Releases: kubernetes-sigs/secrets-store-csi-driver

v0.0.21

01 Apr 22:25
58c586d

Features 🌈

  • add helpers and tools to install proto utilities (#461, @tam7t)
  • optimization based on load test (#458, @aramase)
    • add filtered watch for reconcile
    • switch to using versioned clients for rotation
    • enable filtered secret watch with feature flag
    • create separate cache for nodepublishsecretref in rotation
    • ❗ Refer to Load tests for more details and actions to take.
  • connect to plugins at runtime instead of configuration (#462, @tam7t)
  • allow providers to have the driver write files (#481, @tam7t)

Bug Fixes 🐞

Documentation 📘

Testing 💚

Maintenance 🔧

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.20

19 Feb 02:28
777f28e

Features 🌈

  • enable 2004 builds for windows images (#439)
  • set secrets-store default container for log (#451)

Bug Fixes 🐞

  • set rsa key type for pkcs1 key (#448)

Documentation 📘

Testing 💚

  • Update e2e tests for gRPC Vault provider release (#431)
  • add image scan as part of CI (#441)

Helm 📈

  • Helm value for setting pod annotations (#440)
  • add podLabels parameter (#444)
  • add log verbosity for node-driver-registrar (#449)

Maintenance 🔧

  • update debian-base image to buster-v1.3.0 (#428)
  • add vault provider to grpc supported providers (#434)
  • remove host network (#437)
  • remove deprecated logic of invoking provider binary (#433)
  • update klog to v2.5.0 (#449)
  • increase cloudbuild timeout to 1h (#456)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.19

20 Jan 01:08
0ba9810

Warning ⚠️

  • With this release of the driver, the liveness-probe sidecar container image has been updated to v2.2.0. This version of the liveness-probe contains a fix for memory leak issues that were observed in previous versions. Update to the latest driver using helm or manifests to get the latest liveness-probe image.

Features 🌈

  • use common port for all metrics (#421)

Bug Fixes 🐞

Helm 📈

  • add support to set annotations (#412)
  • add providersDir (#409)

Maintenance 🔧

  • add azure provider to grpc supported providers (#417)
  • update PR template for chart updates (#419)
  • update node-driver-registrar and liveness-probe images (#424) ❗

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.18

11 Dec 01:17
efe288d

Features 🌈

  • best-effort cleanup socket (#387)
  • create target path in node publish (#383)
    • ❗ This is required for Kubernetes v1.20+. Older versions of the driver will not work with v1.20+.
  • Build and reuse provider grpc clients across mounts and reconciliation (#394)
  • add pprof profiling (#396)
  • csidriver object api version v1 (#402)

Bug Fixes 🐞

  • skip pods in succeeded or failed phase (#388)
  • set key type to rsa or ec (#393)
  • windows image build with buildx (#404)

Documentation 📘

  • add netlify book configuration (#360)
  • add mailing list url to readme (#381)
  • update doc link for azure tls sample (#391)
  • update install doc for crds to check (#400)

Testing 💚

  • Fix vault bats tests for v0.0.6 of the provider (#380)

Maintenance 🔧

  • add tam7t as reviewer (#397)
  • deploy: set namespace as kube-system (#386)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.17

10 Nov 22:14
b4ee95f

Warning ⚠️

  • CVE-2020-8568 (Medium): Secrets sync/rotate directory traversal. See #378 for more details.

Features 🌈

  • update deps and switch to klog (#365)

Bug Fixes 🐞

  • validate SPCPS targetPaths match Pod UIDs (#371)
  • handle pod termination during reconcile (#373)

Documentation 📘

  • add link to GCP provider (#348)
  • update demo in the readme (#363)

Testing 💚

  • gcp integration tests (#340)
  • add gosec linter and fix warnings (#352)
  • make tests more deterministic and retries (#359)

Helm 📈

  • Add priorityClassName to daemonsets (#337)
  • Allow the 'updateStrategy' of the Daemonset to be configured in Helm (#362)

Maintenance 🔧

  • add gcp as grpcSupportedProviders by default (#351)
  • Switch to using official images for containers (#358)
  • remove lifecycle prestop hook command (#366)
  • Update otel to 0.13.0 (#374)
  • Driver images are now hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.16

10 Oct 00:05
482ff2e

Warning ⚠️

  • The SecretProviderClass needs to be in the same namespace as the pod referencing it as of v0.0.12.
  • Defining driver configuration and provider-specific parameters to the CSI driver in pod.Spec[].Volumes has been deprecated in v0.0.12. It is now mandatory to use SecretProviderClass custom resource.

Bug Fixes 🐞

  • marshal secrets for non node publish secret ref (#339)

v0.0.15

08 Oct 00:18
7aec51d

Warning ⚠️

  • The SecretProviderClass needs to be in the same namespace as the pod referencing it as of v0.0.12.
  • Defining driver configuration and provider-specific parameters to the CSI driver in pod.Spec[].Volumes has been deprecated in v0.0.12. It is now mandatory to use SecretProviderClass custom resource.

Features 🌈

  • add rotation reconciler (#303)
  • add trimspace to sanitize yaml fields (#327)
  • add event recorder (#323)

Documentation 📘

  • add doc for new provider gRPC (#317)
  • add doc for auto rotation (#331)

Testing 💚

  • Add more unit tests for secrets-store pkg (#308)
  • update e2e helm install for grpc supported provider (#328)
  • add e2e tests for rotation with azure provider (#329)

Maintenance 🔧

  • remove unused PodUID field in secretproviderclasspodstatus (#325)
  • update default rotation poll interval to 2m (#326)
  • change health check port to 8095 (#332)

v0.0.14

17 Sep 20:22
594aad8

Warning ⚠️

  • The SecretProviderClass needs to be in the same namespace as the pod referencing it as of v0.0.12.
  • Defining driver configuration and provider-specific parameters to the CSI driver in pod.Spec[].Volumes has been deprecated in v0.0.12. It is now mandatory to use SecretProviderClass custom resource.

Features 🌈

  • gRPC support for driver-provider communication (#280)
  • add managed label to secret created by driver (#314)

Documentation 📘

  • update install doc for sync secret rbac (#306)
  • add known limitations docs (#311)

Testing 💚

  • update test for secret with multiple owner references (#309)

Helm 📈

  • set resource limits in deploy and charts (#312)
  • add option to set --grpc-supported-providers in helm charts (#312)

Maintenance 🔧

  • update crd apiversion to apiextensions.k8s.io/v1 (#313)

v0.0.13

19 Aug 01:18
3c1d909

Warning ⚠️

  • The SecretProviderClass needs to be in the same namespace as the pod referencing it as of v0.0.12.
  • Defining driver configuration and provider-specific parameters to the CSI driver in pod.Spec[].Volumes has been deprecated in v0.0.12. It is now mandatory to use SecretProviderClass custom resource.

Features 🌈

  • Add stripping sensitive information while logging the grpc request (#259)
  • attributes: pass csi.storage.k8s.io/serviceAccount.name (#267)
  • add preserveUnknownFields=false marker (#274)
  • Add metadata.label support for sync secret (#273)
  • rbac: move secrets sync to own role (secretprovidersyncing-role) (#266)

Bug Fixes 🐞

  • use namespace for spc lookup + unit tests (#264)

Documentation 📘

  • add release doc and targets (#258)
  • add release, go report, go version badge (#278)
  • Fixing links where files were moved to a new subdirectory (#283)

Testing 💚

  • check pod ready status before getting name (#270)
  • move tests to subdir for provider (#276)
  • add test for multiple secret provider class (#261)
  • remove az cli req (#284)

Helm 📈

  • add tolerations to helm charts (#262)
  • Move tolerations block inside OS conditional in helm chart (#272)
  • regenerate manifests to remove unused rbac permissions (#275)
  • make all images configurable (#260)
  • Add support for envs in helm chart (#279)
  • implement helm best practices, add recommended standard helm labels (#240)

Maintenance 🔧

  • update golangci-lint (#282)
  • Driver images are now hosted in GCR at us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver

v0.0.12

18 Jul 00:12
cfd0a12

Warning ⚠️

This release includes breaking changes:

  • The SecretProviderClass needs to be in the same namespace as the pod referencing it.
  • Defining driver configuration and provider-specific parameters to the CSI driver in pod.Spec[].Volumes has been deprecated. It is now mandatory to use SecretProviderClass custom resource.

Features 🌈

  • Use controller to reconcile k8s secrets (#224)

Bug Fixes 🐞

  • set context for provider binary calls (#238)

Documentation 📘

  • add docs for ingress tls with vault (#212)
  • add note about community call (#244)
  • Update community meeting (#250)

Testing 💚

  • update azure key tests for latest release 0.0.6 (#213)
  • Update and fix e2e-vault (#234)

Helm 📈

  • update node selector and make it configurable (#232)

Maintenance 🔧

  • Adds image automated build (#189)
  • set DOCKER_CLI_EXPERIMENTAL in makefile (#218)
  • Switch from manifest-tool to docker manifest (#225)
  • update to livenessprobe v2.0.0 (#248)
  • Driver images are now hosted in GCR at us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver