Vault Plugin Secrets Github Versions

Create ephemeral, finely-scoped @github access tokens using @hashicorp Vault.

v2.1.0

1 month ago

Summary

A release focused on optimizations for using the plugin at significant scale based on feedback from large enterprise deployments.

New features

  • The config endpoint gets an option, exclude_repository_metadata, for significantly reducing the memory footprint of the plugin.
  • The plugin is now multiplexed to avoid spawning multiple plugin processes for mounts of the same type.

Hygiene

  • Go 1.22 and codebase modernized.
  • All dependencies upgraded.
  • Project infrastructure simplified (Nix; no more Make and Docker) and modernized (goreleaser).
  • SBOMs added to the release collateral.

Changelog

  • b27482c Disable proxy
  • 06444ef Fix CI
  • 4704d2b Fix new hide metadata contribution
  • 9adcf63 Handle Prom/OpenMetrics upgrade
  • 4f09214 Support existence checks
  • db002ca Support multiplexed plugins
  • 537597d Ditch Docker and Make for pure Nix
  • ef9e7ba Run github.com/martinbaillie/copiedloopvarfixer over code
  • 03f158b Replace dated usage of interface{} with any
  • 52200f6 Fix disable metadata feature
  • 9bfbd38 feat: added a configuration key [hide_repository_metadata] that, if set to true, will minimize the [token.data.repositories] to [token.data.repositories.names] to avoid high memory consumption (#114)
  • 8fd5e5a Update the releases link (#108)
  • 072ee83 Update documentation for v2.0.0

v2.0.0

1 year ago

With this release, the plugin is moving to a model where it can support multiple GitHub App installations from the one mount. It does this in v2 by moving the configuration of GitHub App installation IDs (installation_id) to request time rather than configuration time.

Users can provide the installation_id as part of ad-hoc requests to the /token endpoint but are encouraged instead to utilise the powerful Permission Sets feature to persist and abstract away the installation_id parameter from the user entirely. By creating a permission set you only need to enter the installation_id once.

For convenience and to support another use case, the token and permission set endpoints can alternatively take an org_name value instead of an installation_id. In this case, the plugin will perform an additional lookup (roundtrip to your GitHub instance) against org_name to discover the current installation_id first during token creation flows. Note that there is no caching of the discovered installation_id so this extra lookup occurs every time. For high traffic mounts or permission sets you may wish to continue setting installation_id instead of org_name.

Breaking Changes:

  • Installation ID configuration is moved to request time. Permission Sets strongly encouraged.

v2.0.0-rc.1

2 years ago

The plugin is moving to a model where it can support multiple GitHub App installations from the one mount. It does this in v2 by moving the configuration of GitHub App installation IDs (ins_id) to request time rather than configuration time.

Users can provide the ins_id as part of ad-hoc requests to the /token endpoint but are encouraged instead to utilise the powerful Permission Sets feature to abstract away the ins_id parameter entirely.

Breaking Changes:

  • Installation ID configuration is moved to request time. Permission Sets strongly encouraged.
  • Installation ID lookup using Organisation name has been removed. This may be reintroduced in some form before v2.0.0.

v1.3.0

2 years ago

New features:

  • A new org_name config value that can be used to discover the GitHub App installation ID from the organisation instead of providing it explicitly.

v1.2.0

2 years ago

New features:

  • A new repositories parameter that allows you to specify token repository constraints by name instead of ID!

v1.1.1

3 years ago

Bug fixes:

  • A 401 Bad credentials from GitHub during a Vault lease revocation operation is now considered a success because the token has already been revoked by GitHub before Vault could.

v1.1.0

3 years ago

New features:

Breaking changes:

v1.0.0

3 years ago

After running this in production at $WORK for the best part of a year, I'm releasing a v1.0.0.

This version also fixes https://github.com/martinbaillie/vault-plugin-secrets-github/issues/6 and implements the requests in https://github.com/martinbaillie/vault-plugin-secrets-github/issues/9.

v1.0.0-alpha

4 years ago
