
Releases: SparebankenVest/azure-key-vault-to-kubernetes

Release 1.3.1

18 Apr 16:10

The most notable changes in this release are:

  • Fall back to the Pod's generated name when creating a secret for an unnamed pod #322
  • Use a more refined regex to match valid injectable secret names #320 #281
  • Use the correct RBAC Role vs ClusterRole when watchAllNamespaces is false SparebankenVest/public-helm-charts#62
  • Upgrade k8s client v0.23.5
  • Upgrade go 1.18
  • Upgrade alpine base image 3.15.6

Controller

Features

  • Upgrade k8s client v0.23.5
  • Upgrade go 1.18
  • Upgrade alpine base image 3.15.6

Bug Fixes

  • Fall back to the Pod's generated name when creating a secret for an unnamed pod #322
  • Use a more refined regex to match valid injectable secret names #320 #281

Helm Charts

Chart and Image versions

Type          Component                          Version
Helm Chart    akv2k8s                            2.2.0
Docker Image  spvest/azure-keyvault-controller   1.3.1
Docker Image  spvest/azure-keyvault-webhook      1.3.1
Docker Image  spvest/azure-keyvault-env          1.3.1

Release 1.3.0

06 Aug 08:51
a375982

The most notable changes in this release are:

  • Ability to run controller in specific namespace only
  • Ability to allow akvs objects with different labels to be handled by controllers with different authorization policies
  • Generate CRDs from code with controller-gen

Controller

Features

  • #82 - Allow controller to run in specific namespace only
  • #159 - Generate CRDs with controller-gen
  • #174 - Export certificates stored as Base64 PFX in Azure Key Vault secret object as Kubernetes TLS secret
  • #178 - Allow akvs objects with different labels to be handled by controllers with different authorization policies
  • #202 - Upgrade dependencies k8s to v0.21.2
  • Upgrade to Go 1.16.5
  • Upgrade alpine base image to 3.14.0

Bug Fixes

  • #209 - Fix using an EC header/footer for ECDSA keys

Docs

  • Docs for version 1.3 are now the default; version 1.2 added to the version dropdown

Helm Charts

Chart and Image versions

Type          Component                          Version
Helm Chart    akv2k8s                            2.1.0
Docker Image  spvest/azure-keyvault-controller   1.3.0
Docker Image  spvest/azure-keyvault-webhook      1.3.0
Docker Image  spvest/azure-keyvault-env          1.3.0

controller-1.2.3

25 Mar 09:53
bb751ae

Bug fixes

  • Fix nonexistent secret (#167)
  • Fix nonexistent configmap
  • Fix null pointer when secret has no owner (#168)

Release 1.2.2

01 Mar 05:29

Env-Injector

Bug Fixes

  • Make sure authService exists before creating http endpoints

Chart and Image versions

Type          Component                          Version
Helm Chart    akv2k8s                            2.0.2
Docker Image  spvest/azure-keyvault-controller   1.2.0
Docker Image  spvest/azure-keyvault-webhook      1.2.2
Docker Image  spvest/azure-keyvault-env          1.2.1

Release 1.2.1

01 Mar 05:29

Env-Injector

Bug Fixes

  • Ensure Pod Name and Namespace are injected as env vars into Pod when authService is disabled
  • Only create and validate credentials when authService is enabled

Env-Injector Init Container

Features

  • Handle log level and format from env variables using klog

Chart and Image versions

Type          Component                          Version
Helm Chart    akv2k8s                            2.0.1
Docker Image  spvest/azure-keyvault-controller   1.2.0
Docker Image  spvest/azure-keyvault-webhook      1.2.1
Docker Image  spvest/azure-keyvault-env          1.2.1

webhook-1.2.2

01 Mar 05:24
Webhook version 1.2.2

webhook-1.2.1

01 Mar 05:23
Webhook version 1.2.1

Release 1.2.0

28 Feb 10:50

The most notable changes in this release are:

  • The Controller supports sync to ConfigMap (in addition to Secret)
  • The Controller supports several AzureKeyVaultSecret resources pointing to the same Secret/ConfigMap as long as they have different output dataKeys
  • The Env Injector's auth service uses Mutual TLS authentication (mTLS) to secure the credential exchange with Pods
  • Both the Controller and the Env Injector have optional Prometheus metrics
  • All known stability issues with version 1.1 should be fixed

Env-Injector

Features

  • The Env Injector's auth service uses Mutual TLS authentication (mTLS) to secure the credential exchange with Pods
  • #38 - Optionally expose Prometheus metrics

Bug Fixes

  • #55 - when using aad-pod-identity, env-injector fails to pull image from ACR
  • #147 - akv2k8s-ca ConfigMap disappears after some hours, never to come back
  • #151 - secret output transform does not work - the CRD and the API were using different keys
  • #153 - config map deleted by the Kubernetes garbage collector

Other

  • The CA Bundle sync is removed, as this is now handled during Pod mutation in the Env-Injector

Controller

Features

  • #18 - Sync to ConfigMap (requires AzureKeyVaultSecret apiVersion: spv.no/v2beta1)
  • #36 - Multiple AzureKeyVaultSecret resources can reference the same Secret/ConfigMap as long as they have different output dataKeys
  • #38 - Optionally expose Prometheus metrics

Docs

  • Docs for version 1.2 are now the default; version 1.1 added to the version dropdown
  • New features documented
  • Examples/tutorials updated with the latest CRD API version apiVersion: spv.no/v2beta1
  • Installation section updated with the latest changes
  • Section added for Monitoring (logs and metrics)

Helm Charts

  • Standardized all labels, simplified and standardized values - breaking change, requires major version bump to 2.0.0
  • Support global values which affect both the Controller and the Env Injector, preventing value duplication
  • Enable Prometheus metrics configuration and ServiceMonitor configuration
  • Support adding extra volumes
  • Use ephemeral ports internally by default to avoid running with elevated privileges

Chart and Image versions

Type          Component                          Version
Helm Chart    akv2k8s                            2.0.0
Docker Image  spvest/azure-keyvault-controller   1.2.0
Docker Image  spvest/azure-keyvault-webhook      1.2.0
Docker Image  spvest/azure-keyvault-env          1.2.0

Release 1.1.1

13 Oct 17:34

The most notable changes in this release are:

  • a complete rewrite of how Azure Key Vault authentication is handled and secured in Env-Injector
  • a new Helm chart akv2k8s containing both the Controller and Env-Injector

General

Features

  • Support for Azure Managed Identities (MSI) when authenticating with Azure Key Vault
  • Support fmt and json log formats - fmt is default
  • Support other cloud types than Public Cloud (AZURECHINACLOUD, AZUREGERMANCLOUD and AZUREUSGOVERNMENTCLOUD)

Other

  • AzureKeyVaultSecret CRD version changed from apiVersion: spv.no/v1alpha1 to apiVersion: spv.no/v1 - still backward compatible with previous versions
  • Kubernetes >= v0.17.4

Env-Injector

Features

  • Basic support for Prometheus metrics
  • Use remote inspection, instead of docker pull, to find the Docker image's cmd or entrypoint
  • As part of the Auth service, introduced a ca-bundle-controller that will sync akv2k8s ca-cert to every namespace enabled with env-injection
  • Support for SHA Docker image notation

Bug Fixes

  • Provide an Auth endpoint as a better and more secure alternative to storing credentials in a volume attached to a Pod - fixes issue #25 (and #42 #40 #39 and more) about getting OAuth tokens to authenticate with Azure Key Vault
  • Fix #69 - handle containers with no explicit cmd

Controller

Features

  • Add chainOrder option to ensure server certificate is first in chain (thanks to @david.mansson)

Bug Fixes

  • #104 - pass on labels and annotations from AzureKeyVaultSecret to Kubernetes Secret

Docs

  • Updated tutorials
  • Show multiple versions (currently 1.0 and 1.1) - 1.1 is now the default
  • Updated authentication docs to reflect changes in 1.1

Helm Charts

  • Introduced a new Helm chart (akv2k8s) that contains both the Controller and Env-Injector in one chart AND uses Helm 3
  • Removed CRDs from old charts (azure-key-vault-controller and azure-key-vault-env-injector)
  • Updated installation instructions for why and how to manually install CRDs
  • Fixed issue #55 where auth with ACR was not working
  • Support log format fmt and json
  • New charts have major changes in values - make sure to check that yours match

Components versions

Type          Component                        Version
Helm Chart    akv2k8s                          1.1.24
Helm Chart    azure-key-vault-controller       1.1.3
Helm Chart    azure-key-vault-env-injector     1.1.18
Docker Image  azure-keyvault-controller        1.1.0
Docker Image  azure-keyvault-webhook           1.1.10
Docker Image  azure-keyvault-env               1.1.1
Docker Image  ca-bundle-controller             1.1.0

Release 1.1.0-beta.4

17 Mar 22:09
Pre-release

This is a beta release to verify several fixes to the env-injector, as described in issue #42. There were two main issues:

  1. The env-injector copied azure.json (containing the AKS Service Principal) to every Pod using secret injection, and users could exec into the Pod and view the file content. Deleting the file was not an option, since it would prevent the container from recovering from errors (Pod restarting the container), as the file was needed to authenticate with AKV.
  2. A user could exec into a Pod and execute /azure-keyvault/azure-keyvault-env printenv, and it would download and print out all injected secrets.

The implemented solution:

  1. An auth endpoint, protected by a client certificate, is added to the env-injector webhook. The azure-keyvault-env executable calls this endpoint (instead of using credentials from azure.json) to get an OAuth token for accessing AKV. This prevents the AKS Service Principal credentials from being revealed inside the Pod, while still using the same credentials.
  2. To prevent arbitrary arguments from being passed to /azure-keyvault/azure-keyvault-env (like printenv), the env-injector webhook creates a signature of the original arguments, and azure-keyvault-env checks that signature before executing. This prevents secrets from being revealed in plain text when exec'ing into the Pod.
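The argument-signature check in point 2, as an added illustration that is not the project's own code: the webhook signs the container's original command at mutation time and the injected executable refuses to run anything that does not verify. HMAC-SHA256 with a shared key, the length-prefixed argument encoding and how the verifying side obtains the key are all assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// encodeArgs serialises the argument vector unambiguously: every argument is
// length-prefixed, so {"--port 8080"} and {"--port", "8080"} yield different bytes.
func encodeArgs(args []string) []byte {
	var b strings.Builder
	for _, a := range args {
		b.WriteString(strconv.Itoa(len(a)))
		b.WriteByte(':')
		b.WriteString(a)
		b.WriteByte(';')
	}
	return []byte(b.String())
}

// SignArgs models the webhook side: compute a MAC over the original
// command/args at Pod mutation time (key handling is an assumption here).
func SignArgs(key []byte, args []string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(encodeArgs(args))
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyArgs models the azure-keyvault-env side: recompute the MAC over the
// arguments actually received and compare in constant time before exec'ing.
func VerifyArgs(key []byte, args []string, sig string) bool {
	want, err := hex.DecodeString(sig)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(encodeArgs(args))
	return hmac.Equal(mac.Sum(nil), want)
}

func main() {
	key := []byte("constructed-example-key") // constructed for the demo, not a real secret
	sig := SignArgs(key, []string{"/app/server", "--port", "8080"})
	fmt.Println(VerifyArgs(key, []string{"/app/server", "--port", "8080"}, sig), // true
		VerifyArgs(key, []string{"printenv"}, sig)) // false
}
```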

Installation / Upgrade

To upgrade an existing Helm chart, run:

helm repo update

and pass --version 1.1.0-beta.1 to helm upgrade.

See https://akv2k8s.io/installation for other details