kubectl-gs release v5.6.0
Changed
- login: when a workload cluster’s structured authentication exposes multiple OIDC issuers and neither --oidc-issuer nor --oidc-client-id is set, prompt the user to pick one from a numbered menu (interactive TTY only). Non-interactive invocations keep the previous error listing the available issuers, so scripted callers stay informative.
- Bump giantswarm/architect orb to 8.2.2 and re-enable cosign keyless chart signing (sign: false removed from every push-to-app-catalog* invocation). v8.2.2 ships architect-orb#772, which upgrades the app-build-suite executor image from 1.8.0-circleci to 1.8.1-circleci; the new image includes the cosign binary that v8.2.0’s chart signing defaults require. Closes architect-orb#769.
- Bump giantswarm/architect orb to 8.2.1 to pick up architect-orb#767: image-login-to-registries is now POSIX-portable, unblocking architect/sync-china-registry (the gsoci -> Aliyun mirror via the in-China giantswarm/galaxy-runner). The v8.1.0 refactor accidentally introduced bash-only ${!var} indirect expansion in the shared login command, which BusyBox /bin/sh (used by the regctl executor) rejected with "bad substitution", so no Aliyun mirroring had happened since the migration to split-china-push: true. v8.2.x also enables cosign keyless signing, SLSA provenance, and SBOM attestations by default for public images and charts.
- Enable split-china-push: true on the tag-build push-to-registries-multiarch job and add a companion sync-china-registry job. The cross-Pacific docker buildx push to the Aliyun mirror is replaced with a regctl image copy from gsoci to Aliyun, executed on the in-China giantswarm/galaxy-runner self-hosted CircleCI runner.
- Bump giantswarm/architect orb to 8.1.0 and replace the hand-rolled inline push-to-registries-multiarch job (~75 lines of docker buildx wrapper) with architect/push-to-registries and multiarch: true. The orb job builds the multi-arch image from the per-arch binaries produced by go-build-{amd64,arm64} and reuses the Dockerfile’s COPY ./kubectl-gs-${TARGETARCH} step. It also picks up the v8.1.0 QEMU/binfmt auto-registration, hardened buildx bootstrap, and standard OCI image labels for free.
Fixed
- login: enable PKCE (RFC 7636) on the direct OIDC flow used for workload clusters with Kubernetes structured authentication. Public OIDC clients registered without a client_secret (e.g. Okta SPA / Native apps) previously failed the token exchange with invalid_client because neither client authentication nor a PKCE code verifier was sent. The Dex-mediated management cluster flow is unaffected.
- Drop linux/386 from the docker image’s --platform list. The base image gsoci.azurecr.io/giantswarm/alpine does not ship a linux/386 variant, so the legacy inline push-to-registries-multiarch job’s buildx invocation had been silently failing for that platform on every run; the bug was masked by the script’s ... | tee .docker.log pipe always returning 0 (without pipefail, the pipeline’s exit status is tee’s, not buildx’s), so the failed buildx output never affected the job’s exit code. The pushed multi-arch image therefore never actually contained a linux/386 variant. The standalone linux/386 kubectl-gs binary continues to be produced by go-build-386 and shipped through GitHub releases / krew.
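As an added illustration of the PKCE fix under Fixed (example code written for these notes, not kubectl-gs’s own login implementation), the following shows what a public client now sends at each step of RFC 7636 and the matching server-side check. The client ID and redirect URI are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// NewCodeVerifier returns a code_verifier per RFC 7636 section 4.1: 32 random bytes, base64url-encoded without padding.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// S256Challenge derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeParams builds the authorization request: only the challenge travels here, never the verifier.
func AuthorizeParams(clientID, redirectURI, verifier string) url.Values {
	return url.Values{"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"code_challenge": {S256Challenge(verifier)}, "code_challenge_method": {"S256"}}
}

// TokenParams builds the token exchange for a public client: code_verifier replaces client_secret,
// which is what avoids the invalid_client rejection the fix above describes.
func TokenParams(clientID, redirectURI, code, verifier string) url.Values {
	return url.Values{"grant_type": {"authorization_code"}, "client_id": {clientID},
		"redirect_uri": {redirectURI}, "code": {code}, "code_verifier": {verifier}}
}

// ServerAccepts mirrors the server-side check: recompute the challenge from the presented verifier
// and compare it in constant time with the challenge stored when the code was issued.
func ServerAccepts(storedChallenge, presentedVerifier string) bool {
	return subtle.ConstantTimeCompare([]byte(storedChallenge), []byte(S256Challenge(presentedVerifier))) == 1
}

func main() {
	v, _ := NewCodeVerifier() // "example-client" and the redirect URI are constructed values, not kubectl-gs's
	fmt.Println(AuthorizeParams("example-client", "http://localhost:8080/callback", v).Encode())
	fmt.Println(TokenParams("example-client", "http://localhost:8080/callback", "<code>", v).Encode(), ServerAccepts(S256Challenge(v), v))
}
```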