Overview
v1.1.0 is the first stable release of the v1.1.x series. It requires Cluster API v1.12, introduces a new optional image provisioning model for both HCloud and bare metal machines, adds upstream hcloud-ccm 2.0.6 support, and improves observability through new conditions and better error handling.
Key Changes / Features
HCloud image provisioning via command (optional)
The standard way to specify an HCloud machine image remains HCloudMachine.spec.imageName (a static image name or label), this continues to work exactly as before.
As an optional alternative, HCloudMachine.spec.imageURLCommand is now also supported: it specifies the basename of a command file below /shared on the controller pod, which the controller copies into the machine and executes to determine the image URL dynamically.
imageName and imageURLCommand are mutually exclusive i.e. you may set one or the other, but not both. (#1647, #1954, #1995)
Bare metal image provisioning via command
Similarly, HetznerBareMetalMachine.spec.installImage now has an imageURLCommand field. When set, the controller copies the named command into the rescue system and executes it to determine the image URL instead of using a static URL. (#1679, #1955)
noSSHAfterInstallImage field on HetznerBareMetalMachine
A new noSSHAfterInstallImage boolean field is added to HetznerBareMetalMachine.spec to control whether SSH access is allowed after installimage completes:
spec:
noSSHAfterInstallImage: true # disables SSH access after installimage runsCAPI v1.12 required (v1beta1 contract retained for CAPH CRDs)
Cluster API v1.12 is now required. The v1beta1 API contract is retained for CAPH's own CRDs (HCloudMachine, HetznerBareMetalHost, etc.), no schema changes are needed on those objects. However, CAPI core types (Cluster, Machine, KubeadmControlPlane, etc.) have moved to v1beta2. The cluster templates shipped in this release already reference v1beta2. (#1628, #1990, #1993)
Upstream hcloud-ccm 2.0.6 and new bare metal provider ID format
CAPH now integrates with the upstream hcloud-ccm 2.0.6. The upstream chart expects different secret names and key names than the legacy Syself CCM fork:
| Legacy Syself CCM | Upstream hcloud-ccm | |
|---|---|---|
| Secret name | hetzner
| hcloud
|
| HCloud token key | hcloud-token
| token
|
| Robot user key | hetzner-robot-user
| robot-user
|
| Robot password key | hetzner-robot-password
| robot-password
|
To ease migration from the Syself CCM to the upstream CCM, CAPH creates an additional secret or adds extra keys to an existing one in the workload cluster:
- If your management-cluster secret is not named
hcloud, CAPH creates a second workload-cluster secret namedhcloud(alongside the one matching your configured name), containing the HCloud token under the keytoken. - If your management-cluster secret is already named
hcloudbut your configured token key is nottoken, CAPH writes the token under both the configured key andtokeninside that same secret.
This ensures the upstream CCM can find the credentials without manual changes, but will likely result in token duplication, either across two secrets or under two keys within the same secret depending on your configuration. To avoid any duplication, set spec.hetznerSecretRef.name: hcloud and spec.hetznerSecretRef.key.hcloudToken: token. (#1915, #1920)
Alongside this, a new bare metal provider ID format is supported that matches the upstream CCM's expectations. The legacy Syself CCM format was:
hcloud://bm-<serverNumber> # e.g. hcloud://bm-12345
The new upstream format is:
hrobot://<serverNumber> # e.g. hrobot://12345
The new format is opt-in via an annotation on HetznerCluster, so existing clusters are unaffected until you explicitly switch:
metadata:
annotations:
capi.syself.com/use-hrobot-provider-id-for-baremetal: "true"Multiple subnets on HetznerCluster
If a subnet matching the configured CIDR already exists in Hetzner, CAPH now reuses it instead of erroring. Multiple existing subnets are handled gracefully. (#1633, #1868)
Namespace skip annotation
Annotate a namespace with caph.syself.com/skip-reconciliation=true to exclude it from all CAPH reconciliation. Useful for paused or staging environments. (#1902)
PortAfterCloudInit deprecated
HetznerBareMetalMachine.spec.sshSpec.portAfterCloudInit is deprecated and no longer has any effect.
Previously, CAPH would SSH into the freshly installed machine a second time on portAfterCloudInit to inject the CAPI bootstrap (cloud-init) data. CAPH now injects that data during the installimage phase itself via a post-install.sh script. This script is generated and uploaded by CAPH to the rescue system before installimage runs; installimage then executes it as a post-install hook. Users can append their own bash commands to this hook via InstallImage.postInstallScript in the spec. (#1670)
Dependency Updates
| Dependency | New version |
|---|---|
| Cluster API (CAPI) | v1.12.7 |
| hcloud-ccm | upstream 2.0.6 |
| InstallImage | v1.0.8 |
| Go | 1.25 |
New Contributors
- @goodlime made their first contribution in #1654
- @Deepam02 made their first contribution in #1688
- @s04 made their first contribution in #1700
- @FrankFoerster24 made their first contribution in #1793
- @fgrutsch made their first contribution in #1633
- @abdullah599 made their first contribution in #1906
- @skuethe made their first contribution in #1868
Full Changelog: v1.0.12...v1.1.0
No time to manage Kubernetes yourself?
Feel free to try our 🚀 Syself Autopilot
Open Source User?
Please give us a ⭐ at github.com/syself/cluster-api-provider-hetzner