bank-vaults

A Vault swiss-army knife: A CLI tool to init, unseal and configure Vault (auth methods, secret engines).

APACHE-2.0 License

Stars
2K


bank-vaults - 0.9.0

Published by bonifaido over 4 years ago

Changelog

cc5f782 add goreleaser
09b739d fix TLS readme
ac22951 ability to use custom TLS secret
22804f1 define existing TLS secret
8ba2bd1 fix aws auth cross account sts role parameter name
3908ad7 increase linter timeout
728327f add vault service to github actions build
350f3d3 fix lint errors in sdk
74cbdf6 add linter to sdk package
dc28d35 split integration tests and run sdk tests as well
f9798d7 Update ADOPTERS.md
cb5a68b docs: use kms key alias
8106a36 velero: add kmsKeyId
5ecb87d velero: add daily schedule example to docs
ca65cd4 tidy operator docs and remove plain manifest instructions
1170723 operator: velero enhancements (#853)
3024bde fix typos
900f21c extend velero docs
e1ae2c5 fix fsfreeze and change examples
6eb9864 regenerate deepcopy code
5058235 operator: add velero fsfreeze sidecar
0600b0e bump objectmatcher to incorporate numeric pointer fix
81efc4b velero support
c84e9b4 operator: velero support
9dcae5a Fix nakedret violations
d5cb664 Fix whitespace violations
2b03b71 Fix staticcheck deprecation violation
d61f77d Fix unconvert violations
95a1602 Fix unparam violations
d9e75f7 Fix misspell violations
0e66733 Fix staticcheck violations
da6c805 Fix gosimple violations
d8d7bc7 Fix gofmt violations
5d83e08 Fix goimports violations
10f7fbf Upgrade linter and gotestsum
33799a7 add labels to k8s unseal secret
3236784 more tls docs (#846)
338c73d webhook: fix agent config examples
7687ace Add support for custom hosts/IPs on the TLS certificates managed by vault-operator (#843)

bank-vaults - 0.8.0

Published by bonifaido over 4 years ago

The last non-patch release before version 1.0.0!

Notable new features and fixes:

Charts:

  • operator: fix nodeSelector condition check in vault-operator chart deployment file (@raoofm)
  • operator: update etcd chart and fix scope (@bonifaido)
  • operator: exercise the chart in the acceptance test (@bonifaido)
  • add openshift scc example (@pbalogh-sa)

Webhook:

  • fix error handling in case of missing secret/configmap defined in envFrom/valueFrom (@pbalogh-sa)
  • ownerreferences should be always queried (@bonifaido)
  • Fix trim to >> value (@ramonberrutti)
  • Add registry address to cache key (@Kasama)
  • Fix resource parsing error check (@marcoreni)
  • Implement vault-agent templating support (@marcoreni)

Operator:

  • use probes from controller-runtime (@bonifaido)
  • update AWS SDK to support EKS AWS_ROLE_ARN mappings (@bonifaido)
  • example for raft directory permission setup (@pbalogh-sa)
  • multi DC failover support and example with Raft (@bonifaido)
  • Add oci authMethodType to gcp case to support configuring vault auth roles (@arumer)
  • fix dependencies (@sagikazarmark)

All commits since the last version: https://github.com/banzaicloud/bank-vaults/compare/0.7.1...0.8.0

Thanks to all the contributors! 🍺 ❤️

@arumer
@pbalogh-sa
@raoofm
@marcoreni
@ramonberrutti
@Kasama
@sagikazarmark
@matyix

Artifacts:

With tag 0.8.0:

https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags

bank-vaults - 0.7.1

Published by bonifaido almost 5 years ago

This release contains only one feature that existed before and then went missing, having been factored out in the previous releases, namely the operator leader election. Operator version 0.7.1 and chart version 0.6.1 will contain the fix. 🏂

bank-vaults - 0.7.0

Published by bonifaido almost 5 years ago

This is a rather small, but special release because this is the last one for this year! 🎄 🎁 🍾 🎉

Thanks for all the discussions, issues and PRs this year, please keep them coming in the next year as well! 👍

Notable new features and fixes:

First of all please welcome @leominov as a new member of the project!

Charts:

  • vault: fix resources block (@bonifaido)
  • vault: the chart is part of the acceptance test suite now (@bonifaido)

Webhook:

  • fix for kubectl DockerHub address format (@bonifaido)
  • add alias for consul-template - vault-configfile-path (@pbalogh-sa)
  • documentation clarifications (@hacktron95)
  • adding new parameters to control the sideEffect to support older clusters (@nullck)
  • add consul-template with PKI example (@bonifaido)
  • AWS IAM instance role-based ECR authentication with token cache (@Kasama, @bonifaido)
  • vault-env: add version to secret cache key (@bonifaido)

Operator:

  • the operator has migrated to pure k8s-sigs/controller-runtime and kubernetes/code-generator and cut ties with the operator-sdk, to reduce the number of dependencies and to gain more control over the version of those core libraries
  • startupSecrets from k8s Secrets (@pbalogh-sa)
  • support extra initContainers for Vault Pod (@pbalogh-sa)

All commits since the last version: https://github.com/banzaicloud/bank-vaults/compare/0.6.3...0.7.0

Thanks to all the contributors! 🍺 ❤️

@pbalogh-sa
@nullck
@hacktron95
@Kasama
@bonifaido

Artifacts:

With tag 0.7.0:

https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags

bank-vaults - 0.6.3

Published by bonifaido almost 5 years ago

Minor release with bug fixes again:

  • chart: add custom certificate documentation and support (@bonifaido)
  • chart: add default requests / containers (@tarokkk)
  • operator: istio compatibility flag added with port naming support (@bonifaido)
  • operator: diff fix for pvc status updates (@bonifaido)
  • vault-env: Make vault-env psp friendly (@funkypenguin)

bank-vaults - 0.6.2

Published by bonifaido almost 5 years ago

Minor release mostly with bug fixes again:

  • operator: fixed replicaset and deployment RBAC issues for Kubernetes < 1.6 (#752) - @szwed
  • operator: etcd upgrade to 3.3.17 (#753) - @bonifaido
  • operator and chart: Fix readiness probe for vault v1.3.0 - @arminbuerkle
  • operator: various fixes around transit unseal envs and mounts - @bonifaido
  • webhook: add objectSelector in case the k8s version is above 1.15 - @pbalogh-sa

bank-vaults - 0.6.1

Published by bonifaido almost 5 years ago

Just a quick release, mostly bug fixes around registry access in the mutating webhook:

  • webhook: fix docker.io addressed images to index.docker.io (bugfix)
  • webhook: turn registry pinging off, it causes issues for some registry implementations (bugfix)
  • webhook: configurable transit path
  • operator: accept vault-config.yml and .yaml as well in external ConfigMaps (improvement) @leominov
  • charts: Added labels support to vault-operator and vault-secrets-webhook charts (improvement) @szwed

bank-vaults - 0.6.0

Published by bonifaido almost 5 years ago

Notable new features and fixes:

Charts:

Library:

  • the client code has been moved to the SDK package and is versioned separately
  • fixed connection leak in client.Close()
  • remove JWT handler from auth package, it was not strongly bank-vaults related
  • client: add the ability to provide a Vault token

Webhook:

  • allow vault_role to be specified globally
  • vault-env: implement templating of data sourced from Vault
  • Disable image caching for Policy=PullAlways and ref=latest
  • vault-env: Support Vault Transit Secret Engine for PODs
  • Add option to use static certificates for vault-secrets-webhook helm chart
  • unit tests! (@lhotrifork 🙇)
  • Add RunAsUser functionality within copy-vault-init and containers
  • Slim vault-env docker image size from 127Mb to 24Mb
  • Added release namespace to webhook helm templates
  • allow JSON logging
  • Fix parsing of Image Name with digest
  • Add new annotation to change the config file path in the container
  • Make ImagePull Docker config JSON key configurable
  • Change hardcoded imagePullPolicy
  • Make listen-address configurable
  • Serving telemetry on another address avoids TLS problems
  • add PDB to vault-secrets-webhook

Configurer:

  • azure auth method got implemented
  • Vault KV based unsealing
  • Support creating group-aliases with same name and different mount_accessor
  • fix: Config not added with rotate: true

Operator:

  • default to fsGroup 1000 (vault user) to fix filesystem permission issues (raft and file backend for example)
  • add the ability to apply additional labels to the vault statefulset and other resources
  • rework of watched secrets
  • scope configmap/secret selection to same namespace
  • fix rbac for openshift
  • Add Vault Mounts to the configurer as well
  • Propagate env vars to bank-vaults and configurer
  • Add postgresql as an allowed HA backend
  • make the prometheus example fully automated
  • automated raft storage support
  • Breaking change: labels changed to Kubernetes standard labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/

All commits: https://github.com/banzaicloud/bank-vaults/compare/0.5.1...0.6.0

Thanks to all the contributors! 🍺 ❤️

@sagikazarmark
@matyix
@bonifaido
@pbalogh-sa
@funkypenguin
@KealanM
@leominov
@lhotrifork
@primeroz
@Yvonne2017
@szwed
@MightySCollins
@Z3r0Sum
@srleyva
@nesl247
@wombat
@thejmazz
@tommy-dk
@upodroid
@JaredEdwards
@skhedim
@msvticket
@colin014
@fraenkel
@stokkie90

Artifacts:

With tag 0.6.0:

https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags

bank-vaults - 0.5.4

Published by bonifaido almost 5 years ago

This is a patch release for the 0.5.x branch which contains:

#719

bank-vaults - 0.5.3

Published by bonifaido about 5 years ago

This is a patch release for the 0.5.x branch which contains:

#659

bank-vaults - 0.5.2

Published by bonifaido about 5 years ago

This is a patch release for the 0.5.x branch which contains:

bank-vaults - 0.5.1

Published by bonifaido about 5 years ago

In this release, we have moved the helm charts to this repository, this should ease maintaining both the application and the deployment configuration.

Notable new features:

Webhook:

  • make it locally runnable with make -j webhook-up
  • small logging / comment additions
  • handle vault-tls double mount gracefully
  • add support for dry-run with the webhook controller
  • make the webhook failure policy configurable, also set the default to Ignore (chart)
  • add support for a default imagePullSecret
  • add ServiceMonitor config to the webhook (chart)
  • expose mutation metrics in Prometheus format
  • ignoring kube-system by default (chart)
  • fix indentation for webhook matchLabels (chart)
  • allow setting Pod annotations (chart)
  • ConfigMap: mutate BinaryData as well
  • vault-env: cache secrets to reduce calls and support dynamic credentials
  • Add priorityClass for secrets webhook deployment (chart)
  • don't bail out on missing optional env sources

Configurer:

  • add support for auth mount config + example

Operator:

  • add priority class for vault operator

@dcherman
@sagikazarmark
@baluchicken
@mgruener
@jurgenweber
@bonifaido
@matyix
@chrisob
@rrondeau

https://github.com/banzaicloud/bank-vaults/compare/0.5.0...0.5.1

bank-vaults - 0.5.1-rc.1

Published by bonifaido about 5 years ago

bank-vaults - 0.5.0

Published by bonifaido about 5 years ago

Notable new features:

Operator

  • add transit unseal example with operator and webhook
  • enable preFlightChecks by default
  • RBAC - allow Operator to list replicasets

Webhook

  • add VAULT_TOKEN=vault:login special value for passing the Vault token from vault-env to the application
  • lazy connection to Vault in case of ConfigMaps and Secrets
  • Docker CMD should be appended only if Kubernetes args is empty
  • Allow enabling debug logs
  • Configurable Webhook listen address

Library

  • wildcard TLS certificates should support multiple wildcard SANs

Misc

  • various documentation and diagram fixes
  • use Vault SDK instead of pulling in the whole Vault project 🎉

All commits since 0.4.18:

https://github.com/banzaicloud/bank-vaults/compare/0.4.18...0.5.0

Thanks to all the contributors! 🍺 ❤️

@ahma
@leominov
@mgruener
@tommy-dk
@sosoriov
@bonifaido
@pbalogh-sa
@matyix

Artifacts:

With tag 0.5.0:

https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags

bank-vaults - 0.4.18

Published by bonifaido over 5 years ago

Notable new features:

  • Mutating Webhook and vault-env:

    • add healthz handler and added readinessProbe to chart with this
  • Vault Configurer:

    • Add support for "create_only" field to secret engines
    • Example added for Google Secret backend configuration
    • added complete MySQL backed HA setup example
  • Operator:

    • add all Kubernetes Service FQDNs to TLS cert hosts
    • make Vault Pods fine-tunable via VaultPodSpec and VaultConfigurerPodSpec
    • Use the k8s-objectmatcher library to avoid unnecessary object updates
    • updated operator SDK to 0.9.0 - Go modules 🎉
    • Make etcd image repositories configurable
    • allow Vault configuration to be templated with environment variables (and actually all Go template and Sprig functions) the same way as configurer configuration ⚛️

Bugfixes:

  • Operator:
    • Cluster vs namespaced Role seemed to be swapped around in the deployment examples
    • Fetch the Vault instance again before update to minimize the possibility of updating a stale object
  • Mutating Webhook and vault-env:
    • Fix for mutating webhook not mounting TLS certificates to the "main" container

Misc

  • various CI and acceptance test fixes and improvements (as always...)
  • various documentation fixes

All commits since 0.4.17:

https://github.com/banzaicloud/bank-vaults/compare/0.4.17...0.4.18

Thanks to all the contributors! 🍺 ❤️

@pbalogh-sa
@baluchicken
@jurgenweber
@ryandbump
@mgruener
@primeroz
@pepov
@matyix
@bonifaido

Artifacts:

With tag 0.4.18:

https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags

bank-vaults - 0.4.17

Published by bonifaido over 5 years ago

Notable new features:

  • Mutating Webhook and vault-env:

    • Read container command and args from the source image registry
    • Handle pod spec when CMD is absent and ARGS are present
    • Make Consul Template resource limits configurable
    • Webhook now supports mutating Secrets and ConfigMaps
    • added ability to only warn for missing secrets
    • added option to pass VAULT env vars to the main process
  • Vault Configurer:

    • Add support for OIDC auth type
    • Add support for rotating Database and AWS root credentials via the rotate: true field
  • Operator:

    • Regenerate TLS certificate automatically before the defined time of expiry in CR
    • Distributing Vault TLS CA to specified namespaces
    • Add support for user-defined labels on Vault and VaultConfigurer resources
    • define resource limits to ALL resources

Bugfixes:

  • Operator:
    • preserve NodePort for Services
    • use 'reclaim' policy for host-path PVs in the cr.yaml example
  • Configurer:
    • fix regression regarding missing secret engine options
  • Webhook:
    • Fix configmap name for vault agent if ownerreference does not contain -

Misc

  • various CI and acceptance test fixes and improvements
  • various documentation fixes

All commits since 0.4.16:

https://github.com/banzaicloud/bank-vaults/compare/0.4.16...0.4.17

Thanks to all the contributors! 🍺 ❤️

@tczekajlo
@pbalogh-sa
@jurgenweber
@baluchicken
@matyix
@primeroz
@stephenmuss
@robertgates55
@moskitone
@pepov
@devlounge
@benjamink
@bonifaido

Artifacts:

With tag 0.4.17:

https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags

bank-vaults - 0.4.16

Published by bonifaido over 5 years ago

Notable new features:

  • Watch external secrets using labels selector and reload vault StatefulSet if any change is detected (operator)
  • cert auth support in configurer
  • okta auth support in configurer
  • token auth support in configurer
  • allow for annotations overrides of the consul template image (webhook)
  • Bank vaults client constructor improvements (client)
  • Add support for secret versioning (webhook)
  • Add support for provisioning vault with auto-unsealing (bank-vaults)
  • Allow to enable/disable AllowPrivilegeEscalation for injected containers to make it work with psp restricted deployments [webhook]

Bugfixes:

  • fix for [webhook] vault-env is not injected when vault.security.banzaicloud.io/vault-agent: "false"

All commits since 0.4.15: https://github.com/banzaicloud/bank-vaults/compare/0.4.15...0.4.16

Thanks to all the contributors! 🍺

bank-vaults - 0.4.15

Published by bonifaido over 5 years ago

Notable new features:

  • consul-template support in vault-secrets-webhook
  • statsd port added to Prometheus ServiceMonitor
  • exporting Prometheus metrics from operator SDK's manager
  • add support for creating vault configurations as Secrets
  • add --once flag to configure and respect VAULT_TOKEN in dev mode
  • add "--fatal" flag to configurer
  • implement common kv backend test before initializing Vault
  • Vault groups support
  • operator: Supporting nodeselectors, and tolerations

Bugfixes:

  • configurer: Remove leaked configuration from error log
  • configurer: always transform sts_account to a string
  • configurer: handle configuration errors by re-injecting configuration files (improvement)
  • operator: fix resource quota issues via checking and upgrading existing objects
  • rbac: scope fixes

All commits since 0.4.14: https://github.com/banzaicloud/bank-vaults/compare/0.4.14...0.4.15

Thanks to all the contributors! 🍺

bank-vaults - 0.4.13

Published by bonifaido over 5 years ago

  • HA Improvements
  • webhook supports now dynamic secrets
  • go 1.12 and modules

https://github.com/banzaicloud/bank-vaults/compare/0.4.12...0.4.13