-
Notifications
You must be signed in to change notification settings - Fork 7
/
CHANGELOG
36 lines (32 loc) · 2.41 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
v1.3.0: 22-Nov-2021
* Errors during sync loop while running sidecar mode will no longer terminate vault-ctrl-tool.
* Sidecar mode now can run a Prometheus metrics endpoint which emits metrics about sidecar syncs.
Prometheus can be toggled with "--enable-prometheus-metrics" and have its port overridden by "--prometheus-port".
* Added better documentation and some refactoring and cleanup of internal libraries.
* Vault client HTTP timeout and maxRetries are now configurable using "--vault-client-timeout" and "--vault-client-retries" flags.
Note: These now default to 30s and 2, respectively. Compared to previous version of vault-ctrl-tool which where 60s, 2.
v1.2.0: 26-May-2021
* Added --force-refresh-ttl which temporary credentials will optionally be renewed before their actual expiry.
* Added --sts-ttl flag which lets you specify token ttl for aws tokens
generated using sts.
* Added buildVersion value when running version flag (vault-ctrl-tool --version)
* Embedded version now uses semver that will correspond with tagged versions.
10-Nov-2020
* secrets that only output raw fields can now have a lifetime of "version". The output of these fields
will be updated when the version # of the secret changes
* output of raw fields support base64 decoding with "encoding: base64" per-field
* secrets can be pinned to a specific version - this is generally inadvisable, but can be done if needed
for testing with "pinnedVersion:"
* secrets with lifetime of "version" can specify a "touchfile" which is touched when any fields are rewritten (for
external services to trigger refreshes). Touchfiles are only touched after fields are rewritten.
13-Oct-2020
* vault-token ConfigMap supports "renewable" which is used to tell v-c-t to not renew the vault token in the ConfigMap
* TOKEN_RENEWABLE environment variable can be used to disable renewing a passed in VAULT_TOKEN
* --token-renewable can be set to "false" to disable renewing the token passed in on the command line
* NOTE: these mechanisms only disable their respective token. For example TOKEN_RENEWABLE=false has no effect on ConfigMap
or tokens passed in as CLI args.
23-Sep-2020
* Started CHANGELOG
* Added provisional file locking around sync runs to prevent concurrent modification
* --init in Kubernetes will now function as a --sidecar --oneshot instead of re-authenticating (this is to
work around Kubernetes issues where init containers will re-run)