Nxs Universal Chart

v3.1.0 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 7d Containers & Orchestration

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Affected surfaces

deps

ReleasePort's take

Light signal

editorial:auto 6d

Release v3.1.0 adds many subcharts, generic workload defaults, projected volumes, new Istio and Vault Secret Operator templates, plus critical rendering fixes.

Why it matters: The update introduces 11 subcharts, generic workload defaults, projected volume support, and fixes severity‑40 Helm template evaluation in HTTPRoute specs and YAML document separation for jobs, hooks, and cronJobs.

Summary

AI summary

Added many subcharts, generic workload defaults, projected volumes, Istio and Vault Secret Operator templates, GitHub CI config, contributor templates, and several samples.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Low	Added subcharts: nuc-strimzi-kafka-operator, nuc-keycloak-operator, nuc-fluxcd, nuc-external-secrets, nuc-mongodb-percona-operator, nuc-envoy-gateway, nuc-cloudnativepg, nuc-mysql-percona-operator, nuc-elk, nuc-rabbitmq, nuc-clickhouse. Added subcharts: nuc-strimzi-kafka-operator, nuc-keycloak-operator, nuc-fluxcd, nuc-external-secrets, nuc-mongodb-percona-operator, nuc-envoy-gateway, nuc-cloudnativepg, nuc-mysql-percona-operator, nuc-elk, nuc-rabbitmq, nuc-clickhouse. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Added shared generic defaults for workloads: nodeSelector, resources, podSecurityContext, containerSecurityContext, automountServiceAccountToken. Added shared generic defaults for workloads: nodeSelector, resources, podSecurityContext, containerSecurityContext, automountServiceAccountToken. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Added servicesGeneral for common labels and annotations on rendered Service resources, including auto-generated governing Services. Added servicesGeneral for common labels and annotations on rendered Service resources, including auto-generated governing Services. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Added typed projected volumes via volumes[].type: projected. Added typed projected volumes via volumes[].type: projected. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Added ServiceAccount.imagePullSecrets support via serviceAccountDefaultImagePullSecretName, serviceAccountGeneral.imagePullSecrets, and per-ServiceAccount overrides. Added ServiceAccount.imagePullSecrets support via serviceAccountDefaultImagePullSecretName, serviceAccountGeneral.imagePullSecrets, and per-ServiceAccount overrides. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Added new Istio templates: AuthorizationPolicy, DestinationRule, EnvoyFilter, Gateway, PeerAuthentication, ProxyConfig, RequestAuthentication, ServiceEntry, Sidecar, Telemetry, VirtualService, WasmPlugin, WorkloadEntry, WorkloadGroup. Added new Istio templates: AuthorizationPolicy, DestinationRule, EnvoyFilter, Gateway, PeerAuthentication, ProxyConfig, RequestAuthentication, ServiceEntry, Sidecar, Telemetry, VirtualService, WasmPlugin, WorkloadEntry, WorkloadGroup. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Added new Vault Secret Operator templates: HCPAuth, HCPVaultSecretsApp, SecretTransformation, VaultAuthGlobal, VaultConnection, VaultDynamicSecret, VaultPKISecret. Added new Vault Secret Operator templates: HCPAuth, HCPVaultSecretsApp, SecretTransformation, VaultAuthGlobal, VaultConnection, VaultDynamicSecret, VaultPKISecret. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Added stdin and tty support for containers and initContainers. Added stdin and tty support for containers and initContainers. Source: llm_adapter@2026-05-28 Confidence: high	—
Dependency
Dependency	Low	Updated nuc-common dependency from 1.0.4 to 1.0.5. Updated nuc-common dependency from 1.0.4 to 1.0.5. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Dependency	Low	Updated nuc-keycloak-operator dependency from 1.0.0 to 1.0.1. Updated nuc-keycloak-operator dependency from 1.0.0 to 1.0.1. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Dependency	Low	Updated nuc-external-secrets dependency from 1.0.1 to 1.1.0. Updated nuc-external-secrets dependency from 1.0.1 to 1.1.0. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix
Bugfix	Medium	Fixed nuc-native-gateway (1.0.6) so Helm template expressions in HTTPRoute spec are evaluated via tpl instead of toYaml. Fixed nuc-native-gateway (1.0.6) so Helm template expressions in HTTPRoute spec are evaluated via tpl instead of toYaml. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Fixed YAML doc separator rendering between consecutive jobs, hooks, and cronJobs to emit each resource as a separate YAML document. Fixed YAML doc separator rendering between consecutive jobs, hooks, and cronJobs to emit each resource as a separate YAML document. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Low	Fixed deprecated imagePullSecrets warnings in NOTES.txt so null entries inside deployments, cronJobs, jobs, and hooks do not fail template rendering. Fixed deprecated imagePullSecrets warnings in NOTES.txt so null entries inside deployments, cronJobs, jobs, and hooks do not fail template rendering. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Low	Fixed FluxCD dependency condition to use nuc-fluxcd.enabled. Fixed FluxCD dependency condition to use nuc-fluxcd.enabled. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Low	Fixed Envoy Gateway dependency condition to use global.nuc-envoy-gateway.enabled, avoiding an enabled key rejected by the subchart schema. Fixed Envoy Gateway dependency condition to use global.nuc-envoy-gateway.enabled, avoiding an enabled key rejected by the subchart schema. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Low	Fixed cronJobsGeneral.suspend and cronJobsGeneral.singleOnly inheritance allowing per-CronJob overrides. Fixed cronJobsGeneral.suspend and cronJobsGeneral.singleOnly inheritance allowing per-CronJob overrides. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Low	Fixed envConfigmaps and envSecrets rendering to preserve multiple entries and skip null or empty items without rendering an empty envFrom block. Fixed envConfigmaps and envSecrets rendering to preserve multiple entries and skip null or empty items without rendering an empty envFrom block. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Low	Fixed automatic checksum reference collection for General.envConfigmaps and General.envSecrets. Fixed automatic checksum reference collection for General.envConfigmaps and General.envSecrets. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Low	Fixed ConfigMaps and Secrets annotated by default hooks preventing uninstall. Fixed ConfigMaps and Secrets annotated by default hooks preventing uninstall. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Low	Fixed multi-env rendering error. Fixed multi-env rendering error. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Refactor	Low	autoRolloutChecksums now generates checksum annotations only for referenced ConfigMaps, Secrets, and SealedSecrets per workload. autoRolloutChecksums now generates checksum annotations only for referenced ConfigMaps, Secrets, and SealedSecrets per workload. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—

Full changelog

What's Changed

Added

added nuc-strimzi-kafka-operator, nuc-keycloak-operator, nuc-fluxcd, nuc-external-secrets, nuc-mongodb-percona-operator, nuc-envoy-gateway, nuc-cloudnativepg, nuc-mysql-percona-operator, nuc-elk, nuc-rabbitmq, and nuc-clickhouse subcharts to the dependency list.
added shared generic defaults for workloads: nodeSelector, resources, podSecurityContext, containerSecurityContext, and automountServiceAccountToken.
added servicesGeneral for common labels and annotations on rendered Service resources, including auto-generated governing Services.
added typed projected volumes via volumes[].type: projected.
added ServiceAccount.imagePullSecrets support via serviceAccountDefaultImagePullSecretName, serviceAccountGeneral.imagePullSecrets, and per-ServiceAccount overrides.
added new Istio templates: AuthorizationPolicy, DestinationRule, EnvoyFilter, Gateway, PeerAuthentication, ProxyConfig, RequestAuthentication, ServiceEntry, Sidecar, Telemetry, VirtualService, WasmPlugin, WorkloadEntry, WorkloadGroup.
added new Vault Secret Operator templates: HCPAuth, HCPVaultSecretsApp, SecretTransformation, VaultAuthGlobal, VaultConnection, VaultDynamicSecret, VaultPKISecret.
added stdin and tty support for containers and initContainers.
added GitHub chart-testing and CI configuration under .github/, including lint, security, smoke, unit, and e2e workflows.
added contributor templates: docs/PULL_REQUEST_TEMPLATE.md, docs/ISSUE_TEMPLATE/bug_report.yml, docs/ISSUE_TEMPLATE/feature_request.yml.
added samples catalog: nuc-fluxcd, nuc-external-secrets, nuc-mongodb-percona-operator, nuc-envoy-gateway, nuc-valkey, wordpress, and wordpress-vault (WordPress + Vault Secret Operator) deployment examples.

Fixed

fixed nuc-native-gateway (1.0.6): spec of HTTPRoute (and all other Gateway API resources) was rendered as-is via toYaml, so Helm template expressions in string values — e.g. '{{ printf "%s-%s" .Release.Name "frontend" }}' or '{{ include "helpers.app.fullname" … }}' — were not evaluated. spec and status are now rendered through tpl, making release-name-aware backendRefs work out of the box.
fixed YAML doc separator rendering between consecutive jobs, hooks, and cronJobs so each resource is emitted as a separate YAML document.
fixed deprecated imagePullSecrets warnings in NOTES.txt so null entries inside deployments, cronJobs, jobs, and hooks do not fail template rendering.
fixed FluxCD dependency condition to use nuc-fluxcd.enabled.
fixed Envoy Gateway dependency condition to use global.nuc-envoy-gateway.enabled, avoiding an enabled key rejected by the subchart schema.
fixed cronJobsGeneral.suspend and cronJobsGeneral.singleOnly so CronJobs inherit the general defaults while still allowing per-CronJob false or null overrides.
fixed envConfigmaps and envSecrets rendering to preserve multiple entries and skip null or empty items without rendering an empty envFrom block.
fixed automatic checksum reference collection for *General.envConfigmaps and *General.envSecrets.
fixed ConfigMaps and Secrets annotated by default hooks preventing uninstall.
fixed multi-env rendering error.
fixed CronJob general settings (cronJobsGeneral) inheritance.

Changed

autoRolloutChecksums now generates checksum annotations only for ConfigMaps, Secrets, and SealedSecrets actually referenced by a given workload, instead of checksumming every resource in the release.
updated nuc-common dependency from 1.0.4 to 1.0.5.
updated nuc-keycloak-operator dependency from 1.0.0 to 1.0.1.
updated nuc-external-secrets dependency from 1.0.1 to 1.1.0.
completed Dependency Subcharts documentation for all dependencies declared in Chart.yaml.
documented deploymentsGeneral and cronJobsGeneral environment source defaults, including empty-value handling and override behavior.

Testing

added unit and smoke coverage for all new features and bug fixes introduced across the 3.0.x series.

New Contributors

@apberdnikov made their first contribution in https://github.com/nixys/nxs-universal-chart/pull/99
@Gekter made their first contribution in https://github.com/nixys/nxs-universal-chart/pull/104
@edvegas made their first contribution in https://github.com/nixys/nxs-universal-chart/pull/112

Full Changelog: https://github.com/nixys/nxs-universal-chart/compare/v3.0.21...v3.1.0

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Nxs Universal Chart

Get notified when new releases ship.

About Nxs Universal Chart

All releases →