Releases: jetstack/jetstack-secure
Releases · jetstack/jetstack-secure
v1.1.0
- The agent now reports the annotations and labels of namespaces and secrets. (#581, #582)
- The agent now exposes readiness and liveness probes. (#580)
- In Venafi Cloud Key Pair Service Account mode, you can now omit the
server
field in the configuration file. It defaults to the URLhttps://api.venafi.cloud
. If you are in the european region, you still need to setserver: https://api.venafi.eu
field in the configuration file. (#575)
- It is now possible to use the
--period
flag without also giving theperiod
field. (#575) - Helm chart values are now validated to alert you if they contain errors to help you quickly identify typos in fields. (#556)
- The "unauthenticated mode" has been removed as it made it hard to diagnose mismatched authentication flags. For example, using
--venafi-cloud
without--credentials-file
/-k
used to not show any error and the Agent would happily start. Now, if you don't provide the right set of authentication flags, the Agent will show a helpful message explaining how the authentication flags can be used. (#575) - The
--help
has been re-written to help understanding how authentication flags interact with each other. (#575) - You can no longer use
--private-key-path
along with--credentials-path
. Previously,--private-key-path
would be ignored if--credentials-path
was provided. Now, the two options are mutually exclusive and a helpful message is shown when trying to use both. (#575) - The flag
--private-key-path
now defaults to the empty string. It previously defaulted to/etc/venafi/agent/key/privatekey.pem
and the flag was omitted from the deployment manifest, which was confusing to users trying to understand how this private key was being configured. A helpful message is now shown when trying to run--client-id
without--private-key-path
. (#575) - The field
uploader_id
in the configuration file is deprecated. Setting this field will no longer do anything. A warning is now shown when using this field. The reason this field was deprecated is that it was never used by the Venafi Cloud API. Behind the scenes, theuploader_id
is arbitrarily set tono
so that the API doesn't complain. (#575) - The binary's size has been reduced from 72 MB down to 55 MB. (#556)
- The Docker image is now built using cert-manager's base image based on apko's alpine image using
ko
. As a result, the binary's location in the image is now located at/ko-app/preflight
instead of/bin/preflight
. (#556)
v1.1.0-alpha.0
What's Changed
- The agent now reports the annotations and labels of namespaces and secrets. (#581, #582)
- The agent now exposes readiness and liveness probes. (#580)
- In Venafi Cloud Key Pair Service Account mode, you can now omit the
server
field in the configuration file. It defaults to the URLhttps://api.venafi.cloud
. If you are in the european region, you still need to setserver: https://api.venafi.eu
field in the configuration file. (#575)
- It is now possible to use the
--period
flag without also giving theperiod
field. (#575) - Helm chart values are now validated to alert you if they contain errors to help you quickly identify typos in fields. (#556)
- The "unauthenticated mode" has been removed as it made it hard to diagnose mismatched authentication flags. For example, using
--venafi-cloud
without--credentials-file
/-k
used to not show any error and the Agent would happily start. Now, if you don't provide the right set of authentication flags, the Agent will show a helpful message explaining how the authentication flags can be used. (#575) - The
--help
has been re-written to help understanding how authentication flags interact with each other. (#575) - You can no longer use
--private-key-path
along with--credentials-path
. Previously,--private-key-path
would be ignored if--credentials-path
was provided. Now, the two options are mutually exclusive and a helpful message is shown when trying to use both. (#575) - The flag
--private-key-path
now defaults to the empty string. It previously defaulted to/etc/venafi/agent/key/privatekey.pem
and the flag was omitted from the deployment manifest, which was confusing to users trying to understand how this private key was being configured. A helpful message is now shown when trying to run--client-id
without--private-key-path
. (#575) - The field
uploader_id
in the configuration file is deprecated. Setting this field will no longer do anything. A warning is now shown when using this field. The reason this field was deprecated is that it was never used by the Venafi Cloud API. Behind the scenes, theuploader_id
is arbitrarily set tono
so that the API doesn't complain. (#575) - The binary's size has been reduced from 72 MB down to 55 MB. (#556)
- The Docker image is now built using cert-manager's base image based on apko's alpine image using
ko
. As a result, the binary's location in the image is now located at/ko-app/preflight
instead of/bin/preflight
. (#556)
Full Changelog: v1.0.0...v1.1.0-alpha.0
v1.0.0
What's Changed
- You can now use the VenafiConnection CRD to authenticate to Venafi Control Plane. With the VenafiConnection CRD, you can choose to authenticate using a Workload Identity Federation service account ("secretless"). (#552, #559)
- The memory usage of Venafi Kubernetes Agent has been reduced by excluding Helm release Secrets and some standard Secret types. You can configure the ignored types with the Helm value
config.ignoredSecretTypes
. (#554) - The configuration manifest is no longer dumped on startup, uncluttering the logs. (#564)
New Contributors
Full Changelog: v0.1.49...v1.0.0
v0.1.49
What's Changed
- An error preventing the Venafi Kubernetes Agent deployment on Red Hat OpenShift clusters has been resolved. The error "runAsUser: Invalid value: 1000" is no longer encountered. By @ThatsMrTalbot in #546
- You no longer have to scroll up in the logs to find out why the agent pod has crashed. The last log line before the process exits now shows the reason for giving up. By @james-w in #537
- The Helm chart
venafi-kubernetes-agent
has been improved:- When a proxy for outbound connections to
api.venafi.cloud
orapi.venafi.eu
is required, and the proxy uses a certificate issued by a private certificate authority, you can now add the certificate authority to a custom CA bundle that will be trusted by the agent. The Helm chart now supports specifying volumes and volume mounts to streamline this process. By @maelvls in #543 - The Helm chart has been enhanced to allow users to control the metrics settings. For more information, see the {{ven}} {{k8s}} Agent Helm values reference page. By @wallrj in #544
- Following best practices, the default CPU limit for the Venafi Kubernetes Agent pod has been removed. This allows for more dynamic resource allocation by Kubernetes. By @wallrj in #539
- When a proxy for outbound connections to
- The Helm chart for
jetstack-secure
has also been improved:- You can now set
volumes
andvolumeMounts
when using the jetstack-agent Helm chart. By @hawksight in #540 - The
jetstack-secure
Helm chart version has been bumped to 0.4.0. By @hawksight in #542
- You can now set
New Contributors
- @james-w made their first contribution in #537
- @ThatsMrTalbot made their first contribution in #546
Full Changelog: v0.1.48...v0.1.49
v0.1.48
v0.1.47
What's Changed
- Helm: the namespace was missing in the configmap, deployment, and serviceaccount templates by @maelvls in #526
- fix/vc-31703-agent-memory-startup-spikes by @mol-george in #525
- chore: Update the chart to 0.1.47 by @tfadeyi in #527
New Contributors
Full Changelog: v0.1.46...v0.1.47
v0.1.46
What's Changed
- feat(helm): Add PodDisruptionBudget option to helm chart by @SgtCoDFish in #516
- Use agent image in the venafi repository by @tfadeyi in #517
- Add missing labels for VEI clusterrole / binding by @SgtCoDFish in #521
- Update helm chart version by @tfadeyi in #522
New Contributors
- @SgtCoDFish made their first contribution in #516
Full Changelog: v0.1.45...v0.1.46
v0.1.45
v0.1.44
What's Changed
Features
- Chart compatible with TLSPK VCP auth by @hawksight in #466
- [VC-28877] Publish venafi kubernetes agent chart by @wallrj in #471
- feat(client): Allow agent to send cluster description by @tfadeyi in #508
- update agent config to upload firefly by @mol-george in #507
Dependencies
- chore: Update agent version to latest by @hawksight in #470
- chore(go): Update golang version by @tfadeyi in #509
- build(deps): bump golang from 1.19.0 to 1.21.6 by @dependabot in #497
- build(deps): bump sigstore/cosign-installer from 9becc617647dfa20ae7b1151972e9b3a2c338a2b to a5d81fb6bdbcbb3d239e864d6552820420254494 by @dependabot in #462
- build(deps): bump anchore/sbom-action from 0.14.1 to 0.15.0 by @dependabot in #473
- build(deps): bump sigstore/cosign-installer from a5d81fb6bdbcbb3d239e864d6552820420254494 to 1fc5bd396d372bee37d608f955b336615edf79c8 by @dependabot in #474
- build(deps): bump docker/setup-qemu-action from 1 to 3 by @dependabot in #476
- build(deps): bump docker/login-action from 2 to 3 by @dependabot in #477
- build(deps): bump actions/checkout from 3 to 4 by @dependabot in #475
- build(deps): bump docker/setup-buildx-action from 1 to 3 by @dependabot in #478
- build(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 by @dependabot in #479
- build(deps): bump github.com/fatih/color from 1.15.0 to 1.16.0 by @dependabot in #481
- build(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 by @dependabot in #482
- build(deps): bump philips-labs/SLSA-Provenance-Action from 0.8.0 to 0.9.0 by @dependabot in #489
- build(deps): bump github.com/google/uuid from 1.3.1 to 1.6.0 by @dependabot in #504
- build(deps): bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 by @dependabot in #495
- build(deps): bump github.com/maxatome/go-testdeep from 1.13.0 to 1.14.0 by @dependabot in #494
Full Changelog: v0.1.43...v0.1.44
v0.1.43
What's Changed
- Update dependencies to latest compatible version by @j-fuentes in #469
Full Changelog: v0.1.42...v0.1.43