Stable release. Adds watching specific namespaces (see v1.0.2-rc.1) and some minor fixes.
- Deleting a `SecretDefinition` hangs if the corresponding secret does not exist.
- Invalid metric names in README
- Unused prometheus metrics `secrets_manager_controller_update_secret_errors_total` and `secrets_manager_controller_last_updated`
Stable release
Release Candidate 1
- `SecretDefinitions` created via `CustomResourceDefinitions`
- If the `SecretDefinition` gets deleted, the corresponding secret will be removed too.
- New zap logger based on controller-runtime project. Use `-enable-debug-log` to get a more verbose output.
- ConfigMaps won't be supported to define secrets, so all the relevant configmap flags won't work.
- `log.format` and `log.level` flags won't work anymore, as we have changed the logger to adapt to the controller-runtime project. Use `-enable-debug-log` to get a more verbose output.
- `config.backend-scrape-interval` no longer works as we check the backend state on every reconcile event. Use `reconcile-period` instead.
- `listen-address` removed in favor of `metrics-addr`
- Enable Vault AppRole auth method and `secrets-manager` will try to re-login every time it fails to fetch the token. This will make `secrets-manager` more resilient to issues connecting to Vault that potentially caused the token to expire.
- New `secrets_manager_login_errors_total` Prometheus metric.
- Token based login won't be supported, as re-login with an invalid token won't make `secrets-manager` self-heal.
- This makes this new version not backward compatible with previous v0.2.0
Stable
- New `secrets_manager_vault_max_token_ttl` metric, so a user could alert based on this and `secrets_manager_token_ttl`
- New `secrets_manager_secret_last_sync_status` metric, that shows whether the secret succeeded or not in the last synchronization iteration
- Backend timeout not properly set through flags
- Deprecates `secrets_manager_vault_token_expired` metric as it was quite confusing since it's not really possible for `secrets-manager` to know when the token is expired, just when it's "close to expire".
- Renames counter metrics to follow the Prometheus naming standard with the `_total` suffix instead of `_count`.
- Simplifies prometheus token renewal metrics by merging `secrets_manager_vault_token_lookup_errors_count` and `secrets_manager_vault_token_renew_errors_count` into one single metric `secrets_manager_vault_token_renewal_errors_total` with one more dimension called `vault_operation` which will be one of `lookup-self`, `renew-self`, `is-renewable`.
- Enable prometheus metrics
- `cfg.backend-timeout` flag to specify a connection timeout to the secrets backend.
- `listen-address` flag to specify the listen address of the HTTP API
- Bad return condition in startTokenRenewer, so token lookup won't happen in case of a token revoked.