Bugs:
- injector: add missing `get` `nodes` permission to ClusterRole GH-1005
Changes:
- Default `vault` version updated to 1.15.2
Features:
- server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet GH-965
- server: Support setting labels on PVCs GH-969
- server: Support setting ingress rules for networkPolicy GH-877
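As an added example (not part of the chart or its docs), here is a values override that uses two of the server features above together: a NetworkPolicy ingress rule that limits which pods can reach the Vault API port, and a PVC retention policy that keeps the Raft data volumes when the StatefulSet is deleted or scaled. The key names `server.networkPolicy.ingress` and `server.persistentVolumeClaimRetentionPolicy`, the `vault-client: allowed` label and the port numbers are assumptions for this example; confirm them against the values.yaml of the chart version you run.

```yaml
# Added example values override (not from the chart). Key names are assumed
# from the changelog entries GH-877 and GH-965; verify against values.yaml.
server:
  ha:
    enabled: true
    raft:
      enabled: true

  # Keep the Raft data PVCs when the StatefulSet is deleted or scaled down.
  # Deleting them would destroy the integrated storage, i.e. every secret.
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain

  networkPolicy:
    enabled: true
    # Rule 1: only pods labelled vault-client=allowed in this namespace may
    # reach the API port (label name/value assumed for this example).
    # Rule 2: the Vault server pods may still reach each other on the
    # cluster port used for Raft and request forwarding.
    ingress:
      - from:
          - podSelector:
              matchLabels:
                vault-client: "allowed"
        ports:
          - port: 8200
            protocol: TCP
      - from:
          - podSelector:
              matchLabels:
                app.kubernetes.io/name: vault
                component: server
        ports:
          - port: 8201
            protocol: TCP
    # Egress rules, if any, go in server.networkPolicy.egress (GH-389).
```

Whatever selectors you use, they must also admit every Vault client the chart deploys on your behalf: agent sidecars injected into application pods, the CSI provider's daemonset pods, and the other server pods on the cluster port; anything left out simply times out once the policy is applied. A NetworkPolicy is only enforced by a CNI that implements it, so render with `helm template` and apply in a test namespace first.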
Improvements:
- Support exec in the server liveness probe GH-971
Bugs:
- Fix templating of `server.ha.replicas` when set via override file. The 0.26.0 chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden on the command line when issuing the helm command: `--set server.ha.replicas=<some_number>`. Fixed in GH-961
Changes:
- Default `vault` version updated to 1.15.1
- Default `vault-k8s` version updated to 1.3.1
- Default `vault-csi-provider` version updated to 1.4.1
- Tested with Kubernetes versions 1.24-1.28
- server: OpenShift default readiness probe returns 204 when uninitialized GH-966
Features:
- server: Add support for dual stack clusters GH-833
- server: Support `hostAliases` for the StatefulSet pods GH-955
- server: Add `server.service.active.annotations` and `server.service.standby.annotations` GH-896
- server: Add long-lived service account token option GH-923
Bugs:
- csi: Add namespace field to `csi-role` and `csi-rolebindings`. GH-909
Improvements:
- global: Add `global.namespace` to override the helm installation namespace. GH-909
- server: use vault.fullname in Helm test GH-912
- server: Allow scaling HA replicas to zero GH-943
Changes:
- Latest Kubernetes version tested is now 1.27
- server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` GH-902
- `vault` updated to 1.14.0 GH-916
- `vault-csi-provider` updated to 1.4.0 GH-916
Improvements:
- CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods GH-862
- injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources GH-798
- Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version GH-916
Bugs:
- server: Set the default for `prometheusRules.rules` to an empty list GH-886
Bugs:
- csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions GH-872
Changes:
- Earliest Kubernetes version tested is now 1.22
- `vault` updated to 1.13.1 GH-863
- `vault-k8s` updated to 1.2.1 GH-868
- `vault-csi-provider` updated to 1.3.0 GH-749
Features:
- server: New `extraPorts` option for adding ports to the Vault server statefulset GH-841
- server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset GH-831
- injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe GH-852
- csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals GH-749
Changes:
- `vault` updated to 1.12.1 GH-814
- `vault-k8s` updated to 1.1.0 GH-814
- `vault-csi-provider` updated to 1.2.1 GH-814
Features:
- server: Add `extraLabels` for Vault server serviceAccount GH-806
- server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services GH-811
- server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding GH-811
- server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment GH-813
Bugs:
- server: Quote `.server.ha.clusterAddr` value GH-810
Changes:
Features:
- Add PrometheusOperator support for collecting Vault server metrics. GH-772
Changes:
CHANGES:
- `vault-k8s` updated to 0.17.0. GH-771
- `vault-csi-provider` updated to 1.2.0 GH-771
- `vault` updated to 1.11.2 GH-771
- Start testing against Kubernetes 1.24. GH-744
- Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. GH-745
- CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. GH-745
Features:
- server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. GH-767
- csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. GH-767
- injector: Add `injector.securityContext` to override pod and container `securityContext`. GH-750 and GH-767
- Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. GH-610
- Support for setting annotations on the injector's serviceAccount GH-753
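As an added example (not from the chart), the following values file uses the `server.statefulSet.securityContext` and `injector.securityContext` overrides above to pin a non-root identity, the runtime default seccomp profile and an empty capability set on both components. The `pod`/`container` sub-keys, the uid/gid numbers and the choice of fields are assumptions for this example; check them against the defaults in your chart version's values.yaml.

```yaml
# Added example values override (not from the chart). Sub-keys and numeric
# ids are assumed; compare with the chart's own defaults before applying.
server:
  statefulSet:
    securityContext:
      pod:
        runAsNonRoot: true
        runAsUser: 100        # "vault" user of the hashicorp/vault image (assumed)
        runAsGroup: 1000
        fsGroup: 1000         # lets the process read Secret/PVC volumes
        seccompProfile:
          type: RuntimeDefault
      container:
        allowPrivilegeEscalation: false
        # Dropping ALL is consistent with the chart's removal of IPC_LOCK
        # (GH-198): the chart's default config runs Vault with mlock
        # disabled. If you re-enable mlock you must add IPC_LOCK back.
        capabilities:
          drop: ["ALL"]
        # readOnlyRootFilesystem is deliberately not set here: the chart's
        # start command copies the rendered config into /tmp before exec'ing
        # vault, so it needs an emptyDir mounted at /tmp first (server.volumes
        # and server.volumeMounts, GH-314).

injector:
  securityContext:
    pod:
      runAsNonRoot: true
      runAsUser: 100
      runAsGroup: 1000
      seccompProfile:
        type: RuntimeDefault
    container:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true   # the webhook only reads its certs
      capabilities:
        drop: ["ALL"]
```

The changelog calls these overrides, so treat them as replacing the chart's defaults rather than merging with them and restate every field you rely on. `csi.daemonSet.securityContext` takes the same `pod`/`container` shape, but the CSI provider writes its socket into the hostPath under `csi.daemonSet.providersDir` (GH-603), so verify the daemonset still starts after restricting it.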
CHANGES:
- `vault-k8s` updated to 0.16.1 GH-739
Improvements:
- Mutating webhook will no longer target the agent injector pod GH-736
Bugs:
- `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 GH-737
CHANGES:
- `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually GH-703
- Default value of `-` used for injector and server to indicate that they follow `global.enabled`. GH-703
- Vault default image to 1.10.3
- CSI provider default image to 1.1.0
- Vault K8s default image to 0.16.0
- Earliest Kubernetes version tested is now 1.16
- Helm 3.6+ now required
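As an added example (not from the chart), a values file that combines the `global.enabled` semantics from GH-703 above with the `global.externalVaultAddr` setting from GH-745 further up: everything is off by default, only the injector and the CSI provider are switched on, and both point at a Vault cluster that is not managed by this release. The address is a placeholder, and the assumption that `csi.enabled` is the provider's toggle is made for this example.

```yaml
# Added example values override (not from the chart). The address is a
# placeholder; key names follow the changelog entries GH-703 and GH-745.
global:
  enabled: false          # disable every component unless turned on below
  # Used by both the injector and the CSI provider (GH-745). Use https:
  # this traffic leaves the cluster.
  externalVaultAddr: "https://vault.example.internal:8200"

server:
  enabled: "-"            # "-" = follow global.enabled, so no Vault StatefulSet

injector:
  enabled: true           # explicitly re-enabled despite global.enabled=false

csi:
  enabled: true           # CSI provider pods get VAULT_ADDR from the global value
```

Because `server.enabled` keeps its `-` default, no StatefulSet, services or ConfigMap for Vault are rendered, while the service account the injector needs for the Kubernetes auth method is still created when an external address is set (GH-392). Keep certificate verification on in the agent annotations; the earlier injector bug VK8S-35, where TLS skip-verify defaulted to true, is exactly the failure mode to avoid on an external address.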
Features:
- Support topologySpreadConstraints in server and injector. GH-652
Improvements:
- CSI: Set `extraLabels` for daemonset, pods, and service account GH-690
- Add namespace to injector-leader-elector role, rolebinding and secret GH-683
- Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector GH-710
- Make the Cluster Address (CLUSTER_ADDR) configurable GH-629
- server: Make `publishNotReadyAddresses` configurable for services GH-694
- server: Allow config to be defined as a YAML object in the values file GH-684
- Maintain default MutatingWebhookConfiguration values from `v1beta1` GH-692
CHANGES:
- Vault image default 1.9.2
- Vault K8s image default 0.14.2
Features:
- Added configurable podDisruptionBudget for injector GH-653
- Make terminationGracePeriodSeconds configurable for server GH-659
- Added configurable update strategy for injector GH-661
- csi: ability to set priorityClassName for CSI daemonset pods GH-670
Improvements:
- Set the namespace on the OpenShift Route GH-679
- Add volumes and env vars to helm hook test pod GH-673
- Make TLS configurable for OpenShift routes GH-686
CHANGES:
- Removed support for deploying a leader-elector container with the vault-k8s injector since vault-k8s now uses an internal mechanism to determine leadership GH-649
- Vault image default 1.9.0
- Vault K8s image default 0.14.1
Improvements:
- Added templateConfig.staticSecretRenderInterval chart option for the injector GH-621
Improvements:
- Add option for Ingress PathType GH-634
KNOWN ISSUES:
- The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set
CHANGES:
- Vault image default 1.8.4
- Vault K8s image default 0.14.0
Improvements:
- Support Ingress stable networking API GH-590
- Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types GH-626
- Support setting ingressClassName on server Ingress GH-630
Bugs:
- Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden GH-628
CHANGES:
- Vault image default 1.8.3
- Vault K8s image default 0.13.1
CHANGES:
- Support for deploying a leader-elector container with the vault-k8s injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`.
Improvements:
- Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` GH-603
- Support vault-k8s internal leader election GH-568 GH-607
Improvements:
Features:
- Added templateConfig.exitOnRetryFailure chart option for the injector GH-560
Improvements:
- Support configuring pod tolerations, pod affinity, and node selectors as YAML GH-565
- Set the default vault image to come from the hashicorp organization GH-567
- Add support for running the acceptance tests against a local `kind` cluster GH-567
- Add `server.ingress.activeService` to configure if the ingress should use the active service GH-570
- Add `server.route.activeService` to configure if the route should use the active service GH-570
- Support configuring `global.imagePullSecrets` from a string array GH-576
Improvements:
- Added a helm test for vault server GH-531
- Added server.enterpriseLicense option GH-547
- Added OpenShift overrides GH-549
Bugs:
- Fix ui.serviceNodePort schema GH-537
- Fix server.ha.disruptionBudget.maxUnavailable schema GH-535
- Added webhook-certs volume mount to sidecar injector GH-545
Features:
- Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` GH-526
Improvements:
- Set chart kubeVersion and added chart-verifier tests GH-510
- Added values json schema GH-513
- Ability to set tolerations for CSI daemonset pods GH-521
- UI target port is now configurable GH-437
Bugs:
- CSI: `global.imagePullSecrets` are now also used for CSI daemonset GH-519
Features:
- Added `server.enabled` to explicitly skip installing a Vault server GH-486
- Injector now supports enabling host network GH-471
- Injector port is now configurable GH-489
- Injector Vault Agent resource defaults are now configurable GH-493
- Extra paths can now be added to the Vault ingress service GH-460
- Log level and format can now be set directly using `server.logFormat` and `server.logLevel` GH-488
Improvements:
- Added `https` name to injector service port GH-495
Bugs:
- CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name GH-486
Features:
- Add support for Vault CSI provider GH-461
Improvements:
- `objectSelector` can now be set on the mutating admission webhook GH-456
Bugs:
- Injector: fix labels for default anti-affinity rule GH-441, GH-442
- Set VAULT_DEV_LISTEN_ADDRESS in dev mode GH-446
Features:
- Injector now supports configurable number of replicas GH-436
- Injector now supports auto TLS for multiple replicas using leader elections GH-436
Improvements:
- Dev mode now supports `server.extraArgs` GH-421
- Dev mode root token is now configurable with `server.dev.devRootToken` GH-415
- ClusterRoleBinding updated to `v1` GH-395
- MutatingWebhook updated to `v1` GH-408
- Injector service now supports `injector.service.annotations` GH-425
- Injector now supports `injector.extraLabels` GH-428
- Added `allowPrivilegeEscalation: false` to Vault and Injector containers GH-429
- Network Policy now supports `server.networkPolicy.egress` GH-389
Improvements:
- Make server NetworkPolicy independent of OpenShift GH-381
- Added configurables for all probe values GH-387
- MountPath for audit and data storage is now configurable GH-393
- Annotations can now be added to the Injector pods GH-394
- The injector can now be configured with a failurePolicy GH-400
- Added additional environment variables for rendering within Vault config GH-398
- Service account for Vault K8s auth is automatically created when `injector.externalVaultAddr` is set GH-392
Bugs:
- Fixed install output using Helm V2 command GH-378
Features:
- Added `volumes` and `volumeMounts` for mounting any type of volume GH-314.
- Added configurable to enable prometheus telemetry exporter for Vault Agent Injector GH-372
Improvements:
- Added `defaultMode` configurable to `extraVolumes` GH-321
- Option to install and use PodSecurityPolicies for vault server and injector GH-177
- `VAULT_API_ADDR` is now configurable GH-290
- Removed deprecated tolerate unready endpoint annotations GH-363
- Add an option to set annotations on the StatefulSet GH-199
- Make the vault server serviceAccount name a configuration option GH-367
- Removed annotation restriction from `dev` mode GH-371
- Add an option to set annotations on PVCs GH-364
- Added service configurables for UI GH-285
Bugs:
- Fix python dependency in test image GH-337
- Fix caBundle not being quoted causing validation issues with Helm 3 GH-352
- Fix injector network policy being rendered when injector is not enabled GH-358
Features:
- Added `extraInitContainers` to define init containers for the Vault cluster GH-258
- Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready GH-315
- Beta: Added OpenShift support GH-319
Improvements:
- Server configs can now be defined in YAML. Multi-line string configs are still compatible GH-213
- Removed IPC_LOCK privileges since swap is disabled on containers [GH-198]
- Use port names that map to vault.scheme [GH-223]
- Allow both yaml and multi-line string annotations [GH-272]
- Added configurable to set the Raft node name to hostname [GH-269]
- Support setting priorityClassName on pods [GH-282]
- Added support for ingress apiVersion `networking.k8s.io/v1beta1` [GH-310]
- Added configurable to change service type for the HA active service GH-317
Bugs:
- Fixed default ingress path [GH-224]
- Fixed annotations for HA standby/active services [GH-268]
- Updated some value defaults to match their use in templates [GH-309]
- Use active service on ingress when ha [GH-270]
- Fixed bug where pull secrets weren't being used for injector image GH-298
Features:
- Added Raft support for HA mode [GH-228]
- Now supports Vault Enterprise [GH-250]
- Added K8s Service Registration for HA modes [GH-250]
- Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [GH-185]
- Added environment variables for logging and revocation on Vault Agent Injector [GH-219]
- Option to set environment variables for the injector deployment [GH-232]
- Added affinity, tolerations, and nodeSelector options for the injector deployment [GH-234]
- Made all annotations multi-line strings [GH-227]
Improvements:
- Allow process namespace sharing between Vault and sidecar containers [GH-174]
- Added configurable to change updateStrategy [GH-172]
- Added sleep in the preStop lifecycle step [GH-188]
- Updated chart and tests to Helm 3 [GH-195]
- Adds Values.injector.externalVaultAddr to use the injector with an external vault [GH-207]
Bugs:
- Fix bug where Vault lifecycle was appended after extra containers. [GH-179]
Security:
- Added `server.extraArgs` to allow loading of additional Vault configurations containing sensitive settings GH-175
Bugs:
- Fixed injection bug where wrong environment variables were being used for manually mounted TLS files
Bugs:
- Fixed injection bug where TLS Skip Verify was true by default [VK8S-35]
Bugs:
- Fixed injection bug causing kube-system pods to be rejected [VK8S-14]
Features:
- Extra containers can now be added to the Vault pods
- Added configurability of pod probes
- Added Vault Agent Injector
Improvements:
- Moved `global.image` to `server.image`
- Changed UI service template to route pods that aren't ready via `publishNotReadyAddresses: true`
- Added better HTTP/HTTPS scheme support to http probes
- Added configurable node port for Vault service
- `server.authDelegator` is now enabled by default
Bugs:
- Fixed upgrade bug by removing chart label which contained the version
- Fixed typo on `serviceAccount` (was `serviceaccount`)
- Fixed readiness/liveness HTTP probe default to accept standbys
Bugs:
- Removed `readOnlyRootFilesystem` causing issues when validating deployments
Features:
- Added load balancer support
- Added ingress support
- Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc)
- Removed root requirements, now runs as Vault user
Improvements:
- Added namespace value to all rendered objects
- Made ports configurable in services
- Added the ability to add custom annotations to services
- Added docker image for running bats test in CircleCI
- Removed restrictions around `dev` mode such as annotations
- `readOnlyRootFilesystem` is now configurable
- Image Pull Policy is now configurable
Bugs:
- Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption)
- Fixed bug where audit storage was not being mounted in HA mode
- Fixed bug where Vault pod wasn't receiving SIGTERM signals
Features:
- Added `extraSecretEnvironmentVars` to allow users to mount secrets as environment variables
- Added `tlsDisable` configurable to change HTTP protocols from HTTP/HTTPS depending on the value
- Added `serviceNodePort` to configure a NodePort value when setting `serviceType` to "NodePort"
Improvements:
- Changed UI port to 8200 for better HTTP protocol support
- Added `path` to `extraVolumes` to define where the volume should be mounted. Defaults to `/vault/userconfig`
- Upgraded Vault to 1.2.2
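As an added example (not from the chart), here is how the `server.extraArgs` entry from GH-175 further up, together with the `extraVolumes` `path` option and `extraSecretEnvironmentVars` described in this release, can keep credentials out of the chart's rendered ConfigMap: the public listener config stays in `server.config`, a storage stanza containing a connection string is loaded from a Secret mounted under `/vault/userconfig`, and KMS credentials arrive from a second Secret as environment variables. The Secret names and keys, the PostgreSQL backend and the `defaultMode` value are placeholders for this example.

```yaml
# Added example values override (not from the chart). Secret names, keys and
# the storage backend are placeholders; adapt them to your deployment.
server:
  # Non-sensitive part of the config: rendered into a ConfigMap, which is
  # readable by anyone with "get configmaps" in the namespace.
  # No storage stanza here: it comes from the Secret below, and Vault
  # refuses duplicate storage definitions across -config files.
  config: |
    ui = true
    disable_mlock = true
    listener "tcp" {
      tls_disable     = 1
      address         = "[::]:8200"
      cluster_address = "[::]:8201"
    }

  # Secret "vault-storage-config" must contain a key named storage.hcl, e.g.
  #   storage "postgresql" { connection_url = "postgres://vault:<pw>@db:5432/vault" }
  # With the default path it is mounted at /vault/userconfig/vault-storage-config/.
  extraVolumes:
    - type: secret
      name: vault-storage-config
      # path: /vault/userconfig   (the default, GH-?? sets it; left implicit)
      defaultMode: 0440           # group-readable for the fsGroup the chart sets

  # Vault merges every -config file it is given, so the sensitive stanza
  # never appears in the ConfigMap or in `helm get values` output.
  extraArgs: "-config=/vault/userconfig/vault-storage-config/storage.hcl"

  # Credentials for an auto-unseal KMS, sourced from a Secret at pod start.
  extraSecretEnvironmentVars:
    - envName: AWS_ACCESS_KEY_ID
      secretName: vault-kms-creds
      secretKey: access_key_id
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: vault-kms-creds
      secretKey: secret_access_key
```

Render with `helm template` and confirm that the connection string appears nowhere in the output: only the Secret name and mount path should be visible. The Secrets themselves still need restrictive RBAC in the namespace; this pattern moves the credentials out of the chart's ConfigMap, it does not protect them from anyone who can read Secrets.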
Bugs:
- Fixed bug where upgrade would fail because immutable labels were being changed (Helm Version label)
- Fixed bug where UI service used wrong selector after updating helm labels
- Added `VAULT_API_ADDR` env to Vault pod to fix a bug where Vault thinks Consul is the active node
- Removed `step-down` preStop since it requires authentication. Shutdown signal sent by Kube acts similar to `step-down`
Features:
- Added `authDelegator` Cluster Role Binding to Vault service account for bootstrapping Kube auth method
Improvements:
- Added `server.service.clusterIP` to `values.yml` so users can toggle the Vault service to headless by using the value `None`.
- Upgraded Vault to 1.2.1
Initial release