
@anguslees anguslees released this Mar 22, 2018 · 50 commits to master since this release

Big change for this release is the switch to per-key encrypted values.
("Keys" as in "object key/value", not as in "encryption key". English is hard.)

  • Previously we generated a single big encrypted blob for each Secret, now we encrypt each value in the Secret separately, with the keys in plain text.
  • This allows:
    • Existing keys can now be renamed and deleted without re-encrypting the value(s).
    • New keys/values can be added to the SealedSecret without re-encrypting (or even having access to!) the existing values.
    • Note that (as before) the encrypted values are still tied to the namespace/name of the enclosing Secret/SealedSecret, so can't be moved to another Secret.
      (The cluster-wide annotation does allow this, with the corresponding caveats, as before)
  • The kubeseal tool does not yet have an option to output just a single value, but you can safely mix+match the individual values from kubeseal output with an existing SealedSecret. Improving kubeseal support for this feature is still an open action item.
  • Existing/older "all-in-one" SealedSecrets are declared deprecated, but will continue to be supported by the controller for the foreseeable future. New invocations of the kubeseal tool now produce per-key encrypted output - if you need to produce the older format, just use an older kubeseal. Please raise a GitHub issue if you have a use-case that requires supporting "all-in-one" SealedSecrets going forward.
  • Note the CRD schema used for server-side validation in k8s >=1.9 has been temporarily removed, because it was unable to support the new per-key structure correctly (see kubernetes/kubernetes#59485).
  • Huge thanks to @sullerandras for the code and his persistence in getting this merged!

@anguslees anguslees released this Feb 9, 2018 · 65 commits to master since this release

  • Support "cluster-wide" secrets, that are not restricted to the original namespace
    • Set sealedsecrets.bitnami.com/cluster-wide: "true" annotation
    • Warning: cluster-wide SealedSecrets can be decrypted by anyone who can create a SealedSecret in your cluster
  • Move to client-go v5.0
  • Move to bitnami-labs github org
  • Fix bug in schema validation for k8s 1.9
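The two points that matter operationally across this release and the per-key release above are that a ciphertext can be moved between manifests without ever being decrypted, and that it only decrypts in a SealedSecret with the same binding: the same namespace/name, or any SealedSecret at all once the cluster-wide annotation is involved. The script below is an added example, not part of the sealed-secrets project or its kubeseal tool. It assumes the JSON form kubeseal emits, that per-key ciphertexts live under spec.encryptedData (key -> ciphertext), that the apiVersion is bitnami.com/v1alpha1, and that the controller derives the binding from the enclosing object's metadata plus the sealedsecrets.bitnami.com/cluster-wide annotation. The manifests and ciphertext strings are constructed placeholders.

```python
# Added example (not sealed-secrets code): merge, rename and delete per-key
# ciphertexts in SealedSecret manifests without decrypting anything.
import copy
import json

# Annotation named in the release notes; value "true" lifts the namespace/name binding.
CLUSTER_WIDE_ANNOTATION = "sealedsecrets.bitnami.com/cluster-wide"


def binding(sealed_secret):
    """Identity the ciphertexts are tied to (assumed: the enclosing object's
    namespace/name), or the wildcard ("*", "*") for a cluster-wide SealedSecret."""
    meta = sealed_secret.get("metadata", {})
    annotations = meta.get("annotations") or {}
    if annotations.get(CLUSTER_WIDE_ANNOTATION) == "true":
        return ("*", "*")
    return (meta.get("namespace", "default"), meta.get("name"))


def encrypted_data(sealed_secret):
    """Return spec.encryptedData (assumed field name), refusing the older all-in-one layout."""
    data = sealed_secret.get("spec", {}).get("encryptedData")
    if not isinstance(data, dict):
        raise ValueError("not a per-key SealedSecret: spec.encryptedData missing")
    return data


def can_merge(target, source):
    """True only if values sealed for `source` would decrypt inside `target`:
    same namespace/name, or both cluster-wide. A cluster-wide value decrypts in
    any SealedSecret carrying the annotation, which is the warning above; a
    namespace-bound value decrypts only in the matching object."""
    return binding(target) == binding(source)


def merge_encrypted_values(target, source, keys=None):
    """Copy selected ciphertexts from `source` into a copy of `target`.
    The values are never decrypted here; that is the point of the per-key format."""
    if not can_merge(target, source):
        raise ValueError(f"values sealed for {binding(source)} cannot be used in {binding(target)}")
    src = encrypted_data(source)
    wanted = list(src) if keys is None else list(keys)
    missing = [k for k in wanted if k not in src]
    if missing:
        raise KeyError(f"keys not present in source: {missing}")
    merged = copy.deepcopy(target)
    encrypted_data(merged).update({k: src[k] for k in wanted})
    return merged


def rename_key(sealed_secret, old, new):
    """Rename a key; the ciphertext is untouched since only namespace/name bind it."""
    out = copy.deepcopy(sealed_secret)
    data = encrypted_data(out)
    if new in data:
        raise KeyError(f"key already present: {new}")
    data[new] = data.pop(old)
    return out


def delete_key(sealed_secret, key):
    """Drop a key; the remaining ciphertexts stay valid as they are."""
    out = copy.deepcopy(sealed_secret)
    del encrypted_data(out)[key]
    return out


# Constructed sample manifests; the CT-* strings stand in for real ciphertexts.
EXISTING = json.loads("""{
  "apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
  "metadata": {"namespace": "prod", "name": "db-creds"},
  "spec": {"encryptedData": {"username": "CT-USERNAME-OLD", "password": "CT-PASSWORD-OLD"}}
}""")

# Fresh kubeseal output for the same namespace/name, produced by someone who
# never had access to the existing values.
FRESH_SAME_TARGET = json.loads("""{
  "apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
  "metadata": {"namespace": "prod", "name": "db-creds"},
  "spec": {"encryptedData": {"password": "CT-PASSWORD-NEW", "api-token": "CT-TOKEN"}}
}""")

# Same name, different namespace: its values would not decrypt in prod/db-creds.
FRESH_OTHER_NAMESPACE = json.loads("""{
  "apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
  "metadata": {"namespace": "staging", "name": "db-creds"},
  "spec": {"encryptedData": {"password": "CT-PASSWORD-STAGING"}}
}""")


def demo():
    """Rotate the password and add a token from fresh output, then rename and prune."""
    updated = merge_encrypted_values(EXISTING, FRESH_SAME_TARGET, ["password", "api-token"])
    updated = rename_key(updated, "username", "db-user")
    return delete_key(updated, "api-token")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The binding check is a correctness check, not an access control: the controller, not this script, decides what decrypts. It exists so that a value pasted into the wrong manifest fails at review time rather than at reconcile time, and so that cluster-wide ciphertexts are only ever placed into manifests that already carry the annotation.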

@anguslees anguslees released this Oct 2, 2017 · 85 commits to master since this release

Note: this version moves the TPR/CRD definition into a separate file. To install, you need controller.yaml and either sealedsecret-tpr.yaml or sealedsecret-crd.yaml.

  • Add CRD definition and TPR->CRD migration documentation
  • Add kubeseal --fetch-cert to dump server cert to stdout, for later offline use with kubeseal --cert
  • Better sanitisation of input object to kubeseal

(v0.5.1 fixes a travis/github release issue with v0.5.0)


@anguslees anguslees released this Sep 6, 2017 · 101 commits to master since this release

  • controller: deployment security hardening: non-root uid and read-only rootfs
  • kubeseal: Include oidc and gcp auth provider plugins
  • kubeseal: Add support for YAML output

@anguslees anguslees released this Jul 11, 2017 · 114 commits to master since this release

  • Add controller-norbac.yaml to the release build. This is controller.yaml without RBAC rules and related service account - for environments where RBAC is not yet supported, like Azure.
  • Fix missing controller RBAC ClusterRoleBinding in v0.3.0

@anguslees anguslees released this Jun 21, 2017 · 126 commits to master since this release

Rename everything to better represent project scope. Better to do this early (now) and apologies for the disruption.

  • Rename repo and golang import path -> bitnami/sealed-secrets
  • Rename cli tool -> kubeseal
  • Rename SealedSecret apiGroup -> bitnami.com

@anguslees anguslees released this Jun 21, 2017 · 133 commits to master since this release

  • Fix invalid field resourceName in v0.2.0 controller.yaml (thanks @Globegitter)

@anguslees anguslees released this Jun 20, 2017 · 141 commits to master since this release

  • Client tool has better defaults, and can fetch the certificate automatically from the controller.
  • Improve release process to include pre-built Linux and OSX x86-64 binaries.
Pre-release

@anguslees anguslees released this Jun 8, 2017 · 159 commits to master since this release

Basic functionality is complete.
