4.0.0

@github-actions released this 16 Jun 18:01
New Major

A new major version, as per the release schedule, to match up with the latest Kubernetes ハル release.
Lots of fixes and improvements. Thanks to everyone who contributed!

Kubernetes v1_36 support via k8s-openapi 0.28

Please upgrade k8s-openapi along with kube to avoid conflicts.

CEL Validation

A new optional crate, kube-cel, is re-exported through kube::core::cel via #1954.

Kubernetes CRDs support CEL validation rules via x-kubernetes-validations. These have been supported since 3.0 via KubeSchema, but the rules could only be evaluated server-side by the API server.

The new crate allows evaluating these rules locally using rules matching the upstream Kubernetes CEL libraries.

While kube-cel itself is low-level, a higher-level CEL validator integrates with CustomResource via #[kube(cel)] (from #2011) and can be used as follows:

#[derive(CustomResource, Serialize, Deserialize, Clone, KubeSchema)]
#[kube(group = "example.com", version = "v1", kind = "Foo", namespaced)]
#[kube(cel, validation = "self.spec.replicas >= 0")] // cel trigger + validation rule
struct FooSpec { replicas: i32 }

let foo = Foo::new("test", FooSpec { replicas: -1 });
foo.validate_cel()?;                     // new impl; checks creation rules
new_foo.validate_cel_update(&old_foo)?;  // new impl; checks transition rules

See examples/crd_derive_cel.rs for more details.

This is available under the kube/cel feature, courtesy of @doxxx93.

Config

A lot of improvements to config handling:

  • better error handling of malformed client certs in #1966
  • add missing Kubeconfig fields in #1965
  • Kubeconfig future key compatibility for new fields by adding catch-all other key via #1964
  • deserialization changed from serde-yaml to serde-saphyr to get rid of the long-deprecated dependency. #1975

Retry and Timeouts

Better timeout and retry handling to better deal with flaky network conditions, and busy or initializing apiservers.

  • the default global read timeout has been unset in favor of watcher-level timeouts in #1945 (see #1798 for context)
  • regular (non-watch) queries now respect the RetryPolicy, which is now enabled by default in #2007.

Client

  • properly handle rotating CA certs in-cluster via #1962
  • handle tls-server-name with openssl-tls via #1993
  • auth exec: accept yaml output from exec plugins via #2003
  • fix ws task leak and drop, and a deadlock on join() via #1978
  • change: client tracing is now opt-in due to issues. See #1972

Runtime

What's Changed

Added

  • feat: add typed kubeconfig fields for client-go parity by @alex-lapuka in #1965
  • Add CEL validation via kube-cel re-export by @doxxx93 in #1954
  • Add AdmissionRequest::to_cel_request() for VAP CEL bridging by @doxxx93 in #1991
  • runtime: implement Store::state_with and Store::state_filtered by @Alvov1 in #1998
  • runtime: add wait::conditions::is_created helper by @orangecms in #2000
  • refactor(runtime): rename Store::state_with/state_filtered per review feedback by @Alvov1 in #2002
  • deps: bump kube-cel to 0.6.1 (validation surface flattened) by @doxxx93 in #2005
  • Enable RetryPolicy::server_retry by default for Client by @Danil-Grigorev in #2007
  • feat(derive): client-side CEL validation via #[kube(cel)] / #[x_kube(cel)] by @doxxx93 in #2011

Changed

  • preserve unknown kubeconfig fields via serde(flatten) by @alex-lapuka in #1964
  • Remove global read_timeout default, add watcher-level idle timeout by @doxxx93 in #1945
  • Update tokio-tungstenite requirement from 0.28.0 to 0.29.0 by @dependabot[bot] in #1963
  • convert from serde-yaml to serde-saphyr by @clux in #1975
  • features: making client tracing opt-in by @mattklein123 in #1972
  • client: reload in-cluster CA bundle on rotation (rustls-tls) by @chrnorm in #1962
  • Api<PartialObjectMeta> should opportunistically degrade to metadata requests by @doxxx93 in #1952
  • Chore(deps): Update garde requirement from 0.22.0 to 0.23.0 by @dependabot[bot] in #1989
  • bump k8s-openapi to 0.28 by @clux in #2009
  • Box a large runtime error in ReconcilerErr by @clux in #1880

Fixed

  • fix: feature-flag CREATE_NO_WINDOW to not break stderr inheritance by @cristeigabriela in #1971
  • Remove silent error when client-key/client-certificate is malformed by @goenning in #1966
  • Fix AttachedProcess task leak on drop and join() deadlock by @SebTardif in #1978
  • support auth exec yaml output by @aviramha in #2003
  • fix(client): apply tls-server-name on the openssl-tls path by @dgunzy in #1993
  • Use the resource's own name for the schema title by @cehoffman in #1985

New Contributors

Full Changelog: 3.1.0...4.0.0