v1.2.0

v1.2.0 - 2022-06-22

Changelog

Bug Fixes 🐞

• 3ae12bd fix: remove files before cleanup mount point in unpublish
• 0af2483 fix: panic when using --log-format-json
• 830d184 fix: update err variable in defer to prevent err shadowing
• c452ac4 fix: add unit test to validate error shadowed bug

Code Refactoring 💎

• b0af2b9 refactor: use NewSharedInformerFactoryWithOptions for new shared informer
• 14489c7 refactor: update mdbook install and serve

Continuous Integration 💜

• d1181e3 ci: add kubernetes 1.24 in e2e matrix
• ce47672 ci: fix aws eks cluster creation
• 384db8b ci: fix markdown link check workflow failures
• 12d1c99 ci: update kubernetes version matrix in staging e2e workflow
• 0246e35 ci: update e2e_mock_provider_tests kubernetes versions
• 2f16132 ci: add goreleaser workflow for release
• d0e614f ci: fix shellcheck file paths
• 00a1445 ci: add markdown-link-check workflow

Documentation 📘

• 3787ca2 docs: include security explanations for root/privileged/and pod tokens
• b55eaef docs: update instructions on generating release notes
• c0e97a5 docs: add subPath volume mount limitation
• 592ad7b docs: update supported versions and replace v1alpha1 with v1
• 8c41c4a docs: remove helm repo url change note in install steps
• 052429b docs: add slack badge
• 95218a6 docs: fix dead links based on errors
• 0391489 docs: update features and add toc
• ba364e1 docs: Update helm README.md with linux crd image values (#797)
• 856ad85 docs: update supported feature by current providers
• a760c18 docs: fix typo in api version group name
• ed9ecf3 docs: add design docs and roadmap to website
• 99aafa5 docs: add project status to docs

Features 🌈

• 0723e1e feat: support provider paths under /var/run
• 7ac887a feat: add token requests client (#805)
• 4b8c442 feat: send NodePublishVolumeRequest.VolumeContext in MountRequest to provider

Maintenance 🔧

• 23ae1fb chore: bump version to v1.2.0 in release-1.2
• a95f0e5 chore: update kustomize to v4
• 1d264d2 chore: update tools dependencies and generate manifests
• e0f1850 chore: update kubernetes deps to v1.24.1
• 5ddc969 chore: add crds.podLabels for helm hook jobs (#962)
• d70d198 chore: update debian-base to bullseye-v1.3.0
• a48fdde chore: bump node-driver-registrar:v2.5.1 and livenessprobe:v2.7.0
• 68ef471 chore: bump kind version to v0.13.0 to support kubernetes v1.24
• 75d28a4 chore: update pull request template
• 1faac89 chore: change default to /var/run for providers path
• e6cc3d5 chore: upgrade makefile test binary versions
• 4b09e85 chore: upgrade to go 1.18
• 1ec0f8b chore: remove deprecated minimumProviderVersions in helm chart
• b46dfcb chore: make token requests conditional for v1.20+
• 37f55b2 chore: bump node-driver-registrar:v2.5.0 and livenessprobe:v2.6.0
• ca257a8 chore: mark v1alpha1 api version as deprecated
• ae87243 chore: remove old helm packages and index
• ccb9fa4 chore: updates trivy command
• a596624 chore: log invalid key in error
• dac5381 chore: update debian-base to bullseye-v1.1.0
• f694be2 chore: bump node-driver-reegistrar image to v2.4.0
• 9750771 chore: remove deprecated --filtered-watch-secret flag
• c78559e chore: bump livenessprobe image to v2.5.0
• 2b27e0c chore: upgrade kubernetes deps
• 6069215 chore: use TARGETARCH for image build and makefile update
• e1f143c chore: use corev1 as import alias instead of v1

Security Fix 🛡️

• 84f8b21 security: fix CVE-2022-1664
• 860c83e security: fix CVE-2022-1292
• 28a14d2 security: fix CVE-2022-1271
• f4b9d0f security: fix CVE-2018-25032 and update to debian-base:bullseye-v1.2.0
• 5a34967 security: fix CVEs
• b558858 security: fix CVE-2022-0778, CVE-2021-4160
• e6d1c8f security: fix CVE-2021-3995, CVE-2021-3996
• 6462375 security: fix CVE-2021-43618

Testing 💚

• df67b53 test: cleanup provider tests (part 1)
• 725b77d test: use helm upgrade --install for azure e2e
• 86d368e test: use helm charts for azure provider
• 0ec6250 test: conditionally check token requests role and binding
• 899d3ed test: add test for view and admin cluster role (#845)

v1.1.2

v1.1.2 - 2022-03-31

Changelog

Bug Fixes 🐞

• 9e39ed6 Automated cherry pick of #898: fix: validate additionalProviderPaths does not contain providers dir (#902)

Maintenance 🔧

• cf55d98 chore: bump version to 1.1.2 in release-1.1
• 2c0743e chore: update golangci-lint to v1.45.2 and pin to go 1.17

Security Fix 🛡️

• 78d2507 security: fix CVEs
• 8cd6b62 security: fix CVE-2022-0778, CVE-2021-4160

v1.1.1

v1.1.1 - 2022-03-07

Changelog

Bug Fixes 🐞

• 8b6a1e6 fix: panic when using --log-format-json

Maintenance 🔧

• f2c8ae2 chore: bump version to 1.1.1 in release-1.1

v1.1.0

v1.1.0 - 2022-02-23

Announcement 📢

• The helm charts were moved to https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts as part of v0.3.0 release. As part of this release, the old charts from the main branch have been removed. Update to https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts to use the helm charts for all releases.
• secrets-store.csi.x-k8s.io/v1alpha1 is deprecated. Use secrets-store.csi.x-k8s.io/v1 instead for SecretProviderClass API version.
• Note to Providers: The provider volume default will move from /etc/kubernetes/secrets-store-csi-providers to /var/run/secrets-store-csi-providers in a future version of the driver. For more info see #823 and #870.

Changelog

Bug Fixes 🐞

• c8c4533 fix: update err variable in defer to prevent err shadowing
• 91440b7 fix: add unit test to validate error shadowed bug

Code Refactoring 💎

• b0af2b9 refactor: use NewSharedInformerFactoryWithOptions for new shared informer
• 14489c7 refactor: update mdbook install and serve

Continuous Integration 💜

• 2f16132 ci: add goreleaser workflow for release
• d0e614f ci: fix shellcheck file paths
• 00a1445 ci: add markdown-link-check workflow

Documentation 📘

• 8c41c4a docs: remove helm repo url change note in install steps
• 052429b docs: add slack badge
• 95218a6 docs: fix dead links based on errors
• 0391489 docs: update features and add toc
• ba364e1 docs: Update helm README.md with linux crd image values (#797)
• 856ad85 docs: update supported feature by current providers
• a760c18 docs: fix typo in api version group name
• ed9ecf3 docs: add design docs and roadmap to website
• 99aafa5 docs: add project status to docs

Features 🌈

• 7ac887a feat: add token requests client (#805)
• 4b8c442 feat: send NodePublishVolumeRequest.VolumeContext in MountRequest to provider
• d7809a7 feat: support provider paths under /var/run

Maintenance 🔧

• 06931d3 chore: bump version to v1.1.0-rc.0 in release-1.1
• ca257a8 chore: mark v1alpha1 api version as deprecated
• ccb9fa4 chore: updates trivy command
• a596624 chore: log invalid key in error
• dac5381 chore: update debian-base to bullseye-v1.1.0
• f694be2 chore: bump node-driver-reegistrar image to v2.4.0
• 9750771 chore: remove deprecated --filtered-watch-secret flag
• c78559e chore: bump livenessprobe image to v2.5.0
• 2b27e0c chore: upgrade kubernetes deps
• 6069215 chore: use TARGETARCH for image build and makefile update
• e1f143c chore: use corev1 as import alias instead of v1
• 331cf9f chore: bump version to v1.1.0 in release-1.1
• 1ecec55 chore: make token requests conditional for v1.20+
• a036d14 chore: bump node-driver-registrar:v2.5.0 and livenessprobe:v2.6.0

Security Fix 🛡️

• e6d1c8f security: fix CVE-2021-3995, CVE-2021-3996
• 6462375 security: fix CVE-2021-43618

Testing 💚

• 899d3ed test: add test for view and admin cluster role (#845)

v1.1.0-rc.0

v1.1.0-rc.0 - 2022-02-08

Changelog

Code Refactoring 💎

• b0af2b9 refactor: use NewSharedInformerFactoryWithOptions for new shared informer
• 14489c7 refactor: update mdbook install and serve

Continuous Integration 💜

• 2f16132 ci: add goreleaser workflow for release
• d0e614f ci: fix shellcheck file paths
• 00a1445 ci: add markdown-link-check workflow

Documentation 📘

• 8c41c4a docs: remove helm repo url change note in install steps
• 052429b docs: add slack badge
• 95218a6 docs: fix dead links based on errors
• 0391489 docs: update features and add toc
• ba364e1 docs: Update helm README.md with linux crd image values (#797)
• 856ad85 docs: update supported feature by current providers
• a760c18 docs: fix typo in api version group name
• ed9ecf3 docs: add design docs and roadmap to website
• 99aafa5 docs: add project status to docs

Features 🌈

• 7ac887a feat: add token requests client (#805)
• 4b8c442 feat: send NodePublishVolumeRequest.VolumeContext in MountRequest to provider

Maintenance 🔧

• 06931d3 chore: bump version to v1.1.0-rc.0 in release-1.1
• ca257a8 chore: mark v1alpha1 api version as deprecated
• ccb9fa4 chore: updates trivy command
• a596624 chore: log invalid key in error
• dac5381 chore: update debian-base to bullseye-v1.1.0
• f694be2 chore: bump node-driver-reegistrar image to v2.4.0
• 9750771 chore: remove deprecated --filtered-watch-secret flag
• c78559e chore: bump livenessprobe image to v2.5.0
• 2b27e0c chore: upgrade kubernetes deps
• 6069215 chore: use TARGETARCH for image build and makefile update
• e1f143c chore: use corev1 as import alias instead of v1

Security Fix 🛡️

• e6d1c8f security: fix CVE-2021-3995, CVE-2021-3996
• 6462375 security: fix CVE-2021-43618

Testing 💚

• 899d3ed test: add test for view and admin cluster role (#845)

v1.0.1

Security Fix 🛡️

• fix CVE-2021-43618 (#826, @aramase)

Maintenance 🔧

• remove strict linting (#822, @aramase)
• update livenessprobe image to v2.5.0 (#803, @aramase)
• update node-driver-registrar image to v2.4.0 (#807, @aramase)
• use k8s-staging-test-infra/gcb-docker-gcloud (#814, @spiffxp)
• update debian-base to bullseye-v1.1.0 (#825, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v1.0.0

Announcement 📢

• This is the first stable release for the driver!
• The SecretProviderClass and SecretProviderClassPodStatus CRDs are now v1 🎉

Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#pre-v100 before upgrade. Refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html for load test results.

Features 🌈

• Promoted CRDs to v1 (#760, @aramase)
• Add Windows Server 2022 (#757, @nick5616)

Bug Fixes 🐞

• create or update secretproviderclasspodstatus post mount (#735, @aramase)
• Update base image for ltsc2022 (#770, @aramase)

Documentation 📘

• update RELEASE docs based on v0.3.0 experience (#718, @tam7t)
• fix typo in helm url (#720, @nilekhc)
• fix typo in chart url in charts dir (#721, @aramase)
• add detail about pprof and metrics endpoint (#731, @aramase)
• update design docs status (#737, @aramase)
• add providers support matrix (#724, @nilekhc)
• add supported kubernetes versions (#751, @aramase)
• additional release note updates based on v1.0.0-rc.1 (#776, @tam7t)
• update docs for v1.0.0 and CRD version upgrades (#781, @tam7t)

Helm 📈

• Support imagePullSecrets in Job/secrets-store-csi-driver-keep-crds (#778, @remm)

Maintenance 🔧

• rename references from master to main (#726, @aramase)
• add LICENSE to all files (#727, @aramase)
• remove deprecated --prometheus-port flag (#732, @aramase)
• update the initialDelaySeconds and timeoutSeconds for node-driver-registrar livenessprobe (#729, @aramase)
• use structured logging and update imports order (#736, @aramase)
• use kubectl.kubernetes.io/default-container annotation (#738, @aramase)
• update to debian-base:bullseye-v1.0.0 (#742, @aramase)

Testing 💚

• implement e2e provider (#682, @nilekhc)
• add workflow for e2e using staging images (#730, @nilekhc)
• adds support for inplace upgrade test (#741, @nilekhc)
• adds e2e test for vault rotation (#758, @tam7t)
• log the secrets-store API version (#764, @aramase)
• add k8s test matrix for staging e2e (#774, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v1.0.0-rc.1

Announcement 📢

• The SecretProviderClass and SecretProviderClassPodStatus CRDs are now v1!
• The helm charts have been moved to https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts. Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#upgrades for information on upgrading existing clusters.
• Note to Providers: Return files in gRPC responses to the driver is now the recommended approach. See #551
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory in v0.1.0. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0+ will result in an error.

Features 🌈

• Promoted CRDs to v1 (#760, @aramase)
• Add Windows Server 2022 (#757, @nick5616)

Bug Fixes 🐞

• Update base image for ltsc2022 (#770, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v1.0.0-rc.0

Announcement 📢

• The helm charts have been moved to https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts. Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#upgrades for information on upgrading existing clusters.
• Note to Providers: Return files in gRPC responses to the driver is now the recommended approach. See #551
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory in v0.1.0. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0+ will result in an error.

Bug Fixes 🐞

• create or update secretproviderclasspodstatus post mount (#735, @aramase)

Documentation 📘

• update RELEASE docs based on v0.3.0 experience (#718, @tam7t)
• fix typo in helm url (#720, @nilekhc)
• fix typo in chart url in charts dir (#721, @aramase)
• add detail about pprof and metrics endpoint (#731, @aramase)
• update design docs status (#737, @aramase)

Maintenance 🔧

• rename references from master to main (#726, @aramase)
• add LICENSE to all files (#727, @aramase)
• remove deprecated --prometheus-port flag (#732, @aramase)
• update the initialDelaySeconds and timeoutSeconds for node-driver-registrar livenessprobe (#729, @aramase)
• use structured logging and update imports order (#736, @aramase)
• use kubectl.kubernetes.io/default-container annotation (#738, @aramase)
• update to debian-base:bullseye-v1.0.0 (#742, @aramase)

Testing 💚

• implement e2e provider (#682, @nilekhc)
• add workflow for e2e using staging images (#730, @nilekhc)
• adds support for inplace upgrade test (#741, @nilekhc)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.3.0

Announcement 📢

• The helm charts have been moved to https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts. Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#upgrades for information on upgrading existing clusters.
• Note to Providers: Return files in gRPC responses to the driver is now the recommended approach. See #551
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory in v0.1.0. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0+ will result in an error.

Breaking Changes ⚠️

• --filtered-watch-secret cannot be disabled starting in v0.3.0. Refer to #550 for more info. If you're using nodePublishSecretRef in the volume, refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html on actions to take before upgrade.
• syncSecret.enabled has been set to false by default in v0.0.23. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set syncSecret.enabled=true as part of helm install/upgrade.
• Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#pre-v010 before upgrade from versions < v0.1.0

Bug Fixes 🐞

• remove constraints on secret type name (#703, @aramase)

Testing 💚

• extended windows first pod timeout to 300s (#698, @aramase)
• cleanup filteredWatchSecret=false from e2e tests (#708, @aramase)
• update kubectl to 1.22.1 (#713, @tam7t)
• add aws release test (#633, @tam7t)

Helm 📈

• allow annotations on upgrade jobs (#692, @thomasmRavn )
• publish helm charts using github workflow (#693, @aramase)
• update chart repo to https://kuberentes-sigs.github.io/secrets-store-csi-driver/charts (#695, @aramase)
• add pod security policy to upgrade hooks (#709, @nilekhc)

Maintenance 🔧

• update release documentation (#649, @tam7t)
• update node-driver-registrar to v2.3.0 (#691, @aramase)
• update opentelemetry to v0.20.0 (#701, @aramase)
• refactor: remove csi-common package and update driver (#702, @aramase)
• update build to go 1.17 (#710, #711, @aramase)
• update livenessprobe to v2.4.0 (#712, @aramase)
• upgrade build runner to N1_HIGHCPU_8 (#714, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver