Minor release to provide smaller Vault Sidecar Injector image and new default Vault image to fix CVE-2021-32923 (refer to HashiCorp Vault's changelog).
Changed
This release comes with support for admission.k8s.io/v1 AdmissionReview and admissionregistration.k8s.io/v1 MutatingWebhookConfiguration on Kubernetes 1.16+. As a result, Vault Sidecar Injector now handles both v1 and v1beta1 versions of those resources.
Note that admission.k8s.io/v1beta1 AdmissionReview and admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration should no longer be supported (or available) on Kubernetes 1.22+.
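A webhook that serves both versions has to answer in the version it was called with: admission.k8s.io/v1 requires the response to carry apiVersion, kind and the request's uid. The sketch below is an added example, not Vault Sidecar Injector's own code; it uses only the Go standard library, and the type and function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the AdmissionReview envelope; Go identifiers are hypothetical, JSON names follow the Kubernetes API.
type review struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Request    *request  `json:"request,omitempty"`
	Response   *response `json:"response,omitempty"`
}
type request struct{ UID string `json:"uid"` }
type response struct {
	UID       string `json:"uid"`
	Allowed   bool   `json:"allowed"`
	Patch     []byte `json:"patch,omitempty"` // encoding/json emits base64
	PatchType string `json:"patchType,omitempty"`
}

// respond builds the reply to a raw AdmissionReview body, echoing the request's apiVersion and uid.
func respond(body, jsonPatch []byte) ([]byte, error) {
	var in review
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if in.Kind != "AdmissionReview" || in.Request == nil || in.Request.UID == "" {
		return nil, fmt.Errorf("body is not an AdmissionReview request")
	}
	switch in.APIVersion {
	case "admission.k8s.io/v1", "admission.k8s.io/v1beta1":
	default: // reject versions this handler was not written for
		return nil, fmt.Errorf("unsupported apiVersion %q", in.APIVersion)
	}
	out := review{APIVersion: in.APIVersion, Kind: "AdmissionReview",
		Response: &response{UID: in.Request.UID, Allowed: true}}
	if len(jsonPatch) > 0 {
		out.Response.Patch, out.Response.PatchType = jsonPatch, "JSONPatch"
	}
	return json.Marshal(out)
}
func main() { // constructed sample request, not captured from a cluster
	req := `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"sample-uid"}}`
	out, err := respond([]byte(req), []byte(`[{"op":"add","path":"/metadata/labels/demo","value":"1"}]`))
	fmt.Println(string(out), err)
}
```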
Changed
- VSI #48 - Minor chart updates (adjust CPU & memory for injected containers, add checks during chart install)
- VSI #51 - Update base image to CentOS 7.9.2009
Added
- VSI #49 - Add support for admission.k8s.io/v1 AdmissionReview and admissionregistration.k8s.io/v1 MutatingWebhookConfiguration (in addition to v1beta1)
Fixed
- VSI #45 - Do not inject sidecars if only job and secrets modes are enabled and secrets type is "static"
A new sidecar.vault.talend.org/vault-image annotation has been added to override the default injected image. Refer to the samples for a working example.
The default Vault image has been bumped to version 1.6.2.
Changed
- VSI #44 - Update HashiCorp Vault image to 1.6.2
Added
- VSI #43 - New annotation to allow injection of custom Vault image
Changed
- VSI #40 - Update doc references to Helm Hub (now Artifact Hub)
Added
- VSI #41 - New configuration value to set Vault Agent log format
Minor release with new default Vault image to address several security issues in HashiCorp Vault (CVE-2020-25816, CVE-2020-16250, CVE-2020-16251, CVE-2020-17455).
Note that provided chart now requires Helm v3.
Changed
- VSI #34 - Documentation improvements
- VSI #36 - Update HashiCorp Vault image to 1.5.4
- VSI #37 - Update base image to CentOS 7.8.2003
- VSI #38 - Migrate chart to Helm v3
- VSI #39 - Code refactoring
New with this release: Vault secrets can now be injected right into environment variables. Only static secrets are supported at the moment. Along with this feature, the secrets volumeMount is now automatically injected in your containers if not already defined (as was already the case with the secrets volume).
Default Vault image is now set to 1.4.2 to fix several CVEs (CVE-2020-13223, CVE-2020-12757: see HashiCorp's CHANGELOG).
Finally, the webhook certificates are no longer generated using the Kubernetes Certificates API. The certificates and associated private key are now either generated by code or read from a Kubernetes Secret you provide. Refer to the updated documentation for details.
Changed
- VSI #29 - Update HashiCorp Vault image to 1.4.2
- VSI #30 - Webhook certificates generated by code or provided
- VSI #31 - Migrate to Golang 1.14
Added
This release fixes VSI deployment on Kubernetes 1.18+ clusters. It also comes with better AppRole integration and updated Vault image.
Changed
- VSI #27 - Update HashiCorp Vault image to 1.4.1
Added
- VSI #26 - Improve AppRole support: add tests, enforce check over secrets type, tune Vault Agent config
Fixed
- VSI #25 - Fix RBAC following breaking change in Kubernetes 1.18 Certificates API. See also associated PR 86476 & 86933.
This is a minor release to update Vault image to 1.3.4 by default (CVE fixes, see details here) and enable offline builds by vendoring dependencies (use make build OFFLINE=true).
Changed
- VSI #23 - Update HashiCorp Vault image (CVE fixes)
Added
- VSI #24 - Vendoring
This is a major release introducing new features and complete code refactoring for clear isolation of modes.
Highlights:
- New Static Secrets feature, part of secrets mode (now supporting both dynamic and static secrets)
- Kubernetes Jobs are now handled as a Vault Sidecar Injector mode. Annotation sidecar.vault.talend.org/workload is still supported but deprecated: make use of sidecar.vault.talend.org/mode to enable job mode
- HashiCorp Vault image updated to 1.3.2
Added
Added
- VSI #18 - Basis for new inline injection feature
Fixed
- VSI #16 - secrets-template with >1 templates that include range statement causes dest/template mismatch [Thanks @smurfralf]
- VSI #15 - Document requirement for configured certificates api [Thanks @drpebcak]
- VSI #14 - Minor updates to Helm chart and documentation.
- VSI #13 - New Proxy mode. Injected Vault Agent sidecar can act as a local proxy forwarding application requests to Vault server.
- VSI #12 - Image based on CentOS 7.7 and run as non-root, chart available on Helm Hub
- VSI #9 - Remove Consul Template sidecar and use Vault 1.3.0 new agent template feature to fetch secrets. See announcement here.
- VSI #10 - Helm chart is now part of the released artifacts.
- First open source release of Talend Vault Sidecar Injector component