Releases: hashicorp/vault-secrets-operator
v0.6.0
Important: this release contains CRD schema changes that must be applied manually when deploying VSO with Helm. Please see updating-crds for more details.
0.6.0 (April 24th, 2024)
Fix:
- VDS: reconcile instances on lifetimeWatcher done events and other Vault client rotation events: GH-665
Improvements:
- Core: no longer restore all clients from storage: GH-684
- Helm: lower min k8s version to 1.21: GH-656
Build:
- Upgrade to go 1.22.2: GH-683
- CI: fix tests in GKE: GH-675
- OLM: remove the skips from the last release: GH-703
Dependency Updates:
- Bump github.com/cenkalti/backoff/v4 from 4.2.1 to 4.3.0: GH-673
- Bump github.com/gruntwork-io/terratest from 0.46.11 to 0.46.13: GH-669
- Bump github.com/hashicorp/go-hclog from 1.6.2 to 1.6.3: GH-679
- Bump github.com/hashicorp/vault/api from 1.12.1 to 1.12.2: GH-667
- Bump github.com/hashicorp/vault/sdk from 0.11.1 to 0.12.0: GH-687
- Bump github.com/onsi/gomega from 1.32.0 to 1.33.0: GH-696
- Bump github.com/prometheus/client_model from 0.6.0 to 0.6.1: GH-678
- Bump google.golang.org/api from 0.171.0 to 0.172.0: GH-672
- Bump k8s.io/client-go from 0.29.2 to 0.29.3: GH-660
- Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3: GH-688
v0.5.2
0.5.2 (March 13th, 2024)
Improvements:
- VDS: support configuring an explicit sync delay for non-renewable leases without an explicit TTL: GH-641
- OLM: add newly required ClusterServiceVersion annotations: GH-628
- Helm: mention global transformation option env variable: GH-626
Fix:
- API: make some required bool parameters optional: GH-650
- VDS: make rotationSchedule status field optional: GH-621
- VPS: return an error when the PKI secret is nil: GH-636
- Core: ensure VaultConnection headers are set on the vault client: GH-629
Build:
- Use Go 1.21.8: GH-651
Dependency Updates:
- Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3: GH-646
- Bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0: GH-648
- Bump github.com/go-openapi/strfmt from 0.22.1 to 0.23.0: GH-649
- Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0: GH-634
- Bump github.com/stretchr/testify from 1.8.4 to 1.9.0: GH-633
- Bump google.golang.org/api from 0.167.0 to 0.169.0: GH-647
- Bump google.golang.org/protobuf from 1.32.0 to 1.33.0: GH-642
- Bump sigs.k8s.io/controller-runtime from 0.17.1 to 0.17.2: GH-625
- Bump ubi9/ubi-micro from 9.3-13 to 9.3-15: GH-640
- Bump ubi9/ubi-minimal from 9.3-1552 to 9.3-1612: GH-639
v0.5.1
0.5.1 (February 20th, 2024)
Fix:
- Sync: mitigate potential schema validation failures by only adding finalizers after a status update: GH-609
Dependency Updates:
v0.5.0
0.5.0 (February 15th, 2024)
Important: this release contains CRD schema changes that must be applied manually when deploying VSO with Helm. Please see updating-crds for more details.
KNOWN ISSUES:
- Upgrades via OperatorHub may fail due to some new required fields in VaultConnection and the Secret types as described in GH-631
Features:
- Sync: add support for secret data transformation: GH-437
Improvements:
- Core: set CLI options from VSO_ environment variables: GH-551
- Sync: Reconcile on secret deletion: GH-587
- Sync: support excluding _raw from the destination: GH-546
- Sync: take ownership of an existing destination secret: GH-545
- Sync: add support for userIDs in VaultPKISecret: GH-552
- OLM: set OLM bundle to "Seamless Upgrades": GH-581
- Helm: add annotations to the cleanup job: GH-284
- Helm: support setting imagePullPolicy: GH-601
- Helm: support setting VaultAuth allowedNamespaces: GH-602
Fix:
- Sync: sync HCPVaultSecretsApp on lastGeneration change: GH-591
- Sync: properly handle secret type changes: GH-605
Build:
- Install the operator-sdk CLI and check sdk-generate in CI: GH-590
- Bump some GH action versions: GH-583
Dependency Updates:
- Bump github.com/go-openapi/runtime from 0.26.2 to 0.27.1: GH-572
- Bump github.com/google/uuid from 1.5.0 to 1.6.0: GH-570
- Bump github.com/gruntwork-io/terratest from 0.46.8 to 0.46.11: GH-550
- Bump github.com/hashicorp/go-secure-stdlib/awsutil from 0.2.3-0.20230606170242-1a4b95565d57 to 0.3.0: GH-579
- Bump github.com/hashicorp/vault/api from 1.11.0 to 1.12.0: GH-595
- Bump github.com/hashicorp/vault/sdk from 0.10.2 to 0.11.0: GH-596
- Bump github.com/onsi/gomega from 1.30.0 to 1.31.1: GH-558
- Bump google.golang.org/api from 0.161.0 to 0.163.0: GH-594
- Bump k8s.io/api from 0.29.0 to 0.29.1: GH-556
- Bump k8s.io/client-go from 0.29.0 to 0.29.1: GH-554
- Bump sigs.k8s.io/controller-runtime from 0.17.0 to 0.17.1: GH-597
- Bump ubi9/ubi-micro from 9.3-9 to 9.3-13: GH-566
- Bump ubi9/ubi-minimal from 9.3-1475 to 9.3-1552: GH-565
v0.4.3
0.4.3 (January 10th, 2024)
Fix:
- Helm: rename and truncate the pre-delete cleanup job to 63 characters: GH-506
- VDS: remediate deleted destination secret: GH-532
- Update paused deployment error message: GH-528
- VC: provide default value for spec.skipTLSVerify: GH-527
- CCS: ensure invalid storage objects are deleted: GH-525
- VDS: Log and record Vault request failures: GH-508
- VPS: Sync on any update: GH-479
Dependency Updates:
- Update Go version to fix CVE-2023-45284, CVE-2023-39326, CVE-2023-48795: GH-541
- Bump google.golang.org/api from 0.154.0 to 0.155.0: GH-542
- Bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0: GH-540
- Bump github.com/go-openapi/strfmt from 0.21.9 to 0.22.0: GH-539
- Bump github.com/go-logr/logr from 1.3.0 to 1.4.1: GH-536
- Bump golang.org/x/crypto from 0.16.0 to 0.17.0: GH-524
- Bump k8s.io/client-go from 0.28.4 to 0.29.0: GH-523
- Bump google.golang.org/api from 0.153.0 to 0.154.0: GH-522
- Bump github.com/hashicorp/go-hclog from 1.6.1 to 1.6.2: GH-521
- Bump github.com/google/uuid from 1.4.0 to 1.5.0: GH-520
- Bump ubi9/ubi-minimal from 9.3-1361.1699548032 to 9.3-1475: GH-516
- Bump ubi9/ubi-micro from 9.3-6 to 9.3-9: GH-515
- Bump github.com/go-openapi/strfmt from 0.21.8 to 0.21.9: GH-514
- Bump github.com/hashicorp/go-hclog from 1.5.0 to 1.6.1: GH-513
- Bump github.com/go-openapi/runtime from 0.26.0 to 0.26.2: GH-512
- Bump github.com/gruntwork-io/terratest from 0.46.6 to 0.46.8: GH-497
- Bump google.golang.org/api from 0.152.0 to 0.153.0: GH-496
v0.4.2
0.4.2 (December 7th, 2023)
Important:
- This release corrects a failed release of v0.4.1 to OpenShift's OperatorHub. It should be used in place of v0.4.1.
- When upgrading directly from 0.4.0 or below using Helm, please follow updating-crds.
Fix:
- Include viewer and editor RBAC roles in the chart: GH-501
- Build: image/ubi: add separate target and build job for RedHat: GH-503
Dependency Updates:
v0.4.1
0.4.1 (December 4th, 2023)
Important: this release contains CRD schema changes that must be applied manually when deploying VSO with Helm. Please see updating-crds for more details.
Improvements:
- Manager: setting controller.manager.maxConcurrentReconciles now applies to all Syncable Secret controllers. The previous manager flag --max-concurrent-reconciles-vds is now deprecated and replaced by --max-concurrent-reconciles, which applies to all controllers: GH-483
Fix:
- Helm: prefix all helper functions with vso to avoid subchart name collisions: GH-487
- VSS: Ensure all resource updates are synced: GH-492
- VDS: Fix compute static-creds rotation horizon: GH-488
Dependency Updates:
v0.4.0
0.4.0 (November 16th, 2023)
Features:
- VaultAuth: Support for the GCP authentication method when using GKE workload identity: GH-411
- VDS: Support rotation for non-renewable secrets: GH-397
Fix:
- Remove unneeded instantiation of the VSO ConfigMap watcher: GH-446
- VDS: Correctly compute the lease renewal horizon after a new VSO leader has been elected and the lease is still within its renewal window: GH-397
Dependency Updates:
- Upgrade kube-rbac-proxy to v0.15.0: GH-458
- Bump github.com/onsi/gomega from 1.29.0 to 1.30.0: GH-456
- Bump github.com/gruntwork-io/terratest from 0.46.5 to 0.46.6: GH-455
- Bump google.golang.org/api from 0.149.0 to 0.150.0: GH-454
- Bump ubi9/ubi-minimal from 9.2-750.1697625013 to 9.3-1361.1699548032: GH-444 GH-460
- Bump ubi9/ubi-micro from 9.2-15.1696515526 to 9.3-6: GH-443
- Bump github.com/gruntwork-io/terratest from 0.46.1 to 0.46.5: GH-440
- Bump google.golang.org/api from 0.148.0 to 0.149.0: GH-439
- Bump github.com/go-logr/logr from 1.2.4 to 1.3.0: GH-435
- Bump github.com/google/uuid from 1.3.1 to 1.4.0: GH-434
- Bump github.com/onsi/gomega from 1.28.1 to 1.29.0: GH-433
- Bump google.golang.org/grpc from 1.57.0 to 1.57.1: GH-428
- Bump k8s.io/apimachinery from 0.28.2 to 0.28.3: GH-421
- Bump github.com/onsi/gomega from 1.28.0 to 1.28.1: GH-420
- Bump k8s.io/api from 0.28.2 to 0.28.3: GH-419
- Bump github.com/gruntwork-io/terratest from 0.46.0 to 0.46.1: GH-418
- Bump sigs.k8s.io/controller-runtime from 0.16.2 to 0.16.3: GH-417
v0.3.4
v0.3.3
0.3.3 (October 17th, 2023)
Fix:
- Important security update to address some Golang vulnerabilities: GH-414
Dependency Updates:
- Upgrade kube-rbac-proxy to v0.14.4 for CVE-2023-39325: GH-414
- Bump to Go 1.21.3 for CVE-2023-39325: GH-408
- Bump github.com/hashicorp/vault/sdk from 0.10.0 to 0.10.2: GH-410
- Bump github.com/gruntwork-io/terratest from 0.45.0 to 0.46.0: GH-409
- Bump golang.org/x/net from 0.14.0 to 0.17.0: GH-407