Calendar Favorite 1 Streamline Icon: https://streamlinehq.com  Mark Your Calendars: The next VSecM Contributor Sync will be on... Thursday, 2024-08-30 at 8:00am Pacific time.
Rating Star 1 Streamline Icon: https://streamlinehq.com  Star VMware Secrets Manager to show your support. Help us reach out to even more people with this amazing tech.

VSecM Changelog

Link Recent Updates

  • Removed useClusterSpiffeIds and useSpireControllerManager from helm charts options. SPIRE helm charts use SPIRE Controller Manager, and disabling it is nontrivial. Also, ClusterSPIFFEIDs are the best way to manage SPIFFEIDs in a Kubernetes cluster. — If we find a use case where these options are necessary, or if there is a need from the community, we can modify the code to let SPIRE install without SPIRE Controller Manager and bring those flags back.
  • Optimized the build pipeline, reducing the build time by 60%.
  • Removed bundle endpoints from SPIRE manifests. We don’t use them anywhere. If there is a need, we can bring them back. Note that this also impacts the experimental “federation” feature. Federation can still be enabled by manually editing the SPIRE Server and SPIRE Agent configmaps. Later, we’ll have a cross-cluster replication feature where we will introduce these bundle endpoints using a hub-spoke topology in a more controlled manner.
  • Introduced new Architecture Decision Records (ADRs) as drafts. These ADRs will be reviewed and finalized in the upcoming releases.

Link [0.26.1] - 2024-07-07

Link Added

  • VMware Secrets Manager Helm charts now have the ability to generate RedHat OpenShift compatible manifests. You’ll need to set global.enableOpenShift to true to use this feature. It is false by default because it introduced OpenShift-specific security rules that other clusters will not interpret properly.
  • Introduced new images spireHelperBash, spireHelperKubectl, openShiftHelperUbi9 to help and streamline SPIRE deployment and harden its security by mutating webhook configurations and other security attributes post-install.
  • Increased unit tests coverage. Our first target is 50%, and we are aiming to reach there one unit test at a time.
  • Documentation updates.

Link Changed

  • BREAKING: We have made significant updates in the VSecM SPIRE helm charts to align them with the official upstream SPIFFE helm-charts-hardened project. This means, VSecM users will need to add className: "vsecm" to their workload SPIFFEID for the workloads to get their SVIDs.
  • BREAKING: The default SPIRE Agent socket is renamed to spire-agent.sock instead of agent.sock. If you are using VSecM SDK or VSecM Sidecar this change is transparent; however if you are manually consuming the SPIRE Agent socket, you’d need to change your code to listen to the new socket.
  • SPIRE Server and SPIRE Agent configuration values in the ConfigMaps are now in JSON form to align with helm-charts-hardened.
  • SPIRE Server Service is now serving from the standard TLS port 443.
  • Updated SPIRE-related dependencies to their recent stable versions.
  • Updates in the exponential backoff algorithm to make it more robust.
  • Certain environment variables changed, the changes have not reflected to the documentation by the time of this release note. We will update the documentation shortly. In the meantime, when in doubt, take source code as the authoritative reference for variable naming. Helm charts will also contain the correct environment variable names and default values.
  • Other refactorings in the codebase to improve performance. The changes do not change the behavior or introduce any new behavior.

Link Security

  • SPIRE Server is now in its own namespace (to benefit from the security of namespace isolation) and also has a restricted pod security audit with a read-only file system and an unprivileged non-root account.
  • Other security enhancements especially focused around SPIRE.

Link Fixed

  • Several minor bugfixes and regressions.

Link [0.26.0] - 2024-06-28

Link Added

  • Added the ability to have regex-based SPIFFE ID matchers.
  • Enabled stricter validation on SPIFFE IDs to reduce configuration errors.
  • Added ability to optionally use multiple worker nodes for the development clusters.
  • Introduced helm-docs to automatically augment the documentation with the Helm chart’s values.yaml.
  • Added the ability to deploy VSecM without SPIRE Controller Manager. In this mode, the operator will need to manually create SPIRE Server registration entries.
  • Added the ability to not create ClusterSPIFFEIDs for the VSecM components automatically. In this mode, the operator will need to manually create those required ClusterSPIFFEIDs.
  • Ability to use regexes for SPIFFEID prefix matching.
  • Ability to use a custom trust domain.
  • Ability to Use Regex-Based Validation for Sentinel, Safe, and Workload SPIFFE IDs.
  • Code cleanup and refactoring.
  • Random secret generator can now generate symbols too, along with numbers and letters.
  • Created a ./lib folder to hold common code that can be shared across different components, or even be imported by external applications.
  • Stability: Enhancements in liveness and readiness probes for VSecM components. This change ensures that the components are more resilient and reliable.
  • Enable Istio-style SPIFFE IDs; custom namespaces, and custom trust domains.

Link Changed

  • Lots of documentation updates to reflect the recent changes in the project.
  • Replaced github.com/pkg/errors with the native errors package to reduce the number of dependencies and the codebase more secure and maintainable.
  • Updates to the exponential backoff algorithm.
  • Enhancements to speed up build time.
  • Rephrased the “Problem reading secret” error message to be more informative. The message ought to have been a notification, not an error because it regularly happens during cache misses. Fixed the wording to indicate there is no need to panic.
  • We started using zola for the documentation website. This change makes the documentation website faster, more accessible, and easier to navigate and follow.

Link Security

  • Stricter workload validation: Workload validation now panics if the SPIFFE ID does not have the proper trust domain or is badly formatted.

Link [0.25.3] - 2024-05-17

Link Changed

  • Removed some configuration options including VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET because how the root key will be updated will be depending on backing store implementation. And it does not make sense for an operator updating the root key in memory but not updating the backing Kubernetes secret. That could bring inconsistencies to the system.
  • Removed VSECM_SAFE_REMOVE_LINKED_K8S_SECRETS since we have long deprecated and removed the -k flag that was dealing with the linked Kubernetes secrets. Again, future behavior will be contingent upon the backing store plugins that will be implemented.
  • Removed Kubernetes secrets deletion queue because we do not link Kubernetes secrets to workloads anymore. Deletion of ad-hoc VSecM-generated Kubernetes Secrets will be handled by upcoming configuration options. Right now, VSecM Safe can only create and update, but not delete Kubernetes Secrets.
  • Stability improvements, including adding “exponential backoff“s to places where requests can be retried before giving up; also letting the apps crash (and be re-crated by the scheduler) if certain critical requests fail even after a fair amount exponentially-backed-off of retries (10 by default).
  • An entire overhaul of the documentation website: It is now faster, more accessible, more usable, easier to navigate and follow.
  • Refactorings and improvements across the entire codebase.

Link Added

  • Added an experimental Java SDK. The keyword here is: experimental; we do know that it does not work out-of-the box, so we are not providing any documentation yet: Feel free to join our Slack channel to learn more about how best you can use it.
  • Introduced Architectural Decision Records
  • Added app.kubernetes.io/operated-by labels to the VSecM-managed Kubernetes Secrets to make it easier to identify the components that are managed by VSecM.

Link [0.25.2] - 2024-05-06

This release introduced many structural changes. The functionality remains the same, but the codebase is more organized and easier to maintain. We had to temporarily disable some of the unit tests to make the release happen on time. We will re-enable them before the next release.

Link Changed

  • Simplified audit journaling
  • Refactoring and code organization
  • Now helm-chart can deploy VSecM and SPIRE to any namespace, before it had to be vsecm-system and spire-system respectively.
  • removed “backing store” from secret meta info; backing store will be set at a global level.
  • removed -b (backing store) flag from VSecM Sentinel’s CLI too.
  • Added certain useful methods from internal packages to the core package to make it more reusable. These functionalities may be part of the SDK too, later.
  • Organized imports and functions according to the project standards.
  • Renamed certain modules and functions for clarity.
  • Introduced certain environment variables whose functionalities will be implemented later.
  • updated helm charts, removed hard coded namespace references from service URLs.

Link [0.25.1] - 2024-04-26

This was a stability and reliability release. We have made several improvements to VSecM Sentinel, helm charts, and Kubernetes manifests to make the system more reliable and resilient.

Link Changed

  • Converted VSecM Safe and SPIRE Server to StatefulSets (because they are stateful).
  • VSecM Sentinel “init command” loop now exits the container if it cannot execute commands after exponential backoff. The former behavior was to retry forever, and that was not a cloud-native way of handling the situation. Panicking early and thus killing the pod fixed issues with things like persistent volumes and CSI drivers.

Link Fixed

  • Minor bug fixes in the VSecM Sentinel init command workflow.

Link [0.25.0] - 2024-04-24

Link Added

  • Documentation updates.
  • Added liveness and readiness probes to SPIRE Server and SPIRE Agent.
  • Added pod priority classes to SPIRE Server, SPIRE Agent, and VSecM pods to ensure that VSecM components are prioritized and maintained in the event of resource constraints.
  • VSecM Sentinel Init Commands can now wait a configurable amount of time before running. This feature is useful when you want to delay the execution of the init commands to ensure that other components are ready.
  • VSecM Sentinel can now wait before marking Init Commands as successful. This feature is useful when you want to delay the readiness of VSecM Sentinel until other components are ready.
  • VSecM Sentinel Init Command can now parse and understand all VSecM Sentinel commands.
  • Added Generated protobuffer files into the source code for ease of maintenance.

Link Changed

  • Removed the tombstone feature, we use VSecM Keystone instead of tombstone, which is more reliable, secure, and under our control.
  • Reliability improvements in VSecM Sentinel. For example, VSecM Sentinel does not wait forever in a loop for VSecM Safe to be ready. Instead, it crashes after a grace period, and the orchestrator can restart it in a more cloud-native way.
  • SPIRE Server is now a StatefulSet by default instead of a Deployment. This change ensures that SPIRE Server has a stable identity across restarts.
  • VSecM Keystone, and VSecM Keystone secrets are being used instead of tombstone.
  • Various other stabilization improvements.

Link Fixed

  • Minor bug fixes and feature enhancements.

Link Security

Link [v0.24.1] - 2024-03-31

Link Added

  • Added 4 new use cases to the documentation.

Link Fixed

  • VSecM Sentinel was not honoring the tombstone secret, now it is fixed.

Link [v0.24.0] - 2024-03-28

Link Added

  • Kickstarted SDK work for Java.
  • VSECM_MANUAL_ROOT_KEY_UPDATES_K8S_SECRET environment variable added for giving an option to updating internal k8s secrets when manual root key provided.
  • Added additional logs to VSecM Sentinel to help with debugging.

Link Fixed

  • Quickstart guide on the website was not working as expected, now it is fixed.

Link [v0.23.3] - 2024-03-24

Link Added

  • Added the Helm charts the ability for SPIRE Server to use Persistent Volumes for its data.
  • Introduced VSecM Keystone a workload that waits until all the “init commands” that VSecM Sentinel runs are completed. This feature is useful, especially when an orchestrator watches for the readiness of VSecM Keystone to bring up other workloads that depend on the secrets that VSecM Sentinel initializes.
  • Now, one secret can be associated with multiple workloads in multiple namespaces. This feature is useful when you want to share a secret across multiple workloads in different namespaces.
  • Added image pull secrets to SPIRE Server and SPIRE Agent Helm charts.
  • Added Kampus Discord Server as a welcoming and supporting community for VSecM users and contributors. This is an additional community that augments the official Slack workspace. The Slack workspace is still the primary community for VSecM. Kampus is a global community; however, its core audience is Turkish-speaking people. The community is open to everyone.
  • By adding Kampus as a supported community, we aim to:
    • Acknowledge and express gratitude for the Kampus community’s ongoing support and contributions.
    • Facilitate a more integrated and cohesive ecosystem for current and future contributors.
    • Enhance accessibility for new contributors seeking guidance or looking to engage with the project community.
    • Foster a diverse and inclusive environment where all members can share, learn, and contribute to the project’s success.

Link Changed

  • BREAKING: Removed the -k flag from Sentinel, as the k8s: prefix was a better way that does an identical job. This change also simplified the internal workings of VSecM Safe, making it more efficient, reliable, and easier to maintain.
  • VSecM documentation now has a dark mode for better readability. In addition, the typography and layout of the documentation have been improved for a more consistent and user-friendly experience.

Link Fixed

  • Integration tests were failing, now they are fixed.
  • Various minor bugfixes.
  • Performance improvements and asset cleanup in the documentation website.

Link Security

  • SPIRE Server Helm charts was using NodePort; we defaulted it to the more secure ClusterIP in the Helm charts.

Link [v0.23.2] - 2024-03-13

Link Added

  • VSecM Sentinel can now act as an OIDC Resource Server (experimental). This feature is disabled by default, and can be enabled by an environment variable. When you enable it, you should also ensure the security of the OIDC Server as breaching it will give direct access to VSecM. This feature changes the attack surface of the system and should be implemented only if you are extremely sure of what you are doing.
  • Documented all public methods in the codebase. This will help contributors to understand the codebase better and make it easier to contribute.
  • We now have an official “VSecM Inspector” container image that can be used to inspect the secrets bound to workloads without having to shell into the workloads. This is especially helpful when you want to debug a workload’s secrets without needing to uninstall or change the source code of the workload.
  • Unit tests to increase coverage.

Link Changed

  • We now have a Go-based integration test suite instead of the former bash-based one. This change makes the tests more reliable and easier to maintain, while we can leverage the Go language’s powerful primitives to make the tests readable, maintainable, and scalable.
  • VSecM components have sensible “memory” lower limits in helm charts (before it was left for the end-user to decide, now we provide a starting point while encouraging the user to do their own benchmarks to update the resource limits to their production needs.)
  • Updated the log level of all VSecM components to the highest (7, TRACE). This setting is to help VSecM users to diagnose and debug potential installation issues during initial deployment. Once you are sure that things work as expected, you are encouraged to change the log level to a more sensible value (like, 3, DEBUG).
  • Refactorings to make the code easier to follow.

Link Fixed

  • VSecM Sentinel’s “Init Command” loop had a logic error that was preventing the initialization command to function under certain edge conditions. It’s now fixed.

Link Security

Link [v0.23.0] - 2024-03-01

Link Added

  • VSecM Sentinel now waits for VSecM Safe to be ready before running init commands.
  • Documentation updates and code refactoring.
  • Updated dependencies for better security.
  • Updated Go version to 1.22.0–the latest stable version.

Link [v0.22.5] - 2024-02-26

Link Added

  • Provisioned an public ECR registry to deploy and test VSecM on EKS.
  • Added a GitHub Actions workflow to generate a test coverage badge, and coverage reports.
  • Added the ability to use a persistent volume for VSecM Safe.

Link Changed

  • Bumped SPIRE Server and SPIRE Agent to the latest versions (1.9.0).
  • VSecM Sentinel logs now have a correlation ID to make it easier to trace logs initiated by different requests.
  • Improvements to the logging-and-auditing-related code.
  • Deleting a VSecM Safe “secret” now also deletes the associated Kubernetes secret, if it exists.
  • VSecM Safe now has a more robust retry strategy for creating and updating Kubernetes secrets.

Link [v0.22.4] - 2024-02-17

Link Added

  • Added the ability to associate multiple namespaces with a single VSecM secret.
  • Added a tombstone feature to VSecM Sentinel, so that when the init commands run to completion, they will not run again if VSecM Sentinel is evicted and restarted.
  • Created an ECR repository to test edge versions of VSecM container images that have not been released yet.
  • Added audit logging capabilities to VSecM Sentinel.

Link Fixed

  • Secrets creation now has a backoff policy and will retry if the first attempt fails.
  • VSECM_LOG_LEVEL was left at 7 (verbose) in the charts, defaulting to 3 (warn).

Link Changed

  • Moved “VMware, Inc.” from the copyright headers, replacing it with “VMware Secrets Manager contributors”.
  • Default resource limits for Minikube initialization scripts to a more reasonable values for development. These are still configurable via environment variables.

Link Security

Link [v0.22.3] - 2024-02-04

Link Added

  • Added the ability to run init commands during bootstrap to VSecM Sentinel.
  • Added more test cases to the project.
  • Added coverage targets to tests.
  • Added scripts to test the project on a cloud AWS EKS cluster.

Link Fixed

  • Bug fixes and performance improvements.
  • make h and make help had a cosmetic regression, which is now fixed.

Link Changed

  • Upgraded SPIRE Controller Manager to v0.4.1.
  • Documentation updates, especially around establishing a secure production deployment.

Link [v0.22.2] - 2024-01-14

Link Added

  • Documentation updates.
  • Ability to create and update Kubernetes secrets without attaching the secret to a workload. This is useful for legacy use cases, or when you don’t have direct access to the app’s source code or deployment manifests.

Link [v0.22.1] - 2024-01-11

Link Added

  • Added expiration and “invalid before” dates to secrets.
  • Implemented a basic CI automation that runs test whenever there is a change in the main branch. The automation runs unit and integration tests and send status updates upon failure.
  • Upgraded SPIRE and SPIFFE CSI Driver to the latest versions.
  • Minor fixes and documentation updates.

Link [v0.22.0] - 2024-01-08

Link Added

  • Documentation updated, especially around production usage and security.
  • Added a make commit helper for a better-commits workflow.
  • Added a PR template.
  • Achieved great progress towards Open SSF Best Practices compliance; reaching 93% of the requirements.
  • Added ability to generate random secrets based on a pattern.
  • Added ability to export encrypted secrets.

Link Changed

  • BREAKING: Certain environment variables are renamed to be more consistent with the rest of the project. The old variables are not supported anymore. check out the configuration section of the documentation for more details.
  • Updated SPIRE, SPIRE Controller Manager, and SPIFFE CSI Driver to the latest versions.
  • Moved older versions of the manifests to a k8s branch, and older snapshots of documentation to a docs branch to keep the main branch clean.

Link Fixed

  • Fixes on workflow scripts to have a more streamlined build process and development experience.
  • Minor bugfixes and code enhancements.

Link [v0.21.5] - 2023-12-18

Link Changed

  • BREAKING: Environment variables related to SPIFFEID are renamed from i.e. VSECM_SENTINEL_SVID_PREFIX to VSECM_SPIFFEID_PREFIX_SENTINEL.

Link Added

  • Documentation updates on security, production installation recommendations, and kind cluster usage for development.
  • Minor code enhancements.

Link Security

Link [v0.21.4] - 2023-11-30

This patch release includes one security update, a minor refactoring, and documentation updates.

Link Security

Link [v0.21.3] - 2023-11-03

Link Added

  • Started experimental work on multi-cluster secret federation.
  • Various Documentation updates.
  • Automated Kubernetes manifest creation from Helm charts.

Link Security

Link [v0.21.2] - 2023-10-18

This is a purely security-focused release that fixes several vulnerabilities and also hardens the AES encryption flow against time-based attacks.

Link Security

Link [v0.21.1] - 2023-10-11

Link Added

  • Fixed spire-controller-manager’s version. The older setup was fixed on nightly which was causing ad-hoc issues.

Link Changed

  • Performance update: VSecM Sentinel now honors SIGTERM and SIGINT signals and gracefully shuts down when the pod is killed.
  • Performance update: VSecM Safe is now leveraging several goroutines to speed up some of the blocking code paths during bootstrapping and initialization.
  • Minor updates to the documentation.

Link Security

  • VSecM Safe has stricter validation routines for its identity.
  • Added VSecM Keygen: a utility application that generates VSecM Safe’s bootstrapping keys if you want an extra level of security and control the creation of the root key.

Link [v0.21.0] - 2023-09-08

Link Added

Link Fixed

  • Minor bugfixes after migration; ensuring feature and behavior parity with Aegis.
  • Implemented stricter matchers for VSecM Sentinel and VSecM Safe’s Identity.yamls.

Link Security

  • Updated the security policy, clarifying our ideal response time for security vulnerabilities.
  • Fixed a minor vulnerability in activesupport dependency: (CVE-2023-38037). fix; dependabot. The vulnerability affects only the website build process, not the VSecM codebase itself. It is not exploitable in our case, but we still wanted to fix it.

Link [v0.20.0] - 2023-07-27

Link Added

Link Changed

  • Minor changes to build and deployment scripts.
  • BREAKING: The binary that vsecm-sentinel uses is called safe right now (formerly it was aegis).

edit this page ✏️