Sourced from github.com/kcp-dev/kcp's releases.

v0.29.3

What's Changed

• [release-0.29] fix endless retry loop during external cache bootstrap by more than one kcp server replica by @​kcp-ci-bot in kcp-dev/kcp#3979
• [release-0.29] fix configured CA not being used when running an external kcp virtual-workspaces server by @​kcp-ci-bot in kcp-dev/kcp#3977

Full Changelog: kcp-dev/kcp@v0.29.2...v0.29.3

v0.29.2

What's Changed

• Inter-shard by @​ntnn in kcp-dev/kcp#3966

Full Changelog: kcp-dev/kcp@v0.29.1...v0.29.2

v0.29.1

What's Changed

• [release-0.29] Bump to go v1.24.13 by @​ntnn in kcp-dev/kcp#3868

Full Changelog: kcp-dev/kcp@v0.29.0...v0.29.1

v0.29.0

Changes by Kind

API Change

• Add per-workspace authentication feature (behind the disabled by default feature gate WorkspaceAuthentication), allowing to configure additional authenticators (JWT/OIDC at the moment) for workspace types in order to admit external users into logical clusters. (#3481, @​xrstf)
• Added path to cachedresource so that CachedResourceEndpointSlice can reference a CachedResource in another workspace (#3726, @​olamilekan000)
• Allow for custom cleanup logic of LogicalClusters through the terminating virtualworkspace (#3615, @​SimonTheLeg)
• Changes in APIExport API: resource schema storage virtual, added Virtual resources support (#3620, @​gman0)
• Implement the admission framework for virtual workspaces. The VirtualWorkspace interface has been extended with two new interfaces (admission.Mutator and admission.Validator). Virtual workspace builders who are not using the DynamicVirtualWorkspaces framework have to modify their implementations to implement these two interfaces. Virtual workspace builders who are using the DynamicVirtualWorkspaces framework do not have to do anything if they don't want to use admission in their virtual workspaces (#3494, @​xmudrii)
• Implement label selectors (matchLabels and matchExpressions) for PermissionClaims (#3494, @​xmudrii)
• Rebase to kubernetes v1.33.3. WatchList has been disabled upstream, following this Watchers will no longer receive the state of objects when starting a watch (#3511, @​ntnn)
• Stop printing Ready column for APIExports as virtual workspace URLs are no longer populated by default (#3493, @​embik)
• The kcp CLI has been moved from github.com/kcp-dev/kcp/cli to github.com/kcp-dev/cli. The source code is maintained in staging/src/github.com/kcp-dev/cli in the main kcp repo (i.e. cli is a staged repository). This does not effect the existing cli releases. The CLI users will be required to change the import paths in their Go code and go.mod upon upgrading the CLI. (#3697, @​xmudrii)
• The kcp SDK has been moved from github.com/kcp-dev/kcp/sdk to github.com/kcp-dev/sdk. The source code is maintained in staging/src/github.com/kcp-dev/sdk in the main kcp repo (i.e. sdk is a staged repository). This does not effect the existing sdk releases. The SDK users will be required to change the import paths in their Go code and go.mod upon upgrading the SDK. (#3694, @​xmudrii)
• Users from other workspaces can be authorized by granting permission to the system:cluster:<clusterid> group. Authorization webhooks now get a payload with the target cluster in the authorization.kcp.io/cluster-name extra. The authorization.kubernetes.io/cluster-name extra is deprecated and will be removed in a future release (#3530, @​ntnn)

Feature

• Add --preserve-resources to apigen tool to enable resource preservation. Without this it always overrides resources on generation. (#3646, @​mjudeikis)
• Add metrics for logical clusters count (#3496, @​cnvergence)
• Add new kcp_indexed_logicalclusters metric that contains the number of known logicalclusters per shard (metric has a shard label). (#3482, @​xrstf)
• Added --i and --interactive flags to the workspace command for exploring and managing workspaces interactively. (#3611, @​olamilekan000)
• Added --create-context flag to create-workspace command to automatically create a kubeconfig context for the new workspace. Use --create-context=<name> to create without switching, or combine with --enter to create and switch context in one step. (#3550, @​vishalanarase)
• Added workspace cluster id as part of information displayed when in interactive mode. (#3728, @​olamilekan000)
• Adds resource version and UID to object's annotation before persisting to the cache server (#3648, @​olamilekan000)
• Path mappings in the front-proxy are treated as standard Go ServerMux patterns and can make use of the {cluster} placeholder to provide a cluster context to the WorkspaceAuthentication for virtual workspaces (e.g. /services/myservice/clusters/{cluster}). (#3628, @​xrstf)
• The extra authentication.kubernetes.io/cluster-name in the user info of Service Accounts has been renamed to authentication.kcp.io/cluster-name (#3568, @​ntnn)

... (truncated)

• 42f2e02 fix configured CA not being used when running an external kcp virtual-workspa...
• 8515c18 fix endless retry loop during external cache bootstrap by more than one kcp s...
• db5b668 Merge pull request #3966 from ntnn/inter-shard-0.29
• 29d3ca8 Skip cache e2e tests due to upstream Histogram data race
• 0d089cb Ensure non-root shards don't start with their own cache server
• 1885d64 Enhance inter-shard authentication
• 7b87059 Merge pull request #3868 from ntnn/bump-go-0.29
• 2e06b66 Disable verify-codegen to skip updating licence headers
• 34cde3b Bump to go v1.24.13
• a6829d3 Merge pull request #3726 from olamilekan000/add-path-to-cachedresourcerefrenc...
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.