Features:
- UBI-based images now built and published with releases: GH-288
Improvements:
- Helm: `controller.imagePullSecrets` stanza is added to provide imagePullSecrets to the controller's containers via the serviceAccount: GH-266
Changes:
- Helm: Update default kube-rbac-proxy container image in helm chart from `v0.11.0` to `v0.14.1`: GH-267
Improvements:
- VaultPKISecrets (VPS): Include the CA chain (sans root) in 'tls.crt' when the destination secret type is "kubernetes.io/tls": GH-256
Changes:
- Helm: Breaking Change: Fix typos in values.yaml that incorrectly referenced `approle`, `roleid` and `secretName`, which should be `appRole`, `roleId` and `secretRef` respectively, under `defaultAuthMethod` and `controller.manager.clientCache.storageEncryption`: GH-257
Features:
- Helm: Support optionally deploying the Prometheus ServiceMonitor: GH-227
- Helm: Breaking Change: Adds support for additional Auth Methods in the Transit auth method template: GH-226
  To migrate, set Kubernetes specific auth method configuration under `controller.manager.clientCache.storageEncryption` using the new stanza `controller.manager.clientCache.storageEncryption.kubernetes`.
- VaultAuth: Adds support for the AWS authentication method, which can use an IRSA service account, static credentials in a Kubernetes secret, or the underlying node role/instance profile for authentication: GH-235
- Helm: Add AWS to defaultAuth and storageEncryption auth: GH-247
Improvements:
- Core: Extend vault Client validation checks to handle failed renewals: GH-171
- VaultDynamicSecrets: Add support for synchronizing static-creds: GH-239
- VDS: add support for drift detection for static-creds: GH-244
- Helm: Make defaultVaultConnection.headers a map: GH-249
Build:
- Update to go 1.20.5: GH-248
- CI: Testing VSO in Azure K8s Service (AKS): GH-218
- CI: Updating tests for VSO in EKS: GH-219
Changes:
- API: Breaking Change: Bump version from `v1alpha1` to `v1beta1`: GH-251
- VaultStaticSecrets (VSS): Breaking Change: Replace `Spec.Name` with `Spec.Path`: GH-240
- VaultPKISecrets (VPS): Breaking Change: Replace `Spec.Name` with `Spec.Role`: GH-233
- Helm chart: the Transit auth method kubernetes specific configuration in `controller.manager.clientCache.storageEncryption` has been moved to `controller.manager.clientCache.storageEncryption.kubernetes`.
Bugs:
- Helm: fix deployment templating so setting `controller.kubernetesClusterDomain` works as defined in values.yaml: GH-183
- Helm: Add `vaultConnectionRef` to `controller.manager.clientCache.storageEncryption` for transit auth method configuration and provide a default value which uses the `default` vaultConnection: GH-201
- VaultPKISecret (VPS): Ensure `Spec.AltNames` and `Spec.IPSans` are properly formatted for the Vault request: GH-130
- VaultPKISecret (VPS): Make `Spec.OtherSANS` a string slice (breaking change): GH-190
- VaultConnection (VC): Ensure `Spec.CACertSecretRef` is relative to the connection's Namespace: GH-195
Features:
- VaultDynamicSecrets (VDS): CRD is extended with `Revoke` field which will result in the dynamic secret lease being revoked on CR deletion. Note: The VaultAuthMethod referenced by the VDS Secret must have a policy which provides `["update"]` on `sys/leases/revoke`: GH-143 GH-209
- VaultAuth: Adds support for the JWT authentication method which either uses the JWT token from the provided secret reference, or a service account JWT token that VSO will generate using the provided service account: GH-131
- VaultDynamicSecrets (VDS): New `RenewalPercent` field to control when a lease is renewed: GH-170
- Helm: Support specifying extra annotations on the Operator's Deployment: GH-169
Improvements:
- VaultDynamicSecrets (VDS): Generate new credentials if lease renewal TTL is truncated: GH-170
- VaultDynamicSecrets (VDS): Replace `Spec.Role` with `Spec.Path` (breaking change): GH-172
- VaultPKISecrets (VPS): Make `commonName` optional: GH-160
- VaultDynamicSecrets (VDS): Add support for specifying extra request params, and HTTP request method override: GH-186
- VaultStaticSecrets (VSS): Ensure an out-of-band Secret deletion is properly remediated: GH-137
- Honour a Vault*Secret's Vault namespace: GH-157
- VaultStaticSecrets (VSS): Add `Spec.Version` field to support fetching a specific kv-v2 secret version: GH-200
Changes:
- API schema (VDS): `Spec.Role` renamed to `Spec.Path`, which can be set to any path supported by the Vault secret's engine.
- API schema (VPS): `Spec.OtherSANS` takes a slice of strings like `Spec.AltNames` and `Spec.IPSans`.
- Initial Beta Release