From 731d418bb8f27b6e048eb54b70f5984628e58f3a Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Mon, 16 Mar 2026 19:11:41 +0100
Subject: [PATCH 01/48] docs: Add skeleton 26.3.0 release notes

---
 modules/ROOT/pages/release-notes.adoc                 | 2 ++
 modules/ROOT/partials/release-notes/release-26.3.adoc | 6 ++++++
 2 files changed, 8 insertions(+)
 create mode 100644 modules/ROOT/partials/release-notes/release-26.3.adoc

diff --git a/modules/ROOT/pages/release-notes.adoc b/modules/ROOT/pages/release-notes.adoc
index 5f89b55d1..e320758f5 100644
--- a/modules/ROOT/pages/release-notes.adoc
+++ b/modules/ROOT/pages/release-notes.adoc
@@ -7,6 +7,8 @@ The Stackable Data Platform consists of multiple operators that work together.
 Periodically a platform release is made, including all components of the platform at a specific version.
 
 // WARNING: Please keep the empty newlines, otherwise headings are broken.
+include::partial$release-notes/release-26.3.adoc[]
+
 include::partial$release-notes/release-25.11.adoc[]
 
 include::partial$release-notes/release-25.7.adoc[]
diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
new file mode 100644
index 000000000..48dcf9b5d
--- /dev/null
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -0,0 +1,6 @@
+== Release 26.3
+
+=== 26.3.0
+
+Released on 2026-03-16.
+(Optional description / introduction)

From 9e95d08aeb761b412d87e8a8bfea0928137e3846 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Mon, 16 Mar 2026 19:12:15 +0100
Subject: [PATCH 02/48] chore: Add summary of breaking changes section to
 release notes template

---
 modules/ROOT/partials/release-notes/release-template.adoc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-template.adoc b/modules/ROOT/partials/release-notes/release-template.adoc
index f852d7870..9919fa8f9 100644
--- a/modules/ROOT/partials/release-notes/release-template.adoc
+++ b/modules/ROOT/partials/release-notes/release-template.adoc
@@ -15,6 +15,14 @@ Released on YYYY-MM-DD.
 * Highlight 3
 ====
 
+[WARNING,caption=Overview of breaking changes]
+====
+The following components of the SDP contain breaking changes for this release:
+
+* Breaking change 1
+* Breaking change 2
+====
+
 ==== New platform features
 
 All subsections must follow this order:

From fe027c7dc95635ba37d693531a52b1324e61f0c6 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 12:07:33 +0100
Subject: [PATCH 03/48] docs: Add supported Kubernetes and OpenShift versions

---
 .../partials/release-notes/release-26.3.adoc  | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 48dcf9b5d..8849519d7 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -4,3 +4,33 @@
 
 Released on 2026-03-16.
 (Optional description / introduction)
+
+==== Supported versions
+
+===== Kubernetes versions
+
+This release supports the following Kubernetes versions:
+
+* `1.35`
+* `1.34`
+* `1.33`
+* `1.32`
+* `1.31`
+
+These Kubernetes versions are no longer supported:
+
+* `1.30`
+* `1.29`
+
+===== OpenShift versions
+
+This release is available in the RedHat Certified Operator Catalog for the following OpenShift versions:
+
+* `4.20`
+* `4.19`
+* `4.18`
+
+These OpenShift versions are no longer supported:
+
+* `4.17`
+* `4.16`

From 6ebb37e5210b0d76fc9e08c48cfd79b8bea9481f Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 12:08:36 +0100
Subject: [PATCH 04/48] docs: Add MaxUnavailableStatefulSet known issue for K8s
 1.35

---
 .../ROOT/partials/release-notes/release-26.3.adoc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 8849519d7..81501ccae 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -9,6 +9,12 @@ Released on 2026-03-16.
 
 ===== Kubernetes versions
 
+[WARNING]
+====
+There currently is one known issue when running on Kubernetes 1.35.
+See the link:#known-issues-26_3_0[known issues] section below for more details.
+====
+
 This release supports the following Kubernetes versions:
 
 * `1.35`
@@ -34,3 +40,12 @@ These OpenShift versions are no longer supported:
 
 * `4.17`
 * `4.16`
+
+[#known-issues-26_3_0]
+==== Known issues
+
+* There is a https://github.com/kubernetes/kubernetes/issues/137409[known issue] with the feature gate https://github.com/kubernetes/kubernetes/pull/133153[MaxUnavailableStatefulSet] that is enabled by default as a beta feature in Kubernetes 1.35.
+  This issue affects all SDP operators, especially the Trino operator. +
+  To work around the issue there are two possibilities:
+  . Disable this feature gate in your Kubenetes 1.35 clusters.
+  . Ensure that your dev-ops pipelines create product custom resources (e.g. TrinoCluster, SparkApplication, etc.) last, after any referenced custom resources such as TrinoCatalog, S3Connection and so on.

From d824ef61c8667bf999ab07514012b59b2a4716ea Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:21:36 +0100
Subject: [PATCH 05/48] docs: Add product versions section

---
 .../partials/release-notes/release-26.3.adoc  | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 81501ccae..c23718296 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -7,6 +7,67 @@ Released on 2026-03-16.
 
 ==== Supported versions
 
+===== Product versions
+
+As with previous SDP releases, many product images have been updated to their latest versions.
+Refer to the xref:operators:supported_versions.adoc[supported versions] documentation for a complete overview including LTS versions or deprecations.
+
+====== New versions
+
+The following new product versions are now supported:
+
+* Apache Airflow: https://github.com/stackabletech/docker-images/issues/1416[3.1.6]
+* Apache Druid: https://github.com/stackabletech/docker-images/issues/1371[35.0.1]
+* Apache HBase: https://github.com/stackabletech/docker-images/issues/1372[2.6.4 (LTS)]
+* Apache Hive: https://github.com/stackabletech/docker-images/issues/1375[4.2.0]
+* Apache Kafka: https://github.com/stackabletech/docker-images/issues/1376[4.1.1 (experimental)]
+** Note that Kafka 3.9.1 is the last version that supports Apache ZooKeeper as the metadata manager.
+* Apache NiFi: https://github.com/stackabletech/docker-images/issues/1377[2.7.2]
+** Note that this version supports Iceberg, but only with S3 and the Iceberg REST catalog.
+   Hive metastore or HDFS are not supported.
+   Read the https://docs.stackable.tech/home/nightly/nifi/usage_guide/writing-to-iceberg-tables/[official NiFi Iceberg documentation] for details.
+* Apache Spark: https://github.com/stackabletech/docker-images/issues/1381[3.5.8 (LTS)], https://github.com/stackabletech/docker-images/issues/1381[4.1.1]
+** Note that there are no Apache Iceberg and Delta runtime libraries available for 4.1.1 yet.
+* Apache Superset: https://github.com/stackabletech/docker-images/issues/1382[6.0.0]
+** OpenStreetView has been promoted as the new default for the Deck.gl visualization which doesn't require an API key.
+** `AUTH_OID` will not longer be automatically imported in the superset_config.py, and is no longer available from Superset 6.0.0.
+   If you are using Superset < 6.0.0 and still require `AUTH_OID`, you can manually import it by following the xref:superset:usage-guide/configuration-environment-overrides.adoc#_configuration_properties[documented instructions].
+** Also consult the https://github.com/apache/superset/blob/6.0.0/UPDATING.md[official update notes].
+* Open Policy Agent: https://github.com/stackabletech/docker-images/issues/1378[1.12.3]
+* OpenSearch: https://github.com/stackabletech/docker-images/issues/1379[3.4.0]
+* Trino: https://github.com/stackabletech/docker-images/issues/1383[479]
+** The storage-connector is based on Trino 477 because there was no later release.
+* Vector: https://github.com/stackabletech/docker-images/issues/1369[0.52.0]
+
+====== Deprecated versions
+
+The following product versions are deprecated and will be removed in a later release:
+
+* Apache Druid: https://github.com/stackabletech/docker-images/issues/1371[34.0.0]
+* Apache HBase: https://github.com/stackabletech/docker-images/issues/1372[2.6.3]
+* Apache Hive: https://github.com/stackabletech/docker-images/issues/1375[4.1.0]
+* Apache Spark: https://github.com/stackabletech/docker-images/issues/1381[3.5.7], https://github.com/stackabletech/docker-images/issues/1381[4.0.1]
+* Open Policy Agent: https://github.com/stackabletech/docker-images/issues/1378[1.8.0]
+
+====== Removed versions
+
+The following product versions are no longer supported.
+These images for released product versions remain available https://oci.stackable.tech/[here,window=_blank].
+Information on how to browse the registry can be found xref:contributor:project-overview.adoc#docker-images[here,window=_blank].
+
+* Apache Airflow: https://github.com/stackabletech/docker-images/issues/1370[2.10.5], https://github.com/stackabletech/docker-images/issues/1370[3.0.1]
+* Apache Druid: https://github.com/stackabletech/docker-images/issues/1371[33.0.0]
+* Apache HBase: https://github.com/stackabletech/docker-images/issues/1372[2.6.2]
+* Apache Hadoop: https://github.com/stackabletech/docker-images/issues/1374[3.4.1]
+* Apache Kafka: https://github.com/stackabletech/docker-images/issues/1376[3.7.2], https://github.com/stackabletech/docker-images/issues/1376[4.1.0]
+* Apache NiFi: https://github.com/stackabletech/docker-images/issues/1377[1.27.0], https://github.com/stackabletech/docker-images/issues/1377[2.4.0]
+* Apache Spark: https://github.com/stackabletech/docker-images/issues/1381[3.5.6]
+* Apache Superset: https://github.com/stackabletech/docker-images/issues/1382[4.0.2], https://github.com/stackabletech/docker-images/issues/1382[4.1.2]
+* Apache ZooKeeper: https://github.com/stackabletech/docker-images/issues/1384[3.9.3]
+* Open Policy Agent: https://github.com/stackabletech/docker-images/issues/1378[1.4.2]
+* Trino: https://github.com/stackabletech/docker-images/issues/1383[451], https://github.com/stackabletech/docker-images/issues/1383[476]
+* Vector: https://github.com/stackabletech/docker-images/issues/1369[0.49.0]
+
 ===== Kubernetes versions
 
 [WARNING]

From 4155961550f59c13aae96d134ab91227be043c5c Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:22:03 +0100
Subject: [PATCH 06/48] docs: Add and simplify upgrade section

---
 .../partials/release-notes/release-26.3.adoc  | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index c23718296..62b9f8c4c 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -102,6 +102,78 @@ These OpenShift versions are no longer supported:
 * `4.17`
 * `4.16`
 
+==== Upgrade from 25.11
+
+[TIP]
+====
+Please consult the following upgrade notes when upgrading from 25.11 to 26.3:
+
+* xref:opensearch:usage-guide/upgrade.adoc[OpenSearch upgrade guide]
+====
+
+===== Using stackablectl
+
+====== Upgrade with a single command
+
+Starting with stackablectl Release 1.0.0 the multiple consecutive commands described below can be shortened to just one command, which executes exactly those steps on its own.
+
+[source,console]
+----
+$ stackablectl release upgrade 26.3
+----
+
+====== Upgrade with multiple consecutive commands
+
+Uninstall the `25.11` release
+
+[source,console]
+----
+$ stackablectl release uninstall 25.11
+
+Uninstalled release '25.11'
+
+Use "stackablectl release list" to list available releases.
+# ...
+----
+
+Install the `26.3` release
+
+[source,console]
+----
+$ stackablectl release install 26.3
+
+Installed release '26.3'
+
+Use "stackablectl operator installed" to list installed operators.
+----
+
+===== Using Helm
+
+Use `helm list` to list the currently installed operators.
+
+You can use the following command to uninstall all operators that are part of the `25.11` release:
+
+[source,console]
+----
+$ helm uninstall airflow-operator <PRODUCT>-operator ...
+release "airflow-operator" uninstalled
+release "<PRODUCT>-operator" uninstalled
+...
+----
+
+Install the `26.3` release
+
+[NOTE]
+====
+`helm repo` subcommands are not supported for OCI registries.
+The operators are installed directly, without adding the Helm Chart repository first.
+====
+
+[source,console]
+----
+helm install --wait <PRODUCT>-operator oci://oci.stackable.tech/sdp-charts/<PRODUCT>-operator --version 26.3.0
+----
+
 [#known-issues-26_3_0]
 ==== Known issues
 

From 28fcd59c7b6c6cc0c73cd66f63a0a8f3774a2a18 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:22:57 +0100
Subject: [PATCH 07/48] docs: Add new miscellaneous platform features

---
 .../partials/release-notes/release-26.3.adoc    | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 62b9f8c4c..89efa5806 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -5,6 +5,23 @@
 Released on 2026-03-16.
 (Optional description / introduction)
 
+==== New platform features
+
+===== General
+
+====== Miscellaneous
+
+* In 26.3.0 we added new demo that shows Retrieval Augmented Generation (RAG) with OpenSearch as the vector store.
+  Consult the xref:demos:opensearch-rag.adoc[demo documentation page] for more details.
+  See https://github.com/stackabletech/demos/pull/354[demos#354].
+* All remaining operators now maintain their own CRD(s) instead of relying on Helm as a deployment mechanism.
+  Additionally, the conversion webhook is now running alongside the controller for future CRD versioning.
+  Tracked in https://github.com/stackabletech/issues/issues/808[issues#808].
+* This release supports `objectOverrides`, a list of generic Kubernetes objects, which are merged into the objects created by the operator (e.g. StatefulSets, Listeners or ConfigMaps).
+  The priority of the overrides (in ascending order) is `configOverrides` -> `podOverrides` -> `objectOverrides`, with the latter overriding the previous.
+  See the xref:concepts:overrides.adoc#object-overrides[concepts page] for more details.
+  Tracked in https://github.com/stackabletech/issues/issues/712[issues#712].
+
 ==== Supported versions
 
 ===== Product versions

From c74399167ffd03094345c99c870eb392275daf8e Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:23:42 +0100
Subject: [PATCH 08/48] docs: Add new Airflow features

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 89efa5806..8c568776c 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -22,6 +22,14 @@ Released on 2026-03-16.
   See the xref:concepts:overrides.adoc#object-overrides[concepts page] for more details.
   Tracked in https://github.com/stackabletech/issues/issues/712[issues#712].
 
+===== Apache Airflow
+
+Airflow can now use gitsync to authenticate against a repository using SSH keys as well as basic auth, which was previously the only option.
+The Airflow operator also now has the ability to convert certain changes between CRD versions: in the case of this change, the operator can automatically convert the field `credentialsSecret` to `credentials: basicAuthSecretName` so that this change is non-breaking.
+It should be noted that conversions in the opposite direction - from v1alpha2 to v1alpha1 - are not possible if the v1alpha2 resource definition refers to the new field.
+See the xref:airflow:usage-guide/mounting-dags.adoc#_via_git_sync[DAG mounting usage guide] for more details.
+Implemented in https://github.com/stackabletech/airflow-operator/issues/382[airflow-operator#382].
+
 ==== Supported versions
 
 ===== Product versions

From 33437db354302e5d75251f1e1025d7cfc7110e58 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:23:58 +0100
Subject: [PATCH 09/48] docs: Add new Hive features

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 8c568776c..146656527 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -30,6 +30,13 @@ It should be noted that conversions in the opposite direction - from v1alpha2 to
 See the xref:airflow:usage-guide/mounting-dags.adoc#_via_git_sync[DAG mounting usage guide] for more details.
 Implemented in https://github.com/stackabletech/airflow-operator/issues/382[airflow-operator#382].
 
+===== Apache Hive
+
+The Stackable operator for Apache Hive now supports delegating authorization requests to the Open Policy Agent (OPA) using a custom https://github.com/boschglobal/hive-metastore-opa-authorizer[hive-metastore-opa-authorizer] plugin.
+See the xref:hive:usage-guide/security.adoc#_open_policy_agent_opa[usage guide] for more information.
+Implemented in https://github.com/stackabletech/hive-operator/issues/388[hive-operator#388].
+
+
 ==== Supported versions
 
 ===== Product versions

From 8e7b23220c9094ad5639feb26864edccf732ebba Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:24:13 +0100
Subject: [PATCH 10/48] docs: Add new Kafka features

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 146656527..842f39e93 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -36,6 +36,12 @@ The Stackable operator for Apache Hive now supports delegating authorization req
 See the xref:hive:usage-guide/security.adoc#_open_policy_agent_opa[usage guide] for more information.
 Implemented in https://github.com/stackabletech/hive-operator/issues/388[hive-operator#388].
 
+===== Apache Kafka
+
+Users of the Stackable operator for Apache Kafka can now migrate existing 3.9.1 clusters from Apache ZooKeeper to the built in Kraft metadata manager.
+xref:kafka:usage-guide/kraft-controller.adoc#_kraft_migration_guide[This guide] describes the necessary steps to perform the migration.
+Implemented in https://github.com/stackabletech/kafka-operator/pull/923[kafka-operator#923].
+
 
 ==== Supported versions
 

From e43b2545e7c126fa7abd1967571d525ad0dea689 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:24:29 +0100
Subject: [PATCH 11/48] docs: Add new Spark features

---
 .../partials/release-notes/release-26.3.adoc  | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 842f39e93..54d5afe00 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -42,6 +42,25 @@ Users of the Stackable operator for Apache Kafka can now migrate existing 3.9.1
 xref:kafka:usage-guide/kraft-controller.adoc#_kraft_migration_guide[This guide] describes the necessary steps to perform the migration.
 Implemented in https://github.com/stackabletech/kafka-operator/pull/923[kafka-operator#923].
 
+===== Apache Spark
+
+* Starting with this release, Spark applications will not be resubmitted automatically in case of failure.
+  Users can restore the previous behavior by setting the new `spec.job.retryOnFailureCount` property to a non negative value. +
+  In addition, small improvements have been made to clean up resources created by Spark applications.
+** application driver pods are now deleted as soon as they reach a terminal state.
+** application executor pods are now deleted as soon as possible in case of driver or submit failure.
+
++
+Implemented in https://github.com/stackabletech/spark-k8s-operator/pull/647[spark-k8s-operator#647].
+* This release adds first class support for S3 buckets and connections to Spark Connect servers.
+  Users can give clients access to all S3 buckets or a selected list.
+  For more details, see the xref:spark-k8s:usage-guide/spark-connect.adoc[Spark Connect usage guide].
+  Implemented in https://github.com/stackabletech/spark-k8s-operator/pull/652[spark-k8s-operator#652].
+* This release introduces Spark Application Templates.
+  These allow application authors to group frequently used application configuration in a central place that is referenced from application objects.
+  For more details on this new operator feature see the xref:spark-k8s:usage-guide/app_templates.adoc[template usage guide].
+  Implemented in https://github.com/stackabletech/spark-k8s-operator/pull/660[spark-k8s-operator#660].
+
 
 ==== Supported versions
 

From 21bef500ac407ce0aaba9de225d692306afdbb2a Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:24:44 +0100
Subject: [PATCH 12/48] docs: Add new OPA features

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 54d5afe00..bda1290fd 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -61,6 +61,16 @@ Implemented in https://github.com/stackabletech/spark-k8s-operator/pull/647[spar
   For more details on this new operator feature see the xref:spark-k8s:usage-guide/app_templates.adoc[template usage guide].
   Implemented in https://github.com/stackabletech/spark-k8s-operator/pull/660[spark-k8s-operator#660].
 
+===== Open Policy Agent
+
+* The User Info Fetcher (UIF) now has experimental support for OpenLDAP as a backend.
+  See the xref:opa:usage-guide/user-info-fetcher.adoc#backend-openldap[documentation] of the UIF for details on how to configure it.
+  Implemented in https://github.com/stackabletech/opa-operator/issues/523[opa-operator#523].
+* The OPA operator now supports overriding command-line arguments passed to the OPA binary via the cliOverrides property in the CRD.
+  This allows you to customize OPA's behavior by passing additional or overriding existing command-line flags.
+  See the xref:opa:usage-guide/configuration-environment-overrides.adoc#_cli_overrides[OPA operator documentation] for further details and examples.
+  Implemented in https://github.com/stackabletech/opa-operator/issues/781[opa-operator#781].
+
 
 ==== Supported versions
 

From 01cf608f23048ed1629e3bed0a02eaba2e8b5c81 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:25:00 +0100
Subject: [PATCH 13/48] docs: Add new OpenSearch features

---
 .../partials/release-notes/release-26.3.adoc  | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index bda1290fd..818f3f6ec 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -71,6 +71,30 @@ Implemented in https://github.com/stackabletech/spark-k8s-operator/pull/647[spar
   See the xref:opa:usage-guide/configuration-environment-overrides.adoc#_cli_overrides[OPA operator documentation] for further details and examples.
   Implemented in https://github.com/stackabletech/opa-operator/issues/781[opa-operator#781].
 
+===== OpenSearch
+
+* The operator now supports the configuration of TLS for the server (optional) and internal communication (mandatory) using SecretClasses.
+  See the xref:opensearch:usage-guide/security.adoc#_tls[OpenSearch security usage guide] for more details.
+* The operator now supports adding secrets to the OpenSearch keystore, e.g. S3 credentials for creating and restoring backups.
+  See the xref:opensearch:usage-guide/keystore.adoc[keystore usage guide] for more details.
+  Implemented in https://github.com/stackabletech/opensearch-operator/pull/76[opensearch-operator#76].
+* A new service discovery mechanism has been introduced, enabling OpenSearch clients to be easily configured.
+  Users can specify whether a role group should be exposed and choose the corresponding ListenerClass.
+  The connection parameters for accessing the OpenSearch cluster are provided in a discovery ConfigMap.
+  Detailed information can be found at the xref:opensearch:reference/discovery.adoc[OpenSearch discovery documentation page].
+  See https://github.com/stackabletech/opensearch-operator/issues/52[opensearch-operator#52].
+* The OpenSearch security plugin is now configurable within the OpenSearchCluster specification.
+  Users can choose for each configuration file whether to initialize it solely with the provided values and manage it through the API or to allow the operator to take over management.
++
+--
+[IMPORTANT]
+====
+It is essential to remove both `podOverrides` and `configOverrides` related to security settings, such as `plugins.security.allow_default_init_securityindex`.
+====
+
+See https://github.com/stackabletech/opensearch-operator/issues/43[opensearch-operator#43].
+--
+
 
 ==== Supported versions
 

From 25dfff3b662cd946fc529352b496724fb852880d Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:25:20 +0100
Subject: [PATCH 14/48] docs: Add new listener-operator features

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 818f3f6ec..070c82b0f 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -95,6 +95,15 @@ It is essential to remove both `podOverrides` and `configOverrides` related to s
 See https://github.com/stackabletech/opensearch-operator/issues/43[opensearch-operator#43].
 --
 
+===== Stackable listener-operator
+
+* The listener-operator now supports configuring `serviceOverrides` on ListenerClasses similar to `podOverrides` on stacklets.
+  This enables users to make arbitrary modifications to the created Services.
+  Implemented in https://github.com/stackabletech/listener-operator/pull/365[listener-operator#365].
+* The listener-operator now deploys the selected ListenerClass preset on its own instead of relying on Helm.
+  This is done to ensure the ListenerClasses are created after the operator deployed its own CRD.
+  Implemented in https://github.com/stackabletech/listener-operator/pull/369[listener-operator#369].
+
 
 ==== Supported versions
 

From f6eb13c1444d2c5a6fc89ac0153138f6f0479c31 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:25:40 +0100
Subject: [PATCH 15/48] docs: Add new secret-operator features

---
 .../ROOT/partials/release-notes/release-26.3.adoc  | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 070c82b0f..6021eadba 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -104,6 +104,20 @@ See https://github.com/stackabletech/opensearch-operator/issues/43[opensearch-op
   This is done to ensure the ListenerClasses are created after the operator deployed its own CRD.
   Implemented in https://github.com/stackabletech/listener-operator/pull/369[listener-operator#369].
 
+===== Stackable secret-operator
+
+The secret-operator now supports the new `secrets.stackable.tech/provision-parts` annotation on the secret volume.
+This annotation allows configuring which parts of the secret material should be provisioned.
+Using this annotation enables the following use-cases:
+
+* Use the `autoTls` backend, but only provision the `ca.crt`/`truststore.p12` for the consumer.
+* Use the `kerberosKeytab` backend, but only provision the `krb5.conf` for the consumer.
+* Use the `k8sSearch` backend to select Secrets which contain public data only and support parsing the partial set of files.
+  Using this annotation disables the strict parsing of files when an explicit format is requested.
+
+See the xref:secret-operator:volume.adoc#_secrets_stackable_techprovision_parts[volume documentation page] for more details.
+Implemented in https://github.com/stackabletech/secret-operator/pull/676[secret-operator#676].
+
 
 ==== Supported versions
 

From a6136bd5d1a4ea1f138bc91f79db7d90d425c7cc Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:26:32 +0100
Subject: [PATCH 16/48] docs: Add miscellaneous platform improvements

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 6021eadba..9496cf79b 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -118,6 +118,17 @@ Using this annotation enables the following use-cases:
 See the xref:secret-operator:volume.adoc#_secrets_stackable_techprovision_parts[volume documentation page] for more details.
 Implemented in https://github.com/stackabletech/secret-operator/pull/676[secret-operator#676].
 
+==== Platform improvements
+
+===== General
+
+====== Miscellaneous
+
+* All operator images have been updated from UBI9 to UBI10 base images.
+  See https://github.com/stackabletech/docker-images/issues/1349[docker-images#1349].
+* All products now have the xref:commons-operator:restarter.adoc[restart-controller] enabled, so that the Pods are automatically restarted on config changes (in ConfigMaps and Secrets).
+  See https://github.com/stackabletech/issues/issues/816[issues#816].
+
 
 ==== Supported versions
 

From 31a798bdd429b0a2480930e666a94b81bf30eda4 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:26:48 +0100
Subject: [PATCH 17/48] docs: Add Airflow improvements

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 9496cf79b..b7623675e 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -129,6 +129,15 @@ Implemented in https://github.com/stackabletech/secret-operator/pull/676[secret-
 * All products now have the xref:commons-operator:restarter.adoc[restart-controller] enabled, so that the Pods are automatically restarted on config changes (in ConfigMaps and Secrets).
   See https://github.com/stackabletech/issues/issues/816[issues#816].
 
+===== Apache Airflow
+
+* Previously, only selected providers were included in the Airflow product images.
+  Now we attempt to include all extra packages that are available for Airflow versions 3+, with an overview and explicit exclusions listed in the product image notes.
+  See https://github.com/stackabletech/docker-images/pull/1336[docker-images#1336].
+* At times, a race condition can arise between DAG parsing and GitSync fetches.
+  We have added a note to the troubleshooting section of the documentation to suggest a workaround for this problem.
+  See https://github.com/stackabletech/airflow-operator/issues/732[airflow-operator#732].
+
 
 ==== Supported versions
 

From 7091149acfe5d0ad8daddd29d25d29accb5e635a Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:27:14 +0100
Subject: [PATCH 18/48] docs: Add HBase improvements

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index b7623675e..d1810bc81 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -138,6 +138,11 @@ Implemented in https://github.com/stackabletech/secret-operator/pull/676[secret-
   We have added a note to the troubleshooting section of the documentation to suggest a workaround for this problem.
   See https://github.com/stackabletech/airflow-operator/issues/732[airflow-operator#732].
 
+===== Apache HBase
+
+The hbase-operator-tools have been bumped to 1.3.0 and https://issues.apache.org/jira/browse/HBASE-29797[HBASE-29797] has been backported for all supported HBase images.
+See https://github.com/stackabletech/docker-images/issues/1417[docker-images#1417].
+
 
 ==== Supported versions
 

From 6aac9dc5b6f370c1a715cd7ea84018e0274e9544 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:27:25 +0100
Subject: [PATCH 19/48] docs: Add Kafka improvements

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index d1810bc81..56a51e5d6 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -143,6 +143,16 @@ Implemented in https://github.com/stackabletech/secret-operator/pull/676[secret-
 The hbase-operator-tools have been bumped to 1.3.0 and https://issues.apache.org/jira/browse/HBASE-29797[HBASE-29797] has been backported for all supported HBase images.
 See https://github.com/stackabletech/docker-images/issues/1417[docker-images#1417].
 
+===== Apache Kafka
+
+Previously, Kafka supported OPA in non-TLS mode.
+Now both TLS and non-TLS modes are supported.
+
+[IMPORTANT]
+====
+It should be noted that this is not yet supported by the Kafka Controller (available in Kafka 4.x).
+====
+
 
 ==== Supported versions
 

From e38732ddc5cf10764c873e36cb397a3f4635e27b Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:27:37 +0100
Subject: [PATCH 20/48] docs: Add NiFi improvements

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 56a51e5d6..7aed34417 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -153,6 +153,13 @@ Now both TLS and non-TLS modes are supported.
 It should be noted that this is not yet supported by the Kafka Controller (available in Kafka 4.x).
 ====
 
+===== Apache NiFi
+
+There are cases where customers may wish to provide static authorization files (users.xml, authorizer.xml, authorizations.xml) instead of fetching the data dynamically (for instance, when collecting user and group data from AD/Entra).
+Statically provided user/group information and rough-granular permissions are honoured automatically (as long as the UUIDs match those available in the backend), but for the initial process group this has to be done by a callback mechanism so that the authorizations can be updated after the flow has been registered.
+The Nifi images have been patched for versions 2.4.0 and 2.6.0 to implement this.
+See https://github.com/stackabletech/nifi-operator/issues/862[nifi-operator#862].
+
 
 ==== Supported versions
 

From d9241f00cdc398f40395566c186bbaff8b48271b Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:27:47 +0100
Subject: [PATCH 21/48] docs: Add Spark improvements

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 7aed34417..5d933dc57 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -160,6 +160,12 @@ Statically provided user/group information and rough-granular permissions are ho
 The Nifi images have been patched for versions 2.4.0 and 2.6.0 to implement this.
 See https://github.com/stackabletech/nifi-operator/issues/862[nifi-operator#862].
 
+===== Apache Spark
+
+Spark application jobs can now have pod/node affinities.
+Previously only the application driver and executors had a dedicated field for this purpose.
+See https://github.com/stackabletech/spark-k8s-operator/issues/639[spark-k8s-operator#639].
+
 
 ==== Supported versions
 

From f37a5c74c8d6c63c1bdd00a0b1e434e189175ece Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:27:56 +0100
Subject: [PATCH 22/48] docs: Add OPA improvements

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 5d933dc57..1cf741a78 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -166,6 +166,12 @@ Spark application jobs can now have pod/node affinities.
 Previously only the application driver and executors had a dedicated field for this purpose.
 See https://github.com/stackabletech/spark-k8s-operator/issues/639[spark-k8s-operator#639].
 
+===== Open Policy Agent
+
+The Entra User Info Fetcher (UIF) backend has been stabilized with the introduction of OpaCluster v1alpha2.
+Conversion between v1alpha1 and v1alpha2 is handled automatically by default.
+Implemented in https://github.com/stackabletech/opa-operator/pull/801[opa-operator#801].
+
 
 ==== Supported versions
 

From 0f5552fd9cc71f29a0ae500034a922c671fdcedb Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:28:08 +0100
Subject: [PATCH 23/48] docs: Add Trino improvements

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 1cf741a78..50cbbde07 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -172,6 +172,17 @@ The Entra User Info Fetcher (UIF) backend has been stabilized with the introduct
 Conversion between v1alpha1 and v1alpha2 is handled automatically by default.
 Implemented in https://github.com/stackabletech/opa-operator/pull/801[opa-operator#801].
 
+===== Trino
+
+*Breaking:* The operator no longer sets `opa.policy.column-masking-uri` in `access-control.properties` but `opa.policy.batch-column-masking-uri` instead, allowing Trino to fetch multiple column masks in a single request.
+This therefore now requires a `batchColumnMasks` rule to be present in the OPA Trino rules, when using the default URI set by the trino-operator.
+
+* The above default can be disabled with the new enableColumnMasking field in the opa configuration in authorization
+* *Breaking:* The field opa in authorization is now a mandatory enum variant instead of being optional
+* Quick note: Use `spec.clusterConfig.authorization.opa.enableColumnMasking: false` instead of `batchColumnMasks = []`
+
+See https://github.com/stackabletech/trino-operator/issues/814[trino-operator#814].
+
 
 ==== Supported versions
 

From 7ab8a144047818f77f085b0d770fd010380b671b Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:28:34 +0100
Subject: [PATCH 24/48] docs: Add platform fixes

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 50cbbde07..91effe73a 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -183,6 +183,16 @@ This therefore now requires a `batchColumnMasks` rule to be present in the OPA T
 
 See https://github.com/stackabletech/trino-operator/issues/814[trino-operator#814].
 
+==== Platform fixes
+
+===== General
+
+====== Logging
+
+Previously, log entries could be sent multiple times to the Vector aggregator if the Vector container was restarted.
+This issue has now been resolved by persisting the Vector state across container restarts.
+Fixed in https://github.com/stackabletech/issues/issues/821[issues#821].
+
 
 ==== Supported versions
 

From 584f6344a698a9e5a1d9e46c9d4b49871529c45e Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:28:53 +0100
Subject: [PATCH 25/48] docs: Add Airflow fixes

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 91effe73a..57d8d27f9 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -193,6 +193,17 @@ Previously, log entries could be sent multiple times to the Vector aggregator if
 This issue has now been resolved by persisting the Vector state across container restarts.
 Fixed in https://github.com/stackabletech/issues/issues/821[issues#821].
 
+===== Apache Airflow
+
+* Previously, Celery workers in Airflow 3 could run into the problem of not executing tasks anymore after a Redis re-connect.
+  Now, this issue is fixed by bumping the celery Python package.
+  Fixed in https://github.com/stackabletech/docker-images/pull/1343[docker-images#1343].
+* Previously, the operator adopted the default of 4 API workers per webserver.
+  This results in higher resource usage although it is not required for every situation.
+  Now, the default has been set to 1 (it can easily be changed by adding either more webserver replicas or an override).
+  The documentation has been xref:airflow:troubleshooting/index.adoc#_setting_api_workers[corrected] and clarified to reflect this.
+  Fixed in https://github.com/stackabletech/airflow-operator/pull/727[airflow-operator#727].
+
 
 ==== Supported versions
 

From f2f4d019816357dcd21995f1cea9fa64a75b23c6 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:29:03 +0100
Subject: [PATCH 26/48] docs: Add HBase fixes

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 57d8d27f9..19c271c42 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -204,6 +204,11 @@ Fixed in https://github.com/stackabletech/issues/issues/821[issues#821].
   The documentation has been xref:airflow:troubleshooting/index.adoc#_setting_api_workers[corrected] and clarified to reflect this.
   Fixed in https://github.com/stackabletech/airflow-operator/pull/727[airflow-operator#727].
 
+===== Apache HBase
+
+Add the `hbase.rest.endpoint` field to the restserver rolegroup ConfigMap for advertising the REST servers.
+Fixed in https://github.com/stackabletech/hbase-operator/pull/716[hbase-operator#716].
+
 
 ==== Supported versions
 

From 0305188f5450678a48867029dc71cd009f046566 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:29:12 +0100
Subject: [PATCH 27/48] docs: Add NiFi fixes

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 19c271c42..d1a522a1f 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -209,6 +209,11 @@ Fixed in https://github.com/stackabletech/issues/issues/821[issues#821].
 Add the `hbase.rest.endpoint` field to the restserver rolegroup ConfigMap for advertising the REST servers.
 Fixed in https://github.com/stackabletech/hbase-operator/pull/716[hbase-operator#716].
 
+===== Apache NiFi
+
+The operator now utilizes the `.spec.clusterConfig.authorization.opa.package` field instead of hard-coding the OPA package name to `nifi`.
+Fixed in https://github.com/stackabletech/nifi-operator/pull/881[nifi-operator#881].
+
 
 ==== Supported versions
 

From ad9143d99f1ae95e9f907beede2f13febcbaafdd Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:29:22 +0100
Subject: [PATCH 28/48] docs: Add Spark fixes

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index d1a522a1f..a5f178839 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -214,6 +214,15 @@ Fixed in https://github.com/stackabletech/hbase-operator/pull/716[hbase-operator
 The operator now utilizes the `.spec.clusterConfig.authorization.opa.package` field instead of hard-coding the OPA package name to `nifi`.
 Fixed in https://github.com/stackabletech/nifi-operator/pull/881[nifi-operator#881].
 
+===== Apache Spark
+
+* Driver pods are now garbage collected when the spark application is finished.
+  Previously, driver pods created by the submit job would be left hanging even after the job has been deleted.
+  Fixed in https://github.com/stackabletech/spark-k8s-operator/pull/649[spark-k8s-operator#649].
+* Fix application pod specifications when both the history server and the S3 connection reference the same SecretClass object.
+  Previously this would lead to duplicate volume. With this release that duplication is removed.
+  Fixed in https://github.com/stackabletech/spark-k8s-operator/pull/655[spark-k8s-operator#655].
+
 
 ==== Supported versions
 

From b05f29e47311eb8dd518c7799b0a161878aa8db9 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:29:31 +0100
Subject: [PATCH 29/48] docs: Add ZooKeeper fixes

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index a5f178839..d894c5dbe 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -223,6 +223,11 @@ Fixed in https://github.com/stackabletech/nifi-operator/pull/881[nifi-operator#8
   Previously this would lead to duplicate volume. With this release that duplication is removed.
   Fixed in https://github.com/stackabletech/spark-k8s-operator/pull/655[spark-k8s-operator#655].
 
+===== Apache ZooKeeper
+
+Previously running `zkCli` commands in the ZooKeeper image could fail due to https://issues.apache.org/jira/browse/ZOOKEEPER-4985[an upstream issue ZOOKEEPER-4985], this has now been fixed by setting the environment variable `ZOOCFGDIR`.
+Fixed in https://github.com/stackabletech/zookeeper-operator/pull/988[zookeeper-operator#988].
+
 
 ==== Supported versions
 

From e3a2894e2ffef5977aa85fcde5f218f6ac6e0a57 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:29:41 +0100
Subject: [PATCH 30/48] docs: Add OpenSearch fixes

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index d894c5dbe..fc9522f00 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -228,6 +228,13 @@ Fixed in https://github.com/stackabletech/nifi-operator/pull/881[nifi-operator#8
 Previously running `zkCli` commands in the ZooKeeper image could fail due to https://issues.apache.org/jira/browse/ZOOKEEPER-4985[an upstream issue ZOOKEEPER-4985], this has now been fixed by setting the environment variable `ZOOCFGDIR`.
 Fixed in https://github.com/stackabletech/zookeeper-operator/pull/988[zookeeper-operator#988].
 
+===== OpenSearch
+
+Previously, the log file rollover was non-functional.
+When the log file reached a size of 5 MB, an error message repeatedly appeared in the console, indicating that the log file could not be renamed.
+With this release, we have resolved the permissions issue, ensuring that the log file rollover works correctly.
+Fixed in https://github.com/stackabletech/opensearch-operator/issues/106[opensearch-operator#106].
+
 
 ==== Supported versions
 

From 99c4bf18574dccbdaf98017519b5b0652871d670 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:29:50 +0100
Subject: [PATCH 31/48] docs: Add Trino fixes

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index fc9522f00..431a6d40a 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -235,6 +235,11 @@ When the log file reached a size of 5 MB, an error message repeatedly appeared i
 With this release, we have resolved the permissions issue, ensuring that the log file rollover works correctly.
 Fixed in https://github.com/stackabletech/opensearch-operator/issues/106[opensearch-operator#106].
 
+===== Trino
+
+The `spec.connector.iceberg.metastore` field in TrinoCatalog is now optional, as Iceberg also supports other catalogs, such as a REST catalog, which (currently) can only be added using configOverrides.
+Fixed in https://github.com/stackabletech/trino-operator/pull/841[trino-operator#841].
+
 
 ==== Supported versions
 

From 167c3d91608ebe0c7a722c6586aefde1549bcbf8 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:30:02 +0100
Subject: [PATCH 32/48] docs: Add commons-operator fixes

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 431a6d40a..8934fc5ab 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -240,6 +240,15 @@ Fixed in https://github.com/stackabletech/opensearch-operator/issues/106[opensea
 The `spec.connector.iceberg.metastore` field in TrinoCatalog is now optional, as Iceberg also supports other catalogs, such as a REST catalog, which (currently) can only be added using configOverrides.
 Fixed in https://github.com/stackabletech/trino-operator/pull/841[trino-operator#841].
 
+===== Stackable commons-operator
+
+*BREAKING:* Prevent an unnecessary restart of Pod 0 of the StatefulSet when the StatefulSet is initially created.
+This was caused by commons-operator needing to update the StatefulSet immediately after creation, at which point Pod 0 was already created.
+The problem is fixed by utilizing an admission webhook, which is able to mutate the StatefulSet during its creation, so before Pod 0 is created.
+For that the commons-operator now needs the RBAC permission to `create` and `patch` `mutatingwebhookconfigurations`, which the Helm Chart automatically adds.
+The webhook can be disabled using `--disable-restarter-mutating-webhook` or by setting the `DISABLE_RESTARTER_MUTATING_WEBHOOK` environment variable, which will revert the fixed behaviour.
+Fixed in https://github.com/stackabletech/commons-operator/pull/387[commons-operator#387].
+
 
 ==== Supported versions
 

From a4e8d4af30bd9d17b1624e42af38cc6e4c96a472 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:30:19 +0100
Subject: [PATCH 33/48] docs: Add Airflow removals

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 8934fc5ab..24e347bb9 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -249,6 +249,13 @@ For that the commons-operator now needs the RBAC permission to `create` and `pat
 The webhook can be disabled using `--disable-restarter-mutating-webhook` or by setting the `DISABLE_RESTARTER_MUTATING_WEBHOOK` environment variable, which will revert the fixed behaviour.
 Fixed in https://github.com/stackabletech/commons-operator/pull/387[commons-operator#387].
 
+==== Platform removals
+
+===== Apache Airflow
+
+*Breaking:* Users of the `EXPERIMENTAL_FILE_HEADER` and `EXPERIMENTAL_FILE_FOOTER` fields who rely on `AUTH_OID` from the `flask_appbuilder.const` import must switch to `AUTH_OAUTH`.
+Removed in https://github.com/stackabletech/airflow-operator/pull/737[airflow-operator#737].
+
 
 ==== Supported versions
 

From a8cb3b8a38266b3bc9c8934f59d389715f3d21f1 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:30:34 +0100
Subject: [PATCH 34/48] docs: Add secret-operator removals

---
 .../partials/release-notes/release-26.3.adoc  | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 24e347bb9..51b91fc89 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -256,6 +256,25 @@ Fixed in https://github.com/stackabletech/commons-operator/pull/387[commons-oper
 *Breaking:* Users of the `EXPERIMENTAL_FILE_HEADER` and `EXPERIMENTAL_FILE_FOOTER` fields who rely on `AUTH_OID` from the `flask_appbuilder.const` import must switch to `AUTH_OAUTH`.
 Removed in https://github.com/stackabletech/airflow-operator/pull/737[airflow-operator#737].
 
+===== Stackable secret-operator
+
+*Breaking:* Removed support for ephemeral CSI volumes.
+This has been deprecated since secret-operator 0.4.0 because it doesn't support Pod stickiness.
+Ephemeral PersistentVolumes that use CSI are still supported and are the recommended way forward.
+
+[source,yaml]
+----
+# Replace this
+volumes:
+  - csi: # ...
+
+# with the new recommended syntax
+volumes:
+  - ephemeral:
+      volumeClaimTemplate: # ...
+----
+
+Removed in https://github.com/stackabletech/secret-operator/issues/481[secret-operator#481].
 
 ==== Supported versions
 

From 32811050079ffc12fa65395889caf0a3eb89ead5 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:31:14 +0100
Subject: [PATCH 35/48] docs: Add known issue for Kafka

---
 .../partials/release-notes/release-26.3.adoc     | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 51b91fc89..d1282add1 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -448,6 +448,22 @@ helm install --wait <PRODUCT>-operator oci://oci.stackable.tech/sdp-charts/<PROD
 [#known-issues-26_3_0]
 ==== Known issues
 
+* This release makes `zookeeper` the default metadata manager for Kafka 3.x clusters.
+  If you are running Kafka 3 with `kraft` as metadata manager already, you need to patch your existing Kafka custom resource to make this choice explicit after upgrading the SDP version.
+  The Kafka cluster will run in an error state until you patch it.
+  Patch your Kafka resource like this:
++
+--
+[source,console]
+----
+$ kubectl -n <namespace> \
+  patch kafkaclusters.kafka.stackable.tech <kafka-resource-name> \
+  --type merge -p '{"spec":{"clusterConfig":{"metadataManager":"kraft"}}}''
+----
+
+Replace `<namespace>` and `<kafka-resource-name>` as appropriate. +
+See https://github.com/stackabletech/kafka-operator/pull/933[kafka-operator#933].
+--
 * There is a https://github.com/kubernetes/kubernetes/issues/137409[known issue] with the feature gate https://github.com/kubernetes/kubernetes/pull/133153[MaxUnavailableStatefulSet] that is enabled by default as a beta feature in Kubernetes 1.35.
   This issue affects all SDP operators, especially the Trino operator. +
   To work around the issue there are two possibilities:

From edb5124d2cfc7234e3d75aa84b134011a919b87a Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Wed, 18 Mar 2026 17:31:33 +0100
Subject: [PATCH 36/48] docs: Use correct heading in 25.11 release notes

---
 modules/ROOT/partials/release-notes/release-25.11.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ROOT/partials/release-notes/release-25.11.adoc b/modules/ROOT/partials/release-notes/release-25.11.adoc
index a983c3ccb..6c0a147a8 100644
--- a/modules/ROOT/partials/release-notes/release-25.11.adoc
+++ b/modules/ROOT/partials/release-notes/release-25.11.adoc
@@ -773,7 +773,7 @@ These Kubernetes versions are no longer supported:
 
 * `1.30`
 
-==== OpenShift
+===== OpenShift
 
 This release is available in the RedHat Certified Operator Catalog for the following OpenShift versions:
 

From ab1103576e1dc2d3b6a9b0ff0b3d2b3df2222401 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 08:54:29 +0100
Subject: [PATCH 37/48] docs: Add vulnerability stats

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index d1282add1..68aa44f5a 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -122,6 +122,11 @@ Implemented in https://github.com/stackabletech/secret-operator/pull/676[secret-
 
 ===== General
 
+====== Vulnerabilities
+
+114 CVEs were fixed in the Stackable product images.
+This includes 9 critical and 40 high-severity CVEs.
+
 ====== Miscellaneous
 
 * All operator images have been updated from UBI9 to UBI10 base images.

From 00c87485fcb14633d24f6d50ad21af9aaaf1f810 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 11:20:48 +0100
Subject: [PATCH 38/48] docs: Move HBase change, add Druid fix

---
 .../ROOT/partials/release-notes/release-26.3.adoc   | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 68aa44f5a..7d21603ff 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -30,6 +30,11 @@ It should be noted that conversions in the opposite direction - from v1alpha2 to
 See the xref:airflow:usage-guide/mounting-dags.adoc#_via_git_sync[DAG mounting usage guide] for more details.
 Implemented in https://github.com/stackabletech/airflow-operator/issues/382[airflow-operator#382].
 
+===== Apache HBase
+
+Add the `hbase.rest.endpoint` field to the restserver rolegroup ConfigMap for advertising the REST servers.
+Implemented in https://github.com/stackabletech/hbase-operator/pull/708[hbase-operator#708] and https://github.com/stackabletech/hbase-operator/pull/716[hbase-operator#716].
+
 ===== Apache Hive
 
 The Stackable operator for Apache Hive now supports delegating authorization requests to the Open Policy Agent (OPA) using a custom https://github.com/boschglobal/hive-metastore-opa-authorizer[hive-metastore-opa-authorizer] plugin.
@@ -209,10 +214,12 @@ Fixed in https://github.com/stackabletech/issues/issues/821[issues#821].
   The documentation has been xref:airflow:troubleshooting/index.adoc#_setting_api_workers[corrected] and clarified to reflect this.
   Fixed in https://github.com/stackabletech/airflow-operator/pull/727[airflow-operator#727].
 
-===== Apache HBase
+[#druid-fixes-26_3_0]
+===== Apache Druid
 
-Add the `hbase.rest.endpoint` field to the restserver rolegroup ConfigMap for advertising the REST servers.
-Fixed in https://github.com/stackabletech/hbase-operator/pull/716[hbase-operator#716].
+*Breaking:* Starting with Druid 35, the router requires higher CPU resources.
+CPU request and limit have been bumped from `100m` and `400m` to `300m` and `1200m` respectively.
+Fixed in https://github.com/stackabletech/druid-operator/pull/786[druid-operator#786].
 
 ===== Apache NiFi
 

From 31352d7994a529c76f075fbcf4ab31fd56d510db Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 12:22:44 +0100
Subject: [PATCH 39/48] docs: Add HDFS restarter exception

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 7d21603ff..abe3799ae 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -136,7 +136,7 @@ This includes 9 critical and 40 high-severity CVEs.
 
 * All operator images have been updated from UBI9 to UBI10 base images.
   See https://github.com/stackabletech/docker-images/issues/1349[docker-images#1349].
-* All products now have the xref:commons-operator:restarter.adoc[restart-controller] enabled, so that the Pods are automatically restarted on config changes (in ConfigMaps and Secrets).
+* All products (except https://github.com/stackabletech/hdfs-operator/issues/750[Apache Hadoop]) now have the xref:commons-operator:restarter.adoc[restart-controller] enabled, so that the Pods are automatically restarted on config changes (in ConfigMaps and Secrets).
   See https://github.com/stackabletech/issues/issues/816[issues#816].
 
 ===== Apache Airflow

From cc1106cb130b5b25b55e21b50be1cf1c166581e3 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 12:24:01 +0100
Subject: [PATCH 40/48] docs: Add missing changes

---
 .../partials/release-notes/release-26.3.adoc  | 54 +++++++++++++++++--
 1 file changed, 51 insertions(+), 3 deletions(-)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index abe3799ae..6210f88e9 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -153,6 +153,11 @@ This includes 9 critical and 40 high-severity CVEs.
 The hbase-operator-tools have been bumped to 1.3.0 and https://issues.apache.org/jira/browse/HBASE-29797[HBASE-29797] has been backported for all supported HBase images.
 See https://github.com/stackabletech/docker-images/issues/1417[docker-images#1417].
 
+===== Apache Hadoop
+
+The operator now adds a warning and exit condition to the `format-namenodes` container script to check for corrupted data after formatting.
+Implemented in https://github.com/stackabletech/hdfs-operator/pull/751[hdfs-operator#751].
+
 ===== Apache Kafka
 
 Previously, Kafka supported OPA in non-TLS mode.
@@ -165,7 +170,39 @@ It should be noted that this is not yet supported by the Kafka Controller (avail
 
 ===== Apache NiFi
 
-There are cases where customers may wish to provide static authorization files (users.xml, authorizer.xml, authorizations.xml) instead of fetching the data dynamically (for instance, when collecting user and group data from AD/Entra).
+* *Breaking:* The authorization configuration for the operator has been adjusted to more closely match and represent the Apache NiFi interfaces and implementations.
+  The `OpaAuthorizer`, `SingleUserAuthorizer` and `StandardManagedAuthorizer` can now be explicitly set.
+  This allows to set an `initialAdminUser` for file-based authorization.
++
+--
+[source,yaml]
+----
+spec:
+  clusterConfig:
+    authorization:
+      opa: { .. } # existing
+      # OR
+      singleUser: {} # new
+      # OR
+      standard: # new
+        accessPolicyProvider:
+          fileBased:
+            initialAdminUser: CN=admin,OU=admin-group,DC=example,DC=org
+----
+
+If not provided this defaults to the `SingleUserAuthorizer`.
+
+[WARNING]
+====
+Users authenticating via LDAP that do not use the `OpaAuthorizer` (but relied on the operator-generated file-based authorization), now have to explicitly set the `StandardManagedAuthorizer` and the `initialAdminUser`.
+The cluster definition must be extended by an authorization part like shown above.
+
+This means that the bind user now can differ from the `initialAdminUser`.
+====
+
+See the xref:nifi:usage_guide/security.adoc#authorization[security usage guide] for more information.
+--
+* There are cases where customers may wish to provide static authorization files (users.xml, authorizer.xml, authorizations.xml) instead of fetching the data dynamically (for instance, when collecting user and group data from AD/Entra).
 Statically provided user/group information and rough-granular permissions are honoured automatically (as long as the UUIDs match those available in the backend), but for the initial process group this has to be done by a callback mechanism so that the authorizations can be updated after the flow has been registered.
 The Nifi images have been patched for versions 2.4.0 and 2.6.0 to implement this.
 See https://github.com/stackabletech/nifi-operator/issues/862[nifi-operator#862].
@@ -178,7 +215,10 @@ See https://github.com/stackabletech/spark-k8s-operator/issues/639[spark-k8s-ope
 
 ===== Open Policy Agent
 
-The Entra User Info Fetcher (UIF) backend has been stabilized with the introduction of OpaCluster v1alpha2.
+* Previously, when POST-ing the status following the successful loading of a bundle, a warning was written to the logs because of a superfluous service name.
+  This has now been removed.
+  Implemented in https://github.com/stackabletech/opa-operator/issues/798[opa-operator#798].
+* The Entra User Info Fetcher (UIF) backend has been stabilized with the introduction of OpaCluster v1alpha2.
 Conversion between v1alpha1 and v1alpha2 is handled automatically by default.
 Implemented in https://github.com/stackabletech/opa-operator/pull/801[opa-operator#801].
 
@@ -221,9 +261,17 @@ Fixed in https://github.com/stackabletech/issues/issues/821[issues#821].
 CPU request and limit have been bumped from `100m` and `400m` to `300m` and `1200m` respectively.
 Fixed in https://github.com/stackabletech/druid-operator/pull/786[druid-operator#786].
 
+===== Apache Hadoop
+
+Previously, some parts of the shell output of the init containers were not logged properly and therefore not aggregated.
+Now, these log messages are captured correctly.
+Fixed in https://github.com/stackabletech/hdfs-operator/pull/746[hdfs-operator#746].
+
 ===== Apache NiFi
 
-The operator now utilizes the `.spec.clusterConfig.authorization.opa.package` field instead of hard-coding the OPA package name to `nifi`.
+* The operator now instructs NiFi pods to also listen on the loopback interface so that Kubernetes port-forwards work.
+  Fixed in https://github.com/stackabletech/nifi-operator/pull/870[nifi-operator#870].
+* The operator now utilizes the `.spec.clusterConfig.authorization.opa.package` field instead of hard-coding the OPA package name to `nifi`.
 Fixed in https://github.com/stackabletech/nifi-operator/pull/881[nifi-operator#881].
 
 ===== Apache Spark

From eb32c1c03d9a809b6b4d60a65957aed2fab0a01f Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 12:24:42 +0100
Subject: [PATCH 41/48] docs: Improve various entries

---
 .../partials/release-notes/release-26.3.adoc  | 30 +++++++++++++------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 6210f88e9..976ac1942 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -204,14 +204,14 @@ See the xref:nifi:usage_guide/security.adoc#authorization[security usage guide]
 --
 * There are cases where customers may wish to provide static authorization files (users.xml, authorizer.xml, authorizations.xml) instead of fetching the data dynamically (for instance, when collecting user and group data from AD/Entra).
 Statically provided user/group information and rough-granular permissions are honoured automatically (as long as the UUIDs match those available in the backend), but for the initial process group this has to be done by a callback mechanism so that the authorizations can be updated after the flow has been registered.
-The Nifi images have been patched for versions 2.4.0 and 2.6.0 to implement this.
-See https://github.com/stackabletech/nifi-operator/issues/862[nifi-operator#862].
+  The Nifi images have been patched for versions 2.4.0 and 2.6.0 to support this.
+  Implemented in https://github.com/stackabletech/nifi-operator/issues/862[nifi-operator#862].
 
 ===== Apache Spark
 
 Spark application jobs can now have pod/node affinities.
 Previously only the application driver and executors had a dedicated field for this purpose.
-See https://github.com/stackabletech/spark-k8s-operator/issues/639[spark-k8s-operator#639].
+Implemented in https://github.com/stackabletech/spark-k8s-operator/issues/639[spark-k8s-operator#639].
 
 ===== Open Policy Agent
 
@@ -222,16 +222,28 @@ See https://github.com/stackabletech/spark-k8s-operator/issues/639[spark-k8s-ope
 Conversion between v1alpha1 and v1alpha2 is handled automatically by default.
 Implemented in https://github.com/stackabletech/opa-operator/pull/801[opa-operator#801].
 
+[#trino-improvements-26_3_0]
 ===== Trino
 
-*Breaking:* The operator no longer sets `opa.policy.column-masking-uri` in `access-control.properties` but `opa.policy.batch-column-masking-uri` instead, allowing Trino to fetch multiple column masks in a single request.
-This therefore now requires a `batchColumnMasks` rule to be present in the OPA Trino rules, when using the default URI set by the trino-operator.
+* *Breaking:* The operator no longer sets `opa.policy.column-masking-uri` in `access-control.properties` but `opa.policy.batch-column-masking-uri` instead, allowing Trino to fetch multiple column masks in a single request.
+  This therefore now requires a `batchColumnMasks` rule to be present in the OPA Trino rules, when using the default URI set by the trino-operator. +
+  The above default can be disabled with the new enableColumnMasking field in the opa configuration in authorization
++
+--
+[WARNING]
+====
+The `opa` field under `authorization` is now a mandatory enum variant instead of being optional.
+====
 
-* The above default can be disabled with the new enableColumnMasking field in the opa configuration in authorization
-* *Breaking:* The field opa in authorization is now a mandatory enum variant instead of being optional
-* Quick note: Use `spec.clusterConfig.authorization.opa.enableColumnMasking: false` instead of `batchColumnMasks = []`
+[TIP]
+====
+It is recommended to use `spec.clusterConfig.authorization.opa.enableColumnMasking: false` instead of `batchColumnMasks = []`.
+====
 
-See https://github.com/stackabletech/trino-operator/issues/814[trino-operator#814].
+Implemented in https://github.com/stackabletech/trino-operator/issues/814[trino-operator#814].
+--
+* The `spec.connector.iceberg.metastore` field in TrinoCatalog is now optional, as Iceberg also supports other catalogs, such as a REST catalog, which (currently) can only be added using configOverrides.
+  Implemented in https://github.com/stackabletech/trino-operator/pull/841[trino-operator#841].
 
 ==== Platform fixes
 

From a5450d7a60c408977ceb6aab8b1a5150a8d9f0f0 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 12:29:53 +0100
Subject: [PATCH 42/48] docs: Add summary of breaking changes

---
 .../partials/release-notes/release-26.3.adoc  | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 976ac1942..46ff12423 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -5,6 +5,18 @@
 Released on 2026-03-16.
 (Optional description / introduction)
 
+[WARNING,caption=Overview of breaking changes]
+====
+The following components of the SDP contain breaking changes for this release:
+
+* link:#airflow-removals-26_3_0[Apache Airflow]
+* link:#druid-fixes-26_3_0[Apache Druid]
+* link:#nifi-improvements-26_3_0[Apache NiFi]
+* link:#trino-improvements-26_3_0[Trino]
+* link:#commons-fixes-26_3_0[Stackable commons-operator]
+* link:#secret-removals-26_3_0[Stackable secret-operator]
+====
+
 ==== New platform features
 
 ===== General
@@ -168,6 +180,7 @@ Now both TLS and non-TLS modes are supported.
 It should be noted that this is not yet supported by the Kafka Controller (available in Kafka 4.x).
 ====
 
+[#nifi-improvements-26_3_0]
 ===== Apache NiFi
 
 * *Breaking:* The authorization configuration for the operator has been adjusted to more closely match and represent the Apache NiFi interfaces and implementations.
@@ -307,11 +320,7 @@ When the log file reached a size of 5 MB, an error message repeatedly appeared i
 With this release, we have resolved the permissions issue, ensuring that the log file rollover works correctly.
 Fixed in https://github.com/stackabletech/opensearch-operator/issues/106[opensearch-operator#106].
 
-===== Trino
-
-The `spec.connector.iceberg.metastore` field in TrinoCatalog is now optional, as Iceberg also supports other catalogs, such as a REST catalog, which (currently) can only be added using configOverrides.
-Fixed in https://github.com/stackabletech/trino-operator/pull/841[trino-operator#841].
-
+[#commons-fixes-26_3_0]
 ===== Stackable commons-operator
 
 *BREAKING:* Prevent an unnecessary restart of Pod 0 of the StatefulSet when the StatefulSet is initially created.
@@ -323,11 +332,13 @@ Fixed in https://github.com/stackabletech/commons-operator/pull/387[commons-oper
 
 ==== Platform removals
 
+[#airflow-removals-26_3_0]
 ===== Apache Airflow
 
 *Breaking:* Users of the `EXPERIMENTAL_FILE_HEADER` and `EXPERIMENTAL_FILE_FOOTER` fields who rely on `AUTH_OID` from the `flask_appbuilder.const` import must switch to `AUTH_OAUTH`.
 Removed in https://github.com/stackabletech/airflow-operator/pull/737[airflow-operator#737].
 
+[#secret-removals-26_3_0]
 ===== Stackable secret-operator
 
 *Breaking:* Removed support for ephemeral CSI volumes.

From 033ccd2a18649d68e4f7487b546b3a53f7eab2a6 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 12:30:22 +0100
Subject: [PATCH 43/48] chore: Fix indentation

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 46ff12423..96c0edccc 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -216,7 +216,7 @@ This means that the bind user now can differ from the `initialAdminUser`.
 See the xref:nifi:usage_guide/security.adoc#authorization[security usage guide] for more information.
 --
 * There are cases where customers may wish to provide static authorization files (users.xml, authorizer.xml, authorizations.xml) instead of fetching the data dynamically (for instance, when collecting user and group data from AD/Entra).
-Statically provided user/group information and rough-granular permissions are honoured automatically (as long as the UUIDs match those available in the backend), but for the initial process group this has to be done by a callback mechanism so that the authorizations can be updated after the flow has been registered.
+  Statically provided user/group information and rough-granular permissions are honoured automatically (as long as the UUIDs match those available in the backend), but for the initial process group this has to be done by a callback mechanism so that the authorizations can be updated after the flow has been registered.
   The Nifi images have been patched for versions 2.4.0 and 2.6.0 to support this.
   Implemented in https://github.com/stackabletech/nifi-operator/issues/862[nifi-operator#862].
 
@@ -232,8 +232,8 @@ Implemented in https://github.com/stackabletech/spark-k8s-operator/issues/639[sp
   This has now been removed.
   Implemented in https://github.com/stackabletech/opa-operator/issues/798[opa-operator#798].
 * The Entra User Info Fetcher (UIF) backend has been stabilized with the introduction of OpaCluster v1alpha2.
-Conversion between v1alpha1 and v1alpha2 is handled automatically by default.
-Implemented in https://github.com/stackabletech/opa-operator/pull/801[opa-operator#801].
+  Conversion between v1alpha1 and v1alpha2 is handled automatically by default.
+  Implemented in https://github.com/stackabletech/opa-operator/pull/801[opa-operator#801].
 
 [#trino-improvements-26_3_0]
 ===== Trino
@@ -297,7 +297,7 @@ Fixed in https://github.com/stackabletech/hdfs-operator/pull/746[hdfs-operator#7
 * The operator now instructs NiFi pods to also listen on the loopback interface so that Kubernetes port-forwards work.
   Fixed in https://github.com/stackabletech/nifi-operator/pull/870[nifi-operator#870].
 * The operator now utilizes the `.spec.clusterConfig.authorization.opa.package` field instead of hard-coding the OPA package name to `nifi`.
-Fixed in https://github.com/stackabletech/nifi-operator/pull/881[nifi-operator#881].
+  Fixed in https://github.com/stackabletech/nifi-operator/pull/881[nifi-operator#881].
 
 ===== Apache Spark
 

From d74880f4b577da1d79c7e5d3259be3d3c626fc1b Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 12:44:05 +0100
Subject: [PATCH 44/48] docs: Add release highlights

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 96c0edccc..23f313973 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -3,7 +3,14 @@
 === 26.3.0
 
 Released on 2026-03-16.
-(Optional description / introduction)
+
+[TIP,caption=Release highlights]
+====
+* Generic object overrides are now supported across the SDP.
+* The Stackable operator for OpenSearch adds many new features, like TLS configuration and service discovery.
+* The User Info Fetcher (UIF) gained experimental support for OpenLDAP and the Entra backend has been stabilized.
+* The restart-controller is now enabled for nearly all products.
+====
 
 [WARNING,caption=Overview of breaking changes]
 ====

From 99cfff3d9ed5faf48b92b7f7943a5eef77959047 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 12:44:21 +0100
Subject: [PATCH 45/48] chore: Add missing "a"

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 23f313973..2e7fa138d 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -30,7 +30,7 @@ The following components of the SDP contain breaking changes for this release:
 
 ====== Miscellaneous
 
-* In 26.3.0 we added new demo that shows Retrieval Augmented Generation (RAG) with OpenSearch as the vector store.
+* In 26.3.0 we added a new demo that shows Retrieval Augmented Generation (RAG) with OpenSearch as the vector store.
   Consult the xref:demos:opensearch-rag.adoc[demo documentation page] for more details.
   See https://github.com/stackabletech/demos/pull/354[demos#354].
 * All remaining operators now maintain their own CRD(s) instead of relying on Helm as a deployment mechanism.

From 80054e9a68f40b4f1316ae74545db54baa1978af Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 15:16:15 +0100
Subject: [PATCH 46/48] docs: Add OpenSearch upgrade guide to admonition

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 2e7fa138d..e7c8380ae 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -114,6 +114,8 @@ Implemented in https://github.com/stackabletech/spark-k8s-operator/pull/647[spar
 [IMPORTANT]
 ====
 It is essential to remove both `podOverrides` and `configOverrides` related to security settings, such as `plugins.security.allow_default_init_securityindex`.
+
+Also consult the xref:opensearch:usage-guide/upgrade.adoc[upgrade guide] for more detailed instructions.
 ====
 
 See https://github.com/stackabletech/opensearch-operator/issues/43[opensearch-operator#43].

From 4b8011ed0bee8e5a3bb4df95d8a99ca745c5edb4 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 16:04:17 +0100
Subject: [PATCH 47/48] docs: Add graceful shutdown section

---
 modules/ROOT/partials/release-notes/release-26.3.adoc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index e7c8380ae..91cff0e44 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -277,6 +277,12 @@ Previously, log entries could be sent multiple times to the Vector aggregator if
 This issue has now been resolved by persisting the Vector state across container restarts.
 Fixed in https://github.com/stackabletech/issues/issues/821[issues#821].
 
+====== Miscellaneous
+
+All operators now correctly and gracefully shutdown all concurrent tasks by forwarding the SIGTERM signal.
+Most operators already correctly handled this before, but this is now done consistently across the board.
+Tracked in https://github.com/stackabletech/issues/issues/803[issues#803].
+
 ===== Apache Airflow
 
 * Previously, Celery workers in Airflow 3 could run into the problem of not executing tasks anymore after a Redis re-connect.

From 87156528be058e5a93853da94ffc56550fc86464 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Thu, 19 Mar 2026 17:00:59 +0100
Subject: [PATCH 48/48] docs: Add various small tweaks

---
 .../partials/release-notes/release-26.3.adoc  | 39 +++++++++++++------
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/modules/ROOT/partials/release-notes/release-26.3.adoc b/modules/ROOT/partials/release-notes/release-26.3.adoc
index 91cff0e44..a149b5126 100644
--- a/modules/ROOT/partials/release-notes/release-26.3.adoc
+++ b/modules/ROOT/partials/release-notes/release-26.3.adoc
@@ -45,7 +45,12 @@ The following components of the SDP contain breaking changes for this release:
 
 Airflow can now use gitsync to authenticate against a repository using SSH keys as well as basic auth, which was previously the only option.
 The Airflow operator also now has the ability to convert certain changes between CRD versions: in the case of this change, the operator can automatically convert the field `credentialsSecret` to `credentials: basicAuthSecretName` so that this change is non-breaking.
+
+[IMPORTANT]
+====
 It should be noted that conversions in the opposite direction - from v1alpha2 to v1alpha1 - are not possible if the v1alpha2 resource definition refers to the new field.
+====
+
 See the xref:airflow:usage-guide/mounting-dags.adoc#_via_git_sync[DAG mounting usage guide] for more details.
 Implemented in https://github.com/stackabletech/airflow-operator/issues/382[airflow-operator#382].
 
@@ -70,9 +75,9 @@ Implemented in https://github.com/stackabletech/kafka-operator/pull/923[kafka-op
 
 * Starting with this release, Spark applications will not be resubmitted automatically in case of failure.
   Users can restore the previous behavior by setting the new `spec.job.retryOnFailureCount` property to a non negative value. +
-  In addition, small improvements have been made to clean up resources created by Spark applications.
-** application driver pods are now deleted as soon as they reach a terminal state.
-** application executor pods are now deleted as soon as possible in case of driver or submit failure.
+  In addition, small improvements have been made to clean up resources created by Spark applications:
+** Application driver pods are now deleted as soon as they reach a terminal state.
+** Application executor pods are now deleted as soon as possible in case of driver or submit failure.
 
 +
 Implemented in https://github.com/stackabletech/spark-k8s-operator/pull/647[spark-k8s-operator#647].
@@ -222,12 +227,16 @@ The cluster definition must be extended by an authorization part like shown abov
 This means that the bind user now can differ from the `initialAdminUser`.
 ====
 
-See the xref:nifi:usage_guide/security.adoc#authorization[security usage guide] for more information.
+See the xref:nifi:usage_guide/security.adoc#authorization[security usage guide] for more information. Implemented in https://github.com/stackabletech/nifi-operator/pull/884[nifi-operator#884].
 --
 * There are cases where customers may wish to provide static authorization files (users.xml, authorizer.xml, authorizations.xml) instead of fetching the data dynamically (for instance, when collecting user and group data from AD/Entra).
-  Statically provided user/group information and rough-granular permissions are honoured automatically (as long as the UUIDs match those available in the backend), but for the initial process group this has to be done by a callback mechanism so that the authorizations can be updated after the flow has been registered.
-  The Nifi images have been patched for versions 2.4.0 and 2.6.0 to support this.
-  Implemented in https://github.com/stackabletech/nifi-operator/issues/862[nifi-operator#862].
++
+--
+Statically provided user/group information and rough-granular permissions are honoured automatically (as long as the UUIDs match those available in the backend), but for the initial process group this has to be done by a callback mechanism so that the authorizations can be updated after the flow has been registered.
+
+The Nifi images have been patched for versions 2.4.0 and 2.6.0 to support this.
+Implemented in https://github.com/stackabletech/nifi-operator/issues/862[nifi-operator#862].
+--
 
 ===== Apache Spark
 
@@ -338,13 +347,19 @@ Fixed in https://github.com/stackabletech/opensearch-operator/issues/106[opensea
 [#commons-fixes-26_3_0]
 ===== Stackable commons-operator
 
-*BREAKING:* Prevent an unnecessary restart of Pod 0 of the StatefulSet when the StatefulSet is initially created.
-This was caused by commons-operator needing to update the StatefulSet immediately after creation, at which point Pod 0 was already created.
-The problem is fixed by utilizing an admission webhook, which is able to mutate the StatefulSet during its creation, so before Pod 0 is created.
-For that the commons-operator now needs the RBAC permission to `create` and `patch` `mutatingwebhookconfigurations`, which the Helm Chart automatically adds.
-The webhook can be disabled using `--disable-restarter-mutating-webhook` or by setting the `DISABLE_RESTARTER_MUTATING_WEBHOOK` environment variable, which will revert the fixed behaviour.
+*BREAKING:* Prevent an unnecessary restart of Pod 0 of the StatefulSet when the STS is initially created.
+This was caused by commons-operator needing to update the STS immediately after creation, at which point Pod 0 was already created.
+The problem is now fixed by utilizing an admission webhook, which is able to mutate the StatefulSet during its creation - before Pod 0 is created.
 Fixed in https://github.com/stackabletech/commons-operator/pull/387[commons-operator#387].
 
+[WARNING]
+====
+It should be noted that the commons-operator now needs the RBAC permission to `create` and `patch` `mutatingwebhookconfigurations`.
+Operator installations via the Helm Chart automatically add these new permissions.
+====
+
+The webhook can be disabled using `--disable-restarter-mutating-webhook` or by setting the `DISABLE_RESTARTER_MUTATING_WEBHOOK` environment variable, which will however revert the fixed behaviour.
+
 ==== Platform removals
 
 [#airflow-removals-26_3_0]