Releases: bitnami-labs/sealed-secrets

v0.8.0

23 Jul 12:17

Changelog

The main improvements in this release are:

  • support for annotations and labels (#92)
  • support for secrets rotation opt-in (#137)
  • fix bug with OwnerReferences handling (#127)
  • EKS support; client-go version bump to release-7.0 (#110)
  • Instructions to run on GKE when user is not cluster-admin (#111)
  • Windows binary of kubeseal (#85)
  • Internal codebase modernization (e.g. switch to Go modules)

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/3?closed=1

Many thanks to all the folks who contributed to this release!

Install

# Install client-side tool into /usr/local/bin/
$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0/kubeseal-$(go env GOOS)-$(go env GOARCH) -O kubeseal
$ sudo install -m 755 kubeseal /usr/local/bin/kubeseal

# Install SealedSecret CRD, server-side controller into kube-system namespace (by default)
$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0/controller.yaml

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please refer to the README.md for further instructions.

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

v0.8.0-rc.3

22 Jul 10:10
Pre-release
  • Ensure image pull policy is not Never (#194)

v0.8.0-rc.2

22 Jul 08:44
Pre-release
Update github deployment key

v0.8.0-rc.1

19 Jul 22:33
Pre-release

Intro

Sorry for the delay, we've been through a fun ride lately but we're back on track.
Thanks to all the people who have contributed and offered their help!

v0.8.0 is a long overdue release but I don't want to rush it.
I would like to ask the community to help us validate this release and I guess cutting a release candidate
will lower the barrier for the testers.

The main improvements in this release are:

  • support for annotations and labels (#92)
  • support for secrets rotation opt-in (#137)
  • fix bug with OwnerReferences handling (#127)
  • EKS support; client-go version bump to release-7.0 (#110)
  • Instructions to run on GKE when user is not cluster-admin (#111)
  • Internal codebase modernization (e.g. switch to Go modules)

The full changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/3?closed=1

Install

# Install client-side tool into /usr/local/bin/
$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0-rc.1/kubeseal-$(go env GOOS)-$(go env GOARCH) -O kubeseal
$ sudo install -m 755 kubeseal /usr/local/bin/kubeseal

# Install SealedSecret CRD, server-side controller into kube-system namespace (by default)
$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0-rc.1/controller.yaml

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please refer to the README.md for further instructions.

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

v0.7.0

22 Mar 00:20

Big change for this release is the switch to per-key encrypted values.
("Keys" as in "object key/value", not as in "encryption key". English is hard.)

  • Previously we generated a single big encrypted blob for each Secret, now we encrypt each value in the Secret separately, with the keys in plain text.
  • This allows:
    • Existing keys can now be renamed and deleted without re-encrypting the value(s).
    • New keys/values can be added to the SealedSecret without re-encrypting (or even having access to!) the existing values.
    • Note that (as before) the encrypted values are still tied to the namespace/name of the enclosing Secret/SealedSecret, so can't be moved to another Secret.
      (The cluster-wide annotation does allow this, with the corresponding caveats, as before)
  • The kubeseal tool does not yet have an option to output just a single value, but you can safely mix+match the individual values from kubeseal output with an existing SealedSecret. Improving kubeseal support for this feature is still an open action item.
  • Existing/older "all-in-one" SealedSecrets are declared deprecated, but will continue to be supported by the controller for the foreseeable future. New invocations of the kubeseal tool now produce per-key encrypted output - if you need to produce the older format, just use an older kubeseal. Please raise a github issue if you have a use-case that requires supporting "all-in-one" SealedSecrets going forward.
  • Note the CRD schema used for server-side validation in k8s >=1.9 has been temporarily removed, because it was unable to support the new per-key structure correctly (see kubernetes/kubernetes#59485).
  • Huge thanks to @sullerandras for the code and his persistence in getting this merged!
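
The "mix+match" of individual values described above can be done safely with a small merge helper that refuses to move a value across scopes. This is an added example, not code from the sealed-secrets project; it assumes per-key values live under spec.encryptedData and the deprecated all-in-one blob under spec.data (field names not stated on this page), and the manifests and ciphertexts are constructed placeholders.

```python
import copy

# Annotation named in the v0.6.0 notes on this page.
CLUSTER_WIDE = "sealedsecrets.bitnami.com/cluster-wide"

def scope(ss):
    """Scope the encrypted values of a SealedSecret are tied to."""
    meta = ss.get("metadata", {})
    if meta.get("annotations", {}).get(CLUSTER_WIDE) == "true":
        return ("cluster-wide",)
    return (meta.get("namespace"), meta.get("name"))

def merge_sealed_values(existing, fresh, keys):
    """Return a copy of `existing` with the per-key values `keys` taken from `fresh`."""
    for ss in (existing, fresh):
        # Assumption: the deprecated all-in-one format is a single spec.data blob.
        if "data" in ss.get("spec", {}):
            raise ValueError("all-in-one SealedSecret has no per-key values to merge")
    if scope(existing) != scope(fresh):
        raise ValueError("scope mismatch: %r vs %r" % (scope(fresh), scope(existing)))
    merged = copy.deepcopy(existing)
    for key in keys:
        # Ciphertext is copied verbatim; no decryption or private key is involved.
        merged["spec"]["encryptedData"][key] = fresh["spec"]["encryptedData"][key]
    return merged

def sealed(namespace, name, values, annotations=None):
    """Build a constructed SealedSecret; the ciphertexts are placeholders."""
    return {"kind": "SealedSecret",
            "metadata": {"namespace": namespace, "name": name,
                         "annotations": annotations or {}},
            "spec": {"encryptedData": dict(values)}}

EXISTING = sealed("prod", "db-creds", {"username": "<ciphertext-A>"})
FRESH = sealed("prod", "db-creds", {"password": "<ciphertext-B>"})
WRONG_NS = sealed("staging", "db-creds", {"password": "<ciphertext-C>"})

if __name__ == "__main__":
    print(sorted(merge_sealed_values(EXISTING, FRESH, ["password"])["spec"]["encryptedData"]))
    try:
        merge_sealed_values(EXISTING, WRONG_NS, ["password"])
    except ValueError as err:
        print("refused:", err)
```

Running the same scope check in CI over committed SealedSecret manifests catches values pasted from a different namespace or name before the controller fails to unseal them.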

v0.6.0

09 Feb 16:00
c8ea403
  • Support "cluster wide" secrets, that are not restricted to the original namespace
    • Set sealedsecrets.bitnami.com/cluster-wide: "true" annotation
    • Warning: cluster-wide SealedSecrets can be decrypted by anyone who can create a SealedSecret in your cluster
  • Move to client-go v5.0
  • Move to bitnami-labs github org
  • Fix bug in schema validation for k8s 1.9

v0.5.1

02 Oct 06:28

Note: this version moves TPR/CRD definition into a separate file. To install, you need controller.yaml and either sealedsecret-tpr.yaml or sealedsecret-crd.yaml

  • Add CRD definition and TPR->CRD migration documentation
  • Add kubeseal --fetch-cert to dump server cert to stdout, for later offline use with kubeseal --cert
  • Better sanitisation of input object to kubeseal

(v0.5.1 fixes a travis/github release issue with v0.5.0)

v0.4.0

06 Sep 12:07
  • controller: deployment security hardening: non-root uid and read-only rootfs
  • kubeseal: Include oidc and gcp auth provider plugins
  • kubeseal: Add support for YAML output

v0.3.1

11 Jul 05:52
  • Add controller-norbac.yaml to the release build. This is controller.yaml without RBAC rules and related service account - for environments where RBAC is not yet supported, like Azure.
  • Fix missing controller RBAC ClusterRoleBinding in v0.3.0

v0.3.0

21 Jun 04:35

Rename everything to better represent project scope. Better to do this early (now) and apologies for the disruption.

  • Rename repo and golang import path -> bitnami/sealed-secrets
  • Rename cli tool -> kubeseal
  • Rename SealedSecret apiGroup -> bitnami.com