v0.4.0

0.4.0 (January 12th, 2022)

Changes

• -write-secrets flag now defaults to false, delegating file writes to the driver. [GH-127]
  • Note: -write-secrets is deprecated and will be removed in the next major version.

Features

• Support extracting JSON values using secretKey in the SecretProviderClass [GH-126]

Maintenance

• Multi-arch images now available on Docker hub, including amd64, arm64, arm/v6 and 386

0.3.0

0.3.0 (June 7th, 2021)

Announcements

• --write-secrets=false will become the default from v0.4.0, and requires secrets-store-csi-driver v0.0.21+.
• The --health_addr flag is marked deprecated but still functioning. Please use --health-addr instead. --health_addr is currently planned for removal in v0.5.0.

Features

• Support for changing the default Vault address and Kubernetes mount path via CLI flag to the vault-csi-provider binary [GH-96]
• Support for sending secret contents to driver for writing via --write-secrets=false [GH-89]
  • Note: --write-secrets=false will become the default from v0.4.0 and require secrets-store-csi-driver v0.0.21+

Changes

• --health_addr flag is marked deprecated and replaced by --health-addr. Slated for removal in v0.5.0 [GH-100]

Bugs

• Added missing error handling when transforming SecretProviderClass config to a Vault request [GH-97]

0.2.0

0.2.0 (April 14th, 2021)

FEATURES

• Support for Vault namespaces, via vaultNamespace option in SecretProviderClass parameters [GH-84]

0.1.0

0.1.0 (March 24th, 2021)

CHANGES

• All secret engines are now supported [GH-63]
  • This makes several breaking changes to the configuration of the SecretProviderClass' objects entry
  • There is no top-level array entry under objects
  • objectVersion is now ignored
  • objectPath is renamed to secretPath
  • secretKey, secretArgs and method are newly available options
  • objectName no longer determines which key is read from the secret's data
  • If secretKey is set, that is the key from the secret's data that will be written
  • If secretKey is not set, the whole JSON response from Vault will be written
  • vaultSkipTLSVerify is no longer required to be set to "true" if the vaultAddress scheme is not https
• The provider will now authenticate to Vault as the requesting pod's service account [GH-64]
  • This is likely a breaking change for existing deployments being upgraded
  • vault-csi-provider service account now requires cluster-wide permission to create service account tokens
  • auth/kubernetes mounts in Vault will now need to bind ACL policies to the requesting pods'
    service accounts instead of the provider's service account.
  • spec.parameters.kubernetesServiceAccountPath is now ignored and will log a warning if set
• The provider now supports mTLS [GH-65]
  • spec.parameters.vaultCAPem is now ignored and will log a warning if set. This is a breaking change
  • spec.parameters.vaultTLSClientCertPath and spec.parameters.vaultTLSClientKeyPath are newly available options

IMPROVEMENTS

• The provider now uses the hashicorp/vault/api package to communicate with Vault [GH-61]
• --version flag will now print the version of Go used to build the provider [GH-62]
• CircleCI linting, tests and integration tests added [GH-60]

Release 0.0.7

CHANGES:

• Switch provider to gRPC. [GH-54]
  • Note this requires at least v0.0.14 of the driver, and the driver should have 'vault' included in --grpcSupportedProviders.
  • Existing installations being upgraded will also need to set the provider's service account as the one that can authenticate with Vault instead of the driver, as the Vault requests now happen in the provider container.

0.0.6

Set GOOS and GOARCH for Makefile build target (#52)
Enforce descending directory write path (#50)