Skip to content

Releases: giantswarm/kubectl-gs

v5.6.4

Choose a tag to compare

@taylorbot taylorbot released this 01 Jun 11:04
bd270c1

Added

  • login: new --oidc-scope flag (repeatable, comma-separated) appends extra scopes to the direct workload-cluster OIDC request. Use --oidc-scope=groups with Okta to receive group memberships in the ID token when the workload cluster's structured auth is configured with groupsClaim.

v5.6.3

Choose a tag to compare

@taylorbot taylorbot released this 28 May 11:52
21e1d37

Fixed

  • login: stop silently rerouting client-certificate logins to direct OIDC. Passing any cert-only flag now skips structured-auth detection.

Changed

  • template cluster: expand the command's --help with a multi-line Long description, a docs URL, and worked examples — including how to add an arm64 worker node pool to the generated values.yaml for AWS clusters.

v5.6.2

Choose a tag to compare

@taylorbot taylorbot released this 22 May 15:19
ed30682

Fixed

  • login: do not break the generated kubeconfig when the OIDC provider does not return a refresh token. The plugin now serves the still-valid ID token first and only requires a refresh token at renewal time.

v5.6.1

Choose a tag to compare

@taylorbot taylorbot released this 22 May 08:23
7d1a852

Changed

  • Upgrading Flux API versions to match the ones considered stable in Flux 2.6.

v5.6.0

Choose a tag to compare

@taylorbot taylorbot released this 19 May 12:58
384ff0f

Changed

  • login: when a workload cluster's structured authentication exposes multiple OIDC issuers and no --oidc-issuer / --oidc-client-id flag is set, prompt the user to pick one from a numbered menu (interactive TTY only). Non-interactive invocations keep the previous error listing the available issuers so scripted callers stay informative.
  • Bump giantswarm/architect orb to 8.2.2 and re-enable cosign keyless chart signing (sign: false removed from every push-to-app-catalog* invocation). v8.2.2 ships architect-orb#772 which upgrades the app-build-suite executor image from 1.8.0-circleci to 1.8.1-circleci -- the new image includes the cosign binary that v8.2.0's chart signing defaults require. Closes architect-orb#769.
  • Bump giantswarm/architect orb to 8.2.1 to pick up architect-orb#767: image-login-to-registries is now POSIX-portable, unblocking architect/sync-china-registry (the gsoci -> Aliyun mirror via the in-China giantswarm/galaxy-runner). The v8.1.0 refactor accidentally introduced bash-only ${!var} indirect expansion in the shared login command, which BusyBox /bin/sh (used by the regctl executor) rejected with bad substitution -- so no Aliyun mirror has been happening since the migration to split-china-push: true. v8.2.x also enables cosign keyless signing, SLSA provenance, and SBOM attestations by default for public images and charts.
  • Enable split-china-push: true on the tag-build push-to-registries-multiarch job and add a companion sync-china-registry job. The cross-Pacific docker buildx push to the Aliyun mirror is replaced with a regctl image copy from gsoci to Aliyun executed on the in-China giantswarm/galaxy-runner self-hosted CircleCI runner.
  • Bump giantswarm/architect orb to 8.1.0 and replace the hand-rolled inline push-to-registries-multiarch job (~75 lines of docker buildx wrapper) with architect/push-to-registries and multiarch: true. The orb job builds the multi-arch image from the per-arch binaries produced by go-build-{amd64,arm64} and reuses the Dockerfile's COPY ./kubectl-gs-${TARGETARCH} step. Picks up the v8.1.0 QEMU/binfmt auto-registration, hardened buildx bootstrap, and standard OCI image labels for free.

Fixed

  • login: enable PKCE (RFC 7636) on the direct OIDC flow used for workload clusters with Kubernetes structured authentication. Public OIDC clients registered without a client_secret (e.g. Okta SPA / Native apps) previously failed the token exchange with invalid_client because neither client authentication nor a PKCE code verifier was sent. The Dex-mediated management cluster flow is unaffected.
  • Drop linux/386 from the docker image's --platform list. The base image gsoci.azurecr.io/giantswarm/alpine does not ship a linux/386 variant, so the legacy inline push-to-registries-multiarch job's buildx invocation has been silently failing for that platform on every run -- the bug was masked by the script's ... | tee .docker.log pipe always returning 0, so the failed buildx output never affected the job's exit code. The pushed multi-arch image therefore never actually contained a linux/386 variant. The standalone linux/386 kubectl-gs binary continues to be produced by go-build-386 and shipped through GitHub releases / krew.

v5.5.0

Choose a tag to compare

@taylorbot taylorbot released this 12 May 10:12
2cb39b1

Added

  • login: support direct OIDC authentication for workload clusters (Kubernetes structured authentication). The appropriate workload-cluster authentication mode is now selected automatically based on the cluster's configuration.

v5.4.0

Choose a tag to compare

@taylorbot taylorbot released this 04 May 09:55
6245862

Added

  • Add global.release.version to template output for EKS

Removed

  • Remove unused code (error variables, helper functions, types, and dead templates)
  • Stop templating the deprecated default-apps-eks App

v5.3.1

Choose a tag to compare

@taylorbot taylorbot released this 04 Apr 06:14
951c139

Fixed

  • Updated dependencies

v5.3.0

Choose a tag to compare

@taylorbot taylorbot released this 27 Mar 11:18
2ce71d7

Added

  • Usage info now also shows aliases for subcommands.

v5.2.0

Choose a tag to compare

@taylorbot taylorbot released this 26 Mar 16:59
3fe89d6

Changed

  • Deprecated app-related commands: get apps, get catalogs, gitops add app, update app, validate apps.
  • Added extra error logging when doing login and cache operations.
  • Added handler for Exec AuthType.