Patch release covering two infra-level fixes surfaced during the v0.28.x rollout.
Highlights
- Rate limiter recognises listener cert auth — listeners authenticate via `X-Terrapod-Client-Cert`, not `Authorization: Bearer`. The middleware only checked the `Authorization` header, so listener traffic fell into the unauthenticated 100/min bucket per client IP. All listeners across the fleet sharing an ingress-controller pod IP got starved within seconds of any chart rollout, deadlocking on 429s. Fix: cert header presence bumps the tier the same way `Authorization` does — listeners now use `authenticated_requests_per_minute` (1000/min default).
- Playwright E2E CI — replaces the host-side `npx playwright install` step (which repeatedly wedged at the post-download extract phase on the Azure-backed runner disk) with `docker run mcr.microsoft.com/playwright:v1.58.2-noble`. The container ships Chromium + deps pre-installed at the image layer; no extract at job time. Total step time ~75 s vs prior 5-minute-or-timeout. Image tag MUST track `e2e/package-lock.json`'s `@playwright/test` pin.
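The rate-limiter starvation described in the first highlight can be reproduced with a small model. This is an added example, not Terrapod's middleware: the function names, the fixed-window counter, the per-IP keying of both tiers and the sample address are assumptions; only the header names and the 100/1000 limits come from the notes above.

```python
from collections import defaultdict

# Limits from the release notes: 100/min unauthenticated, 1000/min authenticated default.
UNAUTH_PER_MIN = 100
AUTH_PER_MIN = 1000

def tier_before(headers):
    """Pre-fix behaviour: only the Authorization header selects the higher tier."""
    return "auth" if "authorization" in headers else "unauth"

def tier_after(headers):
    """Post-fix behaviour: the listener cert header selects it as well.
    Presence only picks the bucket; it is not an authentication decision."""
    if "authorization" in headers or "x-terrapod-client-cert" in headers:
        return "auth"
    return "unauth"

class FixedWindowLimiter:
    """Hypothetical one-minute fixed-window counter keyed by (tier, client IP)."""

    def __init__(self, pick_tier):
        self.pick_tier = pick_tier
        self.counts = defaultdict(int)

    def allow(self, client_ip, headers, minute=0):
        headers = {k.lower(): v for k, v in headers.items()}
        tier = self.pick_tier(headers)
        limit = AUTH_PER_MIN if tier == "auth" else UNAUTH_PER_MIN
        key = (tier, client_ip, minute)
        self.counts[key] += 1
        return self.counts[key] <= limit  # False corresponds to an HTTP 429

def simulate(pick_tier, listeners=20, polls_each=10):
    """Constructed scenario: listeners behind one ingress pod IP poll in the same minute."""
    limiter = FixedWindowLimiter(pick_tier)
    ingress_ip = "10.0.0.7"  # constructed sample address shared by every listener
    rejected = 0
    for n in range(listeners):
        hdrs = {"X-Terrapod-Client-Cert": f"constructed-cert-{n}"}
        for _ in range(polls_each):
            if not limiter.allow(ingress_ip, hdrs):
                rejected += 1
    return rejected

if __name__ == "__main__":
    print("429s before fix:", simulate(tier_before))
    print("429s after fix: ", simulate(tier_after))
```

Because header presence alone selects the bucket, a deployment relying on this should make sure only the trusted proxy can set that header.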
Status
Beta — both fixes are additive and backwards-compatible. Existing rate-limit configs continue to apply; the Playwright image tag is pinned and only used in the E2E job.
Full Changelog: v0.28.1...v0.28.2