diff --git a/CHANGELOG.md b/CHANGELOG.md index 252afd87a..0980866cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,86 @@ All notable changes to this project are documented in this file. +## 1.9.0 + +**Release date:** 2026-06-17 + +This minor release comes with new features for post-build variable substitution, +drift detection, SOPS decryption and Kustomize build metadata, along with various +bug fixes and dependency updates. + +### Kustomization + +Post-build substitutions are now stricter by default: the controller fails the +reconciliation when a variable without a default value is referenced in the +manifests but is missing from the input vars. This behavior is controlled by the +`StrictPostBuildSubstitutions` feature gate, which is now enabled by default and +can be opted out of. In addition, a new `.spec.postBuild.substituteStrategy: Always` +option was introduced to always perform substitutions even when no variables are +defined, which is useful when the substitution expressions all carry defaults +(e.g. `${var:=default}`). + +Drift detection can now be fine-tuned with ignore rules. The new `.spec.ignore` +field accepts a list of rules selecting JSON pointer paths (optionally scoped to +specific targets) to exclude from both drift detection and the apply process. + +A new `.spec.buildMetadata` field allows enabling Kustomize build metadata +annotations per Kustomization, supporting the `originAnnotations` and +`transformerAnnotations` options. + +The controller now keeps resources that failed to be pruned in the +`.status.inventory`, ensuring they remain tracked and can be retried on the next +reconciliation instead of becoming untracked orphans. + +#### SOPS decryption + +SOPS decryption now supports generic Kubernetes workload identity for the +OpenBao/Vault transit engine, allowing the controller to authenticate to OpenBao +by exchanging a Kubernetes ServiceAccount token for a short-lived OpenBao token +through a JWT-backed auth method, instead of using a static token. 
This is purely +additive and non-breaking: the existing `sops.vault-token` Secret and `VAULT_TOKEN` +environment variable paths are unchanged and take precedence. + +Age and SOPS have also been updated to support Age hybrid post-quantum encryption. + +### General updates + +In addition, the Kubernetes dependencies have been updated to v1.36, the controller +is now built with Go 1.26 and the source-controller API has been upgraded to v1.9.0. +The shared `DependencyReference` type was migrated to the `apis/meta` package, +preserving backward compatibility through a type alias. + +Fixes: +- Keep failed-to-prune resources in `.status.inventory` + [#1665](https://github.com/fluxcd/kustomize-controller/pull/1665) + +Improvements: +- Enable `StrictPostBuildSubstitutions` by default + [#1671](https://github.com/fluxcd/kustomize-controller/pull/1671) +- Introduce `substituteStrategy: Always` + [#1672](https://github.com/fluxcd/kustomize-controller/pull/1672) +- Add support for drift detection ignore rules + [#1627](https://github.com/fluxcd/kustomize-controller/pull/1627) +- Add `.spec.buildMetadata` optional field to Kustomization API + [#1632](https://github.com/fluxcd/kustomize-controller/pull/1632) +- Introduce generic Kubernetes workload identity for SOPS OpenBao/Vault + [#1659](https://github.com/fluxcd/kustomize-controller/pull/1659) +- Update Age and SOPS for Age post-quantum cypher + [#1601](https://github.com/fluxcd/kustomize-controller/pull/1601) +- Migrate `DependencyReference` to shared `apis/meta` type + [#1656](https://github.com/fluxcd/kustomize-controller/pull/1656) +- Update to Kubernetes 1.36 and Go 1.26 + [#1660](https://github.com/fluxcd/kustomize-controller/pull/1660) +- Upgrade source-controller API to v1.9.0 + [#1674](https://github.com/fluxcd/kustomize-controller/pull/1674) +- Various dependency updates + [#1661](https://github.com/fluxcd/kustomize-controller/pull/1661) + [#1662](https://github.com/fluxcd/kustomize-controller/pull/1662) + 
[#1666](https://github.com/fluxcd/kustomize-controller/pull/1666) + [#1667](https://github.com/fluxcd/kustomize-controller/pull/1667) + [#1668](https://github.com/fluxcd/kustomize-controller/pull/1668) + [#1669](https://github.com/fluxcd/kustomize-controller/pull/1669) + ## 1.8.5 **Release date:** 2026-05-12 diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 4ece535f2..4d65f3af0 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -5,4 +5,4 @@ resources: images: - name: fluxcd/kustomize-controller newName: fluxcd/kustomize-controller - newTag: v1.8.0 + newTag: v1.9.0 diff --git a/go.mod b/go.mod index 0a3aef018..14eabc2a4 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/cyphar/filepath-securejoin v0.6.1 github.com/dimchansky/utfbom v1.1.1 github.com/fluxcd/cli-utils v1.2.1 - github.com/fluxcd/kustomize-controller/api v1.8.0 + github.com/fluxcd/kustomize-controller/api v1.9.0 github.com/fluxcd/pkg/apis/acl v0.10.0 github.com/fluxcd/pkg/apis/event v0.27.0 github.com/fluxcd/pkg/apis/kustomize v1.19.0
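Review bot: In the CHANGELOG.md hunk, the Kustomization paragraph presents the `StrictPostBuildSubstitutions` default as a new feature, although it makes reconciliations fail that passed on 1.8.x (any manifest referencing a variable with no default and no input var), and it says the gate "can be opted out of" without saying how. Suggest marking this as an upgrade note and naming the exact setting that disables the gate. Two smaller points in the same hunk: the SOPS paragraph says the `sops.vault-token` Secret and `VAULT_TOKEN` "take precedence", so it should state plainly that a cluster moving to workload identity has to remove them or the controller keeps using the static token; and the #1601 item spells it "cypher" where the prose uses "encryption", so "cipher" would be consistent.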
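Review bot: In the config/manager/kustomization.yaml hunk, `newTag` moves from v1.8.0 straight to v1.9.0 while the changelog in this same patch lists 1.8.5 as the previous release, so this manifest was not following the 1.8.x patch releases; please confirm that is intended for this branch. The image is also pinned by tag only. If this file is what downstream installs consume, adding a `digest` to the `images` entry would make the reference immutable.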
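Review bot: In the go.mod hunk, the require on `github.com/fluxcd/kustomize-controller/api v1.9.0` refers to a module that lives in this same repository, and no go.sum update or replace directive is visible in the diff shown here. Please confirm the api module is tagged at v1.9.0 before this merges and that the matching go.sum change is part of the patch, otherwise the root module will not resolve that version.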