v1.9.2

What's Changed

• chore(backport release-1.9): docs: add release notes, update deprecations page and roadmap by @akuitybot in #5691
• chore(backport release-1.9): fix(api): add SHARED_RESOURCES_NAMESPACE to configmap by @akuitybot in #5693
• chore(backport release-1.9): chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 in the go-patch group by @akuitybot in #5694

Full Changelog: v1.9.1...v1.9.2

v1.9.1

What's Changed

• chore(backport release-1.9): fix(api): force custom marshaling of warehouses in watch endpoint by @akuitybot in #5669
• chore(backport release-1.9): fix(ui): correct format of max-age directive by @akuitybot in #5670
• chore(backport release-1.9): fix: temporarily revert --filter on Git clone by @akuitybot in #5679
• chore(backport release-1.9): feat: do not allow registrations with empty names by @akuitybot in #5681

Full Changelog: v1.9.0...v1.9.1

v1.8.10

What's Changed

• chore(backport release-1.8): fix: temporarily revert --filter on Git clone by @hiddeco in #5678

Full Changelog: v1.8.9...v1.8.10

v1.9.0

🚀 Our most significant release since v1.0.0. Although feature-packed, this release focuses heavily on improving performance, stability, and overall user experience.

🚨 Breaking Changes

• The SemVerConstraint field, deprecated in v1.7, has been removed. Use the constraint field instead.

• CLI Upgrade Required: Due to unavoidable breaking changes in how Warehouse and Freight types are serialized as protocol buffers, users upgrading the Kargo back end to v1.9.0 must also upgrade their CLI.

⚠️ New Deprecations

• The Connect-based API is deprecated in favor of a new, RESTful API. The older API will be removed entirely in Kargo v1.12.0. The New REST API section below has further details.

• Image and Commit Tag Filtering: The allowTags and ignoreTags fields are deprecated in favor of allowTagsRegexes and ignoreTagsRegexes. Artifact discovery will fail if the deprecated fields are non-empty beginning in v1.11.0. These fields will be removed in v1.13.0.

💪 Big Changes

🕺🏻 The Secret Shuffle

Users have been confused by the proper use of "global credentials namespace(s)" and the "cluster secrets namespace." To resolve this, v1.9.0 institutes changes in terminology:

• Shared resources namespace (replaces "global credentials namespace(s)"): The place to store resources (like repository credentials) available to all Projects. "Shared" signals that anything here is accessible by all Projects.

• System resources namespace (replaces "cluster secrets namespace"): The place to store namespaced resources referenced by cluster-scoped configuration (ClusterConfig). "System" signals this is private property of the operator; not for sharing.

Refer to the documentation for further details.

Transitioning

In conjunction with the terminology change, the default namespaces for shared and system resources are changing accordingly to: kargo-shared-resources and kargo-system-resources. These are overridable at install/upgrade time, meaning it's possible to simply set them to their legacy values if you wish.

Kargo v1.9.0 automatically migrates Secrets from old to new locations (if they differ):

• Kargo Enterprise users: Unaffected.
• Multiple global credentials namespaces configured: Manual consolidation required before upgrade (automated migration cannot resolve name conflicts).
• Fresh installs: No action needed.
• "Clickops" users: No action needed.
• "GitOps" users: No immediate action required. Continue syncing to original locations; Kargo will sync to new locations. The migration tool will be removed in v1.11.0 -- update your manifests before then.

More specifics on the migration can be found in the docs.

🖥️ Better UI and CLI Support

The UI and CLI now have improved support for managing shared and system-level resources, including ConfigMaps.

💤 The New REST API

Breaking changes in Kubernetes v1.35 make it difficult to represent Kubernetes resource types, including our own CRDs, as protocol buffers, which Connect-based APIs require. Beginning with Kubernetes v1.36, it will be impossible. This currently prevents Kargo from upgrading its Kubernetes dependencies beyond v1.34.x.

To resolve this, v1.9.0 introduces a new RESTful API as an eventual replacement for the legacy, Connect-based API. The legacy API will continue to be served alongside its replacement through v1.11.x. It will be removed in v1.12.0, at which time Kargo can resume freely updating its Kubernetes dependencies.

The CLI already uses the new REST API. By transitioning now (when a CLI upgrade is already required), we avoid forcing another upgrade when the legacy API is removed. The new API is also significantly easier to integrate with using curl or clients generated from swagger.json.

The UI continues to use the legacy API at this time.

✨ Other Noteworthy Features

🔑 API Tokens

Provision API tokens (JWTs) via UI or CLI, associated with system-level or Project-level roles. Tokens are easily used with the kargo CLI and curl. Refer to the documentation for details.

📦 Warehouse Performance

Two new optimizations address the pain of slow container image discovery caused by registry rate limits:

• Opt-in metadata caching: Docker tags are mutable, which until now has prevented safely caching image metadata by tag. Now, individual Warehouse image repository subscriptions can opt-in to tag-based caching if not relying in any way on mutable tags. Operators can set system-level policy to forbid, allow, require, or force this caching. Refer to the documentation for details.

• Configurable rate limits: Kargo has historically enforced conservative client-side rate limits. Operators can now tune this, though caution is advised -- raising limits too high can degrade performance. This initial implementation is system-wide and tunable in the chart; per-registry control may come later.

🪝 The Generic Webhook Receiver

Not all artifact repositories support webhooks (notably ECR). The new generic webhook receiver is highly configurable, allowing users to describe how incoming requests should be parsed to trigger Warehouse refreshes. Refer to the documentation for details.

Smaller Improvements

• Azure Container Registry Workload Identity: Workload identity-based authentication to ACR, though not as robust as GAR/ECR support due to Azure complexities. (docs)

• Helm charts in GAR: Warehouses can now subscribe to Helm charts in Google Artifact Registry. (docs)

• Alternative Expression Delimiters: Use ${% %} instead of ${{ }} when expressions contain closing braces (e.g., JSON objects). (docs)

• Semantic Version Parsing: New semverParse() function breaks semver strings into components. (docs)

• Accessing Shared Resources: New sharedSecret() and sharedConfigMap() functions access resources from the shared namespace. sharedSecret() is limited to "generic credentials" to prevent exposure of repository credentials. (docs)

• Live Log Streaming for Verifications: View verification logs in near-real time while in progress. (docs)

🪜 New and Improved Promotion Steps

• git-clone: Now supports sparse checkouts and submodules. (docs)

• git-push: Can force push (use with caution). (docs)

• git-wait-for-pr: PR links now visible in the UI. (docs)

• yaml-merge: Merges multiple YAML files into one. (docs)

• yaml-parse / json-parse: Can now parse lists directly. (docs, docs)

• helm-template: New ignoreMissingValueFiles option; supports literal string values. (docs)

• kustomize-build: New output formatting option. (docs)

• http: More flexible response body parsing. (docs)

• argocd-update: Now able to identify App(s) to update or sync based on labels. (docs)

🙏 Special Thanks

Thank you to community members who made their first contributions in this release or a recent v1.8 patch release!

@chiukapoor
@jfgrea27
@filip-aipl
@kejne
@kwoodson
@prune998
@GooglyBlox
@lindhe
@Deepam02
@aryasoni98
@Demivan
@codyja
@aslafy-z
@csz-akuity
@vadasambar
@rklonner
@DavidS-ovm
@BWagener
@singhvibhanshu
@ksawerykarwacki
@likelymichael
@hairyhum

Full Changelog: v1.8.9...v1.9.0

v1.9.0-rc.2

chore(backport release-1.9): fix(controller): fix bug that wrongly ju…

v1.8.9

What's Changed

• fix(api): Ensure a cred-type is set when creating a secret via the API by @thomastaylor312 in #5639

Full Changelog: v1.8.7...v1.8.9

v1.9.0-rc.1

feat(api): use internal client for listing shared secrets (#5635)

Signed-off-by: Kent Rancourt <[email protected]>

v1.8.7

This is a bugfix release for Kargo to address GHSA-w5wv-wvrp-v5m5

v1.7.7

This is a bugfix release for Kargo

v1.6.3

This is a bugfix release for Kargo