Releases: jetstack/jetstack-secure

v1.7.0-alpha.5

17 Nov 09:09

v1.7.0-alpha.5 Pre-release
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.0-alpha.5
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.0-alpha.5
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.0-alpha.5
ARK_IMAGE_DIGEST: sha256:1dab02346404580ca9e396ec4027c4ff4029f85041b246686328a615fed8d8e2
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.0-alpha.5
ARK_CHART_DIGEST: sha256:91fdaa5be1c044cdc45c2d72e52a54561ba9655a07d2a3553957d28ccd1f00e5

What's Changed

  • [VC-46156] Bump makefile modules, base images, GH actions and tools by @wallrj-cyberark in #731
  • Agent: Report Kubernetes Secret immutable attribute to DisCo by @FelixPhipps in #735

New Contributors

Full Changelog: v1.7.0-alpha.3...v1.7.0-alpha.5

v1.7.0-alpha.3

09 Oct 16:21
a8f7fe8

v1.7.0-alpha.3 Pre-release
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.0-alpha.3
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.0-alpha.3
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.0-alpha.3
ARK_IMAGE_DIGEST: sha256:aeed02e2468464ad18932c9b73b9287a1a87c168c10f6c021267ed5924a1af99
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.0-alpha.3
ARK_CHART_DIGEST: sha256:0c92e8b4ac90ebd7490001ce1c3b66b5e0563fcda1480703de887668da0e6b91

What's Changed

Full Changelog: v1.7.0-alpha.2...v1.7.0-alpha.3

v1.7.0-alpha.2

24 Sep 16:23
85e9028

v1.7.0-alpha.2 Pre-release
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.0-alpha.2
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.0-alpha.2
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.0-alpha.2
ARK_IMAGE_DIGEST: sha256:3224e9d1dc2234c14cc660388b125ea6d975169d47b2af799c39f02d9c7d8eec
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.0-alpha.2
ARK_CHART_DIGEST: sha256:7fec8e163bca52434b3991ecb3b55b04875edeffd53435fca865bb3b513b2491

v1.7.0-alpha.1

19 Sep 14:08

v1.7.0-alpha.1 Pre-release
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.0-alpha.1
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.0-alpha.1
# cyberark-disco-agent
ARK_IMAGE: quay.io/jetstack/cyberark-disco-agent
ARK_IMAGE_TAG: v1.7.0-alpha.1
ARK_IMAGE_DIGEST: sha256:ac710aed72ca82c4094b6c0c239361ab218a011170bb3c60d794ffd87ba72b9d
ARK_CHART: quay.io/jetstack/charts/cyberark-disco-agent
ARK_CHART_TAG: v1.7.0-alpha.1
ARK_CHART_DIGEST: sha256:7f2009f335df8eb2ea42979cf61f0651b23b20eb2f39b56c9c45c3f3bcdafc67

v1.6.0

25 Jun 14:37
32d8a81

helm show chart oci://quay.io/jetstack/charts/venafi-kubernetes-agent --version 1.6.0

What's Changed

This release contains the following notable bug fixes and dependency updates:

Non user-facing changes

Helm Chart Changes

--- /dev/fd/63  2025-06-25 15:40:20.799993519 +0100
+++ /dev/fd/62  2025-06-25 15:40:20.799993519 +0100
@@ -62,13 +62,6 @@
           resource: deployments
           group: apps
     - kind: "k8s-dynamic"
-      name: "k8s/replicasets"
-      config:
-        resource-type:
-          version: v1
-          resource: replicasets
-          group: apps
-    - kind: "k8s-dynamic"
       name: "k8s/statefulsets"
       config:
         resource-type:
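Review bot: The removed `k8s/replicasets` gatherer at the top of this hunk is dropped without any explanation, and none of the hunks shown here touches the agent's RBAC. If ReplicaSets are no longer collected, any rule that still grants the agent access to `replicasets` in group `apps` should be removed in the same change so the agent keeps least privilege, and the release text should say why the gatherer went away.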
@@ -884,8 +877,25 @@
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          image: "quay.io/jetstack/venafi-agent:v1.5.0"
+          image: "quay.io/jetstack/venafi-agent:v1.6.0"
           imagePullPolicy: IfNotPresent
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_UID
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.uid
+          - name: POD_NODE
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
           args:
             - "agent"
             - "-c"
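Review bot: The changed `image:` line still references a mutable tag (`quay.io/jetstack/venafi-agent:v1.6.0`), and with `imagePullPolicy: IfNotPresent` a node reuses whatever it has cached under that tag. Consider pinning by digest (`quay.io/jetstack/venafi-agent:v1.6.0@sha256:<digest>`) so the deployed image is exactly the one that was released; the newer pre-release entries on this page already publish digests for the disco-agent image and chart.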
@@ -909,23 +919,6 @@
             - name: credentials
               mountPath: "/etc/venafi/agent/key"
               readOnly: true
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: POD_UID
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.uid
-          - name: POD_NODE
-            valueFrom:
-              fieldRef:
-                fieldPath: spec.nodeName
           ports:
             - containerPort: 8081
               name: http-metrics

Docker Image Changes

$ diffoci diff quay.io/jetstack/venafi-agent:v1.5.0 quay.io/jetstack/venafi-agent:v1.6.0 --semantic
INFO[0000] Target platforms: [linux/amd64]
TYPE     NAME                               INPUT-0                                                             INPUT-1
Layer    ctx:/manifests-0/layers-0/layer    length mismatch (666 vs 669)
Layer    ctx:/manifests-0/layers-0/layer    name "lib/apk/db" only appears in input 0
Layer    ctx:/manifests-0/layers-0/layer    name "lib/apk/db/lock" only appears in input 0
Layer    ctx:/manifests-0/layers-0/layer    name "lib/apk/db/scripts.tar" only appears in input 0
Layer    ctx:/manifests-0/layers-0/layer    name "lib/apk/db/installed" only appears in input 0
File     lib/apk                            Linkname                                                            Linkname ../usr/lib/apk
Layer    ctx:/manifests-0/layers-0/layer    name "lib/apk/db/triggers" only appears in input 0
Layer    ctx:/manifests-0/layers-0/layer    name "usr/lib/apk/exec" only appears in input 1
Layer    ctx:/manifests-0/layers-0/layer    name "usr/lib/apk/db/triggers" only appears in input 1
Layer    ctx:/manifests-0/layers-0/layer    name "usr/lib/apk/db" only appears in input 1
Layer    ctx:/manifests-0/layers-0/layer    name "usr/lib" only appears in input 1
Layer    ctx:/manifests-0/layers-0/layer    name "usr/lib/apk" only appears in input 1
Layer    ctx:/manifests-0/layers-0/layer    name "usr/lib/apk/db/installed" only appears in input 1
Layer    ctx:/manifests-0/layers-0/layer    name "usr/lib/apk/db/lock" only appears in input 1
Layer    ctx:/manifests-0/layers-0/layer    name "usr/lib/apk/db/scripts.tar" only appears in input 1
File     ko-app/preflight                   0f9e150ac6eb84d6da1f23e9ab36e10fc923dd728c9ed71ef305030e178477ec    144c10c27ae5fb3dc5974dd4a648d48bd00bf8e29f83fdd3cd95b8093d975b74
File     licenses/LICENSES                  993aa0cd6335911daa13e99056a65a6c431cf6078da800c38ef2fcfcc6219439    a808d2a8c423671bc8be51030969d3fd89915e6097e09c0ffc2896a4c3741dc3
Mani     ctx:/manifests-0/annotations       field "Annotations"
Idx      ctx:/annotations                   field "Annotations"

Full Changelog: v1.5.0...v1.6.0

v1.5.0

06 May 16:59
1bf4bca

What's Changed

  • The Kubernetes agent's resource collection capabilities have been extended. It now supports Venafi Connection, Smallstep Issuer, Cloudflare Origin CA, FreeIPA Issuer, and EJBCA Issuer. (#648)

  • The OCI images now contain annotations (#650). These annotations include the Git revision as well as the build date and are used by linters such as Trivy, Snyk, and Harbor when scanning images. You can now look at the annotations using the command:

    crane manifest registry.venafi.cloud/venafi-agent/venafi-agent:v1.5.0

  • The Helm chart now adheres to Kyverno's Pod Security Standards rules. (#647)

  • Preliminary work went into this release to let you use CyberArk Secrets Hub for discovering Kubernetes resources. This change introduces a client to fetch the Identity API URL, with future work planned to use this for login. (#646)

  • (non-user-facing) The venafi-connection-lib dependency has been upgraded to the latest version (from cd2301fd4e7c to ec1757b9e01b) (#637). Although this version brings support for loading credentials from disk files in YAML or JSON format, as well as a file-based authentication for non-Kubernetes environments, these features are not yet utilized in the agent. Future updates may incorporate them.

Full Changelog: v1.4.1...v1.5.0

v1.4.1

14 Mar 14:39
fbab5e1

What's Changed

  • Suppress the excessive logs from client-go reporting "the server could not find the requested resource" (#639)
  • The client ID is now shown in the logs on startup when using the Venafi Cloud Key Pair Service Account authentication. (#625)
  • You can now debug problems with the data upload using --log-level=6 which now shows the request details in the logs. (#627)
  • The HTTP header User-Agent: venafi-kubernetes-agent/v1.4.1 is now set for all outgoing HTTP requests. Previously, the User-Agent header was only set in VenafiConnection mode. (#631)
  • Fixed CVEs: CVE-2024-51744 (github.com/golang-jwt/jwt/v4), CVE-2024-45338 (x/net), and CVE-2024-45337 (x/crypto) (#636).

Full Changelog: v1.4.0...v1.4.1

v1.4.0

25 Nov 09:32
6a5e097

What's Changed

  • The HTTP compression feature has been reverted. We found that compression wasn't supported in Venafi Control Plane's API, and decided to revert the feature until we work on a fix. The flag --disable-compression is still present but no longer has an effect. (#628)
  • Venafi Kubernetes Agent is now able to discover OpenShift Routes objects. Due to a bug with the role-based access control in the Helm chart, Venafi Kubernetes Agent was previously unable to discover OpenShift Routes. (#620)
  • The Helm chart no longer prints an extra newline after the fields exclude-annotation-keys-regex and exclude-label-keys-regex. This extra newline was breaking Octant's and OpenShift object editor's code highlighters. (#622)

Full Changelog: v1.3.0...v1.4.0

v1.3.0

14 Nov 14:10
a8aaf84

What's Changed

  • You can now exclude specific labels and annotations from being reported to the Venafi Control Plane API. For more information, see Configuring annotations.
  • You can now configure the Agent to output logs in JSON format using the flag --logging-format=json. By default, the logs are in the klog textual format. You can also change the verbosity level using -v.
  • Venafi Kubernetes Agent is now able to discover Firefly and OpenShift Routes objects. Due to a bug with the role-based access control in the Helm chart, Venafi Kubernetes Agent was previously unable to discover these two objects (unlike what the logs were saying).

Note that the logging changes introduced in 1.3.0 changed how logs are printed. Like before, the logs are still shown in a textual format by default. But since 1.3.0, the textual format uses Kubernetes' standard textual format rather than Go's standard logging format.

Before:

2024/11/14 13:53:38 Preflight agent version: development ()
2024/11/14 13:53:38 Using the Venafi Cloud Key Pair Service Account auth mode since --client-id and --private-key-path were specified.
2024/11/14 13:53:38 Using period from config 5m0s
2024/11/14 13:53:38 Loading upload_path from "venafi-cloud" configuration.
2024/11/14 13:53:38 error messages will not show in the pod's events because the POD_NAME environment variable is empty
2024/11/14 13:53:38 starting "k8s/namespaces" datagatherer
2024/11/14 13:53:38 starting "k8s/secrets" datagatherer
2024/11/14 13:54:47 server missing resource for datagatherer of "cert-manager.io/v1, Resource=issuers"
W1114 13:54:47.844087   31016 reflector.go:561] pkg/mod/k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: failed to list networking.istio.io/v1alpha3, Resource=virtualservices: the server could not find the requested resource
2024/11/14 13:54:47 server missing resource for datagatherer of "networking.istio.io/v1alpha3, Resource=virtualservices"
W1114 13:54:48.042893   31016 reflector.go:561] pkg/mod/k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: failed to list jetstack.io/v1alpha1, Resource=venafiissuers: the server could not find the requested resource
2024/11/14 13:53:38 successfully gathered 7 items from "k8s/namespaces" datagatherer
2024/11/14 13:53:38 successfully gathered 5 items from "k8s/secrets" datagatherer
2024/11/14 13:53:38 Posting data to: https://api.venafi.cloud/
2024/11/14 13:53:39 Data sent successfully.

After:

I1114 13:52:48.941205   30246 run.go:59] "Starting" logger="Run" version="development" commit=""
I1114 13:52:48.941655   30246 config.go:404] "Using the Venafi Cloud Key Pair Service Account auth mode since --client-id and --private-key-path were specified." logger="Run"
I1114 13:52:48.941666   30246 config.go:540] "Using period from config" logger="Run" period="5m0s"
I1114 13:52:48.941680   30246 config.go:767] "Loading upload_path from \"venafi-cloud\" configuration." logger="Run"
I1114 13:52:48.941880   30246 run.go:117] "Healthz endpoints enabled" logger="Run.APIServer" addr=":8081" path="/healthz"
I1114 13:52:48.941889   30246 run.go:121] "Readyz endpoints enabled" logger="Run.APIServer" addr=":8081" path="/readyz"
E1114 13:52:48.943810   30246 run.go:269] "Error messages will not show in the pod's events because the POD_NAME environment variable is empty" logger="Run"
W1114 13:54:48.042893   31016 reflector.go:561] pkg/mod/k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: failed to list jetstack.io/v1alpha1, Resource=venafiissuers: the server could not find the requested resource
W1114 13:54:48.042893   31016 reflector.go:561] pkg/mod/k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: failed to list jetstack.io/v1alpha1, Resource=venafiissuers: the server could not find the requested resource
I1114 13:52:49.655153   30246 run.go:409] "Data sent successfully" logger="Run.gatherAndOutputData.postData"
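
Log pipelines and alert rules written against the old output need to accept both formats during an upgrade. The following Go parser is an added example, not code from the jetstack-secure project; the `Entry` type and `ParseLine` function are names made up here, and the sample lines are copied from the Before/After output above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Entry is a normalised agent log line (type invented for this example).
type Entry struct {
	Format, Severity, Source, Msg string
}

var (
	// klog text header: Lmmdd hh:mm:ss.uuuuuu pid file:line] message
	klogRe = regexp.MustCompile(`^([IWEF])\d{4} \d{2}:\d{2}:\d{2}\.\d{6}\s+\d+ ([^\s:]+:\d+)\] (.*)$`)
	// Go standard logger (pre-1.3.0): yyyy/mm/dd hh:mm:ss message
	stdRe = regexp.MustCompile(`^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} (.*)$`)
)

// ParseLine accepts either format; ok is false for anything else.
func ParseLine(line string) (e Entry, ok bool) {
	if m := klogRe.FindStringSubmatch(line); m != nil {
		e = Entry{Format: "klog", Severity: m[1], Source: m[2], Msg: m[3]}
		// Structured lines start with a Go-quoted message; reflector warnings do not.
		if q, err := strconv.QuotedPrefix(m[3]); err == nil {
			if s, err := strconv.Unquote(q); err == nil {
				e.Msg = s
			}
		}
		return e, true
	}
	if m := stdRe.FindStringSubmatch(line); m != nil {
		// The old format carries no severity; leave it empty rather than guess.
		return Entry{Format: "gostd", Msg: m[1]}, true
	}
	return Entry{}, false
}

func main() {
	// Sample lines copied from the Before/After output above.
	for _, l := range []string{
		`2024/11/14 13:53:39 Data sent successfully.`,
		`I1114 13:52:48.941680   30246 config.go:767] "Loading upload_path from \"venafi-cloud\" configuration." logger="Run"`,
		`W1114 13:54:48.042893   31016 reflector.go:561] pkg/mod/k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: failed to list jetstack.io/v1alpha1, Resource=venafiissuers: the server could not find the requested resource`,
	} {
		e, ok := ParseLine(l)
		fmt.Printf("%v %+v\n", ok, e)
	}
}
```

Rules that match on message text also need updating, because the wording changed along with the format: the samples above show "Data sent successfully." losing its full stop and "error messages will not show…" becoming "Error messages will not show…".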

Full Changelog: v1.2.0...v1.3.0

v1.2.0

31 Oct 10:04
1f00f09

What's Changed

  • You can now better diagnose issues with the Venafi Kubernetes Agent by looking at the Kubernetes events attached to its pod (#589)
  • The Venafi Kubernetes Agent now compresses its requests made to the Venafi Control Plane API, reducing the network traffic by 90% (#594)

Full Changelog: v1.1.0...v1.2.0