v1.3.0

1.3.0 (February 19th, 2026)

Enhancements:

• Add Ready condition: (#1204)
• Support CA cert from disk: (#1203)
• Add additional printer column fields: (#1202)
• Allow custom cache key func: (#1199)
• Internal integration work: (#1186)
• Get AppRole secret ID from file on disk: (#1153)

Fix:

• VDS: ensure periodic static-role rotations are honored: (#1220)
• fix: nullEventLogger panics on calls to Eventf(): (#1214)

Build:

• Add 1.2.0 chart upgrade test: (#1205)

Dependency Updates:

• Bump golang.org/x/crypto from 0.46.0 to 0.47.0 in the gomod-backward-compatible group: (#1201)
• Bump google.golang.org/api from 0.264.0 to 0.265.0 in the gomod-backward-compatible group: (#1213)
• Bump the gomod-backward-compatible group across 1 directory with 3 updates: (#1210)
• Bump the gomod-backward-compatible group with 2 updates: (#1206)
• Bump the gomod-backward-compatible group across 1 directory with 6 updates: (#1216)

v1.2.0

1.2.0 (January 12th, 2026)

Fix:

• Helm: properly set the PodSecurityContext: (#1183)
• VDS: only trigger rollout restarts on static cred changes.: (#1191)
• VDS: invalid secret HMAC validation on static creds: (#1194)
• HMAC: only support non-nil data: (#1200)

Enhancements:

• Helm: bump CSI driver version to 1.0.1: (#1184)

Build:

• Suppress CVE-2025-6020 on the container only: (#1190)
• CI: test against k8s 1.35 + update changelog: (#1197)

Dependency Updates:

• Bump the gomod-backward-compatible group across 1 directory with 5 updates: (#1188)
• Bump google.golang.org/api from 0.258.0 to 0.259.0 in the gomod-backward-compatible group: (#1192)
• Bump github.com/onsi/gomega from 1.38.3 to 1.39.0 in the gomod-backward-compatible group: (#1196)

v1.1.0

1.1.0 (December 12th, 2025)

Enhancements:

• Add support for linux/s390x and linux/arm64 (Red Hat): (#1152)

Fixes:

• Topology spread constraints bugfix: (#1148)
• Update docs branch version: (#1140)

Build:

• ci: updating vault-helm to v0.31.0 and latest Vault versions: (#1125)

Dependency Updates:

• Bump the gomod-backward-compatible group across 1 directory with 4 updates: (#1172)
• Bump the gomod-backward-compatible group with 4 updates: (#1178)
• Bump github.com/gruntwork-io/terratest from 0.53.0 to 0.54.0 in the gomod-backward-compatible group: (#1162)
• Bump the gomod-backward-compatible group across 1 directory with 6 updates: (#1147)
• Bump golang.org/x/crypto from 0.43.0 to 0.45.0: (#1154)
• Bump the gomod-backward-compatible group with 7 updates: (#1157)
• Bump google.golang.org/api from 0.250.0 to 0.251.0 in the gomod-backward-compatible group: (#1133)
• Bump the gomod-backward-compatible group with 5 updates: (#1128)
• Bump Go version to 1.25.4: (#1151)
• Bump ubi10/ubi-micro from 10.0 to 10.1: (#1150)
• Bump ubi10/ubi-minimal from 10.0 to 10.1: (#1149)

v1.0.1

1.0.1 (September 26th, 2025)

Fix:

• VSS: rollout restarts were being executed erroneously GH-1126

v1.0.0

1.0.0 (September 24th, 2025)

Features:

• Add support for the VSO CSI Driver (Vault Enterprise only): GH-1098

Enhancements:

• Helm: update values comment: GH-1046
• Helm: Support setting priorityClassName, topologySpreadConstraints and podDisruptionBudget: GH-1050
• API: Include conditions on supported types: GH-1058
• API: Clarify VaultAuth allowedNamespaces docs: GH-1113

Fix:

• No longer store non-renewable Vault clients: GH-1066

Build:

• CI: Add scale tests: GH-916
• CI: update k8s and vault versions: GH-1033
• SEC-090: Automated trusted workflow pinning (2025-03-24): GH-1038
• CI: Add v0.9.1 and v0.10.0 to chart upgrade tests: GH-1039
• SEC-090: Automated trusted workflow pinning (2025-03-31): GH-1042
• CI: disable HVS integration tests.: GH-1090
• CI: Update k8s and vault versions: GH-1105
• [Compliance] - PR Template Changes Required: GH-1086
• CI: Give the VDS reconciliation check a bit more time.: GH-1114
• CI: Standardize security-scanner config and update Go version: GH-1080
• Add CSI containers to check-versions script: GH-1116

Dependency Updates:

• Bump golang.org/x/net from 0.35.0 to 0.36.0: GH-1031
• Bump the gomod-backward-compatible group across 1 directory with 10 updates: GH-1037
• Bump the gomod-backward-compatible group across 1 directory with 4 updates: GH-1048
• Bump golang.org/x/net from 0.37.0 to 0.38.0: GH-1052
• Bump the gomod-backward-compatible group across 1 directory with 9 updates: GH-1065
• Bump ubi9/ubi-micro from 9.5 to 9.6: GH-1067
• Bump ubi9/ubi-minimal from 9.5 to 9.6: GH-1068
• Bump the gomod-backward-compatible group across 1 directory with 11 updates: GH-1083
• Bump the gomod-backward-compatible group across 1 directory with 8 updates: GH-1089
• Bump the gomod-backward-compatible group across 1 directory with 8 updates: GH-1095
• Bump github.com/ulikunitz/xz from 0.5.10 to 0.5.14: GH-1102
• Bump go version to 1.24.7: GH-1108
• Bump the gomod-backward-compatible group across 1 directory with 9 updates: GH-1110
• Upgrade to ubi10: GH-1111
• Bump the gomod-backward-compatible group with 7 updates: GH-1112
• Bump cloud.google.com/go/compute/metadata from 0.8.0 to 0.8.4: GH-1117
• Bump argorollouts to v1.8.3: GH-1119

v0.10.0

0.10.0 (March 4th, 2025)

Enhancements:

• Add Kubernetes Client QPS and Burst Configuration: GH-1013

Fix:

• Add new Client for caching VSO owned Secrets: GH-1010
• VPS: support day duration notation for TTL: GH-990

Build:

• Build with Go 1.23.6: GH-1024
• SEC-090: Automated trusted workflow pinning (2024-12-23): GH-993
• SEC-090: Automated trusted workflow pinning (2024-12-30): GH-995
• SEC-090: Automated trusted workflow pinning (2025-01-07): GH-997
• SEC-090: Automated trusted workflow pinning (2025-01-20): GH-1005
• SEC-090: Automated trusted workflow pinning (2025-02-03): GH-1009
• SEC-090: Automated trusted workflow pinning (2025-02-10): GH-1012
• SEC-090: Automated trusted workflow pinning (2025-02-17): GH-1015

Dependency Updates:

• Bump github.com/go-jose/go-jose/v4 from 4.0.1 to 4.0.5: GH-1020
• Bump the gomod-backward-compatible group across 1 directory with 3 updates: GH-994
• Bump the gomod-backward-compatible group across 1 directory with 8 updates: GH-1014
• Bump the gomod-backward-compatible group across 1 directory with 9 updates: GH-988
• Bump the gomod-backward-compatible group with 2 updates: GH-1007
• Bump the gomod-backward-compatible group with 3 updates: GH-1001
• Bump the gomod-backward-compatible group with 3 updates: GH-1018
• Bump the gomod-backward-compatible group with 6 updates: GH-989
• Bump the gomod-backward-compatible group with 7 updates: GH-1004
• Bump golang.org/x/crypto from v0.34.0 to v0.35.0 GH-1024

v0.9.1

0.9.1 (December 11th, 2024)

Fix:

• Memory: Prevent OOM due to large K8s Secrets cache: GH-982 GH-984

Improvements:

• add events for HVS client failures: GH-960
• Memory: Use the mutex pool provided by K8s keymutex: GH-975

Build:

• SEC-090: Automated trusted workflow pinning (2024-10-28): GH-957
• Bump K8s version: GH-968

Dependency Updates:

• Bump the gomod-backward-compatible group with 2 updates: GH-950
• Bump the gomod-backward-compatible group across 1 directory with 9 updates: GH-958
• Bump ubi9/ubi-micro from 9.4-15 to 9.5: GH-970
• Bump ubi9/ubi-minimal from 9.4-1227.1726694542 to 9.5: GH-971
• Bump golang.org/x/crypto from 0.28.0 to 0.31.0: GH-987

v0.9.0

0.9.0 (October 8th, 2024)

Features:

• Add support for syncing HVS rotating secrets: GH-893 GH-889
• Add support for syncing HVS dynamic secrets: GH-917 GH-939 GH-934 GH-941

Fix:

• VC: update spec.timeout to be a string: GH-906

Improvements:

• VSS(instant-updates): more stable event watcher: GH-898
• Bump kube-rbac-proxy to 0.18.1: GH-909

Build:

• Upgrade controller-gen to 0.16.3: GH-944
• SEC-090: Automated trusted workflow pinning (2024-08-13): GH-888
• SEC-090: Automated trusted workflow pinning (2024-08-19): GH-897
• SEC-090: Automated trusted workflow pinning (2024-09-30): GH-937
• Use dependabot groups for Go deps: GH-924
• Conform to IPS-002: GH-947

Dependency Updates:

• Bump the gomod-backward-compatible group across 1 directory with 14 updates: GH-943
• Bump golang.org/x/crypto from 0.27.0 to 0.28.0 in the gomod-backward-compatible group: GH-945
• Bump ubi9/ubi-micro from 9.4-13 to 9.4-15: GH-904
• Bump ubi9/ubi-minimal from 9.4-1227.1725849298 to 9.4-1227.1726694542: GH-930

v0.8.1

0.8.1 (July 29th, 2024)

Improvements:

• Log build info on startup: GH-872
• API: Support setting the Vault request timeout on a VaultConnection: GH-862

Fix:

• Fix: encryption client deadlocking the factory: GH-868
• Helm(hooks): honor imagePullPolicy and imagePullSecrets: GH-873

Build:

• SEC-090: Automated trusted workflow pinning (2024-07-22): GH-866
• SEC-090: Automated trusted workflow pinning (2024-07-17): GH-859

Dependency Updates:

• Bump github.com/onsi/gomega from 1.33.1 to 1.34.0: GH-874
• Bump google.golang.org/api from 0.188.0 to 0.189.0: GH-875
• Bump k8s.io/apiextensions-apiserver from 0.30.2 to 0.30.3: GH-864
• Bump k8s.io/client-go from 0.30.2 to 0.30.3: GH-865
• Bump ubi9/ubi-micro from 9.4-9 to 9.4-13: GH-870
• Bump ubi9/ubi-minimal from 9.4-1134 to 9.4-1194: GH-869

v0.8.0

0.8.0 (July 22nd, 2024)

Important

• Helm: CRD schema changes are now automatically applied at upgrade time.

  See updating-crds for more details.

• This release contains CRD schema changes which remove the field validation on most VaultAuth spec fields. That means invalid VaultAuth
  configurations will no longer be handled at resource application time. Please review the VSO logs and K8s
  events when troubleshooting Vault authentication issues.

Features:

• Helm: add support for auto upgrading CRDs: GH-789
• VaultStaticSecret: support instant event-driven updates: GH-771
• Add new VaultAuthGlobal type for shared VaultAuth configurations: GH-735 GH-800 GH-847 GH-855 GH-850
• CachingClientFactory: support client taints to trigger Vault client token validation: GH-717 GH-769

Improvements:

• VPS: add ca.crt from issuing CA for tls secret type: GH-848
• Helm: support setting VaultAuthGlobalRef on VaultAuth: GH-851
• Migrate to k8s.io/utils/ptr: GH-856
• Core: update backoff option docs: GH-801

Fix:

• VaultAuth: set valid status on VaultAuthGlobal deref error: GH-854
• VDS: properly handle the clone cache key variant during client callback execution: GH-835
• Core: delete resource status metrics upon object deletion: GH-815
• VSS: use a constant backoff on some reconciliation errors: GH-811
• VDS: work around Vault DB static creds TTL rollover bug: GH-730

Build:

• CI: bump Vault versions: GH-797

Dependency Updates:

• Bump cloud.google.com/go/compute/metadata from 0.4.0 to 0.5.0: GH-853
• Bump github.com/gruntwork-io/terratest from 0.46.16 to 0.47.0: GH-852
• Bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5: GH-834
• Bump github.com/hashicorp/go-retryablehttp from 0.7.1 to 0.7.7: GH-833
• Bump github.com/hashicorp/go-version from 1.6.0 to 1.7.0: GH-810
• Bump golang.org/x/crypto from 0.24.0 to 0.25.0: GH-843
• Bump google.golang.org/api from 0.186.0 to 0.188.0: GH-846
• Bump google.golang.org/grpc from 1.64.0 to 1.64.1: GH-845
• Bump k8s.io/api from 0.30.1 to 0.30.2: GH-822
• Bump k8s.io/apiextensions-apiserver from 0.30.1 to 0.30.2: GH-828
• Bump k8s.io/client-go from 0.30.1 to 0.30.2: GH-830
• Bump sigs.k8s.io/controller-runtime from 0.18.3 to 0.18.4: GH-808
• Bump ubi9/ubi-micro from 9.4-6.1716471860 to 9.4-9: GH-819
• Bump ubi9/ubi-minimal from 9.4-949.1717074713 to 9.4-1134: GH-820