Features:
- Add support for syncing HVS rotating secrets: GH-893 GH-889
- Add support for syncing HVS dynamic secrets: GH-917 GH-939 GH-934 GH-941
Fix:
- VC: update
spec.timeout
to be a string: GH-906
Improvements:
Build:
- Upgrade controller-gen to 0.16.3: GH-944
- SEC-090: Automated trusted workflow pinning (2024-08-13): GH-888
- SEC-090: Automated trusted workflow pinning (2024-08-19): GH-897
- SEC-090: Automated trusted workflow pinning (2024-09-30): GH-937
- Use dependabot groups for Go deps: GH-924
- Conform to IPS-002: GH-947
Dependency Updates:
- Bump the gomod-backward-compatible group across 1 directory with 14 updates: GH-943
- Bump golang.org/x/crypto from 0.27.0 to 0.28.0 in the gomod-backward-compatible group: GH-945
- Bump ubi9/ubi-micro from 9.4-13 to 9.4-15: GH-904
- Bump ubi9/ubi-minimal from 9.4-1227.1725849298 to 9.4-1227.1726694542: GH-930
Improvements:
- Log build info on startup: GH-872
- API: Support setting the Vault request timeout on a VaultConnection: GH-862
Fix:
- Fix: encryption client deadlocking the factory: GH-868
- Helm(hooks): honor imagePullPolicy and imagePullSecrets: GH-873
Build:
- SEC-090: Automated trusted workflow pinning (2024-07-22): GH-866
- SEC-090: Automated trusted workflow pinning (2024-07-17): GH-859
Dependency Updates:
- Bump github.com/onsi/gomega from 1.33.1 to 1.34.0: GH-874
- Bump google.golang.org/api from 0.188.0 to 0.189.0: GH-875
- Bump k8s.io/apiextensions-apiserver from 0.30.2 to 0.30.3: GH-864
- Bump k8s.io/client-go from 0.30.2 to 0.30.3: GH-865
- Bump ubi9/ubi-micro from 9.4-9 to 9.4-13: GH-870
- Bump ubi9/ubi-minimal from 9.4-1134 to 9.4-1194: GH-869
Important
-
Helm: CRD schema changes are now automatically applied at upgrade time.
See updating-crds for more details.
-
This release contains CRD schema changes which remove the field validation on most VaultAuth spec fields. That means invalid VaultAuth configurations will no longer be handled at resource application time. Please review the VSO logs and K8s events when troubleshooting Vault authentication issues.
Features:
- Helm: add support for auto upgrading CRDs: GH-789
- VaultStaticSecret: support instant event-driven updates: GH-771
- Add new VaultAuthGlobal type for shared VaultAuth configurations: GH-735 GH-800 GH-847 GH-855 GH-850
- CachingClientFactory: support client taints to trigger Vault client token validation: GH-717 GH-769
Improvements:
- VPS: add ca.crt from issuing CA for tls secret type: GH-848
- Helm: support setting VaultAuthGlobalRef on VaultAuth: GH-851
- Migrate to k8s.io/utils/ptr: GH-856
- Core: update backoff option docs: GH-801
Fix:
- VaultAuth: set valid status on VaultAuthGlobal deref error: GH-854
- VDS: properly handle the clone cache key variant during client callback execution: GH-835
- Core: delete resource status metrics upon object deletion: GH-815
- VSS: use a constant backoff on some reconciliation errors: GH-811
- VDS: work around Vault DB static creds TTL rollover bug: GH-730
Build:
- CI: bump Vault versions: GH-797
Dependency Updates:
- Bump cloud.google.com/go/compute/metadata from 0.4.0 to 0.5.0: GH-853
- Bump github.com/gruntwork-io/terratest from 0.46.16 to 0.47.0: GH-852
- Bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5: GH-834
- Bump github.com/hashicorp/go-retryablehttp from 0.7.1 to 0.7.7: GH-833
- Bump github.com/hashicorp/go-version from 1.6.0 to 1.7.0: GH-810
- Bump golang.org/x/crypto from 0.24.0 to 0.25.0: GH-843
- Bump google.golang.org/api from 0.186.0 to 0.188.0: GH-846
- Bump google.golang.org/grpc from 1.64.0 to 1.64.1: GH-845
- Bump k8s.io/api from 0.30.1 to 0.30.2: GH-822
- Bump k8s.io/apiextensions-apiserver from 0.30.1 to 0.30.2: GH-828
- Bump k8s.io/client-go from 0.30.1 to 0.30.2: GH-830
- Bump sigs.k8s.io/controller-runtime from 0.18.3 to 0.18.4: GH-808
- Bump ubi9/ubi-micro from 9.4-6.1716471860 to 9.4-9: GH-819
- Bump ubi9/ubi-minimal from 9.4-949.1717074713 to 9.4-1134: GH-820
Fix:
- Helm: fix invalid value name for telemetry.serviceMonitor.enabled (#786): GH-790
Important: this release contains CRD schema changes that must be applied manually when deploying VSO with Helm. Please see updating-crds for more details.
Behavioral changes:
- Core: Controller logs are now JSON encoded by default.
Features:
- Core: support argo.Rollout as a rolloutRestartTarget for all secret type custom resources: GH-702
- Helm: add support for cluster role aggregates: GH-752
- Helm: adds values for setting VSO logging options: GH-778
- Helm: add support for configuring strategy on controller deployment : GH-709
Improvements:
- CachingClientFactory: lock by client cache key: GH-716
- Transformations: add support for the htpasswd Sprig function: GH-708
- VPS: skip overwriting tls.crt and tls.key whenever transformation templates are configured: GH-659
- Core: Use exponential backoff on secret source errors: GH-732
Fix:
- Core: call VDS callbacks on VaultAuth and VaultConnection changes: GH-739
- Core: skip LifetimeWatcher validation for non-renewable auth tokens: GH-722
- Core: disable development logger mode by default: GH-751
- VSS: that spec.hmacSecretData's value is honoured: GH-753
- VDS: Selectively log calls to SyncRegistry.Delete(): GH-718
Build:
Dependency Updates:
- Bump TF provider versions: GH-737
- Bump github.com/go-logr/logr from 1.4.1 to 1.4.2: GH-775
- Bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.4: GH-711
- Bump github.com/hashicorp/vault/api from 1.12.2 to 1.13.0: GH-725
- Bump github.com/hashicorp/vault/sdk from 0.12.0 to 0.13.0: GH-773
- Bump github.com/onsi/gomega from 1.33.0 to 1.33.1: GH-727
- Bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1: GH-741
- Bump golang.org/x/crypto from 0.22.0 to 0.23.0: GH-744
- Bump google.golang.org/api from 0.176.1 to 0.177.0: GH-724
- Bump google.golang.org/api from 0.180.0 to 0.181.0: GH-758
- Bump k8s.io/api from 0.30.0 to 0.30.1: GH-761
- Bump k8s.io/client-go from 0.30.0 to 0.30.1: GH-760
- Bump sigs.k8s.io/controller-runtime from 0.18.2 to 0.18.3: GH-772
- Bump ubi9/ubi-micro from 9.3-15 to 9.4-6: GH-719
- Bump ubi9/ubi-minimal from 9.4-949 to 9.4-949.1714662671: GH-728
Fix:
- VDS: reconcile instances on lifetimeWatcher done events and other Vault client rotation events: GH-665
Improvements:
- Core: no longer restore all clients from storage: GH-684
- Helm: lower min k8s version to 1.21: GH-656
Build:
- Upgrade to go 1.22.2: GH-683
- CI: fix tests in GKE: GH-675
- OLM: remove the
skips
from the last release: GH-703
Dependency Updates:
- Bump github.com/cenkalti/backoff/v4 from 4.2.1 to 4.3.0: GH-673
- Bump github.com/gruntwork-io/terratest from 0.46.11 to 0.46.13: GH-669
- Bump github.com/hashicorp/go-hclog from 1.6.2 to 1.6.3: GH-679
- Bump github.com/hashicorp/vault/api from 1.12.1 to 1.12.2: GH-667
- Bump github.com/hashicorp/vault/sdk from 0.11.1 to 0.12.0: GH-687
- Bump github.com/onsi/gomega from 1.32.0 to 1.33.0: GH-696
- Bump github.com/prometheus/client_model from 0.6.0 to 0.6.1: GH-678
- Bump google.golang.org/api from 0.171.0 to 0.172.0: GH-672
- Bump k8s.io/client-go from 0.29.2 to 0.29.3: GH-660
- Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3: GH-688
Improvements:
- VDS: support configuring an explicit sync delay for non-renewable leases without an explicit TTL: GH-641
- OLM: add newly required ClusterServiceVersion annotations: GH-628
- Helm: mention global transformation option env variable: GH-626
Fix:
- API: make some required bool parameters optional: GH-650
- VDS: make rotationSchedule status field optional: GH-621
- VPS: return an error when the PKI secret is nil: GH-636
- Core: ensure VaultConnection headers are set on the vault client: GH-629
Build:
- Use Go 1.21.8: GH-651
Dependency Updates:
- Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3: GH-646
- Bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0: GH-648
- Bump github.com/go-openapi/strfmt from 0.22.1 to 0.23.0: GH-649
- Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0: GH-634
- Bump github.com/stretchr/testify from 1.8.4 to 1.9.0: GH-633
- Bump google.golang.org/api from 0.167.0 to 0.169.0: GH-647
- Bump google.golang.org/protobuf from 1.32.0 to 1.33.0: GH-642
- Bump sigs.k8s.io/controller-runtime from 0.17.1 to 0.17.2: GH-625
- Bump ubi9/ubi-micro from 9.3-13 to 9.3-15: GH-640
- Bump ubi9/ubi-minimal from 9.3-1552 to 9.3-1612: GH-639
Fix:
- Sync: mitigate potential schema validation failures by only adding finalizers after a status update: GH-609
Dependency Updates:
- Bump github.com/prometheus/client_model from 0.5.0 to 0.6.0: GH-613
- Bump google.golang.org/api from 0.163.0 to 0.165.0: GH-614
- Bump k8s.io/api from 0.29.1 to 0.29.2: GH-612
- Bump k8s.io/apimachinery from 0.29.1 to 0.29.2: GH-615
- Bump k8s.io/client-go from 0.29.1 to 0.29.2: GH-611
KNOWN ISSUES:
- Upgrades via OperatorHub may fail due to some new required fields in VaultConnection and the Secret types as described in GH-631
Features:
- Sync: add support for secret data transformation: GH-437
Improvements:
- Core: set CLI options from VSO_ environment variables: GH-551
- Sync: Reconcile on secret deletion: GH-587
- Sync: support excluding _raw from the destination: GH-546
- Sync: take ownership of an existing destination secret: GH-545
- Sync: add support for userIDs in VaultPKISecret: GH-552
- OLM: set OLM bundle to "Seamless Upgrades": GH-581
- Helm: add annotations to the cleanup job: GH-284
- Helm: support setting imagePullPolicy: GH-601
- Helm: support setting VaultAuth allowedNamespaces: GH-602
Fix:
- Sync: sync HCPVaultSecretsApp on lastGeneration change: GH-591
- Sync: properly handle secret type changes: GH-605
Build:
- Install the operator-sdk CLI and check
sdk-generate
in CI: GH-590 - Bump some GH action versions: GH-583
Dependency Updates:
- Bump github.com/go-openapi/runtime from 0.26.2 to 0.27.1: GH-572
- Bump github.com/google/uuid from 1.5.0 to 1.6.0: GH-570
- Bump github.com/gruntwork-io/terratest from 0.46.8 to 0.46.11: GH-550
- Bump github.com/hashicorp/go-secure-stdlib/awsutil from 0.2.3-0.20230606170242-1a4b95565d57 to 0.3.0: GH-579
- Bump github.com/hashicorp/vault/api from 1.11.0 to 1.12.0: GH-595
- Bump github.com/hashicorp/vault/sdk from 0.10.2 to 0.11.0: GH-596
- Bump github.com/onsi/gomega from 1.30.0 to 1.31.1: GH-558
- Bump google.golang.org/api from 0.161.0 to 0.163.0: GH-594
- Bump k8s.io/api from 0.29.0 to 0.29.1: GH-556
- Bump k8s.io/client-go from 0.29.0 to 0.29.1: GH-554
- Bump sigs.k8s.io/controller-runtime from 0.17.0 to 0.17.1: GH-597
- Bump ubi9/ubi-micro from 9.3-9 to 9.3-13: GH-566
- Bump ubi9/ubi-minimal from 9.3-1475 to 9.3-1552: GH-565
Fix:
- Helm: rename and truncate the pre-delete cleanup job to 63 characters: GH-506
- VDS: remediate deleted destination secret: GH-532
- Update paused deployment error message: GH-528
- VC: provide default value for spec.skipTLSVerify: GH-527
- CCS: ensure invalid storage objects are deleted: GH-525
- VDS: Log and record Vault request failures: GH-508
- VPS: Sync on any update: GH-479
Dependency Updates:
- update go version to fix CVE-2023-45284,CVE-2023-39326,CVE-2023-48795: GH-541
- Bump google.golang.org/api from 0.154.0 to 0.155.0: GH-542
- Bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0: GH-540
- Bump github.com/go-openapi/strfmt from 0.21.9 to 0.22.0: GH-539
- Bump github.com/go-logr/logr from 1.3.0 to 1.4.1: GH-536
- Bump golang.org/x/crypto from 0.16.0 to 0.17.0: GH-524
- Bump k8s.io/client-go from 0.28.4 to 0.29.0: GH-523
- Bump google.golang.org/api from 0.153.0 to 0.154.0: GH-522
- Bump github.com/hashicorp/go-hclog from 1.6.1 to 1.6.2: GH-521
- Bump github.com/google/uuid from 1.4.0 to 1.5.0: GH-520
- Bump ubi9/ubi-minimal from 9.3-1361.1699548032 to 9.3-1475: GH-516
- Bump ubi9/ubi-micro from 9.3-6 to 9.3-9: GH-515
- Bump github.com/go-openapi/strfmt from 0.21.8 to 0.21.9: GH-514
- Bump github.com/hashicorp/go-hclog from 1.5.0 to 1.6.1: GH-513
- Bump github.com/go-openapi/runtime from 0.26.0 to 0.26.2: GH-512
- Bump github.com/gruntwork-io/terratest from 0.46.6 to 0.46.8: GH-497
- Bump google.golang.org/api from 0.152.0 to 0.153.0: GH-496
Fix:
- Include viewer and editor RBAC roles in the chart: GH-501
- Build: image/ubi: add separate target and build job for RedHat: GH-503
Dependency Updates:
- Bump github.com/go-openapi/strfmt from 0.21.7 to 0.21.8: GH-490
- Bump google.golang.org/api from 0.151.0 to 0.152.0: GH-489
Improvements:
- Manager: setting
controller.manager.maxConcurrentReconciles
now applies to all Syncable Secret controllers. The previous flag for the manager--max-concurrent-reconciles-vds
is now deprecated and replaced by--max-concurrent-reconciles
which applies to all controllers. GH-483
Fix:
- Helm: prefix all helper functions with
vso
to avoid subchart name collisions: GH-487 - VSS: Ensure all resource updates are synced: GH-492
- VDS: Fix compute static-creds rotation horizon: GH-488
Dependency Updates:
- Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1: GH-475
- Bump google.golang.org/api from 0.150.0 to 0.151.0: GH-470
- Bump k8s.io/client-go from 0.28.3 to 0.28.4: GH-469
Features:
- VaultAuth: Support for the GCP authentication method when using GKE workload identity: GH-411
- VDS: Support rotation for non-renewable secrets: GH-397
Fix:
- Remove unneeded instantiation of the VSO ConfigMap watcher: GH-446
- VDS: Correctly compute the lease renewal horizon after a new VSO leader has been elected and the lease is still within its renewal window: GH-397
Dependency Updates:
- Upgrade kube-rbac-proxy to v0.15.0: GH-458
- Bump github.com/onsi/gomega from 1.29.0 to 1.30.0: GH-456
- Bump github.com/gruntwork-io/terratest from 0.46.5 to 0.46.6: GH-455
- Bump google.golang.org/api from 0.149.0 to 0.150.0: GH-454
- Bump ubi9/ubi-minimal from 9.2-750.1697625013 to 9.3-1361.1699548032: GH-444 GH-460
- Bump ubi9/ubi-micro from 9.2-15.1696515526 to 9.3-6: GH-443
- Bump github.com/gruntwork-io/terratest from 0.46.1 to 0.46.5: GH-440
- Bump google.golang.org/api from 0.148.0 to 0.149.0: GH-439
- Bump github.com/go-logr/logr from 1.2.4 to 1.3.0: GH-435
- Bump github.com/google/uuid from 1.3.1 to 1.4.0: GH-434
- Bump github.com/onsi/gomega from 1.28.1 to 1.29.0: GH-433
- Bump google.golang.org/grpc from 1.57.0 to 1.57.1: GH-428
- Bump k8s.io/apimachinery from 0.28.2 to 0.28.3: GH-421
- Bump github.com/onsi/gomega from 1.28.0 to 1.28.1: GH-420
- Bump k8s.io/api from 0.28.2 to 0.28.3: GH-419
- Bump github.com/gruntwork-io/terratest from 0.46.0 to 0.46.1: GH-418
- Bump sigs.k8s.io/controller-runtime from 0.16.2 to 0.16.3: GH-417
Fix:
- UBI image: Include the tls-ca-bundle.pem from ubi-minimal: GH-415
Fix:
- Important security update to address some Golang vulnerabilities GH-414
Dependency Updates:
- Upgrade kube-rbac-proxy to v0.14.4 for CVE-2023-39325 GH-414
- Bump to Go 1.21.3 for CVE-2023-39325: GH-408
- Bump github.com/hashicorp/vault/sdk from 0.10.0 to 0.10.2: GH-410
- Bump github.com/gruntwork-io/terratest from 0.45.0 to 0.46.0: GH-409
- Bump golang.org/x/net from 0.14.0 to 0.17.0: GH-407
Fix:
- Handle invalid Client race after restoration: GH-400
Dependency Updates:
- Bump ubi9/ubi-micro from 9.2-15 to 9.2-15.1696515526: GH-404
- Bump github.com/hashicorp/hcp-sdk-go from 0.64.0 to 0.65.0: GH-403
- Bump github.com/gruntwork-io/terratest from 0.44.0 to 0.45.0: GH-402
- Bump github.com/prometheus/client_model from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0: GH-401
- Bump github.com/go-openapi/runtime from 0.25.0 to 0.26.0: GH-394
- Bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0: GH-393
- Bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7: GH-392
- Bump github.com/onsi/gomega from 1.27.10 to 1.28.0: GH-391
- Bump github.com/hashicorp/hcp-sdk-go from 0.63.0 to 0.64.0: GH-390
Fix:
- Helm: bump the chart version and default tags to 0.3.1: GH-386
Improvements:
- VDS: Support for DB schedule-based static role rotations: GH-369
- HVS: Rename servicePrinciple data key clientKey to clientSecret: GH-368
- HVS: Include User-Agent and requester HTTP request headers.: GH-382
- HVS: Add validation for spec.refreshAfter and min constraints: GH-376
- Helm: Add support for affinity and hostAliases: GH-343
- Helm: Add the ability to specify a security context to the deployment: GH-289
Features:
- Add support for syncing HCP Vault Secrets: GH-315
Revert:
Improvements:
- Add support for HCP Vault Secrets: GH-315
- Add new HCPVaultSecretsApp CRD and Controller: GH-314
- Add new HCPAuth CRD and Controller: GH-313
- Optionally revoke and purge all cached vault clients upon Operator deployment deletion: GH-202
Improvements:
- Helm:
controller.imagePullSecrets
stanza is added to provide imagePullSecrets to the controller's containers via the serviceAccount: GH-266 - Helm:
controller.manager.resources
values now also apply to the pre-delete-controller-cleanup-job. GH-280 - Helm: Adding nodeselector and tolerations to deployment: GH-272
- Helm: Add extraLabels to deployment: #281
- Add K8s namespace support to VaultAuthRef and VaultConnectionRef: (#291)
Changes:
- Helm: Update default kube-rbac-proxy container image in helm chart from
v0.11.0
tov0.14.1
: GH-267 - Added Vault 1.14 and removed 1.11 from CI testing GH-324
- K8s versions tested are now 1.23-1.27 GH-324
- UBI-based images now built and published with releases: GH-288
- Updated the license from MPL to Business Source License: GH-321
Bugs:
- VaultStaticSecrets (VSS): fix issue where the response error was not being set: GH-301
Improvements:
- VaultPKISecrets (VPS): Include the CA chain (sans root) in 'tls.crt' when the destination secret type is "kubernetes.io/tls": GH-256
Changes:
- Helm: Breaking Change Fix typos in values.yaml that incorrectly referenced
approle
roleid
andsecretName
which should beappRole
roleId
andsecretRef
respectively underdefaultAuthMethod
andcontroller.manager.clientCache.storageEncryption
: GH-257
Features:
- Helm: Support optionally deploying the Prometheus ServiceMonitor: GH-227
- Helm: Breaking Change: Adds support for additional Auth Methods in the Transit auth method template: GH-226
To migrate, set Kubernetes specific auth method configuration under
controller.manager.clientCache.storageEncryption
using the new stanzacontroller.manager.clientCache.storageEncryption.kubernetes
. - VaultAuth: Adds support for the AWS authentication method, which can use an IRSA service account, static credentials in a Kubernetes secret, or the underlying node role/instance profile for authentication: GH-235
- Helm: Add AWS to defaultAuth and storageEncryption auth: GH-247
Improvements:
- Core: Extend vault Client validation checks to handle failed renewals: GH-171
- VaultDynamicSecrets: Add support for synchronizing static-creds: GH-239
- VDS: add support for drift detection for static-creds: GH-244
- Helm: Make defaultVaultConnection.headers a map: GH-249
Build:
- Update to go 1.20.5: GH-248
- CI: Testing VSO in Azure K8s Service (AKS): GH-218
- CI: Updating tests for VSO in EKS: GH-219
Changes:
- API: Bump version from v1alpha1 to v1beta1 Breaking Change: GH-251
- VaultStaticSecrets (VSS): Breaking Change: Replace
Spec.Name
withSpec.Path
: GH-240 - VaultPKISecrets (VPS): Breaking Change: Replace
Spec.Name
withSpec.Role
: GH-233 - Helm chart: the Transit auth method kubernetes specific configuration in
controller.manager.clientCache.storageEncryption
has been moved tocontroller.manager.clientCache.storageEncryption.kubernetes
.
Bugs:
- Helm: fix deployment templating so setting
controller.kubernetesClusterDomain
works as defined in values.yaml: GH-183 - Helm: Add
vaultConnectionRef
tocontroller.manager.clientCache.storageEncryption
for transit auth method configuration and provide a default value which uses thedefault
vaultConnection. GH-201 - VaultPKISecret (VPS): Ensure
Spec.AltNames
, andSpec.IPSans
are properly formatted for the Vault request: GH-130 - VaultPKISecret (VPS): Make
Spec.OtherSANS
a string slice (breaking change): GH-190 - VaultConnection (VC): Ensure
Spec.CACertSecretRef
is relative to the connection's Namespace: GH-195
Features:
- VaultDynamicSecrets (VDS): CRD is extended with
Revoke
field which will result in the dynamic secret lease being revoked on CR deletion. Note: The VaultAuthMethod referenced by the VDS Secret must have a policy which provides["update"]
onsys/leases/revoke
: GH-143 GH-209 - VaultAuth: Adds support for the JWT authentication method which either uses the JWT token from the provided secret reference, or a service account JWT token that VSO will generate using the provided service account: GH-131
- VaultDynamicSecrets (VDS): New
RenewalPercent
field to control when a lease is renewed: GH-170 - Helm: Support specifying extra annotations on the Operator's Deployment: GH-169
Improvements:
- VaultDynamicSecrets (VDS): Generate new credentials if lease renewal TTL is truncated: GH-170
- VaultDynamicSecrets (VDS): Replace
Spec.Role
withSpec.Path
(breaking change): GH-172 - VaultPKISecrets (VPS): Make
commonName
optional: GH-160 - VaultDynamicSecrets (VDS): Add support for specifying extra request params, and HTTP request method override: GH-186
- VaultStaticSecrets (VSS): Ensure an out-of-band Secret deletion is properly remediated: GH-137
- Honour a Vault*Secret's Vault namespace: GH-157
- VaultStaticSecrets (VSS): Add
Spec.Version
field to support fetching a specific kv-v2 secret version: GH-200
Changes:
- API schema (VDS):
Spec.Role
renamed toSpec.Path
which can be set to any path supported by the Vault secret's engine. - API schema (VPS):
Spec.OtherSANS
takes a slice of strings likeSpec.AltNames
andSpec.IPSans
- Initial Beta Release