CHANGELOG.md
Unreleased

Changes:

  • Latest Kubernetes version tested is now 1.27
  • server: Headless service ignores the server.service.publishNotReadyAddresses setting and always sets it to true GH-902

Features:

  • CSI: Make nodeSelector and affinity configurable for CSI daemonset's pods GH-862

Bugs:

  • server: Set the default for prometheusRules.rules to an empty list GH-886

0.24.1 (April 17, 2023)

Bugs:

  • csi: Add the RBAC required by vault-csi-provider v1.3.0 to create the secret for the HMAC key used to generate secret versions GH-872

0.24.0 (April 6, 2023)

Changes:

  • Earliest Kubernetes version tested is now 1.22
  • vault updated to 1.13.1 GH-863
  • vault-k8s updated to 1.2.1 GH-868
  • vault-csi-provider updated to 1.3.0 GH-749

Features:

  • server: New extraPorts option for adding ports to the Vault server statefulset GH-841
  • server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset GH-831
  • injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe GH-852
  • csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals GH-749

0.23.0 (November 28th, 2022)

Changes:

  • vault updated to 1.12.1 GH-814
  • vault-k8s updated to 1.1.0 GH-814
  • vault-csi-provider updated to 1.2.1 GH-814

Features:

  • server: Add extraLabels for Vault server serviceAccount GH-806
  • server: Add server.service.active.enabled and server.service.standby.enabled options to selectively disable additional services GH-811
  • server: Add server.serviceAccount.serviceDiscovery.enabled option to selectively disable a Vault service discovery role and role binding GH-811
  • server: Add server.service.instanceSelector.enabled option to allow selecting pods outside the helm chart deployment GH-813

Bugs:

  • server: Quote .server.ha.clusterAddr value GH-810

Improvements:

  • injector: Add ephemeralLimit and ephemeralRequest as options for configuring Agent's ephemeral storage resources GH-798

0.22.1 (October 26th, 2022)

Changes:

  • vault updated to 1.12.0 GH-803
  • vault-k8s updated to 1.0.1 GH-803

0.22.0 (September 8th, 2022)

Features:

  • Add PrometheusOperator support for collecting Vault server metrics. GH-772

Changes:

  • vault-k8s to 1.0.0 GH-784
  • Test against Kubernetes 1.25 GH-784
  • vault updated to 1.11.3 GH-785

0.21.0 (August 10th, 2022)

CHANGES:

  • vault-k8s updated to 0.17.0. GH-771
  • vault-csi-provider updated to 1.2.0 GH-771
  • vault updated to 1.11.2 GH-771
  • Start testing against Kubernetes 1.24. GH-744
  • Deprecated injector.externalVaultAddr. Added global.externalVaultAddr, which applies to both the Injector and the CSI Provider. GH-745
  • CSI Provider pods now set the VAULT_ADDR environment variable to either the internal Vault service or the configured external address. GH-745

Features:

  • server: Add server.statefulSet.securityContext to override pod and container securityContext. GH-767
  • csi: Add csi.daemonSet.securityContext to override pod and container securityContext. GH-767
  • injector: Add injector.securityContext to override pod and container securityContext. GH-750 and GH-767
  • Add server.service.activeNodePort and server.service.standbyNodePort to specify the nodePort for active and standby services. GH-610
  • Support for setting annotations on the injector's serviceAccount GH-753

0.20.1 (May 25th, 2022)

CHANGES:

  • vault-k8s updated to 0.16.1 GH-739

Improvements:

  • Mutating webhook will no longer target the agent injector pod GH-736

Bugs:

  • vault service account is now created even if the server is set to disabled, as it was before 0.20.0 GH-737

0.20.0 (May 16th, 2022)

CHANGES:

  • global.enabled now works as documented: setting global.enabled to false disables everything, and individual components can then be turned on individually GH-703
  • Default value of "-" used for injector and server to indicate that they follow global.enabled GH-703
  • Vault default image to 1.10.3
  • CSI provider default image to 1.1.0
  • Vault K8s default image to 0.16.0
  • Earliest Kubernetes version tested is now 1.16
  • Helm 3.6+ now required

Features:

  • Support topologySpreadConstraints in server and injector. GH-652

Improvements:

  • CSI: Set extraLabels for daemonset, pods, and service account GH-690
  • Add namespace to injector-leader-elector role, rolebinding and secret GH-683
  • Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector GH-710
  • Make the Cluster Address (CLUSTER_ADDR) configurable GH-629
  • server: Make publishNotReadyAddresses configurable for services GH-694
  • server: Allow config to be defined as a YAML object in the values file GH-684
  • Maintain default MutatingWebhookConfiguration values from v1beta1 GH-692

0.19.0 (January 20th, 2022)

CHANGES:

  • Vault image default 1.9.2
  • Vault K8s image default 0.14.2

Features:

  • Added configurable podDisruptionBudget for injector GH-653
  • Make terminationGracePeriodSeconds configurable for server GH-659
  • Added configurable update strategy for injector GH-661
  • csi: ability to set priorityClassName for CSI daemonset pods GH-670

Improvements:

  • Set the namespace on the OpenShift Route GH-679
  • Add volumes and env vars to helm hook test pod GH-673
  • Make TLS configurable for OpenShift routes GH-686

0.18.0 (November 17th, 2021)

CHANGES:

  • Removed support for deploying a leader-elector container with the vault-k8s injector, since vault-k8s now uses an internal mechanism to determine leadership GH-649
  • Vault image default 1.9.0
  • Vault K8s image default 0.14.1

Improvements:

  • Added templateConfig.staticSecretRenderInterval chart option for the injector GH-621

0.17.1 (October 25th, 2021)

Improvements:

  • Add option for Ingress PathType GH-634

0.17.0 (October 21st, 2021)

KNOWN ISSUES:

  • The chart will fail to deploy on Kubernetes 1.19+ with server.ingress.enabled=true because no pathType is set

CHANGES:

  • Vault image default 1.8.4
  • Vault K8s image default 0.14.0

Improvements:

  • Support Ingress stable networking API GH-590
  • Support setting the externalTrafficPolicy for LoadBalancer and NodePort service types GH-626
  • Support setting ingressClassName on server Ingress GH-630

Bugs:

  • Ensure kubeletRootDir volume path and mounts are the same when csi.daemonSet.kubeletRootDir is overridden GH-628

0.16.1 (September 29th, 2021)

CHANGES:

  • Vault image default 1.8.3
  • Vault K8s image default 0.13.1

0.16.0 (September 16th, 2021)

CHANGES:

  • Support for deploying a leader-elector container with the vault-k8s injector will be removed in version 0.18.0 of this chart, since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set useContainer=true.

Improvements:

  • Make CSI provider hostPaths configurable via csi.daemonSet.providersDir and csi.daemonSet.kubeletRootDir GH-603
  • Support vault-k8s internal leader election GH-568 GH-607

0.15.0 (August 23rd, 2021)

Improvements:

  • Add imagePullSecrets on server test GH-572
  • Add injector.webhookAnnotations chart option GH-584

0.14.0 (July 28th, 2021)

Features:

  • Added templateConfig.exitOnRetryFailure chart option for the injector GH-560

Improvements:

  • Support configuring pod tolerations, pod affinity, and node selectors as YAML GH-565
  • Set the default vault image to come from the hashicorp organization GH-567
  • Add support for running the acceptance tests against a local kind cluster GH-567
  • Add server.ingress.activeService to configure if the ingress should use the active service GH-570
  • Add server.route.activeService to configure if the route should use the active service GH-570
  • Support configuring global.imagePullSecrets from a string array GH-576

0.13.0 (June 17th, 2021)

Improvements:

  • Added a helm test for vault server GH-531
  • Added server.enterpriseLicense option GH-547
  • Added OpenShift overrides GH-549

Bugs:

  • Fix ui.serviceNodePort schema GH-537
  • Fix server.ha.disruptionBudget.maxUnavailable schema GH-535
  • Added webhook-certs volume mount to sidecar injector GH-545

0.12.0 (May 25th, 2021)

Features:

  • Pass additional arguments to vault-csi-provider using csi.extraArgs GH-526

Improvements:

  • Set chart kubeVersion and added chart-verifier tests GH-510
  • Added values json schema GH-513
  • Ability to set tolerations for CSI daemonset pods GH-521
  • UI target port is now configurable GH-437

Bugs:

  • CSI: global.imagePullSecrets are now also used for CSI daemonset GH-519

0.11.0 (April 14th, 2021)

Features:

  • Added server.enabled to explicitly skip installing a Vault server GH-486
  • Injector now supports enabling host network GH-471
  • Injector port is now configurable GH-489
  • Injector Vault Agent resource defaults are now configurable GH-493
  • Extra paths can now be added to the Vault ingress service GH-460
  • Log level and format can now be set directly using server.logFormat and server.logLevel GH-488

Improvements:

  • Added https name to injector service port GH-495

Bugs:

  • CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name GH-486

0.10.0 (March 25th, 2021)

Improvements:

  • objectSelector can now be set on the mutating admission webhook GH-456

0.9.1 (February 2nd, 2021)

Bugs:

  • Injector: fix labels for default anti-affinity rule GH-441, GH-442
  • Set VAULT_DEV_LISTEN_ADDRESS in dev mode GH-446

0.9.0 (January 5th, 2021)

Features:

  • Injector now supports configurable number of replicas GH-436
  • Injector now supports auto TLS for multiple replicas using leader elections GH-436

Improvements:

  • Dev mode now supports server.extraArgs GH-421
  • Dev mode root token is now configurable with server.dev.devRootToken GH-415
  • ClusterRoleBinding updated to v1 GH-395
  • MutatingWebhook updated to v1 GH-408
  • Injector service now supports injector.service.annotations GH-425
  • Injector now supports injector.extraLabels GH-428
  • Added allowPrivilegeEscalation: false to Vault and Injector containers GH-429
  • Network Policy now supports server.networkPolicy.egress GH-389

0.8.0 (October 20th, 2020)

Improvements:

  • Make server NetworkPolicy independent of OpenShift GH-381
  • Added configurables for all probe values GH-387
  • MountPath for audit and data storage is now configurable GH-393
  • Annotations can now be added to the Injector pods GH-394
  • The injector can now be configured with a failurePolicy GH-400
  • Added additional environment variables for rendering within Vault config GH-398
  • Service account for Vault K8s auth is automatically created when injector.externalVaultAddr is set GH-392

Bugs:

  • Fixed install output using Helm V2 command GH-378

0.7.0 (August 24th, 2020)

Features:

  • Added volumes and volumeMounts for mounting any type of volume GH-314
  • Added configurable to enable the Prometheus telemetry exporter for Vault Agent Injector GH-372

Improvements:

  • Added defaultMode configurable to extraVolumes GH-321
  • Option to install and use PodSecurityPolicies for vault server and injector GH-177
  • VAULT_API_ADDR is now configurable GH-290
  • Removed deprecated tolerate unready endpoint annotations GH-363
  • Add an option to set annotations on the StatefulSet GH-199
  • Make the vault server serviceAccount name a configuration option GH-367
  • Removed annotation restriction from dev mode GH-371
  • Add an option to set annotations on PVCs GH-364
  • Added service configurables for UI GH-285

Bugs:

  • Fix python dependency in test image GH-337
  • Fix caBundle not being quoted causing validation issues with Helm 3 GH-352
  • Fix injector network policy being rendered when injector is not enabled GH-358

0.6.0 (June 3rd, 2020)

Features:

  • Added extraInitContainers to define init containers for the Vault cluster GH-258
  • Added postStart lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready GH-315
  • Beta: Added OpenShift support GH-319

Improvements:

  • Server configs can now be defined in YAML. Multi-line string configs are still compatible GH-213
  • Removed IPC_LOCK privileges since swap is disabled on containers GH-198
  • Use port names that map to vault.scheme GH-223
  • Allow both YAML and multi-line string annotations GH-272
  • Added configurable to set the Raft node name to hostname GH-269
  • Support setting priorityClassName on pods GH-282
  • Added support for ingress apiVersion networking.k8s.io/v1beta1 GH-310
  • Added configurable to change service type for the HA active service GH-317

Bugs:

  • Fixed default ingress path GH-224
  • Fixed annotations for HA standby/active services GH-268
  • Updated some value defaults to match their use in templates GH-309
  • Use active service on ingress when HA is enabled GH-270
  • Fixed bug where pull secrets weren't being used for injector image GH-298

0.5.0 (April 9th, 2020)

Features:

  • Added Raft support for HA mode GH-228
  • Now supports Vault Enterprise GH-250
  • Added K8s Service Registration for HA modes GH-250
  • Option to set AGENT_INJECT_VAULT_AUTH_PATH for the injector GH-185
  • Added environment variables for logging and revocation on Vault Agent Injector GH-219
  • Option to set environment variables for the injector deployment GH-232
  • Added affinity, tolerations, and nodeSelector options for the injector deployment GH-234
  • Made all annotations multi-line strings GH-227

0.4.0 (February 21st, 2020)

Improvements:

  • Allow process namespace sharing between Vault and sidecar containers GH-174
  • Added configurable to change updateStrategy GH-172
  • Added sleep in the preStop lifecycle step GH-188
  • Updated chart and tests to Helm 3 GH-195
  • Adds Values.injector.externalVaultAddr to use the injector with an external vault GH-207

Bugs:

  • Fix bug where Vault lifecycle was appended after extra containers GH-179

0.3.3 (January 14th, 2020)

Security:

  • Added server.extraArgs to allow loading of additional Vault configurations containing sensitive settings GH-175

Bugs:

  • Fixed injection bug where wrong environment variables were being used for manually mounted TLS files

0.3.2 (January 8th, 2020)

Bugs:

  • Fixed injection bug where TLS Skip Verify was true by default [VK8S-35]

0.3.1 (January 2nd, 2020)

Bugs:

  • Fixed injection bug causing kube-system pods to be rejected [VK8S-14]

0.3.0 (December 19th, 2019)

Features:

  • Extra containers can now be added to the Vault pods
  • Added configurability of pod probes
  • Added Vault Agent Injector

Improvements:

  • Moved global.image to server.image
  • Changed UI service template to route pods that aren't ready via publishNotReadyAddresses: true
  • Added better HTTP/HTTPS scheme support to http probes
  • Added configurable node port for Vault service
  • server.authDelegator is now enabled by default

Bugs:

  • Fixed upgrade bug by removing chart label which contained the version
  • Fixed typo on serviceAccount (was serviceaccount)
  • Fixed readiness/liveness HTTP probe default to accept standbys

0.2.1 (November 12th, 2019)

Bugs:

  • Removed readOnlyRootFilesystem causing issues when validating deployments

0.2.0 (October 29th, 2019)

Features:

  • Added load balancer support
  • Added ingress support
  • Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc.)
  • Removed root requirements, now runs as Vault user

Improvements:

  • Added namespace value to all rendered objects
  • Made ports configurable in services
  • Added the ability to add custom annotations to services
  • Added docker image for running bats test in CircleCI
  • Removed restrictions around dev mode such as annotations
  • readOnlyRootFilesystem is now configurable
  • Image Pull Policy is now configurable

Bugs:

  • Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption)
  • Fixed bug where audit storage was not being mounted in HA mode
  • Fixed bug where Vault pod wasn't receiving SIGTERM signals

0.1.2 (August 22nd, 2019)

Features:

  • Added extraSecretEnvironmentVars to allow users to mount secrets as environment variables
  • Added tlsDisable configurable to switch between HTTP and HTTPS depending on the value
  • Added serviceNodePort to configure a NodePort value when setting serviceType to "NodePort"

Improvements:

  • Changed UI port to 8200 for better HTTP protocol support
  • Added path to extraVolumes to define where the volume should be mounted. Defaults to /vault/userconfig
  • Upgraded Vault to 1.2.2

Bugs:

  • Fixed bug where upgrade would fail because immutable labels were being changed (Helm Version label)
  • Fixed bug where UI service used wrong selector after updating helm labels
  • Added VAULT_API_ADDR env to Vault pod to fix a bug where Vault thinks Consul is the active node
  • Removed step-down preStop since it requires authentication. The shutdown signal sent by Kube acts similarly to step-down

0.1.1 (August 7th, 2019)

Features:

  • Added authDelegator Cluster Role Binding to Vault service account for bootstrapping Kube auth method

Improvements:

  • Added server.service.clusterIP to values.yml so users can toggle the Vault service to headless by using the value None.
  • Upgraded Vault to 1.2.1

0.1.0 (August 6th, 2019)

Initial release