v0.2.0

Announcement 📢

• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to #550 for more info.
• Note to Providers: Return files in gRPC responses to the driver is now the recommended approach. See #551
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory in v0.1.0. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0+ will result in an error.

Breaking Changes ⚠️

• syncSecret.enabled has been set to false by default in v0.0.23. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set syncSecret.enabled=true as part of helm install/upgrade.
• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to #550 for more info. If you're using nodePublishSecretRef in the volume, refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html on actions to take before upgrade.
• Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#pre-v010 before upgrade from versions < v0.1.0

Documentation 📘

• add details on v0.1.0 upgrades (#650, @tam7t)
• Update Membership.md with more roles/details (#607, @karenhchu)
• update load test doc for filtered watch secret (#667, @aramase)

Testing 💚

• use kubectl exec instead of cp (#664, @aramase)
• gcp tests: explicit specify namespace (#664, @tam7t)
• adds make target for deploy manifest (#669, @nilekhc)

Helm 📈

• add option to configure fullnameOverride (#671, @aramase)
• Add pre-install to upgrade hook so existing CRDs on helm install can be upgraded (#679, @ritazh)
• use same toleration and nodeselector for crd-hook jobs (#683, @uncycler)

Maintenance 🔧

• update golangci-lint (#635, @tam7t)
• Add metrics port definition to DS (#614, @NissesSenap)
• Migrate from deprecated io/ioutil package to using os package (#673, @katyamag)
• update debian base to buster-v1.9.0 (#681, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.1.0

Announcement 📢

• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to #550 for more info.
• Note to Providers: Return files in gRPC responses to the driver is now the recommended approach. See #551
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0 will result in an error.

Breaking Changes ⚠️

• syncSecret.enabled has been set to false by default. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set syncSecret.enabled=true as part of helm install/upgrade.
• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to #550 for more info. If you're using nodePublishSecretRef in the volume, refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html on actions to take before upgrade.
• Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#pre-v010 before upgrade

Features 🌈

• set filtered-watch-secret to true by default for nodePublishSecretRef (#594, @aramase)
• use DynamicRESTMapper for manager (#608, @aramase)
• add possibility to annotate the created secret with CSI driver (#612, @tetianakravchenko)
• Initial implementation of token request (#471, @micahhausler)

Bug Fixes 🐞

• fix Windows nodes compatibility issues in pod definition (#625, @georgechang)
• fix CVE-2021-33910 (#645, @aramase)

Documentation 📘

• Debugging (#556, @nilekhc)
• Release management (#555, @nilekhc)
• update master to main release (#616, @ikarldasan)
• link and mention optional features (#627, @tam7t)
• use testgrid for readme test status (#631, @tam7t)
• adds note about crd upgrade (#642, @nilekhc)

Testing 💚

• add e2e for filtered-watch-secret=false (#596, @aramase)
• add kubernetes.io/os nodeselector for azure tests (#626, @aramase)
• use kubectl wait to check if pods ready (#628, @aramase)
• implements e2e upgrade test (#602, @nilekhc)
• ensure pod deletion is successful (#599, @tam7t)
• include more debug info in artifacts (#632, @tam7t)
• get logs for sidecar containers (#638, @aramase)
• gcp use workload id instead of node publish (#641, @tam7t)
• add driver-crd image to e2e-helm-upgrade target (#657, @aramase)

Helm 📈

• ❗ Move crds to crds dir for helm3 and installCRDs flag for supporting helm3 ( #289, @Evalle)
• move default annotations out of conditional (#629, @aramase)
• Crd upgrade via helm hooks (#623, @nilekhc)
• add keep-crd upgrade hook (#656, @aramase)

Maintenance 🔧

• upgrades controller-runtime to v0.9.0 (#593, @nilekhc)
• update to debian-base v1.7.2 and update packages to fix CVEs (#603, @aramase)
• add warning message for sync secret forbidden error (#606, @aramase)
• update debian base to buster-v1.8.0 (#609, @aramase)
• removes local cache used for rotation (#598, @nilekhc)
• revert changes from deploy and add to manifest_staging (#630, @aramase)
• switch to using distroless base image for driver-crds (#643, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.23

Announcement 📢

• --filtered-watch-secret will be enabled by default in v0.1.0 release. Refer to #550 for more info.
• Note to Providers: Prepare to return files in gRPC responses as this will become the recommended approach in the next release. See #551

Breaking Changes ⚠️

• syncSecret.enabled has been set to false by default. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set syncSecret.enabled=true as part of helm install/upgrade.

Features 🌈

• add arm64 build (#575, @aramase)
• add rbac role and binding for rotation (#586, @aramase)

Bug Fixes 🐞

• CVE-2021-3520 (#562, @aramase)

Documentation 📘

• set-as-env-var pod indent (#553, @dawncold)
• add membership criteria and getting involved section (#563, @aramase)
• fix the default volume path for providers (#574, @katyamag)
• Add AWS Provider (#517, @nlamirault)
• add aws provider ref in install provider (#584, @aramase)

Testing 💚

• enable shellcheck and fix errors (#557, @aramase)
• Add test coverage report into Makefile for unit test (#537, @hixichen)
• add aws integration tests (#533, @lasred)
• Add uuid to AWS secret and parameter names (#569, @lasred)

Helm 📈

• provide ability to add volume and volumeMounts (#539, @hixichen)
• add image pull secrets (#554, @mehmetsalgar)
• default syncSecret.enable to false (#510, @ritazh)

Maintenance 🔧

• add psp snippet to manifests target (#560, @aramase)
• add tam7t as approver (#564, @aramase)
• update to debian-base v1.7.0 (#565, @aramase)
• remove deprecated --grpc-supported-providers and --debug flag (#566, @aramase)
• Add golang version validate at Makefile (#538, @hixichen)
• Added GOPROXY propagation to container builds (#571, @micahhausler)
• Replace golang.org/x/net/context with context (#577, @hixichen)
• generate log if grpc message size larger than max (#581, @aramase)
• list builder instances in image build (#583, @aramase)
• enable qemu for multi-arch (#586, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.22

Announcement 📢

• syncSecret.enabled will be set to false by default in the next release v0.0.23. Refer to #268 for more info.
• --filtered-watch-secret will be enabled by default in v0.1.0 release. Refer to #550 for more info.
• Note to Providers: Prepare to return files in gRPC responses as this will become the recommended approach in a future release. See #551

Features 🌈

• add optional healthcheck for provider plugins (#508, @aramase)
• allow maxCallRecvMsgSize to be increased for large secret mounts (#512, @tam7t)
• vendor atomic_writer and use it to write files returned by grpc (#520, @tam7t)

Bug Fixes 🐞

• GetMountedFiles() returns map that key includes sub directory (#516, @mitsutaka)
• windows targetpath cleanup as part of node unpublish (#545, @aramase)

Documentation 📘

• fix indentation in load tests (#504, @aramase)
• add test scenarios currently supported (#509, @aramase)
• install to kube-system & best-practices (#505, @tam7t)

Testing 💚

• include nested path in secret sync and update vault suite (#532, @aramase)

Helm 📈

• Added Pod Security Policy to the chart (#478, @pierluigilenoci)
• node affinity now prevents CSI driver from being scheduled on a node with a label 'type=virtual-kublet' (#513, @manedurphy)

Maintenance 🔧

• updates CSIDriver api ver to storage.k8s.io/v1 (#518, @nilekhc)
• update to using k8s.io/mount-utils (#524, @aramase)
• remove windows file deletion on unmount (#526, @tam7t)
• update sidecar images and set imagePullPolicy to IfNotPresent (#519, @aramase)
• update release docs and makefile targets (#543, @aramase)
• Bump versions for v0.0.22 (#544, @tam7t)
• make manifests dependencies (#547, @tam7t)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.21

Features 🌈

• add helpers and tools to install proto utilities (#461, @tam7t)
• optimization based on load test (#458, @aramase)
  • add filtered watch for reconcile
  • switch to using versioned clients for rotation
  • enable filtered secret watch with feature flag
  • create separate cache for nodepublishsecretref in rotation
  • ❗ Refer to Load tests for more details and actions to take.
• connect to plugins at runtime instead of configuration (#462, @tam7t)
• allow providers to have the driver write files (#481, @tam7t)

Bug Fixes 🐞

• CVE-2021-24032 (#470, @aramase)
• prevent duplicate owner references (#493, @aramase)
• grpc naming is not compatible with windows unix socket (#490, @tam7t)

Documentation 📘

• update ingress sample url for azure provider (#452, @aramase)
• fix urls in providers doc (#466, @aramase)
• add design docs url and remove old docs (#468, @aramase)
• Fix broken doc link for website (#465, @hixichen)
• use multi-os image for examples and update urls (#494, @aramase)
• add load test spec and results (#497, @aramase)

Testing 💚

• add e2e for filtered watch secret (#479, @aramase)
• update vault e2e to use versioned deployment (#484, @aramase)
• add make target for installing chart releases (#487, @aramase)
• add helm deploy target for windows tests (#491, @aramase)
• update tests to use multi-os image (#480, @aramase)

Maintenance 🔧

• update to go 1.16 (#467, @aramase)
• upgrade to controller-runtime v0.8.2 (#473, @aramase)
• remove v1.15 yamls and update doc (#486, @aramase)
• update servercore reference to windows-servercore-cache (#488, @aramase)
• update debian base to buster-v1.5.0 (#496, @aramase)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.20

Features 🌈

• enable 2004 builds for windows images (#439)
• set secrets-store default container for log (#451)

Bug Fixes 🐞

• set rsa key type for pkcs1 key (#448)

Documentation 📘

• Update mdbook to 0.4.5 to fix CVE-2020-26297 (#436)
• update docs site (#399)
• update readme to reference docs site (#445)

Testing 💚

• Update e2e tests for gRPC Vault provider release (#431)
• add image scan as part of CI (#441)

Helm 📈

• Helm value for setting pod annotations (#440)
• add podLabels parameter (#444)
• add log verbosity for node-driver-registrar (#449)

Maintenance 🔧

• update debian-base image to buster-v1.3.0 (#428)
• add vault provider to grpc supported providers (#434)
• remove host network (#437)
• remove deprecated logic of invoking provider binary (#433)
• update klog to v2.5.0 (#449)
• increase cloudbuild timeout to 1h (#456)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.19

Warning ⚠️

• With this release of the driver, the liveness-probe sidecar container image has been updated to v2.2.0. This version of the liveness-probe contains a fix for memory leak issues that were observed in previous versions. Update to the latest driver using helm or manifests to get the latest liveness-probe image.

Features 🌈

• use common port for all metrics (#421)

Bug Fixes 🐞

• CVE-2020-27350, CVE-2020-29362 (#422)

Helm 📈

• add support to set annotations (#412)
• add providersDir (#409)

Maintenance 🔧

• add azure provider to grpc supported providers (#417)
• update PR template for chart updates (#419)
• update node-driver-registrar and liveness-probe images (#424) ❗

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.18

Features 🌈

• best-effort cleanup socket (#387)
• create target path in node publish (#383)
  • ❗ This is required for Kubernetes version v1.20+. Older version of driver will not work with v1.20+
• Build and reuse provider grpc clients across mounts and reconciliation (#394)
• add pprof profiling (#396)
• csidriver object api version v1 (#402)

Bug Fixes 🐞

• skip pods in succeeded or failed phase (#388)
• set key type to rsa or ec (#393)
• windows image build with buildx (#404)

Documentation 📘

• add netlify book configuration (#360)
• add mailing list url to readme (#381)
• update doc link for azure tls sample (#391)
• update install doc for crds to check (#400)

Testing 💚

• Fix vault bats tests for v0.0.6 of the provider (#380)

Maintenance 🔧

• add tam7t as reviewer (#397)
• deploy: set namespace as kube-system (#386)

Driver images are hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.17

Warning ⚠️

• CVE-2020-8568 (Medium): Secrets sync/rotate directory traversal. See #378 for more details.

Features 🌈

• update deps and switch to klog (#365)

Bug Fixes 🐞

• validate SPCPS targetPaths match Pod UIDs (#371)
• handle pod termination during reconcile (#373)

Documentation 📘

• add link to GCP provider (#348)
• update demo in the readme (#363)

Testing 💚

• gcp integration tests (#340)
• add gosec linter and fix warnings (#352)
• make tests more deterministic and retries (#359)

Helm 📈

• Add priorityClassName to daemonsets (#337)
• Allow the 'updateStrategy' of the Daemonset to be configured in Helm (#362)

Maintenance 🔧

• add gcp as grpcSupportedProviders by default (#351)
• Switch to using official images for containers (#358)
• remove lifecycle prestop hook command (#366)
• Update otel to 0.13.0 (#374)
• Driver images are now hosted in GCR at k8s.gcr.io/csi-secrets-store/driver

v0.0.16

Warning ⚠️

• The SecretProviderClass needs to be in the same namespace as the pod referencing it as of v0.0.12.
• Defining driver configuration and provider-specific parameters to the CSI driver in pod.Spec[].Volumes has been deprecated in v0.0.12. It is now mandatory to use SecretProviderClass custom resource.

Bug Fixes 🐞

• marshal secrets for non node publish secret ref (#339)