CHANGES:
- Start testing against Kubernetes 1.24. GH-744
- Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. GH-745
- CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. GH-745
CHANGES:
- `vault-k8s` updated to 0.16.1 GH-739
Improvements:
- Mutating webhook will no longer target the agent injector pod GH-736
Bugs:
- `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 GH-737
CHANGES:
- `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually GH-703
- Default value of `-` used for injector and server to indicate that they follow `global.enabled`. GH-703
- Vault default image to 1.10.3
- CSI provider default image to 1.1.0
- Vault K8s default image to 0.16.0
- Earliest Kubernetes version tested is now 1.16
- Helm 3.6+ now required
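The `global.enabled` semantics above are easiest to see in a values file. The snippet below is an added illustration, not a fragment of the chart's own `values.yaml`: it disables everything globally and then re-enables only the injector. The key names `injector.enabled` and `server.enabled` are assumed here from the entry's reference to "injector and server"; the `-` sentinel is the default the entry describes.

```yaml
# Constructed example values file (not the chart's own values.yaml).
global:
  # false disables every component unless it is explicitly turned on below.
  enabled: false

injector:
  # Explicit true overrides the global switch: only the injector is rendered.
  enabled: true

server:
  # "-" (the default described above) means "follow global.enabled",
  # so the server stays disabled here.
  enabled: "-"
```

Rendering with `helm template` against this file should produce injector resources only; if server objects still appear, the chart version in use predates the GH-703 behaviour.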
Features:
- Support topologySpreadConstraints in server and injector. GH-652
Improvements:
- CSI: Set `extraLabels` for daemonset, pods, and service account GH-690
- Add namespace to injector-leader-elector role, rolebinding and secret GH-683
- Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector GH-710
- Make the Cluster Address (CLUSTER_ADDR) configurable GH-629
- server: Make `publishNotReadyAddresses` configurable for services GH-694
- server: Allow config to be defined as a YAML object in the values file GH-684
- Maintain default MutatingWebhookConfiguration values from `v1beta1` GH-692
CHANGES:
- Vault image default 1.9.2
- Vault K8s image default 0.14.2
Features:
- Added configurable podDisruptionBudget for injector GH-653
- Make terminationGracePeriodSeconds configurable for server GH-659
- Added configurable update strategy for injector GH-661
- csi: ability to set priorityClassName for CSI daemonset pods GH-670
Improvements:
- Set the namespace on the OpenShift Route GH-679
- Add volumes and env vars to helm hook test pod GH-673
- Make TLS configurable for OpenShift routes GH-686
CHANGES:
- Removed support for deploying a leader-elector container with the vault-k8s injector since vault-k8s now uses an internal mechanism to determine leadership GH-649
- Vault image default 1.9.0
- Vault K8s image default 0.14.1
Improvements:
- Added templateConfig.staticSecretRenderInterval chart option for the injector GH-621
Improvements:
- Add option for Ingress PathType GH-634
KNOWN ISSUES:
- The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set
CHANGES:
- Vault image default 1.8.4
- Vault K8s image default 0.14.0
Improvements:
- Support Ingress stable networking API GH-590
- Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types GH-626
- Support setting ingressClassName on server Ingress GH-630
Bugs:
- Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden GH-628
CHANGES:
- Vault image default 1.8.3
- Vault K8s image default 0.13.1
CHANGES:
- Support for deploying a leader-elector container with the vault-k8s injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`.
Improvements:
- Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` GH-603
- Support vault-k8s internal leader election GH-568 GH-607
Improvements:
Features:
- Added templateConfig.exitOnRetryFailure chart option for the injector GH-560
Improvements:
- Support configuring pod tolerations, pod affinity, and node selectors as YAML GH-565
- Set the default vault image to come from the hashicorp organization GH-567
- Add support for running the acceptance tests against a local `kind` cluster GH-567
- Add `server.ingress.activeService` to configure if the ingress should use the active service GH-570
- Add `server.route.activeService` to configure if the route should use the active service GH-570
- Support configuring `global.imagePullSecrets` from a string array GH-576
Improvements:
- Added a helm test for vault server GH-531
- Added server.enterpriseLicense option GH-547
- Added OpenShift overrides GH-549
Bugs:
- Fix ui.serviceNodePort schema GH-537
- Fix server.ha.disruptionBudget.maxUnavailable schema GH-535
- Added webhook-certs volume mount to sidecar injector GH-545
Features:
- Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` GH-526
Improvements:
- Set chart kubeVersion and added chart-verifier tests GH-510
- Added values json schema GH-513
- Ability to set tolerations for CSI daemonset pods GH-521
- UI target port is now configurable GH-437
Bugs:
- CSI: `global.imagePullSecrets` are now also used for CSI daemonset GH-519
Features:
- Added `server.enabled` to explicitly skip installing a Vault server GH-486
- Injector now supports enabling host network GH-471
- Injector port is now configurable GH-489
- Injector Vault Agent resource defaults are now configurable GH-493
- Extra paths can now be added to the Vault ingress service GH-460
- Log level and format can now be set directly using `server.logFormat` and `server.logLevel` GH-488
Improvements:
- Added `https` name to injector service port GH-495
Bugs:
- CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name GH-486
Features:
- Add support for Vault CSI provider GH-461
Improvements:
- `objectSelector` can now be set on the mutating admission webhook GH-456
Bugs:
- Injector: fix labels for default anti-affinity rule GH-441, GH-442
- Set VAULT_DEV_LISTEN_ADDRESS in dev mode GH-446
Features:
- Injector now supports configurable number of replicas GH-436
- Injector now supports auto TLS for multiple replicas using leader elections GH-436
Improvements:
- Dev mode now supports `server.extraArgs` GH-421
- Dev mode root token is now configurable with `server.dev.devRootToken` GH-415
- ClusterRoleBinding updated to `v1` GH-395
- MutatingWebhook updated to `v1` GH-408
- Injector service now supports `injector.service.annotations` GH-425
- Injector now supports `injector.extraLabels` GH-428
- Added `allowPrivilegeEscalation: false` to Vault and Injector containers GH-429
- Network Policy now supports `server.networkPolicy.egress` GH-389
Improvements:
- Make server NetworkPolicy independent of OpenShift GH-381
- Added configurables for all probe values GH-387
- MountPath for audit and data storage is now configurable GH-393
- Annotations can now be added to the Injector pods GH-394
- The injector can now be configured with a failurePolicy GH-400
- Added additional environment variables for rendering within Vault config GH-398
- Service account for Vault K8s auth is automatically created when `injector.externalVaultAddr` is set GH-392
Bugs:
- Fixed install output using Helm V2 command GH-378
Features:
- Added `volumes` and `volumeMounts` for mounting any type of volume GH-314
- Added configurable to enable prometheus telemetry exporter for Vault Agent Injector GH-372
Improvements:
- Added `defaultMode` configurable to `extraVolumes` GH-321
- Option to install and use PodSecurityPolicy's for vault server and injector GH-177
- `VAULT_API_ADDR` is now configurable GH-290
- Removed deprecated tolerate unready endpoint annotations GH-363
- Add an option to set annotations on the StatefulSet GH-199
- Make the vault server serviceAccount name a configuration option GH-367
- Removed annotation restriction from `dev` mode GH-371
- Add an option to set annotations on PVCs GH-364
- Added service configurables for UI GH-285
Bugs:
- Fix python dependency in test image GH-337
- Fix caBundle not being quoted causing validation issues with Helm 3 GH-352
- Fix injector network policy being rendered when injector is not enabled GH-358
Features:
- Added `extraInitContainers` to define init containers for the Vault cluster GH-258
- Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready GH-315
- Beta: Added OpenShift support GH-319
Improvements:
- Server configs can now be defined in YAML. Multi-line string configs are still compatible GH-213
- Removed IPC_LOCK privileges since swap is disabled on containers [GH-198]
- Use port names that map to vault.scheme [GH-223]
- Allow both yaml and multi-line string annotations [GH-272]
- Added configurable to set the Raft node name to hostname [GH-269]
- Support setting priorityClassName on pods [GH-282]
- Added support for ingress apiVersion `networking.k8s.io/v1beta1` [GH-310]
- Added configurable to change service type for the HA active service GH-317
Bugs:
- Fixed default ingress path [GH-224]
- Fixed annotations for HA standby/active services [GH-268]
- Updated some value defaults to match their use in templates [GH-309]
- Use active service on ingress when ha [GH-270]
- Fixed bug where pull secrets weren't being used for injector image GH-298
Features:
- Added Raft support for HA mode [GH-228]
- Now supports Vault Enterprise [GH-250]
- Added K8s Service Registration for HA modes [GH-250]
- Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [GH-185]
- Added environment variables for logging and revocation on Vault Agent Injector [GH-219]
- Option to set environment variables for the injector deployment [GH-232]
- Added affinity, tolerations, and nodeSelector options for the injector deployment [GH-234]
- Made all annotations multi-line strings [GH-227]
Improvements:
- Allow process namespace sharing between Vault and sidecar containers [GH-174]
- Added configurable to change updateStrategy [GH-172]
- Added sleep in the preStop lifecycle step [GH-188]
- Updated chart and tests to Helm 3 [GH-195]
- Adds Values.injector.externalVaultAddr to use the injector with an external vault [GH-207]
Bugs:
- Fix bug where Vault lifecycle was appended after extra containers. [GH-179]
Security:
- Added `server.extraArgs` to allow loading of additional Vault configurations containing sensitive settings GH-175
Bugs:
- Fixed injection bug where wrong environment variables were being used for manually mounted TLS files
Bugs:
- Fixed injection bug where TLS Skip Verify was true by default [VK8S-35]
Bugs:
- Fixed injection bug causing kube-system pods to be rejected [VK8S-14]
Features:
- Extra containers can now be added to the Vault pods
- Added configurability of pod probes
- Added Vault Agent Injector
Improvements:
- Moved `global.image` to `server.image`
- Changed UI service template to route pods that aren't ready via `publishNotReadyAddresses: true`
- Added better HTTP/HTTPS scheme support to http probes
- Added configurable node port for Vault service
- `server.authDelegator` is now enabled by default
Bugs:
- Fixed upgrade bug by removing chart label which contained the version
- Fixed typo on `serviceAccount` (was `serviceaccount`)
- Fixed readiness/liveness HTTP probe default to accept standbys
Bugs:
- Removed `readOnlyRootFilesystem` causing issues when validating deployments
Features:
- Added load balancer support
- Added ingress support
- Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc)
- Removed root requirements, now runs as Vault user
Improvements:
- Added namespace value to all rendered objects
- Made ports configurable in services
- Added the ability to add custom annotations to services
- Added docker image for running bats test in CircleCI
- Removed restrictions around `dev` mode such as annotations
- `readOnlyRootFilesystem` is now configurable
- Image Pull Policy is now configurable
Bugs:
- Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption)
- Fixed bug where audit storage was not being mounted in HA mode
- Fixed bug where Vault pod wasn't receiving SIGTERM signals
Features:
- Added `extraSecretEnvironmentVars` to allow users to mount secrets as environment variables
- Added `tlsDisable` configurable to change HTTP protocols from HTTP/HTTPS depending on the value
- Added `serviceNodePort` to configure a NodePort value when setting `serviceType` to "NodePort"
Improvements:
- Changed UI port to 8200 for better HTTP protocol support
- Added `path` to `extraVolumes` to define where the volume should be mounted. Defaults to `/vault/userconfig`
- Upgraded Vault to 1.2.2
Bugs:
- Fixed bug where upgrade would fail because immutable labels were being changed (Helm Version label)
- Fixed bug where UI service used wrong selector after updating helm labels
- Added `VAULT_API_ADDR` env to Vault pod to fix bug where Vault thinks Consul is the active node
- Removed `step-down` preStop since it requires authentication. Shutdown signal sent by Kube acts similar to `step-down`
Features:
- Added `authDelegator` Cluster Role Binding to Vault service account for bootstrapping Kube auth method
Improvements:
- Added `server.service.clusterIP` to `values.yml` so users can toggle the Vault service to headless by using the value `None`.
- Upgraded Vault to 1.2.1
Initial release