Releases: gardener/gardenctl-v2

v2.14.0

19 May 19:44

[github.com/gardener/gardenctl-v2:v2.14.0]

✨ New Features

  • [USER] gardenctl target view now also displays the seed, if a shoot was targeted. by @dguendisch [#712]

📖 Documentation

  • [USER] Describe installation using winget instead of chocolatey by @mbs-c [#726]
  • [USER] Recommend the rc command for configuring the shell in README.md by @mbs-c [#727]

v2.13.0

15 Dec 17:46

[github.com/gardener/gardenctl-v2:v2.13.0]

✨ New Features

  • [USER] ssh: Bastion ingress addresses and hostnames are now validated to prevent invalid IP addresses and non-DNS-compliant hostnames. by @petersutter [#678]
  • [USER] Added sanity checks for user-provided and shoot node SSH keys by @petersutter [#674]
  • [USER] The gardenctl ssh command now accepts a --shell flag to specify the shell used for escaping arguments when printing SSH commands. If not provided, it falls back to the GCTL_SHELL environment variable or defaults to bash. To set GCTL_SHELL automatically, source the gardenctl startup script in your shell profile (e.g., add source <(gardenctl rc bash) to ~/.bashrc), or use the --shell flag to avoid escaping issues. by @petersutter [#690]
  • [USER] provider-env: Added workload identity support for provider environments on AWS, Azure, and GCP. Use the --workload-identity-token-expiration flag to control token validity duration (default: 1h). by @petersutter [#659]

v2.12.0

07 Nov 11:22

[github.com/gardener/gardenctl-v2:v2.12.0]

⚠️ Breaking Changes

  • [DEVELOPER] provider-env: region and credential field values are now written to temporary files. Their file paths are exposed under .dataFiles both in (custom) provider templates and when using gardenctl provider-env -o {json|yaml} (for example, .dataFiles.region points to the temporary file). This change is only relevant when using custom provider templates or when invoking gardenctl provider-env -o {json|yaml} in custom scripts. by @petersutter [#648]
  • [USER] Garden names and aliases must now follow naming rules: only alphanumeric characters, underscore, or hyphen are allowed, and names must start and end with an alphanumeric character. Existing configurations with invalid names will be rejected when loading the configuration. by @petersutter [#650]
  • [USER] provider-env command:
    • OpenStack: provider-env now requires configuring allowed authURL patterns; the command will fail for OpenStack if none are provided. See documentation: OpenStack: Allowed authURL patterns (required)
    • Templates: raw Secret data is no longer exposed at the top level in provider-env templates. Custom/out-of-tree templates that previously accessed raw keys must now read them from .unsafeSecretData (unvalidated — hence "unsafe"). This is currently required to keep out-of-tree provider support in gardenctl. Built-in templates must not use .unsafeSecretData. by @petersutter [#636]

✨ New Features

  • [USER] Introduces gardenctl config set-openstack-authurl command for setting one or more allowed OpenStack authURLs used in the provider-env command. Example usage: gardenctl config set-openstack-authurl --uri-pattern https://keystone.example.com:5000/v3 by @petersutter [#643]
  • [USER] provider-env command enhancements:
    • Enforce schema-driven validation for provider credentials
    • Avoid exporting credentials unless needed by @petersutter [#636]
  • [USER] Added additional GCP service account validation for provider-env command by @petersutter [#574]

🐛 Bug Fixes

  • [USER] Fixed an issue where the provider-env command failed when the targeted Shoot used a NamespacedCloudProfile by @petersutter [#639]

🏃 Others

  • [USER] Improved the OpenStack credential handling by @petersutter [#619]
  • [DEVELOPER] Migrate CI/CD pipeline to GitHub Actions by @ccwienk [#598]
  • [USER] gardenctl no longer falls back to the <shoot-name>.ca-cluster Secret for fetching the CA of the cluster. It only relies on the <shoot-name>.ca-cluster ConfigMap to be present. by @petersutter [#618]

v2.11.0

13 May 10:46

[gardener/gardenctl-v2]

✨ New Features

  • [USER] ssh to nodes that have IPv6 addresses is now supported. by @axel7born [#565]

🐛 Bug Fixes

  • [USER] Added validation to ensure credential type is properly set for GCP authentication, preventing potential connection failures due to incomplete configuration. by @petersutter [#567]

🏃 Others

v2.10.0

14 Jan 15:43

[gardener/gardenctl-v2]

⚠️ Breaking Changes

  • [USER] Access Restrictions: The gardens[].accessRestrictions[].notifyIf field in the gardenctl configuration (see gardenctl config view) is no longer supported and will be ignored. gardenctl now assumes notifyIf=true. This change does not affect the gardens[].accessRestrictions[].options[].notifyIf setting. by @petersutter [#503]
  • [USER] The session directory has been moved to a sessions subfolder, changing from <temp_dir>/garden/<session_id> to <temp_dir>/garden/sessions/<session_id>. The current session will be migrated on the next run of a gardenctl command. by @petersutter [#476]

✨ New Features

  • [USER] ssh: New flags have been introduced to provide finer control over strict host key checking behavior when using the gardenctl ssh command:
    • --bastion-strict-host-key-checking: Controls how the SSH client performs host key checking for the bastion host. Valid options are yes, no, or ask. The default value is ask.
    • --node-strict-host-key-checking: Controls how the SSH client performs host key checking for the Shoot cluster node. Valid options are yes, no, or ask. The default value is ask.
      Previously, the behavior was equivalent to setting these flags to no, meaning no host key verification was performed. by @petersutter [#470]
  • [USER] Access Restrictions:
    • Use the new fields in the Shoot API for the shoot access restriction configuration that were introduced with g/g#10654.
    • The legacy access-restriction key seed.gardener.cloud/eu-access will be mapped to eu-access-only if your gardenctl configuration has not been updated (see gardenctl config view). by @petersutter [#503]
  • [USER] ssh: Default paths for known_hosts files are set for bastions and shoot nodes. Bastion keys are stored in temporary directories, while shoot node keys persist in the garden home directory. by @petersutter [#476]
  • [DEVELOPER] gosec was introduced for Static Application Security Testing (SAST). by @petersutter [#470]

v2.9.0

23 Oct 13:37

[gardener/gardenctl-v2]

✨ New Features

  • [USER] Cloud provider credentials can now be extracted following a shoot reference to a credentials binding. by @dimityrmirchev [#464]
  • [USER] Support Namespaced Cloud Profiles by @petersutter [#462]

v2.8.0

22 Mar 09:19

[gardener/gardenctl-v2]

🏃 Others

  • [USER] The gardenlogin kubeconfig now only includes kube-apiserver addresses from Shoot.status.advertisedAddresses. This ensures compatibility with gardener/gardener version v1.91.0 and later. by @petersutter [#412]

v2.7.0

26 Feb 09:17

[gardener/gardenctl-v2]

✨ New Features

  • [USER] Users with the Project viewer role can now target shoot clusters and obtain the kubeconfig for these clusters. gardenctl-v2 fetches the cluster CA via ConfigMap to generate the gardenlogin kubeconfig. This feature is supported with Gardener v1.89 and requires gardenlogin v0.5 or higher. by @petersutter [#380]

v2.6.1

23 Jan 16:48

[gardener/gardenctl-v2]

🐛 Bug Fixes

  • [USER] Fixed: Windows build not being uploaded to GitHub release and to Chocolatey by @petersutter [#376]

v2.6.0

19 Jan 16:48

[gardener/gardenctl-v2]

✨ New Features

  • [OPERATOR] ssh: Now outputs pending Nodes in addition to already joined Nodes. by @petersutter [#368]
  • [OPERATOR] gardenctl ssh <tab> completes nodes that are unable to join the cluster. The list is based on the machine objects. by @tedteng [#347]
  • [USER] gardenctl-v2 is now also available for linux/arm64 by @petersutter [#358]

🏃 Others