cheina97 in #3036
• [ArgoCD] installation instructions by @cheina97 in #3035
• [IPAM] improved error logs by @cheina97 in #3034
• [Telemetry] ResourceSliceNumber by @cheina97 in #3038
• [Network] Debugging FAQ by @cheina97 in #2999
• docs: Add missing labels in resource slice for declarative peering by @laurall974 in #3050
• docs: fixed network configuration example by @fra98 in #3059
• [Project] devcontainer docs by @cheina97 in #3063

🚚 Dependencies Management

• chore: bump deprecated ubuntu 20.04 runner by @fra98 in #3027
• chore: bump golangci-lint to v2 by @fra98 in #3009
• chore: bump controller-runtime to v0.20.4 by @fra98 in #3028
• Add image pull policy and secret handling across components by @aleoli in #3029

Other Changes

• Adding information about community (how-to, meetings, etc) by @frisso in #2955
• Update reflection.md to fix two trivial typos by @topiaruss in #3015
• [Project] DevContainer configuration by @cheina97 in #3062

New Contributors

• @topiaruss made their first contribution in #3015
• @likakuli made their first contribution in #3041
• @laurall974 made their first contribution in #3050
• @mayooot made their first contribution in #3060

Full Changelog: v1.0.0...v1.0.1

v1.0.0

🚀 Liqo v1.0.0 Release Notes 🚀

🚨 Breaking Changes Alert

This release contains significant breaking changes.

---

The Liqo v1.0.0 release includes many breaking changes, due to the necessity to bring more modularity and flexibility to the project, a cleaner and more granular control (e.g., fully declarative APIs to control the most important features of Liqo), and other features.

Even more important, the Liqo team believes that the project is now mature and stable enough to be safely deployed in production environments, and to consolidate most of its APIs that were defined as alpha in the past.

📝 Fully declarative APIs

This approach allows users to support gitops and automation use cases, as Liqo can be completely configured via CRs, without necessarily relying on liqoctl (e.g., perform peering declaratively, easily integrate Liqo with other services).

🧩 Modularity

Liqo is now structured in three core modules (network, authentication, and offloading) that are totally independent and can be individually configured and used (e.g. you can enable offloading or resource reflection without necessarily setting up the network connectivity between the clusters, which can be provided by other third-party tools).

🌐 Network Module

Complete re-design of the network fabric, involving:

• A new communication model inside the cluster (i.e., intra-cluster traffic now flows inside the CNI thanks to node-to-gateway geneve tunnels replacing the old node-to-node vxlan overlay)
• A new, simplified model for the inter-cluster connectivity (still based on wireguard, but more robust and open to other technologies)

🔐 Authentication Module

The peering authentication between clusters is now:

• Fully declarative and simpler (it does not require exposing a dedicated auth service anymore as well as no API server exposition is necessary from the consumer side)
• More robust overall (e.g., fixing a broken peer is easier and faster)
• Minimized permissions required on the provider cluster to establish a peering connection with liqoctl
• New ResourceSlice CR allows a more granular and flexible control of the resources requested to provider clusters

🚢 Offloading Module

• It is now possible to have multiple virtual nodes targeting the same remote provider cluster
• This allows splitting the resources of bigger clusters across multiple virtual nodes
• Support for nodes with specific resources (e.g. GPUs) or characteristics (e.g. specific architectures)
• Share huge resource pools with another cluster while keeping the virtual nodes size quite small, avoiding a "black hole" effect during scheduling

🔮 What's Next?

There are many more news and features that will be presented in dedicated blog posts and community meetings.

Stay tuned! 📢

---

The Liqo Team

v1.0.0-rc.3

What's Changed

🚀 New Features

• [Feat] Webhook HA by @aleoli in #2759
• [Feat] VirtualKubelet HA by @aleoli in #2770
• [Feat] Gateway external secrets by @aleoli in #2747
• [Feat] Gateway HA by @cheina97 in #2767
• Improve declarative usage of authentication module by @claudiolor in #2766
• [Feat] liqoctl gateway template check by @cheina97 in #2791
• [Feat] Add nodePort and loadbalancerIPAddress as optional fields in WG gateway template by @claudiolor in #2799
• [Feat] Golang http proxy by @aleoli in #2819
• [liqoctl] allow override gateway client address and port by @claudiolor in #2831
• Add global labels and annotations to liqo-created resources by @aleoli in #2832
• [Offloading] Allow coexistence of podoffloadingpolicy and runtimeclass by @claudiolor in #2861
• [IPAM] Major refactoring by @fra98 in #2852

🐛 Bug Fixes

• add missing ClusterRole to liqo-webhook by @EladDolev in #2726
• fix: retrieve GatewayServer/GatewayClient resources by labels by @fra98 in #2758
• Assign unique names to all controllers by @fra98 in #2771
• fix: retrieve configuration resources by labels by @fra98 in #2772
• fix: retrieve publickey resources by labels by @fra98 in #2773
• fix: network status in ForeignCluster resource by @claudiolor in #2783
• fix: avoid creation of VirtualNode if ResourceSlice deleting by @fra98 in #2786
• fix: wggateway controllers pod watch by @cheina97 in #2815
• test: fix HA replicas checks by @fra98 in #2804
• fix: liqoctl cluster labels and API server addr override collection by @claudiolor in #2781
• fix: nil pointer in network checker of liqoctl info peer by @claudiolor in #2797
• [Fix] argocd install by @aleoli in #2794
• [Fix] improve liqoctl uninstall error message by @claudiolor in #2825
• [virtual-kubelet] namespacemap bidirectional fix by @cheina97 in #2870
• [Deploy] Fixes for smooth ArgoCD uninstall by @claudiolor in #2847

🧹 Code Refactoring

• Metrics: changed port from 8080 to 8082 by @cheina97 in #2818
• refactor: use standard maps lib instead of experimental one by @fra98 in #2860
• [Helm] uniform flag names by @aleoli in #2855

📝 Documentation

• docs: added section for liqo pods in HA by @fra98 in #2780
• [Docs] Add declarative peering section by @claudiolor in #2813
• docs: removed community meeting from readme by @fra98 in #2822
• [Docs] improve NAT and manual peering documentation by @claudiolor in #2827
• [Docs] resource templating by @aleoli in #2872

Other Changes

• Bump controller-runtime from 0.18.5 to 0.19.0 by @cheina97 in #2751
• Bump sphinx from 7.2.6 to 8.0.2 and sphinxawesome-theme from 5.2.0 to 5.3.1 by @cheina97 in #2765
• CI: arm32 build by @cheina97 in #2779
• Nftables monitor disable by @cheina97 in #2817
• Updated legend in grafana Liqo dashboard by @frisso in #2820
• chore: bump to controller-runtime v0.19.2 and go 1.23.3 by @fra98 in #2844
• chore: bump alpine to 3.21.0 by @aleoli in #2853
• fix: peer command default network resources namespace by @fra98 in #2846
• [Liqoctl] interaction schema by @cheina97 in #2856
• [Liqoctl] network test exit error code by @cheina97 in #2865
• [Liqoctl] control-planes in liqoctl network np-nodes flag by @cheina97 in #2867
• [dependabot] add chore prefix to commit messages by @fra98 in #2875

Full Changelog: v1.0.0-rc.2...v1.0.0-rc.3

v1.0.0-rc.2

What's Changed

🚀 New Features

• [Test] e2e plugin for eks by @aleoli in #2643
• [Test] e2e plugin for aks by @fra98 in #2647
• Geneve port configurable by @cheina97 in #2722
• [Feat] New In-Band Peering by @aleoli in #2720
• New liqoctl info command by @claudiolor in #2718
• [E2E] k3s test plugin by @aleoli in #2730
• [Test] e2e plugin for gke by @cheina97 in #2651
• [Feat] support cluster ip in gateway services by @aleoli in #2746
• [Feat] New liqoctl info peer command by @claudiolor in #2741

🐛 Bug Fixes

• [Test] fix e2e by @aleoli in #2707
• Fix providers overwrite flags liqoctl install by @fra98 in #2704
• Avoid retrieval of tenant namespace by name by @fra98 in #2703
• Fix logs follow by @aleoli in #2524
• [Fix] Node IP by @aleoli in #2713
• Fix bug deletion routine of virtualnodes with createNode=false by @fra98 in #2721
• Support for gcloud subnet in different project by @cheina97 in #2723
• Fix default wireguard MTU by @cheina97 in #2736
• [Fix] Tenant cleanup & bidirectional peering by @aleoli in #2740
• Fix liqoctl disconnect on bidirectional peering by @fra98 in #2750

🧹 Code Refactoring

• E2E: add kyverno install as pipeline step by @fra98 in #2708
• Update CodeQL action by @fra98 in #2717
• Flags package refactoring: from "flag" to "pflag" by @cheina97 in #2725

📝 Documentation

• Updating the roadmap based on recent discussions within the Liqo maintainers by @frisso in #2475
• Docs: fix Liqo version in Helm installation by @cheina97 in #2739
• docs: add liqoctl info documentation by @claudiolor in #2753
• Docs: in-band docs refactored by @cheina97 in #2754

Other Changes

• Bump golangci-lint and gci by @fra98 in #2706
• Bump controller-runtime to v0.18.5 and k8s libs to v.1.30.3 by @fra98 in #2705
• Bump alpine images to v3.20 by @fra98 in #2714
• Bump go version to 1.23 by @fra98 in #2724
• Bump Alpine from 3.20 to 3.20.3 by @cheina97 in #2749
• Disable docker artifacts in CI by @cheina97 in #2756

Full Changelog: v1.0.0-rc.1...v1.0.0-rc.2

v1.0.0-rc.1

New Liqo v1.0.0-rc.1 release

Liqo v1.0.0-rc.1 is here! 🚀

This is a major milestone for the project, bringing us closer to the stable 1.0 release. We encourage you to try out this release candidate and provide feedback. Your input is invaluable as we refine Liqo and prepare for the 1.0 release.

This major version includes a new suite of features and a big refactoring of the codebase:

• fully declarative approach on all functionalities (install, peering, offloading, etc..)
• a new division in 3 main modules: networking, authentication, offloading
• modularity and independence between the 3 modules (e.g., the possibility to turn off individual modules)
• new networking fabric
• possibility to implement new networking technologies
• new authentication workflow
• possibility to have multiple virtual nodes targeting the same remote cluster, giving more flexibility and allowing to target specific node pools on the remote provider cluster
• docs: new structure, improvements, new pages (e.g., advanced usage examples), fix deprecated features, and a lot more