Improvements:
- Make server NetworkPolicy independent of OpenShift GH-381
Features:
- Added
volumes
andvolumeMounts
for mounting any type of volume GH-314. - Added configurable to enable prometheus telemetery exporter for Vault Agent Injector GH-372
Improvements:
- Added
defaultMode
configurable toextraVolumes
GH-321 - Option to install and use PodSecurityPolicy's for vault server and injector GH-177
VAULT_API_ADDR
is now configurable GH-290- Removed deprecated tolerate unready endpoint annotations GH-363
- Add an option to set annotations on the StatefulSet GH-199
- Make the vault server serviceAccount name a configuration option GH-367
- Removed annotation striction from
dev
mode GH-371 - Add an option to set annotations on PVCs GH-364
- Added service configurables for UI GH-285
Bugs:
- Fix python dependency in test image GH-337
- Fix caBundle not being quoted causing validation issues with Helm 3 GH-352
- Fix injector network policy being rendered when injector is not enabled GH-358
Features:
- Added
extraInitContainers
to define init containers for the Vault cluster GH-258 - Added
postStart
lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready GH-315 - Beta: Added OpenShift support GH-319
Improvements:
- Server configs can now be defined in YAML. Multi-line string configs are still compatible GH-213
- Removed IPC_LOCK privileges since swap is disabled on containers [GH-198]
- Use port names that map to vault.scheme [GH-223]
- Allow both yaml and multi-line string annotations [GH-272]
- Added configurable to set the Raft node name to hostname [GH-269]
- Support setting priorityClassName on pods [GH-282]
- Added support for ingress apiVersion
networking.k8s.io/v1beta1
[GH-310] - Added configurable to change service type for the HA active service GH-317
Bugs:
- Fixed default ingress path [GH-224]
- Fixed annotations for HA standby/active services [GH-268]
- Updated some value defaults to match their use in templates [GH-309]
- Use active service on ingress when ha [GH-270]
- Fixed bug where pull secrets weren't being used for injector image GH-298
Features:
-
Added Raft support for HA mode [GH-228]
-
Now supports Vault Enterprise [GH-250]
-
Added K8s Service Registration for HA modes [GH-250]
-
Option to set
AGENT_INJECT_VAULT_AUTH_PATH
for the injector [GH-185] -
Added environment variables for logging and revocation on Vault Agent Injector [GH-219]
-
Option to set environment variables for the injector deployment [GH-232]
-
Added affinity, tolerations, and nodeSelector options for the injector deployment [GH-234]
-
Made all annotations multi-line strings [GH-227]
Improvements:
- Allow process namespace sharing between Vault and sidecar containers [GH-174]
- Added configurable to change updateStrategy [GH-172]
- Added sleep in the preStop lifecycle step [GH-188]
- Updated chart and tests to Helm 3 [GH-195]
- Adds Values.injector.externalVaultAddr to use the injector with an external vault [GH-207]
Bugs:
- Fix bug where Vault lifecycle was appended after extra containers. [GH-179]
Security:
- Added
server.extraArgs
to allow loading of additional Vault configurations containing sensitive settings GH-175
Bugs:
- Fixed injection bug where wrong environment variables were being used for manually mounted TLS files
Bugs:
- Fixed injection bug where TLS Skip Verify was true by default [VK8S-35]
Bugs:
- Fixed injection bug causing kube-system pods to be rejected [VK8S-14]
Features:
- Extra containers can now be added to the Vault pods
- Added configurability of pod probes
- Added Vault Agent Injector
Improvements:
- Moved
global.image
toserver.image
- Changed UI service template to route pods that aren't ready via
publishNotReadyAddresses: true
- Added better HTTP/HTTPS scheme support to http probes
- Added configurable node port for Vault service
server.authDelegator
is now enabled by default
Bugs:
- Fixed upgrade bug by removing chart label which contained the version
- Fixed typo on
serviceAccount
(wasserviceaccount
) - Fixed readiness/liveliness HTTP probe default to accept standbys
Bugs:
- Removed
readOnlyRootFilesystem
causing issues when validating deployments
Features:
- Added load balancer support
- Added ingress support
- Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc)
- Removed root requirements, now runs as Vault user
Improvements:
- Added namespace value to all rendered objects
- Made ports configurable in services
- Added the ability to add custom annotations to services
- Added docker image for running bats test in CircleCI
- Removed restrictions around
dev
mode such as annotations readOnlyRootFilesystem
is now configurable- Image Pull Policy is now configurable
Bugs:
- Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption)
- Fixed bug where audit storage was not being mounted in HA mode
- Fixed bug where Vault pod wasn't receiving SIGTERM signals
Features:
- Added
extraSecretEnvironmentVars
to allow users to mount secrets as environment variables - Added
tlsDisable
configurable to change HTTP protocols from HTTP/HTTPS depending on the value - Added
serviceNodePort
to configure a NodePort value when settingserviceType
to "NodePort"
Improvements:
- Changed UI port to 8200 for better HTTP protocol support
- Added
path
toextraVolumes
to define where the volume should be mounted. Defaults to/vault/userconfig
- Upgraded Vault to 1.2.2
Bugs:
- Fixed bug where upgrade would fail because immutable labels were being changed (Helm Version label)
- Fixed bug where UI service used wrong selector after updating helm labels
- Added
VAULT_API_ADDR
env to Vault pod to fixed bug where Vault thinks Consul is the active node - Removed
step-down
preStop since it requires authentication. Shutdown signal sent by Kube acts similar tostep-down
Features:
- Added
authDelegator
Cluster Role Binding to Vault service account for bootstrapping Kube auth method
Improvements:
- Added
server.service.clusterIP
tovalues.yml
so users can toggle the Vault service to headless by using the valueNone
. - Upgraded Vault to 1.2.1
Initial release