This repository has been archived by the owner on Jul 26, 2022. It is now read-only.

CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

8.5.5 (2022-03-23)

Bug Fixes

  • deps: bump node-forge CVE-2022-24772 CVE-2022-24771 CVE-2022-0122 (#916) (30616d9)
  • deps: CVE-2021-44906 bump minimist from 1.2.5 to 1.2.6 (#915) (9804629)

8.5.4 (2022-02-16)

Bug Fixes

  • deps: bump follow-redirects from 1.14.7 to 1.14.8 (#907) (a65b4f2)
  • deps: CVE-2021-23555 bump vm2 from 3.9.5 to 3.9.7 (#908) (see 2642fed) (ce06c7b)

8.5.3 (2022-02-15)

Bug Fixes

  • chart: add deprecation notice (264de92)

8.5.2 (2022-01-31)

Bug Fixes

  • azure: AzureUSGovernment -> AzureUSGovernmentCloud (#901) (fa09c72)
  • azure: bump @azure/identity and @azure/keyvault-secrets dependencies due to audit warnings (d89bb84)
  • deps: CVE-2022-0155 bump follow-redirects from 1.14.4 to 1.14.7 (#900) (561faf2)
  • deps: GHSA-64g7-mvw6-v9qj bump shelljs from 0.8.4 to 0.8.5 (#899) (4e3f068)
  • security: npm audit fix, bump security alerted dependencies (6fcbb56)

8.5.1 (2022-01-02)

Bug Fixes

8.5.0 (2021-12-17)

Features

8.4.0 (2021-11-17)

Features

  • ✨ Introduce dataFromWithOptions (#846) (4dbb6dd)
  • ibm: add spec option keyByName to support the use of a name, instead of id, as the key (#850) (20496ab)
  • Log base w/ configurable pid and hostname keys (#868) (ca549f5)

Bug Fixes

  • redact sensitive information from logs (#859) (79da8cb)

8.3.2 (2021-10-19)

Bug Fixes

  • update image to use alpine 3.14 base (#855) (99575ef)

8.3.1 (2021-10-19)

Bug Fixes

  • fixes naming convention permission check for data items with path attribute only. (#830) (a7d8c6c)
  • package.json & package-lock.json to reduce vulnerabilities (#825) (946f692)
  • remove AWS_DEFAULT_REGION (#794) (45e8948)
  • update runtime to node 14, update all transitive dependencies, update dev dependencies (#854) (7a178d0)

8.3.0 (2021-08-05)

Features

  • chart: Add optional deployment labels value to charts (#814) (43eb046)

Bug Fixes

  • stop using deprecated/removed --generator flag in e2e tests (#819) (6347182)

8.2.3 (2021-07-30)

Bug Fixes

  • core: verify data items with path attribute when using naming conventions. (#800) (129a518)

8.2.2 (2021-07-12)

Bug Fixes

  • IBM: correctly extract secret data for IBM IAM credentials type secrets (#792) (2f16714)

8.2.1 (2021-07-02)

Bug Fixes

  • update transitive dependencies to resolve CVE-2020-28469, CVE-2021-33502 (fcd353f)

8.2.0 (2021-07-02)

Features

  • chart: add securityContext settings for pod container (#780) (28ce1a8)
  • Upsert secrets only when needed (#782) (48db901)

8.1.3 (2021-06-14)

Bug Fixes

8.1.2 (2021-06-05)

Bug Fixes

  • deps: CVE-2021-32640, CVE-2021-23364, update transitive dependencies to address ReDOS vulnerabilities (78f7b2e)

8.1.1 (2021-06-03)

Bug Fixes

  • verify CRD is available on startup (182e224)

8.1.0 (2021-06-03)

Features

8.0.2 (2021-06-03)

Bug Fixes

  • crd: remove unnecessary empty properties in oneOf validation (#758) (fa54f54), closes #753
  • watcher: ensure that the restart timer is always started regardless of whether there are events or not (#765) (1de5432)

8.0.1 (2021-05-13)

Bug Fixes

  • add observedGeneration to CRD status fields (#747) (d8abea3)

8.0.0 (2021-05-12)

⚠ BREAKING CHANGES

  • Drops support for kubernetes versions <1.16. This shouldn't be a breaking change if you have followed earlier deprecations (like using spec instead of secretDescriptor). The updated CRD complies with the new structural validation and should validate all fields; any fields missing in the validation will be dropped from your ExternalSecret resource.

Bug Fixes

  • update crd to apiextensions.k8s.io/v1 (#681) (73aeaef)

7.2.1 (2021-04-26)

Bug Fixes

  • correctly pass instanceId to daemon so scoping with controllerId works (#719) (82f54e2)
  • update dependency jose (#713) (e47dee0)

7.2.0 (2021-04-14)

Features

  • chart: add envVarsFromConfigMap and envFrom support for more options to configure the Helm deployment (#706) (14900e5)

Bug Fixes

  • crash on watcher events introduced with multi-tenancy (#708) (c7250cc)

7.1.0 (2021-04-14)

Features

  • multitenancy: scope KES access using ExternalSecret spec.controllerId and INSTANCE_ID env (#701) (af50ca6)

7.0.1 (2021-04-08)

Bug Fixes

  • chart: add prerelease suffix ('>=1.17.0-0') to all semverCompare checks in rbac template (#699) (87d6037)
  • chart: bump Helm chart API version (#698) (ce27e88)

7.0.0 (2021-04-06)

⚠ BREAKING CHANGES

  • require .spec field in CRD validation (#682)
  • drop helm v2 and builtin CRD management (#663)
  • rename time field to avoid duplicate time key in log output

Features

  • add arm v7 as docker multi arch target (#679) (7c7cca8)
  • add container scan (#658) (82ff43e)
  • add support for IBM Cloud Secrets Manager backend (#656) (8ff9490)
  • automated docker image build with multi arch (amd64 + arm64) (#665) (4846313)
  • drop helm v2 and builtin CRD management (#663) (87a3ecb)

Bug Fixes

  • add an accurate log message when AWS region is not defined in the Systems manager manifest (#648) (448305a)
  • remove instructions to push docker image when cutting release (472ad25)
  • rename time field to avoid duplicate time key in log output (faf2093)
  • require .spec field in CRD validation (#682) (e43a6b8)
  • update transitive deps (#667) (7852dd6)
  • update transitive netmask dependency to resolve CVE-2021-28918 (#693) (483fb90)
  • use getObjectStream to address deprecation warning in kubernetes-client (#664) (3ee939a)
  • watch without namespace path if watching all namespaces (#673) (fa070ef)
  • deps: drop individual 'lodash.*' packages in favor of lodash package (#661) (cfe3366)
  • helm: add patch version to semverCompare (#637) (9394316)
  • secretsManager: remove 'undefined' log message when AWS region is not defined in the ExternalSecret manifest (#641) (3409c66)

6.4.0 (2021-02-25)

Features

  • poller: lodash template preprocess for externalsecret.spec.template field (#626) (6639553)

6.3.0 (2021-02-10)

Features

  • aws: allow custom endpoints for aws services (#602) (03f5c65)
  • aws-ssm: Add support to get parameters by path (#603) (74d4459)
  • core: adds support for nested key lookups (eg key: a.b.c to get nested value in json secret) (#592) (190e6db)
  • helm: add in ability to inject init containers in to deployment from values (#615) (21acce1)
  • helm: add pdb in helm chart (#616) (3be641f)

6.2.0 (2021-01-21)

Features

  • multitenancy: Allow to watch ExternalSecrets in specific namespaces (#548) (85739fd)
  • Add HTTP Proxy support to AWS SDK (#601) (c9d7785)

6.1.0 (2020-12-22)

Features

  • add general support for isBinary for all backends (#585) (e138a28)
  • restart watcher if no events seen for specified period (default 60 sec) (#532) (bb1ed9e)
  • helm: add the ability to set the priorityClassName (#534) (e719c87)
  • metrics: add metrics names following Prometheus best practices, deprecating old metrics names! (#540) (5b5a00f)

Bug Fixes

  • values: imagePullSecrets was wrongly indented under image (#577) (7861473), closes #522
  • configure nestedKey in logger to avoid invalid json (#568) (a430320)
  • deps: bumping @grpc/grpc-js to 1.1.8 (#550) (4e88026)
  • deps: bumping lodash from 4.17.19 to 4.17.20 (#545) (6c9d60d)

6.0.0 (2020-10-09)

⚠ BREAKING CHANGES

  • azure: Unwraps the value returned from Azure Key vault (migration: "property: value" -> remove property selector) (#460)

Features

  • aws: add region support to ssm and sm (#475) (0b35441)
  • aws: add support for setting an intermediate iam role (#454) (72920e4)
  • Cluster level default settings for Hashicorp Vault (#472) (5215090)

Bug Fixes

  • azure: Unwraps the value returned from Azure Key vault (migration: "property: value" -> remove property selector) (#460) (36d5bbb)
  • deps: update dependency @google-cloud/secret-manager to v3 (#345) (2bf42db)
  • helm: apply namespace to Deployment and Service (#471) (ba38e3a)
  • vault: Cache Vault clients/tokens on a per-role&mountpoint basis. (#488) (ab36718)
  • vault: handle token renewal failures (#497) (c3c27bc)
  • e2e tests to work with kind 0.9.0 + bump k8s version used (#498) (f815afd)
  • provide a meaningful error message when an SSM parameter is missing (#483) (99ce81e)

5.2.0 (2020-08-18)

Bug Fixes

  • vault: token ttl conditional renew (#457) (a52987b)
  • reverts assumeRole to use pod role instead of web identity (#453) (fa747dc)

5.1.0 (2020-07-27)

Features

  • added the option to enforce namespace annotations (#448) (1517333)

Bug Fixes

  • config: extract LOG_MESSAGE_KEY properly (#456) (a50c219)
  • pino: messageKey option as root constructor property (#455) (22208b0)

5.0.0 (2020-07-24)

NOTE: There were no breaking changes in this release, just a release script mishap bumping the major.

Features

  • chart: add dns config options
  • logging: add config to allow switching level format to human-readable log levels (#429) (4602ad0)
  • secretsManager: add support for versionId in AWS Secrets Manager (#436) (95827bc)

Bug Fixes

  • upgrade the Azure Identity SDK and Azure KeyVault secret SDK to support AKS pod identity for authorization (#447) (020c10b)

4.2.0 (2020-07-12)

Features

  • add support for using either Vault k/v 1 or k/v 2 (#426) (4193050)

4.1.0 (2020-07-09)

Features

  • add e2e test for naming conventions enforcement (#412) (bfb5ed2)
  • allow permitted-key-name to be provided as list (#409) (10e3991)
  • Vault namespace support (#403) (6bd9570)

Bug Fixes

  • pass in the Web Identity token to assumeRoleWithWebIdentity (#417) (23d511f)
  • use assumeRoleWithWebIdentity when using IRSA (#416) (117b926)
  • vault: fix requestOptions for vault namespace support (#410) (e80d83d)

4.0.0 (2020-06-02)

⚠ BREAKING CHANGES

  • Changes the values return type from GCP secret manager. Previously secret value was wrapped in an object { "value": <secret> } while now <secret> will be returned directly so KES features can be properly used.
  • GOOGLE_APPLICATION_CREDENTIALS: /app/gcp-creds/gcp-creds.json is no longer set by default as it causes conflicts with other configurations.

Features

  • add support for Alibaba Cloud KMS Secret Manager (#355) (cceb40b)
  • Chart optionally installs CRD / CR Manager configurable for more strict clusters (#344) (131e201)

Bug Fixes

  • vault: follow all redirects to support vault HA (#394) (a05aa92)
  • don't set GOOGLE_APPLICATION_CREDENTIALS by default and update README for Google Secret Manager (#371) (e9db0f8)
  • Handle JSON in GCP Secrets Manager (#373) (4273598)

3.3.0 (2020-05-01)

Features

  • add last_state metric (#357) (1d9d237)
  • enable use of AWS STS regional endpoints (#348) (9a46773)
  • improve out-of-the-box compatibility with clusters running locked down PodSecurityPolicy enabling runAsNonRoot by default (#361) (27ba7e1)
  • support isBinary for GCP (#353) (de20a1b), closes #352

Bug Fixes

  • deps: update dependency kubernetes-client to v9 (#367) (f06bd59)
  • deps: update dependency pino to v6 (#322) (3664540)
  • deps: update dependency prom-client to v12 (#323) (504ed6c)

3.2.0 (2020-03-27)

Features

Bug Fixes

  • azure-registry: handle binary files (#311) (9727d48)
  • stringify json object based secrets (#247) (828d0ce)
  • upgrade aws-sdk from 2.575.0 to 2.628.0 (#305) (149e33a)
  • upgrade pino from 5.13.6 to 5.16.0 (#306) (be74814)
  • verify dataFrom property in naming convention verification (#292) (f26bf2b)

3.1.0 (2020-02-06)

3.0.0 (2020-01-09)

Features

  • release: use same version for app and chart release (#242) (2000864)
  • allow enforcing naming conventions for key names, limiting which keys can be fetched from backends (#230) (c4fdea6), closes #178 #178 #178

Bug Fixes

  • default service account annotation value (#252) (b163a69)
  • remove required top level key from vault backend validation (#255) (e567117)

2.2.1 (2019-12-06)

Bug Fixes

  • do not skew binary data (#244) (01e0ca2)
  • chart: remove one of the duplicate securityContext (#222) (2b54f34)
  • bump pino and sub dependency flatstr, fixes #218 (#219) (db3491b)
  • kv-backend: Add empty keyOptions for dataFrom case. (#221) (8e838ee)

2.2.0 (2019-11-14)

Features

  • implement basic e2e tests (#207) (dfa210b)
  • chart: support mounting existing secrets as files (#213) (ac9b9e2)
  • secrets-manager: Added support for secrets versioning in Secrets Manager using version stage labels (#181) (9d6c2f9)
  • add validation to CRD (#208) (d2ebaeb)
  • allow disabling of interval polling (#211) (9441216)

Bug Fixes

  • script: remove external-secrets.yml patching from release.sh (#216) (9d871cd)
  • add dataFrom support to vault backend (refactor kv-backend) (#206) (24421b9)
  • status update conflicts should not cause crash, fixes #199 (#215) (e6171c8)
  • Stringify JSON response for compatibility with KV backend (#214) (5527530)

2.1.0 (2019-11-08)

Features

  • vault: Support for Hashicorp Vault (#198) (d61312c)
  • add status subresource with last sync and generation tracking (#133) (8db1749)
  • add support for dataFrom & fix: encoding of non-string values (#196) (90f01c5)
  • allow setting additional markup on generated secret resource using template (#192) (25e2f74)
  • make role-scope annotation configurable & fix: allow missing roleArn even if annotations are set (#179) (8c17819), closes #174 #174
  • support Secret Binary from AWS Secrets Manager (#197) (731edb1)
  • Update aws-sdk to enable IRSA (AWS IAM Roles for ServiceAccounts) support, add securityContext to helm chart (#200) (165662c)
  • use spec in external secret resource, keeping secretDescriptor for backwards compat (#204) (a2a9dff)

Bug Fixes

1.6.0 (2019-10-23)

Features

1.5.0 (2019-09-27)

Features

1.4.0 (2019-09-27)

Features

  • allow setting type in external secret to support other than Opaque secrets (#130) (226697a)

Bug Fixes

  • daemon: Upsert secrets immediately poller added (a986dfb)

1.3.1 (2019-07-18)

Bug Fixes

  • secret: fix SSM parameter store code (e5e635f)

1.3.0 (2019-06-22)

Features

  • secret: add ownerreference to remove created secret when external secret is removed (#95) (66af903)

Bug Fixes

  • remove logging of potentially secret value (#96) (6063f79)

1.2.3 (2019-06-06)

Bug Fixes

  • logging: show error on missing property (#87) (ef8bd5f)

1.2.2 (2019-06-03)

Bug Fixes

  • AWSSM: treat value as object iff the es specifies .property (#74) (1d5a9dd)

1.2.1 (2019-05-20)

Bug Fixes

  • config: remove default aws region (#54) (4584a09)
  • package: update kubernetes-client to version 7.0.0 (#49) (eeb7acf)

1.2.0 (2019-04-09)

Features

  • data: support .data in the secretDescriptor (#40) (4887469)

Bug Fixes

  • package: update make-promises-safe to version 5.0.0 (#33) (a25b1d2)

1.1.0 (2019-03-14)

Features

  • cicd: add .travis.yml file (#9) (fbe52b3)
  • deploy: move deploy resources into single file (#5) (a264f2c)
  • examples: add hello-service example (#6) (af5b1d2)
  • json: support JSON objects in AWS Secret Manager (#13) (cd7130f)
  • project: add nodemon for development (#7) (ec25cbd)

Bug Fixes

  • backends: fix secretsManager backend name (#27) (d494edf)
  • deploy: fix deployment file (#4) (bcb1ad1)
  • dockerfile: remove broken commands (#3) (7901f90)
  • rbac: adjust the poller upsert code so it doesn't need get (#22) (5cffe97)
  • typo: fix typo in external secrets name (#8) (e26f75c)
  • updating: use PUT not PATCH when updating an existing Secret (#20) (856d8e0)