Minor release to provide smaller Vault Sidecar Injector image and new default Vault image to fix CVE-2021-32923 (refer to HashiCorp Vault's changelog).

Changed

• VSI #53 - Rework Dockerfile to reduce image size
• VSI #52 - Update HashiCorp Vault image to 1.6.5

This release comes with support for admission.k8s.io/v1 AdmissionReview and admissionregistration.k8s.io/v1 MutatingWebhookConfiguration on Kubernetes 1.16+. As a result, Vault Sidecar Injector now handles both v1 and v1beta1 versions of those resources.

Note that admission.k8s.io/v1beta1 AdmissionReview and admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration should not be supported (nor available) anymore on Kubernetes 1.22+

Changed

• VSI #48 - Minor chart updates (adjust CPU & memory for injected containers, add checks during chart install)
• VSI #51 - Update base image to CentOS 7.9.2009

Added

• VSI #49 - Add support for admission.k8s.io/v1 AdmissionReview and admissionregistration.k8s.io/v1 MutatingWebhookConfiguration (in addition to v1beta1)

Fixed

• VSI #45 - Do not inject sidecars if only job and secrets modes are enabled and secrets type is "static"

A new sidecar.vault.talend.org/vault-image annotation has been added to override the default injected image. Refer to the samples for a working example.

The default Vault image has been bumped to version 1.6.2.

Changed

• VSI #44 - Update HashiCorp Vault image to 1.6.2

Added

• VSI #43 - New annotation to allow injection of custom Vault image

Changed

• VSI #40 - Update doc references to Helm Hub (now Artifact Hub)

Added

• VSI #41 - New configuration value to set Vault Agent log format

Minor release with new default Vault image to address several security issues in HashiCorp Vault (CVE-2020-25816, CVE-2020-16250, CVE-2020-16251, CVE-2020-17455).

Note that provided chart now requires Helm v3.

Changed

• VSI #34 - Documentation improvements
• VSI #36 - Update HashiCorp Vault image to 1.5.4
• VSI #37 - Update base image to CentOS 7.8.2003
• VSI #38 - Migrate chart to Helm v3
• VSI #39 - Code refactoring

New with this release: Vault secrets can now be injected right into environment variables. Only static secrets are supported at the moment. Along with this feature, the secrets volumeMount is now automatically injected in your containers if not already defined (as it was the case with the secrets volume).

Default Vault image is now set to 1.4.2 to fix several CVEs (CVE-2020-13223, CVE-2020-12757: see HashiCorp's CHANGELOG).

Finally, the webhook certificates are no more generated using the Kubernetes Certificates API. The certificates and associated private key are now either generated by code or read from a Kubernetes Secret you provide. Refer to the updated documentation for details.

Changed

• VSI #29 - Update HashiCorp Vault image to 1.4.2
• VSI #30 - Webhook certificates generated by code or provided
• VSI #31 - Migrate to Golang 1.14

Added

• VSI #32 - Inject secrets in env vars. Feature announcement here.

This release fixes VSI deployment on Kubernetes 1.18+ clusters. It also comes with better AppRole integration and updated Vault image.

Changed

• VSI #27 - Update HashiCorp Vault image to 1.4.1

Added

• VSI #26 - Improve AppRole support: add tests, enforce check over secrets type, tune Vault Agent config

Fixed

• VSI #25 - Fix RBAC following breaking change in Kubernetes 1.18 Certificates API. See also associated PR 86476 & 86933.

This is a minor release to update Vault image to 1.3.4 by default (CVE fixes, see details here) and enable offline builds by vendoring dependencies (use make build OFFLINE=true).

Changed

• VSI #23 - Update HashiCorp Vault image (CVE fixes)

Added

• VSI #24 - Vendoring

This is a major release introducing new features and complete code refactoring for clear isolation of modes.

Highlights:

• New Static Secrets feature, part of secrets mode (now supporting both dynamic and static secrets)
• Kubernetes Jobs are now handled as a Vault Sidecar Injector mode. Annotation sidecar.vault.talend.org/workload is still supported but deprecated: make use of sidecar.vault.talend.org/mode to enable job mode
• HashiCorp Vault image updated to 1.3.2

Added

• VSI #20 - Static secrets. Feature announcement here.