bank-vaults
A Vault swiss-army knife: A CLI tool to init, unseal and configure Vault (auth methods, secret engines).
APACHE-2.0 License
Bot releases are visible (Hide)
Published by bonifaido about 5 years ago
This is a patch release for the 0.5.x branch which contains:
Published by bonifaido about 5 years ago
In this release, we have moved the helm charts to this repository, this should ease maintaining both the application and the deployment configuration.
Notable new features:
Webhook:
- make it locally runnable with
make -j webhook-up - small logging / comment additions
- handle vault-tls double mount gracefully
- add support for dry-run with the webhook controller
- make the webhook failure policy configurable, also set the default to Ignore (chart)
- add support for a default
imagePullSecret - add
ServiceMonitorconfig to the webhook (chart) - expose mutation metrics in Prometheus format
- ignoring
kube-systemby default (chart) - fix indentation for webhook
matchLabels(chart) - allow setting Pod annotations (chart)
- ConfigMap: mutate BinaryData as well
- vault-env: cache secrets to reduce calls and support dynamic credentials
- Add priorityClass for secrets webhook deployment (chart)
- don't bail out on missing optional env sources
Configurer:
- add support for auth mount config + example
Operator:
- add priority class for vault operator
@dcherman
@sagikazarmark
@baluchicken
@mgruener
@jurgenweber
@bonifaido
@matyix
@chrisob
@rrondeau
https://github.com/banzaicloud/bank-vaults/compare/0.5.0...0.5.1
Published by bonifaido about 5 years ago
Published by bonifaido about 5 years ago
Notable new features:
Operator
- add transit unseal example with operator and webhook
- enable
preFlightChecksby default - RBAC - allow Operator to list replicasets
Webhook
- add
VAULT_TOKEN=vault:loginspecial value for passing the Vault token from vault-env to the application - lazy connection to Vault in case of ConfigMaps and Secrets
- Docker CMD should be appended only if Kubernetes args is empty
- Allow enabling debug logs
- Configurable Webhook listen address
Library
- wildcard TLS certificates should support multiple wildcard SANs
Misc
- various documentation and diagram fixes
- use Vault SDK instead of pulling in the whole Vault project 🎉
All commits since 0.4.18:
https://github.com/banzaicloud/bank-vaults/compare/0.4.18...0.5.0
Thanks to all the contributors! 🍺 ❤️
@ahma
@leominov
@mgruener
@tommy-dk
@sosoriov
@bonifaido
@pbalogh-sa
@matyix
Artifacts:
With tag 0.5.0:
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags
Published by bonifaido over 5 years ago
Notable new features:
-
Mutating Webhook and vault-env:
- add healthz handler and added
readinessProbeto chart with this
- add healthz handler and added
-
Vault Configurer:
- Add support for "create_only" field to secret engines
- Example added for Google Secret backend configuration
- added complete MySQL backed HA setup example
-
Operator:
- add all Kubernetes Service FQDNs to TLS cert hosts
- make Vault Pods fine-tunable via VaultPodSpec and VaultConfigurerPodSpec
- Use the k8s-objectmatcher library to avoid unnecessary object updates
- updated operatork SDK to 0.9.0 - Go modules 🎉
- Make etcd image repositories configurable
- allow Vault configuration to be templated with environment variables (and actually all Go template and Sprig functions) the same way as configurer configuration ⚛️
Bugfixes:
- Operator:
- Cluster vs namespaced Role seemed were swapped around in the deployment examples
- Fetch the Vault instance again before update to minimize the possibility of updating a stale object
- Mutating Webhook and vault-env:
- Fix for mutating webhook not mounting TLS certificates to the "main" container
Misc
- various CI and acceptance test fixes and improvements (as always...)
- various documentation fixes
All commits since 0.4.17:
https://github.com/banzaicloud/bank-vaults/compare/0.4.17...0.4.18
Thanks to all the contributors! 🍺 ❤️
@pbalogh-sa
@baluchicken
@jurgenweber
@ryandbump
@mgruener
@primeroz
@pepov
@matyix
@bonifaido
Artifacts:
With tag 0.4.18:
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags
Published by bonifaido over 5 years ago
Notable new features:
-
Mutating Webhook and vault-env:
- Read container command and args from the source image registry
- Handle pod spec when CMD is absent and ARGS are present
- Make Consul Template resource limits configurable
- Webhook now supports mutating Secrets and ConfigMaps
- added ability to only warn for missing secrets
- added option to pass VAULT env vars to the main process
-
Vault Configurer:
- Add support for OIDC auth type
- Add support for rotating Database and AWS root credentials via the
rotate: truefield
-
Operator:
- Regenerate TLS certificate automatically before the defined time of expiry in CR
- Distributing Vault TLS CA to specified namespaces
- Add support for user-defined labels on Vault and VaultConfigurer resources
- define resource limits to ALL resources
Bugfixes:
- Operator:
- preserve NodePort for Services
- use 'reclaim' policy for host-path PVs in the cr.yaml example
- Configurer:
- fix regression regarding missing secret engine options
- Webhook:
- Fix configmap name for vault agent if ownerreference does not contain -
Misc
- various CI and acceptance test fixes and improvements
- various documentation fixes
All commits since 0.4.16:
https://github.com/banzaicloud/bank-vaults/compare/0.4.16...0.4.17
Thanks to all the contributors! 🍺 ❤️
@tczekajlo
@pbalogh-sa
@jurgenweber
@baluchicken
@matyix
@primeroz
@stephenmuss
@robertgates55
@moskitone
@pepov
@devlounge
@benjamink
@bonifaido
Artifacts:
With tag 0.4.17:
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-secrets-webhook/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/bank-vaults/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-env/tags
https://cloud.docker.com/u/banzaicloud/repository/docker/banzaicloud/vault-operator/tags
Published by bonifaido over 5 years ago
Notable new features:
- Watch external secrets using labels selector and reload vault StatefulSet if any change is detected (operator)
- cert auth support in configurer
- okta auth support in configurer
- token auth support in configurer
- allow for annotations overrides of the consul template image (webhook)
- Bank vaults client constructor improvements (client)
- Add support for secret versioning (webhook)
- Add support for provisioning vault with auto-unsealing (bank-vaults)
- Allow to enable/disable AllowPrivilegeEscalation for injected containers to make it works with psp restricted deployments [webhook]
Bugfixes:
- fix for [webhook] vault-env is not injected when vault.security.banzaicloud.io/vault-agent: "false"
All commits since 0.4.15: https://github.com/banzaicloud/bank-vaults/compare/0.4.15...0.4.16
Thanks to all the contributors! 🍺
Published by bonifaido over 5 years ago
Notable new features:
- consul-template support in vault-secrets-webhook
- statsd port added to Prometheus ServiceMonitor
- exporting Prometheus metrics from operator SDK's manager
- add support for creating vault configurations as Secrets
- add --once flag to configure and respect VAULT_TOKEN in dev mode
- add "--fatal" flag to configurer
- implement common kv backend test before initializing Vault
- Vault groups support
- operator: Supporting nodeselectors, and tolerations
Bugfixes:
- configurer: Remove leaked configuration from error log
- configurer: always transform sts_account to a string
- configurer: handle configuration errors by re-injecting configuration files (improvement)
- operator: fix resource quota issues via checking and upgrading existing objects
- rbac: scope fixes
All commits since 0.4.14: https://github.com/banzaicloud/bank-vaults/compare/0.4.14...0.4.15
Thanks to all the contributors! 🍺
Published by bonifaido over 5 years ago
Published by bonifaido over 5 years ago
- HA Improvements
- webhook supports now dynamic secrets
- go 1.12 and modules
https://github.com/banzaicloud/bank-vaults/compare/0.4.12...0.4.13
Published by bonifaido over 5 years ago
Published by bonifaido over 5 years ago
Published by bonifaido over 5 years ago
Published by bonifaido over 5 years ago
Published by baluchicken over 5 years ago
Published by bonifaido over 5 years ago
Published by bonifaido over 5 years ago
Ingress support added and smaller fixes:
https://github.com/banzaicloud/bank-vaults/compare/0.4.5...0.4.6
Published by bonifaido over 5 years ago
Full set of changes: https://github.com/banzaicloud/bank-vaults/compare/0.4.4...0.4.5
PRs:
https://github.com/banzaicloud/bank-vaults/pull/284
https://github.com/banzaicloud/bank-vaults/pull/294
https://github.com/banzaicloud/bank-vaults/pull/296
https://github.com/banzaicloud/bank-vaults/pull/297
https://github.com/banzaicloud/bank-vaults/pull/298
Published by bonifaido almost 6 years ago
- An integration test has been added to CI: https://github.com/banzaicloud/bank-vaults/pull/276
- Add support to config secret engine, which nosub-path after config (bugfix): https://github.com/banzaicloud/bank-vaults/pull/278
- Add container resource config: https://github.com/banzaicloud/bank-vaults/pull/279
- Allow to use ha_storage in replicated vault setup https://github.com/banzaicloud/bank-vaults/pull/281
Published by bonifaido almost 6 years ago
