Releases: hashicorp/vault-csi-provider
Releases · hashicorp/vault-csi-provider
v1.4.2
1.4.2 (March 27th, 2024)
CHANGES:
- Build with Go v1.22.1
- Test with K8s 1.25-1.29
- Test with Vault 1.13-1.15
- Updated Docker base image from alpine 3.18.4 -> 3.19.1
- Updated dependencies:
- github.com/go-jose/go-jose/v3 v3.0.1 -> 3.0.3
- github.com/hashicorp/go-hclog v1.5.0 -> v1.6.2
- github.com/hashicorp/golang-lru/v2 v2.0.2 -> v2.0.7
- github.com/hashicorp/vault/api v1.9.0 -> v1.12.2
- github.com/stretchr/testify v1.8.2 -> v1.9.0
- golang.org/x/crypto v0.14.0 -> v0.21.0
- golang.org/x/net v0.17.0 -> v0.22.0
- golang.org/x/sys v0.13.0 -> v0.18.0
- golang.org/x/term v0.13.0 -> v0.18.0
- google.golang.org/grpc v1.56.3 -> v1.62.1
- google.golang.org/protobuf v1.30.0 -> v1.33.0
- k8s.io/api v0.26.3 -> v0.29.3
- k8s.io/apimachinery v0.26.3 -> v0.29.3
- k8s.io/client-go v0.26.3 -> v0.29.3
- k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 -> v0.0.0-20230726121419-3b25d923346b
- sigs.k8s.io/secrets-store-csi-driver v1.3.3 -> v1.4.2
v1.4.1
Prepare release 1.4.1 (#228)
v1.4.0
Changes
- SecretProviderClass objects now also accept
spec.parameters.vaultAuthMountPath
as an alternative tospec.parameters.vaultKubernetesMountPath
. [GH-210]
Features
v1.3.0
1.3.0 (April 5th, 2023)
CHANGES:
- Vault CSI Provider will use service account tokens passed from the Secrets Store CSI Driver instead of generating one if an appropriate token is provided. [GH-163]
- The Secrets Store CSI driver needs to be configured to generate tokens with the correct audience for this feature. Vault CSI Provider
will look for a token with the audience specified in the SecretProviderClass, or otherwise "vault". To configure the driver to generate
a token with the correct audience, use the
tokenRequests
option from the driver helm chart via the flag--set tokenRequests[0].audience="vault"
. See
CSI TokenRequests documentation for further details.
- The Secrets Store CSI driver needs to be configured to generate tokens with the correct audience for this feature. Vault CSI Provider
- Vault CSI Provider now creates a Kubernetes secret with an HMAC key to produce consistent hashes for secret versions. [GH-198]
- Requires RBAC permissions to create secrets, and read the same specific secret back. Versions are not generated otherwise and a warning
is logged on each mount that fails to generate a version. - Supports creating the secret with custom name via
-hmac-secret-name
- Requires RBAC permissions to create secrets, and read the same specific secret back. Versions are not generated otherwise and a warning
- Updated Docker base image from alpine 3.16.3 -> 3.17.3
- Build with Go v1.20.3
- Updated dependencies:
- github.com/hashicorp/go-hclog v1.3.1 -> v1.5.0
- github.com/hashicorp/vault/api v1.8.2 -> v1.9.0
- github.com/stretchr/testify v1.8.1 -> v1.8.2
- google.golang.org/grpc v1.50.1 -> v1.54.0
- k8s.io/api v0.25.4 -> v0.26.3
- k8s.io/apimachinery v0.25.4 -> v0.26.3
- k8s.io/client-go v0.25.4 -> v0.26.3
- k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed -> v0.0.0-20230313181309-38a27ef9d749
- sigs.k8s.io/secrets-store-csi-driver v1.2.4 -> v1.3.2
- Tests are now run against Kubernetes versions: 1.22.17, 1.23.17, 1.24.12, 1.25.8, 1.26.3
IMPROVEMENTS:
- Support utf-8 (default), hex, and base64 encoded secrets [GH-194]
v1.2.1
1.2.1 (November 21st, 2022)
CHANGES:
- Updated dependencies:
- github.com/hashicorp/go-hclog v1.0.0 -> v1.3.1
- github.com/hashicorp/vault/api v1.2.0 -> v1.8.2
- github.com/stretchr/testify v1.7.2 -> v1.8.1
- google.golang.org/grpc v1.41.0 -> v1.50.1
- k8s.io/api v0.22.2 -> v0.25.4
- k8s.io/apimachinery v0.22.2 -> v0.25.4
- k8s.io/client-go v0.22.2 -> v0.25.4
- sigs.k8s.io/secrets-store-csi-driver v1.0.0 -> v1.2.4
- golang.org/x/net v0.0.0-20220722155237-a158d28d115b -> v0.0.0-20221012135044-0b7e1fb9d458
- golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f -> v0.0.0-20220728004956-3c1f35247d10
- golang.org/x/text v0.3.7 -> v0.3.8
- Updated Docker base image from alpine 3.15.0 -> 3.16.3
v1.2.0
1.2.0 (August 8th, 2022)
CHANGES:
- Duplicate object names now trigger an error instead of silently overwriting files. [GH-148]
BUGS:
VAULT_ADDR
environment variable can now be used to set the Vault address. [GH-160]- Secret mounting correctly fails now if the secret path exists but the requested secret key does not. [GH-166]
IMPROVEMENTS:
v1.1.0
1.1.0 (April 26th, 2022)
IMPROVEMENTS:
- New flags to configure default Vault namespace and TLS details. [GH-138]
-vault-namespace
-vault-tls-ca-cert
-vault-tls-ca-directory
-vault-tls-server-name
-vault-tls-client-cert
-vault-tls-client-key
-vault-tls-skip-verify
- Add an optional SecretProviderClass parameter
audience
to customize theaud
claim in the JWT [GH-144] - New SecretProviderClass field
filePermission
can be used per-secret to set the file permissions it is written with. [GH-139]
v1.0.0
1.0.0 (January 25th, 2022)
Changes
-write-secrets
flag removed. All secrets are now written to the filesystem by the CSI secrets store driver. [GH-133]- Note: CSI secrets store driver v0.0.21+ is required.
-health_addr
flag removed, use-health-addr
instead. [GH-133]- Warning logs are no longer printed when deprecated SecretProviderClass fields
kubernetesServiceAccountPath
andvaultCAPem
are used. [GH-134]
v0.4.0
0.4.0 (January 12th, 2022)
Changes
-write-secrets
flag now defaults tofalse
, delegating file writes to the driver. [GH-127]- Note:
-write-secrets
is deprecated and will be removed in the next major version.
- Note:
Features
- Support extracting JSON values using
secretKey
in the SecretProviderClass [GH-126]
Maintenance
- Multi-arch images now available on Docker hub, including
amd64
,arm64
,arm/v6
and386
0.3.0
0.3.0 (June 7th, 2021)
Announcements
--write-secrets=false
will become the default from v0.4.0, and requires secrets-store-csi-driver v0.0.21+.- The
--health_addr
flag is marked deprecated but still functioning. Please use--health-addr
instead.--health_addr
is currently planned for removal in v0.5.0.
Features
- Support for changing the default Vault address and Kubernetes mount path via CLI flag to the vault-csi-provider binary [GH-96]
- Support for sending secret contents to driver for writing via
--write-secrets=false
[GH-89]- Note:
--write-secrets=false
will become the default from v0.4.0 and require secrets-store-csi-driver v0.0.21+
- Note:
Changes
--health_addr
flag is marked deprecated and replaced by--health-addr
. Slated for removal in v0.5.0 [GH-100]
Bugs
- Added missing error handling when transforming SecretProviderClass config to a Vault request [GH-97]