Releases: hashicorp/vault-secrets-operator
Releases · hashicorp/vault-secrets-operator
v0.8.0
0.8.0 (July 22nd, 2024)
Important
-
Helm: CRD schema changes are now automatically applied at upgrade time.
See updating-crds for more details.
-
This release contains CRD schema changes which remove the field validation on most VaultAuth spec fields. That means invalid VaultAuth
configurations will no longer be handled at resource application time. Please review the VSO logs and K8s
events when troubleshooting Vault authentication issues.
Features:
- Helm: add support for auto upgrading CRDs: GH-789
- VaultStaticSecret: support instant event-driven updates: GH-771
- Add new VaultAuthGlobal type for shared VaultAuth configurations: GH-735 GH-800 GH-847 GH-855 GH-850
- CachingClientFactory: support client taints to trigger Vault client token validation: GH-717 GH-769
Improvements:
- VPS: add ca.crt from issuing CA for tls secret type: GH-848
- Helm: support setting VaultAuthGlobalRef on VaultAuth: GH-851
- Migrate to k8s.io/utils/ptr: GH-856
- Core: update backoff option docs: GH-801
Fix:
- VaultAuth: set valid status on VaultAuthGlobal deref error: GH-854
- VDS: properly handle the clone cache key variant during client callback execution: GH-835
- Core: delete resource status metrics upon object deletion: GH-815
- VSS: use a constant backoff on some reconciliation errors: GH-811
- VDS: work around Vault DB static creds TTL rollover bug: GH-730
Build:
- CI: bump Vault versions: GH-797
Dependency Updates:
- Bump cloud.google.com/go/compute/metadata from 0.4.0 to 0.5.0: GH-853
- Bump github.com/gruntwork-io/terratest from 0.46.16 to 0.47.0: GH-852
- Bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5: GH-834
- Bump github.com/hashicorp/go-retryablehttp from 0.7.1 to 0.7.7: GH-833
- Bump github.com/hashicorp/go-version from 1.6.0 to 1.7.0: GH-810
- Bump golang.org/x/crypto from 0.24.0 to 0.25.0: GH-843
- Bump google.golang.org/api from 0.186.0 to 0.188.0: GH-846
- Bump google.golang.org/grpc from 1.64.0 to 1.64.1: GH-845
- Bump k8s.io/api from 0.30.1 to 0.30.2: GH-822
- Bump k8s.io/apiextensions-apiserver from 0.30.1 to 0.30.2: GH-828
- Bump k8s.io/client-go from 0.30.1 to 0.30.2: GH-830
- Bump sigs.k8s.io/controller-runtime from 0.18.3 to 0.18.4: GH-808
- Bump ubi9/ubi-micro from 9.4-6.1716471860 to 9.4-9: GH-819
- Bump ubi9/ubi-minimal from 9.4-949.1717074713 to 9.4-1134: GH-820
v0.7.1
v0.7.0
0.7.0 (May 27th, 2024)
Important: this release contains CRD schema changes that must be applied manually when deploying VSO with Helm.
Please see updating-crds for more details.
Behavioral changes:
- Core: Controller logs are now JSON encoded by default.
- Core: Secret source errors are now retried using an exponential backoff strategy. Previously the backoff was a constant duration with some added jitter.
Features:
- Core: support argo.Rollout as a rolloutRestartTarget for all secret type custom resources: GH-702
- Helm: add support for cluster role aggregates: GH-752
- Helm: adds values for setting VSO logging options: GH-778
- Helm: add support for configuring strategy on controller deployment : GH-709
Improvements:
- CachingClientFactory: lock by client cache key: GH-716
- Transformations: add support for the htpasswd Sprig function: GH-708
- VPS: skip overwriting tls.crt and tls.key whenever transformation templates are configured: GH-659
- Core: Use exponential backoff on secret source errors: GH-732
Fix:
- Core: call VDS callbacks on VaultAuth and VaultConnection changes: GH-739
- Core: skip LifetimeWatcher validation for non-renewable auth tokens: GH-722
- Core: disable development logger mode by default: GH-751
- VSS: that spec.hmacSecretData's value is honoured: GH-753
- VDS: Selectively log calls to SyncRegistry.Delete(): GH-718
Build:
Dependency Updates:
- Bump TF provider versions: GH-737
- Bump github.com/go-logr/logr from 1.4.1 to 1.4.2: GH-775
- Bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.4: GH-711
- Bump github.com/hashicorp/vault/api from 1.12.2 to 1.13.0: GH-725
- Bump github.com/hashicorp/vault/sdk from 0.12.0 to 0.13.0: GH-773
- Bump github.com/onsi/gomega from 1.33.0 to 1.33.1: GH-727
- Bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1: GH-741
- Bump golang.org/x/crypto from 0.22.0 to 0.23.0: GH-744
- Bump google.golang.org/api from 0.176.1 to 0.177.0: GH-724
- Bump google.golang.org/api from 0.180.0 to 0.181.0: GH-758
- Bump k8s.io/api from 0.30.0 to 0.30.1: GH-761
- Bump k8s.io/client-go from 0.30.0 to 0.30.1: GH-760
- Bump sigs.k8s.io/controller-runtime from 0.18.2 to 0.18.3: GH-772
- Bump ubi9/ubi-micro from 9.3-15 to 9.4-6: GH-719
- Bump ubi9/ubi-minimal from 9.4-949 to 9.4-949.1714662671: GH-728
v0.6.0
Important: this release contains CRD schema changes that must be applied manually when deploying VSO with Helm. Please see updating-crds for more details.
0.6.0 (April 24th, 2024)
Fix:
- VDS: reconcile instances on lifetimeWatcher done events and other Vault client rotation events: GH-665
Improvements:
- Core: no longer restore all clients from storage: GH-684
- Helm: lower min k8s version to 1.21: GH-656
Build:
- Upgrade to go 1.22.2: GH-683
- CI: fix tests in GKE: GH-675
- OLM: remove the
skipsfrom the last release: GH-703
Dependency Updates:
- Bump github.com/cenkalti/backoff/v4 from 4.2.1 to 4.3.0: GH-673
- Bump github.com/gruntwork-io/terratest from 0.46.11 to 0.46.13: GH-669
- Bump github.com/hashicorp/go-hclog from 1.6.2 to 1.6.3: GH-679
- Bump github.com/hashicorp/vault/api from 1.12.1 to 1.12.2: GH-667
- Bump github.com/hashicorp/vault/sdk from 0.11.1 to 0.12.0: GH-687
- Bump github.com/onsi/gomega from 1.32.0 to 1.33.0: GH-696
- Bump github.com/prometheus/client_model from 0.6.0 to 0.6.1: GH-678
- Bump google.golang.org/api from 0.171.0 to 0.172.0: GH-672
- Bump k8s.io/client-go from 0.29.2 to 0.29.3: GH-660
- Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3: GH-688
v0.5.2
0.5.2 (March 13th, 2024)
Improvements:
- VDS: support configuring an explicit sync delay for non-renewable leases without an explicit TTL: GH-641
- OLM: add newly required ClusterServiceVersion annotations: GH-628
- Helm: mention global transformation option env variable: GH-626
Fix:
- API: make some required bool parameters optional: GH-650
- VDS: make rotationSchedule status field optional: GH-621
- VPS: return an error when the PKI secret is nil: GH-636
- Core: ensure VaultConnection headers are set on the vault client: GH-629
Build:
- Use Go 1.21.8: GH-651
Dependency Updates:
- Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3: GH-646
- Bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0: GH-648
- Bump github.com/go-openapi/strfmt from 0.22.1 to 0.23.0: GH-649
- Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0: GH-634
- Bump github.com/stretchr/testify from 1.8.4 to 1.9.0: GH-633
- Bump google.golang.org/api from 0.167.0 to 0.169.0: GH-647
- Bump google.golang.org/protobuf from 1.32.0 to 1.33.0: GH-642
- Bump sigs.k8s.io/controller-runtime from 0.17.1 to 0.17.2: GH-625
- Bump ubi9/ubi-micro from 9.3-13 to 9.3-15: GH-640
- Bump ubi9/ubi-minimal from 9.3-1552 to 9.3-1612: GH-639
v0.5.1
0.5.1 (February 20th, 2024)
Fix:
- Sync: mitigate potential schema validation failures by only adding finalizers after a status update: GH-609
Dependency Updates:
v0.5.0
0.5.0 (February 15th, 2024)
Important: this release contains CRD schema changes that must be applied manually when deploying VSO with Helm. Please see updating-crds for more details.
KNOWN ISSUES:
- Upgrades via OperatorHub may fail due to some new required fields in VaultConnection and the Secret types as described in GH-631
Features:
- Sync: add support for secret data transformation: GH-437
Improvements:
- Core: set CLI options from VSO_ environment variables: GH-551
- Sync: Reconcile on secret deletion: GH-587
- Sync: support excluding _raw from the destination: GH-546
- Sync: take ownership of an existing destination secret: GH-545
- Sync: add support for userIDs in VaultPKISecret: GH-552
- OLM: set OLM bundle to "Seamless Upgrades": GH-581
- Helm: add annotations to the cleanup job: GH-284
- Helm: support setting imagePullPolicy: GH-601
- Helm: support setting VaultAuth allowedNamespaces: GH-602
Fix:
- Sync: sync HCPVaultSecretsApp on lastGeneration change: GH-591
- Sync: properly handle secret type changes: GH-605
Build:
- Install the operator-sdk CLI and check
sdk-generatein CI: GH-590 - Bump some GH action versions: GH-583
Dependency Updates:
- Bump github.com/go-openapi/runtime from 0.26.2 to 0.27.1: GH-572
- Bump github.com/google/uuid from 1.5.0 to 1.6.0: GH-570
- Bump github.com/gruntwork-io/terratest from 0.46.8 to 0.46.11: GH-550
- Bump github.com/hashicorp/go-secure-stdlib/awsutil from 0.2.3-0.20230606170242-1a4b95565d57 to 0.3.0: GH-579
- Bump github.com/hashicorp/vault/api from 1.11.0 to 1.12.0: GH-595
- Bump github.com/hashicorp/vault/sdk from 0.10.2 to 0.11.0: GH-596
- Bump github.com/onsi/gomega from 1.30.0 to 1.31.1: GH-558
- Bump google.golang.org/api from 0.161.0 to 0.163.0: GH-594
- Bump k8s.io/api from 0.29.0 to 0.29.1: GH-556
- Bump k8s.io/client-go from 0.29.0 to 0.29.1: GH-554
- Bump sigs.k8s.io/controller-runtime from 0.17.0 to 0.17.1: GH-597
- Bump ubi9/ubi-micro from 9.3-9 to 9.3-13: GH-566
- Bump ubi9/ubi-minimal from 9.3-1475 to 9.3-1552: GH-565
v0.4.3
0.4.3 (January 10th, 2024)
Fix:
- Helm: rename and truncate the pre-delete cleanup job to 63 characters: GH-506
- VDS: remediate deleted destination secret: GH-532
- Update paused deployment error message: GH-528
- VC: provide default value for spec.skipTLSVerify: GH-527
- CCS: ensure invalid storage objects are deleted: GH-525
- VDS: Log and record Vault request failures: GH-508
- VPS: Sync on any update: GH-479
Dependency Updates:
- update go version to fix CVE-2023-45284,CVE-2023-39326,CVE-2023-48795: GH-541
- Bump google.golang.org/api from 0.154.0 to 0.155.0: GH-542
- Bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0: GH-540
- Bump github.com/go-openapi/strfmt from 0.21.9 to 0.22.0: GH-539
- Bump github.com/go-logr/logr from 1.3.0 to 1.4.1: GH-536
- Bump golang.org/x/crypto from 0.16.0 to 0.17.0: GH-524
- Bump k8s.io/client-go from 0.28.4 to 0.29.0: GH-523
- Bump google.golang.org/api from 0.153.0 to 0.154.0: GH-522
- Bump github.com/hashicorp/go-hclog from 1.6.1 to 1.6.2: GH-521
- Bump github.com/google/uuid from 1.4.0 to 1.5.0: GH-520
- Bump ubi9/ubi-minimal from 9.3-1361.1699548032 to 9.3-1475: GH-516
- Bump ubi9/ubi-micro from 9.3-6 to 9.3-9: GH-515
- Bump github.com/go-openapi/strfmt from 0.21.8 to 0.21.9: GH-514
- Bump github.com/hashicorp/go-hclog from 1.5.0 to 1.6.1: GH-513
- Bump github.com/go-openapi/runtime from 0.26.0 to 0.26.2: GH-512
- Bump github.com/gruntwork-io/terratest from 0.46.6 to 0.46.8: GH-497
- Bump google.golang.org/api from 0.152.0 to 0.153.0: GH-496
v0.4.2
0.4.2 (December 7th, 2023)
Important:
- This release corrects a failed release of v0.4.1 to OpenShift's OperatorHub. It should be used in place of v0.4.1.
- When upgrading directly from 0.4.0 or below using Helm, please follow updating-crds.
Fix:
- Include viewer and editor RBAC roles in the chart: GH-501
- Build: image/ubi: add separate target and build job for RedHat: GH-503
Dependency Updates:
v0.4.1
0.4.1 (December 4th, 2023)
Important: this release contains CRD schema changes that must be applied manually when deploying VSO with Helm. Please see updating-crds for more details.
Improvements:
- Manager: setting
controller.manager.maxConcurrentReconcilesnow applies to all Syncable Secret controllers. The previous flag for the manager--max-concurrent-reconciles-vdsis now deprecated and replaced by--max-concurrent-reconcileswhich applies to all controllers. GH-483
Fix:
- Helm: prefix all helper functions with
vsoto avoid subchart name collisions: GH-487 - VSS: Ensure all resource updates are synced: GH-492
- VDS: Fix compute static-creds rotation horizon: GH-488
Dependency Updates: