bank-vaults

A Vault swiss-army knife: A CLI tool to init, unseal and configure Vault (auth methods, secret engines).

APACHE-2.0 License

Stars
2K


bank-vaults - 1.14.3

Published by github-actions[bot] about 3 years ago

Changelog

48cdf57 add goreleaser github action

bank-vaults - 1.14.2

Published by pbalogh-sa about 3 years ago

Webhook

  • webhook: mutate container probes #1427
  • webhook: Addition of dnsPolicy for deployment in helm chart #1430
  • webhook: add syslog capability to vault-env #1432
  • webhook: make DNS policy empty if not set, Default broke CI #1438

bank-vaults - 1.14.1

Published by bonifaido about 3 years ago

This is a minor release in terms of the number of fixes, but a huge one in terms of content! 🏃

webhook

  • make pod mutation idempotent (#1419)
  • fix registry lookup, add test for validating it in the future (#1418)
  • chart: Fix API versions for k8s < 1.21 (#1413) - @horjulf
  • charts: Fix md tables in chart Readmes (#1415) @LinAnt

client

  • set Vault Namespace on underlying rawClient if it has a non-empty value (#1412) - @wmene

bank-vaults - 1.14.0

Published by bonifaido about 3 years ago

This release contains a lot of bug fixes! Thanks for the reports and also for the PRs! 👍

webhook

  • vault-env: fix errors.As error handling caused panic (#1386) - @win-t
  • Use of namespaced service accounts for auth (#1401, #1407) - @timbuchwaldt, @dquagebeur
  • fix(registry): use default value if no ImagePullSecrets was specified in podspec (#1409) - @kratisto

configurer

  • bank-vaults: fix the usage of some common flags (#1405)

charts

  • operator: Add SETFCAP Capabilities to Helm psp template (#1388) - @inesterenko
  • Fix k8s deprecations (#1404)
  • vault: ClusterRole binding fix (#1408)
  • operator: remove direct etcd subchart support (#1411)

operator

  • change default configurer config to a Secret (#1389)

bank-vaults - 1.13.1

Published by bonifaido over 3 years ago

This release contains a lot of bug fixes! Thanks for the reports and also for the PRs! 👍

webhook

  • extract the main code to pkg (#1337)
  • vault-env: fix exit code detection (#1342)
  • give back error logging (#1350)
  • add Vault namespaces support (#1361) - @anoncam
  • remove the need for the inline-mutation annotation (#1380)
  • fix inline-mutation for envFrom constructs (#1381)

configurer

  • set issuer explicitly from service account JWT for in-cluster scenarios (#1348)

charts

  • vault: openshift support (#1355) - @chris1786
  • webhook: Adding support for topologySpreadConstraints to helm chart (#1359) - @johnwoo247

operator

  • set owner reference on raw config (#1367)
  • fix config check for ha capable storages (ha_enabled=false) combined with ha_storage stanza
  • fix raft ha_storage combined with seal stanza (#1369)

bank-vaults - 1.13.0

Published by bonifaido over 3 years ago

configurer

  • Properly check if database connections are already configured. (#1318) - @tandrup

vault-env

  • Support JWT-based auth methods outside of K8s clusters (#1321) - @gw0
  • add azure msi auth method for vault (#1319) - @leosayous21

operator

  • Add awskms seal configuration to example (#1324) - @miguelaferreira
  • remove usage of VAULT_LOCAL_CONFIG (#1329)
  • updated controller-runtime to 0.9.0 (#1334)

webhook

  • Allow users to specify resources for init-containers (#1331) - @sopriani
  • vault-env/vault-secrets-webhook: Add VAULT_ENV_DELAY and vault-env-delay annotation (#1333) - @gw0
  • use slok/kubewebhook/v2 (#1334)
  • fixes for running with kurun (#1335)

bank-vaults - 1.12.1

Published by bonifaido over 3 years ago

Operator

  • type fix for IsNotFoundError (#1312)
  • operator: fix ingress rbac api group (#1310)

bank-vaults - 1.12.0

Published by bonifaido over 3 years ago

  • [general]

    • built by Go 1.16 (#1274)
    • certmanager: use v1 resource versions (#1293)
    • vault chart improvements (#1296)
    • chart/helm: stricter default rbac for secrets (#1299)
  • [webhook]

    • Support separate tags in webhook helm chart for vault-secrets-webhook repo and vault-env repo (#1282) - @tandrup
    • Add missing objectSelector configuration options - @gw0
    • Add default objectSelector to not trigger on internal Helm v3 state resources - @gw0
    • vault-ct-once as initContainer (#1295) - @moskitone
    • consul-template: add configuration for template injecting for in init containers (#1302) - @kratisto
  • [operator]

    • make aws region optional in the crd (#1294)
    • fix nodes null unmarshal issue (#1301)
    • ingress: add default backend only if there are no rules defined (#1305)
    • ingress: v1 (#1306)

bank-vaults - 1.11.3

Published by bonifaido over 3 years ago

  • build(deps): bump alpine from 3.13.1 to 3.13.2 (#1262)
  • vault-env: smarter env sanitization in case of vault:login (#1265)
  • webhook: Fix for inline mutations in custom resources (#1271) - @dervoeti
  • webhook: Enable GCPIAMAuth method for vault webhook auth (#1272) - @connorlwilkes

bank-vaults - 1.11.2

Published by bonifaido over 3 years ago

  • general: bump alpine from 3.13.0 to 3.13.1 (#1246)
  • general: update to vault 1.6.2 (#1252)
  • configurer: fix map types in auth config blocks (#1248)
  • webhook: extend and specify documentation around namespaces (#1244)
  • operator: fix Vault status updates (#1245)
  • operator: reduce the CRD size by removing the descriptions (#1249)
  • operator: Add missing capability (#1257) - @davidkarlsen

bank-vaults - 1.11.1

Published by bonifaido over 3 years ago

  • webhook: Kill container process when non-renewable lease expired (#1239) - @moskitone

bank-vaults - 1.11.0

Published by bonifaido almost 4 years ago

  • operator: full v1/CRD specification and validation (#973)
  • webhook: rewrite registry access entirely with go-containerregistry (#1194)

bank-vaults - 1.10.1

Published by pbalogh-sa almost 4 years ago

  • injector: differentiate "not found" from other errors (#1223)
  • operator&chart: drsecondary nodes should be healthy (#1230)

bank-vaults - 1.10.0

Published by bonifaido almost 4 years ago

  • operator: prometheus fixes in example (#1210)
  • operator: support for unauthenticated_metrics_access and deduplicating prometheus targets (#1211)
  • charts: standardize serviceAccount creation (#1213)
  • charts: fix yaml when install chart vault with .Values.rbac.psp.enabled=true (#1215) - @LuckySB
  • operator: fix stable chart repo location (#1216)
  • update vault to 1.6.1
  • unseal: use AWS_REGION/AWS_DEFAULT_REGION if possible (#1221)
  • operator: add cert-manager example (#1205)
  • operator: support for all affinity configurations (#1222)

bank-vaults - 1.9.0

Published by bonifaido almost 4 years ago

Changes

  • client: log warnings from configuration changes (#1199)
  • charts: move all images to ghcr.io (#1185)
  • configurer: allow saving Vault secret engine configuration data to KV 2 engine (#1202)
  • webhook: migrate to google/go-containerregistry (#1194)
  • webhook: tries to fetch image descriptor from Docker Hub instead of private registry (#1203) - @joshdvir
  • webhook/chart: allow the vault-webhook to be contacted over loadbalancer or ingress (#1196) - @AtzeDeVries
  • operator: ability to use specific loadbalancerip (#1186) - @squaricdot
  • operator: apply sidecarEnvsConfig to fluentd and statsd, add resources for fluentd (#1197)
  • operator: add VaultContainerSpec override (#1207)
  • documentation: many fixes, structural changes thanks to @fekete-robert

🎄 Thanks to all the contributors! 👍 🎄

bank-vaults - 1.8.0

Published by bonifaido almost 4 years ago

Changes

  • client: automated GCP GCE authentication (#1166)
  • webhook: configurable timeoutSeconds value (#1159) - @rexbut
  • webhook: annotations to control agent and env images (#1163) - @michael-todorovic
  • webhook: fix vault agent -once command to exit after auth (#1168) - @joshdvir
  • webhook: Use agent ConfigMap when agent is in the InitContainers (#1181) - @joshdvir
  • webhook: add hostnetwork in chart (following of #1154) (#1171) - @cpoule23
  • webhook: Add inline secrets for vault-env/vault-secrets-webhook (#1178) - @Lord-Y
  • operator: Raft as HA storage (#1172)
  • operator: add service_registration (#1174)
  • operator: added Alibaba example (#1179)
  • vault/chart: align IPC_LOCK behaviour to operator based on disable_mlock (#1176)
  • vault-env: fix vault:login clientOptions (#1180)

Thanks to all the contributors! 👍

bank-vaults - 1.7.0

Published by bonifaido almost 4 years ago

A 100% webhook release this time! 🕸️ ⚓ Thanks to all external contributors!

Changes

  • webhook: add a check for EnvFromPath to be empty for continuation (#1145) - @rocpatel
  • webhook: load CA for non-pods as well (#1148)
  • webhook: add possibility to define multiple inline-secrets (#1143) - @kschu91, @nikals99
  • webhook: add support for externally defined Certificate by cert-manager (#1146) - @gw0
  • webhook: Adding KubeVersion validation when using admissionReviewVersions (#1150) - @fdpeiter
  • webhook: allow token access to vault (#1156) - @bradfordwagner

bank-vaults - 1.6.0

Published by bonifaido about 4 years ago

Changes

  • general: upgrade Kubernetes to 1.19 (#1131) (@sagikazarmark)
  • general: use Vault 1.5.4 (#1132)
  • operator: Custom fluentd conf path (#1134) (@idgenchev)
  • operator: drop helm2 support in the chart, fix linting issues (#1139)
  • operator: Update values.yaml: fix typo (#1116) (@evgkrsk)
  • operator: deploy configurer only if there is any externalConfig present (#1126)
  • webhook: fix: move VAULT_ENV_FROM_PATH to mutateContainers (#1117) (@rocpatel)
  • webhook: add support for GCR default credentials (#1120) (@viktorradnai)
  • webhook: allow specifying pod securityContext and full container securityContext (#1119) (@dbeal-wiser)
  • webhook: make secretNeedsMutation check work better for DockerConfigJsonKey (#1123)
  • webhook: change the resource limit/requests of copy-vault-env and vault-agent to a sane value (#1124)
  • webhook: fix secret caching and add test (#1137)
  • vault-env: implement aws ec2 auth method (#1095)
  • cli: replace gin with net/http to avoid dependency (#1118)
  • cli: handle signals properly (#1129)
  • configurer: exit early if possible before touching the API (#1125)

Note about Helm charts:
From 1.6.0 the operator chart is Helm 3 only (the other charts are still compatible with Helm 2, but only on a best-effort basis).

Helm2 -> Helm3 migration

If you have installed the chart with Helm 2 and are now trying to upgrade it with Helm 3, you have to be careful, because Helm 3 will delete the Vault CRD from your cluster during the upgrade from Helm 2 (see helm/helm#7279). To avoid that, follow these steps:

# Make sure you are using Helm 3
helm version

# version.BuildInfo{Version:"v3.3.4", GitCommit:"a61ce5633af99708171414353ed49547cf05013d", GitTreeState:"clean", GoVersion:"go1.14.9"}

# Get the latest vault-operator chart
helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
helm repo update

# Delete all Helm 2 releases of the vault-operator manually with kubectl to keep the resources in the cluster
kubectl delete configmaps -n kube-system vault-operator.v1
# Delete all resources except the Vault CRD
helm template vault-operator banzaicloud-stable/vault-operator | kubectl delete -f -
# Install the new Helm 3 version of the chart
helm upgrade --install vault-operator banzaicloud-stable/vault-operator
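The steps above as a guarded script, added here as an example and not part of bank-vaults or its charts. It refuses to run under anything but Helm 3 by parsing the `helm version` output shown above (it also recognises the Helm 2 output shape, so the two are told apart rather than both failing the same way), it strips any CustomResourceDefinition document out of the `helm template` output before that output reaches `kubectl delete`, and it checks that the CRD still exists before `helm upgrade --install`. The release name and chart reference come from the page; the CRD name `vaults.vault.banzaicloud.com` is an assumption (override it with the `VAULT_CRD` environment variable), and the sample manifests are constructed.

```shell
#!/bin/sh
# Guarded version of the Helm 2 -> Helm 3 migration steps above.
# Added as an illustration; this is not part of bank-vaults or its charts.
set -eu

RELEASE="${RELEASE:-vault-operator}"                    # release name used on the page
CHART="${CHART:-banzaicloud-stable/vault-operator}"     # chart reference used on the page
VAULT_CRD="${VAULT_CRD:-vaults.vault.banzaicloud.com}"  # assumed CRD name; not given on the page

# Extract the major version from `helm version` output. Helm 3 prints
#   version.BuildInfo{Version:"v3.3.4", GitCommit:"...", ...}
# while Helm 2 prints
#   Client: &version.Version{SemVer:"v2.16.1", ...}
# so both shapes are handled and the caller can tell the two apart.
helm_major_from_version_output() {
    printf '%s\n' "$1" \
        | sed -n -e 's/.*Version:"v\([0-9][0-9]*\)\..*/\1/p' \
                 -e 's/.*SemVer:"v\([0-9][0-9]*\)\..*/\1/p' \
        | head -n 1
}

# Fail unless the helm on PATH is Helm 3, which is what the steps are written for.
require_helm3() {
    major="$(helm_major_from_version_output "$(helm version 2>/dev/null || true)")"
    [ "$major" = "3" ] || { echo "expected Helm 3, found major version '${major:-unknown}'" >&2; return 1; }
}

# Drop every CustomResourceDefinition document from a multi-document YAML stream
# (the format `helm template` prints), so the CRD can never reach `kubectl delete`
# even if the rendered chart happens to include it.
drop_crds() {
    awk '
        /^---[ \t]*$/ { flush(); next }
        { buf = buf $0 "\n"; if ($0 ~ /^kind:[ \t]*CustomResourceDefinition[ \t]*$/) skip = 1 }
        END { flush() }
        function flush() {
            if (buf != "" && !skip) printf "---\n%s", buf
            buf = ""; skip = 0
        }
    '
}

# True when the Vault CRD is still registered in the cluster.
crd_present() {
    kubectl get crd "$VAULT_CRD" >/dev/null 2>&1
}

# Constructed sample of what `helm template` might render: one CRD plus one Deployment.
SAMPLE_MANIFESTS='---
# Source: vault-operator/crds/crd.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: vaults.vault.banzaicloud.com
---
# Source: vault-operator/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-operator'

# Runs the filter over the constructed sample; lets you inspect the result before
# pointing the same pipeline at a real cluster.
demo_filter() {
    printf '%s\n' "$SAMPLE_MANIFESTS" | drop_crds
}

migrate() {
    require_helm3
    helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
    helm repo update
    # Helm 2 kept release state in kube-system ConfigMaps; deleting them with kubectl
    # (not `helm delete`) leaves the deployed resources in place.
    kubectl delete configmaps -n kube-system "${RELEASE}.v1"
    # Remove the chart's resources but never the CRD.
    helm template "$RELEASE" "$CHART" | drop_crds | kubectl delete -f -
    crd_present || { echo "CRD $VAULT_CRD is missing; restore it before installing" >&2; return 1; }
    helm upgrade --install "$RELEASE" "$CHART"
}

# Sourcing this file only defines the helpers; pass "migrate" to actually run the steps.
if [ "${1:-}" = "migrate" ]; then
    migrate
fi
```

Run `sh migrate.sh migrate` against a cluster where the operator was installed with Helm 2; `demo_filter` shows on the constructed sample that only the Deployment survives the filter, which is the property the `kubectl delete` step depends on.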

bank-vaults - 1.5.0

Published by bonifaido about 4 years ago

Changes

  • vault-env: support GCP auth (#1093)
  • client: move operator_client.go to internal (BREAKING CHANGE) (#1092)
  • webhook: allow adding auth-delegator role in the chart (#1101)
  • multi-dc: add local acceptance-test based on kind and MetalLB (#1103)
  • operator: fix single cluster raft with LoadBalancer serviceType (#1105)
  • ci: build multi-platform images (#1107)
  • operator: extract raft detection logic to IsRaftBootstrapFollower (#1111)
  • operator: add PSP for vault-operator and vault that is deployed by the operator (#1109)
  • operator: update images to support arm64 (#1114)
  • webhook: Add env from vault path (#1100) (@rocpatel)

Note about Docker images:
From this release, all Bank-Vaults Docker images are pushed to the GitHub Container Registry as well, as an alternative to Docker Hub. You can find them here.
Helm charts, vault-operator, and vault-secrets-webhook still use Docker Hub as the default image source, but in all cases, this can be changed to ghcr.io, see the charts and documentation for more details.

All images deployed by the operator are ARM-friendly multi-platform images. The images pushed to the ghcr.io registry are built for 3 different architectures:

  • linux/amd64
  • linux/arm64
  • linux/arm

Note about Helm charts:
This is the last release where we officially support Helm 2 for the charts. From now on, only Helm 3 is guaranteed to work. See: https://github.com/banzaicloud/bank-vaults/issues/1097

bank-vaults - 1.4.2

Published by bonifaido about 4 years ago

Changes

  • operator: bump controller-runtime and k8s versions (#1090)
  • webhook: fix injection request method for non-pods (#1084)
  • webhook: allow the vault-env repository to be overridden. (#1088) (@brewneaux)
  • ci: enable github container registry build (#1089)

Note about Docker images:
From this release, all Bank-Vaults Docker images are pushed to the GitHub Container Registry as well, as an alternative to Docker Hub. You can find them here.
Helm charts, vault-operator, and vault-secrets-webhook still use Docker Hub as the default image source, but in all cases, this can be changed to ghcr.io, see the charts and documentation for more details.