v0.2.0

0.2.0 (August 16th, 2023)

Improvements:

• Helm: controller.imagePullSecrets stanza is added to provide imagePullSecrets to the controller's containers via the serviceAccount: GH-266
• Helm: controller.manager.resources values now also apply to the pre-delete-controller-cleanup-job. GH-280
• Helm: Adding nodeselector and tolerations to deployment: GH-272
• Helm: Add extraLabels to deployment: #281
• Add K8s namespace support to VaultAuthRef and VaultConnectionRef: (#291)

Changes:

• Helm: Update default kube-rbac-proxy container image in helm chart from v0.11.0 to v0.14.1: GH-267
• Added Vault 1.14 and removed 1.11 from CI testing GH-324
• K8s versions tested are now 1.23-1.27 GH-324
• UBI-based images now built and published with releases: GH-288
• Updated the license from MPL to Business Source License: GH-321

Bugs:

• VaultStaticSecrets (VSS): fix issue where the response error was not being set: GH-301

v0.1.0

0.1.0 (June 12th, 2023)

Improvements:

• VaultPKISecrets (VPS): Include the CA chain (sans root) in 'tls.crt' when the destination secret type is "kubernetes.io/tls": GH-256

Changes:

• Helm: Breaking Change Fix typos in values.yaml that incorrectly referenced approle roleid and secretName which should be appRole roleId and secretRef respectively under defaultAuthMethod and controller.manager.clientCache.storageEncryption: GH-257

v0.1.0-rc.1

0.1.0-rc.1 (June 7th, 2023)

Features:

• Helm: Support optionally deploying the Prometheus ServiceMonitor: GH-227
• Helm: Breaking Change: Adds support for additional Auth Methods in the Transit auth method template: GH-226
  To migrate, set Kubernetes specific auth method configuration under controller.manager.clientCache.storageEncryption
  using the new stanza controller.manager.clientCache.storageEncryption.kubernetes.
• VaultAuth: Adds support for the AWS authentication method, which can use an IRSA service account, static credentials in a
  Kubernetes secret, or the underlying node role/instance profile for authentication: GH-235
• Helm: Add AWS to defaultAuth and storageEncryption auth: GH-247

Improvements:

• Core: Extend vault Client validation checks to handle failed renewals: GH-171
• VaultDynamicSecrets: Add support for synchronizing static-creds: GH-239
• VDS: add support for drift detection for static-creds: GH-244
• Helm: Make defaultVaultConnection.headers a map: GH-249

Build:

• Update to go 1.20.5: GH-248
• CI: Testing VSO in Azure K8s Service (AKS): GH-218
• CI: Updating tests for VSO in EKS: GH-219

Changes:

• API: Bump version from v1alpha1 to v1beta1 Breaking Change: GH-251
• VaultStaticSecrets (VSS): Breaking Change: Replace Spec.Name with Spec.Path: GH-240
• VaultPKISecrets (VPS): Breaking Change: Replace Spec.Name with Spec.Role: GH-233
• Helm chart: the Transit auth method kubernetes specific configuration in controller.manager.clientCache.storageEncryption
  has been moved to controller.manager.clientCache.storageEncryption.kubernetes.

v0.1.0-beta.1

0.1.0-beta.1 (May 25th, 2023)

Bugs:

• Helm: fix deployment templating so setting controller.kubernetesClusterDomain works as defined in values.yaml: GH-183
• Helm: Add vaultConnectionRef to controller.manager.clientCache.storageEncryption for transit auth method configuration and provide a default value which uses the default vaultConnection. GH-201
• VaultPKISecret (VPS): Ensure Spec.AltNames, and Spec.IPSansare properly formatted for the Vault request: GH-130
• VaultPKISecret (VPS): Make Spec.OtherSANS a string slice (breaking change): GH-190
• VaultConnection (VC): EnsureSpec.CACertSecretRef is relative to the connection's Namespace: GH-195

Features:

• VaultDynamicSecrets (VDS): CRD is extended with Revoke field which will result in the dynamic secret lease being revoked on CR deletion. Note:
  The VaultAuthMethod referenced by the VDS Secret must have a policy which provides ["update"] on sys/leases/revoke: GH-143 GH-209
• VaultAuth: Adds support for the JWT authentication method which either uses the JWT token from the provided secret reference,
  or a service account JWT token that VSO will generate using the provided service account: GH-131
• VaultDynamicSecrets (VDS): New RenewalPercent field to control when a lease is renewed: GH-170
• Helm: Support specifying extra annotations on the Operator's Deployment: GH-169

Improvements:

• VaultDynamicSecrets (VDS): Generate new credentials if lease renewal TTL is truncated: GH-170
• VaultDynamicSecrets (VDS): Replace Spec.Role with Spec.Path (breaking change): GH-172
• VaultPKISecrets (VPS): Make commonName optional: GH-160
• VaultDynamicSecrets (VDS): Add support for specifying extra request params, and HTTP request method override: GH-186
• VaultStaticSecrets (VSS): Ensure an out-of-band Secret deletion is properly remediated: GH-137
• Honour a Vault*Secret's Vault namespace: GH-157
• VaultStaticSecrets (VSS): Add Spec.Version field to support fetching a specific kv-v2 secret version: GH-200

Changes:

• API schema (VDS): Spec.Role renamed to Spec.Path which can be set to any path supported by the
  Vault secret's engine.
• API schema (VPS): Spec.OtherSANS takes a slice of strings like Spec.AltNames and Spec.IPSans

v0.1.0-beta

0.1.0-beta (March 29th, 2023)

* Initial Beta Release