v1.31.1

Bug Fixes

• routes controller on node name drift (#1221)

v1.31.0

Features

• robot: allow Robot support without API credentials for IP-based LB targets (#1163)
• helm: allow customizing chart deployment strategy (#1190)
• support Kubernetes v1.36
• drop support for Kubernetes v1.32

Bug Fixes

• helm: remove permissions for persistentvolumes (#1203)
• route: error handling on locked networks (#1215)

v1.30.1

Datacenter Deprecation

The server.datacenter field is deprecated and will be removed from the API response after July 2026: https://docs.hetzner.cloud/changelog#2025-12-16-phasing-out-datacenters

To avoid a breaking change in HCCM, we decided to statically map from the old location names to the existing datacenter names for the topology.kubernetes.io/zone label. For new locations we will return the location name without a -dcxx suffix.

Deployments of hcloud-cloud-controller-manager that are not updated when the field is removed from the API will panic with the following error:

"Observed a panic" panic="runtime error: invalid memory address or nil pointer dereference" panicGoValue=""invalid memory address or nil pointer dereference""

We have published an RFC which details how we want to continue utilizing the labels topology.kubernetes.io/zone and topology.kubernetes.io/region: #1146 (comment)

Bug Fixes

• statically map deprecated datacenter names (#1159)

v1.30.0

Features

• support Kubernetes v1.35
• drop support for Kubernetes v1.31

Bug Fixes

• load-balancer: wait for action of managed certificate (#1144)

v1.29.2

Bug Fixes

• tcp service created for service with unsupported load balancer protocol (#1129)

v1.29.1

Bug Fixes

• respect proxy protocol default from config for load balancer status (#1131)

v1.29.0

Watch-Based Route Reconciliation

Previously, route reconciliation is performed at a fixed interval of 30s. This leads to unnecessary API requests, as a GET /v1/networks/{id} call is triggered every 30s, even when no changes have occurred.

Upstream, we have contributed an event-driven approach, similar to the mechanisms used by other controllers such as the Load Balancer controller. With this new approach, route reconciliation is triggered by node additions, node deletions, or changes to a node’s PodCIDRs or Addresses. Additionally, to ensure consistency, reconciliation still occurs periodically at a randomized interval between 12 and 24 hours.

Enabled by default

This feature is now enabled by default.

If you encounter any problems you can disable the feature by setting the following Helm value:

args.feature-gates=CloudControllerManagerWatchBasedRoutesReconciliation=false

Global Load Balancer Defaults

Configure cluster-wide defaults for Load Balancers via the extended HCLOUD_LOAD_BALANCERS_* env vars. These values automatically apply during Load Balancer creation and reconciliation whenever annotations are omitted. Learn more about it in the reference documentation

Features

• extend environment variables for default load balancer configuration (#1052)
• enable watch based route reconciliation by default (#1112)

v1.28.0

Updated ClusterRole for HCCM

We have introduced a custom ClusterRole for the HCCM component, based on the upstream recommendation from sig-cloud-provider.

To ensure a smooth transition, we renamed the ClusterRoleBinding by adding the :restricted suffix. This change was necessary because the roleRef field in a ClusterRoleBinding is immutable, which would otherwise cause errors during a Helm upgrade.

As a result, users who deploy HCCM using the provided Kubernetes manifests must manually delete the old ClusterRoleBinding after applying the updated manifests. Users deploying via the Helm chart do not need to take any action.

kubectl delete clusterrolebindings.rbac.authorization.k8s.io system:hcloud-cloud-controller-manager

Features

• helm: use custom ClusterRole
• configurable metrics address (#1055)

Bug Fixes

• add client-side timeouts to hcloud and robot clients (#1058)

v1.28.0-rc.1

Updated ClusterRole for HCCM

We have introduced a custom ClusterRole for the HCCM component, based on the upstream recommendation from sig-cloud-provider.

Due to this change, users who deploy HCCM using the provided Kubernetes manifests must manually remove the old ClusterRoleBinding after applying the updated manifests. Users deploying via the Helm chart do not need to perform any migration steps.

kubectl delete clusterrolebindings.rbac.authorization.k8s.io system:hcloud-cloud-controller-manager

v1.28.0-rc.0

Updated ClusterRole for HCCM

We have introduced a custom ClusterRole for the HCCM component, based on the upstream recommendation from sig-cloud-provider.

Because of this change, a simple helm upgrade may fail due to immutable fields in the existing ClusterRoleBinding. To ensure a successful upgrade, you must delete the existing ClusterRoleBinding before upgrading. This will make HCCM temporarily unavailable until the new version is deployed. Please avoid making any changes to the clusters, especially node- or service-related modifications, during this time.

kubectl delete clusterrolebindings.rbac.authorization.k8s.io system:hcloud-cloud-controller-manager

Features

• helm: use custom ClusterRole
• configurable metrics address (#1055)

Bug Fixes

• add client-side timeouts to hcloud and robot clients (#1058)