v0.23.2
Added
- VSecM Sentinel can now act as an OIDC Resource Server (experimental). This
feature is disabled by default and can be enabled by an environment variable.
When you enable it, you should also ensure the security of the OIDC Server,
as breaching it will give direct access to VSecM. This feature changes the
attack surface of the system and should be implemented only if you are
extremely sure of what you are doing.
- Documented all public methods in the codebase. This will help contributors
understand the codebase better and make it easier to contribute.
- We now have an official “VSecM Inspector” container image that can be used
to inspect the secrets bound to workloads without having to shell into
the workloads. This is especially helpful when you want to debug a workload’s
secrets without needing to uninstall or change the source code of the workload.
- Unit tests to increase coverage.
Changed
- We now have a Go-based integration test suite instead of the former bash-based
one. This change makes the tests more reliable and easier to maintain, and it
lets us leverage the Go language’s powerful primitives to keep the tests
readable, maintainable, and scalable.
- VSecM components now have sensible “memory” lower limits in the Helm charts.
Before, this was left for the end user to decide; now we provide a starting
point while encouraging users to run their own benchmarks and update the
resource limits to their production needs.
- Updated the log level of all VSecM components to the highest (7, TRACE).
This setting helps VSecM users diagnose and debug potential installation
issues during initial deployment. Once you are sure that things work as
expected, you are encouraged to change the log level to a more sensible
value (such as 3, DEBUG).
- Refactorings to make the code easier to follow.
Fixed
- VSecM Sentinel’s “Init Command” loop had a logic error that was preventing the
initialization command from functioning under certain edge conditions. It’s now
fixed.
Security
- Updated SPIRE Server, SPIRE Client, and SPIRE Controller Manager images to
their latest version.
- Increased the Go version to the recent stable.
- Fixed CVE-2024-28180: Go JOSE vulnerable to Improper Handling of Highly
Compressed Data.
Check out the changelog for a human-readable summary of what has happened so far.
Below are the generated release notes of every commit since the last release cut:
What's Changed
- v0.23.0 by @v0lkan in #583
- 0.23.0 by @v0lkan in #584
- Enable Golang-based Integration Tests by @v0lkan in #590
- Add Resource Limits to Helm Charts by @v0lkan in #594
- 0.23.1 helm charts by @v0lkan in #595
- 0.23.2 by @v0lkan in #597
- refactor: go version increased and name changed in test-coverage.yaml by @marikann in #593
- feat: Add FreeForm format handling by @marikann in #591
- 🛡️ security(SPIRE): Upgrading spire images for latest release by @abhishek44sharma in #604
- chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @dependabot in #603
- Add VSecM Inspector as a Utility App by @v0lkan in #605
- 404 create service sentinel by @sahinakyol in #592
- v0.23.2 by @v0lkan in #608
Full Changelog: v0.23.0...v0.23.2