v1.3.0

What's Changed

• You can now exclude specific labels and annotations from being reported to the Venafi Control Plane API. For more information, see Configuring annotations.
• You can now configure the Agent to output logs in JSON format using the flag --logging-format=json. By default, the logs in the klog textual format. You can also change the verbosity level using -v.
• Venafi Kubernetes Agent is now able to discover Firefly Routes objects. Due to a bug with the role-based access control in the Helm chart, Venafi Kubernetes Agent was previously unable to discover these two objects (unlike what the logs were saying).

Note that the logging changes introduced in 1.3.0 changed how logs are printed. Like before, the logs are still shown in a textual format by default. But since 1.3.0, the textual format uses Kubernetes' standard textual format rather than Go's standard logging format.

Before:

2024/11/14 13:53:38 Preflight agent version: development ()
2024/11/14 13:53:38 Using the Venafi Cloud Key Pair Service Account auth mode since --client-id and --private-key-path were specified.
2024/11/14 13:53:38 Using period from config 5m0s
2024/11/14 13:53:38 Loading upload_path from "venafi-cloud" configuration.
2024/11/14 13:53:38 error messages will not show in the pod's events because the POD_NAME environment variable is empty
2024/11/14 13:53:38 starting "k8s/namespaces" datagatherer
2024/11/14 13:53:38 starting "k8s/secrets" datagatherer
2024/11/14 13:54:47 server missing resource for datagatherer of "cert-manager.io/v1, Resource=issuers"
W1114 13:54:47.844087   31016 reflector.go:561] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: failed to list networking.istio.io/v1alpha3, Resource=virtualservices: the server could not find the requested resource
2024/11/14 13:54:47 server missing resource for datagatherer of "networking.istio.io/v1alpha3, Resource=virtualservices"
W1114 13:54:48.042893   31016 reflector.go:561] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: failed to list jetstack.io/v1alpha1, Resource=venafiissuers: the server could not find the requested resource
2024/11/14 13:53:38 successfully gathered 7 items from "k8s/namespaces" datagatherer
2024/11/14 13:53:38 successfully gathered 5 items from "k8s/secrets" datagatherer
2024/11/14 13:53:38 Posting data to: https://api.venafi.cloud/
2024/11/14 13:53:39 Data sent successfully.

After:

I1114 13:52:48.941205   30246 run.go:59] "Starting" logger="Run" version="development" commit=""
I1114 13:52:48.941655   30246 config.go:404] "Using the Venafi Cloud Key Pair Service Account auth mode since --client-id and --private-key-path were specified." logger="Run"
I1114 13:52:48.941666   30246 config.go:540] "Using period from config" logger="Run" period="5m0s"
I1114 13:52:48.941680   30246 config.go:767] "Loading upload_path from \"venafi-cloud\" configuration." logger="Run"
I1114 13:52:48.941880   30246 run.go:117] "Healthz endpoints enabled" logger="Run.APIServer" addr=":8081" path="/healthz"
I1114 13:52:48.941889   30246 run.go:121] "Readyz endpoints enabled" logger="Run.APIServer" addr=":8081" path="/readyz"
E1114 13:52:48.943810   30246 run.go:269] "Error messages will not show in the pod's events because the POD_NAME environment variable is empty" logger="Run"
W1114 13:54:48.042893   31016 reflector.go:561] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: failed to list jetstack.io/v1alpha1, Resource=venafiissuers: the server could not find the requested resource
W1114 13:54:48.042893   31016 reflector.go:561] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: failed to list jetstack.io/v1alpha1, Resource=venafiissuers: the server could not find the requested resource
I1114 13:52:49.655153   30246 run.go:409] "Data sent successfully" logger="Run.gatherAndOutputData.postData"

Full Changelog: v1.2.0...v1.3.0

v1.2.0

What's Changed

• You can now better diagnose issues with the Venafi Kubernetes Agent by looking at the Kubernetes events attached to its pod (#589)
• The Venafi Kubernetes Agent now compresses its requests made to the Venafi Control Plane API, reducing the network traffic by 90% (#594)

Full Changelog: v1.1.0...v1.2.0

v1.1.0

• The agent now reports the annotations and labels of namespaces and secrets. (#581, #582)
• The agent now exposes readiness and liveness probes. (#580)

• In Venafi Cloud Key Pair Service Account mode, you can now omit the server field in the configuration file. It defaults to the URL https://api.venafi.cloud. If you are in the european region, you still need to set server: https://api.venafi.eu field in the configuration file. (#575)

• It is now possible to use the --period flag without also giving the period field. (#575)
• Helm chart values are now validated to alert you if they contain errors to help you quickly identify typos in fields. (#556)
• The "unauthenticated mode" has been removed as it made it hard to diagnose mismatched authentication flags. For example, using --venafi-cloud without --credentials-file/-k used to not show any error and the Agent would happily start. Now, if you don't provide the right set of authentication flags, the Agent will show a helpful message explaining how the authentication flags can be used. (#575)
• The --help has been re-written to help understanding how authentication flags interact with each other. (#575)
• You can no longer use --private-key-path along with --credentials-path. Previously, --private-key-path would be ignored if --credentials-path was provided. Now, the two options are mutually exclusive and a helpful message is shown when trying to use both. (#575)
• The flag --private-key-path now defaults to the empty string. It previously defaulted to /etc/venafi/agent/key/privatekey.pem and the flag was omitted from the deployment manifest, which was confusing to users trying to understand how this private key was being configured. A helpful message is now shown when trying to run --client-id without --private-key-path. (#575)
• The field uploader_id in the configuration file is deprecated. Setting this field will no longer do anything. A warning is now shown when using this field. The reason this field was deprecated is that it was never used by the Venafi Cloud API. Behind the scenes, the uploader_id is arbitrarily set to no so that the API doesn't complain. (#575)
• The binary's size has been reduced from 72 MB down to 55 MB. (#556)
• The Docker image is now built using cert-manager's base image based on apko's alpine image using ko. As a result, the binary's location in the image is now located at /ko-app/preflight instead of /bin/preflight. (#556)

v1.1.0-alpha.0

What's Changed

• The agent now reports the annotations and labels of namespaces and secrets. (#581, #582)
• The agent now exposes readiness and liveness probes. (#580)

• In Venafi Cloud Key Pair Service Account mode, you can now omit the server field in the configuration file. It defaults to the URL https://api.venafi.cloud. If you are in the european region, you still need to set server: https://api.venafi.eu field in the configuration file. (#575)

• It is now possible to use the --period flag without also giving the period field. (#575)
• Helm chart values are now validated to alert you if they contain errors to help you quickly identify typos in fields. (#556)
• The "unauthenticated mode" has been removed as it made it hard to diagnose mismatched authentication flags. For example, using --venafi-cloud without --credentials-file/-k used to not show any error and the Agent would happily start. Now, if you don't provide the right set of authentication flags, the Agent will show a helpful message explaining how the authentication flags can be used. (#575)
• The --help has been re-written to help understanding how authentication flags interact with each other. (#575)
• You can no longer use --private-key-path along with --credentials-path. Previously, --private-key-path would be ignored if --credentials-path was provided. Now, the two options are mutually exclusive and a helpful message is shown when trying to use both. (#575)
• The flag --private-key-path now defaults to the empty string. It previously defaulted to /etc/venafi/agent/key/privatekey.pem and the flag was omitted from the deployment manifest, which was confusing to users trying to understand how this private key was being configured. A helpful message is now shown when trying to run --client-id without --private-key-path. (#575)
• The field uploader_id in the configuration file is deprecated. Setting this field will no longer do anything. A warning is now shown when using this field. The reason this field was deprecated is that it was never used by the Venafi Cloud API. Behind the scenes, the uploader_id is arbitrarily set to no so that the API doesn't complain. (#575)
• The binary's size has been reduced from 72 MB down to 55 MB. (#556)
• The Docker image is now built using cert-manager's base image based on apko's alpine image using ko. As a result, the binary's location in the image is now located at /ko-app/preflight instead of /bin/preflight. (#556)

Full Changelog: v1.0.0...v1.1.0-alpha.0

v1.0.0

What's Changed

• You can now use the VenafiConnection CRD to authenticate to Venafi Control Plane. With the VenafiConnection CRD, you can choose to authenticate using a Workload Identity Federation service account ("secretless"). (#552, #559)
• The memory usage of Venafi Kubernetes Agent has been reduced by excluding Helm release Secrets and some standard Secret types. You can configure the ignored types with the Helm value config.ignoredSecretTypes. (#554)
• The configuration manifest is no longer dumped on startup, uncluttering the logs. (#564)

New Contributors

• @inteon made their first contribution in #558

Full Changelog: v0.1.49...v1.0.0

v0.1.49

What's Changed

• An error preventing the Venafi Kubernetes Agent deployment on Red Hat OpenShift clusters has been resolved. The error "runAsUser: Invalid value: 1000" is no longer encountered. By @ThatsMrTalbot in #546
• You no longer have to scroll up in the logs to find out why the agent pod has crashed. The last log line before the process exits now shows the reason for giving up. By @james-w in #537
• The Helm chart venafi-kubernetes-agent has been improved:
  • When a proxy for outbound connections to api.venafi.cloud or api.venafi.eu is required, and the proxy uses a certificate issued by a private certificate authority, you can now add the certificate authority to a custom CA bundle that will be trusted by the agent. The Helm chart now supports specifying volumes and volume mounts to streamline this process. By @maelvls in #543
  • The Helm chart has been enhanced to allow users to control the metrics settings. For more information, see the {{ven}} {{k8s}} Agent Helm values reference page. By @wallrj in #544
  • Following best practices, the default CPU limit for the Venafi Kubernetes Agent pod has been removed. This allows for more dynamic resource allocation by Kubernetes. By @wallrj in #539
• The Helm chart for jetstack-secure has also been improved:
  • You can now set volumes and volumeMounts when using the jetstack-agent Helm chart. By @hawksight in #540
  • The jetstack-secure Helm chart version has been bumped to 0.4.0. By @hawksight in #542

New Contributors

• @james-w made their first contribution in #537
• @ThatsMrTalbot made their first contribution in #546

Full Changelog: v0.1.48...v0.1.49

v0.1.48

What's Changed

• feat(httpproxy): Update chart to support httproxy by @tfadeyi in #535
• chore: Prepare for 0.1.48 release by @tfadeyi in #536

Full Changelog: v0.1.47...v0.1.48

v0.1.47

What's Changed

• Helm: the namespace was missing in the configmap, deployment, and serviceaccount templates by @maelvls in #526
• fix/vc-31703-agent-memory-startup-spikes by @mol-george in #525
• chore: Update the chart to 0.1.47 by @tfadeyi in #527

New Contributors

• @maelvls made their first contribution in #526

Full Changelog: v0.1.46...v0.1.47

v0.1.46

What's Changed

• feat(helm): Add PodDisruptionBudget option to helm chart by @SgtCoDFish in #516
• Use agent image in the venafi repository by @tfadeyi in #517
• Add missing labels for VEI clusterrole / binding by @SgtCoDFish in #521
• Update helm chart version by @tfadeyi in #522

New Contributors

• @SgtCoDFish made their first contribution in #516

Full Changelog: v0.1.45...v0.1.46

v0.1.45

What's Changed

• Prepare v0.1.45 release by @tfadeyi in #511

Full Changelog: v0.1.44...v0.1.45