helm/secret-store-csi-driver/secrets-store-csi-driver 1.4.0

v1.4.0

on Artifact Hub

v1.4.0 - 2023-11-20

Breaking Changes ⚠️

• total_ prefix in the metrics name has been dropped as part of the latest otel bump in the driver. For Prometheus counters, by default the otel library appends total suffix.
  • total_rotation_reconcile -> rotation_reconcile_total
  • total_rotation_reconcile_error -> rotation_reconcile_error_total
  • total_node_publish -> node_publish_total
  • total_node_unpublish -> node_unpublish_total
  • total_node_publish_error -> node_publish_error_total
  • total_node_unpublish_error -> node_unpublish_error_total
  • total_sync_k8s_secret -> sync_k8s_secret_total

Changelog

Bug Fixes 🐞

• 604019c fix: make manifest diff
• a1380ba fix: update nodeserver publish logs
• cdf0b77 fix: put annotations in right position of daemonset
• bb1815a fix: escape dot in target path regex
• 97d3452 fix: fix CVE-2022-32149 and CVE-2022-27664 (#1059)
• d98c93c fix: handles pfx certs in k8s secrets sync
• 9fcdbb2 fix: update base image reference in script
• ede4c70 fix: sanitize service account tokens in logs
• 2ee77ca fix: use os.Lstat to resolve os.Stat issue in windows
• 3ae12bd fix: remove files before cleanup mount point in unpublish
• 0af2483 fix: panic when using --log-format-json
• 830d184 fix: update err variable in defer to prevent err shadowing
• c452ac4 fix: add unit test to validate error shadowed bug

Code Refactoring 💎

• b0af2b9 refactor: use NewSharedInformerFactoryWithOptions for new shared informer
• 14489c7 refactor: update mdbook install and serve

Continuous Integration 💜

• 35d88b7 ci: [StepSecurity] Apply security best practices
• 76b329d ci: add codecov.yml
• 0d4d5a3 ci: update kubernetes versions for staging image tests
• 47bd321 ci: enable tests with kubernetes v1.26
• 12cdcb4 ci: ignore slack badge in markdown link check
• a3c0e4e ci: add codeql action
• 9a120ea ci: bump kubernetes version to v1.25.0
• f8e3435 ci: bump kind version to v0.14.0
• d1181e3 ci: add kubernetes 1.24 in e2e matrix
• ce47672 ci: fix aws eks cluster creation
• 384db8b ci: fix markdown link check workflow failures
• 12d1c99 ci: update kubernetes version matrix in staging e2e workflow
• 0246e35 ci: update e2e_mock_provider_tests kubernetes versions
• 2f16132 ci: add goreleaser workflow for release
• d0e614f ci: fix shellcheck file paths
• 00a1445 ci: add markdown-link-check workflow

Documentation 📘

• d29d835 docs: mention sig-auth subproject in readme
• e0e5c06 docs: add openssf badge
• 905d82b docs: update reference to registry.k8s.io in release
• 3864b78 docs: update supported releases - v1.3.x and v1.2.x
• b8c64cc docs: add security vuln scanning to release mgmt
• e195c55 docs: update supported releases - v1.2.x and v1.1.x
• 3787ca2 docs: include security explanations for root/privileged/and pod tokens
• b55eaef docs: update instructions on generating release notes
• c0e97a5 docs: add subPath volume mount limitation
• 592ad7b docs: update supported versions and replace v1alpha1 with v1
• 8c41c4a docs: remove helm repo url change note in install steps
• 052429b docs: add slack badge
• 95218a6 docs: fix dead links based on errors
• 0391489 docs: update features and add toc
• ba364e1 docs: Update helm README.md with linux crd image values (#797)
• 856ad85 docs: update supported feature by current providers
• a760c18 docs: fix typo in api version group name
• ed9ecf3 docs: add design docs and roadmap to website
• 99aafa5 docs: add project status to docs

Features 🌈

• 21694f0 feat: add --version flag to print the driver version
• b4d2608 feat: add default toleration for all taints
• 34cb436 feat: Support disabling Helm chart CRD hooks
• 0723e1e feat: support provider paths under /var/run
• 7ac887a feat: add token requests client (#805)
• 4b8c442 feat: send NodePublishVolumeRequest.VolumeContext in MountRequest to provider

Maintenance 🔧

• 9056530 chore: bump version to v1.4.0 in release-1.4
• c4b22eb chore: update to go 1.21.4 in docker
• 7cdb803 chore: update to go 1.21
• a3fbe36 chore: bump google.golang.org/grpc from 1.49.0 to 1.56.3
• 2a6ad3c chore: bump google.golang.org/grpc in /test/e2eprovider
• 0de7b33 chore: bump golang.org/x/net from 0.10.0 to 0.17.0 in /hack/tools
• 41c8819 chore: bump golang.org/x/net from 0.8.0 to 0.17.0
• 7cf7be9 chore: bump golang.org/x/net from 0.8.0 to 0.17.0 in /test/e2eprovider
• 9743144 chore: bump actions/checkout from 3.5.3 to 4.0.0
• a4aa61d chore: bump github/codeql-action from 2.21.2 to 2.21.5
• dca6d3f chore: cleanup secretproviderclass status
• da9fd72 chore: bump github/codeql-action from 2.21.0 to 2.21.2
• 1b10489 chore: bump k8s.io/code-generator from 0.27.3 to 0.27.4 in /hack/tools
• 663d733 chore: bump github/codeql-action from 2.20.4 to 2.21.0
• a4aea02 chore: bump sigs.k8s.io/controller-tools in /hack/tools
• db8c839 chore: bump github/codeql-action from 2.20.3 to 2.20.4
• 14952e6 chore: bump github/codeql-action from 2.20.1 to 2.20.3
• 2403169 chore: update debian-base to bookworm-v1.0.0
• ca06ac3 chore: bump github/codeql-action from 2.20.0 to 2.20.1
• 19f5ce2 chore: bump ossf/scorecard-action from 2.1.3 to 2.2.0
• 61e53b7 chore: bump sigs.k8s.io/controller-tools in /hack/tools
• 3e9a018 chore: bump k8s.io/code-generator from 0.27.2 to 0.27.3 in /hack/tools
• 47468b8 chore: bump github.com/golangci/golangci-lint in /hack/tools
• 0d6bd57 chore: bump github/codeql-action from 2.3.6 to 2.20.0
• f87cf12 chore: bump actions/dependency-review-action from 3.0.4 to 3.0.6
• fb2ff09 chore: bump actions/checkout from 3.5.2 to 3.5.3
• d2ac05d chore: bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0
• 49f966f chore: bump github/codeql-action from 2.3.3 to 2.3.6
• 6938b86 chore: bump github.com/golangci/golangci-lint in /hack/tools
• c8b330c chore: bump k8s.io/code-generator from 0.26.4 to 0.27.2 in /hack/tools
• 6551fe2 chore: bump k8s deps to v1.26.4 (#1254)
• 7b9e0f9 chore: bump codecov/codecov-action from 3.1.3 to 3.1.4
• ceb7ec6 chore: bump actions/setup-go from 4.0.0 to 4.0.1
• 7e5b5dc chore: bump golang from 79ffe35 to 31a8f92 in /test/e2eprovider
• 73fd4cc chore: bump golang from eaf1267 to 31a8f92 in /docker
• 26c8cd5 chore: bump github/codeql-action from 2.3.2 to 2.3.3
• bc0fbbb chore: bump step-security/harden-runner from 2.3.1 to 2.4.0
• 086c6b6 chore: update node-driver-registrar:v2.8.0, livenessprobe:v2.10.0
• ace8c5a chore: bump google.golang.org/grpc in /test/e2eprovider
• cb49b72 chore: bump k8s.io/klog/v2 from 2.80.1 to 2.100.1 in /test/e2eprovider
• beb650e chore: bump golang from 403f486 to 79ffe35 in /docker
• 7b4879f chore: bump monis.app/mlog from 0.0.2 to 0.0.4 in /test/e2eprovider
• ca9178e chore: bump golang from 403f486 to 79ffe35 in /test/e2eprovider
• b855553 chore: bump codecov/codecov-action from 3.1.2 to 3.1.3
• 4f2eae2 chore: bump github/codeql-action from 2.3.0 to 2.3.2
• 5743ab3 chore: bump sigs.k8s.io/controller-tools in /hack/tools
• 0b457df chore: bump github/codeql-action from 2.2.12 to 2.3.0
• 0e85ac0 chore: enable gocritic linter and fix errors
• 1ef0c67 chore: cleanup WritePayloads to be easier to use
• 23b30d1 chore: allow retries on pre-upgrade hook jobs
• 7c7b3e5 chore: bump actions/checkout from 3.5.0 to 3.5.2
• b8069f4 chore: bump github/codeql-action from 2.2.11 to 2.2.12
• dc4bf06 chore: update to go 1.20
• 8048905 chore: bump trivy version to v0.39.1
• 379a4a4 chore: bump kind version to v0.18.0
• e582845 chore: bump github/codeql-action from 2.2.9 to 2.2.11
• 7cce3bb chore: updates error message
• cab63b3 chore: remove unused node name in rotation reconciler
• 957817e chore: remove unused providerVolumePath code paths
• 34afcef chore: bump actions/checkout from 3.4.0 to 3.5.0
• 76f266a chore: bump github.com/golangci/golangci-lint in /hack/tools
• 8b508b2 chore: bump github/codeql-action from 2.2.7 to 2.2.9
• adba078 chore: bump k8s.io/code-generator from 0.26.2 to 0.26.3 in /hack/tools
• a556236 chore: bump google.golang.org/protobuf in /hack/tools
• fa40c79 chore: update golangci-lint to v1.52.1
• ead9b01 chore: bump github/codeql-action from 2.2.6 to 2.2.7
• b4e4c6a chore: bump actions/checkout from 3.3.0 to 3.4.0
• f62667c chore: bump google.golang.org/protobuf in /hack/tools
• ba9625b chore: bump google.golang.org/protobuf in /hack/tools
• 8d15bd1 chore: bump github/codeql-action from 2.2.5 to 2.2.6
• 1367ef6 chore: bump k8s.io/code-generator from 0.26.1 to 0.26.2 in /hack/tools
• 9d23ab4 chore: bump google.golang.org/grpc/cmd/protoc-gen-go-grpc in /hack/tools
• 686b1dc chore: bump gaurav-nelson/github-action-markdown-link-check
• c9e9052 chore: bump github/codeql-action from 2.2.4 to 2.2.5
• 8da23b0 chore: bump golang.org/x/net from 0.4.0 to 0.7.0
• f62048e chore: bump golang.org/x/net from 0.4.0 to 0.7.0 in /hack/tools
• 8bf3cea chore: bump golang.org/x/net from 0.4.0 to 0.7.0 in /test/e2eprovider
• 37b523c chore: bump github/codeql-action from 2.2.2 to 2.2.4
• 7951913 chore: use base and test image from registry.k8s.io
• bd9efb6 chore: bump sigs.k8s.io/controller-tools in /hack/tools
• 06130f8 chore: bump github/codeql-action from 2.2.1 to 2.2.2
• bd549ea chore: bump sigs.k8s.io/controller-tools in /hack/tools
• 3042513 chore: bump github/codeql-action from 2.1.39 to 2.2.1
• ebce4e4 chore: bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0
• 0a3fee2 chore: bump k8s.io/code-generator from 0.26.0 to 0.26.1 in /hack/tools
• 98ec718 chore: bump github/codeql-action from 2.1.38 to 2.1.39
• 143dc71 chore: pin buildx to v0.10.6
• fe84ebc chore: bump github/codeql-action from 2.1.37 to 2.1.38
• 8979367 chore: bump actions/checkout from 3.2.0 to 3.3.0
• c4229cb chore: update livenessprobe to v2.9.0
• 94fc545 chore: update node-driver-registrar to v2.7.0
• 42e786e chore: bump sigs.k8s.io/controller-tools in /hack/tools
• 1b6d197 chore: remove windows version 1903, 1909 and 2004 (EOL)
• 93d0e05 chore: bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0
• 68c4a7a chore: bump github/codeql-action from 2.1.36 to 2.1.37
• d2398b1 chore: bump actions/checkout from 3.1.0 to 3.2.0
• df7c1a5 chore: bump k8s.io/code-generator from 0.25.4 to 0.26.0 in /hack/tools
• d772515 chore: bump github/codeql-action from 2.1.35 to 2.1.36
• 7513988 chore: reenable trivy scan for binary
• 4c1a8f5 chore: use kubectl v1.26.0 in driver-crds
• da5a280 chore: switch to registry.k8s.io
• 215e5c2 chore: update node-driver-registrar to v2.6.2
• 4e6cc57 chore: bump github/codeql-action from 2.1.32 to 2.1.35
• c60d93f chore: bump stefanprodan/helm-gh-pages from 1.6.0 to 1.7.0
• 6a64a91 chore: bump k8s.io/code-generator from 0.25.3 to 0.25.4 in /hack/tools
• c9ec363 chore: bump github/codeql-action from 2.1.31 to 2.1.32
• 1111a97 chore: use kubectl 1.25.4 in driver-crds
• ca89feb chore: remove k8s.io/kubernetes dep
• 59473a2 chore: bump github/codeql-action from 2.1.29 to 2.1.31
• 8778a4c chore: update livenessprobe to v2.8.0
• b12d68a chore: bump github/codeql-action from 2.1.28 to 2.1.29
• 2beee6f chore: bump sigs.k8s.io/controller-tools in /hack/tools
• 4776c62 chore: bump k8s.io/code-generator from 0.25.0 to 0.25.3 in /hack/tools
• 603bb66 chore: bump github.com/golangci/golangci-lint in /hack/tools
• 358b8a3 chore: bump google.golang.org/protobuf in /hack/tools
• 75b1134 chore: bump actions/checkout from 2 to 3
• 6841c6d chore: bump sigs.k8s.io/kustomize/kustomize/v4 in /hack/tools
• f6021d8 chore: bump goreleaser/goreleaser-action from 2.8.1 to 3.2.0
• d3e4260 chore: adds ok-to-test label on dependabot prs
• 8a52d33 chore: bump github.com/golangci/golangci-lint in /hack/tools
• c8fc68f chore: bump stefanprodan/helm-gh-pages from 1.4.1 to 1.6.0
• 57a5cb9 chore: bump gaurav-nelson/github-action-markdown-link-check
• 762f81f chore: add dependabot.yml
• e3ed2f2 chore: use kubectl 1.25.x in driver-crds
• f938672 chore: update golangci-lint to v1.49.0
• 6fda350 chore: run apt update && apt upgrade -y in dockerfile
• 0dc8c0f chore: support kubernetes v1.25.0
• 980a539 chore: remove psp
• f020bdf chore: update debian-base to bullseye-v1.4.2
• 5680241 chore: update k8s deps to v0.24.4
• 4be2208 chore: update to go 1.19
• e272dc9 chore: update debian-base to bullseye-v1.4.1
• efb3274 chore: update debian-base to bullseye-v1.4.0
• 27032f6 chore: update boilerplate for the generated proto files
• fe049c3 chore: use google.golang.org/protobuf and regenerate proto
• a95f0e5 chore: update kustomize to v4
• 1d264d2 chore: update tools dependencies and generate manifests
• e0f1850 chore: update kubernetes deps to v1.24.1
• 5ddc969 chore: add crds.podLabels for helm hook jobs (#962)
• d70d198 chore: update debian-base to bullseye-v1.3.0
• a48fdde chore: bump node-driver-registrar:v2.5.1 and livenessprobe:v2.7.0
• 68ef471 chore: bump kind version to v0.13.0 to support kubernetes v1.24
• 75d28a4 chore: update pull request template
• 1faac89 chore: change default to /var/run for providers path
• e6cc3d5 chore: upgrade makefile test binary versions
• 4b09e85 chore: upgrade to go 1.18
• 1ec0f8b chore: remove deprecated minimumProviderVersions in helm chart
• b46dfcb chore: make token requests conditional for v1.20+
• 37f55b2 chore: bump node-driver-registrar:v2.5.0 and livenessprobe:v2.6.0
• ca257a8 chore: mark v1alpha1 api version as deprecated
• ae87243 chore: remove old helm packages and index
• ccb9fa4 chore: updates trivy command
• a596624 chore: log invalid key in error
• dac5381 chore: update debian-base to bullseye-v1.1.0
• f694be2 chore: bump node-driver-reegistrar image to v2.4.0
• 9750771 chore: remove deprecated --filtered-watch-secret flag
• c78559e chore: bump livenessprobe image to v2.5.0
• 2b27e0c chore: upgrade kubernetes deps
• 6069215 chore: use TARGETARCH for image build and makefile update
• e1f143c chore: use corev1 as import alias instead of v1

Security Fix 🛡️

• d3a4a98 security: bump kubernetes version to v1.27.0 in driver-crds
• 369ab7b security: fix CVE-2022-41717
• fe26e98 security: fix CVE-2022-27664
• 586ff3f security: fix CVE-2022-27664
• e24efb7 security: fix multiple CVEs
• 0dde850 security: fix CVE-2022-37434
• 2d85ba6 security: fix CVE-2022-1996
• 94077a6 security: fix multiple CVEs
• 3bfd4f2 security: fix CVE-2022-29526
• ce8133d security: fix CVE-2021-4209
• 9357134 security: fix CVE-2022-1996
• 0c70232 security: fix CVE-2022-34903
• 6152bf1 security: fix CVE-2022-2068
• 84f8b21 security: fix CVE-2022-1664
• 860c83e security: fix CVE-2022-1292
• 28a14d2 security: fix CVE-2022-1271
• f4b9d0f security: fix CVE-2018-25032 and update to debian-base:bullseye-v1.2.0
• 5a34967 security: fix CVEs
• b558858 security: fix CVE-2022-0778, CVE-2021-4160
• e6d1c8f security: fix CVE-2021-3995, CVE-2021-3996
• 6462375 security: fix CVE-2021-43618

Testing 💚

• 4a54858 test: improve nodeserver testing
• ca6a736 test: more usage of t.TempDir()
• cc6f126 test: replace tmpdir with t.TempDir()
• df67b53 test: cleanup provider tests (part 1)
• 725b77d test: use helm upgrade --install for azure e2e
• 86d368e test: use helm charts for azure provider
• 0ec6250 test: conditionally check token requests role and binding
• 899d3ed test: add test for view and admin cluster role (#845)