PaaS Release v1.0.3

Release 1.0.3 brings a number of improvements across various areas. The primary highlight is the Gardener upgrade to the upstream version 1.125.4. In addition, multiple components — including the OSC Dashboard, Cilium, the PostgreSQL database used for SSO, the ingress-nginx controller, and others — have been upgraded to newer versions. Among the most notable improvements are the introduction of custom CA support for the Keycloak truststore, a customer DNS feature, and an easier process for delegating infrastructure secrets.

Key features and improvements

  • Gardener Upgrade: Rebased and upgraded to upstream release 1.125.4.
  • Bug Fixes and Stability Improvements: Rebased upstream components including the ingress-nginx controller, Cilium, and Spilo to improve stability and address identified vulnerabilities. For detailed information, see the upgrade table below.
  • Migration to CredentialsBinding: The SecretBinding CR is deprecated and will be removed in upcoming Gardener releases. This release completes the migration to the new CredentialsBinding CR.
  • Custom identity provider CA for Keycloak truststore: Support for configuring customer CA certificates in the Keycloak truststore. OSC handles the processing and delegation of the certificate to the Keycloak truststore secret.
  • Customer DNS Management: Support for configuring custom DNS zones, including both public and private domains. For more information, see the DNS management documentation.
  • OSC Dashboard v2.4.0: Enhanced with significant improvements and new capabilities. For detailed information, see below.
  • NVIDIA GPU Support: Comprehensive GPU support across the platform. The CloudProfile has been extended to support GPU-enabled node flavors, and the gardener-extension-shoot-node-feature-discovery can deploy the NVIDIA GPU operator when the required conditions are met. For details, see the GPU support documentation and extension information. The NVIDIA GPU feature can only be used with GPU-enabled nodes, which must be ordered separately.

Breaking Changes

  • The Gardener Dashboard has been removed and is replaced by the OSC Dashboard.
  • SecretBinding has been replaced with CredentialsBinding as the secret reference for Shoot manifests. This migration is performed automatically during the upgrade. After the upgrade, use only CredentialsBinding in your Shoot manifests.
  • The legacy field spec.provider.workers[].controlPlane.backup.secretRef must be removed from Shoot manifests. If this field was manually configured, update it to spec.provider.workers[].controlPlane.backup.credentialsRef.

Required customer actions before upgrade

  • Upgrade all Kubernetes clusters to version 1.30 or higher and Garden Linux images to 1721.x.
  • Keycloak's password hashing algorithm has been updated to Argon2, a modern standard for stronger credential protection. We recommend all users reset their passwords to benefit from this security enhancement. Passwords reset after this release will automatically use the Argon2 standard. You can reset your password via the "Forgot password" option on the login page.
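
The following added example (not part of the release itself, and not OSC or Gardener code) checks Shoot manifests against the breaking changes and the minimum Kubernetes version listed above. It assumes JSON input shaped like `kubectl get shoots -o json`; the field names spec.secretBindingName and spec.kubernetes.version come from the Gardener Shoot API rather than from this page, the sample data is constructed, and the Garden Linux image version is not checked.

```python
import json

# Constructed sample, shaped like `kubectl get shoots -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "legacy"},
   "spec": {"secretBindingName": "infra-secret",
            "kubernetes": {"version": "1.29.8"},
            "provider": {"workers": [
              {"name": "cp",
               "controlPlane": {"backup": {"secretRef": {"name": "etcd-backup"}}}}]}}},
  {"metadata": {"name": "ready"},
   "spec": {"credentialsBindingName": "infra-creds",
            "kubernetes": {"version": "1.31.2"},
            "provider": {"workers": [{"name": "pool-a"}]}}}
]}
""")

MIN_K8S = (1, 30)  # minimum Kubernetes version stated in the release notes


def check_shoot(shoot):
    """Return a list of findings for one Shoot manifest (dict)."""
    spec = shoot.get("spec", {})
    findings = []
    if "secretBindingName" in spec:
        findings.append("spec.secretBindingName set: reference a CredentialsBinding instead")
    version = spec.get("kubernetes", {}).get("version", "")
    try:
        major_minor = tuple(int(p) for p in version.split(".")[:2])
    except ValueError:
        major_minor = ()
    if len(major_minor) < 2:
        findings.append(f"kubernetes version {version!r} is not parseable")
    elif major_minor < MIN_K8S:
        findings.append(f"kubernetes {version} is below 1.30")
    # Legacy backup reference, path as given in the breaking-changes list.
    for i, worker in enumerate(spec.get("provider", {}).get("workers", [])):
        backup = (worker.get("controlPlane") or {}).get("backup") or {}
        if "secretRef" in backup:
            findings.append(f"spec.provider.workers[{i}].controlPlane.backup.secretRef: "
                            "rename to credentialsRef")
    return findings


def check_all(doc):
    """Accept a List object or a single Shoot; map Shoot name -> findings."""
    items = doc.get("items", [doc])
    return {s["metadata"]["name"]: check_shoot(s) for s in items}


if __name__ == "__main__":
    for name, findings in check_all(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```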

OSC Dashboard v2.4.0

  • Improved UI/UX for announcement management and notification display.
  • Added selection bar for filtering types of image flavours.
  • Disabled kube-proxy by default when creating new Shoots, as Cilium is used for network management.
  • Added full DNS management UI for the customer-dns controller (dns.osc.t-systems.com/v1):
    • Zone CRUD with SOA configuration (defaults matching CRD: refresh=7200, retry=3600, expire=1209600, minimumTTL=3600),
    • DNS entry CRUD supporting A, AAAA, CNAME, TXT, MX, SRV record types,
    • DNS config viewing and editing dialog,
    • Customer DNS provider type in Shoot DNS configuration.

Upgrade table of upstream components

| Component | Current version PaaS | Previous version | CVE fixed |
|---|---|---|---|
| Gardener | 1.125.4 | 118.3 | |
| goLang | 1.25.4 | 1.24.x | CVE-2025-68119, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-58185, CVE-2025-47911 |
| cilium | 1.17.9 | 1.16.9 | |
| ingress-nginx | 1.13.7 | 1.12.2 | CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, CVE-2026-24514 |
| spilo | 17:4.0-p3 | 16:3.2-p2 | CVE-2025-30204 |
| nfd | v0.18.3-minimal | v0.17.2-minimal | |