Skip to main content


Supported Kubernetes version

We are dedicated to maintain support for three different Kubernetes versions within a specific major version of Otomi. Whenever we decide to discontinue support for a particular Kubernetes version, we increment the major version of Otomi.

Otomi VersionSupported Kubernetes versionExpected release date
v1.01.24, 1.25, 1.262023-09-28
v2.01.25, 1.26, 1.272023-11-28
v3.01.26, 1.27, 1.282024-03-28
v4.01.27, 1.28, 1.292024-05-14


2023 Q4

  • Provide a developer catalog in Gitea ✅
  • Migrate platform pipeline from Drone to Tekton ✅
  • Implement status indicators within Otomi Console to keep Team users informed about the status of various components, including Build processes, Workload management, and Service availability ✅
  • Add Team and Platform Dashboards to provide an overview of team resource status using Prometheus metrics ✅
  • Leverage Argo CD to deploy Team K8s resources ✅
  • Quality assurance cluster for continuous Otomi hardening and performance testing ✅
  • Provide UI interface for adding Helm charts to developer catalog in Gitea ✅

2024 Q1

  • Add Grype to the Otomi Build pipeline to scan source code for security vulnerabilities ✅
  • Implement a new secret management solution (as a replacement for Hashicorp Vault) ✅
  • Move network policies out of the Service configuration to improve network policy management 🔄
  • Migrate OPA/Gatekeeper to Kyverno and offer a large set of default policies that can also be managed by Teams 🔄
  • Improve Team self-service permissions ✅
  • Create an Organization in Gitea for each Team (tenant)

2024 Q2

  • Harden the Istio service mesh configuration
  • Implement Gitea with a database managed by the CloudNativePG operator
  • Migrate Harbor and Keycloak Jobs to the Otomi operators
  • Enhance network policies across the platform
  • Enable user configurable storage classes
  • Provide disaster recovery procedures for Otomi core applications, such as Gitea, Keycloak and Harbor

Q3 2024

After Q2 2024 we have the following goals:

  • Add the option to add charts from artifacthub to the Catalog 🔄
  • Leverage Argo CD to deploy Otomi Platform apps 🔄
  • Bring user management into Otomi when Keycloak is used as an IdP
  • Ensure Otomi's NSA and CISA compliance
  • Show a compliance report (code vulnerabilities, image vulnerabilities, security violations, container vulnerabilities, config audit, exposed secrets) per workload
  • Make Otomi more plugable by enabling users to bring their own platform apps

Q4 2024

  • Encrypt platform secrets with SealedSecrets instead of SOPS
  • Remove platform app forms in favor of generated values that can be customized in an editor
  • Migrate to ambient mesh using eBPF

Removed features by release



Otomi will stop delivering Drone as a platform app. The Tekton app is introduced in Otomi v2.0 as a replacement. There is no migration procedure, Drone is used primarely as an Otomi deployment pipeline. However if you used it as for custom pipeline then you may need to migrate them Tekton.


This app will not be deleted if it is already deployed.

Hashicorp Vault

Otomi will stop delivering the Hashicorp Vault as a platform app. The SealedSecrets app is introduced in Otomi v2.7 as a replacement. The procedure to migrate from Hashicorp Vault to SealedSecrets is as follows:


This app will not be deleted if it is already deployed. The external-secrets app is still going to be part of Otomi

Migrating Secrets from Hashicorp Vault to SealedSecrets

Otomi Console offers a feature to migrate secrets from Hashicorp Vault to SealedSecrets. Follow the steps below:

  1. Ensure the SealedSecrets app is enabled and deployed in the cluster via the Otomi Console apps page.
  2. Navigate to the Maintenance page in the Otomi Console.
  3. Click the Migrate HashiCorp Vault Secrets to Sealed Secrets button in the Migrations section.
  4. Wait for the migration to complete. The duration depends on the number of secrets in the cluster.
  5. Upon completion, an information modal will display the count of migrated secrets.
  6. The migrated secrets (Sealed Secrets) will be accessible in a few minutes.
  7. Use the SealedSecrets page to manage your secrets.

Otomi cannot overwrite existing secrets due to immutable fields. It will recreate the secrets with the same name using SealedSecrets after removing them from the cluster. This makes the secrets temporarily unavailable during the migration.


The migration process doesn't delete secrets from Hashicorp Vault. You can delete them from Hashicorp Vault manually after the migration is completed.

OPA Gatekeeper

Otomi will stop delivering the OPA Gatekeeper as a platform app. The Kyverno app is going to be introduced as a replacement. There is no migration procedure, as the basic policies are already covered. However if you used your custom policies then you may need to migrated them on your own.


This app will not be deleted if it is already deployed.

Otomi shortcuts

Due to lack of interest in this feature, we decided to remove it from Otomi.


The shortcuts will be automatically removed from the values repo.