1. Docs
  2. Changes and releases
  3. Fleet Management

Fleet Management

  • Fleet Management kubectl-gs v5.6.4

    Added

    • login: new --oidc-scope flag (repeatable, comma-separated) appends extra scopes to the direct workload-cluster OIDC request. Use --oidc-scope=groups with Okta to receive group memberships in the ID token when the workload cluster’s structured auth is configured with groupsClaim.
  • Fleet Management capa-karpenter-taint-remover v1.1.0

    Changed

    • Build and publish a multi-arch (linux/amd64 + linux/arm64) container image.
    • Add io.giantswarm.application.audience: all annotation to publish the app to the customer Backstage catalog.
    • Migrate chart metadata annotations to io.giantswarm.application.* format.
  • Fleet Management aws-load-balancer-controller-app v5.2.0

    Added

    • Add valuesFromSecret value to optionally inject a Secret as an additional valuesFrom source in the HelmRelease.
  • Fleet Management kubectl-gs v5.6.3

    Fixed

    • login: stop silently rerouting client-certificate logins to direct OIDC. Passing any cert-only flag now skips structured-auth detection.

    Changed

    • template cluster: expand the command’s --help with a multi-line Long description, a docs URL, and worked examples — including how to add an arm64 worker node pool to the generated values.yaml for AWS clusters.
  • Fleet Management kubectl-gs v5.6.2

    Fixed

    • login: do not break the generated kubeconfig when the OIDC provider does not return a refresh token. The plugin now serves the still-valid ID token first and only requires a refresh token at renewal time.
  • Fleet Management kubectl-gs v5.6.1

    Changed

    • Upgrading Flux API versions to match the ones considered stable in Flux 2.6.
  • Fleet Management kubectl-gs v5.6.0

    Changed

    • login: when a workload cluster’s structured authentication exposes multiple OIDC issuers and no --oidc-issuer / --oidc-client-id flag is set, prompt the user to pick one from a numbered menu (interactive TTY only). Non-interactive invocations keep the previous error listing the available issuers so scripted callers stay informative.
    • Bump giantswarm/architect orb to 8.2.2 and re-enable cosign keyless chart signing (sign: false removed from every push-to-app-catalog* invocation). v8.2.2 ships architect-orb#772 which upgrades the app-build-suite executor image from 1.8.0-circleci to 1.8.1-circleci – the new image includes the cosign binary that v8.2.0’s chart signing defaults require. Closes architect-orb#769.
    • Bump giantswarm/architect orb to 8.2.1 to pick up architect-orb#767: image-login-to-registries is now POSIX-portable, unblocking architect/sync-china-registry (the gsoci -> Aliyun mirror via the in-China giantswarm/galaxy-runner). The v8.1.0 refactor accidentally introduced bash-only ${!var} indirect expansion in the shared login command, which BusyBox /bin/sh (used by the regctl executor) rejected with bad substitution – so no Aliyun mirror has been happening since the migration to split-china-push: true. v8.2.x also enables cosign keyless signing, SLSA provenance, and SBOM attestations by default for public images and charts.
    • Enable split-china-push: true on the tag-build push-to-registries-multiarch job and add a companion sync-china-registry job. The cross-Pacific docker buildx push to the Aliyun mirror is replaced with a regctl image copy from gsoci to Aliyun executed on the in-China giantswarm/galaxy-runner self-hosted CircleCI runner.
    • Bump giantswarm/architect orb to 8.1.0 and replace the hand-rolled inline push-to-registries-multiarch job (~75 lines of docker buildx wrapper) with architect/push-to-registries and multiarch: true. The orb job builds the multi-arch image from the per-arch binaries produced by go-build-{amd64,arm64} and reuses the Dockerfile’s COPY ./kubectl-gs-${TARGETARCH} step. Picks up the v8.1.0 QEMU/binfmt auto-registration, hardened buildx bootstrap, and standard OCI image labels for free.

    Fixed

    • login: enable PKCE (RFC 7636) on the direct OIDC flow used for workload clusters with Kubernetes structured authentication. Public OIDC clients registered without a client_secret (e.g. Okta SPA / Native apps) previously failed the token exchange with invalid_client because neither client authentication nor a PKCE code verifier was sent. The Dex-mediated management cluster flow is unaffected.
    • Drop linux/386 from the docker image’s --platform list. The base image gsoci.azurecr.io/giantswarm/alpine does not ship a linux/386 variant, so the legacy inline push-to-registries-multiarch job’s buildx invocation has been silently failing for that platform on every run – the bug was masked by the script’s ... | tee .docker.log pipe always returning 0, so the failed buildx output never affected the job’s exit code. The pushed multi-arch image therefore never actually contained a linux/386 variant. The standalone linux/386 kubectl-gs binary continues to be produced by go-build-386 and shipped through GitHub releases / krew.
  • Fleet Management kubectl-gs v5.5.0

    Added

    • login: support direct OIDC authentication for workload clusters (Kubernetes structured authentication). The appropriate workload-cluster authentication mode is now selected automatically based on the cluster’s configuration.
  • Fleet Management zot v2.7.0

    Changed

    • Update to upstream Helm Chart v0.1.112 and Zot v2.1.16.
  • Fleet Management kubectl-gs v5.4.0

    Added

    • Add global.release.version to template output for EKS

    Removed

    • Remove unused code (error variables, helper functions, types, and dead templates)
    • Stop templating the deprecated default-apps-eks App