v0.14.0

v0.14.0 - 2022-10-20

Changelog

Bug Fixes 🐞

• 712b5a1 fix: remove trim suffix from resource_id in proxy (#594)

Continuous Integration 💜

• 90fdd63 ci: add codeql action (#555)

Documentation 📘

• 43a8bf6 docs: update keyvault command for managed identity in quickstart (#583)
• 2e02d54 docs: update docs for managed identity (#577)
• 32b5da0 docs: update to non-beta Azure Identity SDKs (#574)
• c618a64 docs: Use KEYVAULT_URL in quick start guide (#563)

Features 🌈

• 885c9d1 feat: add azure-identity java example (#585)
• 75ae5a2 feat: add azure-identity .NET example (#581)
• 8aadc8f feat: add azure-identity node example (#580)
• d3ea1dc feat: add azure-identity python example (#579)

Maintenance 🔧

• fdb07e0 chore: bump dependencies for k8s v1.25.3 (#600)
• 6c77e40 chore: bump github.com/Azure/aad-pod-identity from 1.8.12 to 1.8.13 (#595)
• 82df24e chore: bump k8s.io/kubernetes from 1.25.2 to 1.25.3 (#597)
• 662a3e4 chore: bump docker/login-action from 2.0.0 to 2.1.0 (#598)
• 529d525 chore: bump github/codeql-action from 2.1.26 to 2.1.27 (#589)
• 708c8dd chore: bump stefanprodan/helm-gh-pages from 1.5.0 to 1.6.0 (#588)
• 14e2d37 chore: bump github/codeql-action from 2.1.25 to 2.1.26 (#578)
• a00ef76 chore: Update KEYVAULT_URL in dotnet and python examples (#573)
• 83fbae3 chore: bump k8s.io/kubernetes from 1.25.1 to 1.25.2 (#570)
• 188a279 chore: bump github/codeql-action from 2.1.24 to 2.1.25 (#571)
• c8527f3 chore: update golangci-lint to v1.49.0 (#565)
• cb6f5bc chore: bump k8s.io/kubernetes from 1.25.0 to 1.25.1 (#567)
• 7e8eae2 chore: bump github/codeql-action from 2.1.22 to 2.1.24 (#568)
• c91eb15 chore: Load keyvault url from environment variable in example (#561)
• 1f67e29 chore: bump github.com/Azure/aad-pod-identity from 1.8.11 to 1.8.12 (#558)
• 0ad2a3b chore: bump k8s.io/klog/v2 from 2.80.0 to 2.80.1 (#559)
• 33d34cb chore: bump azure/login from 1.4.5 to 1.4.6 (#560)
• 9c747e8 chore: run apt update && apt upgrade -y in dockerfile
• 2e1d7d4 chore: support kubernetes v1.25.0 (#552)

Security Fix 🛡️

• 174a043 security: fix multiple CVEs

Testing 💚

• 4cc5768 test: use kubernetes v1.23 for aks cluster (#590)
• 3b1e98f test: pin default aks cluster version to 1.22 (#586)

v0.13.0

v0.13.0 - 2022-08-31

Changelog

Code Refactoring 💎

• eb5c173 refactor: update msal-go-sdk and use NewCredFromAssertionCallback (#529)

Continuous Integration 💜

• cd42c73 ci: remove upgrade_aks_linux tests in pr.yaml (#512)
• ea054bb ci: debug failure with az and aks-preview (#518)

Documentation 📘

• 229c2b4 docs: add AKS admission enforcer to known issues (#534)
• 2f3ef7c docs: update quick-start to use azure cli for federated credentials (#533)
• 018b019 docs: update docs to use azure cli for federated identity credential (#526)
• f51a30b docs: improve reactive code in Java sample (#511)

Features 🌈

• 2e0b396 feat: add image pull secrets to service account (#541)
• 32ce9f9 feat: add pod disruption budget for webhook (#542)
• f823b98 feat: Add objectselector to mutatingwebhook configuration (#524)
• b5462cf feat: allow setting mwh annotations in helm charts (#537)
• 4956fbf feat: make priority class name configurable in helm charts (#527)
• 39fbdb3 feat: make mwh failurePolicy configurable in helm charts (#528)
• 6fa9c43 feat: add psa (#508)

Maintenance 🔧

• d9db5e7 chore: update debian-iptables to bullseye-v1.5.1 (#538)
• ee993ff chore: bump github.com/AzureAD/microsoft-authentication-library-for-go (#535)
• e8b5155 chore: bump k8s.io/kubernetes from 1.24.3 to 1.24.4 (#536)
• 8b88c06 chore: bump github.com/mattn/go-colorable from 0.1.12 to 0.1.13 (#530)
• d5ffd3f chore: update to go 1.19 (#531)
• 16a14c1 chore: bump github.com/Azure/aad-pod-identity from 1.8.10 to 1.8.11 (#520)
• aa4286f chore: bump github.com/Azure/go-autorest/autorest (#513)
• ec65580 chore: bump github.com/Azure/go-autorest/autorest/azure/cli (#514)
• 9dce908 chore: bump github.com/Azure/go-autorest/autorest/adal (#515)

Security Fix 🛡️

• 82063cc security: fix CVE-2022-37434 (#543)
• 36c7293 security: fix multiple CVEs (#522)

Testing 💚

• cdd6a45 test: update default aks cluster version to 1.23 (#539)

v0.12.0

v0.12.0 - 2022-07-26

Changelog

Code Refactoring 💎

• 8dd8d32 refactor: migrate golang to MCR and parameterize non-Dockerhub images (#489)

Continuous Integration 💜

• a31ae79 ci: update SERVICE_ACCOUNT_ISSUER in azwi e2e (#505)
• 8713e4d ci: remove @chewong from CODEOWNERS (#504)

Documentation 📘

• 318274d docs: add documentation for metrics (#503)
• ce01319 docs: add the release schedule throughout the docs (#502)
• ce470b2 docs: add documentation for sidecar injection annotation (#501)
• af2a905 docs: remove kubernetes version 1.21 (EOL) (#500)

Features 🌈

• e2bba60 feat: add proxy --probe and enable lifecycle postStart hook (#490)

Maintenance 🔧

• 7531c62 chore: bump k8s.io/kubernetes from 1.24.2 to 1.24.3 (#497)
• b67b0c3 chore: bump github.com/Azure/aad-pod-identity from 1.8.9 to 1.8.10 (#492)
• 0f72f3c chore: bump sigs.k8s.io/controller-runtime from 0.12.2 to 0.12.3 (#493)
• 3610a78 chore: update debian-iptables to bullseye-v1.5.0 (#491)
• 060c6ad chore: bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 (#487)
• 41690bb chore: add user agent to start log in proxy (#485)
• 9010714 chore: bump golangci-lint to v1.46.2 (#484)

Security Fix 🛡️

• 47db093 security: fix CVE-2021-4209 (#494)

Testing 💚

• c17a4c0 test: remove GINKGO_SKIP in upgrade tests (#483)

v0.11.0

v0.11.0 - 2022-06-29

Changelog

Bug Fixes 🐞

• 1a338d2 fix: --aad-appliction-name arg listed twice (#480)
• d25cbc1 fix: inject proxy image registry via LDFLAGS (#469)
• 639362d fix: use id instead of objectId for app object id (#460)
• c21b798 fix: add affinity to deployment in helm charts (#459)

Documentation 📘

• ae7d230 docs: many-to-one relationship and fic delay (#467)

Features 🌈

• 77d7216 feat: add metrics (#478)
• 0171ac8 feat: allow setting azure.workload.identity/use in annotations (#479)
• 5311027 feat: optimize azwi serviceaccount delete (#468)
• 5ae082d feat: inject proxy init container and sidecar via mutating webhook (#466)

Maintenance 🔧

• 2a052f8 chore: bump sigs.k8s.io/controller-runtime from 0.12.1 to 0.12.2 (#475)
• 4f6ad77 chore: bump azure/login from 1.4.4 to 1.4.5 (#476)
• 2704887 chore: bump k8s.io/kubernetes from 1.24.1 to 1.24.2 (#470)
• 5351fbd chore: update debian-iptables to bullseye-v1.4.0 (#465)
• ff32f39 chore: bump gopkg.in/ini.v1 from 1.62.0 to 1.62.1 (#462)
• 0774aee chore: bump k8s.io/kubernetes from 1.24.0 to 1.24.1 (#463)
• 7b28a4d chore: support v1.24.1 kind cluster version (#447)
• 68c02d0 chore: bump k8s.io/kubernetes from 1.22.9 to 1.22.10 (#457)
• f803c4b chore: bump github.com/Azure/azure-sdk-for-go (#455)
• 43fd395 chore: bump github.com/Azure/aad-pod-identity from 1.8.8 to 1.8.9 (#452)
• 414cd86 chore: bump github.com/Azure/go-autorest/autorest/adal (#453)
• 35fce51 chore: bump goreleaser/goreleaser-action from 2 to 3 (#454)
• 29c2595 chore: bump github.com/Azure/azure-sdk-for-go (#450)

Security Fix 🛡️

• 175aa14 security: fix CVE-2022-2068 (#477)
• 70adbd7 security: fix CVE-2022-1664 (#458)
• 491f4bf security: fix CVE-2022-1292 (#451)

v0.10.0

v0.10.0 - 2022-05-11

Changelog

Bug Fixes 🐞

• 854b475 fix: use default service account when service account name is empty (#446)
• 7d83be4 fix: use debian11 in Dockerfile build image (#437)

Continuous Integration 💜

• 55bd681 ci: disable markdown link check for SECURITY.md (#445)
• dc942c4 ci: exclude .github path in tests (#420)

Documentation 📘

• 4cb46ac docs: remove kubernetes version 1.20 (EOL) (#407)

Features 🌈

• d397826 feat: add azwi podidentity detect subcommand (#432)

Maintenance 🔧

• 95e05b0 chore: bump github.com/Azure/go-autorest/autorest/adal (#442)
• ff8fd19 chore: bump github.com/Azure/azure-sdk-for-go (#443)
• bd6b478 chore: bump docker/login-action from 1.14.1 to 2 (#444)
• 8dd170f chore: bump azure/login from 1.4.3 to 1.4.4 (#431)
• 067b2ff chore: use go 1.17 for golangci-lint (#430)
• ec953d0 chore: bump github.com/Azure/go-autorest/autorest from 0.11.26 to 0.11.27 (#428)
• 53bad99 chore: bump github.com/Azure/azure-sdk-for-go from 63.3.0+incompatible to 63.4.0+incompatible (#426)
• 1b11baf chore: bump k8s.io/kubernetes from 1.22.8 to 1.22.9 (#427)
• a315186 chore: bump golangci-lint to v1.45.2 (#429)
• 03c7246 chore: bump github.com/Azure/go-autorest/autorest (#423)
• 460dd3b chore: bump github.com/Azure/azure-sdk-for-go (#422)
• fe8cc72 chore: change variable name from pod to workload identity (#421)
• f3d4fe8 chore: bump actions/setup-go from 2 to 3 (#419)
• 01422b2 chore: bump github.com/Azure/azure-sdk-for-go from 63.0.0+incompatible to 63.1.0+incompatible (#418)
• e2c0646 chore: upgrade to debian-iptables:bullseye-v1.3.0 (#415)
• 77bc66c chore: bump sigs.k8s.io/controller-runtime from 0.11.1 to 0.11.2 (#410)
• 3c8e1ca chore: bump github.com/Azure/go-autorest/autorest (#411)
• ff5336e chore: bump github.com/Azure/azure-sdk-for-go (#412)
• fe3c374 chore: bump peter-evans/create-pull-request from 3 to 4 (#406)

Security Fix 🛡️

• be2823f security: fix CVE-2022-1271 (#425)
• bfb448d security: fix CVE-2018-25032 (#409)

Testing 💚

• 49c78ed test: check AKS agentpool provisioning state before upgrading (#424)

v0.9.0

v0.9.0 - 2022-03-29

Changelog

Bug Fixes 🐞

• 0a2a128 fix: update proxy-init iptables rule to prevent forwarding loop (#402)
• d854e5a fix: do not specify tenant id when creating credential via Azure CLI (#395)
• 96e8756 fix: use sha256 hash as federated identity credential name (#372)

Continuous Integration 💜

• 83320f2 ci: update azwi workflow to run on push to main and remove pull_request (#383)
• b573df1 ci: use chore prefix for dependabot updates (#382)
• 1edb03d ci: use pull_request instead of pull_request_target for Actions (#380)

Documentation 📘

• 306abde fix(docs): add Azure Portal UI steps and screenshot (#374)

Features 🌈

• 2618ac4 feat: add msal-java example (#375)

Maintenance 🔧

• 4f92012 chore: upgrade go version to 1.18 (#403)
• 3e85ce4 chore: switch to upstream acr (#397)
• cae0719 chore: bump github.com/go-logr/logr from 1.2.2 to 1.2.3 (#398)
• 9be4e2f chore: bump github.com/Azure/azure-sdk-for-go (#399)
• 6fc09d4 chore: bump k8s.io/kubernetes from 1.22.6 to 1.22.8 (#400)
• fa2b11a chore: bump github.com/Azure/azure-sdk-for-go (#394)
• ea924e0 chore: bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#393)
• 102f4fb chore: bump actions/checkout from 2 to 3 (#389)
• 2689039 chore: bump docker/login-action from 1.14.0 to 1.14.1 (#390)
• 454b874 chore: bump github.com/Azure/azure-sdk-for-go (#388)
• 09ace00 chore: bump github.com/Azure/azure-sdk-for-go from 61.6.0+incompatible to 62.0.0+incompatible (#385)
• 55868ac chore: bump docker/login-action from 1.13.0 to 1.14.0 (#386)

Security Fix 🛡️

• bb19bcd security: fix multiple cves (#404)
• 3f2be3a security: bump github.com/Azure/azure-sdk-for-go (#377)
• 49c7908 security: bump docker/login-action from 1.12.0 to 1.13.0 (#379)
• 6a80831 security: bump sigs.k8s.io/controller-runtime from 0.11.0 to 0.11.1 (#378)
• 6149969 security: bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#370)
• 1efbc28 security: bump github.com/Azure/azure-sdk-for-go from 61.4.0+incompatible to 61.5.0+incompatible (#369)
• 149b871 security: bump stefanprodan/helm-gh-pages from 1.4.1 to 1.5.0 (#371)

Testing 💚

• da5aeea test: remove volume-mount-path-to-check e2e flag (#367)

v0.8.0

v0.8.0 - 2022-02-07

Changelog

Bug Fixes 🐞

• 3acb94f fix: enable auth with GKE clusters (#363)
• 395b841 fix: change mount path to /var/run/secrets/azure/tokens (#360)
• ef6bd8a fix: check for graph error from graph library response (#358)
• 038bf3b fix: add tolerations to controller manager deployment (#351)
• 1c0f627 fix: generate federated identity credential name based on service account (#317)

Continuous Integration 💜

• 51534f1 ci: fix dependabot update-types (#343)
• bbd9385 ci: add version-update semver-* prefix (#341)
• 4c86d08 ci: update dependabot freq to weekly and pin to patch for go.mod (#339)
• 7c7bf07 ci: checkout pull request head when running actions (#321)
• 561ad44 ci: remove ignore pattern from markdown link check (#315)
• a8ac863 ci: use goreleaser for release (#309)

Documentation 📘

• e4fe77c fix(docs): webhook install follow redirect (#361)
• 8d0f67f docs: remove go install step for azwi (#353)
• b5d0cf9 docs: clarify pod identity v2 in faq (#350)
• 47f3007 docs: troubleshooting on incorrect token issuer (#348)
• d126293 docs: add FAQ page and minimum versions for azure-identity sdks (#322)
• ab20588 docs: enable website preview with netlify (#324)
• 6916d94 docs: revert some changes from #306 (#312)
• d370083 docs: add link to aks oidc issuer setup (#310)
• 486a780 docs: add aks feature registration (#308)
• e50e52b docs: minor documentation update (#306)

Maintenance 🔧

• 1ab87ff chore: migrate from trivy to trivy image (#355)
• 475b59e chore: use pull_request_target and fix broken doc links (#318)
• bbb5739 chore: upgrade controller-runtime to v0.11.0 (#304)

Security Fix 🛡️

• 36069b6 security: bump github.com/Azure/azure-sdk-for-go (#356)
• 7eed491 security: bump k8s.io/kubernetes from 1.22.3 to 1.22.6 (#345)
• 677d91c security: bump gopkg.in/ini.v1 from 1.51.0 to 1.51.1 (#347)
• 5498eb8 security: fix CVE-2021-3995, CVE-2021-3996 (#349)
• 064bd95 security: bump github.com/Azure/go-autorest/autorest/azure/cli from 0.4.2 to 0.4.5 (#346)
• 84f1806 security: bump github.com/go-logr/logr from 1.2.0 to 1.2.2 (#338)
• 929a304 security: bump github.com/Azure/azure-sdk-for-go from 57.3.0+incompatible to 61.3.0+incompatible (#336)
• 25e0b0e security: bump github.com/Azure/go-autorest/autorest from 0.11.19 to 0.11.24 (#344)
• d16e5cf security: bump github.com/microsoftgraph/msgraph-beta-sdk-go (#333)
• 90ea634 security: bump azure/login from 1.4.0 to 1.4.3 (#329)
• ac53a35 security: bump github.com/mattn/go-colorable from 0.0.9 to 0.1.12 (#334)
• 437d602 security: bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#330)
• 2f9505b security: bump docker/login-action from 1.10.0 to 1.12.0 (#328)
• 1e75b26 security: update follow-redirects to 1.14.7 (#327)
• 5776af0 security: fix CVE-2021-43618 (#302)

Testing 💚

• 8ac1f2d test: use official charts repo for helm upgrade tests (#319)
• c9b7d8a test: bump kubernetes version to v1.23.1 (#313)
• 5c12b64 test: add --enable-oidc-issuer to az aks create (#305)
• 258b103 test: remove service account token expiration e2e flag (#301)

v0.7.0

v0.7.0 - 2021-12-14

Bug Fixes 🐞

• convert registry to lowercase before building images (#258)
• allow make deploy to deploy webhook using deployment YAML (#259)
• set default token expiration to 1h (#247)
• replace ; with : in azwi version output (#222)

Code Refactoring 💎

• migrate publishing pipeline to GitHub Actions (#252)

Continuous Integration 💜

• add markdown-link-check workflow (#283)
• use latest azure cli for azwi-e2e workflow (#280)
• migrate e2e test on kind clusters to GitHub Actions (#272)
• create zip for azwi cli for windows (#268)
• allow content: read token permission for publish_images workflow (#260)
• scope github token for actions (#256)
• add semantic.yml and update release-manfiest make target (#210)

Documentation 📘

• fix issuer url query value for aks (#287)
• create & delete federated identity credentials with azwi-cli (#282)
• update property name (#285)
• reference azwi-cli in quick start and bump Kubernetes versions (#281)
• update helm installation steps (#277)
• document tenant conditional access policy (#276)
• address documentation issues (#265)
• address several documentation issues (#249)
• allow kubectl apply -f through a URL (#253)
• update quick-start based on testing (#228)
• add language-specific examples (#229)
• add troubleshooting guide (#226)
• add example for kind cluster (#225)
• add required configurations for cluster (#224)
• documentations on azwi and service account key generation (#223)
• fix link and update configmap name (#219)
• add steps for managed clusters (#218)

Features 🌈

• use graph sdk for azwi (#292)
• add individual commands for phases (#227)
• add role definition id client for azwi (#221)
• introduce phases for azwi serviceaccount delete (#220)
• introduce phases for azwi serviceaccount create (#217)

Maintenance 🔧

• update dependencies (#296)
• support v1.23.0 kind cluster version (#294)
• update debian-iptables to bullseye-v1.1.0 (#291)
• make azwi serviceaccount create|delete flags constant (#274)
• remove SUPPORT.md (#278)
• replace federated identity with federated identity credential (#266)
• add debug logs for msal-go (#257)
• add makefile for msal-go demo image and update image in docs (#212)
• use TARGETARCH for webhook and proxy image build (#215)
• remove hack/generate-jwks (#211)

Security Fix 🛡️

• fix CVE-2021-43784 (#293)
• bump Kubernetes version to v1.22.3 (#261)

Testing 💚

• decrease ginkgo nodes to 1 to reduce flakiness (#297)
• set subscription after login (#295)
• e2e test for azwi build on ubuntu and macos (#286)
• enable token exchange and proxy test scenario on soak clusters (#289)
• bump kubernetes version to v1.22.4 (#288)
• e2e test coverage for azwi-cli (#271)

v0.6.0

v0.6.0 - 2021-10-13

Documentation 📘

• update flow diagram with app registration (#205)
• setup OIDC issuer for self-managed clusters (#202)
• update SUMMARY.md (#201)
• update self-managed-clusters.md (#199)
• simplify quick-start flow and create dedicated sections for managed/self-managed clusters (#197)

Features 🌈

• add --token-expiration flag in azwi serviceaccount create (#204)
• add azwi jwks to generate jwks (#203)
• add initial framework for azwi-cli (#180)
• add arm64 support to images (#188)

Maintenance 🔧

• release tarball in preparation to support homebrew (#208)
• include azwi as part of GitHub releases (#198)
• use numeric user in Dockerfile & parameterize trivy version (#195)
• re-enable init-containers test for helm chart (#184)

Security Fix 🛡️

• fix CVE-2021-37750 (#200)

v0.5.0

v0.5.0 - 2021-09-28

Bug Fixes 🐞

• make proxy port configurable in init-iptables.sh (#178)

Continuous Integration 💜

• add release artifacts to create-tag gh action (#167)
• add CODEOWNERS file (#164)
• select Kubernetes versions based on region (#159)

Documentation 📘

• key rotation guidelines and best practices (#182)
• add proxy diagram (#173)
• key rotation for self-managed clusters (#169)
• issue with file mode in Kubernetes 1.18 (#160)

Features 🌈

• support console log encoding with klogr (#175)
• add msal-node example (#168)
• add msal-python example (#165)
• add webhook support for init containers (#162)
• set number of replicas to 2 for High Availability (#161)

Maintenance 🔧

• update to debian-iptables:bullseye-v1.0.0 (#181)
• update debian-iptables to buster-v1.6.7 (#176)
• use go install instead of depcreated go get (#171)
• update to go 1.17 (#170)

Security Fix 🛡️

• bump msal-go to v0.3.1 (#179)

Testing 💚

• output proxy and proxy init logs for debug purpose (#174)
• reenable upgrade tests and update validate mutate pod check (#158)