Prepare v1.7.0 release

.github/actions/integration-test/action.yml

@@ -21,7 +21,7 @@ inputs:
     default: 'vault-k8s'
   bats-version:
     description: 'Version of bats to run tests with'
-    default: '1.11.0'
+    default: '1.11.1'
   vault-license:
     description: 'Vault license to use for enterprise tests'
     required: true
@@ -50,7 +50,7 @@ runs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         repository: "hashicorp/vault-helm"
-        ref: "v0.29.1"
+        ref: "v0.30.0"
         path: "vault-helm"
 
     - name: Create Kind Cluster
@@ -59,7 +59,7 @@ runs:
         cluster_name: ${{ inputs.kind-cluster-name }}
         config: vault-helm/test/kind/config.yaml
         node_image: kindest/node:v${{ inputs.k8s-version }}
-        version: "v0.27.0"
+        version: "v0.29.0"
 
     - name: Create kind export log root
       id: create_kind_export_log_root

.github/workflows/jira.yaml

@@ -14,4 +14,4 @@ jobs:
       JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
       JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
     with:
-      teams-array: '["vault-eco"]'
+      teams-array: '["vault-eco", "vault-eco-infra"]'

.github/workflows/tests.yaml

@@ -39,10 +39,11 @@ jobs:
       - run: echo "setting versions"
     outputs:
       # JSON encoded array of k8s versions.
-      K8S_VERSIONS: '["1.32.2", "1.31.6", "1.30.10", "1.29.14", "1.28.15"]'
-      VAULT_N: "1.18.5"
-      VAULT_N_1: "1.17.6"
-      VAULT_N_2: "1.16.3"
+      K8S_VERSIONS: '["1.33.1", "1.32.5", "1.31.9", "1.30.13", "1.29.14"]'
+      VAULT_N: "1.19.5"
+      VAULT_N_1: "1.18.5"
+      VAULT_N_2: "1.17.6"
+      VAULT_LTS_1: "1.16.3"
 
   latest-vault:
     name: vault:${{ matrix.vault-version }} kind:${{ matrix.k8s-version }}
@@ -81,6 +82,7 @@ jobs:
         vault-version:
           - ${{ needs.versions.outputs.VAULT_N_1 }}
           - ${{ needs.versions.outputs.VAULT_N_2 }}
+          - ${{ needs.versions.outputs.VAULT_LTS_1 }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

CHANGELOG.md

@@ -1,7 +1,26 @@
 ## Unreleased
 
+## 1.7.0 (June 24, 2025)
+
 Changes:
 * Building with Go 1.24.4
+* Default Vault version updated to 1.19.5
+* Testing with K8s versions 1.29 - 1.33
+* Dependency updates:
+  * Docker image `alpine` 3.21.3 => 3.22.0
+  * Docker image `ubi8/ubi-minimal` 8.10-1179.1739286367 => 8.10-1295.1749680713
+  * github.com/go-logr/logr v1.4.2 => v1.4.3
+  * github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9 => v0.2.0
+  * github.com/hashicorp/vault/sdk v0.15.0 => v0.18.0
+  * github.com/operator-framework/operator-lib v0.17.0 => v0.18.0
+  * github.com/prometheus/client_golang v1.21.0 => v1.22.0
+  * k8s.io/api v0.32.2 => v0.33.2
+  * k8s.io/apimachinery v0.32.2 => v0.33.2
+  * k8s.io/client-go v0.32.2 => v0.33.2
+  * sigs.k8s.io/controller-runtime v0.20.2 => v0.21.0
+
+Features:
+* Add support for setting `template_config.lease_duration_threshold` in Agent config [GH-761](https://github.com/hashicorp/vault-k8s/pull/761)
 
 ## 1.6.2 (February 26, 2025)
 

Dockerfile

@@ -66,7 +66,7 @@ ENTRYPOINT ["/bin/vault-k8s"]
 
 # This target creates a production ubi release image
 # for the project for use on OpenShift.
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1295.1749680713.1749680713 AS ubi
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1295.1749680713 AS ubi
 
 ARG PRODUCT_NAME
 ARG PRODUCT_VERSION

Makefile

@@ -1,7 +1,7 @@
 REGISTRY_NAME ?= docker.io/hashicorp
 IMAGE_NAME = vault-k8s
 VERSION ?= 0.0.0-dev
-VAULT_VERSION ?= 1.18.5
+VAULT_VERSION ?= 1.19.5
 IMAGE_TAG ?= $(REGISTRY_NAME)/$(IMAGE_NAME):$(VERSION)
 PUBLISH_LOCATION ?= https://releases.hashicorp.com
 DOCKER_DIR = ./build/docker
@@ -15,7 +15,7 @@ PKG = github.com/hashicorp/vault-k8s/version
 LDFLAGS ?= "-X '$(PKG).Version=v$(VERSION)'"
 TESTARGS ?= '-test.v'
 
-VAULT_HELM_CHART_VERSION ?= 0.29.1
+VAULT_HELM_CHART_VERSION ?= 0.30.0
 # TODO: add support for testing against enterprise
 
 TEST_WITHOUT_VAULT_TLS ?=

agent-inject/agent/agent.go

@@ -17,7 +17,7 @@ import (
 )
 
 const (
-	DefaultVaultImage                       = "hashicorp/vault:1.18.5"
+	DefaultVaultImage                       = "hashicorp/vault:1.19.5"
 	DefaultVaultAuthType                    = "kubernetes"
 	DefaultVaultAuthPath                    = "auth/kubernetes"
 	DefaultAgentRunAsUser                   = 100

deploy/injector-deployment.yaml

@@ -44,7 +44,7 @@ spec:
             - name: AGENT_INJECT_VAULT_ADDR
               value: "https://vault.$(NAMESPACE).svc:8200"
             - name: AGENT_INJECT_VAULT_IMAGE
-              value: "hashicorp/vault:1.18.5"
+              value: "hashicorp/vault:1.19.5"
             - name: AGENT_INJECT_TLS_AUTO
               value: vault-agent-injector-cfg
             - name: AGENT_INJECT_TLS_AUTO_HOSTS

subcommand/injector/flags_test.go

@@ -119,7 +119,7 @@ func TestCommandEnvs(t *testing.T) {
 		{env: "AGENT_INJECT_VAULT_CACERT_BYTES", value: "foo", cmdPtr: &cmd.flagVaultCACertBytes},
 		{env: "AGENT_INJECT_PROXY_ADDR", value: "http://proxy:3128", cmdPtr: &cmd.flagProxyAddress},
 		{env: "AGENT_INJECT_VAULT_AUTH_PATH", value: "auth-path-test", cmdPtr: &cmd.flagVaultAuthPath},
-		{env: "AGENT_INJECT_VAULT_IMAGE", value: "hashicorp/vault:1.18.5", cmdPtr: &cmd.flagVaultImage},
+		{env: "AGENT_INJECT_VAULT_IMAGE", value: "hashicorp/vault:1.19.5", cmdPtr: &cmd.flagVaultImage},
 		{env: "AGENT_INJECT_VAULT_NAMESPACE", value: "test-namespace", cmdPtr: &cmd.flagVaultNamespace},
 		{env: "AGENT_INJECT_TLS_KEY_FILE", value: "server.key", cmdPtr: &cmd.flagKeyFile},
 		{env: "AGENT_INJECT_TLS_CERT_FILE", value: "server.crt", cmdPtr: &cmd.flagCertFile},
@@ -238,7 +238,8 @@ func TestCommandEnvFloats(t *testing.T) {
 		{
 			env:    "AGENT_INJECT_TEMPLATE_LEASE_RENEWAL_THRESHOLD",
 			value:  0.75,
-			cmdPtr: &cmd.flagLeaseRenewalThreshold},
+			cmdPtr: &cmd.flagLeaseRenewalThreshold,
+		},
 	}
 
 	for _, tt := range tests {