Changed
- Updated chart metadata
Changes and Releases
Updates on Giant Swarm workload cluster releases, apps, UI improvements and documentation changes.
Warning: Important Note for Upgrading to this Release
tl;dr: Please first upgrade your existing cluster to Giant Swarm Release v33.2.0 for VMware Cloud Director or newer before upgrading to this release! Otherwise, you risk service outage and severe issues.
Giant Swarm Release v34.0.0 for VMware Cloud Director comes with Kubernetes v1.34. This version contains etcd v3.6, which makes use of the so-called v3 store by default. Before, with etcd v3.5, the v2 store was used by default and synchronized to the already existing v3 store.
Different flaws could lead to an inconsistency between the old v2 store and the already present but unused standby v3 store in etcd v3.5 and before. Because of this, new etcd v3.6 members, which first start to use this v3 store, might suffer from these inconsistencies.
This can come into play when upgrading a cluster to this and future releases from any release older than Giant Swarm Release v33.2.0 for VMware Cloud Director. For this reason, we require you to first upgrade your cluster to Giant Swarm Release v33.2.0 for VMware Cloud Director or newer before upgrading to this or future releases.
OIDC Structured Authentication (optional)
This release introduces optional support for Kubernetes Structured Authentication Configuration for OIDC providers. We recommend testing this feature on a non-production cluster first.
Minimal example
global: controlPlane: oidc: structuredAuthentication: enabled: true issuers: - issuerUrl: https://your-idp.example.com clientId: kubernetesExample with customization
global: controlPlane: oidc: structuredAuthentication: enabled: true issuers: - issuerUrl: https://your-idp.example.com clientId: kubernetes usernameClaim: email # Optional: use 'email' instead of 'sub' groupsClaim: roles # Optional: use 'roles' instead of 'groups' usernamePrefix: "oidc:" # Optional: prefix usernames groupsPrefix: "oidc:" # Optional: prefix groupsMigration from legacy OIDC configuration
If you already use OIDC with the legacy configuration, add
structuredAuthentication.enabled: trueto migrate:global: controlPlane: oidc: issuerUrl: https://your-idp.example.com clientId: kubernetes structuredAuthentication: enabled: trueThis will automatically convert your legacy configuration to the new structured format.
Advanced options
Additional configuration options are available for more complex setups, including:
- Multiple audiences (
audiences,audienceMatchPolicy) - Custom discovery URL (
discoveryUrl) - Custom CA certificate (
caPem) - CEL expressions for claim and user validation (
claimValidationRules,userValidationRules) - Advanced claim mappings with CEL expressions (
claimMappings)
Refer to the Kubernetes Structured Authentication documentation for details.
Changes compared to v33.1.1
Components
- cluster-cloud-director from v2.4.0 to v3.1.2
- Flatcar from v4459.2.1 to v4459.2.2
- Kubernetes from v1.33.6 to v1.34.3
- os-tooling from v1.26.2 to v1.26.3
cluster-cloud-director v2.4.0…v3.1.2
Added
- Added
fix-dns-nic-allocation.shIgnition script to attach DNS servers to correct network interfaces. - Add the
priority-classesdefault app, enabled by default. This app provides standardisedPriorityClassresources likegiantswarm-criticalandgiantswarm-high, which should replace the previous inconsistent per-app priority classes. - Add
"helm.sh/resource-policy": keepannotation toVCDClusterCR so that it doesn’t get removed by Helm when uninstalling this chart. The CAPI controllers will take care of removing it, following the expected deletion order.
Changed
- Fix a race condition when populating
/run/metadata/coreos. - Fix race condition in
ntpdunit. - Chart: Update
clusterto v5.1.2. - Chart: Update
clusterto v5.1.1. - Chart: Update
clusterto v5.1.0. - Chart: Update
clusterto v5.0.0.
Apps
- cert-exporter from v2.9.14 to v2.9.15
- cilium from v1.3.2 to v1.3.4
- coredns from v1.28.3 to v1.29.1
- etcd-k8s-res-count-exporter from v1.10.11 to v1.10.12
- network-policies from v0.1.1 to v0.1.3
- node-exporter from v1.20.9 to v1.20.10
- observability-bundle from v2.3.2 to v2.5.0
- Added priority-classes v0.3.0
- security-bundle from v1.15.0 to v1.16.1
cert-exporter v2.9.14…v2.9.15
Changed
- Go: Update dependencies.
cilium v1.3.2…v1.3.4
Changed
coredns v1.28.3…v1.29.1
Changed
etcd-k8s-res-count-exporter v1.10.11…v1.10.12
Changed
- Go: Update dependencies.
network-policies v0.1.1…v0.1.3
Added
- Add support for Kamaji.
Fixed
- Fixed broken templating.
node-exporter v1.20.9…v1.20.10
Removed
- Repository: Remove integration tests.
observability-bundle v2.3.2…v2.5.0
Added
- Add KSM metrics
kube_servicemonitor_infoandkube_podmonitor_infofor ServiceMonitor and PodMonitor resources - Add KSM metrics
kube_podlog_infofor PodLog resource
Changed
- Upgrade
kube-prometheus-stack-appto 19.0.0 - Update alloy-app to 0.16.0
- Bumps alloy to 1.12.0
Fixed
- Fixed KSM metrics for endpoints
priority-classes v0.3.0
Changed
- Label now uses chart version instead of app version.
Removed
- Removed appVersion (only version is used now).
security-bundle v1.15.0…v1.16.1
Changed
- Add missing dependency to all apps.
- Allow to set multiple dependencies on the depends-on annotation.
- Rename
edgedbtogel. - Update
cloudnative-pg(app) to v0.0.12. - Update
gel(app) to v1.0.1.
- Multiple audiences (
Warning: Important Note for Upgrading to this Release
tl;dr: Please first upgrade your existing cluster to Giant Swarm Release v33.1.1 for vSphere or newer before upgrading to this release! Otherwise, you risk service outage and severe issues.
Giant Swarm Release v34.0.0 for vSphere comes with Kubernetes v1.34. This version contains etcd v3.6, which makes use of the so-called v3 store by default. Before, with etcd v3.5, the v2 store was used by default and synchronized to the already existing v3 store.
Different flaws could lead to an inconsistency between the old v2 store and the already present but unused standby v3 store in etcd v3.5 and before. Because of this, new etcd v3.6 members, which first start to use this v3 store, might suffer from these inconsistencies.
This can come into play when upgrading a cluster to this and future releases from any release older than Giant Swarm Release v33.1.1 for vSphere. For this reason, we require you to first upgrade your cluster to Giant Swarm Release v33.1.1 for vSphere or newer before upgrading to this or future releases.
OIDC Structured Authentication (optional)
This release introduces optional support for Kubernetes Structured Authentication Configuration for OIDC providers. We recommend testing this feature on a non-production cluster first.
Minimal example
global: controlPlane: oidc: structuredAuthentication: enabled: true issuers: - issuerUrl: https://your-idp.example.com clientId: kubernetesExample with customization
global: controlPlane: oidc: structuredAuthentication: enabled: true issuers: - issuerUrl: https://your-idp.example.com clientId: kubernetes usernameClaim: email # Optional: use 'email' instead of 'sub' groupsClaim: roles # Optional: use 'roles' instead of 'groups' usernamePrefix: "oidc:" # Optional: prefix usernames groupsPrefix: "oidc:" # Optional: prefix groupsMigration from legacy OIDC configuration
If you already use OIDC with the legacy configuration, add
structuredAuthentication.enabled: trueto migrate:global: controlPlane: oidc: issuerUrl: https://your-idp.example.com clientId: kubernetes structuredAuthentication: enabled: trueThis will automatically convert your legacy configuration to the new structured format.
Advanced options
Additional configuration options are available for more complex setups, including:
- Multiple audiences (
audiences,audienceMatchPolicy) - Custom discovery URL (
discoveryUrl) - Custom CA certificate (
caPem) - CEL expressions for claim and user validation (
claimValidationRules,userValidationRules) - Advanced claim mappings with CEL expressions (
claimMappings)
Refer to the Kubernetes Structured Authentication documentation for details.
Changes compared to v33.1.1
Components
- cluster-vsphere from v3.4.0 to v4.1.2
- Flatcar from v4459.2.1 to v4459.2.2
- Kubernetes from v1.33.6 to v1.34.3
- os-tooling from v1.26.2 to v1.26.3
cluster-vsphere v3.4.0…v4.1.2
Added
- Add the
priority-classesdefault app, enabled by default. This app provides standardisedPriorityClassresources likegiantswarm-criticalandgiantswarm-high, which should replace the previous inconsistent per-app priority classes. - Add
"helm.sh/resource-policy": keepannotation toVSphereClusterCR so that it doesn’t get removed by Helm when uninstalling this chart. The CAPI controllers will take care of removing it, following the expected deletion order. - Add
"helm.sh/resource-policy": keepannotation to the provider secret. This is to ensure that it isn’t removed by Helm, thus leading to a race condition when deleting the cluster as the vSphere cleaner needs it to clean up resources in vSphere.
Changed
- Chart: Update
clusterto v5.1.2. - Chart: Update
clusterto v5.1.1. - Chart: Update
clusterto v5.1.0. - Chart: Update
clusterto v5.0.0. - Chart: Update
clusterto v4.6.0. - Chart: Update
clusterto v4.5.1. - Chart: Update
clusterto v4.5.0.
Apps
- cert-exporter from v2.9.14 to v2.9.15
- cilium from v1.3.2 to v1.3.4
- cloud-provider-vsphere from v2.0.1 to v2.2.0
- coredns from v1.28.3 to v1.29.1
- etcd-k8s-res-count-exporter from v1.10.11 to v1.10.12
- network-policies from v0.1.1 to v0.1.3
- node-exporter from v1.20.9 to v1.20.10
- observability-bundle from v2.3.2 to v2.5.0
- Added priority-classes v0.3.0
- security-bundle from v1.15.0 to v1.16.1
- vsphere-csi-driver from v3.4.2 to v3.4.3
cert-exporter v2.9.14…v2.9.15
Changed
- Go: Update dependencies.
cilium v1.3.2…v1.3.4
Changed
cloud-provider-vsphere v2.0.1…v2.2.0
Added
- Add kamaji.enabled value. If set to true, a deployment instead of the dameonset will be used for CPI controller components.
Changed
- Update to upstream
1.34.0.
coredns v1.28.3…v1.29.1
Changed
etcd-k8s-res-count-exporter v1.10.11…v1.10.12
Changed
- Go: Update dependencies.
network-policies v0.1.1…v0.1.3
Added
- Add support for Kamaji.
Fixed
- Fixed broken templating.
node-exporter v1.20.9…v1.20.10
Removed
- Repository: Remove integration tests.
observability-bundle v2.3.2…v2.5.0
Added
- Add KSM metrics
kube_servicemonitor_infoandkube_podmonitor_infofor ServiceMonitor and PodMonitor resources - Add KSM metrics
kube_podlog_infofor PodLog resource
Changed
- Upgrade
kube-prometheus-stack-appto 19.0.0 - Update alloy-app to 0.16.0
- Bumps alloy to 1.12.0
Fixed
- Fixed KSM metrics for endpoints
priority-classes v0.3.0
Changed
- Label now uses chart version instead of app version.
Removed
- Removed appVersion (only version is used now).
security-bundle v1.15.0…v1.16.1
Changed
- Add missing dependency to all apps.
- Allow to set multiple dependencies on the depends-on annotation.
- Rename
edgedbtogel. - Update
cloudnative-pg(app) to v0.0.12. - Update
gel(app) to v1.0.1.
vsphere-csi-driver v3.4.2…v3.4.3
Changed
- Update upstream chart to
v3.3.1 - Make deployment
affinityandtolerationsconfigurable invalues.yaml.
- Multiple audiences (
Warning: Important Note for Upgrading to this Release
tl;dr: Please first upgrade your existing cluster to Giant Swarm Release v33.1.1 for Azure or newer before upgrading to this release! Otherwise, you risk service outage and severe issues.
Giant Swarm Release v34.0.0 for Azure comes with Kubernetes v1.34. This version contains etcd v3.6, which makes use of the so-called v3 store by default. Before, with etcd v3.5, the v2 store was used by default and synchronized to the already existing v3 store.
Different flaws could lead to an inconsistency between the old v2 store and the already present but unused standby v3 store in etcd v3.5 and before. Because of this, new etcd v3.6 members, which first start to use this v3 store, might suffer from these inconsistencies.
This can come into play when upgrading a cluster to this and future releases from any release older than Giant Swarm Release v33.1.1 for Azure. For this reason, we require you to first upgrade your cluster to Giant Swarm Release v33.1.1 for Azure or newer before upgrading to this or future releases.
OIDC Structured Authentication (optional)
This release introduces optional support for Kubernetes Structured Authentication Configuration for OIDC providers. We recommend testing this feature on a non-production cluster first.
Minimal example
global: controlPlane: oidc: structuredAuthentication: enabled: true issuers: - issuerUrl: https://your-idp.example.com clientId: kubernetesExample with customization
global: controlPlane: oidc: structuredAuthentication: enabled: true issuers: - issuerUrl: https://your-idp.example.com clientId: kubernetes usernameClaim: email # Optional: use 'email' instead of 'sub' groupsClaim: roles # Optional: use 'roles' instead of 'groups' usernamePrefix: "oidc:" # Optional: prefix usernames groupsPrefix: "oidc:" # Optional: prefix groupsMigration from legacy OIDC configuration
If you already use OIDC with the legacy configuration, add
structuredAuthentication.enabled: trueto migrate:global: controlPlane: oidc: issuerUrl: https://your-idp.example.com clientId: kubernetes structuredAuthentication: enabled: trueThis will automatically convert your legacy configuration to the new structured format.
Advanced options
Additional configuration options are available for more complex setups, including:
- Multiple audiences (
audiences,audienceMatchPolicy) - Custom discovery URL (
discoveryUrl) - Custom CA certificate (
caPem) - CEL expressions for claim and user validation (
claimValidationRules,userValidationRules) - Advanced claim mappings with CEL expressions (
claimMappings)
Refer to the Kubernetes Structured Authentication documentation for details.
Changes compared to v33.1.1
Components
- cluster-azure from v4.4.0 to v5.1.2
- Flatcar from v4459.2.1 to v4459.2.2
- Kubernetes from v1.33.6 to v1.34.3
- os-tooling from v1.26.2 to v1.26.3
cluster-azure v4.4.0…v5.1.2
Added
- Add the
priority-classesdefault app, enabled by default. This app provides standardisedPriorityClassresources likegiantswarm-criticalandgiantswarm-high, which should replace the previous inconsistent per-app priority classes. - Add
"helm.sh/resource-policy": keepannotation toAzureClusterCR so that it doesn’t get removed by Helm when uninstalling this chart. The CAPI controllers will take care of removing it, following the expected deletion order.
Changed
- Chart: Update
clusterto v5.1.2. - Chart: Update
clusterto v5.1.1. - Chart: Update
clusterto v5.1.0. - Chart: Update
clusterto v5.0.0.
Apps
- azure-cloud-controller-manager from v1.32.7-1 to v2.0.0
- azure-cloud-node-manager from v1.32.7 to v2.0.0
- azuredisk-csi-driver from v1.32.9 to v2.1.0
- azurefile-csi-driver from v1.32.5 to v2.0.0
- cert-exporter from v2.9.14 to v2.9.15
- cilium from v1.3.2 to v1.3.4
- coredns from v1.28.3 to v1.29.1
- etcd-k8s-res-count-exporter from v1.10.11 to v1.10.12
- external-dns from v3.2.0 to v3.4.0
- k8s-audit-metrics from v0.10.10 to v0.10.11
- network-policies from v0.1.1 to v0.1.3
- node-exporter from v1.20.9 to v1.20.10
- observability-bundle from v2.3.2 to v2.5.0
- Added priority-classes v0.3.0
- security-bundle from v1.15.0 to v1.16.1
azure-cloud-controller-manager v1.32.7-1…v2.0.0
Changed
- Chart: Update to upstream v1.34.3. (#132)
azure-cloud-node-manager v1.32.7…v2.0.0
Changed
- Chart: Update to upstream v1.34.3. (#118)
azuredisk-csi-driver v1.32.9…v2.1.0
Changed
azurefile-csi-driver v1.32.5…v2.0.0
Changed
- Chart: Update to upstream v1.34.2. (#71)
cert-exporter v2.9.14…v2.9.15
Changed
- Go: Update dependencies.
cilium v1.3.2…v1.3.4
Changed
coredns v1.28.3…v1.29.1
Changed
etcd-k8s-res-count-exporter v1.10.11…v1.10.12
Changed
- Go: Update dependencies.
external-dns v3.2.0…v3.4.0
Changed
- Sync to upstream helm chart 1.20.0.
- Add option to set annotationPrefix.
- Fixed the missing schema for .provider.webhook.serviceMonitor configs.
- Fixed incorrect indentation of selector labels under spec.template.spec.topologySpreadConstraints when topologySpreadConstraints is set.
- Use kubectl-apply-job when installing CRDs.
- Upgrade external-dns to v0.20.0.
- Update DNSEndpoints CRD.
- Sync to upstream helm chart
1.19.0.- Grant
discovery.k8s.io/endpointslicespermission only when usingservicesource. - Update RBAC for
Servicesource to supportEndpointSlices. - Allow extraArgs to also be a map enabling overrides of individual values.
- Set defaults for
automountServiceAccountTokenandserviceAccount.automountServiceAccountTokentotruein Helm chart values. - Correctly handle
txtPrefixandtxtSuffixarguments when both are provided. - Add ability to generate schema with
helm plugin schema. - Regenerate JSON schema with `helm-values-schema-json’ plugin.
- Added ability to configure
imagePullSecretsvia helmglobalvalue. - Added options to configure
labelFilterandmanagedRecordTypesvia dedicated helm values. - Allow templating
serviceaccount.annotationskeys and values, by rendering them using thetplbuilt-in function. - Added support for
extraContainersargument. - Added support for setting
excludeDomainsargument. - Added support for setting
dnsConfig. - Added support for webhook providers.
- Grant
- Restrict managed record types to A and CNAME.
k8s-audit-metrics v0.10.10…v0.10.11
Changed
- Go: Update dependencies.
network-policies v0.1.1…v0.1.3
Added
- Add support for Kamaji.
Fixed
- Fixed broken templating.
node-exporter v1.20.9…v1.20.10
Removed
- Repository: Remove integration tests.
observability-bundle v2.3.2…v2.5.0
Added
- Add KSM metrics
kube_servicemonitor_infoandkube_podmonitor_infofor ServiceMonitor and PodMonitor resources - Add KSM metrics
kube_podlog_infofor PodLog resource
Changed
- Upgrade
kube-prometheus-stack-appto 19.0.0 - Update alloy-app to 0.16.0
- Bumps alloy to 1.12.0
Fixed
- Fixed KSM metrics for endpoints
priority-classes v0.3.0
Changed
- Label now uses chart version instead of app version.
Removed
- Removed appVersion (only version is used now).
security-bundle v1.15.0…v1.16.1
Changed
- Add missing dependency to all apps.
- Allow to set multiple dependencies on the depends-on annotation.
- Rename
edgedbtogel. - Update
cloudnative-pg(app) to v0.0.12. - Update
gel(app) to v1.0.1.
- Multiple audiences (
What’s Changed
- Test: Add BDD scenarios for multi-server OAuth flow isolation (#269) by @teemow in https://github.com/giantswarm/muster/pull/295
Full Changelog: https://github.com/giantswarm/muster/compare/v0.0.177...v0.0.178
What’s Changed
- Feat: Redesign MCPServer CRD Status and Session State Separation (#292) by @teemow in https://github.com/giantswarm/muster/pull/291
Full Changelog: https://github.com/giantswarm/muster/compare/v0.0.176...v0.0.177
What’s Changed
- Fix: Suppress MCP notification debug output from CLI by @teemow in https://github.com/giantswarm/muster/pull/290
Full Changelog: https://github.com/giantswarm/muster/compare/v0.0.175...v0.0.176
What’s Changed
- Fix: Handle server-side token invalidation in CLI by @teemow in https://github.com/giantswarm/muster/pull/289
Full Changelog: https://github.com/giantswarm/muster/compare/v0.0.174...v0.0.175
What’s Changed
- Fix: serviceInfoAdapter implements StateUpdater for SSO state updates (closes #287) by @teemow in https://github.com/giantswarm/muster/pull/288
Full Changelog: https://github.com/giantswarm/muster/compare/v0.0.173...v0.0.174
What’s Changed
- Fix: Prevent CRD drift with single source of truth and CI enforcement by @teemow in https://github.com/giantswarm/muster/pull/285
Full Changelog: https://github.com/giantswarm/muster/compare/v0.0.172...v0.0.173