Releases: ricoberger/vault-secrets-operator
Version 1.4.4 / 2019-12-09
Allow custom certificates
It's now possible to use custom certificates for the communication between the Operator and Vault. To use custom certificates you need to set the following environment variables:
VAULT_CACERT: CA certificate to verify the Vault server's SSL certificate.VAULT_CLIENT_CERT: CA certificate to use for TLS authentication to the Vault server.VAULT_CLIENT_KEY: Private key matching the client certificate fromVAULT_CLIENT_CERT.VAULT_SKIP_VERIFY: Disable verification of TLS certificates.VAULT_TLS_SERVER_NAME: Name to use as the SNI host when connecting via TLS.
The environment variables can be set as follows in the Helm chart:
environmentVars:
- envName: VAULT_CACERT
secretName: vault-secrets-operator-tls
secretKey: VAULT_CACERT
- envName: VAULT_CLIENT_CERT
secretName: vault-secrets-operator-tls
secretKey: VAULT_CLIENT_CERT
- envName: VAULT_CLIENT_KEY
secretName: vault-secrets-operator-tls
secretKey: VAULT_CLIENT_KEYThe corresponding secret vault-secrets-operator-tls looks as follows:
apiVersion: v1
kind: Secret
metadata:
name: vault-secrets-operator-tls
data:
VAULT_CACERT: ...
VAULT_CLIENT_CERT: ...
VAULT_CLIENT_KEY: ...
type: OpaqueVersion 1.4.3 / 2019-12-03
We are now using the LookupSelf instead of the Lookup function from the Vault API package for the readiness probe.
The Lookup requires more rights to return a successful response. These capabilities are not needed for other operations of the operator. So we switched to the LookupSelf function.
Version 1.4.2 / 2019-12-02
In case the metrics server in a Kubernetes cluster was not available the Vault Secrets Operator fails to start, because the endpoint for the liveness and readiness probe was also not available (#22). Thanks to @rust84 for pointing out the issue.
Now we are using more useful checks for the readiness and liveness probe (#25):
- Liveness: Returns true if the HTTP server is running.
- Readiness: Returns true if a valid token for Vault is passed to the operator.
Version 1.4.1 / 2019-11-28
Add new spec.isBinary field to the CRD, to indicate that the Vault secret contains binary data which is already in base64 encoded format. The binary data stored in vault requires base64 encoding. The
spec.isBinary can be used to prevent such data get base64 encoded again when store as secret in Kubernetes. Thanks to @SiweiWang for the PR #24.
Example:
vault kv put kvv1/example-vaultsecret foo=YmFyCg==You can specify spec.isBinary to indicate this is a binary data which is already in base64 encoded format:
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
name: kvv1-example-vaultsecret
spec:
keys:
- foo
isBinary: true
path: kvv1/example-vaultsecret
type: OpaqueThe resulting Kubernetes secret will be:
apiVersion: v1
data:
foo: YmFyCg==
kind: Secret
metadata:
labels:
created-by: vault-secrets-operator
name: kvv2-example-vaultsecret
type: OpaqueThe value for foo stays as YmFyCg== which does not get base64 encoded again.
Version 1.4.0 / 2019-10-28
Feature:
- Use the
WATCH_NAMESPACEvariable to watch all namespaces or a comma separated list of namespaces. - Add
vault.namespacesvalue to the Helm chart to set theWATCH_NAMESPACEenvironment variable.
vault:
# Watch all namespaces
namespaces: ""
# Watch the namespaces test1, test2 and test3
namespaces: "test1,test2,test3"Misc:
- Update the operator-sdk to version v0.11.x
Version 1.3.2 / 2019-10-17
Bugfix
- Fix helper function to set environment variables from a Kubernetes secret in the Helm chart
Feature
- Add a new value to the Helm chart to specify the deployment strategy for the operator. Currently there seems to be a bug in the operator, which cause problems during an update. Therefor it is recommended to set the strategy type to recreate if a replication count of one is used:
deploymentStrategy:
type: RecreateVersion 1.3.1 / 2019-10-15
Version 1.3.0 / 2019-10-15
Feature: Automatic Reconciliation
- Add an environment variable
VAULT_RECONCILIATION_TIME, which can be set in the Helm chart via thevault.reconciliationTimevalue. - If the value of the
VAULT_RECONCILIATION_TIMEis greater0a CR is reconciled after the specified time (in seconds) - If the
spec.versionis not omitted in a CR, the Kubernetes secret will be automatically updated if the Vault secret changes.
Bugfix: Request was not requeued
- If an error occurred while requesting the Vault secret, the CR was not requeued.
Version 1.2.3 / 2019-09-25
- Add the possibility to read the Vault token from a mounted volume. Therefor we introduce a new environment variable
VAULT_TOKEN_PATHwhich should contain the path to a file with the Vault token. This variable is only processed if the authentication method is set totokenand theVAULT_TOKENenvironment variable is empty. - The Helm chart supports three new values:
vault.tokenPath: Can be used to set theVAULT_TOKEN_PATHenvironment variable.image.volumeMounts: Can be used to mount additional volumes to the container.volumes: Can be used to provide additional volumes.
Example
cat <<EOF | k apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-token
data:
token: |
MY_VAULT_TOKEN
EOF
cat <<EOF | helm upgrade --install vault-secrets-operator ./charts/vault-secrets-operator -f -
image:
repository: ricoberger/vault-secrets-operator
tag: 1.2.3
args: ["--zap-encoder", "console"]
volumeMounts:
- name: vault-token
mountPath: /etc/vault
vault:
address: "vault:8200"
authMethod: "token"
tokenPath: "/etc/vault/token"
volumes:
- name: vault-token
configMap:
name: vault-token
items:
- key: token
path: token
EOF
Version 1.2.2 / 2019-09-12
- Add automatic determination of the KV secret engine version (#12)
The version of the used KV secret engine is now determined by the operator. It is not necessary to specify the KV secret engine version in the CR fieldspec.secretEngine. We keep this field, so we can use it later for other secret engine implementations. This also fixes the bug mentioned in #11. - Add default address for Vault (#13)
The default value of the Vault address in the Helm chart points to http://vault:8200 now.