Releases: jetstack/jetstack-secure
v1.10.0-alpha.1
This release tests the introduction of the claimableCerts Helm flag in the discovery-agent chart, allowing operators to control whether discovered certificates are owned by the cluster's tenant or left unassigned for other tenants to claim. Full release notes will be provided when v1.10.0 is released.
What's Changed
- Add claimableCerts Helm flag to discovery-agent chart by @George-Yanev in #794
Full Changelog: v1.10.0-alpha.0...v1.10.0-alpha.1
v1.10.0-alpha.0
This release tests the release process for the new discovery-agent chart. Full release notes will be provided when v1.10.0 is released.
What's Changed
- Add NGTS configuration + NGTS client by @SgtCoDFish in #788
- Add helm chart for NGTS-capable agent by @SgtCoDFish in #789
- disco: re-enable secret sending by default by @SgtCoDFish in #787
- NGTS: Various further updates and fixes by @SgtCoDFish in #790
- Run make upgrade-klone and make generate by @SgtCoDFish in #792
- Force TSG ID to be string, add helm unit-tests by @SgtCoDFish in #793
Full Changelog: v1.9.0...v1.10.0-alpha.0
v1.9.0
disco-agent: Read Before Upgrading!
There are two important changes for disco-agent which you should be aware of before upgrading.
First, v1.9.0 and future releases will use AWS SigV4 unconditionally when uploading to S3. There have been reports of occasional bugs when using an old version of the disco-agent alongside a version which uses SigV4. If you see upload issues, ensure that all agents across your fleet are upgraded to the latest available version.
Second, there's a new required Helm value which must be set to confirm acceptance of the relevant Terms of Service (ToS). Either set the flag --set acceptTerms=true or use the value acceptTerms: true. Upgrading will be blocked until the ToS is accepted.
Major Feature Summary
- disco-agent: Support for External Secrets Operator and ConfigMap resource discovery
- disco-agent: Unconditionally use SigV4 when sending data to S3
- venafi-kubernetes-agent and disco-agent: Support for the new imageRegistry and imageNamespace Helm values, making it much easier to mirror the agent images to your own hub.
- disco-agent: Support for sending encrypted secret values to the Discovery and Context backend
  - This is disabled by default and not recommended to be enabled yet
  - A future release will enable this by default
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.9.0
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.9.0
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.9.0
ARK_IMAGE_DIGEST: sha256:a296a1b8e6a13cfa88c623ec0bc2ac68181110bc6a93e3e5796154b6c786a037
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.9.0
ARK_CHART_DIGEST: sha256:b34d8f924d1bad90c8670e852caeb70791aed9b63c47b8fe340a5003dcbcb013
What's Changed
- Split the datagatherer/k8s package into k8sdiscovery and k8sdynamic by @inteon in #755
- Add initial (unused) RSA envelope encryption by @SgtCoDFish in #756
- Fix e2e test, which was broken due to helm4 upgrade by @inteon in #759
- Upgrade venctl to a version which supports Helm v4, to fix the E2E tests by @wallrj-cyberark in #760
- Enable CyberArk E2E and integration tests in CI by @wallrj-cyberark in #753
- OIDC datagatherer by @inteon in #758
- Move OIDCDiscoveryData to api/ by @inteon in #763
- Lift service discovery client out of CyberArkClient by @SgtCoDFish in #765
- Add a simple contributing file to help onboard new users by @SgtCoDFish in #766
- Convert RSA envelope encryption to JWE by @SgtCoDFish in #767
- Upload OIDC discovery data to disco backend by @inteon in #762
- Label selectors by @achuchev in #768
- Discovery of ConfigMaps by @achuchev in #769
- Add context to DataGatherer.Fetch by @SgtCoDFish in #771
- Use sigv4 for sending data to s3 by @SgtCoDFish in #772
- Add ability to send encrypted secrets to disco backend by @SgtCoDFish in #770
- Add support for ESO resources in disco-agent by @SgtCoDFish in #780
- add explicit permissions for ESO resources by @SgtCoDFish in #781
- Add support for fetching keys from a JWKS endpoint by @SgtCoDFish in #777
- [VC-48429] Helm chart updates for encrypted secrets by @SgtCoDFish in #783
- chore: make upgrade-klone && make generate by @SgtCoDFish in #784
- Add imageRegistry/imageNamespace to Helm chart image settings by @FelixPhipps in #782
- Minor cleanup after disco secrets work by @SgtCoDFish in #785
- Update links to non-broken page by @SgtCoDFish in #774
- Prepare for v1.9.0 release by @SgtCoDFish in #786
Full Changelog: v1.8.0...v1.9.0
v1.9.0-alpha.2
Major points:
- disco-agent: Support for sending encrypted secret values to the Discovery and Context backend
- disco-agent: Support for External Secrets Operator resource discovery
- disco-agent: Unconditionally use SigV4 when sending data to S3
- venafi-kubernetes-agent and disco-agent: Support for the new imageRegistry and imageNamespace Helm values, making it much easier to mirror the agent images to your own hub.
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.9.0-alpha.2
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.9.0-alpha.2
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.9.0-alpha.2
ARK_IMAGE_DIGEST: sha256:124bb9433c9fbd76e39343f18a6687b70a33aa67c343421da9694a4deda0efc3
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.9.0-alpha.2
ARK_CHART_DIGEST: sha256:546433e1f5bd2be791bcf148374a8c630799bcf419d30432b1c9a1ae29c8e624
What's Changed
- Add context to DataGatherer.Fetch by @SgtCoDFish in #771
- Use sigv4 for sending data to s3 by @SgtCoDFish in #772
- Add ability to send encrypted secrets to disco backend by @SgtCoDFish in #770
- Add support for ESO resources in disco-agent by @SgtCoDFish in #780
- add explicit permissions for ESO resources by @SgtCoDFish in #781
- Add support for fetching keys from a JWKS endpoint by @SgtCoDFish in #777
- [VC-48429] Helm chart updates for encrypted secrets by @SgtCoDFish in #783
- chore: make upgrade-klone && make generate by @SgtCoDFish in #784
- Add imageRegistry/imageNamespace to Helm chart image settings by @FelixPhipps in #782
Full Changelog: v1.9.0-alpha.1...v1.9.0-alpha.2
v1.9.0-alpha.1
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.9.0-alpha.1
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.9.0-alpha.1
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.9.0-alpha.1
ARK_IMAGE_DIGEST: sha256:7eb9b0ec9b86c009db95143cea1b0295dfddcd5f4b523429733f0919c156d09a
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.9.0-alpha.1
ARK_CHART_DIGEST: sha256:eb7e8ad865c45ac29339eaf8c593aec13bf6a33d8a1ca39af69588e873073c2d
Full Changelog: v1.9.0-alpha.0...v1.9.0-alpha.1
v1.9.0-alpha.0
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.9.0-alpha.0
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.9.0-alpha.0
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.9.0-alpha.0
ARK_IMAGE_DIGEST: sha256:745d85b7f2461996fb74228bf6ceabb74eae6a21f8298f6af6b9e0c1f19821db
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.9.0-alpha.0
ARK_CHART_DIGEST: sha256:6bcbcdd38cdc8c3c3e244ccc9e0eb3aff9688f58ed0fe3ffcc1cdd3aad39b33d
What's Changed
- Split the datagatherer/k8s package into k8sdiscovery and k8sdynamic by @inteon in #755
- Add initial (unused) RSA envelope encryption by @SgtCoDFish in #756
- Fix e2e test, which was broken due to helm4 upgrade by @inteon in #759
- Upgrade venctl to a version which supports Helm v4, to fix the E2E tests by @wallrj-cyberark in #760
- Enable CyberArk E2E and integration tests in CI by @wallrj-cyberark in #753
- OIDC datagatherer by @inteon in #758
- Move OIDCDiscoveryData to api/ by @inteon in #763
- Lift service discovery client out of CyberArkClient by @SgtCoDFish in #765
- Add a simple contributing file to help onboard new users by @SgtCoDFish in #766
- Convert RSA envelope encryption to JWE by @SgtCoDFish in #767
- Upload OIDC discovery data to disco backend by @inteon in #762
Full Changelog: v1.8.0...v1.9.0-alpha.0
v1.8.0
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.8.0
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.8.0
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.8.0
ARK_IMAGE_DIGEST: sha256:4fe39b74b626fc2035cbdc67c749d19d27561e822da6f8877ccb9c1362536e95
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.8.0
ARK_CHART_DIGEST: sha256:15fb3bcda2fb2a856a3290fa19fec3b2b21546a2dd1e2bd85ee0b09d2dc39fda
What's Changed
- Add upload timeout by @inteon in #743
- Log debug message before uploading by @inteon in #744
- Upgrade go dependencies and makefile modules by @inteon in #745
- Run 'make upgrade-klone' and 'make generate' by @inteon in #749
- Upgrade go dependencies by @inteon in #750
- Use digests for all GH actions by @inteon in #751
- Rebrand Venafi to CyberArk by @inteon in #752
Full Changelog: v1.7.1...v1.8.0
v1.8.0-alpha.0
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.8.0-alpha.0
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.8.0-alpha.0
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.8.0-alpha.0
ARK_IMAGE_DIGEST: sha256:884e604811b1ca7b95a888078acfa1dcefeaf3a6c2366aa57ca7892f98abfc9c
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.8.0-alpha.0
ARK_CHART_DIGEST: sha256:9f39b2d5df827a9ac1df7b20da89265055fd646b84fbcd263b64dc30693307c9
What's Changed
- Add upload timeout by @inteon in #743
- Log debug message before uploading by @inteon in #744
- Upgrade go dependencies and makefile modules by @inteon in #745
Full Changelog: v1.7.1...v1.8.0-alpha.0
v1.7.1
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.1
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.1
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.1
ARK_IMAGE_DIGEST: sha256:b63bfa7eb45302be214e7f408aff70aa15221105ced934e95c2faf83e65aa0af
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.1
ARK_CHART_DIGEST: sha256:2d0ff2fd142e2f84541bd228591f1133b5b0604c7bedbecc839964696c0b49e0
What's Changed
This is a patch release with a small change to the CyberArk disco-agent, to filter out deleted Secret resources from the data which it uploads to the CyberArk Discovery and Context API because that data is not needed by the backend.
This release also contains various changes to the venafi-kubernetes-agent Helm chart documentation, related to the rebranding of Venafi to CyberArk product names.
Finally, this release contains extended debug logging, as a result of updating to the latest version of venafi-connection-lib, to help customers and support engineers diagnose problems with VenafiConnection based authentication in the field.
- [VC-46370] CyberArk: Skip deleted resources when converting data readings to snapshot by @wallrj-cyberark in #741
- [VC-45018] Improve consistency of contextual information in cert-components by @iossifbenbassat123 in #739
- [VC-46486] Update venafi-connection-lib to v0.5.1 by @wallrj-cyberark in #742
New Contributors
- @iossifbenbassat123 made their first contribution in #739
Helm Chart Changes
$ diff -u <(helm template oci://quay.io/jetstack/charts/venafi-kubernetes-agent --version v1.7.0 | fgrep -v -e helm.sh/chart -e app.kubernetes.io/version) <(helm template oci://quay.io/jetstack/charts/venafi-kubernetes-agent:v1.7.1 | fgrep -v -e helm.sh/chart -e app.kubernetes.io/version)
Pulled: quay.io/jetstack/charts/venafi-kubernetes-agent:v1.7.1
Pulled: quay.io/jetstack/charts/venafi-kubernetes-agent:v1.7.0
Digest: sha256:94782809893d1ad0e815054216bb77f41a97c9db9941da5743034fffd327ed4c
Digest: sha256:2776ca45271676dbfee30cbec69063faaef66c51081a56f0df249c20ba6d954e
--- /dev/fd/63 2025-11-04 12:20:32.541652736 +0000
+++ /dev/fd/62 2025-11-04 12:20:32.542652733 +0000
@@ -877,7 +877,7 @@
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- image: "quay.io/jetstack/venafi-agent:v1.7.0"
+ image: "quay.io/jetstack/venafi-agent:v1.7.1"
imagePullPolicy: IfNotPresent
env:
- name: POD_NAMESPACEDocker Image Comparison
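Review bot: the changed image line in the @@ -877,7 +877,7 @@ hunk still references quay.io/jetstack/venafi-agent by tag only (v1.7.1), and the unchanged context keeps imagePullPolicy: IfNotPresent, so a node that already holds an image under that tag will not pull again and nothing in the rendered manifest binds the pod to specific image content. Consider rendering the reference as tag plus digest (quay.io/jetstack/venafi-agent:v1.7.1@sha256:<digest>) so that this template diff also records which image content changed. These release notes list digests for disco-agent but none for venafi-agent, so the value would have to be taken from the registry at release time.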
$ diffoci diff quay.io/jetstack/venafi-agent:v1.7.0 quay.io/jetstack/venafi-agent:v1.7.1 --semantic
INFO[0000] Target platforms: [linux/amd64]
TYPE NAME INPUT-0 INPUT-1
File ko-app/preflight b2453fed97b6041799436821ae56d88e12b272ad373cde0c87af8261dc5f27f5 6d6aaa53e279170a4e42811ca176bf44330eda4acca70740970a657b03082cc0
File licenses/LICENSES eba3b9d98369e17c83a1ee29798b663e14dd9b54bcf720b936127a06f104fed3 b73d0d9af1d810bd33928f92085aa3e97ba79f3cc8f842f65f2be17ad7c7d7bd
Mani ctx:/manifests-0/annotations field "Annotations"
Idx ctx:/annotations field "Annotations"
Full Changelog: v1.7.0...v1.7.1
v1.7.1-alpha.1
A pre-release to test the latest venafi-connection-lib upgrade in #742
OCI_PREFLIGHT_IMAGE: quay.io/jetstack/venafi-agent
OCI_PREFLIGHT_TAG: v1.7.1-alpha.1
HELM_CHART_IMAGE: quay.io/jetstack/charts/venafi-kubernetes-agent
HELM_CHART_VERSION: v1.7.1-alpha.1
ARK_IMAGE: quay.io/jetstack/disco-agent
ARK_IMAGE_TAG: v1.7.1-alpha.1
ARK_IMAGE_DIGEST: sha256:6b43f206b6087f134e357b7a44936d02a466d30bd1dd08c2b3da351d17b1eb62
ARK_CHART: quay.io/jetstack/charts/disco-agent
ARK_CHART_TAG: v1.7.1-alpha.1
ARK_CHART_DIGEST: sha256:8a6011fe5d93fde6411cbaa358dcc04943ec10d436a5de3acff4d15a1f835e0c