[v0.17.1] - 2023-05-28
- The docs now have “last update” timestamp and a commit hash too.
- Other documentation updates.
- Fixed minor go report card warnings. Aegis now has an A+, as go report card goes.
- Enhancements to speed up the build operations.
AEGIS_SAFE_USE_KUBERNETES_SECRETSwas a noop, fixed it to have impact if the option is not specified declaratively. That is, if the value is not provided, environment variable is honored (if set, otherwise assumed
- Fixed a bunch of “UNKNOWN ENTITY” warnings in audit logs, also made entity name mandatory in the audit logs.
- Upgraded manifests to remove Kustomization deprecation warnings.
- BREAKING: Renamed
AEGIS_BOOTSTRAP_TIMEOUT. Reasoning: No need to expose unnecessary jargon and implementation specifics, also the current variable name is more representative of what is being done
[v0.16.1] - 2023-05-16
- There were inconsistencies in the documentation due to recent changes that need an update. The docs are more consistent now.
- Minor bug fixes.
- Fixes in the Kustomization files to remove deprecation warnings.
- Documentation overhaul: Added an index page, modified the video player on the home page to make it easier to watch, added more use cases.
- Minor bug fixes.
- Upgraded SPIRE to v1.6.3; SPIFFE CSI Driver to v0.2.3; CSI Node Driver Registrar to v2.7.0
- The sample workload name use the examples has been changed from
example. This makes it clear that the workload is just an example, and it is ot related to
aegis-systemat all. It is not the platform, it is the consumer.
- Changes in the build scripts and the
- BREAKING: The
nonetype is removed from the Aegis Sentinel formatting option; the default format is
- BREAKING: Changed container repository names to
aegishub/example-*. This was due to a root signing key being lost and us being unable to sign upcoming images. Nonetheless, the change allowed us some cleanup and restructuring too.
[v0.15.8] - 2023-04-21
This was a maintenance release that includes a few important hotfixes.
- Aegis Safe queues were not cleaning due to a bootstrapping bug. Fixed that.
- Aegis Safe was crashing when deleting a secret that does not exist. Fixed that.
- Template transformation bugs for certain kinds of input data. Right now
template transformation works for any
[v0.15.7] - 2023-04-19
This was a prerelease to test the “multiple secrets” feature and create a demo workload that can be utilized in certain CI/CD scenarios. There will be a follow-up minor release to clean up some of the dust and make the documentation aligned with the current state of the source code.
Here is a list of changes:
- Aegis Sentinel can now encrypt values. You can then use those encrypted values instead of plain text value to store as secrets for an added layer of security.
- Documentation updates in the source code to make contributions easier, and the code easier to understand.
- All logs require a
correlationIdto make it easier to track the requests and responses.
- Added a new use case to demonstrate the ability to add multiple secrets.
- Aegis now supports associating multiple secrets with a workload. This is
useful especially when you have many secrets for the workload, and you
want to encrypt them in chunks. This is done with the append (
- BREAKING: Log levels have changes. Now the lowest level is
0(OFF) and the highest level is
- BREAKING: Made the secret deletion more explicit with the
- BREAKING: Removed the ability to change log levels dynamically. Piggybacking on the secret payload was a hacky solution. We will implement a more robust solution in the future.
[v0.15.6] - 2023-03-30
- Added an error logs when Aegis Safe secrets queue overflows. That is useful to create alarms, as it is an important metric of Aegis Safe’s performance.
- Simplified the development and publishing flows.
- Added links to the documentation pages to make them editable on GitHub.
- Stability improvements.
- Moved all Aegis projects under a single (mono)repo for ease of maintenance. This way, all the examples and documentation can remain under the same repo; eliminating the need to jump between several codebases. Plus, it makes static analysis, coverage reporting, vulnerability scanning, detecting unused functions, repetitive code blocks, etc, etc. so much easier: All good things.
- Design changes on the website to make it more eye-friendly. Improvements to the readability of the documentation.
- BREAKING: Removed
"cluster"as a backing store option. It does not make sense to back up secrets onto etcd. It makes the architecture complicated, impacts the security posture without providing much added value.
[v0.14.0] - 2023-03-18
- Upgraded Aegis to use
- Aegis now has versioned documentation: We will take a snapshot of the documentation at every important release.
- Significant documentation updates.
- Updated the build scripts to be less error-prone.
- The namespace of Kubernetes
Secrets created by Aegis Sentinel now default to
- Moved the audit logging functionality to
aegis-coreto make it reusable between all Aegis modules.
- Moved Aegis repositories to a GitHub organization (ShieldWorks) for ease of management: https://github.com/shieldworks.
- BREAKING: Removed the insecure random string generator methods from the
core API. Now, there is only one
RandomString()method that generates a cryptographically secure and unique random string.
- BREAKING: The versioned copies of the secrets on the drive are suffixed
.backupto grep them easily. The older items (that are not suffixed) will be caught by the
ListAPI as new key/value pairs, resulting in extra entries that are not being used.
[v0.13.0] - 2023-03-03
- Aegis has a new website: aegis.ist.
- Added a documentation page for Aegis Sentinel CLI usage.
- Template transformations now apply to the secret values that are reflected to the workloads as well.
- Fixed minor errors in documentation.
- Minor bug fixes.
- BREAKING: Trust root of entities changed from
- Updated to Aegis Sentinel commands.
- Documentation updates to talk about how to use Aegis Sidecar to propagate Aegis-Safe-managed secrets into Kubernetes.
- Documentation update: Changed contact, support, and security feedback emails
[v0.12.70] - 2023-02-17
- Ability to wait for the secret to initialize first, using Aegis Init Container.
- Ability to use go templates to transform secrets. In this version, the
transformation only applies to the generated Kubernetes
Secrets. In the upcoming versions, Aegis Safe API will also honor the transformations when returning the secret values.
- Upgraded all builder images to Go
- Fixed a channel overflow bug that was blocking secret operations when an error occurs.
[v0.12.55] - 2023-02-15
- Added ability to use actual Kubernetes
Secretobject to save the values of the registered secrets—this is (mostly) for legacy support.
- Added an option to use the cluster as a backing store (work in progress)
- Implemented additional configuration options through environment variables
- Created a script to list the status of all Aegis projects (especially useful when doing deployments and release cuts)
- There are breaking changes in certain environment variable names. The documentation ha been updated to reflect these changes.
[v0.12.30] - 2023-02-05
- Added contributing guidelines.
- Added local development instructions.
- Added default values to sample
- Added the ability to list secrets to Aegis Sentinel.
- Other documentation updates.
- Improvements to local development workflow.
- BREAKING: Changes in Aegis Safe REST API that required changes in demo workload implementations, and Aegis Sentinel.
[v0.11.20] - 2023-02-03
- Added a media kit .
- Added more configuration options through environment variables.
- Aegis Sidecar now exponentially backs off if it cannot fetch secrets in a timely manner.
- BREAKING: All time units in environment variables are now milliseconds, instead of seconds.
[v0.11.5] - 2023-02-01
- Improved the website’s information architecture.
- Added audit logs to Safe API methods.
- When a secret persist error occurs, it is logged.
- Improvements in development workflow (enabling local registries)
- Retry persisting secrets to disk one more time before erring out.
- Added a channel mechanism to funnel disk errors instead of suppressing them.
[v1.11.0] - 2023-01-28
As per this release, Aegis is able to securely dispatch secrets to workloads within a single cluster; it encrypts and backs up secrets to a volume; and if it crashes, it recovers its state from the backups. The code is stable enough and the solution can be used at a production capacity.
That’s also why we started a changelog: Before this point in time, it was a figurative cambrian soup, and it was too chaotic to even keep a changelog.
From this point on, we will record the changes, deprecations, removals, fixes, and security patches more carefully.
- Added a script to do functional test before every release cut.
- Whenever a secret is saved, the old secret is backed up.
- Ability to delete secrets.
- In-memory mode: Secrets can optionally NOT be persisted on disk and kept only in memory. This is not the default behavior and needs to be set using an environment variable.
- Usability improvements to the website.
- Added more tutorials and articles to the website to explain how Aegis works.
- Aegis Safe responds with RFC3339 instead of RubyDate. RFC3339 is also what Go uses when serializing dates into JSON.
- Added a buffered channel to save secrets on disk to improve performance especially for slower disks.
- Better logs.