v0.25.0

Added

• Documentation updates.
• Added liveness and readiness probes to SPIRE Server and SPIRE Agent.
• Added pod priority classes to SPIRE Server, SPIRE Agent, and VSecM pods
  to ensure that VSecM components are prioritized and maintained in the
  event of resource constraints.
• VSecM Sentinel Init Commands can now wait a configurable amount of time
  before running. This feature is useful when you want to delay the execution
  of the init commands to ensure that other components are ready.
• VSecM Sentinel can now wait before marking Init Commands as successful.
  This feature is useful when you want to delay the readiness of VSecM Sentinel
  until other components are ready.
• VSecM Sentinel Init Command can now parse and understand all VSecM Sentinel
  commands.
• Added Generated protobuffer files into the source code for ease of maintenance.

Changed

• Removed the tombstone feature, we use VSecM Keystone instead of tombstone,
  which is more reliable, secure, and under our control.
• Reliability improvements in VSecM Sentinel. For example, VSecM Sentinel does
  not wait forever in a loop for VSecM Safe to be ready. Instead, it crashes
  after a grace period, and the orchestrator can restart it in a more cloud-native way.
• SPIRE Server is now a StatefulSet by default instead of a Deployment.
  This change ensures that SPIRE Server has a stable identity across restarts.
• VSecM Keystone, and VSecM Keystone secrets are being used instead of tombstone.
• Various other stabilization improvements.

Fixed

• Minor bug fixes and feature enhancements.

Security

• Fixed CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
• Fixed GHSA-pxvg-2qj5-37jq Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs
• Fixed GHSA-xc9x-jj77-9p9j Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
• Fixed GHSA-vcc3-rw6f-jv97 Use-after-free in libxml2 via Nokogiri::XML::Reader
• Addressed CVE-2020-8559 Privilege Escalation in Kubernetes

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• next helm charts by @v0lkan in #796
• next by @v0lkan in #798
• 💄 cosmetic(VSecM): rename busywait to background by @v0lkan in #811
• add wait time to init commands by @v0lkan in #813
• 🌟 enhancement(VSecM Sentinel): option to terminate early by @v0lkan in #814
• wait before marking init command as successful by @v0lkan in #816
• SDK signature change by @v0lkan in #818
• Refactoring Init Command code by @v0lkan in #819
• Closes #644, Add statefulset support in spire-server fix by @BulldromeQ in #812
• Address some of the TODO’s in the source code by @v0lkan in #820
• statefulset by @v0lkan in #823
• Remove Tombstone and Use Keystone Instead by @v0lkan in #824
• 🌟 enhancement(VSecM Sentinel): processInitCommands improvement by @v0lkan in #825
• documentation update by @v0lkan in #826
• documentation updates by @v0lkan in #911
• Update spire-server.yaml statefulset missing serviceName by @BulldromeQ in #926
• enhancement: protofiles generated, dev-env md and workflow edited by @marikann in #930
• Stabilization Improvement for the Helm Charts (for Resource-Limited Environments) by @v0lkan in #933
• Add events-based cache by @v0lkan in #934
• Bump golang.org/x/net from 0.19.0 to 0.23.0 by @dependabot in #936
• Introducing initial helm-chart for version 0.25.0 by @v0lkan in #937

Full Changelog: v0.24.4...v0.25.0

v0.24.4

This is an intermediate maintenance release, focusing on making the "init command" wofklow of VSecM Sentinel more robust.

What's Changed

• manifest update by @v0lkan in #791
• next: 0.24.4 by @v0lkan in #793
• Add keystone and init-container image to values.yaml by @BulldromeQ in #794
• logic fixes and extra logs by @v0lkan in #795

New Contributors

• @BulldromeQ made their first contribution in #794

Full Changelog: v0.24.3...v0.24.4

v0.24.3

This is an intermediate maintenance release.

What's Changed

• Introducing initial helm-chart for version 0.24.3 by @v0lkan in #787
• prep for v0.24.3 by @v0lkan in #789
• logic update in RunInitCommands() by @v0lkan in #790

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

Full Changelog: v0.24.2...v0.24.3

v0.24.2

This is an intermediate patch release to make sentinel’s ”init command” flow more robust.

What's Changed

• Introducing initial helm-chart for version 0.24.2 by @v0lkan in #770
• Add retry with backoff to sentinel's init commands by @v0lkan in #786

Full Changelog: v0.24.1...v0.24.2

v0.24.1

Added

• Added 4 new use cases to the documentation.

Fixed

• VSecM Sentinel was not honoring the tombstone secret, now it is fixed.

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Next Release Candidate by @v0lkan in #757
• 📚 docs(VSecM): Added several new use cases by @v0lkan in #767
• Fix init command tombstone functionality by @v0lkan in #769

Full Changelog: v0.24.0...v0.24.1

v0.24.0

Added

• Kickstarted SDK work for Java.
• VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET environment variable added for
  giving an option to updating internal k8s secrets when manual root key provided.
• Added additional logs to VSecM Sentinel to help with debugging.

Fixed

• Quickstart guide on the website was not working as expected, now it is fixed.

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Introducing initial helm-chart for version 0.24.0 by @v0lkan in #741
• v0.24.0 by @v0lkan in #742
• docs: Update quickstart guide in VMware Secrets Manager by @marikann in #746
• quickstart fixes by @v0lkan in #747
• added placeholder folders for sdks by @v0lkan in #748
• ✨ feat(VSecM Safe): #460 Manual Root Key Updates K8s Secret by @gurkanguray in #725
• added extra logs to sentinel by @v0lkan in #751
• 🚧 build(VSecM): v0.24.0 release by @v0lkan in #752
• Introducing initial helm-chart for version 0.24.1 by @v0lkan in #753
• 0.24.1 manifests by @v0lkan in #754
• 0.24.0 changelog by @v0lkan in #756

Full Changelog: v0.23.3...v0.24.0

v0.23.3

Added

• Added the Helm charts the ability for SPIRE Server to use Persistent Volumes
  for its data.
• Introduced VSecM Keystone a workload that waits until all the "init commands"
  that VSecM Sentinel runs are completed. This feature is useful, especially when
  an orchestrator watches for the readiness of VSecM Keystone to bring up other
  workloads that depend on the secrets that VSecM Sentinel initializes.
• Now, one secret can be associated with multiple workloads in multiple
  namespaces. This feature is useful when you want to share a secret across
  multiple workloads in different namespaces.
• Added image pull secrets to SPIRE Server and SPIRE Agent Helm charts.
• Added Kampus Discord Server as a welcoming and supporting community
  for VSecM users and contributors. This is an additional community that
  augments the official Slack workspace. The Slack workspace is still
  the primary community for VSecM. Kampus is a global community; however, its
  core audience is Turkish-speaking people. The community is open to everyone.
• By adding Kampus as a supported community, we aim to:
  • Acknowledge and express gratitude for the Kampus community's ongoing
    support and contributions.
  • Facilitate a more integrated and cohesive ecosystem for current and future
    contributors.
  • Enhance accessibility for new contributors seeking guidance or looking to
    engage with the project community.
  • Foster a diverse and inclusive environment where all members can share,
    learn, and contribute to the project's success.

Changed

• BREAKING: Removed the -k flag from Sentinel, as the k8s: prefix was
  a better way that does an identical job. This change also simplified the
  internal workings of VSecM Safe, making it more efficient, reliable, and
  easier to maintain.
• VSecM documentation now has a dark mode for better readability. In addition,
  the typography and layout of the documentation have been improved for a more
  consistent and user-friendly experience.

Fixed

• Integration tests were failing, now they are fixed.
• Various minor bugfixes.
• Performance improvements and asset cleanup in the documentation website.

Security

• SPIRE Server Helm charts was using NodePort; we defaulted it to the more
  secure ClusterIP in the Helm charts.

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Introducing initial helm-chart for version 0.23.3 by @v0lkan in #609
• next manifests by @v0lkan in #611
• next version of helm charts and manifests to be worked on by @v0lkan in #612
• Fix Integration Tests by @v0lkan in #726
• 🐛 fix(VSecM): made 8443 port dynamic by @v0lkan in #727
• 🐛 fix(SPIRE): SPIRE Agent and Server did not have image pull secrest by @v0lkan in #728
• Remove -k flag from Sentinel CLI by @v0lkan in #729
• refactor(docs): assets and css cleanup & ui changes by @kuzeykose in #606
• (feat) Remove nodeport from helm charts by @v0lkan in #735
• Ability to Associate the Same Random Secret to Multiple Workloads by @v0lkan in #736
• Introducing VSecM Keystone by @v0lkan in #737
• 🚧 build(VSecM): Release v0.23.3 by @v0lkan in #739

New Contributors

• @kuzeykose made their first contribution in #606

Full Changelog: v0.23.2...v0.23.3

v0.23.2

Added

• VSecM Sentinel can now act as an OIDC Resource Server (experimental). This
  feature is disabled by default, and can be enabled by an environment variable.
  When you enable it, you should also ensure the security of the OIDC Server
  as breaching it will give direct access to VSecM. This feature changes the
  attack surface of the system and should be implemented only if you are
  extremely sure of what you are doing.
• Documented all public methods in the codebase. This will help
  contributors to understand the codebase better and make it easier to
  contribute.
• We now have an official “VSecM Inspector” container image that can be used
  to inspect the secrets bound to workloads without having to shell into
  the workloads. This is especially helpful when you want to debug a workload’s
  secrets without needing to uninstall or change the source code of the workload.
• Unit tests to increase coverage.

Changed

• We now have a Go-based integration test suite instead of the former bash-based
  one. This change makes the tests more reliable and easier to maintain, while
  we can leverage the Go language’s powerful primitives to make the tests
  readable, maintainable, and scalable.
• VSecM components have sensible “memory” lower limits in helm charts (before
  it was left for the end-user to decide, now we provide a starting point
  while encouraging the user to do their own benchmarks to update the
  resource limits to their production needs.)
• Updated the log level of all VSecM components to the highest (7, TRACE).
  This setting is to help VSecM users to diagnose and debug potential
  installation issues during initial deployment. Once you are sure that things
  work as expected, you are encouraged to change the log level to a more
  sensible value (like, 3, DEBUG).
• Refactorings to make the code easier to follow.

Fixed

• VSecM Sentinel’s “Init Command” loop had a logic error that was preventing the
  initialization command to function under certain edge conditions. It’s now
  fixed.

Security

• Updated SPIRE Server, SPIRE Client, and SPIRE Controller Manager images to
  their latest version.
• Increased the Go version to the recent stable.
• Fixed CVE-2024-28180 Go JOSE vulnerable to Improper Handling of Highly
  Compressed Data

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• v0.23.0 by @v0lkan in #583
• 0.23.0 by @v0lkan in #584
• Enable Golang-based Integration Tests by @v0lkan in #590
• Add Resource Limits to Helm Charts by @v0lkan in #594
• 0.23.1 helm charts by @v0lkan in #595
• 0.23.2 by @v0lkan in #597
• refactor: go version increased and name changed in test-coverage.yaml by @marikann in #593
• feat: Add FreeForm format handling by @marikann in #591
• 🛡️ security(SPIRE): Upgrading spire images for latest release by @abhishek44sharma in #604
• chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @dependabot in #603
• Add VSecM Inspector as a Utility App by @v0lkan in #605
• 404 create service sentinel by @sahinakyol in #592
• v0.23.2 by @v0lkan in #608

Full Changelog: v0.23.0...v0.23.2

v0.23.0

Added

• VSecM Sentinel now waits for VSecM Safe to be ready before running init
  commands.
• Documentation updates and code refactoring.

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• 0.22.5 changelog update by @v0lkan in #569
• Initializing helm chart/0.23.0 by @v0lkan in #570
• added 0.23.0 manifests by @v0lkan in #571
• 📚 docs(VSecM): updated roadmap by @v0lkan in #576
• Enable VSecM Sentinel Init Command to Wait Until VSecM Safe is Healthy by @v0lkan in #577
• Check VSecM Safe is functional before running init commands by @v0lkan in #578
• Added a few unit tests and scenarios by @marikann in #579

Full Changelog: v0.22.5...v0.23.0

v0.22.5

Added

• Provisioned an public ECR registry to deploy and test VSecM on EKS.
• Added a GitHub Actions workflow to generate a test coverage badge, and
  coverage reports.
• Added the ability to use a persistent volume for VSecM Safe.

Changed

• Bumped SPIRE Server and SPIRE Agent to the latest versions (1.9.0).
• VSecM Sentinel logs now have a correlation ID to make it easier to trace
  logs initiated by different requests.
• Improvements to the logging-and-auditing-related code.
• Deleting a VSecM Safe “secret” now also deletes the associated Kubernetes
  secret, if it exists.
• VSecM Safe now has a more robust retry strategy for creating and updating
  Kubernetes secrets.

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• 📚 docs(VSecM): v0.22.3 Changelog by @v0lkan in #485
• Add Version Snapshots by @v0lkan in #486
• Bugfix/162 fix resource mgmnt minikube by @sahinakyol in #472
• 🐛 fix(VSecM): 467 Update version 0.22.4, fix typo, add audit entity by @sahinakyol in #488
• chore(docs): change VMware, Inc. to VMware secrets manager contributors. by @huseyingulec in #490
• chore(deps): bump nokogiri from 1.15.4 to 1.16.2 in /docs by @dependabot in #494
• Ovolkan/sentinel tombstone by @v0lkan in #499
• VSECM_LOG_LEVEL field has been edited to a default value of 3 for each location by @yigithankarabulut in #500
• Add ability to associate multiple namespaces to a secret by @v0lkan in #501
• 227 sentinel audit logs stdout grpc by @sahinakyol in #510
• Revert "227 sentinel audit logs stdout grpc (#510)" by @v0lkan in #512
• ✨ feat(VSecM Safe): 504-Add backoff policy to create/update k8s secrets by @gurkanguray in #506
• various changes by @v0lkan in #513
• 227 sentinel audit logs stdout grpc by @sahinakyol in #514
• 515 unit tests are failing for sentinel logger by @sahinakyol in #522
• 517 sentinel logging log levels by @sahinakyol in #521
• ✨ feat(VSecM Safe): Delete safe-managed assoc k8s secrets by @gurkanguray in #519
• Doc and Manifest Update for 0.23.0 by @v0lkan in #552
• 🌟 enhancement(VSecM): typo fix in filename by @v0lkan in #553
• update doc snapshot link by @v0lkan in #554
• 📚 docs(VSecM): 516 Add doc for proto files generation by @sahinakyol in #546
• Refactoring the Logging Logic by @v0lkan in #557
• 🌟 enhancement(VSecM): helm template changes by @v0lkan in #558
• 🔨 refactor(VSecM): 555 update log message by @omergk28 in #562
• 396 test coverage badge workflow by @marikann in #560
• Add EKS Manifests by @v0lkan in #565
• ✨ feat(SPIRE): Bumping spire image with latest release version by @abhishek44sharma in #566
• refactor: test-coverage yaml edited by @marikann in #563
• v0.22.5 Release Prep by @v0lkan in #567

New Contributors

• @yigithankarabulut made their first contribution in #500
• @gurkanguray made their first contribution in #506
• @omergk28 made their first contribution in #562
• @marikann made their first contribution in #560

Full Changelog: v0.22.3...v0.22.5