Improvements:
- Added a helm test for vault server GH-531
- Added server.enterpriseLicense option GH-547
- Added OpenShift overrides GH-549
Bugs:
- Fix ui.serviceNodePort schema GH-537
- Fix server.ha.disruptionBudget.maxUnavailable schema GH-535
- Added webhook-certs volume mount to sidecar injector GH-545
Features:
- Pass additional arguments to
vault-csi-provider
usingcsi.extraArgs
GH-526
Improvements:
- Set chart kubeVersion and added chart-verifier tests GH-510
- Added values json schema GH-513
- Ability to set tolerations for CSI daemonset pods GH-521
- UI target port is now configurable GH-437
Bugs:
- CSI:
global.imagePullSecrets
are now also used for CSI daemonset GH-519
Features:
- Added
server.enabled
to explicitly skip installing a Vault server GH-486 - Injector now supports enabling host network GH-471
- Injector port is now configurable GH-489
- Injector Vault Agent resource defaults are now configurable GH-493
- Extra paths can now be added to the Vault ingress service GH-460
- Log level and format can now be set directly using
server.logFormat
andserver.logLevel
GH-488
Improvements:
- Added
https
name to injector service port GH-495
Bugs:
- CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name GH-486
Features:
- Add support for Vault CSI provider GH-461
Improvements:
objectSelector
can now be set on the mutating admission webhook GH-456
Bugs:
- Injector: fix labels for default anti-affinity rule GH-441, GH-442
- Set VAULT_DEV_LISTEN_ADDRESS in dev mode GH-446
Features:
- Injector now supports configurable number of replicas GH-436
- Injector now supports auto TLS for multiple replicas using leader elections GH-436
Improvements:
- Dev mode now supports
server.extraArgs
GH-421 - Dev mode root token is now configurable with
server.dev.devRootToken
GH-415 - ClusterRoleBinding updated to
v1
GH-395 - MutatingWebhook updated to
v1
GH-408 - Injector service now supports
injector.service.annotations
425 - Injector now supports
injector.extraLabels
428 - Added
allowPrivilegeEscalation: false
to Vault and Injector containers 429 - Network Policy now supports
server.networkPolicy.egress
389
Improvements:
- Make server NetworkPolicy independent of OpenShift GH-381
- Added configurables for all probe values GH-387
- MountPath for audit and data storage is now configurable GH-393
- Annotations can now be added to the Injector pods GH-394
- The injector can now be configured with a failurePolicy GH-400
- Added additional environment variables for rendering within Vault config GH-398
- Service account for Vault K8s auth is automatically created when
injector.externalVaultAddr
is set GH-392
Bugs:
- Fixed install output using Helm V2 command GH-378
Features:
- Added
volumes
andvolumeMounts
for mounting any type of volume GH-314. - Added configurable to enable prometheus telemetery exporter for Vault Agent Injector GH-372
Improvements:
- Added
defaultMode
configurable toextraVolumes
GH-321 - Option to install and use PodSecurityPolicy's for vault server and injector GH-177
VAULT_API_ADDR
is now configurable GH-290- Removed deprecated tolerate unready endpoint annotations GH-363
- Add an option to set annotations on the StatefulSet GH-199
- Make the vault server serviceAccount name a configuration option GH-367
- Removed annotation striction from
dev
mode GH-371 - Add an option to set annotations on PVCs GH-364
- Added service configurables for UI GH-285
Bugs:
- Fix python dependency in test image GH-337
- Fix caBundle not being quoted causing validation issues with Helm 3 GH-352
- Fix injector network policy being rendered when injector is not enabled GH-358
Features:
- Added
extraInitContainers
to define init containers for the Vault cluster GH-258 - Added
postStart
lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready GH-315 - Beta: Added OpenShift support GH-319
Improvements:
- Server configs can now be defined in YAML. Multi-line string configs are still compatible GH-213
- Removed IPC_LOCK privileges since swap is disabled on containers [GH-198]
- Use port names that map to vault.scheme [GH-223]
- Allow both yaml and multi-line string annotations [GH-272]
- Added configurable to set the Raft node name to hostname [GH-269]
- Support setting priorityClassName on pods [GH-282]
- Added support for ingress apiVersion
networking.k8s.io/v1beta1
[GH-310] - Added configurable to change service type for the HA active service GH-317
Bugs:
- Fixed default ingress path [GH-224]
- Fixed annotations for HA standby/active services [GH-268]
- Updated some value defaults to match their use in templates [GH-309]
- Use active service on ingress when ha [GH-270]
- Fixed bug where pull secrets weren't being used for injector image GH-298
Features:
-
Added Raft support for HA mode [GH-228]
-
Now supports Vault Enterprise [GH-250]
-
Added K8s Service Registration for HA modes [GH-250]
-
Option to set
AGENT_INJECT_VAULT_AUTH_PATH
for the injector [GH-185] -
Added environment variables for logging and revocation on Vault Agent Injector [GH-219]
-
Option to set environment variables for the injector deployment [GH-232]
-
Added affinity, tolerations, and nodeSelector options for the injector deployment [GH-234]
-
Made all annotations multi-line strings [GH-227]
Improvements:
- Allow process namespace sharing between Vault and sidecar containers [GH-174]
- Added configurable to change updateStrategy [GH-172]
- Added sleep in the preStop lifecycle step [GH-188]
- Updated chart and tests to Helm 3 [GH-195]
- Adds Values.injector.externalVaultAddr to use the injector with an external vault [GH-207]
Bugs:
- Fix bug where Vault lifecycle was appended after extra containers. [GH-179]
Security:
- Added
server.extraArgs
to allow loading of additional Vault configurations containing sensitive settings GH-175
Bugs:
- Fixed injection bug where wrong environment variables were being used for manually mounted TLS files
Bugs:
- Fixed injection bug where TLS Skip Verify was true by default [VK8S-35]
Bugs:
- Fixed injection bug causing kube-system pods to be rejected [VK8S-14]
Features:
- Extra containers can now be added to the Vault pods
- Added configurability of pod probes
- Added Vault Agent Injector
Improvements:
- Moved
global.image
toserver.image
- Changed UI service template to route pods that aren't ready via
publishNotReadyAddresses: true
- Added better HTTP/HTTPS scheme support to http probes
- Added configurable node port for Vault service
server.authDelegator
is now enabled by default
Bugs:
- Fixed upgrade bug by removing chart label which contained the version
- Fixed typo on
serviceAccount
(wasserviceaccount
) - Fixed readiness/liveliness HTTP probe default to accept standbys
Bugs:
- Removed
readOnlyRootFilesystem
causing issues when validating deployments
Features:
- Added load balancer support
- Added ingress support
- Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc)
- Removed root requirements, now runs as Vault user
Improvements:
- Added namespace value to all rendered objects
- Made ports configurable in services
- Added the ability to add custom annotations to services
- Added docker image for running bats test in CircleCI
- Removed restrictions around
dev
mode such as annotations readOnlyRootFilesystem
is now configurable- Image Pull Policy is now configurable
Bugs:
- Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption)
- Fixed bug where audit storage was not being mounted in HA mode
- Fixed bug where Vault pod wasn't receiving SIGTERM signals
Features:
- Added
extraSecretEnvironmentVars
to allow users to mount secrets as environment variables - Added
tlsDisable
configurable to change HTTP protocols from HTTP/HTTPS depending on the value - Added
serviceNodePort
to configure a NodePort value when settingserviceType
to "NodePort"
Improvements:
- Changed UI port to 8200 for better HTTP protocol support
- Added
path
toextraVolumes
to define where the volume should be mounted. Defaults to/vault/userconfig
- Upgraded Vault to 1.2.2
Bugs:
- Fixed bug where upgrade would fail because immutable labels were being changed (Helm Version label)
- Fixed bug where UI service used wrong selector after updating helm labels
- Added
VAULT_API_ADDR
env to Vault pod to fixed bug where Vault thinks Consul is the active node - Removed
step-down
preStop since it requires authentication. Shutdown signal sent by Kube acts similar tostep-down
Features:
- Added
authDelegator
Cluster Role Binding to Vault service account for bootstrapping Kube auth method
Improvements:
- Added
server.service.clusterIP
tovalues.yml
so users can toggle the Vault service to headless by using the valueNone
. - Upgraded Vault to 1.2.1
Initial release