v0.27.3

This is a quick patch release to add Helm chart options.

Added

• Added helm charts the ability to optionally disable custom namespace generation.

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• v0.27.2 -- changelog update by @v0lkan in #1145
• Introducing initial helm-chart for version 0.27.3 by @v0lkan in #1146
• next helm charts (0.27.3) by @v0lkan in #1147
• cleanup by @v0lkan in #1150
• 🌟 enhancement(VSecM Helm Charts): Add kapp annotations and pull secrets by @v0lkan in #1152
• Helm Charts: Ability to opt out from namespace creation by @v0lkan in #1153
• v0.27.3 by @v0lkan in #1154

Full Changelog: v0.27.2...v0.27.3

v0.27.2

Added

• Documented all undocumented public methods in the source code.
• Other documentation updates.
• Updated some of the Asciinema screen recordings of the use cases.
• Minor code fixes and enhancements.
• Added missing imagePullSecrets to SPIFFE CSI Driver helm template of the
  VSecM Helm charts.

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• minor typo by @v0lkan in #1082
• Introducing initial helm-chart for version 0.27.1 by @v0lkan in #1084
• doc changes by @v0lkan in #1085
• 🧹 chore(vsecm): Release next version's manifests by @v0lkan in #1087
• 📚 docs(vsecm): add version snapshot by @v0lkan in #1088
• 🐛 fix(VSecM Keygen): regression: keygen was not decrypting secrets by @v0lkan in #1092
• 🌟 enhancement(VSecM): pointed example images to upstream by @v0lkan in #1093
• Added a new use case by @v0lkan in #1094
• Use case: Using Init container with k8s secrets by @v0lkan in #1095
• 🐛 fix(VSecM): fix logic error in example workload by @v0lkan in #1096
• Create scorecard.yml by @v0lkan in #1098
• 🌟 enhancement(VSecM Web): Add a new landing page by @v0lkan in #1112
• 📚 docs(VSecM Web): add screen recordings to some use cases by @v0lkan in #1114
• Test/app sentinel coverage by @gurkanguray in #1117
• 💄 cosmetic(VSecM Web): landing page mobile fixes by @v0lkan in #1118
• 🌟 enhancement(VSecM): Isolate VSecM SDK by @v0lkan in #1120
• (chore) Version Update for the New SDK Approach to work by @v0lkan in #1121
• 🐛 fix(VSecM Helm Charts): SPIRE Server was crashing if not persistent by @v0lkan in #1122
• Refactor: fix potential panic & refactor some code by @canack in #1123
• 🚨 test(VSecM): unit tests added for core/audit and core/constants by @gurkanguray in #1099
• 📚 docs(VSecM Web): added new contributor hours video recording by @v0lkan in #1125
• update roadmap by @v0lkan in #1126
• Finalized pending ADRs + security enhancements by @v0lkan in #1127
• Bump google.golang.org/grpc from 1.64.0 to 1.64.1 in /sdk by @dependabot in #1128
• 🚨 test(VSecM Sentinel): 1100 add unit test and refactor app/sentinel by @gurkanguray in #1129
• Release v0.27.1 by @v0lkan in #1130
• Introducing initial helm-chart for version 0.27.2 by @v0lkan in #1132
• 🌟 enhancement(VSecM): next helm charts and docs by @v0lkan in #1133
• 0.27.2 (future version) by @v0lkan in #1136
• documentation update and minor code fixes by @v0lkan in #1137
• doc update by @v0lkan in #1138
• 🐛 increased go version in test-coverage.yml by @marikann in #1139
• documentation update + spiffe workshop files by @v0lkan in #1140
• add helper scripts to workshop by @v0lkan in #1141
• Update CODEOWNERS by @v0lkan in #1142
• v0.27.2 by @v0lkan in #1143

New Contributors

• @canack made their first contribution in #1123

Full Changelog: v0.27.0...v0.27.2

v0.27.1

This is a security and stability release. We have fixed several vulnerabilities
and made the components more robust.

Added

• Increased test coverage.
• Minor bug fixes and performance improvements.
• Documentation updates.

Changed

• Updated Go to version 1.23.1 on major components. vSecM SDK remains at Go
  version 1.21.0 to offer compatibility with older systems. This is the smallest
  version that we can support with the SDK without exposing vulnerabilities.

Fixed

• Fixed a bug where SPIRE Server was crashing when using Helm charts and not
  enabling persistent volumes.

Security

• Fixed GHSA-xr7q-jx4m-x55m Private tokens could appear in logs if context containing gRPC metadata is logged in

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• minor typo by @v0lkan in #1082
• Introducing initial helm-chart for version 0.27.1 by @v0lkan in #1084
• doc changes by @v0lkan in #1085
• 🧹 chore(vsecm): Release next version's manifests by @v0lkan in #1087
• 📚 docs(vsecm): add version snapshot by @v0lkan in #1088
• 🐛 fix(VSecM Keygen): regression: keygen was not decrypting secrets by @v0lkan in #1092
• 🌟 enhancement(VSecM): pointed example images to upstream by @v0lkan in #1093
• Added a new use case by @v0lkan in #1094
• Use case: Using Init container with k8s secrets by @v0lkan in #1095
• 🐛 fix(VSecM): fix logic error in example workload by @v0lkan in #1096
• Create scorecard.yml by @v0lkan in #1098
• 🌟 enhancement(VSecM Web): Add a new landing page by @v0lkan in #1112
• 📚 docs(VSecM Web): add screen recordings to some use cases by @v0lkan in #1114
• Test/app sentinel coverage by @gurkanguray in #1117
• 💄 cosmetic(VSecM Web): landing page mobile fixes by @v0lkan in #1118
• 🌟 enhancement(VSecM): Isolate VSecM SDK by @v0lkan in #1120
• (chore) Version Update for the New SDK Approach to work by @v0lkan in #1121
• 🐛 fix(VSecM Helm Charts): SPIRE Server was crashing if not persistent by @v0lkan in #1122
• Refactor: fix potential panic & refactor some code by @canack in #1123
• 🚨 test(VSecM): unit tests added for core/audit and core/constants by @gurkanguray in #1099
• 📚 docs(VSecM Web): added new contributor hours video recording by @v0lkan in #1125
• update roadmap by @v0lkan in #1126
• Finalized pending ADRs + security enhancements by @v0lkan in #1127
• Bump google.golang.org/grpc from 1.64.0 to 1.64.1 in /sdk by @dependabot in #1128
• 🚨 test(VSecM Sentinel): 1100 add unit test and refactor app/sentinel by @gurkanguray in #1129
• Release v0.27.1 by @v0lkan in #1130

New Contributors

• @canack made their first contribution in #1123

Full Changelog: v0.27.0...v0.27.1

v0.27.0

Changed

• Removed useClusterSpiffeIds and useSpireControllerManager from helm charts
  options. SPIRE helm charts use SPIRE Controller Manager, and disabling it
  is nontrivial. Also, ClusterSPIFFEIDs are the best way to manage SPIFFEIDs
  in a Kubernetes cluster. — If we find a use case where these options are
  necessary, or if there is a need from the community, we can modify the
  code to let SPIRE install without SPIRE Controller Manager and bring those
  flags back.
• Optimized the build pipeline, reducing the build time by 60%.
• Removed bundle endpoints from SPIRE manifests. We don't use them anywhere.
  If there is a need, we can bring them back. Note that this also impacts
  the experimental "federation" feature. Federation can still be enabled
  by manually editing the SPIRE Server and SPIRE Agent configmaps. Later, we'll
  have a cross-cluster replication feature where we will introduce these
  bundle endpoints using a hub-spoke topology in a more controlled manner.

Added

• Introduced new Architecture Decision Records (ADRs) as drafts. These ADRs
  will be reviewed and finalized in the upcoming releases.
• Namespaces of vsecm-system, spire-server, and spire-system can now
  be dynamically configurable via Helm charts.
• Various documentation and README updates.

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• cleanup by @v0lkan in #1063
• 🐛 fix(VSecM Helm Charts): remove ability to not use SCM by @v0lkan in #1064
• remove default spiffeids. by @v0lkan in #1065
• Make Namespaces Dynamic in Helm Charts by @v0lkan in #1066
• Build Time Improvement by @v0lkan in #1067
• Code Cleanup and Doc Updates by @v0lkan in #1069
• Convert Internal RootKey Representation to a Struct by @v0lkan in #1070
• 🛡️ security(VSecM): remove printAdditionalDetails from envInfo by @v0lkan in #1071
• Documentation and Security Updates by @v0lkan in #1073
• 🚨 test(VSecM): 902 add test for url.go by @omergk28 in #1072
• 899 builder test by @omergk28 in #1074
• minor wording change by @v0lkan in #1076
• manifest updates by @v0lkan in #1077
• fixed broken links in README and other documentation updates by @v0lkan in #1079
• README update by @v0lkan in #1080
• v0.27.0 by @v0lkan in #1081

Full Changelog: v0.26.1...v0.27.0

v0.26.1

Added

• VMware Secrets Manager Helm charts now have the ability to generate
  RedHat OpenShift compatible manifests. You’ll need to set global.enableOpenShift
  to true to use this feature. It is false by default because it introduced
  OpenShift-specific security rules that other clusters will not interpret
  properly.
• Introduced new images spireHelperBash, spireHelperKubectl,
  openShiftHelperUbi9 to help and streamline SPIRE deployment and harden
  its security by mutating webhook configurations and other security attributes
  post-install.
• Increased unit tests coverage. Our first target is 50%, and we are aiming to
  reach there one unit test at a time.
• Documentation updates.

Changed

• BREAKING: We have made significant updates in the VSecM SPIRE helm charts
  to align them with the official upstream SPIFFE helm-charts-hardened
  project. This means, VSecM users will need to add className: "vsecm" to
  their workload SPIFFEID for the workloads to get their SVIDs.
• BREAKING: The default SPIRE Agent socket is renamed to spire-agent.sock
  instead of agent.sock. If you are using VSecM SDK or VSecM Sidecar
  this change is transparent; however if you are manually consuming the SPIRE
  Agent socket, you’d need to change your code to listen to the new socket.
• SPIRE Server and SPIRE Agent configuration values in the ConfigMaps are now
  in JSON form to align with helm-charts-hardened.
• SPIRE Server Service is now serving from the standard TLS port 443.
• Updated SPIRE-related dependencies to their recent stable versions.
• Updates in the exponential backoff algorithm to make it more robust.
• Certain environment variables changed, the changes have not reflected to the
  documentation by the time of this release note. We will update the documentation
  shortly. In the meantime, when in doubt, take source code as the authoritative
  reference for variable naming. Helm charts will also contain the correct
  environment variable names and default values.
• Other refactorings in the codebase to improve performance. The changes do
  not change the behavior or introduce any new behavior.

Security

• SPIRE Server is now in its own namespace (to benefit from the security of
  namespace isolation) and also has a restricted pod security audit with
  a read-only file system and an unprivileged non-root account.
• Other security enhancements especially focused around SPIRE.

Fixed

• Several minor bugfixes and regressions.

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Introducing initial helm-chart for version 0.26.1 by @v0lkan in #1024
• 📚 docs(VSecM): Documentation Updates by @v0lkan in #1033
• 💄 cosmetic(VSecM): fix a dockerfile build warning by @v0lkan in #1034
• 🛡️ security(VSecM Helm Charts): add security labels to namespaces by @v0lkan in #1035
• generated files for the playground by @v0lkan in #1036
• manifest changes by @v0lkan in #1039
• convert configs to json form by @v0lkan in #1041
• Rename socket path by @v0lkan in #1042
• helm chart changes by @v0lkan in #1043
• more manifest changes by @v0lkan in #1044
• update spire server port to 443 by @v0lkan in #1045
• manifest updates by @v0lkan in #1046
• Helm Changes and OpenShift Support by @v0lkan in #1047

Full Changelog: v0.26.0...v0.26.1

v0.26.0

Added

• Added the ability to have regex-based SPIFFE ID matchers.
• Enabled stricter validation on SPIFFE IDs to reduce configuration errors.
• Added ability to optionally use multiple worker nodes for the development
  clusters.
• Introduced helm-docs to automatically augment the documentation with the
  Helm chart's values.yaml.
• Added the ability to deploy VSecM without SPIRE Controller Manager. In this
  mode, the operator will need to manually create SPIRE Server registration
  entries.
• Added the ability to not create ClusterSPIFFEIDs for the VSecM components
  automatically. In this mode, the operator will need to manually create those
  required ClusterSPIFFEIDs.
• Ability to use regexes for SPIFFEID prefix matching.
• Ability to use a custom trust domain.
• Ability to Use Regex-Based Validation for Sentinel, Safe, and Workload
  SPIFFE IDs.
• Code cleanup and refactoring.
• Random secret generator can now generate symbols too, along with numbers and
  letters.
• Created a ./lib folder to hold common code that can be shared across
  different components, or even be imported by external applications.
• Stability: Enhancements in liveness and readiness probes for VSecM components.
  This change ensures that the components are more resilient and reliable.
• Enable Istio-style SPIFFE IDs; custom namespaces, and custom trust domains.

Changed

• Lots of documentation updates to reflect the recent changes in the project.
• Replaced github.com/pkg/errors with the native errors package
  to reduce the number of dependencies and the codebase more
  secure and maintainable.
• Updates to the exponential backoff algorithm.
• Enhancements to speed up build time.
• Rephrased the "Problem reading secret" error message to be more informative.
  The message ought to have been a notification, not an error because it
  regularly happens during cache misses. Fixed the wording to indicate
  there is no need to panic.
• We started using zola for the documentation
  website. This change makes the documentation website faster, more accessible,
  and easier to navigate and follow.

Security

• Stricter workload validation: Workload validation now panics if the SPIFFE ID
  does not have the proper trust domain or is badly formatted.

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Initializing helm chart/0.25.4 by @v0lkan in #964
• release 0.25.3 by @v0lkan in #967
• documentation patch by @v0lkan in #969
• ✨ test(VSecM): increase test coverage from core/env by @muratmirgun in #970
• 🚨 test(VSecM): add missed unit tests by @muratmirgun in #972
• minor refactoring by @v0lkan in #973
• Ability to Use Regex-Based Validation for Sentinel, Safe, and Workload SPIFFE IDs by @v0lkan in #974
• documentation update by @v0lkan in #978
• Remove side effects from certain functions. by @v0lkan in #979
• Add symbols support for secret gen function by @BulldromeQ in #971
• Documentation update and multi-node minikube by @v0lkan in #981
• Introduce helm-docs by @v0lkan in #984
• Remove FIPS from build-local by @v0lkan in #990
• [security] Move SPIRE Server Into its Own Namespace by @v0lkan in #992
• Increase Unite Tests to %19 by @muratmirgun in #991
• Backoff Algorithm Updates by @v0lkan in #993
• Environment Variable Updates by @v0lkan in #994
• Minor fixes in makefiles by @v0lkan in #1000
• Instructions to publish the new documentation by @v0lkan in #1001
• Various Refactorings by @v0lkan in #1002
• Documentation update. by @v0lkan in #1003
• rename "internal" to "lib" by @v0lkan in #1004
• Use Go’s Native “errors” Package by @v0lkan in #1005
• Minor Refactorings by @v0lkan in #1007
• Created a ./lib folder for reusable modules. by @v0lkan in #1008
• Consolidate Constants by @v0lkan in #1009
• minor refactoring by @v0lkan in #1010
• Enable Istio-style SPIFFE IDs; custom namespaces, and trust domains by @v0lkan in #1011
• Minor by @v0lkan in #1012
• Mainly documentation updates by @v0lkan in #1015
• Add unit test for core/crypto and a little change in the empty []byte return value. by @yigithankarabulut in #1014
• 🌟 enhancement(VSecM Helm Charts): add operated-by label to secrets by @v0lkan in #1016
• Release v0.26.0 by @v0lkan in #1021
• helm docs update by @v0lkan in #1022

Full Changelog: v0.25.3...v0.26.0

v0.25.3

• Removed some configuration options including VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET because how the root key will
  be updated will be depending on backing store implementation. And it does
  not make sense for an operator updating the root key in memory but not
  updating the backing Kubernetes secret. That could bring inconsistencies
  to the system.
• Removed VSECM_SAFE_REMOVE_LINKED_K8S_SECRETS since we have long
  deprecated and removed the -k flag that was dealing with the linked
  Kubernetes secrets. Again, future behavior will be contingent upon the
  backing store plugins that will be implemented.
• Removed Kubernetes secrets deletion queue because we do not link Kubernetes
  secrets to workloads anymore. Deletion of ad-hoc VSecM-generated Kubernetes
  Secrets will be handled by upcoming configuration options. Right now,
  VSecM Safe can only create and update, but not delete Kubernetes Secrets.
• Stability improvements, including adding "exponential backoff"s to places
  where requests can be retried before giving up; also letting the apps
  crash (and be re-crated by the scheduler) if certain critical requests fail
  even after a fair amount exponentially-backed-off of retries (10 by default).
• An entire overhaul of the documentation website: It is now faster, more
  accessible, more usable, easier to navigate and follow.
• Added an experimental Java SDK. The keyword here is: experimental; we
  do know that it does not work out-of-the box, so we are not providing any
  documentation yet: Feel free to join our Slack channel to learn more about
  how best you can use it.
• Refactorings and improvements across the entire codebase.
• Introduced Architectural Decision Records

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Introducing initial helm-chart for version 0.25.3 by @v0lkan in #958
• ✨ feat(VSecM): 448 Java SDK by @sahinakyol in #732
• Updates and Improvements by @v0lkan in #963

Full Changelog: v0.25.2...v0.25.3

v0.25.2

This release introduced many structural changes. The functionality remains
the same, but the codebase is more organized and easier to maintain.
We had to temporarily disable some of the unit tests to make the release
happen on time. We will re-enable them before the next release.

Changed

• Simplified audit journaling
• Refactoring and code organization
• Now helm-chart can deploy VSecM and SPIRE to any namespace, before it had
  to be vsecm-system and spire-system respectively.
• removed "backing store" from secret meta info; backing store will be set
  at a global level.
• removed -b (backing store) flag from VSecM Sentinel's CLI too.
• Added certain useful methods from internal packages to the core package
  to make it more reusable. These functionalities may be part of the SDK too,
  later.
• Organized imports and functions according to the project standards.
• Renamed certain modules and functions for clarity.
• Introduced certain environment variables whose functionalities will be
  implemented later.
• updated helm charts, removed hard coded namespace references from service URLs.

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Introducing initial helm-chart for version 0.25.2 by @v0lkan in #948
• add serviceName for conformance by @v0lkan in #952
• 0.25.2 - intermediate release cut by @v0lkan in #953
• Enable Namespace Change in Helm Charts by @v0lkan in #955
• Add helm hooks for ordering spire-agent and spire-server deployment by @BulldromeQ in #954
• cleanup by @v0lkan in #956

Full Changelog: v0.25.1...v0.25.2

v0.25.1

This was a stability and reliability release. We have made several improvements
to VSecM Sentinel, helm charts, and Kubernetes manifests to make the system
more reliable and resilient.

Changed

• Converted VSecM Safe and SPIRE Server to StatefulSets (because they are stateful).
• VSecM Sentinel "init command" loop now exits the container if it cannot execute
  commands after exponential backoff. The former behavior was to retry forever,
  and that was not a cloud-native way of handling the situation. Panicking
  early and thus killing the pod fixed issues with things like persistent volumes
  and CSI drivers.

Fixed

• Minor bug fixes in the VSecM Sentinel init command workflow.

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Introducing initial helm-chart for version 0.25.1 by @v0lkan in #938
• v0.25.0 release notes by @v0lkan in #940
• 🌟 enhancement(VSecM Sentinel): refactored forever loops by @v0lkan in #946
• PV Support for VSecM Safe by @v0lkan in #947

Full Changelog: v0.25.0...v0.25.1

v0.25.0

Added

• Documentation updates.
• Added liveness and readiness probes to SPIRE Server and SPIRE Agent.
• Added pod priority classes to SPIRE Server, SPIRE Agent, and VSecM pods
  to ensure that VSecM components are prioritized and maintained in the
  event of resource constraints.
• VSecM Sentinel Init Commands can now wait a configurable amount of time
  before running. This feature is useful when you want to delay the execution
  of the init commands to ensure that other components are ready.
• VSecM Sentinel can now wait before marking Init Commands as successful.
  This feature is useful when you want to delay the readiness of VSecM Sentinel
  until other components are ready.
• VSecM Sentinel Init Command can now parse and understand all VSecM Sentinel
  commands.
• Added Generated protobuffer files into the source code for ease of maintenance.

Changed

• Removed the tombstone feature, we use VSecM Keystone instead of tombstone,
  which is more reliable, secure, and under our control.
• Reliability improvements in VSecM Sentinel. For example, VSecM Sentinel does
  not wait forever in a loop for VSecM Safe to be ready. Instead, it crashes
  after a grace period, and the orchestrator can restart it in a more cloud-native way.
• SPIRE Server is now a StatefulSet by default instead of a Deployment.
  This change ensures that SPIRE Server has a stable identity across restarts.
• VSecM Keystone, and VSecM Keystone secrets are being used instead of tombstone.
• Various other stabilization improvements.

Fixed

• Minor bug fixes and feature enhancements.

Security

• Fixed CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
• Fixed GHSA-pxvg-2qj5-37jq Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs
• Fixed GHSA-xc9x-jj77-9p9j Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
• Fixed GHSA-vcc3-rw6f-jv97 Use-after-free in libxml2 via Nokogiri::XML::Reader
• Addressed CVE-2020-8559 Privilege Escalation in Kubernetes

---

Check out the changelog for a human-readable summary of what has happened so far.

Below are the generated release notes of every commit since the last release cut:

What's Changed

• next helm charts by @v0lkan in #796
• next by @v0lkan in #798
• 💄 cosmetic(VSecM): rename busywait to background by @v0lkan in #811
• add wait time to init commands by @v0lkan in #813
• 🌟 enhancement(VSecM Sentinel): option to terminate early by @v0lkan in #814
• wait before marking init command as successful by @v0lkan in #816
• SDK signature change by @v0lkan in #818
• Refactoring Init Command code by @v0lkan in #819
• Closes #644, Add statefulset support in spire-server fix by @BulldromeQ in #812
• Address some of the TODO’s in the source code by @v0lkan in #820
• statefulset by @v0lkan in #823
• Remove Tombstone and Use Keystone Instead by @v0lkan in #824
• 🌟 enhancement(VSecM Sentinel): processInitCommands improvement by @v0lkan in #825
• documentation update by @v0lkan in #826
• documentation updates by @v0lkan in #911
• Update spire-server.yaml statefulset missing serviceName by @BulldromeQ in #926
• enhancement: protofiles generated, dev-env md and workflow edited by @marikann in #930
• Stabilization Improvement for the Helm Charts (for Resource-Limited Environments) by @v0lkan in #933
• Add events-based cache by @v0lkan in #934
• Bump golang.org/x/net from 0.19.0 to 0.23.0 by @dependabot in #936
• Introducing initial helm-chart for version 0.25.0 by @v0lkan in #937

Full Changelog: v0.24.4...v0.25.0