All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
8.2.2 (2021-07-12)
8.2.1 (2021-07-02)
- update transitive dependencies to resolve CVE-2020-28469, CVE-2021-33502 (fcd353f)
8.2.0 (2021-07-02)
- chart: add securityContext settings for pod container (#780) (28ce1a8)
- Upsert secrets only when needed (#782) (48db901)
8.1.3 (2021-06-14)
8.1.2 (2021-06-05)
- deps: CVE-2021-32640, CVE-2021-23364, update transitive dependencies to address ReDOS vulnerabilities (78f7b2e)
8.1.1 (2021-06-03)
- verify CRD is available on startup (182e224)
8.1.0 (2021-06-03)
8.0.2 (2021-06-03)
- crd: remove unnecessary empty properties in oneOf validation (#758) (fa54f54), closes #753
- watcher: ensure that the restart timer is always started regardless of whether there are events or not (#765) (1de5432)
8.0.1 (2021-05-13)
8.0.0 (2021-05-12)
- Drops support for kubernetes versions <1.16. This shouldn't be a breaking change if you have followed earlier deprecation's (like using
spec
instead ofsecretDescriptor
. The updated CRD complies with the new structural validation and should validate all fields, any fields missing in the validation will be dropped from your ExternalSecret resource.
7.2.1 (2021-04-26)
- correctly pass instanceId to daemon so scoping with controllerId works (#719) (82f54e2)
- update dependency jose (#713) (e47dee0)
7.2.0 (2021-04-14)
- chart: add envVarsFromConfigMap and envFrom support for more options to configure the Helm deployment (#706) (14900e5)
7.1.0 (2021-04-14)
- multitenancy: scope KES access using ExternalSecret
spec.controllerId
andINSTANCE_ID
env (#701) (af50ca6)
7.0.1 (2021-04-08)
- chart: add prerelease suffix ('>=1.17.0-0') to all semverCompare checks in rbac template (#699) (87d6037)
- chart: bump Helm chart API version (#698) (ce27e88)
7.0.0 (2021-04-06)
- require .spec field in CRD validation (#682)
- drop helm v2 and builtin CRD management (#663)
- rename time field to avoid duplicate time key in log output
- add arm v7 as docker multi arch target (#679) (7c7cca8)
- add container scan (#658) (82ff43e)
- add support for IBM Cloud Secrets Manager backend (#656) (8ff9490)
- automated docker image build with multi arch (amd64 + arm64) (#665) (4846313)
- drop helm v2 and builtin CRD management (#663) (87a3ecb)
- add a accurate log message when AWS region is not defined in the Systems manager manifest (#648) (448305a)
- remove instructions to push docker image when cutting release (472ad25)
- rename time field to avoid duplicate time key in log output (faf2093)
- require .spec field in CRD validation (#682) (e43a6b8)
- update transitive deps (#667) (7852dd6)
- update transitive netmask dependency to resolve CVE-2021-28918 (#693) (483fb90)
- use getObjectStream to address deprecation warning in kubernetes-client (#664) (3ee939a)
- watch without namespace path if watching all namespaces (#673) (fa070ef)
- deps: drop individual 'lodash.*' packages in favor of lodash package (#661) (cfe3366)
- helm: add patch version to semverCompare (#637) (9394316)
- secretsManager: remove 'undefined' log message when AWS region is not defined in the ExternalSecret manifest (#641) (3409c66)
6.4.0 (2021-02-25)
6.3.0 (2021-02-10)
- aws: allow custom endpoints for aws services (#602) (03f5c65)
- aws-ssm: Add support to get parameters by path (#603) (74d4459)
- core: adds support for nested key lookups (eg
key: a.b.c
to get nested value in json secret) (#592) (190e6db) - helm: add in ability to inject init containers in to deployment from values (#615) (21acce1)
- helm: add pdb in helm chart (#616) (3be641f)
6.2.0 (2021-01-21)
- multitenancy: Allow to watch ExternalSecrets in specific namespaces (#548) (85739fd)
- Add HTTP Proxy support to AWS SDK (#601) (c9d7785)
6.1.0 (2020-12-22)
- add general support for isBinary for all backends (#585) (e138a28)
- restart watcher if no events seen for specified period (default 60 sec) (#532) (bb1ed9e)
- helm: add the ability to set the priorityClassName (#534) (e719c87)
- metrics: add metrics names following Prometheus best practices, deprecating old metrics names! (#540) (5b5a00f)
- values: imagePullSecrets was wrongly indented under image (#577) (7861473), closes #522
- configure nestedKey in logger to avoid invalid json (#568) (a430320)
- deps: bumping @grpc/grpc-js to 1.1.8 (#550) (4e88026)
- deps: bumping lodash from 4.17.19 to 4.17.20 (#545) (6c9d60d)
6.0.0 (2020-10-09)
- azure: Unwraps the value returned from Azure Key vault (migration: "property: value" -> remove property selector) (#460)
- aws: add region support to ssm and sm (#475) (0b35441)
- aws: add support for setting an intermediate iam role (#454) (72920e4)
- Cluster level default settings for Hashicorp Vault (#472) (5215090)
- azure: Unwraps the value returned from Azure Key vault (migration: "property: value" -> remove property selector) (#460) (36d5bbb)
- deps: update dependency @google-cloud/secret-manager to v3 (#345) (2bf42db)
- helm: apply namespace to Deployment and Service (#471) (ba38e3a)
- vault: Cache Vault clients/tokens on a per-role&mountpoint basis. (#488) (ab36718)
- vault: handle token renewal failures (#497) (c3c27bc)
- e2e tests to work with kind 0.9.0 + bump k8s version used (#498) (f815afd)
- provide a meaningful error message when an SSM parameter is missing (#483) (99ce81e)
5.2.0 (2020-08-18)
- vault: token ttl conditional renew (#457) (a52987b)
- reverts assumeRole to use pod role instead of web identity (#453) (fa747dc)
5.1.0 (2020-07-27)
- config: extract LOG_MESSAGE_KEY properly (#456) (a50c219)
- pino: messageKey option as root constructor property (#455) (22208b0)
5.0.0 (2020-07-24)
NOTE There was no breaking changes in this release, just a release script mishap bumping the major.
- chart:: add dns config options
- logging: add config to allow switching level format to human-readable log levels (#429) (4602ad0)
- secretsManager: add support for versionId in AWS Secrets Manager (#436) (95827bc)
- upgrade the Azure Identity SDK and Azure KeyVault secret SDK to support AKS pod identity for authorization (#447) (020c10b)
4.2.0 (2020-07-12)
4.1.0 (2020-07-09)
- add e2e test for naming conventions enforcement (#412) (bfb5ed2)
- allow permitted-key-name to be provided as list (#409) (10e3991)
- Vault namespace support (#403) (6bd9570)
- pass in the Web Identity token to assumeRoleWithWebIdentity (#417) (23d511f)
- use assumeRoleWithWebIdentity when using IRSA (#416) (117b926)
- vault: fix requestOptions for vault namespace support (#410) (e80d83d)
4.0.0 (2020-06-02)
- Changes the values return type from GCP secret manager
Previously secret value was wrapped in an object
{ "value": <secret> }
while now<secret>
will be returned directly so KES features can be properly used GOOGLE_APPLICATION_CREDENTIALS: /app/gcp-creds/gcp-creds.json
is no longer set by default as it causes conflicts with other configurations.
- add support for Alibaba Cloud KMS Secret Manager (#355) (cceb40b)
- Chart optionally installs CRD / CR Manager configurable for more strict clusters (#344) (131e201)
- vault: follow all redirects to support vault HA (#394) (a05aa92)
- don't set GOOGLE_APPLICATION_CREDENTIALS by default and update README for Google Secret Manager (#371) (e9db0f8)
- Handle JSON in GCP Secrets Manager (#373) (4273598)
3.3.0 (2020-05-01)
- add last_state metric (#357) (1d9d237)
- enable use of AWS STS regional endpoints (#348) (9a46773)
- improve out-of-the-box compatibility with clusters running locked down PodSecurityPolicy enabling runAsNonRoot by default (#361) (27ba7e1)
- support isBinary for GCP (#353) (de20a1b), closes #352
- deps: update dependency kubernetes-client to v9 (#367) (f06bd59)
- deps: update dependency pino to v6 (#322) (3664540)
- deps: update dependency prom-client to v12 (#323) (504ed6c)
3.2.0 (2020-03-27)
- azure-registry: handle binary files (#311) (9727d48)
- stringify json object based secrets (#247) (828d0ce)
- upgrade aws-sdk from 2.575.0 to 2.628.0 (#305) (149e33a)
- upgrade pino from 5.13.6 to 5.16.0 (#306) (be74814)
- verify dataFrom property in naming convention verification (#292) (f26bf2b)
3.1.0 (2020-02-06)
3.0.0 (2020-01-09)
- release: use same version for app and chart release (#242) (2000864)
- allow enforcing naming conventions for key names, limiting which keys can be fetched from backends (#230) (c4fdea6), closes #178 #178 #178
- default service account annotation value (#252) (b163a69)
- remove required top level key from vault backend validation (#255) (e567117)
2.2.1 (2019-12-06)
- do not skew binary data (#244) (01e0ca2)
- chart: remove one of the duplicate securityContext (#222) (2b54f34)
- bump pino and sub dependency flatstr, fixes #218 (#219) (db3491b)
- kv-backend: Add empty keyOptions for dataFrom case. (#221) (8e838ee)
2.2.0 (2019-11-14)
- implement basic e2e tests (#207) (dfa210b)
- chart: support mounting existing secrets as files (#213) (ac9b9e2)
- secrets-manager: Added support for secrets versioning in Secrets Manager using version stage labels (#181) (9d6c2f9)
- add validation to CRD (#208) (d2ebaeb)
- allow disabling of interval polling (#211) (9441216)
- script: remove external-secrets.yml patching from release.sh (#216) (9d871cd)
- add dataFrom support to vault backend (refactor kv-backend) (#206) (24421b9)
- status update conflicts should not cause crash, fixes #199 (#215) (e6171c8)
- Stringify JSON response for compatibility with KV backend (#214) (5527530)
2.1.0 (2019-11-08)
- vault: Support for Hashicorp Vault (#198) (d61312c)
- add status subresource with last sync and generation tracking (#133) (8db1749)
- add support for dataFrom & fix: encoding of non-string values (#196) (90f01c5)
- allow setting additional markup on generated secret resource using template (#192) (25e2f74)
- make role-scope annotation configurable & fix: allow missing roleArn even if annotations are set (#179) (8c17819), closes #174 #174
- support Secret Binary from AWS Secrets Manager (#197) (731edb1)
- Update aws-sdk to enable IRSA (AWS IAM Roles for ServiceAccounts) support, add securityContext to helm chart (#200) (165662c)
- use spec in external secret resource, keeping secretDescriptor for backwards compat (#204) (a2a9dff)
- add missing rbac rules to external-secrets.yml (#195) (b6d8229)
- script: fix release scripts (#186) (238ebd6)
- RBAC config to access namespaces (#177) (9605756)
1.6.0 (2019-10-23)
1.5.0 (2019-09-27)
1.4.0 (2019-09-27)
- daemon: Upsert secrets immediately poller added (a986dfb)
1.3.1 (2019-07-18)
- secret: fix SSM parameter store code (e5e635f)
1.3.0 (2019-06-22)
1.2.3 (2019-06-06)
1.2.2 (2019-06-03)
1.2.1 (2019-05-20)
- config: remove default aws region (#54) (4584a09)
- package: update kubernetes-client to version 7.0.0 (#49) (eeb7acf)
1.2.0 (2019-04-09)
1.1.0 (2019-03-14)
- cicd: add .travis.yml file (#9) (fbe52b3)
- deploy: move deploy resources into single file (#5) (a264f2c)
- examples: add hello-service example (#6) (af5b1d2)
- json: support JSON objects in AWS Secret Manager (#13) (cd7130f)
- project: add nodemon for development (#7) (ec25cbd)
- backends: fix secretsManager backend name (#27) (d494edf)
- deploy: fix deployment file (#4) (bcb1ad1)
- dockerfile: remove broken commands (#3) (7901f90)
- rbac: adjust the poller upsert code so it doesn't need
get
(#22) (5cffe97) - typo: fix typo in external secrets name (#8) (e26f75c)
- updating: use PUT not PATCH when updating an existing Secret (#20) (856d8e0)