3.2.4 (2026-06-25)
3.2.3 (2026-06-10)
- release: make chart publishing jobs succeed end-to-end (#80) (5279db1)
- release: stop deleting the package version that holds stable tags (#78) (f768c3a)
- renewer: decouple renew increment from sync interval (#81) (8aed571)
3.2.2 (2026-06-04)
- deps: bump go directive to 1.26.4 to patch stdlib CVEs (5436350)
- helm: default image registry to ghcr.io (375923a)
- release: publish v3.2.1 to ghcr.io and align chart defaults (326e1a1)
- bump install examples to v3.2.1 (a6f2ca6)
- release: allow workflow_dispatch for an existing tag (4fac603)
3.2.1 (2026-05-25)
- renewer: flush per-pod metrics when pod is deleted (f09c61a)
- renewer: flush per-pod metrics when pod is deleted (c5ee788)
3.2.0 (2026-05-13)
- config: add NRI.Prewarmer block (Enabled, MaxConcurrent) (7500b3d)
- helm: expose nri.prewarmer.{enabled,maxConcurrent} values (53ac202)
- metrics: add NRI prewarmer counters and cache_hit_total (55993cf)
- nri: add cacheSource parallel map for cache_hit_total labelling (4e01302)
- nri: add prewarmer with informer-driven AddFunc + DeleteFunc (201a29b)
- nri: add resolveMappingWithSource, instrument cache_hit_total (8ebc0fe)
- nri: prewarmer + fail-closed substitution + ttrpc reconnect lifecycle (77201e7)
- nri: start prewarmer in runner, gated by Prewarmer.Enabled (2e13f58)
- nri: bounded reconnect on ttrpc disconnect, then crash for kubelet restart (ffcd463)
- nri: propagate gctx to lifecycle + derive prewarm fetch ctx from runCtx (edb50ec)
- nri: sweeper now also evicts cacheSource entries (c16d80c)
- vault: never revoke shared bookkeeping token in cleanup defer (da90242)
- webhook: never revoke shared bookkeeping token on success path (b8825b1)
- document NRI prewarmer config keys and tuning section (EN+FR) (feb79d6)
- metrics: document NRI prewarmer and cache_hit_total metrics (2225c43)
- plans: amend NRI prewarmer plan per plan review (b18e808)
- plans: implementation plan for NRI prewarmer (2eae186)
- specs: add NRI prewarmer design spec (e7b24a2)
- specs: amend NRI prewarmer design per security review (a4a1dcd)
- specs: fix two stale references after first amendment (7b4de08)
- nri: extract evictCacheEntry helper, sync cacheSource (1e3494e)
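The 3.2.0 entry above about bounded reconnect on ttrpc disconnect describes a fail-closed recovery policy: retry the plugin connection a fixed number of times, then exit so the kubelet restarts the DaemonSet pod instead of leaving a plugin that keeps running while substituting nothing. The Go program below is an added illustration of that policy, not the project's own nri package; Reconnect, flakyDial, the attempt budget and the backoff values are assumptions, and the dialer is a constructed stand-in for the real ttrpc connection.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"time"
)

// ErrReconnectExhausted is returned once the reconnect budget is spent. The
// caller is expected to exit non-zero so the kubelet restarts the plugin pod
// instead of leaving a DaemonSet pod that no longer performs substitutions.
var ErrReconnectExhausted = errors.New("nri: reconnect budget exhausted")

// Reconnect retries dial with capped exponential backoff. It returns the
// number of attempts made: (n, nil) when the n-th attempt succeeds, or
// (maxAttempts, err) wrapping ErrReconnectExhausted plus the last dial error
// when every attempt fails. sleep is injected so tests need not wait.
// (Hypothetical helper; the project's real reconnect code is not on this page.)
func Reconnect(dial func() error, maxAttempts int, base, maxDelay time.Duration, sleep func(time.Duration)) (int, error) {
	var last error
	delay := base
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		last = dial()
		if last == nil {
			return attempt, nil
		}
		if attempt == maxAttempts {
			break
		}
		sleep(delay)
		delay *= 2
		if delay > maxDelay {
			delay = maxDelay
		}
	}
	return maxAttempts, fmt.Errorf("%w after %d attempts: %v", ErrReconnectExhausted, maxAttempts, last)
}

// flakyDial is a constructed stand-in for the ttrpc connection: it fails the
// first `failures` calls and succeeds afterwards.
func flakyDial(failures int) func() error {
	calls := 0
	return func() error {
		calls++
		if calls <= failures {
			return fmt.Errorf("dial attempt %d: connection refused", calls)
		}
		return nil
	}
}

func main() {
	// A short outage: the socket comes back on the third attempt.
	n, err := Reconnect(flakyDial(2), 5, 500*time.Millisecond, 5*time.Second, time.Sleep)
	fmt.Printf("recovered after %d attempts, err=%v\n", n, err)

	// A dead socket (container runtime restarted underneath us): spend the
	// budget, then crash so the kubelet restarts the pod and the plugin
	// re-registers with a fresh connection.
	_, err = Reconnect(flakyDial(1<<30), 5, 10*time.Millisecond, 40*time.Millisecond, time.Sleep)
	if errors.Is(err, ErrReconnectExhausted) {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

The sleep function is injected so the budget can be exercised in a test without waiting; in production pass time.Sleep. Exiting non-zero is the point of the pattern: a plugin pod that keeps running without its NRI connection would otherwise look healthy while injecting nothing, so a crash the kubelet turns into a restart is the safer failure mode.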
3.1.0 (2026-05-12)
- nri: fail-closed substitution + per-step timing logs (0d8b5c3)
- nri: fail-closed substitution + per-step timing logs (03f49c7)
3.0.1 (2026-05-06)
- ci: regenerate helm/README.md and auto-regen on release-please PRs (d413caf)
- ci: regenerate helm/README.md and auto-regen on release-please PRs (0bfaa10)
- vault: detach StoreDataAsync from caller context (5173a39)
- vault: detach StoreDataAsync from caller context (48af1fc)
3.0.0 (2026-05-06)
- config: tokenRequestExpirationSeconds default 60 → 600
- metrics: All Prometheus metric names previously prefixed with vault_injector_ are now prefixed with vdbi_. Dashboards, alerts and recording rules that reference the legacy names must be updated. See docs/how-it-works/migration-v2-to-v3.md (will be added in a follow-up commit) for the full mapping.
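The metrics rename listed above is the one breaking change an operator has to script: every dashboard, alert and recording rule that names a vault_injector_* series must be moved to vdbi_*. The Go program below is an added example, not part of the project; it assumes the rename is a pure prefix substitution, as the entry states, and its output should be checked against the full mapping in the migration document for any name that changed beyond its prefix. RewriteLegacyMetrics and LegacyMetricNames are hypothetical helpers, and the sample expressions are constructed around two legacy names this changelog mentions (vault_injector_bpf_map_size and vault_injector_store_data_count_success).

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// legacyMetric matches a metric identifier carrying the pre-3.0 prefix.
// Prometheus metric names are [a-zA-Z_:][a-zA-Z0-9_:]*, so the leading guard
// (start of text or a non-identifier character) stops us from rewriting the
// tail of some longer identifier such as my_vault_injector_x.
var legacyMetric = regexp.MustCompile(`(^|[^a-zA-Z0-9_:])vault_injector_([a-zA-Z0-9_:]*)`)

// quoted matches a PromQL string literal, e.g. a label value.
var quoted = regexp.MustCompile(`"(?:[^"\\]|\\.)*"`)

// mapOutsideStrings applies fn to every run of expr that lies outside a
// double-quoted string and splices the strings back in verbatim, so a label
// value like {job="vault_injector"} is never rewritten.
func mapOutsideStrings(expr string, fn func(string) string) string {
	var b strings.Builder
	last := 0
	for _, span := range quoted.FindAllStringIndex(expr, -1) {
		b.WriteString(fn(expr[last:span[0]]))
		b.WriteString(expr[span[0]:span[1]])
		last = span[1]
	}
	b.WriteString(fn(expr[last:]))
	return b.String()
}

// RewriteLegacyMetrics renames every vault_injector_* metric in a PromQL
// expression to vdbi_* (hypothetical helper, assuming a pure prefix rename).
// Already-migrated expressions pass through unchanged.
func RewriteLegacyMetrics(expr string) string {
	return mapOutsideStrings(expr, func(seg string) string {
		return legacyMetric.ReplaceAllString(seg, "${1}vdbi_${2}")
	})
}

// LegacyMetricNames lists the distinct legacy metric names an expression
// still references, sorted, for auditing a rule file before or after the
// rewrite (hypothetical helper).
func LegacyMetricNames(expr string) []string {
	seen := map[string]struct{}{}
	mapOutsideStrings(expr, func(seg string) string {
		for _, m := range legacyMetric.FindAllStringSubmatch(seg, -1) {
			seen["vault_injector_"+m[2]] = struct{}{}
		}
		return seg
	})
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed alert and recording-rule expressions using legacy names
	// that this changelog mentions.
	exprs := []string{
		`sum(rate(vault_injector_store_data_count_success{job="vault_injector"}[5m]))`,
		`vault_injector_bpf_map_size > 1000`,
		`vdbi_store_data_count_success`, // already migrated: untouched
	}
	for _, e := range exprs {
		fmt.Printf("legacy names: %v\n  before: %s\n  after:  %s\n", LegacyMetricNames(e), e, RewriteLegacyMetrics(e))
	}
}
```

The string-literal split matters: a label matcher such as {job="vault_injector"} selects a scrape target, not a metric, and rewriting it would silently break the selector. Run LegacyMetricNames over every rule file after the rewrite; an empty result is the check that nothing still points at a series that no longer exists.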
- add .claude (d8af429)
- bpf: add vault_injector_bpf_map_size gauge metric (62a4ba7)
- bpf: cilium/ebpf-based loader (ec90cc5)
- bpf: LSM substitution program (9f48e23)
- bpf: node-local runner watching local pods (1b070f3)
- bpf: program BPF map for all containers in a pod (c70d52e)
- bpf: resolve cgroup_id from podUID + containerID (2c5ca9a)
- bpf: support cgroupfs driver and mount /sys/kernel/security (b12f1e1)
- bpf: tmpfs persister for cross-restart mapping recovery (82f386a)
- bugfix: better sentry implementation, async vault, contextId on… (#29) (01cd9b2)
- chart,docs: integrate helm-docs for auto-generated Helm values reference (e1edd3a)
- config: add BPFConfig and ModeBPF runtime mode (de3a3f8)
- config: add useProjectedSA + TokenRequest options (e3b024e)
- controller: add RunBPF skeleton and ModeBPF dispatch (b0b69a0)
- gh-action: fix docker implementation (28e1dce)
- helm: add per-resource serviceAccountName overrides (0be2585)
- helm: BPF DaemonSet and bpf.enabled switch (175c728)
- helm: conditional projected-SA RBAC + config values (1422b3d)
- helm: dedicated SAs for renewer + revoker (dd27581)
- helm: per-mode kubeRole overrides (5b63c3a)
- implement a new rate limit on the vault API to avoid 429 errors (2d3b69d)
- implement a new rate limit on the vault API to avoid 429 errors (a537831)
- k8s: add RequestSAToken (TokenRequest API wrapper) (d5dc983)
- k8smutator: wrap creds with placeholders when cfg.BPF.Enabled (ade5408)
- logs: add contextId and duration as fields when it's necessary. (#32) (b909457)
- metrics: observability for projected-SA flow (506010d)
- metrics: rename all metrics to vdbi_* prefix (82f7b35)
- metrics: warn + gauge when projected mode lacks audience (I7) (8d98df8)
- NRI injection mode + projected-SA + CI overhaul (#56) (3e2f26c)
- nri: branch on UseProjectedSA for Vault auth + creds (7eb77b0)
- nri: pull-not-push refactor — no Vault token in PodSpec (8b6498b)
- nri: transparent mode — no nri-mapping annotation, label-filtered (984682e)
- placeholder: fixed-length token generator and matcher (2fe113d)
- state: enhance the information that is stored in the state for debugging purposes, including sa, podname and nodename (#20) (27f8998)
- vault: add WrapValues and UnwrapValues on Connector (55f4a28)
- vault: cache bookkeeping login token to bound Vault auth load (I4) (f811553)
- vault: classify Vault login errors for granular metrics (I8) (200c8ea)
- vault: script + reference doc for Vault roles/policies (215af94)
- vault: support SkipOrphanCreation in GetDbCredentials (e5cf81e)
- webhook: branch on UseProjectedSA for Vault auth + creds (a7d9ccd)
- address code review findings on desloppify/code-health (b1768c4)
- bpf,k8smutator: thread WrapTokenTTL and validate credential length at admission (88d4b3f)
- bpf: handle informer tombstones and reset processed on missing field (25df0b9)
- bpf: persist tmpfs as hostPath /run so it survives DS restarts (c7318c8)
- bpf: pre-program pod-level cgroup to cover init/crash race (04bf668)
- bpf: repopulate BPF map after DS restart using stored cgroup IDs (fd53ada)
- bpf: roll back partial PutMapping on multi-container failure (6f4559a)
- bpf: runtime-validate program — GPL license + integration test compat (a73fc0c)
- bpf: runtime-validated fixes from k3d end-to-end test (f2e1ffb)
- bpf: scan envp byte-by-byte using bpf_loop (5.17+) (ec73b51)
- bpf: snapshot restored UIDs to avoid double-counting mappingsLoaded (81c1f38)
- bpf: switch from LSM hook to tracepoint/sys_enter_execve (87b9754)
- bpf: use ConnectAndRenew for Vault token auto-renewal (836e81a)
- bpf: wire MaxMappingsPerNode to map, add save-rollback, cgroup preflight, and CI invariants (b63f503)
- ci: align bpf-integration workflow to Go 1.26 (77d4b20)
- ci: apply final review fixes to release.yml (291c031)
- ci: bump golangci-lint to v2.12.1 and fix Chart.yaml symlink target (d404b3e)
- config: hard-fail on empty audiences in projected mode + drop redundant warn (fe6ab56)
- config: NRIConfig envconfig tags must not repeat nri_ prefix (6fbc53b)
- config: tokenRequestExpirationSeconds default 60 → 600 (72b0657)
- controller: propagate context.Err on RunBPF idle path (04cc639)
- controller: start healthcheck and metrics servers in RunBPF (0444a70)
- controller: warnLegacyMode only applies to RunInjector (c9f2f3a)
- deleting uuid from metric cardinality (bf5151e)
- deleting uuid from metric dimension (3c2f24a)
- deployment: fix ci and helm (e844aad)
- deps: bump go-jose/v4 to 4.1.4 and grpc to 1.79.3 (CVE fixes) (d7f1c2d)
- helm,config: correct BPF DaemonSet args, env prefix, ConfigMap structure, and hostPID (6e9d27c)
- helm: add injectorLabel default + merge duplicate useProjectedSA conditional (f77d62d)
- helm: always create ServiceAccount objects (even when overridden) (43c17c9)
- helm: drop trailing space after tokenRequestAudiences key (118e7d4)
- helm: gate renewer/revoker SA switch on useProjectedSA (C1) (aa9d054)
- helm: NRI plugin DS must run as root to connect NRI socket (685ecd1)
- helm: RBAC bindings target effective SA (auto-bind override) (3f8d137)
- helm: satisfy yamllint comments-indentation in chart files (ca0dca3)
- helm: wire BPF DaemonSet to its ConfigMap via --config arg (4146fa4)
- k8s: guard empty TokenRequest response (356adfa)
- k8s: pass nil audiences to TokenRequest when list is empty (I1) (81c24d4)
- lint: address G118 and noctx findings from golangci-lint v2.12.1 (85730ac)
- metrics,healthcheck: apply Phase 1 lint review fixes (1437751)
- metrics: legacy mode warning + login error metric on legacy auth (2e6414c)
- metrics: PodCleanupSuccessCount only on full pod cleanup success (M9) (01d75bc)
- metrics: vault_injector_store_data_count_success was not cleaned… (#24) (147d02d)
- misc review minors (validation, debug logs, helm safety, spec) (7491a64)
- nri,webhook: track and revoke all per-iteration tokens on multi-dbConfig failure (C2) (c444143)
- nri: address pre-ship review findings (CRIT-1, CRIT-2, IMP-1, IMP-2, IMP-5) (27bac55)
- nri: explicit Stop() on shutdown to release plugin connection (21ef4d7)
- nri: node affinity gate + readiness label (685e300)
- nri: only AddEnv for changed vars to avoid plugin conflicts (5285d81)
- nri: periodic cache sweep evicts force-deleted pods (ab42b08)
- nri: persist cache on tmpfs to survive plugin restarts (ca14a19)
- nri: reject empty pod serviceAccountName in projected mode (I10) (508df95)
- nri: reject malformed placeholder keys in mapping (73684c4)
- nri: renewer/revoker mismatched pod identifier in transparent mode (722de30)
- nri: revoke pod-token on error paths in projected mode (I6) (77874b1)
- nri: single-flight resolveMapping to prevent duplicate creds for multi-container pods (C3) (435dd5e)
- nri: support multi-dbConfiguration pods (was silently dropping all but the first) (6be26d9)
- nri: verify pod identity via K8s API to block annotation forgery (#H6) (4f40a54)
- parser: sort dbConfigurations by DbName for deterministic ordering (I1) (8165c5f)
- reliability: replace panic with error return and harden logger (8739658)
- renewer: don't self-revoke at end of SyncAndCleanupTokens (715789d)
- renewer: drop orphan-token dance in SyncAndCleanupTokens (3b3acf4)
- renewer: silence Sentry false-positives on recoverable lease errors (4dd6a46)
- renewer: treat 'could not find role' as unrecoverable lease (bec1489)
- revoker: delete KV bookkeeping entry after revoking token (cf59b64)
- token-was-not-correctly-renewed-for-the-renewer-and-revoker: use c.SetToken to correctly replace the token with the new one (af5921f)
- token-was-not-correctly-renewed-for-the-renewer-and-revoker: use… (5eb599f)
- vault: address review feedback on wrap/unwrap (97b95b7)
- vault: LoginAsInjectorSA respects kubeRoleNri override (I10) (3ef520b)
- vault: RevokeSelfToken now actually revokes the given token (C1) (d4a339f)
- vault: tighten isLeaseUnrecoverable to Vault 400 errors (I8) (21cde5d)
- vault: treat KV 404 as idempotent in DeleteData (I9) (5178dcf)
- vault: use distinct PodVaultToken in projected mode (C2) (06bd687)
- vault: use injector SA login for KV bookkeeping in projected mode (bbddfa3)
- webhook: short-circuit annotation collision in wrapAndAnnotate before wrapping (61c9944)
- add Cloud Native Days talk replay and demo environment (OpenBao + CNPG) (bd61e60)
- add NRI migration implementation plan (e39de57)
- add NRI migration spec superseding eBPF design (7d4a434)
- add open-bao readme compatibilities overview (0e62b72)
- align user-facing docs with recent fix cascade (0c521bf)
- BPF mode operator and contributor documentation (f1641d3)
- bpf-mode: correct EAGAIN claim, placeholder length, and phantom metrics (c6ab03a)
- bpf: document kubectl exec limitation and pod hardening recommendations (c3d2d8a)
- contributing: replace self-referencing absolute URLs with relative links (379ab1a)
- design spec and implementation plan for eBPF credential injection (75082f5)
- harden migration footgun callout for renewer/revoker SA switch (f31092c)
- license: use apache-2.0 license (9748e06)
- license: use apache-2.0 license (ae9e9c5)
- NRI mode operator runbook with failure modes and sample alert (3abc828)
- nri: document multi-dbConfig JWT lifetime constraint (M7) (e52bef0)
- nri: trust model comment now reflects projected vs legacy mode (M5) (e7225b7)
- phase 1 — new persona-oriented nav and rewritten Home (486b194)
- phase 2 — Getting Started canonical NRI + Projected-SA path (c2a7d40)
- phase 2 fix — address spec review findings (66afab8)
- phase 3 — Operators section (06bb693)
- phase 3 fix — include operator page content (cce70b8)
- phase 4 — Developers section (48f1e91)
- phase 5 — Contributors and Reference sections (b88ba98)
- phase 6 — delete legacy how-it-works/, monitoring/, and merged GS pages (26948f8)
- phase 7 — French mirror of the entire site (9299487)
- plan: add 2026-05-05 documentation overhaul implementation plan (7afe183)
- plan: CI/CD overhaul implementation plan — 6 phases, mica parity + OSS extensions (02a11c6)
- plan: incorporate code review fixes for CI overhaul plan (3ae126e)
- plan: projected ServiceAccount Vault authentication implementation plan (29b707c)
- projected-SA usage and configuration guide (896adf2)
- README: add CI/CD badges and migrate install instructions to ghcr.io (c4d3408)
- README: fill coverage badge gist URL (c9d65b4)
- rename KV mount default from vault-injector to vault-db-injector (4c7e2d6)
- security: document NRI DaemonSet root + cluster-wide TokenRequest grant (M3) (d359ff3)
- spec: add 2026-05-05 documentation overhaul design (637954f)
- spec: CI/CD overhaul design — mica parity + OSS extensions (13fbaac)
- spec: drop URL-stability mitigation from overhaul design (812b131)
- spec: projected ServiceAccount Vault authentication design (cb1fcd6)
- v2.x → v3.0 migration guide (7d8ae46)
- vault-policies: tighten injector/renewer policies and add NRI policy section (c22bb9c)
- vault: clarify CreateOrphanToken legacy-only scope (M4) (2800eed)
- vault: clarify roles/policies — distinguish KV mount, separate modes (60208e5)
- vault: renewer policy truly minimal; revoker owns full cleanup (I3+C4) (98bd70f)
- arch: tighten module boundaries and remove cross-package leaks (52fbbff)
- bpf: cache cgroup_mappings map handle and wrap update errors (619cd6f)
- bpf: document cgroup layout and improve error messages (ed0ab6f)
- config: align projected-SA fields position and test style (aa1102f)
- config: inline BPFConfig defaults in NewConfig (c9261bc)
- decompose mutator, deduplicate worker bootstrap, sentinel errors (e6fe91f)
- errors: add missing fmt import for SentryRecoveryMiddleware (I5) (53df454)
- errors: wrap original error in webhook auth/creds paths (I4) (4d396a6)
- errors: wrap upstream errors with cockroachdb/errors.Wrapf (I5) (5a82d3e)
- k8s: extract ClassifyTokenRequestError using apierrors (I2) (d19e38c)
- k8s: extract VaultLoginToken helper to pkg/k8s (I3) (58dc83c)
- k8smutator: extract wrapAndAnnotate helper, share BPFMapping type (44a5969)
- main: adopt run-error pattern with signal-aware context (feb58fe)
- nri: replace BPF substitution layer with NRI plugin (cc2cd7f)
- nri: replace containsString with slices.Contains (M8) (199697c)
- rename misspelled and non-idiomatic exported names (4fb8e5a)
- vault: move safety-net KV cleanup from renewer to revoker (I3) (5f216d6)
- vault: tighten API contracts, fix data race, sentinel errors (ef41432)
- deps: bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 (81af1b0)
- deps: bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 (05300f1)
- deps: bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (301044a)
- deps: bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.2 (db35c0f)
- deps: bump golang.org/x/net from 0.34.0 to 0.36.0 (2759d94)
- deps: bump golang.org/x/net from 0.36.0 to 0.38.0 (721fea2)
- isolate hashicorp/vault server behind integration build tag (42286d8)
- Makefile: use a proper script to retrieve the version (f350878)
- Makefile: use a proper script to retrieve the version (9410cd4)
- add consolidated ci.yml with lint, test+coverage, govulncheck, helm-lint, helm-docs sync, and mkdocs strict (991a33a)
- add release.yml pipeline and preserve chart-releaser artifacts in gh-pages (0758430)
- bump CI and Dockerfile Go version to 1.26 (dc1985a)
- bump go-version to 1.24 to match go.mod (a5991a3)
- enable Dependabot and seed .trivyignore for upcoming Trivy gate (3b720e2)
- enable release-please for automated version bumps and changelog (0bc10b2)
- remove legacy workflows now folded into ci.yml and release.yml (b95f73b)
- workflows: initial support for test (#14) (3334cc5)