March & April 2026 | Changelog
Faster UI for large teams
Resources are now fetched on-demand and paginated rather than loading everything at startup. Projects, services, addons, jobs, secret groups, volumes, and domains all use localised subscriptions. Teams with large numbers of resources will see significantly faster load times and lower memory usage across the dashboard. Table pagination controls now show a loading indicator during fetches.
Cross-project build services
Build services can now be referenced from any project within the same team. A new Cross-Project Access setting on each build service controls which projects can use it. Services and jobs can trigger builds from a build service in a different project, and the UI includes a cross-project build selector. The format <project-id>/<build-service-id> is fully backwards-compatible with existing configurations.
Templates & Pipelines
Template teardown. Templates now support an attached teardown spec, a companion template that runs when the environment is destroyed. It integrates with the full node editor and schema validation, and surfaces its own run history with backlinks to the originating run.
Introducing Preview Blueprint teardown:
- Teardowns now run when a preview environment is deleted, before any resources are removed
- Teardowns correctly clean up partially-created environments, node results are stored incrementally as the run progresses
- Teardown runs no longer run concurrently with regular runs on the same environment
- Argument overrides can be submitted for preview environment teardowns
- An escape hatch allows skipping teardown when manual intervention has already cleaned up resources
Import Backup template node. A new node for importing an addon backup is available in the template editor.
Create build service in template context. Templates can now create a build service as part of the flow, automatically inserting it before any dependent start-build nodes.
File injection into OpenTofu runs. Secret files are now injected into OpenTofu runs avoiding logging environment variables
VCS trigger: PR label rule enable checkbox. PR label trigger rules now have an enable/disable checkbox, consistent with other trigger rule types.
External addon environment tracking. External addons created inside preview environment blueprints now carry the environment ID, enabling correct cleanup on teardown.
Delete external addons with environments. External addons can now be deleted as part of environment teardown.
Template editor UX improvements. Template nodes can now be added to a workflow via a new ‘add node’ menu, as an alternative to drag-and-drop. Performance has also been improved when viewing large template runs.
Fixed: template concat wrapping arguments in an array. The concat function was incorrectly nesting its arguments, breaking string concatenation expressions.
Fixed: nested workflows and blueprints not resolving project ID refs.
Fixed: global secret references in nested templates. The ref resolver was incorrectly replacing child template refs when they shared the same name as parent refs.
Fixed: only deployment services and jobs appear as targets in release workflow nodes. Combined/build services and combined jobs were incorrectly appearing in the target selector.
Preview runs remain visible after environment deletion.
External Addons
Permission check before creation. Northflank now verifies upfront that the selected provider integration has the required IAM permissions and shows a summary table before the run starts.
Aurora RDS support. The external addon form shows the correct configuration fields when an Aurora engine is selected for RDS addons.
VPC/Subnet selection for RDS. RDS addons can now specify which VPC and subnet to deploy into, rather than defaulting to the account's default VPC.
Advanced config mode. A toggle exposes the full addon spec in a code editor for direct editing.
Bring your own Addon (BYOA)
Improved irrecoverable error handling. All Helm errors now transition the addon into an error state and surface details, rather than silently failing.
OpenTofu
OpenTofu destroy node. A new teardown node type runs tofu destroy against resources provisioned by a corresponding OpenTofu node in the same template.
Akamai OpenTofu provider. Akamai is now available as an OpenTofu provider.
BYOC
Sandbox security: simplified setup. MicroVMs (kata) and gVisor can now be enabled with a single checkbox in the cluster creation form. Secure runtime options can also be enabled on existing clusters post-creation without recreating them, the controller handles installing the required components.
gVisor on ARM. Northflank with gVisor is now also supported on ARM-based node pools.
Networking settings in the UI. A new Networking section in BYOC cluster Advanced Options allows configuring the overlay network and CIDR from the UI.
Overlay network for AWS. BYOC clusters on AWS now support configuring an overlay network with a custom CIDR.
ARM on Oracle. Added support for ARM compute shapes on Oracle BYOC clusters.
AWS networking validation. Pre-flight checks now more reliably detect incompatible AWS subnets before a cluster is created, reducing failed cluster creations caused by networking misconfigurations.
BYOC node filtering. The BYOC node list can now be filtered.
Cluster observe dashboard updates. The cluster observe node list and metrics overlays have been updated with improved responsive layout.
Cluster error UI. Errored clusters now show a clear error message with a support link. GCP provisioning errors (quota exceeded, stockout, constraint violations) surface as structured, readable messages.
Compute & Deployments
Addon replica scale-down. Addon replicas can now be scaled down without destroying and recreating the addon.
Faster pod startup. For PaaS and BYOC clusters running with Northflank microVM secure runtime, the init container is no longer used by default.
Faster build startup. Build pods now set fsGroupChangePolicy: OnRootMismatch, skipping unnecessary recursive chown on volumes when ownership already matches.
Headless service performance. The headless services now reduce network load on the service mesh under high spawn and churn rates.
Ephemeral storage field restored on jobs. The field had been inadvertently removed from the jobs resource form.
Fixed: support for BYOC node pools to scale down and up from zero.
Fixed: release-variant immutability error after platform rollback.
Networking
Egress IP and Load Balancer audit logs. Audit log tabs are now available on both Load Balancer and Egress IP detail pages.
Fixed: ports/network update not reflecting status change. Service status was not being updated when load balancing config, domains, or network-only deployments were changed.
Egress IP and Load Balancer no longer expose internal error details in API responses or the UI.
Observability & Metrics
Probes and restart charts. New charts show average probe latency and reason-for-restart breakdowns on service detail pages.
Addon charts on backup/restore page. Addon metrics are now available from the backup/restore view.
Additional instance events. Instance events lists now include Northflank resource creation timestamps and when the workload executes the start command. This is helpful to see how long an AI sandbox takes to start up.
Fixed: deployment metrics not loading when switching from live-tailing to a fixed time range.
Fixed: job run metrics timeframe bugs.
Log queries: pod start/end fallback. Log queries now fall back to pod start/end times when no explicit range is set.
Permissions & RBAC
New API token UI. Team-scoped and organisation-scoped API tokens have new dedicated management UIs. The token detail page now shows permissions pulled from the associated role, with a direct link to that role.
Revoked token deletion. Revoked API tokens can now be explicitly deleted.
Role data in audit logs. Role changes are now correctly attributed and visible in the audit log.
Developer Experience
Uppercase letters in OpenTofu object names. Resource and output names in OpenTofu nodes now accept uppercase characters.
Secret file size limit increased to 3,500 KiB.
API request body limit increased to 10 MB.
Team-scoped endpoint for project secrets.
Tooltip on truncated resource names. Services, jobs, and volumes now show a tooltip when names are truncated in table views.
OpenTofu version fix. Pinned away from version 4.55 which has a known bug reading existing state.
VCS sync state in UI. Repository selectors and other version control elements in the UI now display real-time status when syncing with external providers.
Addons
Latest patch-level versions. Addon creation and upgrade flows now surface the latest available patch-level version per addon type.
Redis: configurable disabled commands. Disabled commands can now be configured per Redis addon instance.
Exec / Terminal
Multiple reliability improvements to the container exec protocol v2. Command parsing and frame handling are now consistent between exec v1 and the exec proxy; TTY command spawning has been reworked; and EOF handling and stdin drain-before-exit behaviour have been fixed.
Fixes
- Bitbucket repository listing — fixed repository listings sometimes being incomplete
- Release webhook triggers — fixed multiple typos that had likely prevented triggers from ever firing
- AWS S3 log sink — increased retry count to prevent pauses on transient failures
- Build cache invalidation — Ceph clone-chain depth and auto-invalidate at a configurable limit for affected BYOC clusters
- Build progress: unnamed stages — multi-stage Dockerfiles with unnamed stages no longer show as having incomplete steps
- Backups table — now defaults to newest-first sort order
- Backup schedule retention time — custom values can now be entered, not just preset options
- Shell copy/paste — fixed a double-paste bug and cleaned up hints in the web terminal
- Permissions group titles and icons — several entries were missing icons or had inconsistent casing