Google Distributed Cloud air-gapped release notes

Add-on Manager:

• The Runtime Config Processing component processes runtime information and produces deterministic results.
• Add-on Manager supports the auto-generation of OpenAPI schema for ConfigTypeSpec parameters.
• Kind clusters can use a dedicated network.

Artifact Management:

• Added support for package validation to ensure that the integrity of the relevant artifacts used for provisioning or updating are maintained and not tampered with.
• Added support for IP privatization to protect intellectual property of system artifacts.

Backup and restore:

• Backup and restore create, read, update, and delete operations for backup resources are available in the UI.
• Replaced the VM backup and restore APIs on the system cluster with a new VM API on the org admin cluster. VM Backup APIs are available from the org admin cluster.

Billing:

• Introduced automated hourly computation of usage costs.
• Introduced automated monthly generation of invoices.
• Added new processes for the IO to configure one-time charges and recurring charges based on customer usage and contract.
• Added a new public SKUDescription resource that lets you query for prices for services.
• Introduced PDF export for invoices and pricing calculator estimates.

Cluster:

• Introduced the new Cluster KRM API for user cluster creation.
• Enabled node pool deletion in the UI.
• Enabled node pool downscaling in the UI.
• Added Cluster dashboards.

Database Service:

• Added support for creating a standby postgres database in the same zone, and issuing a failover command.
• Added support for defining maintenance windows for database clusters by using the gdcloud CLI.
• Added support for PostgreSQL 14.5.
• Added support for automatic in-place database minor version upgrades in user-specified maintenance windows.
• Added support for configuring a list of supported database flags. Additional supported flags are added for Postgres and Oracle. Database Service also validates and rejects unsafe flag values to avoid database outages.
• The Database Service CLI command group moved from gdcloud alpha database to gdcloud database.
• Added two new commands:
• gdcloud database clusters update for updating the database settings
• gdcloud database clusters failover for causing failover for an HA database cluster
• Added support for enabling external connectivity through the gdcloud database clusters update command.
• Added support for setting database flags through the gdcloud database clusters create and gdcloud database clusters update commands.
• Added support for a new AlloyDB Omni database engine (Preview) in the GDC database service.

Disaster Recovery:

• Added gdcloud CLI commands for pausing and resuming backup plans.

Firewall:

• Health checks and firewall upgrade preflight checks are added.
• Firewall upgrade for segmentation is supported.

Hardware security module:

• HSM secret rotation is automated.
• Introduced automated HSM backup improvements and a gdcloud command for taking manual HSM backups.
• Security keys protecting storage data volumes are annotated by the associated resources that they protect.
• Security keys are deleted when their associated HSM keys are destroyed.
• HSM initialization is automated.
• Introduced a gdcloud command to print HSM network info.
• Introduced a gdcloud command to create a config file for communicating with HSMs.

Identity and access management:

• After 15 or more minutes of inactivity in a session, the GDCH console and gdcloud CLI logs you out.
• If a member leaves your organization or team, you can revoke their access to GDC.
• When running the gdcloud init command, an https:// prefix is added to the URL if the prefix is missing.
• Encrypted tokens are supported for OIDC identity providers.
• The web-tls certificate is forwarded to the system cluster.

Key Management Service (KMS):

• A new role is added for PAs and AOs to create and manage secrets in projects.
• Improved the KMS Golden Metrics monitoring dashboard.
• KMS can be configured with a Kubernetes secret based root key, or an HSM backed root key.
• Improved KMS audit logging.
• Introduced a gdcloud command to verify key signatures.

Logging and audit logging:

• Added support for Loki high availability.
• General performance, stability and scalability improvements.
• Fully automated integration of logging and audit logging pipelines with object storage.
• Added IO and PA/AO audit logs separation across different object storage buckets.
• Loki version updated to v2.8.4.
• Added support for NetFlow logs fanout across multiple organizations.

Marketplace:

• The GDC Marketplace lets you access popular software that has gone through security scanning and been validated for GDC. Elastic Cloud on Kubernetes (ECK) is the official Elastic Kubernetes Operator. With the power of Elastic Cloud on ECK, application and operation teams can focus on their Elasticsearch, observability, and security use cases instead of spending valuable time managing Elasticsearch deployments.

Networking (physical) :

• Added support for configuring Direct Connect (DX) Interconnect.
• Direct Server Return (DSR) is supported. DSR is a load balancing configuration where servers behind a load balancer return responses directly to the client.

Networking (virtual)

• External load balancer (ELB) services are created in default-deny mode, and require ProjectNetworkPolicy to allow access to workloads using ELB.
• Fabric trace tooling is added, which allows an operator to view information about flows and traffic flowing through the organization.
• A network diagnose CLI command is added.
• A BGP diagnose CLI tool is added.

Node platform and operating system:

• Added support for applying runtime modifications to a GDCH operating system by using a custom orchestration mechanism to safely configure the target operating system.
• The startup script is updated to use the pre-installed package OS.
• The server reconciler supports the force power off API.
• A fencing reconciler watches IM and controls the server.
• The NodeUpgrade and NodeUpgradeTask API added more columns such as status and concurrency.

Object storage:

• Project deletion checks if there are any buckets in the project before deleting.
• The object storage load balancer is updated to not use a web-tls certificate for communicating with Istio.

Platform authentication:

• Improved the Bring your Own Certificate mode for all certificates served by the ingress (customer facing endpoints). The Infrastructure Operator can use the customer's public key infrastructure (PKI) for signing certificate signing requests and can install the certificates to customer facing endpoints.

Resource manager:

• Added support for deleting a project using the GDC console and gdcloud CLI.

• Added support for creating, managing, and deleting projects by using the gdcloud projects command group.

Ticketing system:

• The ticketing system automatically deploys with the gdchservices organization.
• A Security Incident Response module is added.
• Audit logs are forwarded with the service name gdchservices.
• Email to case workflow support is enabled.
• Major Incident workflow is enabled.
• Support for metrics collection and reporting is enabled.
• Scripted configuration upgrade is enabled.

Transfer service:

• Ongoing stats for long-lived transfers are logged.
• Added support for custom CA certificates for object storage.

Upgrade:

• IOs and PAs can pin certain nodes in the pool to upgrade instead of having to upgrade the entire pool.
• Prometheus is configured to scrape the VM for metrics.
• An upgrade status metric is added to the upgrade orchestrator.
• An Upgrade Status dashboard is added.
• Added pre-flight checks prior to controller upgrades.

Vertex AI:

• You can enable or disable a specific Vertex AI pre-trained service. The pre-trained services are Optical Character Recognition (OCR), Speech-to-Text, and Translation.
• Vertex AI OCR supports asynchronous file detection and annotation. Asynchronous OCR enables users to schedule multiple jobs to batch process a collection of files, such as images and PDFs. Each job is identified by a unique identifier, which lets the user monitor the status of the job.

Virtual machines (VM):

• Replaced the VM API on the system cluster with a new VM API on the org admin cluster. VM APIs are available from the org admin cluster.
• Launched VM HA to ensure VM availability during a node outage.
• Launched the bring your own image feature, which lets you import your own Ubuntu and RHEL operating system images.
• Added support for Rocky 8 and RHEL 8 operating systems, with one out-of-the-box Rocky image released.
• Launched a CLI-oriented operation experience by using the gdcloud compute command group.
• Launched VM package manager, which automatically sets up VMs to install and update APT and RPM packages from a GDCH-provided package manager.
• The NTP of the VM is automatically set up without human intervention.
• Introduced the ability to store and serve VM images with object storage instead of Harbor to increase image availability and support large VM image distribution.
• Introduced an VM Egress improvement that lets you enable or disable VM egress filed without requiring VM rebooting.