This is a snapshot of VSecM's documentation at version v0.22.2. Check out the latest version of the documentation.
Changelog
Recent Updates
TBD
[v0.22.2] - 2024-01-14
Added
- Documentation updates.
- Ability to create and update Kubernetes secrets without attaching the secret to a workload. This is useful for legacy use cases, or when you don’t have direct access to the app’s source code or deployment manifests.
[v0.22.1] - 2024-01-11
Added
- Added expiration and “invalid before” dates to secrets.
- Implemented a basic CI automation that runs tests whenever there is a change in the `main` branch. The automation runs unit and integration tests and sends status updates upon failure.
- Upgraded SPIRE and SPIFFE CSI Driver to the latest versions.
- Minor fixes and documentation updates.
[v0.22.0] - 2024-01-08
Added
- Documentation updated, especially around production usage and security.
- Added a `make commit` helper for a better-commits workflow.
- Added a PR template.
- Achieved great progress towards Open SSF Best Practices compliance; reaching 93% of the requirements.
- Added ability to generate random secrets based on a pattern.
- Added ability to export encrypted secrets.
Changed
- BREAKING: Certain environment variables are renamed to be more consistent with the rest of the project. The old variables are not supported anymore; check out the configuration section of the documentation for more details.
- Updated SPIRE, SPIRE Controller Manager, and SPIFFE CSI Driver to the latest versions.
- Moved older versions of the manifests to a `k8s` branch, and older snapshots of documentation to a `docs` branch, to keep the `main` branch clean.
Fixed
- Fixes on workflow scripts to have a more streamlined build process and development experience.
- Minor bugfixes and code enhancements.
[v0.21.5] - 2023-12-18
Changed
- BREAKING: Environment variables related to SPIFFE IDs are renamed, e.g. from `VSECM_SENTINEL_SVID_PREFIX` to `VSECM_SENTINEL_SPIFFEID_PREFIX`.
Added
- Documentation updates on security, production installation recommendations, and `kind` cluster usage for development.
- Minor code enhancements.
Security
- Fixed CVE-2023-48795: Russh vulnerable to Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC.
[v0.21.4] - 2023-11-30
This patch release includes one security update, a minor refactoring, and documentation updates.
Security
- This is a patch release to address GHSA-2c7c-3mj9-8fqh: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.
[v0.21.3] - 2023-11-03
Added
- Started experimental work on multi-cluster secret federation.
- Various documentation updates.
- Automated Kubernetes manifest creation from Helm charts.
Security
- Fixed GHSA-m425-mq94-257g: gRPC-Go HTTP/2 Rapid Reset vulnerability.
[v0.21.2] - 2023-10-18
This is a purely security-focused release that fixes several vulnerabilities and also hardens the AES encryption flow against time-based attacks.
Security
- Fixed CVE-2023-3978: Improper rendering of text nodes in golang.org/x/net/html.
- Fixed CVE-2023-39325: HTTP/2 rapid reset can cause excessive work in net/http.
- Fixed CVE-2023-44487: swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack.
- Fixed an issue with possible memory overflow when doing a cryptographic size computation.
- Added a configurable throttle to AES IV computation to make it harder to perform time-based attacks.
- The computed AES IV is zeroed out after use for additional security.
[v0.21.1] - 2023-10-11
Added
- Fixed `spire-controller-manager`'s version. The older setup was pinned to `nightly`, which was causing ad-hoc issues.
Changed
- Performance update: VSecM Sentinel now honors `SIGTERM` and `SIGINT` signals and gracefully shuts down when the pod is killed.
- Performance update: VSecM Safe now leverages several goroutines to speed up some of the blocking code paths during bootstrapping and initialization.
- Minor updates to the documentation.
Security
- VSecM Safe has stricter validation routines for its identity.
- Added VSecM Keygen: a utility application that generates VSecM Safe's bootstrapping keys, for when you want an extra level of security and control over the creation of the root key.
[v0.21.0] - 2023-09-08
Added
- Documentation updates to make the project align with the current status of VSecM.
- Migrated existing Aegis documentation to the new VMware Secrets Manager documentation site.
- Updated contributing guidelines to make it easier for first-time contributors.
- Published a formal project governance model.
- Added a blog section to the website.
- Decided to add a new Helm chart for each release.
- Added instructional video content to the showcase section.
Fixed
- Minor bugfixes after migration; ensuring feature and behavior parity with Aegis.
- Implemented stricter matchers for VSecM Sentinel's and VSecM Safe's `Identity.yaml` files.
Security
- Updated the security policy, clarifying our ideal response time for security vulnerabilities.
- Fixed a minor vulnerability in the `activesupport` dependency (CVE-2023-38037; fixed via Dependabot). The vulnerability affects only the website build process, not the VSecM codebase itself. It is not exploitable in our case, but we still wanted to fix it.
[v0.20.0] - 2023-07-27
Added
- Migrated the source code from https://github.com/shieldworks/aegis to https://github.com/vmware-tanzu/secrets-manager
- Made the changes necessary for the project to build and pass tests.
- Created new container image repositories at https://hub.docker.com/u/vsecm.
Changed
- Minor changes to build and deployment scripts.
- BREAKING: The binary that `vsecm-sentinel` uses is now called `safe` (formerly it was `aegis`).