github akuity/kargo v1.9.0

7 hours ago

🚀 Our most significant release since v1.0.0. Although feature-packed, this release focuses heavily on improving performance, stability, and overall user experience.

🚨 Breaking Changes

  • The SemVerConstraint field, deprecated in v1.7, has been removed. Use the constraint field instead.

  • CLI Upgrade Required: Due to unavoidable breaking changes in how Warehouse and Freight types are serialized as protocol buffers, users upgrading the Kargo back end to v1.9.0 must also upgrade their CLI.

⚠️ New Deprecations

  • The Connect-based API is deprecated in favor of a new, RESTful API. The older API will be removed entirely in Kargo v1.12.0. The New REST API section below has further details.

  • Image and Commit Tag Filtering: The allowTags and ignoreTags fields are deprecated in favor of allowTagsRegexes and ignoreTagsRegexes. Artifact discovery will fail if the deprecated fields are non-empty beginning in v1.11.0. These fields will be removed in v1.13.0.

💪 Big Changes

🕺🏻 The Secret Shuffle

Users have been confused about the proper use of "global credentials namespace(s)" and the "cluster secrets namespace." To resolve this, v1.9.0 institutes changes in terminology:

  • Shared resources namespace (replaces "global credentials namespace(s)"): The place to store resources (like repository credentials) available to all Projects. "Shared" signals that anything here is accessible by all Projects.

  • System resources namespace (replaces "cluster secrets namespace"): The place to store namespaced resources referenced by cluster-scoped configuration (ClusterConfig). "System" signals this is private property of the operator; not for sharing.

Refer to the documentation for further details.

Transitioning

In conjunction with the terminology change, the default namespaces for shared and system resources are changing accordingly to: kargo-shared-resources and kargo-system-resources. These are overridable at install/upgrade time, meaning it's possible to simply set them to their legacy values if you wish.

Kargo v1.9.0 automatically migrates Secrets from old to new locations (if they differ):

  • Kargo Enterprise users: Unaffected.
  • Multiple global credentials namespaces configured: Manual consolidation required before upgrade (automated migration cannot resolve name conflicts).
  • Fresh installs: No action needed.
  • "Clickops" users: No action needed.
  • "GitOps" users: No immediate action required. Continue syncing to original locations; Kargo will sync to new locations. The migration tool will be removed in v1.11.0 -- update your manifests before then.

More specifics on the migration can be found in the docs.

🖥️ Better UI and CLI Support

The UI and CLI now have improved support for managing shared and system-level resources, including ConfigMaps.

💀 The New REST API

Breaking changes in Kubernetes v1.35 make it difficult to represent Kubernetes resource types, including our own CRDs, as protocol buffers, which Connect-based APIs require. Beginning with Kubernetes v1.36, it will be impossible. This currently prevents Kargo from upgrading its Kubernetes dependencies beyond v1.34.x.

To resolve this, v1.9.0 introduces a new RESTful API as an eventual replacement for the legacy, Connect-based API. The legacy API will continue to be served alongside its replacement through v1.11.x. It will be removed in v1.12.0, at which time Kargo can resume freely updating its Kubernetes dependencies.

The CLI already uses the new REST API. By transitioning now (when a CLI upgrade is already required), we avoid forcing another upgrade when the legacy API is removed. The new API is also significantly easier to integrate with using curl or clients generated from swagger.json.

The UI continues to use the legacy API at this time.

✨ Other Noteworthy Features

🔑 API Tokens

Provision API tokens (JWTs) via UI or CLI, associated with system-level or Project-level roles. Tokens are easily used with the kargo CLI and curl. Refer to the documentation for details.

📦 Warehouse Performance

Two new optimizations address the pain of slow container image discovery caused by registry rate limits:

  • Opt-in metadata caching: Docker tags are mutable, which until now has prevented safely caching image metadata by tag. Now, individual Warehouse image repository subscriptions can opt in to tag-based caching if they do not rely in any way on mutable tags. Operators can set system-level policy to forbid, allow, require, or force this caching. Refer to the documentation for details.

  • Configurable rate limits: Kargo has historically enforced conservative client-side rate limits. Operators can now tune this, though caution is advised -- raising limits too high can degrade performance. This initial implementation is system-wide and tunable in the chart; per-registry control may come later.

🪝 The Generic Webhook Receiver

Not all artifact repositories support webhooks (notably ECR). The new generic webhook receiver is highly configurable, allowing users to describe how incoming requests should be parsed to trigger Warehouse refreshes. Refer to the documentation for details.

Smaller Improvements

  • Azure Container Registry Workload Identity: Workload identity-based authentication to ACR, though not as robust as GAR/ECR support due to Azure complexities. (docs)

  • Helm charts in GAR: Warehouses can now subscribe to Helm charts in Google Artifact Registry. (docs)

  • Alternative Expression Delimiters: Use ${% %} instead of ${{ }} when expressions contain closing braces (e.g., JSON objects). (docs)

  • Semantic Version Parsing: New semverParse() function breaks semver strings into components. (docs)

  • Accessing Shared Resources: New sharedSecret() and sharedConfigMap() functions access resources from the shared namespace. sharedSecret() is limited to "generic credentials" to prevent exposure of repository credentials. (docs)

  • Live Log Streaming for Verifications: View verification logs in near-real time while in progress. (docs)

🪜 New and Improved Promotion Steps

  • git-clone: Now supports sparse checkouts and submodules. (docs)

  • git-push: Can force push (use with caution). (docs)

  • git-wait-for-pr: PR links now visible in the UI. (docs)

  • yaml-merge: Merges multiple YAML files into one. (docs)

  • yaml-parse / json-parse: Can now parse lists directly. (docs, docs)

  • helm-template: New ignoreMissingValueFiles option; supports literal string values. (docs)

  • kustomize-build: New output formatting option. (docs)

  • http: More flexible response body parsing. (docs)

  • argocd-update: Now able to identify App(s) to update or sync based on labels. (docs)

🙏 Special Thanks

Thank you to community members who made their first contributions in this release or a recent v1.8 patch release!

@chiukapoor
@jfgrea27
@filip-aipl
@kejne
@kwoodson
@prune998
@GooglyBlox
@lindhe
@Deepam02
@aryasoni98
@Demivan
@codyja
@aslafy-z
@csz-akuity
@vadasambar
@rklonner
@DavidS-ovm
@BWagener
@singhvibhanshu
@ksawerykarwacki
@likelymichael
@hairyhum

Full Changelog: v1.8.9...v1.9.0
