Releases: giantswarm/kubectl-gs
Releases · giantswarm/kubectl-gs
Release list
v5.6.4
Added
login: new--oidc-scopeflag (repeatable, comma-separated) appends extra scopes to the direct workload-cluster OIDC request. Use--oidc-scope=groupswith Okta to receive group memberships in the ID token when the workload cluster's structured auth is configured withgroupsClaim.
v5.6.3
Fixed
login: stop silently rerouting client-certificate logins to direct OIDC. Passing any cert-only flag now skips structured-auth detection.
Changed
template cluster: expand the command's--helpwith a multi-lineLongdescription, a docs URL, and worked examples — including how to add an arm64 worker node pool to the generated values.yaml for AWS clusters.
v5.6.2
v5.6.1
v5.6.0
Changed
login: when a workload cluster's structured authentication exposes multiple OIDC issuers and no--oidc-issuer/--oidc-client-idflag is set, prompt the user to pick one from a numbered menu (interactive TTY only). Non-interactive invocations keep the previous error listing the available issuers so scripted callers stay informative.- Bump
giantswarm/architectorb to8.2.2and re-enable cosign keyless chart signing (sign: falseremoved from everypush-to-app-catalog*invocation). v8.2.2 ships architect-orb#772 which upgrades theapp-build-suiteexecutor image from1.8.0-circlecito1.8.1-circleci-- the new image includes thecosignbinary that v8.2.0's chart signing defaults require. Closes architect-orb#769. - Bump
giantswarm/architectorb to8.2.1to pick up architect-orb#767:image-login-to-registriesis now POSIX-portable, unblockingarchitect/sync-china-registry(the gsoci -> Aliyun mirror via the in-Chinagiantswarm/galaxy-runner). The v8.1.0 refactor accidentally introduced bash-only${!var}indirect expansion in the shared login command, which BusyBox/bin/sh(used by the regctl executor) rejected withbad substitution-- so no Aliyun mirror has been happening since the migration tosplit-china-push: true. v8.2.x also enables cosign keyless signing, SLSA provenance, and SBOM attestations by default for public images and charts. - Enable
split-china-push: trueon the tag-buildpush-to-registries-multiarchjob and add a companionsync-china-registryjob. The cross-Pacificdocker buildxpush to the Aliyun mirror is replaced with aregctl image copyfrom gsoci to Aliyun executed on the in-Chinagiantswarm/galaxy-runnerself-hosted CircleCI runner. - Bump
giantswarm/architectorb to8.1.0and replace the hand-rolled inlinepush-to-registries-multiarchjob (~75 lines ofdocker buildxwrapper) witharchitect/push-to-registriesandmultiarch: true. The orb job builds the multi-arch image from the per-arch binaries produced bygo-build-{amd64,arm64}and reuses the Dockerfile'sCOPY ./kubectl-gs-${TARGETARCH}step. Picks up the v8.1.0 QEMU/binfmt auto-registration, hardened buildx bootstrap, and standard OCI image labels for free.
Fixed
login: enable PKCE (RFC 7636) on the direct OIDC flow used for workload clusters with Kubernetes structured authentication. Public OIDC clients registered without aclient_secret(e.g. Okta SPA / Native apps) previously failed the token exchange withinvalid_clientbecause neither client authentication nor a PKCE code verifier was sent. The Dex-mediated management cluster flow is unaffected.- Drop
linux/386from the docker image's--platformlist. The base imagegsoci.azurecr.io/giantswarm/alpinedoes not ship alinux/386variant, so the legacy inlinepush-to-registries-multiarchjob'sbuildxinvocation has been silently failing for that platform on every run -- the bug was masked by the script's... | tee .docker.logpipe always returning0, so the failed buildx output never affected the job's exit code. The pushed multi-arch image therefore never actually contained alinux/386variant. The standalonelinux/386kubectl-gsbinary continues to be produced bygo-build-386and shipped through GitHub releases / krew.