v1.1.0-rc.0

v1.1.0-rc.0 - 2022-02-08

Changelog

Code Refactoring 💎

• b0af2b9 refactor: use NewSharedInformerFactoryWithOptions for new shared informer
• 14489c7 refactor: update mdbook install and serve

Continuous Integration 💜

• 2f16132 ci: add goreleaser workflow for release
• d0e614f ci: fix shellcheck file paths
• 00a1445 ci: add markdown-link-check workflow

Documentation 📘

• 8c41c4a docs: remove helm repo url change note in install steps
• 052429b docs: add slack badge
• 95218a6 docs: fix dead links based on errors
• 0391489 docs: update features and add toc
• ba364e1 docs: Update helm README.md with linux crd image values (#797)
• 856ad85 docs: update supported feature by current providers
• a760c18 docs: fix typo in api version group name
• ed9ecf3 docs: add design docs and roadmap to website
• 99aafa5 docs: add project status to docs

Features 🌈

• 7ac887a feat: add token requests client (#805)
• 4b8c442 feat: send NodePublishVolumeRequest.VolumeContext in MountRequest to provider

Maintenance 🔧

• 06931d3 chore: bump version to v1.1.0-rc.0 in release-1.1
• ca257a8 chore: mark v1alpha1 api version as deprecated
• ccb9fa4 chore: updates trivy command
• a596624 chore: log invalid key in error
• dac5381 chore: update debian-base to bullseye-v1.1.0
• f694be2 chore: bump node-driver-reegistrar image to v2.4.0
• 9750771 chore: remove deprecated --filtered-watch-secret flag
• c78559e chore: bump livenessprobe image to v2.5.0
• 2b27e0c chore: upgrade kubernetes deps
• 6069215 chore: use TARGETARCH for image build and makefile update
• e1f143c chore: use corev1 as import alias instead of v1

Security Fix 🛡️

• e6d1c8f security: fix CVE-2021-3995, CVE-2021-3996
• 6462375 security: fix CVE-2021-43618

Testing 💚

• 899d3ed test: add test for view and admin cluster role (#845)

v1.0.1

Security Fix 🛡️

• fix CVE-2021-43618 (#826, @aramase)

Maintenance 🔧

• remove strict linting (#822, @aramase)
• update livenessprobe image to v2.5.0 (#803, @aramase)
• update node-driver-registrar image to v2.4.0 (#807, @aramase)
• use k8s-staging-test-infra/gcb-docker-gcloud (#814, @spiffxp)
• update debian-base to bullseye-v1.1.0 (#825, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v1.0.0

Announcement 📢

• This is the first stable release for the driver!
• The SecretProviderClass and SecretProviderClassPodStatus CRDs are now v1 🎉

Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#pre-v100 before upgrade. Refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html for load test results.

Features 🌈

• Promoted CRDs to v1 (#760, @aramase)
• Add Windows Server 2022 (#757, @nick5616)

Bug Fixes 🐞

• create or update secretproviderclasspodstatus post mount (#735, @aramase)
• Update base image for ltsc2022 (#770, @aramase)

Documentation 📘

• update RELEASE docs based on v0.3.0 experience (#718, @tam7t)
• fix typo in helm url (#720, @nilekhc)
• fix typo in chart url in charts dir (#721, @aramase)
• add detail about pprof and metrics endpoint (#731, @aramase)
• update design docs status (#737, @aramase)
• add providers support matrix (#724, @nilekhc)
• add supported kubernetes versions (#751, @aramase)
• additional release note updates based on v1.0.0-rc.1 (#776, @tam7t)
• update docs for v1.0.0 and CRD version upgrades (#781, @tam7t)

Helm 📈

• Support imagePullSecrets in Job/secrets-store-csi-driver-keep-crds (#778, @remm)

Maintenance 🔧

• rename references from master to main (#726, @aramase)
• add LICENSE to all files (#727, @aramase)
• remove deprecated --prometheus-port flag (#732, @aramase)
• update the initialDelaySeconds and timeoutSeconds for node-driver-registrar livenessprobe (#729, @aramase)
• use structured logging and update imports order (#736, @aramase)
• use kubectl.kubernetes.io/default-container annotation (#738, @aramase)
• update to debian-base:bullseye-v1.0.0 (#742, @aramase)

Testing 💚

• implement e2e provider (#682, @nilekhc)
• add workflow for e2e using staging images (#730, @nilekhc)
• adds support for inplace upgrade test (#741, @nilekhc)
• adds e2e test for vault rotation (#758, @tam7t)
• log the secrets-store API version (#764, @aramase)
• add k8s test matrix for staging e2e (#774, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v1.0.0-rc.1

Announcement 📢

• The SecretProviderClass and SecretProviderClassPodStatus CRDs are now v1!
• The helm charts have been moved to https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts. Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#upgrades for information on upgrading existing clusters.
• Note to Providers: Return files in gRPC responses to the driver is now the recommended approach. See #551
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory in v0.1.0. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0+ will result in an error.

Features 🌈

• Promoted CRDs to v1 (#760, @aramase)
• Add Windows Server 2022 (#757, @nick5616)

Bug Fixes 🐞

• Update base image for ltsc2022 (#770, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v1.0.0-rc.0

Announcement 📢

• The helm charts have been moved to https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts. Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#upgrades for information on upgrading existing clusters.
• Note to Providers: Return files in gRPC responses to the driver is now the recommended approach. See #551
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory in v0.1.0. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0+ will result in an error.

Bug Fixes 🐞

• create or update secretproviderclasspodstatus post mount (#735, @aramase)

Documentation 📘

• update RELEASE docs based on v0.3.0 experience (#718, @tam7t)
• fix typo in helm url (#720, @nilekhc)
• fix typo in chart url in charts dir (#721, @aramase)
• add detail about pprof and metrics endpoint (#731, @aramase)
• update design docs status (#737, @aramase)

Maintenance 🔧

• rename references from master to main (#726, @aramase)
• add LICENSE to all files (#727, @aramase)
• remove deprecated --prometheus-port flag (#732, @aramase)
• update the initialDelaySeconds and timeoutSeconds for node-driver-registrar livenessprobe (#729, @aramase)
• use structured logging and update imports order (#736, @aramase)
• use kubectl.kubernetes.io/default-container annotation (#738, @aramase)
• update to debian-base:bullseye-v1.0.0 (#742, @aramase)

Testing 💚

• implement e2e provider (#682, @nilekhc)
• add workflow for e2e using staging images (#730, @nilekhc)
• adds support for inplace upgrade test (#741, @nilekhc)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.3.0

Announcement 📢

• The helm charts have been moved to https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts. Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#upgrades for information on upgrading existing clusters.
• Note to Providers: Return files in gRPC responses to the driver is now the recommended approach. See #551
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory in v0.1.0. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0+ will result in an error.

Breaking Changes ⚠️

• --filtered-watch-secret cannot be disabled starting in v0.3.0. Refer to #550 for more info. If you're using nodePublishSecretRef in the volume, refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html on actions to take before upgrade.
• syncSecret.enabled has been set to false by default in v0.0.23. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set syncSecret.enabled=true as part of helm install/upgrade.
• Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#pre-v010 before upgrade from versions < v0.1.0

Bug Fixes 🐞

• remove constraints on secret type name (#703, @aramase)

Testing 💚

• extended windows first pod timeout to 300s (#698, @aramase)
• cleanup filteredWatchSecret=false from e2e tests (#708, @aramase)
• update kubectl to 1.22.1 (#713, @tam7t)
• add aws release test (#633, @tam7t)

Helm 📈

• allow annotations on upgrade jobs (#692, @thomasmRavn )
• publish helm charts using github workflow (#693, @aramase)
• update chart repo to https://kuberentes-sigs.github.io/secrets-store-csi-driver/charts (#695, @aramase)
• add pod security policy to upgrade hooks (#709, @nilekhc)

Maintenance 🔧

• update release documentation (#649, @tam7t)
• update node-driver-registrar to v2.3.0 (#691, @aramase)
• update opentelemetry to v0.20.0 (#701, @aramase)
• refactor: remove csi-common package and update driver (#702, @aramase)
• update build to go 1.17 (#710, #711, @aramase)
• update livenessprobe to v2.4.0 (#712, @aramase)
• upgrade build runner to N1_HIGHCPU_8 (#714, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.2.0

Announcement 📢

• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to #550 for more info.
• Note to Providers: Return files in gRPC responses to the driver is now the recommended approach. See #551
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory in v0.1.0. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0+ will result in an error.

Breaking Changes ⚠️

• syncSecret.enabled has been set to false by default in v0.0.23. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set syncSecret.enabled=true as part of helm install/upgrade.
• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to #550 for more info. If you're using nodePublishSecretRef in the volume, refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html on actions to take before upgrade.
• Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#pre-v010 before upgrade from versions < v0.1.0

Documentation 📘

• add details on v0.1.0 upgrades (#650, @tam7t)
• Update Membership.md with more roles/details (#607, @karenhchu)
• update load test doc for filtered watch secret (#667, @aramase)

Testing 💚

• use kubectl exec instead of cp (#664, @aramase)
• gcp tests: explicit specify namespace (#664, @tam7t)
• adds make target for deploy manifest (#669, @nilekhc)

Helm 📈

• add option to configure fullnameOverride (#671, @aramase)
• Add pre-install to upgrade hook so existing CRDs on helm install can be upgraded (#679, @ritazh)
• use same toleration and nodeselector for crd-hook jobs (#683, @uncycler)

Maintenance 🔧

• update golangci-lint (#635, @tam7t)
• Add metrics port definition to DS (#614, @NissesSenap)
• Migrate from deprecated io/ioutil package to using os package (#673, @katyamag)
• update debian base to buster-v1.9.0 (#681, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.1.0

Announcement 📢

• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to #550 for more info.
• Note to Providers: Return files in gRPC responses to the driver is now the recommended approach. See #551
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0 will result in an error.

Breaking Changes ⚠️

• syncSecret.enabled has been set to false by default. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set syncSecret.enabled=true as part of helm install/upgrade.
• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to #550 for more info. If you're using nodePublishSecretRef in the volume, refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html on actions to take before upgrade.
• Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#pre-v010 before upgrade

Features 🌈

• set filtered-watch-secret to true by default for nodePublishSecretRef (#594, @aramase)
• use DynamicRESTMapper for manager (#608, @aramase)
• add possibility to annotate the created secret with CSI driver (#612, @tetianakravchenko)
• Initial implementation of token request (#471, @micahhausler)

Bug Fixes 🐞

• fix Windows nodes compatibility issues in pod definition (#625, @georgechang)
• fix CVE-2021-33910 (#645, @aramase)

Documentation 📘

• Debugging (#556, @nilekhc)
• Release management (#555, @nilekhc)
• update master to main release (#616, @ikarldasan)
• link and mention optional features (#627, @tam7t)
• use testgrid for readme test status (#631, @tam7t)
• adds note about crd upgrade (#642, @nilekhc)

Testing 💚

• add e2e for filtered-watch-secret=false (#596, @aramase)
• add kubernetes.io/os nodeselector for azure tests (#626, @aramase)
• use kubectl wait to check if pods ready (#628, @aramase)
• implements e2e upgrade test (#602, @nilekhc)
• ensure pod deletion is successful (#599, @tam7t)
• include more debug info in artifacts (#632, @tam7t)
• get logs for sidecar containers (#638, @aramase)
• gcp use workload id instead of node publish (#641, @tam7t)
• add driver-crd image to e2e-helm-upgrade target (#657, @aramase)

Helm 📈

• ❗ Move crds to crds dir for helm3 and installCRDs flag for supporting helm3 ( #289, @Evalle)
• move default annotations out of conditional (#629, @aramase)
• Crd upgrade via helm hooks (#623, @nilekhc)
• add keep-crd upgrade hook (#656, @aramase)

Maintenance 🔧

• upgrades controller-runtime to v0.9.0 (#593, @nilekhc)
• update to debian-base v1.7.2 and update packages to fix CVEs (#603, @aramase)
• add warning message for sync secret forbidden error (#606, @aramase)
• update debian base to buster-v1.8.0 (#609, @aramase)
• removes local cache used for rotation (#598, @nilekhc)
• revert changes from deploy and add to manifest_staging (#630, @aramase)
• switch to using distroless base image for driver-crds (#643, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.23

Announcement 📢

• --filtered-watch-secret will be enabled by default in v0.1.0 release. Refer to #550 for more info.
• Note to Providers: Prepare to return files in gRPC responses as this will become the recommended approach in the next release. See #551

Breaking Changes ⚠️

• syncSecret.enabled has been set to false by default. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set syncSecret.enabled=true as part of helm install/upgrade.

Features 🌈

• add arm64 build (#575, @aramase)
• add rbac role and binding for rotation (#586, @aramase)

Bug Fixes 🐞

• CVE-2021-3520 (#562, @aramase)

Documentation 📘

• set-as-env-var pod indent (#553, @dawncold)
• add membership criteria and getting involved section (#563, @aramase)
• fix the default volume path for providers (#574, @katyamag)
• Add AWS Provider (#517, @nlamirault)
• add aws provider ref in install provider (#584, @aramase)

Testing 💚

• enable shellcheck and fix errors (#557, @aramase)
• Add test coverage report into Makefile for unit test (#537, @hixichen)
• add aws integration tests (#533, @lasred)
• Add uuid to AWS secret and parameter names (#569, @lasred)

Helm 📈

• provide ability to add volume and volumeMounts (#539, @hixichen)
• add image pull secrets (#554, @mehmetsalgar)
• default syncSecret.enable to false (#510, @ritazh)

Maintenance 🔧

• add psp snippet to manifests target (#560, @aramase)
• add tam7t as approver (#564, @aramase)
• update to debian-base v1.7.0 (#565, @aramase)
• remove deprecated --grpc-supported-providers and --debug flag (#566, @aramase)
• Add golang version validate at Makefile (#538, @hixichen)
• Added GOPROXY propagation to container builds (#571, @micahhausler)
• Replace golang.org/x/net/context with context (#577, @hixichen)
• generate log if grpc message size larger than max (#581, @aramase)
• list builder instances in image build (#583, @aramase)
• enable qemu for multi-arch (#586, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.22

Announcement 📢

• syncSecret.enabled will be set to false by default in the next release v0.0.23. Refer to #268 for more info.
• --filtered-watch-secret will be enabled by default in v0.1.0 release. Refer to #550 for more info.
• Note to Providers: Prepare to return files in gRPC responses as this will become the recommended approach in a future release. See #551

Features 🌈

• add optional healthcheck for provider plugins (#508, @aramase)
• allow maxCallRecvMsgSize to be increased for large secret mounts (#512, @tam7t)
• vendor atomic_writer and use it to write files returned by grpc (#520, @tam7t)

Bug Fixes 🐞

• GetMountedFiles() returns map that key includes sub directory (#516, @mitsutaka)
• windows targetpath cleanup as part of node unpublish (#545, @aramase)

Documentation 📘

• fix indentation in load tests (#504, @aramase)
• add test scenarios currently supported (#509, @aramase)
• install to kube-system & best-practices (#505, @tam7t)

Testing 💚

• include nested path in secret sync and update vault suite (#532, @aramase)

Helm 📈

• Added Pod Security Policy to the chart (#478, @pierluigilenoci)
• node affinity now prevents CSI driver from being scheduled on a node with a label 'type=virtual-kublet' (#513, @manedurphy)

Maintenance 🔧

• updates CSIDriver api ver to storage.k8s.io/v1 (#518, @nilekhc)
• update to using k8s.io/mount-utils (#524, @aramase)
• remove windows file deletion on unmount (#526, @tam7t)
• update sidecar images and set imagePullPolicy to IfNotPresent (#519, @aramase)
• update release docs and makefile targets (#543, @aramase)
• Bump versions for v0.0.22 (#544, @tam7t)
• make manifests dependencies (#547, @tam7t)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver