This repository has been archived by the owner on Nov 28, 2022. It is now read-only.

Changelog for Vault Sidecar Injector

Release v7.2.1 - 2021-05-26

Minor release providing a smaller Vault Sidecar Injector image and a new default Vault image to fix CVE-2021-32923 (refer to HashiCorp Vault's changelog).

Changed

  • VSI #53 - Rework Dockerfile to reduce image size
  • VSI #52 - Update HashiCorp Vault image to 1.6.5

Release v7.2.0 - 2021-05-19

This release comes with support for admission.k8s.io/v1 AdmissionReview and admissionregistration.k8s.io/v1 MutatingWebhookConfiguration on Kubernetes 1.16+. As a result, Vault Sidecar Injector now handles both v1 and v1beta1 versions of those resources.

Note that admission.k8s.io/v1beta1 AdmissionReview and admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration should no longer be supported (or available) on Kubernetes 1.22+.

Changed

  • VSI #48 - Minor chart updates (adjust CPU & memory for injected containers, add checks during chart install)
  • VSI #51 - Update base image to CentOS 7.9.2009

Added

  • VSI #49 - Add support for admission.k8s.io/v1 AdmissionReview and admissionregistration.k8s.io/v1 MutatingWebhookConfiguration (in addition to v1beta1)

Release v7.1.1 - 2021-04-02

Fixed

  • VSI #45 - Do not inject sidecars if only job and secrets modes are enabled and secrets type is "static"

Release v7.1.0 - 2021-02-09

A new sidecar.vault.talend.org/vault-image annotation has been added to override the default injected image. Refer to the samples for a working example.

The default Vault image has been bumped to version 1.6.2.

Changed

  • VSI #44 - Update HashiCorp Vault image to 1.6.2

Added

  • VSI #43 - New annotation to allow injection of custom Vault image

Release v7.0.2 - 2020-11-09

Changed

  • VSI #40 - Update doc references to Helm Hub (now Artifact Hub)

Added

  • VSI #41 - New configuration value to set Vault Agent log format

Release v7.0.1 - 2020-10-28

Minor release with new default Vault image to address several security issues in HashiCorp Vault (CVE-2020-25816, CVE-2020-16250, CVE-2020-16251, CVE-2020-17455).

Note that the provided chart now requires Helm v3.

Changed

  • VSI #34 - Documentation improvements
  • VSI #36 - Update HashiCorp Vault image to 1.5.4
  • VSI #37 - Update base image to CentOS 7.8.2003
  • VSI #38 - Migrate chart to Helm v3
  • VSI #39 - Code refactoring

Release v7.0.0 - 2020-06-21

New with this release: Vault secrets can now be injected right into environment variables. Only static secrets are supported at the moment. Along with this feature, the secrets volumeMount is now automatically injected in your containers if not already defined (as was already the case with the secrets volume).

The default Vault image is now set to 1.4.2 to fix several CVEs (CVE-2020-13223, CVE-2020-12757: see HashiCorp's CHANGELOG).

Finally, the webhook certificates are no longer generated using the Kubernetes Certificates API. The certificates and associated private key are now either generated by code or read from a Kubernetes Secret you provide. Refer to the updated documentation for details.

Changed

  • VSI #29 - Update HashiCorp Vault image to 1.4.2
  • VSI #30 - Webhook certificates generated by code or provided
  • VSI #31 - Migrate to Golang 1.14

Added

  • VSI #32 - Inject secrets in env vars. Feature announcement here.

Release v6.1.0 - 2020-05-18

This release fixes VSI deployment on Kubernetes 1.18+ clusters. It also comes with better AppRole integration and an updated Vault image.

Changed

  • VSI #27 - Update HashiCorp Vault image to 1.4.1

Added

  • VSI #26 - Improve AppRole support: add tests, enforce check over secrets type, tune Vault Agent config

Fixed

Release v6.0.1 - 2020-04-06

This is a minor release to update the Vault image to 1.3.4 by default (CVE fixes, see details here) and enable offline builds by vendoring dependencies (use make build OFFLINE=true).

Changed

  • VSI #23 - Update HashiCorp Vault image (CVE fixes)

Added

Release v6.0.0 - 2020-03-04

This is a major release introducing new features and a complete code refactoring for clear isolation of modes.

Highlights:

  • New Static Secrets feature, part of secrets mode (now supporting both dynamic and static secrets)
  • Kubernetes Jobs are now handled as a Vault Sidecar Injector mode. Annotation sidecar.vault.talend.org/workload is still supported but deprecated: make use of sidecar.vault.talend.org/mode to enable job mode
  • HashiCorp Vault image updated to 1.3.2

Added

Release v5.1.1 - 2019-12-23

Added

  • VSI #18 - Basis for new inline injection feature

Fixed

  • VSI #16 - secrets-template with >1 templates that include range statement causes dest/template mismatch [Thanks @smurfralf]
  • VSI #15 - Document requirement for configured certificates api [Thanks @drpebcak]

Release v5.1.0 - 2019-12-09

  • VSI #14 - Minor updates to Helm chart and documentation.

Release v5.0.0 - 2019-12-06

  • VSI #13 - New Proxy mode. Injected Vault Agent sidecar can act as a local proxy forwarding application requests to Vault server.

Release v4.1.0 - 2019-11-24

  • VSI #12 - Image based on CentOS 7.7 and run as non-root, chart available on Helm Hub

Release v4.0.0 - 2019-11-15

  • VSI #9 - Remove Consul Template sidecar and use Vault 1.3.0 new agent template feature to fetch secrets. See announcement here.
  • VSI #10 - Helm chart is now part of the released artifacts.

Release v3.0.0 - 2019-10-11

  • First open source release of Talend Vault Sidecar Injector component