v0.26.1

[v0lkan]

Added

• VMware Secrets Manager Helm charts now have the ability to generate
  RedHat OpenShift compatible manifests. You’ll need to set global.enableOpenShift
  to true to use this feature. It is false by default because it introduced
  OpenShift-specific security rules that other clusters will not interpret
  properly.
• Introduced new images spireHelperBash, spireHelperKubectl,
  openShiftHelperUbi9 to help and streamline SPIRE deployment and harden
  its security by mutating webhook configurations and other security attributes
  post-install.
• Increased unit tests coverage. Our first target is 50%, and we are aiming to
  reach there one unit test at a time.
• Documentation updates.

Changed

• BREAKING: We have made significant updates in the VSecM SPIRE helm charts
  to align them with the official upstream SPIFFE helm-charts-hardened
  project. This means, VSecM users will need to add className: "vsecm" to
  their workload SPIFFEID for the workloads to get their SVIDs.
• BREAKING: The default SPIRE Agent socket is renamed to spire-agent.sock
  instead of agent.sock. If you are using VSecM SDK or VSecM Sidecar
  this change is transparent; however if you are manually consuming the SPIRE
  Agent socket, you’d need to change your code to listen to the new socket.
• SPIRE Server and SPIRE Agent configuration values in the ConfigMaps are now
  in JSON form to align with helm-charts-hardened.
• SPIRE Server Service is now serving from the standard TLS port 443.
• Updated SPIRE-related dependencies to their recent stable versions.
• Updates in the exponential backoff algorithm to make it more robust.
• Certain environment variables changed, the changes have not reflected to the
  documentation by the time of this release note. We will update the documentation
  shortly. In the meantime, when in doubt, take source code as the authoritative
  reference for variable naming. Helm charts will also contain the correct
  environment variable names and default values.
• Other refactorings in the codebase to improve performance. The changes do
  not change the behavior or introduce any new behavior.

Security

• SPIRE Server is now in its own namespace (to benefit from the security of
  namespace isolation) and also has a restricted pod security audit with
  a read-only file system and an unprivileged non-root account.
• Other security enhancements especially focused around SPIRE.

Fixed

• Several minor bugfixes and regressions.

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Introducing initial helm-chart for version 0.26.1 by @v0lkan in Introducing initial helm-chart for version 0.26.1 #1024
• 📚 docs(VSecM): Documentation Updates by @v0lkan in 📚 docs(VSecM): Documentation Updates #1033
• 💄 cosmetic(VSecM): fix a dockerfile build warning by @v0lkan in 💄 cosmetic(VSecM): fix a dockerfile build warning #1034
• 🛡️ security(VSecM Helm Charts): add security labels to namespaces by @v0lkan in 🛡️ security(VSecM Helm Charts): add security labels to namespaces #1035
• generated files for the playground by @v0lkan in generated files for the playground #1036
• manifest changes by @v0lkan in manifest changes #1039
• convert configs to json form by @v0lkan in convert configs to json form #1041
• Rename socket path by @v0lkan in Rename socket path #1042
• helm chart changes by @v0lkan in helm chart changes #1043
• more manifest changes by @v0lkan in more manifest changes #1044
• update spire server port to 443 by @v0lkan in update spire server port to 443 #1045
• manifest updates by @v0lkan in manifest updates #1046
• Helm Changes and OpenShift Support by @v0lkan in Helm Changes and OpenShift Support #1047

Full Changelog: v0.26.0...v0.26.1

---

This discussion was created from the release v0.26.1.