bank-vaults

A Vault swiss-army knife: A CLI tool to init, unseal and configure Vault (auth methods, secret engines).

APACHE-2.0 License


bank-vaults - 1.4.1

Published by bonifaido about 4 years ago

  • operator: Add per instance svc hosts to Vault cert SANs (#1073) (@ptzianos)
  • operator: add labels to deployments and StatefulSets as well (#1079)
  • operator: pin tagged version for bank-vaults sidecar (#1082)
  • webhook: use admissionregistration.k8s.io/v1 in registration wherever possible (#1078)

bank-vaults - 1.4.0

Published by bonifaido about 4 years ago

Changes:

  • webhook: add resource skip annotation (#1036)
  • charts: fix image tag by appVersion (#1040)
  • operator: Unset owner references on synced TLS CA secrets (#1037) @Jpnock
  • webhook: possibility to change the log level (#1039) @anasinnyk
  • operator: add image pull secrets (#1042) @sparqueur
  • operator: remove outdated image setting from script (#1045)
  • operator: TLS fixes in multi dc raft example (#1046)
  • webhook: Optional serviceaccount labels and annotations (#1048) @boukili
  • operator: allow VAULT_ADDR to be overridden (#1051)
  • webhook: pass log_level to mutated container (#1050) @anasinnyk
  • chart/vault: support downward api in vault chart env vars (#1054) @jcooley
  • operator: add some startup secrets to the softhsm example
  • chart/vault: add option for headless service (#1056) @cablespaghetti
  • chart/vault: Option to use CertManager to generate certs (#1057) @cablespaghetti
  • webhook: remove unnecessary config.hcl entry in example deployment (#1060) @jwitko
  • configurer: AWS SSE Support (#1055) @ptzianos
  • webhook: fix VAULT_IMAGE case (#1061)
  • chart/vault: make affinity configurable in helm chart (#1062) @jcooley
  • operator: Multi-DC Raft Service fixes (#1058) (#1064)
  • charts: fix template globalness (#1066)
  • code: check all returned errors correctly (#1067)
  • configurer: implement userpass auth method (#1068)
  • Vault 1.5.0 tested and works fine!

Deprecations:

  • Helm 2 support is considered deprecated and will be removed two non-patch releases from now.

bank-vaults - 1.3.3

Published by bonifaido over 4 years ago

Changes:

  • Fix names of k8s resources in vault-secrets-webhook chart (#1025) @gw0
  • Add seal check to vault init (#1030) @dbason
  • Kubernetes OIDC and projected SA support (#1026)
  • operator: remove ca.key from CA secret (#1033) @sanderma
  • chart/vault: fix helm test for https (#1034) @jcooley
  • simplify acceptance test with conditional waits (#1032)
  • use templates for image versions in charts (#1035)

bank-vaults - 1.3.2

Published by bonifaido over 4 years ago

This release contains some bugfixes:

Operator

  • automount ServiceAccount Token into Bank-Vaults pods (#1018)
  • various Raft transport fixes when using Raft with Istio over plain HTTP (#1021)
  • fixing Google KMS unsealing when using Raft (#1022)

bank-vaults - 1.3.1

Published by bonifaido over 4 years ago

General

  • Vault 1.4.2 (#1000)

SDK

  • client: Fix sdk logging (#1010)
  • unseal: notFoundError cause fix (#1008)

Webhook:

  • chart: typo in helm configMap variable (#999) (@nesl247)
  • chart: add labels to webhook pods themselves (#1003) (@agringeri)
  • Remove unneeded webhook ClusterRoleBinding notes (#1012) (@ananth-racherla)
  • Remove explicit check for annotations (#1014) (@flozzone)

bank-vaults - 1.3.0

Published by bonifaido over 4 years ago

General:

  • Vault 1.4 support works stable (#963)
  • improve lint and introduce emperror errors (#989)
  • various docs fixes
  • prepend namespace name to ClusterRoleBinding for Vault Helm Chart (#993) (@cablespaghetti)

Webhook:

  • support the old .dockercfg key from the imagePullSecret as well (#975)
  • support cert renewal in pods by using a secret projectedVolume instead of subPath mounts (#976)
  • fix Kubernetes version comparison (#987) (@martinezleoml)
  • vault-env: allow to pass data in write requests (#984)
  • OCP 4.3: runAsUser in Vault Secrets webhook chart should be configurable (#995) (@dakine1111)

Operator:

  • add vault condition statuses (#972)
  • support JSON-formatted Vault policies (#978) (@chrlwrd)

Security:

  • Snyk code scanner has been enabled for scanning the whole codebase (#980)

Next Release:

  • In Vault 1.4.0 the Raft storage backend has been stabilized and, in tandem, the etcd-operator project has been archived, so we are going to deprecate etcd-operator support (but not etcd support!) and phase it out in later versions; we suggest using Raft in the first place.

bank-vaults - 1.2.0

Published by bonifaido over 4 years ago

Webhook:

  • @bonifaido: vault-env: process all signals (#956)

Operator:

Dev environment:

  • @allthecode0 Add gitpod config (#958)

Next-release:

  • We are going to test that Vault 1.4.0 works well with Bank-Vaults and implement support for it if not.
  • In Vault 1.4.0 the Raft storage backend has been stabilized and, in tandem, the etcd-operator project has been archived, so we are going to deprecate etcd-operator support (but not etcd support!) and phase it out in later versions; we suggest using Raft in the first place.

bank-vaults - 1.1.0

Published by bonifaido over 4 years ago

Webhook:

  • @szymonpk: update consul-template default image (#935)
  • @bonifaido: vault-env: fix signal subscription order (#936)
  • @bonifaido webhook: upgrade jsonpatch to fix index out of range (#941)
  • @bonifaido update kubewebhook (#942)

Operator:

  • @jamie-34254: Implement the ability for a CA to persist when the Server certificate needs to be regenerated (#933)
  • @pbalogh-sa Use string for tlsExpiryTreshold in spec instead of duration (#937)
  • @bonifaido update controller-runtime (#942)

bank-vaults - 1.0.1

Published by bonifaido over 4 years ago

Bugfixes:

bank-vaults - 1.0.0

Published by bonifaido over 4 years ago

Bank-Vaults 🥇.0.0

Notable new features:

  • HSM support for encrypting unseal-keys and the root-token
  • vault-env daemon mode with dynamic secret renewal
  • Documentation site created at https://banzaicloud.com/docs/bank-vaults/
  • Add cert-manager certificate capability to the webhook chart
  • Inject Secrets into any kind of k8s resources with the webhook
  • Support adding existing root CA k8s secret to the PKI engine
  • Backups using Velero
  • Istio support/documentation of running Vault and the injection webhook alongside sidecars
  • Replication across multiple datacenters

Minor changes:

  • Helm 3 support for the operator chart
  • The operator doesn't set the OwnerReference of Unseal secret for the K8s backend (same functionality now across all unseal backends)
  • Make the unseal command in the CLI platform-agnostic
  • Do not just overwrite the annotations for the updated service in the operator
  • Don't add IPC_LOCK capability when disable_mlock is true in Vault config
  • etcd affinity support in the operator
  • Lots of documentation fixes

Credits:

Thank you to everyone who has contributed to Bank-Vaults since the first release (we have 93 contributors, which is a LOT!). You all helped to achieve 1.0, which is a major milestone in the life of every software project.

bank-vaults - 0.9.0

Published by bonifaido over 4 years ago

Changelog

cc5f782 add goreleaser
09b739d fix TLS readme
ac22951 ability to use custom TLS secret
22804f1 define existing TLS secret
8ba2bd1 fix aws auth cross account sts role parameter name
3908ad7 increase linter timeout
728327f add vault service to github actions build
350f3d3 fix lint errors in sdk
74cbdf6 add linter to sdk package
dc28d35 split integration tests and run sdk tests as well
f9798d7 Update ADOPTERS.md
cb5a68b docs: use kms key alias
8106a36 velero: add kmsKeyId
5ecb87d velero: add daily schedule example to docs
ca65cd4 tidy operator docs and remove plain manifest instructions
1170723 operator: velero enhancements (#853)
3024bde fix typos
900f21c extend velero docs
e1ae2c5 fix fsfreeze and change examples
6eb9864 regenerate deepcopy code
5058235 operator: add velero fsfreeze sidecar
0600b0e bump objectmatcher to incorporate numeric pointer fix
81efc4b velero support
c84e9b4 operator: velero support
9dcae5a Fix nakedret violations
d5cb664 Fix whitespace violations
2b03b71 Fix staticcheck deprecation violation
d61f77d Fix unconvert violations
95a1602 Fix unparam violations
d9e75f7 Fix misspell violations
0e66733 Fix staticcheck violations
da6c805 Fix gosimple violations
d8d7bc7 Fix gofmt violations
5d83e08 Fix goimports violations
10f7fbf Upgrade linter and gotestsum
33799a7 add labels to k8s unseal secret
3236784 more tls docs (#846)
338c73d webhook: fix agent config examples
7687ace Add support for custom hosts/IPs on the TLS certificates managed by vault-operator (#843)

bank-vaults - 0.8.0

Published by bonifaido over 4 years ago

The last non-patch release before version 1.0.0!

Notable new features and fixes:

Charts:

  • operator: fix nodeSelector condition check in vault-operator chart deployment file (@raoofm)
  • operator: update etcd chart and fix scope (@bonifaido)
  • operator: exercise the chart in the acceptance test (@bonifaido)
  • add openshift scc example (@pbalogh-sa)

Webhook:

  • fix error handling in case of missing secret/configmap defined in envFrom/valueFrom (@pbalogh-sa)
  • ownerreferences should be always queried (@bonifaido)
  • Fix trim to >> value (@ramonberrutti)
  • Add registry address to cache key (@Kasama)
  • Fix resource parsing error check (@marcoreni)
  • Implement vault-agent templating support (@marcoreni)

Operator:

  • use probes from controller-runtime (@bonifaido)
  • update AWS SDK to support EKS AWS_ROLE_ARN mappings (@bonifaido)
  • example for raft directory permission setup (@pbalogh-sa)
  • multi DC failover support and example with Raft (@bonifaido)
  • Add oci authMethodType to gcp case to support configuring vault auth roles (@arumer)
  • fix dependencies (@sagikazarmark)

All commits since the last version: https://github.com/banzaicloud/bank-vaults/compare/0.7.1...0.8.0

Thanks to all the contributors! 🍺 ❤️

@arumer
@pbalogh-sa
@raoofm
@marcoreni
@ramonberrutti
@Kasama
@sagikazarmark
@matyix

Artifacts:

With tag 0.8.0:

https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags

bank-vaults - 0.7.1

Published by bonifaido almost 5 years ago

This release only restores a previously existing feature that went missing when it was factored out in earlier releases, namely operator leader election. Operator version 0.7.1 and chart version 0.6.1 contain the fix. 🏂

bank-vaults - 0.7.0

Published by bonifaido almost 5 years ago

This is a rather small, but special release because this is the last one for this year! 🎄 🎁 🍾 🎉

Thanks for all the discussions, issues and PRs this year; please keep them coming next year as well! 👍

Notable new features and fixes:

First of all please welcome @leominov as a new member of the project!

Charts:

  • vault: fix resources block (@bonifaido)
  • vault: the chart is part of the acceptance test suite now (@bonifaido)

Webhook:

  • fix for kubectl DockerHub address format (@bonifaido)
  • add alias for consul-template - vault-configfile-path (@pbalogh-sa)
  • documentation clarifications (@hacktron95)
  • adding new parameters to control the sideEffect to support older clusters (@nullck)
  • add consul-template with PKI example (@bonifaido)
  • AWS IAM instance role-based ECR authentication with token cache (@Kasama, @bonifaido)
  • vault-env: add version to secret cache key (@bonifaido)

Operator:

  • the operator has migrated to pure k8s-sigs/controller-runtime and kubernetes/code-generator and cut ties with the operator-sdk, to reduce the number of dependencies and gain more control over the versions of those core libraries
  • startupSecrets from k8s Secrets (@pbalogh-sa)
  • support extra initContainers for Vault Pod (@pbalogh-sa)

All commits since the last version: https://github.com/banzaicloud/bank-vaults/compare/0.6.3...0.7.0

Thanks to all the contributors! 🍺 ❤️

@pbalogh-sa
@nullck
@hacktron95
@Kasama
@bonifaido

Artifacts:

With tag 0.7.0:

https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags

bank-vaults - 0.6.3

Published by bonifaido almost 5 years ago

Minor release with bug fixes again:

  • chart: add custom certificate documentation and support (@bonifaido)
  • chart: add default requests / containers (@tarokkk)
  • operator: istio compatibility flag added with port naming support (@bonifaido)
  • operator: diff fix for pvc status updates (@bonifaido)
  • vault-env: Make vault-env psp friendly (@funkypenguin)

bank-vaults - 0.6.2

Published by bonifaido almost 5 years ago

Minor release mostly with bug fixes again:

  • operator: fixed replicaset and deployment RBAC issues for Kubernetes < 1.6 (#752) - @szwed
  • operator: etcd upgrade to 3.3.17 (#753) - @bonifaido
  • operator and chart: Fix readiness probe for vault v1.3.0 - @arminbuerkle
  • operator: various fixes around transit unseal envs and mounts - @bonifaido
  • webhook: add objectSelector when the k8s version is above 1.15 - @pbalogh-sa

bank-vaults - 0.6.1

Published by bonifaido almost 5 years ago

Just a quick release, mostly bug fixes around registry access in the mutating webhook:

  • webhook: fix docker.io addressed images to index.docker.io (bugfix)
  • webhook: turn registry pinging off, it causes issues for some registry implementations (bugfix)
  • webhook: configurable transit path
  • operator: accept vault-config.yml and .yaml as well in external ConfigMaps (improvement) @leominov
  • charts: Added labels support to vault-operator and vault-secrets-webhook charts (improvement) @szwed

bank-vaults - 0.6.0

Published by bonifaido almost 5 years ago

Notable new features and fixes:

Charts:

Library:

  • the client code has been moved to the SDK package and is versioned separately
  • fixed connection leak in client.Close()
  • remove JWT handler from auth package, it was not strongly bank-vaults related
  • client: add the ability to provide a Vault token

Webhook:

  • allow vault_role to be specified globally
  • vault-env: implement templating of data sourced from Vault
  • Disable image caching for Policy=PullAlways and ref=latest
  • vault-env: Support Vault Transit Secret Engine for PODs
  • Add option to use static certificates for vault-secrets-webhook helm chart
  • unit tests! (@lhotrifork 🙇)
  • Add RunAsUser functionality within copy-vault-init and containers
  • Slim vault-env docker image size from 127MB to 24MB
  • Added release namespace to webhook helm templates
  • allow JSON logging
  • Fix parsing of Image Name with digest
  • Add new annotation to change the config file path in the container
  • Make ImagePull Docker config JSON key configurable
  • Change hardcoded imagePullPolicy
  • Make listen-address configurable
  • Serve telemetry on another address to avoid TLS problems
  • add PDB to vault-secrets-webhook

Configurer:

  • azure auth method got implemented
  • Vault KV based unsealing
  • Support creating group-aliases with same name and different mount_accessor
  • fix: Config not added with rotate: true

Operator:

  • default to fsGroup 1000 (vault user) to fix filesystem permission issues (raft and file backend for example)
  • add the ability to apply additional labels to the vault statefulset and other resources
  • rework of watched secrets
  • scope configmap/secret selection to same namespace
  • fix rbac for openshift
  • Add Vault Mounts to the configurer as well
  • Propagate env vars to bank-vaults and configurer
  • Add postgresql as an allowed HA backend
  • make the prometheus example fully automated
  • automated raft storage support
  • Breaking change: labels changed to Kubernetes standard labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/

All commits: https://github.com/banzaicloud/bank-vaults/compare/0.5.1...0.6.0

Thanks to all the contributors! 🍺 ❤️

@sagikazarmark
@matyix
@bonifaido
@pbalogh-sa
@funkypenguin
@KealanM
@leominov
@lhotrifork
@primeroz
@Yvonne2017
@szwed
@MightySCollins
@Z3r0Sum
@srleyva
@nesl247
@wombat
@thejmazz
@tommy-dk
@upodroid
@JaredEdwards
@skhedim
@msvticket
@colin014
@fraenkel
@stokkie90

Artifacts:

With tag 0.6.0:

https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags

bank-vaults - 0.5.4

Published by bonifaido almost 5 years ago

This is a patch release for the 0.5.x branch which contains:

#719

bank-vaults - 0.5.3

Published by bonifaido about 5 years ago

This is a patch release for the 0.5.x branch which contains:

#659