Changelog

3.2.4 (2026-06-25)

Bug Fixes

  • vault: revoke leaked technical tokens (#85) (08af0f4)

3.2.3 (2026-06-10)

Bug Fixes

  • release: make chart publishing jobs succeed end-to-end (#80) (5279db1)
  • release: stop deleting the package version that holds stable tags (#78) (f768c3a)
  • renewer: decouple renew increment from sync interval (#81) (8aed571)

3.2.2 (2026-06-04)

Bug Fixes

  • deps: bump go directive to 1.26.4 to patch stdlib CVEs (5436350)
  • helm: default image registry to ghcr.io (375923a)
  • release: publish v3.2.1 to ghcr.io and align chart defaults (326e1a1)

Documentation

  • bump install examples to v3.2.1 (a6f2ca6)

CI

  • release: allow workflow_dispatch for an existing tag (4fac603)

3.2.1 (2026-05-25)

Bug Fixes

  • renewer: flush per-pod metrics when pod is deleted (f09c61a)
  • renewer: flush per-pod metrics when pod is deleted (c5ee788)

3.2.0 (2026-05-13)

Features

  • config: add NRI.Prewarmer block (Enabled, MaxConcurrent) (7500b3d)
  • helm: expose nri.prewarmer.{enabled,maxConcurrent} values (53ac202)
  • metrics: add NRI prewarmer counters and cache_hit_total (55993cf)
  • nri: add cacheSource parallel map for cache_hit_total labelling (4e01302)
  • nri: add prewarmer with informer-driven AddFunc + DeleteFunc (201a29b)
  • nri: add resolveMappingWithSource, instrument cache_hit_total (8ebc0fe)
  • nri: prewarmer + fail-closed substitution + ttrpc reconnect lifecycle (77201e7)
  • nri: start prewarmer in runner, gated by Prewarmer.Enabled (2e13f58)

Bug Fixes

  • nri: bounded reconnect on ttrpc disconnect, then crash for kubelet restart (ffcd463)
  • nri: propagate gctx to lifecycle + derive prewarm fetch ctx from runCtx (edb50ec)
  • nri: sweeper now also evicts cacheSource entries (c16d80c)
  • vault: never revoke shared bookkeeping token in cleanup defer (da90242)
  • webhook: never revoke shared bookkeeping token on success path (b8825b1)

Documentation

  • document NRI prewarmer config keys and tuning section (EN+FR) (feb79d6)
  • metrics: document NRI prewarmer and cache_hit_total metrics (2225c43)
  • plans: amend NRI prewarmer plan per plan review (b18e808)
  • plans: implementation plan for NRI prewarmer (2eae186)
  • specs: add NRI prewarmer design spec (e7b24a2)
  • specs: amend NRI prewarmer design per security review (a4a1dcd)
  • specs: fix two stale references after first amendment (7b4de08)

Code refactoring

  • nri: extract evictCacheEntry helper, sync cacheSource (1e3494e)

3.1.0 (2026-05-12)

Features

  • nri: fail-closed substitution + per-step timing logs (0d8b5c3)
  • nri: fail-closed substitution + per-step timing logs (03f49c7)

3.0.1 (2026-05-06)

Bug Fixes

  • ci: regenerate helm/README.md and auto-regen on release-please PRs (d413caf)
  • ci: regenerate helm/README.md and auto-regen on release-please PRs (0bfaa10)
  • vault: detach StoreDataAsync from caller context (5173a39)
  • vault: detach StoreDataAsync from caller context (48af1fc)

3.0.0 (2026-05-06)

⚠ BREAKING CHANGES

  • All Prometheus metric names previously prefixed with vault_injector_ are now prefixed with vdbi_. Dashboards, alerts and recording rules that reference the legacy names must be updated. See docs/how-it-works/migration-v2-to-v3.md (will be added in a follow-up commit) for the full mapping.
  • config: tokenRequestExpirationSeconds default 60 → 600
  • metrics: All Prometheus metric names previously prefixed with vault_injector_ are now prefixed with vdbi_. Dashboards, alerts and recording rules that reference the legacy names must be updated. See docs/how-it-works/migration-v2-to-v3.md (will be added in a follow-up commit) for the full mapping.
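An added example, not part of this changelog or of the project's own code: a small Python script that inventories legacy vault_injector_* names in Prometheus rule or dashboard text and rewrites them to the vdbi_ prefix. It assumes the rename is a plain prefix substitution, as the note above states; the per-metric mapping lives in docs/how-it-works/migration-v2-to-v3.md and is not reproduced here. Metric names inside quoted strings (for instance a __name__ regex matcher) are flagged for manual review rather than rewritten, because a regex may silently match nothing after the rename. The rule file below is constructed for the example; its two metric names are the legacy names mentioned elsewhere in this changelog.

```python
"""Rewrite legacy vault_injector_* metric names to the vdbi_* prefix in PromQL text.

Added example for the v2 -> v3 metric rename; not the project's own tooling.
Assumes the rename is a straight prefix swap (vault_injector_X -> vdbi_X).
"""
import re
from typing import List, Tuple

LEGACY_PREFIX = "vault_injector_"
NEW_PREFIX = "vdbi_"

# A PromQL identifier is [a-zA-Z_:][a-zA-Z0-9_:]*. The negative lookbehind keeps
# us from matching the prefix in the middle of a longer identifier
# (e.g. my_vault_injector_x) or after a label-name character.
_LEGACY_METRIC = re.compile(
    r"(?<![A-Za-z0-9_:])" + re.escape(LEGACY_PREFIX) + r"[A-Za-z0-9_:]*"
)

# PromQL string literals: double-quoted, single-quoted, or backtick-raw.
# Used as a capturing split so odd-indexed parts are the literals themselves.
_STRING = re.compile(r'("(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|`[^`]*`)')


def rewrite_expr(expr: str) -> Tuple[str, List[str]]:
    """Rewrite legacy metric identifiers outside string literals.

    Returns (rewritten_expr, warnings). Literals that mention the legacy prefix
    (typically __name__=~"vault_injector_.*" selectors) are left untouched and
    reported, since the correct replacement depends on the intended match set.
    """
    out: List[str] = []
    warnings: List[str] = []
    for i, part in enumerate(_STRING.split(expr)):
        if i % 2 == 1:  # a quoted string literal
            if LEGACY_PREFIX in part:
                warnings.append(f"string literal references legacy name: {part}")
            out.append(part)
        else:
            out.append(
                _LEGACY_METRIC.sub(
                    lambda m: NEW_PREFIX + m.group(0)[len(LEGACY_PREFIX):], part
                )
            )
    return "".join(out), warnings


def find_legacy_metrics(text: str) -> List[str]:
    """Distinct legacy metric identifiers found outside string literals, sorted."""
    names = set()
    for i, part in enumerate(_STRING.split(text)):
        if i % 2 == 0:
            names.update(_LEGACY_METRIC.findall(part))
    return sorted(names)


def rewrite_rules_text(text: str) -> Tuple[str, List[str]]:
    """Apply rewrite_expr line by line to a rules/dashboard file and prefix
    warnings with the line number. Line-by-line is enough for rule files, where
    PromQL string literals do not span lines."""
    lines_out: List[str] = []
    warnings: List[str] = []
    for lineno, line in enumerate(text.splitlines(keepends=True), 1):
        new, warns = rewrite_expr(line)
        lines_out.append(new)
        warnings.extend(f"line {lineno}: {w}" for w in warns)
    return "".join(lines_out), warnings


# Constructed sample rule file (not from the project). The metric names are the
# legacy names this changelog mentions; the alert and job names are made up.
SAMPLE_RULES = """\
groups:
  - name: vdbi-v2
    rules:
      - alert: VaultInjectorStoreDataFailures
        expr: |
          increase(vault_injector_store_data_count_success[10m]) == 0
          and on(pod) up{job="vault-db-injector"} == 1
        for: 10m
      - record: vault_injector_bpf_map_size:max
        expr: max(vault_injector_bpf_map_size) by (node)
      - alert: LegacyRegexSelector
        expr: count({__name__=~"vault_injector_.*"}) > 0
"""


if __name__ == "__main__":
    print("legacy names found:", find_legacy_metrics(SAMPLE_RULES))
    new_text, warns = rewrite_rules_text(SAMPLE_RULES)
    print(new_text)
    for w in warns:
        print("REVIEW:", w)
```

Run the inventory first (find_legacy_metrics) against every rule file and dashboard export before rewriting, so the list can be checked against the migration mapping; the recording-rule name on the `record:` line is rewritten too, which is correct only if nothing downstream still scrapes the old recorded series.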

Features

  • add .claude (d8af429)
  • bpf: add vault_injector_bpf_map_size gauge metric (62a4ba7)
  • bpf: cilium/ebpf-based loader (ec90cc5)
  • bpf: LSM substitution program (9f48e23)
  • bpf: node-local runner watching local pods (1b070f3)
  • bpf: program BPF map for all containers in a pod (c70d52e)
  • bpf: resolve cgroup_id from podUID + containerID (2c5ca9a)
  • bpf: support cgroupfs driver and mount /sys/kernel/security (b12f1e1)
  • bpf: tmpfs persister for cross-restart mapping recovery (82f386a)
  • bugfix: better sentry implementation, async vault, contextId on… (#29) (01cd9b2)
  • chart,docs: integrate helm-docs for auto-generated Helm values reference (e1edd3a)
  • config: add BPFConfig and ModeBPF runtime mode (de3a3f8)
  • config: add useProjectedSA + TokenRequest options (e3b024e)
  • controller: add RunBPF skeleton and ModeBPF dispatch (b0b69a0)
  • gh-action: fix docker implementation (28e1dce)
  • helm: add per-resource serviceAccountName overrides (0be2585)
  • helm: BPF DaemonSet and bpf.enabled switch (175c728)
  • helm: conditional projected-SA RBAC + config values (1422b3d)
  • helm: dedicated SAs for renewer + revoker (dd27581)
  • helm: per-mode kubeRole overrides (5b63c3a)
  • implement a new rate limit on the vault API to avoid 429 error (2d3b69d)
  • implement a new rate limit on the vault API to avoid 429 error (a537831)
  • k8s: add RequestSAToken (TokenRequest API wrapper) (d5dc983)
  • k8smutator: wrap creds with placeholders when cfg.BPF.Enabled (ade5408)
  • logs: add contextId and duration as fields when necessary. (#32) (b909457)
  • metrics: observability for projected-SA flow (506010d)
  • metrics: rename all metrics to vdbi_* prefix (82f7b35)
  • metrics: warn + gauge when projected mode lacks audience (I7) (8d98df8)
  • NRI injection mode + projected-SA + CI overhaul (#56) (3e2f26c)
  • nri: branch on UseProjectedSA for Vault auth + creds (7eb77b0)
  • nri: pull-not-push refactor — no Vault token in PodSpec (8b6498b)
  • nri: transparent mode — no nri-mapping annotation, label-filtered (984682e)
  • placeholder: fixed-length token generator and matcher (2fe113d)
  • state: enhance the information stored in the state for debugging purposes, including sa, podname and nodename (#20) (27f8998)
  • vault: add WrapValues and UnwrapValues on Connector (55f4a28)
  • vault: cache bookkeeping login token to bound Vault auth load (I4) (f811553)
  • vault: classify Vault login errors for granular metrics (I8) (200c8ea)
  • vault: script + reference doc for Vault roles/policies (215af94)
  • vault: support SkipOrphanCreation in GetDbCredentials (e5cf81e)
  • webhook: branch on UseProjectedSA for Vault auth + creds (a7d9ccd)

Bug Fixes

  • address code review findings on desloppify/code-health (b1768c4)
  • bpf,k8smutator: thread WrapTokenTTL and validate credential length at admission (88d4b3f)
  • bpf: handle informer tombstones and reset processed on missing field (25df0b9)
  • bpf: persist tmpfs as hostPath /run so it survives DS restarts (c7318c8)
  • bpf: pre-program pod-level cgroup to cover init/crash race (04bf668)
  • bpf: repopulate BPF map after DS restart using stored cgroup IDs (fd53ada)
  • bpf: roll back partial PutMapping on multi-container failure (6f4559a)
  • bpf: runtime-validate program — GPL license + integration test compat (a73fc0c)
  • bpf: runtime-validated fixes from k3d end-to-end test (f2e1ffb)
  • bpf: scan envp byte-by-byte using bpf_loop (5.17+) (ec73b51)
  • bpf: snapshot restored UIDs to avoid double-counting mappingsLoaded (81c1f38)
  • bpf: switch from LSM hook to tracepoint/sys_enter_execve (87b9754)
  • bpf: use ConnectAndRenew for Vault token auto-renewal (836e81a)
  • bpf: wire MaxMappingsPerNode to map, add save-rollback, cgroup preflight, and CI invariants (b63f503)
  • ci: align bpf-integration workflow to Go 1.26 (77d4b20)
  • ci: apply final review fixes to release.yml (291c031)
  • ci: bump golangci-lint to v2.12.1 and fix Chart.yaml symlink target (d404b3e)
  • config: hard-fail on empty audiences in projected mode + drop redundant warn (fe6ab56)
  • config: NRIConfig envconfig tags must not repeat nri_ prefix (6fbc53b)
  • config: tokenRequestExpirationSeconds default 60 → 600 (72b0657)
  • controller: propagate context.Err on RunBPF idle path (04cc639)
  • controller: start healthcheck and metrics servers in RunBPF (0444a70)
  • controller: warnLegacyMode only applies to RunInjector (c9f2f3a)
  • deleting uuid from metric cardinality (bf5151e)
  • deleting uuid from metric dimension (3c2f24a)
  • deployment: fix ci and helm (e844aad)
  • deps: bump go-jose/v4 to 4.1.4 and grpc to 1.79.3 (CVE fixes) (d7f1c2d)
  • helm,config: correct BPF DaemonSet args, env prefix, ConfigMap structure, and hostPID (6e9d27c)
  • helm: add injectorLabel default + merge duplicate useProjectedSA conditional (f77d62d)
  • helm: always create ServiceAccount objects (even when overridden) (43c17c9)
  • helm: drop trailing space after tokenRequestAudiences key (118e7d4)
  • helm: gate renewer/revoker SA switch on useProjectedSA (C1) (aa9d054)
  • helm: NRI plugin DS must run as root to connect NRI socket (685ecd1)
  • helm: RBAC bindings target effective SA (auto-bind override) (3f8d137)
  • helm: satisfy yamllint comments-indentation in chart files (ca0dca3)
  • helm: wire BPF DaemonSet to its ConfigMap via --config arg (4146fa4)
  • k8s: guard empty TokenRequest response (356adfa)
  • k8s: pass nil audiences to TokenRequest when list is empty (I1) (81c24d4)
  • lint: address G118 and noctx findings from golangci-lint v2.12.1 (85730ac)
  • metrics,healthcheck: apply Phase 1 lint review fixes (1437751)
  • metrics: legacy mode warning + login error metric on legacy auth (2e6414c)
  • metrics: PodCleanupSuccessCount only on full pod cleanup success (M9) (01d75bc)
  • metrics: vault_injector_store_data_count_success was not cleaned… (#24) (147d02d)
  • misc review minors (validation, debug logs, helm safety, spec) (7491a64)
  • nri,webhook: track and revoke all per-iteration tokens on multi-dbConfig failure (C2) (c444143)
  • nri: address pre-ship review findings (CRIT-1, CRIT-2, IMP-1, IMP-2, IMP-5) (27bac55)
  • nri: explicit Stop() on shutdown to release plugin connection (21ef4d7)
  • nri: node affinity gate + readiness label (685e300)
  • nri: only AddEnv for changed vars to avoid plugin conflicts (5285d81)
  • nri: periodic cache sweep evicts force-deleted pods (ab42b08)
  • nri: persist cache on tmpfs to survive plugin restarts (ca14a19)
  • nri: reject empty pod serviceAccountName in projected mode (I10) (508df95)
  • nri: reject malformed placeholder keys in mapping (73684c4)
  • nri: renewer/revoker mismatched pod identifier in transparent mode (722de30)
  • nri: revoke pod-token on error paths in projected mode (I6) (77874b1)
  • nri: single-flight resolveMapping to prevent duplicate creds for multi-container pods (C3) (435dd5e)
  • nri: support multi-dbConfiguration pods (was silently dropping all but the first) (6be26d9)
  • nri: verify pod identity via K8s API to block annotation forgery (#H6) (4f40a54)
  • parser: sort dbConfigurations by DbName for deterministic ordering (I1) (8165c5f)
  • reliability: replace panic with error return and harden logger (8739658)
  • renewer: don't self-revoke at end of SyncAndCleanupTokens (715789d)
  • renewer: drop orphan-token dance in SyncAndCleanupTokens (3b3acf4)
  • renewer: silence Sentry false-positives on recoverable lease errors (4dd6a46)
  • renewer: treat 'could not find role' as unrecoverable lease (bec1489)
  • revoker: delete KV bookkeeping entry after revoking token (cf59b64)
  • token-was-not-correctly-renewed-for-the-renewer-and-revoker: use the c.SetToken to correctly change the token with the new one (af5921f)
  • token-was-not-correctly-renewed-for-the-renewer-and-revoker: use… (5eb599f)
  • vault: address review feedback on wrap/unwrap (97b95b7)
  • vault: LoginAsInjectorSA respects kubeRoleNri override (I10) (3ef520b)
  • vault: RevokeSelfToken now actually revokes the given token (C1) (d4a339f)
  • vault: tighten isLeaseUnrecoverable to Vault 400 errors (I8) (21cde5d)
  • vault: treat KV 404 as idempotent in DeleteData (I9) (5178dcf)
  • vault: use distinct PodVaultToken in projected mode (C2) (06bd687)
  • vault: use injector SA login for KV bookkeeping in projected mode (bbddfa3)
  • webhook: short-circuit annotation collision in wrapAndAnnotate before wrapping (61c9944)

Documentation

  • add Cloud Native Days talk replay and demo environment (OpenBao + CNPG) (bd61e60)
  • add NRI migration implementation plan (e39de57)
  • add NRI migration spec superseding eBPF design (7d4a434)
  • add OpenBao README compatibilities overview (0e62b72)
  • align user-facing docs with recent fix cascade (0c521bf)
  • BPF mode operator and contributor documentation (f1641d3)
  • bpf-mode: correct EAGAIN claim, placeholder length, and phantom metrics (c6ab03a)
  • bpf: document kubectl exec limitation and pod hardening recommendations (c3d2d8a)
  • contributing: replace self-referencing absolute URLs with relative links (379ab1a)
  • design spec and implementation plan for eBPF credential injection (75082f5)
  • harden migration footgun callout for renewer/revoker SA switch (f31092c)
  • license: use apache-2.0 license (9748e06)
  • license: use apache-2.0 license (ae9e9c5)
  • NRI mode operator runbook with failure modes and sample alert (3abc828)
  • nri: document multi-dbConfig JWT lifetime constraint (M7) (e52bef0)
  • nri: trust model comment now reflects projected vs legacy mode (M5) (e7225b7)
  • phase 1 — new persona-oriented nav and rewritten Home (486b194)
  • phase 2 — Getting Started canonical NRI + Projected-SA path (c2a7d40)
  • phase 2 fix — address spec review findings (66afab8)
  • phase 3 — Operators section (06bb693)
  • phase 3 fix — include operator page content (cce70b8)
  • phase 4 — Developers section (48f1e91)
  • phase 5 — Contributors and Reference sections (b88ba98)
  • phase 6 — delete legacy how-it-works/, monitoring/, and merged GS pages (26948f8)
  • phase 7 — French mirror of the entire site (9299487)
  • plan: add 2026-05-05 documentation overhaul implementation plan (7afe183)
  • plan: CI/CD overhaul implementation plan — 6 phases, mica parity + OSS extensions (02a11c6)
  • plan: incorporate code review fixes for CI overhaul plan (3ae126e)
  • plan: projected ServiceAccount Vault authentication implementation plan (29b707c)
  • projected-SA usage and configuration guide (896adf2)
  • README: add CI/CD badges and migrate install instructions to ghcr.io (c4d3408)
  • README: fill coverage badge gist URL (c9d65b4)
  • rename KV mount default from vault-injector to vault-db-injector (4c7e2d6)
  • security: document NRI DaemonSet root + cluster-wide TokenRequest grant (M3) (d359ff3)
  • spec: add 2026-05-05 documentation overhaul design (637954f)
  • spec: CI/CD overhaul design — mica parity + OSS extensions (13fbaac)
  • spec: drop URL-stability mitigation from overhaul design (812b131)
  • spec: projected ServiceAccount Vault authentication design (cb1fcd6)
  • v2.x → v3.0 migration guide (7d8ae46)
  • vault-policies: tighten injector/renewer policies and add NRI policy section (c22bb9c)
  • vault: clarify CreateOrphanToken legacy-only scope (M4) (2800eed)
  • vault: clarify roles/policies — distinguish KV mount, separate modes (60208e5)
  • vault: renewer policy truly minimal; revoker owns full cleanup (I3+C4) (98bd70f)

Code refactoring

  • arch: tighten module boundaries and remove cross-package leaks (52fbbff)
  • bpf: cache cgroup_mappings map handle and wrap update errors (619cd6f)
  • bpf: document cgroup layout and improve error messages (ed0ab6f)
  • config: align projected-SA fields position and test style (aa1102f)
  • config: inline BPFConfig defaults in NewConfig (c9261bc)
  • decompose mutator, deduplicate worker bootstrap, sentinel errors (e6fe91f)
  • errors: add missing fmt import for SentryRecoveryMiddleware (I5) (53df454)
  • errors: wrap original error in webhook auth/creds paths (I4) (4d396a6)
  • errors: wrap upstream errors with cockroachdb/errors.Wrapf (I5) (5a82d3e)
  • k8s: extract ClassifyTokenRequestError using apierrors (I2) (d19e38c)
  • k8s: extract VaultLoginToken helper to pkg/k8s (I3) (58dc83c)
  • k8smutator: extract wrapAndAnnotate helper, share BPFMapping type (44a5969)
  • main: adopt run-error pattern with signal-aware context (feb58fe)
  • nri: replace BPF substitution layer with NRI plugin (cc2cd7f)
  • nri: replace containsString with slices.Contains (M8) (199697c)
  • rename misspelled and non-idiomatic exported names (4fb8e5a)
  • vault: move safety-net KV cleanup from renewer to revoker (I3) (5f216d6)
  • vault: tighten API contracts, fix data race, sentinel errors (ef41432)

Build & dependencies

  • deps: bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 (81af1b0)
  • deps: bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 (05300f1)
  • deps: bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (301044a)
  • deps: bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.2 (db35c0f)
  • deps: bump golang.org/x/net from 0.34.0 to 0.36.0 (2759d94)
  • deps: bump golang.org/x/net from 0.36.0 to 0.38.0 (721fea2)
  • isolate hashicorp/vault server behind integration build tag (42286d8)
  • Makefile: use a proper script to retrieve the version (f350878)
  • Makefile: use a proper script to retrieve the version (9410cd4)

CI

  • add consolidated ci.yml with lint, test+coverage, govulncheck, helm-lint, helm-docs sync, and mkdocs strict (991a33a)
  • add release.yml pipeline and preserve chart-releaser artifacts in gh-pages (0758430)
  • bump CI and Dockerfile Go version to 1.26 (dc1985a)
  • bump go-version to 1.24 to match go.mod (a5991a3)
  • enable Dependabot and seed .trivyignore for upcoming Trivy gate (3b720e2)
  • enable release-please for automated version bumps and changelog (0bc10b2)
  • remove legacy workflows now folded into ci.yml and release.yml (b95f73b)
  • workflows: initial support for test (#14) (3334cc5)