- [UPGRADE] Upgrade apiextensions.k8s.io from v1beta1 to v1
- [FEATURE] Populating Labels and Annotations from the SecretDefinition to the generated Secret.
- [ENHANCEMENT] Updates the
managed-by
andupdatedAt
labels to more closely match k8s recommended values (using annotations and recommended labels), as seen below:
annotations:
secrets-manager.tuenti.io/lastUpdateTime: 2020-04-22T14.34.17Z
labels:
app.kubernetes.io/managed-by: secrets-manager
- [BEHAVIOUR] Using flags watch-namespaces / exclude-namespaces. They interact differently.
- All namespaces are watched. A namespace is excluded if it is specified within the exclude-namespaces flag.
- [FEATURE] Adding auth-method param to specify Vault authentication method.
- Adding vault authentication method from kubernetes. With auth-method param set to kubernetes.
- [BUG] set the controller name to something unique avoid 'duplicate metrics collector registration attempted' errors.
- No logic changes in secrets-manager. But we are going to stablish some changes in the project management:
-
Now versions are going to follow semantic versioning where version tags are going to have the 'v' preffix, they are going to be just:
- v{major}.{minor}.{patch}, where major, minor and path are integers
-
From now on we are going to push release candidates to the docker registry
-
Stable release. Adds watching specific namespaces (see v1.0.2-rc.1) and some minor fixes.
- Deleting a
SecretDefinition
hangs if the corresponding secret does not exist. - Invalid metric names in README
- Unused prometheus metrics
secrets_manager_controller_update_secret_errors_total
andsecrets_manager_controller_last_updated
Stable release
Release Candidate 1
SecretDefinitions
created viaCustomResourceDefinitions
- If the
SecretDefinion
gets deleted, the corresponding secret will be removed too. - New zap logger based on controller-runtime project. Use
-enable-debug-log
to get a more verbose output.
- congimaps won't be supported to define secrets, and so that won't work all the relevant configmap flags.
- log.format and log.level flags won't work anymore, as we have changed the logger to addapt to the controller-runtime project. Use
-enable-debug-log
to get a more verbose output. config.backend-scrape-interval
no longer works as we check the backend state on every reconcile event. Usereconcile-period
insteadlisten-address
removed in favor ofmetrics-addr
- Enable Vault AppRole auth method and
secrets-manager
will try to re-login every time it fails to fetch the token. This will makesecrets-manager
more resilient to issues connecting to Vault that potentially caused the token to expire. - New
secrets_manager_login_errors_total
Prometheus metric.
- Token based login won't be supported, as re-login with and invalid token won't make
secrets-manager
to self-heal. - This makes this new version not backward compatible with previous v0.2.0
Stable
- New
secrets_manager_vault_max_token_ttl
metric, so a user could alert based on this andsecrets_manager_token_ttl
- New
secrets_manager_secret_last_sync_status
metric, that shows wether the secret succeded or not in last synchronization iteration
- Backend timeout not properly set through flags
- Deprecates
secrets_manager_vault_token_expired
metric as it was quite confusing since it's not really possible forsecrets-manager
to know when the token it's expired, just when it's "close to expire". - Renames counter metrics to follow the Prometheus naming standard with the
_total
suffix instead of_count
. - Simplifies prometheus token renewal metrics by merging
secrets_manager_vault_token_lookup_errors_count
andsecrets_manager_vault_token_renew_errors_count
into one single metricsecrets_manager_vault_token_renewal_errors_total
with one more dimension calledvault_operation
which will be one oflookup-self, renew-self, is-renewable
.
- Enable prometheus metrics
cfg.backend-timeout
flag to specify a connection timeout to the secrets backend.listen-address
flag to specify the listen address of the HTTP API
- Bad return condition in startTokenRenewer, so token lookup won't happen in case of a token revoked.