Releases: bitnami-labs/sealed-secrets
v0.8.0
Changelog
The main improvements in this release are:
- support for annotations and labels (#92)
- support for secrets rotation opt-in (#137)
- fix bug with OwnerReferences handling (#127)
- EKS support; client-go version bump to release-7.0 (#110)
- Instructions to run on GKE when user is not cluster-admin (#111)
- Windows binary of kubeseal (#85)
- Internal codebase modernization (e.g. switch to Go modules)
The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/3?closed=1
Many thanks for all the folks who contributed to this release!
Install
# Install client-side tool into /usr/local/bin/
$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0/kubeseal-$(go env GOOS)-$(go env GOARCH) -O kubeseal
$ sudo install -m 755 kubeseal /usr/local/bin/kubeseal
# Install SealedSecret CRD, server-side controller into kube-system namespace (by default)
$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0/controller.yaml
NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please refer to the README.md for further instructions.
NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.
v0.8.0-rc.3
- Ensure mage pull policy is not Never (#194)
v0.8.0-rc.2
Update github deployment key
v0.8.0-rc.1
Intro
Sorry for the delay, we've been through a fun ride lately but we're back on track.
Thanks to all the people who have contributed and offered their help!
v0.8.0 is a long overdue release but I don't want to rush it.
I would like to ask the community to help us validate this release and I guess cutting a release candidate
will lower the barrier for the testers.
The main improvements in this release are:
- support for annotations and labels (#92)
- support for secrets rotation opt-in (#137)
- fix bug with OwnerReferences handling (#127)
- EKS support; client-go version bump to release-7.0 (#110)
- Instructions to run on GKE when user is not cluster-admin (#111)
- Internal codebase modernization (e.g. switch to Go modules)
The full changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/3?closed=1
Install
# Install client-side tool into /usr/local/bin/
$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0-rc.1/kubeseal-$(go env GOOS)-$(go env GOARCH) -O kubeseal
$ sudo install -m 755 kubeseal /usr/local/bin/kubeseal
# Install SealedSecret CRD, server-side controller into kube-system namespace (by default)
$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0-rc.1/controller.yaml
NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please refer to the README.md for further instructions.
NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.
v0.7.0
Big change for this release is the switch to per-key encrypted values.
("Keys" as in "object key/value", not as in "encryption key". English is hard.)
- Previously we generated a single big encrypted blob for each Secret, now we encrypt each value in the Secret separately, with the keys in plain text.
- This allows:
- Existing keys can now be renamed and deleted without re-encrypting the value(s).
- New keys/values can be added to the SealedSecret without re-encrypting (or even having access to!) the existing values.
- Note that (as before) the encrypted values are still tied to the namespace/name of the enclosing Secret/SealedSecret, so can't be moved to another Secret.
(The cluster-wide annotation does allow this, with the corresponding caveats, as before)
- The
kubeseal
tool does not yet have an option to output just a single value, but you can safely mix+match the individual values fromkubeseal
output with an existing SealedSecret. Improvingkubeseal
support for this feature is still an open action item. - Existing/older "all-in-one" SealedSecrets are declared deprecated, but will continue to be supported by the controller for the foreseeable future. New invocations of the
kubeseal
tool now produce per-key encrypted output - if you need to produce the older format, just use an olderkubeseal
. Please raise a github issue if you have a use-case that requires supporting "all-in-one" SealedSecrets going forward. - Note the CRD schema used for server-side validation in k8s >=1.9 has been temporarily removed, because it was unable to support the new per-key structure correctly (see kubernetes/kubernetes#59485).
- Huge thanks to @sullerandras for the code and his persistence in getting this merged!
v0.6.0
- Support "cluster wide" secrets, that are not restricted to the original namespace
- Set
sealedsecrets.bitnami.com/cluster-wide: "true"
annotation - Warning: cluster-wide SealedSecrets can be decrypted by anyone who can create a SealedSecret in your cluster
- Set
- Move to client-go v5.0
- Move to bitnami-labs github org
- Fix bug in schema validation for k8s 1.9
v0.5.1
Note: this version moves TPR/CRD definition into a separate file. To install, you need controller.yaml
and either sealedsecret-tpr.yaml
or sealedsecret-crd.yaml
- Add CRD definition and TPR->CRD migration documentation
- Add
kubeseal --fetch-cert
to dump server cert to stdout, for later offline use withkubeseal --cert
- Better sanitisation of input object to
kubeseal
(v0.5.1 fixes a travis/github release issue with v0.5.0)
v0.4.0
v0.3.1
- Add
controller-norbac.yaml
to the release build. This iscontroller.yaml
without RBAC rules and related service account - for environments where RBAC is not yet supported, like Azure. - Fix missing controller RBAC ClusterRoleBinding in v0.3.0