CHANGELOG.md

Unreleased

Features:

• Add support for openbao.org/ annotations GH-14
• Rewrite vault.hashicorp.com/ annotations to openbao.org/ annotations GH-21
• Add flag to disable rewriting vault.hashicorp.com/ annotations GH-23
• Add agent injector telemetry GH-96
• Add annotations for customizing template delimiters GH-96
• Added "tls_ca_cert_file" to envvar configuration GH-97

Changes:

• Refactor environment variables and flags GH-12
• Update webhook CA bundle verification log message GH-93
• Dependency updates:
  • RedHat UBI container image ubi8/ubi-minimal v8.9-1161 => ubi9-minimal v9.6-1751286687
  • github.com/Masterminds/semver/v3 v3.1.1 => v3.4.0
  • github.com/Masterminds/sprig/v3 v3.2.1 => v3.3.0
  • github.com/bgentry/speakeasy v0.1.0 => v0.2.0
  • github.com/cespare/xxhash/v2 v2.2.0 => v2.3.0
  • github.com/emicklei/go-restful/v3 v3.11.0 => v3.13.0
  • github.com/evanphx/json-patch/v5 v5.8.0 => v5.9.0
  • github.com/evanphx/json-patch v5.9.0+incompatible => v5.9.11+incompatible
  • github.com/fatih/color v1.14.1 => v1.18.0
  • github.com/go-logr/logr v1.4.1 => v1.4.3
  • github.com/go-openapi/jsonpointer v0.19.6 => v0.22.4
  • github.com/go-openapi/jsonreference v0.20.2 => v0.21.4
  • github.com/go-openapi/swag v0.22.3 => v0.25.4
  • github.com/google/gnostic-models v0.6.8 => 0.7.1
  • github.com/google/go-cmp v0.6.0 => v0.7.0
  • github.com/google/uuid v1.3.1 => v1.6.0
  • github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 => v0.2.0
  • github.com/hashicorp/go-sockaddr v1.0.5 => v1.0.7
  • github.com/hashicorp/vault/sdk/helper/strutil v0.11.1 => github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
  • github.com/hashicorp/vault/sdk v0.11.1 => github.com/openbao/openbao/sdk/v2 v2.5.1
  • github.com/huandu/xstrings v1.3.2 => v1.5.0
  • github.com/mattn/go-colorable v0.1.13 => v0.1.14
  • github.com/mattn/go-isatty v0.0.17 => v0.0.20
  • github.com/modern-go/reflect2 v1.0.2 => v1.0.3-0.20250322232337-35a7c28c31ee
  • github.com/operator-framework/operator-lib v0.11.1 => v0.19.0
  • github.com/posener/complete v1.2.1 => v1.2.3
  • github.com/prometheus/client_golang v1.19.0 => v1.23.2
  • github.com/prometheus/client_model v0.5.0 => v0.6.2
  • github.com/prometheus/common v0.48.0 => v0.67.5
  • github.com/prometheus/procfs v0.12.0 => v0.19.2
  • github.com/shopspring/decimal v1.2.0 => v1.4.0
  • github.com/spf13/cast v1.3.1 => v1.10.0
  • github.com/spf13/pflag v1.0.5 => v1.0.10
  • github.com/stretchr/testify v1.9.0 => v1.11.1
  • golang.org/x/crypto v0.22.0 => v0.48.0
  • golang.org/x/net v0.24.0 => v0.50.0
  • golang.org/x/oauth2 v0.16.0 => v0.35.0
  • golang.org/x/sys v0.19.0 => v0.41.0
  • golang.org/x/term v0.19.0 => v0.40.0
  • golang.org/x/text v0.14.0 => v0.34.0
  • golang.org/x/time v0.3.0 => v0.14.0
  • google.golang.org/appengine v1.6.8 => v1.36.11
  • google.golang.org/protobuf v1.33.0 => v1.36.11
  • gopkg.in/yaml.v2 v2.4.0 => go.yaml.in/yaml/v2 v2.4.3
  • k8s.io/api v0.29.3 => v0.35.1
  • k8s.io/apimachinery v0.29.3 => v0.35.1
  • k8s.io/client-go v0.29.3 => v0.35.1
  • k8s.io/klog/v2 v2.110.1 => v2.130.1
  • k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 => v0.0.0-20260127142750-a19766b6e2d4
  • k8s.io/utils v0.0.0-20230726121419-3b25d923346b => v0.0.0-20260210185600-b8788abfbbc2
  • sigs.k8s.io/controller-runtime v0.17.2 => v0.23.1
  • sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd => v0.0.0-20250730193827-2d320260d730
  • sigs.k8s.io/structured-merge-diff/v4 v4.4.1 => sigs.k8s.io/structured-merge-diff/v6 v6.3.2
  • sigs.k8s.io/yaml v1.4.0 => v1.6.0
• Added dependencies:
  • dario.cat/mergo v1.0.2
  • github.com/x448/float16 v0.8.4
  • go.yaml.in/yaml/v3 v3.0.4
• Removed dependencies:
  • github.com/gogo/protobuf v1.3.2
  • github.com/golang/protobuf v1.5.4
  • github.com/google/gofuzz v1.2.0
  • github.com/imdario/mergo v0.3.12
  • github.com/josharian/intern v1.0.0
  • github.com/mailru/easyjson v0.7.7

Bugs:

• Disable handling update on pods GH-94

1.4.1 (April 8, 2024)

Changes:

• Building with Go 1.22.2
• Default Vault version update to 1.16.1
• Dependency updates:
  • Docker UBI image ubi8/ubi-minimal 8.9-1137 => 8.9-1161
  • github.com/cenkalti/backoff/v4 v4.2.1 => v4.3.0
  • github.com/go-logr/logr v1.3.0 => v1.4.1
  • github.com/hashicorp/go-hclog v1.6.2 => v1.6.3
  • github.com/hashicorp/vault/sdk v0.11.0 => v0.11.1
  • golang.org/x/crypto v0.18.0 => v0.22.0
  • golang.org/x/net v0.20.0 => v0.24.0
  • golang.org/x/sys v0.16.0 => v0.19.0
  • golang.org/x/term v0.16.0 => v0.19.0
  • k8s.io/api v0.29.2 => v0.29.3
  • k8s.io/apimachinery v0.29.2 => v0.29.3
  • k8s.io/client-go v0.29.2 => v0.29.3
  • sigs.k8s.io/controller-runtime v0.16.3 => v0.17.2

Bugs:

• Enable logging from operator-lib's leader election (used during auto-tls certificate generation) GH-608

1.4.0 (March 4, 2024)

Features:

• Add support for max_connections_per_host within Agent injector GH-579
• Add support for error_on_missing_key within Agent injector GH-441

Changes:

• Default Vault version updated to 1.15.6
• Building with Go 1.21.7
• Testing with K8s versions 1.25-1.29
• Dependency updates:
  • Docker UBI image ubi8/ubi-minimal 8.8-1072.1697626218 => 8.9-1137
  • Docker alpine version 3.18.4 => 3.19.1
  • k8s.io/api v0.28.3 => v0.29.2
  • k8s.io/apimachinery v0.28.3 => v0.29.2
  • k8s.io/client-go v0.28.3 => v0.29.2
  • k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 => v0.0.0-20230726121419-3b25d923346b`
  • github.com/hashicorp/go-hclog v1.5.0 => v1.6.2
  • github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2 => v0.1.3
  • github.com/hashicorp/vault/sdk v0.10.2 => v0.11.0
  • github.com/prometheus/client_golang v1.17.0 => v1.19.0
  • github.com/operator-framework/operator-lib v0.11.0 => v0.12.0
  • github.com/evanphx/json-patch v5.7.0 => v5.9.0
  • github.com/stretchr/testify v1.8.4 => v1.9.0

1.3.1 (October 25, 2023)

Changes:

• Default Vault version updated to 1.15.1
• Building with Go 1.21.3
• Testing with K8s versions 1.24-1.28
• Dependency updates:
  • Docker UBI image ubi8/ubi-minimal 8.8-1037 -> 8.8-1072.1697626218
  • Docker alpine version 3.18.3 -> 3.18.4
  • golang.org/x/crypto v0.11.0 => v0.14.0
  • golang.org/x/net v0.13.0 => v0.17.0
  • golang.org/x/sys v0.10.0 => v0.13.0
  • golang.org/x/term v0.10.0 => v0.13.0
  • golang.org/x/text v0.11.0 => v0.13.0
  • k8s.io/api v0.27.4 => v0.28.3
  • k8s.io/apimachinery v0.27.4 => v0.28.3
  • k8s.io/client-go v0.27.4 => v0.28.3
  • github.com/hashicorp/vault/sdk v0.9.2 => v0.10.2
  • github.com/prometheus/client_golang v1.16.0 => v1.17.0
  • github.com/evanphx/json-patch v5.6.0 => v5.7.0

Improvements:

• Injector can set CA certificate for injected pods via AGENT_INJECT_VAULT_CACERT_BYTES env var or -vault-cacert-bytes flag GH-507
• Remove refs to deprecated io/ioutil GH-516

1.3.0 (August 16, 2023)

Improvements:

• Add NAMESPACE, HOST_IP, and POD_IP environment variables to Agent container using downward API GH-486

Changes:

• Templated secrets no longer require the -secret annotation GH-505
• Only inject Pods that are Pending GH-501
• Default to Vault 1.14.1
• Building with Go 1.20.7
• Testing with K8s versions 1.23-1.27
• Dependency updates:
  • github.com/cenkalti/backoff/v4 v4.2.0 -> v4.2.1
  • github.com/hashicorp/vault/sdk v0.8.1 -> v0.9.2
  • github.com/stretchr/testify v1.8.2 -> v1.8.4
  • github.com/prometheus/client_golang v1.14.0 -> v1.16.0
  • k8s.io/apimachinery v0.26.3 -> v0.27.4
  • k8s.io/api v0.26.3 -> v0.27.4
  • k8s.io/client-go v0.26.3 -> v0.27.4
  • golang.org/x/net v0.7.0 -> v0.13.0
  • golang.org/x/sys v0.5.0 -> v0.10.0
  • golang.org/x/term v0.5.0 -> v0.10.0
  • golang.org/x/text v0.7.0 -> v0.11.0
  • Docker alpine version 3.17.3 -> 3.18.3
  • Docker UBI image ubi8/ubi-minimal 8.7-1107 -> 8.8-1037

Bugs:

• Prevent auth-config-token-path from being overridden when another serviceaccount volume is present GH-457

1.2.1 (April 6, 2023)

Changes:

• Default to Vault 1.13.1
• Building with Go 1.20.3
• Dependency updates:
  • github.com/cenkalti/backoff/v4 v4.1.3 -> v4.2.0
  • github.com/hashicorp/go-hclog v1.3.1 -> v1.5.0
  • github.com/hashicorp/vault/sdk v0.6.1 -> v0.8.1
  • golang.org/x/net v0.4.0 -> v0.7.0
  • golang.org/x/sys v0.3.0 -> v0.5.0
  • golang.org/x/term v0.3.0 -> v0.5.0
  • golang.org/x/text v0.5.0 -> v0.7.0
  • k8s.io/api v0.25.4 -> v0.26.3
  • k8s.io/apimachinery v0.25.4 -> v0.26.3
  • k8s.io/client-go v0.25.4 -> v0.26.3
  • k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed -> v0.0.0-20230406110748-d93618cff8a2
  • Docker UBI image ubi8/ubi-minimal 8.7 -> 8.7-1107
  • Used fixed Docker alpine version: 3.17.3

Bugs:

• Don't override shareProcessNamespace if an annotation is not present GH-445

1.2.0 (February 6, 2023)

Changes:

• Building with Go 1.19.5
• Update golang.org/x/net to v0.4.0 GH-409
• Default to Vault v1.12.3

Features:

• Add support for enabling sharedProcessNamespace on the Pod spec GH-408
• Add agent-telemetry annotation GH-413

Improvements:

• Set Kubernetes user-agent to include vault-k8s version GH-411

Bugs:

• Preserve metadata when updating the cert secret GH-401

1.1.0 (November 17, 2022)

Changes:

• Building with go 1.19.3
• Default to Vault v1.12.1

Features:

• Allow modifying agent and agent-init containers with json-patch GH-399
• Support for setting exit_on_err in the agent auto-auth method config GH-400.

Improvements:

• Dependency updates:
  • github.com/cenkalti/backoff/v4 v4.1.1 => v4.1.3
  • github.com/hashicorp/go-hclog v1.0.0 => v1.3.1
  • github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1 => v0.1.2
  • github.com/hashicorp/vault/sdk v0.2.1 => v0.6.1
  • github.com/mitchellh/cli v1.1.4 => v1.1.5
  • github.com/operator-framework/operator-lib v0.8.0 => v0.11.0
  • github.com/prometheus/client_golang v1.11.1 => v1.12.1
  • github.com/stretchr/testify v1.8.0 => v1.8.1
  • k8s.io/api v0.22.2 => v0.25.4
  • k8s.io/apimachinery v0.22.2 => v0.25.4
  • k8s.io/client-go v0.22.2 => v0.25.4

1.0.1 (October 24, 2022)

Changes:

• Default to Vault v1.12.0

Bugs:

• Default ephemeral storage resources to unset for injected containers GH-386

Improvements:

• Upgrade dependency golang.org/x/net from v0.0.0-20220708220712-1185a9018129 to v0.0.0-20221004154528-8021a29435af
• Upgrade dependency golang.org/x/sys from v0.0.0-20220520151302-bc2c85ada10a to v0.0.0-20220728004956-3c1f35247d10
• Upgrade dependency golang.org/x/text from v0.3.7 to v0.3.8

1.0.0 (September 6, 2022)

Changes:

• Upgrade Docker base image to alpine:3.16.2 GH-382
• Default to Vault v1.11.3

Features:

• Support for setting disable_keep_alives in the agent config GH-376
• Added flags, envs and annotations to control ephemeral storage resources for injected containers GH-360

0.17.0 (July 28, 2022)

Features:

• Support for setting disable_idle_connections in the agent config GH-366

Improvements:

• Added support to configure default vault namespace on the agent config GH-345

Bugs:

• Properly return admission errors GH-363

0.16.1 (May 25, 2022)

Improvements:

• ConfigMap with missing vault section should default to env vars GH-353
• Wait for certificate before starting HTTP listener GH-354
• Update example injector mutating webhook config to exclude agent pod GH-351

Bugs:

• Certificate watcher timer deadlock fix GH-350

0.16.0 (May 11, 2022)

Features:

• Add agent-enable-quit annotation GH-330
• Add go-max-procs annotation GH-333
• Add min and max auth backoff annotations and environment variables GH-341

Improvements:

• Add a name to the service port GH-262

Changes:

• Only update webhook CA bundles when needed GH-336

0.15.0 (March 21, 2022)

Features:

• Add agent-inject-containers annotation GH-313

Changes:

• Build with go 1.17.8
• Default to Vault v1.9.4

0.14.2 (January 19, 2022)

Changes:

• Build with go 1.17.6
• Default to Vault v1.9.2

0.14.1 (November 17, 2021)

Changes:

• Bump the default Vault image to v1.9.0

Improvements:

• Dependency update GH-304

0.14.0 (October 21, 2021)

Improvements:

• Added options for setting the TLS minimum version (default 1.2) and supported cipher suites: GH-302

0.13.1 (September 29, 2021)

Changes:

• Bump the default Vault image to v1.8.3

0.13.0 (September 15, 2021)

Improvements:

• Continuously retry updating the cert secret: GH-280
• Keep the last CA when creating a new one: GH-287
• Moved leader election inside vault-k8s: GH-271
• Add projected service account support GH-288

Bugs:

• Set GVK on AdmissionReview responses in webhook GH-296
• Fix a typo in deploy/injector-mutating-webhook.yaml manifest GH-296

0.12.0 (August 18, 2021)

Features:

• New annotation to allow the user to set the rendered file permission: GH-277
• Adds flag and annotation to configure template config static_secret_render_interval: GH-276

0.11.0 (July 28, 2021)

Features:

• Added exit_on_retry_failure flag and annotation: GH-267

Improvements:

• Switch the default vault image to come from the hashicorp docker hub org: GH-270
• Better support for setting the region when auth type is AWS: GH-268
• Added support for K8s v1 Admission API: GH-273

0.10.2 (June 16, 2021)

Improvements:

• Dependency update: GH-265

0.10.1 (May 25, 2021)

Bugs:

• Fix agent-inject-token when caching enabled: GH-250
• Remove new line from injected token: GH-250

0.10.0 (April 14, 2021)

Features:

• Added flags/envs to change default resources for all injected containers: GH-235
• Added an annotation to use template path on disk: GH-222
• Added an annotation and global flag to change default template from map to json: GH-242

Improvements:

• Better support for IRSA on AWS/EKS: GH-169

0.9.0 (March 18, 2021)

Features:

• Added annotation to specify HTTPS proxy on Vault Agent containers: GH-211
• Added support for all auto-auth methods: GH-213
• Added support for persistent agent caching: GH-229
• Arm binaries and images are now being published as part of a release: GH-221

Improvements:

Bugs:

0.8.0 (February 2, 2021)

Features:

• Added annotation to copy mounts from a specified container: GH-212
• Added annotation to change log format for the agent: GH-200

0.7.0 (January 5, 2021)

Features:

• Added UBI container image: GH-183
• Support for multiple replicas with auto-tls: GH-198

0.6.0 (October 20, 2020)

Features:

• Added extra-secret annotation for mounting kube-secrets: GH-119

Improvements:

• Resource limits and requests can be disabled via annotation: GH-174

0.5.0 (August 24, 2020)

Features:

• Added annotations to configure agent caching/listener: GH-132
• Added annotation for specifying filenames and paths within the secrets volume: GH-158
• Added prometheus telemetry support: GH-145

Improvements:

• Injected agents are now configured with readOnlyRootFilesystem: true: GH-142
• Added additional security contexts for better integration with restrictive PSPs: GH-153
• Added unique token volumes for init/sidecar: GH-170

0.4.0 (June 2, 2020)

Features:

• Added annotations/envs to change the UID and GID of the Vault Agent process: GH-60
• Added command-line options, annotations, and envs for run-as-same-user and set-security-context: GH-131

Improvements:

Bugs:

0.3.0 (March 5th, 2020)

Features:

• Added flag/env to change log-format for the injector: GH-50
• Added annotation to run a command after template has been rendered: GH-57
• Added annotation to configure Vault namespace: GH-82
• Added annotation to configure Vault Agent log level: GH-82
• Added annotation that shares the Vault Agent token in the shared volume: GH-77
• Added annotations to configure token revocation during shutdown: GH-67
• Added annotations to customize render path of secrets (per secret and global default): GH-71
• Added annotation to preserve case: GH-71
• Added annotation to configure if the init container runs first or last: GH-91

Improvements:

• Added GO111MODULE flag to Makefile: GH-61
• Changed token location from /home/vault/.token to /home/vault/.vault-token: GH-66

Bugs:

• Fixed bug where secret volumes were not shared with other init containers: GH-91

0.2.0 (January 31st, 2020)

Features:

• Added configurable auth mount path annotation and environment variable [GH-23]
• Added kustomize [GH-43]

0.1.2 (January 8th, 2020)

Bugs:

• Fixed bug where tlsSkipVerify was true by default [GH-34]

0.1.1 (January 2nd, 2020)

Bugs:

• Fixed bug causing pods in kube-system to be rejected [GH-14]

0.1.0 (December 17th, 2019)

Initial release