0.1.0 (March 24th, 2021)
CHANGES
- All secret engines are now supported [GH-63]
- This makes several breaking changes to the configuration of the SecretProviderClass'
objects
entry - There is no top-level
array
entry underobjects
objectVersion
is now ignoredobjectPath
is renamed tosecretPath
secretKey
,secretArgs
andmethod
are newly available optionsobjectName
no longer determines which key is read from the secret's data- If
secretKey
is set, that is the key from the secret's data that will be written - If
secretKey
is not set, the whole JSON response from Vault will be written vaultSkipTLSVerify
is no longer required to be set to"true"
if thevaultAddress
scheme is nothttps
- This makes several breaking changes to the configuration of the SecretProviderClass'
- The provider will now authenticate to Vault as the requesting pod's service account [GH-64]
- This is likely a breaking change for existing deployments being upgraded
- vault-csi-provider service account now requires cluster-wide permission to create service account tokens
- auth/kubernetes mounts in Vault will now need to bind ACL policies to the requesting pods'
service accounts instead of the provider's service account. spec.parameters.kubernetesServiceAccountPath
is now ignored and will log a warning if set
- The provider now supports mTLS [GH-65]
spec.parameters.vaultCAPem
is now ignored and will log a warning if set. This is a breaking changespec.parameters.vaultTLSClientCertPath
andspec.parameters.vaultTLSClientKeyPath
are newly available options