v1.1.0

v1.1.0 - 2022-03-02

Changelog

Bug Fixes 🐞

• 0711e98 fix: updates conformance image tag (#792)
• 99de388 fix: Add missing fullnameOverride to helm chart (#760)
• a207c91 fix: uses provisioningState to verify ext install (#694)

Code Refactoring 💎

• 9492015 refactor: use secret file for object versions (#761)

Continuous Integration 💜

• 17b7d60 ci: add goreleaser workflow for release (#788)
• cdfff93 ci: remove aks-engine cluster in test matrix (#779)
• 4f79862 ci: fix shellcheck file paths (#786)
• c407a87 ci: add workflow for publishing helm charts (#785)
• d2be2cf ci: enable shellcheck (#783)
• f9f810f ci: add dependabot config (#762)
• 7e3bd77 revert "ci: add markdown-link-check workflow (#715)" (#717)
• e4e3d61 ci: add markdown-link-check workflow (#715)
• 1f2bba7 ci: add semantic.yml (#686)

Documentation 📘

• 9e8b08b docs: Fix documentation links in readme.md (#791)
• cf1f49b docs: update chart repo to https://azure.github.io/secrets-store-csi-driver-provider-azure/charts (#784)
• 8fd5a43 docs: add keyvault artificats setup for testing (#772)
• 774f814 docs: update features (#710)
• e34837b docs: fix broken link in getting-started/usage page (#692)
• adb7285 docs: update api version to v1 and add upgrade guide (#681)

Features 🌈

• 07b6ace feat: add workload identity (#778)
• c06bc12 feat: add configuration for file permission (#751)
• b458c5c feat: implements outbound proxy support for arc extension (#695)

Maintenance 🔧

• ce4bf34 chore: upgrade to driver v1.1.0 (#805)
• 655f807 chore: update website deploy workflow (#780)
• e78f732 chore: update driver, kubernetes deps (#776)
• a40f897 chore: update adal deps to v0.9.18 (#741)
• a83b295 chore: remove deprecated --driver-write-secrets flag (#709)
• 31f6bdd chore: use kubernetes 1.22.2 for test and update makefile (#702)

Security Fix 🛡️

• 6fd96c3 security: bump stefanprodan/helm-gh-pages from 1.4.1 to 1.5.0 (#803)
• 05920f3 security: bump actions/setup-go from 2.1.5 to 2.2.0 (#797)
• c572369 security: bump actions/setup-go from 2.1.4 to 2.1.5 (#763)
• 6947a9f security: bump actions/checkout from 2 to 2.4.0 (#764)
• 9d47ead security: bump autoprefixer from 9.8.6 to 9.8.8 in /website (#765)
• bff5120 security: fix CVE-2021-43784 (#733)
• 8a3834b security: bump kubernetes version to v1.22.3 (#701)

Testing 💚

• d0be43d test: enable workload identity test with deploy manifests (#806)
• 132553e test: fix upgrade tests (#800)
• 5003b56 test: add kubernetes v1.23.0 kind cluster (#737)
• b35ae5f test: bump kubernetes version to v1.22.4 and remove v1.19 (#729)
• e37a205 test: implements arc e2e tests for AKS (#703)

v1.1.0-rc.0

v1.1.0-rc.0 - 2022-02-24

Changelog

Bug Fixes 🐞

• 0711e98 fix: updates conformance image tag (#792)
• 99de388 fix: Add missing fullnameOverride to helm chart (#760)
• a207c91 fix: uses provisioningState to verify ext install (#694)

Code Refactoring 💎

• 9492015 refactor: use secret file for object versions (#761)

Continuous Integration 💜

• 17b7d60 ci: add goreleaser workflow for release (#788)
• cdfff93 ci: remove aks-engine cluster in test matrix (#779)
• 4f79862 ci: fix shellcheck file paths (#786)
• c407a87 ci: add workflow for publishing helm charts (#785)
• d2be2cf ci: enable shellcheck (#783)
• f9f810f ci: add dependabot config (#762)
• 7e3bd77 revert "ci: add markdown-link-check workflow (#715)" (#717)
• e4e3d61 ci: add markdown-link-check workflow (#715)
• 1f2bba7 ci: add semantic.yml (#686)

Documentation 📘

• 9e8b08b docs: Fix documentation links in readme.md (#791)
• cf1f49b docs: update chart repo to https://azure.github.io/secrets-store-csi-driver-provider-azure/charts (#784)
• 8fd5a43 docs: add keyvault artificats setup for testing (#772)
• 774f814 docs: update features (#710)
• e34837b docs: fix broken link in getting-started/usage page (#692)
• adb7285 docs: update api version to v1 and add upgrade guide (#681)

Features 🌈

• 07b6ace feat: add workload identity (#778)
• c06bc12 feat: add configuration for file permission (#751)
• b458c5c feat: implements outbound proxy support for arc extension (#695)

Maintenance 🔧

• ce4bf34 chore: upgrade to driver v1.1.0 (#805)
• 655f807 chore: update website deploy workflow (#780)
• e78f732 chore: update driver, kubernetes deps (#776)
• a40f897 chore: update adal deps to v0.9.18 (#741)
• a83b295 chore: remove deprecated --driver-write-secrets flag (#709)
• 31f6bdd chore: use kubernetes 1.22.2 for test and update makefile (#702)

Security Fix 🛡️

• 6fd96c3 security: bump stefanprodan/helm-gh-pages from 1.4.1 to 1.5.0 (#803)
• 05920f3 security: bump actions/setup-go from 2.1.5 to 2.2.0 (#797)
• c572369 security: bump actions/setup-go from 2.1.4 to 2.1.5 (#763)
• 6947a9f security: bump actions/checkout from 2 to 2.4.0 (#764)
• 9d47ead security: bump autoprefixer from 9.8.6 to 9.8.8 in /website (#765)
• bff5120 security: fix CVE-2021-43784 (#733)
• 8a3834b security: bump kubernetes version to v1.22.3 (#701)

Testing 💚

• d0be43d test: enable workload identity test with deploy manifests (#806)
• 132553e test: fix upgrade tests (#800)
• 5003b56 test: add kubernetes v1.23.0 kind cluster (#737)
• b35ae5f test: bump kubernetes version to v1.22.4 and remove v1.19 (#729)
• e37a205 test: implements arc e2e tests for AKS (#703)

v1.0.1

Continuous Integration 💜

• add semantic.yml (#686, @aramase)

Documentation 📘

• update api version to v1 and add upgrade guide (#681, @aramase)
• fix broken link in getting-started/usage page (#692, @christianfosli)

Helm 📈

• implements outbound proxy support for arc extension (#695, @nilekhc)
• upgrade to driver v1.0.1 release (#752, @aramase)
• make provider socket volume configurable (#708, @aramase)

Maintenance 🔧

• update klog.InfoS to klog.V(5).InfoS (#730, @helayoty)

Testing 💚

• uses provisioningState to verify ext install (#694, @nilekhc)
• implements arc e2e tests for AKS (#703, @nilekhc)

v1.0.0

Refer to Upgrade notes before upgrading to v1.0.0.

Code Refactoring 💎

• create kv client once and update to structured logging (#634, @aramase)

Documentation 📘

• adds pros n cons for access methods (#636, @nilekhc)
• add /etc/ssl/certs volume mount for custom cloud (#651, @aramase)
• Remove note about kubernets secret type constraint (#678, @arsenvlad)

Features 🌈

• add metrics for provider (#407, @aramase)
• adds windows server 2022 (#660, @nick5616)

Helm 📈

• update driver to v1.0.0-rc.0 (#658, @aramase)
• update to driver v1.0.0 in helm charts (#677, @aramase)

Maintenance 🔧

• make --driver-write-secrets flag no-op (#617, @aramase)
• update to go 1.17 (#630, @aramase)
• use ErrorS instead of Fatalf for structured logging (#638, @aramase)
• update build status badge to new pipeline (#643, @aramase)
• replace deprecated codecov uploader with GitHub action (#648, @aramase)
• add cherry_pick_pull script from kubernetes (#661, @aramase)
• bump ansi-regex from 5.0.0 to 5.0.1 in /website (#675, @dependabot)

Testing 💚

• refactor cleanup image template (#613, @aramase)
• adds e2e test for containerd on windows (#612, @nilekhc)
• adds default runtime for nightly runs (#627, @nilekhc)
• cleanup unit tests that have external dependency (#635, @aramase)
• switch from service principal to managed identity for e2e test (#621, @nilekhc)
• add kubernetes version matrix for kind tests (#642, @aramase)
• bump test timeout to 120m (#650, @aramase)
• update driver version to v1.0.0-rc.0 and run gofmt (#664, @aramase)
• e2e tests arc extension (#668, @nilekhc)
• run e2e tests with driver v1.0.0-rc.1 (#674, @aramase)
• wait only for driver and provider pods before running suite (#683, @aramase)
• adds e2e for arc reconciliation (#679, @nilekhc)

v1.0.0-rc.0

Announcement 📢

• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to kubernetes-sigs/secrets-store-csi-driver#550 for more info.
• CustomResourceDefinitions in helm charts were moved from templates to crds directory in v0.1.0. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.
• ❗ Rollback to previous helm chart versions after installing v0.1.0+ will result in an error.

Code Refactoring 💎

• create kv client once and update to structured logging (#634, @aramase)

Documentation 📘

• adds pros n cons for access methods (#636, @nilekhc)
• add /etc/ssl/certs volume mount for custom cloud (#651, @aramase)

Features 🌈

• add metrics for provider (#407, @aramase)

Helm 📈

• update driver to v1.0.0-rc.0 (#658, @aramase)

Maintenance 🔧

• make --driver-write-secrets flag no-op (#617, @aramase)
• update to go 1.17 (#630, @aramase)
• use ErrorS instead of Fatalf for structured logging (#638, @aramase)
• update build status badge to new pipeline (#643, @aramase)
• replace deprecated codecov uploader with GitHub action (#648, @aramase)

Testing 💚

• refactor cleanup image template (#613, @aramase)
• adds e2e test for containerd on windows (#612, @nilekhc)
• adds default runtime for nightly runs (#627, @nilekhc)
• cleanup unit tests that have external dependency (#635, @aramase)
• switch from service principal to managed identity for e2e test (#621, @nilekhc)
• add kubernetes version matrix for kind tests (#642, @aramase)
• bump test timeout to 120m (#650, @aramase)

v0.2.0

Announcement 📢

• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to kubernetes-sigs/secrets-store-csi-driver#550 for more info.
• CustomResourceDefinitions in helm charts were moved from templates to crds directory in v0.1.0. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.

Breaking Changes ⚠️

• syncSecret.enabled has been set to false by default in CSI Driver v0.0.23 release. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set secrets-store-csi-driver.syncSecret.enabled=true as part of helm install/upgrade. Ref: https://azure.github.io/secrets-store-csi-driver-provider-azure/upgrading/#upgrading-to-helm-chart-version-0020
• --filtered-watch-secret was enabled by default in v0.1.0 release. Refer to kubernetes-sigs/secrets-store-csi-driver#550 for more info. If you're using nodePublishSecretRef in the volume, refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html on actions to take before upgrade.
• Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#pre-v010 before upgrade from driver version < v0.1.0

Features 🌈

• enable construct PEM chain by default (#605, @aramase)

Documentation 📘

• Update ingress-tls.md (#591, @DavidMarquezF)

Testing 💚

• adds e2e tests for GPU nodes (#594, @nilekhc)
• adds kind test for deployment manifests (#582, @nilekhc)
• use kubernetes e2e framework to check pods running (#601, @aramase)

Helm 📈

• move helm dependencies to Chart.yaml (#595, @aramase)
• fix security context for linux (#600, @aramase)

Maintenance 🔧

• use actions/stale instead of probot/stale (#597, @aramase)
• update to driver release v0.2.0 (#608, @aramase)

v0.1.0

Announcement 📢

• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to kubernetes-sigs/secrets-store-csi-driver#550 for more info.
• CustomResourceDefinitions in helm charts have been moved from templates to crds directory. pre-upgrade hooks have been added to manage the lifecycle of CRDs during install/upgrade.

Breaking Changes ⚠️

• syncSecret.enabled has been set to false by default. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set syncSecret.enabled=true as part of helm install/upgrade. Ref: https://azure.github.io/secrets-store-csi-driver-provider-azure/upgrading/#upgrading-to-helm-chart-version-0020
• --filtered-watch-secret has been enabled by default in v0.1.0 release. Refer to kubernetes-sigs/secrets-store-csi-driver#550 for more info. If you're using nodePublishSecretRef in the volume, refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html on actions to take before upgrade.
• Refer to https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#pre-v010 before upgrade

Features 🌈

• default driver-write-secrets to true (#541, @aramase)
• update driver release to v0.1.0 (#587, @aramase)

Documentation 📘

• add syncSecret.enabled=true in helm install for load test (#538, @aramase)
• add note for syncSecret.enabled=true (#543, @aramase)
• set secrets-store-csi-driver.syncSecret.enabled for sync secret (#555, @aramase)
• add nodepublishsecretref namespace limitation (#559, @aramase)
• adds release management doc (#558, @nilekhc)
• adds sample cmds to test AKV connectivity (#562, @nilekhc)
• add note about the lifetime of synced k8s secrets (#572, @aramase)

Testing 💚

• adds e2e test for k8s secret sync (#560, @nilekhc)

Helm 📈

• Added kubeletRootDir (#539, @dmcconnell-m)
• fix security context privileged for linux (#563, @aramase)

Maintenance 🔧

• bump glob-parent from 5.1.1 to 5.1.2 in /website (#540, @depandabot)
• bump postcss from 7.0.32 to 7.0.36 in /website (#545, @depandabot)
• set allowPrivilegeEscalation to false (#549, @nilekhc)
• log pod identity response for error (#554, @aramase)
• update kind version to v0.11.0 (#573, @aramase)
• update golangci-lint to v1.41.1 and enable additional linters (#574, @aramase)
• updates docker image to distroless (#578, @nilekhc)
• add release branch for pr pipeline (#581, @aramase)

0.0.16

Note 🗒️

• Before upgrade, refer to doc on the optimizations done in the Secrets Store CSI Driver and actions to take for reducing memory consumption.

Breaking Changes ⚠️

• syncSecret.enabled has been set to false by default. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of helm install/upgrade. If you're using the driver to sync mounted content as Kubernetes secret, you'll need to set secrets-store-csi-driver.syncSecret.enabled=true as part of helm install/upgrade.

Ref: https://azure.github.io/secrets-store-csi-driver-provider-azure/upgrading/#upgrading-to-helm-chart-version-0020

Features 🌈

• use distroless base image (#515, @aramase)
• add arm64 build (#528, @aramase)

Bug Fixes 🐞

• Update pod-security-policy.yaml to correct the unknown field "hostPort (#512, @balram2697)
• check if result bundle not nil before dereferencing (#533, @aramase)

Documentation 📘

• add installation steps for Azure RedHat Openshift (#446, @aramase)
• update url reference in usage doc (#529, @aramase)
• Add clarity about Service Principal being the only Identity Access Mode allowed for non Azure environments (#534, @DaveSlinn)

Helm 📈

Testing 💚

• add unit tests and kind tests as part of nightly (#517, @aramase)
• use variable group for kind e2e jobs (#522, @aramase)

Maintenance 🔧

• bump golang.org/x/crypto to v0.0.0-20201216223049-8b5274cf687f (#511, @aramase)
• bump browserslist from 4.14.0 to 4.16.6 in /website (#520, @dependabot)
• Update pod-security-policy.yaml (#519, @616b2f)
• Update Secrets Store CSI Driver to v0.0.23 (#536, @aramase)

Azure Key Vault Provider image is now in mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.16 and Secrets Store CSI Driver image is in mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver

0.0.15

Note 🗒️

• Before upgrade, refer to doc on the optimizations done in the Secrets Store CSI Driver and actions to take for reducing memory consumption.
• Refer to https://github.com/kubernetes-sigs/secrets-store-csi-driver/releases/tag/v0.0.22 for driver release notes.

Features 🌈

• add version response for provider (#466, @aramase)
• add support for RSA-HSM keys (#470, @aramase)
• switch to driver writing files (#460, @aramase)
  • Introduces a new flag --driver-write-secrets to return files in gRPC response to driver. Default value is false.

Documentation 📘

• add example for sync k8s secret dockerconfigjson (#467, @aramase)
• clarify sync k8s secret namespace (#468, @aramase)
• fix typo in sync k8s doc (#473, @sozercan)
• fix pod commands in examples (#492, @aramase)
• add guidance for deploying in kube-system and update troubleshooting (#500, @aramase)

Helm 📈

• Add Helm Chart variables to mount the Custom Azure Environment File (#451, @chrisamert)
• Pod Security Policy added to the chart (#443, @pierluigilenoci)
• Nodeaffinity vk (#486, @nilekhc)
• remove deprecated helm values for image (#495, @aramase)

Testing 💚

• switch to using multi-os image, update docs (#416, @aramase)
• add cluster upgrade test (#448, @aramase)
• remove CODECOV_TOKEN env var (#478, @aramase)
• implements upgrade test (#489, @nilekhc)
• use AddToScheme for the csi-secrets-store apis (#499, @aramase)
• runs e2e test on 3 aks versions (#503, @nilekhc)

Maintenance 🔧

• add stale bot config (#461, @aramase)
• updates psp to match helm chart (#493, @nilekhc)
• bump lodash from 4.17.20 to 4.17.21 in /website (#502, @dependabot)
• bump version to 0.0.15 (#508, @aramase)
• bump driver version to v0.0.22 (#509, @aramase)

Azure Key Vault Provider image is now in mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.15 and Secrets Store CSI Driver image is in mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver

0.0.14

Note 🗒️

• Before upgrade, refer to doc on the optimizations done in the Secrets Store CSI Driver and actions to take for reducing memory consumption.

Features 🌈

• switch to using httpget for liveness-probe (#453, @aramase)

Bug Fixes 🐞

• CVE-2021-24032 (#426, @aramase)
• use scheme long format for Helm dependencies (#449, @4devnull)

Documentation 📘

• Update _index.md (#422, @norelina)
• fix rotation url (#432, @aramase)
• fix parameter in walkthrough (#441, @aramase)

Helm 📈

• Added podAnnotations to the staging chart (#442, @pierluigilenoci)

Testing 💚

• switch to using multi-os image, update docs (#416, @aramase)
• add cluster upgrade test (#448, @aramase)

Maintenance 🔧

• add troubleshooting guide url in issue template (#417, @aramase)
• update to go 1.16 (#424, @aramase)
• update sdk dependencies (#439, @aramase)
• use nanoserver base image for windows (#454, @aramase)
• update debian base to buster-v1.5.0 (#455, @aramase)
• bump y18n from 4.0.0 to 4.0.1 in /website (#457, @dependabot)
• update to driver v0.0.21 (#458, @aramase)

Azure Key Vault Provider image is now in mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.14 and Secrets Store CSI Driver image is in mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver