
Releases: tuenti/secrets-manager

v2.1.0

14 Sep 10:57
3fd9e76

What's Changed

  • Add support for azure keyvault backend by @Wiston999 in #87
  • keep generated files in repo to implement runtime.Object interface by @fcgravalos in #89

New Contributors

Full Changelog: v2.0.1...v2.1.0

v2.0.1

04 Apr 15:23
c293ef2

What's Changed

  • fix nil pointer dereference bug in controller's regular kubernetes client by @fcgravalos in #86

Full Changelog: v2.0.0...v2.0.1

v2.0.0

21 Feb 11:03
933629d

⚠️⚠️ This release is broken and won't work on new kubernetes versions. Please use release v2.0.1 ⚠️⚠️

What's Changed

Full Changelog: v1.1.0...v2.0.0

v1.1.0

05 Jan 18:26
  • [BEHAVIOUR] Using flags watch-namespaces / exclude-namespaces. They interact differently.
    • All namespaces are watched. A namespace is excluded if it is specified within the exclude-namespaces flag.
  • [FEATURE] Adding auth-method param to specify Vault authentication method.
    • Adding vault authentication method from kubernetes. With auth-method param set to kubernetes.
  • [BUG] Set the controller name to something unique to avoid 'duplicate metrics collector registration attempted' errors.

v1.0.2 - Watch Namespaces

20 Nov 11:28
  • This will allow watching specific namespaces, restricting the scope of secrets-manager. This is part of the feedback we got from this Vault thread, where we are proposing secrets-manager as the tool to synchronize secrets from Vault to Kubernetes.

v1.0.1 - Patch release with minor fixes

15 Aug 14:21
b7b5ccc

v1.0.1 2019-08-14

Fixes

  • Deleting a SecretDefinition hangs if the corresponding secret does not exist.
  • Invalid metric names in README

Deprecates

  • Unused prometheus metrics secrets_manager_controller_update_secret_errors_total and secrets_manager_controller_last_updated

v1.0.0 - Stable release - Custom Resource Definitions and Vault AppRole

30 Jul 16:51
31a0ca8

This is the stable release after v1.0.0-rc.1 which enables two major changes in secrets-manager:

  • SecretDefinitions created via Custom Resource Definitions, which will deprecate secrets-manager's Configmap
  • Vault AppRole authentication instead of token-based login

v1.0.0-rc.1

15 Jul 09:00
Pre-release

Added

  • SecretDefinitions created via CustomResourceDefinitions
  • If the SecretDefinition gets deleted, the corresponding secret will be removed too.
  • New zap logger based on controller-runtime project. Use -enable-debug-log to get a more verbose output.
  • Enable the Vault AppRole auth method; secrets-manager will try to re-login every time it fails to fetch the token. This makes secrets-manager more resilient to issues connecting to Vault that could cause the token to expire.
  • New secrets_manager_login_errors_total Prometheus metric.

Fixes

Breaking changes

  • Configmaps are no longer supported for defining secrets, so all the related configmap flags no longer work.
  • log.format and log.level flags won't work anymore, as we have changed the logger to adapt to the controller-runtime project. Use -enable-debug-log to get a more verbose output.
  • config.backend-scrape-interval no longer works as we check the backend state on every reconcile event. Use reconcile-period instead.
  • listen-address removed in favor of metrics-addr
  • Token-based login won't be supported, as re-login with an invalid token won't let secrets-manager self-heal.
  • This makes this new version not backward compatible with previous v0.2.0

v0.2.0-rc.2

04 Feb 14:16
d8b267b
Pre-release

Added

  • New secrets_manager_vault_max_token_ttl metric, so a user could alert based on this and secrets_manager_token_ttl
  • New secrets_manager_secret_last_sync_status metric, which shows whether the secret succeeded or not in the last synchronization iteration

Fixed

  • Deprecates secrets_manager_vault_token_expired metric as it was quite confusing, since it's not really possible for secrets-manager to know when the token has expired, just when it's "close to expire".
  • Renames counter metrics to follow the Prometheus naming standard with the _total suffix instead of _count.
  • Simplifies prometheus token renewal metrics by merging secrets_manager_vault_token_lookup_errors_count and secrets_manager_vault_token_renew_errors_count into one single metric secrets_manager_vault_token_renewal_errors_total with one more dimension called vault_operation which will be one of lookup-self, renew-self, is-renewable.

v0.2.0-rc.1

24 Jan 15:54
fd79e04
Pre-release

Added

  • Enable prometheus metrics
  • cfg.backend-timeout flag to specify a connection timeout to the secrets backend.
  • listen-address flag to specify the listen address of the HTTP API

Fixed

  • Bad return condition in startTokenRenewer, so token lookup won't happen in case of a revoked token.