diff --git a/Cargo.lock b/Cargo.lock index a8273db..5196beb 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -475,9 +475,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.57" +version = "1.2.58" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a0dd1ca384932ff3641c8718a02769f1698e7563dc6974ffd03346116310423" +checksum = "e1e928d4b69e3077709075a938a05ffbedfa53a84c8f766efbf8220bb1ff60e1" dependencies = [ "find-msvc-tools", "jobserver", @@ -1392,9 +1392,9 @@ checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2" [[package]] name = "iri-string" -version = "0.7.10" +version = "0.7.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a" +checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20" dependencies = [ "memchr", "serde", @@ -1433,10 +1433,12 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.91" +version = "0.3.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c" +checksum = "cc4c90f45aa2e6eacbe8645f77fdea542ac97a494bcd117a67df9ff4d611f995" dependencies = [ + "cfg-if", + "futures-util", "once_cell", "wasm-bindgen", ] @@ -1711,9 +1713,9 @@ dependencies = [ [[package]] name = "mio" -version = "1.1.1" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc" +checksum = "50b7e5b27aa02a74bac8c3f23f448f8d87ff11f92d3aac1a6ed369ee08cc56c1" dependencies = [ "libc", "log", 
@@ -1738,9 +1740,9 @@ dependencies = [ [[package]] name = "num-conv" -version = "0.2.0" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050" +checksum = "c6673768db2d862beb9b39a78fdcb1a69439615d5794a1be50caa9bc92c81967" [[package]] name = "num-traits" @@ -2122,9 +2124,9 @@ dependencies = [ [[package]] name = "pulldown-cmark" -version = "0.13.1" +version = "0.13.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "83c41efbf8f90ac44de7f3a868f0867851d261b56291732d0cbf7cceaaeb55a6" +checksum = "7c3a14896dfa883796f1cb410461aef38810ea05f2b2c33c5aded3649095fdad" dependencies = [ "bitflags", "memchr", @@ -2351,7 +2353,7 @@ dependencies = [ [[package]] name = "restate-operator" -version = "2.3.1" +version = "2.4.0" dependencies = [ "actix-web", "anyhow", @@ -2403,9 +2405,9 @@ dependencies = [ [[package]] name = "rustc-hash" -version = "2.1.1" +version = "2.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d" +checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe" [[package]] name = "rustc_version" @@ -2468,9 +2470,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.103.9" +version = "0.103.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53" +checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef" dependencies = [ "ring", "rustls-pki-types", 
@@ -2643,9 +2645,9 @@ dependencies = [ [[package]] name = "serde_spanned" -version = "1.0.4" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776" +checksum = "876ac351060d4f882bb1032b6369eb0aef79ad9df1ea8bc404874d8cc3d0cd98" dependencies = [ "serde_core", ] @@ -2724,9 +2726,9 @@ dependencies = [ [[package]] name = "simd-adler32" -version = "0.3.8" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2" +checksum = "703d5c7ef118737c72f1af64ad2f6f8c5e1921f818cdcb97b8fe6fc69bf66214" [[package]] name = "slab" @@ -3016,18 +3018,18 @@ dependencies = [ [[package]] name = "toml_parser" -version = "1.0.10+spec-1.1.0" +version = "1.1.0+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7df25b4befd31c4816df190124375d5a20c6b6921e2cad937316de3fccd63420" +checksum = "2334f11ee363607eb04df9b8fc8a13ca1715a72ba8662a26ac285c98aabb4011" dependencies = [ - "winnow 1.0.0", + "winnow 1.0.1", ] [[package]] name = "toml_writer" -version = "1.0.7+spec-1.1.0" +version = "1.1.0+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f17aaa1c6e3dc22b1da4b6bba97d066e354c7945cac2f7852d4e4e7ca7a6b56d" +checksum = "d282ade6016312faf3e41e57ebbba0c073e4056dab1232ab1cb624199648f8ed" [[package]] name = "tonic" @@ -3272,9 +3274,9 @@ checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" [[package]] name = "unicode-segmentation" -version = "1.12.0" +version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6ccf251212114b54433ec949fd6a7841275f9ada20dddd2f29e9ceea4501493" +checksum = "9629274872b2bfaf8d66f5f15725007f635594914870f65218920345aa11aa8c" [[package]] name = "unicode-xid" 
@@ -3366,9 +3368,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.114" +version = "0.2.115" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e" +checksum = "6523d69017b7633e396a89c5efab138161ed5aafcbc8d3e5c5a42ae38f50495a" dependencies = [ "cfg-if", "once_cell", @@ -3379,23 +3381,19 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.64" +version = "0.4.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8" +checksum = "2d1faf851e778dfa54db7cd438b70758eba9755cb47403f3496edd7c8fc212f0" dependencies = [ - "cfg-if", - "futures-util", "js-sys", - "once_cell", "wasm-bindgen", - "web-sys", ] [[package]] name = "wasm-bindgen-macro" -version = "0.2.114" +version = "0.2.115" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6" +checksum = "4e3a6c758eb2f701ed3d052ff5737f5bfe6614326ea7f3bbac7156192dc32e67" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -3403,9 +3401,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.114" +version = "0.2.115" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3" +checksum = "921de2737904886b52bcbb237301552d05969a6f9c40d261eb0533c8b055fedf" dependencies = [ "bumpalo", "proc-macro2", @@ -3416,9 +3414,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.114" +version = "0.2.115" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16" +checksum = "a93e946af942b58934c604527337bad9ae33ba1d5c6900bbb41c2c07c2364a93" dependencies = [ "unicode-ident", ] 
@@ -3459,9 +3457,9 @@ dependencies = [ [[package]] name = "web-sys" -version = "0.3.91" +version = "0.3.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9" +checksum = "84cde8507f4d7cfcb1185b8cb5890c494ffea65edbe1ba82cfd63661c805ed94" dependencies = [ "js-sys", "wasm-bindgen", @@ -3709,9 +3707,9 @@ checksum = "df79d97927682d2fd8adb29682d1140b343be4ac0f08fd68b7765d9c059d3945" [[package]] name = "winnow" -version = "1.0.0" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a90e88e4667264a994d34e6d1ab2d26d398dcdca8b7f52bec8668957517fc7d8" +checksum = "09dac053f1cd375980747450bfc7250c264eaae0583872e845c0c7cd578872b5" [[package]] name = "wit-bindgen" @@ -3832,18 +3830,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.47" +version = "0.8.48" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87" +checksum = "eed437bf9d6692032087e337407a86f04cd8d6a16a37199ed57949d415bd68e9" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.47" +version = "0.8.48" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89" +checksum = "70e3cd084b1788766f53af483dd21f93881ff30d7320490ec3ef7526d203bad4" dependencies = [ "proc-macro2", "quote",
diff --git a/Cargo.toml b/Cargo.toml
index af5d22d..0be7994 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "restate-operator"
-version = "2.3.1"
+version = "2.4.0"
 authors = ["restate.dev"]
 edition = "2024"
 rust-version = "1.92"
diff --git a/charts/restate-operator-helm/Chart.yaml b/charts/restate-operator-helm/Chart.yaml
index bd7e46e..a15f300 100644
--- a/charts/restate-operator-helm/Chart.yaml
+++ b/charts/restate-operator-helm/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: restate-operator-helm
 description: An operator for Restate clusters
 type: application
-version: "2.3.1"
+version: "2.4.0"
diff --git a/release-notes/unreleased/94-configurable-canary-image.md b/release-notes/unreleased/94-configurable-canary-image.md
deleted file mode 100644
index 2f1e1e4..0000000
--- a/release-notes/unreleased/94-configurable-canary-image.md
+++ /dev/null
@@ -1,40 +0,0 @@
-# Release Notes for Issue #94: Configurable canary image
-
-## New Feature
-
-### What Changed
-The container image used for PIA and Workload Identity canary jobs is now
-configurable via the `canaryImage` Helm value, `CANARY_IMAGE` environment
-variable, or `--canary-image` CLI flag. Previously `busybox:uclibc` was
-hardcoded, which fails in environments that cannot pull from Docker Hub.
-
-### Why This Matters
-Air-gapped or restricted environments require all images to be pulled from
-a private registry. The hardcoded image caused canary pods to enter
-ImagePullBackOff, blocking RestateCluster reconciliation.
-
-### Impact on Users
-- **Existing deployments**: No impact. The default remains `busybox:uclibc`.
-- **Restricted environments**: Can now point to a private registry mirror.
-
-### Migration Guidance
-If your nodes cannot pull from Docker Hub, set the canary image in your
-Helm values:
-
-```yaml
-canaryImage: my-registry.example.com/busybox:uclibc
-```
-
-The simplest approach is to mirror the default image to your private registry:
-
-```bash
-docker pull busybox:uclibc
-docker tag busybox:uclibc my-registry.example.com/busybox:uclibc
-docker push my-registry.example.com/busybox:uclibc
-```
-
-If using a different image, it must provide `grep` and `wget` (used by the
-AWS PIA and GCP Workload Identity canary jobs respectively).
-
-### Related Issues
-- Issue #94: Cannot configure image URI for PIA canary pods
diff --git a/release-notes/unreleased/requeue-on-active-drain.md b/release-notes/unreleased/requeue-on-active-drain.md
deleted file mode 100644
index 850784e..0000000
--- a/release-notes/unreleased/requeue-on-active-drain.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# Release Notes: Requeue based on drain poll interval when old deployments are still active
-
-## Bug Fix
-
-### What Changed
-When old deployment versions still have active invocations (draining), the
-operator now requeues every 10 seconds instead of the hardcoded 5-minute
-reconcile interval. This applies to both ReplicaSet and Knative deployment
-modes.
-
-### Why This Matters
-Previously, even with `drainDelaySeconds: 0`, old versions could take up to
-5 minutes to be cleaned up because the controller's default requeue interval
-was always used when active invocations were still present. The drain delay
-setting had no effect on how quickly the operator polled for drain completion.
-
-### Impact on Users
-- Cleanup of old versions now happens within ~10 seconds of drain completion
-- instead of up to 5 minutes
-- No configuration changes needed
-
-### Related Issues
-- Follow-up to PR #96 (configurable drain delay)
diff --git a/release-notes/unreleased/trusted-ca-certs.md b/release-notes/unreleased/trusted-ca-certs.md
deleted file mode 100644
index 5b30ddf..0000000
--- a/release-notes/unreleased/trusted-ca-certs.md
+++ /dev/null
@@ -1,15 +0,0 @@
-## Trusted CA Certificates
-
-You can now configure custom trusted CA certificates for RestateCluster via `spec.security.trustedCaCerts`.
-This is useful when Restate needs to trust internal CAs, for example when accessing an object store with a private certificate authority.
-
-The operator adds an init container that concatenates the system CA bundle with your custom certificates into a single PEM file,
-and sets `SSL_CERT_FILE` on the Restate container to point to the combined bundle. Changing the Secret references (name or key) triggers a pod rollout.
-
-```yaml
-spec:
- security:
- trustedCaCerts:
- - secretName: internal-ca
- key: ca.pem
-```
diff --git a/release-notes/v2.4.0.md b/release-notes/v2.4.0.md
new file mode 100644
index 0000000..e1cc2fa
--- /dev/null
+++ b/release-notes/v2.4.0.md
@@ -0,0 +1,99 @@
+# Restate Operator v2.4.0 Release Notes
+
+## Highlights
+
+- **Trusted CA certificates** - RestateCluster now supports custom trusted CA certificates via `spec.security.trustedCaCerts`, removing the need for custom Restate images when using internal CAs.
+- **Configurable canary image** - The canary job image is now configurable via Helm, supporting air-gapped and restricted registry environments.
+- **IPv6 support** - The operator now binds to a dual-stack address, fixing readiness probe failures on IPv6-only clusters.
+- **Faster drain cleanup** - Old deployment versions are now polled every 10 seconds during drain, instead of waiting up to 5 minutes.
+
+## New Features
+
+### Trusted CA certificates
+
+You can now configure custom trusted CA certificates for RestateCluster via
+`spec.security.trustedCaCerts`. This is useful when Restate needs to trust internal CAs, for example when
+calling services behind an internal load balancer with a private certificate.
+
+The operator adds an init container that concatenates the system CA bundle with
+your custom certificates into a single PEM file, and sets `SSL_CERT_FILE` on
+the Restate container to point to the combined bundle.
+
+Changing the Secret references (name or key) triggers a pod rollout.
+
+```yaml
+spec:
+ security:
+ trustedCaCerts:
+ - secretName: internal-ca
+ key: ca.pem
+```
+
+*Related: PR [#111](https://github.com/restatedev/restate-operator/pull/111)*
+
+---
+
+### Configurable canary image
+
+The container image used for PIA and Workload Identity canary jobs is now
+configurable via the `canaryImage` Helm value, `CANARY_IMAGE` environment
+variable, or `--canary-image` CLI flag. Previously `busybox:uclibc` was
+hardcoded, which fails in environments that cannot pull from Docker Hub.
+
+```yaml
+canaryImage: my-registry.example.com/busybox:uclibc
+```
+
+The simplest approach is to mirror the default image:
+
+```bash
+docker pull busybox:uclibc
+docker tag busybox:uclibc my-registry.example.com/busybox:uclibc
+docker push my-registry.example.com/busybox:uclibc
+```
+
+If using a different image, it must provide `cat`, `grep`, and `wget`.
+
+*Related: Issue [#94](https://github.com/restatedev/restate-operator/issues/94), PR [#106](https://github.com/restatedev/restate-operator/pull/106)*
+
+---
+
+## Bug Fixes
+
+### IPv6 dual-stack support
+
+The operator now binds its HTTP server to `[::]` instead of `0.0.0.0`,
+supporting both IPv4 and IPv6 clusters. Previously, the readiness probe
+failed on IPv6-only clusters because the operator only listened on IPv4.
+
+*Related: Issue [#93](https://github.com/restatedev/restate-operator/issues/93), PR [#107](https://github.com/restatedev/restate-operator/pull/107)*
+
+---
+
+### Faster drain cleanup polling
+
+When old deployment versions still have active invocations (draining), the
+operator now requeues every 10 seconds instead of waiting for the default
+5-minute reconcile interval. This means old versions are cleaned up within
+seconds of drain completion rather than up to 5 minutes.
+
+*Related: PR [#112](https://github.com/restatedev/restate-operator/pull/112)*
+
+---
+
+## Upgrading
+
+**CRD Update Required**: Helm does not automatically upgrade CRDs. After
+upgrading the operator, you **must** manually apply the updated CRDs:
+
+```bash
+kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.4.0/restateclusters.yaml
+kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.4.0/restatedeployments.yaml
+kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.4.0/restatecloudenvironments.yaml
+```
+
+Then upgrade the operator via Helm:
+
+```bash
+helm upgrade restate-operator restatedev/restate-operator --version 2.4.0
+```