Squash merge branch 'main' into VAULT-40103-approle-extension

Author: hashiblaum

.github/workflows/build.yaml

@@ -164,7 +164,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        arch: ["arm64", "amd64", "s390x"]
+        arch: ["arm64", "amd64"]
     env:
       repo: ${{github.event.repository.name}}
       version: ${{needs.get-product-version.outputs.product-version}}
@@ -219,6 +219,7 @@ jobs:
         run: |
           make ci-build-scripts-dir GOARCH="${{ matrix.arch }}"
       - name: Docker Build (Action)
+        if: ${{ matrix.arch != 's390x' }}
         uses: hashicorp/actions-docker-build@v2
         env:
           VERSION: ${{ needs.get-product-version.outputs.product-version }}
@@ -231,11 +232,22 @@ jobs:
           tags: |
             docker.io/hashicorp/${{env.repo}}:${{env.image_tag}}
             public.ecr.aws/hashicorp/${{env.repo}}:${{env.image_tag}}
-
-      - name: Check binary version in container
+      - name: Docker Build (Action) s390x
+        if: ${{ matrix.arch == 's390x' }}
+        uses: hashicorp/actions-docker-build@v2
+        env:
+          VERSION: ${{ needs.get-product-version.outputs.product-version }}
+          GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }}
+        with:
+          version: ${{env.version}}
+          target: release-ubi
+          arch: ${{matrix.arch}}
+          redhat_tag: quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}}
+      - name: Check binary version in container ${{ matrix.arch }}
+        if: ${{ matrix.arch != 's390x' }}
         shell: bash
         run: |
-          version_output=$(docker run hashicorp/${{env.repo}}:${{env.image_tag}} --version --output=json)
+          version_output=$(docker run --platform linux/${{matrix.arch}} hashicorp/${{env.repo}}:${{env.image_tag}} --version --output=json)
           echo $version_output
           git_version=$(echo $version_output | jq -r .gitVersion)
 
@@ -269,6 +281,7 @@ jobs:
         - "0.10.0"
         - "1.0.0"
         - "1.0.1"
+        - "1.1.0"
     steps:
       - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:

.go-version

@@ -1 +1 @@
-1.25.4
+1.25.5

.release/security-scan.hcl

@@ -2,33 +2,37 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 binary {
-	go_stdlib  = true // Scan the Go standard library used to build the binary.
-	go_modules = true // Scan the Go modules included in the binary.
-	osv        = true // Use the OSV vulnerability database.
-	oss_index  = true // And use OSS Index vulnerability database.
+    go_stdlib  = true // Scan the Go standard library used to build the binary.
+    go_modules = true // Scan the Go modules included in the binary.
+    osv        = true // Use the OSV vulnerability database.
+    oss_index  = true // And use OSS Index vulnerability database.
 
-	secrets {
-		all = true
-	}
+    secrets {
+        all = true
+    }
 
-	triage {
-		suppress {
-			vulnerabilities = [
-				// GO-2022-0635 is of low severity, and VSO isn't using the affected functionalities
-				// Upgrading to latest version of go-secure-stdlib is not possible at this time.
-				// The required functionality was inadvertently dropped from
-				// github.com/hashicorp/go-secure-stdlib/awsutil during the migration to aws-sdk-go-v2.
-				"GO-2022-0635"
-			]
-		}
-	}
+    triage {
+        suppress {
+            vulnerabilities = [
+                // GO-2022-0635 is of low severity, and VSO isn't using the affected functionalities
+                // Upgrading to latest version of go-secure-stdlib is not possible at this time.
+                // The required functionality was inadvertently dropped from
+                // github.com/hashicorp/go-secure-stdlib/awsutil during the migration to aws-sdk-go-v2.
+                "GO-2022-0635",
+                // CVE-2025-6020 is for the UBI image.
+                // It has not yet been patched in registry.access.redhat.com/ubi10/ubi-micro:latest, 
+                // and is not applicable to this project.
+                "CVE-2025-6020",
+            ]
+        }
+    }
 }
 
 container {
-	dependencies = true // Scan any installed packages for vulnerabilities.
-	osv          = true // Use the OSV vulnerability database.
+    dependencies = true // Scan any installed packages for vulnerabilities.
+    osv          = true // Use the OSV vulnerability database.
 
-	secrets {
-		all = true
-	}
+    secrets {
+        all = true
+    }
 }

.release/vault-secrets-operator-artifacts.hcl

@@ -11,12 +11,10 @@ artifacts {
   container = [
     "vault-secrets-operator_release-default_linux_amd64_${version}_${commit_sha}.docker.tar",
     "vault-secrets-operator_release-default_linux_arm64_${version}_${commit_sha}.docker.tar",
-    "vault-secrets-operator_release-default_linux_s390x_${version}_${commit_sha}.docker.tar",
     "vault-secrets-operator_release-ubi_linux_amd64_${version}_${commit_sha}.docker.redhat.tar",
     "vault-secrets-operator_release-ubi_linux_arm64_${version}_${commit_sha}.docker.redhat.tar",
     "vault-secrets-operator_release-ubi_linux_s390x_${version}_${commit_sha}.docker.redhat.tar",
     "vault-secrets-operator_release-ubi_linux_amd64_${version}_${commit_sha}.docker.tar",
     "vault-secrets-operator_release-ubi_linux_arm64_${version}_${commit_sha}.docker.tar",
-    "vault-secrets-operator_release-ubi_linux_s390x_${version}_${commit_sha}.docker.tar",
   ]
 }

CHANGELOG.md

@@ -1,3 +1,37 @@
+## 1.1.1 (December 16th, 2025)
+
+Fix:
+* Helm: properly set the PodSecurityContext: ([#1183](https://github.com/hashicorp/vault-secrets-operator/pull/1183))
+
+Enhancements:
+* Helm: bump CSI driver version to 1.0.1: ([#1184](https://github.com/hashicorp/vault-secrets-operator/pull/1184))
+
+
+## 1.1.0 (December 12th, 2025)
+
+Enhancements:
+* Add support for linux/s390x and linux/arm64 (Red Hat): ([#1152](https://github.com/hashicorp/vault-secrets-operator/pull/1152))
+
+Fix:
+* Topology spread constraints bugfix: ([#1148](https://github.com/hashicorp/vault-secrets-operator/pull/1148))
+* Update docs branch version: ([#1140](https://github.com/hashicorp/vault-secrets-operator/pull/1140))
+
+Build:
+* ci: updating vault-helm to v0.31.0 and latest Vault versions: ([#1125](https://github.com/hashicorp/vault-secrets-operator/pull/1125))
+
+Dependency Updates:
+* Bump the gomod-backward-compatible group across 1 directory with 4 updates: ([#1172](https://github.com/hashicorp/vault-secrets-operator/pull/1172))
+* Bump the gomod-backward-compatible group with 4 updates: ([#1178](https://github.com/hashicorp/vault-secrets-operator/pull/1178))
+* Bump github.com/gruntwork-io/terratest from 0.53.0 to 0.54.0 in the gomod-backward-compatible group: ([#1162](https://github.com/hashicorp/vault-secrets-operator/pull/1162))
+* Bump the gomod-backward-compatible group across 1 directory with 6 updates: ([#1147](https://github.com/hashicorp/vault-secrets-operator/pull/1147))
+* Bump golang.org/x/crypto from 0.43.0 to 0.45.0: ([#1154](https://github.com/hashicorp/vault-secrets-operator/pull/1154))
+* Bump the gomod-backward-compatible group with 7 updates: ([#1157](https://github.com/hashicorp/vault-secrets-operator/pull/1157))
+* Bump google.golang.org/api from 0.250.0 to 0.251.0 in the gomod-backward-compatible group: ([#1133](https://github.com/hashicorp/vault-secrets-operator/pull/1133))
+* Bump the gomod-backward-compatible group with 5 updates: ([#1128](https://github.com/hashicorp/vault-secrets-operator/pull/1128))
+* Bump Go version to 1.25.4: ([#1151](https://github.com/hashicorp/vault-secrets-operator/pull/1151))
+* Bump ubi10/ubi-micro from 10.0 to 10.1: ([#1150](https://github.com/hashicorp/vault-secrets-operator/pull/1150))
+* Bump ubi10/ubi-minimal from 10.0 to 10.1: ([#1149](https://github.com/hashicorp/vault-secrets-operator/pull/1149))
+
 ## 1.0.1 (September 26th, 2025)
 
 Fix:

Makefile

@@ -5,7 +5,7 @@
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
 VERSION ?= 0.0.0-dev
 KUBE_RBAC_PROXY_VERSION = v0.18.1
-VSO_CSI_DRIVER_VERSION ?= 1.0.0
+VSO_CSI_DRIVER_VERSION ?= 1.0.1
 VSO_CSI_LIVENESS_PROBE_VERSION ?= v2.16.0
 VSO_CSI_NODE_DRIVER_REGISTRAR_VERSION ?= v2.14.0
 

chart/Chart.yaml

@@ -3,8 +3,8 @@
 
 apiVersion: v2
 name: vault-secrets-operator
-version: 1.0.1
-appVersion: "1.0.1"
+version: 1.1.1
+appVersion: "1.1.1"
 kubeVersion: ">=1.21.0-0"
 description: Official Vault Secrets Operator Chart
 type: application

chart/templates/_helpers.tpl

@@ -487,14 +487,14 @@ topologySpreadConstraints appends the "vso.chart.selectorLabels" to .Values.cont
 vso.privileged.securityContext extends the given securithContext to always
 include privileged: true
 */}}
-{{- define "vso.privileged.securityContext" -}}
+{{- define "vso.privilegedContainer.securityContext" -}}
 {{- $sc := dict -}}
 {{- with . -}}
 {{- range $k, $v := . -}}
 {{- $_ := set $sc $k $v -}}
 {{- end -}}
 {{- end -}}
-{{- $_ := set $sc "privileged" (true | quote) -}}
+{{- $_ := set $sc "privileged" true -}}
 {{- toYaml $sc -}}
 {{- end -}}
 

chart/templates/csi-driver.yaml

@@ -61,8 +61,10 @@ spec:
       annotations:
       {{- include "vso.csi.annotations" . | nindent 8 }}
     spec:
+      {{- with .Values.csi.securityContext }}
       securityContext:
-      {{- include "vso.privileged.securityContext" .Values.csi.securityContext | nindent 8 }}
+      {{ toYaml . | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ include "vso.chart.fullname" . }}-csi
       {{- with .Values.csi.hostAliases }}
       hostAliases:
@@ -133,7 +135,7 @@ spec:
         {{- end }}
         imagePullPolicy: {{ .Values.csi.driver.image.pullPolicy }}
         securityContext:
-        {{- include "vso.privileged.securityContext" .Values.csi.driver.securityContext | nindent 10 }}
+        {{- include "vso.privilegedContainer.securityContext" .Values.csi.driver.securityContext | nindent 10 }}
         livenessProbe:
             failureThreshold: 5
             httpGet:

chart/values.yaml

@@ -197,7 +197,7 @@ controller:
     image:
       pullPolicy: IfNotPresent
       repository: hashicorp/vault-secrets-operator
-      tag: 1.0.1
+      tag: 1.1.1
 
     # logging
     logging:
@@ -1049,7 +1049,7 @@ csi:
       # The Docker repository of the CSI driver image.
       repository: hashicorp/vault-secrets-operator-csi
       # The version of the CSI driver image to download.
-      tag: 1.0.0
+      tag: 1.0.1
 
     # Additional environment variables for the
     # CSI driver container.