v1.0.4

This release includes important dependency updates, security fixes, and several maintenance improvements.

What's Changed

• Bump uptest to v2 by @sergenyalcin in #301
• feat: update Helm to v3.18.5 to address multiple CVEs by @johngmyers in #303
• Replace xpkg.upbound.io with xpkg.crossplane.io in README and examples by @bobh66 in #304
• fix(owners): set correct mail-address by @haarchri in #305
• Bump dependencies by @sergenyalcin in #306
• Update codeowners by @sergenyalcin in #308
• [main]: Update go.mod dependencies [SECURITY] by @upbound-bot in #302
• [main]: Update go.mod dependencies [SECURITY] by @upbound-bot in #311

New Contributors

• @johngmyers made their first contribution in #303
• @upbound-bot made their first contribution in #302

Full Changelog: v1.0.2...v1.0.4

v1.0.2

This patch release adds the namespaced related fields to specify namespaces for releases.helm.m.crossplane.io. This change is to resolve the remote cluster scenarios. Details are in #297 #298

What's Changed

• Add a field to specify namespaces for releases.helm.m.crossplane.io by @tydanny in #298

New Contributors

• @tydanny made their first contribution in #298

Full Changelog: v1.0.0...v1.0.2

v1.0.0

Release v1.0.0

Caution

This release introduces breaking changes and significant internal upgrades. Please review the release notes thoroughly, make the necessary changes to your manifests, and test thoroughly before upgrading.

Before using any Crossplane v2 capabilities in the provider, we encourage you to familiarize yourself with the changes in v2.

This release introduces:

• Compatibility with Crossplane v2
• Support for Crossplane v2 namespace-scoped Managed Resources (MRs) alongside existing cluster-scoped MRs.
• Upgrade to crossplane-runtime v2.0.0.
• Upgrade to Upjet v2.0.0.
• Removal of External Secret Store support.

Please review the breaking changes carefully before upgrading.

Namespace-scope MR Support (Crossplane v2-only)

• New namespace-scoped MR APIs are available under the helm.m.crossplane.io API group.
• All new APIs are at version v1beta1.
• ProviderConfig
  • ProviderConfig.helm.m.crossplane.io is now namespace-scoped.
  • A new cluster-scoped ClusterProviderConfig.helm.m.crossplane.io resource was added; new MRs can reference either ProviderConfig or ClusterProviderConfig via spec.providerConfigRef.kind.
  • spec.providerConfigRef defaults to ClusterProviderConfig with name default when omitted.
• spec.writeConnectionSecretToRef and sensitive parameter refs (e.g., spec.forProvider.fooSecretRef) in namespace-scoped MRs are now local secret references (if no namespace is specified, it defaults to the MR's namespace).
• Cross-resource references are now namespace-scoped by default, however, cross-namespace references are allowed.
• This provider will serve both the new namespace-scoped and cluster-scoped APIs.

Note

Cluster-scoped MRs do NOT implement the above changes and continue operating as before.

Note

All namespace references in the spec of the namespaced Release MR were removed and now default to the MR’s own namespace.

Removed Features

• External Secret Store support has been removed from all MRs (spec.publishConnectionDetailsTo is no longer available) as the feature has been removed in Crossplane v2.

Note

The removed feature is the External Secret Store, which allowed storing connection details outside the cluster (e.g., in Vault). Connection secrets for managed resources remain available for storing connection details in Kubernetes Secrets.

Other Notable Changes

• SafeStart capability has been added (Crossplane v2-only): Controllers start once their CRD is installed.
• Repository structure changes:
  • apis, controllers, and examples now have scoped subdirectories: cluster and namespaced.
  • Resource configurations are also scoped; updates must be applied to both where relevant.
  • Examples for namespace-scoped MRs are included.

Note

This PR duplicates most of the controller logic and apis for namespaced MRs with several namespace-specific code modified. A refactoring of types and controllers should follow-up.

Backward Compatibility Notes

• This provider can be installed in Crossplane v1.x environments:
  • Both cluster-scoped and namespace-scoped CRDs will be installed; namespace-scoped CRDs cannot be composed in v1.x.
  • SafeStart will be disabled.
• When upgrading from v1.x providers, review all breaking resource API changes noted above. The package itself is Crossplane v1.x compatible, but there can be resources that have API changes that need adjustment in your control plane.

Upgrade Guide

1. Review all affected resources listed under Breaking API Changes.
2. Update manifests to reflect renamed/removed properties.
3. For Crossplane v2.x users:
   • Ensure secret and reference configurations align with the new namespace-scoped MR behavior.
   • Decide whether to use ProviderConfig or ClusterProviderConfig.
4. Remove any spec.publishConnectionDetailsTo usage.
5. Validate repository structure changes if maintaining custom resource configurations.

What's Changed

• Mark Releases as deterministic external name by @Kidswiss in #289
• add basic plumbing for provider startup checks by @jastang in #293
• feat: update Helm to v3.17.4 to address CVE-2025-53547 by @erost in #292
• crossplane v2: Namespace-scoped MRs by @sergenyalcin in #294
• Update go version to 1.24.6 [Security] by @turkenf in #295

New Contributors

• @Kidswiss made their first contribution in #289
• @erost made their first contribution in #292

Full Changelog: v0.21.0...v1.0.0

v0.21.0

What's Changed

• bump helm to 3.16.2 by @erhancagirici in #248
• Update go.mod dependencies [SECURITY] by @sergenyalcin in #260
• fix: remove omitempty in invalid json tag combination by @kkendzia in #262
• Update package address by @turkenf in #266
• Update go version to 1.23.6 [SECURITY] by @sergenyalcin in #272
• Integrate reusable workflow for provider package publishing by @turkenf in #275
• Update OWNERS.md by @jeanduplessis in #277
• Create CODEOWNERS by @jeanduplessis in #278
• Remove unused backport workflows by @turkenf in #279
• feat: support changelogs by @cychiang in #284
• Fix CVE issues by bumping up helm version by @cychiang in #286

New Contributors

• @kkendzia made their first contribution in #262
• @turkenf made their first contribution in #266
• @cychiang made their first contribution in #284

Full Changelog: v0.20.4...v0.21.0

v0.20.4

This release includes updates to the go.mod file to address security vulnerabilities.

What's Changed

• (release-0.20): Update go version to 1.23.6 [SECURITY] by @sergenyalcin in #271

Full Changelog: v0.20.3...v0.20.4

v0.19.4

This release includes updates to the go.mod file to address security vulnerabilities.

What's Changed

• (release-0.19): Update go version to 1.22.12 [SECURITY] by @sergenyalcin in #270

Full Changelog: v0.19.3...v0.19.4

v0.20.3

What's Changed

• [Backport release-0.20] fix: remove omitempty in invalid json tag combination by @github-actions in #264

Full Changelog: v0.20.2...v0.20.3

v0.19.3

What's Changed

• [Backport release-0.19] fix: remove omitempty in invalid json tag combination by @github-actions in #263

Full Changelog: v0.19.2...v0.19.3

v0.20.2

This release updates golang.org/x/net to v0.33.0 to fix CVE-2024-45338

What's Changed

• (release-0.20): Update go.mod dependencies [SECURITY] by @sergenyalcin in #259

Full Changelog: v0.20.1...v0.20.2

v0.20.1

This release includes updates to the go.mod file to address security vulnerabilities.

What's Changed

• (release-0.20): Update go.mod dependencies [SECURITY] by @sergenyalcin in #257

Full Changelog: v0.20.0...v0.20.1