Update HashiCorp Vault image to 1.6.5 (#52)

asaintsever · web-flow · commit cfc6cf8dc026 · 2021-05-26T09:02:36.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog for Vault Sidecar Injector
 
+## Release v7.2.1 - 2021-05-26
+
+New default Vault image to fix CVE-2021-32923 (refer to HashiCorp Vault's [changelog](https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#may-20th-2021-1)).
+
+**Changed**
+
+- [VSI #52](https://github.com/Talend/vault-sidecar-injector/pull/52) - Update HashiCorp Vault image to 1.6.5
+
 ## Release v7.2.0 - 2021-05-19
 
 This release comes with support for `admission.k8s.io/v1` AdmissionReview and `admissionregistration.k8s.io/v1` MutatingWebhookConfiguration on Kubernetes 1.16+. As a result, Vault Sidecar Injector now handles both v1 and v1beta1 versions of those resources.
diff --git a/VERSION_CHART b/VERSION_CHART
@@ -1 +1 @@
-4.3.0
+4.3.1
diff --git a/VERSION_RELEASE b/VERSION_RELEASE
@@ -1 +1 @@
-7.2.0
+7.2.1
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -74,7 +74,7 @@ injectconfig:
   vault:
     image:
       path: "vault" # image path
-      tag: "1.6.2" # image tag
+      tag: "1.6.5" # image tag
       pullPolicy: Always # Pull policy for images: IfNotPresent or Always
     log:
       level: info # Vault log level: trace, debug, info, warn, err
diff --git a/doc/Configuration.md b/doc/Configuration.md
@@ -21,7 +21,7 @@ The following table lists the configurable parameters of the `Vault Sidecar Inje
 | injectconfig.jobbabysitter.resources.requests.memory | Job babysitter sidecar memory resource requests | 20Mi |
 | injectconfig.vault.image.path  | Image path  | vault |
 | injectconfig.vault.image.pullPolicy    | Pull policy for image: IfNotPresent or Always  | Always   |
-| injectconfig.vault.image.tag  | Image tag | 1.6.2 |
+| injectconfig.vault.image.tag  | Image tag | 1.6.5 |
 | injectconfig.vault.log.format                    | Vault log format: standard, json    | json    |
 | injectconfig.vault.log.level                    | Vault log level: trace, debug, info, warn, err    | info    |
 | injectconfig.vault.resources.limits.cpu | Vault sidecar CPU resource limits | 200m |
diff --git a/test/config/injectionconfig.yaml b/test/config/injectionconfig.yaml
@@ -1,6 +1,6 @@
 initContainers:
   - name: tvsi-vault-agent-init
-    image: vault:1.6.2
+    image: vault:1.6.5
     imagePullPolicy: Always
     env:
       - name: SKIP_SETCAP
@@ -106,7 +106,7 @@ containers:
         mountPath: /var/run/secrets/kubernetes.io/serviceaccount
         readOnly: true
   - name: tvsi-vault-agent
-    image: vault:1.6.2
+    image: vault:1.6.5
     imagePullPolicy: Always
     env:
       - name: SKIP_SETCAP
diff --git a/test/config/injectionconfig.yaml.resolved b/test/config/injectionconfig.yaml.resolved
@@ -116,7 +116,7 @@ containers:
   - name: VSI_VAULT_AUTH_METHOD
     value: kubernetes
   - name: VSI_VAULT_ROLE
-  image: vault:1.6.2
+  image: vault:1.6.5
   imagePullPolicy: Always
   lifecycle:
     preStop:
@@ -173,7 +173,7 @@ initContainers:
     value: https://vault:8200
   - name: VSI_SECRETS_TEMPLATES_PLACEHOLDER
   - name: VSI_VAULT_ROLE
-  image: vault:1.6.2
+  image: vault:1.6.5
   imagePullPolicy: Always
   name: tvsi-vault-agent-init
   resources: {}
