@drewr
Last active March 10, 2026 19:43
Datum Q1 2026 — Top 10 Accomplishments

Activity across datum-cloud/enhancements, datum-cloud/infra, and datum-cloud/network-services-operator. Period: January 1 – March 10, 2026.


1. Activity Service — Full Stack to Production

The activity system went from an idea to a fully deployed production service. Work spanned the activity-apiserver (sharing the etcd cluster, infra#1875), activity-processor with NATS mTLS (infra#1584, infra#1587), a ClickHouse full-text index fix for v26.1 (infra#1885), the activity-ui (infra#1581), ActivityPolicy support wired into dns-operator (infra#1832), and a ReindexJob template for Milo access (infra#1871). The full system deployed to staging (infra#1582) and graduated to main (infra#1823). Design documented in enhancements#589.


2. DNS Integration — Custom External-DNS Webhook + NSO

A custom external-dns webhook was built and deployed to push DNS records from GKE control planes into Datum DNS (infra#1809). It was wired through Karmada with dedicated RBAC (infra#1814), promoted to production (infra#1829), extended to manage TXT records (infra#1825), and integrated with GKE control planes pushing upstream (infra#1837). External-dns was switched to watch mode for efficiency (infra#1868). In parallel, the network-services-operator (NSO) DNS integration branch enabled DNS-aware proxy configuration in staging and production (infra#1672, infra#1677, infra#1682), building on the primary/secondary zone transfer design (enhancements#538).


3. Iroh Relay & Edge Networking — QUIC, BGP, HTTP/3

The iroh-gateway was promoted to edge (infra#1627) with Envoy connected via UDS socket (infra#1646) and TCP tunnel support added (infra#1601). The ingress LB gained HTTP/3 and QUIC support (infra#1591) with UDP advertised via alt-svc (infra#1594), and client source IP is now passed directly to the relay for QUIC (infra#1890). The iroh relay was deployed to staging (infra#1550) and promoted to edge (infra#1880) with its own namespace and network policies (infra#1881, infra#1884). BGP announcements for edge services were enabled (infra#1655), and unicast edge IP announcements now use Cilium with NetActuate BGP communities (infra#1879).


4. Search Service — Production Deployment

The search system was built out with Milo-delegated authentication and authorization via webhook (infra#1840), deployed using a consolidated OCI deployment strategy (infra#1811), and promoted to production (infra#1849). Circular Kustomization dependencies were resolved along the way (infra#1855). Resource index policies were added as a Kustomization (infra#1863).


5. CloudValid — New Application Bootstrapped and Deployed

A new validation service was built from scratch: Django backend bootstrapped (infra#1542), dedicated managed SQL instance provisioned (infra#1680), gateway service names and routing unified (infra#1684, infra#1673), Sentry and external secrets configured (infra#1798), and Datum Desktop OIDC client added for authentication (infra#1671). Docs bootstrapped at infra#1696.


6. Sentry v29 Upgrade + OpenTelemetry Auto-Project Creation

Sentry was first upgraded to v28.0.3 to gain the OTLP integration endpoint (infra#1667), then from v28 to v29 in a two-phase migration: Phase 1 added a dedicated ClickHouse instance (infra#1703) and Phase 2 wired Sentry to it (infra#1711). OTel auto-project creation was enabled (infra#1666, infra#1654), CSRF trusted origins were added for OTel trace export (infra#1681), and symbolicator permissions were fixed (infra#1669). Sentry performance was improved by enabling autoscaling and stabilizing node allocation (infra#1643, infra#1644).


7. Kubernetes v1.35 + Talos v1.12 Across All Clusters

A full cluster generation upgrade was executed across lab, staging, and edge. Talos was upgraded to v1.12 in labs (infra#1616), followed by Talos v1.12.3 (infra#1621) and then v1.12.4 with Kubernetes v1.35.2 in labs (infra#1791). Kubernetes v1.34.4 rolled out everywhere (infra#1619, infra#1620), then labs upgraded to Kubernetes v1.35 (infra#1622), edge followed to latest Talos (infra#1792) and Kubernetes v1.35 (infra#1793, infra#1795). The cycle closed with Talos v1.12.5 on edge (infra#1901).


8. Shared TLS Listener + Edge Certificate Infrastructure

A new shared TLS listener infrastructure was built so edge services share a single Envoy gateway HTTPS listener. A cert webhook for DNSEndpoints was created (infra#1757), shared TLS secrets were enabled in staging (infra#1773) and minted in production (infra#1800). Certificates are now minted for edge into TLS secrets (infra#1841) with push/pull secrets distributing them to edge (infra#1843, infra#1857). A shared Envoy Gateway HTTPRoute was introduced for all edge services (infra#1844) and the full shared TLS listener work was promoted to prod and edge (infra#1861). Regional IP reservations for edge were captured via textual IPAM (infra#1856).


9. CRM, Price Book & Commercial Documentation

The CRM implementation specs for the People (enhancements#549) and Company (enhancements#550) components were merged, providing the API and data model definitions for customer relationship management. A price book document was added to formalize commercial packaging (enhancements#540). Requirements for Galactic VPC — the multi-region virtual private cloud product — were documented (enhancements#476). Foundational platform docs were also merged: the Milo Waitlist and Approval Gate system (enhancements#413), the Agreements system (enhancements#369), policy-driven metrics (enhancements#252), and the Milo Control Plane Architecture (enhancements#205).


10. NSO Connector CRDs — HTTPProxy Data Plane Connectivity

The network-services-operator gained a full Connector subsystem for managing overlay network connections. Connector CRDs were introduced (nso#84, nso#87), followed by connector and advertisement controllers (nso#92), an HTTPProxy connector name field with validation (nso#91), EnvoyPatchPolicy integration for HTTPProxy backends (nso#93), connection detail addresses with ports (nso#102), and a selectable publicKey.id in status (nso#99). ConnectorClass was made cluster-scoped (nso#106).

Alongside the Connector work, NSO gained automatic DNS record management for gateway hostnames (nso#111), shared TLS secret support for the default HTTPS listener (nso#118), custom hostname cert issuance fixes (nso#122, nso#123), and a controller to clean up errored ACME challenges (nso#98). A phantom-blocking and reconciliation storm bug in HTTPProxy was also resolved (nso#120).


Honorable Mentions

  • Raleigh-Durham lab cluster added to expand the edge footprint (infra#1612, infra#1613)
  • Claude Code integrated into infra CI with GitHub Actions workflow, write-to-branch, and PR creation (infra#1741, infra#1746, infra#1700)
  • Edge cluster CI linter added for configuration validation (infra#1722)
  • Telepresence Traffic Manager deployed to staging for remote debugging (infra#1724)

Generated 2026-03-10.
