Certificate Authorities
-----------------------

The above example uses a self-signed certificate. This is convenient for testing but not
representative of real-world HTTPS deployment. To get closer to that we can use `HeldCertificate`
to generate a trusted root certificate, an intermediate certificate, and a server certificate.

- [Customization Guide](https://github.com/codelibs/fess-site-search)

---

### Elasticsearch / OpenSearch

If you're migrating from a standalone Elasticsearch or OpenSearch deployment:

#### Document Migration

**Step 1: Export from Source**

Export documents from your existing Elasticsearch/OpenSearch cluster:

```bash
# Using elasticdump
elasticdump \

- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([#133087](https://github.com/kubernetes/kubernetes/pull/133087), [@atiratree](https://github.com/atiratree)) [SIG...

  Multi vCenter support is deprecated as of v1.21. If you have a Kubernetes cluster spanning across multiple vCenter servers, please consider moving all k8s nodes to a single vCenter Server. vSphere CSI Driver does not support Kubernetes deployment spanning across multiple vCenter servers.
  
  Support for these deprecations will be available till Kubernetes v1.24. ([#98546](https://github.com/kubernetes/kubernetes/pull/98546), [@divyenpatel](https://github.com/divyenpatel))

- Kube-controller-manager: Fixes bug setting headless service labels on endpoints ([#85361](https://github.com/kubernetes/kubernetes/pull/85361),...

### Feature

- 'kubeadm: enhanced the "patches" functionality to be able to patch coredns
  deployment. The new patch target is called "corednsdeployment" (e.g. patch file
  "corednsdeployment+json.json"). This makes it possible to apply custom patches

### Bug or Regression

- (PodSecurity admission) errors validating workload resources (deployment, replicaset, etc.) no longer block admission. ([#106017](https://github.com/kubernetes/kubernetes/pull/106017), [@tallclair](https://github.com/tallclair)) [SIG Auth]

With cluster-wide seccomp defaults, the kubelet uses the `RuntimeDefault` seccomp profile by default, rather than than `Unconfined`. This allows enhancing the default cluster wide workload security of the Kubernetes deployment. Security administrators will now sleep better knowing there is some security by default for the workloads.

- Seccomp support has graduated to GA. A new `seccompProfile` field is added...

  select the same set of Pods, scaling now will be disabled for those HPAs with
  the reason `AmbiguousSelector`. This change also covers a case when multiple HPAs
  point to the same deployment.'
   ([#112011](https://github.com/kubernetes/kubernetes/pull/112011), [@pbeschetnov](https://github.com/pbeschetnov))
- 'Pod Security admission: the pod-security `warn` level will now default to
  the `enforce` level.'