Releases: channable/vaultenv
v0.17.0 - "Is it secret? Is it safe?"
This release contains some small fixes and dependency changes:
What's Changed
- Fix typo in Forbidden error message by @ruuda in #136
- Use http-client-openssl instead of http-client-tls by @jfroche in #137
- Change ci machine type from e1 to f1 by @d-goncalves in #138
- Nixpkgs update, and crypton-connection upgrade by @ErnestKz in #140
New Contributors
Full Changelog: v0.16.0...v0.17.0
v0.16.0 - "I am always right"
This release contains some fixes and minor enhancements, in addition to a new feature.
What's Changed
- Update Nix to 2.10.3 on CI by @adrianotm in #128
- Remove cachix from default.nix by @d-goncalves in #132
- Replace references to nix run with nix shell by @Riscky in #133
- Add a bit more logging at info level by @ruuda in #130
- Allow overwriting over environment variables by @joris-burgers in #135
New Contributors
- @adrianotm made their first contribution in #128
- @d-goncalves made their first contribution in #132
Full Changelog: v0.15.1...v0.16.0
v0.15.1 - "Sharing is caring"
This is a bugfix release to v0.15.0 with one minor change:
- Github- and Kubernetes authentication will now inject the
VAULT_TOKEN
, unless blacklisted. This allows both authentication methods to be used as a complete replacement for the token auth.
v0.15.0 - "A token of my appreciation"
This release adds two new authentication methods to Vaultenv:
- GitHub authentication
- Kubernetes authentication (thanks @ruuda!)
The former is meant to be used in a development environment, and works
with a personal access token. The latter is meant to be used in a
Kubernetes cluster.
This release also updates some dependencies.
v0.14.0 - "It's the little things"
This release fixes some minor issues in Vaultenv:
-
Vaultenv will now enable "line buffering" mode for its output, which prevents issues with log messages getting mixed up or delayed if e.g. running under Systemd or Kubernetes.
This was fixed by @ruuda in #115. -
When printing the configuration with
--log-level info
Vaultenv will now correctly specify the unit for the base delay (milliseconds), where it previously printed an ambiguous plain number.
This was added by @ruuda in #113.
This release also contains fixes to make running the integration tests more reliable / work in more Linux environments.
This was contributed by @ruuda in #114.
v0.13.3 - "Staying Alive"
This release reduces server load while loading large secrets files.
This release should enable connection reuse on the requests to vault. The support for this was technically already in place, but because all requests were sent simultaneously, no actual reuse was done. The new release limits the number of concurrent requests to 8 by default, which can be overridden using the --max-concurrent-requests
option VAULTENV_MAX_CONCURRENT_REQUESTS
environment variable. Setting this value to 0 restores the old behaviour.
In addition, minor improvements were made to the Vault response parser.
v0.13.2 - "Secret Agent"
This release should allow Vaultenv to be used in conjunction with Vault agent.
Requests to vault now have the X-Vault-Request
header set, and the vault token has become an optional parameter. If the parameter is not set, the vault requests are sent without and Vault Agent is expected to add a token using auto auth.
As a result, a misconfiguration regarding missing tokens that would previously be detected locally are now detected by the Vault server instead. Vaultenv should still exit once it receives such a response.
In addition, VAULT_ADDR
is now allowed without port. The port defaults to 80
when the scheme is http://
and 443
when the scheme is https://
.
v0.13.1 - "Owned by me and not by thee"
This release fixes a bug in the provided Debian package.
The packages of 0.13.0 and earlier versions were not built with the fakeroot
utility, which caused the installed package files (/usr/bin/vaultenv
and
/etc/secrets.d/
) to be owned by the local user with uid 1000 instead of by root
.
We've now adjusted the build script to correctly use fakeroot
, the package will
also automatically correct this issue by changing the owner and mode of
/usr/bin/vaultenv
and /etc/secrets.d
when upgrading from an earlier version.
There are no changes to the code of the Vaultenv binary, except for an increase in
the version number.
v0.13.0 - "If at first you don't succeed"
This release fixes a bug in Vaultenv's retry behaviour.
The bug caused Vaultenv to crash immediately if it failed to retrieve
the mount information or a secret from the Vault server, while it was
supposed to retry fetching that information.
If Vaultenv fails to fetch the mount info or one or more secrets it will
now correctly retry fetching that information according to the
configured retry policy. This retry policy is (and was) configurable
with the options --retry-base-delay-milliseconds
/
VAULTENV_RETRY_BASE_DELAY_MS
and --retry-attempts
/
VAULTENV_RETRY_ATTEMPTS
.
Vaultenv will now also redact the used Vault token before outputting an
error message when a secret or the mount info cannot be fetched within
the retry period.
v0.12.0 - "Need to Know"
Vaultenv now supports removing specific variables from the environment before
executing the wrapped command, allowing the user to selectively inherit the
parent environment (instead of completely or not at all).
This behaviour can be enabled by passing the --inherit-env-blacklist
option, setting the VAULTENV_INHERIT_ENV_BLACKLIST
environment
variable, or setting the VAULTENV_INHERIT_ENV_BLACKLIST
option in a
Vaultenv configuration file. The value of the option or variable should
be a list of names of environment variables to remove, separated by
commas.
Vaultenv will remove the variables from the environment of the command to
execute if the variable has a name that exactly matches a name in the
blacklist. Vaultenv will also remove variables retrieved from Vault if the name
of the variable matches a name on the blacklist.
The blacklist has no effect if --no-inherit-env
is used, and the option will
be silently ignored.