1. Docs
  2. Changes and releases

Workload cluster release aws-34.2.0 for CAPA

CAPA releases releases aws-34.2.0

Changes compared to v34.1.1

Components

  • cluster-aws from v7.4.0 to v7.6.1
  • cluster from v5.1.2 to v5.3.1
  • Flatcar from v4459.2.3 to v4459.2.4
  • Kubernetes from v1.34.5 to v1.34.7
  • os-tooling from v1.26.4 to v1.28.0

cluster-aws v7.4.0…v7.6.1

Added

  • Add appVersion field to Chart.yaml.
  • Enable scraping metrics and logs from the karpenter app.
  • Allow to configure the name of the hosted zone to use for the workload cluster by setting global.connectivity.dns.hostedZoneName.
  • Allow to configure the AWS IAM Role to use when managing the DNS delegation for the hosted zone by setting global.connectivity.dns.delegationIdentityName.
  • Added new annotation network.giantswarm.io/base-domain with the base domain value used for the workload cluster.
  • Add support for network.giantswarm.io/wildcard-cname-target annotation on AWSCluster via global.connectivity.dns.wildcardCnameTarget.

Changed

  • Enable cert-manager DNS challenges by default.
  • Reduced default karpenter consolidation from 6 hours to 1 hour.
  • Apps: Enable rbac-bootstrap as a default HelmRelease app.

Fixed

  • Set appName before catalog lookup in aws-nth-app template to ensure correct catalog resolution from Release CR.

cluster v5.1.2…v5.3.1

Added

  • Apps: Add rbac-bootstrap as a default HelmRelease app with a default ClusterRoleBinding for giantswarm:giantswarm-admins.

Changed

  • Apps: Use OCIRepository source for rbac-bootstrap HelmRelease.

Fixed

  • Apps: Change rbac-bootstrap default role from read-all to view and add additional groups for token forwarded cases.

Apps

  • aws-ebs-csi-driver from v4.1.1 to v4.1.2
  • aws-nth-bundle from v1.3.0 to v1.4.0
  • cert-exporter from v2.9.16 to v2.10.1
  • cert-manager-crossplane-resources from v0.1.0 to v0.1.1
  • cilium from v1.4.1 to v1.4.3
  • cloud-provider-aws from v2.0.0 to v2.1.0
  • cluster-autoscaler from v1.34.3-1 to v1.34.3-2
  • coredns from v1.29.1 to v1.30.0
  • etcd-defrag from v1.2.4 to v1.2.6
  • k8s-dns-node-cache from v2.9.2 to v2.11.0
  • karpenter from v2.1.0 to v2.3.0
  • observability-bundle from v2.6.0 to v2.8.0
  • prometheus-blackbox-exporter from v0.5.1 to v0.7.0
  • security-bundle from v1.17.0 to v1.17.1

aws-ebs-csi-driver v4.1.1…v4.1.2

Changed

  • Update ABS config to replace .appVersion in Chart.yaml with version detected by ABS.

Fixed

  • Use .Chart.AppVersion instead of .Chart.Version for OCIRepository tag.

aws-nth-bundle v1.3.0…v1.4.0

Changed

  • Migrate sub-apps from App CRs to Flux HelmRelease CRs.
  • Add io.giantswarm.application.audience: all annotation to publish the app to the customer Backstage catalog.
  • Migrate chart metadata annotations to io.giantswarm.application.* format.

cert-exporter v2.9.16…v2.10.1

Added

  • DaemonSet: Add VPA.

Changed

  • Values: Tune resources.

Fixed

  • Parse all PEM blocks in secrets and certificate files, not just the first one. This fixes false alerts when multiple certificates are concatenated (e.g. Kyverno webhook cert rotation).

cert-manager-crossplane-resources v0.1.0…v0.1.1

Changed

  • Update architect-orb to v6.15.0.

cilium v1.4.1…v1.4.3

Changed

cloud-provider-aws v2.0.0…v2.1.0

Changed

  • Bump to upstream image v1.35.0

cluster-autoscaler v1.34.3-1…v1.34.3-2

Added

  • Validate that managementCluster (when isManagementCluster=true) or clusterID (otherwise) are set, failing early with a clear error message.
  • Add support for CAPI mode (kubeconfig-incluster): run cluster-autoscaler on the management cluster using a pre-existing kubeconfig to connect to the workload cluster.
  • Add clusterAPI values section for configuring CAPI mode (autodiscovery, kubeconfig secret, configmaps namespace).
  • Add rbac.clusterScoped toggle to support namespace-scoped RBAC (no ClusterRole/ClusterRoleBinding) for CAPI deployments.

Changed

  • Migrate test infrastructure from pipenv to uv.
  • Deploy the Kyverno policy exception in the policy-exceptions Namespace.
  • Deploy the Kyverno PolicyException as a Helm pre-install,pre-upgrade hook so it takes effect before chart resources are created.

coredns v1.29.1…v1.30.0

Added

  • Add coredns-adopter job to adopt default CoreDNS resources on EKS clusters (disabled by default).

Changed

  • Update coredns image to 1.14.2.

etcd-defrag v1.2.4…v1.2.6

Changed

  • Chart: Update dependency ahrtr/etcd-defrag to v0.39.0. (#86)
  • Chart: Update dependency ahrtr/etcd-defrag to v0.38.0. (#84)

k8s-dns-node-cache v2.9.2…v2.11.0

Added

  • Add configmap.log.enabled helm value to toggle CoreDNS query logging (default: false).
  • Make AAAA NOERROR configurable for IPv6.

karpenter v2.1.0…v2.3.0

Changed

  • Migrate workload chart to use unmodified upstream Karpenter v1.8.1 chart as a Helm dependency (alias: upstream), eliminating fork maintenance.
  • Bundle chart: add giantswarm.workloadValues transformer to route values under upstream: key with extras (podLogs, global) at top level.
  • Bundle chart: convert proxy settings to controller.env entries for upstream compatibility.
  • Bundle chart: add giantswarm.combineImage helper to merge split registry+repository into single repository path.
  • Restructure bundle values.yaml into annotated BUNDLE-ONLY / UPSTREAM / EXTRAS sections.
  • Add io.giantswarm.application.audience: all annotation to publish the app to the customer Backstage catalog.
  • Migrate chart metadata annotations to io.giantswarm.application.* format for both the karpenter and karpenter-bundle charts.
  • Update ABS config to replace .appVersion in Chart.yaml with version detected by ABS.

Fixed

  • Use .Chart.AppVersion instead of .Chart.Version for OCIRepository tag.

Removed

  • Remove all forked upstream templates from workload chart (replaced by upstream dependency).
  • Remove vendir.yml, vendir.lock.yml, vendor/ directory, and Makefile.custom.mk.

observability-bundle v2.6.0…v2.8.0

Added

  • Add KSM metrics for Envoy Gateway resources.
  • Add application.giantswarm.io/team annotation from HelmReleases as label to KSM emitted metrics.

Changed

  • Update kube-prometheus-stack to 20.1.0
  • Change team annotation in Chart.yaml to OpenContainers format (io.giantswarm.application.team).
  • Update alloy-app to 0.17.1
  • Update kube-prometheus-stack to 20.0.0
  • Update prometheus-operator-crd to 20.0.0

prometheus-blackbox-exporter v0.5.1…v0.7.0

Added

  • Add http_2xx_insecure module with insecure_skip_verify: true to support probing workload cluster API servers from the management cluster. The MC’s service account CA (http_2xx_k8sca) only covers the MC itself; workload clusters have their own CA which is not available to the blackbox exporter, making TLS verification impossible without this module.

Changed

  • Set priorityClassName to system-node-critical to ensure DaemonSet pods are scheduled even on full nodes.

security-bundle v1.17.0…v1.17.1

Added

  • Add io.giantswarm.application.audience and io.giantswarm.application.managed chart annotations for Backstage visibility.

Changed

  • Update falco (app) to v0.11.2.
  • Update gel (app) to v1.0.2.
  • Update kubescape (app) to v0.0.6.
  • Update reports-server (app) to v0.1.3.
  • Update starboard-exporter (app) to v1.0.3.
  • Update trivy (app) to v0.14.2.
  • Update trivy-operator (app) to v0.12.2.
  • Migrate chart annotations to OCI-compatible format.