v2.10.0

[gardener/gardenctl-v2]

⚠️ Breaking Changes

• [USER] Access Restrictions: The gardens[].accessRestrictions[].notifyIf field in the gardenctl configuration (see gardenctl config view) is no longer supported and will be ignored. gardenctl now assumes notifyIf=true. This change does not affect the gardens[].accessRestrictions[].options[].notifyIf setting. by @petersutter [#503]
• [USER] The session directory has been moved to a sessions subfolder, changing from <temp_dir>/garden/<session_id> to <temp_dir>/garden/sessions/<session_id>. The current session will be migrated on the next run of a gardenctl command. by @petersutter [#476]

✨ New Features

• [USER] ssh: New flags have been introduced to provide finer control over strict host key checking behavior when using the gardenctl ssh command:
  • --bastion-strict-host-key-checking: Controls how the SSH client performs host key checking for the bastion host. Valid options are yes, no, or ask. The default value is ask.
  • --node-strict-host-key-checking: Controls how the SSH client performs host key checking for the Shoot cluster node. Valid options are yes, no, or ask. The default value is ask.
    Previously, the behavior was equivalent to setting these flags to no, meaning no host key verification was performed. by @petersutter [#470]
• [USER] Access Restrictions:
  • Use new fields in Shoot API for the shoot access restriction configuration, that were introduced with g/g#10654.
  • The legacy access-restriction key seed.gardener.cloud/eu-access will be mapped to eu-access-only if your gardenctl configuration has not been updated (see gardenctl config view). by @petersutter [#503]
• [USER] ssh: Default paths for known_hosts files are set for bastions and shoot nodes. Bastion keys are stored in temporary directories, while shoot node keys persist in the garden home directory. by @petersutter [#476]
• [DEVELOPER] gosec was introduced for Static Application Security Testing (SAST). by @petersutter [#470]

v2.9.0

[gardener/gardenctl-v2]

✨ New Features

• [USER] Cloud provider credentials can now be extracted following a shoot reference to a credentials binding. by @dimityrmirchev [#464]
• [USER] Support Namespaced Cloud Profiles by @petersutter [#462]

v2.8.0

[gardener/gardenctl-v2]

🏃 Others

• [USER] The gardenlogin kubeconfig now only includes kube-apiserver addresses from Shoot.status.advertisedAddresses. This ensures compatibility with gardener/gardener version v1.91.0 and later. by @petersutter [#412]

v2.7.0

[gardener/gardenctl-v2]

✨ New Features

• [USER] Users with the Project viewer role can now target shoot clusters and obtain the kubeconfig for these clusters. gardenctl-v2 fetches the cluster CA via ConfigMap to generate the gardenlogin kubeconfig. This feature is supported with Gardener v1.89 and requires gardenlogin v0.5 or higher. by @petersutter [#380]

v2.6.1

[gardener/gardenctl-v2]

🐛 Bug Fixes

• [USER] Fixed: Windows build not being uploaded to GitHub release and to Chocolatey by @petersutter [#376]

v2.6.0

[gardener/gardenctl-v2]

✨ New Features

• [OPERATOR] ssh: Now outputs pending Nodes in addition to already joined Nodes. by @petersutter [#368]
• [OPERATOR] gardenctl ssh <tab> completes nodes that are unable to join the cluster. The list is based on the machine objects by @tedteng [#347]
• [USER] gardenctl-v2 is now also available for linux/arm64 by @petersutter [#358]

🏃 Others

• [OPERATOR] ssh now uses 3072 bit keys by @dimityrmirchev [#348]

v2.5.0

[gardener/gardenctl-v2]

✨ New Features

• [USER] ssh: Use --user flag to override the default ssh login username by @tedteng [#335]
• [USER] Improved text which describes how to manually connect using ssh by @petersutter [#316]

v2.4.0

[gardenctl-v2]

⚠️ Breaking Changes

• [USER] Removed wrongfully added --output flag for the following commands. Setting the flag did not have any effect previously but will now result in an error: (gardener/gardenctl-v2#305, @petersutter)
  • target
  • target garden
  • target project
  • target seed
  • target shoot
  • target control-plane

✨ New Features

• [USER] ssh: reuse bastion, e.g. gardenctl ssh --keep-bastion --bastion-name cli-xxxxxxxx --public-key-file /path/to/ssh/key.pub --private-key-file /path/to/ssh/key (gardener/gardenctl-v2#283, @petersutter)
  • --bastion-name flag was added. If a bastion with this name doesn't exist, it will be created. If it does exist, the provided public SSH key must match the one used during the bastion's creation
  • --private-key-file flag was added. It must be provided alongside the --public-key-file flag if you want to use a custom keypair. If not provided, gardenctl will either generate a temporary keypair or rely on the user's SSH agent for an available private key.
• [USER] ssh: Use the --bastion-host and --bastion-port flags to customize the bastion host and port for the SSH client command, respectively. These flags are useful when you need to specify an alternative host and port for SSH port forwarding scenarios. (gardener/gardenctl-v2#284, @petersutter)
  • --bastion-host: Specify a custom hostname or IP address for the bastion used in the SSH client command. If not provided, the address will be automatically determined.
  • --bastion-port: Set the SSH port of the bastion used for the SSH client command. By default, this value is set to port 22.
• [USER] ssh: Use the --bastion-user-known-hosts-file flag to specify a custom known hosts file for the SSH connection to the bastion host. This is useful when the bastion host IP is reused, which can lead to a failed remote host key verification if there is an existing entry for the same IP but from a previous (old) bastion. (gardener/gardenctl-v2#285, @petersutter)
• [USER] The target view command (alias gtv) now also considers the target flags (gardener/gardenctl-v2#289, @petersutter)
• [USER] provider-env: You can now control the output format using --output flag. The data that is typically passed to the templating engine for generating provider-env scripts is instead output in the specified format. Usage: gardenctl provider-env -oyaml (gardener/gardenctl-v2#298, @petersutter)
• [USER] Added resolve command in order to resolve garden, seed, project or shoot for the current target. This command is particularly useful when you need to understand which shoot the current target translates to, regardless of whether a seed or a shoot is targeted. (gardener/gardenctl-v2#306, @petersutter)
• [USER] ssh: Added flag --confirm-access-restriction. Using this flag bypasses the need for confirmation of any access restrictions. Set this flag only if you are fully aware of the access restrictions. (gardener/gardenctl-v2#309, @petersutter)

🐛 Bug Fixes

• [USER] Removed unnecessary newline for yaml output (gardener/gardenctl-v2#297, @petersutter)

🏃 Others

• [USER] ssh: the command that is printed to stdout is now shell-escaped (gardener/gardenctl-v2#279, @petersutter)
• [USER] provider-env: ⚠️ The --force is now deprecated. Use --confirm-access-restriction flag instead. The --force flag will eventually be removed in a future version. (gardener/gardenctl-v2#309, @petersutter)

v2.3.0

[gardenctl-v2]

⚠️ Breaking Changes

• [USER] Make sure to update gardenlogin to v0.4.0 or higher (gardener/gardenctl-v2#254, @petersutter)

✨ New Features

• [USER] ssh: You can now control the output format using --output flag (gardener/gardenctl-v2#258, @petersutter)
• [USER] The command gardenctl provider-env ... now also supports openstack infrastructure secrets with application credentials (gardener/gardenctl-v2#277, @holgerkoser)
• [USER] ssh: You can now skip the availability check for the bastion host using the flag --skip-availability-check. This is useful when you want to spin up a bastion host but gardenctl can't reach the bastion and thus would not be able to check for the availability. (gardener/gardenctl-v2#246, @petersutter)
• [USER] ssh: You can now disable the keepalive using --no-keepalive flag. The command exits after the bastion host became available without keeping the bastion alive or establishing an SSH connection. Note that this flag requires the flags --interactive=false and --keep-bastion to be set (gardener/gardenctl-v2#249, @petersutter)
• [DEVELOPER] Run make generate-sequential in order to run go generate for pkg and internal (gardener/gardenctl-v2#259, @petersutter)

🐛 Bug Fixes

• [USER] ssh: the command will now exit in case the Bastion resource was deleted (gardener/gardenctl-v2#257, @petersutter)
• [USER] ssh: A clear error message is now displayed when SSH access is disabled for the shoot workers (spec.provider.workersSettings.sshAccess.enabled). Previously, it failed with the error no SSH keypair is available for the shoot nodes, which did not indicate that SSH access was disabled. (gardener/gardenctl-v2#270, @tedteng)

🏃 Others

• [USER] Exec plugin config in kubeconfig is now using API version client.authentication.k8s.io/v1 when kubernetes version of Shoot is >= v1.20.0. For older versions it will fallback to client.authentication.k8s.io/v1beta1 (gardener/gardenctl-v2#254, @petersutter)
• [DEVELOPER] The golang version to build the binaries is upgraded to v1.20.3 (gardener/gardenctl-v2#282, @petersutter)

v2.2.1

[gardenctl-v2]

🐛 Bug Fixes

• [USER] Fixes an issue where the help command did not work anymore in case GCTL_SESSION_ID or TERM_SESSION_ID environment variable was not set (gardener/gardenctl-v2#220, @petersutter)