Releases: jetstack/jetstack-secure
Releases · jetstack/jetstack-secure
v1.7.1
v1.7.1
This tag was signed with the committer’s verified signature.
wallrj-cyberark
Richard Wall
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.1
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.1
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.1
ARK_IMAGE_DIGEST: sha256:b63bfa7eb45302be214e7f408aff70aa15221105ced934e95c2faf83e65aa0af
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.1
ARK_CHART_DIGEST: sha256:2d0ff2fd142e2f84541bd228591f1133b5b0604c7bedbecc839964696c0b49e0
What's Changed
This is a patch release with a small change to the CyberArk disco-agent, to filter out deleted Secret resources from the data which it uploads to the CyberArk Discovery and Context API because that data is not needed by the backend.
This release also contains various changes to the venafi-kubernetes-agent Helm chart documentation, related to the rebranding of Venafi to CyberArk product names.
Finally, this release contains extended debug logging, as a result of updating to the latest version of venafi-connection-lib, to help customers and support engineers diagnose problems with VenafiConnection based authentication in the field.
- [VC-46370] CyberArk: Skip deleted resources when converting data readings to snapshot by @wallrj-cyberark in #741
- [VC-45018] Improve consistency of contextual information in cert-components by @iossifbenbassat123 in #739
- [VC-46486] Update venafi-connection-lib to v0.5.1 by @wallrj-cyberark in #742
New Contributors
- @iossifbenbassat123 made their first contribution in #739
Helm Chart Changes
$ diff -u <(helm template oci://quay.io/jetstack/charts/venafi-kubernetes-agent --version v1.7.0 | fgrep -v -e helm.sh/chart -e app.kubernetes.io/version) <(helm template oci://quay.io/jetstack/charts/venafi-kubernetes-agent:v1.7.1 | fgrep -v -e helm.sh/chart -e app.kubernetes.io/version)
Pulled: quay.io/jetstack/charts/venafi-kubernetes-agent:v1.7.1
Pulled: quay.io/jetstack/charts/venafi-kubernetes-agent:v1.7.0
Digest: sha256:94782809893d1ad0e815054216bb77f41a97c9db9941da5743034fffd327ed4c
Digest: sha256:2776ca45271676dbfee30cbec69063faaef66c51081a56f0df249c20ba6d954e
--- /dev/fd/63 2025-11-04 12:20:32.541652736 +0000
+++ /dev/fd/62 2025-11-04 12:20:32.542652733 +0000
@@ -877,7 +877,7 @@
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- image: "quay.io/jetstack/venafi-agent:v1.7.0"
+ image: "quay.io/jetstack/venafi-agent:v1.7.1"
imagePullPolicy: IfNotPresent
env:
- name: POD_NAMESPACEDocker Image Comparison
$ diffoci diff quay.io/jetstack/venafi-agent:v1.7.0 quay.io/jetstack/venafi-agent:v1.7.1 --semantic
INFO[0000] Target platforms: [linux/amd64]
TYPE NAME INPUT-0 INPUT-1
File ko-app/preflight b2453fed97b6041799436821ae56d88e12b272ad373cde0c87af8261dc5f27f5 6d6aaa53e279170a4e42811ca176bf44330eda4acca70740970a657b03082cc0
File licenses/LICENSES eba3b9d98369e17c83a1ee29798b663e14dd9b54bcf720b936127a06f104fed3 b73d0d9af1d810bd33928f92085aa3e97ba79f3cc8f842f65f2be17ad7c7d7bd
Mani ctx:/manifests-0/annotations field "Annotations"
Idx ctx:/annotations field "Annotations"
Full Changelog: v1.7.0...v1.7.1
Contributors
wallrj-cyberark and iossifbenbassat123
Assets 2
v1.7.1-alpha.1
v1.7.1-alpha.1
This tag was signed with the committer’s verified signature.
wallrj-cyberark
Richard Wall
434f5a1
This commit was signed with the committer’s verified signature.
wallrj-cyberark
Richard Wall
A pre-release to test the latest venafi-connection-lib upgrade in #742
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.1-alpha.1
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.1-alpha.1
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.1-alpha.1
ARK_IMAGE_DIGEST: sha256:6b43f206b6087f134e357b7a44936d02a466d30bd1dd08c2b3da351d17b1eb62
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.1-alpha.1
ARK_CHART_DIGEST: sha256:8a6011fe5d93fde6411cbaa358dcc04943ec10d436a5de3acff4d15a1f835e0c
v1.7.1-alpha.0
v1.7.1-alpha.0
This tag was signed with the committer’s verified signature.
wallrj-cyberark
Richard Wall
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.1-alpha.0
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.1-alpha.0
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.1-alpha.0
ARK_IMAGE_DIGEST: sha256:27b5cba92c3a1d697efbb3dd30ad63f21fce913dcdf8ef466835ba9a129f40dc
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.1-alpha.0
ARK_CHART_DIGEST: sha256:0d9f386fb2678d311064df66f16ca16423e532bcd8fdff2cef73106e8c208499
What's Changed
- [VC-46370] CyberArk: Skip deleted resources when converting data readings to snapshot by @wallrj-cyberark in #741
Full Changelog: v1.7.0...v1.7.1-alpha.0
Contributors
wallrj-cyberark
Assets 2
v1.7.0
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.0
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.0
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.0
ARK_IMAGE_DIGEST: sha256:d752c23399c41fc21c42b08451fed264934bbf4175d69f54d66ab91440faa0fa
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.0
ARK_CHART_DIGEST: sha256:4db0e34c80fc3d690f5b2d2bc7c242c11b4f01bf65117b81d20667672b3efa92
What's Changed
This release introduces a new Helm chart for the CyberArk Disco Agent, enhances data collection with additional cluster and secret metadata, and adds new output modes for easier debugging and integration.
Notable Changes
- Add CyberArk Disco Agent Helm chart by @wallrj-cyberark in #678
- Add cluster UID derived from kube-system namespace by @SgtCoDFish in #670
- Add cluster name and description to CyberArk Discovery and Context snapshot by @wallrj-cyberark in #730
- Collect creationTimestamp, deletionTimestamp and resourceVersion metadata for Secret and Route resources by @wallrj-cyberark in #688
- Report Kubernetes Secret immutable attribute to DisCo by @FelixPhipps in #735
- Add Local File output path mode by @wallrj-cyberark in #692
- Add support for MachineHub output mode to the CyberArk agent by @wallrj-cyberark in #696
- Change default agent config period to 12h in values.yaml by @wallrj-cyberark in #720
- Minimize snapshot by filtering non-clientauth TLS secrets by @wallrj-cyberark in #714
- Add debug roundtripper to discovery and identity clients for easier debugging by @wallrj-cyberark in #683
- Fix the version subcommand panic by @mladen-rusev-cyberark in #736
- Fix agent version reporting to handle go module/repo mismatch by @wallrj-cyberark in #733
- Improve DataReading JSON parsing and error handling by @wallrj-cyberark in #710
Non user-facing changes
- Remove jetstack-agent chart and docs by @SgtCoDFish in #672
- Rename cyberark-disco-agent to disco-agent across repo by @wallrj-cyberark in #727
- Deprecate service/discovery API and implement the new one by @mladen-rusev-cyberark in #706
- Refactor various clients (identity, servicediscovery, dataupload) to take an HTTP client by @wallrj-cyberark in #698, #699, #700
- Relocate internal packages and update imports by @wallrj-cyberark in #704
- Automate the e2e script to run in CI by @mladen-rusev-cyberark in #716
- Automate the release process for cyberark-disco-agent by @wallrj-cyberark in #725
- Add telemetry header to all API requests by @wallrj-cyberark in #719
Full Changelog: v1.6.0...v1.7.0
Helm chart changes
--- a/templates/configmap.yaml
+++ b/templates/configmap.yaml
@@ -10,7 +10,7 @@
data:
config.yaml: |-
- cluster_id: ""
+ cluster_name: ""
cluster_description: ""
server: "https://api.venafi.cloud/"
period: "0h1m0s"
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -40,7 +40,7 @@
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- image: "quay.io/jetstack/venafi-agent:v1.6.0"
+ image: "quay.io/jetstack/venafi-agent:v1.7.0"
imagePullPolicy: IfNotPresent
env:
- name: POD_NAMESPACE```
Docker image comparison
$ diffoci diff quay.io/jetstack/venafi-agent:v1.6.0 quay.io/jetstack/venafi-agent:v1.7.0 --semantic
TYPE NAME INPUT-0 INPUT-1
Cfg ctx:/manifests-0/config/config ? ?
File etc/apk/world b005d32b3c6437c7acc3dc372fd377180f028df42e35b8edaece5625828a3934 ccab516202f5c1747c0060362aa9652ccbf52236effcf0663c114e29154fe3fa
File usr/lib/apk/db/installed 066f1509b4133f5021e121da18eda3fc2a37cde6a0260167685d5b3b20efe9c4 1428b7aaf0d79c238df410b03badbd234e2762ec08c80a77dcf95d29e44f992a
File etc/apko.json 19d45daafeeb64b0943af80bca018ad41e0f4d6c389a08dba2d1c8a7a24e41f0 72d190d81d2ab81032d8899690429f1f21ffa1bc78644af134062cee263f8112
File etc/ssl/certs/ca-certificates.crt 756cdfe4c3affc2e460278cc65ab01f67c3f4fc05d43fc683d7ebbdeb644e5f4 657ca6ba4bc43138f89de75fb63794cbfaa897e0e110b069fd1367bd66a5bb6c
File ko-app/preflight 144c10c27ae5fb3dc5974dd4a648d48bd00bf8e29f83fdd3cd95b8093d975b74 b2453fed97b6041799436821ae56d88e12b272ad373cde0c87af8261dc5f27f5
File licenses/LICENSES a808d2a8c423671bc8be51030969d3fd89915e6097e09c0ffc2896a4c3741dc3 eba3b9d98369e17c83a1ee29798b663e14dd9b54bcf720b936127a06f104fed3
Mani ctx:/manifests-0/annotations field "Annotations"
Idx ctx:/annotations field "Annotations"
Contributors
SgtCoDFish, FelixPhipps, and 2 other contributors
Assets 2
v1.7.0-alpha.3
v1.7.0-alpha.3
This tag was signed with the committer’s verified signature.
wallrj-cyberark
Richard Wall
a8f7fe8
This commit was signed with the committer’s verified signature.
wallrj-cyberark
Richard Wall
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.0-alpha.3
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.0-alpha.3
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.0-alpha.3
ARK_IMAGE_DIGEST: sha256:aeed02e2468464ad18932c9b73b9287a1a87c168c10f6c021267ed5924a1af99
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.0-alpha.3
ARK_CHART_DIGEST: sha256:0c92e8b4ac90ebd7490001ce1c3b66b5e0563fcda1480703de887668da0e6b91
What's Changed
- [VC-45349] Rename cyberark-disco-agent to disco-agent across repo by @wallrj-cyberark in #727
Full Changelog: v1.7.0-alpha.2...v1.7.0-alpha.3
Contributors
wallrj-cyberark
Assets 2
v1.7.0-alpha.2
v1.7.0-alpha.2
This tag was signed with the committer’s verified signature.
wallrj-cyberark
Richard Wall
85e9028
This commit was signed with the committer’s verified signature.
wallrj-cyberark
Richard Wall
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.0-alpha.2
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.0-alpha.2
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.0-alpha.2
ARK_IMAGE_DIGEST: sha256:3224e9d1dc2234c14cc660388b125ea6d975169d47b2af799c39f02d9c7d8eec
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.0-alpha.2
ARK_CHART_DIGEST: sha256:7fec8e163bca52434b3991ecb3b55b04875edeffd53435fca865bb3b513b2491
v1.7.0-alpha.1
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.0-alpha.1
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.0-alpha.1
# cyberark-disco-agent
ARK_IMAGE: quay.io/jetstack/cyberark-disco-agent
ARK_IMAGE_TAG: v1.7.0-alpha.1
ARK_IMAGE_DIGEST: sha256:ac710aed72ca82c4094b6c0c239361ab218a011170bb3c60d794ffd87ba72b9d
ARK_CHART: quay.io/jetstack/charts/cyberark-disco-agent
ARK_CHART_TAG: v1.7.0-alpha.1
ARK_CHART_DIGEST: sha256:7f2009f335df8eb2ea42979cf61f0651b23b20eb2f39b56c9c45c3f3bcdafc67
v1.6.0
helm show chart oci://quay.io/jetstack/charts/venafi-kubernetes-agent --version 1.6.0
What's Changed
This release contains the following notable bug fixes and dependency updates:
- Reduce memory usage by removing the Replicaset data gatherer from the default config by @wallrj in #658
- Fix a bug that caused proxy settings to be ignored by @hawksight in #669
golang.org/x/netwas upgraded to address: CVE-2025-22872 by @wallrj in #675- Go was upgraded to v1.24.4 to address: CVE-2025-22874, CVE-2025-0913, and CVE-2025-4673
Non user-facing changes
- make upgrade-klone upgrade-base generate-govulncheck by @wallrj in #657
- feat: Initial work on CyberArk Identity client by @SgtCoDFish in #655
- VC-41203: Allow users to select the Machine Hub mode by @maelvls in #653
- golangci-lint spelling linter fixes by @inteon in #659
- Linter fixes (part 2) by @inteon in #660
- Cleanup: config.go by @inteon in #661
- Cleanup client interface by @inteon in #662
- Use new client-go functions for contextual logging by @inteon in #663
- Quick README cleanup, removing a lot of out of date information by @inteon in #665
- Drop unused Delete() function by @inteon in #667
- Remove parts of API that are not used by @inteon in #666
- Remove unnecessary go dependencies by @inteon in #668
- Add CyberArk client and mock server by @inteon in #664
- chore: manually upgrade makefile-modules by @SgtCoDFish in #671
- Go module upgrades to fix CVE-2025-22872 by @wallrj in #675
- Update Go modules in preparation for releasing 1.6.0 by @wallrj in #676
Helm Chart Changes
--- /dev/fd/63 2025-06-25 15:40:20.799993519 +0100
+++ /dev/fd/62 2025-06-25 15:40:20.799993519 +0100
@@ -62,13 +62,6 @@
resource: deployments
group: apps
- kind: "k8s-dynamic"
- name: "k8s/replicasets"
- config:
- resource-type:
- version: v1
- resource: replicasets
- group: apps
- - kind: "k8s-dynamic"
name: "k8s/statefulsets"
config:
resource-type:
@@ -884,8 +877,25 @@
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- image: "quay.io/jetstack/venafi-agent:v1.5.0"
+ image: "quay.io/jetstack/venafi-agent:v1.6.0"
imagePullPolicy: IfNotPresent
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ - name: POD_NODE
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
args:
- "agent"
- "-c"
@@ -909,23 +919,6 @@
- name: credentials
mountPath: "/etc/venafi/agent/key"
readOnly: true
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_UID
- valueFrom:
- fieldRef:
- fieldPath: metadata.uid
- - name: POD_NODE
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
ports:
- containerPort: 8081
name: http-metricsDocker Image Changes
$ diffoci diff quay.io/jetstack/venafi-agent:v1.5.0 quay.io/jetstack/venafi-agent:v1.6.0 --semantic
INFO[0000] Target platforms: [linux/amd64]
TYPE NAME INPUT-0 INPUT-1
Layer ctx:/manifests-0/layers-0/layer length mismatch (666 vs 669)
Layer ctx:/manifests-0/layers-0/layer name "lib/apk/db" only appears in input 0
Layer ctx:/manifests-0/layers-0/layer name "lib/apk/db/lock" only appears in input 0
Layer ctx:/manifests-0/layers-0/layer name "lib/apk/db/scripts.tar" only appears in input 0
Layer ctx:/manifests-0/layers-0/layer name "lib/apk/db/installed" only appears in input 0
File lib/apk Linkname Linkname ../usr/lib/apk
Layer ctx:/manifests-0/layers-0/layer name "lib/apk/db/triggers" only appears in input 0
Layer ctx:/manifests-0/layers-0/layer name "usr/lib/apk/exec" only appears in input 1
Layer ctx:/manifests-0/layers-0/layer name "usr/lib/apk/db/triggers" only appears in input 1
Layer ctx:/manifests-0/layers-0/layer name "usr/lib/apk/db" only appears in input 1
Layer ctx:/manifests-0/layers-0/layer name "usr/lib" only appears in input 1
Layer ctx:/manifests-0/layers-0/layer name "usr/lib/apk" only appears in input 1
Layer ctx:/manifests-0/layers-0/layer name "usr/lib/apk/db/installed" only appears in input 1
Layer ctx:/manifests-0/layers-0/layer name "usr/lib/apk/db/lock" only appears in input 1
Layer ctx:/manifests-0/layers-0/layer name "usr/lib/apk/db/scripts.tar" only appears in input 1
File ko-app/preflight 0f9e150ac6eb84d6da1f23e9ab36e10fc923dd728c9ed71ef305030e178477ec 144c10c27ae5fb3dc5974dd4a648d48bd00bf8e29f83fdd3cd95b8093d975b74
File licenses/LICENSES 993aa0cd6335911daa13e99056a65a6c431cf6078da800c38ef2fcfcc6219439 a808d2a8c423671bc8be51030969d3fd89915e6097e09c0ffc2896a4c3741dc3
Mani ctx:/manifests-0/annotations field "Annotations"
Idx ctx:/annotations field "Annotations"
Full Changelog: v1.5.0...v1.6.0
Contributors
wallrj, SgtCoDFish, and 3 other contributors
Assets 2
v1.5.0
What's Changed
-
The Kubernetes agent's resource collection capabilities have been extended. It now supports Venafi Connection, Smallstep Issuer, Cloudflare Origin CA, FreeIPA Issuer, and EJBCA Issuer. (#648)
-
The OCI images now contain annotations (#650). These annotations include the Git revision as well as the build date and are used by linters such as Trivy, Snyk, and Harbor when scanning images. You can now look the annotations using the command:
crane manifest registry.venafi.cloud/venafi-agent/venafi-agent:v1.5.0
-
The Helm chart now adheres to Kyverno's Pod Security Standards rules. (#647)
-
Preliminary work went into this release to let you use Cyberark Secrets Hub for discovering Kubernetes resources. This change introduces a client to fetch the Identity API URL, with future work planned to use this for login. (#646)
-
(non-user-facing) The venafi-connection-lib dependency has been upgraded to the latest version (from cd2301fd4e7c to ec1757b9e01b) (#637). Although this version brings support for loading credentials from disk files in YAML or JSON format, as well as a file-based authentication for non-Kubernetes environments, these features are not yet utilized in the agent. Future updates may incorporate them.
Full Changelog: v1.4.1...v1.5.0
v1.4.1
What's Changed
- Suppress the excessive logs from client-go reporting "the server could not find the requested resource" (#639)
- The client ID is now shown in the logs on startup when using the Venafi Cloud Key Pair Service Account authentication. (#625)
- You can now debug problems with the data upload using
--log-level=6which now shows the request details in the logs. (#627) - The HTTP header
User-Agent: venafi-kubernetes-agent/v1.4.1is now set for all outgoing HTTP requests. Previously, the User-Agent header was only set in VenafiConnection mode. (#631) - Fixed CVEs: CVE-2024-51744 (github.com/golang-jwt/jwt/v4), CVE-2024-45338 (x/net), and CVE-2024-45337 (x/crypto) (#636).
Full Changelog: v1.4.0...v1.4.1