bank-vaults

A Vault swiss-army knife: A CLI tool to init, unseal and configure Vault (auth methods, secret engines).

APACHE-2.0 License


bank-vaults - 1.11.1

Published by bonifaido over 3 years ago

  • webhook: Kill container process when non-renewable lease expired (#1239) - @moskitone
bank-vaults - 1.11.0

Published by bonifaido almost 4 years ago

  • operator: full v1/CRD specification and validation (#973)
  • webhook: rewrite registry access entirely with go-containerregistry (#1194)
bank-vaults - 1.10.1

Published by pbalogh-sa almost 4 years ago

  • injector: differentiate "not found" from other errors (#1223)
  • operator&chart: DR secondary nodes should be healthy (#1230)
bank-vaults - 1.10.0

Published by bonifaido almost 4 years ago

  • operator: prometheus fixes in example (#1210)
  • operator: support for unauthenticated_metrics_access and deduplicating prometheus targets (#1211)
  • charts: standardize serviceAccount creation (#1213)
  • charts: fix yaml when install chart vault with .Values.rbac.psp.enabled=true (#1215) - @LuckySB
  • operator: fix stable chart repo location (#1216)
  • update vault to 1.6.1
  • unseal: use AWS_REGION/AWS_DEFAULT_REGION if possible (#1221)
  • operator: add cert-manager example (#1205)
  • operator: support for all affinity configurations (#1222)
bank-vaults - 1.9.0

Published by bonifaido almost 4 years ago

Changes

  • client: log warnings from configuration changes (#1199)
  • charts: move all images to ghcr.io (#1185)
  • configurer: allow saving Vault secret engine configuration data to KV 2 engine (#1202)
  • webhook: migrate to google/go-containerregistry (#1194)
  • webhook: tries to fetch image descriptor from Docker Hub instead of private registry (#1203) - @joshdvir
  • webhook/chart: allow the vault-webhook to be contacted over loadbalancer or ingress (#1196) - @AtzeDeVries
  • operator: ability to use specific loadbalancerip (#1186) - @squaricdot
  • operator: apply sidecarEnvsConfig to fluentd and statsd, add resources for fluentd (#1197)
  • operator: add VaultContainerSpec override (#1207)
  • documentation: many fixes, structural changes thanks to @fekete-robert

🎄 Thanks to all the contributors! 👏 🎄

bank-vaults - 1.8.0

Published by bonifaido almost 4 years ago

Changes

  • client: automated GCP GCE authentication (#1166)
  • webhook: configurable timeoutSeconds value (#1159) - @rexbut
  • webhook: annotations to control agent and env images (#1163) - @michael-todorovic
  • webhook: fix vault agent -once command to exit after auth (#1168) - @joshdvir
  • webhook: Use agent ConfigMap when agent is in the InitContainers (#1181) - @joshdvir
  • webhook: add hostnetwork in chart (following of #1154) (#1171) - @cpoule23
  • webhook: Add inline secrets for vault-env/vault-secrets-webhook (#1178) - @Lord-Y
  • operator: Raft as HA storage (#1172)
  • operator: add service_registration (#1174)
  • operator: added Alibaba example (#1179)
  • vault/chart: align IPC_LOCK behaviour to operator based on disable_mlock (#1176)
  • vault-env: fix vault:login clientOptions (#1180)

Thanks to all the contributors! 👏

bank-vaults - 1.7.0

Published by bonifaido almost 4 years ago

A 100% webhook release this time! 🕸️ ⚓ Thanks to all external contributors!

Changes

  • webhook: add a check for EnvFromPath to be empty for continuation (#1145) - @rocpatel
  • webhook: load CA for non-pods as well (#1148)
  • webhook: add possibility to define multiple inline-secrets (#1143) - @kschu91, @nikals99
  • webhook: add support for externally defined Certificate by cert-manager (#1146) - @gw0
  • webhook: Adding KubeVersion validation when using admissionReviewVersions (#1150) - @fdpeiter
  • webhook: allow token access to vault (#1156) - @bradfordwagner
bank-vaults - 1.6.0

Published by bonifaido about 4 years ago

Changes

  • general: upgrade Kubernetes to 1.19 (#1131) (@sagikazarmark)
  • general: use Vault 1.5.4 (#1132)
  • operator: Custom fluentd conf path (#1134) (@idgenchev)
  • operator: drop helm2 support in the chart, fix linting issues (#1139)
  • operator: Update values.yaml: fix typo (#1116) (@evgkrsk)
  • operator: deploy configurer only if there is any externalConfig present (#1126)
  • webhook: fix: move VAULT_ENV_FROM_PATH to mutateContainers (#1117) (@rocpatel)
  • webhook: add support for GCR default credentials (#1120) (@viktorradnai)
  • webhook: allow specifying pod securityContext and full container securityContext (#1119) (@dbeal-wiser)
  • webhook: make secretNeedsMutation check work better for DockerConfigJsonKey (#1123)
  • webhook: change the resource limit/requests of copy-vault-env and vault-agent to a sane value (#1124)
  • webhook: fix secret caching and add test (#1137)
  • vault-env: implement aws ec2 auth method (#1095)
  • cli: replace gin with net/http to avoid dependency (#1118)
  • cli: handle signals properly (#1129)
  • configurer: exit early if possible before touching the API (#1125)

Note about Helm charts:
From 1.6.0 the operator chart is Helm 3 only (the other charts are still compatible with Helm 2, but only on best-effort basis).

Helm2 -> Helm3 migration

If you installed the chart with Helm 2 and are now trying to upgrade it with Helm 3, be careful: Helm 3 will delete the Vault CRD from your cluster during the upgrade from Helm 2 (see helm/helm#7279), and with it every Vault custom resource. To avoid that, follow these steps:

# Make sure you are using Helm 3
helm version

# version.BuildInfo{Version:"v3.3.4", GitCommit:"a61ce5633af99708171414353ed49547cf05013d", GitTreeState:"clean", GoVersion:"go1.14.9"}

# Get the latest vault-operator chart
helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
helm repo update

# Delete all Helm2 release records of the vault-operator manually with kubectl to keep the resources in the cluster
kubectl delete configmaps -n kube-system vault-operator.v1
# Delete all resources except the Vault CRD
helm template vault-operator banzaicloud-stable/vault-operator | kubectl delete -f -
# Install the new Helm3 version of the chart
helm upgrade --install vault-operator banzaicloud-stable/vault-operator
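The migration above deletes Helm 2 release records and chart resources by hand, so a mistake (still on Helm 2, or the CRD already gone) is expensive. The following wrapper is an added example, not part of these release notes or the bank-vaults project: it checks the Helm major version from `helm version` output, verifies the Vault CRD (assumed to be named vaults.vault.banzaicloud.com) is present before and after the migration, and removes every `vault-operator.vN` Helm 2 record rather than only `.v1`. The `migrate` function runs the real commands; the helpers take command output as a string so they can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example (not from the bank-vaults project). Assumes the release is
# named vault-operator, Helm 2 kept its records in kube-system, and the
# operator's CRD is vaults.vault.banzaicloud.com.
set -e

# Print the Helm major version parsed from `helm version` output,
# e.g. "3" from version.BuildInfo{Version:"v3.3.4", ...}; prints nothing
# for Helm 2 output (Client: &version.Version{SemVer:"v2.16.1", ...}).
helm_major() {
  printf '%s\n' "$1" | sed -n 's/.*Version:"v\([0-9][0-9]*\)\..*/\1/p'
}

# Succeed only if the Vault CRD appears in `kubectl get crd -o name` output.
crd_listed() {
  printf '%s\n' "$1" | grep -qx \
    'customresourcedefinition.apiextensions.k8s.io/vaults.vault.banzaicloud.com'
}

# Count Helm 2 release records (configmap/vault-operator.v1, .v2, ...) in
# `kubectl get configmaps -n kube-system -o name` output.
helm2_release_records() {
  printf '%s\n' "$1" | grep -c '^configmap/vault-operator\.v[0-9][0-9]*$' || true
}

migrate() {
  [ "$(helm_major "$(helm version)")" = 3 ] || { echo "Helm 3 is required" >&2; return 1; }
  crd_listed "$(kubectl get crd -o name)" || { echo "Vault CRD not found" >&2; return 1; }
  helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
  helm repo update
  # Remove every Helm 2 record so Helm 3 never treats this as a Helm 2 release.
  kubectl get configmaps -n kube-system -o name \
    | grep '^configmap/vault-operator\.v[0-9]' | xargs -r kubectl delete -n kube-system
  # Delete the chart resources but not the CRD, then install with Helm 3.
  helm template vault-operator banzaicloud-stable/vault-operator | kubectl delete -f -
  helm upgrade --install vault-operator banzaicloud-stable/vault-operator
  crd_listed "$(kubectl get crd -o name)" || { echo "Vault CRD lost during migration" >&2; return 1; }
}

# Constructed sample output, so the helpers can be checked without a cluster.
SAMPLE_HELM3='version.BuildInfo{Version:"v3.3.4", GitCommit:"abc", GitTreeState:"clean", GoVersion:"go1.14.9"}'
echo "parsed Helm major version: $(helm_major "$SAMPLE_HELM3")"
```

Call `migrate` on the target cluster once the constructed samples have been replaced by real output; it stops before deleting anything if the Helm version or the CRD check fails.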
bank-vaults - 1.5.0

Published by bonifaido about 4 years ago

Changes

  • vault-env: support GCP auth (#1093)
  • client: move operator_client.go to internal (BREAKING CHANGE) (#1092)
  • webhook: allow adding auth-delegator role in the chart (#1101)
  • multi-dc: add local acceptance-test based on kind and MetalLB (#1103)
  • operator: fix single cluster raft with LoadBalancer serviceType (#1105)
  • ci: build multi-platform images (#1107)
  • operator: extract raft detection logic to IsRaftBootstrapFollower (#1111)
  • operator: add PSP for vault-operator and vault that is deployed by the operator (#1109)
  • operator: update images to support arm64 (#1114)
  • webhook: Add env from vault path (#1100) (@rocpatel)

Note about Docker images:
From this release, all Bank-Vaults Docker images are pushed to the GitHub Container Registry as well as an alternative to Docker Hub. You can find them here.
Helm charts, vault-operator, and vault-secrets-webhook still use Docker Hub as the default image source, but in all cases, this can be changed to ghcr.io, see the charts and documentation for more details.

All images deployed by the operator are ARM friendly multi-platform images. The images pushed to the ghcr.io registry are built for 3 different architectures:

  • linux/amd64
  • linux/arm64
  • linux/arm

Note about Helm charts:
This is the last release where we officially support Helm 2 for the charts. From now on Helm 3 is guaranteed to work only. See: https://github.com/banzaicloud/bank-vaults/issues/1097

bank-vaults - 1.4.2

Published by bonifaido about 4 years ago

Changes

  • operator: bump controller-runtime and k8s versions (#1090)
  • webhook: fix injection request method for non-pods (#1084)
  • webhook: allow the vault-env repository to be overridden. (#1088) (@brewneaux)
  • ci: enable github container registry build (#1089)

Note about Docker images:
From this release, all Bank-Vaults Docker images are pushed to the GitHub Container Registry as well, as an alternative to Docker Hub. You can find them here.
Helm charts, vault-operator, and vault-secrets-webhook still use Docker Hub as the default image source, but in all cases, this can be changed to ghcr.io, see the charts and documentation for more details.

bank-vaults - 1.4.1

Published by bonifaido about 4 years ago

  • operator: Add per instance svc hosts to Vault cert SANs (#1073) (@ptzianos)
  • operator: add labels to deployments and StatefulSets as well (#1079)
  • operator: pin tagged version for bank-vaults sidecar (#1082)
  • webhook: use admissionregistration.k8s.io/v1 in registration wherever possible (#1078)

bank-vaults - 1.4.0

Published by bonifaido about 4 years ago

Changes:

  • webhook: add resource skip annotation (#1036)
  • charts: fix image tag by appVersion (#1040)
  • operator: Unset owner references on synced TLS CA secrets (#1037) @Jpnock
  • webhook: possibility to change the log level (#1039) @anasinnyk
  • operator: add image pull secrets (#1042) @sparqueur
  • operator: remove outdated image setting from script (#1045)
  • operator: TLS fixes in multi dc raft example (#1046)
  • webhook: Optional serviceaccount labels and annotations (#1048) @boukili
  • operator: allow VAULT_ADDR to be overridden (#1051)
  • webhook: pass log_level to mutated container (#1050) @anasinnyk
  • chart/vault: support downward api in vault chart env vars (#1054) @jcooley
  • operator: add some startup secrets to the softhsm example
  • chart/vault: add option for headless service (#1056) @cablespaghetti
  • chart/vault: Option to use CertManager to generate certs (#1057) @cablespaghetti
  • webhook: remove unnecessary config.hcl entry in example deployment (#1060) @jwitko
  • configurer: AWS SSE Support (#1055) @ptzianos
  • webhook: fix VAULT_IMAGE case (#1061)
  • chart/vault: make affinity configurable in helm chart (#1062) @jcooley
  • operator: Multi-DC Raft Service fixes (#1058) (#1064)
  • charts: fix template globalness (#1066)
  • code: check all returned errors correctly (#1067)
  • configurer: implement userpass auth method (#1068)
  • Vault 1.5.0 tested and works fine!

Deprecations:

  • Using Helm 2 is considered to be deprecated and support for it will be removed after two non-patch releases from now on.
bank-vaults - 1.3.3

Published by bonifaido over 4 years ago

Changes:

  • Fix names of k8s resources in vault-secrets-webhook chart (#1025) @gw0
  • Add seal check to vault init (#1030) @dbason
  • Kubernetes OIDC and projected SA support (#1026)
  • operator: remove ca.key from CA secret (#1033) @sanderma
  • chart/vault: fix helm test for https (#1034) @jcooley
  • simplify acceptance test with conditional waits (#1032)
  • use templates for image versions in charts (#1035)
bank-vaults - 1.3.2

Published by bonifaido over 4 years ago

This release contains some bugfixes:

Operator

  • automount ServiceAccount Token into Bank-Vaults pods (#1018)
  • various Raft transport fixes when using Raft with Istio over plain HTTP (#1021)
  • fixing Google KMS unsealing when using Raft (#1022)
bank-vaults - 1.3.1

Published by bonifaido over 4 years ago

General

  • Vault 1.4.2 (#1000)

SDK

  • client: Fix sdk logging (#1010)
  • unseal: notFoundError cause fix (#1008)

Webhook:

  • chart: typo in helm configMap variable (#999) (@nesl247)
  • chart: add labels to webhook pods themselves (#1003) (@agringeri)
  • Remove unneeded webhook ClusterRoleBinding notes (#1012) (@ananth-racherla)
  • Remove explicit check for annotations (#1014) (@flozzone)
bank-vaults - 1.3.0

Published by bonifaido over 4 years ago

General:

  • Vault 1.4 support works stable (#963)
  • improve lint and introduce emperror errors (#989)
  • various docs fixes
  • prepend namespace name to ClusterRoleBinding for Vault Helm Chart (#993) (@cablespaghetti)

Webhook:

  • support the old .dockercfg key from the imagePullSecret as well (#975)
  • support cert renewal in pods by using a secret projectedVolume instead of subPath mounts (#976)
  • fix Kubernetes version comparison (#987) (@martinezleoml)
  • vault-env: allow to pass data in write requests (#984)
  • OCP 4.3: runAsUser in Vault Secrets webhook chart should be configurable (#995) (@dakine1111)

Operator:

  • add vault condition statuses (#972)
  • support JSON-formatted Vault policies (#978) (@chrlwrd)

Security:

  • Snyk code scanner has been enabled for scanning the whole codebase (#980)

Next Release:

  • In Vault 1.4.0 the Raft storage backend has been stabilized and, in tandem, the etcd-operator project has been archived. We are therefore going to deprecate etcd-operator support (but not etcd support!) and phase it out in later versions; we suggest using Raft in the first place.
bank-vaults - 1.2.0

Published by bonifaido over 4 years ago

Webhook:

  • @bonifaido: vault-env: process all signals (#956)

Operator:

Dev environment:

  • @allthecode0 Add gitpod config (#958)

Next-release:

  • We are going to test that Vault 1.4.0 works well with Bank-Vaults and implement support for it if not.
  • In Vault 1.4.0 the Raft storage backend has been stabilized and, in tandem, the etcd-operator project has been archived. We are therefore going to deprecate etcd-operator support (but not etcd support!) and phase it out in later versions; we suggest using Raft in the first place.
bank-vaults - 1.1.0

Published by bonifaido over 4 years ago

Webhook:

  • @szymonpk: update consul-template default image (#935)
  • @bonifaido: vault-env: fix signal subscription order (#936)
  • @bonifaido webhook: upgrade jsonpatch to fix index out of range (#941)
  • @bonifaido update kubewebhook (#942)

Operator:

  • @jamie-34254: Implement the ability for a CA to persist when the Server certificate needs to be regenerated (#933)
  • @pbalogh-sa Use string for tlsExpiryTreshold in spec instead of duration (#937)
  • @bonifaido update controller-runtime (#942)
bank-vaults - 1.0.1

Published by bonifaido over 4 years ago

Bugfixes:

bank-vaults - 1.0.0

Published by bonifaido over 4 years ago

Bank-Vaults 🥇.0.0

Notable new features:

  • HSM support for encrypting unseal-keys and the root-token
  • vault-env daemon mode with dynamic secret renewal
  • Documentation site created at https://banzaicloud.com/docs/bank-vaults/
  • Add cert-manager certificate capability to the webhook chart
  • Inject Secrets into any kind of k8s resources with the webhook
  • Support adding existing root CA k8s secret to the PKI engine
  • Backups using Velero
  • Istio support/documentation of running Vault and the injection webhook alongside sidecars
  • Replication across multiple datacenters

Minor changes:

  • Helm 3 support for the operator chart
  • The operator doesn't set the OwnerReference of Unseal secret for the K8s backend (same functionality now across all unseal backends)
  • Make the unseal command in the CLI platform-agnostic
  • Do not just overwrite the annotations for the updated service in the operator
  • Don't add IPC_LOCK capability when disable_mlock is true in Vault config
  • etcd affinity support in the operator
  • Lots of documentation fixes

Credits:

Thank you to everyone who has contributed to Bank-Vaults since the first release (we have 93 contributors, which is a LOT!). You all helped to achieve 1.0, which is a major milestone in the life of every software project.