v0.33.1

Changelog

• f953854 fix: inject version from git tag at build time

v0.40.0-rc.2

Release candidate for v0.40.0 with Linux packaging and critical bug fixes.

New Features:

• feat(packaging): Add RPM and DEB package support via nFPM (#520)
  • Systemd service with security hardening
  • Environment file configuration (/etc/default/confd or /etc/sysconfig/confd)
  • Packages for amd64, arm64, and armv7 architectures
• feat(cli): Add comprehensive environment variable support (#516)

Bug Fixes:

• fix: Address high severity bugs - goroutine leaks, FD leaks, data races (#493, #494, #496, #497)
• fix: File backend wildcard keys filtered out (#498)
• fix: Preflight now uses per-resource backend for key checks (#495)
• fix(redis): Support multiple prefixes in WatchPrefix (#510)
• fix(imds): Close response body in HealthCheck and New (#511)
• fix(imds): Avoid trailing slash in user-data cache key (#500)
• fix(backends): Respect context cancellation in WatchPrefix stubs (#512)
• fix(template): Use atomic.Bool for reloadRequested to prevent data race (#504)
• fix(template): Reduce backend fetch log verbosity (#506)
• fix(config): Return error for invalid duration values in confd.toml (#505)
• fix(zookeeper): Propagate errors from recursive nodeWalk calls (#499)

Testing:

• test(template): Add integration tests for watch reconnection after backend failures (#519)
• Complete E2E test migration to Go testcontainers framework (#464-476)

Documentation:

• docs: Add Linux package installation instructions
• docs: Update service deployment guide with package-based setup

Install via packages:

# Debian/Ubuntu
curl -LO https://github.com/abtreece/confd/releases/download/v0.40.0-rc.2/confd_0.40.0-rc.2_linux_amd64.deb
sudo dpkg -i confd_0.40.0-rc.2_linux_amd64.deb

# RHEL/Fedora
curl -LO https://github.com/abtreece/confd/releases/download/v0.40.0-rc.2/confd-0.40.0.rc.2-1.x86_64.rpm
sudo rpm -i confd-0.40.0.rc.2-1.x86_64.rpm

v0.40.0-rc.1

v0.40.0 RC 1

This release represents a significant evolution of confd with major architectural improvements, new features, and performance optimizations. The version jump from v0.33.0 to v0.40.0 reflects the scope of these changes.

BREAKING CHANGES:

• CLI migrated to Kong with backend subcommands: The CLI now uses confd <backend> [flags] syntax instead of confd --backend=<backend>. For example, confd --backend=etcd --node=http://localhost:2379 becomes confd etcd --node=http://localhost:2379. (#357)

• Logging migrated from logrus to slog: confd now uses Go's standard library log/slog for structured logging. Log output format has changed. Use --log-format=json for machine-parseable logs. (#420)

• Redis client migrated from redigo to go-redis/v9: Internal implementation change that may affect connection behavior. (#376)

New Features:

• feat: Add AWS EC2 IMDS backend for Instance Metadata Service v2 (#431)
• feat: Add Prometheus metrics and observability instrumentation (--metrics-addr) (#416)
• feat: Add health check endpoints (/health, /ready, /ready/detailed) (#429)
• feat: Standardize HealthCheck implementations across all backends (#427)
• feat: Add error aggregation and failure modes (--failure-mode=best-effort|fail-fast) (#426)
• feat: Extract hardcoded timeouts and retry delays to configuration flags (#425)
• feat: Add templates_loaded and watched_keys gauge metrics (#424)
• feat: Add structured logging with timing metrics to critical paths (#420)
• feat: Add template compilation caching for improved performance (#368)
• feat: Add per-resource backend configuration support (#359)
• feat: Add configuration validation, template enhancements, and watch mode improvements (#360)
• feat(redis): Implement exponential backoff for connection retries (#405)

Performance Improvements:

• perf: Use conditional defer in process() to avoid overhead when metrics disabled (#462)
• perf: Pool map allocations in memkv List/ListDir operations (#461)
• perf: Optimize IsConfigChanged to reduce syscalls (#460)
• perf: Avoid FuncMap copy on every include call (#459)
• perf: Add TTL-based caching for template file stat checks (#458)
• perf: Cache prefixed keys on TemplateResource initialization (#457)
• perf: Pre-compile command templates in CommandExecutor (#456)
• perf: Pre-allocate template slice in getTemplateResources (#454)

Bug Fixes:

• fix: Exclude timeout fields from client cache hash (#455)
• fix(vault): Improve flatten() function type safety (#433)
• fix(redis): Add automatic reconnection for PubSub watch mode (#408)
• fix: Improve code quality and fix potential issues (#380)

Refactoring:

• refactor: Refactor TemplateResource to follow Single Responsibility Principle (#409)
• refactor: Propagate context.Context through backend calls (#379)
• refactor: Internalize memkv package from abandoned upstream (#369)
• refactor: Standardize error wrapping across codebase (#423)
• refactor(vault): Replace panic-based error handling with explicit error returns (#378)
• refactor(vault): Consolidate duplicate recursive listing functions (#404)

Testing:

• Comprehensive integration test suite reorganized into categorical structure (#432)
• Test coverage improved significantly across all backends
• Added integration tests for health, metrics, failure modes, includes, and signals (#430)

Infrastructure:

• Update Go version to 1.25 (#415)
• Numerous dependency updates for security and compatibility
• feat: Add official Docker images published to Docker Hub and GHCR
  • feat: Multi-architecture support (linux/amd64, linux/arm64)
  • feat: Add workflow_dispatch for manual release triggers

v0.33.0

What's New

New Features

• AWS Secrets Manager Backend (#356) - New backend for retrieving secrets from AWS Secrets Manager

  • Supports JSON secrets with automatic flattening to key/value pairs
  • Binary secret support (base64 encoded)
  • Version stage selection (--secretsmanager-version-stage)
  • --secretsmanager-no-flatten flag to disable JSON flattening
  • Local endpoint support for testing with LocalStack

• AWS ACM Backend (#328) - New backend for retrieving certificates from AWS Certificate Manager

  • Certificate and chain retrieval
  • Private key export support (#329) with --acm-export-private-key flag

• AWS SDK v2 Migration (#355) - Migrated all AWS backends (SSM, DynamoDB, ACM, Secrets Manager) from AWS SDK v1 to v2

  • Improved performance and reliability
  • Better credential handling
  • Consistent endpoint override support for local testing

Improvements

• Benchmark Suite (#353) - Added comprehensive benchmarks for template and backend performance
• Code Quality (#352) - Code cleanup and godoc improvements
• Go 1.24.7 - Standardized Go version across all configuration files

Documentation

• Updated quick-start guide with Secrets Manager examples
• Added command-line flag documentation for new backends
• Updated README with new backend support

Breaking Changes

None

Upgrade Notes

To use the new Secrets Manager backend:

confd -onetime -backend secretsmanager

For JSON secrets, keys are automatically flattened. A secret named database with value {"host":"127.0.0.1","port":"3306"} can be accessed as /database/host and /database/port in templates.

v0.32.0

BREAKING CHANGE: The global prefix setting in confd.toml is now concatenated with resource-level prefix values in template resource files (conf.d/*.toml) instead of overriding them. For example, if confd.toml has prefix = "production" and a resource has prefix = "myapp", the effective prefix is now /production/myapp instead of /production. To restore the previous behavior, remove the prefix setting from your template resource files. (#324)

What's Changed

• feat: Add JSON log format support via --log-format flag (#327)
• feat: Add template variable support ({{.src}}, {{.dest}}) in reload_cmd (#326)
• docs: Update CHANGELOG with releases v0.19.2 through v0.31.1 (#325)
• chore: Fix goreleaser v2 deprecation warnings

Full Changelog: v0.31.1...v0.32.0

v0.31.1

Changelog

• 041fa8b chore: Update goreleaser config to version 2
• be34247 fix: Update go.mod to mark etcd/api/v3 as direct dependency

v0.31.0

Changes

• test: Improve Etcd and Consul backend test coverage (#322) @abtreece
• test: Improve Vault and Zookeeper test coverage (#321) @abtreece
• test: Improve Redis and Etcd test coverage (#320) @abtreece
• test: improve test coverage from 13% to 40% (#319) @abtreece
• Bump golang.org/x/crypto from 0.40.0 to 0.45.0 (#318) @abtreece
• Update Go to 1.24.7 (#309) @abtreece
• Update deprecated use of ioutil (#286) @abtreece
• Update deprecated use of ioutil (#271) @abtreece

Minor Changes

• Bump go.etcd.io/etcd/client/v3 from 3.6.5 to 3.6.6 (#315) @dependabot[bot]
• Bump github.com/gomodule/redigo from 1.9.2 to 1.9.3 (#313) @dependabot[bot]
• Bump github.com/hashicorp/vault/api from 1.21.0 to 1.22.0 (#311) @dependabot[bot]
• Bump github/codeql-action from 3 to 4 (#312) @dependabot[bot]
• Bump actions/checkout from 5 to 6 (#317) @dependabot[bot]
• Bump go.etcd.io/etcd/client/v3 from 3.6.4 to 3.6.5 (#307) @dependabot[bot]
• Bump github.com/hashicorp/vault/api from 1.16.0 to 1.21.0 (#306) @dependabot[bot]
• Bump actions/setup-go from 5 to 6 (#305) @dependabot[bot]
• Bump go.etcd.io/etcd/client/v3 from 3.5.18 to 3.6.4 (#302) @dependabot[bot]
• Bump github.com/aws/aws-sdk-go from 1.55.6 to 1.55.8 (#303) @dependabot[bot]
• Bump actions/checkout from 4 to 5 (#304) @dependabot[bot]
• Bump golang.org/x/crypto from 0.32.0 to 0.35.0 (#294) @dependabot[bot]
• Bump github.com/fsnotify/fsnotify from 1.8.0 to 1.9.0 (#292) @dependabot[bot]
• Bump github.com/BurntSushi/toml from 1.4.0 to 1.5.0 (#290) @dependabot[bot]
• Bump github.com/hashicorp/consul/api from 1.30.0 to 1.31.2 (#284) @dependabot[bot]
• Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#285) @dependabot[bot]
• Bump github.com/hashicorp/vault/api from 1.15.0 to 1.16.0 (#281) @dependabot[bot]
• Bump go.etcd.io/etcd/client/v3 from 3.5.17 to 3.5.18 (#280) @dependabot[bot]
• Bump github.com/aws/aws-sdk-go from 1.55.5 to 1.55.6 (#279) @dependabot[bot]
• Bump golang.org/x/crypto from 0.27.0 to 0.31.0 (#277) @dependabot[bot]
• Bump codecov/codecov-action from 4 to 5 (#276) @dependabot[bot]
• Bump go.etcd.io/etcd/client/v3 from 3.5.16 to 3.5.17 (#275) @dependabot[bot]
• Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#274) @dependabot[bot]
• Bump github.com/hashicorp/consul/api from 1.29.4 to 1.30.0 (#273) @dependabot[bot]

Refactor Vault backend to properly handle KV v1 and KV v2

Overview

This commit is NOT backwards compatible with Vault KV v2 configurations that include /data/ in the key path.

I have broadly refactored the Vault backend to improve K/V lookup for both KV v1 and KV v2. The change enables the proper use of the prefix configuration for the KV path and accommodates the differences between the KV v1 and KV v2 endpoints, specifically the use of data in the secret path. This returns the Vault backend back to pathing parity with the other backends.

Previous
in this configuration kv-v2 is the Secrets Engine path and data was necessary for the v2 endpoint.

[template]
mode = "0644"
src = "nested.conf.tmpl"
dest = "/tmp/confd-nested-test.conf"
keys = [
  "kv-v2/data/nested",
]

Current
In this configuration the kv-v2 Secrets Engine path is prefixed and data is handled by the backend when necessary.

[template]
mode = "0644"
src = "nested.conf.tmpl"
dest = "/tmp/confd-nested-test.conf"
prefix = "/kv-v2"
keys = [
  "/nested",
]

Changes

Major Changes

• Broadly refactor Vault client (#270) @abtreece

Minor Changes

• Add proper integration check for nested config (#248) @abtreece
• Upgrade Go version from 1.20 to 1.21 (#242) @abtreece
• Pin integration test container to 22.04 for now (#241) @abtreece
• Bump github.com/hashicorp/go-retryablehttp from 0.7.1 to 0.7.7 (#258) @dependabot
• Bump github.com/aws/aws-sdk-go from 1.52.2 to 1.53.5 (#246) @dependabot
• Bump github.com/hashicorp/consul/api from 1.28.2 to 1.28.3 (#247) @dependabot
• Bump github.com/aws/aws-sdk-go from 1.51.30 to 1.52.2 (#243) @dependabot
• Bump github.com/hashicorp/vault/api from 1.12.2 to 1.13.0 (#239) @dependabot
• Bump github.com/aws/aws-sdk-go from 1.51.21 to 1.51.30 (#240) @dependabot
• Bump golang.org/x/net from 0.17.0 to 0.23.0 (#237) @dependabot
• Bump github.com/aws/aws-sdk-go from 1.51.1 to 1.51.21 (#236) @dependabot
• Bump go.etcd.io/etcd/client/v3 from 3.5.12 to 3.5.13 (#234) @dependabot
• Bump github.com/hashicorp/vault/api from 1.10.0 to 1.12.2 (#231) @dependabot
• Bump github.com/aws/aws-sdk-go from 1.49.4 to 1.51.1 (#229) @dependabot
• Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 (#228) @dependabot
• Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#226) @dependabot
• Bump github.com/hashicorp/consul/api from 1.27.0 to 1.28.2 (#224) @dependabot
• Bump github.com/gomodule/redigo from 1.8.9 to 1.9.2 (#223) @dependabot
• Bump go.etcd.io/etcd/client/v3 from 3.5.11 to 3.5.12 (#215) @dependabot
• Bump codecov/codecov-action from 3 to 4 (#217) @dependabot
• Bump release-drafter/release-drafter from 5 to 6 (#216) @dependabot
• Bump github.com/hashicorp/consul/api from 1.26.1 to 1.27.0 (#210) @dependabot
• Bump golang.org/x/crypto from 0.14.0 to 0.17.0 (#205) @dependabot
• Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 (#204) @dependabot
• Bump github.com/aws/aws-sdk-go from 1.44.266 to 1.49.4 (#203) @dependabot
• Bump github.com/hashicorp/vault/api from 1.9.1 to 1.10.0 (#202) @dependabot
• Bump github/codeql-action from 2 to 3 (#201) @dependabot

Update Go to 1.20 and bump deps

Changes

• Update Go version from 1.19.5 to latest 1.20 (#200) @abtreece

Minor Changes

• Jesse bowling patch 1 (#161) @JesseBowling
• Bump github.com/hashicorp/consul/api from 1.20.0 to 1.26.1 (#199) @dependabot
• Bump go.etcd.io/etcd/client/v3 from 3.5.9 to 3.5.11 (#195) @dependabot
• Bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0 (#198) @dependabot
• Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#197) @dependabot
• Bump github.com/BurntSushi/toml from 1.2.1 to 1.3.2 (#196) @dependabot
• Bump actions/checkout from 3 to 4 (#194) @dependabot
• Bump actions/setup-go from 4 to 5 (#193) @dependabot
• Bump github.com/hashicorp/vault/api from 1.8.3 to 1.9.1 (#192) @abtreece
• Bump go.etcd.io/etcd/client/v3 from 3.5.7 to 3.5.9 (#187) @dependabot
• Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 (#188) @dependabot
• Bump github.com/aws/aws-sdk-go from 1.44.196 to 1.44.266 (#189) @dependabot
• Bump google.golang.org/grpc from 1.49.0 to 1.56.3 (#191) @dependabot
• Bump golang.org/x/net from 0.7.0 to 0.17.0 (#190) @dependabot
• Bump actions/setup-go from 3 to 4 (#174) @dependabot
• Bump github.com/hashicorp/consul/api from 1.18.0 to 1.20.0 (#172) @dependabot
• Bump golang.org/x/net from 0.1.0 to 0.7.0 (#165) @dependabot
• Bump actions/checkout from 2 to 3 (#162) @dependabot

Update deps and fix security issues

Changes

• fix: Allow env var precedence for SSM region (#133) @abtreece
• fix: Updates golang.org/x/text to 0.3.8 (#137)

Minor Changes

• Bump github.com/aws/aws-sdk-go from 1.44.126 to 1.44.196 (#158) @dependabot
• Bump github.com/hashicorp/vault/api from 1.8.2 to 1.8.3 (#154) @dependabot
• Bump go.etcd.io/etcd/client/v3 from 3.5.5 to 3.5.7 (#153) @dependabot
• Bump github.com/hashicorp/consul/api from 1.15.3 to 1.18.0 (#144) @dependabot
• Bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1 (#135) @dependabot
• Bump github.com/hashicorp/vault/api from 1.7.2 to 1.8.2 (#134) @dependabot
• Bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 (#127) @dependabot
• Bump go.etcd.io/etcd/client/v3 from 3.5.4 to 3.5.5 (#119) @dependabot
• Bump github.com/hashicorp/consul/api from 1.14.0 to 1.15.3 (#130) @dependabot
• Bump github.com/aws/aws-sdk-go from 1.44.95 to 1.44.126 (#132) @dependabot