Skip to content

v1.0.0

Latest

Choose a tag to compare

@stubbi stubbi released this 18 Jun 10:36
df93527

First stable release

A complete Karpenter CloudProvider for Hetzner Cloud: full drift detection, observability, supply-chain attestations, and adoption docs. Karpenter launches the cheapest Hetzner server that fits pending pods and consolidates idle nodes.

Added

  • Image label selector: HCloudNodeClass.spec.imageSelector.selector filters Hetzner images by arbitrary labels, so you can pin the exact image (version plus baked extensions, e.g. a gVisor-Talos snapshot) instead of fuzzy description matching (#23).
  • Wrong-arch guard: provisioning is rejected when the resolved image architecture does not match the architecture the NodeClaim requires (#23).
  • Placement group creation and assignment: placementGroupStrategy: spread now actually creates and assigns a cluster-scoped Hetzner placement group (previously declared but a no-op) (#24).
  • Location drift detection: servers whose Hetzner location is no longer in the NodeClass locations are flagged as drifted (#24).
  • Label drift detection: servers whose labels no longer cover the NodeClass labels are flagged as drifted (#26).
  • Structured logging across provider operations via the controller-runtime contextual logger (#26).
  • seccompProfile: RuntimeDefault on the controller pod for PSS restricted compliance (#26).
  • Prometheus metrics (karpenter_hetzner_*: server create/delete results and duration, hcloud API calls, drift detections, instance-type cache hits/misses) plus a Helm ServiceMonitor (#29).
  • Warning Events from the nodeclass controller on every NotReady path, so kubectl describe hcloudnodeclass explains why a class is not Ready (#29).
  • Examples (talos-nodeclass, ubuntu-nodeclass, nodepool-multiarch) and Talos and Ubuntu bootstrap guides (#28).

Security

  • Cosign keyless signing of the release image using GitHub OIDC (no long-lived keys).
  • SLSA provenance attestation (mode=max) attached in-registry via BuildKit.
  • In-registry SBOM attestation (CycloneDX) attached via BuildKit.
  • Standalone SPDX SBOM uploaded as a workflow artifact via anchore/sbom-action.

Artifacts: multi-arch image ghcr.io/paperclipinc/karpenter-provider-hetzner:1.0.0 and OCI chart oci://ghcr.io/paperclipinc/charts/karpenter-provider-hetzner:1.0.0.